National Security and the Internet

Gary Chapman
Director
The 21st Century Project
LBJ School of Public Affairs
Drawer Y, University Station
University of Texas
Austin, TX 78713
(512) 471-8326
(512) 471-1835 (fax)
gary.chapman@mail.utexas.edu
http://www.utexas.edu/lbj/21cp

July, 1998

This paper was presented at the annual convention of the Internet Society in July, 1998, in Geneva, Switzerland.

Introduction

The modern concept of "national security" and the electronic digital computer are roughly the same age, both products of World War II. ENIAC, the world's first digital electronic computer, went into service at the University of Pennsylvania in 1946. The U.S. government's Central Intelligence Agency and National Security Agency were launched a year later, authorized by the National Security Act.

Until relatively recently, national security and computers enjoyed a symbiotic relationship, too. Until the mid-1960s, perhaps even later, the chief U.S. government agencies responsible for national security were also the chief catalysts and funders for computer research, and also the largest customers of the computer industry. Indeed, the appearance of the digital computer even shaped the strategy of national security in the United States, as more and more national security planning became dependent on computer-based models using techniques of systems analysis and operations research. One might even argue that this symbiotic relationship between computers and national security is the primary bearer and symbol of U.S. power in the latter half of the twentieth century, even more so than nuclear weapons.

Computer technology is still important to national security, perhaps of paramount importance. Without computers, modern arsenals and "battle management" and communications would be impossible. The future appears to belong to so-called "smart" weapons, complex systems of command and control, telecommunications, satellites, electronic surveillance, and split-second information processing. The end of the Cold War has appeared to speed up the process of integrating advanced computers into weapons and command systems, rather than slow it down. The United States' overwhelming superiority in information technologies is the key to its superpower status for the foreseeable future.

But a new phenomenon is the threat to national security posed by networked computers, particularly through the Internet. This is accompanied by more than a small amount of irony, as the Internet was, for decades, a project of the U.S. Department of Defense. For a long time, during the period when the Internet was used almost exclusively by scientists, engineers, academics, and a handful of military personnel, the Internet was viewed by experts mainly as a benign and interesting research project, one with modest and limited application to national security objectives. But in the 1990s, and especially in the past two to three years, the Internet has increasingly been regarded by national security officials as a new playing field for international conflict, a new medium in which national security will take on new forms, and one in which the U.S. government agencies responsible for national security have a growing stake. High officials of the CIA, the National Security Agency, the FBI, the White House, and other, less well-known agencies now believe that the Internet is a "critical national asset" that requires their attention and protection. This may signal a new era in the development of the Internet, equal in importance to its commercial potential. In fact, the commercial use of the Internet may be influenced by national security controversies as much as by consumer response to new Internet applications.

This paper will review this controversy, looking first at the history of the Internet's relationship to national security, then providing an overview of the new landscape now that the Internet is increasingly embedded in "critical national infrastructure." The concept of "infowar," or "cyberwar," will be described, along with the attendant difficulties of assessing computer-based threats to national assets. Finally, the paper will offer some thoughts on what this new phenomenon might mean for the future development of the Internet, what strategies policymakers and technology experts should consider, and what dangers lie ahead for democracy and public policy.

The Internet and the Military in Historical Context

As is common, popular knowledge by now, the Internet was first launched as a research project funded and managed by the U.S. Department of Defense Advanced Research Projects Agency (ARPA) in the late 1960s. In 1983, the Defense Communications Agency split the network into two parts, ARPANET and MILNET, the former for the research community and the latter for nonclassified military communications. ARPANET's name was changed to the Internet, and management was turned over to the National Science Foundation. It was also in 1983 that the network adopted TCP/IP, which was perhaps the most important technical decision in the history of the Internet to date, allowing a vast expansion of the Internet that continues at an amazing rate of growth today.

There is a persistent myth surrounding the history of the Internet that it was designed to "sustain a nuclear attack," and that this was the chief research interest of the Internet's Pentagon sponsors. As described in the definitive history of the Internet, When Wizards Stay Up Late, by Katie Hafner and Matt Lyon, the story that lies behind this myth is somewhat complicated [Hafner and Lyon, 1996].

Paul Baran, a RAND Corporation researcher who joined that Air Force-sponsored thinktank in Santa Monica, California, in 1959, "developed an interest in the survivability of communications systems under nuclear attack," write Hafner and Lyon. "He was motivated primarily by the hovering tensions of the cold war, not the engineering challenges involved. . . . Baran knew, as did all who understood nuclear weapons and communications technology, that the early command and control systems for missile launch were dangerously fragile" [54]. At this time, during the late 1950s and early 1960s, the RAND Corporation was the primary source of strategic thinking for U.S. nuclear policy, and the institution was already heavily dependent on computer technology, producing many of the earliest computer models of nuclear war.

RAND researchers were working on sustainable communications systems before Baran joined their ranks, without much success. It was Baran's theoretical work on distributed networked systems that pointed toward a solution. Baran came up with three theoretical innovations that became fundamental to the development of the Internet: a distributed network, network redundancy, and message disaggregation. This was a radical departure from the then universal model of communications based on centralized switching and open, direct circuits.

Baran's work was understood by only a handful of communications experts in the United States, and it was poorly received by the people in charge of improving defense communications, most of whom came from careers rooted in the more conventional model. He halted his work in 1964, convinced that the agencies responsible for military communications would botch the job even if they adopted his ideas. "So I told my friends in the Pentagon to abort this entire program -- because they wouldn't get it right," he told Hafner and Lyon [64]. Instead, he decided to wait for the right moment, with some different kind of organization.

