Computer underground Digest    Wed  Jul 10, 1996   Volume 8 : Issue 52
                          ISSN  1004-042X

      Editor: Jim Thomas ([email protected])
      News Editor: Gordon Meyer ([email protected])
      Archivist: Brendan Kehoe
      Shadow Master: Stanton McCandlish
      Field Agent Extraordinaire:   David Smith
      Shadow-Archivists: Dan Carosone / Paul Southworth
                         Ralph Sims / Jyrki Kuoppala
                         Ian Dickinson
      Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #8.52 (Wed, Jul 10, 1996)

File 1--DOJ calls for "Manhattan Project" to combat "the new cyber threats"
File 2--Cu Digest Header Info (unchanged since 7 Apr, 1996)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

Date: Sun, 9 Jun 1996 01:04:51 -0500
From: Mike Godwin <[email protected]>
Subject: File 1-- DOJ calls for "Manhattan Project" to combat "the new cyber threats"


[The following document was typed in from a photocopy by Mike
Godwin, [email protected]. Any errors in transcription are his.]

             NATIONAL SECURITY IN THE INFORMATION AGE
            Conference at the U.S. Air Force Academy,
                    Colorado Springs, Colorado
                         29 February 1996

                 THE HONORABLE JAMIE S. GORELICK,
           DEPUTY ATTORNEY GENERAL OF THE UNITED STATES

Thank you for that kind introduction. I very much appreciate the
opportunity to speak with you this evening about national
security in the information age.  You have brought together a
truly remarkable collection of people for this conference. This
is precisely the sort of cross-section of government and
industry that is needed for us to begin working through the
difficult policy questions that must be resolved.

In some ways, what we are experiencing today is sort of the "Big
Bang" moment in the development of information technology: New
technology is virtually exploding onto the scene, with important
developments occurring almost daily. With each new technological
innovation, there are not only myriad new opportunities for
business and new conveniences for consumers, but also new legal
and policy issues for national policymakers to confront. And
since, as many of you know,


Begin Page 2

policy making in Washington is not always lightning-quick, it
will not surprise you to learn that the development of
technology has to a large degree outpaced our planning and
actions.

Fortunately, though, this has begun to change. Tonight, I would
like to speak with you about some of the important developments
that are taking place in Washington concerning national security
in the information age. More importantly, I want to underscore
the importance of developing and continuing a dialogue between
government and industry on these issues. Simply put, no matter
what we try to do in Washington, we will get nowhere unless we
successfully enlist the assistance and cooperation of the
private sector.

At the same time, though, the private sector must recognize that
a government role is also indispensable.  Government and private
industry are, in a very real way, interdependent in this area.
No workable solution to the myriad problems can be devised by
one or the other unilaterally. We have to work together.


Begin Page 3

* * *

One of the most striking things about the explosion of new
information technology over the last couple of years, in this
"Age of the Internet," is the way in which that technology is
often portrayed as an unqualified "good." The exponential growth
of the Internet, the expansion of digital and cellular phone
systems, and the proliferation of unbreakable encryption are
viewed by some as unconditionally positive developments.
Correspondingly, any effort to regulate the use of these new
technologies is seen as "bad," as the work of neo-Luddites, and
as inevitably doomed to failure.

We are witnessing this phenomenon right now in the raging debate
over efforts to restrict pornography on the Internet. We saw it
last year in the debate over the FBI's effort to ensure that it
can continue to conduct legally authorized wiretaps on digital
telephones. And we see it, too, in the ongoing effort to develop
a national encryption policy, in which we


Begin Page 4

seek to encourage the use of strong encryption while protecting
the interests that all of us have in effective law enforcement
and national security systems.

In all of these debates, the decibel level is high. Many critics
of government start from the proposition that any involvement by
Washington is necessarily bad. In such circumstances, it is
difficult even to engage in rational discourse, let alone find
common ground.

Clearly, we need to step back, take a deep breath, and recognize
a fundamental principle for starters:  technology is not
inherently "good." Nor is it inherently "evil." Rather, it is a
tool whose virtue and worth depend on the use to which people
put it.

Everyone recognizes this simple proposition in the case of
nuclear technology. Obviously, that technology can be enormously
useful -- if harnessed correctly, it can end our dependence on
fossil fuels, satisfy our energy needs, and reduce pollution
caused by burning coal, oil, or gas. But it also is potentially
evil, if


Begin Page 5

it is turned into nuclear weapons used by a rogue state or
terrorists to kill innocent people.

