LENS Conference - Spring 1998 - National Information Infrastructure Protection in the 21st Century

Identifying Emerging Roles for Industry and Government in Protecting
our Nation's Information Infrastructures from Cyber Threats

April 20-21, 1998
The Washington Duke Inn and Golf Club
3001 Cameron Boulevard
Durham, North Carolina

Co-sponsored by
The Center on Law, Ethics and National Security, Duke University School of Law
The Aegis Center for Legal Analysis, Falls Church, Virginia
and
The Center for National Security Law, University of Virginia


Transcripts

Opening Remarks

Monday, April 20th, 8:45 A.M.

Speakers:
Robinson Everett
Gary Sharp
Robert Turner

Mr. Silliman: For those of you I haven't had the opportunity to meet, I'm Scott Silliman, the Executive Director of the Center on Law, Ethics and National Security here at Duke Law School, and I'll have some comments in just a few minutes, but right now I want to introduce the founder of the Center here at Duke, Judge Robinson O. Everett. Robbie? 

Judge Everett: Scott, thank you very much. I feel very pleased to see we're starting up right on time; that's the sort of image we want to convey in being very punctual. We also want to convey an image of hospitality, and in order to do that we've arranged this wonderful place, but even more important we've brought out the sunshine this morning, so you can see some truly beautiful North Carolina weather and feel very much at home with us. 

The Center on Law, Ethics and National Security, for which the acronym is LENS - we provide a "lens" through which to see these issues - came into being in September of 1993. We've been at it for almost five years now. We've been fortunate in having cooperation and leadership and guidance from the Center for National Security Law at the University of Virginia Law School, which was a pioneer in the field, and their executive director happens to be a former student of mine here at Duke Law School, and he's helped quite a bit in co-sponsoring the program. 

We've had a lot of great things go on in the past five years, the greatest thing of course, the indispensable thing, was getting Scott Silliman when he retired from the Air Force to come here to Duke to be our Executive Director for the Center. Over the years, we've had several programs here, some of you, I know many of you, have attended, and some of you have spoken at those prior programs. Our first conference was on strengthening the enforcement of the humanitarian law, which was in 1995; in 1996 we ventured out to consider the United Nations, regional organizations and military operations; last year it was contemporary issues in controlling weapons of mass destruction. We always time these things well, because at the very time we started that conference, they were debating in the Senate what to do about chemical warfare and bacteriological warfare. And I think our timing is perfect this year, considering the problems in protecting the information infrastructure. Certainly this is a hot issue; it's one as to which there are many discussions going on. I talked today, a little while ago, with Bill Geiger, who heads up Aegis Research Corporation, and they have been very generous in providing us with assistance in putting on this program. And he mentioned there are about ten programs, meetings, going on, which are considering issues in this field, subsidiary issues, so we have a hot topic. 

We've been very fortunate over the weekend, we've gotten all pumped up, we had a fine alumni reunion here at Duke Law School; there was announced a major challenge grant for the development of our Center; a lot of very good things have been going on. The one down side, unfortunately, has been the loss of our former president at Duke - Terry Sanford, a great president, and a great senator and governor. Right now I'm going to ask you for a moment of silence to pay respect to Governor and President Sanford. [Silence.] Thank you very much, and I want to thank you for being here, you will make this conference a great success, and I unfortunately will have to be AWOL for the next hour; I've got to go down the street and teach a class in criminal procedure which unfortunately could not be postponed this close to exams. So I told Bob Giovagnoni a moment ago, I'd be AWOL, but I'd be watching on videotape, and I'll be back later with the opportunity to shake hands with you and explain to you how much we appreciate you being here, and telling you again, Bill, how much we appreciate the support from Aegis, and particularly the participation of Gary Sharp, who is the one who suggested this topic, who's been with us on prior occasions; also to express thanks to the Smith Richardson Foundation for their generous support. So, Scott, back to you, and I'll see you all in a little while. 

Mr. Silliman: Thanks, Judge. Now I'd like to introduce another of our co-sponsors, Professor Bob Turner from the University of Virginia's Center for National Security Law. Bob? 

Mr. Turner: Thank you Scott, and welcome ladies and gentlemen. I have some bad news and I have some good news this morning. The bad news is I didn't take time to prepare any remarks for this morning. The good news is I didn't take time to prepare any remarks for this morning [laughter], so I'm just very briefly going to say a couple of things. First, I bring the good wishes, warm good wishes, of John Norton Moore, our director, who had intended to be here, but unfortunately the conference conflicts with his last five classes of the semester, and it just was not possible, all of us believing that teaching is the most important thing we do. The second thing I want to do is to commend Robbie and Scott for the truly superb job they have done over the past five years of this Center. We started the Center for National Security Law in 1981 and were alone for I guess a dozen years or so, and then Robbie and Scott decided they could make it a little bit better, and they looked at what we were doing and they said, well, there's already a law and national security center, or I guess we'd already changed our name to National Security Law by then, and they said I know what we'll do, we'll call ours the center on ethics, law and national security to distinguish us from those guys up in Virginia, and we appreciated that distinction a great deal as you might imagine. 

I do have one plug, one advertisement, and that is, one of the things we take the greatest pride in, that we've been doing down in Charlottesville for these past, I guess it'll be eight years this summer, is our National Security Law Summer Institute. Scott knows about it, you can ask him, he took part in one of the Institutes, in fact just before he came here, and has been tremendously helpful to us, actually came back and helped us run the Institute the year that I was teaching up at Naval War College; as I look around there are other people here as well. This will run from the last day of May of this year, through the first two weeks of June; it's a high-intensive program, we've got Larry Eagleburger coming in to keynote it, we'll be up at CIA for part of the day and the Pentagon getting briefings, we'll meet with the legal advisors to the National Security Council, and we literally are bringing in the top experts from all over the country, to lecture on everything from counter-proliferation to controlling domestic and international terrorism, to trade constraints and so forth. 

This is designed primarily for full-time law professors and professors in related disciplines, but we also take a number of active-duty military attorneys and other government attorneys who have national security responsibilities. If anybody here is interested in attending, either see me or see Donna Ganoe out front; I don't think you will be disappointed. You can ask Scott about it for a more objective take, but with that little caveat, that little commercial, welcome and let the games begin. Scott? 

Mr. Silliman: Lastly, I'd like to invite to the podium Gary Sharp. Gary and I have known each other for a number of years, when we were both on active duty. There's always about a five-month timeline in planning a conference like this. You first have to choose a topic that you hope is going to be in the news at the time the conference actually occurs, and Gary was instrumental and extremely helpful in working to ensure that we had just the right folks here, the right panelists; he was working very closely with Michelle Van Cleave to ensure that the types of issues that we wanted to have were appropriate to this forum. So I'd like now to welcome Gary to come up, and welcome you on behalf of the Aegis Center for Legal Analysis. Come on up here, Gary. 

Mr. Sharp: Good morning, this is really a pleasure to be here this morning, I am Gary Sharp and I'm a representative of Aegis Research Corporation. This is, as Scott has said, the first opportunity that we have had to co-host a legal conference with the Center on Law, Ethics and National Security here at Duke, as well as the Center for National Security Law at Charlottesville. I've been an admirer of those folks and those centers for a number of years, and it's really a pleasure to have the opportunity to work with them once again. I'm very pleased with the turn-out we've had, and the number of honored guests and speakers that we have invited, and who have honored us with their presence, but we meet at a time, I believe, of very profound change. And it has all been driven by technology. It hasn't been driven by the law, it has been driven by technology. 

Telecommunications systems and computers have been around for a long time. The telephone was invented in 1876; the radio in 1906; the television in 1926 and the personal computer in 1975. But it wasn't until the natural evolution of the synergy, the merging of our telecommunications and our computers together, that we have seen the tremendous benefit that we may have in the 21st century, and how it can really change our way of life. But the synergy also represents, perhaps the greatest vulnerability, not only to our industry, but also to our national security. 

Now we all read in recent headlines about the massive attacks against the Department of Defense computer systems, by teenagers, against the Pentagon computer systems; we've read a lot about corporate espionage over the Internet; we've read about the loss of millions of dollars to the commercial transactions, the electronic transactions, in the banking industry; and we read scores of other topics on the vulnerabilities that we are exposed to, through the Internet, this new friend that we have in the national security community. 

Now these headlines make your participation even more important and even more timely today at this conference. We're all here to explore and to learn how we can shape the rule of law to protect our nation's computers, and our computer-dependent systems. And to do so, I think we have truly an all-star cast of speakers and panelists that are from industry and academia, as well as government, that can explain the various equities, and help us in our exploration over the next couple of days. 

Now the ultimate challenge, I believe, for the United States, is to quickly develop a national strategy to decisively defend our nation's computers and computer-dependent systems. Unfortunately, Professor John Norton Moore is not with us today, so it's only appropriate to quote very briefly from him, in his studies on terrorism that he captured in a book that was published this last year. John Norton Moore warns us that "the generally weak response of a democratic nation to low-intensity attack is a major part of the synergy that contributes to the continuation of such attacks." And if we, government, industry, and academia - if we fail to come up with a national strategy in the near future, then we are also part of the problem, because we don't pull together to come up with a solution. 

Now, finally, to conduct what I think is some very serious business, we have the very pleasurable and hospitable surroundings here at Duke University, I don't think that we could have a much better day for a conference, so we have a number of people, armed guards, at the door to ensure there's not too many people playing hooky this afternoon; but on behalf of Bill Geiger, the president of Aegis Research Corporation, I welcome you all to the conference and I look forward to learning a lot from you all. We hope that this conference is going to be an opportunity to raise public awareness of the threat, as well as the legal issues. We hope that it's an opportunity to facilitate discussion among the different disciplines that are important and critical to protecting our infrastructure, and we hope that it will build relationships and friendships between government, academia, and industry, that will help us protect our great nation's critical information infrastructure. Scott? 

Mr. Silliman: Thanks Gary, that's a good challenge for all of us. What we're going to do over the course of the next two days is try to involve you with the panelists and the speakers. To that extent, many of you I know have been to probably more conferences than I have. Bill Eckhardt is out there and I know he's at almost every conference I go to or participate in; but one of the things I've always found is that you must make sure that you have time enough for audience questions, comments, and participation with the panelists. So if you look at the program that we've structured for you, over the next two days, you'll see that we've tried to leave more than enough time, up to a half an hour's worth of time, for you to ask questions, make comments to each of the six panels, and we're going to have a wireless microphone that will be available at the end of each panel. And I would ask you that if you have a comment, we'll just ask you to rise or signify that you want to make a comment or question, and one of the students who are with us at the conference will bring you the microphone. We're providing a video and audio record of this entire conference for many many purposes, so we'll ask you to stand and use the microphone. 

I do want to repeat the fact that this conference would not have been possible without the very strong support of the Smith Richardson Foundation, and that foundation is represented today and tomorrow by Dr. Marin Strmecki, and we're glad that he's here, as well as the Aegis Research Corporation, represented by Bill and LeAnn Geiger. So we're delighted that both organizations are represented and we're very appreciative of the fine support. 

I'm going to invite my panelists to come up now and we'll go ahead right into the first panel. 

Framing the Issues: An Overview

Monday, April 20th, 9:00 A.M.
Moderator: Scott Silliman
Panelists: John Ryan
Jack Danahy
Robert Giovagnoni

Mr. Silliman: I think it goes without saying that we have come a distance since we experimented with the first rudimentary offensive cyber tools in the Persian Gulf War. As Gary mentioned, major advances have been made in our technological capability to degrade and even defeat a potential enemy's computerized information systems, oftentimes without even leaving our own shores. The advent of the worldwide Internet enables a "hacker," armed simply with a high-speed computer and a modem, to break into and adversely impact a nation's critical information systems, all from the safety of his own home or office. While our military leaders continue to develop new ways to exploit the offensive capabilities of what has become known as "information warfare," we have, at the same time, been forced to acknowledge that we are not alone in possessing these tools and these technologies, and that we are, therefore, just as vulnerable to this mode of attack as our potential adversaries. Newspaper accounts over the past two months have verified that even our Pentagon computer systems are not secure from hacker techniques widely available on the Internet, with several hundred such systems being penetrated, and, in a few cases, system administrator level privileges even being acquired by the hackers. 

But our greatest vulnerability surely lies in our critical infrastructure systems: those networks of independent, mostly privately owned, man-made systems and processes that function collaboratively and synergistically to produce and distribute a continual flow of essential goods and services. The President's Commission on Critical Infrastructure Protection, in reporting its findings just six months ago, identified eight of our national infrastructures which it deemed to be vital to our defense and economic security: transportation; oil and gas production and storage; water supply systems; emergency services such as medical, police, fire and rescue; banking and finance; electrical power systems; telecommunications; and continuity of government operations. Our traditional use of military force to safeguard these systems is no longer adequate to meet the growing threat of a computerized attack against one or more of these critical infrastructures, but the question remains as to how we can achieve the most effective and efficient defensive posture when the threat encompasses the entire spectrum of government and privately-held industry. Other questions similarly beg for answers. Since many of our infrastructures serve the needs of both military and civilian constituencies, are they all lawful targets under international law? Do some of our recently enacted laws that protect privacy in e-mail and Internet communications actually deter us from identifying and working to find those who hacked into our systems? These and many other such questions have no easy answer, but they must be addressed and resolved as quickly as possible if we as a nation are to remain secure. 

Our first panel this morning, the first of the conference, is called "Framing the Issues: An Overview," and is designed to lay a very general foundation for you of the threat we face to our critical infrastructures, and of the principal issues involved in information assurance. In that regard, our comments will hopefully serve as the predicate for the successive panels that will follow. 

Our three panelists all come very well-credentialed to give us the best possible overview, and I'll introduce them each just prior to their speaking. The first panelist to address us is John Ryan, the Associate General Counsel for Law Enforcement for America Online. John served for 14 years as Chief of Major Crimes and Investigations in the office of the New York City Prosecutor before becoming Director of Investigations for AT&T Wireless in 1993. He is the former Chairman of the Cellular Telecommunications Industry Association Fraud Task Force and the former Vice President of the High Technology Crime & Industry Association. He has been for some time a member of the American Society for Industry Security, and I know of no one better versed in the intricacies of cyberspace and online services, and the specific types of threat to these services that are posed by cyber attacks, than our first panelist. Please help me in welcoming to the podium John Ryan. 

Mr. Ryan: Thank you, Scott. Good morning. I must admit I think that's a dubious distinction to have been ordained as the expert in this area. It seems that my days are spent on investigating the dark side of the Internet, and at times you forget that it was designed for legitimate purposes, and the vast majority of its users are legitimate individuals. 

When Gary first contacted me and invited me to speak at this conference, the first thing I did was to decide for myself, how does the Internet qualify as a critical infrastructure? If you consider the genesis of the Internet, it certainly was not designed to be a critical infrastructure; on the contrary, it was designed to serve as a secondary, back-up, means of communications, essentially between members of the academic community and the military establishment. Many people forget that it was the defense department that actually was the original sponsor of the Internet. 

Well, we have evolved, and the evolution, to me, was made painfully clear in November of 1996. On the 13th of November, AOL experienced its first system-wide shutdown. We were shut down for approximately 17 hours. Now in the scheme of things, it didn't seem that critical an issue. We thought we'd be up and running in a matter of hours, we asked, what is really the damaging impact here? Well, as you can imagine, we were painfully educated by hearing from our members in the form of lawsuits, attorney general class actions, the regulatory agencies in Washington pounced on us, but most importantly we heard from our members - what impact this shut-down had on their basic communications and way of life and doing business. 

What started out as a communications medium has now evolved into much more. You see the grid here representing the different channels or features that are made available on America Online. This is similar in many regards to many of the other large service providers - Microsoft, AT&T, CompuServe, etc. You see that not only do people communicate via the Internet, they now conduct every type of transaction, interest and hobby that they do off-line, in an on-line environment. To throw out a few factoids: In 1993, there were three million active users of the Internet. By the end of 1997, there were over 100 million members. Presently, the traffic on the Internet is doubling every 100 days. America Online itself has over 12 million members, and now we have an international presence, where our service is available to over 123 countries. So you see it is no longer a secondary communications medium. 

This represents the international landscape that the Internet is involved in now. [Visual aid] This represents the issues that have complicated this medium. Let me run through some of the more salient services and features that the Internet does provide. Presently over 18 million members in the U.S. alone conduct some of their banking transactions on-line. You see every major bank now has a presence on the Internet. In every business plan that is filed now within the financial industry the Internet is now a critical component of their future way of doing business. You can do anything off-line in an on-line environment. Right now, 30% of securities commissions are generated through transactions over the Internet. Insurance companies have decided to make the Internet their primary way of doing business going forward. When you think about the reasons, it's very simple; a) it's a global medium; b) it's rather inexpensive; and c) you cut down on the need to have actual interpersonal interaction between the customers and the business side. 

In the latest commerce report which was issued last week, it was predicted that by the year 2002 the Internet will generate over $300 billion dollars in revenue. That's in less than four years' time, $300 billion dollars. In addition to the financial services that are conducted on-line, many people still use it for personal reasons. Reasons such as a health center, individuals who have a particular illness or malady, can go to a site that is focused on dealing with the issues associated with that condition; there may be professionals who sponsor and interact with the visitors to that site; and the reason why I'm showing you these features, because when you understand what is available, how the Internet is used, who is using it, you understand that a) it is indeed a critical infrastructure, and b) more importantly, it is vulnerable and attractive to be abused. These are some of the other general interests that members typically use the Internet for. Anything as mundane as where to go to eat, who to communicate with, entertainment - what movies to see, the full gamut. 

What has the Internet created? You've seen what it offers. Now it attracts a new cyber-terrorist. What is of interest to a cyber-terrorist? Well, you saw here, that clearly there is a wealth and treasure trove of financial and personal data that is now stored by an interactive service provider, such as America Online. Consider that within our own data banks, we have the personal information of more than 12 million individuals. We can track, if we chose to, where they shop, what bank they use, where they travel to, what their hobbies are, who they communicate with, and have a record of their entire financial portfolio as well as their personal data. When you consider that this medium is a repository of that type of data, it is easy to understand why it is now attractive to a cyber-terrorist. 

What has the industry experienced and what has the industry done in response to this new cyber-threat? Well, since the genesis of the Internet was not geared with the element of fraudulent use, clearly the academics and the military establishment, when they were the primary users, did not envision the evolution of this medium in the period of time that it has evolved. So the protocols that were established were very minimal. To this day, there is no entity whether it be on the government side, or within private industry, that has any enforcement capability or authorization to impose any rules of engagement for using the Internet. Think about that. It's an open frontier, if not properly used. 

What have we seen already as successful threats and attacks? Well, I described to you a benign system shut-down and denial of the service, but we've seen a designed attack that crippled the network for almost a week. Panix Network, based in New York, was shut down for several days last year through a very simple strategy. Scary, when you think about it, how easy it is. The individuals responsible for this attack merely sent off thousands upon thousands of intentionally misaddressed messages, within seconds, every five minutes, and the network basically was unable to recognize the inception of this mail, and when it was sorting it out, trying to determine in an automated fashion whether it should accept and how it should route these messages, it essentially melted down. And they could not fix it for a week. Now think about again the lack of protocols. If someone were to send a misaddressed message on the Internet, if someone were to create a false domain, thereby obliterating the source of origin, when an ISP receives these messages, its protocol is if it's not a valid recipient within its own network, it automatically sends it back to the point of origin. Well, the fraudsters realized that there is in their scheme no legitimate point of origin. What is happening to that mail? It is either crippling the network that is attempting to process it, or if it has a filter, if it does anticipate these types of attacks, it is sending it back to the point of what it perceives to be the correct origin. But in the typical fact pattern, that information is fraudulent. So many ISPs are being shut down by larger ISPs for merely attempting to re-direct mail that cannot be received. A very simple, benign scheme, and yet capable of catastrophic results. Mail bombing is a simple but real phenomenon. How is the industry responding to that simple attack? You've probably all heard of the notion of spam - the unsolicited dissemination of junk commercial e-mail. 
And AOL alone, on a daily basis, out of 28 billion pieces of mail or files that are transmitted through our network, approximately five million of those, on any given day, may be junk mail. Amazing, isn't it. We instituted a lawsuit in federal court, and it took one year for a judge to determine that a proprietary network such as AOL had the right to determine the protocol of how mail is sent and received into its own network. It took one year to determine that very basic fact. Well that sounds great, we had a nice victory in federal court, great precedent, we felt very good about it. Before we got back from the courthouse, the same individual sent out another mass mailing of hundreds of thousands of pieces of mail, and we said, well, we have a decision here, what can we do with it? The answer has been, not much, because these fraudsters understand that the anonymity that the Internet provides allows them to move from provider to provider, disguising themselves, so that by the time a network such as AOL which is the largest and dedicates significant resources to these issues traces the source, they've moved on. So clearly you see the very simple way that a large network can be impacted because of the lack of standard Internet protocols. 

What are the other threats that we've seen? In addition to basic network intrusions and denial of service, we see that because of the data we store, that we have now spawned a new type of criminal. Consider what you can do with personal data. We have seen individuals compromise accounts, take over the identity of the legitimate user, and use that account and that identity to facilitate other types of criminal activity - both on-line and off-line. Credit card fraud, for instance, is the new cottage industry on the Internet. Most providers use a credit card as the authorization and preferred mode of payment to open an account. AOL itself has over ten million credit card numbers in its data banks. So we can design, and we have designed, what we consider to be a very robust security system. But you don't need to be skilled to penetrate and be a successful cyber-terrorist. Many of the users of the Internet are not sophisticated. We have shifted our emphasis from the more sophisticated computer-savvy type individual to mainstream America. AOL in fact is criticized as the point and click communications medium. That's very true, and we stand behind that. But that creates a very vulnerable member who is subject to very basic social engineering types of fraud. Every day, we have members who willingly give out their credit card numbers, their financial data, to those who impersonate a member of AOL, their staff, or someone in an authority position. When you're at home and you get a phone call, unsolicited, and someone asks you for personal or financial data, you say politely no thank you, good bye. Yet that same type of solicitation is very successful on the Internet. 

So we have learned that we must build protective and safety features within our way of doing business. We have decided to have the following responses. First and foremost: basic codes of conduct. Since there are no mandatory Internet protocols, we are mandating that when a member signs up with AOL, they agree to adhere to some very basic rules of the road or modes of behavior. We have adopted and announced a zero-tolerance policy for abusive behavior. Now that sounds very simple and very basic, but I can assure you that for the state of mind of the users of the Internet this was a tremendous leap. We were subjected, and still are, to tremendous criticism for basic rules of behavior that off-line are assumed. In addition, we have instituted registration protocol and validation procedures. The most fundamental flaw of the Internet is the degree of anonymity that it allows a user. Most companies to date do not know who is using their service. Very few companies have any verification protocols. So we have instituted real time registration procedures at least to ensure that we have a reasonable degree of assurance that we know who we are doing business with. 

Now that's not only important to us; it's more important to the law enforcement and national interest. I handle compliance issues for AOL, and on a monthly basis we get over 250 formal requests for data and information. I get feedback from law enforcement; when they conduct their investigation, we give them our member's name who they believe is the subject of their investigation, they knock on their door, a grandmother answers it, doesn't even have a computer in the house. You can see how frustrating that is to law enforcement. So this basic verification process is some assurance that when you and law enforcement and the military and intelligence agencies identify a suspect, you have some degree of assurance that that is a real person; and that person had some responsibility and involvement in the behavior that you are investigating. 

This points to the most critical need for cooperation between private industry and government. Even though the mindframe of the service provider and its members is frankly to keep Big Brother out, there is a critical need to have rules of engagement where the private industry can support the legitimate needs and interests of law enforcement. We have seen that not only are our members the victims of these attacks, but we now see the impact it has on the global picture-national security. You have read-this week, talk about timing, Scott-the successful efforts of the National Security Agency when they conducted a field test to determine the risk and vulnerabilities of not only military and intelligence networks, but equally as important, private networks. Because we now see that private networks serve as a platform for penetration into other networks, including the military and intelligence networks. So we need to have a partnership with these agencies. We have started a process in which we are opening up our technologies, our technicians, to have a dialogue, with agencies such that are represented here today. We understand that our medium is somewhat foreign and unique, that there needs to be basic training and greater awareness of the nuances of our technology. You need to know where subjects are coming from, how they are operating within a certain network, and most importantly, who can you go to at any given time, to get the information you need, and what is needed. 

We are working closely with the Justice Department, in particular the Computer Crimes and Intellectual Property unit, that has the federal lead in the criminal enforcement area of both investigating and prosecuting cyber-attacks. We are learning that there is in fact some federal guidance in this area. There is an electronic communications privacy act that acts as a basic guideline to determine the interaction between law enforcement, government, and private industry. Private industry and the military learned, in a very unfortunate incident, which I'm sure many of you read about recently, what could happen to an individual when those rules of engagement are not adhered to. You've all probably heard of the McVeigh case. A very simple, innocuous transfer of some personal information led to some much larger issues. But there was a learning experience there: it educated both the military and private industry that we need to know the rules of engagement, and we need to act in adherence to them. And as a result of that, we have initiated with the Department of Defense, a series of training seminars. Very basic-what data is maintained in your network, how long is it available? Critical issue-in a typical Internet environment, data has a very short life span. At AOL, for example, mail in files that have been transmitted, once received last only two days before they are routinely purged from our system. They are no longer available unless they were stored or preserved by the subject or members themselves. So consider a typical case, a kidnapping case, where the abductor has sent a message indicating the method in which they should make arrangements to make a payment, if they do not make a formal request to preserve or turn over that information, that information will be lost. Very simple. So the need for training is critical. 

What jurisdictional issues have evolved? You see here by AOL's network scheme, that our entire infrastructure is resident within Vienna, Virginia. Now I mentioned earlier that we have a global presence-we have markets in over 123 countries. Again, everything passes through Vienna, Virginia. I get requests from German intelligence agencies when a German citizen using or accessing our network is sending communications that are of interest to their concerns. And when they seek to get those communications, they are astounded that they are told to go through the Justice Department and international protocol to acquire that information that was sent and received by German citizens. So you can imagine the dialogue that we have with international law enforcement entities. And yet this is not unique to AOL. The largest service providers almost exclusively have their networks based within the United States. Now it certainly makes it somewhat more convenient to U.S. agencies, but it certainly complicates the scheme for the international entities. But more importantly, going forward, clearly that network strategy will change, as the international markets develop and become more robust, these networks will spread out. They will no longer be based solely in the United States. So consider this: consider the U.S. interest, when those same communications are being transmitted totally with international borders and yet now the service that holds that information is totally outside the United States. How do they get that data? Can they go to a U.S. company, or need they go to international agencies, and what response will they get? So you see how complex these issues are; there's no simple answer, but the basic response is cooperation and understanding. Thank you. 

Mr. Silliman: Thanks John, I think you've underscored not only the extensive array of services available on the Internet now, which had previously not existed, but also this blurring between industry and government which causes us to force ourselves to look to a partnership between industry and government for an ultimate resolution of this problem of information assurance. 

Just before I introduce Jack, let me invite those who have come in who are sitting in the back there, who probably can't see, to come up front where we have some seats available. 

Our second panelist this morning is Jack Danahy, who is the Director of Engineering for GTE Internetworking's Managed Security Services. Jack currently supports security at more than 300 customer sites by providing security management, monitoring and response. He is a charter member of the National Computer Security Association consortia for Encryption Technology and for ISP Security, and is a member of the High Technology Criminal Investigators Association. He is a contributor to the House Subcommittee on Information Security, the Cross-Industry Working Team, and the President's Commission on Critical Infrastructure Protection. Prior to his arrival at GTE Internetworking, Jack was awarded patents for his work in service-centric monitoring of distributed systems during his eight years with Hewlett-Packard. He comes to our panel this morning with extensive knowledge of the types of cyber attacks…documented cyber attacks…which confront both our government and industry. I welcome to the podium Jack Danahy. Jack? 

Mr. Danahy: Thanks. I come with a bit more pragmatic viewpoint of what's been going on. This is the first forum I think that I've addressed, where I think there's actually an opportunity for real progress. I'll tell you why-typically, I'm speaking to many more ponytails in the audience, than we have right here. And the debate typically takes on the form of the latest technical solution to some fairly esoteric technical problem. But the problems we're talking about solving here are not technical problems-frankly, as we were just discussing a little bit earlier this morning-I could have solved most of the technology issues we face about ten years ago. The problem now is one of business and practicality-of helping people make the right business decisions to solve these problems. It's not so much how you might protect information-how do I protect networks, but how do I get businesses and organizations to figure out how to protect themselves. And I think that this is the type of forum and the type of exposure, that drives those types of issues-how to get business to recognize that this is in their own self-interest-and to get the government to recognize that it's in its own self-interest-to protect these vital infrastructures. 

Recently, I met with Gary Sharp at the U.S. Army War College, doing some information assurance exercises, and some of you were there as well. And we got to talking about specific instances-you know war college exercises, those types of forums tend to be very much theoretical; we begin to apply some of the knowledge, but largely they're based in hypothetical scenarios. Hence, we got to talking one evening over some very real war scenarios that had in fact happened, that happened fairly recently, and so we thought it might be helpful to present some of those, to put a real face on what has been a pretty abstract set of issues. 

So let's talk about four security compromises. I've handed off the paperwork already, to be printed up-you'll notice that one of them is going to be different-since one of them was Panix, which John was good enough to go through for you. The beauty of our industry is-there are so many of them I just picked another one. [Laughter] One thing we're not going to do is we're not going to get wound around the axle talking about encryption. It happened last night over the course of dinner to a certain extent because when people are thinking about Internet security, they're typically thinking about issues that I consider to be popular-whether it would be child pornography, Senate Resolution 454, which largely deals with Internet gambling, or encryption-these are all content-based issues. And if I look at the real threat to our infrastructure, it's not so much that someone will be accessing that data, nor is it that someone will be using it for a less-legitimate purpose-I see the biggest problem is that it might go away. When we talk about the fundamental infrastructure that supported us that existed much prior to the Internet, be it electrical power or telephone service, it's the lack of those things that one notices first. And it's the most crippling effect on our infrastructure. So I'm going to focus more on those issues that directly affect our capacity between and toward the nation and the nation's business. 

One last note-I originally gathered all the fodder for this presentation by the end of March, business being what it is, to try to get it out of the way, and interestingly enough in the two weeks since then we've had the attacks on the Pentagon, the attacks including the NSA's Eligible Receiver exercise being so successful and the crashing of an ISP in the Midwest. Unfortunately it's tough to be up to date in an industry that's changing this fast. 

So the first example that I want to use was reported in March 1998, about three weeks ago. It centers around a Bell Atlantic local loop. Now for those of you who are not in telco, a local loop is really a computer. It takes a bunch of different types of lines, voice lines, data lines, typically coming in on copper, brings them all together, spits them out in a fiber link which can handle a ton of data much more efficiently. And the local loop was in central Massachusetts, and the attack actually occurred on March 10, 1997. I don't know why it wasn't until March of 1998 until we found out about it. It's an example, a good example, of a common weakness we build into our systems. Bell Atlantic needed the remote technicians to have access to that local loop computer. There would be something down in the field, some section of wire wouldn't be operating the way they thought it was, and so they established remote access for the technicians. And in so doing, thinking about the legitimate use of the technology, they didn't take into consideration some less legitimate uses of the technology. An aggressive young teenager found these modems. The general vicinity of the attack was Worcester, Massachusetts – actually a town called Rutland. Once this teenaged attacker managed to find a way in through this opened up back door to the local loop machine, he shut down the local loop. So that's bad enough-you've got 600 residents of the small town of Rutland who didn't have telephone access, including 911. 

It's actually much worse, because this same telephone exchange provides the communications mechanism for the nearby Worcester, Massachusetts Airport, a good-sized airport. Because they didn't have the telephone lines, which were actually used to route the radio traffic from the aircraft around the airport to the central tower, they had to move to a fairly shaky back-up system, consisting of cell phones and battery-operated radios. And it wasn't just the tower-the people who do the printing of the progress of incoming and passing traffic and report this to the tower couldn't print that out. The airport fire services were disabled, as were airport security services, not to mention four or five local air freight vendors who couldn't take incoming or outgoing traffic. 

Now it took Bell Atlantic technicians a little better than two hours to figure out there had been a security breach, and they couldn't fix it for another four and a half. So the outage lasted for over six hours. It was not made public until March 19th, 1998, because Bell Atlantic requested a year to fix the security hole that had allowed this person to make this kind of access. 

Let's talk a little bit about the investigation. Now here we have a teenager, breaking into a modem, who disabled the loop carrier in one small section of the state of Massachusetts. The investigation comprised cooperation from (I'm going to read this) the U.S. Attorney General's office, the Secret Service, the FBI, Bell Atlantic, the U.S. Postal Inspection Service, the Office of the Inspector General of the Social Security Administration, the Office of the Massachusetts Attorney General, the Office of the Worcester District Attorney, the Massachusetts State Police, and police departments in Oxford, Leicester – another small neighboring town – and Rutland. So at the end of the investigation, they found the teenager who had broken in. And this teenager accepted a plea agreement, not surprisingly, although he was the first juvenile to face a federal criminal computer crime investigation, he accepted a plea agreement, paying restitution of some trivial amount to Bell Atlantic, got put on probation, he forfeited his computer equipment, and is now performing community service. So if you stop and think about the scope of the investigation, the result isn't that hot. If you stop to think about the simplicity with which a teenager using fairly well-known and easy to use automated hacking tools to break in, that's pretty problematic, particularly when we're talking in a forum here about organized, sponsored possible attacks against similar infrastructures. 

I mean, it's clearly not good-we've got a teenager who knocked out regional telephone service. We have a well-established telephone company with an exposed back door. We have an airport dependent upon this somewhat evidently flimsy infrastructure. Oh, by the way, when the hacker's wandering around and then gets caught and starts mumbling his confession he also confessed to breaking into the local pharmacy and copying down all the private patient records. We have a two-hour detection window, a six-hour outage window, a cross-agency working group to find a problem for a year before they implement a solution, and this is just one incident. 

Another well-known infrastructure attack is Panix. John stole that one, so I'm not going to go through it again. But we'll talk about another one, the Silicon Investor. Silicon Investor is much like those interest groups John did a good job of portraying here that everybody flooded the Internet to talk about …. Silicon Investor is the largest financial information trading group to go to. You go to the website, you can chat with people about everything from why the Dow is up to why high tech is down. They average about 8500 hits a week. It's very, very busy. And coincidentally, they're the largest user of Microsoft's NT server technology for providing the web pages. So here's a very large organization, with a very large constituency who are coming to them very regularly to share data, and understand new investment strategies, advertisers post constantly there, pay large amounts of money to be seen in this very public forum, offering their Internet-based services. So, in about two weeks prior to this event, some not-hostile people had discovered a vulnerability in the NT server, and old holes had reopened in terms of the way that it processed requests and processed the usage of memory. 

And so we had a two week window where they (we'd like to think of them as the bad guys) had the means to do something bad, and this highlights a very large problem in our industry as a whole. Reputable firms providing information on security vulnerabilities don't like to do so until such a time as there's a fix. And logically, on its face, it makes sense. If I am a reputable organization, such as a certain establishment just discussed, and I hear there's a vulnerability, I'm not about to go shouting that there's a vulnerability for which there's no fix. And so the standard mode of practice says that I'm going to contact a vendor, and help them understand the nature of the problem. They're going to wind into the development of the product, and when they have a fix for it, then I can help the fact that the vulnerability exists. Let's face it, I wish it were better, …sure myself but that's six or eight weeks. We're talking our very best case, that's six or eight weeks. 

So now what we have is a positive group that has the means and the wherewithal to develop the …, and we have good-meaning people trying to develop a fix, and it's taking longer, because there's a window in there. During that window, it's …. Very simple denial of service attack, a little bit similar to the one John described, except in this case, they simply send traffic that the machines can't parse at all. It's not just falsified, so you're spending a lot of time responding to erroneous traffic, it's actually bad traffic, you're trying to digest but you're choking. And so the servers went down, they were down only for about six or eight hours, but that six or eight hours is very important to the Silicon Investor because their community depends upon the income …. 

One other note I wanted to make about the Panix attack, the type of flooding that was used against them is very popular. Particularly interesting, with regard to the way Panix handled the attack, was that they're located in New York, very close to New Jersey, and so they called on Bill Cheswick, who did some seminal work on firewalls and technology, and asked Bill to come on by to see what he could do. And in fact the attacks eventually continued in a sporadic fashion up till today. They've managed to take control of them; they can understand when they're under way, and they can block them when they happen, but the sad part, and perhaps the scariest part for this organization, is that there really is no way to preclude them from happening at all. You simply have to react to them when they happen, and be spending enough diligence on watching your systems, to be aware of when the attack is underway and respond. 

The types of denial of service that we've seen, whether it be at Silicon Investor or Panix, actually highlights a larger hole. If I look at the current trends in Gartner or any other respectable analyst reports, more and more of our traditional telephone traffic is going to be riding data networks. I know that AOL offers a long-distance offering, I know that several Internet providers are offering long-distance telephone service, taking advantage of the backbone in which invested to provide what looks like telephone networking traffic. 

So these same denials of service which currently are knocking out websites which are arguably not vital to our national infrastructure could, in the not too distant future, be disabling those very mechanisms which we currently rely upon for our communications. 

One more denial of service scenario that I need to quickly talk about, specifically in light of John's number that 30 percent of all exchanges are now happening on the Internet, was an incident, Bloody Monday, you all remember, a couple of years ago, when the stock market basically tanked, where investment was high, and people started selling out of stocks right and left and the market took a precipitous downturn. We had a meeting with some of the other security units, and talked about the fact that for a good portion of that time, our compatriots in these Internet-based exchange brokerages were really worried because so many transactions were happening, you know, to look at them, people who've accessed the real time data, who understood that the market was going down pretty fast and wanted to get out, a lot of them are already on-line, and they were hitting the sell, sell, sell button, as fast as they could, and so a lot of these service providers who hadn't necessarily expected to be getting a million transactions a day, their resource was really pushed to the limits, so they were saying how tight they felt. But we said that would have been an excellent time to execute a denial of service … and that being that when the market is dumping a hundred, hundred and a half points every half hour or so, the fact that I can delay your transaction for half-an-hour, an hour, half a day, will mean that that provider, that provider of that Internet based transaction, will likely not be viewed as particularly viable by the time the sun rises the next day. 

So, there are some real business issues to be considered that are related to our day-to-day commerce, our day-to-day transactions, it is no longer just an arena that people like me worry about, it's an arena that people like you worry about. Let's just take that one step further. I wanted to dive out of Fred's Nuts and Berries at ten, because I knew it was going to go down, and the berry market being what it is, it eventually tanked at two, due to the market holdout. I had 10,000 shares and tried to sell them at ten, and I tried to sell them at nine, and I finally sold them around six. So I've lost a considerable pile of dough. Who owns the liability for my loss? I trusted my buyer to execute things, and I'm sure it says somewhere in my contract "in a respectable period of time." So who's going to pay me back my loss? Is it going to be a vendor of the service? Is it going to be whatever computer the attack was executed from? Where do we decide where the downstream liability ends? And how do we decide how to recompense all the individuals who lose the dough? 

And I've had for some number of months, around 12 or 18, this idea that downstream liability is part of this issue, specifically around this particular type of attack. Because of the fact that, if I leave my car with the keys in it sitting on the side of the road and somebody takes it and proceeds to run over all the cats in the neighborhood or something, I'm going to hold some responsibility for that action, because I did not take adequate care of this resource which could foreseeably be used as a weapon, and I think that specifically, in terms of the attacks as John accurately described to you, you really can't find out what the real source was, … but only until you accept and hold some responsibility for not securing this in such a way as there couldn't be attacks by others. 

So that's one type of attack, denial of service. It's fun, it's exciting and more importantly, it's automated. Most of these denial of service attacks, if you go on to the website, and I encourage you all to do this when you get back to your offices, type words like "root kit" or "syn attack" into your browser and see how many hits you get. Most of these tools are automated with graphical user interfaces that many software companies would love to see. You simply type in the name of the machine you want to attack, name of the users you want to mailbomb, and it goes and it does it for you. So generally this talks to sort of a lowering of the bar that lots of people have to get over to make these things happen. Really anybody can, if you can type "root kit" you can break into systems. So all right. That's one kind of attack. 

More glossy is the website attack. I'm going to talk a little bit about Kriegsman Furs. Kriegsman Furs is a very popular, very well documented attack. It was recognized that the exact same hole was exercised to break into the Air Force website, the Department of Justice website, the British Labour Party website, more websites I don't care to mention in this short forum. Basically what happened was that the website was co-opted by people who a) knew how to break into the system; and b) didn't like fur. And so Kriegsman Furs had a very lush website. People who are buying furs don't want to go to Fred's Nuts and Berries' website. It's kind of boring. They want rich production values, they want lush images, they want an experience sort of like walking into a fur gallery or whatever you call them. And so they broke into the system using a vulnerability that had been known for months, many months, and they took it over. What they did was, they didn't do the ordinary hacker kinds of things to do on websites, which is to post as many obscenities and nude images as they could possibly find. What they did was to change it into an anti-fur advertising site. So for three days, from Friday till Monday, that site showed pictures of, unfortunately, poor slaughtered animals, and happy animals prior to slaughter, and had pointers to all the relative animal-protection websites, solicitations for donations, "do-you-really-want-to-buy-a-fur?"-"are-you-that-cruel" kind of stuff. And I really can't imagine this did much to create new sales through the web, that people came there saying wouldn't it be nice to buy a mink coat. Yikes, so that's what a skinned mink looks like. No, not very good; and importantly, Kriegsman Fur had actually paid for this. 
They were not just paying for the silent website they put up, they were paying for the connections, so as these however many hits came back and forth, they were actually paying for that traffic, that forcefully advocated to people not to buy furs. That's what it is. But frankly, the way I look at it, the activists weren't as smart as they could have been. A smarter hacker would have said, "well, here's this e-mail link for a catalog. Wow, look at these lush production values-I really want one of those catalogs." It's much simpler even than hacking up the face of a website to change who that catalog request goes to. You send it to ILikeAnimals.com instead of KriegsmanFurs.com. And now you have this comprehensive list of people who make excellent targets for solicitations, e-mails on the cruelty to animals. It's like the …wish list, you know the whole thing comes to you in bulk. And frankly, given the amount of attention this company paid their website, they probably never would have noticed, especially if you had to know there were two locations, so you had to …. 

And secondly, think about it in a different context. What if it had been a competitor? A competitor who had crashed the website, now Fred's Furs, Berries and Nuts? Now I take all those customer contacts – thank you very much, Kriegsman, for providing me with these contacts. They get nothing, and I get a list of new customers. And because I get access to their computer systems I can actually look at their pricing and make sure I'm a couple of bucks lower on a stole this month. So you can see it's clearly a problem. 

There was a similar exploit to this undertaken at a major ISP in California, where somebody broke into the server, took control of it, and sat there collecting credit card numbers. They collected a hundred thousand credit card numbers. But unfortunately someone else was watching, gathering the information. This happens constantly, if we look at the generic cause of this, of the Pentagon attacks. Success of those attacks, those things were largely caused because of the fact that someone co-opted a machine, sat around and waited to get more passwords, used those passwords to move forward, and frankly this exact same attack has been going on probably since the mid-80s, when I started watching. So this is nothing new. There is nothing new in the world. 

So far we've talked about the corporate side of networks, right? We've talked about people providing services, who are getting co-opted by nasty people on the outside. And that's only half the problem. That's the problem we're trying to solve today. Bob and I had a conversation last night about how this is such a quickly-moving target. You know, the nature of my information being current and timely, but the market's moving so quickly right now we're going to have a discussion today and I believe that most of the discussion and most of the panelists are going to talk about ways we solve problems around encryption or identification of sites they've cracked, or protecting your private information in your company, etc. This is like today, and frankly, maybe yesterday's question. Today's question/tomorrow's question is, "what about all these private users?" John has eight million customers on AOL, who are running around, using their AOL-equipped browser, and going to all these websites, websites that they really don't know what's on them. My father just got his first computer, he's in his seventies, and he has a great time sort of wandering around to various sites talking about various topics; but on his browser, nothing is turned on in terms of accepting active content. Java, for example, is active content; ActiveX on Microsoft is active content. They're great technologies, they make the Web so much more dynamic, so much to be able to tell who you are. Unfortunately, they also give people who are using them additional insight into what you do day to day. Let me give you a quick example. In the end of 1996 and beginning of 1997, there was a German group of hackers, a hackers' community, called the Chaos Computer Club. They get in the newspapers all the time. They designed an interesting ActiveX applet. Now an applet is a little teeny program, you stick it in a web page, and when somebody pops up your web page, they automatically download it. And it runs. It does stuff. 
You go to a banking site, it does mortgage calculation. If you go to a stock site, it'll tell you how the progress of the stock has gone, track it through time, that kind of thing. So those are applets. So, this applet, if you go to the site, it'll download, and you can actually look at it, I believe it looks like the period at the end of a sentence. So you didn't know it was arriving… it arrives, once you get it on your system it'll look around. It says, is this person, first off, running an operating system? … Is it running Quicken? Is this person a financial application user? Then, if you say "yes," it would say, "excellent." Question number 3, "does this person process their banking transactions over the wire, do they like to use the Internet to do their checking?" And if you say "yes" to that, they say "thank you very much," they know where the transaction log is and they've hidden a couple of extra pieces of code on the Internet. They say "all right, make sure you direct an extra twenty or thirty marks to this account, and another twenty or thirty marks to this account." This is something they haven't done in the field to collect extra money for the clubhouse, this was something they did to demonstrate that this idea of active content was a lot more dangerous than it appeared on its face. 

So that problem, the fixing of that end-user problem, now that's hard. I mean frankly, we can fix the companies, and I hope you guys can make that happen, because if people start worrying about the fact that regardless of their profit that the liability associated with leaving their computer systems open will bankrupt them, that I think we can solve. That is pretty much convincing people that there is a need to indemnify themselves articulating insurance regulations, etc., perhaps more so insurance regulation than government regulation. It's basically to help people understand that there is a physical cost to doing this poorly. The greater problem I see is on that individual hindsight, whether it be any of us in our offices across the Web, or people at home who are wholly unsuspecting of any of these problems. It's raising their awareness that I think is a particular challenge, establishing best practices that we recommend to the general public. I think that's a particularly tragic problem. 

So, that's a thumbnail sketch of a bunch of fairly recent stuff that we've looked at. What we hope to come out of this with is sort of a discussion of how could these people have done things differently. You know, what are the best practices they could have put in place so that these things don't happen. You know, frankly you look at the Bell Atlantic scenario, and what they really should have done is make sure that only people who were really supposed to get on that modem, actually get on that modem. But who tells them that, you know? Who establishes that? The second instance, if we use Panix, for example, or we use Silicon Investor, how can help stop that denial of service? Well, that becomes a major responsibility to carriers. Again, it's the best practice method, trying to figure out how we help ISP's the best ways to beat this traffic, not only from getting on to the network, but frankly, from leaving the network, you know. I know Norm Laudermilch at UUNET has done a lot of good work in trying to figure out how to keep bad people from pushing bad traffic across his network or his customers. That's important. Websites, honestly, these sites were broken, including the government's sites, by a hole that was three or four months old. It was well known for three or four months. I mean the community knew it probably six months before. So this is just a question of the best practice run. How do I identify "due diligence" in keeping my system secure? The last issue, of personal privacy, frankly I think is the most problematic. Because that is all about public awareness, and all about raising the base level of what people know, about Internet security. 

So, I've got a lot more anecdotes if you want to catch me during the break, but I've tried to put a real world face on it for you, so you can see that this isn't just what used to be … community, and I was one of them, riding around like "if you don't protect your networks, I can push the big red button"-it's not like that anymore. Now it's just a lot of regular kinds of information, stored on these big computers, regular information about your health, your family's well-being, your spending habits, your private correspondence. And all that's accessible unless people do the right thing. So, a real world face on abstract issues. Thanks.

Mr. Silliman: Thanks again, Jack. Our last panelist this morning before we open it up to questions and comments from you is Bob Giovagnoni, who is the General Counsel for the President's Commission on Critical Infrastructure Protection, and a gentleman who I've known for a number of years. Bob is a career Air Force officer and attorney with 26 years of service who, prior to holding his current position with the Commission and its Transition Office, served in a variety of challenging leadership positions within the Air Force Judge Advocate General's Department. He is not only a recognized expert on the law relating to cyberspace, but is an accomplished trial attorney as well, with extensive experience as a prosecutor, a defense counsel, and a military judge. I'm delighted that Bob could take time from his busy schedule up in Washington to come down and join us; and so Bob, I welcome you to the podium now. 

Mr. Giovagnoni: Thank you, Scott. I'm looking at my watch, I've got about six minutes, if we're going to have a half-hour question time…

John Ryan already got up here and spoke to you about cooperation and understanding as the key to solving the problem; and Jack, I think, is essentially saying, use what you have. And I guess it's up to me to maybe find a way, or maybe suggest to you considerations with regard to how to get access to what we have so you can use it. 

First of all, before I jump into that, by way of perspective, when we talk about the national information infrastructure, I've experienced that we have a tendency as individuals or a group to think of it only in terms of the Internet, and the computer on our desktop. We think of it as a way of communication, e-mail as an alternative to the telephone, and in many ways it is. However, I believe the greatest lesson I've learned in being on the Commission and working with law enforcement in catching hackers is that it's much bigger than that. We're talking also about data systems that run our energy distribution systems, we're talking about automated production facilities and we're even talking about microwave towers and microwave communications. 

By way of example, last year I had the opportunity of talking to an individual who is responsible for running, I believe it was three, fully-automated oil refineries. And he told me he ran them over the Internet. I told him he was crazy. I couldn't begin to conceptualize how you could run a business, real-time, considering just the standard slow-downs on the Internet when people are out there using it. He said, "that's not really a problem." He said, "we considered that, in putting together the system, the plants were scheduled to receive an update every 30 minutes," because as I understand it (and I have very little understanding of the work in an oil refinery), the market is so volatile they change production about every hour or half-hour, to produce what's demanded at that point in time. And they had just set up the plants, to continue to run for a period of time beyond the 30 minutes on the last input. So if they were to lose connectivity, they had a backup system. (I'm glad he thought of it, because it would never occur to me and I thought I'd been around a lot.) 

Another instance is the World Trade Center. When the bomb blew up in the World Trade Center, it did not take out the communications lines since the telephone communications lines are underneath the streets in the area. It was the people who took out the communications lines. The folks who were concerned about what was going on, as a result of the bomb, the people with families in that tower. There are 50,000 people who are supposed to be working in that tower and when the bomb struck it effectively took down the telephone lines. It forced some intermediary banks that conduct financial transactions between other banks, to use microwave towers to communicate in order to close the financial business for that day so that we didn't have a crisis in the financial market.

To me, as a result of my experience on the Commission, the interdependencies of our national infrastructure as they exist today make the national infrastructure, all of it, all part of the NII. I see them as synonymous. As our Commission pointed out from the very beginning of its report, our critical infrastructures, and we've talked about energy, banking and finance, transportation, vital human services, and telecommunications, must be viewed in a new context in the information age. (I think that's real important.) I think this perspective is absolutely essential in addressing the problem and trying to solve it. 

All that having been said, it's not my intention to talk to you now about what the Commission report did, although I see the Chairman in the back with much anxiety, he thought I was going to steal his thunder. I suspect, at lunch, he's going to talk to you about what our Commission had to say. And tomorrow you're going to have the benefit of the Special Assistant to the President for the NSC, Mr. Dick Clarke, talk to you about what happened to the report after it was turned in and where he thinks it's going to be going. What my role is, having been elected by the panel to be clean-up, is to make sure we cover the waterfront and make sure I do it in the right amount of time. I believe both Jack and John have done a great job of laying out where we are, and the substance of the problem. 

What I'm going to try to share with you, in the next few minutes, from our perspective, is a very small but critical filler in this whole puzzle. I believe it's essential to the understanding of what we will be talking about these next few days. To my way of thinking, the key to information sharing, which in turn is the key to partnership, and ultimately industry cooperation so that we can insure our national infrastructures, is a clear and mutual understanding of just what information we're talking about. Why do I say that? It's this absence of a clear understanding of just what we're talking about, I believe, which has proven to be the most insurmountable problem to going forward with the solutions that the Commission has identified over the past year. 

The long answer goes something like this: Were we to have a conversation with an FBI agent assigned to the National Infrastructure Protection Center, and discuss reporting vulnerability information to someone other than law enforcement, I believe the reaction would be that you have a duty to report the crime to law enforcement. From a law enforcement perspective, dual reporting creates many problems. They (law enforcement) may not get access to the evidence to make the case, and they cannot fulfill their information warning responsibilities. And in large part, I believe they're correct in that position. My question to you though is: "when I mentioned that you had this conversation about vulnerability information, was I talking about an intrusion; evidence of a crime; or was I talking about best practices – some type of a firewall you might be able to put up around a Windows NT system, in order to make it more protected – not necessarily having anything to do with a crime and maybe not necessarily having to be reported to the FBI?"

My point is – Where you sit is what you see! We all have a tendency to assume, from our perspective, what we mean by vulnerability of information. It's based upon mindset, and as a result we don't necessarily communicate. Until that understanding is reached and understood, I don't think we're going to make a lot of progress. 

Now to me, the first step in coming up with a common understanding of what is to be shared is to look at the roles of both the government and the private sector as defined by the Commission in our report. The private sector role as it's defined by the Commission has two parts. One is to report attacks, and two is to use the tools available to them to assure their own infrastructure. The government, on the other hand, is to collect information about perpetrators and tools, conduct research on new tools (R & D), and share information with the private sector, so the private sector can take the steps necessary to protect itself. Putting it another way, the private sector needs to raise the level of assurance and report crimes, and the government is supposed to do everything else. 

That being said, what then is the vulnerability information that needs to be shared? Is it a keystroke log of an intrusion? Is that what we're talking about? Is it the way we configure a server? How about a study that points up the vulnerability of a municipal water system? What about the blueprints of the building where you conduct your business? Or a yet-unknown bug in a commercially available operating system that you might have? Or a way of implementing part of the system so as to make it more secure? What is supposed to be shared? My answer is – all of the above. 

More importantly, what are the obstacles to the sharing, and can they be overcome? To answer this, I think you need to accept a basic proposition, one which I do, that you need to crawl before you can walk, as well as the fact that each application, where that information is going to be used, is really dependent upon the uniqueness of the situation-it's situational. The debate as to what should be shared as it currently exists, as I perceive it, centers in part around the unwillingness of industry to share proprietary information with the government – based upon the perception that the government can't protect it. Or if it can protect it, it's going to do so by classifying it. Now most of us in the government who deal with industry and have access to proprietary information know that industry doesn't handle classifying proprietary information very well. Nor do any of the special interest groups who feel that there are too many secrets in the government and feel that we need to be more open and make that information more accessible. Additionally, sharing information, from industry's perspective, with law enforcement could lead to maybe opening a criminal investigation, based upon what they made available. From a law enforcement perspective, sharing information with industry may compromise information. There are many more permutations to this, and I could go on and on, but the point I'm trying to make is that each side to this debate, (sharing so that we can get access to those best practices and do something with them) is looking for a trusted information-sharing mechanism, and a guaranteed protection of the information provided. I believe that if you could create this mechanism, in many cases it's going to require enabling congressional legislation, maybe some modification of FOIA, and arguably we may have to come up with a classification system.
For obvious reasons, at this point in our development, I don't know that any of that will be forthcoming, which really forces us to dissect what we're looking for – a little bit deeper. 