His opportunity emerged a few years later, when Larry Roberts, one of the ARPA officials in charge of investigating computer networks in the late 1960s, discovered Baran's RAND papers. However, note Hafner and Lyon, "Nuclear war scenarios, and command and control issues, weren't high on Roberts' agenda" [77]. Roberts was intrigued by Baran's theoretical ideas of a distributed network from a purely research point of view. Roberts was also interested in a network that would tie together several of ARPA's chief research sites, universities and other institutions conducting experiments funded by the agency. It was Roberts who laid the first foundations of the Internet, relying on contributions from many different sources, including Baran, who became a consultant to the project.

Thus, while Baran's work was motivated by the goal of building a communications network that could survive a nuclear war, this motivation was only a small part of the flow of ideas that built the technical foundations of the Internet.

Even more important is the fact that the Internet was never linked to any critical military application or system. The Internet never played a role in controlling nuclear weapons, for example. The communications network that connected U.S. nuclear facilities, such as between the North American Air Defense Command in Cheyenne Mountain, Colorado -- the hub of the country's "early warning" system -- and the launch control headquarters of the Strategic Air Command in Omaha, Nebraska, was deliberately isolated from the Internet. The scenario portrayed in the popular movie "War Games," in which a teenage computer whiz taps into the nation's nuclear arsenal from his home computer, was never possible in real life. The Defense Department built its own global communications network, the World-Wide Military Communications System (WWMCs, pronounced "Wimmix"), which shared little with the Internet and was not connected to it; indeed, WWMCs was notoriously unreliable and was eventually abandoned.

For a variety of reasons, the development of the Internet, even when it was funded by the Pentagon, scarcely attracted the attention of military planners or national security officials. In the 1960s and 1970s, ARPA was an agency nearly unto itself, run primarily by and for academic researchers who were distant from military culture. ARPA's character began to change in the 1980s, but in the early days of the Internet, the system was viewed almost universally as a research program, not as a precursor to a communications network tied to national security. In fact, it was this research character that contributed to the ease with which the Internet was absorbed by the civilian sector and now by commercial enterprises. The Internet was not burdened with security classifications, black budgets, or secret technical specifications. And, ironically enough, it was this very openness of the Internet's development that reduced its importance in the eyes of career military officers and high national security officials, who were conditioned to believe that anything significant in their fields must be classified and secret.

In short, while the Internet and the concept of "national security" share common roots in history, they developed along separate and divergent paths. This makes it all the more interesting that these paths are now converging again, but in a way that makes the Internet problematic and even threatening to national security.

The New Intersection of National Security and the Internet

In September of 1997, the President's Commission on Critical Infrastructure Protection released a preliminary report calling for a vast increase in funding to protect eight key elements of U.S. infrastructure: electric power distribution, telecommunication, banking and finance, water, transportation, oil and gas storage and transportation, emergency services and government services.

"These are the life support systems of the nation," said the Commission's chairman, retired Air Force General Robert T. Marsh. "They're vital, not only for day-to-day discourse, they're vital to national security. They're vital to our economic competitiveness world wide, they're vital to our very way of life."

"The Internet provides an access point into all these infrastructures," said Marsh. Commission member John T. Davis, representing the National Security Agency, said the government should develop a secure "Next Generation Internet" for official use.

The commission recommended doubling the current federal R&D budget of $250 million for protecting these systems, with increases of $100 million each year after 1999 to $1 billion per year by 2004.

In February, 1998, U.S. Attorney General Janet Reno unveiled a $64 million plan to build a new "command center" to fight "cyber attacks" against U.S. computer systems. This new "command center" is called the National Infrastructure Protection Center, a Justice Department response to the report from the President's Commission on Critical Infrastructure Protection [Glave, 1998].

These are just some of the more recent and visible results of concern over "cyber war," "infowar," "cyberterrorism," and other, related threats now perceived by law enforcement personnel and national security officials as new and important terrain. And these authorities commonly view the Internet as the "highway" upon which these threats will be borne.

The character of the Internet has been dramatically transformed over the past five years, as everyone knows. What began as a communications network for scientists, academics, engineers, and specialists is now a vast, global, communications medium that rivals the public telephone network, television broadcasting, and even radio. The Internet-using population, worldwide, is now over 60 million people, and Matrix Internet Data Services, an Internet demographic consulting company in Austin, Texas, has predicted that, by the year 2002, there could be more than 700 million people using the network. Senior executives in large telecommunications companies, an industry which is now the largest in the world, routinely report that data traffic will soon surpass voice traffic, and that packet-switched networks, like the Internet, may eventually supersede the circuit-switched telephone network worldwide. The Internet "model," of packet-switching, distributed communication, and unmanned digital nodes, appears to be the bedrock for nearly all future communications.

Of particular importance to those charged with national security is the fact that increasing levels of international commerce are conducted over the Internet, and also increasing levels of government service. International funds transfers, now surpassing a trillion dollars a day, are carried by computer networks. Power grids, banks, government databases, large corporate enterprises, news networks, transportation facilities, and many other essential components of civilized life are increasingly "on the net," delivering services or conducting critical communications over the Internet.

Disruption of such services or communications could someday, it is feared, resemble or approach in severity an actual physical attack such as a military strike or a major terrorist incident. At present, the potential for a computer attack that would produce a major national calamity is controversial. Most computer attacks documented so far have been merely intrusions or annoyances. In many cases, vulnerability to computer attack is shrouded in secrecy or proprietary prudence. In other cases, vulnerability may be exaggerated to enhance the status and commercial value of computer security firms or to improve the negotiating position of government agencies that are seeking more funding or clout.

What is important now, however, is that officials of the U.S. government and experts in the private sector are arguing, persistently, that the growth of the Internet, and its expanding capabilities, combined with the fact that it is increasingly embedded in "critical national infrastructures," makes protection of computers on the Internet a matter of national security. In other words, regardless of the current threat, the future indicates growing vulnerability and thus a growing urgency for protection and vigilance.

