STATEMENT OF
GLENN K. DAVIDSON
EXECUTIVE VICE PRESIDENT
OF THE COMPUTER & COMMUNICATIONS INDUSTRY ASSOCIATION
TO THE
SUBCOMMITTEE ON TECHNOLOGY OF THE COMMITTEE ON SCIENCE
U.S. HOUSE OF REPRESENTATIVES
ON
THE REPORT AND RECOMMENDATIONS OF
THE PRESIDENT'S COMMISSION ON CRITICAL INFRASTRUCTURE PROTECTION
NOVEMBER 6, 1997
Chairwoman Morella, Ranking Member Gordon, Members of the Subcommittee;
I am Glenn Davidson, Executive Vice President of CCIA, the Computer &
Communications Industry Association. Thank you for the privilege and honor
of appearing before you today to discuss the work and recommendations of the
President's Commission on Critical Infrastructure Protection.
CCIA, as you may know, is an association of computer and communications
companies, including hardware manufacturers, software developers,
communications equipment manufacturers, telecommunications and online service
providers, systems integrators, third-party vendors, and others.
We have followed closely the work of the Commission since its establishment
in July of 1996 and, at times, have had occasion to exchange ideas with the
Commission. In fact, its former chairman, the distinguished Tom Marsh, spoke
at a meeting of the Association last June.
Let me say, right from the start that we, at CCIA, fully understand and
identify with the need to guard against any attacks capable of disabling our
Nation's first-rate infrastructure – systems absolutely vital to the normal
functioning of our government and economy. We recognize that in today's
information age, such attacks can be more than just physical, and that the
dangers of "techno-terrorism" are real.
But we understand neither the basis for the Commission's sweeping
recommendations nor the reason its work and report are shrouded in secrecy
-- especially when the Commission readily admits it has no evidence of an
imminent cyber threat. In the report's transmittal letter, General Marsh
says, and I quote, "We found no evidence of an impending cyber attack which
would have a debilitating effect on the nation's critical infrastructures."
Why is it that the National Research Council can make some very important
decisions concerning information security -- in its report on cryptography --
without its work or report being classified? Why is the Commission hiding
behind the mantle of classified information?
Allow me to suggest that if the public, generally, and industry,
specifically, are to accept the Commission's recommendations --
recommendations calling for public awareness and education, information
sharing, legal reforms, and the development and deployment of potentially
quite costly cyber-threat counter-measures -- then it must provide more than
anecdotal evidence. It must come forward with its threat assessment so it
may be discussed, debated, and understood by the public.
Allow me now to turn to the Commission's report and the recommendations we
have concerns about.
Encryption
The report calls for the immediate and universal implementation of various
protection tools – including firewalls, password controls, authentication
mechanisms and action logs – to guard against cyber attacks. On this we
couldn't agree more.
However, the report fails to advocate the use of the strongest available
encryption, perhaps the most effective means for individuals and companies to
secure communications and protect digital files against fraud, white-collar
crime, economic espionage, and even terrorism.
Despite its 178-page length, the report devotes nary a page to the subject of
encryption. It states, on page 74, that the "establishment of trustworthy
key management infrastructures is the only way to enable encryption on a
large scale and must include the development of appropriate standards for
interoperability on a global scale." Call it what you will ... key
management, key recovery or key escrow, but industry will tell you that such
a system cannot work on a large scale. Just ask the National Research
Council, which came to the same conclusion.
Later, the report urges the Administration to "... promote efforts to plan
for the implementation of a KMI [or key management infrastructure] that
supports lawful key recovery on an international basis." We already know
that international adoption of key recovery will not happen, as the OECD
rejected the Administration's proposal earlier this year.
So, why does the government continue to push key recovery? Is the
government looking for an electronic trap-door to our information networks?
Cost Burden
The report also calls for the "development and deployment of ways to prevent
attacks, mitigate damage, quickly recover services and eventually
reconstitute infrastructure." However, there is no discussion about who will
bear the cost of doing this. Is government going to pay for "ruggedizing"
our critical infrastructures to suit its national security and law
enforcement objectives? Or are the providers and users going to be the ones
that pay?
Even before the report was submitted, it was clear which way the Commission
was leaning on this subject – it assumed that industry would have to pick up
most of the tab. At a September 24 briefing he had in New York for banking
and securities industry technologists, General Marsh stated that "some of the
recommendations might be too costly for industry alone." He added: "At a
minimum, therefore, we assume joint financing by government and industry."
We, in industry, have long understood the need for information security and
network reliability. Providers and operators of public-switched networks
have long established redundant networks in the event of natural and even
man-made catastrophes. And providers of private-switched networks have done
much the same – at the request or insistence of their clients. We have also
developed and utilized firewalls, password control, encryption technology and
other security tools to protect the integrity of our systems.
However, if our Nation's security and law enforcement agencies desire a
higher level of security and reliability of our systems and networks, then
they should be the ones to pay for it. The cost of the difference between
what we provide our customers and what the government wants should be borne
by the government.
It is here that I must take issue with an underlying premise of the report.
In its Foreword, the report says that the "National defense is no longer the
exclusive preserve of government ...." I ask you: Since when is the
Nation's defense the responsibility ... in full or in part ... of the
business community?
