INTERVIEW: Bill Crowell, Cylink's NSA link
The networked future demands security
William P. Crowell, a former deputy director and chief operating officer of the National Security Agency, found the transition to working in industry easy at information security company Cylink Corp. of Sunnyvale, Calif., where he is president and chief executive officer.
'This is not the first time I've been out of government,' Crowell said. 'I'm loving it. I enjoy getting out and talking to customers. The feedback process for what you're doing and how you're doing is a little more immediate in private industry.'
Crowell joined Cylink in 1998 as vice president of product management and strategy and became president later that year. He joined the company's board of directors early this year.
Before his work at NSA and Cylink, Crowell was a vice president of Atlantic Aerospace Electronics Corp. of Greenbelt, Md. He holds a bachelor's degree in political science from Louisiana State University.
Susan M. Menke, GCN's chief technology editor, interviewed Crowell by telephone.
GCN: Which government agencies does Cylink Corp. work with on security issues?
CROWELL: Cylink produces commercial security products for electronic business, and the government is working quickly to convert to e-business. We're engaged with a number of agencies to secure their backbone communications: the Treasury and Justice departments, the FBI and others that are trying to secure their networks for all their business.
In most cases, the work is under long-term contracts with systems integrators. The purchases are essentially commercial purchases from us. It's not the usual kind of contractual arrangement.
GCN: Are agency security needs getting more intense in view of Web site hacking and denial-of-service attacks? How bad is it?
CROWELL: In today's networks, everything is connected to everything else. There are no borders and no barriers to anyone who wants to try to bring down a network by denying service, a popular and costly kind of attack, or by hacking or destroying information, either on a Web site or inside the network.
It's a growing problem that's going to continue to grow until the right kinds of protections are put in place, protections that provide an umbrella around the network and strongly authenticate internal users and somehow protect against service denial from outside.
GCN: You're speaking of public-key infrastructure authentication?
CROWELL: PKI is a fundamental piece of building secure systems. It provides the digital certificates necessary for strong authentication and encryption. We built the PKI for the Postal Service that forms the basis for its growing e-businesses. Most people have heard of online PC postage. That's an example of a new service that's being enabled by trustworthy cryptography, the foundation of which is PKI.
PC postage is sold by various vendors and is intended for small-office and home markets. But anyone can use it if it's beneficial. You create value on your ink-jet printer by printing an indicia that's backed up by the PKI and lets the Postal Service verify authenticity.
GCN: How will PKI work in a wider environment?
CROWELL: The token likely will be a smart card, which carries not only your digital certificate but also an encrypted version of your private key. You can use the smart card no matter where you are: with your notebook computer, at your desktop or with someone else's computer if it has a smart-card reader.
You can tie security to applications and to your identity. You can protect health records, motor vehicle records and digitally signed documents. My own smart card is a Cylink identification card. It lets me use my computer securely, and it also has a proximity chip that lets me unlock the doors around the office.
GCN: What's holding up smart-card adoption?
CROWELL: There's a huge installed base of magnetic card stripe readers for credit cards. They would have to be replaced by smart-card readers, so for that single use, there's a delay in favorable economics. What we're seeing now are larger areas where smart cards can be used for more than one application. That will drive interest in them, but it has been a slow start.
GCN: The readers cost how much, $25 apiece? Why aren't they popping up in new PCs?
CROWELL: Primarily cost and some security issues. Cylink has a patent on a method of protecting the personal identification number from the CPU, which increases the security of the reader.
The cost issue is about to have a breakthrough. The cards cost about $10 apiece in quantity, affordable if it can be leveraged not only to increase security but also to reduce fraud.
This would pay for itself if you could use it to reduce fraud.
GCN: Vinton Cerf, one of the founders of the Internet, has said banks would be the logical distributors for smart cards that could also be used for medical records and so on. Do you agree?
CROWELL: I think we're about to see that happen. There's a new standard for smart cards intended to be used by banks. Again, it's a question of how soon the current infrastructure is traded out.
More importantly, this is the basis for network protection. It allows secure Internet transactions with a nonrepudiable digital signature that protects both the merchant and the individual. Think of all the procurement activities government agencies carry out by paper or fax or other nonsecure, costly processes. If they were replaced by electronic transactions, it would reduce the government's costs considerably.
GCN: PKIs need certificate authorities as go-betweens. Who will be these trusted authorities?
CROWELL: You need an authority to certify your public key, which makes a matching pair with your private key. I believe this is going to evolve in different ways, mostly along business lines.
The Postal Service has postage as its mission. It's not going to give away the authority to somebody else. That's why USPS is operating its own PKI.
A Fortune 100 company with 200,000 employees certainly wants to control not only the activation of certificates that allow employees to do things on its network but also to control deactivation, to deny people the opportunity to continue doing things. It also wants to control what authority they have. The certificate is a way of defining their privileges; maybe they can spend $50,000 without an additional signature. It considerably reduces the opportunity for mischief on networks.
GCN: What's happening with virtual private networks in the government?
CROWELL: VPNs have also had a somewhat slow start. Cylink recently entered the market with an IP Security Protocol-compliant VPN that has 100-Mbps performance and centralized point-and-click management.
The issues up to now concerning adoption of VPNs have been performance and management on real networks, which are very complicated. If management isn't simple, it keeps you from doing what you need to do.
Also, there has been a lot of preoccupation with Y2K, deservedly maybe, but it not only burned up the energy of information technology staffs, it also burned up a lot of their funds. They're now able to turn their attention back to security.
You can really improve the security of connections between WANs and site-to-site VPNs. It saves money because you don't need dedicated circuits for IP connections. It essentially puts an encrypted firewall around the network. Denial-of-service attacks like those we've been seeing recently are hard to do without accessing the network.
- Family: Wife, Judy Ann; daughter, Laura Lynn Cayonette, and son, William Pierce Crowell
- Pets: Tango and Harley, both schnauzers
- Car: Lexus ES300
- Last book read: The Internet Bubble by Anthony B. Perkins and Michael C. Perkins
- Leisure activity: Motorcycle touring; recently traveled 4,000 miles through six Western states and Canada
GCN: What's your position on the contenders for a next-generation encryption standard that the National Institute of Standards and Technology has been evaluating?
CROWELL: Cylink was one of the 15 submitters of an Advanced Encryption Standard algorithm. It was also not one of the finalists.
We're following the evaluation of the remaining five and obviously examining them carefully to see what impact they would have on our business line, performance and security, and other factors.
GCN: You've been a strong supporter of removing barriers to the export of strong encryption products. How great is the danger to the nation?
CROWELL: There are opportunities to produce intelligence information from people's communications, something that has gone on throughout history. But we're not the same world as a few years ago. We're building economies based on networks.
The world economy within a short time will be totally dependent on network transactions. That's a strong statement, but look at what's happening. There are 160 million users of the Internet and 55 million domain names. In 1993, there was no Web. It was born in 1994, and it already has 800 billion pages. This is not marching along, it's galloping along.