Computer underground Digest Wed Jul 10, 1996 Volume 8 : Issue 52 ISSN 1004-042X Editor: Jim Thomas (cudigest@sun.soci.niu.edu) News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu) Archivist: Brendan Kehoe Shadow Master: Stanton McCandlish Field Agent Extraordinaire: David Smith Shadow-Archivists: Dan Carosone / Paul Southworth Ralph Sims / Jyrki Kuoppala Ian Dickinson Cu Digest Homepage: http://www.soci.niu.edu/~cudigest CONTENTS, #8.52 (Wed, Jul 10, 1996) File 1--DOJ calls for "Manhattan Project" to combat "the new cyber threats" File 2--Cu Digest Header Info (unchanged since 7 Apr, 1996) CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION ApPEARS IN THE CONCLUDING FILE AT THE END OF EACH ISSUE. --------------------------------------------------------------------- Date: Sun, 9 Jun 1996 01:04:51 -0500 From: Mike Godwin Subject: File 1-- DOJ calls for "Manhattan Project" to combat "the new cyber threats" [The following document was typed in from a photocopy by Mike Godwin, mnemonic@well.com. Any errors in transcription are his.] NATIONAL SECURITY IN THE INFORMATION AGE Conference at the U.S. Air Force Academy, Colorado Springs, Colorado 29 February 1996 THE HONORABLE JAMIE S. GORELICK, DEPUTY ATTORNEY GENERAL OF THE UNITED STATES Thank you for that kind introduction. I very much appreciate the opportunity to speak with you this evening about national security in the information age. You have brought together a truly remarkable collection of people for this conference. This is precisely the sort of cross-section of government and industry that is needed for us to begin working through the difficult policy questions that must be resolved. In some ways, what we are experiencing today is sort of the "Big Bang" moment in the development of information technology: New technology is virtually exploding onto the scene, with important developments occurring almost daily. With each new technological innovation, there are not only myriad new opportunities for business and new conveniences for consumers, but also new legal and policy issues for national policymakers to confront. And since, as many of you know, Begin Page 2 policy making in Washington is not always lightning-quick, it will not surprise you to learn that the development of technology has to a large degree outpaced our planning and actions. Fortunately, though, this has begun to change. Tonight, I would like to speak with you about some of the important developments that are taking place in Washington concerning national security in the information age. More importantly, I want to underscore the importance of developing and continuing a dialogue between government and industry on these issues. Simply put, no matter what we try to do in Washington, we will get nowhere unless we successfully enlist the assistance and cooperation of the private sector. At the same time, though, The private sector must recognize that a government role is also indispensable. Government and private industry are, in a very real way, interdependent in this area. No workable solution to the myriad problems can be devised by one or the other unilaterally. We have to work together. Begin Page 3 * * * One of the most striking things about the explosion of new information technology over the last couple of years, in this "Age of the Internet," is the way in which that technology is often portrayed as an unqualified "good." The exponential growth of the Internet, the expansion of digital and cellular phone systems, and the proliferation of unbreakable encryption are viewed by some as unconditionally positive developments. Correspondingly, any effort to regulate the use of these new technologies is seen as "bad," as the work of neo-Luddites, and as inevitably doomed to failure. We are witnessing this phenomenon right now in the raging debate over efforts to restrict pornography on the Internet. We saw it last year in the debate over the FBI's effort to ensure that it can continue to conduct legally authorized wiretaps on digital telephones. And we see it, too, in the ongoing effort to develop a national encryption policy, in which we Begin Page 4 seek to encourage the use of strong encryption while protecting the interests that all of us have in effective law enforcement and national security systems. In all of these debates, the decibel level is high. Many critics of government start from the proposition that any involvement by Washington is necessarily bad. In such circumstances, it is difficult even to engage in rational discourse, let alone find common ground. Clearly, we need to step back, take a deep breath, and recognize a fundamental principle for starters: technology is not inherently "good." Nor is it inherently "evil." Rather, it is a tool whose virtue and worth depend on the use to which people put it. Everyone recognizes this simple proposition in the case of nuclear technology. Obviously, that technology can be enormously useful -- if harnessed correctly, it can end our dependence on fossil fuels, satisfy our energy needs, and reduce pollution caused by burning coal, oil, or gas. But it also is potentially evil, if Begin Page 5 it is turned into nuclear weapons used by a rogue state or terrorists to kill innocent people. But this notion of "moral neutrality" is not the universal view when it comes to information