by
Stewart Baker
(sbaker@steptoe.com)

Michael Hintze
(mhintze@steptoe.com)

November 1997

The Technology Subcommittee of the House Science Committee held a hearing late last week (Nov. 6) on the recently issued report by the President's Commission on Critical Infrastructure Protection. Those testifying at the hearing were:

  • Robert T. Marsh, Chairman, President's Commission on Critical Infrastructure Protection;
  • Russell B. Stevenson, Jr., General Counsel, CyberCash, Inc.;
  • Stephen R. Katz, Chief Information Security Officer , Citibank;
  • Glenn Davidson , Executive Vice President, Computer & Communication Industry Association; and
  • Dr. Peter G. Neumann, Principal Scientist, Computer Science Laboratory, SRI International.

Copies of the written testimony can be found at: http://www.house.gov/science/hearing.htmlTechnology

The hearing began with an opening statement from Subcommittee Chairwoman Connie Morella (R-MD). She noted that there is a serious need to improve computer security, and that vulnerable systems affect everyone. As an example, she cited a recent occurrence in which the Senate was hit with an "e-mail bomb" which crashed its system. Rep. Morella stated that solutions should involve cooperation between government and industry, but should be lead by the private sector.

Rep. Bart Gordon (D-TN) also made an opening statement. He noted his surprise that the report included so little about encryption and that it did not address the year 2000 problem at all.

The first person to testify was Commission Chairman Robert Marsh. His testimony essentially summarized the findings of the Commission as set out in the report. He emphasized that this is an immediate problem and there is a need to act now. There are three categories of actions that can be taken: actions that the government must take, actions that private industry must take and actions that require a cooperative effort between the two. In order for such actions to take place, however, there needs to be a collaborative environment in which information can be shared. Creating that environment is a major focus of the report. He also noted that there is a need for education programs to get information out regarding the threats. Additionally, there is a need to address legal issues, such as a review of federal laws that do not adequately take into account threats to modern electronic networks. He also noted that federal research and development is inadequate. He recommended doubling the budget for federal research and development next year, and then increasing it 20% each year for the next five years.

The next panelist was Russell Stevenson of CyberCash. He made three principle points. Government or collaborative actions should be limited to where there is a market failure. Second, in undertaking such actions, care should be taken to avoid unintended consequences, such as stifling innovation. Third, encryption is a cornerstone of protecting the security of these infrastructures, and nothing could be a greater threat to electronic commerce and security than an ill-conceived encryption policy. He noted the irony of law enforcement efforts that have the stated intent of allowing the FBI and other agencies to capture terrorists and criminals, but, in effect, expose the Internet to attacks from the same terrorists and criminals.

Steven Katz of Citibank testified next. He noted that banks are leaders in information security implementation and were one of the first to use strong cryptography. He suggested that it would be a mistake to adopt across-the-board standards because the best approach for addressing threats to infrastructures is always changing. Finally, he argued that banks should be allowed to use robust encryption with any key length and without the need to incorporate key escrow features. Current policy is to allow banks to export strong encryption and this should be continued and expanded.

The next person to testify was Glenn Davidson of the Computer and Communication Industry Association. He questioned the need for the work of the Commission to be shrouded in secrecy and suggested that the Commission needs to make public more of the information underlying its findings. He also asked why the report is so weak on encryption. He noted that encryption is the most effective means for protecting critical infrastructures. Yet, the report devotes only a single page to this important issue. What the Commission does say about encryption includes a strong endorsement of key recovery, but, he argued, key recovery will not work on a large scale. Finally, regarding the cost of implementing the safeguard suggested by the report, he argued that any difference between the cost of what industry needs to provide its customers and the cost of implementing what the government recommends should be paid for by the government.

The final person to testify was Dr. Peter Neumann of the Computer Science Laboratory, SRI International. He also noted that the report fails to address the year 2000 problem. He pointed out that the report contains only 3 pages on research and development, but argued that such an important issue deserves a much more thorough discussion. Turning to the subject of cryptography, he noted the difficulties with designing even modest sized information systems and questioned how we could develop a huge key recovery system without building in substantial risks. The one page devoted to cryptography did not address any of the risks of key recovery. He cautioned the Committee members to look beyond the surface of key recovery systems to do a thorough evaluation of the risks involved. He noted that just because somebody can be shown a working demo of a key recovery system, such a demo does not reveal the underlying risks or the difficulties of implementation.

