Vermont's US Senator, Patrick Leahy




Hearing of the Subcommittee on Technology, Terrorism and Government Information "Critical Infrastructure Protection: Toward a New Policy Directive"

March 17, 1998



This hearing is a reunion of sorts for those of us who have been concerned about the security of the critical networks that form the backbone of our telecommunications, transportation, defense, energy and other systems. Almost two years ago, I had the pleasure of testifying before Senator Sam Nunn at the seminal hearings he organized on "Security in Cyberspace." Those hearings highlighted the vulnerabilities of our critical national computer networks and the information stored in and carried on those networks to the threat of attack by hackers, high-tech criminals and spies. It was at those hearings that then Deputy Attorney General Jamie Gorelick announced the establishment of the President’s Commission on Critical Infrastructure Protection.

For a decade now, some of us in Congress have been saying that this issue needs coordinated attention at the highest levels of our government as well as by the private sector, which owns and controls the bulk of our critical infrastructure systems. The two co-chairs of the presidential advisory committee have served with distinction at the highest levels of our government and now in the private sector, and are ideally suited for the task of leading our nation’s efforts to protect our critical infrastructure from 21st Century threats. We are lucky that they have continued their service to the country by co-chairing this advisory committee, and I welcome them here today.

Whether we work in government or in the private sector, we negotiate daily through a variety of security checkpoints designed to protect ourselves from being victimized by crime or targeted by terrorists. Senate buildings, for instance, use cement pillars placed at entrances, photo identification cards, metal detectors and security guards to protect our physical space. These security steps and others have become ubiquitous in the private sector as well.

Yet all these physical barriers can be circumvented using the wires that run into every building to support the computers and computer networks that are the mainstay of how we do business. This reality was recently driven home when the Pentagon revealed on February 25 that its unclassified computer networks had been broken into with a synchronized cyber-attack.

A well-focused and more malign cyber-attack on the computer networks that support telecommunications, transportation, water supply, banking, electrical power and other critical infrastructure systems could wreak havoc on our national economy or even jeopardize our national defense.

We have been aware of the vulnerabilities to terrorist attacks of our computer networks for almost a decade. In 1988, I chaired hearings of the Subcommittee on Technology and the Law on high-tech terrorism. It became clear to me that merely "hardening" our physical space from potential attack would only prompt committed terrorists to switch tactics and use new technologies to reach vulnerable softer targets, such as our critical infrastructures. In fact, witnesses testified at the 1988 hearing about the need for the executive branch to establish an ad-hoc committee or "preparedness council" to coordinate with industry a systematic review of the vulnerabilities of our interrelated critical infrastructures and finding smart technical solutions to defend them. It took some time, but finally we have in place the necessary advisory group to identify the vulnerabilities of our critical infrastructure and work with the private sector on our best defenses.

We must "harden" our infrastructures to ensure our security. New technologies are available for defensive countermeasures, if only we would use them. Encryption is one such technology. At the 1988 High-Tech Terrorism hearing, R. James Woolsey, who subsequently became the director of the Central Intelligence Agency, testified about the need to do a better job of using encryption to protect our computer networks.

I have long advocated the use of strong encryption by individuals, government agencies and private companies to protect their valuable computer information and have sponsored legislation to encourage the widespread use of encryption. Unfortunately, we still have a long way to go to update our country’s encryption policy to reflect that this technology is a significant crime and terrorism prevention tool.

A good example of where the use of encryption would serve to prevent crime better than any new criminal laws is with "clone telephones." The Senate is poised to pass a bill, S.493, that Senator Kyl shepherded through this Committee to amend current laws penalizing the theft of cellular telephone service. This theft amounts to $650 million in losses per year to cellular service providers and their customers. Yet if strong encryption were used to encrypt the radio waves transmitted from cellular phones to the nearest cell tower, stealing those signals for use in a clone phone would be much more difficult if not impossible. Using strong encryption would be far more effective to prevent the large financial losses and loss of privacy resulting from the use of clone telephones than any criminal laws we could consider passing.

We have taken steps to amend our criminal laws to provide additional protections to critical computer networks and the information on those networks. For example, I sponsored an amendment to the Violent Crime Control and Law Enforcement Act of 1994 to penalize the transmission of destructive computer viruses and other forms of unauthorized access into government and private computers. Similarly, in the last Congress, joining with Senators Kyl and Grassley, we sponsored the National Information Infrastructure Protection Act, which later became law, to increase protection under federal criminal law for both government and private computers.

Targeting cybercrime with up-to-date criminal laws and tougher law enforcement is only part of the solution. While criminal penalties may deter some computer criminals, these laws usually come into play too late, after the crime has been committed and the injury inflicted. We should keep in mind the adage that "the best defense is a good offense." Americans and American firms must be encouraged to take preventive measures to protect their computer information and systems.

That is where encryption technology comes in. Encryption is one important tool in our arsenal to protect the security of our computer information and networks. Nevertheless, a prominent expert on computer security told Senator Nunn at the "Security in Cyberspace" hearings last year that:

"U.S. cryptographic policy has generally not been sufficiently oriented toward improving the infrastructure, in that it has been more concerned with limiting the use of good cryptography. U.S. crypto policy has instead acted as a deterrent to better security."

[Senate Governmental Affairs Permanent Subcommittee on Investigations Hearings on "Security in Cyberspace", June 21, 1996, S. Hrg. 104-701, testimony of Peter Neumann, at p. 351].

Encryption cannot be the sole source of protection for our critical computer-based infrastructure, but we need to make sure the government is encouraging -- and not restraining -- the use of strong encryption and other technical solutions to protecting our computer systems.

The Commission on Critical Infrastructure Protection submitted a report to the White House last October with a number of important recommendations about the type of cooperative relationship between private and public sectors that would be helpful in securing these infrastructures, and the constructive, educational and research roles that federal agencies can play in enhancing computer security.

I remain concerned about the report’s recommendation for deployment of large-scale key recovery encryption systems, which allow for surreptitious decryption by law enforcement agencies. Despite making this recommendation, the report made no effort to answer the significant questions that have been raised by leading cryptographers about the security risks inherent in large scale key recovery systems, which introduce new vulnerabilities and targets for attack, as well as about the costs and feasibility of implementing such systems.

I have raised at other hearings -- most recently at the hearing this morning before the Subcommittee on Constitution, Federalism and Property Rights on "Privacy in the Digital Age: Encryption and Mandatory Access" -- my continuing concern that the Administration is forging ahead both domestically and internationally with their Key Management Infrastructure (KMI) plan without all the necessary facts about vulnerabilities, costs and feasibility. Until those significant questions are fully considered and answered, we should be cautious in adopting grand key recovery encryption schemes that may only exacerbate system vulnerabilities and at such an exorbitant cost that individuals and private businesses eschew encryption altogether.

I look forward to working with other members of Congress, the Administration, and the presidential advisory committee on protecting our critical U.S. infrastructure so that we enter the 21st Century prepared to meet the technological challenges of tomorrow.
