Interesting People mailing list archives

IP: National Security in the Information Age


From: Dave Farber <farber () central cis upenn edu>
Date: Fri, 18 Oct 1996 17:31:25 -0400

I was at the Colorado meeting and Gorelick's speech was after dinner (it
was a good dinner and my reaction to her speech ruined the afterglow of the
meal). I took the opportunity to ask her why when she asked for rational
discourse, did you use almost every trigger word there was to cause
irrational conversation. She declined to answer (took a lot of words to not
do so). Afterward, a number of the military folk there commented to me that
they were happy I asked her that question.


All in all the military wanted to defend the constitution.


Dave




Obtained from  Upside Online - Online 






National Security in the Information Age


(Given at a conference at the U.S. Air Force Academy)
Colorado Springs, Colorado -- February 29, 1996
The Honorable Jamie S. Gorelick, Deputy Attorney General of the United States


Thank you for that kind introduction. I very much appreciate the
opportunity to speak with you this evening about national security in the
information age. You have brought together a truly remarkable collection of
people for this conference. This is precisely the sort of cross-section of
government and industry that is needed for us to begin working through the
difficult policy questions that must be resolved.


In some ways, what we are experiencing today is sort of the "Big Bang"
moment in the development of information technology: New technology is
virtually exploding onto the scene, with important developments occurring
almost daily. With each new technological innovation, there are not only
myriad new opportunities for business and new conveniences for consumers,
but also new legal and policy issues for national policymakers to confront.
And since, as many of you know, policy making in Washington is not always
lightning-quick, it will not surprise you to learn that the development of
technology has to a large degree outpaced our planning and actions.


Fortunately, though, this has begun to change. Tonight, I would like to
speak with you about some of the important developments that are taking
place in Washington concerning national security in the information age.
More importantly, I want to underscore the importance of developing and
continuing a dialogue between government and industry on these issues.
Simply put, no matter what we try to do in Washington, we will get nowhere
unless we successfully enlist the assistance and cooperation of the private
sector.


At the same time, though, the private sector must recognize that a
government role is also indispensable. Government and private industry are,
in a very real way, interdependent in this area. No workable solution to
the myriad problems can be devised by one or the other unilaterally. We
have to work together.




----------------
One of the most striking things about the explosion of new information
technology over the last couple of years, in this "Age of the Internet," is
the way in which that technology is often portrayed as an unqualified
"good." The exponential growth of the Internet, the expansion of digital
and cellular phone systems, and the proliferation of unbreakable encryption
are viewed by some as unconditionally positive developments.
Correspondingly, any effort to regulate the use of these new technologies
is seen as "bad," as the work of neo-Luddites, and as inevitably doomed to
failure. 


We are witnessing this phenomenon right now in the raging debate over
efforts to restrict pornography on the Internet. We saw it last year in the
debate over the FBI's effort to ensure that it can continue to conduct
legally authorized wiretaps on digital telephones. And we see it, too, in
the ongoing effort to develop a national encryption policy, in which we
seek to encourage the use of strong encryption while protecting the
interests that all of us have in effective law enforcement and national
security systems.


In all of these debates, the decibel level is high. Many critics of
government start from the proposition that any involvement by Washington is
necessarily bad. In such circumstances, it is difficult even to engage in
rational discourse, let alone find common ground.


Clearly, we need to step back, take a deep breath, and recognize a
fundamental principle for starters: technology is not inherently "good."
Nor is it inherently "evil." Rather, it is a tool whose virtue and worth
depend on the use to which people put it.


Everyone recognizes this simple proposition in the case of nuclear
technology. Obviously, that technology can be enormously useful -- if
harnessed correctly, it can end our dependence on fossil fuels, satisfy our
energy needs, and reduce pollution caused by burning coal, oil or gas. But
it also is potentially evil, if it is turned into nuclear weapons used by a
rogue state or terrorists to kill innocent people.


But this notion of "moral neutrality" is not the universal view when it
comes to information technology. It is easy to grasp the potential good of
this technology. The spread of the Internet, for instance, can greatly
enhance our lives in countless ways: It can connect people across vast
distances; it can disseminate knowledge to far-flung corners of the earth;
it can spread the message of democracy to people who labor under tyrannical
regimes; it can improve our own democratic process by allowing candidates
to distribute their message more broadly and cheaply or by permitting the
people to make their voices -- and their votes -- heard more clearly; it
can allow parents to spend more time with their children by
"telecommuting"; it can improve our children's education by providing even
the poorest school districts with electronic access to our best teachers;
and it can improve the lives of our senior citizens by allowing them to
communicate with relatives or shop without leaving their homes. The
possibilities are truly endless.