But this notion of "moral neutrality" is not the universal view
when it comes to information technology.  It is easy to grasp
the potential good of this technology. The spread of the
Internet, for instance, can greatly enhance our lives in
countless ways: It can connect people across vast distances; it
can disseminate knowledge to far-flung corners of the earth; it
can spread the message of democracy to people who labor under
tyrannical regimes; it can improve our own democratic process by
allowing candidates to distribute their message more broadly and
cheaply or by permitting the people to make their voices -- and
their votes -- heard more clearly; it can allow parents to spend
more time with their children by "telecommuting"; it can improve
our children's education by providing even the poorest school
districts with electronic access to our best teachers; and it
can improve the lives of our senior citizens by allowing them to
communicate with


Begin Page 6

relatives or shop without leaving their homes. The possibilities
are truly endless.

Similarly, strong encryption has the potential for better
protecting people's privacy and for increasing our ability to
conduct electronic commerce without fear of theft or fraud.

But what has too often been ignored is the potential for the new
technology to be put to evil uses. Thus, absent regulation, the
Internet allows the distribution of child pornography nationwide
at the push of a button, without any control over who is exposed
to it.  Similarly, it can permit much greater invasion of
privacy and damage to reputation if private facts about a
person, or malicious slander, can be spread so quickly and
easily. In the old days, when gossip spread by word of mouth,
harm was necessarily limited. But now someone can be
"electronically slammed" around the world in minutes. And, the
more people begin to rely on the Internet to conduct electronic
commerce and everyday communications, the greater potential
there is for


Begin Page 7

invasion of their privacy as credit companies and service
providers acquire vast amounts of personal information about
people's purchases, hobbies, interests, phone records, and other
details of their everyday lives. In the past, it would have
taken weeks of intensive investigation into a person's life to
put together a picture of him that can now be developed in
minutes. And electronically stored private information -- such
as credit or health records -- not only can be accessed quickly,
but also can be altered.

Encryption, too, can be used for sinister purposes. With the
proliferation of unbreakable encryption, law enforcement stands
to lose some of its most effective tools against terrorists and
organized crime groups.  Court-ordered wiretaps that allow us
to intercept communications and prevent a terrorist plot are
rendered worthless. Stored data files that might hold the key to
bringing down an international drug cartel or child pornography
ring will be undecipherable, allowing some of the most heinous
criminals to go free.


Begin Page 8

Just imagine, for a moment, if we found someone who was abusing
innocent children to manufacture graphic, hard-core child
pornography. Imagine that law enforcement successfully obtained
a warrant to search his office for evidence, including his
computer files. Imagine, though, that we go to all that effort
to catch this criminal, only to find that the list of children
that he uses to produce his pornography is encrypted with DES.
He's disposed of his only key (or at least he claims he did).
No key is held in escrow. Dead end for us. Is this really the
type of constraint we want? Unfortunately, this is _not_ an
imaginary scenario. This problem is a real one.

Or, imagine an employee who encrypts crucial company documents
just before he quits the company, leaving the company helpless
to access the plain text. Or a widow who finds that all of her
deceased spouse's probate files are encrypted, but he did not
leave a key.

Beyond these examples of potential ill-uses [sic] of information
technologies, there are broader social


Begin Page 9

problems that are harder to measure, but which we are slowly
coming to recognize instinctively. For instance, if people are
spending hours on end in chat rooms, conversing with faceless
strangers thousands of miles away, will they spend less time
actually talking with their children, their parents and their
friends? What will this do to interpersonal relations and
children's intellectual and emotional development?

And what effect will the Internet have on the nature of
communication itself? Anyone who has used e-mail has experienced
the misunderstandings that arise so frequently in electronic
conversations. Something odd happens, whether it is that people
feel more free to discard social conventions like politeness and
to be brutally candid when they are looking at a computer screen
instead of a human face; or whether it is the lack of tone,
intonation or facial expression that accompanies spoken
communication and can subtly change the meaning of a person's
actual words or signal that someone is only joking; or whether
it is the lack of care that goes into messages that someone
fires off on


Begin Page 10

her keyboard rather than taking the time to think out a
handwritten letter. Something happens that simply engenders
misunderstandings and hurt feelings more frequently in e-mail
than in casual conversations by the water cooler or written
letters to friends. We've all experienced this, but we don't
quite know what the implications are.

