From: Jeff Barber <jeffb@issl.atl.hp.com>
Date: Fri, 19 Jul 1996 03:37:01 +0800
To: david@sternlight.com (David Sternlight)
Subject: Re: Gorelick testifies before Senate, unveils new executive order
In-Reply-To: <v03007605ae13b9a0cd37@[192.187.162.15]>
Message-ID: <199607181514.LAA16918@jafar.issl.atl.hp.com>
MIME-Version: 1.0
Content-Type: text/plain


David Sternlight writes:

> Here's the problem in a nutshell: Everyone who has looked at our systems,
> from Cliff Stoll on to blue ribbon scientific commissions, has come to the
> conclusion that our society is vulnerable to willful sabotage from abroad,
> ranging from information sabotage (hacking electronic financial
> transactions) to physical sabotage (hacking power grid control computers to
> cause widespread power failures leading to serious damage to people and
> things; hacking the phone companies' computers, etc.). Some cases have
> already been observed. The field has already got a name and lots of
> publications. It's called "information warfare" and the government is
> taking it VERY seriously.
> 
> Serious studies have shown that the kinds of protections to make the
> systems we depend on robust against determined and malicious attackers (say
> a terrorist government, or one bent on doing a lot of damage in retaliation
> for one of our policies they don't like), have costs beyond the capability
> of individual private sector actors.

> In such a case, where public benefits from government action greatly exceed
> public (taxpayer) costs, and the private sector cannot (or will not) act
> unaided, the classical basis for government action in the interests of the
> citizenry exists. It's the economist's "lighthouse" argument.
> 
> The motivation has nothing to do with privacy, government snooping, or any
> of the other things some get so excited about, though the solutions
> certainly have side effects in those domains. The goal should be to
> minimize the deleterious side-effects, not to throw out the baby with the
> bath water.

I for one reject your premise and your conclusions.  There is no 
indication that government is capable of addressing this "problem"
in a useful way.  In fact, I argue that the situation is at least
partially of government construction.  The government's hindrance of
crypto technology has undoubtedly slowed down and in many cases
entirely prevented the application of current technology to protect
the very systems the government now purports to be concerned about.

(This is not conjecture or speculation; it is fact.  I personally have
witnessed -- and, in some cases, been part of -- the many hundreds of
hours of productivity lost to producing and distributing security software
in ways that protect the company from ITAR violations, or trying to
formulate adequate solutions for the company's non-US customers.)

My message to a government concerned about the dangers of "information
warfare" (and its apologists): get out of the way and let industry work
on security.  Then you can choose from the products offered for your 
protection or develop your own.  But don't sit there and prevent or help
prevent deployment of security technology while decrying the lack of
security.

I don't claim that the current security deficiencies are entirely due
to ITAR restrictions but it is certainly a significant factor, and there
is still zero evidence that the government is competent to help.  Let
them first fix their own problems (e.g. the alleged 250,000 DoD computer
breakins), *then* come help us in the private sector.


-- Jeff