30 April 1998
Thanks to AR
Aviation Week & Space Technology, April 27, 1998, Editorial
U.S. Director of Central Intelligence George J. Tenet recently spoke on "Information Security Risks, Opportunities and the Bottom Line" at a NationsBank Policy Forum organized by former U.S. Sen. Sam Nunn (D-Ga.) and held at the Georgia Institute of Technology in Atlanta. Excerpts from Tenet's address follow.
While the technical experts sort out the strengths and weaknesses in our information systems, your intelligence community has the job of determining what foreign entities may be doing to penetrate, damage or destroy our information systems. . . . I am here to tell you the threat is real and it's growing.
The number of known potential adversaries conducting research on information attacks is increasing rapidly and includes intelligence services, military organizations . . . terrorists, criminals, industrial competitors, hackers and aggrieved or disloyal insiders. Foreign governments and their military services are paying increasing attention to the concept of information warfare. Terrorists and criminal groups have been using encryption and other information technologies to hide their operations for some time. Terrorist groups have their own Web pages. The emerging trend is for these groups to use those technologies offensively. The level of sophistication of their attacks is growing. . . .
The most important action that I can take as director of central intelligence is to provide adequate warning of cyber threats to our nation's security decision-makers in Washington and military command posts overseas. Through existing mechanisms, threat information can be passed to the private sector. Unfortunately, cyber threats are a difficult intelligence target. They are cheap, they need little infrastructure, and the technology required is dual-use. In addition, intrusion detection technology is still in its infancy. . . .
We as a nation need to develop a totally new way of thinking about this problem. Just as we took on the Soviet nuclear threat in the middle of this century, we will need a new collection discipline, new analytic approaches and new partnerships. . . . Neither government nor industry can solve these problems alone.
So what is needed, is obvious to all--security. What is less discussed is the need to bind a system of trust to the security systems. This is the only way that security will be truly achieved. What do I mean by this? Security is concerned with locks, fences and guards. Trust is about whether they work. In network terms, security is not just about encryption, but also is about authentication, digital signatures, data integrity and non-repudiation. Trust is about key management, digital certificates and policy--such as what your privileges are, what you are authorized or not authorized to do with your digital signature.
Much of the public discussion and rhetoric is about encryption--with little attention focused on what is needed to make its use trustworthy. The technology to bring good information security to networks is fairly well developed and understood. It is based on the use of public key encryption and digital signatures. The means to provide trust is less well understood and is called key management infrastructure. It is the system that binds public keys to users and provides the trust component in electronic security. . . . Efforts to provide key management infrastructure services for products with encryption are uncoordinated, immature and lagging the introduction of electronic commerce services.
We cannot keep building new capabilities on a poor foundation of security. It is folly to hope that someday we can add needed elements before it's too late. The longer we wait, the more our country is exposed and the costlier it will be to address the problem.
Think about it for a moment--we share the same network with our adversaries. We are staking our future on a resource that we have not yet learned to protect. The number of known potential adversaries conducting research on information attacks is growing rapidly. Technology is increasing the sophistication of their capabilities. Meanwhile, if our security remains where it is now, the risks and costs of attacking us will keep getting lower.
The need for cooperation between government and industry in building trustworthy key management infrastructure is paramount to meeting our common interests of networks that meet our business needs without introducing vulnerabilities in those systems. . . . If we are going to lead the world in information technology, we must recreate the trust between government and industry that allowed us to lead for over 40 years. We still have the power to lead by our example and the time to do what is right.
©April 27, 1998, The McGraw-Hill Companies Inc.