CyberTimes
toolbar
IBM Active Channel for Microsoft Internet Explorer. Find out about your chance to win a computer; click here for official rules and information.
November 6, 1997

Head of Cyber-Terrorism Panel Says Encryption Rules May Be Needed

By JERI CLAUSING Bio
 WASHINGTON — The head of a presidential commission on cyber-terrorism on Wednesday told a Senate panel that a mandatory system guaranteeing third-party access to scrambled computer communications may be necessary if industry does not embrace the Clinton administration's plan for a voluntary encryption decoding system.


Related Article
U.S. Commission Finds That Nation Is Vulnerable to Cyber-Terrorism
(October 23, 1997)

Robert T. Marsh, an aerospace consultant and retired Air Force general who is chairman of the President's Commission on Critical Infrastructure Protection, made the remarks in his first non-classified report on the commission's 15-month study and its recommendations for protecting the nation's computer networks from high-tech terrorism.

The commission recommended a variety of proposals, including increased private-public partnership and information sharing, more comprehensive background checks on people who hold sensitive positions, strengthening of government computer systems and spending more on research to improve network security.

But the key to national security, Marsh said, is strong encryption coupled with a back-door access for law enforcement officials to sensitive communications.

"We want to see that adopted over all the critical control functions at an early date," he told the Senate Judiciary Committee's Subcommittee on Technology, Terrorism and Government Information.

The commission's recommendation for a voluntary system that would give law enforcement officials the ability to decode electronic messages, called a key-recovery system, mirrors that of the administration, which says it wants ensure such officials can gain access to the coded communications of suspected criminals and terrorists.

Encryption policy has been a volatile topic on Capitol Hill this year, where bills ranging from an industry-backed ban on key recovery to an FBI-supported mandatory key-recovery scheme have passed various House committees. The Clinton administration insists it supports a Senate bill establishing voluntary key recovery.

"We didn't get into the encryption debate and all the nuances of individual positions," Marsh said. "We simply came on strong for encryption. We must have encryption."

He told the panel that "we must lower the temperature of the encryption debate" long enough to complete pilot projects on key recovery that will prove to industry that such systems can work.

Various agencies of the federal government currently are developing 13 key recovery pilot projects, which were on display Wednesday at a Government Information Technology Services conference. Marsh said the National Security Agency and the National Institutes for Standards and Technology should head efforts to perfect those systems and set standards for a national infrastructure protection office to carry out.

The Encryption Debate:
Is It About Privacy or Security?


Asked by the subcommittee's chairman, Jon Kyl, an Arizona Republican, if those controls should be mandated, Marsh responded: "We think businessmen will find it in their best interest to incorporate these controls. ... Of course, in due time, that may be an option if they are not willing to accept them."

Critics blasted the report as premature and contradictory.

"I am concerned that the report's recommendations that large-scale key-recovery encryption systems which allow for surreptitious decryption by law enforcement be deployed for use by federal agencies and the private sector is premature," said Senator Patrick Leahy, a Vermont Democrat who has sponsored a bill to relax controls on encryption technology."

"Significant questions have been raised by leading cryptographers about the security risks inherent in large-scale key recovery systems, which introduce new vulnerabilities and targets for attack, as well as about the costs and feasibility of implementing such systems."

The Center for Democracy and Technology said the "increasing vulnerabilities," "increasing dependence on critical infrastructure," and "wide spectrum of threats" identified by the commission all provide powerful arguments against the deployment of the vastly complex and insecure systems for back-door access that key recovery requires.

The center cited a recent study by 11 expert cryptographers and computer security experts, "The Risks of Key Recovery, Key Escrow, and Trusted Third Parties," which identifies numerous risks in the widespread deployment of such key-recovery plans. Among those risks is insider abuse, which Marsh said so far has been the chief culprit in computer-related crimes.

Marsh said a separate section of the report makes "recommendations that try to equip us better to deal with the insider threat, that's a separate problem."

Related Sites
Following are links to the external Web sites mentioned in this article. These sites are not part of The New York Times on the Web, and The Times has no control over their content or availability. When you have finished visiting any of these sites, you will be ableto return to this page by clicking on your Web browser's "Back" button or icon until thispage reappears.
Jeri Clausing at jeri@nytimes.com welcomes your comments and suggestions.


IBM Active Channel for Microsoft Internet Explorer. Find out about your chance to win a computer; click here for official rules and information.
Home | Sections | Contents | Search | Forums | Help

Copyright 1997 The New York Times Company