Similarly, strong encryption has the potential for better protecting
people's privacy and for increasing our ability to conduct electronic
commerce without fear of theft or fraud. 


But what has too often been ignored is the potential for the new technology
to be put to evil uses. Thus, absent regulation, the Internet allows the
distribution of child pornography nationwide at the push of a button,
without any control over who is exposed to it. Similarly, it can permit
much greater invasion of privacy and damage to reputation if private facts
about a person, or malicious slander, can be spread so quickly and easily.
In the old days, when gossip spread by word of mouth, harm was necessarily
limited. But now someone can be "electronically slammed" around the world
in minutes. And, the more people begin to rely on the Internet to conduct
electronic commerce and everyday communications, the greater potential
there is for invasion of their privacy as credit companies and service
providers acquire vast amounts of personal information about people's
purchases, hobbies, interests, phone records, and other details of their
everyday lives. In the past, it would have taken weeks of intensive
investigation into a person's life to put together a picture of him that
can now be developed in minutes. And electronically stored private
information -- such as credit or health records -- not only can be accessed
quickly, but also can be altered. 


Encryption, too, can be used for sinister purposes. With the proliferation
of unbreakable encryption, law enforcement stands to lose some of its most
effective tools against terrorists and organized crime groups.
Court-ordered wiretaps that allow us to intercept communications and
prevent a terrorist plot are rendered worthless. Stored data files that
might hold the key to bringing down an international drug cartel or child
pornography ring will be undecipherable, allowing some of the most heinous
criminals to go free. 


Just imagine, for a moment, if we found someone who was abusing innocent
children to manufacture graphic, hard-core child pornography. Imagine that
law enforcement successfully obtained a warrant to search his office for
evidence, including his computer files. Imagine, though, that we go to all
that effort to catch this criminal, only to find that the list of children
that he uses to produce his pornography is encrypted with DES. He's
disposed of his only key (or at least he claims he did). No key is held in
escrow. Dead end for us. Is this really the type of constraint we want?
Unfortunately, this is not an imaginary scenario. This problem is a real one. 


Or, imagine an employee who encrypts crucial company documents just before
he quits the company, leaving the company helpless to access the plain text.
Or a widow who finds that all of her deceased spouse's probate files are
encrypted, but he did not leave a key. 


Beyond these examples of potential ill-uses [sic] of information
technologies, there are broader social problems that are harder to measure,
but which we are slowly coming to recognize instinctively. For instance, if
people are spending hours on end in chat rooms, conversing with faceless
strangers thousands of miles away, will they spend less time actually
talking with their children, their parents and their friends? What will
this do to interpersonal relations and children's intellectual and
emotional development? 


And what effect will the Internet have on the nature of communication
itself? Anyone who has used e-mail has experienced the misunderstandings
that arise so frequently in electronic conversations. Something odd
happens, whether it is that people feel more free to discard social
conventions like politeness and to be brutally candid when they are looking
at a computer screen instead of a human face; or whether it is the lack of
tone, intonation or facial expression that accompanies spoken communication
and can subtly change the meaning of a person's actual words or signal that
someone is only joking; or whether it is the lack of care that goes into
messages that someone fires off on her keyboard rather than taking the time
to think out a handwritten letter. Something happens that simply engenders
misunderstandings and hurt feelings more frequently in e-mail than in
casual conversations by the water cooler or written letters to friends.
We've all experienced this, but we don't quite know what the implications
are. 


The metaphor of the "Information Superhighway" has become a cliche by now,
but let me invoke it one last time before putting it to rest! Imagine if,
at the advent of the automobile, all of the states, as well as individual
companies, just started building their own roads all over the place, with
no speed limits, no lane markings, no highway patrol or emergency rescue
services, no emergency exits, no safety inspections for trucks or passenger
vehicles. I think everyone would recognize that this would be a recipe for
disaster. But now as we are constructing our information superhighway,
which is a thousand times more complicated than our automotive highway
system -- and provides opportunity for much greater damage if abused --
many people are telling the government to just get out of the way and let
NII develop on its own, with no restrictions, no regulation, no effort even
to protect our information infrastructures from attack or abuse. This
simply does not make sense. 


