As the world grows more reliant on electronic communications, the United States is increasingly vulnerable to terrorist acts carried out over the Internet and private networks, a presidential commission announced today.
"A personal computer and a simple telephone connection to an Internet service provider anywhere in the world are enough to cause a great deal of harm," the report warns. "The right command sent over a network to a power generating station's control computer could be just as effective as a backpack full of explosives, and the perpetrator would be harder to identify and apprehend."
A classified report prepared by the President's Commission on Critical Infrastructure Protection, which was convened last year to study the threat of electronic terrorism, was delivered to the White House Monday. A declassified executive summary released today outlines the findings of the commission.
The summary goes on to list a number of recommendations that would apply to the communications, banking, and electric power industries, among others, including the following:
A "sector-by-sector cooperation and information-sharing strategy" in order to develop "ways to prevent attacks, mitigate damage, quickly recover services, and eventually reconstitute the infrastructure." "Reconsideration" of laws related to protecting the infrastructure against cyberterrorists. A concerted effort to develop new means of preventing network attacks. Establishing a "national organization structure" to carry out specific recommendations.
Although the recommendations made public remain vague, at least one trade group already is criticizing them, saying they may create undue government intrusion. Privacy groups also have expressed concerns about the commission's goals.
Glenn Davidson, a vice president at the Computer and Communications Industry Association, said the vagueness of the recommendations, especially those relating to changing laws, make them potentially dangerous.
The implications "scare me to death," he noted. "Are they talking about changing antitrust laws, employment laws?"
Davidson also was critical of the recommendation to create a national organization structure, which would be headed by an office of national infrastructure assurance that would be closely connected to the National Security Council and the National Economic Council.
"Those could be potentially regulatory agencies that dictate to the critical infrastructure providers what to do, and for a large part of an industry that has flourished without regulation, that's of great concern to me," Davidson said.
Privacy groups also say that recent speeches delivered by commission chair Robert Marsh give them reason to worry about the specifics of the plans.
Among the items Marsh pushed at a recent meeting before a bankers' group were changes in federal polygraph laws for "those who are in the business of providing information security services." Marsh also has recommended making "some of the tools that the federal government uses to perform background checks and issue security clearances more readily available to employers within the critical infrastructure."
"The commission seems to have adopted a siege mentality that we really haven't seen since the end of the Cold War in the name of protection against so-called cyberthreats," said David Sobel, legal counsel for the Electronic Privacy Information Center. He said the recommendations Marsh has outlined may have unintended consequences. One proposal, for instance, would allow information about power plants to remain secret. "That raises interesting and difficult issues, such as will the local community near a nuclear power plant be able to get information about it, or will it get withheld."
Privacy advocates are also criticizing the commission for remaining nearly silent on the issue of cryptography, something civil libertarians and computer industry representatives insist is necessary in order to protect confidentiality and security online.
But Carla Sims, a spokeswoman for the presidential commission, defended the report. "We're complying with fair information practices," she said. "I think that the folks making those claims don't know what's actually in the report."