13 October 1998
Source: http://www.access.gpo.gov/su_docs/aces/aaces002.html

-----------------------------------------------------------------------

[Congressional Record: October 12, 1998 (Senate)]
[Page S12359-S12362]
From the Congressional Record Online via GPO Access [wais.access.gpo.gov]
[DOCID:cr12oc98-142]


              NATIONAL SECURITY AND INFORMATION TECHNOLOGY

  Mr. KERREY. Mr. President, in the last 15 years America has been
invaded by what has been known as information technology. Like the body
snatchers of ``Alien'' that penetrated deep into the human body,
computers and communication technologies have penetrated deep into our
lives. Unfortunately, the ``Alien'' metaphor may not be apt since for
the most part we have invited this force into our homes.
  We invited these technologies into our homes and our businesses
because they allowed us to do things faster, to do things better and to
do things cheaper. Among other things these technologies have reduced
the cost of running a home, made our businesses more competitive,
opened new markets by bringing buyers and sellers closer together, and
expanded the horizons of our students not to mention adding
entertainment value to our lives.
  The good news of computer and associated communication technology
have been offset by our growing dependence. To see how much we are
dependent one need only look at the high level of concern surrounding
the Y2K problem. Computer software is written so that at a second after
midnight on January 1, 2000, while hundreds of millions of humans will
be celebrating the end of an old millennium and the beginning of a new,
our computers will act as if it is January 1, 1900. To the machines
this will be the equivalent of day light saving century.
  To some this is the beginning of a humorous and good news story: No
income tax, a chance to correct the terrible mistakes of the past 100
years, and so forth. However, for those who operate our banking,
emergency response, air traffic control, and power systems this will be
nothing to laugh at. So dire are the predictions of some who understand
how dependent on computers and software we have become that they talk
as though they are storing up food and medical supplies just in case.
  None of this would have happened if the century had ended 20 years
earlier because computers, chips, and microprocessors were not yet
running things. Twenty years ago I was hearing people tell me about how
computers were

[[Page S12360]]