technology. It is easy to grasp the potential good of this technology. The spread of the Internet, for instance, can greatly enhance our lives in countless ways: It can connect people across vast distances; it can disseminate knowledge to far-flung corners of the earth; it can spread the message of democracy to people who labor under tyrannical regimes; it can improve our own democratic process by allowing candidates to distribute their message more broadly and cheaply or by permitting the people to make their voices -- and their votes --heard more clearly; it can allow parents to spend more time with their children by "telecommuting"; it can improve our children's education by providing even the poorest school districts with electronic access to our best teachers; and it can improve the lives of our senior citizens by allowing them to communicate with Begin Page 6 relatives or shop without leaving their homes. The possibilities are truly endless. Similarly, strong encryption has the potential for better protecting people's privacy and for increasing our ability to conduct electronic commerce without fear of theft or fraud. But what has too often been ignored is the potential for the new technology to be put to evil uses. Thus, absent regulation, the Internet allows the distribution of child pornography nationwide at the push of a button, without any control over who is exposed to it. Similarly, it can permit much greater invasion of privacy and damage to reputation if private facts about a person, or malicious slander, can be spread so quickly and easily. In the old days, when gossip spread by word of mouth, harm was necessarily limited. But now someone can be "electronically slammed" around the world in minutes. And, the more people begin to rely on the Internet to conduct electronic commerce and everyday communications, the greater potential there is for Begin Page 7 invasion of their privacy as credit companies and service providers acquire vast amounts of personal information about people's purchases, hobbies, interests, phone records, and other details of their everyday lives. In the past, it would have taken weeks of intensive investigation into a person's life to put together a picture of him that can now be developed in minutes. And electronically stored private information - - such as credit or health records -- not only can be accessed quickly, but also can be altered. Encryption, too, can be used for sinister purposes. With the proliferation of unbreakable encryption, law enforcement stands to lose some of its most effective tools against terrorists and organized crime groups. Court-ordered wiretaps that allows us to intercept communications and prevent a terrorist plot are rendered worthless. Stored data files that might hold the key to bringing down an international drug cartel or child pornography ring will be undecipherable, allowing some of the most heinous criminals to go free. Begin Page 8 Just imagine, for a moment, if we found someone who was abusing innocent children to manufacture graphic, hard-core child pornography. Imagine that law enforcement successfully obtained a warrant to search his office for evidence, including his computer files. Imagine, though, that we go to all that effort to catch this criminal, only to find that the list of children that he uses to produce his pornography is encrypted with DES. He's disposed of his only key (or at least he claims he did). No key is held in escrow. Dead end for us. Is this really the type of constraint we want? Unfortunately, this is _not_ an imaginary scenario. This problem is a real one. Or, imagine an employee who encrypts crucial company documents just before he quits the company, leaving the company helpless to access the plain text . Or a widow who finds that all of her deceased spouse's probate files are encrypted, but he did not leave a key. Beyond these examples of potential ill-uses [sic] of information technologies, there are broader social Begin Page 9 problems that are harder to measure, but which we are slowly coming to recognize instinctively. For instance, if people are spending hours on end in chat room, conversing with faceless strangers thousands of miles away, will they spend less time actually talking with their children, their parents and their friends? What will this do to interpersonal relations and children's intellectual and emotional development? And what effect will the Internet have on the nature of communication itself? Anyone who has used e-mail has experienced the misunderstandings that arise so frequently in electronic conversations. Something odd happens, whether it is that people feel more free to discard social conventions like politeness and to be brutally candid when they are looking at a computer screen instead of a human face; or whether it is the lack of tone, intonation or facial expression that accompanies spoken communication and can subtly change the meaning of a person's actual words or signal that someone is only joking; or whether it is the lack of care that goes into messages that someone fires off on Begin Page 10 her keyboard rather than taking the time to think out a handwritten letter. Something happens that simply engenders misunderstandings and hurt feelings more frequently in e-mail than in casual conversations by the water cooler or written