On Dec. 8, David Lee Smith pleaded guilty to disrupting some 1.2 million computers by spreading the Melissa Virus. He said he meant to circulate "a harmless, joke message," and had no idea how much damage would ensue. But state and federal prosecutors represented that the virus "had caused at least $80 million" in damages. That would make this offense one of the most costly crimes in American history. Other attacks with major financial consequences have occurred, and more are anticipated.

The most recent threat was described this month at Stanford University at the Hoover Institution's National Security Forum conference on cyber crime and terrorism, co-sponsored by Stanford's Center for International Security and Cooperation (CISAC) and the Consortium for Research on Information Security and Policy (CRISP). Thomas A. Longstaff of the Software Engineering Institute at Carnegie Mellon University told the audience of a distributed attack tool that has been spotted on the Internet: a simple program can be sent into thousands of unsecured computers that will tell them all at a certain time on a certain date to send a message to a particular address or addresses.

He estimated that this device could enable an attacker to send 50,000 simultaneous messages to single sites, bringing them all down, with substantial damage.

The damage estimates for cyber attacks are still unscientific. Richard Power of the Computer Security Institute in San Francisco, who with the FBI publishes reports on cyber crimes, conceded at the conference that estimates are based on what companies informally report about the costs of attacks.

In formal filings, such as SEC-required reports, companies are reluctant to admit that any problem could interrupt their cyber activities or compromise the security they are trying to convince customers exists on their web sites. Even assuming substantial off-the-record exaggeration, however, the CSI/FBI estimate of total losses suffered during the last three years is quite impressive: $361,000,000. Attacks on public sites, including the Defense Department and other agencies, as well as on sites that constitute part of the nation's critical infrastructure, are also increasing at a rapid pace.

These attacks have been less successful than attacks on private-sector activities, but some scary results have been achieved. Consider the "Solar Sunrise" attack of February 1998, in which several teenagers were able to gain illegal entry into a number of sensitive computers in the United States (Pentagon and NASA) and Israel (parliament). The Clinton administration has recognized that cyber crime is a serious problem. In May 1998, President Clinton issued Presidential Decision Directive 63, putting federal agencies to work on cyber issues, including protection of the critical infrastructure. Some $1.5 billion is already being spent annually on cyber-security activities.

Regrettably, the effort seems flawed in some of its assumptions and priorities. First, and most wastefully, the administration fought a long, costly, and futile battle to control the design, sale and use of advanced encryption. Perhaps no single measure can assure security in cyberspace more cheaply and effectively than encryption, and the government's encryption policy greatly delayed, and is still damaging, its potential.

Currently, the administration is attempting to convince the Internet Engineering Task Force (IETF), which establishes voluntary standards for Internet protocols, to require "trap doors" in computers so as to enable the government to cybertap (with appropriate court orders). Every technologically competent person who addressed this issue at the recent conference saw such trap doors as eventually enhancing the ability of criminals to attack computers and reducing security. Second, the government has failed to encourage support of "Best Common Practices" standards for the Internet, allowing proprietary programs and narrow priorities to dominate.

Peter G. Neumann of SRI International, the influential Menlo Park, California business and technology research organization, called "closed," proprietary programs the greatest source of insecurity on the Internet, responsible for much greater damage than criminal actions. This danger will grow, he predicted, as government agencies adopt overambitious, "highly distributed systems" to push the amount of air traffic in congested areas to even greater levels.

Just as the best defense against chemical and biological weapons incidents is to have strong public health programs aimed at protecting against all disasters, deliberate or otherwise, so too is it essential that the information infrastructure be built on the most reliable systems available. Businesses are giving convenience, speed, and competitive challenges far higher priority than security, as Donn B. Parker of SRI explained in his insightful conference paper.

Finally, while everyone in this field recognizes that the information infrastructure is inherently transnational, and that defenses based on national boundaries are impractical, the Clinton administration seems to have limited its international cooperative activities to pious declarations and informal law-enforcement exchanges.

Criminal law cooperation is essential, but in itself insufficient. An international effort is needed that establishes legally enforceable norms for setting and implementing security standards, and mandated rules and procedures for cooperation and mutual protection, as in commercial aviation. An international treaty for cyber cooperation can be written, moreover, to be inapplicable to government activities. We should, as President Clinton recently announced, be assisting friendly states currently left out of the cyber revolution, not holding back from creating new markets for all goods and services, including our own, on the basis of non-existent national-security concerns.

Of course, it isn't just the government that is digging in its heels against truly effective security. Private-sector control of the information infrastructure is a revolutionary development that virtually no one wants to see sacrificed to national, let alone international, regulation. The possibility of governmental abuse and incompetence makes an international agreement a potential disaster. We can have security and standards in this field, however, without surrendering private control.

The multilateral treaty tabled for consideration at the conference would preserve the IETF as the world's standard-setting body for the Internet, working within a voluntary, unpaid structure of private experts. For perhaps the first time in human history, an international regime could be established that is controlled by private-sector forces. No one can guarantee that, once set in motion, an international effort to enhance cyber security might not lead to government control and a lessening of freedom.

But think about it. Right now, private forces control the action, and could prevent anything undesirable. Wait a few more years, and government officials will have established many trap doors and increased their influence, if not control. The responsible thing to do is to move now to give legal stability to the current, private, standard-setting regime, with just enough government backing to ensure that the public is protected against both crime and technological inadequacy.

Abraham D. Sofaer is the George P. Shultz senior fellow at the Hoover Institution, Stanford University.