In my view, we really have two choices: We can begin now, jointly, to try
to come up with solutions to some of the difficult issues raised by the
growth of the information infrastructure in a rational, measured, and
prudent way. Or we can wait until a crisis occurs, until some
cyber-catastrophe suddenly crystallizes these issues in the public's mind
and leads to an outcry and a call for immediate government response. But,
if history teaches us anything, it is exactly this sort of crisis mode,
when the government is pressured to respond to some recent outrage, that we
are most likely to overreact and enact bad policy [sic]. Let's try to do it
now, while cooler heads prevail; let's work together to come up with
solutions that serve the public interests.


The telecommunications industry, to its great credit, understands this
interdependence. As a result, I think the president's national security
telecommunications advisory committee -- a joint government-industry body
-- has been highly successful in crafting solutions to the particular
problems faced by the telecommunications industry. The NSTAC serves as a
model, in many ways, for what we need to do for the rest of our industries
that rely on the national information infrastructure. 




----------------


Let me now turn to the particular problems posed by the information
revolution for our national security. You have heard a lot over the last
two days about the growing dependence on the information infrastructure in
all sectors of society -- military, political, economic, academic and
cultural -- and about the increasing interconnectedness of all these
sectors. The implications for national security are becoming more apparent:
as we become more interconnected, we are also more vulnerable to attack
from many different sources. The information and control systems for our
critical industries, for instance, are more vulnerable to penetration and
disruption; information can be more easily stolen, distorted or destroyed;
and the very operation of those industries can be brought to a halt more
quickly and easily. 


The issue of how we address our vulnerability to such attacks has often
been referred to as a "defensive information warfare." But this term can be
misleading. It suggests that the issue is a problem only for our defense
establishment, and should be addressed as part of our national defense
strategy. Certainly, the military sits on a vulnerable platform consisting
of different critical infrastructures. But civil society sits on that same
platform. This is therefore also an issue for the civilian world. Every
person and institution that is connected to the information superhighway is
vulnerable to attack, not just those people and institutions involved in
our defense mission. 


Moreover, the sources of attacks are not limited to nation states or other
foreign powers during times of war. Rather, they can run the gamut from the
disgruntled employee who steals or destroys his employer's information out
of malice; to the criminal who steals proprietary information for pecuniary
gain; to terrorists who seek to cause widespread death or destruction to
intimidate or coerce the government; to foreign intelligence agents who
want surreptitiously to access or manipulate classified or proprietary
information; and, finally, to the hostile state using cyber-attacks as an
instrument of war. Obviously, not all of these attacks are directly related
to defense. All of them are, however, of interest to law enforcement. 


The statistics illustrate, in broad strokes at least, how the cyberthreat
is increasing, for both industry and government. From 1991 to 1995, the
number of Internet hosts increased from approximately 750,000 to over 5
million, an expansion of over 500 percent. Not surprisingly, over a
three-year period from 1991 to 1994, the number of security incidents
reported to the Computer Emergency Response Team (or CERT) at Carnegie
Mellon University increased 498 percent, and the number of sites affected
worldwide was up 702 percent. 


Recent surveys reinforce the CERT statistics. One survey of 246 companies
revealed that the monthly rate of incidents involving the theft of
corporate proprietary information rose 260 percent from 1985 to 1993. Only
32 of these companies were willing to quantify their losses, which amounted
to $1.8 billion. In the other survey, almost one quarter of the 898
organizations queried reported a computer crime within the previous 12
months. And last summer, the Defense Information Systems Agency (DISA),
reported that attacks on DOD computer systems had doubled from only the
year before and were then running at a rate of two a day. 


Let me give you a few examples of the types of cyber-crimes we have seen in
recent years to put some flesh on the bones of these statistics. These
cases illustrate how vulnerable we already are, both as individuals and as
institutions, and provide a window into our future. 




* In 1994, nine people, including an MCI employee, were indicted for a
scheme involving a $50 million telephone calling card fraud. Using a
sniffer program (which monitors network traffic), they captured and used
more than 150,000 calling card numbers. The scheme had been directed by
hackers in Germany who then made international calls to attack U.S.
computer networks. 




* A computer hacker broke into files at a bank and a credit union, and then
used the information to apply for credit cards in the victim's name. The
criminal then used these cards to go on a buying spree. The victim's
ability to obtain credit was ruined and had to be painstakingly
reestablished. 




* Hackers broke into Lawrence Livermore Laboratory computers and used them
to store illegal hard-core pornography. Nearly 2,000 MB with 1,000 images
were found on one Internet-linked computer. 




* We have seen transmission of child pornography files by e-mail through
America Online. 




