Security: Protecting the Internet from Cyber Attacks
Walking the fine line that separates protection from intrusion
By Dorothy Denning
The big issue has been and continues to be government surveillance. To what extent can the government monitor the Internet and critical infrastructures to protect against cyber attacks? Can it require service providers to install a monitoring capability that allows law enforcement to intercept and trace traffic under a court order? Under what conditions can it demand encryption keys in order to break open intercepted communications and stored data? Can it regulate the use of anonymous services or of encryption products and services?
There are other issues, too. What is the government's role in promoting research and education in information security? How can it better defend its own networks? How can it promote information sharing with industry to everyone's advantage?
In January, the Clinton administration released a draft National Plan for Information Security Protection. The plan proposes 10 programs. The most controversial of these is the development of a Federal Intrusion Detection Network (FIDNet) to monitor federal government networks for intruders and misuse. FIDNet would be a central analytic cell that would perform real-time analysis of system anomalies from multiple networks. Civil liberties groups have expressed concerns that FIDNet might sweep up too much information about private citizens when they interact with the government through the Internet. The government says it plans to design the system to protect privacy.
The administration also proposed the Cyberspace Electronic Security Act (CESA). The bill would set standards for government access to decryption keys. It would also allow courts to issue protective orders to block disclosure of sensitive investigative techniques and industry trade secrets used to gain access to plaintext. Civil liberties groups have challenged the bill's privacy protections. The Center for Democracy and Technology has concluded that the bill does not set adequate privacy standards.
Access to encryption keys has also been a big issue in the U.K., where civil liberties groups have challenged a provision in the Regulation of Investigatory Powers (RIP) bill, which would allow police to demand encryption keys from people under investigation. Controversy stems primarily from a provision stating that failure to comply could result in a two-year prison sentence. Civil liberties groups argue that the provision as worded reverses the burden of proof, although the government denies this.
Besides encryption, the issue of Internet wiretaps has been controversial: a government asks that such capability be provided, and civil libertarians generally object. Russian citizens were particularly outraged when their government authorized itself to spy on Internet traffic. Under Russia's System for Operational-Investigative Activities (SORM), ISPs are required to install a device that hotwires customers to the FSB. The IETF even got into the issue by debating whether they should put features in forthcoming protocols that would facilitate wiretapping. A motion to do so was overwhelmingly defeated.
Law enforcement agencies seek better means of investigating and prosecuting computer crimes that transcend state and national borders. The U.S. and many other countries have taken the position that the best way to deal with the challenges is to enhance their own capabilities rather than impose domestic restrictions on the use of technologies that offer encryption and anonymity.
A few nations, such as China, regulate encryption domestically. However, even in China the regulations require only that companies register the type of encryption they are using; they do not have to register keys. A regulation that also would have barred Chinese companies from buying products containing foreign-designed encryption software was quickly withdrawn because of foreign pressure and China's interest in being admitted to the World Trade Organization.
A bill in France would require all people posting content on a French Web site to identify themselves. EuroISPA, the European association of ISPs, said the bill was not specific enough and could have wider implications for the rest of Europe. Most countries still restrict exports of encryption, although controls are relaxing considerably in response to persistent requests from both industry and civil liberties groups.
Governments have numerous forums for addressing the issues. In the U.S., these include Congress, the Critical Infrastructure Assurance Office (CIAO), the National Infrastructure Protection Center (NIPC), the President's Export Council Subcommittee on Encryption (PECSENC), interagency task forces, and offices within agencies. Several members of Congress are particularly active in Internet and critical infrastructure security, including Senators Bob Bennett (R-Utah), Jon Kyl (R-Az), Patrick Leahy (D-Vt), and Charles Schumer (D-NY), and Representatives Robert Andrews (D-NJ), Bob Goodlatte (R-Va), and Curt Weldon (R-Pa). Bennett was appointed head of the new Critical Infrastructure Protection Working Group. Schumer introduced S.2092 to update the laws on trap and trace so that a single court order could be used across state boundaries to trace an online communication from start to finish; allow federal prosecution of crimes even if damages did not exceed $5,000; allow for sentences of less than six months for violations of the Computer Fraud and Abuse Act; and make juvenile offenders eligible for Federal prosecution. CESA (see above) has not been introduced.
Congressional committees have recently held hearings on security issues: the House Government Reform Committee Subcommittee on Government Management, Information and Technology, on March 9; the House Armed Services Committee Subcommittee on Military Research and Development and Subcommittee on Readiness, on March 8; the Senate Judiciary Committee Subcommittee on Technology, Terrorism and Government Information, on February 1; the House Committee on the Judiciary Subcommittee on Crime and the Senate Committee on the Judiciary Subcommittee on Criminal Justice Oversight, on February 29; and the Joint Economic Committee, on February 23.
The Council of Europe in Strasbourg, with participation from the United States, Canada, Japan, and South Africa, has been drafting a Cybercrime Convention, which is due for completion at the end of the year and is to open for signature in 2001. The Convention aims to harmonize laws on computer crime and facilitate investigations and prosecutions across national boundaries. The G8 has also been addressing ways of improving cooperation and coordination among nations. The Computer Crime and Intellectual Property Section (CCIPS) of the U.S. Department of Justice has been participating in both groups.
Congress: House and Senate
Cyber-Rights & Cyber-Liberties
ukcrypto: send message with body 'subscribe ukcrypto' to