Later, on page 19, the report goes on to say that "Shared threats demand a
shared response, built from increased partnership between government and the
owners and operators of our infrastructure." For me, the phrase "shared
response" is code for: You, too, are going to pay!
CCIA believes that requiring American industry to bear the cost of building
such super-rugged infrastructure security upgrades would constitute an
excessive financial burden that would blunt the competitive edge of American
industry.
Information Sharing
The report calls for industry to share information – with each other as well
as with the government – about the vulnerabilities of our infrastructures,
and even about incidents of penetration.
While we, at CCIA, are not opposed in principle to sharing such information,
it's putting this principle into practice that concerns us. Somehow, I doubt
the sharing of information between government and industry would be two-way.
If the government purposefully or inadvertently released information about
network vulnerabilities and security breaches, clients and customers could
sue providers and operators for damages, claiming that these firms knew that
vulnerabilities existed and insufficient steps were taken to prevent them.
We, in industry, would need protection from such frivolous lawsuits.
Furthermore, if a major foreign partner cannot be assured of confidentiality
in certain important dealings with an American partner – in other words, if
such dealings are an open book to the U.S. Government – nothing prevents that
major client from turning to a Japanese corporation that can keep its secrets
secret. In today's global economy, these concerns are not hypothetical –
they are real.
The Commission also recommends the modification of our Nation's antitrust
laws, so that companies would be free to share information with each other
and our government. To my knowledge, industry is not asking for safe harbor
from our antitrust laws. Allow me to suggest that were it not for the U.S.
government's vigorous enforcement of our antitrust laws, the dynamic,
innovative, entrepreneurial and competitive computer and communications
industry that we know today – and enjoy the fruits thereof – would not even
exist. Our laws are certainly flexible enough to allow for some information
exchanges for mutually beneficial purposes.
Legal Initiatives
The report makes broad-brush reference to changes in other laws. Such
changes, it argues, would be necessary to protect our infrastructure. Well,
candidly, some of the envisioned changes bother us.
On page 98, the report calls for sponsoring "legislative activities leading
to a finding that certain critical infrastructures are instrumentalities of
interstate commerce." If this means federal regulation of the Internet and
the World Wide Web, we must object.
Organizing the "Partnership"
The report also discusses the need to create a national infrastructure
organizational structure to develop industry cooperation and information
sharing. In discussing the roles of various new "infrastructure-related
organizations," the report, on page 49, suggests that "Sectors' Lead Agencies
would be charged with drafting new legislation and regulations as required
and propose the use of federal incentives to facilitate private investment in
assurance programs." I ask you, is this the beginning of a new regulatory
structure and establishment of agencies that will dictate to industry what
information it must provide and what it must do to protect infrastructures
from attack?
Conclusion
I will conclude by suggesting that we address this matter at a slower, more
reasoned pace. Let's release the Commission's full report and allow it to be
publicly discussed and debated. If General Marsh really wants to see
"buy-in" from all sectors, as the report suggests on page 65, then the
American people need and deserve to understand the threat assessment so they
may appreciate and accommodate the changes in actions that are envisioned
here.
And let's allow our Nation's fundamental principles of individual and
economic liberties dictate how and where we proceed.
We can protect the complex infrastructures that we are all so proud of,
without doing anything that can impose debilitating strictures on American
corporations.
Thank you very much for your time.
November 4, 1997
The Honorable Constance A. Morella
Chairwoman, Subcommittee on Technology
Committee on Science
U.S. House of Representatives
Rayburn House Office Building, Room 2320
Washington, D.C. 20515-6301
Dear Chairwoman Morella:
To the best of my knowledge, the Computer & Communications Industry
Association -- the organization with which I am affiliated and on whose
behalf I am appearing before your committee on Thursday, November 6 -- has
neither received a grant nor a contract from the federal government during
the past two fiscal years.
Sincerely,
(original is signed)
Glenn K. Davidson
Executive Vice President
Biographical Sketch of Glenn K. Davidson
Glenn K. Davidson is Executive Vice President, Chief Operating Officer, and
Corporate Secretary for the Computer & Communications Industry Association.
Better known as CCIA, the association’s membership includes computer
hardware manufacturers, software developers, communications equipment
manufacturers, telecommunications and on-line service providers, re-sellers,
systems integrators, and other firms in related business ventures. These
firms are represented in the Association by their most senior corporate
officials. (For more information about CCIA, please consult its Web site at
http://www.ccianet.org.)
Mr. Davidson first joined CCIA in 1985, but left in 1990 to work in the
Administration of then-Virginia Governor L. Douglas Wilder. He served
successively as the Governor’s representative in Washington, D.C., as
Director of the Virginia Liaison Office; as his press secretary and
communications director; and finally as his chief of staff and transition
director. Mr. Davidson returned to CCIA in 1995.
Prior to joining CCIA, Mr. Davidson was employed by a professional services
firm, providing strategic planning and analysis support to such diverse
clients as the Gas Research Institute and the U.S. Departments of Defense and
Energy. He also worked as an aide to several Congressmen and a Congressional
Committee.
Mr. Davidson earned a bachelor’s degree in international studies from The
American University as well as a master’s degree in science, technology and
public policy from George Washington University.