Terminal Compromise


by Winn Schwartau


  "I for one would be most interested," said Senator Deere. "It appeared that this morning our speakers assumed we were more knowledgeable than we are. Any clarifications will be most welcome." The crowd agreed silently. Much of the history was cloaked in secrecy.

  The distinguished Ted Hammacher was an accomplished orator, utilizing the best that Washington diplomatic-speak could muster. At 50 years old, his short cropped white hair capped a proper military bearing even though he had maintained a civilian status throughout his Pentagon associations. "Thank you madam chairman." He glanced down at the well organized folder and turned a page.

  "Concerns of privacy can be traced back thousands of years with perhaps the Egyptian pyramids as the first classic example of a brute force approach towards privacy. The first recorded attempts at disguising the contents of a written message were in Roman times when Julius Caesar encoded messages to his generals in the field. The Romans used a simple substitution cipher where one letter in the alphabet is used in place of another. The cryptograms found in the Sunday paper use the same techniques. Any method by which the contents of a message are scrambled is known as encryption."

  The CNN producer maintained the sole camera shot and his attention on Ted Hammacher. He missed Senator Rickfield and his aide reappear on the dais. Rickfield's eyes penetrated Nancy Deere who imperceptibly acknowledged his return. "You should not overstep your bounds," Rickfield leaned over and said to her. "You have five years to go. Stunts like this will not make your time any easier."

  "Senator," she said to Rickfield as Hammacher spoke. "You are obviously not familiar with the procedures of Senate panel protocol. I was merely trying to assist the progress of the hearings in your absence, I assure you." Her coolness infuriated Rickfield.

  "Well, then, thank you," he sneered. "But, now, I am back. I will appreciate no further procedural interference." He sat up brusquely indicating that his was the last word on the subject. Unaware of the political sidebar in progress, Hammacher continued.

  "Ciphers were evolved over the centuries until they reached a temporary plateau during World War II. The Germans used the most sophisticated message encoding or encryption device ever devised. Suitably called the Enigma, their encryption scheme was nearly uncrackable until the Allies captured one of the devices, and then under the leadership of Alan Turing, a method was found to regularly decipher intercepted German High Command orders. Many historians consider this effort as being instrumental in bringing about an end to the war.

  "In the years immediately following World War II, the only perceived need for secrecy was by the military and the emerging intelligence services, namely the OSS as it became the modern CIA, the British MI-5 and MI-6 and of course our opponents on the other side. In an effort to maintain a technological leadership position, the National Security Agency funded various projects to develop encryption schemes that would adequately protect government information and communications for the foreseeable future.

  "The first such requests were issued in 1972 but it wasn't until 1974 that the National Bureau of Standards accepted an IBM proposal for an encryption process known as Lucifer. With the assistance of the NSA who is responsible for cryptography, the Data Encryption Standard was approved in November of 1976. There was an accompanying furor over the DES, some saying that the NSA intentionally weakened it to insure that they could still decrypt any messages using the approved algorithm.

  "In 1982 a financial group, FIMAS, endorsed a DES based method to authenticate Electronic Funds Transfer, or EFT. Banks move upwards of a trillion dollars daily, and in an effort to insure that all monies are moved accurately and to their intended destinations, the technique of Message Authentication Coding was introduced. For still unknown reasons it was decided that encrypting the contents of the messages, or transfers, was unnecessary. Thus, financial transactions are still carried out with no protection from eavesdropping."

  "Excuse me, Mr. Hammacher, I want to understand this," interrupted Senator Deere. "Are you saying that, since 1976, we have had the ability to camouflage the nation's financial networks, yet as of today, they are still unprotected?" Rickfield looked over at Nancy in disgust but the single camera missed it.

  "Yes, ma'am, that's exactly the case," replied Hammacher.

  "What does that mean to us? The Government? Or the average citizen?"

  "In my opinion it borders on insanity. It means that for the price of a bit of electronic equipment, anyone can tap into the details of the financial dealings of banks, the government and every citizen in this country."

  Senator Deere visibly gulped. "Thank you, please continue."

  "In 1984, President Reagan signed National Security Decision Directive 145. NSDD-145 established that defense contractors and other organizations that handle sensitive or classified information must adhere to certain security and privacy guidelines. A number of advisory groups were established, and to a minimal extent, the recommendations have been implemented, but I must emphasize, to a minimal extent."

  "Can you be a little more specific, Mr. Hammacher?" asked Senator Deere.

  "No ma'am, I can't. A great deal of these efforts are classified and divulging who is not currently in compliance would be a security violation in itself. It would be fair to say, though, that the majority of those organizations targeted for additional security measures fall far short of the government's intentions and desires. I am sorry I cannot be more specific."

  "I understand completely. Once again," Nancy said to Hammacher, "I am sorry to interrupt."

  "Not at all, Senator." Hammacher sipped from his water glass. "As you can see, the interest in security was primarily from the government, and more specifically the defense community. In 1981, the Department of Defense chartered the DoD Computer Security Center which has since become the National Computer Security Center operating under the auspices of the National Security Agency. In 1983 they published a series of guidelines to be used in the creation or evaluation of computer security. Officially titled the Trusted Computer Security Evaluation Criteria, it is popularly known as the Orange Book. It has had some minor updates since then, but by and large it is an outdated document designed for older computer architectures.

