Transcription of Information Security’s Changing Threatscape
I recently had a conversation with William P. Crowell, former Deputy Director of the National Security Agency (NSA), about the Changing Threatscape of information security. I've known him for a number of years and because of his extensive professional background, his perspectives are always extremely insightful.

Crowell's involvement in security started in 1962 while working for the NSA. There, he held a series of senior positions over several decades within operations, strategic planning, research and development, and finance. In early 1994, he was appointed as the Deputy Director of NSA and served in that post until his retirement in late 1997. Few individuals have had such an extensive exposure to information security.
As if several decades with the NSA weren't enough, he continues to be involved in information security in numerous roles in the private , he is an independent consultant specializing in information technology, security and intelligence systems.

BC: How did you get involved in information security at the NSA?

WC: While working as an intelligence officer for the NSA performing intelligence on information systems, I began to learn a lot about Information was a particular project that acted as a turning point for me and that set me on the information security path. I was asked to put some very sensitive information into a new computer system and I began asking questions about how well protected the system was.
This was during the 1970s, and I was assured that the information would be protected as well as any information possibly could because the system used very strong wasn't very convinced by that, so I asked for permission to test the system and that night I was able to gain access by simple password guessing. Then I found a file containing the passwords for all the other systems. From that point on, I always looked at problems from the perspective of both an attacker and a :It's interesting how passwords were a fundamental flaw in security then and many would argue that passwords are still one of the weakest links in information security today?

WC: It has not changed very is ever really a new :Obviously there are many stories that you won't be able to share, but is there one that really exemplifies the importance of strong Information :Back at the NSA in the 1970s, I ran a program that has since been declassified.
The program was codenamed VENONA and it involved successful attempts by the United States to exploit the Soviet's KGB and GRU encrypted communications between 1943 and 1948. The exploitation went on for a very long time with the last message being read in 1980. What was unique about the Soviet communication encryption was that it was double-encrypted material. It had been encoded with a two-part code and then encrypted with a one-time pad. One-time pads of course are essentially random numbers that are generated once and used once, and if they are used properly it is impossible to read them irrespective of computing power.

BC: It sounds like the Soviets used their encryption correctly. Where was the breakdown?
WC: What we presume happened was that the bureau that produced the pads, under pressure during WWII, had decided to reuse the pads for another user besides the KGB and GRU. They used it for the Soviet Trade Organization. But, they were clever. They reversed the numbers on some pages and reversed the order of other pages to try and disguise the fact that they reused the of the reuse, the analysts were not only able to break through the enormous mathematical difficulties of the one-time pad, but one linguistic genius on the team was able to substitute in his head all of the code values that had been used across all of the messages that had been broken before and figured out the codebook.

BC: That's amazing; so what was the net of this program?
WC: In the end 2,900 messages were read. The first message read, Ethel age 32, two children, is the wife of Antenna. Antenna was the cover name for Julius Rosenberg.

BC: Julius and Ethel Rosenberg, the Americans executed for working for the KGB and giving the Soviets nuclear weapons secrets?

WC: Yes, and the entire situation was known from the very first message read, and that's why there was so much controversy because some of the information that proved their guilt was not releasable because it was still classified.

Information Security's Changing Threatscape
A Conversation with William P. Crowell, Former NSA Deputy Director
NETWORK INSIDER | 36 | IT DEFENSE | DEC/JAN

BC: What is the most fundamental change in security you've seen since circa 1960?

WC: The principal change is that we've gone from communication security, protecting information in transit, to information security in a networked world where accessing information isn't just through a radio communication path, but through the network itself.

in the days of communication security, you might have had some amateur radio operators that intercepted some Morse code, but nothing nearing the numbers of today's script , Information system attacks perpetrated by organized crime, drug cartels and terror networks are here today, but they are hard to separate from each other without detailed investigations. Think of this as a Venn diagram where each group is independent yet at some point they overlap each other. This is why it is hard to definitively claim that an attack was motivated by a terror organization or an organized crime group. All these groups need to raise money to finance their agendas, and cyber crime is certainly an attractive alternative, partly because it requires so little in terms of resources. It has reduced risk and is relatively anonymous when compared to more traditional crimes like robbing a bank.

BC: We've talked a bit now about threats from the outside, what are your thoughts on threats perpetrated by insiders such as trusted employees with legitimate access to Information ?

WC: Malicious insiders have always been a problem; they are not new. What is new is that we've given them more keys to the kingdom. Insiders have greater access because businesses are network-based and broad access to critical assets is desired to make the business more efficient and effective. Businesses simply don't provide the same level of security for information assets that they do for their physical assets. For example, a business doesn't leave money sitting around; they put it in a safe. But most organizations leave information assets more :Speaking of physical security, what do you think about convergence, physical and logical security coming together? Is it really just a matter of time before these two disciplines have some level of integration?

WC: Convergence can be driven by a number of different variables. Before the Internet as we know it today, there were mainframe networks that I worked on that were simple, direct connections to IBM mainframes and other large computers of the day using terminal today use Ethernet and TCP/IP and allow us to connect very large numbers of PCs, servers and mainframes and don't require the expensive interconnection technology like those in the past. The Internet has allowed us to develop low cost network elements: routers, switches, wireless, and so on. This is creating a revolution in how we access consider video five years ago, all video cameras were connected via some type of analog connection. Now IP-based cameras are $200 instead of $2000 and the encoding is MPEG4 which uses about 1/3 the bandwidth needed before. So now we have a much more flexible, inexpensive solution that also allows for digital processing. We