letters to friends. We've all experienced this, but we don't quite know what the implications are. The metaphor of the "information Superhighway" has become a cliche by now, but let me invoke it one last time before putting it to rest! Imagine if, at the advent of the automobile, all of the states, as well as individual companies, just started building their own roads all over the place, with no speed limits, no lane markings, no highway patrol or emergency rescue services, no emergency exits, no safety inspections for trucks or passenger vehicles. I think everyone would recognize that this would be a recipe for disaster. But now as we are constructing our "information superhighway," which is a thousand times more complicated than our automotive highway system -- and provides opportunity for much greater damage if abused Begin Page 11 -- many people are telling the government to just get out of the way and let NII develop its own, with no restrictions, nonregulation, no effort even to protect our information infrastructures from attack or abuse. This simply does not make sense. In my view, we really have two choices: We can begin now, jointly, to try to come up with solutions to some of the difficult issues raised by the growth of the information infrastructure in a rational, measured, and prudent way. Or we can wait until a crisis occurs, until some cyber catastrophe suddenly crystallizes these issues in the public's mind and leads to an outcry and a call for immediate government response. But, if history teaches us anything, it is exactly this sort of crisis mode, when the government is pressured to respond to some recent outrage, that we are most likely to overreact and enact bad policy [sic]. Let's try to do it now, while cooler heads prevail; let's work together to come up with solutions that serve the public interests. Begin Page 12 The telecommunications industry, to its great credit, understands this interdependence. As a result, I think the president's national security telecommunications advisory committee -- a joint government-industry body - - has been highly successful in crafting solutions to the particular problems faced by the telecommunications industry. The NSTAC serves as a model, in many ways, for what we need to do for the rest of our industries that rely on the national information infrastructure. * * * Let me now turn to the particular problems posed by the information revolution for our national security. You have heard a lot over the last two days about the growing dependence on the information infrastructure in all sectors of society -- military, political, economic, academic, and cultural -- and about the increasing interconnectedness of all these sectors. The implications for national security are becoming more apparent: as we become more interconnected, we are also Begin Page 13 more vulnerable to attack from many different sources. The information and control systems for our critical industries, for instance, are more vulnerable to penetration and disruption; information can be more easily stolen, distorted, or destroyed; and the very operation of those industries can be brought to a halt more quickly and easily. The issue of how we address our vulnerability to such attacks has often been referred to as a "defensive information warfare." But this term can be misleading. It suggests that the issue is a problem only for our defense establishment, and should be addressed as part of our national defense strategy. Certainly, the military sits on a vulnerable platform consisting of different critical infrastructures. But civil society sits on that same platform. This is therefore also an issue for the civilian world. Every person and institution that is connected to the "information superhighway" is vulnerable to attack, not just those people and institutions involved in our defense mission. Begin Page 14 Moreover, the sources of attacks are not limited to nation states or other foreign powers during times of war. Rather, they can run the gamut, from the disgruntled employee who steals or destroys his employers information out of malice; to the criminal who steals proprietary information for pecuniary gain; to terrorists who seek to cause widespread death or destruction to intimidate or coerce the government; to foreign intelligence agents who want surreptitiously to access or manipulate classified or proprietary information; and, finally, to the hostile state using cyber attacks as an instrument of war. Obviously, not all of these attacks are directly related to defense. All of them are, however, of interest to law enforcement. The statistics illustrate, in broad strokes at least, how the cyber threat is increasing. From 1991 to 1995, the number of Internet hosts increased from approximately 750,000 to over 5 million, an expansion of over 500%. Not surprisingly, over a three-year period from 1991 to Begin Page 15 1994, the number of security incidents reported to the Computer Emergency Response Team (or CERT) at Carnegie Mellon University increased 498%, and the number of sites affected worldwide was up 702%. Recent surveys reinforce the CERT statistics. One survey of 246 companies revealed that the monthly rate of incidents involving the theft of corporate proprietary information rose 260% from 1985-1993. Only 32 of these companies were willing