To start off the new year, President Clinton announced an ambitious plan to combat cyberterrorism called the National Plan for Information Systems Protection. In the announcement, he said all the right things.
So why am I worried that the plan is a bit off target?
The plan (
) consists of 10 programs. They include figuring out what the critical infrastructure components are, monitoring the Internet to detect intruders who might attack the critical infrastructure components, making sure that law enforcement knows what to do, sharing information on attacks and ensuring that there is a way to react to an attack. The programs also include supporting research on intrusion detection, supporting students who want to go into this area, making sure people understand there is a problem here, passing some new laws, and lastly, ensuring that all of the above do not violate rights of American citizens.
But reading the plan makes it clear that a primary focus is to finish deploying the Federal Intrusion Detection Network (FIDNet) announced last summer. FIDNet is a set of intrusion-detection monitors -- 500 in the first phase -- installed on government networks. Its aim is to determine when systems have come under attack by monitoring network activity. Observers expressed a great deal of concern over FIDNet's impact on individual privacy when the plan was first announced. Since then, the concern has increased with the discovery of Echelon, a worldwide Internet monitoring system operated by the spy agencies of the U.S. and four other countries.
It is all well and good to watch networks to see if resources are under attack, but it would be more effective in the long run to put some effort into actually protecting the resources by making them harder to attack. A primary way of doing this is to increase the use of encryption to protect management protocols and other communications. This new plan does include a timetable that encourages the use of encrypted e-mail within the Department of Defense by 2001 but otherwise ignores the adage that a little prevention can avoid a lot of after-the-fact cure.
It is consistent for this administration, however, to omit encouraging the general use of encryption from its plan. The administration has not yet internalized the fact that the bad guys already have effective encryption and that holding back research on better encryption technology and encouraging its use by the general Internet user just makes it harder to protect the very infrastructure that the administration worries about.
At this stage, the administration's plan does not assuage the worry over FIDNet and does not seem to address in any useful way protecting the Internet infrastructure. Not an auspicious beginning to the century.
Disclaimer: To Harvard, this is just another century, not a big deal. Thus, the above lamenting is my own.
(Bradner is a consultant with Harvard University's University Information Systems. He can be reached at firstname.lastname@example.org.)