Jamie Gorelick, U.S. Deputy Attorney General, told the host of TV's "Nightline" news talk show, Forrest Sawyer, in December of 1997, "My own assessment, Forrest, is that we have a couple of years before there is a really serious threat. We have seen indications in criminal activity, in the plans of foreign nations, in the plans of terrorist groups that lead us to believe that we should be about the process of hardening our computers against attack" [Nightline, 1997].

In yet another irony, what may contribute to the threat of computer attack in the U.S. is the country's unrivaled military superiority. General Marsh said on the same "Nightline" program, "Nobody around the world today would attempt to defeat us on the battlefield. Instead, they will be seeking means to find vulnerabilities in our systems that they can exploit and do serious harm without having to confront us in the conventional armed way of the past."

If the Internet does prove to be a viable means for nations to attack one another, nations capable of such threats will be able to afford a credible threatening status far more cheaply than if they needed vast arsenals of missiles and tanks. A relatively modest investment in the skills of a handful of network trespassers and hackers would become a substitute for immense investments in weaponry. As such, the sources of credible threats could proliferate.

This "new terrain" of computer warfare or cyberterrorism poses some serious and unfamiliar challenges to national security authorities.

First, all forms of warfare in the past have involved a threat to geographically specific assets by equally geographically specific threats -- such as massed armies or ballistic missiles. One of the chief characteristics about computer attacks is their ambiguity in nearly every dimension: it's difficult to ascertain where the attack is coming from, who is behind it, what the motive is, whether it is the work of a determined enemy or merely a curious trespasser, etc. Penetrations that come from trespassers inside the U.S. may not be benign or "domestic." Before the war in the Persian Gulf, for example, there was a report of a U.S. hacker breaking into Pentagon computers and then offering to sell the information to Saddam Hussein (who didn't buy it because he didn't believe it was genuine) [Nightline, 1997].

It's not even clear what the term "cyberwar" describes. If it means an organized and coordinated attack on computer systems by another state government, that may be too high a threshold; it's unlikely we'll see an unequivocal example of this soon, except perhaps by the U.S. attacking an enemy's computers. "Cyberterrorism" may be more likely, but, as in the distinction between war and terrorism by other means, this prospect might call for solutions different than protection from "cyberwar."

If a computer attack were to occur in the midst of some other crisis of national security, says Roger Molander, an expert now at the RAND Corporation, the very ambiguity of the attack may complicate decision-making tremendously. This is a murky world for national security officials.

Second, the United States has historically avoided major military attacks because of its relative isolation from belligerents, a kind of "continental defense." Most of the country's history in military strategy has been to keep conflict as far from the U.S. mainland as possible. But the Internet poses a new dilemma: its global character, and the way it works, allows easy access to almost any networked computer inside the United States, including those running critical systems, from nearly anywhere else in the world. For a determined adversary, there are now millions of entry points to the U.S. heartland, requiring no logistical effort, in contrast to the obstacles facing adversaries in the past.

Third, because of the fact that computer attacks can come from both inside and outside the U.S., and the fact that the origins of such attacks are difficult to identify promptly, jurisdictional controversies and overlap among law enforcement and national security agencies are already rampant. The U.S. has had a long tradition, for fifty years at least, of separating the jurisdictions of agencies responsible for domestic threats from those responsible for foreign threats. If the Internet is factored into their responsibilities, these jurisdictional boundaries are rendered exceedingly vague and arbitrary, leading to confusion and conflicting interests.

Finally, the biggest issue of all: for the most part, in the past, the U.S. military and its national security allies, such as intelligence agencies, have been charged with protecting military assets first, and using these as offensive weapons or deterrents against enemies. In a "cyberwar" scenario, however, conventional military assets will be useless, and there may be no appropriate offensive weapons available. The military and law enforcement and national security agencies are increasingly faced with protecting private assets, such as corporate computer systems, or other information systems far outside the jurisdiction of the federal government. Given the nature of U.S. democracy, the federal government's powers for forcing protection schemes on private companies or other governmental entities are limited. And, as demonstrated by the ongoing debate over encryption restrictions, the government may have interests quite different from those of private companies, especially those that compete in the global marketplace. Indeed, given the evolving nature of global enterprise, it's commonly unclear where a U.S. company stops and a foreign counterpart or partner begins. The Internet does tend to erase national borders, as does global commerce. The U.S. defense establishment has traditionally been able to circumscribe what constitutes a "national asset," but this is getting more and more difficult to do.

For all these reasons, many of which have emerged only in the past half decade, the Internet is a new factor in national security assessment. And, given the significant influence of national security agencies in setting national political agendas, and in shaping technological trends, this new friction between the Internet and national security is likely to affect the way the Internet develops for the foreseeable future. At stake is whether the Internet can retain its democratic, global, and egalitarian features, or whether it will be absorbed into older patterns of national competition for power and status.

Netwar and Threats to Nations

How big a threat to national security is the Internet?

While the question is obvious, the answer, unfortunately, is not. While advancing technology has made assessing all threats to national security increasingly difficult, assessments of the threat of "cyberwar" or "cyberterrorism" via the Internet may be the most difficult of all, for a variety of reasons.

First, of course, the Internet is constantly changing. Indeed, it may be the most rapidly evolving entity in human history. It is difficult, if not impossible, to fix a "moment" on the Internet to make an assessment that would last more than a few weeks, at most. This is very different than assessing other kinds of vulnerabilities or threats, which change or accumulate much more slowly. During the Cold War, U.S. intelligence sources had a reasonably good idea of the capabilities of the Soviet Union, at least in terms of the raw numbers of its military assets. It's difficult to imagine how the same sources could "count" the threat of Russian hackers, for example, some of whom have penetrated deep into the computers of U.S.-based banks, such as CitiCorp in New York. The Internet has also extended and deepened its reach so broadly over the past few years that it's almost certainly impossible for anyone, or any group of people, to "know" everything it touches at any given time. Not only is the system vast, involving tens of millions of computers, but it is characterized by rapid change, contingency, complexity, innovation, and constant "churn," or the birth and death of new features almost overnight. This is, in short, a risk assessment team's worst nightmare.

