NATIONAL SECURITY AND INFORMATION TECHNOLOGY (Senate - October 12, 1998)

[Page: S12359]

Mr. KERREY. Mr. President, in the last 15 years America has been invaded by what has been known as information technology. Like the body snatchers of `Alien' that penetrated deep into the human body, computers and communication technologies have penetrated deep into our lives. Unfortunately, the `Alien' metaphor may not be apt since for the most part we have invited this force into our homes.

We invited these technologies into our homes and our businesses because they allowed us to do things faster, to do things better and to do things cheaper. Among other things these technologies have reduced the cost of running a home, made our businesses more competitive, opened new markets by bringing buyers and sellers closer together, and expanded the horizons of our students not to mention adding entertainment value to our lives.

The good news of computer and associated communication technology have been offset by our growing dependence. To see how much we are dependent one need only look at the high level of concern surrounding the Y2K problem. Computer software is written so that at a second after midnight on January 1, 2000, while hundreds of millions of humans will be celebrating the end of an old millennium and the beginning of a new, our computers will act as if it is January 1, 1900. To the machines this will be the equivalent of day light saving century.

To some this is the beginning of a humorous and good news story: No income tax, a chance to correct the terrible mistakes of the past 100 years, and so forth. However, for those who operate our banking, emergency response, air traffic control, and power systems this will be nothing to laugh at. So dire are the predictions of some who understand how dependent on computers and software we have become that they talk as though they are storing up food and medical supplies just in case.

None of this would have happened if the century had ended 20 years earlier because computers, chips, and microprocessors were not yet running things. Twenty years ago I was hearing people tell me about how computers were going to change the world. It would be 5 more years before I had my first personal computer: an Apple IIE. In 1983 portable computers were available to those with strong backs or a fork lift. E-mail was in its infancy. The internet was 10 years away from its grand opening to the public. Software was built into mainframes and was available to those who knew how to navigate the procession of prompts and confusing signs. Speed was a snail's pace. Capacity was like a rain drop in the desert.

Mr. President, what happened in the past 20 years is that we were thirsty for the things a computer could do for us. Rapid and accurate calculations enabled even small businesses to get costs under control. Personal computers empowered us. Desk tops enabled us.

Lap tops liberated. Decision making - once driven from the top down by men and women with MBA degrees--has been distributed outward and downward.

Mr. President, now, any PC or Macintosh with average speed and power with state of the art connectivity makes its user a publisher, broadcaster, editor, opinion maker, and analyst of large amounts of previously confusing data.

Advances in computer and telecommunications technology have spurred change and growth in our economy. These changes have generated wealth and jobs by creating new businesses and destroying old ones. Market oriented businesses have had to adjust or perish. Public institutions, because of the nature of democracy--in other words, Majority rules but narrow interests win elections--have been changing much more slowly.

Slowly but surely the work of transferring knowledge from a teacher to a student is being done with the assistance of computers, software, and new systems where new skills are needed.

The vision of this 1998 IRS Restructuring and Reform Act is that this agency will move from a paper to an electronic world. The National Imaging and Mapping Agency--a consolidated combat support agency--will in a few years talk about maps as those things we used in the good old days back when dinosaurs roamed the Earth.

In fact, nowhere are the changes of the computer age more pronounced than in our military and intelligence gathering forces, which is what I choose to discuss on the floor today. Computers and communication technologies have made America's fighting forces stronger and more effective. We should be proud of the men and women who have trained and prepared themselves to take advantage of these new tools.

However, we also need to be alert to a hard truth: With strength comes vulnerabilities. Just as Achilles was held by his heel as he was dipped in the potion that made him unbeatable, we need to be alert to those small spaces where a determined enemy could do us great harm.

If we are to maintain our economic success and provide the security our citizens expect and deserve, we must as a nation turn to address our weaknesses.

The ability of people to use information technology to reach into our homes and to amass vast amounts of personal data threatens our sense of privacy. The omnipresence of this technology has caused our society to develop a dependency on silicon chips and the wires that connect them. And, the connectivity that now brings us so many benefits may also be a vulnerability that nations and terrorists could use to threaten our security.

We have been blessed by our dominance in high-technology industries and in our society's acceptance of new information technology. Information systems are the backbone of America's telecommunications and electrical power grids, banking and finance systems, our transportation systems, broadcast and cable industries, and many other businesses besides. They have helped American workers become more productive, have brought new efficiencies in the use and distribution of resources, and have helped our Nation grow to be the most advanced and competitive economy in the world.

We owe a large part of that success to the ingenuity, perseverance, and vision of America's information technology companies and their employees. The story of how computer companies started in garages can grow into multibillion dollar corporations is almost legendary. An industry virtually non-existent twenty five years ago has brought enormous wealth and opportunity to thousands of Americans.

