October 2000
Security: Protecting the Internet from Cyber Attacks
Walking the fine line that separates protection from intrusion
By Dorothy Denning denning@cs.georgetown.edu
The big issue has been and continues to be government surveillance.
To what extent can the government monitor the Internet and critical
infrastructures to protect against cyber attacks? Can it require
service providers to install a monitoring capability that allows
law enforcement to intercept and trace traffic under a court order?
Under what conditions can it demand encryption keys in order to
break open intercepted communications and stored data? Can it
regulate the use of anonymous services or of encryption products
and services?
There are other issues, too. What is the government's role in
promoting research and education in information security? How
can it better defend its own networks? How can it promote information
sharing with industry to everyone's advantage?
The Players
In January, the Clinton administration released a draft National
Plan for Information Security Protection. The plan proposes 10
programs. The most controversial of these is the development of
a Federal Intrusion Detection Network (FIDNet) to monitor federal
government networks for intruders and misuse. FIDNet would be
a central analytic cell that would perform real-time analysis
of system anomalies from multiple networks. Civil liberties groups
have expressed concerns that FIDNet might sweep up too much information
about private citizens when they interact with the government
through the Internet. The government says it plans to design the
system to protect privacy.
The administration also proposed the Cyberspace Electronic Security
Act (CESA). The bill would set standards for government access
to decryption keys. It would also allow courts to issue protective
orders to block disclosure of sensitive investigative techniques
and industry trade secrets used to gain access to plaintext. Civil
liberties groups have challenged the bill's privacy protections.
The Center for Democracy and Technology has concluded that the
bill does not set adequate privacy standards.
Access to encryption keys has also been a big issue in the U.K.,
where civil liberties groups have challenged a provision in the
Regulation of Investigatory Powers (RIP) bill, which would allow
police to demand encryption keys from people under investigation.
Controversy stems primarily from a provision stating that failure
to comply could result in a two-year prison sentence. Civil liberties
groups argue that the provision as worded reverses the burden
of proof, although the government denies this.
Besides encryption, the issue of Internet wiretaps has been controversial:
a government asks that such capability be provided, and civil
libertarians generally object. Russian citizens were particularly
outraged when their government authorized itself to spy on Internet
traffic. Under Russia's System for Operational-Investigative Activities
(SORM), ISPs are required to install a device that hotwires customers
to the FSB. The IETF even got into the issue by debating whether
they should put features in forthcoming protocols that would facilitate
wiretapping. A motion to do so was overwhelmingly defeated.
Law enforcement agencies seek better means of investigating and
prosecuting computer crimes that transcend state and national
borders. The U.S. and many other countries have taken the position
that the best way to deal with the challenges is to enhance their
own capabilities rather than impose domestic restrictions on the
use of technologies that offer encryption and anonymity.
A few nations, such as China, regulate encryption domestically.
However, even in China the regulations require only that companies
register the type of encryption they are using; they do not have
to register keys. A regulation that also would have barred Chinese
companies from buying products containing foreign-designed encryption
software was quickly withdrawn because of foreign pressure and
China's interest in being admitted to the World Trade Organization.
A bill in France would require all people posting content on a
French Web site to identify themselves. EuroISPA, the European
association of ISPs, said the bill was not specific enough and
could have wider implications for the rest of Europe. Most countries
still restrict exports of encryption, although controls are relaxing
considerably in response to persistent requests from both industry
and civil liberties groups.
The Forums
Governments have numerous forums for addressing the issues. In
the U.S., these include Congress, the Critical Infrastructure
Assurance Office (CIAO), the National Infrastructure Protection
Center (NIPC), the President's Export Council Subcommittee on
Encryption (PECSENC), interagency task forces, and offices within
agencies. Several members of Congress are particularly active
in Internet and critical infrastructure security, including Senators
Bob Bennett (R-Utah), Jon Kyl (R-Az), Patrick Leahy (D-Vt), and
Charles Schumer (D-NY), and Representatives Robert Andrews (D-NJ),
Bob Goodlatte (R-Va), and Curt Weldon (R-Pa). Bennett was appointed
head of the new Critical Infrastructure Protection Working Group.
