The Internet Files

The network is the story: News on the latest Internet standards and struggles

SunWorld
May 1998

Clinton takes steps to guard U.S. against cyberattacks

San Francisco (May 22, 1998) -- U.S. President Bill Clinton told a group of U.S. Naval Academy officers today that the nation needs to take strong measures to guard against cyberattacks.

Clinton also signed a directive establishing the offices of National Coordinator for Security, Infrastructure Protection and Counterterrorism, which will oversee a variety of policies and programs. Those will cover counter-terrorism and the protection of critical infrastructure, which includes communications networks.

"As we approach the 21st century, our foes have extended the fields of battle -- from physical space to cyberspace; from the world's vast bodies of water to the complex workings of our own human bodies," said Clinton, according to a transcript of the speech he gave at the U.S. Naval Academy in Annapolis, Maryland. "Rather than invading our beaches or launching bombers, these adversaries may attempt cyberattacks against our critical military systems and our economic base."

Pointing to the satellite failure earlier this week, which disabled most of the nation's paging networks and broadcasting and data services, Clinton said the incident highlights the country's dependence on technology and the vulnerability of communications networks.

"Intentional attacks against our critical systems already are underway. Hackers break into government and business computers. They can raid banks, run up credit card charges, extort money by threats to unleash computer viruses," he said.

In order to be better prepared, Clinton called for the establishment of an early warning system to be operational by 2003. The system should be capable of detecting and defending against attacks on critical infrastructures such as power systems, water supplies, air traffic control, financial services, telephone systems, computer networks, and police, fire, and medical services.

"Just 15 years ago, these infrastructures -- some within government, some in the private sector -- were separate and distinct," Clinton said. "Now, they are linked together over vast computer-electronic networks, greatly increasing our productivity, but also making us much more vulnerable to disruption. ...If we fail to take strong action, then terrorists, criminals, and hostile regimes could invade and paralyze these vital systems, disrupting commerce, threatening health, weakening our capacity to function in a crisis," he warned.

The president appointed National Security Council adviser Richard Clarke to head a new office on infrastructure protection and counterterrorism. Also, former U.S. Senator Sam Nunn and Jamie Gorelick, formerly the U.S. Justice Department's number-two official and now the Federal National Mortgage Association's vice chairwoman, will lead a private industry advisory group, the Dow Jones news service reported.

Today's moves follow an October 1997 recommendation by the President's Commission on Critical Infrastructure Protection that the government create a real-time warning capability modeled upon the military's air defense and missile-warning system.

While the commission found no evidence of an impending cyberattack on the nation's infrastructure, its members warned that the capability to exploit weaknesses in the country's power, telecommunications, transportation, and financial segments does exist.

In addition, U.S. Attorney General Janet Reno announced in February an interagency effort to track and analyze electronic threats to the nation's critical infrastructures, such as communications, transportation, and energy networks.

The National Infrastructure Protection Center will include the Computer Investigations and Infrastructure Threat Assessment Center of the U.S. Federal Bureau of Investigation, and will add real-time intrusion-detection capabilities for cyberattacks directed at various national, electronic infrastructures.

--Torsten Busse, IDG News Service


White House announces Internet privacy plan

Boston (May 14, 1998) -- U.S. Vice President Al Gore today announced a new Clinton administration plan to give U.S. citizens greater control over the information about them that is available over the Internet.

The privacy plan includes a World Wide Web site that individuals can use to restrict certain types of personal information from being accessed and exploited. It also calls for legislation regarding the use of Internet-based medical records and for a "Summit on Privacy" to discuss the feasibility of self-regulation on the Internet, with a focus on children's privacy.

"We need an electronic bill of rights for this electronic age," Gore said in a statement. "Americans should have the right to choose whether their personal information is disclosed; they should have the right to know how, when, and how much of that information is being used; and they should have the right to see it themselves, to know if it's accurate."

The U.S. Federal Trade Commission will sponsor the new Web site, http://www.consumer.gov/, which Gore said will allow individuals to do the following:

Gore also called on the U.S. Congress to pass strict legislation to restrict how and when individuals' medical records can be used, to give individuals the opportunity to correct erroneous information in those records, and to give them the right to be informed about the records.

He also called on the U.S. Commerce Department to convene a Summit on Privacy within the next month that would assemble privacy advocates, consumer advocates and industry officials to explore the feasibility and limitations of employing self-regulation on the Internet and to focus on children's privacy.

In addition, Gore said that a Presidential Memorandum, effective today, directs the heads of U.S. agencies to do the following:

--Jon Skillings, IDG News Service


U.K. government encryption plan favors key recovery

London (April 28, 1998) -- The U.K. Department of Trade and Industry (DTI) has outlined its recommendations for encryption policies, including the introduction of a voluntary licensing program aimed at getting certification authorities, trusted third parties, and encryption software companies to comply with a key-recovery program.

