From: David Farber
Date: 10.30.01

Balancing Security and Liberty

The technology explosion of the past 30 years has complicated both government's role in, and citizens' desire for, privacy. Citizens demand safety while law enforcement believes it needs timely access to information that flows over networks. With the availability of cryptographically sophisticated mechanisms such as public key systems, we have a world where a vast amount of personal and public information streams wildly over digital systems such as the Internet, POTS (plain old telephone systems), wireless, and satellites.

After the tragic attack of September 11th, the Bush administration is calling for, and receiving, increased powers to listen to our conversations, monitor our e-mail, see who and where we visit in cyberspace — all with the stated intention of protecting us from terrorists. I could fill this column with the implications of the mechanisms that have been proposed for aiding law enforcement. As with any legislative mechanism behind which there is so little technical understanding, many of the changes may create greater dangers than they hope to eliminate. I would like, however, to focus on the security of the basic communications infrastructure we count on.

Turtles upon Turtles

The Internet was built in a university research atmosphere where the problems of creating a working system took priority. As the Internet grew, developers had neither time nor energy to address security. Suddenly we had an insecure network underpinning our industrial might and daily lives.

Consider what would have happened if, in addition to the attacks on New York and Washington, a concentrated physical and cyber attack had been made on the Internet. As the people who are technically responsible for the network, we'd better make sure such an atttack does not happen.

One might suggest that we patch the holes to fix the vulnerabilities, but most discussions on Internet security find turtles upon turtles — security problems on security problems. So what do we do? For the current-generation Internet, patches might be the only answer. Or perhaps regulatory authorities should demand Internet-wide management mechanisms. (I suggest this with real hesitation, but it may be the only path). That does not mean, however, that we should not strongly support holistic research attacks on the security issues to see if out-of-the-box thinking can help.

Untangling the Contradictions

We are about to take a dramatic technical step forward in communications technology with the arrival of end-to-end optical communications links. The very speed of these links (~60 Gbytes/wave) and vast number of waves possible demand a new examination of the Internet's structure and of the architectures of computer hardware and operating systems. This is an excellent time to make security fundamental to any real next-generation network. Information security and network resource protection must be a requirement, not an option.

I started this column talking about the privacy implications of 9/11 with respect to law enforcement. I close with a plea for end-to-end security for future networks. These might seem like contradictory aims, but they both seem to be requirements in the post-9/11 world. The technical community must provide the research needed to understand the nature of the contradictions and to find the path forward. It is equally important that we involve ourselves in continuing efforts to preserve liberty as well as safety.