To address the most obvious obstacles to information sharing, let's go back over those examples I gave you a few moments ago. First, the keystroke log of an intrusion – for many reasons this needs to be shared with law enforcement. As evidence of a crime, and the details of what happened to a particular business, it probably needs to be closely held. But some of that information also needs to be shared with industry so that they can protect themselves against similar attacks. How this can be done presents its own series of problems – for example how do you give notice to industry from a law enforcement perspective (maybe a signature written on the attack, so that it uniquely marks the individual) without giving the hackers a heads-up that they're leaving a signature, so they can be identified? How do you share that information in a way to allow protection, and at the same time not give notice. If you don't share that information that a bad actor may do some bad things to a number of businesses, and you have no way of stopping that? How do we create that information sharing? I think it's probably the most difficult problem we have. 

I guess the question I have asked myself is: "Is my concern real?" For the answer we might look at the comments of Glenn Davidson, the Executive Vice-President of the Computer and Communications Industry Association, when he testified to the Subcommittee on Technology of the Committee on Science for the House of Representatives. His comment from a private industry perspective is, "If the government purposely or inadvertently released information about network vulnerabilities and security breaches, clients and customers could sue providers and operators for damages, claiming that these firms knew that the vulnerabilities existed and insufficient steps were taken to prevent them. We, in industry, would need protection from such frivolous lawsuits." 

If you share that information, would you consider some form of limited short-term protection where industry would provide restrictive controls over that information and confidential access while the investigation was going on? That's a solution, it's one that they came up with at Lawrence Livermore, where they conducted a workshop after the Commission's report was filed to see if they could fine tune it. Where that could go as a solution I'm not sure. But trying to solve this one particular problem-how do you share that intrusion information-is in probably the most difficult obstacle category. I don't really know that you could start crawling there. 

I know it was a concern to Ms. Reno, when she spoke at Livermore, and her comment was, in asking the national infrastructure protection center to try to deal with the problem, that "the Department of Justice and the FBI want to be strong, good partners. We have a responsibility to work through the concerns that people may have so that they trust us. Private business may be concerned about confidentiality. Business does not want to have proprietary information made public. The FBI, on the other hand, has a duty to provide an early warning to the community to prevent further attacks. We must work together to see how we can walk that narrow line and ensure that we do our duty in terms of preventing further attacks while at the same time maintaining the confidentiality of the person or institution or business involved." That too, may not be the way to crawl. 

Well, how about the second example I gave you? Let's deal in a hypothetical case of a municipal water system that takes a look at itself, and they produce a report concerning contaminants and toxins. And in the course of that report, let's say, hypothetically speaking, they, using publicly available information, calculate a chemical in a quantity placed in their water distribution systems at a certain point which could easily kill 3000 people. And let's just say, hypothetically speaking, that city is aware of 50 other cities with similar water systems and similar problems. How do you share that kind of information? Is it national security information? I don't know. Does it deal with the national defense, if arguably you say you're only killing 3000 people and it doesn't defeat the nation's ability to protect itself, possibly not. Where is the solution on how that information, which is arguably publicly available information, which is not proprietary information, is protected? Do you do what the Commission did, which is go to the Security Policy Board and say: "How about putting together a work group?" – get the folks from the special interest groups, get Congress involved, get the governments involved, state and local and federal, get industry involved, and let's take a look at this type of information. Is there a way that we can share it and protect it without classifying it? I don't know if today is enough time to come up with that answer. That also may be one of the more difficult areas to solve.

And then, finally, what about the example I gave you about the unknown bug in your system that needs to be shared, or that you have a better way to secure this system? Can this be shared with some ease? Probably so. Among industry and government, I don't see why not. What we're talking about here is best practices. My fellow speakers were also talking about best practices. "Best practices," to me, is an opportunity for industry to share information among itself. All they really need to do is set up some kind of website with maybe certificate access to it, give it some protection, and even law enforcement can partake in it. What we're looking for is, if you can't protect the Windows NT system because it gets fingered and once you know it's Windows NT system – you can take it down – maybe by putting up two different types of firewalls so that when the standard hacker ping comes through they don't recognize it as a Windows NT system and pass it by – that's a solution – the kind of solution that can be passed back and forth. 

My bottom line is that this may be the best place for us to start to crawl. If we are going to start sharing information, we can't talk about the obstacles to sharing it – sharing criminal intrusion information, we can't talk about the obstacles to sharing information about vulnerabilities like the water system. We have to find common ground. To me the common ground is best practices. There's very little risk to government, there's very little risk to industry, and there's very little risk to law enforcement. If we can start sharing that way, maybe we can find more effective ways to build on that so that we can share "more difficult to share" information. And while we're sharing what's easy to share, we can start at the same time building the ladders that get us up to the levels of concern. And we need to do that. I think that the need to do that was pointed out very effectively by George Tenet, the Director of the CIA, when he spoke at Senator Nunn's policy forum down in Atlanta just recently. His comment, or one of the three points made, is "we cannot keep building new capabilities on a poor foundation of security. We are staking our future on a resource that we have not yet learned to protect." We've got to do that. Working to share best practices is a beginning, to me with little or no down side. And I recognize that there's no one size fits all. But you've got to start somewhere, and as I said this may be the way we can take that first step in building toward more difficult information-sharing problems down the road. 

Best practices as I understand it are really what your system administrators want access to. The folks that are in the trenches, that are defending these systems, want to know how to keep others out and make the system operable. We may have a good beginning, I strongly suggest that you consider that. And thank you. 

Mr. Silliman: If we have done anything in the last hour and twenty minutes, it is to have raised questions that beg for answers, portrayed issues that are out there that I would suggest many of the American people do not know about. You do. And, as all of our speakers have indicated, and I particularly want to allude to Jack's comment, it is such a fast-moving track that you've got to start somewhere and deal with today's problems and yet still try to anticipate the problems of tomorrow. 

I didn't leave a half-hour but I've left at least 15 or 16 minutes for questions and answers, and we've got Amanda McMillian from Duke Law School who will have the microphone. So if you've got a question or comment, please stand, identify yourself for the record and ask any of the panelists or all of the panelists what you want. 

Participant: Chuck de Caro, AEROBUREAU, a neighbor of John Ryan. Jack, my first question is, does the story you told about the kid in Massachusetts really tell you about how we're organized? Why would you take a kid who beat 15 agencies and send him to community service? Why not put him in charge of teaching the dunderheads at those 15 agencies that couldn't get around a teenager, that aren't organized for reality? 

John, it's your turn. Let's talk about the railroads in California at the turn of the century-the means and the information highway of the day. Do you remember the political effects of those railroads, basically control of California fell to Hopkins, Stanford, those boys, and what they were able to do, was not an on and off kind of terrorism, they could, but the structure of the service was [incremental?]…, and that is, they get to control the politics, because they could raise the rates at will. If you want to be Compton California, and you want a town, I open a valve for you, a spurt, if I want it to grow I lower the rates, if I want it to shrink I increase the rates. So they had great political effect over people who couldn't vote over what they decided to do. Now you work for a guy named Steve Case, who decides, on his own, who gets a 10% increase, like that from $19 to $21, and he does it arbitrarily with no ability for the people using the service to play a part. So there's another thing, the political power manifested by people in charge of information systems and what they do to a greater whole, the freedom of the greater whole. I'd like you to think about that and give me a comment.

Mr. Silliman: Okay, anyone want to take a shot? Jack, first? 

Mr. Danahy: Sure, that's fine. The short answer – why don't we make it two questions, really, and one of them is implicit – why the hell did it take them so long to figure out who it was, and based on that, finding out who it was, shouldn't we somehow canonize this kid and put him in charge of the Aegis Center for teenaged juvenile delinquency? [Laughter] The facts of the matter are, that the kid is the problem, the knowledge that the kid used to break that system is available on any of a hundred websites. This information is well known, generally available, and so frankly, both the company that had the problem and the investigative institutions who were tracking him down had access to all of it to begin with if they felt compelled to look at it. 

Secondly, the duration of the exercise in identifying the culprit and the fact that they needed this cross agency working group to figure out who it was, is largely not a fact that people didn't spend enough time gathering that information up front, as they were securing the system, you know, any security team will tell you that half of the battle is gathering enough information to know both a) what's going on, and b) what did I do wrong that brought me to this bad place I'm at right now so I make sure it doesn't happen again. In the absence of both of those, you needed all those people. As I look at it ideally, were that line well-secured or at least well-monitored, the investigation takes very little time at all. And the kid basically should get the same punishment as some other joyrider gets who grabs a car with the keys in it. The overall problem being, that someone should have been trying to preclude that access in the first place. I'm very much against what's happened; I forget the name of the kid who now is in Israel, who was actually supposedly the educator of the high school crackers probing the Pentagon. He was somebody who came up with three ideas, got in a chatroom with a couple of kids from the U.S., and taught them the wonderful lessons of cracking. Steve Roman did an excellent job at Ohio State monitoring the way that these communities grow, to get a bunch of people together in one of these chatrooms, and one person sets up a server and teaches, literally teaches, the way we do this distance learning now, others how to break into systems. No, you did that wrong; I can watch your keystrokes; you've done that wrong. And then you watch these people go and try it, and they lie about the fact they've broken into something and you come back and see "I just broke into Fred's Nuts and Berries, here we go again." 
So I don't believe the kids are the problem; I don't believe in glorification of people who use the equivalent of a hammer to break through a plate-glass window. I think the basic problem is we have to create what is an acceptable benchmark baseline, that people have to get over, before they're allowed to connect. I'll let John handle the question. 

Mr. Silliman: John? 

Mr. Ryan: Well, let me start off by saying that I don't think any one individual, any one company controls access for the protocols of the Internet, including pricing. I think clearly, like any other industry or business, pricing is a market-driven initiative, and I think you are suggesting, if I understood you correctly, that one company could have an inordinate amount of control or influence in this medium. I think the reality is, in the U.S. alone, there are over 4500 ISP's, from the small Mom and Pop server in the garage, to the AOL's and … of the world. So I don't think this is a medium that structures itself financially any differently than any other industry.

Participant: Bob Minehart, Army War College. This is primarily focused towards John, but I'll take from anyone. I come from the government, so the government perspective is natural, and I'm very interested in your perspective, the commercial side, and you've portrayed AOL very well. You have been able to show the point and click action getting on-line, and you've shown you're very attentive to your members' rights and their needs, and I see all that, and you've also shown where you've been willing to work well with law enforcement, but my question comes from the next move. When does AOL believe it'll have point-and-click privacy, i.e., the capability to encrypt their messages and do things, and where are you going to fall in working with law enforcement? Will you work with each other? Will you not? How's that going to work?

Mr. Ryan: Well, we are actively engaged in a dialog now in the encryption debate with the FBI, with Justice, with some of the other interested agencies. I think what's developed over the past several weeks, actually, is an initiative on both sides to move from their entrenched positions to try to seek a more pragmatic common ground. The reality is, this debate's been going on for a number of years now, and certainly there've been no winners, and everybody on both sides have been losers. Our European counterparts have a different scheme, different statutes; we are losing as an industry market share, that's a reality; and I think it's clear that industry should recognize the legitimate interest of the law enforcement community. So I think we've actually had a series of meetings, where we're trying to, in an off-line environment, really discuss what the true issues are, what the true needs of law enforcement are, and, more importantly, how can industry accommodate those interests and at the same time develop their financial markets? To answer your question about personal encryption, I think right now the priority candidly is in the financial arena. We need to address that first, and then I think we will consider and learn how we can incorporate that same type of data security in member-to-member communication. 

Mr. Silliman: And I should add that we'll be having, tomorrow, a whole panel dedicated to this concept of encryption. Bob? 

Mr. Giovagnoni: If I could just add, on the law enforcement issue, I believe the Attorney General took a very big step forward when she established the National Infrastructure Protection Center. From what my experience has been over the last few years, there has been a degree of willingness between industry and law enforcement to talk-they just haven't found a medium to do that, and as they're coming to the table, and talking, the only problem that they're running into is how can you share the information without the down side liability versus compromising your case? They are working together, I've seen it with AOL, I've seen it with just about any one who's involved with these, with the major intrusions. It's not an unwillingness to share, there's a willingness to share. There's cooperation between both; it's just we haven't figured out how to do it without the down side down the road. 

Mr. Silliman: Other questions. And if you could please stand and identify yourself? 

Participant: My name is John Shissler, I'm from the government, I'm here to help you. [Laughter] Yeah, actually I work with the Joint Staff too. I have a question that once again is in the hypothetical realm because it addresses some of the problems that we're dealing with. Basically, it revolves around both laws and the interaction of laws and some of the principles we kind of hold dear within the United States. For example, when you talk about the public's right to know, you have for example the EPA mandating and setting up a database that has a listing of hazardous material sites around the United States because the public has a right to know about what's stored in their backyard. Then you have a terrorist website, for example Hezbollah, which does have a publicly-identified World Wide Web site, you can click onto it using Yahoo. They search that, find out there's a fertilizer plant in city XYZ, and it's kind of nearby, and they go to someone who they've hired, a hacker working in Europe for example, bounces through three or four Internet service providers who include America Online, then proceeds to attack the data system that controls that plant, causing the chemical spill or a problem like that. How do you deal with all those problems? Specifically, the public's right to know, privacy rights, problems with intelligence oversight law, for the Intel community. If we want to look into how this person broke into this data system, well they went through a U.S. system, which means it's really a law enforcement issue; but since the guy comes under Lebanon, it's really sort of an intelligence/national security issue. How do you deal with all of those problems?

Mr. Silliman: Bob, you going to answer that? 

Mr. Giovagnoni: Well, I'm going to answer part of it, and I'd like you to take this the right way because what you're saying is a matter of grave concern and a lot of people are thinking about that. That's one of the reasons I raise the issue of putting together a security policy board to try to find a way to share information. The one thing that you have to keep in the back of your mind, and the logic is very pointed in this way, but what you're saying, notwithstanding how they caused this attack, is that we are an open nation; we make information publicly available. We make too much information publicly available, and as a result people get hurt. So maybe what we really need to do is look at restricting the First Amendment, and that's where the problem comes in. Now that logic is a jump to make the point, but what we're saying here is that we have too much information, and it's hurting us. Well, there are some privacy right interests, there are constitutional concerns as to what you do once you start curtailing information, on what steps you're taking to limit some very basic and essential rights. We're looking to this workshop to come up with an answer. 

Mr. Silliman: We've got time for one more question. All the way in the back. Richard Myers. 

Participant: Richard Myers, a student at Carolina Law. Jack, you had mentioned earlier the need to educate the public about vulnerability of financial information. The Quicken example really struck me as one where it seems the problem and the solution to the problem may be self-defeating and that people won't use Quicken and use Internet service providers to do their financial transactions if they don't trust it. So the problem creates itself, and I'm curious as to what you see as the tension there between educating the public as to how to protect this kind of information while not at the same time stopping them altogether from doing that.

Mr. Danahy: Thanks for the opportunity to sort of proselytize one of my two security virtues, which is really frankly they shouldn't be using them both together. What happens is, in our industry, I am culpable, I take responsibility. We can build functionalities as fast as we can, because everyone wants the latest, newest and whizziest way to get business done. And we typically develop these things in the absence of any sort of security context. And so if I look at the technologies that have been developed, and I look at the time that's been spent on a technology, such as ActiveX, and I don't mean to be painting Microsoft with a broad brush, it happens to a lot of companies. ActiveX has been pushed and pushed and pushed as a technology, without having any time taken to understanding how it would affect the security of the people who use it. Take privacy. Quicken was never intended to be run on a system that would be laid bare by another type of service. So I don't hold Quicken responsible for this. I look at the question I asked to Richard Clarke, following the War College exercise, which was how do we, as a nation, try and help industry regulate its own rush to new functionalities so they understand that they have to provide some requisite amount of security? The short answer is that they shouldn't use it together, and I believe that the balance is to give them all the information that we have, so that they can protect themselves. If there's a Doberman running around Main Street in Canton, where I live, I don't think the businessmen there are going to complain that I warned the townspeople not to go on Main Street today because they're going to lose the shopping. I have to do my due diligence to make sure that my constituency is well protected. So I think the overall solution to this problem long term is to create the information awareness that says, Wow, I'm now a customer, I can't use Quicken in your product, so I'm going to buy another product. 
And I think what happens is, fairly short order, it becomes a priority in the development cycle as does the new features and functionality. 

Mr. Silliman: Thank you, Jack. We're going to go ahead and take a break now, and I would encourage you to see the panelists, if you didn't get a chance to ask a question here, during the break, but join me in thanking them all for their participation. We'll be back here at 11:00 for the second panel. 

Interests and Equities: Responsibilities and Roles of Industry and Government

Monday, April 20th, 11:00 A.M.
Moderator: Robert Turner

Panelists: Richard Marshall
Russell Stevenson
Michelle Van Cleave

Mr. Turner: Good morning, ladies and gentlemen. My name is Bob Turner, and I'm the Associate Director of the Center for National Security Law at the University of Virginia. It is my great privilege to moderate this morning's second panel.

When conferences are being planned, it is interesting to observe sometimes how they pick moderators. Sometimes moderators are distinguished experts, who people feel lend an aura of distinction or class to a program, which they might not otherwise attend. Perhaps people that are so busy that if you asked them to come and present a paper, they would simply not have the time. 

A lesser category of moderators is composed of people who the sponsors feel indebted to, but whom they really don't want to trust with substantive responsibilities. If there's anyone out there who's envious of my role here today, I've been assured by Scott that for just $20,000 you can moderate this same panel at next year's conference; for $30,000 your money can get one conference and a dinner speaker introduction. 

Moving down the line, there's another category from which moderators are often selected, and that is sponsoring organizations. I can see it now, it's Scott and friend Robbie sort of sitting around, and they say, "well, who are we going to get to moderate the second panel? Well, if we have somebody who's not going to be there, they'll want us to fly them in, so let's let John Norton Moore do it, he'll be happy to do it." And then they found out John was teaching today and tomorrow, and they said "well, wait a minute, it's even better if we have Turner – he'll bring his camera and take pictures and video and tape and everything else and feel important – he'll feel important."

So anyway, that's how I got here. It's sort of like Mikey in the old "Life" cereal commercials, you know? Give it to Mikey, he'll moderate it! So I agreed to do it. I have that policy where they call me four months in advance and to get them off the phone I'll say yes, and then about six weeks ago I said, "now what is this panel I'm going to be moderating?" So I got out the schedule and I looked at it and I saw the title and it says, "Interests and Equities." I looked at it again and said, interests and equities, and I said, "I didn't take that course in law school." I don't think even I know what that's all about, but I gather after some inquiry that our role today is to discuss the relative role of the public and private sectors in protecting our information infrastructure in the coming century. I bet Scott thought I'd say something insightful about this subject, but I had a very wise mother, and when I was a small child she gave me that old sage advice, that "son, it is much better to be silent and be thought a fool, than to speak up and remove all doubt." She was a very loving mother. I remember when I was five years old and they sent me off to Georgia Military Academy, in the late 1940s, and she came to our first parade. She's sitting there watching us march by, and sure, my tie was a little crooked and my shirttail was out, but she looked out and she beamed to my father, her husband, "Look, our Bobby's the only one who's in step!" [Laughter.] 

Well, my real contribution to the panel was not picking the speakers or picking the topic, but deciding who should go first, second and third, and it was a daunting task, knowing as much as I did about the topic. And so I said first of all, well, all that really matters is that you be fair and nobody complains, so let's be alphabetical. So I put all the names in alphabetical order. Then I thought about it, and said, "no, wait a minute, we've got somebody from the executive branch, and somebody from the private sector, and somebody from the Congress, and the person from the private sector is certainly not going to be able to say very much about government policy and what's wrong with it, unless he or she has a chance to hear what the government policy is." So I said we ought to start off with somebody from the government telling us what the problem is, and why we need to do something, and then perhaps somebody from the private sector telling us whether that's the right thing to do and we ought to do something else. Then, of course, we'll bring in somebody from the Congress who's going to tell us – whether it's what we ought to do or not – what we're likely to do, because the reality is Congress is going to have an awful lot to do about anything the United States does in this area. Certainly any major policy in this area that requires criminal sanctions is going to have to go through Congress. There is, as I'm sure you know, the old adage "The President proposes and Congress disposes." So anyway, after careful thought I've listed them down in order, first the executive branch, then the private sector, and then the legislative branch, only to find that I had them in alphabetical order. 

Now it's been said that figures don't lie, but liars figure, and I don't want to suggest that I was capable of playing around some with the alphabet, but I will tell you that if the natural order of things had come up differently I was perfectly prepared to introduce my old friend, Michelle Van Cleave, first, or else Michelle Van Cleave last. She was very flexible in that regard, but it didn't prove necessary to call her Ms. Cleave, so we won't do that today. [Laughter.] 

Our first speaker is a dear and old friend, and among his other distinguished accomplishments, he was a graduate of the fourth National Security Law Summer Institute at the University of Virginia. He didn't do very well, so if he screws up today don't blame us. 

At any rate, Richard H.L. Marshall is the Associate General Counsel for Information Systems Security at the National Security Agency. Back in the years when I was in government we used to call that No Such Agency, even though it was much larger than the CIA, of course, but nobody knew it existed. Now, of course, NSA stands for Nothing is Secret Anymore. A graduate of the Citadel more than three decades ago, Rich Marshall had a distinguished career as an Air Force JAG officer, following his graduation from Creighton University Law School. He graduated with honors from the advanced program at the Army JAG school in Charlottesville, which now offers an LL.M. for that same amount of work. He also graduated with honors from the National Security Management Program of the National Defense University. He studied at Harvard Law School and Georgetown Law School, from which he holds an LL.M. in international and comparative law, and at other law schools as well. 

I tried to get more information on Rich, but I was basically told that if you had a need to know, you'd have been told by now, and if we told you any more we'd have to kill you, so I didn't push. I did ask others about him, and about the most sensitive thing I could find out is that he was the originator of the controversial "Don't Ask, Don't Answer" program to educate Americans about information infrastructure security. 

He is a highly respected expert on this topic – he's been working on it for years. Please join me in giving a warm welcome to Richard Marshall. 

Mr. Marshall: The truth can now be told on how the selection was made to be the first panelist to speak. The plus about me being on crutches is that I'm not going to be able to talk that long. I understand that a person's attention span lasts about as long as circulation in his lower extremities, and I'm limited to one extremity – I'm standing on one foot most of the time, I can't put any weight on the left foot. Now you're all asking yourselves, how did this accident really happen? I'm here to tell you the august truth: there are two things that Bob didn't openly disclose about me that I feel in honesty I should share with you. Number one, I'm first generation Dead; I'm still mourning the death of Jerry Garcia. So if I go off on a little fringe, you'll have to understand that's what it's about. But don't be terribly concerned, because having helped develop the Air Force drug program, and having had many opportunities to contribute at the office, and, [laughter] when the social action people recognize your face, and you're selected at random right after the Jerry Garcia concerts, and you always pass with flying colors, I'm a real believer in that program.

The second thing you need to know is that this accident really occurred – It was a freak accident. I am a convert to snow boarding. Now I know a lot of you are active skiers, and you think there is some kind of a social conflict between skiers and snow boarders, and there isn't as long as you stay out of our way, especially when you see a 52-year old guy coming down the slopes and his 13-year old son is trying to catch up with him, knowing that the force of gravity does have a stronger effect on a larger body that's going downhill. And there's no greater thrill in public at my age than to hear your 13-year old son say, "Cowabunga, Daddy dude!" So I wear my crutches with pride. As far as the cost-reduction program, they left off one of my initials. I'm very proud to have a full middle name, Richard Henry Lee. Just to let you know the government is doing its part for cost savings. [Laughter] 

Now this is kind of a recap of what we discussed today, and this shouldn't catch you as any real surprise. It should make you feel good, actually, to know that this is an ongoing effort; there's a lot of work that's been going into this. It is an unfinished product, but these are some of the things that we want to talk about: security of the defense information infrastructure and the national information infrastructure. Now let me describe what both of those are. The defense information infrastructure is that telecommunications network, that telecommunications systems, that the defense department uses to communicate. And that doesn't make any difference whether it's classified information, military information, or day-to-day contract information. That is part of the defense information infrastructure. Now the interesting aspect is that there is no bifurcation, there is no bright line distinction, between the defense information infrastructure and the national information infrastructure. And you're going to quickly ask, "why isn't that so?" "Can't you make a distinction between super-highways, and safe highways?" The answer is no, because the defense information infrastructure rides on the national information infrastructure. View the DII, if you would, as a pipe that is part of a larger pipe that we call the NII; or to look at it another way, the DII is a hand that fits inside the NII glove. Now it is bigger than the government, it is bigger than industry, indeed it is bigger than the individuals, and if there is going to be a solution to this problem, and I think we can all agree it's a problem, it's going to rely largely on individual responses. Individual reactions. And I'm not here to pontificate; I think you'll reach that same conclusion by the end of the panel's presentation today. Now, this whole concept of the national infrastructure and the defense information infrastructure is kind of like kudzu – it just grew. 
There was no management from the top, and indeed, trying to manage it from the top, whether you're doing it in a constructive way, or whether you're trying to do it for security, it's just not going to work. It just will not work. So we have to work together to achieve a common solution. 

Now we take for granted many of the information technologies that we use today, and we really don't understand that they're all computer-based. How many of us use a telephone answering machine in our homes? Most of us do. How many of us are able to access that telephone answering machine, from a distance – remotely? Most of us can't – we haven't mastered the technology. How many of us realize that that telephone answering machine is not a telephone – it is a computer? You're dealing with stored electronic communications. That happens on a day-to-day basis. When you get e-mail, that is electronic communications. Does that come in a voice? Yes. Is it digitized? Can it be manipulated? Can it be made more secure? Issues to think about. 

Now, the electronic information that we're dealing with, these are the four variables that you want to rely on. You want it to be authentic, you want to make sure it's accurate, you want it to be available when needed, and in certain circumstances you want that content to be private – issues that were discussed earlier this morning. The critical information infrastructure must be protected from electronic attack. That was the theme of the morning's first panel and that's a common theme here. The central focus, though, is we must remember it's the components – not just the backbone, not just the Internet. 

Now, the infrastructure is at risk. There have been a hundred examples that are easily cited – several of them were broached today. Let me talk about two of them, very quickly, that illustrate this, and you can extrapolate that what's in the DII is even worse in the NII. I'll cite three particular authorities for that – one is the Senator Sam Nunn Commission, and that is available on a website, it's a GAO report. It talks about the computer vulnerabilities of the DOD systems, and it comes up with the astounding conclusion that DOD computer systems are kind of like an igloo to a polar bear – they're crunchy on the outside and soft and chewy on the inside. Now what do I mean by that? You can exploit vulnerabilities – you can exploit personalities. If I can break into Bill's system and pretend to be Bill, then I can very easily say – because I know Bill has a trusted relationship with Colby – I can pretend to be Bill and go into Colby's system, and Colby will say, "gee, I trust Bill, I know everything he's saying is accurate, authentic, etc." – all of those other variables. That's what I mean by exploiting trusting relationships.

Last year, there was a very interesting exercise called Eligible Receiver. It was a JCS-sponsored exercise, and one of the variables that I thought was rather unique was that there was a DOD adversary, a no-holds-barred, go in and break the system, bring down the DOD telecommunications net adversary. Now we can talk about it now, because it's been in the press recently. It was an absolutely fascinating exercise, it was not a command post exercise, it was a live fire exercise. And the communications systems of the DOD for this exercise were in fact brought down. Now, it wasn't the failure of individuals – it was the systemic failure of not being able to react and to protect the systems. And it illustrated at a very high level that we don't have a handle on how to detect, react, and protect our information systems. And if the Department of Defense has this vulnerability, can you imagine what vulnerabilities an organization – and I use that term loosely – such as the national information infrastructure, whatever that is, as ephemeral as it may be, might have? 

Rapid growth in critical unprotected networks. Those breed additional insecurities. Now, you might have the most secure system in your home – I would imagine you use Windows 95, and you permitted Bill Gates to come in and check your system. I mean, if you registered with Bill Gates & Co., you permitted them to come in and check what you've got on your system. Now you'd be alarmed if I told you that if you had an Internet service provider, you permitted that Internet service provider to come in and modify the way your system works. You feel comfortable about that? I mean, certainly you can trust your Internet service provider, I mean if you can't trust America Online, by God, who can you trust? [Laughter] I'm getting an answer, I guess. 

Now, think about the vulnerabilities here – they are shared vulnerabilities. I may be as secure an individual, in terms of computer security, as anyone in the room, but as soon as I link up to you, it's the lowest common denominator. A very vivid example – how many of you saw the Super Bowl on TV? How many of you saw it live? I happened to have experienced that – it was an amazing event. I was discussing information system security issues there, and the person next to me said, "you know, Rich, information system security and the vulnerability is kind of like everyone here at the Super Bowl today, drinking from the same beer cup." Yuck! Think about the vulnerabilities there! I might trust the person next to me, because he was my brother, but what about somebody in another seat? You don't know – what you don't know in terms of the vulnerabilities. So as soon as you plug into the Internet, you're accepting everyone else's vulnerabilities. Kind of scary – but there's a solution. 

Let's go to the next slide. On the right is the NII, rapid growing, we have that, essential public services listed on the left, these are the things you need to watch for. We're talking about everyday events. Disgruntled employees – "I'm upset, I don't like being fired, so therefore I'm going to bring down the computer system." One of the first things Washington law firms do, when they walk someone out the door, is to take away their password – make sure they don't have computer access before they are even advised that they are going on terminal leave, as it were. Hackers – a nuisance, sometimes, more than a nuisance. Solar Sunrise – anybody familiar with that? I don't want to go into a lot of detail, because it's all been in the newspaper, freely available on the Web. It was a concentrated group of individuals, a small number it appears, who were very successful in isolating and identifying some key nodes on the DII that, if exercised, could have had an adverse impact on this nation's ability to wage war in the Gulf. Now that is significant, and to sit there and say it's hackers, it's innocent, they're just kids, let's clone them and make them security gods, can't buy into that. Individuals, criminal elements, transnational organized crime, terrorist groups – those are the biggies. 

Now you're asking yourself, why in the world are we talking about this as a national security problem, when what Rich is obviously talking about is what – an FBI issue – crime, and that's one of the tough nuts we've got to crack. Where is the firebreak between a crime and a national security issue? … in the bag of peanuts, … the first person who comes up with that good answer.

I'm going to go out on a limb here and suggest that there is a merging of two traditional views. Based on our discussions last night, I think this is still correct, but I will leave some leeway for Russ to respectfully disagree. The national security view is that protected information has an intrinsic value – it's national interest, you've got to protect it at all costs. And that's why they use the paradigm of risk avoidance. If you need to go to the airport, and you want to be really secure, you have someone take you there in an M-1 tank. Not very cost-effective, but pretty secure. Now, if you're a business person, on the other hand, if you're driven by the bottom line, if your object is to make money, you want to reduce those costs. So you only want to protect that information that is necessary to be protected, as cheaply as possible. Cost avoidance, risk avoidance type of issue. The cost of doing business – you pass it on to the consumer. Now it happens every single day, and I realize I'm stealing a little bit of your thunder, and you can correct me if I'm wrong, which I know I'm not, [laughter] … Note the confidence that arrogance breeds.

One of the reasons we pay such a high price for the use of credit cards is because banks are being ripped off on a daily basis by cyber terrorists. And that delta, the money that the banks are not letting us know is being stolen, results in higher interest rates, higher transaction costs. That's a graphic example of the cost of doing business – you pass it to the customer. As long as the customer pays, and continues to use the service, that business is not going to complain that much. And the point that was made earlier in the presentation, is how does government get business to cooperate in sharing information, to lower this delta, lower this cost, this transaction cost, this cost of doing business. And remember that banks are in the business to make money. If they advertise that they have a certain vulnerability, do you really think, being the rational persons that we are, that we're going to move all our money to that bank? Or are we going to move it to one of their competitors? Think about that for a moment. I'm suggesting that there's a merging of the two views, and the national and the private sector are inextricably intertwined, just like the DII and the NII are intertwined. And they are going to work together to come up with common solutions. I'm not suggesting that the government should be in the position to dictate solutions. Nor am I in the position of saying that private industries should be the ones who come up with all the solutions. It should be a joint effort, commonly agreed on. When you're dealing with contracts, or any type of litigation, if you've got a joint effort commonly agreed on, your enforcement mechanisms are reduced to zero, because people agree on how it should look. 

Now, this slide is much better in PowerPoint, and the reason it's much better in PowerPoint is that it's visually dynamic. And what I mean by visually dynamic is that that bubble in the middle, the zone of cooperation, moves around. Don't view that cluster of bubbles as static. That zone of operation shifts depending on the particularized need. Everyday threats have to be done at the local level. The more complex the threat, the more complex the solution. Now imagine if you would, and I know this is a strange example, all of us have automobiles that have locks on them, don't we? That's a form of security. What would we do if automobiles did not come equipped with locks – with security features? Would we wait for the government to dictate a solution for us? Would we want private industry to dictate a solution or would we try to go ahead and do something ourselves, such as putting padlocks on our Cadillacs. That's kind of a tacky solution. There would be a growth industry, little boutique markets that would provide lock systems, security systems for our cars. And that's indeed what has happened, and not only in the cars, but also in computer systems. So solutions are being worked from the ground up. 

Don't be alarmed at what I'm going to tell you. I'm not telling you a state secret. I'm not telling you something that has not been publicly known for ten years. But it's going to be new to many of you. The National Security Agency is in the information-protect business. And they have been in the information-protect business for a long time. Now what kind of information do they routinely protect? The kind of information that you would expect them to protect – classified national security information. You do not want your adversary, your adversary of the month or whatever, to be able to raid your communications and determine what your military capabilities or your political intentions are. I mean, that is a given – that's basic political science. And one of the ways to protect that is with certain techniques to make sure that your systems are secure. And you have to deal with more than just content – you know, the idea of driving a tank down a highway – you also need to make sure that that highway in fact works, that you're going to be able to have some vehicle transit there. Translate that to be the defense information infrastructure. Now NSA evaluates commercially available products. They evaluate those commercially available products against a standard, the standard that the industry agrees with, to hold a certain level of security goodness, a certain level of security functionality. Now it doesn't say that this particular system processes information quicker, better, cheaper than another system, but it does give you a feel for how secure that information may be processed, if properly configured, etc., I mean there are a number of caveats on that. But it does give a system operator a better feel of how to structure their particular system. 

Now, NSA's charter is limited to national security systems. But NSA can also work with the National Institutes for Standards and Technology, and help influence standards that are used not only in the defense department but also elsewhere in the government. I would suggest to you that a current role of the government is to help influence those standards, working in an active partnership with business and with industry to come up with a common solution. 

This is almost a recap of what I've just said, but it also points the way to some other initiatives that are under way. There is a very active program with NIS where there will be joint evaluations of commercial products for security goodness, and these evaluations will take place not just by government entities but by private entities as well. Sort of a Good Housekeeping seal of approval, the security goodness for your products. 

Thank you very much for your attention. I certainly enjoyed seeing a lot of familiar faces, I'm never going to say old faces, because I resemble that remark, but certainly friendly faces. Thank you very much. 

Mr. Turner: Thank you very much, Rich. Our second speaker of this morning's panel is Russell B. Stevenson, Jr., who is the Senior Vice-President, the Secretary, and the General Counsel of CyberCash. Now, it's not very well known, but the Security Committee at CyberCash consists of precisely those same three officers. Somebody once said the only way to keep a secret is don't tell anybody, and they figured if he only whispers when he talks to himself their secrets at least are safe. I don't even know what CyberCash does, but I'm impressed with their attitude toward information security. Just to give you an idea of what I'm talking about, Russell's bio or resume was about one-fifth as long as the one we got from the National Security Agency on Rich. Now I wanted to know more about this guy, I'd never heard of this group or anything, and so I called Donna Ganoe, our Center's administrator. 

Some years ago we had an intelligence community official come down and give a speech and we asked him if he could fax us a resume, and we got what appeared to be a business card back a couple days later, and so I sat down and I came up with a little form, and it asked a lot of questions, just to tell us really who these people are, and we told them, if you want your honorarium, you'll fill out the form. So I told Donna, send this guy Russell Stevenson one of our standard forms. He was a tough nut to crack. Part one of my form was called family background, and under the question "mother," he wrote "yes." I asked Rich Marshall for help, figuring NSA keeps a record on all these guys – I figured as much, and he said we'd done a better job than they had, they'd been debating whether he had a mother! And so they were going to put this in their records. But we're resourceful at the Center for National Security Law, and so when all else failed, I called Scott Silliman, and I said see what you can find out on this guy Russell Stevenson. 

And two or three minutes later, Scott called me back, and I was just really impressed at the amount of data he had come up with. He told me that Russ Stevenson graduated with distinction from Cornell University in 1964, with a degree in mechanical engineering, mostly A's, and he had earned his J.D. cum laude from a small college in New England, "Hahhvahd," was that it? Well anyway, from Harvard Law School. For more than a decade he was a full-time law professor at George Washington University, teaching corporations, securities regulation, international business transactions, and international economic development (I've actually got a list of his former students if anyone is interested). He served as Deputy General Counsel at the Securities and Exchange Commission for several years, authored two books, numerous articles – we've got copies of all of those. Scott also gave me the number of his Visa card, the combination to his gym locker, and two PIN numbers that must have some value. I told Scott, I said, "this is incredible, where'd you get it?" And he said, "I just typed Russell B. Stevenson in the Search window in Netscape Navigator and it all came right back up!" 

Anyway, the Internet is the source for a great deal of information, and I have the impression that most of this is accurate; and for those reasons please give a warm welcome to Russell B. Stevenson. 

Mr. Stevenson: Thank you, I think. What Rich didn't tell you is that the real reason that he is hobbling around on crutches is a clever defensive maneuver. He knows that I wouldn't beat up on somebody on crutches. 

I am going to talk this morning about some very general notions of the relative roles of the government and the private sector in dealing with the issues we've been talking about at this conference. But before I leap in to my prepared remarks, I can't resist reacting to some of what has gone on already this morning, by trying a little bit to put some of this discussion in perspective. I think it's important that we keep it in perspective because there has been altogether too much hype on all sides of every issue relating to the Internet in particular. I think it helps if we step back a minute and look at what the problem really looks like, and since we talk about it in terms of the information superhighway, I'm going to use some highway analogies. 

Some years ago, I was talking at a conference and somebody put up his hand and said, "Oh, the Internet will never work, it's slow, it's klutzy," and so forth. Think about it. That reminds me of something that someone might have said in about 1910 about the highway system. If you think about it, we are in the development of the technology and the deployment of the Internet about where the automobile was in 1910. The information or the highway, the superhighway in those days consisted of cobblestoned city streets and rutted dirt roads, and you probably had to steer around steaming piles of brown stuff left by other means of conveyance. There was no standard technology – it wasn't clear if the motive power in the long run was going to be the internal combustion engine or the steam engine or electricity or something else. You couldn't go much above 20 or 30 miles an hour, most places, and it was a good thing, too, because safety standards were non-existent – the seat belt didn't come into common use until the 60's, airbags in the 70's, the National Highway Transportation Safety Agency didn't come into existence until, if I remember correctly – sometime in the 60's it started to adopt federal standards. And so we've come a long way, in a complex process of interaction among business, technology, and government to get to where we are with the automobile and the highway system today, which obviously has radically changed the way we live our lives. Another lesson we can learn from the highway history is that I could tomorrow start saving tens of thousands of lives a year if I were a philosopher king by simply decreeing that the maximum speed limit on any street or highway in this country was to be 30 miles an hour. 
Now that's obviously not something we're prepared to do as a society, and likewise I could probably reduce cyber crime and cyber terrorism on the Internet and other pieces of the electronic infrastructure by adopting some Draconian measures that would crimp the development of the Internet and make it much less useful to all of us. 

The point is that there has to be some balance between dealing with issues of security and protection against crime and terrorism and letting the medium develop and be used to bring the convenience and efficiency that it offers. And I'm an optimist, I believe the stock market is where it is today largely because we are entering into the early years of a digital revolution which is going to be as significant for the evolution of our economy as the Industrial Revolution was. I think we are at risk if we are not careful of slowing that down, and if we treat it respectfully and carefully we can all benefit from it substantially. 

To come back to the main subject, the role of the government and the private sector, I'd like to make two points about the role of the government. First of all, I strongly believe that public policy in this area should limit collective action, by which I mean laws and regulations, to those aspects of the infrastructure in which there's likely to be what economists call a market failure. That is, aspects in which the aggregate behavior of individuals acting in their own self-interest produces a sub-optimal result. Second of all, in adopting policy for protecting the information infrastructure, it is important that we not forget the iron law of unintended consequences. And finally I'm going to say a word – because I can't resist it – about the issue of encryption and its role in the protection of the infrastructure. 

Let me begin with the problem of market failure. It's obvious that there are tremendously powerful incentives for private industry to protect itself against attacks by terrorists, criminals, hackers, thieves, so forth, and to protect its customers, because, whatever you might say, anyone who is in business on the Internet is not going to thrive if it is known that their service can't be trusted because information provided by their customers is not safe in their hands. In a perfect world, the combined action of all these private actors operating on the Internet would produce an optimal degree of security. But of course, we don't live in a perfect world and we have to admit that. I see there being two distinct aspects of the imperfection I'm talking about. First, individuals do not always pursue their own self-interest with perfect knowledge or with perfect efficiency. You've heard some recitations of examples of break-ins and other problems on the Internet, and all of them or almost all of them have been in large part or entirely a result of the inadequacies of various people who exist on the Internet in protecting themselves against attack using readily available technology. As was said in the earlier panel, this is not a technology problem, it's a business problem; and even more it's a human problem. Anyone who has read through the long list of break-ins and problems on the Internet and thought carefully about it will recognize that, in the vast majority of cases, the problem was somebody didn't put a password on a computer, or used an inadvisable password that was subject to a dictionary attack, or it was the result of a disgruntled employee who walked out with a laptop with a bunch of keys on it or a bunch of passwords on it. 
Issues of physical security, human security and simple good practices can go a long way toward solving a lot of these problems, but let's face it, businesses don't always act in their self-interest, and I believe there is a role of the government in helping to develop best practices, research on technology, dissemination, education – that can in fact be very powerful and useful. 

The second potential area of failure is a failure of the network itself – a failure resulting from flaws in its design or operation of the network that risk bringing down the entire network. In the past few years, we have seen a number of examples of this sort of network failure in the national power grid, where there have been blackouts or brownouts covering large sectors of the country, and in the telephone system, where again there have been some periods of outage covering large cities or large areas. I am not by any means an expert in the technology of protection of these systems, but it strikes me that it is at least likely that the way we are organized to provide the networked services of the Internet is not likely to lead to an optimal result, and that some role of a government agency in finding out where the weaknesses are and doing something about fixing them is probably correct. 

Let me talk now about the law of unintended consequences. According to the law of unintended consequences, which most of you are familiar with, any major change in policy, however well intended, is certain to have unintended, adverse consequences, which will usually be significant and will sometimes outweigh the beneficial consequences. Congress should keep this principle firmly in mind when formulating policy regarding the electronic infrastructure. This problem is only amplified when the government is dealing with rapidly changing technologies, like the one we're talking about here today. Laws move at the speed of Congress. The Internet moves at the speed of light. We mustn't forget that. This creates a great risk that regulation intended to protect the infrastructure will end by, at best, slowing the pace of the development of the technology and its deployment, and, at worst, stifling beneficial innovation that might ultimately have made the regulation unnecessary. 

Finally, let me come to encryption. I recognize there's going to be a panel on this tomorrow, which unfortunately I won't be present at. But it should be said, and underlined, that of all the technologies on which the security of a computer network depends, encryption is perhaps the most important. Without it, sensitive communications would be vulnerable to interception by terrorists, thieves, spies, and the merely curious. With strong encryption, users of the Internet can communicate among each other with little concern that their messages will be read by anyone other than the intended recipients. 

U.S. policy on encryption has been – I might say confusing and controversial – but let me use a more technical term: an unholy mess. Unfortunately, some participants in the controversy persist either in willful ignorance, or deliberate refusal, to acknowledge the importance of encryption in the security of our networks. It is no small irony that the law enforcement interests who argue so ardently for limitations on encryption seem to fail to recognize the increased vulnerability of networks to break-ins and other criminal or terrorist activities that would result from the weakening of security when encryption is weak. 

Encryption is a complex technology. The systems that employ it as a tool for security are equally complex, and are evolving rapidly. Regulatory constraints on the use of encryption, or forcing the use of certain design parameters will inevitably weaken the security of electronic networks. We mustn't forget that in addressing this issue. That's not to say that there are not legitimate interests for law enforcement and national security, that might call for some approaches to encryption that are different from those that might otherwise evolve out of action of the private sector, but we have to remember that there's a balance that has to be struck. 

To sum up, then, let me offer some broad recommendations and a particular one. 

First, we should probably limit the role of the government in protecting the infrastructure to research and education aimed at enabling private actors to protect their interests more efficiently and to identifying those weaknesses in the electronic infrastructure as a whole that cannot be effectively addressed by the private sector because of market failure. 

Second, we should be hesitant to adopt regulatory measures – that is, compelling certain behaviors in the private sector – until we are clear on the consequences both intended and unintended of those measures. 

Finally, we should pay particular attention to the importance of encryption in assuring the security of our networks and not go off on one side of that debate without paying attention to the consequences. Thank you. 

Mr. Turner: Thank you very much, Russ. Our final panelist this morning is a very old dear friend of mine, and one of the mainstays of the Washington, D.C. national security law community. I think I first met Michelle Van Cleave about 1981; every time I listen to her I find myself to be more impressed. She's one of those rare individuals who has substantive expertise not only as a lawyer but as an expert on a wide range of national security topics. Michelle holds M.A. and B.A. degrees in international relations from the University of Southern California; and a J.D. from the U.S.C. School of Law. She spent several years in private law practice in Los Angeles, and in 1980 moved to Washington on the Defense Department transition team for President-elect Ronald Reagan. From 1981 to 1989, she served as Defense and Foreign Policy Advisor to Congressman Jack Kemp. She spent five years as General Counsel and Associate Director for National Security Affairs in the White House Office of Science and Technology Policy. She's also served as the Minority Counsel to the Committee on Science, Space and Technology of the U.S. House of Representatives. Currently, she serves as Staff Director and Chief Counsel to the Subcommittee on Technology, Terrorism and Government Information of the U.S. Senate Committee on the Judiciary. Whether we introduce her as "Ms. Cleave" to start our panel off, or hold her in reserve to clean up as "Ms. Van Cleave," one thing is clear; she's in the middle of this debate in the legislative branch of the government. Many if not most constraints designed to limit the freedom of American citizens to access and exchange information via the Internet and their right to use the same technology to destroy the rights of others on the Internet, and certainly any controls to which criminal sanctions will attach, will have to come through the Congress of the United States. 
So now that we've heard from the executive branch, and the private sector, certainly not every view from either, but articulate and able views both, to tell us what ought or ought not to be done, let's turn the microphone over to Michelle, to hear her thoughts, and perhaps she will actually speculate a bit as to what she thinks might actually take place, as Congress continues its work in this important area. Please give a warm welcome to Michelle Van Cleave. 

Ms. Van Cleave: Well, good morning, I don't know how much of that charter I can fulfill in my allotted time, but we'll set forth and see what we can do. 

We've been asked on this panel to talk about the roles and responsibilities of government and the private sector, and I have to say … and infrastructure protection as our topic is given, and I have to say there have been a lot of conferences and seminars and studies devoted to this topic. Most of them lead very quickly to the conclusion that it's very important that there be a lot of information-sharing between government and the private sector, that this is very, very important. And in keeping with this view the Clinton Administration is in the process now of developing a presidential decision directive on infrastructure protection, and has under consideration the creation of a new body that would be an industry body convened for the purpose of being able to funnel information to government and to receive information from government. This idea was also reflected in the Commission's report – you may hear a little bit about that at lunch. 

I have to say that the problem I have with the common wisdom on the need for information-sharing is that we have a cart-before-the-horse situation. Few perspectives have emerged in answer to the questions, what information? With whom should it be shared? In what manner? And to what ends? In approaching public policy questions of this sort, I believe that it is very important, particularly in a distinguished academic setting like this, to be well grounded in seminal, scholarly texts that have to do with the subject matter in which the question arises. So I have consulted the essential textbook on information-sharing to try and get some insight into this issue: Men Are from Mars; Women Are from Venus. Subtitled appropriately for our purposes, "A Practical Guide for Improving Communication and Getting What You Want in Your Relationships." And I thought I would share one passage with you that goes as follows: "Men are from Mars, and on Mars, if you want support, you simply have to ask for it. Men are not instinctively motivated to offer their support; they need to be asked. This can be very confusing, because if you ask a man for support in the wrong way, he gets turned off. And if you don't ask at all, you'll get little or none." 

For all the talk about information-sharing, it often seems that industry is from Mars and government is from Venus, or maybe it's the other way around, I don't know. But it seems to me, that when it comes to protecting the infrastructure, the time has come to get around to we in government asking very specifically for support, so we can get moving. 

Despite repeated prodding from the Congress, the Clinton Administration has yet to answer the most basic questions. In 1996, the Congress directed that the Administration come forward with a report on what it would take to design an indications and warning architecture that would tell us when the infrastructure was under attack from abroad. You know, starting with big-picture questions. That report hasn't come in yet. In 1997, the Congress directed again, in law, that the President report on a national strategy to defend the nation against an infrastructure attack – again, the big picture. That report has yet to be received. Last year, Congress required that the Director of Central Intelligence report on our counter-intelligence strategy to protect critical infrastructure nodes – which is to say, how do you keep foreign governments from acquiring information that would be critical to be able to attack critical nodes. That report did come in last month – but mostly supports the conclusion that we have no strategy. So we do have the Commission report – you're going to hear a bit more about that today, I believe at lunch. But that report again is a recommendation from an outside body – it is not the Administration's conclusion. The Administration has been struggling with what to do with respect to that report and we have yet to get a presidential decision directive; they're still waiting. 

So today we need to start here with the basics. "Infrastructure protection" or "infrastructure assurance" (take your pick) are not very well-defined terms. In fact, one or the other is often used to mean very different things, and I think we have already experienced today that people are talking about this subject matter presenting all kinds of diverse aspects of what it really means to be concerned about protecting the infrastructure. I think that in order to analyze what we need to do, the roles and responsibilities of government and industry, we need to ask, "what is it we are protecting the infrastructure against" (the threat question)? "What are we assuring the infrastructure to do" (the value question)? And – perhaps the central question for this panel – "who is 'we'?" 

The answers to these questions are essential to establishing a common vocabulary, as well as to developing national strategy and policy for infrastructure protection and assigning roles and responsibilities. Whether we call it infrastructure protection or assurance, I believe that these concepts embrace three different categories of protection and reliability concerns, each with its own distinct set of requirements and objectives. 

At the first level of concern, all of us in our daily lives rely on infrastructure services, which may be disrupted by the day to day hazards encountered in the business of providing these services. The public utilities need to be protected, they need to protect themselves, against disruptions in order to assure services to consumers; and the owners and operators of these industries have long experience in managing such operations. 

At the next level, essential government services rely on infrastructure support in times of national security emergencies. There is a long-standing tradition of government-industry planning to assure essential capabilities in times of crisis, across the full range of threats from natural disasters to nuclear war. We need to update this planning to take account of new threats and new technologies – a point I will return to. 

Finally, there is a very new concern, brought about by the advent of the information age: the growing threat of information warfare. Because our infrastructures rely so completely on the information systems that control and maintain them, we have to be concerned about the vulnerability of the United States to information-based attacks on that infrastructure. National security planners are only just now beginning to appreciate the extent of our national vulnerability. If left unaddressed, these emerging threats could impact the supreme national interests of the country. 

In my view, the roles and responsibilities of government and industry will vary widely, depending on what level of infrastructure assurance we're talking about. These are not hierarchical levels; they're just analytical levels. So I'd like to talk about each of these levels in turn. 

The first is the day to day business operations. Owners and operators of the various infrastructures are responsible for the safety of those infrastructures and the reliability and the general security of their own infrastructures. These responsibilities are inherent in the business of providing infrastructure services. Part of what customers pay for and expect in return from their providers is reliability and the prompt restoration of services should they be disrupted for any reason. 

Critical U.S. infrastructures are highly resistant and resilient because their architectures and operations have been designed to provide nearly perfect service in the commercial environment. The telecommunications infrastructure, for instance, is extremely effective at rerouting around obstacles or breaks in service, and the routing protocols are designed to choose intelligently optimum pathways. While everyone has had some exasperating personal experience with some aspect of infrastructure service (your lights go out, your phone isn't working, or your checking account has some kind of disparity, flight delays, whatever), these shortcomings are on the margins. The American economy (as well as, to a large extent, the nation's security) is strengthened by these vast infrastructure services, because they work so extremely well in the face of day-to-day kinds of problems. 

What about computer intrusions we've talked about so much? Clearly, every day, hackers are trying their luck, to see how far they can get in breaking into big information systems. For the most part, these intrusions are at the nuisance level. But as cyber-based disruptions grow in severity or frequency, owners and operators will be driven by commercial necessity to improve their security against such acts. And as we've heard, that is going on today. 

Industry associations that develop standards for reliability, the liability insurance industry, industry security professionals, and law enforcement have the general experience and existing information-sharing relationships necessary to respond to these concerns. I believe that industry is fully capable of making its own cost-benefit decisions about what information to share with competitors about instances of security breaches, that will be in everybody's common interest. And the reporting and investigation of information-based crime should follow the same path as other crimes – although law enforcement agencies will continue to need greater expertise in investigating computer crime. 

At this level of infrastructure protection, do we really need some new government mission or bureaucracy? To date, there has been no central management of this level of infrastructure concerns by either government or the private sector; rather, the robustness of the various infrastructures against this level of threat has been the result of independent decisions taken by industry, at times reinforced by the various regulatory agencies on a case-by-case basis, and supported by specific legislation as required, basically along the standards that were outlined by our previous speakers. It seems to me that central management at this level of infrastructure assurance would be a bad idea. It would imply unprecedented government intrusiveness into private sector business, that would be deemed intolerable, unnecessary, and unworkable. But that is not the end of the story. 

The second level of infrastructure assurance is emergency or disaster preparedness planning. The federal government is a customer of infrastructure services and relies upon critical infrastructures in order to carry out its responsibilities for public safety and responding to these emergencies. Particularly in times of national emergencies or crises, citizens look to the government to be able to provide emergency services (and to defend the country in times of war). 

Infrastructure disruptions from whatever source (natural disasters, mischief, criminal acts, terrorism, foreign attacks) that may impact national security require central national security planning for reliability, redundancy and reconstitution. The federal government (supported by state and local governments, as well as the private sector) has long had these programs called National Security and Emergency Preparedness (NS/EP) programs, to assure the continuity of these essential government services in times of national emergency, including those services necessary to aid in the reconstitution and restoration of the nation's vital infrastructures. This traditional planning has embraced telecommunications, emergency services (health, medical, fire, water, energy, transportation, banking and other financial services) – in short, all of the major infrastructures that are identified in Executive Order 13010 that established the President's Commission on Critical Infrastructure Protection. 

By charter, it is the Federal Emergency Management Agency (FEMA) that is responsible for centrally managing these NS/EP programs. The President also has a directive out to all departments and agencies who themselves are specifically tasked for these continuity-of-operations planning capabilities. Most of these programs, which achieved maturity during the post WWII and even into the Cold War era, have withered substantially since the end of the Cold War, along with the information-sharing networks and analytic capabilities which were established to support them. 

