[ISN] Cybersecurity should be kept in civilian hands

R. A. Hettinga rah at shipwright.com
Mon Aug 19 17:31:39 EDT 2002


--- begin forwarded text


Status: RO
Date: Mon, 19 Aug 2002 07:40:25 -0500 (CDT)
From: InfoSec News <isn at c4i.org>
To: isn at attrition.org
Subject: [ISN] Cybersecurity should be kept in civilian hands
Sender: owner-isn at attrition.org
Reply-To: InfoSec News <isn at c4i.org>

http://www.boston.com/dailyglobe2/230/business/Cybersecurity_should_be_kept_in_civilian_hands+.shtml

By Whitfield Diffie and Susan Landau, 8/18/2002

In the wake of Sept. 11, we're all agreed on the need to protect
critical infrastructure - telecommunications, electric power,
transportation, banking, and finance. We also know much of that
infrastructure depends on the Internet, so cybersecurity will be a
critical concern of the proposed Department of Homeland Security. The
only question: How best to achieve it?

The administration's plan has the FBI's National Infrastructure
Protection Center, the Commerce Department's Critical Infrastructure
Protection Office, and the GSA's Federal Computer Incident Response
Center all moving over to the new Department of Homeland Security.
That's appropriate. But the plan also includes moving the Commerce
Department's Computer Security Division (part of the National
Institute of Standards and Technology) to Homeland Security. That move
would be a big mistake.

The Computer Security Division's job is to develop security standards
and technology for the protection of sensitive information in
government and the private sector. The problem with moving this
division into Homeland Security is that the civilian side of the world
doesn't work the same way as the classified side.

A case in point: Computer security outside the national security
community has been a Commerce Department responsibility since 1967,
but in the 1980s, a challenge to that authority arose. The National
Security Agency, which provides information security for classified
government information, felt it had more expertise. So the NSA pressed
banks to adopt its systems, the workings of which were classified,
over the publicly released Data Encryption Standard. But banking
standards are international. There was no way other countries would
accept information security standards they couldn't verify.

The NSA's efforts set the banks' standards efforts back 16 months.

The 1980s and '90s saw many battles over the Computer Security
Division's cryptography standards, with national security and law
enforcement arrayed on one side, industry and the public on the other.
In a study titled ''Cryptography's Role in Securing the Information
Society,'' the National Research Council found the result was a delay
in the deployment of secure systems - exactly the opposite of what is
needed now.

These days the Computer Security Division has learned how to develop
computer security standards in an open environment, thus smoothing the
path to widespread international use. It is well suited by tradition,
reputation, and structure to do this.

Its recent successes include approval of the algorithm Rijndael,
designed by two Belgian cryptographers, as the new Advanced Encryption
Standard (AES). This Federal Information Processing Standard was the
culmination of a four-year effort by the Computer Security Division.
The result is an algorithm that is well accepted internationally and
likely to be rapidly adopted.

The bottom line is this: We haven't got the 16 months that banking
lost when NSA tried to involve itself in issues properly belonging to
the civilian world.

As recently reported in the national press, Al Qaeda has been
exploring cyberattacks. The Department of Homeland Security needs to
have the resources to prevent them. It may, for example, need
additional cybersecurity expertise for determining appropriate
standards for systems controlling critical infrastructure components,
much like the Treasury Department's standards for electronic funds
transfer, which mandate the use of the Data Encryption Standard, the
predecessor to AES. But the Computer Security Division is effectively
doing its job improving computer security for public systems. Moving
it to a department controlled by law enforcement and national security
would diminish its effectiveness.

It would, in short, leave us less secure in cyberspace, not more.

Sun Microsystems' Whitfield Diffie, chief security officer, and Susan
Landau, senior staff engineer, are co-authors of ''Privacy on the
Line: the Politics of Wiretapping and Encryption'' (MIT Press, 1998).
Diffie is the coinventor of public-key cryptography.

This story ran on page E4 of the Boston Globe on 8/18/2002.




--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
