From: David Sternlight <david@sternlight.com>
Date: Fri, 19 Jul 1996 09:59:21 +0800
To: Jeff Barber <jeffb@issl.atl.hp.com>
Subject: Re: Gorelick testifies before Senate, unveils new executive order
In-Reply-To: <v03007605ae13b9a0cd37@[192.187.162.15]>
Message-ID: <v03007608ae142fe9978b@[192.187.162.15]>
MIME-Version: 1.0
Content-Type: text/plain


At 8:14 AM -0700 7/18/96, Jeff Barber wrote:
>David Sternlight writes:
>
>> Here's the problem in a nutshell: Everyone who has looked at our systems,
>> from Cliff Stoll on to blue ribbon scientific commissions, has come to the
>> conclusion that our society is vulnerable to willful sabotage from abroad,
>> ranging from information sabotage (hacking electronic financial
>> transactions) to physical sabotage (hacking power grid control computers to
>> cause widespread power failures leading to serious damage to people and
>> things; hacking the phone companies' computers, etc.). Some cases have
>> already been observed. The field has already got a name and lots of
>> publications. It's called "information warfare" and the government is
>> taking it VERY seriously.
>>
>> Serious studies have shown that the kinds of protections to make the
>> systems we depend on robust against determined and malicious attackers (say
>> a terrorist government, or one bent on doing a lot of damage in retaliation
>> for one of our policies they don't like), have costs beyond the capability
>> of individual private sector actors.
>
>> In such a case, where public benefits from government action greatly exceed
>> public (taxpayer) costs, and the private sector cannot (or will not) act
>> unaided, the classical basis for government action in the interests of the
>> citizenry exists. It's the economist's "lighthouse" argument.
>>
>> The motivation has nothing to do with privacy, government snooping, or any
>> of the other things some get so excited about, though the solutions
>> certainly have side effects in those domains. The goal should be to
>> minimize the deleterious side-effects, not to throw out the baby with the
>> bath water.
>
>I for one reject your premise and your conclusions.  There is no
>indication that government is capable of addressing this "problem"
>in a useful way.

Let's see what the study group recommends. There are a lot of things the
government can do, and plenty of historical precedent. To take one example,
in the merchant marine industry the government for years paid a subsidy for
shipbuilders to add certain "national defense features" to ships they were
building, to harden them in excess of normal civilian requirements so
they'd be robust in time of war. No shipbuilder could afford such features
unaided, and without them we either had a dramatically reduced shipping
capability in wartime or a very vulnerable one. Things have changed since
then, but the basic principles in the example are still valid.

> In fact, I argue that the situation is at least
>partially of government construction.  The government's hindrance of
>crypto technology has undoubtedly slowed down and in many cases
>entirely prevented the application of current technology to protect
>the very systems the government now purports to be concerned about.

There are no restrictions on using as good domestic crypto as you can get,
and this issue is about the robustness of our domestic information
infrastructure. Clearly if hardening were cost-justified to the civilian
companies it would have been done already.

One of the core problems is that the benefits from hardening cannot be
captured by the individual compnanies, so they cannot cost-justify doing
it. But the losses from failure to harden can cost the wider society much
treasure. That's a natural case for government intervention on behalf of
the wider society. It's exactly like the "lighthouse" argument. The
benefits from a lighthouse can't justify an individual shipbuilder building
one, but the losses to society from the random aggregation of shipwrecks
are far greater than the cost of lighthouses. Ergo, the government builds
the lighthouses.

>
>(This is not conjecture or speculation; it is fact.  I personally have
>witnessed -- and, in some cases, been part of -- the many hundreds of
>hours of productivity lost to producing and distributing security software
>in ways that protect the company from ITAR violations, or trying to
>formulate adequate solutions for the company's non-US customers.)

Irrelevant to the central issue we're discussing, and by comparison, a gnat.

>
>My message to a government concerned about the dangers of "information
>warfare" (and its apologists): get out of the way and let industry work
>on security.  Then you can choose from the products offered for your
>protection or develop your own.  But don't sit there and prevent or help
>prevent deployment of security technology while decrying the lack of
>security.

This isn't about preventing domestic deployment but assisting it. You are
raising an entirely unrelated issue--crypto export policy.

>
>I don't claim that the current security deficiencies are entirely due
>to ITAR restrictions but it is certainly a significant factor, and there
>is still zero evidence that the government is competent to help.  Let
>them first fix their own problems (e.g. the alleged 250,000 DoD computer
>breakins), *then* come help us in the private sector.

Again as irrelevant as the argument that we shouldn't jail criminals until
we've eliminated the economic inequities that allegedly produce crime.

David