[Sorry, the video for this story has expired, but you can still read the transcript below. ]
GWEN IFILL: Today at the White House, topic “a” was cyber security.
PRESIDENT CLINTON: What we’re going to try to do today is to talk about what the government’s responsibility is for our own systems and networks, what the private sector’s responsibility is — and, as I said before, how to talk about having adequate security, how to protect privacy and civil liberties but also how to keep the Internet open. Keep in mind that one of the reasons this thing has worked so well is it has been free of government regulation.
GWEN IFILL: Two dozen technology executives, academics, privacy advocates, and public officials met with the president today. At issue: How to protect Internet Web sites without encouraging unnecessary government interference.
HARRIS MILLER, Information Technology Association of America: In an automobile, certain standards get set. They meet these specifications and that sits in place for several years so everybody knows that. Unfortunately in the Internet, the security challenges are new every day. And every time someone comes up with a counter measure, then you have the possibility of someone coming up with a new threat. I think what happened last week and the last few weeks has helped to focus the attention of many people in the industry that they are going to have to put more resources into security.
GWEN IFILL: The FBI is still searching for hackers who flooded several popular Web sites with information last week, clogging the Internet and taking several sites off-line for hours at a time.
Today’s White House meeting, scheduled even before last week’s breakdown, is part of a $2 billion Clinton administration cyber security initiative. That plan would provide training and better protection for government computers; it also would attempt to strengthen partnerships with the private sector.
Meanwhile, the FBI reportedly has narrowed its search for those responsible for the hack attacks, interviewing potential suspects, and talking to a hacker known as Mixter, the man who wrote the software believed to be used in the attacks. This week, Mixter released technical information on that program, known as “Tribe Flood Network.” The program lets a computer user tap into perhaps hundreds of computers and secretly install software. That software acts like a time bomb, prompting the computers at a preset time to bombard online sites.
The result: system overload, and in computer parlance, denial of service. In the last few days, the FBI has discovered that computers at several California universities, including UCLA and UC-Santa Barbara were unwitting conduits for the last week’s attacks. And at Stanford, the software infiltrated a piece of hardware known as a router, a central hub for the university’s Internet data.
GWEN IFILL: For more on the intersection of government and the Internet, we are joined by Milo Medin, chief technology officer of Excite@Home, a company that delivers high-speed Internet access and provides news, entertainment, and communication services. Excite was one of several companies disrupted by hackers last week. And Phillip Lacombe, vice president of cyber assurance for Veridian Corporation, which performs network security management for private and public companies. He is also former executive director of the President’s commission on Critical Infrastructure Protection. And Mark Cooper, director of research for the Consumer Federation of America.
Philip Lacombe, what role does government really have in this kind of policing of the Internet or should have?
PHILLIP LACOMBE, Veridian Corporation: Well, I believe that the Internet is an infrastructure which supports a variety of America’s critical infrastructures on which Americans rely for business, for all manner of economic activity and for the functioning of our daily institutions. That Internet must be available and, therefore, it is the responsibility of both the public sector, the government, and the private sector, which owns and operates those networks and those companies that provide the communications to provide security.
So we believe it’s a joint public and private, jointly shared infrastructure responsibility because our day-to-day economic health, our national institutions and our national security rely on the availability and the trustworthiness of the Internet and related networks.
GWEN IFILL: Milo Medin, is that workable?
MILO MEDIN, Excite@Home: I think so. Part of the challenge, of course, is that the network is run by different organizations. And there’s no central management. But it’s not in any of the companies’ best interest to have the system be unstable overall. So we try and work together to assure the stability and connectivity of the system, but we also have to work for the government and law enforcement to be able to better identify problems and prosecute those who cause them.
GWEN IFILL: But, Mark Cooper, he just talks about how ungovernable basically the Internet is. Is that realistic to think that… it’s one thing to talk about how everyone should work together. It’s another thing to figure out how to do that.
MARK COOPER, Consumer Federation of America: Well, in fact, the Internet can, should and will be subject to social order. There will be rules, call them regulation, if you want. The question is how do we set those rules? And in our society, we get to choose the values that the Internet will maximize in our society: Freedom of expression is one, commerce is another, but privacy is another — the ability to choose, to protect your own interests. And the key for us is to make sure that we do that in an open and democratic process. Do we make those choices consciously to demonstrate American values and let the companies make profits as long as they don’t violate my free speech, my privacy, et cetera? And we constantly make those choices. The thing we have to do is know that we’re making those choices and let people participate in those choices.
GWEN IFILL: That was part of the goal of this meeting today. The White House has already come up with a couple of proposals, among them it would like to develop a tracking system for federal and private-sector computer networks, also to make it easier to wire tap phone and data lines and also to slow the proliferation of companies’ ability to encrypt their information — which is to be able to provide more code-breaking access on the Internet. Is this something which you could imagine, Philip Lacombe, is this something that you could imagine the industry accepting?
PHILLIP LACOMBE: The industry is going to fulfill its responsibility to police itself to provide which is in its best interest secure networking capability for its customers. That’s the purpose of the industry. That’s what we’re doing. And we intend to pursue that to the best of our ability. We believe that we have a relationship and responsibility with the government to do that, and that there are things that the government has a responsibility for: Enforcing the law, tracking down people who do harm, whether they do it using cyber tools or physical tools. It’s very much the same.
GWEN IFILL: That’s after the fact. It sounds like these proposals are talking about….
MARK COOPER: Our concern is the problem is that you know, you can probably put a surveillance camera in every computer in the world and watch everything I do. This technology is powerful. I get so say, “Wait a minute, find another way because that’s too invasive.” And the important point is technology can do whatever it wants to do. We have to tell it what to do. I’m sure a lot of people will say, that solution is just too invasive; find another way to track people down and maintain social order. And that’s the point of making sure that we make these decisions.