I believe that perhaps the best example of the infrastructure assurance – NS/EP sharing idea is the organization called the NSTAC, the National Security Telecommunications Advisory Committee, which many of you may be familiar with. This is an organization that advises the President on telecommunications requirements for enduring telecommunications across all kinds of crises, and it's made up of the CEOs of major telecommunications companies – there's some rotation in their membership. They've been a standing organization since they were created after the breakup of AT&T in the early 1980s, and remain a successful example of this government-industry planning to assure emergency capabilities in times of crisis. They're also supported by a government entity called the National Communications System, which is an organization made up of 23 departments and agencies that are major users or providers of telecommunications services. They work hand-in-glove with industry, including a 24-hour coordinating committee that's industry-manned at the DISA headquarters, the Defense Information Systems Agency headquarters, and it is an enduring capability. 

What's come out of those kinds of so-called NS/EP planning? There have been joint exercises for preparedness training, which establish a common base of experience and trust. They establish personal relationships which, interestingly enough, become very important in government-industry interaction – personal relationships and trust, knowing who you can talk to and how you can talk to them, who'll pick up on the other end of the phone, becomes a very important part of making this kind of effort work. Because the information exchanges that underlie NS/EP limited planning are focused on a clear, common purpose, experience has shown that there is a greater willingness to be sharing information because you know what that information is going to be used for. By contrast, a government effort simply to elicit information because we're generally concerned about infrastructure protection is likely to be met with, "Why should we in industry be providing all our critical vulnerability data to the government when we don't know what will become of it? No, thank you." 

The NS/EP responsibilities of FEMA and other departments and agencies could quickly be reinvigorated with an injection of national leadership, modernized strategies, direction, and reasonable support. But this kind of preparedness planning is, in and of itself, not sufficient to meet all infrastructure assurance needs. When we consider the prospect of a deliberate attack on the nation's critical infrastructures, we move beyond these flexible emergency services-type planning to the need for a dedicated national strategy to deter such attacks and protect the country against a strategic infrastructure attack. 

This brings us to the third level of infrastructure protection – the possibility of a deliberate attack against critical infrastructures, either by terrorists or by a foreign adversary. While the importance of the physical security of hydroelectric dams, or rail switches, or air control towers, and the like has long been understood, the prospect of cyber terrorism has focused new attention on the critical infrastructure nodes. PDD (Presidential Decision Directive) 39, "U.S. Policy on Counterterrorism," sets forth policy and assigns responsibilities for reducing vulnerabilities, deterring terrorism, enhancing counterterrorism capabilities, and responding to these attacks. The responsibility for the management of the federal response to acts of terrorism in the United States rests with the Attorney General. She has created a National Infrastructure Protection Center at the FBI, which has been assigned responsibilities for prevention, interdiction and investigation. This will not be easy; indeed, some question whether the FBI will be able to do much against cyberterrorists at all. In particular, unlike physical acts of terror, cyber attacks potentially could be carried out without any of the terrorists ever physically entering the United States. 

A key threshold goal is to centrally receive intrusion reports that may be evidence of terrorist activities. At present, infrastructure businesses and industries are subject to a complex maze of incident reporting requirements, derived from law, regulation, industry standards, and various contractual arrangements including insurance agreements. But cyber intrusions present a new and yet largely unaddressed concern. For the most part, infrastructure services are monitored for status, but not for integrity against cyber intrusion. 

Some have posited the notion that if intrusion detection instruments could be developed and integrated into infrastructure systems, it may be possible then to detect unauthorized intrusions either when an attack is underway, or as precursors preparatory to a cyber attack. As yet, it is far from clear whether intrusion diagnostics can be refined to the point where a single, discrete intrusion will be susceptible to detection and accurate interpretation. 

However, assuming that more precise diagnostic tools could be developed and were deployed, the operations of those assurance systems would need to be in the hands of the infrastructure owners and operators. To the extent operators were able to detect unauthorized criminal or other potentially destructive intrusions into their network, one would expect that those incidents would be reported to law enforcement equally with evidence of other criminal activity (such as trespass, theft, destruction of property, etc.). 

Some have questioned whether certain infrastructure owners and operators would be willing to provide this kind of information, given the potential commercial implications of reporting on their vulnerability. But most other criminal activity does get reported which also has commercial implications. If infrastructure owners would make the decision to invest in information system diagnostics, they would do so in full awareness of the federal law enforcement resources available to them to call upon. Having detected an intrusion, they will want to block it (which they alone will be competent to do or direct), with the goal of having the criminals or terrorists caught and prosecuted. Therefore, in the future, given the technical base, the flow of incident reporting on infrastructure intrusions to federal law enforcement entities should be a straightforward decision by the victims, consistent with their self-interest. Of course if they don't build the technical base, there won't be much to report. 

It is perhaps unlikely that infrastructure owners and operators would decide to invest in sophisticated diagnostic tools for cyber attack based solely on the potential for terrorist attacks. This is a risk management decision, and it may well be their judgment that their exposure of an individual infrastructure would be too small to warrant the cost if the only potential attacks were from hostile terrorists. It is also unclear whether the federal government would be willing to pay for the costs of such diagnostics against terrorist threats, especially given that the greater threat at present is physical terrorism, rather than cyber based. But when one adds the prospect of strategic infrastructure attack as an instrument of warfare, these cost/benefit calculations for the government must change. 

U.S. intelligence is slowly coming to discern the capabilities and plans of foreign states in the area of information warfare – and the picture is disturbing. As these capabilities grow – and they will grow – there is a real possibility that the vital infrastructure activities of the private sector could become primary targets of a strategic information warfare attack on the United States. For national security planners, a large-scale information attack on the U.S. infrastructure may bear similarities to a terrorist attack, but there would also be some important differences. 

If you read the President's Commission's report, or review drafts of the emerging Presidential Decision Directive on infrastructure protection, you will not see very much about this strategic dimension of infrastructure protection. And yet, Deputy Secretary of Defense John Hamre has warned that we are likely to encounter an Electronic Pearl Harbor. It seems to me the country would be better served if we took these threats seriously now, and began to find ways to protect ourselves against them, before that Pearl Harbor hits. 

This will not be easy. And, to succeed, it will require a genuine government-industry partnership of unprecedented scope. 

There are many difficult questions of first impression that arise in trying to design national strategy for infrastructure protection at this level. There are a couple of points in developing that strategy I would mention. 

A national strategy to deter and defend against infrastructure warfare is likely to be complex, marked by unique information collection, sharing, fusion, analysis and exploitation requirements. Such a national strategy at a minimum would require a national architecture for indications and warning of strategic infrastructure warfare, requiring the traditional "outward" look of intelligence at the activities of foreign adversaries, as well as somehow an "inward" look at the status of the infrastructures themselves and its ability to pull those kinds of analyses together in a central place where they can be analyzed and warning disseminated. 

A national indications and warning system for infrastructure warfare would require central management. But it should be possible to construct reporting requirements and dissemination requirements that would not overly burden industry and would protect industry's commercial exposure, and protect privacy, while providing the status and incident reports that would be of value to national security planners. 

The point I would like to leave you with is this. When you're talking about the roles and responsibilities of government and industry it depends on what you mean by infrastructure protection. Each of these three strata of infrastructure assurance has unique operational characteristics. Not all activities require central management by the federal government. Not all or even much of the role for federal government, not all information, nor all forms of information, concerning infrastructure operations, vulnerabilities, or threats need to be shared at the same levels or among the same actors. And the need and requirements for preparedness, warning and response vary at each level. 

I don't know how they do things on Mars or Venus, but I can see how, on Earth, we can't get anywhere in deciding roles and responsibilities for infrastructure protection until we have a national strategy that lays out what needs to be done and why. And we're still waiting to get the President's Decision Directive, and when it comes forward, hopefully, we will look at that document and evaluate its adequacy in terms of setting out a national strategy, if it's there at all. Thank you. 

Mr. Turner: Thank you very much, Michelle. I've been sitting here, thinking to myself, maybe I did this wrong, maybe I should have put Michelle on earlier and then asked Rich Marshall to get up and give us his national security infrastructure strategy. And then I remembered, Rich is an old dear friend, and I want to keep him that way, so he'll come back next year, so I'm not going to call upon him at this point. But it is question time, and we have saved roughly 25 minutes for questions, so if somebody wants to start off by asking Rich what are you going to do, I won't leap in, but first come first serve. I see a question over here. 

Participant: Ted Kennedy, GTE. You mentioned the fact, Michelle, that the President has yet to release a directive, and you talked a little bit about sort of vagaries of the national security plan; and frankly, from my viewpoint, I'm sort of sitting here saying, thank goodness. I view that there is a great deal of difficulty in raising the overall educational level of our legislators, in understanding what these issues are, and that extends to the Chief Executive as well. These problems are hard, and they're complex, and they're new. In October, when the Presidential Commission Report first came up, there was a lot of … brought out by the fact that there's an equal partnership, and that's been said at every one of these forums that I've been at, and that's been six months. John Ryan brought good data to the table on the number of people taking advantage of the Internet going forward so in the intervening six months since we understood that there was a problem and a need for partnership and education, we've had probably tens of thousands of machines connect, hundreds of thousands of unsuspecting people hooking up to the Internet. As anxious as I am to see what the President's plan is and see what sort of legislation we can put forth, my bigger worry is, when are we going to actually start informing the process? When are we actually going to see concrete output in terms of sessions dedicated to simply the rudimentary education of those people who hold so much power, in terms of defining the way this industry, this market is going to go forth? I'm curious to know, I guess Michelle has most of the new information, to understand where you see short-term milestones happening that tell us there's actually some progress being made here. 

Ms. Van Cleave: My view is that it would really help if the government would get its act in order and figure out what those things are that we in the government should be doing in order to say these are the concerns that we have at this point. It's fine to talk about the deeper education and I support that. The government has an important contribution to make, but education is not fully government's responsibility, thank God. But we do need to understand in the government at a national strategy level is what are the real threats that we're talking about for national security purposes – get ourselves organized there – and by the way, if we can get organized there and be able to tell industry in fact what we need in order to do this high-level protection, there would be a lot of collateral benefits to improve the security of the networks. When are we going to move forward? I'm hoping every week that the PDD is coming out next week. I don't share your happiness that it's taken this long, I am very frustrated. I work with Senator John Kyl from Arizona; it was his legislation introduced in 1995, and incorporated in the 1996 Defense Authorization bill that first directed the President to do something. And instead of coming forward with the report that has been directed, we have the Commission from this executive order, saying we're going to study this a little bit longer, so we've been studying and studying and studying. We'd like to get a decision out of this Administration so at least we've got a marker to say, we're not going to have all of the answers going into it, but here's what we think up front, and let's take this as a basis, let's see if it's right or wrong, we've got something to shoot at, and then let's move forward and see if we can do a better job. 

Mr. Marshall: I'm delighted to have an opportunity to address certain aspects of the question. Number one, I think the solution is going to be more driven bottom-up, than top-down. The users of telecommunication systems, the information infrastructure, have got to stand out on their front porch or back deck, waving a skewer of flame, saying "I'm mad as hell, I'm not going to take this anymore!" Until the level of frustration reaches that end, we're not going to see that much change. Why? In part, economics. What value-added is this for industry to tell a user of a product, "this thing is not secure the way it's set up"? Computer manufacturers and vendors love to say "plug and play," and to make it a brainless exercise to come on to the Internet. Let me offer an example: my 87-year old mother. I point to her with pride. My brother is a computer nerd, and I say that in the politest fashion, out in California. And if you don't like him, he's a SEAL, so he knows how to deal with you. He's a good guy, that's why he's my brother, he's my friend. We got my mother a fantastic Gateway 2000 computer – that's not an implied endorsement, that was just the way we worked it – full system, all kinds of magic stuff. My 87-year old mother can be a hacker. Now that scares the living daylights out of me. Why can she be a hacker? Because all she has to do is go to the hackers' sites, download them, and they give you instructions, and if you can't read, if you need some tutelage, that's readily available on the Internet. Is that acceptable? I don't think so. But yet it's readily available and it makes it easy for her to be a criminal. I don't like my mother having that aspect of going to jail. So it's got to be a low-level solution. I want security out of the box – I want instructions from the vendor on how to set up my system so that I have a certain level of security. We insist on that with automobiles. We insist on that with our health programs. 
What's wrong with that kind of approach? Now, let me shift a little bit on the other side and throw in some government … I do think that government has a role in this. I think the government role is primarily with the Defense Department, because I think we all agree there's a little more at stake in the information that we're trying to protect, defense information. Those that go in harm's way really want to be able to survive and not have the adversary have access to that information. Enlightened self-interest, perhaps, but it's there. That is going to drive the raving of a security boss. An entity such as Microsoft is very interested in selling software – to whom? – everybody. Now you would think, DOD is not a big market venture for Microsoft. And yet Microsoft was very interested in having one of their products, Windows NT, evaluated by NSA. Now NSA didn't go to Bill Gates and beat him up on the head, neck and shoulders with a lead-filled walking stick. Their group came to NSA and said, we think you can do value added. And there are other companies that do this as well. And I'm not disclosing state secrets; this is readily available information. Companies come to NSA and ask for help. NSA provides that help in a very open, free environment. In fact there is some legislation that arguably demands that we do that. The Federal Technology Transfer Act results in cooperative research and a development agreement. Information technology that's owned by the government should be shared, and that is in fact what is ongoing. That makes the security goodness of each product better. But it is going to require a certain amount of cooperative effort on the people who demand it, the people who supply it, the people who can help set standards. And I really think there has to be a common effort. Does that answer your question, or just further the confusion? 

Mr. Stevenson: Well, now that Rich is sitting down and is not wearing his crutches anymore I'm going to take him on, on one issue. A couple of things Rich said implied that private industry involved in providing services over the Internet has inadequate incentives to provide security. Let me tell you, CyberCash is in the business of providing Internet payment systems, so we're handling financial transactions, and one of my nightmares as general counsel, and I'm not the entire security committee, thank God, because I assure you our systems would not be secure at all if I were, but one of my nightmares is that we will suffer a break-in of some sort and lose some data, and in this day and age it's pretty hard to keep that secret, and then we will be in trouble with our customers, who are financial institutions and merchants and consumers. That would be a disaster for our business. So we have every incentive in the world to keep our own systems secure and I dare say that most other people in the business have similar incentives simply because if you're dealing with the public and you're accepting information and it is even leaked, incorrectly, that your system is insecure, you're going to lose business. So we do have various incentives in the private sector to take care of our own systems, where, as I was trying to say, it's not clear that acting individually we produce a system that is as strong collectively as we need. That is where I think the real role for the federal government is. In addition, the one thing Rich suggests of providing technical assistance, providing a center of knowledge, a center for education, where people who are smaller players and are perhaps less capable of creating their own security can come for assistance – I think that's another useful role. 

Mr. Turner: I have a question back here from the gentleman right straight ahead of me in the uniform. Major? 

Participant: Actually, I had one question, you've been talking about protecting tangible things, structures. How do we protect intangibles? For example, if someone hacked in and modified the filings in the SEC database, just to say we're filing and creating a new stock, we're on the stock market; modifying a candidate's medical records two days before the election that he published on his web page, that maybe indicated that he had a problem with an STD a couple years back; creating an event that happens through the only natural processes; but their integrity, their reputation, has been destroyed, and that resulted in something that could significantly affect the United States Government or the economy. 

Mr. Turner: Any volunteers? 

Mr. Marshall: I'll take a stab. You're talking basically liability issues, and I'm going to do what my roommate used to do who graduated with honors in history. If he didn't like the question the professor asked, he rephrased the question and gave him the answer that he knew, and that's what I'm going to do. The crux of the problem is that most of the difficulties we're running into in terms of computer security are known vulnerabilities – no magic. Eligible Receiver, 1997. JC-directed exercise, DOD red team, etc. Nothing exotic, nothing erotic. Off the Web, basic-level hacker tools. Now, I joked about my mother being able to do that, and I'm not taking anything away from the red team, because it did a fantastic job, but when you take an individual who flunked physics three times, and can be taught in a Wednesday afternoon (a series of Wednesday afternoons, but I'm a slow learner), being infused with Mountain Dew (I mean, that's the badge of belonging, is when you get to do a Dew with the ponytails), I can learn to do that, it is really scary, because I'm not technologically gifted, I'm technologically challenged. I know the buzz words, and that's what I am. So the red team break-ins were nothing exotic. You can do patch and pray and hope that that works, but you need to move fast, the Solar Sunrise stuff, every break-in was preventable. That's the sad part. We got answers, we're just not applying them. 

Mr. Turner: Did anyone else want to comment? Bill Eckhardt has a question here, Bill? 

Participant: I live in a city, in the middle of the United States, in Kansas City, and I see a whole new concept with national security, I see the threat of anthrax and I see the military all of a sudden trying to have some link with the local police chiefs and with governors who do the same sort of planning that I hear from the national level. I live in a city that lots of hazardous cargo moves through, and with napalm being turned around and sent and a whole bunch of things. This happens all the time. I'd rather expect that some of those same principles and differences of the government having been looking at this and coming together may apply to some of the industry things that I hear mentioned here. But I'd just be interested in your thinking, when you talk about government planning, and I know we're talking about informational systems, but is it always the federal government we're talking about, or are we talking about some sort of regional or state government that ought to be involved in this? 

Ms. Van Cleave: Well, you've in one question broadened the scope of, and appropriately so, of what we're about this morning. The issues that you've raised suggest that in today's world, the things that we need to be concerned about from a national security perspective bring home a lot of threats to the American people, where we really didn't need to worry about those things much anymore. Information warfare is one category, but the possibility of terrorists employing weapons of mass destruction is yet another, and traditionally the country has looked to the federal government to be responsible for the nation's defense. And that is a role that the military has been able quite well to perform. The questions today suggest that it's not going to be possible for the U.S. military, in traditional ways, to be taking on the military intelligence committee, to be taking on all of the things that now must be charged to the nation, from a national security perspective. You properly raise the role of state and local governments, certainly when we look to terrorists' threats – we're having hearings over the next two days on bio-terrorism. One of the big questions there has to do with, look, any time an incident like that occurs, the first responders are going to be the local people on the scene. Unless they're trained and equipped and ready to go, there's going to be devastating consequences and tragedies. So the need to reach out and be able to train and equip those people is very important. But again, in doing that, we look back to the federal government to come forward with the training and everything that we need to do that, plus have the mobile capabilities to be able to surge forward to a scene. It would require integration, and from an information warfare perspective as well, I am convinced that state and local, like you're talking about, regulation of public utilities, … that again is done at the state and local level. 
Integrating these things in order to have a real robust national capability to defend against information attacks will be very important, but that keeps coming back to the point that industry is competent, and state and local government are competent in their spheres of responsibility and activity. There's also a properly… uh, roles and responsibilities that the public, the citizens of this country, expect the federal government in Washington to step forward and … up to those things. I believe that in laying out what the big picture is, and what the big strategy is, into which all the other parts can fit, that really is the responsibility of national leadership in Washington, and it would be nice to see that. 

Mr. Turner: Other comments? Over here, on the right, and then we've got a question over here. 

Participant: Dan Kuehl, from the School of Information Warfare at the National Defense University. Michelle, I want to pose you a question, but first I want to comment on something Rich said, because when you mentioned Eligible Receiver, you talked about no-holds-barred. And indeed, there were lots of holds barred, as you're well aware. There were certain agencies that did not participate, the red team followed American law; those are holds that in the future they might not pay much attention to. 

Michelle, I'm kind of concerned that the characterization of the third level – the information warfare attack – is characterized as cyber-terrorism. The question I want to direct to you is whether or not DOJ can be as responsive as we need it to be, because much of the discussion of I/W takes place at the level of where we're going to take down the entire transportation infrastructure, or whatever. And in point of fact, that is probably not possible, nor is it necessary. I would offer a hypothetical that someday, in a Desert Shield II or III, some small country somewhere has asked us for help, and in the process of trying to respond to that request for assistance, someone intrudes into some very specific places, like the tanker coordination center. We find that our efforts to do global airlift management falls apart for about five days. And before we get everything put back together, that small country says, never mind, we'll do it ourselves. The point I'm making is that, you might be able to create some very important political results with some very focused and specific things that the law enforcement of the "apprehend and prosecute" mindset will not be able to respond to. 

Ms. Van Cleave: I'm glad you brought that up; I agree with you wholeheartedly. There is a sphere here where law enforcement, including federal law enforcement, has an important role to play, and it's in the criminal dimension of the subjects that are at issue for us this morning. But when it comes to the national security dimension, the notion that you would ask law enforcement agencies to take on those responsibilities, is really counter-cultural and counter to their training capabilities and resources. This needs to be an inter-league national level effort, and that means that the capabilities that are resident in Rich's agency, for example, need to be integrated into a larger national architecture that is also going to draw on the resources and capabilities of the Department of Defense. We need to have a broad strategy, invested at that level. Now at the FBI, Janet Reno has created this new National Infrastructure Protection Center and she's stepped out and done that, and I respect her and what she's trying to do by calling attention to this problem; but the danger is, and the assumption is that, once you create that, you've solved the problem. You haven't even begun to touch the problem, because saying that the Bureau is going to do a better job of investigating intrusions into the network is one thing, but saying that we're going to have a national capability to be able to discern when we may be coming under attack and to take action to defeat or deny the objects of that attack is quite something else. So that's where I do agree, and I thank you for pointing that out. 

Mr. Marshall: Let me add two more comments. It's difficult to describe a firebreak between law enforcement and a national security issue. Indeed, the phrase national security is pompously ambiguous. We all recognize it when we see it but it's very difficult to describe. The default position for the World Trade Center was, what – terrorism, you know, a criminal act. Later when it was seen to be state-sponsored they turned to some other reaction. But the public reaction up front was this is a law enforcement issue. In the crash of the airplane that exploded off the coast of New Jersey, the initial reaction was that this had to have been done by a state-sponsored terrorist act. It turned out to be something else. You don't want to make the mistake in trying to come up with that distinction. You can go through a hundred examples and come up with some interesting anecdotes, but they don't really give any clear guidance; and the way the nation's military responses are structured there is a big break between law enforcement issues, and military response issues. If you try to fuse the two, that can be extremely dangerous. We really need to be mindful of those overarching issues. 

Ms. Van Cleave: But with respect, though, I mean we are moving toward needing to integrate those capabilities against threats that require them. The example of bio-terrorism that was brought up a moment ago is exactly the kind of instance where you need to have and where we do have, we better, integration between law enforcement and military capabilities. And I think this is a subject matter also that lends itself to better understanding of how those assets need to be integrated. 

Mr. Marshall: I have to agree with you there, but I also want to recall the situation with the disco bombing in Germany. That was a domestic act, involving law enforcement activity on the part of the German government. It was later determined, through National Security means of verification, that it was state-sponsored terrorism that resulted in military reaction. But I think that's the exception rather than the rule. 

Ms. Van Cleave: Hopefully. No one wants to see that repeated. 

Mr. Turner: We've got about four minutes left; I had a question over here. Yes sir. 

Participant: I'm Jake Schaffner, I'm from the DCI's community management staff. I started out in this game in the summer of '94, when we were first learning to spell I/W, and was one of the founding fathers and the deputy director for information ops on the Joint Staff. I did that for about three and a half years, working the offense, how we're going to kick the crap out of the other side; and now I've moved over to a place where most of the discussion is what are we going to do about the defense – predominantly an intelligence association with an assist on law enforcement. 

My observation, a personal one, is I think the call for the strategy is too early and it's a bit of a cheap shot, and that the call that was brought up here by Mr. Danahy for education is a critical one. Most of the position papers that we find ourselves putting out, and most of the discussions that we get involved in with the Joint Staff, OSD, a variety of places, tend to fall on deaf ears because we're forced to fight the war of the sound bite. We only have fifteen minutes with a congressman, sometimes much less with congressional committee members, and in most cases what we find, and I hope this is not at risk of over-generalization, is that we spend 99 percent of the time trying to educate each other and we generally never come to the actual debate or discussion. We're down to the final 30 seconds before lunch, so this is indicative of the type of thing that's going to happen again. But what we have right now, and the observation is, we have a huge overlap of responsibility that has occurred, and potentially the nation took a wrong step at the beginning, maybe, maybe not. We have defined most of these functional effects on us as law enforcement-related. So the NICP is here, the Attorney General is moving out. I've been involved in the PDD XXYY, we have another one now with continuity of government operations, which is related, and we have potential future revisions to other PDDs related to this too. And they're all intermeshed. And what we find is that each of those individually is being done by separate groups of people, because the overall education level that these are inter-related activities, may have to be discussed in context as a whole, is not there. It's not there at our leadership level. You know, Mr. Marshall's observation that these things are coming from the bottom up is the accurate one. 
Most of the innovation in the Department of Defense during the period of time I was there was from the junior to mid-grade personnel, and most of our upper leadership never contributed to the discussion. They didn't contribute because it was a lack of appreciation or knowledge. I find the same thing when I'm starting to view across the intelligence community; the same effect is happening there. It's mostly the worker bees who are discussing this right at the moment. This is one of the few fora that I've been in where some of the managers or leaders have shown up to actually listen to the types of complexities that we're dealing with. But I think the strategy's a bit premature yet. We have an awful lot of education to go out for our managers yet before we're about to jump into some things, because the number one impact that I personally observe we're going to have on this country is a re-definition of the right to privacy. To do the warning function, and to do the function that Justice is not structured to deal with right away on a timely basis, which is response, we're going to have to cut across some things that are holding up the hot pursuit, or the hot investigation because we are dealing with classic privacy issues – get the warrant, explain all this type of stuff. Those are just observations to throw out there. 

Mr. Turner: My clock says it's 12:45; we can't leave without giving somebody a chance if they want to respond to that– 

Ms. Van Cleave: Well, only because he said it was a cheap shot in saying we need strategy, so I feel compelled to say something. He's come into the intelligence community, walked in the door and decided to try to figure out how to get everybody organized without them running off in twenty different directions when it comes to this information warfare stuff, and what does he need? He needs a strategy, and he knows it, so he's the one who's going to try to put in place for the community, the intelligence community, some kind of strategy. You've got a lot of work bubbling up. Thank God for the individual work that's going on throughout the Administration, in the private sector and elsewhere, to try and do things, because collectively, we're all better off because of all this work going on. But darn it, I worked in the White House for five years in two past administrations, and I know that the people who are there also have responsibilities. One of the responsibilities that they have is to try to lay out a framework – if you don't like the word strategy, let's try the word framework – a framework that says this is what we're about, so that all pieces can know where they can fit in best. It may not be right, it may not be perfect, it may change over time, but just to come up with this sort of framework-thinking – that is in my view, approaching a kind of a national strategy, is what we really do need to make coherence and make progress out of a lot of different things that are going on. So I think conferences like this also contribute to that. So thank you very much. 

Mr. Turner: Thank you very much, panel. 

Lunch Address

Monday, April 20th, 1:00 P.M.
Speaker: Robert Marsh

Mr. Silliman: Ladies and gentlemen, I realize that many of you have just been served your dessert, and I apologize for that, but I want us to start the program so that we'll have more than enough time for questions and comments to our guest speaker. 

We're really pleased and privileged to have as our luncheon speaker this afternoon Robert T. "Tom" Marsh, the Chairman of the President's Commission on Critical Infrastructure Protection. He's a West Point graduate and a retired Air Force 4-star general, with his last service assignment being as Commander of Air Force Systems Command where he directed the research, development, test and acquisition of aerospace systems for the United States Air Force. General Marsh has an extensive background as an aerospace consultant. He serves as the Chairman of the Board of CAE Electronics, Inc. and Converse Government Systems Corporation. He's the Director of Teknowledge Corporation and a Trustee of the Mitre Corporation. He is also the Director of the Air Force Aid Society. General Marsh is a member of the Board of Visitors of the Carnegie-Mellon Software Engineering Institute and was Chairman of the Board of Visitors of the United States Air Force Institute of Technology. Finally, from 1989 until 1991 he served as the first Chairman of Thiokol Corporation as it transitioned from Morton-Thiokol to separate company status. I've just given you a few of the many distinguished accomplishments of our speaker, but it should be obvious from this very brief sampling that with his vast experience both in government, via his military service for so many years – he retired in 1984 – and more recently, in commercial industry, he has a unique understanding of both government and industry needs in the area of critical infrastructure protection. So at this time, I'd like to welcome to the podium General Tom Marsh. General Marsh? 

General Marsh: Thanks very much, Scott. Well, I'm very, very happy to be here today. All your questions and discussions this morning are right down the alley of what we've spent the last almost two years now exploring, so naturally I'm happy to give you the perspective of what we on the President's commission came up with. 

I guess I'll start out by saying we're really here to talk about one of the greatest unsung strengths of the nation – and that is its critical infrastructures. You know we take them all for granted – they are the life support systems of the nation, but on the other hand, whenever we throw the switch, we expect the lights to come on; when we turn the spigot, we expect to get pure water; you pick up the phone, you know you'll get a dial tone there; when you dial 911, you're pretty assured of some kind of emergency response in the very near term; you go to the airport, the ticket counter in the morning, and you can go almost anyplace in these United States before the end of the day. So, we take it for granted, that we'll have all these services. Well, you know, it may not ever be so. They really are less robust than most believe, and that is what our Commission, and what I'd like to talk about here today, is all about. 

Last October, the Commission concluded our efforts. It was an intensive fifteen-month study of the infrastructures. That's where my perspective then arises, from that work that we did. The report, which was submitted in October, does outline a national policy, an implementation strategy, and recommendations that we believe will serve to better protect the infrastructures from both physical and cyber threats, I might say, and assure their continued operation. 

While we have a fairly good understanding of the physical threats facing our critical infrastructures, the fast pace of technology which you all know, very very well, renders us always one step behind having a good thorough understanding of the cyber threat. Thus the Commission's work and in fact our report focus primarily on coping with this new and evolving cyber challenge. 

To give you some perspective, and we've talked about this this morning, on the challenge as we saw it, imagine, if you will, that you do have that widespread power outage in a major city's downtown district, that shuts down thousands of businesses, and incidentally you know that did occur not too long ago over in Auckland, New Zealand; maybe also the Department of Defense computer systems are invaded and compromised; telecommunications centers at a major financial center in New York City and across the East Coast are temporarily out of service; the main air traffic control system is disabled, as was described this morning by somebody making an authorized intrusion into their computers; maybe a regional 911 emergency system disabled because someone spammed out the phone lines with repeat calls. All of this, let's imagine, and perhaps more, in a relatively period of time. 

What do we do when faced with such situations? Who is in charge? Is it natural or unintended? Or is it a concentrated attack? Should detected intrusions and disruptions be reported, and if so, to whom? And, recognizing that most of these systems that we just described are privately owned and operated, what can and should be government's involvement? 

These are some of the questions the Commission grappled with – questions there really are no easy answers to, which you also explored this morning. Questions that we hope our recommendations will help lay the foundation for addressing. 

Critical infrastructures have long been lucrative targets for anyone that wants to attack another country. Our nation relies on its infrastructures – or our nation's life support systems, as I view them – for national security, for overall public welfare, and for our economic strength. Those who would attack the infrastructures would do so to reduce our ability to act in our national security interest, or erode confidence in critical services, you discussed that this morning, perhaps to create public unrest, and/or to reduce American economic competitiveness. In the Gulf War, as you well know, disabling Iraq's infrastructures was one of the keys to our success – and it was a lesson noted with much interest by many countries around the world. 

The Commission was established by Executive Order in July of 1996. A joint government and private sector endeavor, it was charged to develop a national policy and an implementation strategy for protecting the infrastructures. And these were the eight infrastructures that the President identified for us to focus on. They were considered vital in that their incapacity or their destruction would have a debilitating impact on the defense and economic security of the United States. 

The composition of the Commission was unique. We were truly a public-private partnership with a group of twenty outstanding Commissioners from both the public and the private sector. Half were executives from the involved departments and agencies in Washington; the other half were executives from infrastructure companies and organizations bringing industry experience, expertise, and perspective to the Commission. All worked full time on the Commission – along with a highly competent staff of approximately fifty personnel, and extensive contract support. 

Our findings, conclusions, and recommendations are very different from what we anticipated – and different from what many of our stakeholders anticipated. Many thought that this was a problem that government alone could attack and resolve in relatively easy steps. But during the past year, we concluded that protecting our infrastructures is a public-private undertaking that requires a new kind of partnership, and protecting the infrastructures is going to take time – requiring long-term efforts and a new way of thinking. 

Our approach recognized that most of the infrastructures operate within an existing framework of government policy and regulation. But they are also privately owned competitive industries; and as such, protection recommendations should not adversely affect their competitive position. We recognized that any solution would have to be viable in the marketplace as well as the public policy arena. Thus, we adopted the following guiding principles. 

First, we knew this could not be just another "Big Government" unilateral effort. Government must set the example, but it is the owners and operators who are key to success. They have a strong economic stake in protecting their assets and maximizing customer satisfaction. They understand the infrastructures and know best how to respond to disruptions. 

Second, while we may be undergoing an information revolution, we concluded that utilizing the best ideas and processes from current structures and relationships was the preferred way to proceed. This means building on existing organizations and relationships as well as promoting voluntary cooperation. Partnership between industry and government will be far more effective than legislation or regulation. 

Finally, this is a long-term effort, which requires continuous improvement. We must take action in practical increments. There is no "magic bullet" solution. We must aim not only to protect the infrastructures, but also to enhance them. 

In the past, broad oceans and peaceable neighbors provided all the infrastructure protection we needed. That changed during the Cold War. Technology made geography less relevant. We became subject to attack by bombs and missiles, but even then, we knew who the enemy was, and where the attack would originate. Now computers and electrons change the picture entirely. The capability to seriously disrupt our infrastructures is widely available at relatively little cost. This is the "new geography" on which the Commission focused its efforts – a borderless cyber geography whose major topographical features are technology and change. 

So, who is the threat? Well, the "bad actors," as we call them, are those with the capability and intent to do harm. While we have not found a "smoking keyboard," if you will – that is, we do not know who has the specifically focused intent to do harm – we do know a lot about the capability to do serious damage to these systems. We characterize capability as a combination of skills and tools – skills that we've found even most teenagers have, and dangerous tools that are readily available – especially on the Internet. In short, the capability to do harm is widespread and growing. 

The bad actors who use these tools range from the recreational hacker – who thrives on the thrill and the challenge of breaking into another's computer – to the national security threat of information warriors intent on achieving strategic advantage. Common to all threats is the insider. We could spend millions on technology to protect our infrastructures, but a well-placed insider – whether suborned by an enemy, or a disgruntled employee acting alone – could render nearly all protection useless. Hence, the special attention that we paid to the insider problem in our report. 

The new arsenal of "weapons of mass disruption" in the cyber world include "Trojan horses," viruses, bombs, and spamming attacks that can be used to alter or steal data, or deny service. These tools recognize neither borders nor jurisdictions. They can be used anywhere, anytime, by anyone with the capability, technology, and intent to do harm. And they offer the advantage of anonymity. And when these tools are used, their effects can be magnified by the growing complexity and interdependence of our infrastructures. Such interdependence creates an increased possibility that a rather minor or routine disturbance can cascade into a regional outage. Technical complexity may also permit interdependencies and vulnerabilities to go unrecognized until a major failure occurs. 

The Commission was faced with a new geography, new tools, and evolving interdependencies. In light of these new conditions, we examined the respective roles of the private sector and the federal government. We concluded that the private sector has a responsibility to protect itself from the known established threats, such as individual hackers and criminals. And that the federal government has a larger responsibility to protect our citizens from terrorist and nation state attacks. In short, we found that infrastructure protection is a shared responsibility. Specifically, the private sector must take prudent measures to protect itself from commonplace hacker tools. But, it turns out, these same tools will likely be used by the terrorist and the information warrior, albeit for more dangerous purposes. So when the private sector protects itself against attack from commonplace hackers, they also will be playing a significant role in national security. 

It follows then, that the federal government must assume responsibility for collecting information about the tools, the perpetrators, and their intent from all sources, including the owners and operators of the infrastructures and must share this information with the private sector so that industry can take the necessary protective measures. 

In some respects, our most important finding is that adapting to this new age requires thinking differently about infrastructure protection. We are facing a new and different set of national security challenges as we approach the third millennium. Specifically, we found that we have real and serious vulnerabilities. And incidentally, we don't chronicle those carefully in an unclassified report, there's a separate classified report that details the Commission's finding with respect to the vulnerabilities of each of the sectors. 

We found that information sharing between government and industry is the most immediate need. The federal government has an important role in the new alliance. National awareness of infrastructure threat, vulnerability, and interdependence issues must be elevated. Responsibility is shared among owners and operators and government. The existing legal framework is imperfectly tuned to deal with cyber threats. Current research and development efforts are inadequate to the task. And finally, infrastructure protection requires a focal point in government. 

Protecting our infrastructures into the 21st century requires greater understanding of their vulnerabilities and decisive actions to reduce them. After fifteen months of consultation, research, assessment, and deliberation, the Commission's fundamental conclusion is that waiting for a serious threat to appear is a dangerous strategy. Now is the time to act to protect our future. And this action requires a new partnership to address the risks to our nation's infrastructures. 

Outreach was a cornerstone of our effort. In fact, our conclusions and recommendations result directly from the conversations and meetings we had with over 6000 individuals from industry, academia, science, technology, the military, and government. We held five public meetings around the country; participated in numerous conferences; hosted simulations, games, focus groups and workshops; and increased awareness of this effort through the media and our website. 

Before outlining the Commission's recommendations, I would like to tell you where the report is now. Last October, once the report was completed, an Interagency Working Group was formed at the request of the National Security Council to examine the report's recommendations, suggest priorities for implementation, and prepare an interagency perspective on the report to forward to the President for action. A Transition Office was formed from several former Commissioners and the Commission staff to support the NSC staff with the implementation planning. In conjunction with the interagency effort, an Advisory Committee of private sector CEOs prepared its observations concerning the report and circulated them to the NSC and the Principals Committee. The Advisory Committee will remain intact and continue to provide executive advice to the Principals. 

The Commission's recommendations are the products of much research, discussion, and deliberation. They are founded on shared core principles and they are based on fact. They are aimed at improving coordination and establishing roles for infrastructure protection, fostering partnerships among all stakeholders, and coordinating diverse interests. The recommendations fall generally into three categories: actions the federal government must take; actions the private sector owners and operators of the infrastructures must take; and actions that must be taken in partnership by government and industry. 

During our extensive outreach efforts, we heard time and again that the owners and the operators of the infrastructures need more information about cyber threats. They said that a trusted environment must be built so that they can freely exchange information with each other and with government without fear of regulation, loss of public confidence, liability or tarnished reputation. The Commission's recommendations lay the foundation for creating a new collaborative environment that includes a two-way exchange of information, not more burdensome regulation. Our recommendations focus on protecting proprietary information and ensuring anonymity when necessary; easing legal impediments to information sharing, such as antitrust provisions and the Freedom of Information Act; and creating information-sharing mechanisms both within industry and between industry and government. 

As to other actions the government should take, we recommended specific steps to ensure owners and operators and state and local governments are sufficiently informed and supported to accomplish their infrastructure protection roles. Some of our recommendations require that federal agencies play a greater role in developing tools, techniques and methodologies relating to information assurance, such as: federal agencies offering their expertise to encourage owners and operators to develop and adopt security-related standards, with the participation of federal and state agencies, industry associations and standards groups, and law enforcement and intelligence agencies; and the National Institute of Standards and Technology, among other agencies, expanding the availability of risk assessment services to the private sector and encouraging industry – and assisting when necessary – to develop risk methodologies. 

We also recommended as was mentioned this morning that the U.S. Security Policy Board study and recommend how best to protect private sector information on threats and specific vulnerabilities of critical infrastructures, and finally, that the funding for the Nunn-Lugar-Domenici domestic preparedness program be doubled to expand and accelerate mitigating the effects of weapons of mass destruction attacks. There has been recent progress in this area with Secretary Cohen's announcement that they were going to form up the teams from the National Guard in the states to assist the first responders. 

Key to the success of these initiatives is educating our citizens about the emerging threats and vulnerabilities in the cyber age. We must change the way of thinking about technology and the resulting threats and vulnerabilities. The Commission's recommendations are aimed at all levels of education, from grammar to graduate school and beyond. They include a series of White House conferences to spur new curricula in computer ethics and intellectual property for elementary and secondary schools; a nationwide public awareness campaign, simulations, and round table discussions to educate the general public as well as industry and government leaders; grants by the National Science Foundation to promote graduate level research and teaching of information network security; and partnership among the Department of Education, other federal agencies, and industry to develop curricula and market demand for properly-trained information security technicians, managers, and administrators. 

Infrastructure assurance is a joint responsibility, but the federal government has an unmistakable duty to lead the effort. Clearly, the federal government must lead by example as it exhorts the private sector and state and local governments to raise the level of security of their systems. The federal government must aggressively pursue the tools, practices, and policies required to conduct business in the cyber age. This includes improving government information security through developing, implementing, and enforcing best practices and standards – and then conducting certification and measures against those standards; working with industry to expedite efforts for pilot information security and encryption key management programs; elevating and formalizing Information Assurance as a foreign intelligence priority; recruiting and retaining adequate numbers of law enforcement personnel with cyber skills; and finally, conducting a thorough risk assessment of the National Aerospace System and its planned sole reliance on the Global Positioning System. 

We examined a full range of legal issues relating to protecting the critical infrastructures with three goals in mind: increasing the effectiveness of government's protection efforts; enhancing the private sector's ability to protect itself; and enabling effective public-private partnership where most needed. We propose revision of specific major federal legislation as it relates to the critical infrastructures and the cyber threat. Examples are the Stafford Act and the Defense Production Act. We have modest recommendations in the area of criminal law and procedure – specifically, the Federal Sentencing Guidelines – to take into account the true harm done by attacks on the critical infrastructures. We call for an expert study group – representing labor, management, government, and privacy interests – to make recommendations for long-term reform in the employer-employee relationship while balancing security and privacy. And, finally, we recommend easing legal impediments to information-sharing, such as, as I mentioned earlier, antitrust provisions, federal and private liability, and the Freedom of Information Act. 

Federal research and development efforts are inadequate to meet the challenge of emerging cyber threats. About $250 million is spent by the government each year on infrastructure assurance-related R&D, of which most – 60% or $150 million – is dedicated to information security – the kind of work the National Security Agency pursues. There is very little research supporting a national cyber defense. The Commission believes that real-time detection, identification, and response tools are urgently needed, and we concluded that market forces are insufficient to drive the private sector R&D required to meet these needs. Thus we recommend doubling federal R&D funding for infrastructure protection to $500 million the first year, with 20% increases each year for the next five years. We recommend this funding target such topics as risk management, simulation and modeling, decision support, and early warning and response. 

While much of the policy-making apparatus for R&D currently exists, there are other arrangements needed to formalize the public-private partnership necessary for infrastructure protection. The Commission report includes recommended arrangements for information sharing and policy formulation. At the policy making level, we recommend: an Office of National Infrastructure Assurance – located within the White House – to serve as the federal government's focal point for infrastructure protection; a National Infrastructure Assurance Council comprised of selected infrastructure CEOs and Cabinet officials to propose policy and advise the President; and an Infrastructure Assurance Support Office to support both the Council and the National Office. At the operational level, we recommend Private Sector Infrastructure Assurance Coordinators or clearinghouses as focal points within each sector of the infrastructures to share information; federal Lead Agencies to be designated to promote and assist in establishing the private sector coordinators or clearinghouses; and then we proposed an Information Sharing and Analysis Center staffed by both private industry and government to receive and share information about infrastructure threats, best practices, and incidents – we recommend it to be located in the private sector; and, finally, a Warning Center designed to provide operational warning whenever possible of an attack on the infrastructures, either physical or cyber, to be located within the FBI. Ms. Reno just announced the stand up of this Infrastructure Protection Center just this last month. 

Just as the risks are shared between the public and the private sectors, so will the solutions be found. Our national and economic security has become a shared responsibility; one that will require a new kind of partnership between government and industry; one which encourages information-sharing and one which requires the government to lead by example. And to all of you, I really do thank you for your interest in this issue, which I believe is of the utmost national importance, and we know that the Commission with all of our effort has only laid the foundation for what we hope will be an ongoing dialog about how best to protect this nation's life support systems. For those of you who haven't had an opportunity or who would like to read the report, it may be downloaded from our Web site, which is www.pccip.gov. And with that I thank you again, and I'd be pleased to try to answer your questions. 

Mr. Silliman: Thank you, General Marsh. We do have time for some questions. Are there any questions? 

Participant: [inaudible] 

General Marsh: We believe that there is this category of information, the vulnerabilities of the infrastructure, which poses us a new classification challenge. We don't want to categorize it as military, confidential, or secret or top secret, but we believe that there has to be some additional protection for sensitive vulnerability data that becomes available to the government by way of its information-sharing mechanism, and we believe that information, that vulnerability information, should not be made available to the general public on the basis of, as a result of a FOIA action. So, we're looking to a rather narrowly-defined, sharply-defined category of information, vulnerabilities of critical infrastructures, to be precluded from FOIA requests. 

Participant: Sir, may I say we're obviously not the only advanced country that relies upon advanced technologically-based infrastructures. What kind of interest or involvement have we had from other countries who might themselves be in the same difficulties? 

General Marsh: I'm sure glad you asked. First, before I answer the question, let me tell you, that the one shortcoming of our effort, well, there are probably several, but at least one important one, is we did not explore the international aspects of the problem. We just didn't have the time or resources to do it. We knew full well that there was no such a thing as secure U.S. infrastructures, that we don't have such things. They are in the main international infrastructures. And so we believe a major challenge lies ahead to take the steps to engage our foreign business partners and our allies to join in the same effort that we have undertaken and reach unanimity on the kind of protective measures that are needed on an international basis. And so that's a big void in our effort. To answer your question of what interest did we see on the part of others – we've seen some interest. The Japanese have recently commissioned an effort along the very lines of the one we've undertaken. The Canadians are very interested and I believe have moved out on a somewhat similar effort, and a few of our European allies have shown an interest and I would expect them to move out. So they're looking at what we've done and I would expect a number of them to follow our lead. 

Participant: [inaudible] 

General Marsh: We definitely did not want to propose, and we debated it at great length, you can imagine, or deliberated, we did not feel it made sense to try and go into government and excise out of the existing agencies their infrastructure-protection related functions and try to centralize those. We felt that the Department of Defense has a mission and obviously the Attorney General has a mission and on and on…law enforcement. And so we decided what needed to be done was to improve the flow of information and to get a national coordinator, and if that national coordinator is within the White House, a primary function of that coordinator is to coordinate the efforts of the national agencies and make sure that is a coordinated effort and not a bunch of disjointed efforts, and then of course to interact with the private sector. So that's how we saw it. We did not propose and definitely resisted changing the fundamental roles and responsibilities of the existing agencies. 

Mr. Silliman: General Marsh, I want to take the opportunity again to thank you, sir, for joining us, and let me give you a small token of our appreciation from a couple of sponsoring organizations; again, sir, we're delighted that you were with us today. 

General Marsh: Thank you very much. 

Mr. Silliman: We need to give the hotel staff here about 10 minutes to rearrange and get us back into classroom function, so Tom, why don't we start running your panel in about 10 minutes. Let's take a break. 
 
 

Economic Warfare and Corporate Espionage

Monday, April 20th, 2:30 P.M.

Moderator: Thomas Hemingway

Panelists: Jonathan Cain

Richard Horowitz

Greg Schaffer
 
 

Mr. Hemingway: I am Tom Hemingway, and it's my pleasure to watch over this afternoon's session on economic warfare and corporate espionage. I've got to tell you, when I was first asked to participate with these distinguished speakers, I was a little curious about the title "economic warfare." I'd heard of "corporate espionage," but it's not at all unknown in the business community. According to a study that was reported in the Corporate Intelligence Review, the competition is viewed differently from market segment to market segment in the United States. Compare this comment from one interviewed subject – "Business is basically warfare. In warfare, no self-respecting company would think of going to war without a G2 operation. And how can you engage in warfare when you really don't have a good picture of your enemy?" with "Well, if a disgruntled employee goes to a competitor and says, 'Gee, I have this, this and this,' most American companies will just go 'Nope, we don't want any part of you.' And a lot of times within this industry, they'll call you up and say, 'Just to let you know, Joe Blow just contacted us.'" 

Now I tend to be a bit of a skeptic, and I think that chasing the bottom line, there are going to be more people who would fall closer to the first category of interviewee than would be in the second category. The problem now, we've all seen corporate espionage for years and years and years. The long lens photographs of the new automobile being developed, reverse censored engineering has been around for years and years and years. But the information age, I suggest, has made corporate espionage much easier, and a much, much greater challenge to defend against. At the same time, as our panelists this morning commented, the information age and the 'Net are increasing and improving and our capability is expanding at the speed of light. And the legal remedies that are available to the people who advise corporations are not necessarily keeping apace. 

To provide you with a map through the minefield of economic warfare and corporate espionage, we have three distinguished panel members this afternoon. Jonathan Cain is the Chairman of the Technology and Intellectual Property group of the acclaimed Virginia law firm of Mays & Valentine. Mr. Cain, among the variety of services he offers his clients, provides counsel on the protection of copyrights, trademarks, trade secrets and compliance with regulatory schemes, and the avoidance of criminal and civil sanctions for regulatory violations. 

Richard Horowitz is the President of Legal and Investigative Services. He is an attorney and private investigator, who specializes in corporate and international and security-related issues. He has been a frequent speaker and lecturer not only domestically but internationally, on issues of terrorism, security and investigative techniques. 

And Gregory Schaffer is a trial attorney in the Computer Crime and Intellectual Property section of the Criminal Division of the U.S. Department of Justice. His areas of responsibility include federal wiretap law, computer search and seizure issues, and economic espionage and on-line investigations. 

We're going to go ahead and proceed alphabetically, and I told Greg that he has got the clean-up responsibility from the issues that the private sector members of the panel raise. Without further ado… Jon? 

Mr. Cain: Thank you, Tom. I suppose that it's appropriate in a session that involves espionage that I have to begin with a confession. I'm an intellectual property lawyer. I am not and have never purported to have any expertise whatsoever in the fields of terrorism, counter-terrorism, national security, or the term I heard last night for the first time, "the law of war," but I do know something about theft of information. I understand about how people steal it, why they steal it, and the consequences of doing so as well as something about how to protect it. That's what intellectual property lawyers do for a living. But faced with this new environment and this new audience, I went to what I considered to be the quickest, most current reference on the subject, the Report of the President's Commission on Critical Infrastructure Protection. I started looking for the relevant points in what I viewed to be the legal framework and the kind of problems that this new era of information warfare was going to present to us. And let me tell you some of the things I found. 

The first statement I found was that the legal framework does not reflect the current technology. I take issue with that to a certain extent. There is in fact not a great deal, in my judgment, about the kinds of problems, setting aside for the moment state-sponsored strategic information warfare, but the kinds of hacker problems, and the everyday issues that we spent a great deal of time talking about this morning, that are not already addressed by the current legal structure. 

The second statement I saw was one which said, "Changes in law are needed to increase deterrence." As a lawyer with some criminal experience, when I hear the word "deterrence" I hear criminal sanctions. And sure enough, a little farther on, I saw the statement, "Initially, all cyber attacks will have to be treated as crimes, regardless of where they originated or the purpose of the attack." Now if you listen to this statement, in many respects it's hard to argue with, but it also pre-judges the question. "Attacks" is a very charged word. It's difficult to find it elsewhere in the criminal law. Frankly, we talk about assault, we talk about trespass, we talk about all kinds of fraud, we talk about lots of things, but "attack" is not one of the words we're frequently confronted with. It assumes two things, I think: it assumes some kind of unauthorized invasion or trespass, with the intent to damage or destroy property. I think that's what "attack" means. But it's not entirely clear. 

And because it's not entirely clear, I tried to reformulate that phrase, and let me offer this to you as a suggestion. Let's put the shoe on the other foot for a minute. Let's talk about "a breakdown or the failure of security for an element of the infrastructure which is exploited by an unauthorized user." Now if you'll accept for the moment this reformulation of what is perceived to be the problem, it forces us to ask the question: should every such breakdown in security of an infrastructure element be treated as a crime? And I think, looked at from that light, the question becomes much more ambiguous. In other words, what is it that treating every failure of security as a crime gets us? And my suggestion to you is that it doesn't get us a whole lot. We don't make a lot of progress. 

I say that based on two analogs; they are two analogs that are familiar to intellectual property lawyers. There are two other statutes, at least two – there might be others, but I'm going to talk about two today – in which federal felonies have been created to deter the theft of information. One of them is felony copyright infringement, and the other is felony misappropriation of trade secrets. The first is contained in Title 17, the copyright title of the United States Code, and the second is more colloquially known as the Economic Espionage Act. What has the experience with these two statutes shown us? The criminal penalties in the copyright law have existed for a long time, but in the early 1990s, under pressure from the entertainment and commercial software industries, the penalties for infringement were increased significantly. And several years later, in the fall of 1996, I contacted the Department of Justice, and spent an afternoon trying to find somebody who could tell me whether or not the Department of Justice had ever brought a case for criminal copyright infringement. In October of 1996, the answer was, "We don't think so." 

Now, I hate to say, and I don't think it was the consequence of an article I wrote in a technology publication that's published in the Washington area that's called Washington Technology, that had any effect on that, but in April of 1997, the FBI started an operation they called Operation Counter Copy. Operation Counter Copy had the espoused purpose of deterring, through the imposition of criminal prosecutions, what was deemed to be a very widespread and serious threat to the American economy as a result of these kinds of intellectual property infringements. There were about a dozen cases brought as a result of Operation Counter Copy. There were a few having to deal with counterfeit handbags and counterfeit wristwatches, but the majority had to do with copyright infringements. With no exceptions that I know, all of those cases dealt with either music cassettes, entertainment videotapes, or commercially available software packages. These operations were designed to stop the importation and sale of knock-off copies of commercially available materials. Nine hundred infringing videotapes in a store in Bangor, Maine. Four to five hundred copies of motion picture videocassettes in Cleveland. That's what the Department of Justice and the Federal Bureau of Investigation have been devoting their energy to stop and bring to a halt. 

The result of that effort, in April of 1997, may well have been to make the world safe for the Little Mermaid or Spice Girls. But I would suggest to you that there is not one of those cases that could not have been brought by the commercial party that felt itself injured, under civil law, by filing an action for injunctive relief and damages – a civil claim under the copyright statutes. There was absolutely no benefit to having the Department of Justice devote its resources to such claims. I could find no principled distinction in reviewing these cases, between the cases brought by the Department of Justice under the criminal statutes, and the literally hundreds of similar cases that are brought each year by private parties in a civil context. The only difference was that in the criminal cases, people paid fines and some went to jail, but the activity, as far as what was going on in the marketplace, did not change. The result was different there, because in the civil context, you get an injunction, and the materials infringing are destroyed, and the parties – if the judge finds the case worthy, can be awarded damages. 

The second analog, if you will, that I think is relevant is criminal misappropriation of trade secrets. Trade secrets misappropriation as a matter of common law has been around for a very long time. Prior to the enactment of the Economic Espionage Act in October of 1996, virtually every state in the United States had adopted either the Uniform Trade Secrets Act or some relatively similar version of that statute. Nevertheless, the Economic Espionage Act contains essentially two different but related provisions. The first is designed to address state-sponsored, if you will, economic espionage. It's designed to address the problem of a foreign intelligence, state-sponsored agency seeking valuable commercial or military information from commercial enterprises in the United States. The second part of the Act, however, is designed to do exactly what civil trade secrets law does. It is designed to penalize with felony penalties the misappropriation of a piece of information that has value and is generally held secret by a company. That is what a trade secret is, and it is what trade secrets law has traditionally protected for a long time. I did a similar kind of study, and now, I'm sure that later in the afternoon, during the rebuttal period, that I'm going to find out that my list is incomplete, and the only defense to that charge is that I have to rely upon the information that the Department of Justice itself makes available to the public. There may be other indictments and there may be other proceedings that they haven't decided to disclose, and perhaps we'll learn some more; but as it stands today, the information that I've been able to obtain either from the Department or from published sources and newspapers is that there have been six cases since October of 1996 brought under the Economic Espionage Act. 
The first of those involved a disgruntled employee of PPG Industries, who tried to market some confidential research information about a manufacturing process used by PPG to Owens Corning. This is garden-variety trade secrets misappropriation. 