The long-awaited proposals take the form of a bill aimed at promoting electronic commerce in the U.K., introduced by Barbara Roche, minister for small firms, trade, and industry and undersecretary of state at the DTI. That means the encryption policies could become law, rather than just guidelines, according to a statement issued by the department yesterday.

Like the much-debated government policies in the U.S., the U.K. proposal would allow law enforcement officials to obtain "keys" to encrypted communications should the government believe the content to be in violation of the law. The British government has long favored such a plan, which would house keys -- mathematical values that unlock an encrypted text -- with a trusted third party.

The new plan takes into account criticisms and concerns of U.K. businesses regarding a consultation paper on the licensing of trusted third parties, proposed by the government last year.

The new U.K. scheme would encourage, but not require, that certificate authorities or trusted third parties register with a licensing body, according to the DTI. It would set minimum technical and competence requirements on companies seeking licenses, one term of which is cooperation with the government in the area of key recovery in investigations. Licensed providers of encryption services would be required by law to make keys available to the government or other interested parties -- such as companies that want to read encrypted messages sent by employees -- under certain circumstances.

In large part, the DTI supports a key recovery system involving trusted third parties because it fears that criminals and terrorists could use encryption to harmful ends. While civil liberties groups have disputed the validity of this claim, the U.K. government stands by its reasoning that law enforcement officials should be able to get access to encrypted information when investigating suspicious activities. The new proposal would require that law enforcement officials obtain a warrant in order to request the keys, whether from the third party or the user of the encryption product.

The biggest problem with the proposal is that it leaves many fundamental questions unanswered, said several observers.

"It's a bit of a dodgy document," said Yaman Akdeniz, founder of the U.K. group Cyber Rights and Cyber Liberties. "The statement doesn't make anything better or anything worse."

Because it is unclear what advantages licensed authorities would hold over unlicensed ones, such a two-tier system is bound to create confusion and stem the development of electronic commerce, according to Akdeniz. The government plans to encourage licensing by recognizing only digital signatures from licensed bodies as legal documents, according to the DTI.

It is also unclear what would happen if users of unlicensed encryption services are asked by law enforcement officials to give up their keys, Akdeniz said. Criminals and terrorists are unlikely to use encryption products from companies that have signed deals with the government to provide keys, in which case the government will still have to recover the key by forceful measures, he said. For that reason, it doesn't seem to matter whether a company is using a licensed encryption system, he said.

The government proposal was drafted to comply with the Organization for Economic Cooperation and Development (OECD) guidelines on cryptography policy, which were released in March 1997. Although it states the need for encryption export controls, it does not go into detail about the U.K.'s plans in that area, nor does it place any restrictions on the use of strong encryption within the U.K.

Akdeniz suggested that the DTI may be introducing a voluntary key recovery system, instead of the mandatory scheme it has pushed in the past, because the U.K. is following the lead of European Union policies, which do not favor key recovery systems. The DTI said it would follow the OECD guidelines and would also work with the EU on the development of digital signatures.

Commercial interests in the U.K. had mixed reactions to the proposal. The Confederation of British Industry supports key recovery in some instances, but maintains that it should not be applied to all encrypted communications between corporations. For example, two companies that have been doing business with one another for many years may already have a trusted relationship in place, so it would be unfair to ask them to invest in a new system that places keys with a third party, said a Confederation spokeswoman.

The Confederation's main goal is to eliminate undue burdens on companies and to protect their privacy, she said. The group has not yet read the new proposal carefully enough to state a formal opinion, she added.

One encryption software vendor in the U.K., JCP Computer Services, echoed concerns that the document paints a foggy picture of what it means for a company to obtain a license. Even if a company doesn't cooperate with the key recovery plan, the government could still get the keys, calling into question the advantage of standing up to the government and refusing to get a license, according to Robin Wilton, chief consultant at JCP in London.

The proposal could put companies such as JCP in a bind. Developers of encryption software would be required to build products to the specifications of key recovery in order to work with licensed certificate authorities and third parties. Failure to build this capability into products could make such a company less competitive if key recovery becomes the standard, but supporting key recovery could cause some customers who disagree with the policy to turn away, Wilton added.

The role of software vendors in the licensing plan is unclear, as is the application of the scheme to specific industries, such as high-security finance and medicine, he said.

"The government has raised issues but not gone into detail," Wilton said. "I hope their thinking behind this document is more clear than the document itself."

--Kristi Essick, IDG News Service

[(c) Copyright  Web Publishing Inc., and IDG Communication company]


URL: http://www.sunworld.com/swol-05-1998/swol-05-if.html