Technology

Terrorism Talks Open RSA Conference


The official theme of the eleventh annual RSA Conference evokes the

Elizabethan Era -- complete with costumed minstrels and acrobats wandering

the San Jose, Calf. convention center. Unofficially, the security event

opened Tuesday with a more serious theme, with U.S. cyber security czar

Richard Clarke warning about the potential for terrorist hack attacks, and a

panel of noted cryptographers fretting over lost liberties in the wake of

the real terrorist attacks of September 11.

In a keynote address kicking off the conference, Clarke repeated the

message that he's delivered around the country since his appointment as the

White House's Special Advisor for Cyber Security last fall, evoking

patriotic duty and September 11 to urge companies to make computer security

a top priority, and arguing that future terrorists may exploit glaring

weaknesses in U.S. computer systems.

"This industry runs the same risk that the aviation industry ran," Clarke

said. "For years, people in the aviation industry knew that there were

security vulnerabilities. They convinced each other and convinced themselves

that these vulnerabilities would never be used."

Citing a Forrester Research report that found companies spend on average

.0025 percent of their revenue on information security, Clarke chided, "If

you spend more money on coffee than IT security, you will be hacked. And

moreover, you deserve to be hacked."

GOVNET REDUX.

In contrast, Clarke said, the Bush administration has proposed increasing

federal cyber security funding by sixty-four percent to $4 billion -- eight

percent of the government's $50 billion IT budget.

Clark also defended his proposal for the creation of a private network

exclusively for sensitive government computers. The administration received

167 comments on the proposal to create a "Govnet" that would be isolated

from the public Internet, Clarke said. Those proposals are being reviewed by

sixteen federal agencies.

The cyber security czar professed surprise at learning from the comments

that other segregated wide area networks already exist, within federal

agencies and private companies. "What we discovered is that the idea of

having a separate air-gapped network... is in fact an old idea," said

Clarke. "There are already such networks out there."

Some security experts had criticized the Govnet proposal, arguing that such

a network would itself be vulnerable to attack, and would represent a

government abandonment of the Internet. Clarke countered Tuesday that he

didn't expect Govnet to provide perfect security, but that it makes sense to

remove critical government functions from the public network. "I don't know

where it was ever written that everything has to be connected to everything

else," said Clarke.

Clarke's talk -- a mix of fiery rhetoric and pragmatic analysis -- was

generally well received, though observers disagreed with Clarke on some key

points.

"He seems to say that out of the goodness of our hearts we should spend more

and more and do the right thing, and I don't think that's going to happen,"

said Bruce Schneier, CTO of Counterpane Internet Security. "If you want to

make them do the right thing, make it illegal to do the wrong thing."

"I really believe terrorists are more interested in physical mayhem," said

former hacker Kevin Mitnick, also attending the conference. "A lot of people

don't take notice if the phone system goes down in Miami."

CRYPTOGRAPHER'S PANEL.

The terrorism theme carried over into the Cryptographer's Panel -- an annual

tradition at the conference that brings together the world's most well known

cryptography experts. But the panel was less concerned with the purported

threat of cyber terrorism, than with the corporate and governmental

responses to physical attacks.

Adi Shamir, professor at the Weizmann Institute of Science, criticized the

hodgepodge of security measures that went into effect following September

11, including airport screeners that sometimes prohibited innocuous items

like fingernail clippers, while allowing materials that could be converted

into weapons. "I think that in computer security we know the importance of

multiple lines of defense," said Shamir. "They should use ethical computer

hackers in order to think of ways that airline security could be breached."

Privacy was an issue for MIT professor Ronald Rivest, who was particularly

concerned about plans to make widespread use of small, inexpensive

radio-frequency tags as security tools. "Everything you own might have one

of these tags on them," said Rivest. "I might be able to tell how much money

you're carrying just by putting out a radio probe."

The technology could backfire, said Rivest, with terrorists using the tags

as a proximity fuse for an explosive, so that a bomb would go off when a

particular person came within range. The cryptographer suggested that laws

may be needed to prevent companies or the government from tying such tags to

personally identifiable information.

Whitfield Diffie, another cryptography legend, worried about growing

restrictions on the free flow of information. "The more we impose controls

on ourselves, the more they can be taken over to support some else's

information control policies," said Diffie.

The cryptographer drew applause for condemning intrusive new surveillance

practices. "This kind of very un-American watching of people is something we

should watch very carefully."

The RSA Conference continues through Friday. By Kevin Poulsen


Burger King's Young Buns
LIMITED-TIME OFFER SUBSCRIBE NOW

(enter your email)
(enter up to 5 email addresses, separated by commas)

Max 250 characters

Sponsored Links

Buy a link now!

 
blog comments powered by Disqus