BRUCE J. HEIMAN
AMERICANS FOR COMPUTER PRIVACY
COMPUTER SECURITY & INTEGRITY
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
MAY 25, 2000
Introduction and Summary
My name is Bruce Heiman, and I am Executive Director of Americans for Computer Privacy (ACP). ACP is a broad-based coalition that brings together more than 100 companies and 40 associations representing high-tech, telecommunications, manufacturing, financial services and transportation, as well as law enforcement, civil-liberties, pro-family, taxpayer groups, and over 6000 individuals. Our members created ACP to focus on issues at the intersection of electronic information and communications, privacy rights, law enforcement, and national security. A list of our membership is attached to my testimony.
Encryption is an essential component of information security. ACP supports policies that advance the rights of American citizens to encode information without fear of government intrusion, and advocates the lifting of export restrictions on U.S.-made encryption products. The Administration's January 14th policy announcement represents a substantive improvement over the prior encryption export policy and a significant movement toward leveling the playing field between U.S. and foreign manufacturers of encryption products. ACP wishes to express its gratitude to the Congress and the Administration for its far-sighted support for liberalization of U.S. encryption export policy.
But more needs to be done. Protecting the critical information infrastructure is essential for U.S. national security, American economic welfare, and our fundamental freedoms.
ACP strongly believes that a voluntary cooperative partnership between government and industry is the only approach that can succeed in protecting critical information infrastructure. ACP supports policies that promote industry-led, market-driven solutions to Critical Information Infrastructure Protection and opposes government efforts to impose mandates or design standards. ACP supports giving government the resources necessary to protect its own computer systems, to recruit and train computer security and law enforcement personnel, and to strengthen the government's technological capabilities to investigate and prosecute cyber crime. But ACP opposes government proposals to increase widespread monitoring or surveillance.
Importantly, ACP believes that the government must proceed cautiously and should not rush to pass new legislation. We are concerned about the possibility of overreaction to recent denial of service attacks and Internet viruses. Such an overreaction could generate new laws or regulations which would stifle innovation, harm the very infrastructure that needs protection, and threaten the privacy rights of Americans at work and at home. (ACP has formulated five principles that should structure the current debate concerning Critical Information Infrastructure Protection, which are also attached to my testimony.)
Encryption Is An Essential Component Of Information Security
Encryption is the essential technological ingredient that can ensure the confidentiality, privacy, and authenticity of information. Encryption helps prevent cyber crime and promotes our national security. During the last two years, ACP led the private sector's effort to permit the widespread use of strong American encryption products in order to protect privacy, promote national security, and prevent crime. With strong Congressional support, we succeeded in persuading the Administration to relax export controls on encryption products.
We commend the Administration on its change in encryption export policy. However, the Administration still requires both licensing and a classification and technical review process for encryption exports. Furthermore, the Administration lacks sufficient resources to meet the nearly 200% increase in classification requests for encryption exports. Despite the new regulations, a lack of government resources results in delayed processing of applications and creates a de facto competitive disadvantage for U.S. companies vis-à-vis their foreign competitors.
Companies of the European Union (EU) will enjoy a further advantage over American companies in world markets due to the EU's recently announced liberalization of its encryption export control policy. The EU essentially created a license-free zone for EU members and another ten countries. In contrast, the United States still requires U.S. companies to apply for licenses to export encryption to foreign countries, except Canada.
On May 15th ACP filed comments urging the Administration to respond to the recent EU encryption export policy. ACP urged the Administration to extend Canada-type treatment to encryption exports to the EU countries and the other countries covered by the EU's new rules. We look forward to working with the Administration to prevent U.S. encryption exporters from being disadvantaged by the EU's new policy.
ACP also continues to oppose any efforts by foreign governments to erect import barriers to American products or to impose domestic controls on the use of encryption. We appreciate the Administration's actions, again with strong Congressional support, in opposition to proposed controls in China and France. Overall, we anticipate the widespread use of encryption in the years ahead.
But More Needs To Be Done To Protect Our Critical Infrastructure
Technology has made many of our Nation's essential services enormously more robust and reliable. Our information infrastructure has sparked the dramatic increases in productivity underlying the phenomenal economic success story of the 1990s. Yet the same "interconnectedness" that allows us to increase efficiency and productivity and opens new frontiers of commerce also gives rise to increased vulnerability. All members of ACP are affected by this new vulnerability.