* Con artists have used electronic bulletin board systems to hype recently
purchased penny stocks, driving up the price and giving the con artists a
profit. 


For the most part, these attacks appear to come from "unstructured" sources
-- that is, they are unrelated incursions by individuals or small groups
usually seeking to steal information or services or to cause disruption
purely out of malice, but with no grand design or organization. In terms of
national security, though, the greatest threat will come from "structured"
sources: organized crime groups (we have seen instances of this), and, more
importantly, terrorist organizations, foreign intelligence agencies, and
foreign military services. These are the entities whose efforts are the
best financed, the most focused, and the most likely to cause widespread
damage to our national security by disrupting elements of our
infrastructures that depend on the information superhighway. 


Even for these structured threats, law enforcement plays a critical role.
Under Presidential Decision Directive 39, which was issued last summer and
sets out the administration's counterterrorism policy, the Department of
Justice (through its component, the FBI) is the lead agency responsible for
combatting terrorism in the United States. And Executive Order 12333, which
has been the guiding instrument for the intelligence community since 1981,
designates the FBI as the lead agency for counterintelligence matters. So
clearly, law enforcement has an important role in protecting our national
security against the new cyber-threats. 


Our most immediate concern right now is the terrorist threat. As our
society becomes more and more dependent on the information superhighway, we
must expand our focus beyond the traditional "physical" attacks by
terrorists that we have encountered in the past, and to anticipate and
protect against cyber-attacks that could cause as great, if not greater,
impact as a well-placed bomb. 


It's not hard to imagine how terrorists could use cyber-tools to wreak
massive havoc in this country. Consider the World Trade Center case, for
example. There was some evidence suggesting that the conspirators in that
case intended to cause the tower to collapse, in order to disrupt the
financial markets on Wall Street. That same objective could also be
accomplished through an electronic attack on the energy or
telecommunications systems that supply lower Manhattan, or on the
information systems of the banking and financial institutions themselves. 


The threat is not simply hypothetical. We have already seen attacks on
elements of the infrastructure that, although apparently not committed by
terrorists, illustrate the vulnerabilities that are present in our
information networks, and demonstrate the urgency of our situation. 




* The pending case involving Citibank is one example. Between June and
October in 1994, approximately 40 wire transfers were attempted from
Citibank's cash management system through the use of a computer and phone
lines from St. Petersburg, Russia, by compromising the password and user
identification code system. Citibank was successful in blocking most of the
transfers or recovering the funds from recipient banks, limiting its
losses. But the potential loss was enormous. Still, imagine what the impact
might have been if the intruders' intent was not to steal funds from a few
accounts, but to bring down the entire bank's accounting system; or to zero
out the records of thousands of accounts; or to disrupt several major banks
simultaneously. 




* In 1989, the "Legion of Doom" in Atlanta, Georgia remotely accessed the
administrative computers of Bell South and wiretapped calls and altered
phone services. It could have shut down the phone network for the
Southeastern United States. 




* From 1993 to 1995, a man in California gained control of the computers
running local telephone switches, and discovered information concerning
U.S. government wiretaps conducted pursuant to the Foreign Intelligence
Surveillance Act (FISA). He also uncovered a criminal wiretap and warned
the target. 


Now, in part through the efforts by joint industry-government bodies such
as the President's National Security Advisory Committee (NSTAC),
telecommunications carriers have taken steps to prevent, or to minimize and
contain the damage from, this sort of attack, in order to avoid the sort of
regional disruption threatened by the Legion of Doom. But I don't know
anyone who thinks that this sort of disruption is no longer a real
possibility. 


The banking and telecommunications infrastructures are not the only ones
that have been affected. 




* In 1992, a computer intruder was arrested for tampering with the
Emergency 911 systems in Virginia, Maryland, and New Jersey in order to
introduce a virus and bring down the systems. 




* Also in 1992, a fired employee of an emergency alert network sabotaged
the firm's computer system by hacking into the company's computers, causing
them to crash for about 10 hours. During that time, there was an emergency
at an oil refinery. The disabled system was therefore unable to alert
thousands of nearby residents to a noxious release from the refinery.
Beyond that, the computer crash potentially jeopardized hundreds of
thousands of people in 22 states and six areas of Canada where the alert
network operated. 


And, of course, the government itself has not been immune to such attacks. 




* A computer hacker penetrated computer or phone systems of universities,
government departments and companies. In the U.S. marshals' computer, he
found the locations of individual federal prisoners, putting the security
of our institutions at risk. He also stole from an air force base a
computer access card, which he then sold through the mail. 