Now that scenario arises in a number of these cases. Out of the six cases, only two involved a protagonist, an attacker if you will, who came from outside the United States – in other words, where the recipient was a foreign entity. And in both those cases, it was a Taiwanese company. The first involved the effort to obtain information about the drug Taxol, an anti-cancer drug, that's a product of Bristol-Myers; and the second involved an effort to get some technology having to do with the development of adhesive products, pressure sensitive adhesives by a company known as Avery Dennison Corporation. Once again, one's kind of forced to ask, are we making the world safe for post-its? Four of these six cases involved disgruntled employees. They were cases where the initiator of the misappropriation was an employee of the company whose information was being stolen – he was an insider. It was not something where he was approached by an outside person; the insider went out and tried to market the information. 

Every single one of these cases, again, could have been brought by the private parties involved under civil law. Now, I will say, that with respect to the two Taiwanese companies, pursuing those plans would have been difficult – obtaining personal jurisdiction over the defendants; the process would have been difficult. No more difficult, it turned out, however, than trying to extradite those people from Taiwan. The question one has to ask oneself is whether the felonization of these civil wrongs is an effective deterrent, or at least any more of an effective deterrent, than the currently existing civil remedies? And I think one can effectively make the argument that at least, based on these two analogs, there is serious doubt about that. 

When you approach the idea of increasing deterrence for attacks on the infrastructure, and the response is we're going to have to treat all these attacks as felonies, and if necessary modify the criminal laws to account for that, I think it is fair to ask whether or not that is likely to produce the result that we're all seeking, without unintended consequences, number one, and number two, will it be effective? I would argue that criminalization, inappropriately applied, has detriments as well as potential benefits. The first is, it seems to me, is that criminalization creates an expectation of federal enforcement that cannot realistically be met. Take, for example, either the trade secrets misappropriation analog or the copyright infringement analog. There is no conceivable way that the Department of Justice, with all good intentions, can equal or exceed the effort, time, money, legal talent, investigatory skill, and effort that is put into those cases by private parties. There are many, many times the number of dollars, man-hours, and resources, other resources, devoted to the civil infringement cases – civil misappropriation cases, than are devoted to anti-criminal prosecutions. And second, it seems to me, it is a matter of policy in the United States. We have to ask ourselves, is it appropriate to have federal law enforcement making selective determinations about which videotape infringement they're going to pursue, and by that I mean draw the analog, which so-called "attack" are they going to pursue? In those cases, where we're not talking about something that is a state-sponsored attack, I suggest that our record, our history today, has not been particularly or exceptionally good in making principled distinctions between the cases that we're going to pursue criminally, and those that we're going to allow to proceed civilly. 

Finally, I think that when one recognizes the fact that the greatest risk, whether it be for intellectual property theft – or trade secrets infringement – comes from insiders. You have to look at what the consequence of these statutes is going to be, in the operation everyday, the operation of commercial enterprises. As currently drafted, the Computer Fraud and Abuse Act makes a distinction between trespassers and authorized users. Authorized users who either inflict negligent or reckless damage on the system for which they are authorized to have access, commit no crime. They only commit a crime if they inflict intentional damage. By contrast, an unauthorized user commits a crime even if his damage is negligent. I suppose one can draw an argument that makes sense as to why that ought to be the case; but if we're looking at the effect, the outcome in terms of the protection of the infrastructure, it doesn't seem to make any difference. It shouldn't make any difference, whether the "attacker" is authorized and does it recklessly, or unauthorized and does it negligently. The effect on the users and on the society at large is going to be the same. Nevertheless, that is one of the conundrums that one faces when one starts to try to create these kinds of felonies. 

Finally, I think that talking about this issue as a question of "attack," as I mentioned, I think it may be somewhat counter-productive. I think we've all recognized and we've heard today that the real, the basic responsibility lies with the owner of the information, the owner of the infrastructure. And it's thinking of these things less in terms of "attacks" from the outside and more in terms of breakdowns or failures of the owners or those responsible to protect them, may actually help to advance, may help to create the proper incentives to advance the protection of all the interests. The lesson from trade secrets law is that self-protection by the owner is the single-most critical element, and placing the blame on the "attacker," if you will, places the blame at the wrong place. By that I mean not that the attacker shouldn't be responsible, but that it doesn't create proper incentives. Thanks very much. 

Mr. Horowitz: I'm going to take a slightly different approach, not from Jonathan Cain, but from some of the substance of the conference so far. I'm going to analyze two significant points, and time permitting, I'll analyze a third point. 

The first point I want to analyze is the threat from non-cyber sources that the private sector is confronted with. The second point I'd like to discuss is the difference between national security espionage and corporate espionage, and there being one main difference between the two types of espionage. And the third point, time permitting, is some of the politics that has developed around this Economic Espionage Act that's been on the books for the last year and a half, and perhaps more on that during the panel discussion later on. 

Now when it comes to cyber threats versus non-cyber threats, kids have been blowing their fingers off attempting to construct bombs with these manuals for decades. And no one seems to take an interest or at least the media doesn't seem to take an interest unless the kid learned how to construct the bomb on the Internet. But whenever a kid blows his finger off constructing a bomb and it's from the Internet, you'll see it on the front page of The New York Times and you can do a Nexis search on it, you can see how many different stories there are about kids blowing their fingers off with bombs, all from the Internet, and you won't find a story about a kid doing this without learning from the Internet. So I'd like to focus on threats from non-cyber sources. 

Let's say you've got a pacemaker in your heart, and we want to know if the microwave oven in your kitchen is leaking radiation which affects the pacemaker. So you buy one of these devices, called a frequency counter, and what it does is it counts the frequency, it counts the frequency of a particular transmission that it can pick up – a perfectly legitimate and legal device, radio technicians can't work without them. You can buy them for a couple hundred dollars and it will, on this readout, show you the frequency and if there's any leakage from the microwave. You could plug into a computer and it could download all the frequencies, there are thousands of frequencies all over the place; if you see a frequency of 123 megahertz, you know that there's an airplane near by; if you see a frequency of 901 megahertz, you know somebody's talking on a cellular phone nearby; and, of course, you can plug all the frequencies into a scanner, and through the scanner to the frequency that appears and listen to whatever it is that is being transmitted. 

Now it was always illegal to intercept cellular telephone calls. But the devices or the scanners that did so, until April 1994, were constructed such that you could intercept cellular telephone calls. After April 1994 the law was changed; you could no longer construct a scanner to intercept cellular telephone calls. However, those that were built prior to the new law could still be purchased, you just can't use them for that purpose. Let's say you have an old scanner that can't intercept cellular telephone calls, so you buy one of these little devices, it's called a frequency converter, and it will convert the 800 or 900 megahertz cellular transmission to a 400 or 500 megahertz cellular transmission and just attach it to the scanner, attach the antenna to this little device. These were also affected by that new law in April 1994; after April 1994 these things could no longer be manufactured. Those that were manufactured prior to April 1994 could be purchased, owned – just not used. Then, of course, there's one of these little devices. When you're punching in your social security number or PIN number or account number on your telephone, there's a chip in the receiving end that will translate the tones into digits. That same chip is in this little device. And if you can intercept some kind of non-cellular transmission and plug it into this device, as you're punching your touchtone keypad, the numbers are going to come out here on this little device – called a touchtone decoder. It's perfectly legal. Telephone repairmen use them; they can't do their job without this. So if you intercept a cellular transmission, though not legal, a cellular telephone call with this, and the person at the time is buying tickets with his credit card, you attach this device and you can intercept whatever numbers he's punching in at the time. 

Now let's turn to slide number one. Just to give you a sense that this is legal, these are some publications that were written by some … espionage communications, there are thousands and thousands of frequencies in there, hundreds of countries, police frequencies, world press service, you can listen in to or intercept transmissions from people out in the field, sending transmissions back to their headquarters. Next slide please. If you have particular interest in telephone calls, there's a book called Tuning in on Telephone Calls. Next slide. You notice on the bottom, it says for $40 you can unlock your scanner. That's talking about one of these devices, excuse me the one on the bottom left, Serious Eavesdropping, one of these devices; the one on the bottom right, for $40 that company will take your scanner, reconfigure the circuitry and enable it to intercept cellular telephone calls even if it wasn't constructed to intercept telephone calls. Next slide. If you want to do it yourself, this is a book which will tell you which wire to switch in order to enable a scanner not constructed to intercept cellular telephone calls into one that is able to intercept them. That was changed in April of 1994. Prior to April 1994, you couldn't build one that could intercept; however, no company would construct one without being able to change one or two wires to reconfigure the circuitry such that it could intercept because if one company wouldn't, you wouldn't buy that one, you would buy the other one! After April of 1994 they were prohibited from constructing them such that they could be changed, but here is a book telling you which wires to switch. Next slide. 

If you look at the top right, the one over on the top right, these are all devices you can buy from hobby magazines. With this little device on the top right, for $140, that will intercept a pager message from somebody else's pager, because whatever chip that's inside that person's pager, you could intercept a signal that it's transmitting, and you can plug that thing, signal, or serial number into this device and it can intercept somebody else's pager message. Next slide. 

Change gears with me from telephone calls to other types of bugs. This is from a book on electronic penetrations. Look at chapter two, interception of a suburban residential telephone; chapter three, interception of a business data communication. Next slide. Look all the way to the bottom. Two-point-two. Signal acquisition strategy. "A possible strategy for the interceptor is as follows. Visually trace drop wire to the distribution terminal. Climb pole, open terminal, and note color of decoder. Visually trace distribution cable to the … feeder." Now go to the next line, the book is, the author of the book is kind enough to give you some diagrams to show how to do the work easily. Next. 

Of course, wearing body microphones is also a technique of espionage, whether it be corporate espionage or national security espionage. This is a book that will explain the difference in field strength of the body transmitter, whether it's worn in the front part of the body or the side part of the body. And this has implications, depending on how sophisticated you are in what it is you're trying to accomplish. 

Now, change gears from electronic penetration. This is the Wall Street Journal, June 17, 1991. I'll read the first paragraph. "In Houston's posh River Oaks section a guard at an executive's home recently noticed two men grabbing bags of trash and throwing them into a bin. As the van rode off, the guards wrote down the license number which was traced to the French Consul General in Houston. Renard Doulet, [?], French Consul General, now says he and an assistant were only picking up bags of grass cuttings to fill a hole dug for the Consul's swimming pool, that could not be completed because of his own …." [Laughter]. Now, what's interesting here, is if you look at the subtitle, talking about "Nation's spies now are seeking industrial secrets," it says they may intercept messages and plant moles to retrieve data useful to their company. Now, intercepting messages is not legal. Planting moles in the private sector is not legal because there's a duty of agency that an employee has and you can't violate that duty of agency for any reason. You might not like what this French Consul General did, but truth is, nothing he did was illegal. This is a perfectly legal tool, a method of collecting information, and what the man did was not illegal. Now you can argue that it was inconsistent with the diplomatic status that he was given, but the act itself was not illegal. I know that there was a move in Connecticut, I don't know what happened to it, but two summers ago some law student at Yale submitted a paper to some legislators arguing that they should prohibit collecting people's garbage for competitive reasons, because it seems like an unethical thing. I don't know if it ever passed, but in the rest of the country you would be permitted. 
I think in parts of California there are some counties that forbid it, but to my mind that's a foolish way of doing it, because in principle I think it's not an enforceable rule, because if you see somebody going into somebody's garbage, then the policeman is going to ask him, "what are you looking for? Food or competitive information?" And unenforceable rules give a competitive advantage to unethical people, because ethical people won't do it because it's not legal. Unethical people will do it because they know they're not going to get caught. So in principle those unenforceable rules give competitive advantage to the wrong people and therefore I think it's a bad idea. 

Move on to the next slide. Let's say I'm in the private sector and I walk up to a competitor and I say, "Would you please let me know who your clients are?" He says no. What do I do? I follow him around to see who his clients are. I know exactly who he meets with, every day of the week for a month. And I put together his client list. Is that legal? The answer is yes, because following a person around is not illegal. The fact that I can, that the result of the activity was I came up with that same client list that he would not have wanted to give to me (I'll talk about that in more detail a little later on), in principle that particular act is not an illegal act. There is a book telling you how, teaching you how to go ahead and do it. Go to the next slide. This is a page from the book if you want to do it by car. Training exercises. So you see this stuff does exist. Next slide. 

Moving a little towards the center. There was an incident, an issue of a few years ago. During the Gulf War, there was a young teenage girl who claimed to have been a witness to Iraqis' taking babies out of incubators and throwing them on the floor. She testified before Congress to that effect, that this is what she saw. It turned out that that teenage girl was the daughter of the Kuwaiti ambassador; the Kuwaiti government hired a PR firm to come up with some method of influencing American public opinion toward Kuwait, and that whole thing was a fictional chapter that the PR firm came up with. This is from a 60 Minutes edition investigating that particular incident. If you look at the second paragraph, on the left, they're interviewing the journalist that found this out, and he says as follows: "So I set out to try to find out, like any reporter does, and I started asking questions. And I finally heard a rumor that Niyera [sp?], which was the name of the girl, was the daughter of the Kuwaiti ambassador, so I used an old reporter's trick. I called up the embassy, and I said, 'Niyera did a terrific job at the Caucus and I think her father must be very proud.' The ambassador's secretary said to me, 'You're not supposed to know that; no one supposed to know she's the ambassador's daughter.'" [Laughter] Now, two points. First of all, I don't believe that what the secretary said, because it never works out that easily. The second point is, if you would turn to the next slide, you see there are entire books, kind of like hand-me-downs, of little tricks that you can play on people. And it's not really an old reporter's trick. When I give these presentations, more people ask me how to get a book like this than any other thing. [Laughter] You look at the table of contents, Overcoming … and Overcoming Rejection. Banking and Financial … how to get it. How to get information out of banks; how to get information out of telephones. 
So the authors of these books don't differentiate between pretext calls that induce someone to violate his duty of confidentiality, in which you will find yourself exposed to legal liability, and pretext calls that do not. The principle – if I call you up and trick you into telling me something, I haven't violated the law. If that trick induces you to breach your duty of confidentiality, like if you're at a bank, or a hospital, or the phone company, you're going to have exposed yourself to legal liability. So these folks don't make that point, but as you see most people don't realize you can buy books with stories on how to trick people to give you information over the phone. And I spoke to one, for example, one security director at a major company – the company's product is a recognized product – they have a 800 customer service line; he tells me that 20% of the calls that are called to the non-800 number, to the regular numbers, he believes are pretext phone calls by competitors trying to get information, because if you have a question for the company you call the 800 number. That's what most people do. If you call the regular number and ask for a particular person at a particular desk, he calculates that as being pretext questions asked by competitors trying to seek information. 

Now, let me move on to the second point, which is the difference between national security espionage and corporate espionage. One very major significant difference, which Jon Cain actually touched upon (and Jon was the first person to use the phrase "trade secret" all day; nobody else had used it before), was between national security espionage and corporate espionage. In corporate espionage you're dealing with trade secrets, and in national security espionage you're dealing with classified information. You're walking down the street, and you see a document on the sidewalk. It says "Central Intelligence Agency – Top Secret." Can you pick it up and take it home? I mean you don't have to know statutes to understand that you really shouldn't have this. You should give it back. Somehow, you know you should get it back to where it belongs; you really shouldn't be in possession of this, you should give it back. I'm walking down the street, and I see a document that says "Confidential" with the name of my competitor on the document, and this is my competitor's proprietary information. Ethically, what should I do? Call them up, and say you found it, and return it, and don't use it, and that's all. Legally, what can I do? You can use it, you can do whatever you want to, because you're under no legal responsibility to return it to the competitor. That's the main difference between national security and corporate espionage. National security espionage – you can't be in possession of this information. You've got to give it back, even if you come across it inadvertently. When it comes to corporate espionage, I have every right to try to seek out your trade secrets. There's a catch to it. It is legal for me to target your trade secrets. The catch is, I don't do anything illegal in the process. But if I want to know what your trade secrets are, I'm fully entitled to go out and try to figure them out. 
Otherwise, if it would be illegal to figure out someone else's trade secret, then conceptually, there should be policemen at the libraries, asking you what it is you're figuring out. Are you doing research on the competitor? If so, you better cut it out. Arguably, you could then hold the library liable for providing the competitor with information such that they were able to figure out your trade secrets. And the difference between trade secrets and national security information is classified information; if this is classified, you can't have it. Trade secret laws or common law or uniform trade secret act, trade secret is that information which the other party took reasonable precautions to keep secret. Now, what does a trade secret mean? A trade secret means that the law will protect the holder of that trade secret from someone who uses improper means to acquire it. That's what a trade secret means as opposed to national security, where you can't have it in any case. So if I say to my people, people at my company, go figure out why the competitor is doing better than we are. And then, a week later, I bump into the CEO of the competitor's company, and I say to him, "How come you guys are doing better than we are?" And he says to me, "I can't tell you; it's a trade secret, we've got procedures and strategies and I just can't tell you." Now I'm on notice it's a trade secret; do I have to go back to my company and tell them to stop trying to figure out why they're doing better than we are? The answer is, of course, no. I'm entitled to figure it out, provided that nothing I did was illegal in the process. 

Now, all too often, the word espionage is simply used when you're talking about things you don't like the other side to look up. If I break into your office and crack the safe, it could be trespassing, it's stealing, it's lots of things, it's espionage, it's misappropriation of trade secrets. If I go in front of your house and pick up the garbage, that's not espionage. You might call it espionage, because it's a nice word to use, it sounds good, but there's nothing illegal in that act. If I commission my competitive intelligence people to figure out the marketing strategy of the competitor – what his strategy will be next year – and they analyze all the ads that the competitor has put in the paper for the last ten years, come up with a 50-page document, then this is the market strategy based on what he's done so far, and this is what we can expect him to do next year. Then, another employee says to me, "you know what? Maybe I shouldn't have done this, but I broke into their office, cracked the safe, took a copy of their marketing strategy and here it is." Now I've got both books in front of me, and they seem to be the same. So now I know that this book, or this report, that my people put together based on analyzing ads is the same as the information that was in the safe. Can I use it? The answer is yes, because nothing I did in coming up with that report was illegal. The fact that I came up with their actual accurate strategy is irrelevant to the fact that nothing I actually did was illegal. Now let me point to two legal sources which, whatever the reason, are not, in my opinion, quoted enough when it comes to these kinds of business relationships. First is the Restatement of Torts § 708, "One who causes loss of business or occupation to another merely by engaging in a business or occupation in good faith is not liable to the other for the loss so caused, though he knows that the loss will result." That's called the privilege to compete. 
Normally, I'm not entitled to cause you harm. It's sort of a basic principle of torts; I can't cause you harm. I think it's a little more complicated than that in the law, but that's the basic principle. Next slide. 

Look at the rationale on the left-hand side. "The privilege to compete with others includes the privilege to adopt business methods, ideas, or processes of manufacturing; whereas otherwise, the first person in this field with a new process or idea would have a monopoly which would tend to prevent competition." So there it says, in black and white, according to this commentary, I'm entitled to adopt your ideas. If I walk into your store, and I realize that the way you set up the merchandise is a better idea than the way I set up the merchandise, I go back to my store, set up the merchandise the way you do, and then my business goes up, your business goes down. Can you come to me and complain and say you stole my idea? Did I steal your idea, or did I adopt your idea? Well, I adopted your idea. Well, is it a nice thing to do? Maybe yes, maybe no. Have I exposed myself to legal liability? The answer is no, because there's nothing in that act, taking that idea, which was illegal. Look at number three. "One limitation to this rule is when the thing copied is a trade secret," and if you look on the bottom, you see there's a "significant difference of fact between trade secrets and processes or devices which are not secret, in that knowledge of the latter is available to the copier without use of improper means, or knowledge of the former is ordinarily available to him only by use of such means. It is the employment of improper means to procure the trade secret rather than the mere copying or use which is the basis of liability." So you see, the mere fact that I copied or took your idea, in and of itself, is not actionable. I have to take your trade secret using a particular method which in and of itself is illegal. 

Now this, compared to national security espionage where the information itself by statute I can't try to get, I can't inadvertently pick up, this is a very big, significant difference within the two. And if you consider what kind of legal defenses there are to corporate espionage and the whole world of trade secrets, you can't view it as if you're dealing with national security information. All too often, when as I mentioned before, people are successful in figuring out information about your company that you don't want them to know, you always start using the words like espionage and spying, when in reality the other side is not only legally allowed to seek out your information, but in a sense it's part of healthy competition to try to seek it out. So these are the two points that I wanted to cover in my time, and I'd be happy to answer questions later on. 

Mr. Schaffer: I'm going to try to address some of the questions or issues raised by Jonathan and Richard; if I get to them, as I go through my talk, I will. If I don't, I'm sure they'll point it out to me. 

First of all, thank you for having me here. Let me tell you a little bit about the section of the Department of Justice that I work with. I'm with the Computer Crime and Intellectual Property section, which is part of the Criminal Division of the Department of Justice. We are tasked with a fairly broad range of responsibilities. They include dealing with computer intrusions, under 18 U.S.C. § 1030, the Economic Espionage Act, and communications privacy under the Electronic Telecommunications Privacy Act. Virtually anything that has to do with the Internet and the computer industry will come through us at some point in the process, and we have primary prosecuting responsibility on the criminal side for these statutes. We've got 17 attorneys in the section, and that's up from five just a couple of years ago. We hope to continue to grow; we need to grow. We provide support for a network of U.S. Attorneys at every U.S. Attorney's office. There's a CTC network, of Computer and Telecommunications Coordinators (there's at least one in every U.S. Attorney's office), and they are the front line for prosecuting these cases and we provide support. In some cases, we will actually prosecute the cases directly out of main Justice, but for the most part, it's the U.S. Attorneys that have to handle these cases. 

In coming here today, I was asked to talk primarily about the Economic Espionage Act, but I will touch on some other issues as well. One of the questions that Jonathan Cain raised is why criminalize? Is it really necessary in some of these situations to have a federal criminal law applicable to the kinds of activities that have been handled in large part under civil cases in the past? For reasons that really have been identified by these two gentlemen, I think that the EEA is a good example of a situation where we did need a federal criminal law, and I think when we look at the Act a little bit we can figure out why. 

The real issue that Congress was concerned about, and they had perhaps a couple of concerns, but Congress looked at the U.S. economy and made a startling realization that everybody who's in this room has probably already made. That is that information has become astonishingly valuable to our economy over the past 50 years. There's been a tremendous transition from an economy that was based on things, the widgets of our law school days, to pure information. If you look at this statistic, and this statistic is already getting a little bit old, the tangible assets, as opposed to the intellectual property assets, of mining and manufacturing companies in 1982 was about 62%. By 1992, it's only 38%. And this reflects the fact that today, the technology, the know-how, of how to bring ore out of the ground, is often worth more than the ore. Now when you understand that, and you realize the implications for our economy, you realize that the Economic Espionage Act was put in place to protect something that is truly vulnerable. And that is possibly one of the most important things to take away from an understanding of the Act. The fact is, stealing the ore is almost impossible to do; you need trucks, you need infrastructure, you need all kinds of dollar value material, to go out and steal something like ore. But to steal the knowledge of how to get the ore out of the ground can be as simple as having a single computer that accesses the Internet, and it's the hacking knowledge and capability to break into a competitor's system and pull that information down off the Internet. It can be done fast, it can be done easily, and it can be done all too often without being detected. Our job at the Justice Department and the investigative agencies that are represented in this room is to make sure that that's not what is going to happen. We have various laws in place to protect these materials. The EEA is one of those and I'd like to talk about it in a little more detail. 

The other issue that Congress realized is that, in addition to the fact that this stuff was easy to steal and that it was very important to the economy, state-sponsored economic espionage is a reality. The fact is there are a number of nations that are all-too-involved in using their former spying resources to now go after economic jewels. There's a whole industry of people who were engaged in the Cold War who now do not have as much to do; and frankly, this is something that they can do. They're capable of it, they're talented at it, and it's something that we need to be concerned about. It's interesting. Congress was very concerned about this issue, as we'll get into a little bit later on. Indeed, it was the primary concern that they had when they passed the Economic Espionage Act, and for various reasons the Act changed as it went through the process. But that was the primary concern. 

Finally, there are competitive pressures. Both foreign companies and U.S. companies are clearly looking to get a hold of each other's trade secrets and, unfortunately, they don't always do it in a legal way. The fact is, doing all that research to find out what the competitor's marketing plan really is takes a lot more time than walking through the door and taking the marketing plan or getting on the Internet and pulling it down from an insecure network facility. So, unfortunately, not everybody will play by the rules. 

One of the trickiest problems about economic espionage prior to the passage of this act is that it would often slip between the cracks of existing federal prosecutorial tools. Ultimately, the problem that was faced by federal prosecutors, and these were a different set of problems than Congress may have perceived at the time, is that typical kinds of espionage activity could not be easily prosecuted under existing laws. Take a typical hypothetical. If you had a company and you hired a consultant, and the consultant was brought in to do security work for you, and that consultant was given widespread access to your network in order for him to be able to make a determination about the security that you needed to put in place, and that consultant realized that he found on your system materials that were worth many times more than the consulting fee that he was going to take, so he makes a copy of the materials and puts it on his own personal Jaz disk, a gigabyte of your information. Let's say that your company is in Washington, D.C., and he takes that disk and he drives across the bridge into Virginia and he sells it to one of your competitors for $150,000. Well, prior to the passage of the EEA, you had a real problem prosecuting that case. There were a couple of things you could do. You could turn to state law, but I will point out that, notwithstanding Jonathan's comment, it really isn't true that every state has a protection of trade secrets law on the books. In fact, only about 27 of the states have comprehensive trade secret legislation, and those laws are somewhat different from one another. The definitions are somewhat different in how trade secrets are defined. In the long run, it was very difficult to apply those laws when the material was crossing state borders and may have involved multiple jurisdictions. 
On the other hand, you could use federal law, but none of the laws on the books were really appropriate to the situation that is presented by this hypothetical. One of the things you could do is use the Interstate Transport of Stolen Property statute, 18 U.S.C. § 2314. The problem with that statute, frankly, is that not all courts were confident that theft of trade secrets, as we've defined them, i.e. material on a disk where the disk was not stolen, would be deemed to violate the statute. Indeed, there's a case from the 10th Circuit, U.S. v. Brown, in 1991, that ruled that if there was no stolen material or physical object that was taken across the border, you didn't have a violation of the act. There were other cases, U.S. v. Riggs, which is a Northern District of Illinois case, I think it's 1990, which went the other direction. You had some circuit splits and it was a problem to apply the statute. You could go with mail and wire fraud, assuming that you had mail or wire involvement in the crime. But if someone downloaded things onto a disk at the desktop, and carted it across the border themselves, those statutes would not be applicable. You could go with 18 U.S.C. § 1030, which is the Computer Fraud and Abuse Act, and, in some instances, a lot of the instances that we're concerned about here, that act might have some applicability. But where a computer was not accessed without authorization, you've got a problem. Remember, in our hypothetical, we've got a situation where you've brought a consultant in to do security work for you and you've given him access to your entire system. Under those circumstances, it may be hard to apply 18 U.S.C. § 1030 to the crime. 

So, what did Congress do? They essentially passed an act that was intended to address two issues: one is the state-sponsored espionage that they were very concerned about, and I mentioned earlier that that was the original focus of the Act. Indeed, that was the only portion of the Act as originally drafted. The problem with that is, it would have violated various treaty provisions which require us to treat foreigners the same as we treat U.S. citizens, or treat the U.S. the same as we treat the foreigners. Ultimately, the decision was made to go ahead and make the Act have parallel tracks. But the ultimate Act has two portions: 1831 criminalizes state-sponsored espionage, and 1832 criminalizes the traditional theft of trade secrets. This is really the first ever law that was specifically tailored to the theft of trade secrets at the federal level. 

So what are the elements of a § 1831 violation? They are that the defendants stole, or without authorization of the owner, obtained, destroyed, or conveyed information; that the defendant knew the information was proprietary; that the information was a trade secret, or in the case of an attempt or a conspiracy that the defendant believed the information was a trade secret, and we'll talk about that in a few moments when we talk about specific cases; and finally that the defendant knew that the offense would benefit or was intended to benefit a foreign government, instrumentality, or agent. 

Section 1832 is the commercial theft of trade secrets; it parallels § 1831 to a great extent. The same requirements with respect to stealing or without authorization obtaining, destroying, or conveying information; knowing it was proprietary, the information needs to be a trade secret or again, they need to have believed that it was a trade secret; but the defendant intended to convert the trade secret to the economic benefit of someone besides the owner. In the context of § 1831, you don't need to establish that it was for economic benefit. If there was some political or other motivation behind the theft, that's enough in the § 1831 context; it is not enough in § 1832. There must be a showing that the defendant knew or intended that the owner of the secret would be injured, and that the trade secret was related to a product that was produced or placed in interstate or foreign commerce. 

The definition of trade secrets in the Act is extremely broad. Indeed, if you took all the state acts, and you combined them such that you got the widest possible definition of a trade secret through that combination, that's the type of definition you would get and we have in the federal law. It covers all types of information, however stored or maintained; the owner needs to have taken reasonable steps to protect the information; and it has to derive independent economic value by virtue of the fact that it is not generally known to the public. 

In the context of the Internet, and this is an important question for those who are advising clients in this area, I don't know that there is a clear answer to the question of "What are reasonable steps to keep the material secret at this point?" As you know, and as we've been talking about most of the morning, there are a lot of techniques available out there to hack into systems, and I leave it up to you to ponder whether or not the use of known hacking tools to get beyond system security would create problems with respect to this framework. 

Finally, … under § 1831 the penalties are 15 years and $500,000 for individuals, and a $10,000,000 fine for corporations; under § 1832, you have 10 years for individuals and $200,000 or $5,000,000 for corporations, and there are some alternative penalty provisions available under the Act as well. It is true that there have been only six cases approved for prosecution to date. There is an agreement between the Department of Justice and the Congress with respect to the Act. The Attorney General wrote a letter to Congress at the time that the Act was passed, and it was indicated in that letter that all prosecutions would be approved either by the AG, the Deputy AG or the Assistant Attorney General for the Criminal Division before they were allowed to go forward. So the Act is gaining a lot of scrutiny, these initial prosecutions are being carefully vetted by the Department, and indeed, the Computer Crime and Intellectual Property section has the responsibility to take a first look at these cases and to make recommendations up the chain as to whether or not a particular prosecution should go forward. The fact that there have been only a few prosecutions, and the fact that those prosecutions to date have not been voluminous is not a bad thing. It is probably, I would argue, a good thing. The fact that we don't arrest every speeder on the highway doesn't mean that we shouldn't have a speeding law. Indeed, the point of prosecutions under this act or under any act, perhaps with the exception of violent criminal acts, is to create deterrence more than to catch everybody who does the act. We recognize that it's not possible to catch every person who does. It is also true that in almost every case, whether it's under the copyright act, or criminal provisions of the trademark act, or this act, there is going to be a possibility of a civil action that would address these issues. 
But the cases that have gone forward thus far do fall into the category of cases where you would want to have criminal prosecution available. For example, in the PPG case, which Jonathan brought up, this is a case that involved a disgruntled employee who did in fact take information and try to sell it to Owens Corning. This is someone who was with, I believe, the janitorial staff. It was someone who took a quantity of information out of the building – this is not someone who you could reach – to the level of the damage that he caused to the company or could have caused to the company – through a civil action. The civil action would have been largely worthless to the company. It is appropriate for the government to deter that kind of behavior in situations where civil actions simply wouldn't be effective. 

Another case, the Kai-Lo Hsu case in Philadelphia, is the next case that was approved. This is a case in which the defendants were charged with the attempted theft of trade secrets, and conspiracy to steal trade secrets. Let me go back for one second to where – you don't even need to change the slide. One important thing, and I want to point this out with respect to all of these cases, is that to a great extent, these cases were brought with the assistance and cooperation of the victims, and the theme that I've heard this morning is all too important in the context of these EEA cases as well. If we don't have cooperation between the government prosecutors and the investigators and the affected companies, the victims in these cases, it's very hard to prosecute. And in the Owens Corning case, where Owens Corning is approached by someone from the competitor with a bunch of information, Owens Corning went to the FBI, and they reported the incident and they turned the information over, and they made that prosecution possible. I want to point out that right now the cases we're seeing are traditional cases in the sense that they haven't been happening over the Internet. But Scott Charney of our section, the chief of Computer Crimes and Intellectual Property, has a theory that relates to why computer crimes are increasing and why we're seeing more and more computer crime all the time. His theory is that at any given point in time, a certain percentage of the population is up to no good. That's the entire theory! Someone pointed out that in 1900 we had cars but we didn't have very good roads, and we're about at the same place with the Internet. We're sort of figuring a lot of things out now. Well, let me tell you: the auto theft industry was not big in 1900. There was not a lot of chop shops and an entire industry built around the theft of automobiles and/or various other crimes that involved the use of automobiles. 
The fact that we don't have a tremendous volume of cases of economic espionage today, happening over the Internet, is simply due to the fact that criminals haven't yet gotten into doing it this way, but it will come and we see it moving in that direction all the time. In any event the Kai-Lo Hsu case is another case which was an attempted theft of trade secrets. The individuals were charged with attempt in a sting operation, and the interesting thing about this case is that there's currently a dispute over what should happen with the information once the case is brought for trial. The defendants have sought production of the actual trade secrets in the case. They've said, well, we didn't get it, but what we'd really like to do is get it in discovery [laughter], and the judge said, okay! [Laughter] This case is on appeal, and hopefully that decision will be reversed. But that's the status of Kai-Lo Hsu. 

The Yang case, U.S. v. Yang, is out of Cleveland. It involves the Four Pillars Company and Avery Dennison. This is a case in which the defendants were charged with obtaining trade secrets of Avery Dennison with respect to adhesive products, and a cooperating witness who pled guilty and admitted supplying materials over an eight-year period to two competitors of Avery Dennison assisted in a sting operation as well. The defendants were arrested after meeting with the cooperating witness. That case is scheduled to go to trial in September of 1998. This again is a case in which the defendants were overseas and were brought to the United States, or came to the United States for various meetings. This is a case that civil action probably would not have been able to address. 

The next case that's been approved for prosecution is U.S. v. Stephen Davis, out of Nashville. The victim was Gillette Corporation. The defendants were charged with the theft of a product that was in development – a new shaving system that was being developed. The defendants worked for a contractor to Gillette, the Wright Company, and the defendants essentially removed all kinds of materials from Gillette; they were ultimately caught by Gillette. They were removed from the project that they were doing consulting work on, and they went and tried to sell the materials to, among others, Bic, ASR, and Warner-Lambert. Again, I believe the purported purchasers, those who were being offered to purchase, may have been involved in bringing that case to justice. 

The next case is Turillo v. Cohen, out of the Houston District. The victim there was Deloitte & Touche – this was the first case that actually involves software or something related to the cyber world. This was a fairly simple scheme: take some software source code, take Deloitte & Touche's name off of it, put your name on it, and sell it. That was accomplished in exchange for a very large signing bonus and, at this point, it is a pending case as well. 

Finally, the last case, which I think is one of the more interesting cases, is U.S. v. Campbell, out of the Atlanta area. This is a case in which a former employee of the Gwinnett Daily Post offered to sell confidential marketing strategy information to the Atlanta Journal-Constitution for $150,000. The Constitution declined, but called the FBI first, and, ultimately, they did that notwithstanding the fact that they were in a heated litigation with the Daily Post, and the material allegedly would have gone to issues in litigation. The defendant communicated through classified advertising in the papers. That's how they tried to get the ransom that they were seeking, and ultimately they were arrested in a sting operation after providing some of the confidential information. 

So those are the cases that have been approved to date. I think that we will see a change in the type of cases as time goes on. I think that we will indeed eventually see Internet-based theft of trade secrets, that all of the techniques that you're currently seeing today in terms of just hacking activity will become more focused as the bad guys figure out how to use these tools and become a little more focused on the Internet as a resource for this kind of research. In light of that, I think it's extremely important that industry and government work together to address those cases that come to light, and to make sure that there are disincentives built into the system to prevent the kind of activity that really can have a tremendous impact both on our economy and on the sense of well-being for American industry. As long as we're ahead, we're a target, and I think that right now, we're likely to see more of this activity in the future. Thank you. 

Mr. Hemingway: Jonathan, I think that you'll probably get some agreement about the biggest threat from within coming from the postal department, but let me ask you, what, in light of your comments, what role do you see the federal government having? 

Mr. Cain: Well, Tom, as I think I said at the outset, I believe there is a role for government in those instances of state-sponsored, if you will, efforts to damage or take information. I don't disagree at all that there is a role for the Department of Justice and the FBI for prosecuting criminally instances where you have a state-sponsored activity. I would simply point out, however, that the record to date has been that the espoused purpose, for example, of the Economic Espionage Act was to stop exactly that type of activity, and it has not been the subject of a single prosecution. So we seem to have the cart driving the horse. That's my principal point. 

Mr. Hemingway: Questions from the floor? 

Participant: Dan Kuehl, from the School of Information Warfare at NDU. A quick comment and a question. The comment is that perhaps one of the reasons why we've seen the limited cases we've had so far is because the kinds of cases you've brought up are more like, "Psst! I've got trade secrets here!" There's a human interaction involved there, that's a necessary part of it; whereas the Internet intrusion takes that piece out of it, and maybe we'll see more of that. 

The question I have is primarily for Richard and somewhat for Jonathan, because you seem to be drawing a very distinct line between state-sponsored and not state-sponsored, between national security and non-national security economic stuff. One of the things I try to do with my students at the War College is physically, if necessary, beat out of them the concept that there is pristine national security and then "other stuff." If Airbus Industries is involved in trying to come up with a new wing design that Boeing has, and it's going to mean a $5 billion difference in sales, if that's not national security in the confines of the President's national security strategy, I don't know what is. And I'd appreciate your comments on that. 

Mr. Horowitz: Well, the distinction that I brought up was with respect to the type of law that would be applicable to a particular case – not the implications of the case on national security. So if you're talking about Boeing wings, if that's a trade secret, it's subject to trade secret law. If that particular trade secret has implications for national security, it's not necessarily an issue that's going to affect it legally. Does that answer your question? 

Mr. Kuehl: Not exactly. 

Participant: I'll try something similar; I'm Captain Bill Gravell, Special Assistant to the Chief of Naval Operations. 

In 1995, two Iranian citizens then employed by the Intel Corporation were apprehended passing the details of the P7 microchip to Iran. The P7 is the one that'll be introduced about a year from now. It was then in alpha testing – very, very early, very developmental. Then, as now, Iran was not assessed as having the capability to indigenously produce microchips, microprocessors. So the question of their interest in getting it in order to produce it indigenously for some economic advantage can be ruled out in this case. This is a question for the panel generally. Given that this particular microprocessor and any other like it will very probably be at the center of practically everything done by our nation in the interests of its security, its economic well-being and everything else, as alluded to by many members, what are the legal considerations in this case? Had the events occurred today, would, Mr. Schaffer, these people be prosecutable under the EEA? As suggested by virtually all the panelists, there would be problems of extradition, if you attempted to prosecute criminally, or difficulties relative to civil prosecution as well. How would you proceed in a case like this? For the record, by the way, the total action taken at the time was that the two individuals were fired and left the country by getting an airplane ticket and going home. 

Mr. Schaffer: The extradition problems are obviously beyond the scope of what I can really address. It's the same problems that we had from everything from ShineBine [?] to the more recent analyzer case that was discussed earlier today where you've got a hacking intrusion that's occurring from Israel. To the extent that we don't have extradition treaties in place for these kind of situations, and we've got somebody overseas, we're going to have a difficulty and we may need to address extradition, specifically in the context of computer intrusion problems. I think that that's something that's being taken up by the DA's, the Council of Europe, and various international bodies that are concerned about the cross-border search and seizure issues and the various problems that are presented by a global information infrastructure that doesn't follow the traditional notion of borders, and that you've got to be in the country to commit a crime that is going to affect the country. I think that the act you're describing probably qualifies as a theft of trade secrets under the Act, and I think that depending on whether or not there was indication that it was state-sponsored, whether that proof is there, it might be a § 1831 or certainly a § 1832 if it wasn't, if it didn't qualify as a § 1831. It's certainly the kind of case that would fall under the auspices of the Act. 

Participant: Commander Sirgg from East Carolina University. Mention was made of the problem after the end of the Cold War of a bunch of unemployed or underemployed spies riding around. I think it's worth noting that in the Soviet Union, I mean the ex-Soviet Union, Russia, the KGB has been drastically reorganized with the intent, among other things, to reduce the type of oppression that occurred before. But there are substantial indications that quite a number of these people, the original KGB, have now been transferred to economic espionage. There are a couple of ameliorated concerns, I suppose; one, that they're not familiar with our overall corporate structure and the marketing system, and two, that even if they get trade secrets the ability of the Russian industry at the present time to utilize it effectively is relatively low. 

Mr. Hemingway: With that, I think we've run out of time. As General Marsh commented at noon, the President's Commission did not address the international implications of the problems facing the infrastructures. So I would suggest to Judge Everett and Scott Silliman that that may be a topic for you to use for a follow-on conference. 

Participant: [Unidentified participant] I would like to ask a question now. I realize that we've run out of time, but I'm struggling with the issue of how to provide support to law enforcement and the intelligence community, and also how to determine how to respond to rather nebulously-defined foreign threats. I don't think we came to a conclusion here this afternoon on a couple of key points that appear to be radically in conflict. As you've described it here this afternoon, it's commonly accepted commercial practice to attempt to gain the trade secrets of another. That's fine. The only question that matters to the law are the specific means to obtain them. If it's commonly accepted commercial practice to attempt to obtain the trade secrets of another, why should we care whether it's state-sponsored or not, except upon a question of the means? Now you seem to be asking in one case, Mr. Cain, for assistance from the government to level the playing field of an American corporation fighting an entire other nation's intelligence apparatus, attempting to gain one U.S. corporation's secrets, and in another case we talked about state sponsorship and the question comes to someone like myself, how do you even determine that if firms are not necessarily going to cooperate in the sharing of the knowledge that they have potentially been penetrated. Another thing that I would bring up is that a lot of these cases you bring up, Mr. Schaffer, appear to be not at all applicable to the two questions I just raised. If the issue is how do you get this government to define means such that we can appropriately prosecute against them, to keep the playing field level, or how do you get the U.S. government engaged in keeping the playing field level so that you're not competing against the foreign nation-state. We didn't address either of those this afternoon, but they should've appeared at least to me to have been logical outcomes of the talks that you gave us or the discussion. 
And I open this up to comment. What role do you see in the government helping you out against that kind of a threat? 

Mr. Cain: I draw a distinction between economic espionage, to use the loaded term, sponsored by governments, and that which is commercial in source. Not so much on the grounds of leveling the playing field, as you put it, although that's certainly a legitimate ground I suppose, but on the ability of the private party who has been damaged to obtain a remedy or a relief in the civil context. 

Mr. Horowitz: I can't speak for the government, but I do not foresee the Department of Justice using an EEA to stop foreign competitors trying to gain a competitive advantage from legal means. But that's not what the Act was intended to do, and I don't foresee it happening. I think what you said was well put, that it is routine practice for competitors to try to get or acquire trade secrets of others. If they do it with legal means, I don't foresee the government getting involved in that. There's no reason for getting involved in private sector business. Now there have been numerous cases over the years of the FBI, or the government, having information that a foreign company, a foreign entity, is attempting to obtain the trade secrets of U.S. companies, and the FBI warning through the security director's warning the company where it happened. But that is not to say that in those situations, now that the EEA is on the books, that the government and the Department of Justice can indict for that act. So the government may want a company that … after their trade secret using all kinds of inducements, it doesn't mean that they can indict for what it is that the foreign entity is using. 

Mr. Hemingway: Greg, did you want to comment? 

Mr. Schaffer: The Act really sets thresholds for illegal behavior regardless of which side of the equation you're on, whether it's foreign-sponsored or commercial espionage. The Act sets a floor for that activity, and if it doesn't reach that floor, it's simply not criminal activity and it's not going to be addressed by the Justice Department in any event. Whether or not state law or just civil actions being brought below that threshold will address those issues and draw a distinction, I don't know. But from the criminal perspective, the concern is that you do have, when it's state-sponsored, a far greater capability; you've got potentially an entire country's backing, going up against a U.S. corporation or perhaps an industry, and that has more serious implications, and it needs to be addressed by the more serious punishments available under the Act. 

Mr. Hemingway: O.K., with that, if you have any more questions, I encourage you to approach the bench and talk with the speakers. Thanks very much and have a good evening. 
 
 

Dinner Address

Monday, April 20th, 7:00 P.M.

Speaker: Hon. Porter Goss
 
 

Mr. Turner: Ladies and gentlemen, it is my distinct pleasure this evening to present our dinner guest, our keynote speaker for the conference. When Scott Silliman sent me an e-mail several weeks ago, saying that it looked like we might get Congressman Porter Goss to be our dinner speaker, I sent back an immediate urgent message in all caps, saying, "IF YOU GET HIM, I'LL COME." It was my great pleasure to hear him give a speech last November to an American Bar Association National Security Law group, as part of a conference, and it was so good, that the standing committee and I both decided that it should be published in the next newsletter rather than holding it for the conference proceedings. It was one of the best speeches I've heard in many years. 

Our speaker is a 1960 graduate of Yale, with honors. From there he went into Army Intelligence, where he spent two years before joining the Central Intelligence Agency where he was a clandestine intelligence officer for about a decade, before retiring on a medical retirement. In 1971, he moved to Sanibel, Florida, and played the key role in its incorporation effort. He founded Sanibel's weekly newspaper, the Island Reporter, becoming a journalist in the process. He was elected to Sanibel's first City Council and became not only its first mayor, but continued to serve for four consecutive terms. In 1988, he was elected to the United States House of Representatives, receiving 72% of the vote. In 1990, he was one of only three freshman Republican Members of Congress to run unopposed. In 1992, the Democrats apparently had forgotten, and they did put up opposition, and he only got 82% of the vote, but that was enough to make him the top Republican vote-getter in the House of Representatives. In 1994, he again ran unopposed, and in 1996, three out of every four voters in his district that voted, voted for Congressman Goss. 

As a member of the House of Representatives, he has established a remarkable record. He served on the House Foreign Affairs Committee. He also served on the House Rules Committee (which is quite unusual for a junior member of the House), where he played a leading role in the campaign for term limits provisions. He volunteered for service on the House Ethics Committee, and one of the realities of Congress is that nobody likes to be on the Ethics Committee because then you have to pass judgment on your colleagues. Those colleagues may be your friends, and certainly you don't want to condemn your friends for their wrongful behavior, and if they are political enemies, it makes you look very bad and also creates pay-back time considerations, and so normally people who go on the Ethics Committee are dragged kicking and screaming to the process. But Congressman Goss understood Jefferson's admonition that the first principle of good government is honesty, and he has worked tirelessly to try to clean up the institution. One of the interesting things about Congressional ethics is that the polls for years showed that Members of Congress as a group were vying with lawyers and used-car salesmen for the very bottom of the approval ratings as an institution; ironically, with military officers being at the very top of that list. But when you ask people to rate their own Congressman, almost invariably, they give him or her high marks – across the country. This is an interesting phenomenon, but the reality is, there is room for improvement. There are an awful lot of very decent people working in Congress, patriotic honorable people, and I don't have to prove that case because I'm about to present one of the best examples, but there is room for improvement. Another function that he has served is on the Bipartisan Ethics Reform Task Force. 
He has been a Deputy Republican Whip in the House of Representatives; and, after serving just one term on the House Permanent Select Committee on Intelligence, Congressman Goss was selected Chairman of that Committee. 

So, it gives me great pleasure to introduce, and I invite you to join me in giving a warm welcome to, Congressman Porter Goss. 

Rep. Goss: Thank you. We've got the important business done now, I think we can all go home. That was wonderful, thank you very much. I am very, very grateful to be here. I've to confess two things right off the bat: I am not an attorney, and I can barely turn on a computer. I'm not sure I'm in the right room. 

I have two special guests of my own I invited tonight, in addition to Tim Sample here, who you know is a committee staffer par excellence, our deputy staff director who keeps things moving for us. I also have the daughter of my chief of staff who is here to spy on me to make sure I do right, and she'll report back to her mother – Amy Wooley, who is at … Elon, and Leslie Siler, a friend of hers. 

I want to thank you all for your hospitality here, not only the three centers involved who have done this, Scott, who has gone out of his way to help me find my way from the airport here, set me up in a marvelous room – this is very nice of you, and I do have some things I want to say, probably way too many things. If I go on for awhile, then I may stop, and depend on you to ask the right questions, but I'll try and give you some hints. 

We are at a point of opportunity here tonight – the people in this room represent a huge opportunity to get something done that needs to be done. I think you've started on that theme, and I think you know it. It's the time to do it today – it's not yesterday and it's not tomorrow – it's now, that we've got to deal with the question of what's going on out there in the areas of information warfare and both the protection side of that and the offensive side of it. 

There's plenty of obstacles, there's plenty of reasons why we can't do it, there's plenty of excuses but I don't think that we want to dwell on the excuses – I think we want to get on with the job. The fact that the Cold War is over does not mean that the threat's gone. We all know it. We've got to understand that there is not a constituency that believes that, necessarily, in this country. We have to build a constituency that understands we still have a need in this country for national security capacity preparations, activities and wisdom. We've had a bunch of "bad" surprises in our life: Pearl Harbor, Khobar Towers, we probably all could think of quite a list of them. The Trade Center certainly sticks in my mind as something that was a little too close for comfort. So in today's world, which is a very different world than the world just a few years ago, we've got a different sort of job to do, when we start talking about the issue of information assurance. And information assurance is an area that has got a lot more involved with it than technology. The policy, the morality, the whole question of activity – the range is there. 

I can remember, it wasn't long ago, when "national security" was simple. It was pretty easy to understand that there was aggression and there was expansionism and there was territorial imperative, and I remember all of those maps with red ink on them and Time magazine would come out and every year there would be a little more red ink on the map of the globe, and that was bad, so we all got together to think about how there could be less red ink. We've seen in this past century, the beginning of the century, we've seen Prussian militarism and that wasn't attractive, and then we got in the Second World War with the Nazi and the Japanese totalitarianism and that wasn't attractive, and then we had "hot" wars in Korea and Vietnam and quiet wars in Afghanistan and other places, basically communist-generated. So during that period, we all know we all had the nuclear threat hanging over our heads, and I know not many people in this room are old enough to remember it, but I remember vividly, I think it was the Johnson campaign, the little girl in the fields with the flowers and the mushroom cloud in the background. That probably said it as well as it's ever been said, about the real concern we had about what a gut-wrenching problem nuclear war really was. 

Today, I think we've got apathy – apathy about national security and a bunch of other things. We're awfully well-off in this country, and sometimes I'm not sure we understand that. I think there's a bunch of reasons, why we do have that, and why people don't feel there are big threats out there. Everything's gone away and there's nothing to worry about. You think of recent headlines, countries we've sent troops to and places we've been engaged, Haiti, Nicaragua, Panama – nobody really thinks the navies of those countries are going to set sail and threaten our harbors or our borders tomorrow, so it's hard for people to sort of project themselves into what the problem is in this national security. 

Joe Nye, at the Kennedy School of Government at Harvard, has pointed also to something else that's more troubling – a growing distrust of government by some Americans. They don't see the role of government as protective and defensive – they see it as threatening or perhaps dangerous. You think for a minute, wow, what is this guy saying? Well, think a little bit about incidents we've seen in Waco, and Ruby Ridge, and the Republic of Texas, and Oklahoma City, and ask yourself the question, if everybody thinks the same way we do. They don't. 

I think that whether we call this calculated disinterest or apathy that's going on, I think part of it stems from a lack of leadership. Again, I'm going to try not to be partisan. I am a Republican, but I'm going to try to be very fair, because talking about national security we all know is not a partisan issue. I don't care who's the party in the White House – any administration that comes to power or stays in power focusing on domestic policies to the exclusion of foreign policy, is not doing a favor for our country and is ignoring our history. Today, we, as a government, try to allay fears, while conducting foreign policy on an ad hoc basis, in my view. Let me give you three examples – I'll be quick because these are all fresh things you know about. 

How many times have you heard the President of the United States saying children of America can go to sleep tonight without worrying because there are no ICBMs, nuclear warheads pointed at you tonight in the United States of America. Everybody thinks that's great – so do I. What he didn't tell you is how long it would take to re-aim those rockets and get them ready to go again, and it's not a period of a very long time. In fact, it is a shorter period of time than I'm going to talk tonight, and that's not a comment on how long I'm going to talk tonight. [Laughter.] The point about it is, the threat is there. Now, if you've read the newspapers today, and I haven't read them all, but as I understand we're at Round Three now with the Duma, and Yeltsin, and the new genius over there, the young man who I don't know very much about, Kiryenko, I've read some of the stuff, seems like a reasonable choice, but I don't think Mr. Zhirinovsky's really happy, or Lebed, or some of the others that had designs on this, so I would say we're dealing with a, very definitely, with an unstable situation. And then when you add on top of that, the fact that we know where the chain of command lies with the Strategic Rocket Forces, and we know what the relative sense of poverty there is over there, and the quality of life deteriorating for those folks in the chain of command, and you know that there's a market out there, all kinds of people racketeering, and selling all kinds of stuff, whether it's suitcase nukes or something else that's useful for mischief somewhere else. That's all ongoing, it's happening today as we go along. 
And then on top of that you discover, and again I've got to be fairly careful, and I know Tim will lay the flag on me when I start getting into security areas, but the very people in Russia that we are cooperating … to work with us on a confidential basis, to deal with the anti-proliferation problem seem to be less than honorable in their dealings with us, and in fact there seems to be some complicity going on in the sale of some things that shouldn't be sold to some people who shouldn't be buying these things, who are our enemies, and would clearly do some mischief. This is not a comfortable situation. I don't care if the rockets aren't pointed at us. It's not a comfortable situation, trust me. 

And, then, there is China. Now, China's in the news today because they've got a wonderful thing – they've discovered human rights, and they've released their prisoner from jail, so we probably don't have too much to do about China. Actually, the President has told us that China has "changed its cheating ways" but that only comes to proliferation technologies. I'm not sure it's true everyplace else and I'm not sure it's true, in fact I have reason to believe that it's not true, when it comes to delivering weapons of mass destruction to other countries that are not supposed to be getting them. I would suggest that what China has changed is its ability of deception. They've gotten better at it, or perhaps we've gotten worse at perceiving it; I don't know which it is. But I don't think we can overlook China's long, sordid history as a proliferator; that's what it is. I think that it would be very foolish to lower barriers to more U.S. exports to China of advanced technologies, unless we know exactly where they're going and what's going to happen. And I wonder about allowing U.S. business to enter the reported $50 billion Chinese nuclear reactor market. Great business – I was in China last fall. The competition is aggressive and I don't want our businessmen or our commerce or our trade to be disadvantaged in any way. But the stupidest thing we can do is to discount what the track record is over there and go ahead and give them stuff that's going to turn out to be, to provide a surprise we didn't want. 