Next, even if one were able to narrow one's focus to "critical" systems connected to the Internet, there are no public or even readily available data on how vulnerable such systems might be. Defense computers are buried under layers of secrecy and classification, and private companies are not likely to volunteer such information. We typically only hear about computer vulnerabilities after a break-in, and even then we learn little about the incident, and sometimes the descriptions of break-ins are not accurate, either. A New Jersey State Trooper once told the press that a teenage hacker he had arrested was altering the orbital paths of U.S. defense satellites, which was not only untrue but absurd.

People who reveal computer break-ins often have ancillary reasons for such revelations. Responding to a recent rash of reported break-ins in Pentagon computers, Peter Neumann, one of the world's leading computer security experts, told HotWired News, "Perhaps this is a con game. . . . You put out a system with miserable protection and hope that someone breaks it," he said. "Then you can ask for millions of dollars more to perform further palliative protections, rather than getting to the core of the problem -- significantly ratcheting up the security of the infrastructure" [Glave, 1998].

When officials like General Robert Marsh tell the press that the Internet provides access to many, if not all, of the critical infrastructure systems of the United States, it's difficult to assess this claim, except to suspect that he's right. The nature of the problem is one in which it's unlikely that we'll see detailed government reports on the levels and sources of current risks. Accumulating evidence based on anecdotal reports is likely to be the only information available.

Because of the paucity of hard data, and the difficulty of assessing what computer systems are vulnerable because of being connected to the Internet, it is ipso facto difficult to assess whether there is in fact an Internet-related threat that compares to other kinds of threats. Kevin Poulsen, who appeared on the "Nightline" TV program mentioned earlier, and who was described on that program as a "former computer hacker," said, "I've heard so much talk about the coming info war. I'll be more worried when somebody can actually show me a single case of a hacker doing something that malicious. So far they haven't."

He went on, "The most heinous, coordinated, planned-out, conspiratorial, hacker attack imaginable wouldn't come close to a single bombing of a building. Nobody's ever going to die from anything that happens electronically. The government has held me up as an example of a hacker that had reached the very top. If I wasn't anywhere near having that kind of capability, then what reason is there to think that anybody is?" [Nightline, 1997]

Most examples of computer break-ins have been annoyances and cause for alarm, not serious threats to critical systems. Gene Spafford, another computer security expert, likened hacker break-ins to "being pecked to death by ducks. No one of these instances is really serious. ... But if you've got 10,000 people doing that, it's a huge problem" [Glave, 1998].

There have been some worrisome computer attacks, such as the attempt by German hackers to secure classified information and sell it to the Soviets, chronicled in Clifford Stoll's book The Cuckoo's Egg [Stoll, 1989]. There is some evidence that there was an attempt to disable Croatian computers during its war with Serbia, and Croatian security experts suspected Serbian programmers for the attacks, although there was no definitive evidence [Pale, 1998]. The 1989 Morris "worm" that brought down thousands of Internet computers, and the 1998 virus that affected Windows computers on the net, highlighted the vulnerability of the system as a whole. The Pentagon has admitted that its computers have been penetrated hundreds of thousands of times. Federal officials have hinted, in press briefings, that they have classified information about far more serious hacking attempts, successes, or penetration capabilities in other countries. And, of course, the Pentagon is busy building an offensive "info-war" capability of its own [Aviation Week and Space Technology, 1998].

But the overall problem facing national security authorities is that this threat of Internet-based terrorism or attack, however grave it might be, is to date not at all tangible to the average citizen, nor is it likely to become more so in the near future unless a catastrophe occurs for "demo" purposes. Their current strategy is to request vast sums of money to prevent something from occurring, not unlike the Year 2000 problem, which the public also barely understands, if at all.

This is, again, far different from the world of the recent past, in which the threat of Hiroshima in the United States was lodged quite vividly in the minds of most citizens. It's considerably more difficult to persuade the public that there is a large potential for threat to the nation via the Internet, when the entire country is on a big campaign to get everyone online, especially schoolchildren, and there is no obvious way to quantify or even nail down the full nature of the threat. Once again, this is "new terrain" for national security advisors.

As everyone knows, "national security" is largely a game of perceptions, a combination of both real and imagined threats and assets. Even during the Cold War, it was controversial how big a threat the Soviet Union was to the U.S.; this controversy continues even today, nearly ten years after the end of that conflict. So it's not surprising that it is controversial whether there is a national security threat posed by the Internet or whether this is a paranoid frame of mind; or, cynically, whether this is related primarily to institutions hoping to increase their budgets and their longevity. This controversy is fueled by the sparse information available about the true level of risk at hand, especially with respect to "critical" systems. Because we can expect that this dearth of information will continue, the controversy about the nature of the threat will no doubt extend far into the future as well. In the digital era, the very nature of the technology paradoxically makes perceptions more important, because tangible facts are harder to come by.

What do we know? When computer security experts are asked whether Internet-networked computers are secure, their answers are almost always along the lines of "not enough," or "not yet." One might discount such answers as self-interest and still conclude that more needs to be done about computer security. The explanation given by security experts about why we don't do more is that the public has not yet demanded more security for computers, and, without significant public demand, companies are not providing it. It's also expensive and sometimes troublesome to secure a computer and to keep it secure, imposing discipline on users and system administrators who would rather not be disciplined. It is common to hear of people learning about computer security the hard way, in a "trial by fire," absorbing a lesson after something nasty has occurred. Obviously if there is a real threat to national security via the Internet, such lessons are not an adequate substitute for prudent policymaking. It is the job of national security officials to prevent catastrophes, not to say "I told you so."