Mr. President, information technology has transformed our Nation's economy, and, as we enter into the 21st century, our Nation's livelihood will depend on continued development of this industry. But the wonder of this technology is how its success has brought extraordinary changes to other aspects of our lives.

Modern information technologies provide us with unheard-of opportunities in education, business, health care, and other life-enriching areas. Information technology empowers people to continue their educations and upgrade their skills throughout life. Education no longer ends at the schoolhouse door. In addition, new technologies are extending lifesaving medical care to remote rural areas and promoting healthy communities across the country. These new avenues to information better inform our electorate, and the improved means of communication make it far easier for individual citizens to express their views to the general public and to their elected representatives.

In combination, these technological benefits allow people--both young and old--to develop new skills, explore new interests, and improve their lives.

America's technological strength is the envy of nations around the globe. But that strength, if not understood and protected, may also be our Achilles' heel.

We have been blessed this year with a number of warnings about this grave and far-reaching threat. We have been blessed with warnings about the interdependence of our information infrastructures, the interlocking network that can make local hospitals and airports victims just as easily as multinational corporations and media conglomerates. We need to heed the warning and respond to this danger.

Just a few weeks ago, the media reported that the electronic mail programs the vast majority of Americans use had vital, hidden flaws.

Simply opening an e-mail message could unleash a malicious virus and allow that virus to freeze your computer, steal data, or erase your hard drive. I realize there are some people in the United States--many of them here in the Senate--who still do not use e-mail. But our society today relies upon electronic mail for use in Government and commercial communications, for business management and project coordination, and personal entertainment and missives. A malicious person could potentially have used these flaws to blackmail people or companies, to disrupt Government and commercial activity, or to sabotage civilian or military databases.

Just a few months ago, one satellite orbiting more than 22,000 miles above the state of Kansas began tumbling out of control. It was the worst outage in the history of satellites. By conservative estimates, more than 35 million people lost the use of their pagers, including everyone from school children and repairmen to doctors, nurses, and other emergency personnel.

All of that was the result of one small computer on a satellite 22,000 miles into outer space.

Earlier this year, we were in the middle of a very tense standoff with Saddam Hussein. And we were able to track an attack on the Pentagon's computer system to a site in the Middle East, in the United Arab Emirates. There was a legitimate question at the time: Was this an act of war? Was it a terrorist? Or was it, as it turned out to be, teenage hackers inappropriately and illegally using their home computers? The implications of an effective attack against our military's information systems would be devastating during a time of crisis. This attack failed, but will we be as fortunate in the future?

I do not think these incidents are a statement about software companies, the satellite industry, or teenage computer aficionados.

These incidents are a warning--loud, clear, and wide--about the dependence of the American economy and the American people on information technology. Our use of information technology has helped us achieve and maintain our status as the world's strongest nation. But our dependence on information technology also brings exploitable weaknesses that, like the Lilliputians to the giant Gulliver, may enable our weaker adversaries to cause great damage to our nation.

In Jonathan Swift's tale, the Lilliputians used their mastery of mathematics and technology to defeat their much more powerful adversary Gulliver. Today, weaker adversaries may use their mastery of information technology to invade our privacy, steal from our companies, and threaten our security.

The revolution in Information Technology has propelled the United States to an unparalleled position in the global economy. The principles of freedom and democracy that we champion are ascendant throughout the world.

We have the world's largest economy, and we trade more than any other nation. Our military strength, in conventional and nuclear terms, is greater than that of any other nation. In short, we are the sole remaining superpower in the world.

And yet, we still find ourselves vulnerable to individuals or groups--terrorists, criminals, saboteurs--who have a fraction of the manpower, weaponry, or resources we possess. In many ways, we are a technological Gulliver. America's massive shift toward an economy that is based on information technology has been a mixed blessing. Because we have the most complex, multifaceted economy, we are a multifaceted target.

And our strategic vulnerability has risen hand-in-hand with our economic power. Like the Lilliputians, there are people who have used the principles of mathematics and science to master technology.

They are so small in scale compared to the threats that we usually see that we have to strain our eyes just to identify them and figure out what they are doing. Gulliver, if you recall, did not win his freedom with a single act or weapon. He used a combination of things: sometimes he used his power, sometimes he used wit, and he learned from his experience how to deal with his adversaries.

Mr. President, Congress urgently needs to establish a bipartisan agenda designed to create more economic opportunities in technology and to close our vulnerabilities. The following is my attempt to suggest what is needed:

1. We need more competition, not less. Congress passed the Telecommunications Act of 1996 with the hopes of increasing competition and improving access to communications technologies. Unfortunately, competition has not developed on the scale anticipated when the Act was passed.

