Plugged In: Government's Hands On

Industry executives say they can protect the nation's electronic networks from hackers, spies and other ne'er-do-wells if the government will only write new anti-hacker laws, share intelligence data, subsidize new research and increase public awareness of computer crime -- and simultaneously give up its efforts to control encryption technology.

Industry's wish list may be granted over the next few years, mostly because security is a central issue for the infotech industry, whose political clout grows in lockstep with its increasing contribution to the national economy.


But security is also important to government because intelligence officials fear that wartime hackers may cripple the nation's critical information networks, including the telephone system and the power grid.

That concern has spawned a White House task force, dubbed the Commission on Critical Infrastructure Protection, which is intended to boost security of the nation's networks. Government officials are recruiting at least 10 executives from the infotech industry and other sectors of the economy to serve on the panel, whose recommendations are slated to be on the president's desk next spring.

"I consider this issue to be one of the most important issues that our government, and our society as a whole, face today.... What we need, then, is the equivalent of the Manhattan Project for [network] infrastructure protection," said Jamie Gorelick, the deputy attorney general. Gorelick spoke at a July 16 hearing called by Sen. Sam Nunn, D-Ga.

Government officials decline to speculate on what the commission might eventually recommend. However, in return for meeting the government's demands, industry is expected to ask for additional funding and fewer regulations.

The commission's recommendations will be shaped by congressional debates, industry lobbying and new technology. Also, the commission's recommendations will be influenced by earlier government work, including the security panel of the Commerce Department's National Information Infrastructure Task Force, which includes representatives from many government agencies.

Key Management

Although the infotech industry would like to develop secure networks without the government's involvement, the government can't be ignored -- and may prove a blessing, said executives.

One critical area is the development of a nationwide mechanism for sharing, checking and updating people's electronic identities and addresses. The government will play a central role in the creation of this key-management infrastructure because the government is "the last word in identity. It issues your passport, [and] you will need the [cyberspace] equivalent," said Brian O'Higgins, director of Nortel Secure Networks, Ottawa, Canada.

Key-management systems are needed for electronic commerce because they allow encryption to shield privacy and money from online theft while allowing buyers and sellers to know whom they are dealing with.

Numerous key-management infrastructures will be created by sectors of the economy, including the medical, financial and auto manufacturing sectors, O'Higgins predicted. But "government is at the top of the heap because individuals and corporations have to have transactions with the government," if only to collect benefits or pay taxes, said O'Higgins, whose company is building a key-management system for Canada.

By 1998, Nortel's key-management system is expected to help manage the electronic identities of 20 million Canadians.

Also, the government can use its immense power in the marketplace to foster the use of common technology standards, helping the various key-management systems swap needed information, he said. "Everybody is an island... everybody has got proprietary and different [key-management] systems," said Jay Heiser, product manager at Norman Data Defense Systems Inc., Fairview Park, Va.

Digital Signatures

The government can also promote the use of digital signatures, O'Higgins said. Various states, including Virginia and Utah, are writing laws that give digital signatures the same legal clout as handwritten signatures and allow companies and individuals to enforce contracts signed via the Internet.

However, industry is migrating toward common use of a digital signature standard based on technology developed by RSA Data Security, Redwood City, Calif. In contrast, government officials are promoting the use of a rival standard, setting the stage for an expensive disconnect, he said.

Certification Schemes

Another role for government is the certification of security technology, said Richard Tracy, director of information security at Telos Corp., Ashburn, Va. "Industry could probably do that itself, but government sponsorship or endorsement would be helpful," he said.

Although industry-developed anti-virus and anti-hacker technology is being graded by the National Computer Security Association, based in Carlisle, Pa., government officials could go further to measure how well companies' products meet the claims in their advertising copy, said Pete Privateer, operations chief at Axent Technologies Inc., Rockville, Md. But government certification needs to be quick, low-cost and adaptable to changing technological trends, he said.

One good step in this direction, said O'Higgins, is the forthcoming government encryption standard, dubbed FIPS 140-1. Due in January, the standard will provide a basic test to ensure that commercial encryption products meet a basic quality level, he said, adding that government officials "are well ahead of the game here."

Anti-Hacker Laws

Industry executives also called for new laws to suppress electronic crimes, such as hacking. "We don't have a cultural understanding of what is appropriate [behavior in cyberspace].... The online community still sees an unlocked door as an invitation, so [government] needs to set expectations as to what is acceptable," said Heiser.

Although industry is developing a variety of new security technologies, "what is missing is cops," said Peter Tippett, president of the National Computer Security Association. Those cops are needed to enforce laws against computer crime -- including international computer crime -- and to promote responsible behavior in cyberspace, he said.

Currently, "there are no cultural norms" that strongly shape legal behavior in cyberspace, he said.

Congressional committees have approved a series of matching draft laws that would impose tough penalties on computer hackers. They are also considering more penalties for the use of computers in the commission of crimes. However, these draft bills have not been approved by the entire Congress.

Insurance

Government officials could also help create a market for security insurance, said Privateer. Of critical importance, he said, is a mechanism for gauging the value of stolen information. "Has the information been stolen if the information is still in the [victim's] computer? How can we measure the value of information?" he asked.

If companies can assess the value of information, then insurance companies can insure information, he said. In turn, the insurance companies -- and predatory lawyers -- will push companies to better protect their information, Privateer said.

Some government officials agree. "Attaching legal consequences for the unauthorized or improper use of electronic data will increase the likelihood that the National Information Infrastructure will be a trustworthy, reliable system," according to a government report titled "NII Security: The Federal Role." The report was written by the Commerce Department's National Information Infrastructure Task Force and released June 14, 1995.

But "we are going to have to solve [the data valuation] problem," said Privateer. "To be honest, I don't have an idea how to solve it," he said.

Threat Warnings

Government officials can also provide additional intelligence information about new computer-security threats, said NCSA's Tippett. Industry executives now cooperate through a wide variety of informal and formal mechanisms, most notably the Pentagon-backed Computer Emergency Response Team based at Carnegie Mellon University, Pittsburgh. With such industrywide cooperation, executives in the security industry can quickly provide their customers with technical fixes and other cures for security problems.

These threat warnings, coupled with top-level statements by government officials, also help convince senior executives to spend money on security, said Privateer. For example, the new security commission has been very helpful in "getting people with decision-making authority [in industry] to think about" security problems.

Easy Encryption

The government's greatest contribution would be to end its campaign to control encryption, said numerous executives in the security industry.

Industry executives said their efforts to market encryption technology are being stymied by government restrictions on the export of encryption and government efforts to promote encryption schemes that would allow law enforcement officials to execute court-ordered wiretaps of encrypted communications. "They should just stay out of the issue entirely," said O'Higgins. "The obvious bone of contention is the encryption issue.... Vendors need to be able to make products that work throughout the world," said Heiser.

"Stop this nonsense about encryption.... Government should put as few restrictions as possible on the technology," said Privateer. With few restrictions, companies and individuals will make greater use of encryption, boosting information security from coast to coast, said executives.

Under pressure from industry lobbyists, new technology and Congress, White House officials have made several efforts to square this circle, by offering new ideas such as "key-escrow," or "key-recovery," intended to minimize the burden on industry and on consumers, while helping the FBI get access to conversations and data shared among criminals and terrorists. However, there is no obvious solution to this dilemma, ensuring much debate for some time ahead.

Government officials know they need industry's cooperation if they want to protect the nation's electronic infrastructure. And industry's price for cooperation is liberty -- the liberty to make a buck.