to quantify their losses, which amounted to $1.8 billion. In the other survey, almost one quarter of the 898 organizations queried reported a computer crime within the previous 12 months. And last summer, the Defense Information Systems Agency (DISA), reported that attacks on DOD computer systems had doubled from only the year before and were then running at a rate of two a day. Let me give you a few examples of the types of "cyber" crimes we have seen in recent years to put some flesh on the bones of these statistics. These cases illustrate how vulnerable we already are, both as Begin Page 16 individuals and as institutions, and provide a window into our future. * In 1994, nine people, including an MCI employee, were indicted for a scheme involving a $50-million telephone calling card fraud. Using a sniffer program (which monitors network traffic), they captured and used more than 150,000 calling card numbers. The scheme had been directed by hackers in Germany who then made international calls to attack U.S. computer networks. * A computer hacker broke into files at a bank and a credit union, and then used the information to apply for credit cards in the victim's name. The criminal then used these cards to go on a buying spree. The victim's ability to obtain credit was ruined and had to be painstakingly reestablished. Begin Page 17 Hackers broke into Lawrence Livermore Laboratory computers and used them to store illegal hard-core pornography. Nearly 2,000 megabytes with 1,000 images were found on one Internet-linked computer. * We have seen transmission of child pornography files by e-mail through America Online. * Con artists have used electronic bulletin board systems to hype recently-purchased penny stocks, driving up the price and giving the con artists a profit. For the most part, these attacks appear to come from "unstructured" sources: That is, they are unrelated incursions by individuals or small groups usually seeking to steal information or services or to cause disruption purely out of malice, but with no grand design or organization. In terms of national security, though, the greatest threat will come from "structured" sources: organized crime groups (we have seen instances Begin Page 18 of this), and, more importantly, terrorist organizations, foreign intelligence agencies, and foreign military services. These are the entities whose efforts are the best financed, the most focused, and the most likely to cause widespread damage to our national security by disrupting elements of our infrastructures that depend on the information superhighway. Even for these structured threats, law enforcement plays a critical role. Under Presidential Decision Directive 39, which was issued last summer and sets out the administration's counterterrorism policy, the Department of Justice (through its component, the FBI) is the lead agency responsible for combatting terrorism in the United States. And Executive Order 12333, which has been the guiding instrument for the intelligence community since 1981, designates the FBI as the lead agency for counterintelligence matters. So clearly, law enforcement has an important role in protecting our national security against the new cyber threats. Begin Page 19 Our most immediate concern right now is the terrorist threat. As our society becomes more and more dependent on the information superhighway, we must expand our focus beyond the traditional "physical" attacks by terrorists that we have encountered in the past, and to anticipate and protect against cyber attacks that could cause as great, if not greater, impact as a well-placed bomb. It's not hard to imagine how terrorists could use cyber tools to wreak massive havoc in this country. Consider the World Trade Center case, for example. There was some evidence suggesting that the conspirators in that case intended to cause the tower to collapse, in order to disrupt the financial markets on wall street. That same objective could also be accomplished through an electronic attack on the energy or telecommunications systems that supply lower Manhattan, or on the information systems of the banking and financial institutions themselves. Begin Page 20 The threat is _not_ simply hypothetical. We have already seen attacks on elements of the infrastructure that, although apparently not committed by terrorists, illustrate the vulnerabilities that are present in our information networks, and demonstrate the urgency of our situation. * The pending case involving Citibank is one example. Between June and October in 1994, approximately 40 wire transfers were attempted from Citibank's cash management system through the use of a computer and phone lines from St. Petersburg, Russia, by compromising the password and user identification code system. Citibank was successful in blocking most of the transfers or recovering the funds from recipient banks, limiting its losses. But the potential loss was enormous. Still, imagine what the impact might have been if the intruders' intent was not to steal funds from a few accounts, but to bring down the entire bank's accounting system; or to zero out the Begin Page 21 records of thousands of accounts; or to disrupt several major banks simultaneously. * In 1989, the "Legion of Doom" in Atlanta, Georgia, remotely accessed the administrative computers of Bell