The following text is copyright 2000 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.

Why does this feel wrong?

By Scott Bradner

To start off the new year President Clinton announced an ambitious plan to combat cyber-terrorism called the "National Plan for Information Systems Protection." In the announcement he said all the right things, so why am I worried that the plan is a bit off target?

The plan (at http://www.whitehouse.gov/WH/EOP/NSC/html/documents/npisp-execsummary-000105.pdf) consists of 10 programs. The programs include figuring out what the critical infrastructure components are, monitoring the network to detect intruders that might attack them, making sure that law enforcement knows what to do, sharing information on attacks, making sure that there is a way to react to an attack, supporting research in intrusion detection, supporting students who want to go into this area, making sure that people understand there is a problem here, passing some new laws, and lastly, making sure that all of the above do not violate rights of American citizens.

But reading the plan makes it clear that a primary focus is to finish deploying the Federal Intrusion Detection Network (FIDNet) announced last summer. FIDNet is a set of intrusion detection monitors, 500 in the first phase, installed on government networks. Its aim is to figure out when systems have come under attack by monitoring network activity. There was a great deal of concern expressed over FIDNet's impact on individual privacy when it was first announced and, since then, the concern has increased with the discovery of Echelon, a worldwide Internet monitoring system operated by the spy agencies of the U.S. and four other countries.

It is all well and good to watch the net to see if resources are under attack, but it would be more effective in the long run to put some effort into actually protecting the resources so that they are harder to attack. One primary way of doing this is to increase the use of encryption to protect management protocols and other communications. This new plan does include a timetable which has the use of encrypted email being encouraged within the Department of Defense by 2001, but otherwise ignores the adage that a little prevention can avoid a lot of after-the-fact cure.

It is consistent for this administration to leave encouraging the general use of encryption out of their plan. They have not yet internalized the fact that the bad guys already have effective encryption and that holding back on research on better encryption technology and encouraging its use by the general Internet user just makes it harder to protect the very infrastructure they worry about.

At this stage the administration's plan does not assuage the worry over FIDNet and does not seem to address in any useful way protecting the infrastructure. Not an auspicious beginning to the century.

disclaimer: To Harvard, this is just another century, not a big deal, thus the above lamenting is my own.