  "The point to be made here is that while the government had an ostensible interest and concern about the security of computers, especially those under their control, there was virtually no overt significance placed upon the security of private industry's computers. Worse yet, it was not until 1987 that any proposed criteria were developed for networked computers. So, as the world tied itself together with millions of computers and networks, the Government was not concerned enough to address the issue. Even today, there are no secure network criteria that are universally accepted."

  "Mr. Hammacher." Senator Rickfield spoke up for the first time. "You appear to have a most demeaning tone with respect to the United States Government's ability to manage itself. I for one remain unconvinced that we are as derelict as you suggest. Therefore, I would ask that you stick to the subject at hand, the facts, and leave your personal opinions at home."

  Nancy Deere as well as much of the audience listened in awe as Rickfield slashed out at Hammacher who was in the process of building an argument. Common courtesy demanded that he be permitted to finish his statement, even if his conclusions were unpopular or erroneous.

  Hammacher did not seem fazed. "Sir, I am recounting the facts, and only the facts. My personal opinions would only be further damning, so I agree, that I will refrain." He turned a page in his notebook and continued.

  "Several laws were passed, most notably Public Law 100-235, the Computer Security Act of 1987. This weak law called for enhanced cooperation between the NSA and NIST in the administration of security for the sensitive but unclassified world of the Government and the private sector. Interestingly enough, in mid 1990 it was announced that, after a protracted battle between the two security agencies, the NCSC would shut down and merge its efforts with its giant super secret parent, the NSA. President Bush signed the Directive effectively replacing Reagan's NSDD-145. Because the budgeting and appropriations for both NSA and the former NCSC are classified, there is no way to accurately gauge the effectiveness of this move. It may still be some time before we understand the ramifications of the new Executive Order.

  "To date every state has some kind of statute designed to punish computer crime, but prosecutions that involve the crossing of state lines in the commission of a crime are far and few between. Only 1% of all computer criminals are prosecuted and less than 5% of those result in convictions. In short, the United States has done little or nothing to forge an appropriate defense against computer crime, despite the political gerrymandering and agency shuffling over the last decade. That concludes my opening remarks." Hammacher sat back in his chair and finished the water. He turned to his lawyer and whispered something Scott couldn't hear.

  "Ah, Mr. Hammacher, before you continue, I would like to ask a few questions. Do you mind?" Senator Nancy Deere was being her usual gracious self.

  "Not at all, Senator."

  "You said earlier that the NSA endorsed a cryptographic system that they themselves could crack. Could you elaborate?" Senator Nancy Deere's ability to grasp an issue at the roots was uncanny.

  "I'd be pleased to. First of all, it is only one opinion that the NSA can crack DES; it has never been proven or disproven. When DES was first introduced some theoreticians felt that NSA had compromised the original integrity of IBM's Lucifer encryption project. I am not qualified to comment either way, but the reduction of the key length, and the functional feedback mechanisms were less stringent than the original. If this is true, then we have to ask ourselves, why? Why would the NSA want a weaker system?"

  A number of heads in the hearing room nodded in agreement with the question; others merely acknowledged that it was NSA bashing time again.

  Hammacher continued. "There is one theory that suggests that the NSA, as the largest eavesdropping operation in the world, wanted to make sure that they could still listen in on messages once they have been encrypted. The NSA has neither confirmed nor denied these reports. If that is true, then we must ask ourselves, if DES is so weak, why does the NSA have the ultimate say on export control? The export of DES is restricted by the Munitions Control, Department of State, and they rely upon DoD and the NSA for approval.

  "The export controls suggest that maybe NSA cannot decrypt DES, and there is some evidence to support that. For example, in 1985, the Department of Treasury wanted to extend the validation of DES for use throughout the Treasury, the Federal Reserve System and member banks. The NSA put a lot of political muscle behind an effort to have DES deaffirmed and replaced with newer encryption algorithms. Treasury argued that they had already adapted DES, their constituents had spent millions on DES equipment for EFT and it would be entirely too cumbersome and expensive to make a change now. Besides, they asked, what's wrong with DES? They never got an answer to that question, and thus they won the battle and DES is still the approved encryption methodology for banks. It was never established whether DES was too strong or too weak for NSA's taste.

  "Later, in 1987, the NSA received an application for export of a DES based device that employed a technique called infinite encryption. In response to the frenzy over the strength or weakness of DES, one company took DES and folded it over and over on itself using multiple keys. The NSA had an internal hemorrhage. They forbade this product from being exported from the United States in any form whatsoever. Period. It was an extraordinary move on their part, and one that had built-in contradictions. If DES is weak, then why not export it? If it's too strong, why argue with Treasury? In any case, the multiple DES issue died down until recently, when NSA, beaten at their own game by too much secrecy, developed a secret internal program to create a Multiple-DES encryption standard with a minimum of three sequential iterations.