South and wiretapped calls and altered phone services. It could have shut down the phone network for the Southeastern United States. * From 1993 to 1995, a man in California gained control of the computers running local telephone switches, and discovered information concerning U.S. government wiretaps conducted pursuant to the Foreign Intelligence Surveillance Act (FISA). He also uncovered a criminal wiretap and warned the target. Now, in part through the efforts by joint industry-government bodies such as the President's National Security Advisory Committee (NSTAC), telecommunications carriers have taken steps to prevent, Begin Page 22 or to minimize and contain the damage from, this sort of attack, in order to avoid the sort of regional disruption threatened by the Legion of Doom. But I don't know anyone who thinks that this sort of disruption is no longer a real possibility. The banking and telecommunications infrastructures are not the only ones that have been affected. * In 1992, a computer intruder was arrested for tampering with the Emergency 911 systems in Virginia, Maryland, and New Jersey in order to introduce a virus and bring down the systems. * Also in 1992, a fired employee of an emergency alert network sabotaged the firm's computer system by hacking into the company's computers, causing them to crash for about 10 hours. During that time, there was an emergency at an oil refinery. The disabled system was therefore unable to alert thousands of nearby residents to a noxious release from the Begin Page 23 refinery. Beyond that, the computer crash potentially jeopardized hundreds of thousands of people in 22 states and 6 areas of Canada where the alert network operated. And, of course, the government itself has not been immune to such attacks. * A computer hacker penetrated computer or phone systems of universities, government departments, and companies. In the U.S. marshals' computer, he found the locations of individual federal prisoners, putting the security of our institutions at risk. He also stole from an air force base a computer access card, which he then sold through the mail. * Finally, a sniffer was introduced into computers of NASA's Goddard Space Flight Center, permitting someone to download a large volume of complex calibration telemetry calculations transmitted from satellites. The Begin Page 24 sniffer remained undetected for an unprecedented length of time. These are just some examples of the cases we've already seen. But they should convey to you the urgency of the situation. Now, some of my colleagues in government think it's best not to discuss such cases, or to speculate about possible terrorist cyber attacks, publicly, for fear of inspiring would-be terrorists to carry out just the sort of attacks we're concerned about. But I think keeping quiet about the problem is the wrong approach. Silence will not appreciably lessen the probability of an attack. We must take it as a given that someone is already scheming. Instead, our main concern should be to get our own house in order and begin constructing our defenses. This means, first and foremost, that we need to raise people's consciousness -- both within the government and in the relevant sectors of industry. This requires that Begin Page 25 we talk about the threat and how to combat it. That is why this conference is so valuable. Second, it means we have to figure out how to organize ourselves within government, and in the private sector, to fight the threat. While the Justice Department is designated as the lead agency for fighting terrorism in the U.S., we do not look at the cyber threat solely as a subset of terrorism. The potential sources of attack are simply too varied. It would be self-defeating to concentrate on protecting against terrorist attacks, but to ignore the problem of hackers, foreign espionage agents, or organized crime groups. Yet, despite the breadth of the problem, right now, there is no single agency, no focal point within the government responsible for protecting against such attacks. In fact, at last count there some 22 agencies and task forces that thought they had responsibility for some segment of this problem. Similarly, while many individual companies have taken steps to secure their information systems, very few industries have begun considering this problem on an Begin Page 26 industry-wide scale. But clearly this problem begs for a comprehensive approach that involves both industry and government in a cooperative effort. So, what needs to be done? Let me set out a roadmap for you, and identify in particular where I think help from industry is critical. _First_, we have to identify our vulnerabilities. This means identifying those components of government and the private sector that, if attacked, would result in the greatest harm to society, on a regional or national scale These are what we have begun calling "critical national infrastructures." We currently break those infrastructures into roughly eight categories: telecommunications; electrical power systems; transportation; water supply systems; emergency services (including medical, police, and fire and rescue services); and continuity of government and government operations. Begin Page 27 We already have a foundation for this effort. Both the Defense Department and the FBI have what they call key asset