going to change the world. It would be 5 more years before I had my
first personal computer: an Apple IIE. In 1983 portable computers were
available to those with strong backs or a fork lift. E-mail was in its
infancy. The internet was 10 years away from its grand opening to the
public. Software was built into mainframes and was available to those
who knew how to navigate the procession of prompts and confusing signs.
Speed was a snail's pace. Capacity was like a rain drop in the desert.
  Mr. President, what happened in the past 20 years is that we were
thirsty for the things a computer could do for us. Rapid and accurate
calculations enabled even small businesses to get costs under control.
Personal computers empowered us. Desk tops enabled us.
  Lap tops liberated. Decision making - once driven from the top down
by men and women with MBA degrees--has been distributed outward and
downward.
  Mr. President, now, any PC or Macintosh with average speed and power
with state of the art connectivity makes its user a publisher,
broadcaster, editor, opinion maker, and analyst of large amounts of
previously confusing data.
  Advances in computer and telecommunications technology have spurred
change and growth in our economy. These changes have generated wealth
and jobs by creating new businesses and destroying old ones. Market
oriented businesses have had to adjust or perish. Public institutions,
because of the nature of democracy--in other words, Majority rules but
narrow interests win elections--have been changing much more slowly.
  Slowly but surely the work of transferring knowledge from a teacher
to a student is being done with the assistance of computers, software,
and new systems where new skills are needed.
  The vision of this 1998 IRS Restructuring and Reform Act is that this
agency will move from a paper to an electronic world. The National
Imaging and Mapping Agency--a consolidated combat support agency--will
in a few years talk about maps as those things we used in the good old
days back when dinosaurs roamed the Earth.
  In fact, nowhere are the changes of the computer age more pronounced
than in our military and intelligence gathering forces, which is what I
choose to discuss on the floor today. Computers and communication
technologies have made America's fighting forces stronger and more
effective. We should be proud of the men and women who have trained and
prepared themselves to take advantage of these new tools.
  However, we also need to be alert to a hard truth: With strength
comes vulnerabilities. Just as Achilles was held by his heel as he was
dipped in the potion that made him unbeatable, we need to be alert to
those small spaces where a determined enemy could do us great harm.
  If we are to maintain our economic success and provide the security
our citizens expect and deserve, we must as a nation turn to address
our weaknesses.
  The ability of people to use information technology to reach into our
homes and to amass vast amounts of personal data threatens our sense of
privacy. The omnipresence of this technology has caused our society to
develop a dependency on silicon chips and the wires that connect them.
And, the connectivity that now brings us so many benefits may also be a
vulnerability that nations and terrorists could use to threaten our
security.
  We have been blessed by our dominance in high-technology industries
and in our society's acceptance of new information technology.
Information systems are the backbone of America's telecommunications
and electrical power grids, banking and finance systems, our
transportation systems, broadcast and cable industries, and many other
businesses besides. They have helped American workers become more
productive, have brought new efficiencies in the use and distribution
of resources, and have helped our Nation grow to be the most advanced
and competitive economy in the world.
  We owe a large part of that success to the ingenuity, perseverance,
and vision of America's information technology companies and their
employees. The story of how computer companies started in garages can
grow into multibillion dollar corporations is almost legendary. An
industry virtually non-existent twenty five years ago has brought
enormous wealth and opportunity to thousands of Americans.
  Mr. President, information technology has transformed our Nation's
economy, and, as we enter into the 21st century, our Nation's
livelihood will depend on continued development of this industry. But
the wonder of this technology is how its success has brought
extraordinary changes to other aspects of our lives.
  Modern information technologies provide us with unheard-of
opportunities in education, business, health care, and other life-
enriching areas. Information technology empowers people to continue
their educations and upgrade their skills throughout life. Education no
longer ends at the schoolhouse door. In addition, new technologies are
extending lifesaving medical care to remote rural areas and promoting
healthy communities across the country. These new avenues to
information better inform our electorate, and the improved means of
communication make it far easier for individual citizens to express
their views to the general public and to their elected representatives.
  In combination, these technological benefits allow people--both young
and old--to develop new skills, explore new interests, and improve
their lives.
  America's technological strength is the envy of nations around the
globe. But that strength, if not understood and protected, may also be
our Achilles' heel.
  We have been blessed this year with a number of warnings about this
grave and far-reaching threat. We have been blessed with warnings about
the interdependence of our information infrastructures, the
interlocking network that can make local hospitals and airports victims
just as easily as multinational corporations and media conglomerates.
We need to heed the warning and respond to this danger.
  Just a few weeks ago, the media reported that the electronic mail
programs the vast majority of Americans use had vital, hidden flaws.
  Simply opening an e-mail message could unleash a malicious virus and
allow that virus to freeze your computer, steal data, or erase your
hard drive. I realize there are some people in the United States--many
of them here in the Senate--who still do not use e-mail. But our
society today relies upon electronic mail for use in Government and
commercial communications, for business management and project
coordination, and personal entertainment and missives. A malicious
person could potentially have used these flaws to blackmail people or
companies, to disrupt Government and commercial activity, or to
sabotage civilian or military databases.
  Just a few months ago, one satellite orbiting more than 22,000 miles
above the state of Kansas began tumbling out of control. It was the
worst outage in the history of satellites. By conservative estimates,
more than 35 million people lost the use of their pagers, including
everyone from school children and repairmen to doctors, nurses, and
other emergency personnel.
  All of that was the result of one small computer on a satellite
22,000 miles into outer space.
  Earlier this year, we were in the middle of a very tense standoff
with Saddam Hussein. And we were able to track an attack on the
Pentagon's computer system to a site in the Middle East, in the United
Arab Emirates. There was a legitimate question at the time: Was this an
act of war? Was it a terrorist? Or was it, as it turned out to be,
teenage hackers inappropriately and illegally using their home
computers? The implications of an effective attack against our
military's information systems would be devastating during a time of
crisis. This attack failed, but will we be as fortunate in the future?
  I do not think these incidents are a statement about software
companies, the satellite industry, or teenage computer aficionados.
  These incidents are a warning--loud, clear, and wide--about the
dependence of the American economy and the American people on
information technology. Our use of information technology has helped us
achieve and maintain our status as the world's strongest

