Sub: Information Systems Security Update, # 96-14

End of Year Musings

1. If the debate over "trusted systems" in the 1980s frequently became an exercise of wasted time and effort in the information systems security world, then the current debate over "cryptography" appears to be similarly an incredible diversion from meaningful solutions to identifiable challenges. Those who may remember the slogan "C-2 by 92" in the discussion of trusted systems will perhaps now entertain the possibility that there was a solution in search of a problem. In some cases it was even a non-solution, particularly as one began to address protection mechanisms for the potential threat from malicious code. At a certain point I had begun an "underground" campaign to promote "B-2 by 2002", but had to drop it when people thought I was serious. The reality was that those leading the debate had narrowly focused on one aspect of information systems security. The parallel in the on-going cryptography debate is that once again the dominant voices have narrowly focused the discussion. Rather than encourage organizations to immediately adopt some type of cryptography to address known vulnerabilities and weaknesses, the policy direction is to restrict all but the "officially sanctioned". While Pretty Good Privacy (PGP) could be a part of the information systems security solution for many government organizations, we instead await the "ultimate" hardware solution. Ironically the major emergency response teams continue to use PGP for a variety of purposes.

2. If trusted systems and cryptography are visible components of the solution, a major component remains in "stealth" mode: namely, the personnel infrastructure to support information systems. Rarely is there meaningful effort to recruit, to train, and to retain those who manage our information systems. While as a system administrator I occasionally have been heard to remark on "bad" days that "systems administration would be a great job if it were not for all those users", ultimately those who manage our systems hold our fates in their hands. All the technology in the world is of little value if the administrator is untrained and unmotivated.

3. The Institute of Land Warfare published a paper, number 23, in February 1996 entitled "Nonlethal Technology and Fourth Epoch War: A New Paradigm of Politico-Military Force" by Dr. Robert Bunker and Dr. T. Lindsay Moore. While any title with the word "paradigm" usually irritates me, I overcame my prejudice and found the paper worthwhile. The authors propose future "force options" will include a "multitasking virus", a "computer virus weapon", and a "sleeper virus" among other software options. The Institute of Land Warfare's telephone number is 1-800-336-4570 or 703-841-4300, extension 320. Pony Express delivered the paper to my location just in time for Christmas.

[Disclaimer: Information Systems Security Updates represent the opinions and views of the author (mcdonalc@wsmr.army.mil), not his employer. Recipients are free to quote all/parts of the ISSU with credit/blame to the author.]