My Perspective on Data Security and the US Government
During the recent podcast I did with Rich, I made a couple throw-away comments about the selection of Melissa Hathaway as cybersecurity advisor. A lot of ideas went into those comments and a few articles that I have read that brought to the fore several issues I have had ideas rolling around in my head for the last couple of years. In fact I have written this post a couple of times over the last year and deleted it because I thought it would be perceived as too political. My goal is not political commentary rather trying to provide perspective about the evolution of data security, but sometimes the two are linked so tightly together it is difficult to fully separate. The subject I want to discuss is the general state of basic underlying security of our electronic infrastructure, and the role that the government plays in Cyber Security. What got me going on this subject yet again was several articles that I ran across in the last month. The first was an article referenced by Bruce Schneier’s blog on The Register that talks about the NSA’s attempt to eavesdrop on Skype, which I am not sure they confirmed but highly believable. The second is the appointment of Melissa Hathaway, and while it is only being hinted at in this piece by USA Today, her comments indicate efforts at odds with other US intelligence organizations. The final article that urged me to rewrite this post was the following piece on Wired’s Threat Level Blog that the NSA wants to oversee cybersecurity. There is a strange push and pull going on here, because part of our government wants our entire electronic infrastructure to be both secure and private. They recognize the the Internet is a huge global marketplace for science and commerce, and is often leveraged by public entities as well, therefore it is in our best interest to have it secured to protect citizens & organizations alike. This is echoed in Hathaway’s comments. Conceptually this would reduce fraud globally, which costs companies billions of dollars every year. On the other side of the coin, strong electronic security makes intelligence gathering through eavesdropping difficult to impossible, and often requires secondary assistance to gather (insider cooperation, back doors in code and devices, cracking, etc) the same information, only at a higher cost. So what’s the problem? Good security on communications and infrastructure worldwide makes intelligence gather much, much harder. The people I have spoken with who have worked for or with US & British Intelligence organizations all share the same view that a secure communications infrastructure is facing stiff challenges from within our own government. A few years ago, Mr. Stephen Squires, who is/was at the time Chief Scientist for HP, spoke at Stanford Luncheon I attended about the evolution of computer security in the US. In a nutshell, he felt that cryptography would have solved most of the issues of privacy and security we have today, and today’s vendors with their point solutions were less than Band-Aids on gunshot wounds. Encryption could have easily been built into routers, phone switches, Ethernet cards and the like to ensure safe data transmission. Encryption could have been built into business applications to offer considerably higher security for data in motions and data at rest. He went on to say this was “discouraged” in various direct and indirect ways by our own government. He cited many examples of influence; the way bids are done, project specifications, funding, public-private partnerships, and most notably, US export controls on cryptography. A decade ago this was a common topic most of the crypto guys I have had the pleasure of meeting, and they were mostly frustrated by the US’s unwillingness to have all data and communications encrypted and secured. For those of you not familiar with what I am talking about, in the mid-90s, you could obtain cryptographic algorithms in papers and textbooks, but if you shipped encryption technology, you were going to be brought up on charges for illegal disbursement of munitions. When I got my first real job involving security, I had to be careful that I did not accidentally include a foreign national on the “CC:” line of an email that included the Blowfish variant we were working on as I could have been arrested. It’s code, for &!^@ sake! But the US Government was quite serious about this and has hindered the deployment of some security technologies on national infrastructure as well as allowing exportation, and have done little to lead in an area where they are in a perfect position to set an example for private industry. I am not sure what degree the majority of security professionals out there understand how rabid our government intelligence agencies are about encryption, but many historians view US victory in WW2 was due in large part to breaking the Japanese encryption codes, as well as the British efforts to reconstruct the Enigma cipher. While these are nice historical references, few are aware of more recent cases with the British in Falklands war and governments in the middle east were breached by the ability to break or bypass cryptography. This lesson is not lost on the Intelligence community, and who I would expect nothing less than to look for any advantage they can get. What is good for business security is considered bad for our spies. The concept from the governmental perspective was the benefits that the US Intelligence Services derive from lax security and encryption was a huge competitive advantage, so impediments into quality encryption technologies being widely available was to be discouraged. And when I have this discussion with people, they are usually thinking about Echelon, or the PROMIS variants that perform data analysis, but just two angles of using intelligence. We read all the time about Chinese or Russians breaking into US Government computers; is there some compelling reason to think this is not going on in the other direction? Another way to think about