The third area is the Iraq area, and I discussed this a little with my tablemates, so I'll abbreviate it so I don't bore you more with it. I think we came out second best, in the last round with Saddam Hussein. But I think we were lucky to come out as well as we did, because we were on a course that was going to put us out not only at second best but not even in the finishing field. I think to have carpet-bombed Baghdad would have been one of the dumbest, stupidest, immoral things that this country could have done, what an amazing thing it is. Here we are talking about, gee, it's okay to have collateral damage, because carpet-bombing is a weapon we have to have at hand, but gosh, we don't want to deal in psychological warfare, because that's immoral. Now think about that for a minute. Information warfare to destabilize Saddam Hussein is not a good idea, because it's immoral – we don't this information, misinformation stuff, that's bad, bad guys do that. But it's okay, I mean, we know there's going to be five or ten thousand innocent victims and we'll be seeing them on CNN every single night. You know it. And if we don't have collateral damage, I guarantee you Saddam Hussein will make the collateral damage, because he's that kind of a guy. 

So you'd think we'd get it, right, I don't think we did very well on that at all, and what puzzles me about it is after all of these years with Fidel Castro, where we have finally, I think finally realized that the problem is not the Cubans, it's Fidel Castro. I think, why can't we apply that? The problem is not the Iraqis, it's Saddam Hussein. Let's deal with Saddam Hussein and Fidel Castro. Let's leave the other innocent victims out of it. 

Okay, I've mentioned a couple of troubled areas we know about, and I could get into the transnational threats here, again, we're talking still about why we need security, and I don't have to spell out, I'm sure that terrorism, the narcotics and the racketeering, and all that goes along with that, and how that has really changed the way we operated, because we're dealing with cross-borders stuff now. These are not things that fall in those geographical little areas. Terrorists just aren't over here, terrorists are everywhere. You've got to deal with them everywhere. And that really messes up our oversight, incidentally, because our oversight is neatly tailored, and if these terrorists don't operate in these neat little boxes we don't have the appropriate oversight. 

That's not good. When we get down to some of the other things that we seem to get distracted with these days, there's the obvious hotspots, in addition to these other bigger problems; the Balkans, we all know where the Balkans are, we've had troops there for quite awhile, Korean peninsula, you're going to continue to hear about Korea for a long time. North Korea is not yet in this century. And it's not even going to be in this century when this century is over, it is so far behind. That is a closed society, that is dysfunctional. I have been there this year, last year, last August, and it is pathetic, the people are starving. So there's a long way to go in places like that. All these things, the Gaza Strip and the West Bank, continuous effort there, the Congo's there, jumps up, Sierra Leone, something else going on in Africa. What it is, it's patch, patch, patch, patch, patch ad hoc-ery, is what we're doing, and we don't really seem to have what I would call a fully-thought-out strategy about national security. And I think it's high time we did. The world is different. The threat is still there. The technology is changing. We need a new concept, we need a new prep strategy, we need it now, a big piece of the action is technology, and that's where you'll walk ahead. 

Got to have some leadership. We were talking, again, at dinner, about who's your choice to lead? I haven't identified my choice to lead, I wish I could tell you that there's an individual out there, an American who's qualified, willing, and able and wants to accept the challenge of getting a full grasp of what we're here about, and understanding and making Americans understand, and getting the support we need to fund it, and do the hard work that is necessary to build national security. But I don't know anybody who could do that, who's willing to do it, today, to step up and take on that job. 

Some say that the United States does not have a consistent and comprehensive foreign policy. We read about it every day in the paper – pick your columnist. Some say we don't have any national security policy – pick your columnist. Of course, the measure is photo ops, in some people's views, and sometimes it looks like that's the way our foreign policy works. Watch CNN, check out the foreign policy coverage. That's not the way it should be, and that's the way too much of the world perceives it. When I talk to our colleagues and allies overseas, and my counterparts at the parliaments that I go to, the chairmen of the intelligence committees – nobody really has quite the arrangement we do, but I do have counterparts – they are puzzled about what we are doing here; they are puzzled about what our course is, what our vision is and what they should be doing. And when we talk about some of the things like encryption, they are more than puzzled, they're concerned. 

I now ought to talk to what the issue is about tonight – the threat to our information infrastructure here. And unfortunately the model that seems to fit our whole question of foreign policy and national security seems to be the same model on our threat to our infrastructure and technology. I think we're being reactive and I think we're being ad hoc. Frankly, we're not prepared. 

I suppose the good news tonight is there is some nascent public awareness in this; the fact that you're all here is very good news. The fact that there's some other people who understand why you might be here is good news. I can remember a couple of years ago somebody came up to me and said, you know, Y2K is a terrible problem, we've got to deal with it in government, it's going to be very expensive, and I happen to be a former member of Congress and I happen to now represent this firm that happens to have the technology, and so you need to pay attention to Y2K, and since this guy happened to be from North Carolina, and a very good friend of mine, I said tell me about this, what is Y2K, let's start there. And so when I finally figured out what Y2K was, and learned about how every computer's going to die, in exactly one year and fifteen days, or whatever it is, we'd better do something about it. So that began to make some sense to me. Well, it made some sense to some other people too, it's very expensive to deal with that. Then we started talking about some other things, and suddenly somebody started reading stories in a newspaper about hackers who were breaking into the Defense Department's computers, now nobody believed that! That can't happen, it doesn't work that way. Well, it works that way. It shouldn't have come as a surprise to DOD because I know you've talked a little bit about Eligible Receiver, and don't know how much you had on it, but Eligible Receiver was a very interesting exercise that Defense did last year, and I credit them mightily for doing it. It focused on the vulnerability of the U.S. infrastructure, and I just want to take a minute to go through some of the rules, because I want to point out to you, that even though the findings were pretty dire, in that, in Eligible Receiver, the people who were doing the exercise had their hands tied behind their back. Let me tell you – the techniques they used were derived solely from open source research. 
They were not allowed to use any secret or classified tools. So no "collateral" intelligence was allowed to come in. No "insider" information was provided at all. No human, no spies inside, nothing like that. Every element of the attack had to exploit an actual, real-life vulnerability of the target system. Had to be real, not hypothetical. The team's operations were restricted by many rules, most important of which was that no U.S. laws could be broken. And, some other laws, some involving security that I won't get into. But basically they had to play by very narrow rules. Plus, they were only given, I think, three months to do the job. 

Now, if this had been the real thing, the real crazy out there, the real actor who's trying to do this, they would have gone after any systems that were poorly protected to minimize detection. That's the first thing that would have happened, and they would have found a lot. For legal reasons, we couldn't do that in this exercise that was done. The length of time that a real adversary would have put on this would have been a year and a half or two years or something like that – not a very small period of time. The "attacks" were primarily the types that would deny service, now that's a very important point. Denying service is one thing, but they're not things like going in and doing intelligence collection, data exfiltration, data manipulation (that's the one I like best, the data manipulation) and data destruction and so forth. Data manipulation – this is how dangerous that is. You depend on it, you think it's healthy, and well, you bet your life on it, and you fly into a hill, because somebody manipulated the information. You never knew it till too late. That to me is the kind of thing that speaks out. And obviously the other thing, that they didn't get, was that any adversary would extract anything of value, and everything of value, including personal data – which would be fun to use, to your advantage, particularly in a politically dynamic place like Washington. 

So, we saw spectacular results. But we also saw that the people who were running that exercise weren't even given anything like a free rein. That should have sounded some very serious warning bells. The other thing that I think we ought to know, and others may know better than I, is that the defense and national information infrastructures are absolutely interdependent. National decision-making system that we have now is much too slow, it's much too cumbersome. I told you the oversight doesn't work. We've got an "indications and warnings" process in this area that is inadequate, and I equate it, absolutely, I think it's a fair analogy, that this would be just about like entering a horse and carriage at the Indianapolis 500 – you get about the same result. You may get about half-way around the lap before you get run over. 

So we've got our evidence; we've got to do our job, and that's one of the reasons why we're here, and I understand you had a report on the Marsh Commission today, which is a good result, that people are working on this. 

I mentioned before, two months ago there was the now well-publicized real attack on numerous Department of Defense computers. This is other than the exercise. I guess you talked about this, summarized it this morning, got into this a little bit. The thing about this is that this is two kids, two hackers, supposedly, I don't know how much help they had, and if I did I couldn't tell you. Two hackers went in there, and they found all kinds of vulnerabilities, and they worked them. And that, to me, is an extremely real thing. This is not something that somebody has made up; this is not a funny movie out of Hollywood. This is real. The more troubling part of it is, is when I read some of the tape, read the Wall Street Journal here, about this attack, whatever security experts are who were quoted extensively, you think they're like high government sources who won't be identified, they were quoted as saying things like, "The tools exist to defend the sites [if] people wish to defend them." Or, "Most of the recent attacks have just been 'ankle biters.' They're relatively unsophisticated efforts using easily available software that are more a nuisance than a danger." Or, "such 'security breaches' generally amount to nothing more than the equivalent of 'a kid walking into the Pentagon cafeteria.' If they get into the war room, that's something different. But this sort of thing goes on every day." I don't think this stuff does go on every day. If it does go on every day, we're going to be in deep trouble. 

Finally, I wanted to say one other thing. This is an observation that came to me one morning. I was having breakfast not long ago with Clarence Page, who's a columnist for the Chicago papers, a syndicated columnist. And he was in a forum somewhat like this, and he was talking about the marvels of technology and what it means in our life. And the great wisdom, all the Solons around the table, jumped up and said, well yes, we think it's the equivalent of the Good Work Bible that they put out. This impact on humanity and civilization, where we are today, cyberspace, the networks and computers. A little man in the front row jumped up and said, no. You've got it wrong. This is the same as the discovery of fire. This is Promethean. And I think that's right. Because fire has the ability to do wonderful things and benefits for civilization and society, and also a huge amount of damage as well. So you've got to manage it. And I think that's right. 

I think right now, where we are, is in danger of another electronic Pearl Harbor, or an electronic Pearl Harbor, another Pearl Harbor but electronic Pearl Harbor this time. And that is not something I want to countenance or even think about, but the warnings are there, and we've got to do it. I'm sure you've had conversations today, as you go on through these things, it's pretty much the same litany that I heard about where to be on January 1st in the year 2000, which is home in bed, with a supply of water and food and some candles and matches and so forth, and it's the same litany that I'm hearing now, about what happens if somebody really does try to make mischief, what happens to our air traffic? Now those of you who fly into Washington National a lot are used to having the power out in the tower, and so have I, and going back to Charlotte, as a result, but when you think of all the things that could go wrong and all the vulnerabilities out there, whether it's your bank records, or whether you turn your electric on and your air conditioning doesn't work in your Florida, in Floridian heat, or your heat in your house in New England, or whatever it is, the hospitals – it's an endless scene. It's just endless. Just try and erase computers from your life today and what would it look like? And then you begin to get the answer. 

I think now that I wanted to talk just for a second about encryption. Encryption is something that I am mightily seized on. And I want to pick up on a little bit that Tim reported to me from some of the questions that you've had. I believe that it is very important to protect our, all of our information, that's obvious, it doesn't need to be stated. We know the consequences of not doing that. And we know we aren't doing it well. But I think equally, we have to understand what can happen with technology if we make sure that all the people in the world have our best defensive strategies and devices. And if they do, I am afraid that some of them will be used against us. And I have in mind people like terrorists, drug traffickers, and others. We quite often talk about uncrackable encryption. And if those things are sold in the marketplace, and our technology has those things to sell, will we therefore ever be able to deal with the bad people who use them? And there is a very legitimate law enforcement and national security concern about that. And I can tell you the impact on the ability for us to deliver good intelligence to our decision makers would be dramatically impacted, if the world was filled with unbreakable encryption. It would make a big difference. It would make a huge difference to the law enforcement people. We don't have a very good hand-off system right now between overseas and domestic in the way we deal with things, because you may remember, we have an unusual situation. Intelligence is not nice, spying is bad, Americans don't spy on Americans; therefore, the CIA and all of the intelligence community, basically only works abroad, and law enforcement handles stuff domestically. And we understand that. And unfortunately, those markers of Queensbury Rules which have served us very well are not the markers of Queensbury Rules that anybody else in the world is playing by right now. 
Even the Brits, who I've talked to a lot about this, have said to me, you have a different approach to it than we do. We have MI5. That says it all. They basically understand that they have a reason to know what's going on and they want good information throughout their country. They have a little problem called the Troubles. And they deal with the Troubles in varying ways. But one of the ways they do it is intelligently with good eyes and ears and good information. Well, we never had that approach to it. So we do our stuff overseas, do law enforcement here, and we try to make a handoff, and we've been pretty clumsy about building that network and it's something we're going to have to do better and quicker. 

But the fact of the matter is, that if we take away the capability to have a court ordered, court sanctioned ability to get at material, we are going to make the war on drugs very difficult. We're going to make control of terrorism very difficult, racketeering will be ever so much more complicated to ferret out, you go down a whole list. It's a very tough decision. The matter of encryption is before the United States Congress today for a very simple reason: democracy works. Representative government works. The industry got together and went to the appropriate committees and said, look. We would like to sell this stuff overseas, it's what we do, it's great, it's going to make us lots of jobs, lots of dollars, lots of friends, it's going to be terrific. And I agree with all of that. And now is the time to do it because others are beginning to dabble in the market. 

But I've also got to tell you, that there are two sides. And the other side's national security and the law enforcement side. And it turns out that the people who were talking to the Commerce Committee inevitably were interested in commerce, and the administrative agency that was involved with this, the Commerce Department, inevitably was interested in commerce. Nobody bothered to ask the national security people what they thought, or the law enforcement people what they thought. And when the thing finally had steamrollered its way through a certain amount of noise and progress in the House, suddenly we woke up one day and said, "These people really mean it. We'd better look at this, there's two sides to this." And we basically drew a line in the sand and said "Stop, time out," we went to the Administration and said "Deal with this, give us a policy." Administration's been struggling mightily with it, as you know, the effort overseas to bring the international parties together so far has been stillborn, would be a useful way to characterize it. The French have gone off in one direction, they won't allow encryption. I'm not quite sure how they police it, but they won't allow it. The Brits do it a little differently – all of the countries are waiting for us. They understand that the big enchilada, the big customer, is the United States of America, and the United States government, and they're waiting for us to get on with it, and we're not getting on with it. We need a policy, we need to deal with it. My view is that we need some type of a key recovery system or something the technology can come up with, but obviously it can't be anything that is easily abused, because then you've defeated the purpose of your protection. 

So that process alone has pointed out to me that our oversight isn't up to this, our administrative policy-making isn't up to this, we are not dealing with the new technology well, we're not dealing with the world situation well, and this is a good test case for us to work with, because it comes at a time when the United States of America is at peace, enjoying prosperity, we have blue sky and there is no reason on earth why we can't get down to brass tacks, focus on this and come up with a solution. 

So, the fact that I've been here tonight, and allowed to make that message, is extremely important to me. I hope you heard that message; I hope you'll deal with that message. I hope you'll help us build a constituency, and I hope very strongly that you'll get engaged in this. This is our future. This is our quality of life, this is our national security, this is our kids' well-being. It deserves our best attention. I know there are a lot of very bright people in this room, and a lot of great capability in this room. That's the challenge in Congress and all of us, to make sure we do our job to resolve this thing quickly. Now we'll go on to the rest of the story. 

I thank you very much, and now I'd like some questions. 

Participant: [inaudible] 

Rep. Goss: I would suggest that the statement I made about our oversight not working because it's not a fit, not only because of the fact between domestic and overseas, because as you know, we have got several government cabinet officer departments involved in this. We've got DOD of course, we've got Commerce, we've got Justice, and then we've got the intelligence community, that's a pretty handsome array of people. The legislation we're dealing with comes out of the Justice Committee. It involves matters of interest to the Commerce Committee, and it's causing real heartburn with the Armed Services Committee, with the Intelligence Committee, and with one aspect of the Judiciary Committee. Now, the fact that the people who are interested in making this go, as people quite often ask me, is "lobby" a bad word? "Lobby" is not a bad word at all. Lobby means extend information back and forth. Somebody did a very good job of saying, look, we've got to do something about the export of this stuff. But the problem is it's not just the export. It's the import as well, because if we are going to have a policy overseas, we've got to have a policy in this country. It makes no sense otherwise. So you can't just deal with it; you've got to deal with the whole thing. And that brings in another committee. And we could go on with lots of committees. 

Now, if we are going to be driven by the … of congressional oversight committees, we are going to fail. Democracy is going to fail. Oversight is there for a reason. Great balance of power, it's a hugely good thing. But the turf-fighting that goes on along those lines is of no consequence whatsoever, it means nothing, absolutely nothing. And that should be the last consideration. If it takes somebody to knock heads to make that happen, my answer to your question is I would like to see the intelligence committees combined, I would like to see just one intelligence committee and I would like to see things like encryption, primarily the property of the Intelligence Committee, from the national security side. I am reasonably sure we could work with the Commerce people, the Judiciary people, on the other two sides. I'm not concerned about that at all. But as a primary function I think that the single most important piece of that happens to be what will happen to our supply of good, timely information to our decision makers if we end up with uncrackable stuff all over the place?

Mr. Turner: Scott asked me to make an announcement … If you've got a question, please stand up and try to project, so everybody can hear, so … next question.

Participant: We started to get into an issue this morning at the end of the panel and left it to die off, about the First Amendment. The United States Constitution is a wonderful document, that's been resilient for two-plus centuries, and the Bill of Rights, etc., but it also was written in a first-wave world, and we now have a third-wave technology, right? Do we need to examine some of our fundamental constitutional protections, such as freedom of speech, to make it, if we need to make it, and alter it in the face of the technology that we now have? 

Rep. Goss: I think it's very, very dangerous to redesign the thirtieth floor at the same time you're starting to tinker with the foundations. My answer to the question is I think that the foundations have served us very, very well. The interpretations that have gone on evolutionarily since the beginning are the areas that, are the ones that keep us engaged, and I would rather stick with that process. Now, should the courts, should somebody bring something to the Supreme Court, and should we therefore have an interpretation by the Supreme Court whose job it is to do this, the answer is we may very well have some issues that come up that way. I don't know of anything that comes into the picture right now that would make me get into the First Amendment; I just don't see it. I mean, if we've gotten to the point where it's wrong to scream "fire" in a crowded moviehouse, and we understand that, and we've gotten to the point where we can have zoning on property rights, and we can understand that, then I think that we are in a relatively easy area, because we understand war, I'm not sure we understand the War Powers Act, but we manage to [laughter] understand war, and we understand …, and we've got that part down pretty well, so I basically think it's just a question of, the toolbox is right, it's just getting the right tool out to deal with this thing. That'd be where I am, but you know, if you've got a specific that we haven't thought of, let us know.

Participant [previous speaker]: No, actually I don't, I mostly raised the issue because I teach at the National Defense University. It's one of those questions I like to roll off my students, not that I have an answer to it, but to make them think about those issues, even if it's just to clarify and sometimes make more concrete what they have already thought through in their careers. 

Rep. Goss: Well, I think it's always good, I mean we test, we have tremendous tests on the First Amendment. We're talking about campaign reform, there are an awful lot of people in this country, I won't get far into this, but there are an awful lot of those people in this country who can't understand why we have more political freedom, that is, money is political expression, than we appear to have religious freedom. I can take money into a school, but I can't take a prayer into school. And when I go to talk to people about things like that, you know, we get into these discussions, and get into the First Amendment. I think that the fact that this country is going through a very big divide right now, and a very healthy debate to try and bring that divide closer together. I think it's very important that it happens and of course a very wonderful time and in the right place. We do it with words, hopefully with intelligence, whereas some other countries seem to do it different ways that aren't quite so …

I think you wore these people out today. You've got to stand or we won't let you talk. 

Participant: [inaudible] 

Rep. Goss: We have a lot of debate on this. There are some people who want to have a constitutional convention; there are some people who want to constantly amend the Constitution through the state route. It's constant testing, it's constant questioning. My answer would be, I like the system of government just as we have now. I like the representative form of government. I think it is a very thoughtful form of government, and I think the strength of this country lies in its very, very many little different parts and places. I can tell you, that I have a much happier time back in my home community than I do in Washington, D.C. I love being home. It's a great place. I went there to live there because I wanted to be there. I picked it out. I was born in Connecticut, though when I got to make a choice I went to Florida. Now, I'm sorry about that, Connecticut, but the weather's too cold in the winter for an old guy like me. And Florida's wonderful. Washington is a constant sense, I mean there's a community in Washington, I'm not talking about the community of Washington, but the business of Washington – there is a constant sense of ebb and flow and listen and take and adjust and compromise and mold and it's fun, when you're trying to work for a purpose and you have people all set together on a common purpose. It's not fun when there are several purposes, and everybody is trying to spin and score points on somebody else's expense and that has been too much the way Washington has been, in my view. I don't think that the United States Congress is going to solve a lot of the great problems …

[end of tape] … and we can legislate forever and probably technology or medicine is going to resolve that issue before the debate ends. And mostly the abortion issue is a political issue. It's not even a medical issue or a moral issue. It's a political issue, it's gotten to be. When we vote on it on the floor of the House, it's all politics, it's a score of points, how many abortion votes do we have a year? I've lost count, 16? I mean, how many times can you revisit it? No. I find that the representative form of democracy is wonderful in the sense that I get to go to my community and see the real America at work and play, and then I have a chance to try and bring that to my fellow colleagues, and share and make the country do the right thing. But I find that the process of Washington is not working as well as I hoped it would. But I am not ready to change it, definitely not. It's still good. Representative form of government … democracy … is excellent. Yes sir.

Participant: [one of the participants asked a question about encryption] 

Rep. Goss: Well, that's a lot of questions rolled into one. The whole encryption question, it seems to me, is that you've got to understand that there's got to be a world system, that we all are basically working with. There's got to be one system that is driven by commercial reasons, in other words, people are using this system because if you aren't in this system, you don't get the benefit of the network. And if you don't get the benefit of the network, you don't compete. So, when I'm talking about the United States government doing business this way, or in France, you know, the Western allies, and everybody else, try to get everybody to agree to go to whatever the regime will be, I think that you get a large percentage of the business. You don't get anywhere near 100 percent, but you get a large percentage. And there are always going to be freelancers out there, that are going to come up with a better product, and they're going to be out there, peddling it off in the bushes to the mischief-makers. There's no question about that. I'm not suggesting this is a Pollyanna-ish view here, at all. I believe that what will happen, however, is that if you get the great majority and all of the legitimate business properly protected, with the right assurances that law enforcement, properly authorized, can get in to plain text somehow if necessary when legitimate law enforcement or national security purposes, whatever those checks and balances are built in as we've done with telephone taps or whatever else. I think that's a big chunk of it. Now, that also allows our guys to go out and work a little harder on that 20 percent or whatever it is, that's mischief-making, and frankly, you're probably never going to get all of those. Frankly, you're going to have to go to the human factor on those. 
You're going to have to figure out if it's, you know, where's the weak link in the chain, the weak link in the chain is the human being who doesn't quite understand how to use it or what it means. And frankly, that has served us very well, so far, it's not going to serve us forever, but it should be …

The other thing, you know this idea that the government is going to have the key has got to be put out of people's minds. Yes, that was an idea that was put out there at one point. I don't think anybody is advocating giving the government the key now. I equate this a little bit to like creating a poison that is really good for killing rats, and this is a wonderful poison, we will sell it world wide to kill rats. Unfortunately there's no antidote for this poison. The question is, are there some people who will then take that poison and use it not to kill rats, but to use it on people, for which there is no antidote, say American people, say American people overseas, tourists, airplane pilots, CEOs, that's the problem. I don't like the idea of putting something out without an antidote. And it's really all we're really saying, that the right people ought to be able to deal with this under the right restraints and controls. Now I am not advocating, I have never advocated giving Big Brother anything. Remember, I'm a Republican, we don't do that stuff. I do believe, however, there are ways to suggest that somebody else can have a key, or somebody could create a system that has a way to get the plain text, so that there is a recovery. One of the things that's been suggested to us in this debate, is that if you create an absolutely uncrackable system, and only two people know this stuff, one of them dies, you've got a problem. There's a lot more to this, obviously, than we're talking about. With information assurance, we're talking about the whole question of certifications and authorizations and is it real, authentication, did I get it, was it tampered – all of that stuff. But I'm only talking about the encryption piece. To me the encryption piece is the easy piece. If we can't figure this one out, then I don't know how we're going to deal with the rest of it. Now, the problem isn't technology, it's the ethics. 
The problem is the horse and buggy, and the horse and buggy is about to be run over by the race cars. Yeah, and you're right, pretty soon nobody will notice the horse and buggy at all, and they won't care anymore, and it will be gone, you're absolutely right, it will be gone. So when I say now is the time, I mean now. And this thing has been on the legislative front burner for about nine months. It's got a whole bunch of co-sponsors, some have come off, incidentally, since it's been explained that this is not just Commerce and Judiciary, that it is now National Security and Intelligence. And members have come up and if they begin to take an interest in this they understand that there's a little bit more to this than responding to the guy who sells the software, who runs the software operation, and they're history. Now I've heard from those folks too … I get my … back, and they say well, that's not the side we're interested in, we're only interested in the exporting side. So I say it doesn't work that way, it's got to all work together in a comprehensive package. So that's really the take on it. And I don't pretend I have the answer. I don't know. That's why I'm saying that people who understand technology have got to figure out a way to get us to plain text if there needs to be a right, and still preserve the protection.

Rep. Goss: We'll do two more, quickly, I'll make the answers short. 

Participant: Let me throw a curve ball … if there's no leadership on your side, who's going to step up to the plate?

Rep. Goss: Let me say if there's no leadership, I don't mean that as a pejorative comment. I'm not making a shot. I don't see on either side of the aisle, I don't see anywhere on the political landscape right now, a person who wants, who can win, who is seized with the initiative, and the time, and the commitment to go do this, hopefully has caught the fire of the people in this country; has caught on in any way. There's just no Winston Churchill out there to make the speech right now. Now, in hard times, we rise to great heights. I hope we don't have to do it that way. I'd rather try it the other way. So some people say, what about Colin Powell? Colin Powell would be great, I don't know if he knows anything about this or would want to do it. He said he didn't want to run for President so maybe he doesn't want to do this. How about Dick Cheney? If I could get Dick Cheney to do this, it'd be the greatest accomplishment of my life. I have a great deal of confidence in Dick Cheney. I think that there are people there, but I don't think anybody is seized yet and I haven't identified anybody, so when I say an absence of leadership, I mean nobody has put their arms around this and said, "Folks, it's time!" Bill Gates is fighting for his life on another thing. Maybe he understands this, but I think he sees one side of it and not the other side of it. And you can't have it that way, it's got to be balanced. 

Participant: [inaudible] 

Rep. Goss: I think you're absolutely right. That is a very good question. I don't think anybody is suggesting that the encryption legislation is going to get into the First Amendment or have anything to do with the Constitution, I don't think it's going to go that far. But I do think that there's a real urgency, because while we're sitting here, people are going into different systems, creating mischief, making deals, stuff is going on, we're losing jobs, we're losing market share; all of that's probably true. And so I think that this is a solution that needs to be found, otherwise the problem is going to outrun us but I don't think it's a Constitutional question, but I totally agree with you on the Constitution, I don't like messing with it. 

Thank you all very much, you've been very kind. 

Mr. Turner: Congressman, we thank you very much. I have a couple of very small, de minimis tokens of appreciation from sponsoring groups. I have a number of things I'd like to say about what I heard; just about everything you said I agreed with, but on the second to last question about who's going to stand up and take the leadership and so forth, I was sitting here listening to you say you didn't know who should do it. I would give you the same advice I gave the Senate Intelligence Committee when they asked me for my opinion on this whistleblower bill, I said if you pass it and you want to know where the lawbreakers are, well I'll use the same answer and say if you want to know who can lead this country, go look in the mirror. Thank you very much. 

Rep. Goss: I appreciate that, and all I wanted was to be reassured that these are Ethics-approved. I've been told they are, and if they're not they will be displayed and not possessed. Thank you.
 
 
 
 

Information Conflict in the 21st Century

Tuesday, April 21st, 8:30 A.M.

Moderator: Gary Sharp

Panelists: Daniel Kuehl

William Gravell

Chuck de Caro
 
 

Mr. Sharp: Good morning, ladies and gentlemen. We hope that everybody's enjoying the conference so far – I know that we are, from our perspective. We're learning a lot from the interaction that we're getting from you. Today's panel is "Information Conflict in the 21st Century." Sun Tzu taught us in the fourth century B.C. that "the battle is won before it is actually fought." Little did he know how true that would really be in the age of information conflict that we have already entered. Let's focus on the title of the panel for just a few minutes. "Information Conflict in the 21st Century." We carefully chose the phrase "information conflict" for a certain connotation. When we first started looking in the early 90s at the IW issues, we were thinking of it in a military context; we were thinking from purely a command and control aspect. There were about five or six subsets of command and control warfare, such as psychological operations, electronic warfare, and … But that was a context, because we really didn't have our arm completely around the problem back then, so we thought about IW in the context of simply command and control warfare. And that's how you will see most of our standing rules of engagement and other doctrine that's focused right now in writing. And as we began to evolve, we started thinking in the context of a greater picture, and started looking at the government and the nation as a whole, involved in a thing called information operations, where we maintained IW as something of a subset of information operations, but information operations is now a broader construct that we're going to be trying to use when we are talking about the issue of information in the 21st century.

So we chose information conflict to try to describe something that is a little bit broader, in perspective, than that. We're not really sure what it is, but that's what the three speakers we have here this morning are going to try and explore for us. Dan's going to talk about things out of the box. He'll look at 21st century conflict, and how we perceive that it may be – not how it will be, but how it may be in the 21st century. And I think that we have three speakers this morning, that are very dynamic, that are going to be so provocative and exciting that if you haven't had a chance to get your caffeine yet this morning, you probably won't need it to stay awake with our three speakers this morning. 

I will first introduce each of them in turn, as they go through their presentations, but first I'd like to collectively say one thing about all three of them – all three of them have written and lectured more than I could probably read off to you in the next hour. What I'd like to do is only mention very briefly one thing that each of the three of them has written. Over the last four or five years I have collected and come close to reading everything that I could find on information warfare and information operations. Only recently have I found a book, called "Cyber War," that I thought was the most provocative and the most interesting that I could find on the future thinking about how everything's going to be working in the future. Do not think that I'm getting paid for plugging this or anything at all, but I wanted to highlight for you that Chuck de Caro, as well as Dr. Dan Kuehl, have both written chapters in what I think is one of the premier texts in the area. Dr. Kuehl has written a chapter on strategic information warfare and comprehensive situational awareness, and Chuck de Caro has written a chapter on software, which he'll be talking to you a little bit about this morning.

Maybe not as provocative, but perhaps as influential, has been an institutional publication that was primarily authored and edited by our second speaker today, Captain Bill Gravell. Most of you have probably seen this pamphlet, this publication, on "Information Warfare: A Strategy for Peace and a Decisive Edge in War," and this was a product that's put together by the Joint Staff and an organization that I'll talk to you about a little bit later, but this was primarily authored and edited by Captain Gravell. 

We could probably go on and on this morning, talking about some of the other things that they've written and they've done, but our first speaker this morning is Dr. Dan Kuehl. He is going to discuss information warfare and give us a glimpse about what 21st century conflict may look like. Dan has his Ph.D. in history and is a professor at the School of Information Warfare and Strategy at the National Defense University, where he teaches military strategy and national security policy. His doctoral dissertation focused on the Air Force employment of electronic warfare in the ten years immediately after World War II. Dan is also the chairman of the Information Operations Department at the Information Resources Management College at the National Defense University. Dan retired as a lieutenant colonel in 1994, after nearly 22 years in the United States Air Force, and I would guess that the two tours of duty that he enjoyed the most were his 2500 hours that he spent underground in North Dakota as a Minuteman ICBM missile crew commander, and the three years he spent underground at the Pentagon on the Air Staff where he was one of the planners for Instant Thunder, which was the strategic air campaign against Iraq. As part of his follow-up duties on that, just before he retired, he was very instrumental in writing a number of post-war lessons learned as well as the critiques of the Persian Gulf War. Dr. Kuehl? 

Dr. Kuehl: Thank you, Gary. What Gary asked me to do this morning was to make recognition of the fact that a good segment of the audience a) is not a member of the information warfare community, and b) really has no connection to the military; and to scope out the groundwork and the basis for some of what's going to come afterwards. So I'm going to talk about "information warfare" and "information IN warfare." By the way, on the screen you see my e-mail address, so if you have any questions about what you see, send an e-mail and we'll be glad to chat with you in cyberspace. Next slide please. 

Gary mentioned outside of the box thinking, so I think it's probably useful at first to set out what that box is that we're going to step outside of. These are some of the things that I want to discuss – first of all, to give you a little bit of the context and background in 20th century warfare, because that's what we're moving from. Then I want to discuss the differences between information IN war, and information warfare, and threaded throughout that discussion you'll hear me talk about perhaps some changes that are driving us in this direction, some of the new concepts, perhaps the new target categories that we're going to be faced with and dealing with in the future.

What is war? Well, unless you're a military historian or a closet Clausewitzian (and I'm both of those, by the way), you probably have not read Carl von Clausewitz's massive tome on war, the philosophical and theoretical exploration of what warfare was. Clausewitz wrote in the early 19th century, and I've bold-printed the two phrases or two words that are probably most-often focused on when reading Clausewitz, that war is an act of physical force, a pulsation of violence. Physical force – violence. And that's the paradigm of warfare that probably most of us either have or came from. Less often remarked upon but still in book one, chapter one is the reason for that force and violence, which is the imposition of our will on the adversary. What I want to explore today is how we go about imposing that will on an adversary or how an adversary might impose that will on us. Within the paradigm of warfare that Clausewitz described, there were two critical actors – warriors and states. The warriors were the people, the army, the navy, the uniformed military that engaged in warfare and combat in the service of the state; whereas the state was the recognized political entity that had the authority to direct war and direct warriors into combat. As you'll see later on today, I want to get into a little bit on how that class of warriors, how those actors known as states, keep changing in response to the information age. A part of the construct of warfare in the 19th century was the first international codification of institutional norms for how this activity known as war would be carried out. We saw some of that discussion yesterday when we started talking about the laws of war and how the legal environment has to evolve to shape what different agencies can do, etc. A part of the context of war in this century has been the nature of the modern industrial state and the influence of technology on warfare. I want to spend a few minutes discussing those things. Next slide. 

When you look at warfare in the 20th century, one factor sneaks up and grabs you by the throat – the unprecedented killing and dying power of the modern industrial ideological nation-state. We saw that in World War I, we saw that in World War II – the amount of destructive force that the modern nation-state can bring to bear in conflict is unbelievable, and the amount of destruction that the modern nation-state has been able to withstand has been equally unbelievable. That's the paradigm of warfare that we come from. What has made that possible are the various sources of power that the modern nation-state is able to draw upon, that cut across all different layers, elements of society. What we are seeing is that it appears that what were once traditionally protected sanctuaries or groups are no longer protected. If you look at Hague, 1899, there were prohibitions against the attack of undefended towns. Please tell me what an undefended town is in an era of nation-wide air defense. Protected groups in the Clausewitzian paradigm would have included non-combatants, and non-combatant community is an important part of the modern law of war. One of those groups, of course, were women. Well, what happens when you have thousands of Rosie the Riveters? And thousands of previously-protected individuals that are engaged in critical activities that support the power of the state? It changes our paradigm of what warfare is.

If you know your air power history, and I am an air power historian, but if you're clear on the concept of the industrial web, the basis for American strategic bombing in World War II against Germany, the industrial web was nothing more than a series of interlinked infrastructures, which of course ties into the reason for this conference. Those infrastructures draw their strength and support from wide areas of society. We are evolving towards in this century, I would argue – this is not a good trend – what I've called "war to the death." World War I was, in some ways, and this is going to sound strange, the last of the great traditional limited wars. I know that sounds strange to use that term in reference to a war that killed tens of millions of people, but it was fought for traditionally-limited political objectives. That's no longer the case, and as we saw in World War II and increasing throughout the rest of the century, wars have been fought for the extermination of ethnic groups, religious entities, entire political states, and that's part of the paradigm of warfare that we're moving into in the next century. 

Another part of this is the influence of technology on war. The 20th century has seen the evolution of what I call "multi-dimensional" warfare. A hundred years ago, warfare was simple. That's a pretty ludicrous thing to say, but I mean it in the sense that it happened on this surface, right here, on the plane of the earth. It was one-dimensional. Then we applied airplanes and submarines to warfare and it became three-dimensional in about two decades. Sort of a 1920s thing. Above the surface, on the surface, below the surface. The rest of the century has just intensified that trend, as we've moved into space, outer space, and moved into cyber space, and I'll talk more about cyber space in a few minutes. This evolution towards multi-dimensional warfare has had an impact upon the traditional law of war. We see examples of how the traditional concept of the law of war has had a very uncertain fit with the technological revolution we've gone through – for example, unrestricted submarine warfare, now outlawed. It would be useless to discuss and debate the militarization of space; it's been militarized for forty years. We are debating the implications, perhaps, of weaponization of space, and perhaps even in the future, net-war, computer network attack, etc. What I'm driving at is that, and this is particularly applicable to an audience that has so many real professionals in it, technology has always raced out ahead of the law. The law is a reactive body, and so we are struggling now in a legal sense to make heads and tails of what the impact of the information age is on national security and on warfare. 

As Gary mentioned, the first terminology that we in the military really started using in relation to information warfare earlier in this decade was command and control warfare. I would like to call it information technology IN war; information technology in support of blast, heat, fragmentation – all important things that the military needs to be able to do, and we can do that very well. Gary mentioned that I had a role in the planning of Instant Thunder. I have very vivid memories of being down in the basement of the Pentagon, during the war, faxing target photographs to my colleagues over in the black hole with notations such as, "third window down, third window from the left." Put a weapon into that precise location – that's an incredible capability we now have in modern military systems – but it still is the same old kinetic destructive warfare. We need to be evolving beyond that. That is the foundation for, but it's not the same as, information warfare. Next slide. 

Here are some of the changes that I think are driving us from information technology in war to information warfare. One is the evolution of cyber space. Cyber space is not a metaphor; it's not as William Gibson, author of Neuromancer, described it, a "collective hallucination." Cyber space is a real and physical operational environment in which we conduct military operations now; we did during World War II, and we will in the foreseeable future. A part of this evolution is a trend that we call "digital convergence," which is the capability to take almost any kind of information that you can imagine – music, photography, books, anything on print, etc. – and digitize it, turn it into ones and zeros. And when you can do that, you have an unprecedented ability to manipulate it, change it, alter it, exploit it, ship it anywhere around the world, etc. Digital convergence. Then you link that with the next bullet, a trend that I call the "digital omnilinking" of the telematic world. The omnilink involves electronic and digital networks that span the globe. We have an unprecedented ability to connect people on a global basis. Every single day that goes by, more and more individuals – I mean such as you and me – more and more agencies – whether that be economic, business, political, governmental, military forces, even entire countries – are making the decision that to be successful, you have to plug into that electronic-digital world. And that is changing the face of global politics, global strategic balances, it's changing the faces of combat and warfare. Related to this is a term, an issue that we raised a few times yesterday, of SCADA – Supervisory Control And Data Acquisition – the means by which the central computer systems that control infrastructures reach out, contact their component elements, monitor for status, and direct autonomous actions.
When you bring all of those factors together, we have – and if I have a thesis this morning, this is it – we have information as an identifiable and distinct environment in which we are beginning to operate. 

That brings us to "What is information warfare?" I was surfing the Web a week or so ago, looking at a site in Georgetown, and I found myself quoted as saying, "Anyone who makes more than $5 a day and works east of the Mississippi River has their own definition of information warfare." Whether or not I said that – I probably did; it sounds like me – I certainly believe it. In concert with that – that's why they call it information warfare, the struggle to control and exploit the information environment that I posited a few minutes ago – how can we do it? The electromagnetic pulse designed to disable electronic systems that, for example, control the flow of energy within a society; computer network attack, that country A could use against country B to seize control of an air defense system, make it go shields down; perhaps the use of a morphed television broadcast designed to discredit leadership and perhaps raise the specter of ethnic revolt in a country. The information environment is simultaneously virtual and textual – who of us has never used the phrase, "What's the political environment right now?" There's a contextual-virtual aspect to the information environment, but there's also a physical aspect to it, as I mentioned earlier, that's cyber space, and what that creates is potential to operate against targets, the adversary's ability, the adversary's wealth. What might some of those new targets be? One, that you're probably all familiar with, is hardware. The physical things that we use to control the flow and supply of information – the means that we transmit data, the means that provide functionality to those infrastructure elements that the PCCIP explored. We are less familiar with things like software as a target. Either the coded program – instructions that tell data systems how to work – or even the digital content itself of the data that we send around the world. Even less well understood is a concept called wetware – the part that's between the ears.
The human factor; the beliefs, the perceptions, the mindsets that govern how human beings act and make decisions. Whether it's one brain, whether it's 50 brains in Appropriation, whether it's 5 billion brains, residents, inhabitants, the citizenry of a society, it raises the specter of "Soft War." I know that my friend Chuck is going to discuss that later on this morning. This generates new concepts for warfare. Admiral Cebrowski, author of an article in the January 1998 issue of US Naval Institute Proceedings, eloquently described a concept of use to us, called network-centric warfare, meaning that the ability to control and operate within command and control information supply systems will be the dominant factor in future warfare. He may very well be correct, but I suggest that that's a relatively narrow piece of the pie view. Next is a concept that I've been trying to do some writing on – wetware-centric warfare, meaning making the wetware, the human factor, the decisive target and decisive element of our information operations – all information lenses by which a populous group derives their perceptions. This is not new: the Brits did it extraordinarily well from 1914 to 1917, and I could tell you some more stories about that if we had more time.

The third concept that I have seen recently is entropic-centered warfare, which has, as its objective, the generation of entropy, the generation of disruption and disorder within societal elements. That would suggest that one of the reasons why the PCCIP was created was the threat of entropic-centered warfare against the United States because of our dependencies on those data and information systems. 

Of course, what this raises, the question it begs is, is this warfare? How does this fit with that Clausewitzian paradigm of force and violence? The hypothetical I gave you a couple of minutes ago might leave the enemy military degraded, might leave them defenseless to attack, might leave their population in disorder, but does the non-kinetic generation of effects parallel what we did in Desert Storm, where we had to drop the bombs across the borders, is that still warfare? I don't know, that's a question we're going to debate here today. Does war require force, violence, explosions and bloodshed? I'm not sure, but let me give you a potential answer to that. This is the target list from Operation Dangerous Opportunity – posited for April 2005. Every year, and it's happening right at this instant, students from the Army, Navy, Air Force, and Marine Corps War Colleges travel to the Air Force wargaming center at Maxwell Air Force Base in Alabama, to engage in a multi-school war game. They played the Blue forces. The students from the National Defense University, the National War College, Industrial College of the Armed Forces and my old school, the School of Information War, played the Red team. This is the Red team's information operations target list last year against Blue. Interesting – military command control and logistics control. Purely traditional military elements. But look at the stuff that's under it – banking, energy control, telecomms, etc. How does that fit into the paradigm of warfare – especially when the means used to affect those is non-kinetic – does not cross physical boundaries or borders, etc.? All with the objective of degrading the ability and the will of the Blue forces to engage in operations. 

So, in conclusion, and I'll try to set the stage here for Bill and for Chuck, for those of you whose memories go back to the Vietnam era, you may remember a trite little phrase that said when you're standing in the swamp and you're up to your ass in alligators, it's hard to remember that your initial objective was to drain the swamp. Let me suggest that in the field of information warfare, we're standing in the swamp right now dueling with the alligators, trying to find our way through the morass that we're standing in. First of all, I mentioned the Clausewitzian paradigm that there are warriors who engage in warfare in the service of the state. Are we seeing the rise of a new warrior-class? The keyboard warrior, or as one of our colleagues calls them, the ultimate revenge of the nerds. And I'll mention that we ran through the example yesterday of Analyzer, the person who's masterminding the computer break-ins against the DOD – you know what Analyzer is doing now? He's in the Israeli army – drafted. I would suggest that that's really a pragmatic use of those kinds of skills. Would there be value in taking someone like Kevin Mitnick, and instead of locking him away, putting him in the service of his country or something? I don't know if that'd be a good idea or not, but we're trying to think outside the box here today.

What's the role of kinetic force and kinetic violence in future warfare when we might be able to create some of those same effects without resolution to blowing things up and breaking things? What are the political ramifications of doing something like that? The legal regime in which we now exist for interstate relations and warfare is founded upon the overriding importance of physical, territorial sovereignty. As we're all aware, where are the lines of sovereignty in cyber space? We haven't even begun to try to draft out where those lines are. Who are the actors? In the Clausewitzian paradigm you had identified warriors and identified nation-states – physicality. But in the cybernetic world in which we're living now, the information age, we have virtual actors, non-state actors that don't have territory, don't have population, many don't even have easily identifiable leadership, but that are able to conduct operations that have political impacts on a global scale. The use of infrastructures that span the dualities of civilian support in society and support to military operations is central to this discussion and central to the Report of the President's Commission. The boundaries between the architectures, infrastructures, are fairly blurry. The legal responsibilities and tasking in the future for who protects those elements may also become blurry. We all recognize that about 95% of the DOD's communication needs are handled by the plain old telephone system. It may very well be a legitimate target in wartime. The DOD did have a responsibility for protection of those infrastructures. 

How do you do BDA – I don't mean bomb damage assessment, I mean byte damage assessment – in this environment? The military planner or analyst may have a hard time working their way through that. And my last comment and bottom line is, the paradigm of warfare that we have lived in for the past one hundred years or longer has focused on the means used, physical force and violence, creation of destructive ends in support of state policy. Let me suggest that in the world in which we are moving towards, information conflict in the 21st century, we need to take a new look at the ends attained rather than the means used, because it may very well be that when Country A reaches inside Country B and uses electrons to turn off the air defense system, Country B says, I've been attacked and I'm going to respond with deadly force and the traditional form of warfare would arise. With that, I look forward to questions and I'll turn the panel back over to my colleagues.

Mr. Sharp: Thank you, Dan. Our second speaker today will be Navy Captain William Gravell. Captain Gravell is a 1973 Annapolis graduate. He was commissioned as a line officer, and qualified as a surface warfare officer during his first tour aboard a guided missile cruiser. He, too, has spent a fair amount of time underground, or I should say underwater; he's had five submarine deployments, and balanced that out with 13 aircraft carrier deployments. It was certainly something to keep him busy over the years. He's also studied Russian, and he has graduated with honors from the Defense Language Institute. He's also been formally trained as a cryptologic officer, and has significant experience, from looking at his resume, in information attack, information protection, as well as cryptologic exploitation. Both of the tours that I picked out of his fairly impressive resume to talk about this morning were in the Pentagon. In 1983, he was hand-picked to serve on the staff of Chief of Naval Operations, to create and then manage, which he did for three years, the entire Navy's command control communications countermeasures program. He left from there, went back out to the fleet, and then in 1994, when he was serving in Bosnia as one of the eight American citizens that were there on the ground receiving fire, he was again hand-picked to come back to the Pentagon to serve on the Joint Staff where he created and was the first division chief of the Joint Information Warfare Division, J6K. If we can pause for a moment, it's important to discuss some of the things that he did while he was there in J6K, because we've been talking about them all day yesterday. The J6K was really the first serious effort that we had to approach integration of the defense information infrastructure and national information infrastructure protection in a very broad context. 
He pioneered and led a number of international efforts and was one of the members of the selected states to look at IW protection issues. He also served as alternate DOD commissioner to the President's Commission on Critical Infrastructure Protection. He was one of those very few people – we've heard a lot about Eligible Receiver – but what we haven't told you yet is that Eligible Receiver was a no-notice exercise that only a handful of people knew about and designed and planned up front before the Red team attacked. Most of the people involved were on the receiving end of the Red team attack because it was in fact a no-notice exercise conducted by the Chairman. Captain Gravell was one of those very few who helped plan and construct Eligible Receiver from the outset. 

I worked on the Joint Staff for the same three years that Captain Gravell was there on J6K, and I can tell you from my personal observations, watching him there, that I believe that he has contributed more to our nation's vision of what information warfare and information operations is, and to a fuller understanding – not that we're there yet – but to a fuller understanding of the interagency responsibilities by the interaction that he's had with all the other fellow agencies of government while he served at J6K. 

Captain Gravell is going to share with us today a few of his thoughts on the evolving nature of national security and national security law and the information age. Captain Gravell? 

Captain Gravell: Well, like the Sundance Kid, I'm better when I move, so at some point I'm going to get down and start moving around and waving my arms. I'm going to try and move through this very quickly; now, I will invite your attention to the package that I've left out there on the desks; you'll find very little commonality between those words and the ones I'm going to express. Part of that has to do with the fact that this is an enormously broad subject, and I'm going to only be able to get the high points in 20 minutes. I'm going to basically start with the notion that the American military is information-dependent. I'll do that very very quickly, because it's an easy sell. From there I'll move to examine the fundamental relationships and domestic equities, including legal relationships, and then we'll examine questions regarding national security. 

[Slide] Again, a survey view of the American military in the late 20th century. I will declare as a matter of fact that there are fewer military capabilities, material capabilities of every sort in the United States military today than at any time since the 1930s, since the serious advent of military aviation, since the development of the aircraft carrier, and so on. The effect of that, coming at a time when the military is also being called upon to do more different things than it has historically done, means necessarily that each unit is being required to do more, in two dimensions: More different things, which it may or may not have been initially intended to do when it was designed; and more of each thing. The way that those two are achieved, and quite effectively so, is through wholesale adaptation, adoption rather, of information technologies and command/control mechanisms, which I will briefly discuss. They basically herd into three categories: (you just heard a reference to network-centric war-fighting. I draw from that nascent concept when I speak of this.) 

A set of things having to do with the way in which we gather information, some of which is organic to our forces and some of which comes to us via national intelligence; a set of things with which we act upon that information, that is to say, precision guided weapons. (As a data point for you, in 1991 in the desert, approximately 10 percent of the weapons and the weapons platforms were capable of working in this way. At the turn of the century, virtually all weapons platforms will be capable of utilizing all of the so-called "smart bombs."); and finally, the information backbone, if you will, or the connectivity that allows all this information to be shared in a vast sea of knowledge, which everyone can access in ways I'll describe in a moment. The effect of this is that military power in the United States goes beyond overwhelming – it's absolutely insuperable. No one with television in 1991 is suicidal enough to even contemplate directly confronting American military power. As we read classified and even unclassified writings from all of our potential opponents, and some of our most envious friends, we see this reaffirmed time and again. The issue, therefore, is not how we will fight, but how we should accommodate those with whom we fight because they know the enemy can't overwhelm us. 

The notion of bringing in allies and fighting in joint ways is essentially a political development of the late 20th century. That's a whole discussion by itself, but suffice to say that from the point of view of information operations, a military organization is a complicating factor because it demands relationships across organizational, technological and sometimes language barriers. 

Finally, there is the notion of offensive information warfare, which I will only acknowledge the existence of. I've been working in the field since 1983; I bet no one in this room, (maybe four or five people in this room) knew about it back then or even earlier. Only in the very recent past has this black art been acknowledged as a component of American military power. Impressive in its own way, it opens up numerous questions of several sorts. 

[Slide] Continuing to discuss the American military, there are certain technical characteristics around which the organizational structures – I've just described the operational features – revolve. One is something called "open architecture." Think of a house, which has electric current in it. If one were to construct a house on an open architecture, you would be able to bring any appliance into that house and plug it into an outlet on the wall, and the number and type and shape of the prongs on your plug would match the outlet. Furthermore, the power, the electric current in the house, in several variables of voltage and phase, would also be correctly matched to the appliance. So you plug it in, turn it on, and it works, without any fire or anything. You all say, big deal – what's the surprise? Take it from someone who's spent ten years living overseas on three continents – folks, it doesn't happen that way automatically! The next question is, generic hardware. Generic hardware means things like: in the Navy, we have something called the F&A18, the Fighter and Attack plane number 18. This is a new concept. This means that literally with the push of a button in the cockpit, the pilot in an instant can reconfigure the communications systems, the target engagement systems, the target displays, the radar, and even control surfaces, in some respects, to make the airplane think that it's fundamentally changed, in spite of the fact that the metal composition of the plane is totally unchanged. This is achieved with software; this is the coming thing. One airplane, with the ability to do what I described earlier – do more different stuff. This is progress; this is good news. It also means, however, that software is utterly critical in the design, and in the construction, and then the successful operation of the platform for as long as it's used.
These generics, which are not necessarily controlled throughout their manufacture by people you would consider trustworthy, become a matter of vulnerability. As a matter of record, the F22, which is the next big "good thing" for the U.S. Air Force, (and apologies to my light-blue shirted colleagues,) has two million lines of computer code in it, 40 percent of which is being written off shore. The nominal cost of writing computer code is $100 a line – that's the industry standard average. Over in India it costs $65. Guess where the F22 is being coded, by and large? And, the industry standard of the cost of validating or verifying computer code is 40 percent higher than the cost of writing it in the first place. Ask yourselves how much money we've spent in validating and verifying that code? This is just an anecdote; this isn't picking on any one service or project; this is a trend. The bottom line, essentially, is that America's forces are incredibly powerful, more so than any time in the past, but they are that to the extent of, and by virtue of, the mechanism of information technologies …. If that is true, you can easily see that by stripping away that value-added, you end up with a force that is considerably vulnerable. That's my problem in the first instance, but now let's talk about how it becomes all of ours, as we think about ways in which an opponent might seek to do that.

[Slide] I was astonished to learn yesterday that the average juris doctor has never heard of the Laws of Armed Conflict. I won't embarrass anyone by asking for a show of hands of which of the lawyers in the room encountered that particular body of law in law school. I'm told, reliably, that it's a small fraction. So I'm going to try to skip quickly through something that I have some reason to believe most of you haven't been educated in. Simply stated, there's a body of law called "The Laws of Armed Conflict." One of the court findings in that regard came at Nuremberg in 1946 in which Karl Doenitz, then the – former, that is – head of submarine forces of the Nazi Navy, was tried and acquitted of the charge of unrestricted submarine warfare as being an inherently abominable form of warfare – inherently in violation of the laws of armed conflict. He was acquitted on the charge. Thus, the law and the courts have held that the conduct of attacks by surprise, without warning against any vessel or platform conveying material of war to the support of an opposing belligerent – wherever and however encountered – are a legitimate act of war. Third parties, neutrals, women and children, in the captain's cabin – everybody. And I might add that other legal purists have held that, in fact (it was never tested in court), the United States was "at war" in 1991 – that a state of war, that would have held up in the international court, was in place between the United States and Iraq at that time. The effect of that is, although Saddam Hussein did not – then or now – possess submarines that were likely to challenge America on the high seas, he does possess the ability to hurt extensively and to reach into and influence America's information networks. What are the implications of attacking one of those data systems, perhaps in such a way as to derail a trainload of tanks moving from Fort Hood to the seaport at Galveston? 
What are the implications if, in so doing, that train rolls over and squishes a busload of kids going to Baptist Bible camp? Or the implications of public reaction? What are the liabilities involved? Will insurance indemnify the UP (Union Pacific Railroad, the carrier in question)? Or will the "acts of war" clause in the insurance policy be used to decline coverage? This, in fact, we saw happening in the Gulf. You may recall that happening with regard to American-flagged tankers in the Persian Gulf in approximately 1987, partly because Lloyd's of London was withdrawing insurance coverage under the acts of war clause. Those tankers, third party tankers, were carrying what was judged to be war materiel in what was declared to be a war zone. In a larger context, the point that would be made here is, think about the amount of effort that went into creating the campaign strategy executed in Iraq in 1991. Think about the complexity, the timing, the sequencing of events. Now think about the effect of a public outcry – an emotional public outcry – fueled by congressional footstomping, that would disrupt that timeline and potentially lead to the commitment of forces or the taking of actions before the decision makers felt that the battlefield had been adequately prepared. Recognize the difference between the effect of a natural disaster and the act of an evil human being in our society. Think of the floods in North Dakota versus the Oklahoma City bombing. Think also what happened immediately upon the Oklahoma City bombing – remember what happened, right away? There was an outcry – "I saw two Arab-looking people running away – Let's go get those guys!" …. Self-defense is an interesting concept – we've heard it suggested that everybody's entitled to protect themselves. In the case I've cited, the UP is entitled to protect itself – it's entitled to put up firewalls and prevent people from getting in, and to take them to court and prosecute them if they do get in and disrupt. 
But I will tell you that as a matter of technical truth, once they are in, it's too late, folks. You cannot prevent them from degrading or destroying, having penetrated your defenses. So at what point in the time line, or at what point in a process line, does that right of self-defense become operative? Are you entitled to preemptively attack someone who appears to be, in your judgment, preparing to attack? Well, there's a legal slippery slope. This takes us back to the 19th century, when trap guns, that were intended to prevent poaching in fields, were subsequently declared unlawful. Interesting legal questions. We cannot correctly, I suggest, compare the rights of self-defense as held in law that relate to physical property. They do not extend directly to virtual property. 