Nearly 3 years after the Act, most telecommunications customers lack the ability to simply switch telephone companies. In 1999 I hope Congress will make changes in the law needed to bring the benefits of competition - lower prices and higher quality - to the American household.

2. We need a special effort to make technology a part of our educational system. More money should be appropriate for research and training. Regulations need to be written so the market can offer curricula-relevant courses to students in the home and school. We need to settle the disputes surrounding the E-Rate so our school boards can plan and budget accordingly.

3. We need bipartisan agreement on how to protect privacy and security. The encryption debate has hobbled our efforts to write laws that enable our law enforcement and national security agencies to carry out their mission of keeping Americans safe while harnessing the power of the market to increase security and privacy.

Any discussion of security on-line must inevitably involve encryption issues. Over the past five years, the debate over encryption policy has pitted law enforcement, national security, privacy, and commercial interests against one another. Yet, all these interests would agree that providing security in our public networks is essential to fully exploit the potential of information technology.

Personal privacy in the digital world should not suffer at the hand of unreasonable export laws. Therefore, Congress should take action in the coming year to remove export restrictions on encryption products of any strength. I am confident that through cooperation between Government and industry, encryption can be exported without compromising the legitimate needs of law enforcement and national security. A compromise can be crafted if all parties, both private and public, are willing to work together to solve the common goal of maintaining America's national security in the new digital age.

4. We should create in law a panel consisting of members of Congress, Administration officials, and leaders in high-technology industries to address the implications of information technology on our society and our security. We should also create a new national laboratory for information technology that will both perform research in this field and serve as a forum for further discussions of the issues arising from information technology.

Mr. President, it is this fourth idea--a new panel and a new laboratory--that I would like to discuss today. Why do we need this?

We need this, for starters, because the new threat of information warfare requires a new paradigm in which the military must rely like never before on other organizations and institutions to achieve success.

Even if all of the information safeguards for the Defense Department's data, equipment, and operations were airtight, that would not be adequate. Currently, more than 95% of all wide-area defense telecommunications travel on commercial circuits and networks. And it would be impossible to replicate that type of capability on our own.

Should an electronic attack come, it will likely not be aimed just at military targets, but at civilian sectors as well. It is not simply that the private sector relies on the military. The military relies on the private sector.

That is one reason we as a government cannot afford to ignore the defense of the public and private sector infrastructure: We cannot do our most basic job--protecting national security--without that.

In this new world of technology, if one of us gets tripped, we all risk a fall.

Our Government, as it is now organized, can scarcely cope with these new challenges. We need to address the development and vulnerability of the American information infrastructure now. The regulatory frameworks established over the past 60 years for telecommunication, radio and television may not, in fact, most likely will not, fit the Information Economy. Existing laws and regulations should be reviewed and revised or eliminated to reflect the needs of the new electronic age.

As a government, we need to reassess the areas of responsibility of our different parts, and the lines of authority that connect them, to ensure we are best organized to face this threat.

More than two dozen federal agencies have either jurisdiction or a direct interest in the regulation of information technology as it applies to national security or electronic commerce. The Congress is no better off. In Congress, some 19 committees are responsible for legislation on the same issues.

The Government has much to offer, through our understanding of security concepts and technology, along with the vulnerabilities of information technology and systems. We are strongly committed to share this knowledge with the private sector. Such partnerships are crucial, but there are some pitfalls, and we will need to build a balanced approach. For example: We have to be careful not to give the impression that Government wants to increase its involvement in the day-to-day operations of individual businesses.

This is not at all the case, and few things will drive the private sector away like the potential for more Government intrusion and regulation.

`Government Knows Best' is not the message we want to send.

As a general principle, Government should step in only when problems exceed the capabilities of the private sector and the remedies of the marketplace. However, in cases where there are no reasonable business reasons for companies to make preparations, such as to counter a coordinated, simultaneous attack against multiple infrastructures, then Government should be prepared to provide economic incentives and support.

A natural market exists for security and, ultimately, that will be our best course of action: a solution that combines the entrepreneurial strength and energy of the private sector with the national mission of the Government.

One cannot overstate how important it is to get the Government-industry relationships right, because without them as a foundation, the value of all other efforts will be significantly diminished. A fundamental challenge in many cases is getting information about vulnerabilities and threats itself, and this simply cannot be done without the foundation of public-private sector information sharing. We cannot solve this by unilateral Government efforts. We have to move together to solve it.

Mr. President, it is no surprise that both the Government and private sector are finding this difficult and complicated and frustrating. To combat cyber attacks--whether by terrorists, spies, disgruntled employees, pranksters--one needs both technical sophistication and cooperation among numerous companies, agencies and nations.

It is going to be imperative for the protection of our information infrastructure that the private sector, national security officials, and law enforcement work together--not just on this issue, but on issues for the future.