* Finally, a sniffer was introduced into computers of NASA's Goddard Space
Flight Center, permitting someone to download a large volume of complex
calibration telemetry calculations transmitted from satellites. The sniffer
remained undetected for an unprecedented length of time. 




These are just some examples of the cases we've already seen. But they
should convey to you the urgency of the situation. 


Now, some of my colleagues in government think it's best not to discuss
such cases, or to speculate about possible terrorist cyber attacks,
publicly, for fear of inspiring would-be terrorists to carry out just the
sort of attacks we're concerned about. But I think keeping quiet about the
problem is the wrong approach. Silence will not appreciably lessen the
probability of an attack. We must take it as a given that someone is
already scheming. 


Instead, our main concern should be to get our own house in order and begin
constructing our defenses. This means, first and foremost, that we need to
raise people's consciousness -- both within the government and in the
relevant sectors of industry. This requires that we talk about the threat
and how to combat it. That is why this conference is so valuable. Second,
it means we have to figure out how to organize ourselves within
government, and in the private sector, to fight the threat.


While the Justice Department is designated as the lead agency for fighting
terrorism in the U.S., we do not look at the cyber-threat solely as a
subset of terrorism. The potential sources of attack are simply too varied.
It would be self-defeating to concentrate on protecting against terrorist
attacks, but to ignore the problem of hackers, foreign espionage agents or
organized crime groups. Yet, despite the breadth of the problem, right now,
there is no single agency, no focal point within the government responsible
for protecting against such attacks. In fact, at last count there were some 22
agencies and task forces that thought they had responsibility for some
segment of this problem. Similarly, while many individual companies have
taken steps to secure their information systems, very few industries have
begun considering this problem on an industry-wide scale. But clearly this
problem begs for a comprehensive approach that involves both industry and
government in a cooperative effort. 


So, what needs to be done? Let me set out a roadmap for you, and identify
in particular where I think help from industry is critical. 


First, we have to identify our vulnerabilities. This means identifying
those components of government and the private sector that, if attacked,
would result in the greatest harm to society, on a regional or national
scale. These are what we have begun calling "critical national
infrastructures." We currently break those infrastructures into roughly
eight categories: telecommunications; electrical power systems;
transportation; water supply systems; emergency services (including
medical, police and fire and rescue services); and continuity of government
and government operations. 


We already have a foundation for this effort. Both the Defense Department
and the FBI have what they call key asset programs, which consist of
databases identifying key assets within each category of critical
infrastructures, and containing vulnerability information and emergency
points of contact for each key asset. 


Until now, however, both of these programs have focused on vulnerabilities
to physical attack. DOD and FBI have already set out to broaden the focus
of these programs to include vulnerabilities to cyber-attacks and to
coordinate the two databases. In expanding into the cyber area, we will
need a lot of cooperation from industry, a willingness to share information
with us (on a confidential basis) and to work jointly with us in
determining vulnerabilities. 


The second thing we need to do is identify the scope and sources of the
threat. Again, the defense and intelligence communities have been concerned
with identifying military and espionage threats in this field. But there has
been very little effort to assess comprehensively the full range of cyber
threats to our infrastructures: who poses a threat? What are their
capabilities? What have they done in the past? What are their intentions? 


This will require a joint effort by the defense, intelligence, and law
enforcement communities, combining their data and doing joint analyses. But
it will also require cooperation by industry. No analysis can be complete
without information about what attacks industry has already experienced,
and by whom. 


On this point, let me say that under-reporting of computer crimes has been
a major problem in getting a handle on the nature and scope of the threat.
There are two principal reasons for this under-reporting. First, many
victims don't even know they are victims. Let me give you one example. The
Justice Department handled a case in 1992 involving a hacker intrusion into
Boeing's supercomputer center in Seattle. The hacker downloaded encrypted
password files and used Boeing's computers to run hacker and cracker
programs. To its great credit, Boeing reported the intrusion to the FBI and
partitioned its system to allow agents to trace the hackers to the source. 


In the course of the investigation, the FBI soon learned that the hackers
had gained access to the entire computer system serving the federal
district court in Seattle. In fact, he had obtained the passwords of both
the system administrator and a federal judge, forcing the courthouse system
to close for a day. Yet, without Boeing's call to law enforcement, the
federal court administrator would not have known that an intruder had
acquired unfettered access to the court's computers. 