[[Page S12361]]

nation. But our dependence on information technology also brings
exploitable weaknesses that, like the Lilliputians to the giant
Gulliver, may enable our weaker adversaries to cause great damage to
our nation.
  In Jonathan Swift's tale, the Lilliputians used their mastery of
mathematics and technology to defeat their much more powerful adversary
Gulliver. Today, weaker adversaries may use their mastery of
information technology to invade our privacy, steal from our companies,
and threaten our security.
  The revolution in Information Technology has propelled the United
States to an unparalleled position in the global economy. The
principles of freedom and democracy that we champion are ascendant
throughout the world.
  We have the world's largest economy, and we trade more than any other
nation. Our military strength, in conventional and nuclear terms, is
greater than that of any other nation. In short, we are the sole
remaining superpower in the world.
  And yet, we still find ourselves vulnerable to individuals or
groups--terrorists, criminals, saboteurs--who have a fraction of the
manpower, weaponry, or resources we possess. In many ways, we are a
technological Gulliver. America's massive shift toward an economy that
is based on information technology has been a mixed blessing. Because
we have the most complex, multifaceted economy, we are a multifaceted
target.
  And our strategic vulnerability has risen hand-in-hand with our
economic power. Like the Lilliputians, there are people who have used
the principles of mathematics and science to master technology.
  They are so small in scale compared to the threats that we usually
see that we have to strain our eyes just to identify them and figure
out what they are doing. Gulliver, if you recall, did not win his
freedom with a single act or weapon. He used a combination of things:
sometimes he used his power, sometimes he used wit, and he learned from
his experience how to deal with his adversaries.
  Mr. President, Congress urgently needs to establish a bipartisan
agenda designed to create more economic opportunities in technology and
to close our vulnerabilities. The following is my attempt to suggest
what is needed:
  1. We need more competition, not less. Congress passed the
Telecommunications Act of 1996 with the hopes of increasing competition
and improving access to communications technologies. Unfortunately,
competition has not developed on the scale anticipated when the Act was
passed.
  Nearly 3 years after the Act, most telecommunications customers lack
the ability to simply switch telephone companies. In 1999 I hope
Congress will make changes in the law needed to bring the benefits of
competition - lower prices and higher quality - to the American
household.
  2. We need a special effort to make technology a part of our
educational system. More money should be appropriate for research and
training. Regulations need to be written so the market can offer
curricula-relevant courses to students in the home and school. We need
to settle the disputes surrounding the E-Rate so our school boards can
plan and budget accordingly.
  3. We need bipartisan agreement on how to protect privacy and
security. The encryption debate has hobbled our efforts to write laws
that enable our law enforcement and national security agencies to carry
out their mission of keeping Americans safe while harnessing the power
of the market to increase security and privacy.
  Any discussion of security on-line must inevitably involve encryption
issues. Over the past five years, the debate over encryption policy has
pitted law enforcement, national security, privacy, and commercial
interests against one another. Yet, all these interests would agree
that providing security in our public networks is essential to fully
exploit the potential of information technology.
  Personal privacy in the digital world should not suffer at the hand
of unreasonable export laws. Therefore, Congress should take action in
the coming year to remove export restrictions on encryption products of
any strength. I am confident that through cooperation between
Government and industry, encryption can be exported without