The vexing issue is how we might feel safer without seriously compromising the best features of the Internet, trampling on democracy, or turning into a surveillance society. These are not new concerns; they were not introduced into public debate by the appearance of the Internet. But they have been made rather dramatically more complicated by the first truly significant supra-national sphere of discourse and politics. They are further complicated by the dual role of national security agencies, which is to both protect national assets and to penetrate the defenses of enemies. It is this dual role, embedded in the traditions and histories of national security agencies, which is at the heart of the intense debates about a possible solution to computer-based threats: widespread digital encryption.

The Internet and National Security Agencies

By now, nearly every federal agency within the U.S. government has some department or division responsible for computer security. But the preeminent agencies of the field are still the agencies charged with national security, such as the National Security Agency, the Central Intelligence Agency, the Federal Bureau of Investigation, and, to a lesser extent, the Justice Department and the Secret Service within the Treasury Department. It is important to acknowledge that it is the character of these agencies, their histories and their other responsibilities that give the subject of computer security in the United States a particular kind of atmosphere, largely that of the military and national security community itself. Thus, the "command and control" model of computer security has tended to dominate the U.S. government's approach.

In 1987, the Computer Security Act of the U.S. Congress apportioned responsibilities for computer security to the National Institute of Standards and Technology (NIST), of the U.S. Department of Commerce, for non-classified computer systems; and to the National Security Agency (NSA) for classified systems. This law was the result of a certain level of alarm, on the part of Congress and civil libertarians, during the Reagan administration because of a pair of White House national security directives that pointed toward NSA control over all computers in the U.S. The Computer Security Act was an attempt to mark a boundary for civilian control of unclassified information systems.

However, since the Computer Security Act the U.S. National Security Agency has worked diligently to regain and secure its supremacy over computer security policy. A 1989 "Memorandum of Understanding" between NSA and NIST shifted power back to NSA, and in 1994 President Clinton issued Presidential Decision Directive 29, which set up the Security Policy Board, which has recommended that all computer security functions for the government be merged under NSA control [EPIC].

At the same time that NSA has attempted to impose its own standards on computer security in the U.S., the Justice Department's Federal Bureau of Investigation has tended to extend its responsibilities beyond domestic law enforcement to international crime, counter-terrorism, and counter-intelligence. While officials of the NSA are largely unknown to the public, FBI Director Louis Freeh is a common face in the news, often called upon to testify and make the government's case for control over encryption and computer security in the name of national security. The 1993 bombing of the World Trade Center in New York City, which was apparently connected to a foreign conspiracy in the Middle East, strengthened the FBI's role in monitoring international terrorism immeasurably. Freeh also points to international drug cartels, new foreign sources of organized crime, the international terrorist activities of so-called "rogue states," the frightening potential for the uncontrolled proliferation of small nuclear weapons, and other threats to make the case that the FBI now has a host of new targets.

These two phenomena of recent years have tended to blur the line between domestic security and national security, a blurring that has produced crises of constitutional protections in the past. But Congress has been persuaded by the federal law enforcement and national agencies. The Intelligence Authorization Act of 1997 states:

. . . elements of the Intelligence Community may, upon the request of a United States law enforcement agency collect information outside the United States about individuals who are not United States persons. Such elements may collect such information notwithstanding that the law enforcement agency intends to use the information collected for purposes of a law enforcement investigation or counterintelligence investigation.

Whitfield Diffie, the co-inventor of public key encryption, and his co-author Susan Landau, in their 1998 book Privacy on the Line, comment: "This wording carefully steers clear of permitting the intelligence community to spy on Americans directly, but opens the way for unprecedented collaboration between the intelligence and law enforcement communities" [Diffie and Landau, 1998, 123].

The boundary-free character of the Internet will likely intensify the merging of conventional law enforcement activities inside the U.S. and the activities of national security agencies. The front line in the debate about this trend is encryption policy. In September of 1997, the U.S. Congress' House National Security Committee voted to strengthen controls on the export of digital encryption, reversing a trend toward relaxing such controls, one of the chief goals of the high tech industry. Committee members cited the warnings they received in "classified briefings" as the main reason for their vote.

Congressman Mike Oxley, a Republican of Ohio, told The New York Times, "I would find it difficult to believe that a member who heard the briefing could walk away not committed to addressing security issues. Frankly, I wish everyone interested in this issue could have heard for themselves the alarming briefing that members of our committee heard" [Wayner, 1997].

Constraints of space prevent a comprehensive or even adequate review of the encryption debate here. In summary, the U.S. government's position is that law enforcement and national security authorities need to retain the ability to intercept and interpret communications, including digital data, in order to fulfill their responsibilities to protect the United States from crime and foreign threats. As such, the federal government has proposed a series of arrangements that have all included the concept of "escrowed keys," meaning the ability of authorized officials to acquire an encryption key to unlock scrambled data. Opponents of this scheme, which is the traditional approach in military cryptography, argue that public key encryption, without escrowed keys, is the only safeguard for privacy and authenticated electronic commerce. These opponents also argue that criminals and foreign adversaries will have no incentive to use encryption with escrowed keys -- i.e., the "key escrow" approach will provide keys to the communications of people who obey the law, while others will have easy access to unbreakable encryption algorithms. The ready availability of public key encryption, argue government critics, means that "the horse is out of the barn" already. Moreover, they point out, the task of security in the computer age is for each person, or each computer administrator, to be responsible for computer security, because the task is too immense and complex for bureaucratic oversight. The argument has been framed as one in which the protective schemes are characterized as a choice between armies or locks, and each of these has its attendant interest group.

