Great Circle Associates Firewalls
(October 1995)
 


Subject: Re: International Encryption Protocols (RC2) or (IDEA)
From: "Johnson-Bryden, Ian" <IJB @ saicuk . co . uk>
Date: Thu, 12 Oct 95 11:46:00 GMT
To: "'firewalls @ greatcircle . com'" <firewalls @ greatcircle . com>
Encoding: 121 TEXT

Adam Shostack wrote:

Ian J-B wrote:

>        While Ian is substantially correct about the actions of
>governments, there are two points that he does not address.  The first
>is that governments are subject to lobbying, the second is that most
>companies probably do not plan to wait six months to hear Washington
>or Brussels dictate their information security plans; they have real
>needs today that they should be planning to meet.

>        Governments are subject to lobbying.  Most of the governments
>that make the laws that cover most of the internet are, to one extent
>or another, answerable to the people, and do try to seek professional
>advice before making decisions.  As most of us are aware, building
>strong information infrastructure requires strong cryptography; it's
>like using concrete for highways.  Governments will need to make
>allowances for this for the Information Superhighway to be built.
>(Just today, another article on Internet insecurities was on the front
>page of the New York Times.  This is no longer a small issue.)

>        You have needs now; odds are good that those needs do not
>include Clipper.  From the point of view of building a secure network,
>or offering secure services, Clipper and its relatives are a single
>point of failure outside of your control.  The government employees
>who own the database don't answer to you.  They are corruptible, and
>for a small price.  Aldrich Ames cost three million dollars.  Could
>you buy the Clipper database for less?  How much could you steal if
>all data moving in the

>        There is a large amount of fear, uncertainty, and doubt about
>cryptography's future.  My advice is to build systems based on today's
>laws, and not on what the future may hold, if no one speaks up to
>oppose it.  Clipper has died an ignoble death in the US, it is fair to
>assume its relatives will do the same in Europe.

Adam makes some very valid points. Most governments consult individuals and 
corporations before drafting/changing legislation. How they select those 
contributors can be flawed, and some that are contacted fail to respond. 
Several of us have also served, and do serve, on a variety of working 
parties which are set up or sponsored by governments, 'standards' bodies and 
international organisations. The work of these contributors generally 
benefits all of us but may not represent all views, or be free of vested 
interests. The only way to influence legislation is to lobby political 
representatives, government officials and government executives but 
remarkably few individuals and corporations take the time to do that. Most 
prefer to complain bitterly that their particular government failed to take 
full account of their particular interests. Of course they would complain 
even louder if taxes increased dramatically because their government 
embarked on a development programme to build a better crystal ball.

I would never advocate postponing a procurement decision in the *hope* that 
something better might arrive in a few months and legislation usually takes 
rather longer anyway. However, I would suggest that it is wise to look 
carefully at all options before making that decision, after carefully 
building an enterprise and risk policy suite so that you know what and why 
you want to do something and can express your needs clearly to vendors. That 
also greatly helps in the process of evaluating the responses.

We also suffer from the changing circumstances. Major changes in 
international relations have coincided with dramatic growth in the 
availability and use of Information Super Highways. That's had at least two 
effects.

NATO and friendly powers built a set of rules to address issues raised by 
the Communist Bloc countries and the computer and communications 
technologies of the 1960's and 70's and did not need to address commercial 
interests in ISHs because that environment did not exist internationally as 
it does today. During this period of international tension a set of needs, 
organisations and vendor groups established and developed risk management 
in watertight compartments. What made sense then does not necessarily make 
sense today and risk management was largely built around government data 
classification systems.

Today demand for data risk management is increasing more rapidly than the 
supply of *skilled* risk professionals and many of those professionals who 
are available have difficulty in making the transition from the defined 
military/intelligence environment to the commercial environment. In this new 
world, demand is creating the opportunities for 'cowboy' vendors to make the 
wildest claims without sanction, FUD abounds, legislation lags behind 
technology and there are a number of government organisations looking for a 
new home and purpose. Ain't life a bitch.

Over the coming months there will probably be two developments.

Major government policy reviews will complete in several areas, including 
the European Union. Previously, governments have been concerned primarily 
with the crime aspects of encryption and the fear that organised crime could 
use ISH environments in a number of ways, particularly as a communications 
system which is better than that used by police services. As with any 
intelligence organisation, a police service has to get inside the decision 
loop of the enemy and unlike a military unit does not have the means to drop 
500Kg smart bombs from 17,000 feet onto the enemy command and control 
network. They have always relied on being able to 'tap' mail and phone 
communications, with or without a court order. Email threatens that ability 
because of volume and multiple routing options and could defeat it through 
the use of encryption. That could enable the criminal to get inside the 
police decision loop. For that reason, and a few others, governments have 
sought to control the use of encryption but have the challenge of how they 
do that outside their national boundaries. What is now happening is that 
other government organisations are coming to understand that this policy can 
have damaging consequences for the economics of commerce and national 
treasuries. This is generating the pressure to review encryption policies 
and in some cases this is being done as a high priority (of course a high 
priority for governments may not produce results that fast). So far much 
lobbying has been done on the security services side of government but 
better results may be produced by lobbying the financial and commercial arms 
of government.

The other area of development is on the commercial and technical side of 
encryption. Today there are many encryption systems and standards. Some of 
these are not particularly good and, outside government, are single level 
system high approaches. There will be some major shake outs and it's anyone's 
guess what the result will be or how long the process will take. In part it's 
all bound into the current restrictions on import and export imposed by the 
US Federal Government in whose territory many of the products originate. 
Whatever a user adopts today may become obsolete tomorrow, but then so does 
much of the information technology, so it is important to accept that 
today's 'quick fix' may have a short life and introduce high overheads.
Ian J-B