The metaphor of the "information Superhighway" has become a
cliche by now, but let me invoke it one last time before putting
it to rest! Imagine if, at the advent of the automobile, all of
the states, as well as individual companies, just started
building their own roads all over the place, with no speed
limits, no lane markings, no highway patrol or emergency rescue
services, no emergency exits, no safety inspections for trucks
or passenger vehicles. I think everyone would recognize that
this would be a recipe for disaster. But now as we are
constructing our "information superhighway," which is a thousand
times more complicated than our automotive highway system -- and
provides opportunity for much greater damage if abused


Begin Page 11

-- many people are telling the government to just get out of the
way and let NII develop on its own, with no restrictions,
no regulation, no effort even to protect our information
infrastructures from attack or abuse.  This simply does not make
sense.

In my view, we really have two choices: We can begin now,
jointly, to try to come up with solutions to some of the
difficult issues raised by the growth of the information
infrastructure in a rational, measured, and prudent way. Or we
can wait until a crisis occurs, until some cyber catastrophe
suddenly crystallizes these issues in the public's mind and
leads to an outcry and a call for immediate government response.
But, if history teaches us anything, it is exactly this sort of
crisis mode, when the government is pressured to respond to some
recent outrage, that we are most likely to overreact and enact
bad policy [sic]. Let's try to do it now, while cooler heads
prevail; let's work together to come up with solutions that
serve the public interests.


Begin Page 12

The telecommunications industry, to its great credit,
understands this interdependence. As a result, I think the
president's national security telecommunications advisory
committee -- a joint government-industry body -- has been
highly successful in crafting solutions to the particular
problems faced by the telecommunications industry. The NSTAC
serves as a model, in many ways, for what we need to do for the
rest of our industries that rely on the national information
infrastructure.

* * *

Let me now turn to the particular problems posed by the
information revolution for our national security. You have heard
a lot over the last two days about the growing dependence on the
information infrastructure in all sectors of society --
military, political, economic, academic, and cultural -- and
about the increasing interconnectedness of all these sectors.
The implications for national security are becoming more
apparent: as we become more interconnected, we are also


Begin Page 13

more vulnerable to attack from many different sources.  The
information and control systems for our critical industries, for
instance, are more vulnerable to penetration and disruption;
information can be more easily stolen, distorted, or destroyed;
and the very operation of those industries can be brought to a
halt more quickly and easily.

The issue of how we address our vulnerability to such attacks
has often been referred to as "defensive information warfare."
But this term can be misleading.  It suggests that the issue is
a problem only for our defense establishment, and should be
addressed as part of our national defense strategy. Certainly,
the military sits on a vulnerable platform consisting of
different critical infrastructures. But civil society sits on
that same platform. This is therefore also an issue for the
civilian world. Every person and institution that is connected
to the "information superhighway" is vulnerable to attack, not
just those people and institutions involved in our defense
mission.


Begin Page 14

Moreover, the sources of attacks are not limited to nation
states or other foreign powers during times of war. Rather, they
can run the gamut, from the disgruntled employee who steals or
destroys his employer's information out of malice; to the
criminal who steals proprietary information for pecuniary gain;
to terrorists who seek to cause widespread death or destruction
to intimidate or coerce the government; to foreign intelligence
agents who want surreptitiously to access or manipulate
classified or proprietary information; and, finally, to the
hostile state using cyber attacks as an instrument of war.
Obviously, not all of these attacks are directly related to
defense.  All of them are, however, of interest to law
enforcement.

The statistics illustrate, in broad strokes at least, how the
cyber threat is increasing. From 1991 to 1995, the number of
Internet hosts increased from approximately 750,000 to over 5
million, an expansion of over 500%. Not surprisingly, over a
three-year period from 1991 to


Begin Page 15

1994, the number of security incidents reported to the Computer
Emergency Response Team (or CERT) at Carnegie Mellon University
increased 498%, and the number of sites affected worldwide was
up 702%.