While the Congress has been largely sympathetic to and supportive of the federal law enforcement and national security agencies, another front has opened up in the U.S. courts.

In early 1997, in a case heard before the United States District Court for the Northern District of California, Bernstein v. United States Department of State, U.S. District Court Judge Marilyn Hall Patel ruled that national security considerations cannot be used to censor cryptographic schemes on the Internet. Daniel Bernstein, a graduate student, created an encryption algorithm called "Snuffle." After four years of correspondence with the U.S. State Department, Bernstein learned that his source code and all other material about "Snuffle" except a research paper were in violation of export control laws and could not be posted to the Internet. Bernstein sued the State Department, claiming that this ban violated his First Amendment rights. Judge Patel agreed with Bernstein, and wrote a stinging rebuke of the government's position. Patel ruled that computer source code is protected as free speech by the First Amendment, and that the government's attempt to ban such speech amounted to "prior restraint," which is unconstitutional. Judge Patel specifically prevented the U.S. government from using claims of a breach of national security to impose prior restraint on the distribution of encryption source code [Cummins, 1997].

The U.S. government has appealed the Bernstein decision to the U.S. Supreme Court, and it is there that a final ruling is expected. If the Supreme Court upholds Judge Patel's ruling, this may close the encryption debate for the foreseeable future; after such a ruling, all encryption source code could be posted to the Internet without intervention by national security or law enforcement agencies. This would effectively kill the means by which such agencies now control the distribution of non-escrow encryption algorithms. On the other hand, if the Supreme Court overturns the Bernstein decision, this will reinforce the role of national security agencies in shaping the future of the Internet. Because of this, the Bernstein case is being watched very closely by both sides of the encryption debate.

The dispute over encryption has put into stark relief the dual nature of the national security mission: the responsibility of such agencies to protect national technological assets and also retain the ability to intercept and interpret digital communications. In the era of the Internet, these two responsibilities are in conflict with each other, thus posing significant dilemmas to national security officials. On the one hand, these agencies are urging businesses, other government agencies, and individuals to protect their computer data from attack. On the other hand, these agencies seek to control the way these people protect such data in order to protect law enforcement and national security agency access to this data. Not surprisingly, both businesses and individuals are hesitant to implement encryption schemes that require turning over keys to people they don't know or whose motives they don't fully comprehend. Because of this hesitancy, the first mission of the security agencies, that of increasing protection for U.S. computer systems, is stymied.

General Marsh, the chairman of the President's Commission on Critical Infrastructure Protection, has told the press he hopes the dispute about encryption policy is resolved soon, because he believes, with justification, that this ongoing dispute is obstructing the implementation of greater security for computer systems. Members of the commission have hinted at their support for a loosening of encryption controls, but have also leaked the information, to The New York Times, that "they are 'under fairly strict orders' to fall in line with the FBI's push for key recovery" [Wayner, 1997].

Business executives are understandably reluctant to invest in security systems that may be superseded by other technologies or blocked by court rulings. The U.S. federal government's rapid transition from one policy recommendation to another -- such as from DES to the "Clipper chip" to key escrow to "key recovery" -- has not helped foster confidence in the business community. And of course, some influential business organizations, such as the Business Software Alliance (http://www.bsa.org), are allied with civil libertarians and other opponents of U.S. government policy in the case of encryption standards.

Despite the hopes of General Marsh and others, at present the encryption debate in the United States is so polarized that compromise solutions are not visible nor likely to emerge soon. This polarization has been exacerbated by some ideological and political trends in the U.S. Republican conservatives who now control the U.S. Congress are more sympathetic to law enforcement and national security arguments than was true of the Congress just a few years ago. For example, for many years the U.S. House Subcommittee on Civil and Constitutional Rights was chaired by Rep. Don Edwards, a Democrat and a former FBI agent who was highly critical of any law enforcement encroachment on civil liberties. But Congressman Edwards has retired, and conservative Republicans have taken his place as committee chairmen.

Another new phenomenon is the emergence of a new breed of "cyberlibertarians" -- typically young, talented technologists who reject most of the assumptions of the national security establishment. Some of the more radical of these ideologues have argued that the Internet is the beginning of the end of the nation-state, let alone the end of the national security state. This perspective is not just an isolated intellectual discourse, either: the "cypherpunk" movement, for example, has complex and extensive ties to outlaw hackers, most of them young men, some of whom have adopted the intellectual framework of "cyberlibertarianism" as an ideological justification for criminal penetrations of government computers -- casting themselves as "Thomas Paines" of the digital revolution. Such "counterculture" attitudes are widely shared by educated young people all over the world, perhaps a natural attitude of young people rebelling against authority. But when this attitude is combined with the fact that these same people are the most technically adept in the world, and a number of them are affluent or even wealthy because of this skill -- once again, national security officials are confronting a new and alien environment, one dramatically different from eras of the past, when business leaders and skilled technologists were typically undisturbed by the alleged imperatives of national security. Now, when confronting young leaders of the digital revolution, national security authorities are in hostile territory. The end of the Cold War has given new impetus to calls for a dismantling of national security institutions, and the Internet, with its idealistic potential for global communications between planetary citizens, has come along at just the right time to fuel such ideas. Widespread use of phrases like "the digital revolution" and "Third Wave civilization" (lifted from the work of the Tofflers, and adopted by U.S. Speaker of the House Newt Gingrich) reinforces the popular notion that the "information age" entails an overturning of old regimes, including, perhaps, the centuries-old competition between nation states.