compromising the legitimate needs of law enforcement and national
security. A compromise can be crafted if all parties, both private and
public, are willing to work together to solve the common goal of
maintaining America's national security in the new digital age.
  4. We should create in law a panel consisting of members of Congress,
Administration officials, and leaders in high-technology industries to
address the implications of information technology on our society and
our security. We should also create a new national laboratory for
information technology that will both perform research in this field
and serve as a forum for further discussions of the issues arising from
information technology.
  Mr. President, it is this fourth idea--a new panel and a new
laboratory--that I would like to discuss today. Why do we need this?
  We need this, for starters, because the new threat of information
warfare requires a new paradigm in which the military must rely like
never before on other organizations and institutions to achieve
success.
  Even if all of the information safeguards for the Defense
Department's data, equipment, and operations were airtight, that would
not be adequate. Currently, more than 95% of all wide-area defense
telecommunications travel on commercial circuits and networks. And it
would be impossible to replicate that type of capability on our own.
  Should an electronic attack come, it will likely not be aimed just at
military targets, but at civilian sectors as well. It is not simply
that the private sector relies on the military. The military relies on
the private sector.
  That is one reason we as a government cannot afford to ignore the
defense of the public and private sector infrastructure: We cannot do
our most basic job--protecting national security--without that.
  In this new world of technology, if one of us gets tripped, we all
risk a fall.
  Our Government, as it is now organized, can scarcely cope with these
new challenges. We need to address the development and vulnerability of
the American information infrastructure now. The regulatory frameworks
established over the past 60 years for telecommunication, radio and
television may not, in fact, most likely will not, fit the Information
Economy. Existing laws and regulations should be reviewed and revised
or eliminated to reflect the needs of the new electronic age.
  As a government, we need to reassess the areas of responsibility of
our different parts, and the lines of authority that connect them, to
ensure we are best organized to face this threat.
  More than two dozen federal agencies have either jurisdiction or a
direct interest in the regulation of information technology as it
applies to national security or electronic commerce. The Congress is no
better off. In Congress, some 19 committees are responsible for
legislation on the same issues.
  The Government has much to offer, through our understanding of
security concepts and technology, along with the vulnerabilities of
information technology and systems. We are strongly committed to share
this knowledge with the private sector. Such partnerships are crucial,
but there are some pitfalls, and we will need to build a balanced
approach. For example: We have to be careful not to give the impression
that Government wants to increase its involvement in the day-to-day
operations of individual businesses.
  This is not at all the case, and few things will drive the private
sector away like the potential for more Government intrusion and
regulation.
  ``Government Knows Best'' is not the message we want to send.
  As a general principle, Government should step in only when problems
exceed the capabilities of the private sector and the remedies of the
marketplace. However, in cases where there are no reasonable business
reasons for companies to make preparations, such as to counter a
coordinated, simultaneous attack against multiple infrastructures, then
Government should be prepared to provide economic incentives and
support.
  A natural market exists for security and, ultimately, that will be
our best course of action: a solution that combines the entrepreneurial
strength and energy of the private sector with the national mission of
the Government.