Following the testimony, Representative Morella asked the question raised by Mr. Davidson: how would these safeguards be funded? Robert Marsh responded that once the private sector is made better aware of the risks to their systems, they will undoubtedly decide to implement procedures to protect themselves. These same procedures that are implemented to protect against hackers and thieves will also protect against terrorists. Thus, there will be no need for the government to impose greater safeguards than would be implemented by the private sector on their own. Russell Stevenson pointed out, however, that there may be problems that need to be addressed beyond protecting individual companies.

These could include broader infrastructure problems, which should be funded by the government. Representative Morella next asked Robert Marsh about the failure to address the year 2000 problem, and the very brief discussion of encryption. Mr. Marsh responded that the year 2000 issue is already being addressed and worked on, and that there is very little the Commission could have added. Regarding encryption, he acknowledged that it is a controversial topic. However, he noted that while good encryption is essential to infrastructure protection, there has to be key recovery. He noted that it is essential for sound business reasons as well as for law enforcement reasons. He further stated that the government should get serious about pilot programs and that such programs could solve the problems that have been raised about the implementation of a large scale, key recovery infrastructure.

Representative Morella next asked each of the panelists whether they support the SAFE bill (H.R. 695). Robert Marsh declined to comment on the issue, but the rest of the panelist uniformly stated that they support the original version of the SAFE bill. Here, two of the panelists also noted that it is very important to distinguish between key recovery and data recovery. Providing encryption keys opens up the ability of law enforcement or a hostile party to access huge amounts of information. Instead, companies should only be asked to provide plaintext data when there is a legitimate request. This way companies can maintain control of their keys and maintain the security of their encryption systems.

Representative Roscoe Bartlett (R-MD) then went off on somewhat of a tangent by discussion the dangers of an electro-magnetic pulse (EMP) from a high altitude nuclear blast, and its ability to wipe out all the micro electronics in the country. In response, Peter Neumann suggested that this is a remote possibility, and not as much of a threat as cyber attacks on infrastructures which are much easier and require fewer resources.

Representative Gordon then asked the panelists what Congress should focus on to bring about these recommendations. Robert Marsh suggested that Congress should enact whatever enabling legislation is requested by the President, such as creating the information sharing center and other structures recommended in the report. Congress could also review existing laws and make whatever changes that are required to address the cyber threats. Russell Stevenson said that Congress should address the encryption issues so as to put an end to this ongoing debate. Steven Katz recommended that Congress adopt the original SAFE bill, that it enact federal electronic authentication legislation, and it start a public education program. Glenn Davidson agreed that Congress could fund a public awareness campaign, that it could fund research and development, and that it should pass the original SAFE bill. Peter Neumann recommended a focused research effort to bring out security in our infrastructures.

Representative Paul McHale (D-PA) also asked about the SAFE bill and the changes made in the various congressional committees that the panelists find problematic. Russell Stevenson noted that one of the versions of SAFE changed it from a bill that would strengthen the use of encryption by allowing free exports to one that required domestic use of key recovery encryption, thereby hindering the development and wide use of encryption. Peter Neumann argued that bills such as the McCain-Kerrey bill give law enforcement unrestricted rights to obtain encryption keys without an understanding of the risks involved.

Representative Bartlett noted that he is on the National Security Committee (which passed the version of the SAFE bill requiring domestic key recovery). He maintained that the language in the original bill raised very serious and legitimate concerns. However, he admitted that maybe they did not have the time or wisdom to pass the best bill, and that he looks forward to working with the panelists in the next congressional session to develop a bill that meets the needs of industry as well as the needs of law enforcement.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

For further information please contact L. Benjamin Ederington on Tel: + 202-429-6411, Fax: 202-429-3902 or E-mail: bedering@steptoe.com