For these reasons, in addition to the prosaic clash of interests between the government and pragmatic corporations that are part of a global marketplace, the encryption debate is the leading edge of a much larger philosophical debate about the role of the state in the information age. It is unfair, of course, to characterize national security authorities as "dinosaurs" due for extinction, the way they are characterized by some of the "cyberlibertarians" -- even a small dose of the daily news is enough to convince most people that there are in fact real threats that continue to justify the need for some national security protections. On the other hand, there is no compelling reason to assume that the missions and structures and traditions and size of national security institutions created during the decades of the Cold War need persist into eternity. Many critics of national security agencies argue reasonably and persuasively that the Cold War should be regarded as an anomaly in U.S. history, a struggle that imposed sacrifices in democratic values that need not be sustained or repeated in the absence of a threat equivalent to the Soviet Union. These critics have quite rightly put on the table for debate the question of whether the "national security state" is an essential or necessary political form for nations in the 21st century, particularly in an era in which the Internet is challenging many assumptions and norms inherited from a pre-Internet period, that of World War II and the decades of the Cold War.

It may seem grandiose to suggest that complex technical debates such as those surrounding digital encryption or the prospect of "cyberwar" are the most important political debates of our time. But this is in fact the case. This is not actually all that surprising, when one considers the catalyst of such debates: the Internet itself, one of the most remarkable, promising, and at the same time vexing creations of human enterprise in the history of the world.

What Should We Do?

National security authorities, like everyone else, are confronted with a world far different than the familiar one of just a few years ago -- the tripartite combination of the end of the Cold War, the new intensity in global commerce and competition, and the information revolution has served to upend almost all previous cognitive models about how the world works. National security bureaucracies, of course, are notoriously resistant to change. But they also have many arguments on their side, as new threats have appeared simultaneously with new ways of communicating and doing business.

National security experts are facing several frustrating dilemmas. First is the need to secure U.S. computer systems while retaining some ability to intercept and interpret digital communications. As many people have pointed out, this dual mission may not only be irreconcilable, but the effort may produce some absurdities and unacceptable impositions on people using computers or developing information technologies, particularly software. Peter Wayner, a reporter for The New York Times who wrote about the Security and Freedom Through Encryption (SAFE) bill considered last year in the U.S. Congress, wrote:

The bill would force developers of new software to seek approval for their products from the United States government even if the products did not explicitly include encryption features. Such approval would be the only way to escape prosecution, [a Congressional staff member] said. While admitting that this language would add a six- to nine-month delay in releasing new products, the staff member asserted that the computer industry would simply have to build this time into product development cycles [Wayner, 1997].

Given the life-cycles of computer software today, and the prospect of international competition not burdened by such delays, the imposition of a nine-month delay in releasing software products appears fatally ill-advised. The idea that computer software companies might need to have their products reviewed by the government, like prescription drugs, is also alarming and bizarre; the task would likely prove impossible, not to mention absurd.

Thus the implications of several initiatives by the national security community are so onerous, and so out of touch with the imperatives of the digital economy, that their chances of becoming law in the United States appear to be slim. Lawmakers are loath to alienate national security authorities, but in this case they may have no choice -- the economic health of the United States could be seriously damaged by several of the proposals now on the table.

Moreover, it appears inevitable that uncontrolled public key encryption algorithms will proliferate, despite the resistance of the U.S. government. "Key escrow" systems such as those advocated by U.S. government officials are too vulnerable to compromise, and once keys are released into circulation, all encrypted data is compromised. Public key encryption schemes are already available in a wide variety of products and on the Internet, and there doesn't appear to be much that the government can do about these programs. If the Bernstein decision is upheld by the Supreme Court (and this Court has been consistently vigilant about challenges to the First Amendment), it will be illegal, unconstitutional, to block the distribution of source code, rendering all the efforts at government control moot. It is also significant, of course, that foreign governments do not share the U.S. government position on encryption, which creates a vast "safe harbor" for alternative encryption schemes that, because of the way the Internet works, would be merely a "click away."

The arguments of proponents of public key encryption, such as Diffie and Landau, are generally persuasive. They maintain that communications intercept is a "low-value" activity of law enforcement and national security agencies, and far outweighed by the value of more secure computer systems throughout society. They point out that surveillance of foreign communications is dependent on foreign targets of surveillance agreeing to "escrow" keys with the U.S. government, a rather improbable scenario. Diffie and Landau ask what the consequences would be if policymakers were to "make a mistake" by unregulating encryption.

If cryptography comes to present such a problem that there is popular consensus for regulating it, regulation will be just as possible in a decade as it is today. The laws will change, strong cryptography will not be made part of new products, and the ready availability that government claims to fear will decline again quickly. If, on the other hand, we set the precedent of building government surveillance capabilities into our security equipment, we risk the very survival of democracy [Diffie and Landau, 244].

They go on to say, ". . . government efforts to keep honest citizens from using cryptography to protect privacy continue. Such efforts are unlikely to achieve what governments claim to want, but very likely to cause serious damage to both business and democracy in the process" [245].

Widespread use of public key encryption appears to be the only viable and cost-effective means for truly securing computer systems essential to the functioning of modern society. The task then becomes one of adjusting the roles and activities and "mind-sets" of national security officials to this fact. This needs to be a process of collaborative work, as opposed to the current process that is characterized by polarization, hostility, suspicion and even attitudes that suggest that each side wishes the other side would die off and fade into obscurity. Collaborative work between citizens and national security agencies in the United States is unprecedented, too. There is a long history within such agencies that can be summed up in the phrase, "If only you knew what we know, you'd agree with us." But then, of course, the knowledge referred to is out of bounds, unavailable, secret, incapable of being assessed except by those deemed trustworthy enough to possess such knowledge, which typically means people who already agree with the assumptions of the intelligence and national security communities. This has to change, somehow. The end of the Cold War opens up a historic new opportunity for change.

