A conversation with techno-security specialist Dorothy Denning.
Dr. Dorothy E. Denning is professor of Computer Science at Georgetown University and director of the Georgetown Institute for Information Assurance. Her current work encompasses the areas of cybercrime, information warfare and assurance, and the impact of technology on society. She is author of numerous publications, including her latest book, Information Warfare and Security (Addison Wesley). She is an ACM Fellow and recipient of the National Computer Systems Security Award, the Distinguished Lecture in Computer Security Award, and the TechnoSecurity Professional of the Year Award.
UBIQUITY: Let's start by talking about Carnivore, which has been much in the news lately. As you know, people who think of themselves as civil libertarians are highly critical of the FBI and law enforcement agencies for putting out such a wide net, watching the traffic of everybody in order to deal with presumably relatively few criminals. What's your answer to that?
DENNING: Well, I don't view Carnivore as putting out a wide net at all. In fact, I see it as the contrary. What it's being used to do is to pick out the stuff that only pertains to the criminal investigation and to the subject of investigation. Everything else is discarded.
UBIQUITY: Is it broad-based in the sense that, unlike a wiretap, which goes to a particular target's phone line, it watches the traffic of the wide world as that world turns and passes by?
DENNING: Not really. Carnivore only scoops up the traffic that passes through the filter, whether e-mail or Web traffic. For all practical purposes, it's as though it never even saw anything else -- because it's not viewed by any human, it's not retained, and it's not sent anywhere. It's effectively not intercepted.
UBIQUITY: Then are you surprised by all the criticisms?
DENNING: No, because, for one thing, there are a significant number of people who are opposed to wiretaps to begin with and this is another form of wiretap. People are also concerned that the tool might be misused. And they are concerned that the legal standards for intercepting e-mail headers are inadequate. I should mention that even the Justice Department has recommended tightening up of the legal regime to bring Internet intercepts up to the same standard as for telephone conversations. That's good.
UBIQUITY: Do you feel that the FBI is essentially correct in thinking that it's been losing ground against criminals and terrorists who have become increasingly sophisticated in the use of information technology?
DENNING: Well, I don't know if it's losing ground, but it certainly needs to keep up with technological advances. It can't just watch new technologies roll out and say, "Well, we'll just let that go. Score 1 for the bad guys."
UBIQUITY: What do you think is the most misunderstood aspect of the tussle between law enforcement and civil libertarians? What do people fail to understand?
DENNING: Well, that's a difficult question. I think there's a basic disagreement over the value of doing intercepts. People in law enforcement believe that intercepts are essential for certain kinds of investigations, whereas people who are opposed to them argue that they are invasive of privacy and not worth the cost or risk of abuse.
UBIQUITY: So you think it's mainly a cost-benefit analysis?
DENNING: That is certainly a large part of the debate.
UBIQUITY: Is the concern over potential abuse justified?
DENNING: Historically, there have been cases of abuse, and when that happens everyone wants to do something to prevent it from ever happening again.
UBIQUITY: What's an example of some bad things that resulted in a lot of legislation in this area?
DENNING: The wiretaps against Martin Luther King and the NSA intercepts of allegedly subversive Americans in the '60s. These led to substantial revisions in the laws and procedures governing wiretaps, including the introduction of the Foreign Intelligence Surveillance Act and the establishment of Congressional oversight. The whole legal and operational framework is different now.
UBIQUITY: Well, what is the general state of law enforcement right now, in terms of the Internet? What is this Cybercrime Convention that's being talked about?
DENNING: It's sponsored by the Council of Europe. I think the objective is to bring all the countries up to the same level of standard with respect to computer crime laws. Right now, many countries don't have basic computer crime laws, so they are safe havens for certain types of activity. The Cybercrime Convention is trying to get everybody on track with the same basic sets of laws and to establish mechanisms for cooperation on cases that cross borders.
UBIQUITY: Any major controversies?
DENNING: Some people are concerned with Article 6 of the convention, which relates to cyberweapons, or what the convention calls "illegal devices."
UBIQUITY: Defined how?