programs, which consist of databases identifying key assets within each category of critical infrastructures, and containing vulnerability information and emergency points of contact for each key asset. Until now, however, both of these programs have focused on vulnerabilities to _physical_ attack. DOD and FBI have already set out to broaden the focus of these programs to include vulnerabilities to cyber attacks and to coordinate the two databases. In expanding into the cyber area, we will need a lot of cooperation from industry, a willingness to share information with us (on a confidential basis) and to work jointly with us in determining vulnerabilities. The _second_ thing we need to do is identify the scope and sources of the threat. Again, the defense and intelligence communities have been concerned with identifying military and espionage threats in this Begin Page 28 field. But there has been very little effort to assess comprehensively the full range of cyber threats to our infrastructures: who poses a threat? What are their capabilities? What have they done in the past? What are their intentions? This will require a joint effort by the defense, intelligence, and law enforcement communities, combining their data and doing joint analyses. But it will also require cooperation by industry. No analysis can be complete without information about what attacks industry has already experienced, and by whom. On this point, let me say that under-reporting of computer crimes has been a major problem in getting a handle on the nature and scope of the threat. There are two principal reasons for this under-reporting. First, many victims don't even now they are victims. Let me give you one example. The Justice Department handled a case in 1992 involving a hacker intrusion into Boeing's supercomputer center in Seattle. The hacker downloaded encrypted password files and used Boeing's computers to Begin Page 29 run hacker and cracker programs. To its great credit, Boeing reported the intrusion to the FBI and partitioned its system to allow agents to trace the hackers to the source. In the course of the investigation, the FBI soon learned that the hackers had gained access to the entire computer system serving the federal district court in Seattle. In fact, he had obtained the passwords of both the system administrator and a federal judge, forcing the courthouse system to close for a day. Yet, without Boeing's call to law enforcement, the federal court administrator would not have known that an intruder had acquired unfettered access to the court's computers. A second reason for under-reporting is the collateral consequences of reporting. To put it bluntly, there may be a lot of explaining to do -- to managers, customers, regulators, or the public. If it is your job to secure a company's information systems, how eager will you be to confess to people that your defenses didn't work? Banks are a prime example. If Begin Page 30 you are Citibank, you maybe loath to reveal to depositors that their accounts may be vulnerable to electronic theft. Similarly, a telecommunications carrier may not want to publicize that its customers' conversations have been accessed by so-called "phone phreakers." The extent of under-reporting is illustrated by some statistics compiled by DISA. As many of you probably know, DISA tests the security of DOD computer systems by having its tiger teams "attack" the computes using standard hacker methods and tools. Over the course of this program, DISA has accumulated some telling statistics. At last count, DISA tiger teams had successfully penetrated 88% of the computer systems they attacked. More startling, system administrators at the successfully attacked sites only detected 4% of these penetrations. And of the 4 % who discovered the intrusion, only 5% reported it! If you do the math, you'll see that of the 10,000 machines attacked, 8,800 were penetrated, only 352 discovered it, and only 18 reported it. Or put another way, for each report of a Begin Page 31 computer intrusion, there were 490 others that went unreported. The FINAL step, and probably the most difficult, is to figure out how to organize ourselves to address the problem. Again, I believe it is a mistake to think about this problem in compartments: that is, for DOD as a military problem; for Justice and FBI as a terrorism problem; for the CIA and NSA as an espionage problem and for private industry as a white-collar crime problem. The threat is too varied. and the problems too overlapping, to permit such a fragmented approach. We clearly need one focal point in the government to take the lead in addressing this issue comprehensively -- to develop national policy, coordinate the necessary other agencies, and with industry on developing solutions. We need the equivalent of the "Manhattan Project" to address the technological issues and to help us harden our infrastructures against attack. It might be that we can just designate an existing agency to take the lead. Or we may need a new agency or some interagency body to perform the task. Begin Page 32 But some centralized entity is direly needed to push this effort along. Most importantly, though, whatever we decide to do within the government, we need to enlist the private sector to join in this cooperative venture -- not just in assessing vulnerabilities