Interesting People mailing list archives
IP: Information Warfare and Encryption
From: Dave Farber <farber () central cis upenn edu>
Date: Tue, 23 Apr 1996 21:09:36 -0400
Date: Tue, 23 Apr 96 21:01:43 EST
From: "Stewart Baker" <sbaker () mail steptoe com>
To: farber () central cis upenn edu

Dave:

Here is my latest op-ed, as sent to and more or less as published by the Journal of Commerce.

Stewart Baker

December 2002: As Iraqi troops mass once again on the border with Kuwait, the President mobilizes U.S. forces. But as the crisis grows, civilians find themselves suffering home-front hardships unprecedented in this century. The U.S. power grid fails again and again. Telephone service goes down. Looting spreads beyond the inner city as groceries run short and merchants stop taking checks and credit cards. Railroad networks suffer inexplicable failures, leading to safety measures that cut in half deliveries of food and fuel to a snowbound East Coast. Airports close and flights are cut due to interruptions in air traffic control data.

"I haven't seen anything like this since the strategic bombing of Germany in 1944 and 1945," declares a British military commentator. "The critical nodes of America's civilian infrastructure are being taken down more or less at will."

Protests mount against a distant military intervention. When disruption of natural gas deliveries to the Northeast causes a wave of nursing home deaths, Congress passes a resolution condemning the President's handling of the crisis. Twenty hours later, the President orders the troops home. For the first time in its history, America has suffered more casualties at home than on the front. Worse, the clear superiority of U.S. military forces has been rendered irrelevant.

That's the Pentagon's latest nightmare -- one born, ironically, of its own futuristic plans for winning wars by attacking the information and communications systems of our adversaries. Only as those plans were being hatched did it begin to dawn on military planners that the nation most vulnerable to such an attack is, well, us.

Five years ago, telephones in the Baltimore-Washington area shut down for hours due to a simple mistake in programming. Switch failures in 1991 also shut down major airports when air traffic controllers could not get the data they needed. If that's what happens when everyone is trying to make the system work, imagine what would happen if a large number of skilled operatives were trying to shut it down.

Even the military is vulnerable. In one recent study, government hackers probed thousands of unclassified military systems. They succeeded 88% of the time. Only 4% of their successful attacks were detected.

But the attacks in my scenario never touched a government or military computer. The United States could be crippled by attacks aimed entirely at systems in private hands. And private companies can't be expected to protect against state-sponsored information warfare. By and large, it doesn't make economic sense for them to spend more on network defenses than they are likely to lose to everyday hackers and criminals.

For the same reason, few in the private sector want government advice, let alone government mandates, designed to raise the level of security on their computer networks. Indeed, it's hard for government and industry to even have a dialogue on this issue. Five minutes into the discussion, industry says that it needs cheap unbreakable encryption to secure its systems, and the government asks how the FBI can catch the crooks who will use encryption to hide their activities. Ten minutes after that, industry is shouting "Big Brother" and the government is sermonizing about the World Trade Center bombing. By the time that fight has wound down, nobody has the energy -- or the mutual trust -- needed to discuss the gritty details of network security.

And so we rock along, putting more and more of our infrastructure into cyberspace and hoping our adversaries won't notice or won't exploit those vulnerabilities. Fat chance.

So far, the government's response has been heavily dominated by the military. But we won't get far without a consensus -- one that includes industry -- on questions like how we can identify organized attacks on critical civilian systems, how we can provide cost-effective protection against the most obvious attacks, and (as a way to get industry to the table) how to limit the liability of companies that act responsibly in reporting and protecting against attacks.

In talks with the telecommunications industry and others, the Clinton Administration is trying to build such a consensus. That's an excellent idea, but as a veteran of the encryption debates, I have one prediction. Nothing will come of the effort unless the Administration announces clearly and unequivocally that whatever institution it creates to address this problem will offer no advice about encryption policy. None. Zip. Zero.

A high-level review of computer security that doesn't talk about encryption -- what could be more boring? But the alternative is to sit around waiting for a Pearl Harbor attack on our information infrastructure. And in the end, that'll be a tad more excitement than any of us really wants.

-------------------

Stewart Baker has an international and technology law practice in Washington. He was general counsel to the National Security Agency in 1992-94. He is a member of the Defense Science Board task force on information warfare defense.