Recent surveys reinforce the CERT statistics. One survey of 246
companies revealed that the monthly rate of incidents involving
the theft of corporate proprietary information rose 260% from
1985-1993. Only 32 of these companies were willing to quantify
their losses, which amounted to $1.8 billion. In the other
survey, almost one quarter of the 898 organizations queried
reported a computer crime within the previous 12 months. And
last summer, the Defense Information Systems Agency (DISA),
reported that attacks on DOD computer systems had doubled from
only the year before and were then running at a rate of two a
day.

Let me give you a few examples of the types of "cyber" crimes we
have seen in recent years to put some flesh on the bones of
these statistics. These cases illustrate how vulnerable we
already are, both as


Begin Page 16

individuals and as institutions, and provide a window into our
future.

* In 1994, nine people, including an MCI employee, were indicted
for a scheme involving a $50-million telephone calling card
fraud. Using a sniffer program (which monitors network traffic),
they captured and used more than 150,000 calling card numbers.
The scheme had been directed by hackers in Germany who then made
international calls to attack U.S. computer networks.

* A computer hacker broke into files at a bank and a credit
union, and then used the information to apply for credit cards
in the victim's name. The criminal then used these cards to go
on a buying spree. The victim's ability to obtain credit was
ruined and had to be painstakingly reestablished.


Begin Page 17

* Hackers broke into Lawrence Livermore Laboratory computers and
used them to store illegal hard-core pornography. Nearly 2,000
megabytes with 1,000 images were found on one Internet-linked
computer.

* We have seen transmission of child pornography files by e-mail
through America Online.

* Con artists have used electronic bulletin board systems to
hype recently-purchased penny stocks, driving up the price and
giving the con artists a profit.

For the most part, these attacks appear to come from
"unstructured" sources: That is, they are unrelated incursions
by individuals or small groups usually seeking to steal
information or services or to cause disruption purely out of
malice, but with no grand design or organization. In terms of
national security, though, the greatest threat will come from
"structured" sources: organized crime groups (we have seen
instances


Begin Page 18

of this), and, more importantly, terrorist organizations,
foreign intelligence agencies, and foreign military services.
These are the entities whose efforts are the best financed, the
most focused, and the most likely to cause widespread damage to
our national security by disrupting elements of our
infrastructures that depend on the information superhighway.

Even for these structured threats, law enforcement plays a
critical role. Under Presidential Decision Directive 39, which
was issued last summer and sets out the administration's
counterterrorism policy, the Department of Justice (through its
component, the FBI) is the lead agency responsible for
combatting terrorism in the United States. And Executive Order
12333, which has been the guiding instrument for the
intelligence community since 1981, designates the FBI as the
lead agency for counterintelligence matters. So clearly, law
enforcement has an important role in protecting our national
security against the new cyber threats.


Begin Page 19

Our most immediate concern right now is the terrorist threat. As
our society becomes more and more dependent on the information
superhighway, we must expand our focus beyond the traditional
"physical" attacks by terrorists that we have encountered in the
past, and to anticipate and protect against cyber attacks that
could cause as great, if not greater, impact as a well-placed
bomb.

It's not hard to imagine how terrorists could use cyber tools to
wreak massive havoc in this country. Consider the World Trade
Center case, for example. There was some evidence suggesting
that the conspirators in that case intended to cause the tower
to collapse, in order to disrupt the financial markets on Wall
Street. That same objective could also be accomplished through
an electronic attack on the energy or telecommunications systems
that supply lower Manhattan, or on the information systems of
the banking and financial institutions themselves.


Begin Page 20

The threat is _not_ simply hypothetical. We have already seen
attacks on elements of the infrastructure that, although
apparently not committed by terrorists, illustrate the
vulnerabilities that are present in our information networks,
and demonstrate the urgency of our situation.

* The pending case involving Citibank is one example.  Between
June and October in 1994, approximately 40 wire transfers were
attempted from Citibank's cash management system through the use
of a computer and phone lines from St. Petersburg, Russia, by
compromising the password and user identification code system.
Citibank was successful in blocking most of the transfers or
recovering the funds from recipient banks, limiting its losses.
But the potential loss was enormous. Still, imagine what the
impact might have been if the intruders' intent was not to steal
funds from a few accounts, but to bring down the entire bank's
accounting system; or to zero out the


Begin Page 21

records of thousands of accounts; or to disrupt several major
banks simultaneously.

* In 1989, the "Legion of Doom" in Atlanta, Georgia, remotely
accessed the administrative computers of Bell South and
wiretapped calls and altered phone services.  It could have shut
down the phone network for the Southeastern United States.