  "Further embarrassment was caused when an Israeli mathematician found the 'trap door' built into DES by the NSA and how to decode messages in seconds. This quite clearly suggests that the government has been listening in on supposedly secret and private communications.

  "Then we have to look at another event that strongly suggests that NSA has something to hide."

  "Mr. Hammacher!" shouted Senator Rickfield. "I warned you about that."

  "I see nothing wrong with his comments, Senator," Deere said, careful to make sure that she was heard over the sound system.

  "I am the chairman of this committee, Ms. Deere, and I find Mr. Hammacher's characterization of the NSA as unfitting this forum. I wish he would find other words or eliminate the thought altogether. Mr. Hammacher, do you think you are capable of that?"

  Hammacher seethed. "Senator, I mean no disrespect to you or this committee. However, I was asked to testify, and at my own expense I am providing as accurate information as possible. If you happen to find anything I say not to your liking, I do apologize, but my only alternative is not to testify at all."

  "We accept your withdrawal, Mr. Hammacher, thank you for your time." A hushed silence covered the hearing room. This was not the time to get into it with Rickfield, Nancy thought. He has sufficiently embarrassed himself and the media will take care of the rest. Why the hell is he acting this way? He is known as a hard ass, a real case, but his public image was unblemished. Had the job passed him by?

  A stunned and incensed Hammacher gathered his belongings as his lawyer placated him. Scott overheard bits and pieces as they both agreed that Rickfield was a flaming asshole. A couple of reporters hurriedly followed them out of the hearing room for a one on one interview.

  "Is Dr. Sternman ready?" Rickfield asked.

  A bustle of activity and a man spoke to the dais without the assistance of a microphone. "Yessir, I am."

  Sternman was definitely the academic type, Scott noted. A crumpled ill fitting brown suit covering a small hunched body that was no more than 45 years old. He held an old scratched briefcase and an armful of folders and envelopes. Scott was reminded of the studious high school student that jocks enjoy tripping with their feet. Dr. Sternman busied himself to straighten the papers that fell onto the desk and his performance received a brief titter from the crowd.

  "Ah, yes, Mr. Chairman," Sternman said. "I'm ready now." Rickfield looked as bored as ever.

  "Thank you, Dr. Sternman. You are, I understand, a computer virus expert? Is that correct?"

  "Yessir. My doctoral thesis was on the subject and I have spent several years researching computer viruses, their proliferation and propagation." Rickfield groaned to himself. Unintelligible mumbo jumbo.

  "I also understand that your comments will be brief as we have someone else yet to hear from today." It was as much a command as a question.

  "Yessir, it will be brief."

  "Then, please, enlighten us, what is a virus expert and what do you do?" Rickfield grinned menacingly at Dr. Les Sternman, Professor of Applied Theoretical Mathematics, Massachusetts Institute of Technology.

  "I believe the committee has received an advance copy of some notes I made on the nature of computer viruses and the danger they represent?" Rickfield hadn't read anything, so he looked at Boyers who also shrugged his shoulders.

  "Yes, Dr. Sternman," Nancy Deere said, "and we thank you for your consideration." Rickfield glared at her as she politely upstaged him yet again. "May I ask, though, that you provide a brief description of a computer virus for the benefit of those who have not read your presentation?" She stuck it to Rickfield again.

  "I'd be happy to, madam Chairwoman," he said nonchalantly. Rickfield's neck turned red at the inadvertent sudden rise in Senator Deere's stature. For the next several minutes Sternman solemnly described what a virus was, how it worked and a history of their attacks. He told the committee about Worms, Trojan Horses, Time Bombs, Logic Bombs, Stealth Viruses, Crystal Viruses and an assorted family of similar surreptitious computer programs. Despite Sternman's sermonly manner, his audience found the subject matter fascinating.

  "The reason you are here, Dr. Sternman, is to bring us up to speed on computer viruses, which you have done with alacrity, and we appreciate that." Rickfield held seniority, but Nancy Deere took charge due to her preparation. "Now that we have an understanding of the virus, can you give us an idea of the type of problems that they cause?"

  "Ah, yes, but I need to say something here," Sternman said.

  "Please, proceed," Rickfield said politely.

  "When I first heard about replicating software, viruses, and this was over 15 years ago, I, as many of my graduate students did, thought of them as a curious anomaly. A benign subset of computer software that had no anticipated applications. We spent months working with viruses, self cloning software and built mathematical models of their behavior which fit quite neatly in the domain of conventional set theory. Then an amazing discovery befell us. We proved mathematically that there is absolutely no effective way to protect against computer viruses in software."

  Enough of the spectators had heard about viruses over the past few years to comprehend the purport of that one compelling statement. Even Senator Rickfield joined Nancy and the others in their awe. No way to combat viruses? Dr. Sternman had dropped a bombshell on them.

  "Dr. Sternman," said Senator Deere, "could you repeat that?"

  "Yes, yes," Sternman replied, knowing the impact of his statement. "That is correct. A virus is a piece of software and software is designed to do specific tasks in a hardware environment. All software uses basically the same techniques to do its job. Without all of the technicalities, if one piece of software can do something, another piece of software can un-do it. It's kind of a computer arms race.

 
