Re: Gorelick testifies before Senate, unveils new executive order

[David Sternlight <david@sternlight.com>]

At 1:32 PM -0700 7/18/96, Jeff Barber wrote:
>David Sternlight writes:
>>
>> At 8:14 AM -0700 7/18/96, Jeff Barber wrote:
>> >David Sternlight writes:
>> >
>> >> Here's the problem in a nutshell: Everyone who has looked at our systems,
>> >> from Cliff Stoll on to blue ribbon scientific commissions, has come
>>to the
>> >> conclusion that our society is vulnerable to willful sabotage from
>>abroad,
>> >> ranging from information sabotage (hacking electronic financial
>> >> transactions) to physical sabotage (hacking power grid control
>>computers to
>> >> cause widespread power failures leading to serious damage to people and
>> >> things; hacking the phone companies' computers, etc.). Some cases have
>> >> already been observed. The field has already got a name and lots of
>> >> publications. It's called "information warfare" and the government is
>> >> taking it VERY seriously.
>
>> >I for one reject your premise and your conclusions.  There is no
>> >indication that government is capable of addressing this "problem"
>> >in a useful way.
>>
>> Let's see what the study group recommends. There are a lot of things the
>> government can do, and plenty of historical precedent.
>
>There *are* a lot of things government can do.  There aren't a lot of
>things it can do well.  But you want to wait and see what a *government
>study group* decides to recommend?  Gee, who can guess what they'll decide?

You should do your homework. It's going to have a lot of industry people on
it and be chaired by an industry person.

>
>
>>                                                        To take one example,
>> in the merchant marine industry the government for years paid a subsidy for
>> shipbuilders to add certain "national defense features" to ships they were
>> building, to harden them in excess of normal civilian requirements so
>> they'd be robust in time of war. No shipbuilder could afford such features
>> unaided, and without them we either had a dramatically reduced shipping
>> capability in wartime or a very vulnerable one. Things have changed since
>> then, but the basic principles in the example are still valid.
>
>This wonderful little anecdote proves nothing by itself.  How many of
>these merchant ships survived u-boat torpedos thanks to this hardening?
>I'd guess the number's pretty near zero.

You should do your homework. It has to do with being able to carry military
cargoes. Those features worked perfectly.

>
>
>> > In fact, I argue that the situation is at least
>> >partially of government construction.  The government's hindrance of
>> >crypto technology has undoubtedly slowed down and in many cases
>> >entirely prevented the application of current technology to protect
>> >the very systems the government now purports to be concerned about.
>>
>> There are no restrictions on using as good domestic crypto as you can get,
>> and this issue is about the robustness of our domestic information
>> infrastructure.
>
>This is simply wrong.  There *are* restrictions on domestic crypto.  They
>are restrictions imposed by the crypto export policy.   Maybe there isn't
>an outright ban but there *are* nevertheless real restrictions (look up
>"restrict" in a dictionary near you).  And tell Netscape there are no
>restrictions.  We've all seen what they're going through to provide
>download access to domestic customers for products with strong encryption.
>News flash for David: jumping through these types of government-imposed
>hoops costs *real money* that could be better spent elsewhere.

You should do your homework. There are many restrictions in this world;
business licenses, paying for services used, etc. My point was that there
are no laws prohibiting strong domestic crypto and you know that to be
true.

>
>
>>                 Clearly if hardening were cost-justified to the civilian
>> companies it would have been done already.
>
>It is being done as we speak.  The government has clearly slowed the
>process down though.  And the more governmental involvement, the slower
>the process will go.  (And the quality of the result will likely suffer
>too.)

You are evading my point, which is that some protections are too expensive
for an individual firm to cost-justify but are justified in public benefits
from such protections. And there's no evidence that government regulations
have slowed down protections on domestic financial networks, domestic air
traffic control networks, etc.

I would not object if you were making valid points, but you're not. You're
evading the basic argument and trying to respond by nit-picking.

>
>
>> One of the core problems is that the benefits from hardening cannot be
>> captured by the individual compnanies, so they cannot cost-justify doing
>> it.
>
>This hasn't been demonstrated to my satisfaction.  I disagree, and I bet
>most American companies would too.

Again, you haven't done your homework. Ask any serious company what they'd
like to be able to do, and what they can afford (cost-justify) doing. I can
tell you from direct personal experience (I've been a senior technical
executive of two Fortune 50 companies) that you are flat wrong. Don't take
my word for it--ask the security chief of any Fortune 50 company.

Some companies used to have an aphorism "If you haven't had at least one
security violation, you're spending too much money on security." I don't
agree, but it reflects what companies used to think they could afford
unaided. Yet these days a "security violation" isn't just some safe left
unlocked in a guarded area but the West Coast power grid going down or a
747 being spoofed into a mountain.

>
>
>> it. But the losses from failure to harden can cost the wider society much
>> treasure. That's a natural case for government intervention on behalf of
>> the wider society. It's exactly like the "lighthouse" argument. The
>> benefits from a lighthouse can't justify an individual shipbuilder building
>> one, but the losses to society from the random aggregation of shipwrecks
>> are far greater than the cost of lighthouses. Ergo, the government builds
>> the lighthouses.
>
>Apples and oranges.  The costs of protecting companies' resources is not
>so high and the potential costs of not doing so are far higher.

"not so high" compared to what? what level of protection?
"costs of not doing so" doesn't capture public losses, which is the basis
for government intervention.You haven't done your homework. I suggest you
read any introductory economics text that covers public policy economics,
or any good cost/benefit analysis text.

>
>
>> >My message to a government concerned about the dangers of "information
>> >warfare" (and its apologists): get out of the way and let industry work
>> >on security.  Then you can choose from the products offered for your
>> >protection or develop your own.  But don't sit there and prevent or help
>> >prevent deployment of security technology while decrying the lack of
>> >security.
>>
>> This isn't about preventing domestic deployment but assisting it. You are
>> raising an entirely unrelated issue--crypto export policy.
>
>I'm merely pointing out the hypocrisy of a government that bemoans the
>lack of security infrastructure even as it has been hard at work raising
>obstacles to those that would build it.

Now THAT is apples and oranges. The security of, say, IBM's, or the FAA's,
or AT&T's domestic computer networks has little to do with crypto export
policy.

>
>
>> >I don't claim that the current security deficiencies are entirely due
>> >to ITAR restrictions but it is certainly a significant factor, and there
>> >is still zero evidence that the government is competent to help.  Let
>> >them first fix their own problems (e.g. the alleged 250,000 DoD computer
>> >breakins), *then* come help us in the private sector.
>>
>> Again as irrelevant as the argument that we shouldn't jail criminals until
>> we've eliminated the economic inequities that allegedly produce crime.
>
>Putting the government in charge of fixing security problems is likely
>to result in an infrastructure optimized for surveillance, as we've seen
>with other government-sponsored initiatives (Clipper, DigitalTelephony,
>etc.).

The subject matter of the Commission's inquiry has more to do with
authentication than message encryption, and more to do with infrastructure
and network security. And as it happens there is no problem getting export
licenses for authentication-only software with as secure a key as you like
and no escrow. RIPEM/SIG did it years ago. You aren't even on the same page
as this issue.


>The only security assistance that business and the public have ever
>gotten from the government has been the kind with unacceptable conditions
>(like undisclosed algorithms, "escrowed" keys, secret courts, etc.).

Again, you are trying to fight a different battle in the wrong arena.
This isn't about your ability to encrypt your traffic. It's about securing
the domestic infrastructure against information warfare. I know this is
beginning to sound tiresome, but you'd better do your homework.

David