[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Govt. key escrow justification




I'm attaching the Nando and NYT pieces on the President's Commission
on Critical Infrastructure Protection.  As feared yet expected, their
effort is turning into another key escrow justification.  Anyone who
is interested, let me know, I've commented the PCCIP summary report
(the full report is classified).  I'm one of the few public strong-
crypto supporters who also happens to be a professional in the field
of infrastructural attacks, so this makes things even more lonely.
Michael Wilson
http://www.7pillars.com/

   ________________________________________________________________________
                                       
               U.S. cyberterrorism report hit on encryption stance
  ____________________________________________________________________________
                                        
      Copyright ) 1997 Nando.net
      Copyright ) 1997 Reuters
      
   WASHINGTON (November 6, 1997 00:53 a.m. EST http://www.nando.net) - The
   U.S. commission on critical infrastructure drew strong criticism
   Wednesday for endorsing the Clinton administration's controversial
   policy that would require government access to all private computer
   data.
   
   Sen. Patrick Leahy, Democrat of Vermont, said significant questions had
   been raised about the costs and feasibility of so-called key recovery
   systems.
   
   "Until those significant questions are fully considered and answered, we
   should be cautious in adopting grand key recovery encryption schemes
   that may only exacerbate system vulnerabilities," Leahy said in a
   statement.
   
   The commission's report, delivered to President Clinton last month and
   later released to the public in declassified form, warned that critical
   telephone, power, water and financial systems were becoming increasingly
   vulnerable to computer attack.
   
   The commission also said it favored greater use of computer encryption
   programs, which use mathematical formulas to scramble information and
   render it unreadable without a password or software "key."
   
   Encryption programs could be used to prevent hackers or terrorists from
   infiltrating computer networks that run critical infrastructure systems,
   for example.
   
   But the commission backed use of key recovery, a technology to allow law
   enforcement officials to decode any encrypted message covertly.
   
   "Key recovery is needed to provide business access to data when
   encryption keys are lost or maliciously misplaced, and court-authorized
   law enforcement access to the plain text of criminal related
   communications and data lawfully seized," the report said.
   
   FBI director Louis Freeh and other law enforcement officials back
   legislation to require all encryption products to include such features,
   but many high-tech companies, scientists, and civil libertarians oppose
   mandatory back-door access to coded information.
   
   The Center for Democracy and Technology, an Internet advocacy group,
   noted that a recent report by cryptography experts found that key
   recovery features added numerous new vulnerabilities to computer
   systems.
   
   "Key recovery is inconsistent with the (commission's) own calls for
   greater security in our nation's critical infrastructures," the group
   said.
   
   Robert Marsh, who chaired the commission, defended the report to
   reporters after a hearing before the Senate Judiciary Committee's
   technology and terrorism subcommittee.
   
   Marsh contended the report took a balanced view of the encryption
   debate. "We didn't get into the encryption debate and all the nuances
   and individual decisions," he said. "We simply came on strong for
   encryption."
   
   In its formal recommendations, the commission urged the government to
   speed up pilot programs on key recovery, promote efforts to plan for
   implementing large-scale key recovery systems and encourage
   private-sector key recovery efforts.
     ___________________________________________________________________

      November 6, 1997
      
Head of Cyber-Terrorism Panel Says Encryption Rules May Be Needed

      By JERI CLAUSING Bio
      
     WASHINGTON The head of a presidential commission on cyber-terrorism
     on Wednesday told a Senate panel that a mandatory system guaranteeing
     third-party access to scrambled computer communications may be
     necessary if industry does not embrace the Clinton administration's
     plan for a voluntary encryption decoding system.
       ________________________________________________________________
     
     Robert T. Marsh, an aerospace consultant and retired Air Force
     general who is chairman of the President's Commission on Critical
     Infrastructure Protection, made the remarks in his first
     non-classified report on the commission's 15-month study and its
     recommendations for protecting the nation's computer networks from
     high-tech terrorism.
     
     The commission recommended a variety of proposals, including
     increased private-public partnership and information sharing, more
     comprehensive background checks on people who hold sensitive
     positions, strengthening of government computer systems and spending
     more on research to improve network security.
     
     But the key to national security, Marsh said, is strong encryption
     coupled with a back-door access for law enforcement officials to
     sensitive communications.
     
     "We want to see that adopted over all the critical control functions
     at an early date," he told the Senate Judiciary Committee's
     Subcommittee on Technology, Terrorism and Government Information.
     
     The commission's recommendation for a voluntary system that would
     give law enforcement officials the ability to decode electronic
     messages, called a key-recovery system, mirrors that of the
     administration, which says it wants ensure such officials can gain
     access to the coded communications of suspected criminals and
     terrorists.
     
     Encryption policy has been a volatile topic on Capitol Hill this
     year, where bills ranging from an industry-backed ban on key recovery
     to an FBI-supported mandatory key-recovery scheme have passed various
     House committees. The Clinton administration insists it supports a
     Senate bill establishing voluntary key recovery.
     
     "We didn't get into the encryption debate and all the nuances of
     individual positions," Marsh said. "We simply came on strong for
     encryption. We must have encryption."
     
     He told the panel that "we must lower the temperature of the
     encryption debate" long enough to complete pilot projects on key
     recovery that will prove to industry that such systems can work.
     
     Various agencies of the federal government currently are developing
     13 key recovery pilot projects, which were on display Wednesday at a
     Government Information Technology Services conference. Marsh said the
     National Security Agency and the National Institutes for Standards
     and Technology should head efforts to perfect those systems and set
     standards for a national infrastructure protection office to carry
     out.

     Asked by the subcommittee's chairman, Jon Kyl, an Arizona Republican,
     if those controls should be mandated, Marsh responded: "We think
     businessmen will find it in their best interest to incorporate these
     controls. ... Of course, in due time, that may be an option if they
     are not willing to accept them."
     
     Critics blasted the report as premature and contradictory.
     
     "I am concerned that the report's recommendations that large-scale
     key-recovery encryption systems which allow for surreptitious
     decryption by law enforcement be deployed for use by federal agencies
     and the private sector is premature," said Senator Patrick Leahy, a
     Vermont Democrat who has sponsored a bill to relax controls on
     encryption technology."
     
     "Significant questions have been raised by leading cryptographers
     about the security risks inherent in large-scale key recovery
     systems, which introduce new vulnerabilities and targets for attack,
     as well as about the costs and feasibility of implementing such
     systems."
     
     The Center for Democracy and Technology said the "increasing
     vulnerabilities," "increasing dependence on critical infrastructure,"
     and "wide spectrum of threats" identified by the commission all
     provide powerful arguments against the deployment of the vastly
     complex and insecure systems for back-door access that key recovery
     requires.
     
     The center cited a recent study by 11 expert cryptographers and
     computer security experts, "The Risks of Key Recovery, Key Escrow,
     and Trusted Third Parties," which identifies numerous risks in the
     widespread deployment of such key-recovery plans. Among those risks
     is insider abuse, which Marsh said so far has been the chief culprit
     in computer-related crimes.
     
     Marsh said a separate section of the report makes "recommendations
     that try to equip us better to deal with the insider threat, that's a
     separate problem."
       ________________________________________________________________

    Jeri Clausing at [email protected] welcomes your comments and
    suggestions.
       ________________________________________________________________

                  Copyright 1997 The New York Times Company

---
For those who want to track this issue further, the PCCIP is at
http://www.pccip.gov/