An absence of trust and common perceptions of privacy will pace security reforms.
The exploding use of encryption in cyberspace has spawned a dilemma for policy makers. They must strive to balance citizens' rights to security and privacy with the needs of law enforcement and intelligence to police what a senior defense official terms a "lawless frontier," and others call the "World Wild Web."
A polarized and politicized debate over the control and sale of strong encryption has focused too much on arcane technology itself, rather than seeking consensus on what services and functions most need protecting. So, blending the disparate views of private and public security seems no closer today than when cryptography first crept out of the black world into the public consciousness. This arguably took place when then head of the Federal Bureau of Investigation (FBI) William Webster chose an AFCEA luncheon to launch a campaign for stronger federal controls over the use and export of cryptography.
Information security is an international issue, involving diverse cultures that do not hold a common view of personal privacy in cyberspace or of how it should be secured. All parties summon technology, regulation or laws to resolve what is fundamentally a social problem: a lack of trust--trust in one another, trust in rapidly changing technology, and trust in government.
Cryptography imposes new burdens on law enforcement and intelligence agencies, as all manner of miscreants are masking their deeds in cipher land. Former U.S. Representative Jack Brooks (D-TX) likened the conundrum confronting law officials to the sheriff who bemoaned that criminals had traded their horses for motor cars.
But, then as now, technology is neutral. Its dual edge serves both those who use and those who abuse information. Cryptography can provide limited and ephemeral solutions to some security risks, but only if the "settlers," in the Wild West sense, agree on the desired end state.
Remarking on the 3,000-year-old history of cryptography, David Kahn concluded in his classic The Codebreakers that "it must be that as soon as a culture has reached a certain level ... cryptography appears spontaneously. ... The multiple human needs and desires that demand privacy among two or more people in the midst of social life must invariably lead to cryptology. ..."
Writing in the 1960s when the Internet and global e-commerce were but nascent notions within the cloisters of academia, Kahn could not have foreseen how the debate would be polarized by the different values that societies place on privacy and security. Global commerce demands international agreement that may be beyond reach if participants refuse to conduct what one commentator calls "a serious search for compromise."
Americans differ from Europeans in their perceptions of the electronic threat to privacy. Americans are viewed as being ignorant, apathetic, indifferent or disposed to default to the self-discipline of competitive markets. Europeans are viewed as seeking security through law and binding international agreement. Americans also are perceived as ambivalent--on the one hand, tediously blathering about treasured constitutional rights to privacy, while on the other hand, baring their souls in Internet chat rooms and online marketing transactions that leave persistent, exploitable electronic footprints revealing their most intimate personal interests, preferences and habits.
In Technology Review, Michael Dertouzos writes that U.S. consumers are becoming "accustomed to treating privacy as a tradable commodity--we don't mind giving some of it away to get the goods and services we desire."
The European Union threatens to deny e-commerce with nations that do not provide absolute guarantees of privacy. Some world leaders, again in the words of Dertouzos, want technology to "go figure out a solution to the privacy problems you brought upon us." Technology could reduce some exposure, Dertouzos adds, but only when each individual establishes a detailed personal profile, proscribing expectations of privacy for their personal data.
Initiatives by the White House to bolster national cybersecurity and public safety through control of the design, employment and export of cryptography proved poorly conceived, unnecessarily provocative, and technically assailable. The implicit expectation that international e-commerce would eagerly embrace cryptography endorsed by the intelligence agency of any nation was quickly hooted off the agenda, but not before the Clipper Chip fiasco had discredited more temperate initiatives belatedly served up by the Clinton Administration to quell the uproar from industry, Congress and civil libertarians alike.
In a recent speech in Munich, German Interior Minister Otto Schily is reported to have characterized U.S. efforts to control cryptography as something that "may be useful for controlling your citizens, but it is not useful for fighting crime."
On September 16, 1999, the administration announced a new proposal called the Cyberspace Electronic Security Act of 1999, or CESA. This effectively ended efforts to put export controls on cryptography. It sought no expanded legal authorities for law enforcement, but it provided the Wild West sheriff with $80 million to form a technical support center to better enable the FBI to respond to the increasing use of encryption by criminals and terrorists. Federal, state and local law enforcement also can get support from the U.S. Defense Department's new Defense Computer Forensics Laboratory.
Congress has done little other than further polarize the cryptography issue by serving up contrasting bills that are intolerable to the opposition and unacceptable or patently ineffective in an international arena.
The legal community has done no better, illustrating, in the words of The Washington Post writer Joan Biskupic, that "...even though the Internet has transformed how people go about their lives, it has not transformed the law ... courts have not created a distinct body of law to deal with cyberspace." In the words of others, "Things are moving a lot faster than governments realize, and the Internet is writing its own rules."
Headed for the U.S. Supreme Court are conflicting circuit court rulings that characterize the transmission of cryptographic code over the Internet either as a form of publication that is protected by the First Amendment, or as a functional device not covered by the Constitution.
Academia has been helpful, bringing focus to the gut issues along with refreshing civility and thoughtful, balanced analysis, which may have emboldened the White House to tilt toward support for strong encryption policy.
The fiscal year 1994 defense authorization bill commissioned a study by the National Research Council (NRC) that would lead to a national cryptographic policy. A 1996 NRC report, "Cryptography's Role In Securing the Information Society," acknowledged that "politicization of privacy may inhibit policy ... because of the emotional issue of trust in government." However, the report concluded that, while the "spread of cryptography will increase the burden of those in government charged with carrying out certain specific law enforcement and intelligence activities ... widespread commercial and private use of cryptography in the United States and abroad is inevitable in the long run and its advantages, on balance, outweigh its disadvantages." The NRC report concluded with a plea for a national discussion of the issues that would lead to a "broadly acceptable social consensus."
U.S. Representative Curt Weldon (R-PA) might not agree that the frontier's settlers are involved in crafting policy. In his keynote address to InfowarCon '99 on September 8, he offered a plausible explanation for the absence of a national discussion on cryptography. Unlike our ancestors, he said, who directly experienced the trauma of the shift from farmland to factory, the impact of the information age has not yet touched our public consciousness.
Another perspective on technology and trust is contained in "Technology, Society, and National Security," released in August 1999 by the National Security Study Group, also known as the Rudman-Hart Commission. A brief overview of trustworthiness in cyberspace concludes with these words: "Total information security is not possible and global use of encryption will be limited by standardization protocols and government regulations. ... Theoretically, the advantage lies with encryption; practically speaking, it may not."
Business Week likens the turmoil in cyberspace to the Wild West, with settlers playing a larger role than governments realize through chat rooms, e-mail and other congenial features of the Internet. However, beyond a few highly publicized acts of "electronic dissension" launched over the Internet, these new media are not being used by Netizens to influence the policy debate.
The "right" security balance--if such is a practicable goal--may not come from laws or top-down policies from government, but instead from a global infrastructure that just grew, with governments struggling simply to keep their van in sight. Citing the lack of technical and legal silver bullets, Paul Saffo writes in Business Week that "the way through this swamp is with a lot of small, comparatively weak solutions acting in concert."
Col. Alan D. Campen, USAF (Ret.), a contributing editor to SIGNAL, is a member of the adjunct faculty at the National Defense University School of Information Warfare and Strategy and contributing co-editor to the AFCEA book Cyberwar 2.0: Myths, Mysteries and Reality.