1996-07-19 - Re: Gorelick testifies before Senate, unveils new executive order

Header Data

From: Jeff Barber <jeffb@issl.atl.hp.com>
To: david@sternlight.com (David Sternlight)
Message Hash: e92930badc5d693532bfb68e43904cbd88520ab38d9b954863d4f2ba17130219
Message ID: <199607182032.QAA17421@jafar.issl.atl.hp.com>
Reply To: <v03007608ae142fe9978b@[]>
UTC Datetime: 1996-07-19 04:53:42 UTC
Raw Date: Fri, 19 Jul 1996 12:53:42 +0800

Raw message

From: Jeff Barber <jeffb@issl.atl.hp.com>
Date: Fri, 19 Jul 1996 12:53:42 +0800
To: david@sternlight.com (David Sternlight)
Subject: Re: Gorelick testifies before Senate, unveils new executive order
In-Reply-To: <v03007608ae142fe9978b@[]>
Message-ID: <199607182032.QAA17421@jafar.issl.atl.hp.com>
MIME-Version: 1.0
Content-Type: text/plain

David Sternlight writes:
> At 8:14 AM -0700 7/18/96, Jeff Barber wrote:
> >David Sternlight writes:
> >
> >> Here's the problem in a nutshell: Everyone who has looked at our systems,
> >> from Cliff Stoll on to blue ribbon scientific commissions, has come to the
> >> conclusion that our society is vulnerable to willful sabotage from abroad,
> >> ranging from information sabotage (hacking electronic financial
> >> transactions) to physical sabotage (hacking power grid control computers to
> >> cause widespread power failures leading to serious damage to people and
> >> things; hacking the phone companies' computers, etc.). Some cases have
> >> already been observed. The field has already got a name and lots of
> >> publications. It's called "information warfare" and the government is
> >> taking it VERY seriously.

> >I for one reject your premise and your conclusions.  There is no
> >indication that government is capable of addressing this "problem"
> >in a useful way.
> Let's see what the study group recommends. There are a lot of things the
> government can do, and plenty of historical precedent.

There *are* a lot of things government can do.  There aren't a lot of
things it can do well.  But you want to wait and see what a *government
study group* decides to recommend?  Gee, who can guess what they'll decide?

>                                                        To take one example,
> in the merchant marine industry the government for years paid a subsidy for
> shipbuilders to add certain "national defense features" to ships they were
> building, to harden them in excess of normal civilian requirements so
> they'd be robust in time of war. No shipbuilder could afford such features
> unaided, and without them we either had a dramatically reduced shipping
> capability in wartime or a very vulnerable one. Things have changed since
> then, but the basic principles in the example are still valid.

This wonderful little anecdote proves nothing by itself.  How many of
these merchant ships survived u-boat torpedos thanks to this hardening?
I'd guess the number's pretty near zero.

> > In fact, I argue that the situation is at least
> >partially of government construction.  The government's hindrance of
> >crypto technology has undoubtedly slowed down and in many cases
> >entirely prevented the application of current technology to protect
> >the very systems the government now purports to be concerned about.
> There are no restrictions on using as good domestic crypto as you can get,
> and this issue is about the robustness of our domestic information
> infrastructure.

This is simply wrong.  There *are* restrictions on domestic crypto.  They
are restrictions imposed by the crypto export policy.   Maybe there isn't
an outright ban but there *are* nevertheless real restrictions (look up
"restrict" in a dictionary near you).  And tell Netscape there are no
restrictions.  We've all seen what they're going through to provide
download access to domestic customers for products with strong encryption.
News flash for David: jumping through these types of government-imposed
hoops costs *real money* that could be better spent elsewhere.

>                 Clearly if hardening were cost-justified to the civilian
> companies it would have been done already.

It is being done as we speak.  The government has clearly slowed the
process down though.  And the more governmental involvement, the slower
the process will go.  (And the quality of the result will likely suffer

> One of the core problems is that the benefits from hardening cannot be
> captured by the individual compnanies, so they cannot cost-justify doing
> it.

This hasn't been demonstrated to my satisfaction.  I disagree, and I bet
most American companies would too.

> it. But the losses from failure to harden can cost the wider society much
> treasure. That's a natural case for government intervention on behalf of
> the wider society. It's exactly like the "lighthouse" argument. The
> benefits from a lighthouse can't justify an individual shipbuilder building
> one, but the losses to society from the random aggregation of shipwrecks
> are far greater than the cost of lighthouses. Ergo, the government builds
> the lighthouses.

Apples and oranges.  The costs of protecting companies' resources is not
so high and the potential costs of not doing so are far higher.

> >My message to a government concerned about the dangers of "information
> >warfare" (and its apologists): get out of the way and let industry work
> >on security.  Then you can choose from the products offered for your
> >protection or develop your own.  But don't sit there and prevent or help
> >prevent deployment of security technology while decrying the lack of
> >security.
> This isn't about preventing domestic deployment but assisting it. You are
> raising an entirely unrelated issue--crypto export policy.

I'm merely pointing out the hypocrisy of a government that bemoans the
lack of security infrastructure even as it has been hard at work raising
obstacles to those that would build it.

> >I don't claim that the current security deficiencies are entirely due
> >to ITAR restrictions but it is certainly a significant factor, and there
> >is still zero evidence that the government is competent to help.  Let
> >them first fix their own problems (e.g. the alleged 250,000 DoD computer
> >breakins), *then* come help us in the private sector.
> Again as irrelevant as the argument that we shouldn't jail criminals until
> we've eliminated the economic inequities that allegedly produce crime.

Putting the government in charge of fixing security problems is likely
to result in an infrastructure optimized for surveillance, as we've seen
with other government-sponsored initiatives (Clipper, DigitalTelephony,
etc.).  The only security assistance that business and the public have ever
gotten from the government has been the kind with unacceptable conditions
(like undisclosed algorithms, "escrowed" keys, secret courts, etc.).
If the government wants to do that to its employees, fine.  (In fact,
if a private company wants to do that to its employees, that's fine too; 
I won't be working for them, but IMO it's their prerogative.)  But I
don't want the government telling industry what to do with its security. 
Furthermore, I don't want my tax dollars involved in funding (or perhaps
worse, "incentivising") it.  Just get government out of this business.

-- Jeff