[[Page S12362]]

  One cannot overstate how important it is to get the Government-
industry relationships right, because without them as a foundation, the
value of all other efforts will be significantly diminished. A
fundamental challenge in many cases is getting information about
vulnerabilities and threats itself, and this simply cannot be done
without the foundation of public-private sector information sharing. We
cannot solve this by unilateral Government efforts. We have to move
together to solve it.
  Mr. President, it is no surprise that both the Government and private
sector are finding this difficult and complicated and frustrating. To
combat cyber attacks--whether by terrorists, spies, disgruntled
employees, pranksters--one needs both technical sophistication and
cooperation among numerous companies, agencies and nations.
  It is going to be imperative for the protection of our information
infrastructure that the private sector, national security officials,
and law enforcement work together--not just on this issue, but on
issues for the future.
  Many fear these discussions would lead to Government intrusiveness
and abuse of power. Americans have always had a healthy skepticism
towards Government power and our Constitution sets strict limits on
what Government can and cannot do. We are a strong and vibrant nation
directly because we enjoy rights of free speech, free assembly, and
against unreasonable searches and seizures. Information technology can
allow us greater exercise of those rights. When we examine the security
of information technology, these rights must remain our guiding
principles, and our Government policies should reflect them.
  We must get past the suspicion between the private sector and
Government and move forward. The information infrastructure is vital to
America's defense and to America's economy and we cannot preserve one
without protecting the other.
  Here we need two things: First, we need a mechanism that transcends
narrow organizational politics to bring consensus; and, secondly, we
need a facility for advanced research into information technology
protection that also provides a venue for constructive and ongoing
dialog with industry, the Government, and academia.
  I believe Congress should act as soon as possible to create a blue-
ribbon panel of top federal officials, key leaders from Capitol Hill,
and experts from the high-technology field to address the issues of
information assurance, infrastructure protection, and encryption that
cut across committee lines. We need to have a panel that can speak with
authority on both politics and policy.
  From the White House, we need to see a commitment of time, attention,
and resources at the highest levels.
  Cabinet officers need to play an active role in shaping the solutions
that are going to emerge from such a panel. These issues are
complicated and they have far-reaching implications, so at the end of
the day we need to have leaders in their respective areas--Cabinet and
Cabinet-level officials--who are prepared to forge the necessary
compromises and make the case to industry and to the public. Congress
needs to take a similarly pragmatic approach. Committee chairpersons,
with their expertise in different areas and institutional memory, need
to be on this panel and give it all the attention they would a piece of
legislation. But in addition we need to acknowledge the politically
charged nature of these issues and be prepared to deal with them. So I
propose that we not only have representatives by issue area, but
representatives who are designated to speak for each major faction in
the Congress: a representative of the majority in the Senate, and one
for the House, a representative of the minority in the Senate, and one
for the House, and representatives of the legislative caucuses that
have an interest.
  Clearly Government cannot do this alone. We need the perspective, the
insight, and the vision of experts who are part of the developments in
the information technology field and who can predict on the basis of
that experience where technology is going. We need their expertise and
a willingness to work with their government, for otherwise this problem
will only grow worse. The panel I envision must therefore have a strong
component of private sector experts devoted both to the advancement of
technology and to the security of our country.
  The complement to this Congressional panel should be a forum where
Government, industry, and academic officials can work on these problems
in a systematic, confidential, and dispassionate way. I propose that we
learn from our experience and look to those models of industry-and-
Government cooperation that have worked in the past.
  We can learn from agencies like the National Safety Transportation
Board, DARPA, and other federally funded research and development
centers. Specifically, Congress should pass legislation that would
enable the President to create a new national laboratory and research
facility to address information infrastructure protection. The role and
mission of such an organization would be to target those specific areas
that are now suffering from sporadic, contradictory, or insufficient
attention.
  We must have a structure that can address the entire range of
national security planning and execution--in other words, threat
assessment and evaluation, development of requirements, R&D,
acquisition and procurement, development of strategy and the conduct of
operations across the entire spectrum, from large-scale conflict to
peacekeeping and operations other than war. But this center would also
help develop techniques, policies, and procedures to make civilian and
commercial information technologies secure.
  To accomplish that mission, the information technology laboratory
would have to: Support research and development by industry or
Government-industry consortiums that aims to protect our privacy,
shield our commercial interests, and defend our nation against
information technology threats; ensure that there is a secure conduit
for the exchange of information about security threats; provide a forum
for developing and managing responses and contingency plans, both
directly and in cooperation with a national command authority.
  The Information Technology Laboratory would be funded through annual
appropriations as a Federally Funded Research and Development Center.
But it should also be able to establish fee-based contracts with
agencies of federal, state, and local government as well as
universities for specific services so that budget costs could be kept
to a minimum.
  The Information Technology Laboratory could also contract with
private industry to do research and development, while taking special
precautions to protect the confidentiality of proprietary data or
information. The laboratory would also report annually to the
appropriate oversight committees in Congress and the President.
  In just four years from now, knowledge and information workers will
make up one third of all the workers in our multi-trillion dollar
economy. We can create a safe corridor for their passage to the next
century. Or we can continue to talk past each other while the
Information Superhighway attracts more and more robbers and frauds and
terrorists.
  We need to come to this task with a clear sense of purpose and full
understanding of the urgency involved. America has gained much from
information technology, and stands to gain much more as these systems
mature. Our future depends on the success of this technology.
  But that success and our security depend on finding the policies and
practices that will identify and correct vulnerabilities before they
are exploited. Together, I am certain we can address this problem. In a
noble but imperfect democracy such as ours, answers are not impossible,
they are only impending. I look forward to working with my colleagues
to face this challenge. I yield the floor.
  Mr. CRAIG addressed the Chair.
  The PRESIDING OFFICER. The Senator from Idaho is recognized.

                          ____________________
