When it comes to protecting information, you can't be too careful. "If people think I see wires and mikes everywhere, it's because I do," said Robert Morris Sr., former chief scientist at the National Security Agency. "To protect information, one has to be paranoid."
Mr. Morris talked about his experiences protecting valuable information from World War II to the present during a visit to MIT last week as part of the Laboratory for Computer Science's Distinguished Lecture series. His skills in this realm are shared by his son, Robert T. Morris Jr., who wrote the famous Internet worm program that brought down the Internet for several days in November 1988.
At Bell Labs early in his career, Mr. Morris was part of the team that built the first modem, designed to run at the then-incredible speed of 48 bits per second. In the early 1960s, he worked with researchers at LCS on the development of MULTICS, the world's first time-shared computer system. He was educated at Harvard where he received bachelor's and master's degrees in pure mathematics.
In 1984, Morris joined the NSA full-time as chief scientist of the National Computer Security Center. During the Gulf War, he was detailed to the Joint Chiefs of Staff, where he worked with a special team on nullifying the Iraqi defense system. He retired in 1994 as the equivalent of a three-star general.
After decades in the information and intelligence business, Mr. Morris said the most important security is "not leaving your information lying on the sidewalk." Among the most common ways that information gets into the wrong hands, he said, are carelessness, overconfidence and "the cleaning person in the office." E-mail, in particular, has never been adequately encrypted, and he advised not even considering it for secure transactions.
In the past, Mr. Morris said, military and diplomatic messages were the information that people most wanted to exploit. Now the emphasis is on financial transactions, especially interbank transfers. With the Internet's rapid growth, electronic commerce and ordinary privacy are also areas of increasing concern, he said.
"NSA, being the principal cryptographic organization in the government, has to make sure that it recommends strong enough methods that the banking system in particular won't get filled up with fraudulent transactions," Mr. Morris said in reference to the current cryptography debate. "But neither do we want to recommend methods that make the intelligence business either impossible or excessively expensive. And we want to make sure that neither terrorists nor druggies have crypto strong enough to prevent detection."
Mr. Morris acknowledged that controls on widespread civilian use of strong cryptography could be compared to the National Rifle Association's argument about gun control: that it keeps weapons out of the hands of honest people but does little to deter criminals. "The good guys that need it are prevented from getting more," he said.
However, he added, the issue is less a matter of absolute security than of cost. "Think of reading something that is encrypted as being more or less expensive, depending on the strength of the encryption," he said. "It all comes down to how much it costs to crack a code, and whether someone is willing to spend the money to do it."
Indeed, in cost terms, deciphering encrypted information is still far more expensive than traditional intelligence methods: "burglary, blackmail, bribery and bugging," Mr. Morris said. So what's the most secure way to send a message? "Probably the US mail."
A version of this article appeared in MIT Tech Talk on November 26, 1997.