One of the hard parts is that old laws that apply in real space may be hard to apply in cyberspace, which is a new place. So maybe we need new laws or maybe the old laws just can’t work. And what we have to work out is the principles of privacy that we had in real space, we may want in cyberspace. Technology is very powerful so we have to be very careful in solving one problem we don’t create other problems.
GWEN IFILL: Milo Medin, one of the things the president was asked today during his little briefing was after last week’s attacks, it became clear that a lot of bank computer experts had gotten advance warning about this, but this was something that either wasn’t sure with the government or other industries. Is that a weak link?
MILO MEDIN: I think, in general, some industries prefer not to disclose their security problems or break-ins for fear of upsetting the economic markets’ trust in the institution, et cetera. We have to work together to be information because the hackers work together, together in sharing tools and ways of breaking into systems. So the government and industry together have to be able to understand what’s going on, what the attacks are, developing counter measures proactively and most importantly, I think, getting the word out to people about how to prepare their systems and how to be able to deal with these things, not reactively but before the attacks come.
GWEN IFILL: You all three are talking about the government working together with the private sector but I guess I just don’t know what that means if the three specifics that I stated that anybody here is rushing to embrace.
MILO MEDIN: Part of the problem is because of the explosion in the Internet economy, a lot of people — people like myself who used to work for NASA — have left the government and are in the private sector. And it’s very difficult particularly in law enforcement to hold on to people. A lot of the FBI agents, et cetera, are not given the set of tools and capabilities they need to actually go out there and help. We have to work with the agencies to be able to go out there and actually find these people and prosecute them. It’s not something to be done by one person.
PHILLIP LACOMBE: If I might, Gwen, you mentioned the Federal Intrusion Detection Network. That is actually a proposal contained in the national plan released by the White House and the critical infrastructure insurance office I think two weeks ago. That is actually a plan in which the government would protect its own networks. It would, in essence, lead by example, by providing the intrusion detection required so that it could insure that its networks were available when needed and secure. That seems to me to be a rather prudent step by the government, a way of, as I said, leading by example.
GWEN IFILL: And leading the way for the private sector who wants to protect itself rather than looking to federal government to do the same.
PHILLIP LACOMBE: As I said, I believe it’s a joint responsibility but largely the private sector is responsible for protecting itself, yes.
MARK COOPER: The most important thing here is we’re having a discussion about what government can do and should do. One of the difficulties we have is the minute we say we need a rule here, everyone says don’t regulate the Internet. The Internet needs to be regulated and will be either by private sector, but also by public sector. So once you admit and recognize that you need rules for cyberspace, just like you have in real space, then we can start to address the problem in an open and educated, informed way.
GWEN IFILL: You talked a minute ago about playing by old rules with new rules out here to be pursued. For instance, how does the FBI police something that crosses international boundaries? We heard in the News Summary about the Canadian Mounties, the Royal Mounties getting ready to pursue these hackers. How do we do that?
MARK COOPER: The really new thing about the Internet is it makes the technologies control and the ability to speak and enter, it changes the balance. It destroys the old balance that we have in real space, and so we struggle to figure out how to control the freedom that it gave us, but, in fact, if we don’t control it, we will end up with anarchy. And that’s when people start to address the problem and say, look, we want this tremendously powerful economic and social institution but we have to put some rules in place. And now we’re getting over the question of any rule is bad. No, we need some rules here. International is a big problem. If I get defrauded in the Internet, where do I sue? Well, what we have to do is agree on a place where we can impose that order. We would like it to be in our country. The other countries want it in their countries, international institutions, but we have to decide some way to impose order.
GWEN IFILL: How big a problem is it at its root that so many… There is such distrust between Silicon Valley and Washington…How do you begin to figure out what it is that the federal government and the private sector can work together on…
PHILLIP LACOMBE: This is a step in that direction.
GWEN IFILL: Excuse me.
PHILLIP LACOMBE: This is a step in that direction, the president’s meeting, the fact that we have a Secretary Daly in the Department of Commerce leading a partnership of over 130 companies that are coming together later this month to work in that direction. I think we see those… evidence of the industry beginning to work together even more, and industry working with government.
GWEN IFILL: Milo?
MILO MEDIN: I would also say that while there is some hostility over certain issues, like encryption and other things regarding export controls, Washington and Silicon Valley both need to work together closer. I know we work with the government quite well, and, you know, the policy-makers, I think, have taken a position that says, “we’re going to look first to see if the industry can deal with problems and solve them themselves before we step in. Because predicting the future is a very, very hard thing to do. And the technology moves so quickly that by the time you put regulations and rules in place, it may only apply to something that used to be the situation.
GWEN IFILL: But aren’t some of these rules already in place? Isn’t it just a question of knowing how to use them?
MILO MEDIN: And the tools and the motivations to law enforcement to actually be able to exercise those rules and be able to prosecute people.
GWEN IFILL: And the resources.
MILO MEDIN: And the resources.
MARK COOPER: When you design the network, you’re making the rules. If you make choices about infrastructure, about how you deploy your routers, about the way people access them, you’re actually making the rules. The important point is that if the Internet — and Silicon Valley — wants to be the dominate institution in society, the super highway, if you will, then they have to meet the government because in our society, that government plays a role in insuring certain basic values. And they have now suddenly started to meet very reluctantly the government.
MILO MEDIN: We’ve done it for a while.
MARK COOPER: But they now understand that you need the government to impose these rules and we’re getting over this notion that if it’s government, it can’t be good for us because in order to affect all of our lives, you have to start to accept those responsibilities.
GWEN IFILL: It sounds like a long and winding road yet. Philip Lacombe, Mark Cooper, Milo Medin, thank you very much.