The U.S. Congress should take the lead. Members of Congress should understand the stakes -- in the case of the intersection of the Internet and national security, the perspective of national security agencies is only one side of the coin, maybe even vastly overbalanced on the other side by the potential damage to business and democracy. Unfortunately, Congress has a history of being cowed and frightened by national security briefings. The Congress needs another leader like Don Edwards, who was not intimidated by officials of the FBI or the CIA. Whether this occurs will remain to be seen; high technology executives need to understand the need for such a leader, even if such a person doesn't agree with other features of the high tech sector's public policy agenda.

The public is not likely to be a major player in this debate. The subjects of national security and technology have always been reserved for elites, and, while this situation may be regrettable for democracy, it should not be expected that it will change soon. Consequently, there needs to be intense work on the part of the business community to persuade the White House and the Congress that the world is now a different place, that the changes recommended by government authorities are dangerous and unworkable, and that business stands ready to cooperate with national security officials in finding new solutions. To a certain extent this is already going on, but the dialogue with national security officials could be improved significantly if their Cold War rhetoric was attenuated or even abandoned.

President Clinton could be the leader this issue needs, but unfortunately he doesn't appear up to the task. He is a President more than usually shaped by the demands of law enforcement and national security authorities -- the Clinton administration has been one of the worst in recent memory for civil liberties in the U.S. The President is also famously averse to friction and confrontation, despite the omnipresence of these qualities during his service. He's probably not going to do anything to alienate either the national security community, upon whose approval much of his stature as a "law and order" President depends, or the high tech community, many of whom helped get him elected. The President's dithering on the issue of encryption may thus set the terms of the debate -- a kind of policy fibrillation -- until someone else holds his office or some other leader finds the means for real breakthrough.

In the meantime, proponents of both sides will continue to find opportunities for strategic advantage. Professional societies like the Internet Society, the Association for Computing Machinery, and IEEE should probably increase their efforts to find a workable solution. They might also consider undertaking efforts to educate the public about what's at stake, such as through sponsored television programs or a national campaign of public debate and community meetings. The high tech industry has every reason to help fund such public outreach efforts.

Finally, professional societies need to do more to educate their members that the most fundamental interests of the computing profession are not primarily about technical issues, but are tied up in public policy controversies. The computer industry has demonstrated time and time again that technical obstacles can be overcome, even with astonishing, disorienting rapidity. What hangs up progress in the information age are social and political controversies that have fewer, if any, black and white answers. People in the computer industry need to become far more sophisticated about policy issues, political participation, and how technology affects basic values in society. For too long, public policy has been considered a field separate from technology, and of only marginal importance. This may be changing, but, if so, it is changing too slowly to keep pace with the issues confronting us now. Other technical and scientific fields, particularly physics, do a much better job of integrating public policy work into their professional activities. There are lessons in the experiences of physicists that might help computer professionals, especially because of the tight coupling of the work of physicists with the field of national security.

Conclusion

The global extension of the Internet -- a natural and predictable development of computer networking -- was destined to clash with traditional principles of national security. Admitting this with the benefit of hindsight, of course, does not relieve the pressures of this clash that exist today, many of which are so vexing as to seem nearly insoluble. Two immense forces of great momentum are at odds: technological progress, which takes a million different forms, emerging from countless points around the world; and national security, the gravest and most fundamental public responsibility of the world's richest and most powerful nation. How the frictions between these forces will be resolved is not yet clear. Neither is likely to go away or even fade in strength.

What seems to be required is a new concept of national security that can accommodate the Internet. This does not have to be a radically libertarian utopia, one in which the nation-state itself withers and dies, as seems to be the hope of some young cyber-activists. Nor does it need to be an accommodation in which national security and police surveillance and enforcement are the rulers of the Internet. Any new accommodation would probably need to take uncontrolled, public key, so-called "strong" encryption for granted, as this seems to be inevitable. National security authorities were once faced with another technological revolution of comparable significance -- intercontinental ballistic missiles with nuclear warheads -- and security policy managed to adjust, for better or worse, to this new technology. The same kind of adjustment will now be required. The "national security state" that was a product of the Cold War may no longer be recognizable in ten or twenty years, but neither will any other institutions of modern society, because of the changes tied to the Internet. Because of this, national security officials need to start thinking in fresh ways. Right now they're on the wrong side of history, as noble as their aims might be.

Gary Chapman is director of The 21st Century Project at the LBJ School of Public Affairs at the University of Texas at Austin.

References

 


Aviation Week and Space Technology, special issue on "Information Warfare," January 19, 1998.

Cummins, Guylyn R., "National Security Alone Can't Be Used To Censor Cryptographic Speech On The Internet," Daily Transcript, March 12, 1997, available at http://www.sddt.com/reports/97reports/iWorld97_03_12/DN97_03_12_ti.html.

Diffie, Whitfield and Susan Landau, Privacy on the Line: The Politics of Wiretapping and Encryption, The MIT Press, 1998.

EPIC, Electronic Privacy Information Center, "The Computer Security Act of 1987," at http://www.epic.org/crypto/csa/.

Glave, James, "Critics Bash Reno's Cyberwar Plan," HotWired News, February 27, 1998, available at http://www.wired.com/news/news/technology/story/10605.html.

Hafner, Katie and Matthew Lyon, Where Wizards Stay Up Late: The Origins of the Internet, Simon and Schuster, 1996.

Nightline (ABC News TV talk show), December 9, 1997. Transcript available at http://www.infowar.com/CLASS_3/class3_011298a.html-ssi.

Pale, Predrag, personal interview with the Croatian Deputy Minister of Science and Technology, Predrag Pale, March 16, 1998, Zagreb, Croatia.

Stoll, Clifford, The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage, Doubleday, 1989.

Wayner, Peter, "Computer Privacy: Your Shield? Or a Threat to National Security?" The New York Times, September 24, 1997.