Many fear these discussions would lead to Government intrusiveness and abuse of power. Americans have always had a healthy skepticism towards Government power and our Constitution sets strict limits on what Government can and cannot do. We are a strong and vibrant nation directly because we enjoy rights of free speech, free assembly, and against unreasonable searches and seizures. Information technology can allow us greater exercise of those rights. When we examine the security of information technology, these rights must remain our guiding principles, and our Government policies should reflect them.

We must get past the suspicion between the private sector and Government and move forward. The information infrastructure is vital to America's defense and to America's economy and we cannot preserve one without protecting the other.

Here we need two things: First, we need a mechanism that transcends narrow organizational politics to bring consensus; and, secondly, we need a facility for advanced research into information technology protection that also provides a venue for constructive and ongoing dialog with industry, the Government, and academia.

I believe Congress should act as soon as possible to create a blue-ribbon panel of top federal officials, key leaders from Capitol Hill, and experts from the high-technology field to address the issues of information assurance, infrastructure protection, and encryption that cut across committee lines. We need to have a panel that can speak with authority on both politics and policy.

From the White House, we need to see a commitment of time, attention, and resources at the highest levels.

Cabinet officers need to play an active role in shaping the solutions that are going to emerge from such a panel. These issues are complicated and they have far-reaching implications, so at the end of the day we need to have leaders in their respective areas--Cabinet and Cabinet-level officials--who are prepared to forge the necessary compromises and make the case to industry and to the public. Congress needs to take a similarly pragmatic approach. Committee chairpersons, with their expertise in different areas and institutional memory, need to be on this panel and give it all the attention they would a piece of legislation. But in addition we need to acknowledge the politically charged nature of these issues and be prepared to deal with them. So I propose that we not only have representatives by issue area, but representatives who are designated to speak for each major faction in the Congress: a representative of the majority in the Senate, and one for the House, a representative of the minority in the Senate, and one for the House, and representatives of the legislative caucuses that have an interest.

Clearly Government cannot do this alone. We need the perspective, the insight, and the vision of experts who are part of the developments in the information technology field and who can predict on the basis of that experience where technology is going. We need their expertise and a willingness to work with their government, for otherwise this problem will only grow worse. The panel I envision must therefore have a strong component of private sector experts devoted both to the advancement of technology and to the security of our country.

The complement to this Congressional panel should be a forum where Government, industry, and academic officials can work on these problems in a systematic, confidential, and dispassionate way. I propose that we learn from our experience and look to those models of industry-and-Government cooperation that have worked in the past.

We can learn from agencies like the National Safety Transportation Board, DARPA, and other federally funded research and development centers. Specifically, Congress should pass legislation that would enable the President to create a new national laboratory and research facility to address information infrastructure protection. The role and mission of such an organization would be to target those specific areas that are now suffering from sporadic, contradictory, or insufficient attention.

We must have a structure that can address the entire range of national security planning and execution--in other words, threat assessment and evaluation, development of requirements, R&D, acquisition and procurement, development of strategy and the conduct of operations across the entire spectrum, from large-scale conflict to peacekeeping and operations other than war. But this center would also help develop techniques, policies, and procedures to make civilian and commercial information technologies secure.

To accomplish that mission, the information technology laboratory would have to: Support research and development by industry or Government-industry consortiums that aims to protect our privacy, shield our commercial interests, and defend our nation against information technology threats; ensure that there is a secure conduit for the exchange of information about security threats; provide a forum for developing and managing responses and contingency plans, both directly and in cooperation with a national command authority.

The Information Technology Laboratory would be funded through annual appropriations as a Federally Funded Research and Development Center. But it should also be able to establish fee-based contracts with agencies of federal, state, and local government as well as universities for specific services so that budget costs could be kept to a minimum.

The Information Technology Laboratory could also contract with private industry to do research and development, while taking special precautions to protect the confidentiality of proprietary data or information. The laboratory would also report annually to the appropriate oversight committees in Congress and the President.

In just four years from now, knowledge and information workers will make up one third of all the workers in our multi-trillion dollar economy. We can create a safe corridor for their passage to the next century. Or we can continue to talk past each other while the Information Superhighway attracts more and more robbers and frauds and terrorists.

We need to come to this task with a clear sense of purpose and full understanding of the urgency involved. America has gained much from information technology, and stands to gain much more as these systems mature. Our future depends on the success of this technology.

But that success and our security depend on finding the policies and practices that will identify and correct vulnerabilities before they are exploited. Together, I am certain we can address this problem. In a noble but imperfect democracy such as ours, answers are not impossible, they are only impending. I look forward to working with my colleagues to face this challenge. I yield the floor.

[Page: S12362]

Mr. CRAIG addressed the Chair.

The PRESIDING OFFICER. The Senator from Idaho is recognized.

END