http://www.boston.com/dailyglobe2/230/business/Cybersecurity_should_be_kept_in_civilian_hands+.shtml By Whitfield Diffie and Susan Landau, 8/18/2002 In the wake of Sept. 11, we're all agreed on the need to protect critical infrastructure - telecommunications, electric power, transportation, banking, and finance. We also know much of that infrastructure depends on the Internet, so cybersecurity will be a critical concern of the proposed Department of Homeland Security. The only question: How best to achieve it? The administration's plan has the FBI's National Infrastructure Protection Center, the Commerce Department's Critical Infrastructure Protection Office, and the GSA's Federal Computer Incident Response Center all moving over to the new Department of Homeland Security. That's appropriate. But the plan also includes moving the Commerce Department's Computer Security Division (part of the National Institute of Standards and Technology) to Homeland Security. That move would be a big mistake. The Computer Security Division's job is to develop security standards and technology for the protection of sensitive information in government and the private sector. The problem with moving this division into Homeland Security is that the civilian side of the world doesn't work the same way as the classified side. A case in point: Computer security outside the national security community has been a Commerce Department responsibility since 1967, but in the 1980s, a challenge to that authority arose. The National Security Agency, which provides information security for classified government information, felt it had more expertise. So the NSA pressed banks to adopt its systems, the workings of which were classified, over the publicly released Data Encryption Standard. But banking standards are international. There was no way other countries would accept information security standards they couldn't verify. The NSA's efforts set the banks' standards efforts back 16 months. The 1980s and '90s saw many battles over the Computer Security Division's cryptography standards, with national security and law enforcement arrayed on one side, industry and the public on the other. In a study titled ''Cryptography's Role in Securing the Information Society,'' the National Research Council found the result was a delay in the deployment of secure systems - exactly the opposite of what is needed now. These days the Computer Security Division has learned how to develop computer security standards in an open environment, thus smoothing the path to widespread international use. It is well suited by tradition, reputation, and structure to do this. Its recent successes include approval of the algorithm Rijndael, designed by two Belgian cryptographers, as the new Advanced Encryption Standard (AES). This Federal Information Processing Standard was the culmination of a four-year effort by the Computer Security Division. The result is an algorithm that is well accepted internationally and likely to be rapidly adopted. The bottom line is this: We haven't got the 16 months that banking lost when NSA tried to involve itself in issues properly belonging to the civilian world. As recently reported in the national press, Al Qaeda has been exploring cyberattacks. The Department of Homeland Security needs to have the resources to prevent them. It may, for example, need additional cybersecurity expertise for determining appropriate standards for systems controlling critical infrastructure components, much like the Treasury Department's standards for electronic funds transfer, which mandate the use of the Data Encryption Standard, the predecessor to AES. But the Computer Security Division is effectively doing its job improving computer security for public systems. Moving it to a department controlled by law enforcement and national security would diminish its effectiveness. It would, in short, leave us less secure in cyberspace, not more. Sun Microsystems' Whitfield Diffie, chief security officer, and Susan Landau, senior staff engineer, are co-authors of ''Privacy on the Line: the Politics of Wiretapping and Encryption'' (MIT Press, 1998). Diffie is the coinventor of public-key cryptography. This story ran on page E4 of the Boston Globe on 8/18/2002. - ISN is currently hosted by Attrition.org To unsubscribe email firstname.lastname@example.org with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Aug 19 2002 - 08:23:20 PDT