Schumer introduced S.2092 to update the laws on trap and trace
so that a single court order could be used across state boundaries
to trace an online communication from start to finish; allow federal
prosecution of crimes even if damages did not exceed $5,000; allow
for sentences of less than six months for violations of the Computer
Fraud and Abuse Act; and make juvenile offenders eligible for
Federal prosecution. CESA (see above) has not been introduced.
Congressional committees have recently held hearings on security
issues: the House Government Reform Committee Subcommittee on
Government Management, Information and Technology, on March 9;
the House Armed Services Committee Subcommittee on Military Research
and Development and Subcommittee on Readiness, on March 8; the
Senate Judiciary Committee Subcommittee on Technology, Terrorism
and Government Information, on February 1; the House Committee
on the Judiciary Subcommittee on Crime and the Senate Committee
on the Judiciary Subcommittee on Criminal Justice Oversight, on
February 29; and the Joint Economic Committee, on February 23.
The Council of Europe of Strasbourg, with participation from the
United States, Canada, Japan, and South Africa, has been drafting
a Cybercrime Convention, which is due for completion at the end
of the year and open for signature in 2001. The Convention aims
to harmonize laws on computer crime and facilitate investigations
and prosecutions across national boundaries. The G8 has also been
addressing ways of improving cooperation and coordination among
nations. The Computer Crime and Intellectual Property Section
(CCIPS) of the U.S. Department of Justice has been participating
in both groups.
The Prospects
U.S. Government
CCIPS
CIAO
Congress: House and Senate
NIPC
Private Sector
ACP
CDT
Cyber-Rights & Cyber-Liberties
EFF
EPIC
IA
IETF
FIPR
GILC
ukcrypto: send message with body 'subscribe ukcrypto' to
I do not foresee any draconian laws that restrict the use of encryption
or anonymity in the U.S. or most other democratic nations in the
near future. The Clipper debates are a thing of the past, and
governments realize the importance of the Internet to their economies
and the necessity of providing strong security and privacy protections.
I fully expect that FIDNet will address privacy concerns and that
encryption policy will continue to go in the direction of liberalization.
Governments that do not have strong protections against self-incrimination
will be able to demand encryption keys.
That said, I think the surveillance issues will be with us for
a long time, as the Internet evolves and new technologies bring
with them new challenges. Plus, there will be debates about specific
proposals such as FIDNet and RIP. Down the road, governments may
push harder for built-in identification and surveillance capabilities
so they can tap into and trace Internet connections.
What the Private Sector is Doing
Several private sector groups have been especially active in this
area. These include the IETF, Americans for Computer Privacy (ACP),
the Center for Democracy and Technology (CDT), Cyber-Rights &
Cyber-Liberties, the Electronic Frontier Foundation (EFF), the
Electronic Privacy Information Center (EPIC), the Foundation for
Information Policy Research (FIPR), the Global Internet Liberty
Campaign (GILC), and the Internet Alliance (IA). The ACP has perhaps
the largest group of constituents, made up of 40 trade associations,
over 100 companies, and more than 6,500 individual members. GILC
is one of the most global advocates, with member organizations
from Europe, North America, Australia, and Asia. The IA released
a policy document, International Policy Framework for International Law Enforcement
and Security, in May. The ukcrypto e-mail distribution list is one of the
best international discussion forums, although the main focus
is U.K. policy.
What You Can Do
Visit the Web sites of any of the above-mentioned government
and private sector organizations for more information, and sign
up for their electronic newsletters and alerts, which frequently
provide instructions about whom to contact in order to voice an
opinion on pending policy issues.
About the Author
Dorothy E. Denning is Professor of Computer Science at Georgetown
University and a member of the President's Export Council Subcommittee
on Encryption (PECSENC). She is the author of Information Warfare and Security (Addison Wesley, 1999) and over 100 articles, and she has testified
before the U.S. Senate and House of Representatives on encryption.
She is an ACM Fellow and has received the National Computer Systems
Security Award and the Distinguished Lecture in Computer Security
Award. She is concerned about technologies that totally lock out
law enforcement operating under a court order, but she is generally
biased against government-imposed regulations and supports strong
security and privacy protection.