* From 1993 to 1995, a man in California gained control of the
computers running local telephone switches, and discovered
information concerning U.S. government wiretaps conducted
pursuant to the Foreign Intelligence Surveillance Act (FISA). He
also uncovered a criminal wiretap and warned the target.

Now, in part through the efforts by joint industry-government
bodies such as the President's National Security Advisory
Committee (NSTAC), telecommunications carriers have taken steps
to prevent,


Begin Page 22

or to minimize and contain the damage from, this sort of attack,
in order to avoid the sort of regional disruption threatened by
the Legion of Doom. But I don't know anyone who thinks that this
sort of disruption is no longer a real possibility.

The banking and telecommunications infrastructures are not the
only ones that have been affected.

* In 1992, a computer intruder was arrested for tampering with
the Emergency 911 systems in Virginia, Maryland, and New Jersey
in order to introduce a virus and bring down the systems.

* Also in 1992, a fired employee of an emergency alert network
sabotaged the firm's computer system by hacking into the
company's computers, causing them to crash for about 10 hours.
During that time, there was an emergency at an oil refinery. The
disabled system was therefore unable to alert thousands of
nearby residents to a noxious release from the


Begin Page 23

refinery. Beyond that, the computer crash potentially
jeopardized hundreds of thousands of people in 22 states and 6
areas of Canada where the alert network operated.

And, of course, the government itself has not been immune to
such attacks.

* A computer hacker penetrated computer or phone systems of
universities, government departments, and companies.  In the
U.S. marshals' computer, he found the locations of individual
federal prisoners, putting the security of our institutions at
risk. He also stole from an air force base a computer access
card, which he then sold through the mail.

* Finally, a sniffer was introduced into computers of NASA's
Goddard Space Flight Center, permitting someone to download a
large volume of complex calibration telemetry calculations
transmitted from satellites. The


Begin Page 24

sniffer remained undetected for an unprecedented length of time.

These are just some examples of the cases we've already seen.
But they should convey to you the urgency of the situation.

Now, some of my colleagues in government think it's best not to
discuss such cases, or to speculate about possible terrorist
cyber attacks, publicly, for fear of inspiring would-be
terrorists to carry out just the sort of attacks we're concerned
about. But I think keeping quiet about the problem is the wrong
approach. Silence will not appreciably lessen the probability of
an attack. We must take it as a given that someone is already
scheming.

Instead, our main concern should be to get our own house in
order and begin constructing our defenses. This means, first and
foremost, that we need to raise people's consciousness -- both
within the government and in the relevant sectors of industry.
This requires that


Begin Page 25

we talk about the threat and how to combat it. That is why this
conference is so valuable. Second, it means we have to figure
out how to organize ourselves within government, and in the
private sector, to fight the threat.

While the Justice Department is designated as the lead agency
for fighting terrorism in the U.S., we do not look at the cyber
threat solely as a subset of terrorism. The potential sources of
attack are simply too varied. It would be self-defeating to
concentrate on protecting against terrorist attacks, but to
ignore the problem of hackers, foreign espionage agents, or
organized crime groups. Yet, despite the breadth of the problem,
right now, there is no single agency, no focal point within the
government responsible for protecting against such attacks. In
fact, at last count there were some 22 agencies and task forces that
thought they had responsibility for some segment of this
problem.  Similarly, while many individual companies have taken
steps to secure their information systems, very few industries
have begun considering this problem on an


Begin Page 26

industry-wide scale. But clearly this problem begs for a
comprehensive approach that involves both industry and
government in a cooperative effort.

So, what needs to be done? Let me set out a roadmap for you, and
identify in particular where I think help from industry is
critical.

_First_, we have to identify our vulnerabilities. This means
identifying those components of government and the private
sector that, if attacked, would result in the greatest harm to
society, on a regional or national scale. These are what we have
begun calling "critical national infrastructures." We currently
break those infrastructures into roughly eight categories:
telecommunications; electrical power systems; transportation;
water supply systems; emergency services (including medical,
police, and fire and rescue services); and continuity of
government and government operations.


Begin Page 27

We already have a foundation for this effort. Both the Defense
Department and the FBI have what they call key asset programs,
which consist of databases identifying key assets within each
category of critical infrastructures, and containing
vulnerability information and emergency points of contact for
each key asset.

