Subject: IP: Neumann on PCCIP crypto
X-Sender: james@get.wired.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Thu, 06 Nov 1997 16:11:39 -0800
To: farber@cis.upenn.edu
From: James Glave <james@wired.com>
Subject: Neumann on PCCIP crypto

This story offers an inside look at how encryption was written off by the
PCCIP....

http://www.wired.com/news/news/technology/story/8053.html

US Computer Security Called a Critical Mess
by James Glave
11:55am 28.Oct.97.PST

One of the nation's leading computer-security
authorities has sent a wake-up call to the federal
government.

"The infrastructure stinks," Peter Neumann,
principal scientist at SRI International, said
Monday, speaking to an audience of
computer-security professionals at the Network
Security and Firewalls 97 conference in San Jose,
California.

Neumann, who also moderates the popular
comp.risks Usenet forum, was an advisor on the
recent President's Commission on Critical
Infrastructure Protection (PCCIP). The report,
which is still largely classified, recognizes that the
nation's critical infrastructures -
telecommunications, power, water, banking, etc. -
are extremely vulnerable to attack.

"When it comes to the computer information
infrastructure, they really did get to the conclusion
that things aren't good, we're in serious shape,"
Neumann told the crowd. "But their
recommendations are pretty much - I wouldn't say
pablum - but they are fairly obvious. They are the
kinds of recommendations that you or I might have
written a year ago."

Among the report's conclusions is that "cyber
attacks can be conceived and planned without
detectable logistic preparation. They can be
invisibly reconnoitered, clandestinely rehearsed,
and then mounted in a matter of minutes or even
seconds without revealing the identity of the
hacker."

Neumann said that the PCCIP's greatest
shortcoming was "tunnel vision" among the 17
commissioners: "The water person knew water,
the power person knew power. But the
commission didn't appreciate until the last month
that every critical infrastructure is connected to
computer communications infrastructures."

Further, said Neumann, one of the most valuable
and essential security solutions - cryptography -
was off limits from the beginning. "Whether they
were told not to touch it, or if they decided that it
was so contentious that they couldn't do anything
with it, they simply ducked it. All they did was say
that it's important and that we need to have it."

Neumann also touched on physical security and
social engineering. Ironically, Nancy J. Wong, one
of the commissioners, is the manager for
Information Assets and Risk Management for
Pacific Gas & Electric - which last week found
itself the target of sabotage that cut power to
126,000 San Franciscans. The sabotage is being
investigated by the FBI as an inside job.

"There were people who had keys [to the PG&E
substation] but were no longer employees. There
were people who walked in and out and were
recognized but not questioned," said Neumann.

One of the commission's recommendations is an
Information Sharing and Analysis Center, which
would compile incident and intrusion reports in a
similar manner to the Computer Emergency
Response Team.

But Neumann is skeptical, pointing to the
widespread denial of vulnerability among phone
companies and banks.

"The banks are categorically unwilling to talk
about [hacking] for competitive reasons. So
whether you can get a bank to admit that it's been
taken to the cleaners, and then to hush it up -
they've either hired the penetrator or paid off the
folks who lost money to pretend it never happened
- this is a very difficult issue," he said.

"It's not clear at all where we go from here."

James Glave : Senior Technology Writer : Wired News
http://www.wired.com : 415.276.8430

**************************************************
"Photons have neither morals nor visas" -- Dave Farber 1994
**************************************************