13 April 1997
Source: http://www.dtic.dla.mil/defenselink/pubs/di97/di1202.html

[Defense Issues banner]

Information security can determine whether the United States simply rides the third societal wave passively or maximizes opportunities the information age offers. The results might be very different.

Volume 12, Number 2

Information Security in a Third Wave Society

Prepared remarks by William P. Crowell, deputy director, National Security Agency, at the National Information Systems Security Conference, Baltimore, Oct. 25, 1996.

The emergence of communications and computer networks offers us tremendous opportunities for changes that will benefit mankind. However, contemplate for a moment a future in which there are no secrets. Imagine a situation where almost everything about you that you consider private can be discovered by anyone -- your spending habits, your school report cards, your medical history. Imagine an environment in which there are no business secrets -- intellectual property is unprotected, market strategies are known by your competitors, and corporate weaknesses are known to all.

This in not the kind of future I want to see. A society without information safeguards would be harmful to the privacy of U.S. citizens, the competitiveness of U.S. business and ultimately the national security of our nation. So let us consider the tremendous challenges that this nation must address to ensure a smooth transition to an information-based society.

Futurists Alvin and Heidi Toffler describe society's evolution in three "waves": agriculture-based, industry-based and information-based. They maintain that today's leading powers have evolved from agrarian nations into industrial ones, and now, many of the industrial nations are evolving into information societies. The United States has prospered within the first two waves and is certainly on the forefront of the "third wave." In fact, many believe that the prospects for the U.S. in the information society of the 21st century are far greater than what we experienced as a nation during the industrial wave of this century.

Information security, or the lack of it, has the potential to determine whether we simply ride the third wave to see where it takes us or maximize the opportunities that the information age offers us. The results might be very different.

I'd like to see the robust development of INFOSEC, and with it INFOSEC professionals, to help the country surf the third wave -- that is, help establish information security policies, products and services that become ubiquitous, inexpensive and easy to use. Information security will be a deal maker as we transition to an information-based society. This transition won't be an easy task.

My agency has long played an important role in implementing INFOSEC to produce the safeguards that control our nuclear arsenal [and] enable our military commanders and policy makers to communicate securely anywhere in the world. But the expansion of networks and information technology beyond the traditional government and the military sectors into the global business network means that industry will lead the way into the information age. Information technology and information services dominate domestic business sales and are already a leading export. But many of these commercial information products and services are not proliferating as they otherwise might because of their lack of security.

For example, consider electronic commerce. Inexpensive information technology, ubiquitous networking, public key encryption, the needs of customers and the imperatives of business competition make electronic commerce inevitable. However, despite its huge potential, electronic commerce has grown remarkably slowly, primarily because of the lack of security needed to instill confidence in its use. INFOSEC is paramount for the successful implementation of electronic commerce. The net without security takes us back to the days of the telephone party line.

The White House recently defined a policy initiative that is designed to accelerate the growth of cryptography as a security enabler. Some believe the administration's initiative is about key escrow and export controls, but in the broadest sense, the initiative deals with the preparations we must make as a nation to use information technology to its full potential by implementing the proper security protocols.

The administration policy transcends the key escrow issue. It focuses on the more fundamental question of key management infrastructure. In other words, it is an attempt to create an environment in which an international framework will grow to support the use of strong encryption to protect private, business and government interests. Although it will be difficult to move this initiative from concept to reality, it is critical that we do so, and quickly.

To provide security in a networked environment, we will need to resolve a complex and interrelated set of issues pertaining to trust, scalability, liability and risk, availability of service and public policy.

Let me give you a sense of the level of trust in our systems today. According to a survey by Ernst and Young [accounting firm] and Information Week [magazine] released in early October 1996, 71 percent of the 1,300 senior information executives surveyed expressed lack of confidence in the security of their computer networks. Over three-quarters had experienced losses within the past two years due to problems with information security, computer viruses and disaster recovery.

There is much more to the issue of trust than a good encryption algorithm. Without an effective security infrastructure to implement it, an encryption algorithm value is comparable to that of a bank vault door on a cardboard box.

` Trust in a system begins with the encryption algorithm and goes far beyond. Trust encompasses not only the strength of the encryption algorithm but the integrity of those who:

• Issue the public key certificates that vouch for your identity and the identity of those with whom you deal;
• Build the directories that allow others to know how to communicate securely with you; and
• Assist you if you believe your encryption key or certificate has been compromised or lost. Can we build that level of trust into an infrastructure big enough to support electronic commerce on a global basis? The answer to that is, "We must!" Encryption has little chance of being used to its full potential, here or overseas, until such a trusted international framework is in place.
  How do we scale up to a global system while maintaining trust? Many of us have experience building limited segments of a management infrastructure for a business, a business sector or a part of the government.
  The National Security Agency and the Department of Defense have a great deal of experience in building security infrastructures for critical functions like nuclear command and control and military operations worldwide. We are currently building the key management infrastructure to support 2 million users of the Defense Messaging System to provide e-mail and browser services to DoD users, but we have yet to tackle the issue of support for electronic commerce with the 860,000 vendors who do business with the Department of Defense.
  The complexity of these efforts pales in comparison with putting together a key management infrastructure for all applications -- private, public and military -- in a global, networked environment. Unanswered questions abound in this area. For example:
  
• Who defines what constitute a trusted issuer of certificates?
• How do we limit authorities of certificate users?
• Are we ready to certify all users for all applications and all types of transactions?
• Are we ready to crosscertify from any nation? All nations?

