“While we, at CCIA, certainly recognize the need to guard against the possibility of physical and cyber attacks as well as to prevent criminal penetration of our telecommunications and information networks, this report readily admits the government has no evidence of an imminent cyber threat. Yet, sweeping recommendations are proposed for public education, information sharing, and development of cyber-threat counter-measures. If nothing but anecdotal evidence exists, then what is motivating the government to act?” Davidson said.
After reviewing an executive summary of the report presented by the President’s Commission on Critical Infrastructure Protection, CCIA finds that private industry should be concerned less about what the Commission said in its report, than what it didn’t say, including:
- The report calls for implementation of some proven protection tools, including firewalls, password controls, authentication mechanisms and action logs, yet it fails to address the use of adequate levels of encryption, perhaps the best, most-effective means now available to individuals and companies to secure communications and guard digital files against fraud, white-collar crime, economic espionage, and even terrorism. “Is the government looking for an electronic trap-door to our information networks? This report and the Administration’s Framework for Global Electronic Commerce have missed the mark on encryption,” Davidson said.
- The report calls for industry to share information about vulnerabilities to our infrastructure. But it does not state what kind of information it might require businesses to share or how proprietary information would be treated? Would such information effectively increase an infrastructure owner and operator’s liability?
- The report makes broad-brush reference to changes in laws that would be necessary to protect our infrastructure, but doesn’t pinpoint which laws they are they talking about? “Is the Commission suggesting watering-down our privacy and employer-employee relations laws so the companies may know more about their hires? Are changes forthcoming to our antitrust and liability laws so that companies will be freed to share information with each other? And what are the ramifications of these changes?” Davidson said.
- The report calls for the “… development and deployment of ways to prevent attacks, mitigate damage, quickly recover services and eventually reconstitute the infrastructure.” However, there is no discussion about who will bear the cost of doing this. Is government going to pay for the “ruggedizing” of our critical infrastructures, or is the provider or user of the systems to pay?
- The report discusses the need to create a national infrastructure organization structure to develop industry cooperation and information sharing. CCIA’s Davidson asked “Is the beginning of a budding regulatory framework and the establishment of agencies that will dictate to industry what information they must provide and what they must do to protect infrastructures from attack?”
Davidson suggested that the report’s omissions would not exist if private industry had played a greater role in the issues discussion and recommendation formulation processes. “To boast that ‘an advisory committee of industry leaders appointed by the President provided the perspective of the infrastructure owners and operators,’ is an overstatement, at best,” he said. “The Industry Advisory Committee was only recently constituted and held its first and only meeting less than a month ago — more than a year after the formation of the Commission. Industry should feel cheated in this report.”
CCIA is an association of computer and communications industry firms, as represented by their most senior executives. Small, medium and large in size, these companies represent a broad, cross-section of the industry, employing over a half million workers and generating annual revenues beyond 200 billion dollars. CCIA promotes open, barrier-free competition for computer and communications products and services worldwide.