[Slide] This slide is fairly complicated, and now I'm going to start moving. We've heard a lot of discussion about the notion – Indications and Warning – and the term has been glibly thrown around – let's examine it for a minute. I put it to you that "indications" and "warning" are two, fundamentally dissimilar, processes. It is a matter of detecting an indication, and of disseminating a warning, about those insights. We start with the question, "what am I protecting, and to what extent am I protecting it?" What's the threat? Let's think about one of the quintessentially successful examples of I&W – North American ballistic missile defense. When we understand that the Soviet Union possesses nuclear-warhead-tipped rockets that we wish to not have land on American cities, we can construct a very successful I&W concept relating to that specifically, because we know that the vulnerability has certain dimensions and features to it. We know that the rockets will have to come over the North Pole. We know some things about orbital ballistics, orbital mechanics and so on. We understand how they would work in physical terms, we understand how much specific impulse, how much rocket power would be required to get a certain mass a certain distance, how long that would take. From these insights, we are able to create sensors specific to those insights. Now a truck scale, a bathroom scale, and a pharmaceutical scale all measure the same physical process – weight. But they're obviously not interoperable and interchangeable. The reason is because the additional features of specificity and the accuracy and of the total range over which the sensory inputs must be accurate have to weigh into it. So how can we talk about building sensors which will be variously emplaced in government, civil, or some combination of both areas until we have some idea what we're modeling, based on what specific vulnerabilities, based on what, precisely, we're trying to protect. 
Here I think Michelle Van Cleave has some excellent points. Now, in the case of North American air defense, all of this taken together leads to analysis by people who are focussed on the specific question, who can then disseminate warning to a party or a group of interested parties, including people like the President, Strategic Air Command and the military. Let's now contrast that to a hypothetical case involving information warfare. We could sit here for weeks and think about precisely what is the information base of America we seek to protect. I personally have been staring at this subject for years and years, and I have some ideas, but I would never suggest that I've got it all figured out. I defy anyone in here to think that they do. I suggest to you we don't know the extent of it – are we protecting against the destruction of our nation? I put it to you that on the notion of "Information Pearl Harbor," if your test of that occurrence is the same kind of physical destruction and explosions that occurred in December '41, you're on the wrong track – we're never going to see that. However, the nation and its "values" can be influenced in ways that don't necessarily have that much to do with physical destruction. Once we know what we're trying to do here (and I put it to you this is not something that is properly done or doable by the intelligence community, the FBI, the Pentagon, or all of those put together), this is a national debate. Then the rest of this can be done. Think about the relationship to the civil stakeholders. Awareness can occur. Fora such as this are contributory to that, and have been going on for awhile. Agreements by which the sensory requirements specific to the problem will be implemented can then be struck. 
Today, as Michelle and others have suggested, if the government says "Tell me about your attacks" and seeks to achieve agreements on that, the default mode is to either believe that the government is being overly-intrusive, which it is in some cases, or that the government doesn't know what it wants, which is often true. Consequently, nothing useful comes along. Analysis linked to a dissemination architecture permits you to know what warning you're putting out and to who are affected, and the set of people affected must necessarily include all those who represent collectively the holders and operation of the vital national interest. 

[Slide] Thus, the salient questions. (I'm almost out of time so I'm going to only touch on these briefly.) What are our vital national interests? If the preservation of the nation and our way of life is not actually threatened, and I would suggest it is not, then what are the guiding and driving interests to our nation in the information age? I will suggest to you that it's economics, it's the economy. I would suggest to you that in the next quarter to half century, the nations which will advance or recede in the international arena are those who will embrace information technologies, primarily in their economies. Who are our opponents? Well, if this is true then some of those who are our good friends in national security terms, as seen classically, are our opponents and competitors economically. Notwithstanding all of the new multinational actors, including subnational, transnational, multinational corporations, don't forget all the old bad guys are still out there. Certainly government-civil collaboration will occur. On what terms of reference? What's the legal basis for government to impose itself or to ask questions? What does it want? What does it need? Government and the civil community must meet together on a level playing field. What are the quids pro quo? Risk management. In the nuclear case, when Kennedy was talking to Khrushchev about nuclear weapons and Cuba, every American from him all the way down to all of us, doing duck and cover drills in our grade schools, had the same things on the table, the same things were at risk. We win it all or we lose it all. Every American was in the same boat. The leadership spoke for the nation. Think about the contrast to the information age. If an electric power provider contemplates his risk management and the degree to which he's going to protect against risks of an outage, his calculus, his costs, are the direct cost of repairing his damage and the inability to bill for the period of the outage. 
That's the down side, absent the possibility of consequential damage liability, which is another nascent legal question. On the other hand, a guy that runs the refrigerated meat-packing company downstream, who is a customer of that power station, is wiped out in eight hours. So the down side for him is extremely different, responding to the same event. 

[Final slide] In the old days, people like me, whether as a military officer or as a practitioner from the intelligence community, and people like law enforcement, worked in organizations. We comprised a process resembling a pie. We each had a slice of the pie. We understood that we worked very differently, and we were proud of those differences. And we said "I will take this slice; you will take that slice, and the difference between us is just a knife edge apart. The two will fit together elegantly, and between us we will get the job done." As we have heard amply demonstrated (and, I would suggest, fully correctly), everything in government and thus, by extension, everything in our society is legitimately and necessarily part of the problem, and the solution, in the information age, such that no one authority will be permitted to "rule." The only thing that will work is to collaborate in ways not historically done, in relationships that will look more like a casserole than a pie in their implementation. And that, ladies and gentlemen, is about all the time that I have; we're looking forward to your questions. Thank you very much for your attention. 

Mr. Sharp: Thank you, Captain Gravell. Finally, we have Mr. Chuck de Caro, who's going to round off this morning's panel with a discussion of soft war, which involves the hostile use of global television. Chuck is a former member of the 20th Special Forces Group, "Airborne," as they like to say, and he has had what appears to me to be a very exciting career in journalism since he's left the army. He has served as a CNN special assignment correspondent who has specialized in combat reporting, from Nicaragua, Grenada, and Surinam, investigative reporting on the illegal drug operations, foreign espionage and criminal gangs, as well as defense reporting on U.S. and foreign military activities. Most interestingly, he is a technical advisor to three TV magazines: Hard Copy, Sightings, and Encounters, and also a technical advisor to three TV dramas: Magnum, Quantum Leap, and JAG. Most impressively, he is now the founder and the CEO of AEROBUREAU Corporation, and at AEROBUREAU he and his staff have designed, built, have flown and operate the world's first flying news center, a four engine Lockheed Electra airliner that can fly over 4250 miles, land on a 3000 ft. airstrip, and set up first class news bureau operations that can last independently for a week without any kind of resupply or assistance. From talking to Chuck over the last couple of weeks, I've really had the sense that I was talking to somebody I'd normally read about, an adventurer, an entrepreneur that I'd read about in a novel somewhere – "Soldier of Fortune" perhaps. So I believe we're very fortunate to have Chuck here this morning. Mr. de Caro? 

Mr. de Caro: A couple of rules: if you cross your arms, that's the same thing as asking a question. If you go to sleep, it's the same thing as asking a question, and you will get assistance from me right away. If you're knitting, it's like asking a question. I call my lecture, "Sats, Lies, and Video Rape." Sats for satellites, lies when you use the satellites and you transmit it, video rape is what happens if you don't pay attention to this lecture. 

Clausewitz said that war is the controlled application of violence to constrain the enemy to accomplish our will. However, Clausewitz was constrained by the technology of his time. The only way in his day to affect the will of the enemy was to marry your king to his queen, or charge across the border with enough cold steel and gunpowder to kill enough of the enemy's military so that they would have no option but to surrender. Hence, they accomplished your will. 

But Sun Tzu, a thousand years before that, the ancient Chinese military philosopher, said the acme of skill is not to win a hundred victories in a hundred battles. That's not the acme of skill. The acme of skill is to subdue the enemy without fighting. And now a late 20th century invention, global real-time television, gives us the ability to achieve what Sun Tzu had set forth, which is to defeat the enemy without having a fight. And I call that new kind of warfare "SOFTWAR," the hostile use of global television to shape another nation's will. An entire nation's will, an entire body politic, as a monolithic unitary system. Shape it – by changing its view of reality. How is this possible? 

Television. Because television transmits information to video illiterates, and if you haven't been in my class before, you're all video illiterates, solely on perception of images and sound rather than hard facts. Famous example: how many here either saw, live, in those days, the Kennedy-Nixon debate, or for you younger people, do you remember who Kennedy was? Did you ever see it – John Kennedy, not junior with the hair – [Laughter]. 

If you look at the transcript of that debate, both had served in World War II, they've both been professional pols for a decade, they knew what they were talking about. By the way, every third word was "communism." That's the transcript. But perception – this was the first time that Americans had seen presidential candidates debating live – and what happened? Dick Nixon walks in, five o'clock shadow, beads of sweat, high contrast black and white television, and five o'clock shadow. John Kennedy walks in in dark blue suit, full theatrical makeup, he had a natural charisma – huge. Most people don't know what telegenics are – the ability to come across and make you believe. That's why they pay anchormen three, four million dollars a year. Do you think that's a crapshoot? No, that's real – a real, demonstrable ability. Telegenics. So, basing the information flow on perception rather than reality. 

How does it do this? Let's talk about the idiosyncrasies of the medium of television, not the news media – that's a poor term, that doesn't describe the medium itself – the electronic pen and paper. How many people who haven't been to my class, recognize any of these terms? Good – then you're all video illiterates. What makes TV work? B roll makes TV work – in the old days, for example, you would interview a general on film, about the B-52. Well, it's a guy with a talking head – that's the A roll – boring. The B roll – the good stuff – eye candy – those pictures of that great big B-52 coming screaming along, smoking, at 50 feet – that's the B roll, that's what I want. 

How many people watched Miami Vice? How much content was eye-candy (FBI guy, you got it, right?). Okay. B-roll – short hand feedback. Television transfers a huge amount of information in very little time. Everybody look around the room and count to four – everybody. Thousand one, thousand two, thousand three, thousand four – Stop. Now, describe in the same level of detail with words, as with radio, the number of people, the colors, the sound of my voice, the same four seconds. Ready, set, go – thousand one, thousand two, thousand three, thousand four – Stop. That's why command and control, with television, all the broad band guys, is much better than all these narrow band guys in the back. Television transfers a huge amount of information – now what happens? Politically, now I'm trying to describe all this stuff, we use – we have to use – shorthand. But the shorthand taints – let me give you an example: Whitewater, Watergate, OJ – huge amounts of information, direct – but it also taints the conversation, the political thought of an entire nation. 

Political throw weight – it has an effect. Why do you think McDonald's sells so many hamburgers? It has a tremendous effect, but it affects different people in different ways, like a MIRV – Multiple Independently-targeted Re-entry Vehicle – comes down, hits a bunch of targets. What happens when you launch another missile? You make the rubble bounce. Same with television, you get an idea – it shapes you. Your perception changes. You see it again, what happens? What you see on television is a crapshoot. Let me give an example: If you happen to be down at 34th and Vine with a camera, you're going to get a picture. You're not there; you get nothing. Television is a strange medium; it automatically lies. Back to B roll, talk about B roll. When you write a report – somebody hold up a report. Here's a report, and if you have photographs on it, what do you use the photographs for when you write a report – what do the photographs do? Support what you've written. In television, it's the other way around. It's just backwards. If you've got ten seconds of B roll on 34th and Vine, ten seconds, and you've got 15 seconds of script, what happens to the other five seconds? You get black. So you have to write the words, depending on what the pictures are, instead of the other way around. It's automatically backwards. So if you're a video illiterate, you're not any better than those 17-year olds – how many commanders here? How many people have been commanders – no commanders? Okay. How about those 18-year olds who go down and car shop, oh, it's only a hundred dollars a month, well, going till infinity, because they didn't know the grammar of the fine print. Well let me tell you, you're all like those 18 year-olds – unless you understand this, and you're making decisions at the political level, you've got problems! 

Now, who can think of one incident when all these things happened at once? All right, so you're in a satellite, you're looking down at Earth, it's all black on Saturday night and you're saying, you're looking over let's say Germany and you see this car chase and the polizei are chasing a car at 300 kilometers an hour, and which decides not to pull over. When it does finally get pulled over, the occupant jumps out and fights the polizei. What reasonable man or woman is going to say, there's going to be an altercation and the polizei are going to win? How about Singapore, or Japan. That ought to do it. 

Who ever heard of Rodney King? Well what would happen that night? Who shot the video? Some guy. Who was it? Does anybody here know? It's a big deal because everybody knows about Rodney King and all the subsequent events, right? It was a guy named George Holliday who stumbled out in his bathrobe and took the pictures that night. Guess what – George got a picture of Rodney taking a shot at the cops – assaulting the cops. Well what happened was at that very moment, George picked up the camera, with the tripod attached, and moved it, and you get this jerky video, you get the first assault – you get the jerky video so you get a better shot. Well the boys at the local California TV station, when they got the thing, chopped it so they get the best what? – the best B roll. How long was the Rodney King incident from end to end – anybody know? About 30 or 40 minutes, from end to end, from the time he got chased to the time the ambulance pulled away. How much video did George shoot? Nine minutes. How much did you see? Thirty seconds. Were there massive political effects by this? If you had known now what I just told you, would it have been different? Would you have wanted to see the whole thing with the poor video? All this over television. 

Let's talk about television news – all you people think they're all limp-wristed liberals, pinkos, right? Wrong. Doesn't matter anymore because news is global. Tell me what is the primary operating reality of television news, anybody's television news, anywhere in the world? What's the primary operating reality? The answer is budget. You can't do news unless you go out the door. You got to get in a cab, you got to bring your crew – budget. How much does it cost to send me, say a moderately rated, network television reporter, to go on a story for a day? How much? One day. Two grand. But how much does it take to send a camera crew out after him? Two thousand bucks a day, first eight hours, plus time and a half, for the next four, plus double time for the next two, then triple time for every hour after that. Two thousand bucks. How much does it cost to send that truck, with the satellite uplink behind you so you can do a live opening of the supermarket? Four to five grand a day, plus the two or three man crew, plus time and a half, plus double time. Now, how much does it cost, to get this whole gang, this 7000 pound pencil, and run it to Bosnia? You're looking at about $20,000, $30,000 a day – hotel, airlift, all that. Now, did you ever notice that before American troops appeared in Bosnia that all reports there were done by people in foreign accents? British mostly. Why? Who said cheaper? Maybe you'll be a producer in their next career. OK – well think about it. The cost is a thousand dollars a pop. Well, what happens? What are these guys on – who's on quality control? And what are these guys after? They're after what we call bang-bang, eye candy, B roll, so what are you going to get? People shooting at one another. 

Let me ask you something, you people all saw stuff from Bosnia. Who ever saw a secondary? Who knows what a secondary is? Tell them what a secondary is. Yeah, it goes boom. How many people saw anything go boom? What the hell kind of war is that? Okay, it was because the people were looking for the fighting; whenever we have a war we'd have the specific little instances of guns going off. But the same reporter was doing the reporting for several different networks, changes the ending, OK, stringer, so you think you've seen ten different reports, the same report ten times. The effect is ten times greater; one firebomb you think it's a war. 

Naïve Editorial Stance: How many people remember Saddam Hussein patting a British kid on the head? How did that happen? Ed, no relation to Ted, Turner decided hey, let's put it on. He was roundly criticized, but he said "hey, we put Thatcher on, we put Bush on, we cover the football games live, why not put the dictator on?" That ought to put it in context. Oh really? That's the same as saying Adolf Hitler reading about Mein Kampf is the same as FDR talking about …. But it went on. 

Random access coverage. Why was my friend Peter Arnett in Baghdad, and with all the subsequent political effects? Why? Because he felt like it. He was bureau chief in Tel Aviv, went to Greece, (can't go from Tel Aviv to Baghdad), Greece first, then over there; the other guy was screwing up, he took over, just like that. How did he get them to stay there? Marlin Fitzwater asks Tom Johnson, who was then the brand new president of CNN, "Hey, get these boys outta there, we're starting a damn war here in ten minutes." And he said, "Yes, fine," and then checked with Ted. And Ted says, and this was quoted in Vanity Fair and the Washington Post, "Well, we've got the reporters there, and I," (Ted Turner, elected by nobody) "have decided we're going to stay there." One man, boom, changes history with one decision. 

Media amplifier. Pay attention to this. Any comparison on television automatically implies … what? Parity. So now you have George, freely elected, most powerful man in the world, and you have a 10th rate, pot-bellied dictator. Who wins in that comparison? Saddam, every time. 

Warped Mirroring: How many people watched CNN during the war? Everybody. And everybody else in the world. Everybody else in the world is watching CNN at the same time, correct? So they're seeing the same information. You're all wrong, you're all dead wrong, because we were watching CNN; they're watching CNI – Cable News International, which has a throw weight – remember we were talking about throw weight? The amount of time you see on TV? Here, we're watching the CNN mix – the CNI mix is a mix of CNN, CNN Headline, and World News … cheap … propaganda from affiliates around the world. Their throw weight is different so the political effect is different. So what's the first thing you guys are going to do when you go back to your war rooms? Get CNI, so you all know how the allies, the neutrals and the bad guys, are thinking. You know what their information flow looks like – this is critical stuff. Because a lot of political judgments – the road of death, remember that? We're going to end the war because of the road of death. Anybody following the war – those weren't tanks on the road of death, those were Iraqis with stolen Mercedes, and buses full of loot, who had gotten their own way … and the A-10s came zooming over and ate them for breakfast. All this because of global television. Does everybody understand? 

Now, what does this mean? It means that television is a truly ubiquitous medium and the United States must be able to operate in this environment, because we've seen that global television has instantaneous effects. What it's done is this: television acts as the poor man's C4I. Think about that: global instantaneous medium is the poor man's C4I – command and control and intelligence. How? Let me ask you something. Who knows about the sobs and the violin which breaks-my-heart with monotonous languor? Who knows what that is? That's right the code words broadcast on the BBC that launched the French Underground's attacks on D-Day, June 6, 1944. Command and control for free. That was the BBC radio then. 

So now we use television. See my insignia? Don't start a war. Put it on this lapel – Start a war. I can buy, as a country, I can buy a commercial on global TV and lay it on for sure, guaranteed it's going to show up at twelve noon, either start the war or not start the war? And you don't even have a clue what it is. How's that compare to GCCS? Okay, now: how much does this cost? Where's the CIA guy hiding in here? What's it going to cost us to pay the intelligence community? Twenty-six point six, get ready for the B-word, billion, billion with a "b," billion dollars. How much does it cost to get CNN? Thirty bucks a month. You're a developing nation; which one are you going to win on this course: $26.6 billion; $30 a month? Can you make political or tactical decisions from real-time information coming to you? Yes or no? You're a dictator. I'm the President. You have ticked me off; I am going to bomb you, OK? CNN – or global television – presents the Senate majority leader, saying "No, there are other issues" and the Speaker of the House saying "No, no. No way." What are you going to do, Mr. Dictator? …. Well you don't have a budget of $26 billion, so what you're going to do is you're going to sit there, watch it, and judge the response and, continue doing it. Now you're watching global television, and you see the President, the Vice-President, the Speaker of the House, the Senate majority leader, drooling out the right sides of their mouths, F117s leaving Norfolk, what are you going to do now? Dig a hole. That is a tactical reaction to mil-pol level information. 

What else does global television do? It provides the poor man's C squared W. Command and control warfare. Now we're not talking piss-ant stuff; we're talking shaking an entire body politic. How does this work? If I get a two way medium, I can project information. I'll take a tactical event, and turn it into strategic power. Can anybody think of an example? I'll give you a couple. Bosnia. Now, I'm in Bosnia. The President says, "I'm going to bomb you." All right, it looks serious, so what do I do? I go find myself a Canadian, and I staple him to the target set. Does anybody remember that? You staple a Canadian to the target, and what happens? We don't bomb him. Any F-111 guys here? No air defense? No fighter pilots? Let's think about this in terms of cost. How many missiles do you need to stop one squadron of the United States Air Force? Ten to one? Twenty to one? Let's say ten to one. $250,000 a missile, that's $2,500,000 to stop one squadron for one day. How long did the Bosnian Serbs hold off any Western action? About 18 months! Think about that! Now, principles of war: mass, yeah; they were attacking the body politic, for numerous political views, surprise, simplicity, security, but what is this a wonderful example of? Some West Pointer, jump up. West Pointers, jump up! Economy of force, sit down. Economy of force, think about it! We send a squad (ten people) to capture a fire team (five Canadians), OK, we multiply it by global television and what do we get? We get a strategic effect – we stop the entire western air force for 18 months. Is this a militarily usable phenomenon, is it like hiding behind a mountain, is it using the terrain? You betcha. But we, the United States, were the victims of soft war, and not the propagators. You think this is a one time incident? 

How many think that Mohammed Aideed was some loincloth-wearing stupid guy who just got lucky? No, Aideed was highly educated, at Moscow then England and France, spoke multiple languages, knew about business, all kinds of things – he was smart – and was watching CNN all the time. How do I know that? I interviewed President Carter. He was doing his own diplomacy. He said, "oh yeah, he was watching, he, Aideed, was watching all the time, and recording, all the time, so he was getting information – boom, just like that. How do I know? I was there." 

So the then-Assistant Secretary of Defense for Public Affairs, she was cute, she was blonde, she was former ABC and connected, she was out there briefing. So what does she say? "We're going to send the Rangers to Mogadishu," and in that instant, Aideed said, oh, Rangers, well, let's see, a company, OK, 200 Rangers, 80 percent white, short hair. Dave Martin jumps up, and says "Hey, I understand Delta is being interspersed with the Rangers, because they can use their counter-terrorist hostage barricade tactics, …." Aideed in that instant goes, "Hmmm, Delta, 100 guys, 90 percent white, long hair." OK, then I jump up and say, "Hey I went to Ranger school! Where's the artillery, where's the tanks?" And Kathleen gets this kind of pained look, and the Air Force guy goes "Oh, we have support troops all right there. Right, ash and trash guys." And Aideed goes, "no tanks." Why weren't there any tanks? Yeah, why? You know this, don't you? Because a video illiterate was in charge! His name was Les Aspin, and he says, his top secret cables were printed in the Washington Post; he said "Hey, we didn't like the image of tanks." What was this guy saying? He was thinking George C. Scott, in Patton, or the student against the tanks in Tiananmen Square. The fool didn't understand television. Think about this – if you can't see a tank, where's your B roll? "I'm Chuck de Caro, reporting live from Mogadishu, where CNN has learned that an entire American tank company…." that's all you need. How big is a tank company, does anyone here know? Fourteen tanks. "An entire American tank company has been deployed. If you look at the dot… do you see that dot? The two tanks under camouflage here. There are six more in this building. You can't see them, I know, but they're really there." Where is the image, where is the B-roll? How much has the United States Army spent on command and control of tanks in the last twenty years? 
How hard is it to move one tank company across a ten-by-ten kilometer area to get them all in one place at one time? Not very hard. 

And yet the Secretary of Defense didn't do that; he let the Rangers in alone and Aideed in Mogadishu knew in real time … size, activity, location, unit, time, equipment and direction. Did he have all that? What did it cost him? $30 a month. We're in a new reality already, it's a mil-pol reality, a continuum. You don't believe me? 

Here we go again. How about these boys? The very next week, in Haiti, okay, think of the steel drum music. What else do we have in common? You know what happened? I'll tell you what happened. They see on global television what is going on in Somalia. And they go, "Gee, what can we do to take advantage of this situation?" So what do they do? They call upon a Canadian, another Canadian; how many people know that Col. Cedras' mil-pol advisor was Canadian? And he dreams up the idea, let's give the Americans, let's get information from C4I, the cheap one. What don't Americans want? Body bags. Let's give them an impression that Haiti is not a great place if you don't want body bags. So what do they do? They stage a riot on a dock! How many people remember a riot on a dock? It was staged! Now, here I am, it's seven o'clock in the morning, I wake up and I watch Good Morning America, here's proof! Here's the Caribbean over here, the sun angling behind, on the rioters, and they're rioting on camera! So I wake up, I look at this, and I go back to sleep. Why? Because I'm a cynical reporter, and I say, who riots at seven o'clock in the morning? What reporter is up to cover the riot? This is a fiction; I go back to sleep. Meanwhile, the National Security Council, the children, are running up and down the walls, "Oh my god, what are we going to do now," and what happens? The U.S.S. Harford County, albeit on a U.N. mission, but it is a great big gray boat with white numbers and the American flag on the end, does a 180 in front of the camera and goes away. What is the end-point of war? Constrain the enemy to accomplish our will. Who won the war? Huh? We're a super-power, and we're getting pushed around by Lilliputians because they're taking advantage of the TV reality! 

Now you think, well, gee, when we were young, a young revolutionary testosterone-filled body politic, and the best army in the world came here to fool with us, the Brits came over, best logistics, best training, best discipline, and expected us, hey, to form a big square, and we'll fight you out on the common, to which our revolutionary forefathers said, "You've got to be crazy; we're going to shoot you from behind these rocks and trees, and bleed you to death." Which is what we did, until we got support from France – you're laughing, you forgot your history. So you think any other non-superpower is going to deal with us, tank for tank, ship for ship? No way, they're going to fight the best way they can, take all advantages they can. By the way, our revolutionary forefathers, you know what they did with the information about this battle? As soon as the newspapers came out, they put them out on the first boat out to England, OK, the information about the fight got to Parliament weeks before the British General put in his official report. Who won that fight? We did. So all we have to do is look back on our own history to see about the soft war of the present and the future. 

I will leave you with that, and I'll take your questions from back up here. Thank you. 

Mr. Sharp: I think we asked the question, what is the face of future warfare, and we got some pretty good insights of what that's going to be. We focused a lot yesterday and today on the protection of information and the protection of information infrastructures, but what we have forgotten about is remembering that the real key to IW is the decision maker. That's really the objective in offensive information operations. Now we have to protect our infrastructure because of the casualties and the inconveniences that it would cause us here in the States, but don't forget the soft war applications, the offensive information warfare applications. We're trying to affect the decision maker. And we have about ten minutes left for questions and answers, and we have a student here, who's going to pass around the roving mike. Do we have any questions for our panelists? 

Participant: I was going to say that having been a 13-month victim of the Haitian vacation I'm very familiar with some of the problems we're dealing with in the news media. My question really goes a lot to what Mr. de Caro had to say about taking it a step further. One, you can't control the news media, but my experience both in Bosnia and in Haiti was that most of the local camera crews hired locals, and they have agendas. And if you have a camera crew that's made of pro-Aristide people, they shoot the scene one way, and if it's made up of pro-Cedras people, they shoot the scene another way. Or to put it more precisely, if it's a Bosnian Serb who's taking the pictures you see one scene, and if it's a Bosnian Muslim you see something else on TV that night. But you also see a linkage between what's going on in other countries around the world and domestic U.S. interest groups. People use the Internet, use TV, and so on, and the interest groups within the United States who have absolutely every legitimate reason to stand up for their rights as part of their freedom of expression, our foreign countries that we're dealing with, they leverage those interest groups to affect U.S. policy. And they affect U.S. policy in ways that they, that country, that foreign country, that supports their objectives, and it's fairly effective. I was wondering if I could get some comments from Mr. de Caro on how to deal with that, because I think that is going to be the linkage you're going to see increasing in the future, especially using the Internet, video, TV, and those types of things, as opposed to trying to take on the U.S. military toe-to-toe, airplane-to-airplane. 

Mr. de Caro: You can do two things. One is education, and the other is organization. For all it does, the concept of the strategic, the operational, and the tactical all go out the window. It's demonstrated, you can take a tactical advantage and have strategic effects, or you can take strategic advantage and have a tactical effect. So how many junior officers are trained to deal with the effects of global television, knowing whether he shoots or doesn't shoot his weapon, right now, this second, will have instantaneous effect going straight to the President, will come right back down and have more tactical effect. We are neither trained nor organized to deal with the reality of the world as it is. Not the way we wish it would be. So the answer to your question directly is education on these kinds of things, broadly based, through every level…. The people that we use, the soldiers, sailors, airmen, marines, we have to look at a different way of picking and training these people, truly. That's my answer. 

Mr. Kuehl: Can I add a comment to that? There is a common perception, because you see in print all the time, that the United States has become totally casual and insensitive. That's probably true in some paradigm but remember that in the 1930s there were other countries that said the United States is soft, weak and won't fight. I have offered the belief in some quarters that a terrorist attack, for example, somewhere in some part of the world that kills 100 Americans, would cause us to wither and walk away. Maybe, maybe. And maybe it would just generate the opposite response. And I think it behooves some leaders in the world to think about things like that very carefully because I think there's a point you can push the United States beyond where our response is not we're going to back away – our response is we're going to crush you, and I think it behooves some countries' leaders to think in those terms. 

Participant: First, I would like to thank the panel for probably the most stimulating hour and a half that I have spent in months. I thank you for that. I was going to make the comment that the government has learned lessons too. There are four parts to a military operation; the fourth part I submit again, when President Reagan bombed Libya, not only do you have to train, plan and execute, one now has to justify. One justifies in the presidential statements, one justifies in statements before you go to war; the prime person that's going to have to deal with the press is usually the assistant J3, on the joint staff, who's going to have to come out nightly, and explain what happens. And that's not all bad. Clausewitz talks about the necessity of having the trilogy, having a dialog, between the military, the government, and the people; I can think of nothing healthier than explaining the use of blood, the cost, what you're trying to accomplish, the fact that if you don't do it properly with the people who believe in the rule of law you lose wars – all of those sorts of things are immensely important, and my comment is that if the government has not lost its lesson – we deal very differently with matters military, from the Saigon Follies to CNN, from the government's point of view. And that, I submit, is a reaction, almost gut reaction, to the same sorts of things we heard from the other side being used against us. Thank you. 

Captain Gravell: I'll make a quick point in that regard. Thank you for that comment and I would offer another factor that relates to that in something that I said about domestic equities. Now that we have lost our ability of our two hundred year long strategy of projecting our military off our shores and resolving conflicts there in order to preserve our homeland as a sanctuary, and indeed our homeland and our people are themselves potentially belligerents, certainly targets, in a conflict; then the question becomes what the capabilities versus the responsibilities are within government and larger society for domestic protection. The nature of an attack is not necessarily defined by the attack itself – that is, terrorism is not something that is identifiable unambiguously in every case, any more than an incendiary bomb explosion is unambiguously terrorist versus arson versus insurance fraud versus homicide. It is seen in contextual terms as a characterization of motive assigned by the victim. And so the question of who is responsible for terrorism, in accord with PDD 39, versus who is responsible for prosecuting the wars of our nation, is going to be very interesting when there is an understanding that the wars of our nation are being fought in our territory. And if we don't have a formulation of how this relates, law enforcement, military, unconventional military if you will, and other equities and capabilities, the important fact -- we're certain to be at least off balance and potentially very disadvantaged when it does occur, as it will someday. 

Mr. de Caro: There's another issue here, and that is, if you're going to be having an assistant J3 explain it to the American people, you'd better get somebody who's good on television, period. Don't get some geek up there, who stares and starts to sweat, because people are going to read it the wrong way. No, your point is valid. You'd better get somebody good, just like you get a good J3 out in the field – there's a qualitative difference. If you're going to be a spokesman, you'd better be able to speak. And if you're going to be an operational guy, you'd better be trained very well. 

Participant: Don't you see what that does to a poor commander, who not only has to help run the show, but has to be CEO-enough to explain it. 

Mr. de Caro: Caesar was a good orator. 

Participant: I suspect so. 

Mr. de Caro: So maybe we ought to add that when we start looking at our OERs, and saying, can this man lead? Can this man project information, because in reality, if you're going to be a junior officer, you're going to be on global television. If you can't explain what you're doing, the opposite effect will occur. 

Participant: Thank you. The title of this very fascinating panel was Information Conflict in the 21st Century. It strikes me that we've focused today on one aspect of conflict, which is people who are shooting or threatening to shoot at either U.S. interests or our allies. I wanted to raise, though, two other potential threats that I think we're going to have to be dealing with. One, and it was alluded to in the panel, is the issue of economic warfare. I'm reminded that a colleague of mine, shortly after taking his oath of office in the Commerce Department to defend the republic, commented to me, "Gee, I didn't realize what they were really talking about was the French." And of course, the other element that comes to mind is the growing threat from organized crime, and really the increasing sophistication of those sorts of groups. I wanted to ask the panel if they could just talk in terms of both of those issues. 

Mr. Kuehl: Well, certainly, in terms of one of them, and I tried to allude to that, and I just didn't have time to explore it more in depth, the issue of virtual actors and non-state, non-governmental entities. Just go out and surf the Internet right now and you will find a myriad of political actors out there and interest groups that, in some cases, Greenpeace, for example, have enough political interest, agenda, and perhaps political power that they function as a virtual state, in the interests of their own specific agenda, what they're trying to accomplish. You raise a wonderful point and I think we're going to see more and more of that in the future. The challenge that I would suggest is that, and I tried to allude to this in my remarks, the laws and the regime of territorial and physical sovereignty that we operate in right now are probably not equipped very well to handle that. 

Captain Gravell: I would add only very, very briefly to that; you raise an excellent point that we could spend weeks talking about, and I'll offer a couple of anecdotes that show how complex it can be. 

When elements of the former Soviet intelligence apparatus, now organized into something that looks a lot like our NSA, are approached by criminal elements – the Mafia – inside the former Soviet Union, inside Russia, and corrupted officials make state capabilities, state-trained individuals, state-owned material resources available to support a criminal enterprise, and that criminal enterprise acts with national intelligence support against America, some very interesting questions come up. Is this an act of war, because of the degree to which state capabilities are brought to bear? Does it depend upon the target? Well, the target is the American banking system and the stability – is there an argument that the stability and respect and trust in American currency is affected, in a way which has classically been held to be one of our vital national interests? This gets to the whole question of the role of government in supporting our key industries, our infrastructures, in thwarting such attacks, or retaliating or responding to them, and, as suggested yesterday, by the President's Commission, re-examining the legal structure with which they're responded to, as a matter of civil, domestic criminal, or international law? 

Mr. de Caro: They're there, we have to organize to deal with them, a criminal title, the mafia, … communications … we see Ted Turner makes the decisions in his regime, Randolph Hearst did that in the last century. Now we have international actors like Murdoch and others who have huge consolidated media empires, who, even if neutral, have monumental effect, depending on whether or not you get the information, how much you get, and when they decide to give it to you. …. The answer to this is organization. The preamble of the Constitution says "provide for the common defense," and it later says raise an army and a navy. Maybe we ought to go back to that – how do we provide a common defense in this casserole, which is a wonderful description of what we've got. 

Participant: As Bill knows, we've been doing a lot of thinking on the operations side of the Joint Staff and other places about the nature of future war and doing the actual planning for it, and the term that comes up most frequently now is not war anymore; it's competition. The United States, as a nation today, all of us together competing against corporations. Organized crime. Other nation-states. Rarely do you have military or military discussions anymore. We're beyond that. The point I would like to leave you with is, has it not passed the leadership completely by, as babes in the wood, that the media affects things. You get pluses and minuses, various levels of sophistication; it's probably a good generalization that most are unsophisticated as regards the effects of TV, but the people that become more important when we start looking at the competition in the future are the ones who are most reluctant to admit and most naïve in admitting they play a crucial role, and this is the journalistic community, because there is this great feeling of wanting to have a dispassionate, ecumenical voice in things. Many of them at least allude to that on TV, and as you point out in the concept of soft war, things can be won and lost on the street. And you have to decide at some point where your loyalties lie as to who's going to win. 

Mr. de Caro: It doesn't matter. It doesn't matter – news information transfer is global and you've gotta deal with it. Another … boy out there, his name is Tony … [?] you know who he is? He's the commander of central command. And he had a great idea. The media is like the terrain. That's what Tony says. Good idea. Deal with it. You got a mountain, deal with it. You got a desert, deal with it. Don't look for excuses. Let me ask you something: do you remember the Iraqi fighters at the base in Iran, when we got live pictures of those? Remember those? How the hell do you think they got there? I'll tell you what happened. A bunch of Japanese, doing a National Geographic sort of special in Japan, they're driving along the highway by accident. Here the Iraqi fighters come down, they stop the car, they come up, they say "Banzai!" get this film, hop in a … from Tehran, it bounces across the world, pops up on CNN on our screen, completely random. Now where, captain, where, where, where is the loyalty and ethics of journalists today? What do they care? It's going to wind up on this global infrastructure. 

Mr. Sharp: I invite the Captain as well as anybody else who'd like to come up and join the discussion, and while most of the folks take a break, they've all volunteered to stand by and talk with you. We need to be back in the room by 10:30 for the next panel.
 
 
 
 

Encryption and Information Assurance

Tuesday, April 21st, 10:30 A.M.

Moderator: Peter Feaver

Panelists:
William Crowell
F. Lynn McNulty
Marc Rotenberg
 
 

Mr. Feaver: My name is Peter Feaver and I'm an assistant professor here at Duke University. The University is deciding right about now whether I'll become an associate professor or not, so maybe my title will change in the middle of this talk. 

About a year ago I was at a conference similar to this, where I was one of the speakers on the panel. And the moderator got up and said, "We have a very distinguished panel with us… We have one person who's a towering figure in the world; a historical figure, wherever I go around the world, everyone knows this person and comments on the insights and brilliance of his mind. He has one of the most powerful minds that I've encountered; he is really one of the great men of the world today. We also have Peter Feaver on the panel." And once again I find myself playing the Spud Webb or Sesame Street role of one of these things does not fit. We have very distinguished experts on encryption and information assurance and we also have me. I agreed to do it, though, because the topic is so intriguing and so devilishly simple on the surface to explain and yet so impossibly and perhaps insolubly complex when you get into the nuts and bolts. And I think that all three of our speakers will touch on that. 

Let me just frame the puzzle for you that our speakers are going to talk about. The puzzle is how do you ensure that law enforcement has the ability to protect us against the bad guys without in so doing surrendering a very important industry to competitors and without violating the basic civil rights, the things that law enforcement is trying to protect? And there's a series of quotes – these are all taken from the last two weeks of news articles on this topic. It's been extremely timely in the news. Here's a quote from last summer, from Attorney General Janet Reno, who wrote to the Congress and said, "Let there be no doubt: without encryption's safeguards, all Americans will be endangered." Without encryption's safeguards, all Americans will be endangered, and that's why she was arguing we need the encryption key system advocated by law enforcement. At the same time, and in the same article, you get a response from Deborah Triant, who's a chief executive for one of the encryption providers, Check One Software Technologies, and her quote is, "If any company thought that it would lose business but stop terrorism by going along with the FBI it would do so in a minute, but of course," she says, "terrorists and criminals would just circumvent U.S. law by obtaining computer equipment abroad." So all of the mechanisms that law enforcement is advocating are useless and are only going to hurt business, she says. At the same time, you have the privacy concerns and privacy advocates suggest that the law enforcement solution is equivalent to the government installing surveillance cameras in all of our homes, but promising that they're not going to turn those cameras on until it's necessary to investigate whether we're committing a crime. How many of us would agree to that kind of system? Not many. 

And so, you've got three almost irreconcilable interests competing against each other, and that's why we have the Secretary of Commerce say, I think just last week, if I'm not mistaken, Secretary of Commerce Daley giving the following quote publicly on the record: "The truth is that while our policy goal – balance – is the right one, our implementation has been a failure. We have not been able to agree amongst ourselves or with the business community on how to reach that balance." It's very rare that you'll have a principal go out in public, and admit that the government has botched it as poorly or as thoroughly as Secretary Daley claims. 

Well, we have the right team assembled here to explain to us how the government has botched it and what we can do about it to improve. We're going to present it in the order that you see listed. Let me just describe the three presenters and then we'll let them get at it. We have Bill Crowell here, who will go first, and he is currently with Cylink, which is a private industry information security provider, but for most of his career he was with the National Security Agency, where he rose finally to be the Deputy Director. And of special interest to this panel, he served as a member on the Cabinet-level committee charged with developing the policy on encryption. He's not the government spokesperson – not then and certainly not now – however, from his vantage point, inside and now outside of government, he is in a good position to describe what the rationale behind the government position is and also provide a very informative critique thereof. 

Next will be Lynn McNulty, who's Director of Government Affairs for RSA Data Security, Incorporated. RSA, as you may or may not know, is the world's leading supplier of commercial encryption products. We are all RSA customers, whether we know it or not. However, for most of his career, he was working in the government in a variety of positions, responsible for computer security. As a professor of political science, I'm pleased to note that both Bill and Lynn were political science undergraduates, so there is a career for people with political science expertise. You don't have to become a lawyer, like our third speaker, Marc Rotenberg, who is the Director for the Electronic Privacy and Information Center, which is one of the leading public advocacy centers in the area of information technology, law, and privacy. He's taught on the law of privacy at George Washington College of Law. He is of course one of the nation's leading experts on computer law, security, and especially computer privacy. 

Please join me in welcoming all three of our distinguished panelists, and then, Bill, will you take over. 

Mr. Crowell: Thanks very much, Peter. I'm glad that Peter pointed out that I'm not the government spokesperson for this. I'd like to think, and I think that both Marc and Lynn know this, that in all of my engagement in the subject I've tried to be a neutral and balanced person who offers some technical insight into the very difficult subject that we have at hand. 

I'd like to start by telling you a story. It's a true story. For those of you who are interested in history, it will be one of the featured stories on the Discovery Channel exposé on NSA coming up pretty soon next month on the 4th of May. It's a history of the Normandy invasion, and it's a story which is little known and little told about the exploitation of some communications that led to that invasion. It seems that the United States broke a code prior to World War II called the Magic Code or the Purple Code, which was Japanese diplomatic code. Most Americans know about that code because it's the one that the Japanese diplomats used to send the 14-part message to Washington that reportedly was the one that would have given us warning of the invasion of Pearl Harbor. In fact that message did not give any warning on Pearl Harbor. The 14th part, which was late to arrive, simply said that the Japanese planned to break diplomatic relations with the United States. The Japanese had an ambassador who went by the name of General Oshima. General Oshima was a friend of Hitler's and of Himmler's, and, as such, was treated in November 1943 to a tour of all of the Normandy defenses. When he got back to Berlin, he wrote a 12-page report on where all of the installations were, where all of the reserve forces were, where all of the special armaments were and so on. And he sent it in the code we call Purple. NSA's predecessors read that message and reported the results to General Eisenhower in November of 1943, a full seven months before the invasion at Normandy in June 1944. What's important about this story is the rest of the story. The rest of the story is that the Germans, the Nazis, never learned about that success. 
And so Eisenhower's planning for more than seven months of the invasion at Normandy was successful because the Germans did not have the ability to read the United States' communications and we were able to protect both the operational plans and the knowledge that we had derived from the message. So what's the point of this story? The point is that national security is not just about intelligence, but it's also about protecting information. It's a balance between these two interests. 

Encryption policy has, at least for me, in my time really proven to be one of the most complex and most difficult subjects that I've seen on the horizon for a long time. It requires us to somehow balance not only the national security interests that we have, but also to balance personal privacy interests; public safety interests, for example, law enforcement; and business interests. We have not been successful in finding acceptable solutions in balancing these. And part of the reason is that all of the parties involved seem to be seeking a 100 percent solution of their particular part of the interest. It's essential that we solve this policy dilemma, because the widespread use of encryption is critical to being able to protect the critical infrastructure of the United States. We no longer have oceans to protect us in cyber space. There are no borders in cyber space. Our protection comes from being able to erect some borders within cyber space using the science of encryption and a lot of other things that I'll describe as I go along. 

But we also need to take care to balance all of these interests as we try to find a solution. We should not decide to abandon one of these interests in order to satisfy 100 percent of one of the four. Encryption is a major societal issue, whether we know it as a society or not. We can use it to protect information, we can use it to hide activities, and we can use it to electronically shred information; and all of these capabilities exist in the use of encryption without any controls whatsoever. Now Time has described U.S. capitalism and technology as the engine of change for the entire world today. And I think as you look around at what's been happening over the last decade you have to believe that that's true. I now live in Silicon Valley, and perhaps it's because the lens in Silicon Valley magnifies what's going on in information technology, but I certainly see the engine of change in that particular area. We have become uniquely dependent on information technology, now, to keep our economy competitive, to make our government more efficient, and to keep our defenses honed. And building all of this on a poor foundation of security is not a good plan for the future. Our defenses, for example, depend on information superiority. But as I pointed out, cyber space has no boundaries, and we live in the same space with our adversaries and with those who would attack our information systems. The vulnerabilities are there and the incentives are many; there's intellectual property, there's a lot of money being passed through these networks every day, and there's military effectiveness information, including the ability to mobilize our military forces – in our public, undefended networks. 
The adversaries who would attack them are a wide range of people – criminals, terrorists, state-sponsored information warriors – and so what is needed, in my view, is security (and everyone knows that – that's the protection that we all seek from living in a party line, which is the network). But I would like to make sure that you know that we must seek one other thing along with it, and that is trust. Security is about locks, fences, and guards. Trust is about whether or not they work. Encryption is not a solution without building trust into the system that it will support. So security in the network is about encryption, authentication, digital signatures, and data integrity – and trust in the network is about building sensible means of key management, digital certificates, and security policies (what you can do with your certificates). And most of the discussion, so far, has centered on encryption, and about "genies being out of bottles." And that is really not the place to center this story. I happen to like some of the points that are made by New Yorker magazine cartoons, and there's one that I have quoted several times or described several times in talks that I've given, because it is such a real favorite to describe the dilemma of our networks, security and trust situations. The cartoon is of two Dalmatians, each sitting in front of a computer, and one turns to the other and says, "On the Internet, they don't know you're a dog." And there is so much truth to that story because it is about how the Internet works and how security works on the Internet, and about the need for building trust into networks in order to realize their potential. 

Now, I do this often, Marc and Lynn, I apologize to both of you because you've heard this before. When you make policy, you have to understand the issue on which you are making policy, so I'm going to give you a three-minute lesson on public key cryptography. First of all, what is public key cryptography, and how is it different from what has preceded it in the marketplace of security? Well, the first thing that happens is that each of you would either be able to manufacture or be given a public key and a private key, and as the names imply, one of those could be made public and the other would be kept private to yourself. If I want to encrypt something and send it to one of you, I have to know your public key. So if I want to send it to Rick, I have to know Rick's public key, and I mathematically combine his public key with the message that I want to send him. Once I do that, I no longer can read the message. That's the distinctive nature of public key cryptography. I cannot read the message that I originated in order to send it to him. So if I didn't keep a copy of it, I have no way of recovering it. At least not in reasonable times. If I want to sign something digitally, then I use my private key, and I send it to Rick or to any of you, and since you would know my public key, I've made it public, you would be able to decrypt it and verify that it came from me. So that's the magic of the mathematics of public key cryptography – it really is magical. But think for a second about what I've just described. Where is the trust? The trust is that it really is Rick's public key, and the trust is that it really was my public key that matched my private key that allowed them to read the signature. So the problem is, can you trust the source from which you got the public key? 
And that's a very important part of this policy dilemma – we must be able to build what's called a public key infrastructure, or a key management infrastructure (KMI), in order for people to be able to certify that a public key belongs to an individual, or a company, or to an anonymous person who has paid cash for this privilege. Notice, Marc, that I've learned to include anonymous people. 

So the KMI is a very central part of this whole structure in order to be able to build trust in the networks. And when this policy of key recovery began, it began because of this dilemma that I've told you about, that once you encrypt something in a public key, if you do not have the private key you cannot recover the information. When I say you cannot recover the information, I mean in many, many, trillions of times the age of the universe, you cannot recover the information. So there really are public policy issues involved in the use of encryption, and there are personal and business issues involved as well, in trying to make sure that you are able to regain the information that you encrypt. Now, the government policy that was announced in the fall of '96 was based on an attempt to balance all of the interests, public safety, national security, personal privacy, and business. It presumed that business would have an interest in managing the use of encryption. It presumed that they would want to create the public key infrastructure and key management infrastructure that would put trust into the use of encryption. It presumed that they would have a need to create various means of recovering information once it was encrypted, in order to protect their business interest, or else it would be lost forever. And the term chosen to describe this function, unfortunately, was key recovery. The emphasis was on recovering information, but the term chosen was key recovery because it would allow the person to recover the information. It also presumed that law enforcement would be able to use the systems that were created by businesses to recover their own information to recover information under warrant, the same way they recover information today, by presenting a warrant and being able to request all documents concerning certain subjects. Notice that I have not described the situation in which law enforcement had 100 percent capability to recover information. 
The policy was never based on 100 percent satisfaction of any interest – law enforcement, national security, or any other interest. In fact, the national security interests were never even specifically addressed. The policy on both key management infrastructure and key recovery had been constructed by the private sector as a voluntary act with no specific technical approach being specified and the policy tied relaxation of export controls to the adoption of key recovery by manufacturers of encryption. 

So why didn't it work? What went wrong? Well, first of all, there was too little dialog – some might even say no dialog – between the interested parties in business, privacy groups, and the Congress – and the Administration. Secondly, there was little understanding of cryptography – not even the basics that I just described very briefly a few minutes ago – security versus trust, and the infrastructure that was needed. Thirdly, there was no, I repeat, no leadership on the issue. In the government, everyone had the opportunity to seek their own interest, and there was no one in charge. In business, there was very little structure, and very few CEOs of businesses even had any special knowledge of the issue. The public debate was one-sided; it was Big Brother characterization, and using Chuck's terminology earlier, there was a lot of short-hand feedback. Immediately, the policy was labeled Clipper Chip, and the headlines read, "the government wants your keys." The connection between key recovery and export control was ill defined and certainly not understood. They are two separate issues, and somehow or other, we kept trying to connect them. Domestic use was about law enforcement, and international use and agreement was about building international key management infrastructures, and also protecting other countries' law enforcement – never a good idea that you put your own policies off on another country – it has something to do with sovereignty. Worst of all, the policy and practice didn't match. The policy said that we would encourage key recovery; the practice demanded that key recovery be in the product and that key recovery agents be set up in foreign countries – countries that did not want key recovery. We eliminated the free exports to banks and to other special interest critical infrastructure elements, and we created chaos. 

Now, what's the path ahead? First of all, it's very important that industry and government begin a more careful dialog. We have to foster a key management infrastructure to grow trust in public networks, and we need something to be done to do that – whether it's insurance companies that demand that it be done, in order for you to get insurance coverage, or audit companies, or whether it's the government through some incentive structure – it still needs to be done. We need to concentrate our energy on methods for key, or information recovery, as a business need and as something that law enforcement can use as a means of accessing information. And we need to relax export controls on critical infrastructure internationally. Our critical infrastructure is not a domestic issue anymore; we get much of our critical needs for most services through the international web, and we have to recognize that and protect them. Then we should finally let key recovery products be exported to those parts of our own infrastructure – multinationals and banks and so on – that would be in our benefit. 

My final summary: a decade from now, we're going to look back on this and wonder why it took so long to solve the problem. The extreme demands on either side of this issue are just that: they're extreme. And what's needed now is a dialog between industry and government that concentrates on solutions and getting on with the protection of critical infrastructure internationally. Thank you very much. 

Mr. McNulty: Thank you very much, it's a pleasure to be here today. Since I've retired, I've gone to work mostly as a consultant and recently for a company. As a result, I don't get the opportunity to speak as much as I used to, so I'll be interested to see whether I can pull this off without getting too nervous or forgetting what I was going to say. But I'm very pleased to be able to be here today; to be part of this very important meeting, and to discuss a very, very important issue. I concur in the assessment and the emphasis that Bill gave it in his remarks. For the last several years I thought that this issue was going to be one of the defining issues on what kind of society that we're going to be in the 21st century, because there's so many different components to it – the privacy issue, the infrastructure protection business requirements issue, the law enforcement issue, and the national security issue. Perhaps only in a democracy can we have this interplay of issues and of interested people and go through a very, very public debate on a very sensitive issue that affects a lot of different components of our society. But it is something we're going to have to solve, as we move into the 21st century, as we take advantage of the information age, and actually come to some grips of some sort with cryptography policy that will carry us forward into the 21st century. 

As one who's spent a lot of my career in government trying to sell computer security, particularly among the civil agencies of government, it was a tough sell. And I'm very pleased to see that somebody's come forward and said, "hey, there's some critical issues in the unclassified arena, the non-traditional military-diplomatic arena that require consideration of computer security issues." While I was at the State Department as the manager or director of information systems security, I used to lead off at briefings saying that I was one of the few computer security officers in the U.S. government that had hostile intelligence officers as authorized users of systems I was responsible for. And that was back in the days when we had local nationals in Eastern Europe and in Russia that were assistant managers of systems at our embassies overseas. And the attitude there was, "it's all unclassified"; why would we need to worry about that. And I think we finally may have gotten beyond that point, but it was a tough sell back in the mid-80s on some of those particular issues. 

I think that in some respects, the policy, the equity issues over encryption, have obscured the real issue with respect to how we're going to protect our information systems. I was interested to hear Senator Nunn, who's the co-chair of the Critical Infrastructure Advisory Panel, in testimony up on the Hill about a month ago, say that the encryption issue is serving to obscure and deflect interest away from the fundamental issue of protecting critical infrastructures. He cited the fact that of all the public comments that were received on the critical infrastructure protection report, the great majority of them dealt with the issue of encryption, which in some respects was tangential to what the report had to say and the very many recommendations that were set forth in that report. I was also interested to hear Senator Nunn say that, in his opinion, the law enforcement community had to accept some sort of compromise and it would have to go beyond the current debate on encryption. 

Now I happen to represent a company that provides encryption tool kits that are incorporated into many, many of the commercial products that all of you use on your desktops or in your company and corporate systems. It's phenomenal to see the growth that has taken place in the commercial marketplace for encryption and the general level of interest that's out there. Our marketing people have posted a figure on our website lately that says there are over 300 million copies of RSA-enabled products out there that are out in the commercial marketplace right now. Now the important thing is that very few of these are probably being used either at all or very well, if they're being used. So I think we really have some time to address this particular issue, before we are overwhelmed with the actual use of the cryptography that is out there and is in the installed base, and is being used effectively by people, most of whom are law abiding citizens, but maybe a few of whom would use cryptography for other than lawful purposes. 