A second reason for under-reporting is the collateral consequences of
reporting. To put it bluntly, there may be a lot of explaining to do -- to
managers, customers, regulators, or the public. If it is your job to secure
a company's information systems, how eager will you be to confess to people
that your defenses didn't work? Banks are a prime example. If you are
Citibank, you may be loath to reveal to depositors that their accounts may
be vulnerable to electronic theft. Similarly, a telecommunications carrier
may not want to publicize that its customers' conversations have been
accessed by so-called "phone phreakers." 


The extent of under-reporting is illustrated by some statistics compiled by
DISA. As many of you probably know, DISA tests the security of DOD computer
systems by having its tiger teams "attack" the computers using standard
hacker methods and tools. Over the course of this program, DISA has
accumulated some telling statistics. At last count, DISA tiger teams had
successfully penetrated 88% of the computer systems they attacked. More
startling, system administrators at the successfully attacked sites only
detected 4% of these penetrations. And of the 4 percent who discovered the
intrusion, only 5 percent reported it! If you do the math, you'll see that
of the 10,000 machines attacked, 8,800 were penetrated, only 352 discovered
it, and only 18 reported it. Or put another way, for each report of a
computer intrusion, there were 490 others that went unreported. 


The final step, and probably the most difficult, is to figure out how to
organize ourselves to address the problem. Again, I believe it is a mistake
to think about this problem in compartments: that is, for DOD as a military
problem; for Justice and FBI as a terrorism problem; for the CIA and NSA as
an espionage problem and for private industry as a white-collar crime
problem. The threat is too varied, and the problems too overlapping, to
permit such a fragmented approach. We clearly need one focal point in the
government to take the lead in addressing this issue comprehensively -- to
develop national policy, coordinate the necessary other agencies, and with
industry on developing solutions. We need the equivalent of the "Manhattan
Project" to address the technological issues and to help us harden our
infrastructures against attack. It might be that we can just designate an
existing agency to take the lead. Or we may need a new agency or some
interagency body to perform the task. But some centralized entity is direly
needed to push this effort along. 


Most importantly, though, whatever we decide to do within the government, we
need to enlist the private sector to join in this cooperative venture --
not just in assessing vulnerabilities and threats, but in devising and
implementing solutions. Simply put, without the participation of the
private sector, any effort is bound to come up short. 


There are several reasons for this. First, at the most basic level, most
components of the national information infrastructure, as well as the
critical industries and institutions that depend on the NII, are in private
hands. This means that, absent statutory authority to regulate a particular
industry, the government has limited ability to require private companies
to take protective measures; it can merely advise industry and urge it to
"do the right thing." And even if government convinces industry to take
protective measures, there remains the knotty question of who will pay for
such measures (or for restoration of service after an attack). Although
private companies have an obvious financial incentive to take steps to
reduce thefts, it is less clear that they are willing to incur the costs
necessary to protect their plants or information systems against a purely
malicious or terrorist attack. These are issues that need to be worked out
by industry and government together. 


Second, private sector involvement in crafting and implementing solutions
is needed in order to engender the trust in government that will be
necessary to implement any solution. Few people question the need for a
government role, at some level, in protecting the physical plant of the
nation's critical infrastructures. But the same cannot be said in the
information technology arena. The notion of government involvement in this
area immediately raises concerns about privacy, economic competitiveness,
and protection of proprietary information. The raging debate over the
government's encryption policy is just one example. These concerns are not
easily reconciled with the interests in national security and law
enforcement; but to ignore them would render any effort futile. 


We are currently trying to come up with a framework for addressing all
these issues. No decisions have been made yet, so I cannot report to you on
precisely where we are headed. But I do know that, in the very near future,
we will be reaching out to critical industries to get them integrally
involved in the process. I ask you to join us in this vital effort; to sit
down with us and share your concerns, your ideas, your skill and expertise,
and your energy; and to work with us to begin addressing this problem. 


There are many skeptics who say that we will have to endure the electronic
equivalent of Pearl Harbor or Oklahoma City before the key players in
government or industry wake up to the problem of protecting our information
and other critical infrastructures from the new cyber threats. The fact
that the Olin Foundation and the Air Force are holding this conference,
however, and have succeeded in getting such a diverse and high-level group
of participants disproves this pessimistic view. 


But we cannot stop here. It is not enough to identify the problem and to
talk about it. After this conference, we need to begin taking action. So I
ask you to join us in taking those next steps. We need to educate industry
about the problem, determine its scope, and create a joint approach to
developing solutions. If we in government begin to pause or stumble, prod
us or help us up. There will be much resistance along the way; but given
the importance of the issue, inaction would be intolerable. 


Thank you. 

