[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Govt. key escrow justification
I'm attaching the Nando and NYT pieces on the President's Commission
on Critical Infrastructure Protection. As feared yet expected, their
effort is turning into another key escrow justification. Anyone who
is interested, let me know, I've commented the PCCIP summary report
(the full report is classified). I'm one of the few public strong-
crypto supporters who also happens to be a professional in the field
of infrastructural attacks, so this makes things even more lonely.
Michael Wilson
http://www.7pillars.com/
________________________________________________________________________
U.S. cyberterrorism report hit on encryption stance
____________________________________________________________________________
Copyright ) 1997 Nando.net
Copyright ) 1997 Reuters
WASHINGTON (November 6, 1997 00:53 a.m. EST http://www.nando.net) - The
U.S. commission on critical infrastructure drew strong criticism
Wednesday for endorsing the Clinton administration's controversial
policy that would require government access to all private computer
data.
Sen. Patrick Leahy, Democrat of Vermont, said significant questions had
been raised about the costs and feasibility of so-called key recovery
systems.
"Until those significant questions are fully considered and answered, we
should be cautious in adopting grand key recovery encryption schemes
that may only exacerbate system vulnerabilities," Leahy said in a
statement.
The commission's report, delivered to President Clinton last month and
later released to the public in declassified form, warned that critical
telephone, power, water and financial systems were becoming increasingly
vulnerable to computer attack.
The commission also said it favored greater use of computer encryption
programs, which use mathematical formulas to scramble information and
render it unreadable without a password or software "key."
Encryption programs could be used to prevent hackers or terrorists from
infiltrating computer networks that run critical infrastructure systems,
for example.
But the commission backed use of key recovery, a technology to allow law
enforcement officials to decode any encrypted message covertly.
"Key recovery is needed to provide business access to data when
encryption keys are lost or maliciously misplaced, and court-authorized
law enforcement access to the plain text of criminal related
communications and data lawfully seized," the report said.
FBI director Louis Freeh and other law enforcement officials back
legislation to require all encryption products to include such features,
but many high-tech companies, scientists, and civil libertarians oppose
mandatory back-door access to coded information.
The Center for Democracy and Technology, an Internet advocacy group,
noted that a recent report by cryptography experts found that key
recovery features added numerous new vulnerabilities to computer
systems.
"Key recovery is inconsistent with the (commission's) own calls for
greater security in our nation's critical infrastructures," the group
said.
Robert Marsh, who chaired the commission, defended the report to
reporters after a hearing before the Senate Judiciary Committee's
technology and terrorism subcommittee.
Marsh contended the report took a balanced view of the encryption
debate. "We didn't get into the encryption debate and all the nuances
and individual decisions," he said. "We simply came on strong for
encryption."
In its formal recommendations, the commission urged the government to
speed up pilot programs on key recovery, promote efforts to plan for
implementing large-scale key recovery systems and encourage
private-sector key recovery efforts.
___________________________________________________________________
November 6, 1997
Head of Cyber-Terrorism Panel Says Encryption Rules May Be Needed
By JERI CLAUSING Bio
WASHINGTON The head of a presidential commission on cyber-terrorism
on Wednesday told a Senate panel that a mandatory system guaranteeing
third-party access to scrambled computer communications may be
necessary if industry does not embrace the Clinton administration's
plan for a voluntary encryption decoding system.
________________________________________________________________
Robert T. Marsh, an aerospace consultant and retired Air Force
general who is chairman of the President's Commission on Critical
Infrastructure Protection, made the remarks in his first
non-classified report on the commission's 15-month study and its
recommendations for protecting the nation's computer networks from
high-tech terrorism.
The commission recommended a variety of proposals, including
increased private-public partnership and information sharing, more
comprehensive background checks on people who hold sensitive
positions, strengthening of government computer systems and spending
more on research to improve network security.
But the key to national security, Marsh said, is strong encryption
coupled with a back-door access for law enforcement officials to
sensitive communications.
"We want to see that adopted over all the critical control functions
at an early date," he told the Senate Judiciary Committee's
Subcommittee on Technology, Terrorism and Government Information.
The commission's recommendation for a voluntary system that would
give law enforcement officials the ability to decode electronic
messages, called a key-recovery system, mirrors that of the
administration, which says it wants ensure such officials can gain
access to the coded communications of suspected criminals and
terrorists.
Encryption policy has been a volatile topic on Capitol Hill this
year, where bills ranging from an industry-backed ban on key recovery
to an FBI-supported mandatory key-recovery scheme have passed various
House committees. The Clinton administration insists it supports a
Senate bill establishing voluntary key recovery.
"We didn't get into the encryption debate and all the nuances of
individual positions," Marsh said. "We simply came on strong for
encryption. We must have encryption."
He told the panel that "we must lower the temperature of the
encryption debate" long enough to complete pilot projects on key
recovery that will prove to industry that such systems can work.
Various agencies of the federal government currently are developing
13 key recovery pilot projects, which were on display Wednesday at a
Government Information Technology Services conference. Marsh said the
National Security Agency and the National Institutes for Standards
and Technology should head efforts to perfect those systems and set
standards for a national infrastructure protection office to carry
out.
Asked by the subcommittee's chairman, Jon Kyl, an Arizona Republican,
if those controls should be mandated, Marsh responded: "We think
businessmen will find it in their best interest to incorporate these
controls. ... Of course, in due time, that may be an option if they
are not willing to accept them."
Critics blasted the report as premature and contradictory.
"I am concerned that the report's recommendations that large-scale
key-recovery encryption systems which allow for surreptitious
decryption by law enforcement be deployed for use by federal agencies
and the private sector is premature," said Senator Patrick Leahy, a
Vermont Democrat who has sponsored a bill to relax controls on
encryption technology."
"Significant questions have been raised by leading cryptographers
about the security risks inherent in large-scale key recovery
systems, which introduce new vulnerabilities and targets for attack,
as well as about the costs and feasibility of implementing such
systems."
The Center for Democracy and Technology said the "increasing
vulnerabilities," "increasing dependence on critical infrastructure,"
and "wide spectrum of threats" identified by the commission all
provide powerful arguments against the deployment of the vastly
complex and insecure systems for back-door access that key recovery
requires.
The center cited a recent study by 11 expert cryptographers and
computer security experts, "The Risks of Key Recovery, Key Escrow,
and Trusted Third Parties," which identifies numerous risks in the
widespread deployment of such key-recovery plans. Among those risks
is insider abuse, which Marsh said so far has been the chief culprit
in computer-related crimes.
Marsh said a separate section of the report makes "recommendations
that try to equip us better to deal with the insider threat, that's a
separate problem."
________________________________________________________________
Jeri Clausing at [email protected] welcomes your comments and
suggestions.
________________________________________________________________
Copyright 1997 The New York Times Company
---
For those who want to track this issue further, the PCCIP is at
http://www.pccip.gov/