It's also interesting to note that about five or six years ago, our company started hosting a small kind of conference on cryptography. When I was going out there to get beaten up defending the Clipper Chip, and other encryption policies, the attendance at this conference was around 250 people. In the last two years, the commercial interest in cryptography has significantly changed. We hosted our annual conference in January this year, up on Nob Hill in San Francisco – we filled a Masonic auditorium up there with 3500 people, and next year we're moving the conference to the San Jose Convention Center where we expect probably 4000, 4500 people. Most of the people who attend this meeting are no longer the cryptographers with beards, the ones some people used to confuse as rocket scientists or nuclear scientists. They are people with coats and ties and people who represent the business community and the user community. This subject is of now prime consideration for business, and people on the vendor side and the user side are very, very interested in the use and application of cryptography. 

Now, there are also a lot of developing standards out there that are going on with respect to electronic payments, secure e-mail, network encryption. And a lot of this is going on without taking into account the public policy issues that are raised over cryptography. We've also seen significant consolidation going on in the security product industry. There is big money in security products. Our company was acquired for over $600 million by another company not too long ago. A company that has a patent on key recovery systems, Trusted Information Systems, was acquired for $300 million by another company, which, by the way, also acquired PGP not too long ago. How they're going to reconcile that particular corporate structure, I don't know yet; but it makes an interesting consolidation to watch in action. 

So what I'd quickly like to do is cover some of the cryptography policy developments in the last few years. I'm going to omit the parts that Bill's already talked about, so as to not burden you with duplicate information, and then go on to some of the things that I see happening right now. 

We've seen basically, as Bill said, that cryptography covers four different functions, only one of which is involved with confidentiality. You have basic protection for encryption, confidentiality of authentication, integrity and nonrepudiation. There are many, many benefits to be derived from the use of cryptography, particularly for authentication and integrity, which we have not taken advantage of either in the private sector or in the civil side of government. One only has to look back on the flap that the Social Security Administration got into when they wanted to bring up their personal earnings and benefits statement database on-line, and did not, probably because of some of the problems going on, take advantage of the use of cryptography and digital signatures that were imbedded in some of the Web browsers they were looking at. As a result, they had to pull back the announcement that they were making the earning statements available to individual citizens; they had to totally retool the program, and probably waste a lot of money and time and public confidence in the process. I think we must also remember that cryptography is important, but not the only integral component of a secure information system. We have to start taking a system wide view on information systems security. And there are a lot of things that should be done to make sure that our information systems security is appropriate, besides employing cryptography. 

Now the current interest of the public is really focused on what's going on in the Internet. We see it as a company; many of our new licensees for our cryptographic tool kits are people who are licensing our products so they can build Internet-related software and hardware products. The public's perception is, what they're primarily interested in is to try and use the Internet to protect my credit card when I want to buy something over the Internet, or protect sensitive information that is being shipped by me. And currently right now, the answer to that is, it's probably not; but there are a lot of tools coming down the road, particularly in the financial world, that will allow that to happen. Some of the licensees that we've had for our cryptography products lately are interesting. We licensed the organization that provides technical services to the whole cable TV industry for possible use in cable modems. Now obviously, cable modems are coming down the road and they're going to take our license and probably proliferate that into the Internet services that are going to be provided by your local cable TV company. We've also licensed cryptography to a company that provides technical support to state lotteries around the country as well. Are they going to go on-line, are they going to use it in some respect? We've also got a license lately to an outfit in California called Silicon Gaming that is making software driven slot machines. So you can see that they're moving into that as well. There's a whole area out there for electronic money and electronic cash, which is dependent upon cryptography. 

Now, there's I think some of the current debates going on is this continuum flipping back and forth, or change one, change two, change three, that has happened with respect to Administration cryptography policy. We started out back in 1993 with something called the Clipper Chip. I think that the way that was handled, and the technology that was there, tended to poison the well in terms of any kind of constructive debate that we could have on cryptography policy. Since then I think the Administration has moved, albeit slowly, toward a much more reasonable policy, in terms of trying to emphasize the private sector use of cryptography, trying to identify where business interests and government interests coincide, but I don't think we're there yet. And I think Secretary Daley's presentation and his speech last week recognized that we're not there yet for the very reasons that Mr. Crowell cited in his presentation. We've seen patterns where the government has tried to influence the commercial market place through the promulgation of standards, and has tried to shape government procurements and export controls. I don't think, with the possible exception of export controls, any of these strategies have been particularly successful over the last four or five years. We are starting to see where the Administration is saying that they have a balanced approach. They have run various key recovery demonstration projects. Interestingly enough, there were 13 key recovery demonstration projects that were briefed to the public last November. Eleven out of those 13 were for key recovery for stored data. The issue of key recovery for stored versus transmitted data seems to be an issue that we haven't really addressed and settled yet. It's my opinion that in that area there is a clear convergence of business interests for key recovery for stored data along with the government's interests, and we ought to try to leverage that synergy to the extent possible. 
It's interesting at the first meeting of the Key Recovery Advisory Committee, that is helping business develop a federal key management standard, that when they went around the table, most of the vendors there said that they had heard from their customers an interest in key recovery for stored data but none for transmitted data. It seems to be that we, in some respects, have our priorities reversed on that particular issue. 

There is a key recovery standard being developed by the federal government right now. The next meeting of that group will be in Boston on Thursday. The interesting issue is going to be that Microsoft let it be known at the last meeting that they would not support any federal standard that required that the key recovery feature come out of the box with the "enabled-on" feature. And so that issue is going on and will be discussed at the next meeting in Boston. 

We've also had many international discussions, and I think Marc probably will touch on that in some of his presentation, because there's some FOIA (Freedom of Information Act) material that's coming out that's very interesting. I'd like to contrast and maybe close with what's going on in the U.S. versus what's going on in Canada right now. Earlier in the year, the Canadians put out a draft cryptography policy document. It's called a Cryptography Policy Framework for Electronic Commerce. And they actually said this is our government's thoughts right now, we've got various options, we'd like to hear from the public in Canada as to what their thoughts are on this. And they decomposed the problem into three components: stored data, transmitted data, and export controls. Should the key recovery be market driven, should there be minimum standards established by the government, or mandatory standards. And the next major component was real time communications. Should they have the status quo, which is basically no key recovery right now? Should there be statutory requirements on telecommunications providers or should there be a public key infrastructure kind of approach where key recovery is designed as an integral part of the national infrastructure of Canada? And finally, they asked for public comment on export controls, and three options were given: relax, maintain, and extend. I thought it was a novel and kind of refreshing way to actually start talking, to start a public dialog on cryptography, and one that perhaps we should have tried in the United States. I think we missed a golden opportunity to have a realistic public discussion on cryptography policy after the National Research Council released its report on cryptography policy. This was called, I forget, the short title of the report was called Crisis. And I think actually, that accurately reflects the nature of what the state of our policy is with this country right now. 

There's been a couple of recent developments; Secretary Daley's speech currently shows that there is at least disagreement within the Administration over strategy and tactics. But I think one of the more interesting ones that has come out recently is a report from the Economic Strategies Institute, which, for the first time, tried to come to grips with what is the economic loss to be suffered as a result of export controls. And these people came up with a figure that over the next ten years the U.S. economy would stand to lose $35 to $95 billion dollars as a result of continued export controls on cryptographic products. Now, whether you believe those figures or not – who knows? It's a good start; people ought to start actually dialoging on some of those points, and let's see if we can't come up with some economic impact. 

I was at a recent meeting at the German embassy where a manufacturer of cryptographic products sat there, told everybody in the room that he thought the current U.S. export policies were great, because his company was going like gangbusters and setting up virtual shopping malls with 128-bit encryption all over Europe. They recently established subsidiaries in Belgium, Singapore, and …, and he thought that the lack of competition from the U.S. was great, and thought the U.S. should stay the course on export controls. So, that's an interesting perspective to hear from a German software vendor. 

I guess finally I'd like to conclude and say a new public interest group has sprung up, called the Americans for Computer Privacy. They have an objective to try to pass the SAFE bill, and also to fight any attempt for domestic controls. This has significant private sector backing, a lot of trade associations, which range from the National Association of Manufacturers, U.S. Chamber of Commerce, to the Association of Floral Telegraph delivery people in the United States. And it should be interesting because this is the first time, I think, that the cryptography issue has been worked like a political issue. They have gotten two very swift political operatives working at the head of this group, and it seems to be well-funded and is very media sensitive, and will probably take this issue to the airwaves at some point in time in the future. 

So, in closing, I agree with Bill that we haven't found the right balance yet, we haven't treated it in some respects as the serious public policy issue that it really is, and I think it's time that we get down and get serious about cryptography policy. It's actually time to start really using it to protect the critical infrastructures and the sensitive business and government communications and databases that we have in this country. Thank you very much. 

Mr. Rotenberg: My name is Marc Rotenberg; I'm Director of the Electronic Privacy and Information Center, and I'd like to thank you for the opportunity to be here this morning to give you another perspective on the encryption issue. 

When I saw who'd be on the panel this morning, I thought it would be interesting to see how we would be seated, and appropriately Bill is at one end of the panel, I'm at the other end of the panel. From my perspective, I seem to be on the far left, and from your perspective I guess I'm on the far right. We're a little bit more closely seated. I like what Peter said at the outset of this panel. There is something about the encryption issue which at one level seems very simple. We have some competing concerns: we have the concern of law enforcement, well-founded, that encryption can frustrate a criminal investigation, make it difficult to protect public safety; we have the national security concern, well-founded, about access to important intelligence; and then on the other side of the ledger, we have concerns about industry and economic competitiveness and technological innovation and losing markets to foreign competitors, and we also have concerns among private civil liberties organizations about the rights of citizens who need to have a limited government to protect privacy. And at some level, that's all very straightforward and lends itself to political words like compromise and balance and finding a sensible solution. 

But at another level, as Peter also suggests, I think the matters are actually much more complex. It requires us to look at historical trends to understand what's happening today in our economy and the changing role of technology and even perhaps the changing definition of national security. It requires us also to look at technological trends and to understand what it is that's happened in the last two decades in computer security, and particularly development of encryption, to create new opportunities and technologies to protect privacy and security. We need to conduct some sort of risk assessment that allows us to look at the costs and benefits of different policy options, and finally we need to look at the international dimension, to look at what our allies and our trading partners are doing and to try to assess our policy in light of the many other countries and institutions that are developing their own policies. 

So it's really on this second level that I'm going to talk this morning. I'm going to look at four areas. The first will be the changing role of encryption; the second will be the development of U.S. policy, where I will say for the most part we've actually been fairly slow to adapt to recent changes; my third point will have to do with what's happening outside the United States and the significant costs to our country that I think our current policy is imposing on us; and my final point will be about future directions and where I think we need to go from here. 

Let me begin, though, with the critical first area, and that is the changing role of encryption technology in our society today. As Bill pointed out at the beginning of his talk with the story of the planning leading up to the invasion of Normandy, encryption has, for a very long time, played a critical role for the military in protecting vital secrets for real-time operations, for planning and for intelligence gathering. I'm sure that will always be the case. There's nothing that's going to change about the importance of being able to keep secrets from your enemies. What has changed is that in the last twenty years, there has been a phenomenal growth in the civilian side of the use of encryption. The use of encryption for everything from local network security to commercial off-the-shelf software, to private e-mail communications, to authentication – virtually any application that you can imagine today in the digital world can make use of encryption in some way. Let me give you just two recent examples. There's an on-line bookstore – I don't know if many of you have heard of it – called Amazon.com. It's actually one of the more successful Internet businesses; I think it's a bit of irony worth noting, by the way, that the Internet has given rebirth to the sale of books on-line. I'm not sure if any of the public would have predicted that a decade ago, and it keeps me properly humble for what I'm going to say this morning. But Amazon.com is out there, and they're doing a good business. People like me who want to order gifts for friends, or books for members of my family, can go to their website and select from an order form a series of books. Now, how am I going to pay for these books on-line? I can call them up if I wanted to and give them my credit card number, but that really defeats the purpose of the Internet. 
So what Amazon does is to set up a secure means for me to enter my credit card number on my keyboard in my home in Washington and transfer it to their center – I don't even know, frankly, where it is – but from my computer to their computer, my credit card number, expiration date and name are all encrypted – so that anyone who might get access to that packet moving across the Internet is not going to be able to make any use of it. And that's true whether I'm using Netscape Communicator or the Internet Explorer; it's a feature of browser software, the SSL, the Secure Soft Layer, and it affects millions of people using the Internet today for electronic commerce. It is what provides the privacy and security that makes on-line payments possible. 

Let me give you another recent example. My wife just signed up with a local Internet service provider; she had been assigned a user account and a password she wanted to change. … I dial into the local service provider – they, also taking advantage of the SSL feature in browser software, allowed me to have secure communication from our computer to their computer so that I could transfer the user name and ID password in a fashion that would not be accessible to others. And you can quickly imagine that if those features were not available to people using the Internet today, the opportunities for real crime – I mean widespread crime, of all this sensitive information, moving across these new computer networks – would skyrocket. 

What then are the key features in the last couple of decades that have transformed the role of encryption? One, which Bill describes, was the development of public key encryption, basically ending the need for the creation of a secure private channel before an encoded communication could occur. You know that historically, generally speaking, you needed a way to exchange codebooks so that people could exchange in private key methods, method key methods, scrambled messages. Through public key encryption, which basically takes advantage of one-way problems, things that are easy to solve in one direction, but not in another, made it possible for two people who had never met before to exchange a private communication without a third party getting access to the content or at least understanding the content of that communication. That was truly revolutionary, and makes it very difficult today to manage through a central point a sole key system that would somehow prevent others who might choose to have private messages and private exchanges from doing so. Public key encryption, then, is the first critical development. 

The second critical development, of course, is the growth of the Internet, which makes it possible to move information across boundaries around the world in real time. I say that but I have to qualify that that was a long time coming through the telecommunications system, but never before have we been able to move the types of information, the breadth and depth of information that we are able to move today on the Internet, and it really does make a difference. And finally the growth of the digital economy. My point about Amazon.com reminds us that in the years ahead, we're going to see more and more transactions taking place on-line. There will be more opportunities where people will be typing credit card numbers, using new forms of cash payment, to conduct business. And in this world, security and privacy are absolutely critical. 

Now, my second point is that we are, therefore, in a period of significant change, and we like to say, you know, software lags three years behind hardware and public policy is about ten years behind that. And that's roughly where we are today, I think, in the encryption debate – maybe closer to ten or fifteen years. We are still having a debate about encryption in this country as if it were sometime in the 1980s, and we have still not properly appreciated the important widespread role that encryption plays in the protection of privacy and security. Think for a moment about the number of different ways you use locks and seals in your personal life or your business life. You have a lock on your car, on your house, your file cabinets, maybe you have a safe, you seal letters and envelopes, things that you don't want other people to see, get access to; all of those different techniques in the physical world are being transported to the digital world. And it is encryption that's making it possible to provide that kind of privacy and security in this on-line environment. The premise that it is necessary in each one of these configurations to factor in the law enforcement concern or the intelligence concern, however well meant, is simply not practical; it is simply not realistic. It is leading to a tremendous distortion in public privacy and the development of safeguards and procedures that are necessary for American citizens in this new information environment. But the problem is not hard to understand. For a long time, in fact, we have treated encryption as a munition, and it was only in the past year, when authority was transferred from the State Department to the Commerce Department, when we began to take the first step toward recognizing that encryption is not a munition and that it plays a critical role in the civilian economy. 

I think we made another mistake. Law enforcement said, "we have a problem with this technology – it is going to make it difficult for us to get access to information that we need to protect the public." And they can put out a couple of scenarios involving people engaged in a terrorist act that I think are quite serious and need to be taken seriously, and I have been one of the first people to admit that I think there are going to be problems created by encryption for the law enforcement community. But to proceed from that understanding to a conclusion that requires that all encryption techniques facilitate real-time access to the encoded data is going to create complete chaos. Think for a moment about those examples I gave at the outset. Purchasing a book at Amazon.com; changing the password for my wife at a local Internet service provider. Does it make sense in either of those examples to create copies of the keys that were used to enable those communications and those transactions so that they might be accessed at a later point as part of a criminal investigation? And if you can imagine a scenario where they might be useful, and I think it's perhaps possible to construct such a scenario, consider next the risk of having those keys lying about for third party access. Perhaps it isn't the police officer acting with a lawful warrant who wants access to the key that provides my credit card number. And perhaps it isn't the police officer with a lawful warrant who wants access to the private key that allows me to change my wife's password and ID – we have to seriously consider the down side problem here. It is significant. 

So the policy has been slow to change in the U.S., and it is imposing a real cost on system security and on economic development. Let me say a few words also about what's happening on the international front. In the international dimension, the cryptography issue is particularly important, because as people on both sides of this debate have pointed out, even if the United States were successful in its efforts to regulate the use of encryption, there is still the very serious problem of what do you do if there are countries out there that allow the free development of encryption without the law enforcement access; without the key recovery or key escrow features. You can imagine a world, for example, where you have regulations in the U.S. that require that all encryption manufactured, sold, and developed in the United States provides for lawful access, but perhaps those regulations don't exist in Germany. Or they don't exist in Japan. Or they don't exist in Israel. U.S. manufacturers would then find themselves in the situation of providing inferior products in a very competitive global market, whereas the bad guys would still be able to get access to the strong encryption outside of the U.S. and use it for the scenarios that you're most concerned about. 

Well, let me tell you what is happening on the international front. I can speak from some experience on this point. I spent a couple years participating with the OECD – that's the Organization of Economic Cooperation and Development – it's like a mini United Nations based in Paris of 29 of the leading industrialized nations that include the U.S. and Canada, much of Europe, Japan, Australia, New Zealand; trying to develop a global framework for cryptography policy. And there was a lot of agreement on certain principles, systems should inter-operate, product development should be market-led, there should be user choice, countries should work together. But on the central question of whether cryptography policy should require law enforcement access to private keys, outside of the United States and France, which is the only country right now that mandates by law the creation of trusted third parties to escrow these keys, there was no support for that policy. Simply no support. Now the United States has worked closely with Great Britain, and there have been over the last couple of years a couple of different efforts through the department of trade and industry to generate support for this policy, but to date, the U.K. government is still not on board. So you have essentially the U.S. pushing for key escrow, and you have France pushing for key escrow, I suggest for different reasons, by the way. Where I think the U.S. is looking at this issue from more of a global perspective, I think France has more of its own national sovereignty at the heart of its concern. It's basically looking out for its ability to conduct its own law enforcement activities within national borders. But Germany is going ahead with strong encryption policy, and that position was reaffirmed last year when their economic minister, Mr. R---, called for the development of strong encryption products. 
In fact, the European Union, in a statement issued at the convention last July in Bonn, the Declaration of the Ministers, said that we need strong encryption and indicated that they were not going to support the key escrow / key recovery techniques. 

Now this has created a very difficult dilemma for the United States. As Peter said at the outset, Secretary of Commerce Daley this past week has described the implementation of U.S. policy as a failure. But he said something else which I think was equally important. He said that this policy has also imposed enormous costs on the U.S.'s ability to do business with its trading partners and its allies, because the longer we continue to push for the key escrow / key recovery techniques, and the longer our allies resist this, the more difficult we have made it for us to exercise leadership on other issues. For this reason, I think we need to begin to think about changing directions. 

Now, it's a very difficult process in Washington when you have powerful entrenched groups with strong arguments on their side, and, as I said, I don't think anyone doubts the sincerity or concern of the national security and law enforcement arguments. But at the same time, from my perspective, I think if you look at history, and if you look at the technical developments, and if you look at what's taking place around the world, you will eventually conclude that that approach that has been favored by the law enforcement national security community is simply no longer practical. Even if we wanted to pursue a policy, and I don't think there's support for this policy, but if we wanted to pursue a policy based on real-time access to every encoded communication in a world that will be filled with millions and billions and trillions of these transactions, we simply could not do it. 

And so the question becomes, how do we address this concern. What is it that we need to do? I think we first have to recognize that encryption does pose a threat, and we have to understand that threat. I think at the same time we also have to understand that in the law enforcement function, there are two important, but not equal, interests. There is crime detection, but there is also crime prevention. And one of the problems with reducing the strength of encryption that is available to American citizens and American businesses is that it has made it more difficult to prevent the types of crime that might occur and the types of crime made possible; people have access to credit card numbers, and use them to try to … so I believe a greater emphasis on crime prevention, and the ability of strong encryption, and anticipation that we are going to have some serious problems involving the use of encryption, it's both the most sensible and the most realistic policy for us to pursue. And while it's very tempting in the political realm to talk about the need for balance and compromise, I don't think that's the right direction today. Thank you very much. 

Mr. Feaver: Thank you. We now have the opportunity to ask questions, and I'll abuse the moderator's privilege to ask the first question. If you listen to the information warfare community and the kind of talks that began this morning and have and could have been extended, you get the sense that other people's data is lying out there to be manipulated easily; can be read easily; manipulated easily; stolen easily, and so forth. And so there are wonderful opportunities for offensive IW. If you sit on this panel though, you hear that strong encryption is about to close off the data of everybody – good guys and bad guys – from the U.S. government. And at least to my untutored and inexpert ear, it sounds like there's a contradiction. Which is true – is the IW community correct, that you can exploit people's data in interesting ways – the Chuck de Caro type scenarios, or are you guys correct, that once strong encryption spreads, you won't even be able to read the e-mail of our 15-year old son? 

Mr. Rotenberg: I don't think I actually said that, Peter. The examples I was talking about relate to the traffic as it moves from point to point, and the role that encryption plays in protecting that traffic. But as people who do intelligence and also criminal investigations will tell you, it's oftentimes the end point of people who have access to the systems who are the most valuable sources of information. You can construct scenarios where people would make it very difficult, and my experience is more on the civilian side, to get access to data. But the 100 percent fool-proof outcome I don't think anyone on this panel anticipates any time soon. 

Mr. Crowell: Peter, I think that both are true. And I think they're both true for the following reason. There are 300 million copies, Lynn says, of encryption out there. I'd like to ask people, aside from the military people who may use it in their official roles, how many of you use encryption? That number is going to be shifting over time, because some of the impediments to using encryption will disappear. Those impediments are not policy impediments. Strong encryption has been available in this country, unimpeded, throughout this entire debate. What are the impediments? They're the cost; ease of use, in other words, do you have to just click on a button or do you have to go through a whole bunch of steps to make it work? Transparency – you don't even know it's happening in some cases. Performance – does it keep you from doing the job that you normally do as well or as fast as you used to do it? And the list goes on. Down at the bottom of the list is that policy hasn't made good use of encryption. But all of this list is going to disappear over time. And so encryption will become much more readily available and much more used. Final point, though: none of us believe that the risk is really very high of not using encryption. Let me ask the military people here who use encryption like STU3's all the time; whether during the Iraqi war any of you ever placed a phone call without pushing the button to make it go secure? I have seen the studies, and the studies say that most of you never pushed the button, during the war, when it was high risk for American lives. And so, we're going to see a world in which there is encryption everywhere, it's going to be easy to use, transparent, all these kinds of things, and people are going to not use it. And that's of enormous concern to me. By the way – last thing – I happen to be very, very concerned about privacy. And I do not equate encryption and privacy as issues. 
Every time I cruise the Net, the person on the other end is getting information about me that is private information, and I would much rather see more attention given to how that information is gathered and used while we sort out the policy issues than the way it's being treated today. 

Participant: Bob Minehart, Army War College, and I'm trying on some hats here, the corporate hat, as to looking at encryption. And I've heard the argument for over a few years now that high grade cryptography was going to be available from overseas and all that. And Marc, you've alluded to the fact that countries like Germany, France and such … France saying that they're going to go with recovery, or key management, and we can hear your comments on Germany. But as I look at it, try to throw on a commercial hat and look out, I don't know if I'd really trust countries out there if we look at some of the things that some of our friends, France and Israel, even though they say they're not doing key recovery, how do I know that they're not letting back doors in? But I would think, and it's hard to do because I'm an American, that most other countries, international companies, might look at America and say OK, they have key recovery – I can trust in what they're saying. They're telling us up front there's key recovery, and as long as we're legitimate we trust them on that point. How do you know there's not back doors being put in by one of these other governments and their strong encryption? Do you feel really comfortable with that? And then the other perspective was, when you talk about law enforcement and prevention, I think prevention is very important. We see in many cases, some public, some not public, where law enforcement is frustrated in gathering evidence for prosecution. From that perspective, how do you see assisting the prosecution in gathering evidence and all that? 

Mr. McNulty: Let me handle the last part of that. It's interesting because people are trying to find ways for compromise on that particular issue. And one of the variations of the same bill that was passed, I think, by the House Commerce committee last year, did include authorization for establishment of something called the Net Center, which would basically provide law enforcement a high-tech capability to address issues related to encryption and advanced telecommunications. And that's one of the alternatives sitting out there to help law enforcement work this particular issue. If you can't give them a key recovery capability, then give them the capability to at least work to break into the system to find a disk or something where there's encryption involved. And those are the kind of alternatives we're throwing around these days in Washington. 

Mr. Crowell: I'll just add to the second part of the question again. I think that there are many approaches, both operational and technical, that law enforcement should be investigating today, making sure they have the lawful base to engage in. One of the problems is that there's a shortage of people who really understand information technology in this country, and there's a real shortage of people who understand information technology in the law enforcement arena. We need to do something about that – we need to establish centers and advisory boards and we need to do other things and allow tools that are more in keeping with the Net world. That's not to say that that would replace key recovery for the recovery of documents, because as Marc even said, for stored documents, there is a business in recovering those. … [inaudible] 

Mr. Rotenberg: On your first question about the risks that an overseas product may have … [inaudible] but I don't think that concern is necessarily any less … [inaudible]. So really, we have to take each product on its merits and make an assessment. One of the issues that the cryptography community feels very strongly about, which has created some problems in the national security community, is the need to conduct as much of the research and publication as openly as possible. That's one of the best ways that you have to test and evaluate arguments, to say just take a look at this, do you think there are any problems with it. But of course that runs into some problems concerning types of applications where they receive …. It's very important, as the point that Bill made, which is the need to establish trust. When the White House proposed the Clipper encryption scheme in 1993, and said this is what we plan to do, and by the way the algorithm is secret, it made it difficult for people who were even partial to the proposal to say let's see if we can try to make this work. It made it difficult for them to convince others that it was a good idea because there was no way to prove or at least to test the adequacy of the algorithm, and I think there is a lesson there, and the question raised today, there is a cost in secrecy, and it's particularly clear in a lot of these applications. 

Mr. Crowell: One quick footnote. This trust issue extends well beyond encryption. There are people in various elements of our government and defense who worry about "foreign derived software." Well, you know, when you look at information technology, inside that suitcase is a computer the components of which came from all over the world. The software embedded in the hardware came from all over the world. And if I buy U.S. software from the Northwest corner of the United States, it came from all over the world. So trust in that world is going to be hard to find, and we have to find new ways of demanding trust … a very difficult world. 

Participant: My question is for Mr. Rotenberg. I'm Jake Schaffner, community management staff. You only had a brief mention at the very end of your talk about putting more of the emphasis on crime prevention than detection. I'd like to get more specifics on that, since most of your talk was spent on attacking some of the government arguments in its behalf. 

Mr. Rotenberg: It's a good question. My view is that the best way to prevent crime is to make strong encryption widely available to users of these networked computers. And that doesn't necessarily give an admission to a law enforcement agency, because one of the best ways you have to protect yourself is to have good logs that involve good common sense and to protect your systems with the best tools that American companies can provide for you. That was my example of SSL … come and use your idea. I think it's the right way to go. And if you can imagine a world where people don't have good logs, you will see problems with crime …. 

Mr. McNulty: Let me add to that. I think that was a fundamental conclusion that was contained in the 1996 National Research Council Report on Cryptography. One of their fundamental recommendations or findings basically said that, on the whole, the commission which was composed of eminent Americans including former Attorney Generals, former deputy director of the National Security Agency, other people of similar qualifications, came to the conclusion that the net gains to the U.S. for the use of cryptography outweighed the dead losses that were inherent in the proliferation of strong cryptography. And I think that was one of the more striking conclusions that unfortunately has been neglected, in an under-read volume out there. 

Participant: The National Research Council Report also said that we should preserve export controls at the time, as I recall …. 

Mr. McNulty: … No, it did not recommend coupling 56-bit … key recovery. 

Same participant: No, it didn't, but it did say maintain export controls and keep them limited to levels that are not that much different from what we currently have, so what is, it seems like the strong interest … the National Research Council allegedly is … export controls … that they in fact said we should preserve … 

Mr. Rotenberg: I think that reading is not quite right. I mean, in fact, the report did say to liberalize export controls and to move immediately to 56-bit key length, without any key recovery or key escrow requirement. 

Participant: Which you can do today, … as long as you have a plan to develop key recovery …. 

Mr. Rotenberg: … No, you can't …. 

[Participant and Mr. Rotenberg speaking concurrently; voices indistinguishable]

Mr. Rotenberg: You have to be precise on this because the recommendation the NRC made was to move to a 56-bit key length without key escrow or key recovery – that was clearly an intention to liberalize export controls. So let's not say there was an intent to maintain the status quo; that's not accurate. Then we have to ask the question, what is the current policy? Is the current policy to recognize 56-bit key lengths without key escrow or key recovery, as recommended? The answer is no, the commerce regs that were issued this past year said you can go to 56-bit … if you have a plan within two years to implement key escrow / key recovery. So we have not yet even moved as far as the NRC report recommended. 

Participant: I think that's accurate, and I agree with that; my point is that they did not adopt the position of Americans for Computer Privacy, or your organization or others, that wanted to liberalize or remove all those export controls. 

Mr. Rotenberg: Oh, I agree with you there. That's right. 

Mr. Crowell: Well, I would just for the sake of complete accuracy like to say that the Report was actually written but not published prior to the key recovery policy, employment of the policy; in fact, prior to there being the invention of key recovery versus key escrow – key escrow meaning there is a back door, and it's stored in some safe place; key recovery being there is no back door, you only use trusted parties for access through normal keys. So it's a little unfair to say that the NRC study didn't recommend key recovery, because frankly, they didn't know about it. 

Mr. McNulty: Well, again I remember on recommendation five or six of that, basically maybe I'm summarizing correctly or incorrectly, before the government goes off and advocates key recovery for the whole society, it ought to try it on itself. And I think that that – you know, part of those key recovery demonstration projects that I alluded to in my presentation were part – were so inconsistent with the NRC report that the government ought to try it on itself and understand some of the complexities, the costs, and technical issues that come with that. 

Mr. Crowell: We're getting wrapped around the axle on key escrow versus key recovery. They do not like key escrow and …. I totally agree with them, key escrow was bad security. 

Mr. Minehart: … How about traditional crime, where the apogee is the Internet as their C2 network. Now how is your prevention … going to help report individual crime? [inaudible] 

Mr. Rotenberg: I think you still have to consider the security of your targets where encryption can play an important role, but I think that the risks of the use of the Internet have promised significant …. Over the last ten years I've worked on privacy legislation with the Fraud and Abuse Act which was passed in 1984 and was the work of the Senate Judiciary Committee. My view of computer theft is that the best approach is to focus on the underlying bad, whatever the harm is – whether it's the theft or the destruction or it's a criminal concept that would exist whether or not the Internet was there. One of the developments is to focus on the use of the network or the use of a computer or, recently, the use of encryption as an independent criminal offense. It's almost like making use of a typewriter or pencil to commit a crime … and I think that's …. So I think you're going to have strong laws, … people who commit the crime … techniques [inaudible]. In terms of the … detection, which is the respect in which we're most interested, and I've actually spent a fair amount of time reading the wiretap reports of the U.S. Office of Administrative Reports – they go back now 25 years. And we see the use of wiretap techniques around the country …. The thing that's most interesting to me about this whole debate is that wiretap, real time intercept on the law enforcement side, is actually a very, very small part of investigating a crime. Even electronic surveillance, as many of you probably know, involves quite a bit more than wiretapping, there's bugs, … a lot of ways to gather information that don't involve real time intercepted communications generally. Those opportunities and those techniques, for better or worse, are becoming much more credible today than they were in the past, and when law enforcement says we're having a problem in intercept, I think it may be true.
 
 
 
 

Lunch Address

Tuesday, April 20th, 1:00 P.M.

Speaker: Richard Clarke
 
 

Mr. Sharp: Good afternoon, ladies and gentlemen. I hope you've had the time to have a good lunch. It is my distinct pleasure to have the opportunity to introduce to you this afternoon Mr. Richard A. Clarke. Mr. Clarke has had an exemplary career of service to our Nation. After graduation from the University of Pennsylvania and MIT, he has held a series of very senior positions in the Department of Defense as well as the Department of State since 1973. To name just a few for you, in the Reagan Administration, he served as the Deputy Assistant Secretary of State for Intelligence; in the Bush Administration, he served as the Assistant Secretary of State for Political Military Affairs; and since the beginning of the Clinton Administration, some seven years, Mr. Clarke has served as Special Assistant to the President for National Security Affairs and Senior Director of Global Issues on the staff of the National Security Council. I've seen Mr. Clarke lecture several times before, and I've seen him in action in the interagency, and I can tell you he is truly a pro, and he is a very engaging speaker. So ladies and gentlemen, please join me in a very warm welcome for Mr. Clarke. 

Mr. Clarke: Well, with that kind of introduction there's no place to go but down. Thank you all for inviting me to this conference. I'm very glad to be here; I've just come in from Washington, and I've had a fairly harrowing day getting here. Not because the airlines had any problems, but because yesterday I received a briefing on the Year 2000 computer glitch, which has to have an acronym and is known as "Y2K." Since I've had this briefing, everywhere I look I see potential problems. All day today from the time I left the house and got into the taxi, all I've seen is one potential problem after another. I got into the taxi and there on the dashboard of the taxi was a computer to dispatch the taxis. Got to the airport – needed some money, went to an ATM machine and realized it was a computer. Went to the head of the line at the ticket counter and tried to get my ticket and realized they were looking things up in the computer. Everywhere I went there were things that could "break down" on New Year's Eve of the Year 2000. My favorite candidate for the Y2K glitch, however, is the elevator. Someone recently realized, as part of this ever-expanding search for things that might break down, that a lot of elevators in this country have computer chips in them. And the computer chips are programmed to make the elevator act up if it hasn't been inspected or serviced at periodic intervals. And so we face the very real prospect that at the stroke of midnight, on New Year's Eve in the Year 2000, hundreds of elevators are going to celebrate the coming of the millennium by descending to the first floor, turning out their lights, and causing their doors to go like this repeatedly. [Laughter.] 

Actually, most of the major Y2K problems have in fact been identified and, at least in this country, most of the Y2K problems of the major systems will be addressed by that New Year's Eve. I still wouldn't go to a New Year's Eve party on the top of the World Trade Center if I were you. 

But looking around at day to day life, and seeing our reliance upon computers – the taxis, the ATM machines, the airlines, the elevators – it highlights not only the Y2K problem, but the Y2K problem is the tip of the iceberg in terms of our vulnerability as a nation, our vulnerability as an economy, our vulnerability as a military superpower, because of the increasing reliance that we have as a society on computers – vulnerable computers, interrelated computers. And so your conference today is a very timely one, and I really want to thank you for it and I want to thank the sponsors for putting it on. It's an opportunity for me to preview with you a Presidential Decision Directive that the President will sign and issue before the end of the month. Since he hasn't yet signed it, as of when I came into the lunch, everything I say is by way of a preview, and by way of what could happen, and not by any means to suggest that the President's prerogatives are being abused. But there is an important Presidential Decision Directive coming out. It is based on the work of the Marsh Commission – the President's Commission on Critical Infrastructure Protection. I think as we talk about the Directive and talk about the road ahead, we really have to pause and thank the Commission – thank General Marsh, thank the other Commissioners and the staff of that commission – for the groundbreaking work that they did in a very short period of time to give us the kind of recommendations that can be useful. So many presidential commissions create reports that collect dust or become coffee table books – the Marsh Commission has given us a set of detailed recommendations which are being incorporated into the President's Decision Directive. 

So let me, before I go into the Directive, try to place the issue of information assurance – information protection, infrastructure protection – in the historical context in which the President has repeatedly placed it, for the President has given literally scores of speeches over the course of the last six years, talking about the new age that we find ourselves in, and the new nature of the threats that come with it. He's talked about how, with the end of the Cold War era and the beginning of the new information age, the very forces that are causing the global village to occur – causing the integration of markets, causing the spread of knowledge – those very forces have a down side or a dark side. Because the very integration of markets and the reliance upon information systems brings with it new opportunities for opponents. Today we are the world's only remaining superpower, which, by the way, is an acronym that spells "worse." It is worse in some ways to be the world's only remaining superpower, because it means that no other nation has military capability in a league with ours. Therefore, we are not going to face an opponent again in the near future that lines up its tanks in the desert, or lines up its artillery axle to axle, or sends its bombers toward our homeland. Our opponents – and we will have opponents – will have to find new ways, or additional ways, to attack us. Because although we are the world's only remaining superpower, that does not mean there aren't people out there with ill will and the intent to use force against us. Some of those threats are countries. Some of those threats are terrorist groups. Some of those threats are international organized crime cartels. But from all of them we face a new kind of threat. 

This new kind of threat is what the military call an asymmetrical attack, or put more simply, attacking our Achilles heel. And where is our Achilles heel? It's here – it's at home – it's in the homeland, where terrorist groups, cyber attackers, people who have gotten their hands on weapons of mass destruction can come and find us relatively defenseless. We saw in the case of the World Trade Center how a very small group of people could enter this country and wreak havoc. And the secret of the World Trade Center disaster, as bad as it was, was that it came very close to being much worse. Because if it hadn't been for some extraordinary measures taken that day, several major financial houses would not have been able to close their books, and there would have been financial chaos. The World Trade Center was a wake-up call for what terrorists could do by coming to this country, and so, in a similar vein, was the attack in the Tokyo subway, using sarin nerve gas. It demonstrated for the first time how a terrorist group – one we had never heard of, I might add – how a terrorist group can put its hands on weapons of mass destruction and wreak havoc in an urban environment. 

Just as the World Trade Center and the Tokyo subway were wake-up calls for these new kinds of threats, so Eligible Receiver, the Defense Department exercise in 1997, was a wake-up call for a lot of people who hadn't heard the alarm bell yet for the vulnerability of our defense systems to computer attack. And if you didn't hear that alarm bell in 1997, you heard it again during the Iraqi crisis when we were building up our forces and sending them to the Persian Gulf, and the Defense Department computers came under attack throughout the country from a few teenagers. Eligible Receiver was a daring thing for the Pentagon to do. It was a self-attack, something that very few organizations are really willing to do. What it proved was that using unclassified techniques – techniques that are readily available to the public off Internet bulletin boards – you could, over a very short period of time, do very significant damage to the Department of Defense. And for a while, the Defense Department players – that is to say, the people who were going about their real world business and didn't know the exercise was going on – also didn't know the attack was going on. And before we see that as a criticism of the Pentagon, I have to tell you I believe that the Defense Department is way ahead of the power curve with regard to the rest of the government and, in many cases, with regard to the private sector. And if the Defense Department can be attacked as successfully as it was in Eligible Receiver and recently by some teenagers, then I think we have to fear for the survivability of our civilian information infrastructure, because while corporations around the country are beginning to worry about computer hacking, their concern is largely with fraud, with theft, with economic espionage, and with pure malicious vandalism. 
Corporations are not worrying about the kind of attack that could occur on them if the attacker were a nation-state, with all of the additional sophisticated techniques and infrastructure of its own that a nation-state or a large-scale terrorist group or a large-scale criminal cartel could bring to play. Why is it that such groups would attack private companies, private sector installations? The very same reason that in World War II, allied bombers and Nazi bombers and Japanese bombers bombed civilian infrastructure, bombed power plants, bombed ports, bombed pipelines. For that very same reason – that the private sector IS the strength of the United States – the private sector IS our economic power. And in the future, instead of flying overhead with bombers to blow up the power plants, it may be possible – it may be possible today – to have the same effect by attacking them not with bombers, but with computers – not even coming into the United States with computers, but staying outside of our territory, and attacking telecommunications grids, electrical power grids, financial markets, by cyber attack. 

All of these things that can strike us are possible. Attacks in our homeland. Attacks using terrorism, using weapons of mass destruction – chemical, biological weapons, and even nuclear weapons – and attacks using cyber warfare. Alone – or in combination. Why would they do it? They would do it to slow our military response. What if the Iraqi crisis of two months ago had been an Iraqi war again, and what if the movement of our troops to the Persian Gulf had been slowed by attacks on our Defense computer systems, or by attacks on our civilian computer systems? The Department of Defense, just as our economy in general, relies on privately owned telephone companies, privately owned electrical power grids. Think of the effect that you could have on a major port of embarkation for our troops. When you realize that our military is dependent upon getting to places like the Persian Gulf or the Korean Peninsula in a timely way, because our plans are all built on very narrow assumptions about our deployment times, then you realize one of the things that you can do with information warfare – to slow our military response and give yourself a major leg up. 

But beyond slowing our military response, there are other reasons for people to attack us. They could try to exact revenge. We all know Saddam Hussein tried to kill President Bush in Kuwait in 1993. And Saddam Hussein could exact revenge against this country using cyber warfare. Do any of us doubt that he would do that? Or you could use cyber warfare to intimidate or to coerce the United States. Criminal cartels such as the international drug cartels in Latin America have vast amounts of money. It's estimated that over $70 billion a year is spent in this country on cocaine and heroin – that money flows in large part to the criminal cartels in Latin America. With that kind of money, and the kind of expertise they've already demonstrated, is it inconceivable that someday the drug cartels could use cyber warfare against us and say that more will follow if we continue to attack them in the jungles of South America, if we continue to de-foliate the cocaine fields in Colombia? Is it inconceivable that a terrorist group would say to us that they would attack us with cyber warfare, wreak havoc on Wall Street, or that they had done so and they would do even more, unless we, let's say, withdrew our support for the state of Israel. Is that so inconceivable? I think not. I think that the prospect of information warfare – either as part of an overall military engagement or as part of political engagement, as part of a war of terrorism or a war of intimidation – I think it's all very believable. And that's why the President's Directive and the work of the Marsh Commission is extremely timely and extremely important to our future as a country. 

The President's Directive will call for a national plan for information security. It will not be that national plan, for reasons I think that should be obvious – we don't know all the answers, but we have some idea about what some of the questions are. The national plan that the President will call for will have six major components. Number one, a plan for a system to detect and diagnose and warn about attack. Just as the Defense Department didn't realize it was under attack during Eligible Receiver, so many of our facilities around the country today could already have been attacked and may be about to be attacked and they may not know it. Before a major crushing attack will occur through information warfare, there will be reconnaissance – computer reconnaissance. People will test systems – they will try to implant trap doors; they will try to implant logic bombs and Trojan horses. We need a system that can detect attempts to do that in the private sector, in the private sector computer systems that control our power grids, our banking and finance, our telecommunications. So number one is a system to detect, diagnose, and warn of cyber attacks. 

Number two is an immediate review of obvious vulnerabilities and a plan to remedy those obvious vulnerabilities. Many of you around these tables already know about some vulnerabilities. Many of you may have your password on your computer as "password." That turns out to be a very common practice, evidently. That's one of the more obvious vulnerabilities, but there are many others that can be identified easily and fixed easily. 

Number three is a plan to island or to isolate attacks when they are occurring. Assuming we have a system that can detect an attack when it's underway – we need then to be able to act rapidly, to take that attack and put a wall around it. So if it's an attack, for example, on the electrical power grid system, it's not an attack that trips the entire national power grid, all of which is inter-connected. Or if it's an attack on a telecommunications system, it doesn't spread out across that inter-connected telecommunications system to knock all the phone lines in the country off. 

Fourth is a plan for reconstitution – something you're going to talk about after lunch. How can we quickly get minimal essential services back on-line. What are minimal essential services? The Commission, frankly, sort of dodged that question. What are they, and how can we do triage in a crisis and get them back on-line? We all know that we want the hospitals to get electrical power, and most hospitals have back-up generators; but beyond those simple questions, how do we reconstitute national communications? How do we reconstitute minimal essential banking services if somehow our banking networks have been knocked off-line? 

And the fifth part of the plan: a nation-wide program of education and awareness training. Just as there are simple fixes to simple problems, like teaching people kinds of passwords that are more effective for their computers, so we need to be able to teach people in general that the kinds of mistakes they can make on their computer systems at work can open up vulnerabilities to their entire computer network by taking that floppy disk that came to you in the mail and downloading it onto your workstation – you can be endangering the entire network. A program of education and awareness to get that kind of message out across the country. 

And sixth, and perhaps most important, a coordinated program of increased research and development. We need to know all of the research and development that's going on that's federally funded that's relevant; and we also need to know all of the research and development that's going on in the private sector that's relevant. And we need to be able to leverage the federal involvement in R & D. 

How do we create an ambitious national plan like that? Well, first of all, we don't let the bureaucrats do it. I say that as a bureaucrat. We, as bureaucrats, know that there are problems; we don't know all the problems; and we sure as hell don't know all of the answers. We know only a very few of them. And so the President's Directive calls for a public-private partnership to create the national protection plan. For each sector of our economy, the President will designate a government liaison officer, if you will, at the senior level, who will then work with that component of the private sector. And so for the energy sector, there will be a senior official in DOE; for the banking and finance sectors, a senior official in the Treasury Department. And these senior officials and their staffs will seek to work with organized groups in each of those sectors to come up with a sector plan for information protection, which we will then knit together into a national plan. 

One thing we do know is that we are not looking for extensive new federal government regulation. If we can bring about the level of protection we need without regulation, using market forces, using industry cooperation, that is far preferable. And so we seek a partnership – a partnership to do several things: develop the plan – yes, most importantly. Also a partnership to do specific things, such as develop an agreed list of best practices that each sector of the industry could use in its computer security work. A partnership with the private sector to develop certification procedures, so that personnel could be certified as information specialists, information security specialists, but also so that companies can be certified to do the type of Red Team attack and evaluation that NSA did so well on the rest of DOD as part of Eligible Receiver. The private sector needs to have that kind of red-teaming but they need to know the people they're hiring to do it are certified against some generally accepted standard. We need a partnership to coordinate on research and development so that we know what's going on in the private sector and we don't duplicate it. And we need a partnership to create that network of warning and analysis centers, so that the FBI's new information protection center can have partners in the private sector to work with, to know when penetrations are occurring that could be reconnaissance; to know what techniques are being used against companies. Without violating the proprietary rights of those companies, and without violating the privacy act. A partnership to create centers in the private sector that can do that kind of information analysis and warning. 

That's an ambitious plan. And we know that plan cannot be completed in a year. The President's Directive, in fact, will call upon us to work over the course of the next three years to develop the plan; and as we're developing it, to begin to implement it. But we certainly don't even envision the plan can be implemented in three years; merely that it can be completed over that course of time if we have the partnership with the private sector that we hope to build and that we need to do this job. 

The national plan, however, will not be a document that is completed three years hence and given to the President and the Congress, and that's the end of it. The national plan needs to be a living document that evolves as the threat evolves; that changes as technology changes and as our understanding improves. 

That Presidential Directive, I think, will be fairly unique in many respects; but in one respect in particular. Usually, in this country, we do not engage in massive national efforts involving the private sector, involving all of the United States government, unless a major disaster has already occurred. America became the arsenal for democracy and got the private sector to convert into that arsenal for democracy only after Pearl Harbor. America created the greatest space program in the world, the program that took the man to the moon, the program that has spawned an entire new industry, but only after Sputnik was launched. This time, through the President's direction, and through the work of the Commission he appointed, we may, for once, be ahead of the power curve. But how far, how far ahead of the power curve? Some of us think that we may be well ahead of the threat, and others of us think that that power curve is like that great pipeline that the surfer surfs off of Hawaii. And we may be the surfers, looking up and seeing that huge wave above us, about to crash on top of us. I don't know which scenario is correct. I do know this: with the President's Directive this month, we are beginning. And we hope it's in time. Thank you very much and I will be glad to take your questions. 

Participant: We've had keys for 50 years… we had an absolutely positive offense with which we could beat any adversary in sight. What you are proposing is a Maginot line, a defensive mechanism, with no retaliatory ability against an aggressor. Without that, it's useless. It's like building a Maginot line expecting the Fuhrer not to come through Belgium. How do you feel about offensive capability …? I'll be happy as a member of private industry to help you with that. 

Mr. Clarke: Maybe you can tell me when I said we shouldn't have offensive capability. I don't find that in my text. In fact, I don't find any mention of offensive capability at all in my text. 

Participant: Understood, sir. But on the other hand, it's like the line in Dr. Strangelove: "How good is a Doomsday Machine when you're going to make the announcement on Thursday?" Unless an adversary understands that there's certain and quick and total retaliation for these attacks upon the United States, whether they go against the government or private industry, where is the fear engendered in his heart to think twice about any action against us? 

Mr. Clarke: Well, I don't think any potential adversary needs to doubt that the United States will retaliate. Our record of having retaliated is pretty good. And I talked about the World Trade Center attack. There were seven individuals behind that attack. Over the course of the three years following that attack, they scattered all over the world. They hid in half a dozen different countries, and they hid pretty deep. And they're all down in the federal lock-up. Or you can look at someone like Emil Conzey, who stood outside the CIA headquarters with an AK-47 and sprayed federal workers on their way to work, and then ran, and then hid, and hid pretty deep, and is down in the Fairfax County, Virginia lock-up. Or you can talk to the people in the Iraqi Intelligence Agency who planned the assassination attempt on President Bush in Kuwait in 1993, who went to work one day to find their four beautiful brand new high-rise towers all in rubble. We have a pretty good record at retaliating. No one should doubt that we will retaliate. No one should doubt that no matter how far they run or no matter where they hide we will get them, whether they're a terrorist group, whether they're somebody like Pablo Escobar, who ran a major drug cartel and ended life with nine bullets in his head in Cali, Colombia. Or whether they're a country like Iraq, or Libya, both of whom should be enjoying great prosperity because they are great oil-producing countries, and both of whom are enjoying, in fact, enormous economic dislocation because the United States has retaliated. We will always retaliate against those who attack us, but in the words of the famous Israeli general, we will do so at a time and a place of our own choosing. And if I can modify his remark, I will say a time and place and method of our own choosing. If someone attacks us using cyber warfare, we are not limited to responding to that attack by cyber warfare in return. 
If someone engages in cyber warfare against us, they might find a fleet of bombers over their head, or a special forces team coming through the door, or as, in the case of many of these terrorists that I've mentioned around the world, an FBI arrest team coming through the door. We are obviously engaged in the development of offensive capability in the information warfare area. But beyond that, I'm not going to talk about it. Yes sir. 

Participant: Sir, I'd like to follow up on your point about means and methods, and I'm fully agreeing with what you said. One of the issues that we have been exploring here today and yesterday is the issue of whether or not information warfare, cyber attack, is a use of force. The international legal structures in the world today about retaliation and use of force are based upon a use of force – the UN forces, etc. etc. There is no continuity whatsoever – you're well aware of us – that a cyber attack against the structure such as Eligible Receiver, etc. etc. would be considered to be a use of force. What efforts are we trying to engage in to bring this issue on a global basis more towards the lines of what you and I, I think would both agree on, is reality – that things such as ER are indeed perhaps a use of force. 

Mr. Clarke: Well, to the extent that we're concerned about international law and the use of force – international law requires that the use of force be (a) in self-defense, and (b) proportionate. It seems to me that if the cyber attack is vandalism; the cyber attack is a "king of the hill" game played by teenagers around the world, that that's not a use of force. If the cyber attack is aimed at destroying our banking system, our electrical power grids, our military capabilities, if it has the same effect as though it were an attack from a bomber, from a cruise missile, then I think it has to be considered a use of force. And I think the whole range of response capabilities that we have at our disposal would appropriately be used to get someone who did it. We're not engaged, however, as you suggest we maybe should be, in international discussions about that. We are engaged in international discussions about cyber crime, and, in fact, the President has made this a major agenda item of the Group of Seven economic powers who will be meeting in two weeks in Birmingham, England. The major agenda of the United States in Birmingham is international organized crime, and, as a subset of that, cyber crime. At that level we are engaged in discussions. What we're not doing, and I think it's appropriate, is engaged in discussions with other countries in international fora about the concept of cyber warfare. Just as I am reluctant to discuss what we're doing in offensive cyber warfare, so I think I'm reluctant to have the United States engage in international discussions with potential opponents about what is cyber warfare. And potential opponents are not only those who would attack us to destroy our systems – our traditional enemies. Potential opponents are also, frankly, some of our traditional friends, who would use a form of cyber warfare to engage in industrial espionage. So I think we have to look very carefully at the nature of international discussions on this issue. 
Eventually, in some way, in some form, in some limited sense, it'll be appropriate. But one of the things we need to do is begin – and frankly, the Commission didn't address the international dimension – one of the things we need to do is to begin to think about how we want to engage other countries in a discussion of cyber warfare. I don't think we want to rush into it. Yes sir. 

Participant: … [inaudible] 

Mr. Clarke: Well, I'm sorry I didn't hear Michelle yesterday, but I have heard Michelle, and she and I have had long discussions on these issues. The draft Presidential Directive calls specifically for the Executive Branch to enter into a dialog with the Congress on these issues, and specifically on the development of the national plan. I am unaware of any major disagreement between the Congress and the Executive Branch on this set of issues. Now, as we get down into the details of developing the national plan, there may be differences. Differences may emerge about what are the appropriate levels of research and development. Differences may certainly emerge if the private sector doesn't cooperate and people start thinking about regulation. Then I think there's the whole potential for disagreement between the branches of Congress and the Executive Branch. But right now, frankly, I see a partnership with Congress as much as I see a partnership with the private sector as being essential for us to deal with these issues. The Commission called for vastly increased amounts of research and development. We're studying exactly what that level ought to be and where those budgets ought to be located, because right now most of the research and development that's going on is going on in NSA, and in the Defense Department. There is research elsewhere, but it's not well coordinated. We're going to need a lot of Congressional support if we are going to get appropriations for vastly increased research and development. So we look for a partnership with the Hill, and as soon as the President signs the Directive I will be going to the Hill with the Directive, and going from office to office and briefing every Senator and Congressman I can find up there. And I am already guaranteed by Michelle that Senator Kyl will hold a hearing about a day after the President signs the Directive. 
So you may all, I hope, have a chance to see that directive on our websites, both the National Security Council website and the President's Commission website, before the end of the month, and when you do see it we look forward to hearing from you about what your reaction is. Just because one form of information warfare is denial of service, just don't all e-mail us at once. 

Mr. Sharp: Thank you very much, Richard, for your remarks. On behalf of the Centers, we have a small token of appreciation for your taking the time and effort today to address us. Once again, ladies and gentlemen, let's give a warm thank you. We now have time for a ten-minute break, and we're supposed to reconvene at 2:15, immediately adjoining, for the next panel.
 
 
 
 

Response and Reconstruction

Tuesday, April 21st, 2:15 P.M.

Moderator: Thomas Wingfield

Panelists:
John Powers
Doug Hoell
Kirk Bailey
 
 

Mr. Wingfield: My name is Tom Wingfield. I am the Deputy Director of the Aegis Center for Legal Analysis, and I'll be hosting today's last panel. 

