Hard Security Problems

Hard Network Security Problems

Hard Cryptographic Security Problems In Our Strategic Network Infrastructure

By Roy D. Follendore III

October 22, 2003

The class of truly hard technical network security issues that we face as a society include the resolution of difficult communication problems related to content. These are so difficult because they demand much more than logical solutions. They require rational decisions before logical solutions can become useful. For instance, we live in a dynamic society where changes in the reins of authority and responsibility within organizations can determine the strategic security our society. Fixed hard wired diagrams of how authority is to be achieved is out of sync with the realities of the ways that critical issues arise and are resolved. The distributed content that people may need one day may not be the same as they may need in another. It is irrational to withhold data, information and knowledge from those who at critical moments should be the decision makers. For this reason the technical leaders of our nation need to begin to understand the reasons why we have been using the wrong tool set.

Our lack of security and confidence in our strategic infrastructure does not arise out humanity's lack of understanding of mathematics. The state of our knowledge and scientific use of mathematics is sound. Nor does it arise from a simple problem of logical connectivity; we know how to do that well enough. In fact our current capabilities in cryptography are mathematically based. Moreover, the only real means that we currently have to control connectivity problems is through the use of cryptography. It is not the connection but the cause and effect relationship between effective control and management of content within cryptographic science that must be expanded.

The trouble we now face is that cryptography as we understand it by federal policies and guidelines effectively prevents the scientific philosophy of the field from evolving. It prevents the casting a new potential as to what cryptography can and must become if we are going to solve the kinds of complex problems that we are faced.

The principle problem within our current national network infrastructure is our inability to maintain the quality, integrity and security of data, information and knowledge content. All data, information and knowledge is time sensitive and there is risk which is assumed when that information is prevented from being appropriately used. Locking up essential files containing data, information and knowledge within highly secured networks minimizes the availability of relationships of content that might otherwise be present. The is one of the problems of content aggregation that can not be managed with current state of cryptographic technologies. This engineering problem is a matter of consistently delivering quality of content that must arrive to human beings just in time. This is a metric that must be measured with respect to both individual and organizational efficiency and effectiveness. There are currently no real metrics for describing this critical relationship and therefore no measure of security.

The reason for this begins with the nature of mathematics itself. Mathematicians proved to themselves that mathematical logic is incapable of solving all classes of problems. Unfortunately because this fact has was has not been widely understood, there exists the false assumption that mathematics can accomplish anything. As every grade school student is taught, mathematical logic is founded on axioms and postulates which govern how numbers may be used and referenced. It is a rigid framework. This means that the structure of mathematical logic excludes the degrees of freedom necessary to manage the complex real world problems in security that we must face. Inferential methods are not limited by such mathematical exclusions.

In spite of this fact, cryptography continues to be rigidly defined by our Government in terms of "purely" algorithmic mathematical solutions. We continue to produce efficient cryptographic algorithms that can not produce effective security results.