As a result, ACP takes extremely seriously the need for increased cyber-security throughout those sectors of our economy such as utilities, banking, communications, transportation, healthcare, and e-commerce that today are so reliant on information systems. The U.S. government, including our national defense establishment, also relies heavily on private-sector networks, products, and services.
The denial of service attacks earlier this year, and most recently the Melissa and Love Bug viruses and their progeny, remind us of the need to secure the information systems on which so many sectors of our economy rely.
ACPs members are working hard to improve computer security and to make the Internet a safe and reliable environment for business and personal use, while preserving the dynamic growth and rapid pace of innovation that have made the Internet such an amazing phenomenon.
A Voluntary Cooperative Partnership Between Government And Industry Is The Only Approach That Can Succeed
In the United States, it is the private sector that develops, owns, operates and maintains the networks, systems, products, and services that make up the information infrastructure. It also is the private sector that possesses the knowledge and expertise necessary to protect it.
So far, the Administration in Presidential Decision Directive 63, the National Plan for Information Systems Protection, Version 1.0, and various other activities has recognized that it should work cooperatively with industry on a voluntary basis to deter, identify, and respond to cyber threats and attacks.
Both the private sector and the government play key roles in Critical Information Infrastructure Protection.
What should the private sector be doing?
First, what information technology companies already have been doing for some time: constantly improving protection in their product lines and networks. Information and communication sector companies accept that improved network and information systems security is imperative, and they are willing to do their part.
Private companies are in the best position to know how to protect infrastructures they have developed, owned and operated. But it is important to understand that there is no one single "silver bullet" for the problem of information security - rather, it is a process of continual improvement.
Second, it is incumbent upon all of us to practice good "security hygiene" and to educate others to do so. For example, many people choose a password that is related to something about them and thus make it easier to figure out. Also, many people do not change their passwords at regular intervals. Others simply choose an English language word rather than a random sequence of letters, symbols, and numbers, which is far more difficult to crack.
Perhaps the recent Internet virus attacks have had a positive effect: all of the attention on Internet viruses has made computer users more wary and less trusting. According to a recent Pew Internet and American Life Project poll reported in the Washington Post, only about 25% of users who received the Love Bug email attachment actually opened it. This is a real improvement. The private sector needs to continue to spread the message that, just as you wouldn't let anybody into your house, so you shouldn't let just anybody into your computer.
Third, industry does need to share information among itself and with the government about threats and vulnerabilities as well as best practices. In this regard, ACP has met with representatives of the National Security Council staff, the FBI's National Infrastructure Protection Center (NIPC), and the Dept. of Commerce's Critical Infrastructure Assurance Office (CIAO), and ACP has been encouraged to continue the dialogue. Furthermore, several of ACP's members will be serving on the President's National Infrastructure Assurance Council, a CEO-level group that is being formed to advise the President and Cabinet members. Many of ACP's members are also active participants in the Partnership for Critical Infrastructure Security, a cross-sector, cross-industry effort supported by Commerce Secretary Daly and John Tritak, Director of the Critical Infrastructure Assurance Office (CIAO). The Partnership has already met a number of times and established several working groups.
There is an ongoing, serious discussion within industry itself and between industry and government about the possible need for legislation to facilitate the sharing of information among the private sector and between the private sector and government. Such legislation could provide enhanced protection for shared information by removing disincentives for this dialogue imposed by antitrust laws and FOIA requirements and resulting from the apparent ability of third-parties to use such disclosed information against those who provide it.
Of course, the government also has an essential role to play as well.
First, it is important for the government to share information with the private sector. This includes alert warnings of particular threats. We are encouraged in this regard by the approach taken and attitudes shown by the FBI's National Infrastructure Protection Center. However, we think the government needs to keep improving the time it takes from receiving information to issuing an alert.
Second, it is important the government leads by example and gets its own house in order. In this regard, it does appear that the government needs to continue improving as well. The Love Bug virus affected government computers, and the GAO recently criticized the vulnerability of the Executive Branch to the recent virus attacks.
Third, we strongly support law enforcements efforts to increase training of officers, including at the state and local levels, in the detection and prosecution of cyber crime. ACP supports funding to hire and train additional government computer security personnel. We also will continue to work with law enforcement to educate their people.
Fourth, we support strengthening the government's technological capabilities to investigate and prosecute cyber crime. Law enforcement needs to have the same state-of-the-art hardware and software possessed by criminal hackers. ACP supports additional appropriations so that law enforcement has the tools to counter the threat posed by these hackers. We also will continue to work with law enforcement so that government can better understand the technology.
