[ISN] Cybersecurity should be kept in civilian hands

From: InfoSec News (isnat_private)
Date: Mon Aug 19 2002 - 05:40:25 PDT

    http://www.boston.com/dailyglobe2/230/business/Cybersecurity_should_be_kept_in_civilian_hands+.shtml
    
    By Whitfield Diffie and Susan Landau, 8/18/2002
    
    In the wake of Sept. 11, we're all agreed on the need to protect
    critical infrastructure - telecommunications, electric power,
    transportation, banking, and finance. We also know much of that
    infrastructure depends on the Internet, so cybersecurity will be a
    critical concern of the proposed Department of Homeland Security. The
    only question: How best to achieve it?
    
    The administration's plan has the FBI's National Infrastructure
    Protection Center, the Commerce Department's Critical Infrastructure
    Protection Office, and the GSA's Federal Computer Incident Response
    Center all moving over to the new Department of Homeland Security.
    That's appropriate. But the plan also includes moving the Commerce
    Department's Computer Security Division (part of the National
    Institute of Standards and Technology) to Homeland Security. That move
    would be a big mistake.
    
    The Computer Security Division's job is to develop security standards
    and technology for the protection of sensitive information in
    government and the private sector. The problem with moving this
    division into Homeland Security is that the civilian side of the world
    doesn't work the same way as the classified side.
    
    A case in point: Computer security outside the national security
    community has been a Commerce Department responsibility since 1967,
    but in the 1980s, a challenge to that authority arose. The National
    Security Agency, which provides information security for classified
    government information, felt it had more expertise. So the NSA pressed
    banks to adopt its systems, the workings of which were classified,
    over the publicly released Data Encryption Standard. But banking
    standards are international. There was no way other countries would
    accept information security standards they couldn't verify.
    
    The NSA's efforts set the banks' standards efforts back 16 months.
    
    The 1980s and '90s saw many battles over the Computer Security
    Division's cryptography standards, with national security and law
    enforcement arrayed on one side, industry and the public on the other.
    In a study titled "Cryptography's Role in Securing the Information
    Society," the National Research Council found the result was a delay
    in the deployment of secure systems - exactly the opposite of what is
    needed now.
    
    These days the Computer Security Division has learned how to develop
    computer security standards in an open environment, thus smoothing the
    path to widespread international use. It is well suited by tradition,
    reputation, and structure to do this.
    
    Its recent successes include approval of the algorithm Rijndael,
    designed by two Belgian cryptographers, as the new Advanced Encryption
    Standard (AES). This Federal Information Processing Standard was the
    culmination of a four-year effort by the Computer Security Division.
    The result is an algorithm that is well accepted internationally and
    likely to be rapidly adopted.
    
    The bottom line is this: We haven't got the 16 months that banking
    lost when NSA tried to involve itself in issues properly belonging to
    the civilian world.
    
    As recently reported in the national press, Al Qaeda has been
    exploring cyberattacks. The Department of Homeland Security needs to
    have the resources to prevent them. It may, for example, need
    additional cybersecurity expertise for determining appropriate
    standards for systems controlling critical infrastructure components,
    much like the Treasury Department's standards for electronic funds
    transfer, which mandate the use of the Data Encryption Standard, the
    predecessor to AES. But the Computer Security Division is effectively
    doing its job improving computer security for public systems. Moving
    it to a department controlled by law enforcement and national security
    would diminish its effectiveness.
    
    It would, in short, leave us less secure in cyberspace, not more.
    
    Sun Microsystems' Whitfield Diffie, chief security officer, and Susan
    Landau, senior staff engineer, are co-authors of "Privacy on the
    Line: the Politics of Wiretapping and Encryption" (MIT Press, 1998).
    Diffie is the coinventor of public-key cryptography.
    
    This story ran on page E4 of the Boston Globe on 8/18/2002.