Dorothy Denning has never been shy of sounding off about society's use of
technology. This widely quoted Georgetown University professor of computer
science was once dubbed the "Clipper Chick" because of her vocal support of
the controversial Clipper encryption proposal. That policy measure, which
was ultimately scuttled, would have allowed the U.S. government access to
keys that could decipher any message encoded by the system.

Despite her unpopular stance on encryption, Denning's dedication to
security nonetheless earned her respect, even from her opponents. Today,
she is considered an expert in encryption, hacktivism and emerging trends
in cyberterrorism.

Do you think we are headed in the right direction to protect the Internet?

I generally think we are headed in the right direction. I would not myself
want to see a heavier hand placed on it. Generally, there is a business
case for implementing a certain level of security for risk management, and
companies are taking reasonable precautions to protect their systems.
That's what we want. I don't think we want a heavier hand demanding that
more resources be put on it than are perhaps justified by the risk.

A lot of computer users are leaving themselves open to attacks because they
have unsecured machines. How reasonable is it to believe users will be able
to defend themselves and not become a liability to national security?

What we have to hope is that over time, products that ship from Microsoft
and others offer a sufficiently high level of security and a simple means
for keeping it in that state. It's got to be much simpler for people to
deal with than it is right now.

What's the future for Internet security?

We don't have 100 percent physical security right now, which is why we had
snipers running around Washington knocking people off. What we have to come
to recognize is that cyberspace will be the same way. We need to learn to
manage that risk and not fool ourselves into thinking we can eliminate it.

Do you think the onus of liability should be put on the ISPs (Internet
service providers) to take care of security for their users?

That's a hard question, because once you start formalizing where we are
going to put liability, the question starts coming up of who's going to pay
for it. Almost anywhere you put it, the costs are going to end up coming
back to the users of the technology.

If the ISPs are liable, they are going to have to get insurance to cover
that liability, and they are going to have to increase their rates, and so
the users are going to pay more for that service.

It's a similar kind of thing if you push the liability back onto the
vendors. Microsoft is going to have to insure their products, and that will
make the products a lot more costly. The liability issues are difficult
ones that are perhaps best worked out first in the courts rather than
trying to legislate it some way.

Do you think we will need the equivalent of a driver's license for people
who put Web servers on the Internet?

I think it is a difficult question. Driving is a life-and-death matter.
When you get on the road, it is not only important that you are competent
to drive, but that other people on the road are competent to drive. And
because of that life-and-death matter, we can all agree to driver's licenses.

On the Internet, it is still not a life-or-death thing. It is not clear
what requirements you want to demand of people who are providing services
on the Internet.

To some extent, if an ISP is not offering a sufficient level of security,
it is not going to stay in business very long. It is going to get shut
down, it is going to be hacked, and it is not going to be able to sustain
its business. And that may be a sufficient way of dealing with it.

How do you stand on the whole idea of cyberterrorism?

I wouldn't call any of it cyberterrorism, and I don't see any of that
happening in the very near term. We are having a lot of cyberattacks, and
they are indeed costly and serious, but they are not terrorist attacks.

What kinds of attacks are considered terrorism?

(Their intent) would have to (be to) cause serious injury or harm to
people, (most often) with physical consequences, but at least (with) very
severe economic consequences. And it would have to be done for the purposes
that terrorist acts are conducted for. This is generally political and not
for the purpose of robbing a bank--that's not terrorism. Extortion is
generally not terrorism; someone is trying to make money off of you.

Do you think recent anti-terrorism laws, such as the USA Patriot Act, are
too broad?

I think that intent has to be taken into account when we paint things as
terrorism, like we do with other kinds of acts. The snipers' actions in
Washington don't fit the usual definitions of terrorism in that they
weren't politically motivated. However, they certainly did terrorize people
in this area.

The concern that the Washington snipers caused is a great deal more than
anything you will find on the Internet?

Oh, yes. Way more. When lives are at stake, it's a whole new ballgame over
anything that is happening on the Internet. That said, when you look at the
Internet down the road, and you realize how computers are being embedded in
all sorts of technology--including in automobiles--(you see) the potential
for a computer attack to have deadly consequences increases.

Formula One race cars, for example, are radio-controlled from the pit so
that instructions can be input or issued and (so) affect how the engine
operates. If somebody can hack that kind of system, they can potentially
cause things to happen that can lead to death. So cyberattacks could have
more physical consequences down the road.

What are the issues you have been working on?

One is trying to understand how activists are using the Internet, and
(another) how terrorists are using the Internet. I'm still getting a little
into cyberterrorism, and whether that is real. Another is location-based
security, particularly something we call "geo-encryption," which is
encrypting so that information can only be decrypted at a particular location.

And most recently, I've been writing about what I'm calling the cyberspace
security infrastructure, which is all the industry laws and procedures and
everything that has evolved over the years to address the security threat.
http://news.com.com/1200-1120-975427.html