and threats, but in devising and implementing solutions. Simply put, without the participation of the private sector, any effort is bound to come up short. There are several reasons for this. _First_, at the most basic level, most components of the national information infrastructure, as well as the critical industries and institutions that depend on the NII, are in private hands. This means that, absent statutory authority to regulate a particular industry, the government has limited ability to require private companies to take protective measures; it can merely advise industry and urge it to "do the right thing." And even if government convinces industry to take protective measures, there remains the knotty question Begin Page 33 of who will pay for such measures (or for restoration of service after an attack). Although private companies have an obvious financial incentive to take steps to reduce thefts, it is less clear that they are willing to incur the costs necessary to protect their plants or information systems against a purely malicious or terrorist attack. These are issues that need to be worked out by industry and government together. _Second_, private sector involvement in crafting and implementing solutions is needed in order to engender the trust in government that will be necessary to implement any solution. Few people question the need for a government role, at some level, in protecting the physical plant of the nation's critical infrastructures. But the same cannot be said in the information technology arena. The notion of government involvement in this area immediately raises concerns about privacy, economic competitiveness, and protection of proprietary information. The raging debate over the government's encryption policy is just one example. These concerns are not easily reconciled with the interests in national Page 34 security and law enforcement; but to ignore them would render any effort futile. We are currently trying to come up with a framework for addressing all these issues. No decisions have been made yet, so I cannot report to you on precisely where we are headed. But I do know that, in the very near future, we will be reaching out to critical industries to get them integrally involved in the process. I ask you to join us in this vital effort; to sit down with us and share your concerns, your ideas, your skill and expertise, and your energy; and to work with us to begin addressing this problem. There are many skeptics who say that we will have to endure the electronic equivalent of Pearl Harbor or Oklahoma City before the key players in government or industry wake up to the problem of protecting our information and other critical infrastructures from the new cyber threats. The fact that the Olin Foundation and the Air Force are holding this conference, however, and Begin Page 35 have succeeded in getting such a diverse and high-level group of participants disproves this pessimistic view. But we cannot stop here. It is not enough to identify the problem and to talk about it. After this conference, we need to begin taking action. So I ask you to join us in taking those next steps. We need to educate industry about the problem, determine its scope, and create a joint approach to developing solutions. If we in government begin to pause or stumble, prod us or help us up. There will be much resistance along the way; but given the importance of the issue, inaction would be intolerable. Thank you. --------------- ------------------------------ ------------------------------ Date: Thu, 21 Mar 1996 22:51:01 CST From: CuD Moderators Subject: File 2--Cu Digest Header Info (unchanged since 7 Apr, 1996) Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically. CuD is available as a Usenet newsgroup: comp.society.cu-digest Or, to subscribe, send post with this in the "Subject:: line: SUBSCRIBE CU-DIGEST Send the message to: cu-digest-request@weber.ucsd.edu DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS. The editors may be contacted by voice (815-753-0303), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115, USA. To UNSUB, send a one-line message: UNSUB CU-DIGEST Send it to CU-DIGEST-REQUEST@WEBER.UCSD.EDU (NOTE: The address you unsub must correspond to your From: line) Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on RIPCO BBS (312) 528-5020 (and via Ripco on internet); and on Rune Stone BBS (IIRGWHQ) (860)-585-9638. CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome. EUROPE: In BELGIUM: Virtual Access BBS: +32-69-844-019 (ringdown) Brussels: STRATOMIC BBS +32-2-5383119 2:291/759@fidonet.org In ITALY: ZERO! BBS: +39-11-6507540 In LUXEMBOURG: ComNet BBS: +352-466893 UNITED STATES: etext.archive.umich.edu (192.131.22.8) in /pub/CuD/CuD ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/ aql.gatech.edu (128.61.10.53) in /pub/eff/cud/ world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/ wuarchive.wustl.edu in /doc/EFF/Publications/CuD/ EUROPE: nic.funet.fi in pub/doc/CuD/CuD/ (Finland) ftp.warwick.ac.uk in pub/cud/ (United Kingdom) The most recent issues of CuD can be obtained from the Cu Digest WWW site at: URL: http://www.soci.niu.edu/~cudigest/ COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ------------------------------ End of Computer Underground Digest #8.52 ************************************