Until now, however, both of these programs have focused on
vulnerabilities to _physical_ attack. DOD and FBI have already
set out to broaden the focus of these programs to include
vulnerabilities to cyber attacks and to coordinate the two
databases. In expanding into the cyber area, we will need a lot
of cooperation from industry, a willingness to share information
with us (on a confidential basis) and to work jointly with us in
determining vulnerabilities.

The _second_ thing we need to do is identify the scope and
sources of the threat. Again, the defense and intelligence
communities have been concerned with identifying military and
espionage threats in this


Begin Page 28

field. But there has been very little effort to assess
comprehensively the full range of cyber threats to our
infrastructures: who poses a threat? What are their
capabilities? What have they done in the past? What are their
intentions?

This will require a joint effort by the defense, intelligence,
and law enforcement communities, combining their data and doing
joint analyses. But it will also require cooperation by
industry. No analysis can be complete without information about
what attacks industry has already experienced, and by whom.

On this point, let me say that under-reporting of computer
crimes has been a major problem in getting a handle on the
nature and scope of the threat. There are two principal reasons
for this under-reporting. First, many victims don't even know
they are victims. Let me give you one example. The Justice
Department handled a case in 1992 involving a hacker intrusion
into Boeing's supercomputer center in Seattle. The hacker
downloaded encrypted password files and used Boeing's computers
to


Begin Page 29

run hacker and cracker programs. To its great credit, Boeing
reported the intrusion to the FBI and partitioned its system to
allow agents to trace the hackers to the source.

In the course of the investigation, the FBI soon learned that
the hackers had gained access to the entire computer system
serving the federal district court in Seattle. In fact, he had
obtained the passwords of both the system administrator and a
federal judge, forcing the courthouse system to close for a day.
Yet, without Boeing's call to law enforcement, the federal court
administrator would not have known that an intruder had acquired
unfettered access to the court's computers.

A second reason for under-reporting is the collateral
consequences of reporting. To put it bluntly, there may be a lot
of explaining to do -- to managers, customers, regulators, or
the public. If it is your job to secure a company's information
systems, how eager will you be to confess to people that your
defenses didn't work? Banks are a prime example. If


Begin Page 30

you are Citibank, you may be loath to reveal to depositors that
their accounts may be vulnerable to electronic theft. Similarly,
a telecommunications carrier may not want to publicize that its
customers' conversations have been accessed by so-called "phone
phreakers."

The extent of under-reporting is illustrated by some statistics
compiled by DISA. As many of you probably know, DISA tests the
security of DOD computer systems by having its tiger teams
"attack" the computers using standard hacker methods and tools.
Over the course of this program, DISA has accumulated some
telling statistics. At last count, DISA tiger teams had
successfully penetrated 88% of the computer systems they
attacked. More startling, system administrators at the
successfully attacked sites only detected 4% of these
penetrations. And of the 4% who discovered the intrusion, only
5% reported it! If you do the math, you'll see that of the
10,000 machines attacked, 8,800 were penetrated, only 352
discovered it, and only 18 reported it. Or put another way, for
each report of a


Begin Page 31

computer intrusion, there were 490 others that went unreported.

The FINAL step, and probably the most difficult, is to figure
out how to organize ourselves to address the problem. Again, I
believe it is a mistake to think about this problem in
compartments: that is, for DOD as a military problem; for
Justice and FBI as a terrorism problem; for the CIA and NSA as
an espionage problem and for private industry as a white-collar
crime problem.  The threat is too varied, and the problems too
overlapping, to permit such a fragmented approach. We clearly
need one focal point in the government to take the lead in
addressing this issue comprehensively -- to develop national
policy, coordinate the necessary other agencies, and with
industry on developing solutions.  We need the equivalent of the
"Manhattan Project" to address the technological issues and to
help us harden our infrastructures against attack.  It might be
that we can just designate an existing agency to take the lead.
Or we may need a new agency or some interagency body to perform
the task.
But some centralized entity is direly needed to push this effort
along.

Most importantly, though, whatever we decide to do within the
government, we need to enlist the private sector to join in this
cooperative venture -- not just in assessing vulnerabilities and
threats, but in devising and implementing solutions. Simply put,
without the participation of the private sector, any effort is
bound to come up short.