DENNING: These are software tools for committing cybercrimes, which the convention describes as crimes against the confidentiality, integrity, and availability of data. Article 6 calls for signatories of the convention to make the production, distribution, and possession of cyberweapons a crime under certain conditions. The concern is that this could interfere with the development and use of cyberweapons for legitimate reasons, including research and security. Many hacking tools are also used for defense.
UBIQUITY: What do you think of worries that some corporations are misusing consumer information?
DENNING: It's a legitimate concern. People don't want to have information about them collected in the first place, and when it is, they don't want it going to some other party without their consent.
UBIQUITY: What about mailing lists themselves? I mean, no particular information about a person other than that the person is on a mailing list? Do you think that's sharable, or is that just as bad?
DENNING: People are concerned about the sale of mailing lists. They don't want to get more junk mail and they don't want third parties knowing their affiliations. Companies need to respect that.
UBIQUITY: What are you personally focused on now, besides the cyberweapons control issues we talked about a little while ago?
DENNING: I've been looking at hacktivism and also at general trends in technology and how they're impacting information security.
UBIQUITY: Tell us what hacktivism is.
DENNING: It's basically the joining of hacking with activism, where you've got people hacking for a cause. They might deface a Web site with political messages. Or they might stage a Web sit-in and get thousands of users from all over the world to visit a target Web site all at once, using software that generates lots of traffic against the site. It's not usually as bad as a denial of service attack, but it certainly can degrade service.
UBIQUITY: Is hacktivism becoming a big problem?
DENNING: I don't know if it's becoming a huge problem yet, but there certainly is more of it going on now than there was before. I think the existence of the Web has stimulated a lot of it, since with the Web you basically have a global billboard on which to post your messages and get worldwide attention.
UBIQUITY: What can be done about it?
DENNING: Where the acts are crimes, it needs to be addressed the same way you would address any kind of computer crime, starting with security defenses so you will not be a victim. You also need good laws.
UBIQUITY: On the subject of laws, there are various laws that apply to copyright, which seem to be widely ignored now, especially in music distribution carried out through facilities such as Napster and Napster lookalikes. A lot of people in technology either openly or implicitly support what Napster and others are doing on the grounds that technology is more important than allegedly obsolete copyright laws. What are your thoughts on that?
DENNING: I think it's important to respect copyrights. Of course, Napster, in and of itself, is a tool that can be used without violating copyright, just as a Xerox machine can be used without violating copyright. I don't approve of using any technology to violate copyright. I think that today especially (and in the future even more so!) when so much of the economy is based on knowledge and information, we need mechanisms such as copyright to protect our intellectual property.
UBIQUITY: Do you think the champions of copyright law are losing the battle against technology?
DENNING: I wouldn't say they're losing the battle -- I think there certainly is a battle. I just don't know. It's a hard issue.
UBIQUITY: But you don't particularly sympathize with those people who think that "information needs to be free"?
DENNING: No, because information doesn't have a mind of its own. What those people are basically saying is they want that information, but they don't want to pay for it. If all information were free, the economy would collapse.
UBIQUITY: This kind of idea seems unique to the Internet. What are your general views on the new culture -- the Silicon Valley and Internet cultures? Do you think they're something to worry about or simply to rejoice in?
DENNING: Well, I think the culture is becoming more diversified as more and more people get on the Net -- almost everyone is on the Net now. The culture of the Internet is more and more reflecting the general culture of the population, of course tempered by the technology.
UBIQUITY: Do you think that's good or bad, or both?
DENNING: I think it's great. The Net is a lot more useful and fun than it used to be.
UBIQUITY: You don't join those who worry about the so-called over-commercialization of the Internet?
DENNING: Absolutely not. It's that very commercialization that has brought new things to the Net that weren't there before. The old stuff is still there, but now there are also all kinds of great new opportunities, such as online shopping. I think that's great. It's fantastic that I can just go to a Web site and, for example, order books from Amazon and not have to run off to a bookstore.
UBIQUITY: Have you found yourself running into a reasonably large number of people who resent Amazon and other such companies?
DENNING: There certainly are people who don't like the commercialization of the Internet. But the commercialization is what has led to the Internet's amazing growth and vitality. If it hadn't been for business getting onto the Internet, the network wouldn't be as pervasive as it is today. We wouldn't be as well-connected.