Life is good in America because things work. As General Marsh said yesterday at lunch, when we flip the switch, the light comes on; when we turn on the tap, clean water flows; when we pick up the phone, the call actually goes through. We're able to assume that things are going to work because of our infrastructures – what Lincoln referred to as the strong sinews that bind up the nation. These infrastructures are highly efficient, highly developed, and highly effective. The reliable infrastructures are basically the foundation for creating the wealth of our nation, and also the quality of life that we enjoy today. They're fundamental to developing and projecting military power that makes our diplomacy credible. They make it possible for us to enjoy the inalienable rights, and take advantage of the freedoms we inherited from the Founding Fathers. If any of this sounds familiar, I hope it does. It's taken directly from the Marsh Report. That report has given us a framework to talk about a very unwieldy subject. Now that we have this framework, we can actually discuss the issues of critical infrastructure protection intelligently. We've covered quite a few of these issues in the last two days, but now it's time to turn to what I consider to be the most important – at least the most immediate – of the issues, and that is response and reconstruction. Or, to use the taxonomy of the field, response, restoration, and reconstitution. 

If the worst does happen, and America does become subject to infrastructure attack in the real world, we're going to need thoughtful and highly trained experts that will be able to step in at a moment's notice and just make everything better. Luckily for us, we have such experts, and luckily for us, we have three of them here today on the panel. Dr. John Powers, immediately to my left, served as the FEMA Commissioner to the Marsh Commission and also was the Commission's Executive Director. In FEMA he held a series of responsible positions, including managing federal response to the great Midwest flood that put large portions of Minnesota, Wisconsin, and Illinois under water. Before his time at FEMA, Dr. Powers served at the Department of Energy, and before that he was a consultant for a wide array of federal acronyms. Perhaps most impressively, at the age of 19, he began Naval flight training. On successfully completing that program, he was commissioned as an officer in the United States Marine Corps. As a Reservist, he went on to command a Reserve A-4 Squadron, and he also developed the Marine Corps Mobilization Management Plan, and the DOD-wide Master Mobilization Plan. Today, he's inaugurating an intriguing new private enterprise. Using a multi-disciplinary approach, he hopes to identify and neutralize disgruntled employees before they actually go postal. Dr. Powers holds a Bachelor of Science degree from Columbia, a Master of Divinity degree from Princeton, and a Ph.D. in physics from the University of Pennsylvania. 

To Dr. Powers' left is Doug Hoell. He is the Deputy Director of North Carolina's Division of Emergency Management. After graduating from N.C. State, Mr. Hoell held a series of emergency management positions, beginning as the administrative officer for the Raleigh – Wake County Emergency Preparedness Agency. He went on to the North Carolina Division of Emergency Management as an educational specialist. He became a contract trainer for FEMA, and then became a radiological emergency preparedness program specialist for the same organization. Coming back to North Carolina, he became the manager of a field office, and then finally became Chief of the Operations section. 

And then last on our panel, at the far end of the table, is Kirk Bailey. He comes to us from Seattle, where he is the Information Security Administrator for Regency Blue Shield, the largest health insurance provider for Washington State – actually covering the four-state area. Mr. Bailey has worked as an information technology professional for going on 25 years now. He has been in the banking and insurance industries. Over the years his expertise in mainframe systems, distributed computing and network environments served him well as he's handled problems in system controls, system administration and special system protection. Now, this background alone would qualify him to sit on this panel, but there's another hidden dimension to Kirk Bailey – and that is, in 1995, he founded what's called the Agora. For those of you whose high school Greek is a little bit rusty, the Agora is the Greek term for marketplace or meeting place. And Kirk's Agora is a regional association of information systems security personnel, professionals, technicians, experts, and officials – from government agencies, private sector, government and law enforcement. It's an absolute model of the kind of bottom up initiative and effort that may solve quite a few of the problems of critical infrastructure protection that are not immediately amenable to a top down federal solution. 

Well, having said all that, I'd like to turn the podium over to Dr. John Powers for a God's eye view of response, restoration, and reconstitution. John? 

Mr. Powers: I'm not sure I'll quite live up to that opening, but I'm glad you mentioned the Midwest floods. I want to contrast what happened in '93 with the threat that we have to deal with here. When I sat in my office in Chicago, and talked to my response directors (I call them in western Minnesota every day), they would say, "It's raining... it's still raining. It's raining some more. Nine inches, seven inches..." We pretty much knew in advance that we were going to have serious problems. We always underestimated by about two feet just about how high the water was going to get – but we knew it was going to get high. So we had the time to put in place the measures that we needed to have in order to respond. 

I want to thank you and the sponsors of this conference for the opportunity to address the issues, to address the subject that has occupied much of my professional life over the last fifteen years. From my perspective, there is no single more important topic than response, restoration, and reconstitution. In the United States, our information systems are wide-open to attack and there's not a lot we can do to combat a determined adversary. The answer to this is that we must always be ready to respond, restore, and reconstitute. 

The reason that we're open is obvious – our constitutional protections of a free and open society. But there is a cost to these protections – we are much more vulnerable to a successful attack. Woolsey and Kupperman, in their 1984 report, "America's Invulnerabilities," highlighted the relative ease by which a determined adversary could visit terrible harm on our nation by taking out one or more key nodes of our backbone infrastructures. In many respects the nation has been fortunate that bombs and guns have remained the vehicle of choice among the unhappy people who wish to vent their unhappiness. 

The only major attempt on any country's infrastructures, at least that I'm aware of, was the failed attempt by the IRA to destroy some 30 plus targets around London. Had they succeeded, the effects would have been devastating. It failed because it was too ambitious, had too many people involved, and the plot was compromised. However, with only slightly more modest goals, any one of us could cause devastating damage to this nation, and do so with minimal risk to ourselves. 

Somebody here mentioned a deterrence policy. We have one but we have a problem with plausible denial. In a cyber attack, that is a serious issue. We could get the tools we need to attack this country – it would take a lot of work – but it could be done. Given the openness of our society, given that law enforcement is correctly constrained from implementing some of the more heroic measures that might protect us better, the nation is vulnerable. And it is critical that we pay attention to response, restoration, and reconstitution. 

Response, as I will use it here, refers to what we do to ease the effects of the attack on people. Doug will speak a lot more about this in a moment, but this includes food, shelter, rescue, etc. These are the things that FEMA coordinates in the initial phase of a disaster in supporting the states – what we did in the Midwest after the '92 floods. If, for example, the electric power grid in the Northeast was shut down in the middle of the blizzard in February, there would be a huge number of people in danger of severe exposure. How we would solve this problem is one element of response. The national plan that addresses this is the Federal Response Plan, and it is coupled in most states with state response plans. But for the most part, however, response is not something applicable to information systems per se. 

Restoration, which is a term I'm coining for this aspect of reconstitution, is a more relevant and certainly a more challenging topic. By restoration we mean the sorts of things that we can do quickly using available resources to close as much as possible the gap between remaining supply and demand. Let me repeat: close the gap between supply and demand. 

After the Woolsey and Kupperman report was published with much fanfare in '84, we held a conference with the National Security Council, DOE, FBI, and the North American Electric Reliability Council (NERC). The NERC coordinates the high-power grid across most of Canada, the United States, and some of Mexico. Mike Gant, the president, upon listening to our tales of horror and impending doom, asserted that things were not as bleak as we imagined. Even if an adversary, he said, was able to cut 80 percent of the power to a city by destroying stepdown transformers, which reduce the voltage to the grid, he felt there were a lot of things that could be done to increase supply and reduce demand. 

First of all, all of the local generation capacity should be immediately brought to 100 percent power. There are, however, two problems of doing this. Most of the local power is gas-fired, and the pipeline control systems and pumps might have been destroyed by the loss of electric power. You heard, I believe, earlier about the problems of computer dependencies. This is a good example. Second, the major providers – the major distributors, for example in Atlanta, Georgia Power, do not or may not own all of the independent, local generating capacity. While neither of these problems is insurmountable, both will need prior planning. 

Now if you ask me what is the major theme of what I'm trying to say, it is this: the need for prior planning. The next thing to do is to shed all non-critical load, i.e., reduce demand. Unless, however, the local utility has contracts with clearly understood service priorities, this will be fraught with big legal problems – who gets cut off, on what basis, and on what authority? In addition to shedding load, and running the local peaking units at 100 percent power, there are other possible things to do to balance supply and demand. One is to bypass the stepdown transformers by transmitting at a lower voltage. It can be done, it's not trivial, takes a lot of timing, and it is at the cost of a tremendous reduction in electrical efficiency. But it does give you more power. Another is to cannibalize other systems for their damaged parts. All of these things, however, take some form of preparedness. 

Ten years ago, we had a national database that kept current inventory of critical components. This was stimulated by the formation conference that we held at our special facility. One day, while visiting Ed Badalato, he got a call from a utility in northern Vermont that a critical component in their transmission system was knocked out and much of the northern part of the state had been blacked out, and it couldn't be restored until they got this component. He went to a database, located a spare in Arizona, cut a deal, and within 12 hours that part was in Vermont and the utility system was back up. This only could have happened had that database been operating. And it was kept current, at least at the time. I have no idea what the currency is today, I think the information has not been kept up. 

The third of our three topics – reconstitution – is what we do to return things to the status quo ante. In general, this is much less time-sensitive than restoration, and this is why I break the term recovery or reconstruction into restoration and reconstitution. For the most part, reconstitution planning takes place after an event. There are two major exceptions to this principle: a) when there are long lead-time components potentially at risk, and b) when we're concerned about information systems. Information systems are unlike any other engineered systems. Both the information on the systems and the system protocols themselves change frequently. If you are managing stock accounts, for example, having an almost-okay information system may not be good enough – you may have to restore the status quo ante before resuming normal operations. In such cases, the most important preparedness action is to make system back-ups that are frequent enough to enable the operators to reconstruct the system with minimal delays. This can be done. The Social Security Administration asserts that it can do that. Most of our financial systems, our banks, assert that they can do that. Another important preparedness action is having alternate operating sites that will not be damaged if the primary operating sites are unusable to critical needs. 

The key ingredient to our ability to respond, restore, and reconstitute is time. We know that we can fix things eventually, so the question is always how quick is quick enough? This is a problem that has hounded me for years, and I've never really solved it. An illustration from another setting arose in 1978. I was asked to brief Bernie Traynor on the adequacy of the draft mobilization plan for the Marine Corps. A group had been set up in the headquarters of the Marine Corps to craft the plan. Unfortunately, it was dominated by the "if something happens we will figure out what to do then" type thinking. This has always been the bane of the contingency planner, and the reason I'm going into my new business. 

In any case, I indicated to General Traynor that if the Marine Corps's objective – this was in the middle of the Cold War – the Marine Corps's objective was to have these forces on-line and operationally ready in 30 to 45 days, then the plan as written was fine. If, however, it needed to have its forces in place and ready in five to eight days, which I think was what was called for by the DOD plans, then the plan as written was totally unacceptable. General Traynor, after asking me to validate my assumptions, directed that the plan be fixed. The fixes were neither easy nor cheap. Planning is expensive. Good planning can be very expensive. 

The moral of this story is two-fold: the first is that the key issue in planning is how quickly do we need to be able to respond, restore, and reconstitute. FEMA, my parent agency, ignored this in the late 1980s, and its unacceptable performance in Hugo, Loma Prieta, and Andrew almost resulted in the Agency being disestablished. The second is that the contingency planner needs a powerful ally in top management to get it right, and this is what I had in Traynor. One of my disappointments during this period was my inability to get my parent agency to assume responsibility for the leadership in this area. Contingency planning is a hard sell. 

Response, restoration, and reconstitution requires forethought, and that will create both technical and legal issues. Real readiness can involve huge resources, and the folks responsible for corporate profitability will ask what is the risk – what is the cost of preparedness? The road to readiness involves four key steps: assess the vulnerabilities, examine all the possible contingencies that could exploit these vulnerabilities, assess the possible consequences of a disruption, and determine the capabilities needed to respond and restore. This involves an analytic component and a management component. The analytic component is mainly related to doing the analysis correctly. Please, folks, do the analysis correctly! There's too much shoddy analysis already in this field. The management component is how much readiness should we buy. 

Let me briefly deal with the analytic component. There is a tremendous variance in how one might approach a business risk assessment. At the far, "do it right" end of the spectrum, there was a nuclear power plant study in the 1970s, the so-named Rasmussen study. The stakes were huge – the future of the nuclear power industry hung in the balance. The resources devoted to this study were extensive – mathematics were not only thorough, but elegant. The analysis was spectacular – a mathematician's delight. 

At the low end of the risk assessment was a qualitative assessment done by one of our major oil producers. There was a total lack of sophistication, and in comparison to the Rasmussen study, it was the equivalent of the doodling of a junior high school student. I probably should use another metaphor because junior high school students are pretty sharp nowadays, particularly on computers. 

While that work offended my analytic sensitivities, was it negligent? I have absolutely no idea how a court would view it. If there was a disruption, and the _____ litigated, the company would argue that their method adequately simulated all of the key factors, and that they had fulfilled their responsibilities to their users. Notwithstanding the view representing the company, you would not want me on the jury. 

This is the same question we addressed before: how much is enough? Every time we think about vulnerabilities, threats, consequences, and abilities, the same question arises. Most businesses respond well to the threats that they know. For example, electric utilities in Eastern Carolina respond to outages from hurricanes quite well. They see lots of hurricanes. It's not clear, however, how well they would respond to an information attack that reprogrammed their protective systems and destroyed their control systems. 

One of the interesting questions for you is the responsibility of companies to prepare for unexpected events. Given the propensity of organizations to do little to prepare for low-probability contingencies, what we recommend depends on your company's response, restoration, and reconstitution planning. An option is to think about shifting the burden of managing the consequences of destruction to the end-users. ... If a gas pipeline is disrupted by a domestic terrorist group, who is responsible for the secondary and tertiary losses resulting from the disruption? Did the company take all prudent and reasonable actions to protect its pipeline? We sponsored a conference last year involving executives and their lawyers from major insurance companies and major utilities and we never even got close to an answer to that question. Perhaps we should print a version of Murphy's Law in our contracts. It might read, "If your business is dependent upon the continuity of a particular service, you should assume that someday that service will fail, and you had better have a back-up plan." All end-users should be aware that all support systems are interruptible, especially information systems. Shouldn't they verify and take all prudent preparedness actions themselves? Last week, on the way to an information security conference in Minneapolis, I read an article in a publication called Security Management about a company on the Red River in North Dakota whose business is managing the distribution of goods through its information systems. So if its information systems aren't working you can't do business – it's as simple as that. The article began, "As the river rose, the company made back-up tapes." Now, that's just unbelievable, absolutely unbelievable! How can you wait until the river rises? This is the attitude that you're going to run into with your companies, and this is why I'm making a big deal of contingency planning. 

Companies dependent upon their information systems learn that those systems are fragile. There's a whole new cottage industry springing up that is providing back-up data files that are physically separated from the operating sites of the companies and are being supported. In addition, alternating operating sites with adequate information systems can also be provided, as companies learn more that their information systems are vulnerable to disruptions, as such services become increasingly possible and profitable. 

We could spend the next couple of hours discussing options that would improve response, restoration, and reconstitution capabilities, and in the question and answer period I'll be pleased to offer some of them. All of these, however, involve contingency planning – and contingency planning for unusual events in corporate America is a hard sell. As a legal advisor to any company, especially a backbone infrastructure company, your job will be to assess what is possible, what is practical, and advise the company on a prudent course of action. I hope that you are successful in getting your companies better prepared than the one on the Red River I just described. 

Thank you. 

Mr. Hoell: Good afternoon. After listening to discussion throughout the morning and afternoon, I'm at the point of questioning myself, "Why am I here?" because you people are speaking ahead of where the state of North Carolina is today in terms of infrastructure and information infrastructure protection. However, if you would pause, consider what we do, and envision the Division of Emergency Management and State response capabilities, we're going to be the people who respond when the lights go out. We are going to be the people who implement the State's and local government resources for aiding the people who have been affected. We are going to be the people there on the ground first, and that is not saying that the federal government and other State government agencies will not be there to help. But we are going to be the first responders because they are going to call us. They are going to call the State folks to come out and help. 

My topic today is on the role of the State Emergency Response Team – that is, North Carolina's Emergency Response Team in response to destruction (and quite frankly) what we are faced with is consequences. We realize we have a lot of vulnerable things out there that could go down and we could have problems. If we handle it well all along, then we are beginning to identify the things, the vital facilities out there that could be affected. Consequently, you also identify the resources that we can bring to bear on those kinds of problems. For example, the electric power goes down, if we are aware of what vital facilities will be affected in terms of hospitals or other extended care facilities, we can bring generators to at least deal with the problem temporarily until other suitable arrangements can be made. 

We really came from the old Civil Defense Program – basically that is where our program started out. We were Civil Defense in the 1950s. We were dealing with a potential nuclear war threat, and we have evolved over the years to where, just like the Federal Emergency Management Agency (FEMA), the State Emergency Management Agency deals mainly with more direct natural disasters. So those are the kinds of things that more has been done to prepare for – to look at what is going to happen to our infrastructure if we are affected by a hurricane, tornado, flood, winter storm, or something of that nature. As John said earlier, we can deal with a power outage if we have a hurricane, but there would be similar problems and events if we had an attack on the information infrastructure that depleted the electric power. So again, we would be the ones that would be responding. 

To begin, I think it is appropriate to at least provide you with information on how we are structured. Our enabling legislation is General Statute 166A – there are packets out front and it is included in it, everything's in the packets out there. But bottom line is that our legislation does allow our government to have general direction and control over State Emergency Management Programs. The Governor can delegate this authority down to the Secretary of North Carolina's Department of Crime Control and Public Safety, Richard Moore. The Governor can also enter into and make mutual aid agreements, and North Carolina is a participating state in the Emergency Management Assistance Compact. This includes North Carolina with a group of 19 other states, that in the event of emergency and inadequate resources at the State level, we can call upon our neighbors (that are also members of the Emergency Management Assistance Compact) to bring their resources to help. So it just compounds our capability to respond to natural disasters and natural emergencies, but also any other type of event that might occur. It also allows our Governor to use all the State's resources that have been organized in a group called the State Emergency Response Team. They activate whenever there is an event in our State Emergency Operations Center, that is where we work and I will reference our organization as I go along. 

North Carolina's Department of Crime Control and Public Safety Secretary Moore has the authority to activate the State plan. That is to activate the State Emergency Operations Center, to bring forth members of the State Emergency Response Team so we can do our jobs when an event occurs. Basically, the State Emergency Response Team is a coordination of effort which ensures we have all the right players at the table, so when we actually begin to make decisions, everybody is in place to do their job. The plan is basically informative of what the Governor's power entails. The Governor can also declare a state of emergency and initiate evacuations and other various things of that nature. It also establishes the authority for local emergency management agencies within the State. For example, we have an Emergency Management Agency in every county of the State, as well as one with the Eastern Band of Cherokee Indians. Consequently, there are actually 101 Emergency Management Programs within the State in addition to the State's program. 

What has been formulated in North Carolina is incident command. We reorganized in August 1977, primarily because of response to Hurricane Fran and the lessons that we learned as a result. We realized that we were responding to emergencies without proper prior planning. We accomplished a reasonably good job but we felt like we had learned a lot of lessons after Fran. Therefore, we reorganized our entire program under Incident Command. The Hazard Mitigation Group falls under the Division of Emergency Management. This group is seeking opportunities to prevent hazards. In fact, North Carolina received about $94 million from Hurricane Fran and other disasters that is being applied to reconstruction or moving people out of harm's way. Buying people out of their homes, for example, so that those particular structures do not flood a second, third and fourth time. 

In summary, we are aspiring to do a better job to prevent hazards from happening. We are incorporating these responsibilities into reconstruction and trying to teach people how to build better and stronger homes. There is a program in North Carolina entitled "Blue Sky" located at the eastern part of the State that is essentially about building practices – how you can build better, stronger places to live. 

Second, we have a Public Information Group. This organization is our media group providing information to the media, as well as receiving feedback from outside sources. Therefore, we are delivering factual messages. We basically go in two pools, one is education whereby we educate people along the lines of family preparedness, which is how to better prepare for emergencies and disasters in North Carolina. Therefore when tragedy does occur, information is delivered to the public as to what action should be taken as a result of that crisis. I manage North Carolina Division of Emergency Management Operations Group which includes Emergency Services Group. Emergency Services is simply the red lights and sirens group. They are the Office of Emergency Medical Service representatives from State government, the Fire and Rescue representative within the North Carolina Department of Insurance, law enforcement agencies – the Highway Patrol, the North Carolina Department of Motor Vehicles, the Wildlife Management (and those type of law enforcement people out there), and our Regional Hazardous Material Response Team. They are represented at a table inside the Emergency Operations Center to ensure that they can be called upon immediately if there is a need for emergency services, law enforcement, and/or traffic control. If we need emergency response to trapped victims in a building, for example, we call upon the Office of Emergency Medical Services or the Department of Insurance, Fire and Rescue Division for their searching capabilities. Another table is Human Services and they are our problem solvers. Basically, they solve the problems of sheltering, mass feeding, medical and sanitation requirements, and areas along that line. Therefore, we have representation comprised of mental health people, Social Services, Council on Aging, Red Cross, Salvation Army, Public Health, Public Water Supply and the Food Banks. 

We also have Infrastructure and they are basically our clean-up and our rebuilding capability. Represented at the Infrastructure table is the North Carolina Department of Transportation and their mission is to clean debris when disasters occur. Roads must be accessible and in condition for moving the resources into areas that are impacted. We also have personnel from the Division of Energy with their mission being to readily assist in obtaining adequate public utilities. Personnel from the Division of Forestry are there for debris clean-up. We also have a field contingent of the State Emergency Response Team and the North Carolina Division of Emergency Management. Under our direction are several field officers throughout North Carolina's three branches (which are the Western, Central, and Eastern Branches). Each branch office is comprised of basically seven or eight people who are in touch with local governments on a regular routine daily basis. Their responsibility is to assist local government, administer a proper capability assessment and determine what kinds of things are going to be affected if and when we do have a major event, whether it be a hurricane or some damage to our infrastructure through some other way of doing things. 

We are involved in a program where (for each event), we are looking at the same thing that the military does with battlefield deployment, such as how are we going to deploy the State's resources out to meet the deficits of local government resources. This makes great sense to us. It is basically going out for each event, within two days advance notice of the incident and determining the resources needed to deal with the generated problems – what do you have and not have, and of those things you are lacking, we (at the State level) must determine where we are going to obtain it. We now have that information today; therefore, we are much better prepared to go out in the field and deliver the resources we must have if and when an event does occur. We arrange logistic operational support areas and our field staff manages that logistical support and operational support. They basically channel resources forward if an event occurs. 

In December, 1997 (this past year) this was not clear to us. It was not something we had practiced because this is all resulting as we evolve better into this disaster response business. In January, we had floods in the western part of our State, followed by winter storms in the same area, followed by tornadoes in March in the central part of our State. For those events, we deployed our Logistics/Operational Support areas, staffed them with National Guard resources, Department of Transportation resources, State Highway Patrol resources, Forestry resources – the particular things that were needed to get on the ground and do the job, and so we practiced. We have begun to move out of theory and into the real world with these programs, and we think they work. We think they will work very well for us, maybe for development. But we are beginning to make a difference, I believe. 

The State Emergency Operations Center also has a Planning and Information group and their mission is to gather information from our own people in the field (in a lot of cases) who are being deployed to impacted counties. For example, when we had the floods in Mitchell County, we placed people in that county. We also placed people in Avery County which was also affected. We had a staff person in those counties who could offer advice to local government officials about establishment of priorities. These are things we need to be focusing on, as well as doing – getting information back to the State EOC in terms of situation reports, so that we can get a full picture of what is going on over the entire disaster event. Then, at the State level, our Information and Planning people begin to develop an incident action report as well. Therefore, we have our priorities established, we know what kinds of resources we have available to us, and what priorities we are going to commit them to ensuring we do not get into the conflicts of, "Well, send all your resources over here right now," because we have established priorities and established a plan. We can defend that plan against the political requests that would move the resources somewhere else. If there is no plan, if it is not known what the priorities are, then an example of what happens is a county government official calls their Representative or Senator, who in turn calls the Governor's office, who in turn calls my boss and says, "We've gotta get all the resources over here." Well, we can not do that, because if we do, we are robbing the place where the resources should be. But in order to defend ourselves, we must have a bona fide plan. We must know what we are going to do before the time comes so that resources are not moved without any real plan for their use. 

We also have a Logistics group basically comprised of the National Guard and Contract Services. We have gone beyond the state of North Carolina and developed contracts with business groups who can deliver resources to us that we do not have readily available, for example, shower units to support our people in the field. If we are going to set up a tent city or something (just to make it a little bit more comfortable for folks in the field), we want to bring in some resources that we do not own. Therefore, we have gone to contractors outside of the State to bring in additional resources like that. 

We also have a Finance group, and our Finance group generally follows us in the field. They track the money spent and the things we are doing, so that if we do seek federal disaster assistance, federal aid for our disaster, there is a record of expenditures and what we have committed ensuring us that we can go back to the Federal Emergency Management Agency for recovering expenses due to our losses. 

That leads me into our Disaster Reconstruction process. If there is an event in the state of North Carolina (whether it be natural disaster or something that would affect our infrastructure), our government (by law) is able to declare that a state of emergency or state of disaster exists in the State. Basically, it is a prerequisite to requesting federal assistance. Secondly, we would compile a damage assessment. We need to determine how significant the event is for the state of North Carolina – are all resources committed and just how serious is the problem. The information gathered through a quality damage assessment supports the Governor's request for federal aid. The Federal Emergency Management Agency (FEMA) would evaluate (along with us) a preliminary damage assessment. Actually, this would follow the damage assessment that has been previously completed, but we would be able to identify the significant problems at hand. When they come as partners we can assess again and say, "These are the significant problems, these are the things that we can not deal with as a State, these are the things for which we need federal support." FEMA will make a recommendation to the President based upon our request, as well as having observed our disaster data and determining whether federal disaster assistance is justified. 

If we obtain a disaster declaration, it will release three programs. The first program is an Individual Assistance Program that deals with people problems. The first item on their delivery list would be disaster assistance for housing. This would ensure that people can be put back in their own homes if possible. However, if that is not possible, there is renter's assistance to obtain safe and sanitary housing somewhere close to the disaster (if possible). 

The second program is the Small Business Administration Loan. If people can borrow money, that is what they need to do. However, when money is borrowed, it must be paid back. Fortunately, a lot of times, the Small Business Administration Loans are at a reduced interest rate. If victims can not borrow money, if they are on a fixed income or have more significant problems and they need to be helped, there is an Individual Family Grant Program whereby the federal government can grant money to people who have suffered as a result of the disaster. They can be helped in the Individual Family Grant Program, but it has a limit of up to $13,400 and that is the cap on the program. 

There are other programs (other local programs) such as unemployment, food stamps, mental health counseling and legal advice and other things that can be offered along that line. Also there are inter-faith groups, volunteer groups to help people who fall through the cracks, more or less, if they can not be helped by the federal programs. 

The second program under disaster declaration is the Infrastructure or Public Assistance Program. Public Assistance deals with public properties, public utilities, the road systems, etc. It is a 75/25 grant – the federal government pays 75 percent of repairing those parts of the damaged infrastructure – the State has historically paid the remaining 25 percent. That is not to say that the State is required to do that, but that is the precedent that we have set. 

The third program is the Hazard Mitigation Program. A percentage of all the disaster money (the public assistance money, the individual assistance money) is basically taken and used as hazard mitigation money. That is the money that is used to try to prevent these things from happening again or try to build things a little bit stronger as they are reconstructed. 

So how does the North Carolina and the State Emergency Response Team become involved with national information infrastructure protection in the 21st century? Planning – I think that is the key word. We have to do a hazard assessment and hazard vulnerability. We must determine what the potential scenario is – what the likely targets are and what is going to happen; and quite frankly, we have got a lot of work to do in the state of North Carolina. What are the potential results? Who is going to be affected? What are the people problems that are going to result from these attacks? How do the results affect people in publicly-owned infrastructure; and then if possible, we need to develop an event-based forced deployment list so that when these events do occur, we know what resources are needed. 

Capability assessment – we must look at what resources actually exist, what a county does have and what kind of bearing does it have on these kinds of events we are talking about in this conference. What additional resources would be needed and where would they come from? How soon would they be available? Who owns the resources and what agreements must be made – mutual aid agreements? Can we draw upon our partners in the Emergency Management Assistance Compact and do they have things that they can bring to bear? If not, then do we go to the federal government, or where do we go? These are things that I think we need to research. 

We have programmed this planning into our operational capabilities, and to be honest with you, we are just beginning that process. We have begun to discuss terrorism as an issue for planning in the state of North Carolina. We have invited groups such as the SBI, the Highway Patrol, the National Guard, the Office of Emergency Medical Service, Fire and Rescue people, hospitals – all of our State Emergency Response Team, but what we are looking at are those violent acts that we talked about earlier this morning. Those things are bound to come along and how do we respond with resources to that? We have not begun to scratch the surface of the information infrastructure and the problems that can occur there. 

How do we treat it? How do we deal with response (and I say that response and recovery would be like any event that affects people and public infrastructure)? We would activate our State Emergency Operations Center. We would gather people in State government that make decisions to deploy resources. We would (in fact) set up our Logistics Operational Support area in the field. We would (in fact) deploy people to the most severely impacted communities or places in the State, and they could provide good reconnaissance using that information to develop all situation reports so we could develop an action plan, supposedly working with the State's resources; and from outside the State, where additional resources are. So it is just the same business for the hazard responses such as floods, tornadoes and the hurricanes that we respond to – it's just a different disaster event and one that requires some quality planning. 

So, no doubt, we have much to do in preparation for these types of terrorist or sabotage events. But as the probability for these events increases, we must also enhance our capabilities to respond to the consequences. 

Mr. Bailey: Good afternoon. For those of you that have suffered too much information overload today, I want you to know, I'm going to be merciful…. 

First of all, I'd like to take this opportunity to thank our hosts, who provided me with this opportunity to be here today. It's a delight to be here. I come all the way from Seattle, and not only have I been pleased with the enrichment and the good information I've been able to digest here, but I'm also thrilled with this new neck of the woods I've discovered. In Seattle we're quite proud of where we live, and coming from Seattle and coming out here and finding this area is a delight. 

As a weather-worn, corporate information security professional … stuck in the trenches … dealing with realities of all kinds that we've been talking about today, I have developed very strong opinions. So before I start my comments, and for the comfort of my employer's General Counsel, I'm obligated to offer this standard disclaimer. So I beg your indulgence here (and I also want you to take note … I've been doing a lot of public speaking lately and I'm getting pretty good at this):

"The views and opinions that I express here today do not necessarily represent, in whole or in part, the views or opinions of my employer, Regence BlueShield or any of its affiliates, or wholly owned subsidiaries licensed to conduct business in the State of Washington … or that of The Regence Group, headquartered in Portland, Oregon … or any of its affiliated plans … licensed to conduct business in Oregon, Washington, Idaho, or Utah."

With that being said, I would also like to take the time now to share my perspectives with you, and again I will be merciful by being brief in my comments. 

For the last several years, those of us in private industry who have had the formidable task and responsibilities of protecting our employers' technology and infrastructures, have not enjoyed the luxury to any great extent of being able to speculate, hypothesize, debate, theorize, or otherwise indulge in that kind of discussion about these issues that affect us. We are directly accountable to our CIOs, CEOs, the Board of Directors, and the stockholders, and more importantly, the customers, for performing successfully our responsibilities. In the case of my customers, I have the added incentive to do a good job because over 1.2 million Washington State citizens have their medical records on our systems … I care very much about privacy. 

We are in effect in the hot seat. I've hesitated to use those words – there's a private story about "hot seat" that I have to bring up. Just so you know, I always like to share light and amusing stories during my speeches. I had the rare privilege a few months ago of attending a conference similar to this one that was held at Lawrence Livermore National Laboratory. And I had the even rarer privilege of being able to sit in a special break-out session with very distinguished individuals, people I never expected to be able to meet, including Janet Reno, the Attorney General of the United States of America. One of the things she did to engage that particular audience was she invited some of us in the room to speculate on what we would do if we were in fact Attorney General of the United States. We all had ideas. Anyway, I stepped up to the microphone and I began my comments with the statement, "you should know, the Attorney General should know that both she and I, in our jobs, sit in the 'hot seat.'" Just as I finished saying this Ms. Reno held up her hand to stop me. For one freezing moment I thought I was going to be vaporized into a black hole of shame for having offended the Attorney General of the United States, but she leaned into the microphone with a twinkle in her eye and she said "You don't have a special prosecutor!" That was really neat. That made my statement even more memorable. She is a remarkable person. 

We're in the hot seat. We must respond with immediate answers and solutions. I can assure you that security professionals in the field are overwhelmed by an avalanche of difficult problems being dumped on us by the new technology initiatives. We consider ourselves continually scrambling pragmatists. So today, I'm offering some pragmatic comments and views. Beyond all the traditional emergency responses, disaster recovery and business resumption practices that are conjured up in the minds of folks who discuss the issues of reconstruction and response, I believe there are other, new, urgent and more problematic strategic requirements that need to be addressed when it comes to the cyber threats facing our technological infrastructure. Let me take a moment to conjure up in your minds some Stephen King-type images to illustrate the point I'm going to make. 

Just for a moment, imagine a hurricane as a life form with a brain. An intelligent, analytical mind of its own, and an existence with two functional purposes: to sustain itself, and to seek out and destroy. Imagine that willful storm. Now consider fire. The same ominous intelligence and functional purposes. Imagine the sorry firefighters arriving on the scene with the additional horrific challenges that would exist if this was so. Think of the wicked flame deliberately and insidiously seeking to protect and hide itself in an ember state, waiting to blaze back into existence to harm its victims. Imagine an earthquake, a horrible rumbling monster, that will intelligently look for every crack, nook, fissure and fault that it could exploit to help sustain itself, to optimize its destructive power. Finally, imagine the same kind of thing with a flood. 

Now, as difficult and as challenging as it is to deal with real-life disasters, as our experts are here to discuss, think about how difficult, different, and inadequate our current standard response and emergency management practices would be if disasters were shaped by these kinds of horrific machinations of earth, wind and fire? Unfortunately, the frightening reality for folks like me is that is the very real nature of the potential electronic storms and the disasters that could be rendered to them in today's information age and in my information technology systems. And yes, it is a whole new ball game that we're playing in the field to try to deal with this – with all new rules. All the traditional information systematic practices, including business resumption and disaster recovery practices, are now inadequate for most or all of the necessary missions or tasks we need to accomplish our mission in the information technology area. Consider, for example, what are we allowed to try to recover in a disaster that won't stop? Traditional disaster recovery practices, which I've had some experience with in the corporate sector, assume an end to the cause – a point where there's cessation, where you can assess your damage and begin reconstruction. Now think about a dedicated, highly skilled mercenary attack team, deliberately training its expertise and its talents against your technology infrastructure. And they will not quit. They will not stop. They're a disaster. If you restore your systems, or even build an entirely new network, they've still got you. They've still got you because you're still obligated to conduct business with your already-existing business partners who they know about, so you have to establish the same network links, which are extremely vulnerable. And what's the potential solution? 
A suggestion that you have to go out to your customers and your business partners and ask them to help reconstruct a new network and new systems, and they extend their resources and money to do that, to support your particular link? I don't think so; I think instead they would consider you a distracting, irritating, untrusted network that they choose to disconnect from. 

The maxim, "necessity is the mother of invention," characterizes how practices and tools are evolving in the realm of the relatively few individuals who are directly involved in the actual work of managing and protecting systems, networks and data. That's how it's characterized. The good news is that there are some useful strategies now emerging that prove the value of these people's work. And I think we're being improved by it. 

Some of these new strategies are being demonstrated in something called the Agora, which was mentioned earlier, that has bloomed in the Northwest region of the United States, and I'd like to talk just a little bit about this effort. About three and a half years ago, I came to the uncomfortable conclusion as the man responsible for protecting my corporation's network systems and data – and it's an extensive network – I came to the realization as I was trying to manage my responsibilities by myself, that I could not be successful at my job. Based on everything that I knew about information security and systems administration … it was impossible for me to be successful in fulfilling my assigned responsibilities. It was a startling moment … a bit of a gut wrencher. So I did what I thought was reasonable to do. Aside from informing my management about my assessment, I started calling my corporate colleagues … other security folks in the field and asked them how they felt about their jobs, about their issues. The more people I called, the more individuals I got to be candid with me, the more it became apparent that many of us in corporate America in the Northwest part of the United States were feeling the exact same condition. 

So in late October of 1995, I convinced my senior management they needed to sponsor a risky proposal – the formation of the Agora. The name Agora comes from the Greek word for marketplace, which is the name of the market which existed in the ancient Greek city-state of Athens, which was the first democracy in the world. We found it an appropriate name because the activities which took place in the Agora in ancient times were the exchange of valuable information between merchants and people to enrich their business perspectives and personal lives as well. So we assumed that name. 

I asked my senior management to give me permission to disclose company secrets, to share potentially embarrassing information with our corporate neighbors, law enforcement and even competitors. I asked them, in short, if they would be willing to trust me to openly share our corporation's dirty laundry – the realities and truths of what we were living with. I also asked them to pay the initial costs of supporting the start-up of this organization. I also asked them to support a lot of coffee and donuts because I intended to involve a lot of law enforcement officers, and we intended to meet very early in the morning. 

Much to my surprise and delight – I consider this probably my biggest professional success – my management agreed with my proposal. They trusted me and gave me the O.K. to go ahead with the project. In November of 1995, one month after I approached my senior management, the first meeting of the Agora took place. It happened in our building in Seattle. I invited 50 key people I thought needed to be there and it snowed that night and I only had half of them show up. Seattle doesn't deal well with snow, but those people who did show up were valuable contributors, and it worked. An ember was ignited, and it started to grow. Today the mailing list of the Agora includes over 300 individuals and those 300 individuals represent over 100 of the business enterprises in the Northwest region of the United States. It also has in attendance participants from over 50 law enforcement agencies, government agencies, including federal, state, and local. The membership includes not only security professionals such as myself and the law enforcement people, but also specialized engineers, "Mission Impossible" people, people with very specialized talents and technology, people that are interested in the same issues that we are. It also includes some academics who have come forward with very interesting ideas about policies. It includes other individuals of no particular stature who have remarkably candid views about some issues that we've talked about today. We've been working very hard at establishing a unique organization. 

The best thing going for the Agora participants is the incredible value found in the sharing of information and the partnership that has been built between the public and private sector organizations. We have successfully built these trusted networked relationships by carefully prohibiting what we call the three P's: these are any actions which are motivated by profit, politics, or self-promotion. We have no room for that kind of thing, and those are the ailments that quickly take away from what we are trying to do. We also use confidentiality agreements to strengthen the integrity of the association. We work very hard at being a non-entity, a non-organization, a fuzzy entity, I guess – it's hard to get your arms around it. We have no formal charter, we have no officers, we don't have any organizational traditions except that of confidentiality, we have no offices, we have no phones, we have no website, we have no list-serve, no e-mail – we have nothing. All communications regarding meetings go out by regular mail and word of mouth, and the participants list is maintained by one person and only one other person has a backup for security reasons. He is a hand-picked individual and it rotates. As a matter of fact, only two people know at any given time who that individual is. We are trying this non-organization stuff that sounds a little bizarre because we think that it has some strategic potential. We have had no publicity, which is key for a lot of our senior executives and our Board of Directors. We've had no publicity up until recently, and that was sort of a bone we had to give out to the press because we had some investigative reporters that heard about us. There are, as a matter of fact, only two private sector companies that have gone on the record officially in the media as admitting that they have employees who are participating in this organization. 
They are my employer, which took a leadership role in it, and they have weighed the risks against the potential of being viewed as a leader in information security, and decided that that's what they wanted to do, which they did. The other organization that stepped forward and admitted that they supported the Agora is Microsoft. There have been many government and law enforcement organizations, on the other hand, that have stepped forward and readily admitted in the press and openly that they support the Agora activities. They include the local office of the U.S. Customs, the United States Secret Service, the FBI, and also the Royal Canadian Mounted Police. Also, some local county prosecuting attorneys are actively involved. They were quoted in the newspaper. And a few state agencies like the Washington State Department of Social Services, our largest state agency with 18,000 employees. It is an extensive network. 

The Agora is an evolving think-tank. There's open communication among a lot of divergent industries, professionals and their counterparts, and competing organizations talk comfortably about mutual problems and challenges. There's no better person for me to talk to than my counterpart in my competitor's office. We've got the same problems. And we maintain respect for any marketing information we glean from those discussions, and we respect that. The support I get from this kind of participation is invaluable in meeting my objectives. 

There are many Agora participants working very hard on what we consider key elements of new response strategies that organizations need to develop. Let me quickly list a couple of these things that are going on. The first thing we're doing is we're building a remarkable and extensive network of professionals. The experience and experiences found in this network are very nice, grass-roots, powerful in potential, education, training and awareness. Programs for some of the things we're suggesting …. advocating … that need to be established develop easily and naturally. There's a prosecuting attorney by the name of Ivan Orton in Seattle, who has prosecuted any number of young individuals who have misused computers in our systems. He is sick and tired of interviewing these people, working with these people; he's frustrated by what he sees as a trend, so he's very interested in establishing a kindergarten through 12 computer ethics training program for the schools. And he came to us because of his interest, and we supported him with resources, financial resources, in support of the logistics and publication of materials, expert editors to help edit and set up the curriculum to make it a valuable program for non-professional teachers since he's not a professional teacher. Right now, today, this week, he is running a pilot program on children in elementary school. It's being observed by other PTSAs (Parents, Teachers, Students Associations). We intend to try and have their participation and forge a meaningful K–12 non-intrusive sort of program. It's a delight to see this forming. 

Then there's Leanne Shirey, a Seattle police vice officer. An interesting young woman who I care very much about, who has the unfortunate task of doing key investigations of child rape cases, especially those involving the Internet. She's one of SPD's – Seattle Police Department's – chief technical experts. She's very much involved with child pornography. She is sick and tired of her horrible duties, and she wants to do something about it, so she came forward to the Agora and we're trying to facilitate her immediate needs. She has decided that one of the things she could do to help the situation is to build a training-the-trainer program that will accomplish two things: it will give law enforcement officers a boost with their efforts at community policing, and will solve her problem … because the community police … police officers she wants to train as trainers who are teaching the parents to go home and be partners with their children as they explore the Internet. All of which works for the Agora. Downstream, ten years from now, my corporate neighbors who are part of this association will have children and parents and households that are helping to mitigate the emerging problems, not add to them. We're helping her program. She's gone way out – she's got connections and the Agora's got some connections and we have some unusual opportunities unfolding with this specific training-the-trainer program. The federal law enforcement training center in Atlanta has talked about reviewing and embracing an on-going support for that particular program and servicing and helping it nationally out of their center in Georgia. We have also piloted this particular program. 

Corporations have been solicited … we have solicited ourselves … and some have agreed to open up some new technology training opportunities so badly needed by local law enforcement officers. There are openings in corporate training programs that companies have spent money on but are not able to fill with corporate personnel. We want to leave these chairs open for law enforcement because the horrific realization we've had regarding law enforcement is that they are way behind the curve in their ability to deal with the issues at hand. So we have training opportunities for law enforcement, free of charge, that can be shared to help close the "expertise gap." Also, we have an incredible teaching mechanism that's going on ad hoc – we have law enforcement officers calling up technicians in corporations, some of the best around, who are willing to come out and share their expertise with these officers. Law enforcement folks now have access to private sector experts that are willing to answer technology questions. Problems or technology questions that they think are existing in their own domain of work are now shared openly with trusted partners. 

The education is a two-way street; we're not going to cast aspersions that law enforcement is not contributing – they're contributing a lot. They're sharing with us, in exchange for the technical advice …, very important practices we need to have to deal with new information threats. They're teaching us investigative practices; how to preserve a chain of evidence, interview and interrogation techniques – things we're not exposed to as corporate security professionals. These are valuable tools that I've already used in my work. 

These are training programs that are breaking down traditional and unnecessary barriers. I salute these kinds of efforts. The reason I can salute and take no credit for it is because it's the other people who are doing it. 

Here's a quick run down of some of the other things. I won't elaborate on them much:

I like to consider the Agora the "Techno-NATO" of the Northwest. Mind you, I'm not claiming or intending to suggest that we have all the answers, but we are successfully cooking up a pretty good soup, and a lot of people are liking it in the Northwest. I have become convinced that it's going to be through efforts like this, like the Agora, that solutions to some of the more challenging issues will be found. 

In conclusion, I want to underscore the importance of the sage counsel offered by my friend Bob Giovagnoni, during the first panel session yesterday. He told us that before you learn how to walk you have to learn how to crawl. This statement was in regard to the problematic issues and the importance of information sharing in the private sector and in the government. It was suggested by him that we begin building our necessary new strategic partnership by doing something that doesn't hurt – sharing things that can't hurt, best practices. The man is right on the money. All my experience with the Agora over the last three years says he's right. It's the simple way to build trusted relationships. In the spirit of the proposal, I also want to offer another suggestion for all of you, especially for those of you who work in law enforcement and government. Why don't you think about taking the initiative and the time to pick up the phone and call any private enterprise in your region, in your area, down the block, and try to get hold of the security professional in that organization. And if you hit it off, if you share some interesting curiosities about each other and what you do, I suggest you invite him or her out for lunch or coffee and start engaging them in discussions about issues. I think you will be surprised and very pleased to discover how much you share in common and how valuable you are to each other. Give it a shot. Let's find the common ground – let's find that floor without splinters and start learning how to crawl. It's essential that we take some action instead of just debating. I suggest we get down to work and make those phone calls and learn how to make that crawling effort. I thank you for your attention, and I look forward to answering your questions. 

Mr. Wingfield: I'd like to thank all the members of the panel for their presentation. We still have a bit of time for questions, so if you have any questions for the panel, please let us know. Professor Kuehl. 

Participant: It's always nice to wrap up a conference on a high note, and I don't know if you planned it this way, but Kirk, your message was certainly a high note. The question I want to ask you is, if I take a handful of seeds, and throw them out on concrete, they're going to die. But if I throw them into prepared ground that's been watered, etc. etc., they're going to grow. You obviously had prepared ground there for this idea to grow in. What created the conditions for that? 

Mr. Bailey: The key to talking about these issues of corporations, and I mentioned this to the Attorney General, is you have to approach the people who are living with the horrific realities, folks like me, information security professionals. We are prepared because of the burden of our responsibilities to talk about anything, and to work with anybody. We also understand the nature of security and the nature of how to keep information confidential. So the fertile ground is nothing more than a naturally-resulting condition, and I believe that security administrators are there because the biggest obstacle for us – getting corporations to boost support for the activities of the Agora – rests with the issue of the security, the individual security administrator in those corporations not being considered a prophet in our own land. When I walk into a project meeting, I'm considered a pariah. I represent the worst possible news for any project or initiative in the corporation. I represent restrictions, delays, and more money. So we don't have an active voice, or haven't had an active voice, but we've become an active voice because I can assure that the Commission's good work clearly pointed out a condition that's occurred in corporate America, and that is, …. We are vulnerable, so corporations are learning this at the highest level because it's an emergency, and they're anxious to find results. They're listening to security issues. 

Participant: Because of the first responders, they're the ones who may be up against the weapons of mass destruction pattern, because the first people there are going to be fire and police, has North Carolina looked into WMD, and are you utilizing, you know, trying to use the Guard, not the national, but the state guard. Can you talk about that for a little bit? 

Mr. Hoell: We do have the state National Guard, and as far as weapons of mass destruction, we're vulnerable. I mean, our first responders are not trained to deal with those kinds of issues. Those are the things that we are beginning to look at as a group. We have just scratched the surface. We have a program actually. We started about four weeks ago and have had our first terrorism meeting. We began to look at those kinds of issues and just what we ought to be doing. We do have a group in North Carolina called SORT, it's a medical response unit funded and supported by the federal government … actually off the top of my head, I don't know what the acronym stands for, but it's a response team, a special operation response team. They're located in Winston-Salem. They have all kinds of capability for nuclear/biological response, but again we're not prepared, the state of North Carolina – our resources are not ready. We have a long ways to go. 

Participant: With regard to the subordinate providers to your first responders, what value-added have you seen and what support can you see having potential aid in the fighting process that you have? 

Mr. Hoell: We're just getting there. We have just formed our task force and just begun to look at those issues. We really have not written any kind of a plan at this point. I will say we have written a draft plan (that being just very short, maybe a dozen pages) addressing what agencies of State government would have particular responsibilities, but our response again is looking at some kind of an event. We're looking at how these resources – fire, law enforcement and emergency medical response – can be better managed. More planning must be done. We have not gotten to that level of detail. 

Participant: The second part of the question was, you had mentioned something, I think I remember correctly when you said you had an emergency management compact – apparently you have a coalition with other states for mutual support. Have the states done anything, or are they planning to look at different areas of expertise so that there's no duplication with the states so that you can go to one state to get additional support in a particular area. Is that part of the planning process in that compact? 

Mr. Hoell: That's something that states are just now really beginning to become partners in. What we are doing in the state of North Carolina is to better develop all the capabilities, ensuring we have expertise we can share with other states and through the National Emergency Management Association, which is made up of the State Directors of Emergency Management Agencies across the country. They are beginning to develop some standards and capabilities so that when and if we call upon another state, they can merge resources that we do not have with our resources. They must understand incident command. That is the reason for going to incident command as our structure because incident command is recognized across the country for firefighting resources. If we can better develop this for all state resources, then we know when they respond. We can fit those resources into the organization like that. 

Mr. Wingfield: Judge? 

Judge Everett: Doug, as a fellow North Carolinian, and realizing that we have more military personnel in our state than in any other, I wondered to what extent your organization is coordinating with the folks at Camp LeJeune, Cherry Point, Fort Bragg, and Seymour Johnson? 

Mr. Hoell: Whenever we activate our State Emergency Operations Center for an event, the First Army comes as the military – as the military support. They send a liaison to our State Emergency Operations Center, and right now, that is Colonel Rick Brown. He will come as our military liaison. He can go back and draw on the military resources once we have a presidential disaster declaration. So, in cooperation with the Federal Emergency Management Agency, First Army sends their support and provides military resources as needed. 

Mr. Wingfield: I think we have time for one more question. Back row. 

Participant: One of the, should I say, interesting characteristics of cyber attack that I've heard mentioned in the last few days is the fact that we may not know that we are under attack at the time when the effects are being felt either on businesses or communities – the effect on vital services. My question really to the entire panel right now is how have you thought about this issue and how do we deal with the fact that, unlike a hurricane or other natural disaster, we may not know what is going on until far after the actual impact has occurred? 

Mr. Hoell: I'm concerned (from my point of view) that we would simply be dealing with effects. If we saw the lights going out, for example, and things of that nature, then obviously we have to deal with that. But how to stop it, or how to put it back on line, or how to bring things back up again is certainly beyond our capability at this point, and maybe even on down the road. And I will defer to the others. 

Mr. Bailey: There have been two incidences in the Northwest area involving two service organizations that sustained such an attack. The one that alarmed us the most was a publicized – modestly publicized – incident that involved a troublesome customer that attacked a small ISP (Internet Service Provider). The ISP became irritated with and initiated actions that eventually got a foreign exchange student kicked out of a local university. This all happened because of threatening remarks and hacker type activities that he had been conducting. To make a long story short, this individual took retribution against a particular business and managed to hire a mercenary attack team to render that business inoperable. In the time between when they noticed – when the attacks that were being sustained were noticed, and when they began, turns out to have been a period of about 40 days, which is part of the model that we're using in our "mercenary attack scenarios" that we have been profiling. The sustained attack was remarkable. You should know that within four days after the student got kicked out of school, the mercenaries had seized complete total communication control over their organization, and were monitoring phone calls over a period of about five weeks. They monitored and watched, during this particular intrusion incident, to be able to gather all of the intelligence they needed to time their attack, and how to attack based on personalities. So that scared us. So we are working on building … working on ideas … on developing the best way of responding. We have developed some techniques for telecommunications and voice communications in conjunction with telephone companies to figure out … and we're still trying to find when do we take intensive actions to get rid of the potential threat…. It's a very difficult and fascinating issue. But there are good people working on it; it's not an un…. 

Mr. Powers: In short, the answer to your question is probably I don't know. When, during the Commission's proceedings, I assumed responsibility for the state and local government services aspect of our program and I visited one of our Northeast states, and separately, I talked with the Chief Information Officer and then also the head of the Intelligence Unit at …, the director which they had at the intelligence unit indicated that their systems had detected a barrage of intrusions and intrusion attempts in their system and they were working with the FBI very tightly to identify and then to track these. Separately the CIO had no connection with the state police, which I find somewhat an unhappy concept. But anyway, he indicated to me directly that the state had only had one intrusion in the last six years or three years at the time. And we tracked the person down and arrested him – it was a teenage kid. My kids didn't speak to me for three weeks after we did that, which was a very unhappy event from this particular end of the ethics thing. But you really need to look for these intrusions, and if you don't look for them, you're not going to find them. And if you think you're not being attacked, then you probably have a bigger problem, and bigger than you actually are aware of. 

Mr. Wingfield: Thank you very much. Please join us in a warm round of applause for our panel. 

Mr. Silliman: Let me just make a few very, very brief closing comments. Our objective in this conference was fairly simple. We recognized five months ago that this was a topic that required a bringing together of industry and government to discuss some of these issues. We didn't seek to come out with any nice resolutions that would solve the problem. Some of these problems are going to take years to solve – as we've heard from all our panelists and speakers. But we wanted to at least provide a forum. And if you've noticed that in the panels we've tried to have some kind of balance between industry and government so that we can have an open dialog here – sometimes for the first time. We hope that what we started in this conference will go forward – with Dick Clarke and the National Security Council, and the PDD, with industry, with the different initiatives that will be looked at in Congress in various committees. Most of all, we appreciate your being here, because many of you – all of you – are experts in this field. Your contributions, your questions, your comments, have added immeasurably to the success of this conference. 

Let me just make a few administrative matters. Again, as I said before, we very much solicit your critiques on how we can do this better next year. I really mean it – we look at them, we analyze them, we try to carry them out so that we can provide those of you who come to our conferences a more meaningful two day event. There are some hand-outs still left out on the table for those of you who have not picked them up of the speaker's comments, so if you have not gotten a copy of some of the comments then they are out there. 

I do want to acknowledge a couple of folks. First of all, as far as the co-sponsors of this conference, I am gratefully indebted to Gary Sharp from the Aegis Center for Legal Analysis and to Bob Turner from the University of Virginia, Center for National Security Law for their tremendous contributions in helping to put this on. But the real work was done by a couple of young ladies who you've seen out there at the tables. Donna Ganoe from the Center for National Security Law, who is standing up in the blue dress, has done a lot of the work, and the young lady who has done the bulk of it and has had to live with me for five months while we put this thing together is my staff assistant, Anita Wright. I would also be remiss if I did not again mention that this conference could not have been possible without the tremendous support from two organizations: one the Smith Richardson Foundation – Marin Strimecki had to leave early – and the Aegis Research Corporation represented by Bill Geiger. Bill, we're delighted that you and your wife could come join us for this conference and we very much appreciate your support in this endeavor. 

Lastly, we have a reception sponsored by the Journal of Comparative and International Law at Duke, a very prestigious journal. Christian Broadbent and his staff are hosting all of us in a reception at the courtyard of the law school which will start at 4:30. We really do invite you to come down. If you've never been to our law school, it's a lovely building. We're going to be meeting in the courtyard, so we'll be outside, and it'll be a chance for you to also mix and mingle with some of the students and some of the faculty who are going to be joining us. We really hope that you can join us. We appreciate your coming; we hope that this has been not only professionally rewarding for you but personally enjoyable. The weather worked out and we hope that the facilities here were good. So God bless, have safe travel back, and we hope to see you down at the reception.