There are several reasons for this. _First_, at the most basic
level, most components of the national information
infrastructure, as well as the critical industries and
institutions that depend on the NII, are in private hands. This
means that, absent statutory authority to regulate a particular
industry, the government has limited ability to require private
companies to take protective measures; it can merely advise
industry and urge it to "do the right thing." And even if
government convinces industry to take protective measures, there
remains the knotty question
of who will pay for such measures (or for restoration of service
after an attack). Although private companies have an obvious
financial incentive to take steps to reduce thefts, it is less
clear that they are willing to incur the costs necessary to
protect their plants or information systems against a purely
malicious or terrorist attack. These are issues that need to be
worked out by industry and government together.

_Second_, private sector involvement in crafting and
implementing solutions is needed in order to engender the trust
in government that will be necessary to implement any solution.
Few people question the need for a government role, at some
level, in protecting the physical plant of the nation's critical
infrastructures.  But the same cannot be said in the information
technology arena. The notion of government involvement in this
area immediately raises concerns about privacy, economic
competitiveness, and protection of proprietary information. The
raging debate over the government's encryption policy is just
one example. These concerns are not easily reconciled with the
interests in national
security and law enforcement; but to ignore them would render
any effort futile.

We are currently trying to come up with a framework for
addressing all these issues. No decisions have been made yet, so
I cannot report to you on precisely where we are headed. But I
do know that, in the very near future, we will be reaching out
to critical industries to get them integrally involved in the
process. I ask you to join us in this vital effort; to sit down
with us and share your concerns, your ideas, your skill and
expertise, and your energy; and to work with us to begin
addressing this problem.

There are many skeptics who say that we will have to endure the
electronic equivalent of Pearl Harbor or Oklahoma City before
the key players in government or industry wake up to the problem
of protecting our information and other critical infrastructures
from the new cyber threats. The fact that the Olin Foundation
and the Air Force are holding this conference, however, and
have succeeded in getting such a diverse and high-level group of
participants disproves this pessimistic view.

But we cannot stop here. It is not enough to identify the
problem and to talk about it. After this conference, we need to
begin taking action. So I ask you to join us in taking those
next steps. We need to educate industry about the problem,
determine its scope, and create a joint approach to developing
solutions. If we in government begin to pause or stumble, prod
us or help us up. There will be much resistance along the way;
but given the importance of the issue, inaction would be
intolerable.

Thank you.

---------------

------------------------------


------------------------------

Date: Thu, 21 Mar 1996 22:51:01 CST
From: CuD Moderators <[email protected]>
Subject: File 2--Cu Digest Header Info (unchanged since 7 Apr, 1996)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send post with this in the "Subject:" line:

    SUBSCRIBE CU-DIGEST
Send the message to:   [email protected]

DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.

The editors may be contacted by voice (815-753-0303), fax (815-753-6302)
or U.S. mail at:  Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.

To UNSUB, send a one-line message:   UNSUB CU-DIGEST
Send it to  [email protected]
(NOTE: The address you unsub must correspond to your From: line)

Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on RIPCO BBS (312) 528-5020 (and via Ripco on  internet);
and on Rune Stone BBS (IIRGWHQ) (860)-585-9638.
CuD is also available via Fidonet File Request from
1:11/70; unlisted nodes and points welcome.

EUROPE:  In BELGIUM: Virtual Access BBS:  +32-69-844-019 (ringdown)
        Brussels: STRATOMIC BBS +32-2-5383119 2:291/[email protected]
        In ITALY: ZERO! BBS: +39-11-6507540
        In LUXEMBOURG: ComNet BBS:  +352-466893

 UNITED STATES: etext.archive.umich.edu (192.131.22.8) in /pub/CuD/CuD
                 ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
                 aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
                 world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
                 wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
 EUROPE:         nic.funet.fi in pub/doc/CuD/CuD/ (Finland)
                 ftp.warwick.ac.uk in pub/cud/ (United Kingdom)


The most recent issues of CuD can be obtained from the
Cu Digest WWW site at:
 URL: http://www.soci.niu.edu/~cudigest/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission.  It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified.  Readers are encouraged to submit reasoned articles
relating to computer culture and communication.  Articles are
preferred to short responses.  Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
           the views of the moderators. Digest contributors assume all
           responsibility for ensuring that articles submitted do not
           violate copyright protections.

------------------------------

End of Computer Underground Digest #8.52
************************************