Fifth, we support the idea of new cyber security scholarships and the creation of a new "cyber corps" of those with specialized educations in the prevention, detection, investigation, and prosecution of cyber crimes and in the protection of our critical infrastructure. Today, there are not enough academic centers offering curricula in cyber security. Government and the private sector should join together to incubate such schools in order to develop tomorrow's leaders in cyber security.
Government Must Proceed Cautiously
While Critical Information Infrastructure Protection is very important to both the private-sector and the government, ACP also believes it is important that government not overreact to the recent denial-of-service attacks and Internet viruses. Indeed, precipitous action can do far more harm than good.
First, it is important to remember that Internet viruses such as the Love Bug are not a new problem and in fact represent a complex, variegated problem. To be more specific, according to the Washington Post, information technology companies have identified roughly 40,000 different viruses, including 29 separate versions of the Love Bug. Information technology companies constantly upgrade their products and support services to provide protection against similar attacks. Indeed, only private companies as opposed to the government have the quickness and agility to stay abreast of the rapidly developing technology of cybersecurity.
Second, information technology companies are responding with greater rapidity to such attacks. It is usually only a matter of hours before a virus has been detected and analyzed and a software patch fixing the problem is posted on the Internet for free download. Thus, according to many calculations, the response to the Love Bug virus was much quicker than the response to the Melissa virus.
Third, the public is becoming better educated about "security hygiene." The recent Pew Poll reported in the Washington Post is encouraging: only one in four recipients of the Love Bug virus actually opened the attachments in the face of widespread dissemination about the dangers of the virus. We believe that individuals at home and at work are beginning to evaluate critically the messages and information they receive and to take seriously their security responsibilities whether it be changing their passwords, using better encryption, or updating their anti-virus software.
Fourth, there is little doubt that true cyber crime is illegal under our existing laws and that such crimes could be prosecuted. Moreover, private sector individuals with particular expertise have, and will continue to, cooperate with and assist law enforcement in investigating and prosecuting cyber criminals. I should note that ACP does not think it appropriate or desirable to use the possible absence of sufficient laws in other countries to enact new legislation in the United States that might infringe on privacy rights.
Fifth, we strongly believe that new government controls, technological mandates, or federally imposed standards will not lead to better Critical Information Infrastructure Protection. It is essential that the government not use legitimate threats to computer security as a justification for assuming new powers of regulation, imposing new burdens upon industry, or mandating that the private sector use particular technologies or processes. Such commands would backfire by stifling innovation, artificially channeling R&D, and harming the very infrastructure that needs protection.
Sixth, government must not violate personal and corporate privacy in the quest for Critical Information Infrastructure Protection. Once again, the government should not use legitimate threats to computer security as a justification for threatening fundamental rights of privacy. Indeed, as more of our lives are conducted electronically, it is essential that we ensure the security and privacy of information, communications, and transactions that dominate our daily lives from unjustified and unwarranted government examination. The government must not increase widespread surveillance or monitoring of Americans at home and work. While we fully support giving law enforcement the requisite resources and training to investigate and prosecute cyber crime, it is quite another thing to say that, just because some will commit cyber crime, it is necessary to watch closely what everyone is doing.
One example of this danger is the government's original plan for FIDNET, the Federal Intrusion and Detection Network. As originally conceived, the Administration proposed that the FBI monitor Internet traffic generally within this country. We are pleased that, in response to widespread Congressional and private sector criticism, the Administration has changed FIDNET's mission to be, more appropriately, one of monitoring the federal government's own computer networks. This is much more in line with what companies do in terms of monitoring their own information systems, and it is something quite concrete, which can improve information security. However, troubling proposals keep bubbling up. The Washington Post recently reported on the FBI's plan to build a "casa de web" data mining computer system for recording and analyzing Internet activity.
Chairman Hatch, you and Senator Leahy and other members of the Committee have introduced legislation addressing different aspects of cyber crime and critical infrastructure protection. As we have explained, there are some positive steps that could be taken. But there is no need to rush forward with legislation. Indeed, ACP has questions and concerns about several aspects of these bills (e.g., the proper role of the FBI's NIPC, international cooperation standards, and the extension of trap and trace devices and pen registers to electronic communications). This area is both legally and technologically complex. Hearings such as these are essential. ACP believes that at this point much legislation concerning Critical Information Infrastructure Protection is in fact premature.