Plugging holes against cyberattacks

Sen. Bob Bennett received the RSA Award for Excellence in the Field of Public Policy at the RSA Conference this week.

It was not a random honorific: Bennett, the chief deputy majority whip and a member of the Senate Republican leadership team, has been especially active when it comes to high-tech issues.

The Utah Republican was chairman of

If I can hack into Verizon, it could cause the commander in the field to wonder if the signal he just received actually came from Rumsfeld.

the special committee responsible for the relatively glitch-free Year 2000 computer switch and for the Critical Infrastructure Protection (CIP) Working Group, the Senate's central clearing house for cybersafety and CIP issues.

Bennett also sponsored the Critical Infrastructure Information Security Act of 2001. We caught up with Bennett at the RSA Conference to discuss his views on cybersecurity and the outlook for legislative action this year on cyberissues.

What kind of progress has the government made in defending critical infrastructure from cyberattacks?
We are trying to improve our ability to deal with cyberthreats, but 9/11 obviously changed the focus. Congress is understandably more focused on preventing kinetic attacks, as opposed to cyberattacks. But we will deal with cyberattacks. Al-Qaida is much crippled from where they were, but we fear that another attack could occur. That's something we could get a handle on.

How do you get a handle on preventing further attacks?
An attack has to be organized, and there is always an intelligence opportunity that occurs. Particularly since 9/11, we are focused far more on intelligence gathering. A terrorist war is an intelligence war; it's not two armies massed in the field to clash with each other. We are monitoring known al-Qaida cells, and the breaking up of Iraq and capturing Saddam Hussein has given us a rich trove of intelligence.

We are getting information out of Iran and other places that have sheltered terrorists, as well as diplomatically from other countries' intelligence services. You monitor the chatter between al-Qaida cells and between terrorist groups. That's why we do an orange alert--partly because the chatter is telling us they are planning something and partly to send a message to them: We are listening and know your chatter level is higher than it was.

Clearly, information technology plays an important role in capturing and sharing information.
IT is an essential part, but at some point, someone who wishes this country ill will say, "Forget trying to put a bomb in the Transamerica Pyramid," for example, and attempt to shut the economy down with cyberattacks.

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

I've been pushing the Department of Homeland Security to stay focused on that, even as they worry about cargo containers that might have nuclear material. You have to do that as a first line of defense, but the cyberattack is easer to mount. It does not require danger to those who mount it; you don't have to be a suicide bomber. The overall landscape requires a whole new paradigm of thinking.

What kind of paradigm shift does cybersecurity require?
In the threat environment of the future, corporations are the first line of vulnerability. If I am somebody who wishes the country ill, I am not going to attack the Department of Defense or the CIA, which is where most attacks are currently targeted. Let me hack into a private corporation, such as Verizon, and see if I can cause a massive service interruption. When Secretary of Defense Donald Rumsfeld picks up the phone and says he wants to talk to the commander at Central Command, Verizon handles the telephony.

Doesn't the Defense Department have back-up systems?
Probably not anymore. In the old days--in the 1950s--they had private networks, but they found the public network to be more reliable and a whole lot cheaper. If I can hack into Verizon, it could cause the commander in the field to wonder if the signal he just received actually came from Rumsfeld. You can multiply the examples. If I wanted to bring the country to its knees, I would attempt to shut down the Fedwire, which clears all financial transactions electronically in this country.

How well protected is the Fedwire from cyberattacks?
Federal Reserve Chairman Alan Greenspan and I have had this conversation, and he agrees with me that the Fedwire is a most sensitive target. He insists that the Fedwire is extremely well protected.

I want the company I am dealing with on the Internet to know everything about me so that it won't accept an order from somebody who pretends to be me.

But every year, the sophistication of the attackers gets better, and it's a constant sword-and-shield kind of battle.

For our secure future, we need a complete system of information sharing so that people in the private sector can say to the government, "This is what is happening to us," and the government can then analyze the data and say there is no sign of a coordinated attack or that it is a sophisticated coordinated attack. We can then go back to the company experiencing the attack and notify others to the danger. About 85 percent to 90 percent of the vulnerability we have as a society is in private hands, not government hands.

Folks should be able to share info with the Department of Homeland Security without being subjected to the Freedom of Information Act (FOIA). I don't want Osama bin Laden to mount a cyberattack, and when the company reports on the attack to the government, bin Laden finds a lawyer somewhere to file a FOIA request.

The CIP bill did receive a great deal of brush-back from people on both ends of the political spectrum.
We solved it and got it through Congress. But a major paradigm shift in attitude has to take place in the future. Privacy activists have to understand that the most significant advance in privacy will come from information sharing. That's counterintuitive, but the fear of information sharing is based on the assumption that the only reason someone wants your information is because they want to damage you. The fact is that the reason people want the information is to protect you.

Isn't that a two-edged sword? The temptation to abuse the use of the information, and the issue of individuals owning and controlling their personal information is a subject of much debate.
Yes. It's been an interesting political experience for me, because the far left--who generally lead privacy advocacy, like Ralph Nader--say you can't let information out, because corporations get a hold of it, and the far left hates corporations. We've had these debates in Congress. People say to me that a corporation will be able to target you, and I ask, "Why is that bad?" If a corporation knows me better, then they can target their products that will serve me better.

The far right is equally or more suspicious about government. The reaction to the Patriot Act, for example, was, "These people can read my library record." Why would the government want to read your library records, if you were not connected to any threat? You are assuming that the government has nothing better to do.

Don't you think that people want a choice and some control over what information they provide or that a corporation can use?
I can opt out.

There is a great potential to abuse the information, and we have seen instances of personal information leaking out or used inappropriately. Do you believe that people should have more control over their own information?
The reality is that corporations want repeat customers. They are not going to drive away customers. Having run a business, I know that I don't want to tick my customers off. If I use that information in any way, that causes my customers to leave; I'm a loser. On the other side, we've got the government. We've got to protect the homeland, and to do that, we have to have a free flow of information.

Ironically, the best way to prevent identity theft is for the corporation you turn to when your credit card is stolen to have enough information about you that they can prevent theft. If you say you don't want the company to have the information and share it, you are in a box--the information can't be shared with the police department or other law enforcement agencies.

We are in a whole new world. It's not a question of whether information should be shared but rather with whom the information should be shared. I want the company I am dealing with on the Internet to know everything about me so that it won't accept an order from somebody who pretends to be me. If it knows everything about me, the company can better serve me, and I won't get scammed by someone pretending to be me.

Back to info sharing. The FBI and other government agencies have been criticized for lack of information sharing and poor use of technology. Has there been progress on this front?
In the present atmosphere--an election year--the most precious thing we have in the Senate right now is floor time. Senate Majority Leader Bill Frist will not bring a bill to the floor unless it will pass by unanimous consent. He will not bring anything to the floor that will be contentious or requires significant debate.

We have 67 legislative days left in this session, and the huge issues are soaking up all the floor's time. We have appropriation bills, the energy bill to consider again and others. Anything in this area that gets passed had better be pretty noncontroversial. In this legislative atmosphere, don't look for anything until 2005, unless it's absolute milquetoast.