The Y2K apocalypse failed to materialize. But the resulting complacency about computer-induced disaster proved short-lived as we were besieged by denial-of-service attacks and computer viruses. Businesses were effectively shut down; government services were temporarily suspended. The attacks highlighted the need to do more to secure the systems that so many sectors of our economy, as well as the federal government, rely upon.
Protecting the privately owned and operated computer networks that make up our "critical information infrastructure," which extends from utilities to banking, communications, transportation, health care, and e-commerce, is essential for Americans' national security, economic welfare, and fundamental freedoms. But how this is done will be key to its success, and the information technology industry has a vital interest in seeing that we do it the right way.
So far, the government has said that it will work cooperatively with industry to deter, identify, and respond to cyber threats and attacks. Yet by treating our information infrastructure as a national security asset, the government has laid the basis for future control and regulation through technology mandates or federal standards. Such actions would hamper efforts to improve cybersecurity. They would also impose significant costs on industry and reduce the privacy of businesses and consumers on the Internet.
In May 1998, President Bill Clinton issued Presidential Decision Directive 63, calling for a national effort to strengthen the country's defenses against unconventional threats to its increasingly vulnerable and interconnected computer infrastructure. The government's announced goal is to establish a reliable, secure information infrastructure by 2003, using the full authorities, capabilities, and resources of the government as necessary.
In January of this year, the administration released the first version of its National Plan for Information Systems Protection. The two major stated objectives are (1) to make the federal government a model of information security and (2) to build a voluntary public-private partnership to protect the national information infrastructure. The president also requested $2 billion from Congress for programs and research.
A bureaucratic soup of acronyms has been created to analyze and respond to threats and to work closely with the private sector. The administration's effort is directed by Richard Clarke, national coordinator for security, infrastructure protection, and counter-terrorism at the National Security Council. The Department of Defense is receiving the lion's share of the funding, primarily to secure its own systems and to conduct research and development. Within the Federal Bureau of Investigation, a National Infrastructure Protection Center, headed by Michael Vatis, has been established to coordinate threat assessment and warnings, as well as law enforcement investigations and responses. At the Department of Commerce, a temporary Critical Infrastructure Assurance Office (CIAO), headed by John Tritak, serves as a national planning center to coordinate with the private sector.
The government is also working hard to encourage private businesses to do more to improve security and to share information and best practices among themselves and with the government. At the CEO level, a National Infrastructure Assurance Council will advise the president and the Cabinet. The Partnership for Critical Infrastructure Security is a cross-sector, cross-industry effort supported by the CIAO. A few individual companies have joined the FBI's InfraGard program. And the information technology industry itself is considering creation of a center that would gather, analyze, sanitize, and disseminate information to industry members and the government.
A HELPING HAND?
Is there any real reason for industry to be concerned about all this government activity? The administration has said that it will work cooperatively with the private sector. But where "encouragement" fails to yield desired results, forced compliance may follow. In meetings and at conferences, officials from the NSC, DOD, DOC, and FBI all say that regulation remains an option. The private owners and operators of the information infrastructure could someday be required to meet federal standards, use federal technologies, and follow federal policies and practices. There are several very good reasons why that kind of government intervention would be a bad idea:
- The government does not have the expertise. It's the private sector that has the knowledge necessary to protect the information infrastructure. The government has hardly done an exemplary job of protecting even its own systems. It is unsettling at best to contemplate Washington as the arbiter of specific security objectives and the judge of whether industry has achieved desired results.
- Regulation would be counterproductive. The best cybersecurity solutions will be market-driven and industry-led. New laws, regulations, or standards would be self-defeating, stifling innovation, artificially channeling R&D, and harming the very infrastructure that needs protection. Moreover, companies' incentive to improve security could be eviscerated if they are forced without fair compensation to license a new tool or technique that the government deems critical.
- Government standards would raise costs. Washington should not mandate technologies or require companies to implement government-developed standards regardless of whether they are reasonable for a particular situation or whether more cost-effective alternatives exist. There is also the possibility that companies will be forced to pay licensing fees for technology that only the government wants them to use.
- Government intervention could violate privacy rights. Threats to computer security should not be used as a broad justification for violating personal and corporate privacy. Indeed, as more of our lives are conducted electronically, it is essential that these communications and transactions be shielded from unjustified examination. We do not need widespread surveillance or monitoring of citizens at home and work under the guise of information infrastructure protection.
- Government action could compromise business secrets. Forced public-private partnerships raise concerns regarding the disclosure of companies' proprietary information. Will the shared information be subject to disclosure under the Freedom of Information Act? Will there be carve-out protection for trade secrets? Will the information be classified? What will the liability implications be?
Mandatory compliance in this area would not be unprecedented. Consider that after three years of government-industry "partnership" in developing wiretapping standards pursuant to the Communications Assistance for Law Enforcement Act, the FBI rejected those standards and sought to impose its own gold-plated requirements, which would have significantly expanded FBI capabilities despite contrary congressional direction and billions of dollars in costs to industry. Another example of government overreaching is the original plan for the Federal Intrusion Detection Network, or FIDNET. The administration first proposed that the FBI monitor Internet traffic generally within this country. In the wake of strong congressional and private sector criticism, FIDNET's mission was narrowed to monitoring the federal government's own computer networks.
So what would be the best way to protect our critical information infrastructure? Both the private sector and the government have essential roles to play. But a voluntary partnership is the only approach that can succeed.
The private sector needs to:
- Continue improving protection in product lines and networks. Information technology companies are already responding with greater rapidity to virus attacks, often announcing solutions within hours. The recent change in administration policy facilitating the use of strong encryption also helps, as does public education about practicing good "security hygiene." But it is important to understand that there is no silver bullet for the problem of cybersecurity; it is a process of continual improvement.
- Do a better job of sharing information among industry members and with the government about threats and vulnerabilities as well as best practices. In this regard, legislation could facilitate the sharing of information by removing disincentives imposed by antitrust laws, FOIA requirements, and the apparent ability of third parties to use such disclosures against those who provide them.
At the same time, the government must:
- Share information with the private sector. The FBI's National Infrastructure Protection Center is a step in the right direction. More must be done with greater frequency and efficiency, specifically with respect to warnings of particular threats.
- Get its own house in order. Given the recent report on the ease with which General Accounting Office employees gained access to supposedly secure facilities by posing as law enforcement officers, we can only hope that the government's virtual security is better than its physical security.
- Improve law enforcement's ability to detect and prosecute cybercrime. The government must continue to strengthen its own technological capabilities to investigate crime over the Internet. Additional training is needed, including at the state and local levels. Cybersecurity scholarships and the creation of a new cyber-corps with specialized training would also help.
Information technology has made many of our nation's essential services enormously more robust and reliable. Indeed, the technological advances in our information infrastructure sparked the dramatic rise in productivity underlying the economic success of the 1990s. Yet the same interconnectedness that allows us to increase efficiency and opens new frontiers of commerce and government makes us more vulnerable.
Better protection of our computer networks is essential to the public and private sectors. But the government should not overreact to denial-of-service attacks and Internet viruses. These legitimate threats to computer security do not call for new powers of regulation, new burdens on industry, or loss of fundamental rights of privacy. Giving government the resources to fight cybercrime is a priority. Broad new government authority is not.