In order to use certificates with confidence, that is, the way we use paper currency and signed contracts today, we will need to track the certificate authorities globally and with complete trust. Making trust scalable will be one of the most difficult challenges of the information age.

What happens when something goes wrong, for example, when a user trusts the infrastructure, follows its procedures and loses information or money? Whose fault is it, and who makes good the loss?

Risk is inherent in networking. With the best of precautions, in a networked environment some risk will always remain. With information technology advancing dynamically, today's effective solution will be obsolete tomorrow. The situation is made more difficult by the competitive imperatives driving us toward electronic commerce. Electronic commerce cannot wait until the perfect infrastructure is put in place.

The next stage of electronic commerce takes risk to a new plane. It must protect billions of transactions ranging from simple credit card purchases to large-scale electronic transfers of funds and proprietary information.

To use networks we must accept some risk and manage it. Part of risk management will require us to take a hard look at the issue of liability. How do we set limits on liability while maintaining trust?

Another challenge we face with the increased dependency on computers and communications technology is network availability. Consider the medical community's use of information technology for telemedicine. Using the network in the field of medicine has tremendous potential to globally unite specialists and patients. It can, literally, be a life saver. But the users of telemedicine's information technology must be able to count on its availability. Denial of service is unacceptable.

We are now in a national discussion on how to balance the interests of individuals' and businesses' privacy with society's public safety interests in law enforcement and national security. How we resolve this dichotomy will shape the structure we build to implement our security solutions, an infrastructure that will have key management as its foundation.

If we overemphasize public safety and security, we risk a world with too much government access at the cost of individual privacy. If we overemphasize the privacy issue, we risk a world with perhaps too many secrets -- for example, a world in which terrorists, organized crime and hackers acquire secure command, control and communications capabilities with a degree of privacy formerly available only to advanced military forces. Both of these extremes are unpalatable. We need to strike a balance that provides adequate protection for both individuals and businesses and for society as a whole.

As a matter of public policy, the administration is pursuing the establishment of a key management infrastructure with a feature called key recovery. One of the fundamental questions on this issue is whether to include a key recovery feature. Key recovery would add complexity and arguments have been advanced to support proceeding without it. There are, however, three very good reasons for designing key recovery into the key management infrastructure.

First, key recovery is good business practice. It protects information from loss by allowing users to regain access to their encrypted data when encryption keys are lost or corrupted. Key recovery is analogous to systems administrators recovering forgotten passwords or individuals maintaining spare house or desk keys for emergency use.

This goes back to the trust issue. Key recovery will help ensure the availability of information and systems by avoiding lockout and by guaranteeing authorized access to information, thus increasing the level of trust in the security system.

Second, key recovery makes it possible for law enforcement, with proper authorization, to be able to access the keys. This is an essential component of a solution that protects the public interest. There is a clear societal interest in preventing cyberspace from developing into a sanctuary for global, instantaneous and secure centers of operations for criminals, terrorists and rogue nations.

Finally, key recovery may prove essential in making encryption scalable on an international basis. We are not the only country wrestling with the public safety implications of unbreakable cryptography. France, Israel and Russia recently imposed import and domestic use restrictions. Several Asian, South American and African countries have had similar restrictions in place for years. Others may impose them as strong cryptography proliferates.

For many overseas, as well as here, the logic of the need to balance business imperatives with public safety concerns argues for key recovery. The European Union and other confederations are considering key recovery-based KMIs. The world's major standards bodies are designing future standards so that key recovery can be accommodated.

International standards and protocols for key recovery may prove essential to hand off national restrictions on strong encryption, to promote a broad export market for cryptography and to establish a key management infrastructure acceptable for general international use. This would accelerate the realization of the promise of information technology, and that would be in everyone's best interest.

Working in partnership, government and industry together need to lay the foundation necessary to sustain and strengthen information security for America. I wish to emphasize that the infrastructure for key management will be built by industry as a commercial venture. This task is huge. Collaboration among many partners will be essential if we are to establish a KMI that promotes the use of encryption worldwide.

Information security is essential to successfully navigating the information age. We must build the foundation components of trust, risk and liability, scalability, availability and policy which must accompany encryption to build real security into system. INFOSEC professionals will play a critical role in making this a reality. We are facing a tremendous challenge during the transition to an information society, and we can only succeed by working collaboratively to keep ahead of the breaking crest of the third wave.

Published for internal information use by the American Forces Information Service, a field activity of the Office of the Assistant Secretary of Defense (Public Affairs), Washington, D.C. Parenthetical entries are speaker/author notes; bracketed entries are editorial notes. This material is in the public domain and may be reprinted without permission. Defense Issues is available on the Internet via the World Wide Web at http://www.dtic.mil/defenselink/pubs/di_index.html.