16 February 2000


[Thanks to Declan McCullagh]

PRESIDENT CLINTON HOSTS CYBER SECURITY MEETING
The Cabinet Room, The White House
February 15, 2000


Today, President Clinton will host a meeting with senior White House and Cabinet officials and representatives from the Internet and technology communities. In this meeting, the President will lead a discussion on how the public and private sector can work together to provide a secure and reliable Internet. The President will highlight Administration Internet security initiatives including those in the recent $2 billion FY2001 budget request that will help the National Plan for Information Systems Protection. He will also laud new steps that [illegible] taking to address cyber security issues.

Administration officials attending today's meeting include White House Chief of Staff John Podesta, Commerce Secretary William Daley, Attorney General Janet Reno, OSTP Director Neal Lane, OMB Director Jack Lew and NSC Director Sandy Berger.

Please see attached fact sheets and list of industry participants.

###

Cyber Security Meeting Participants List
February 15, 2000

Douglas F. Busch
Vice President of Information Technology, Intel

Clarence Chandran
President, Service Provider & Carrier Group, Nortel Networks

Vinton Cerf
Senior Vice President, Internet & Architecture Engineering, MCI Worldcom

Christos Cotsakos
Chief Executive Officer, E-Trade Group, Inc.

Jim Dempsey
Senior Staff Counsel, Center for Democracy and Technology

Whitfield Diffie
Corporate Information Officer, Sun Microsystems

Nick Donofrio
Senior Vice President and Group Executive, Technology & Manufacturing, IBM

David Farber
University of Pennsylvania

Elliot Gerson
Chief Executive Officer, Lifescape.com

Adam Grosser
President, Subscriber Networks, Excite@home

Dr. Stephen Kent
BBN Technologies (GTE)

David Langstaff
Chairman and Chief Executive Officer, Veridian

Michael McConnell
Booz-Allen

Mary Jane McKeever
Senior Vice President, World Markets, AT&T

Robert Medrano
Senior Vice President, Hewlett Packard

Harris N. Miller
President, Information Technology Association of America (ITAA)

Terry Milholland
Chief Information Officer, EDS

Mudge
@stake

Tom Noonan
Internet Security Systems (ISS)

Ray Oglethorpe
President, AOL Technologies, America Online

Allan Paller
Chairman, SANS Institute

Rich Pethia
Carnegie-Mellon Institute

Geoff Ralston
Vice President for Engineering, Yahoo!

Howard Schmidt
Chief Information Security Officer, Microsoft

Peter Solvik
Chief Information Officer, Cisco Systems

Gene Spafford
Purdue University

David Starr
Chief Information Officer, 3Com

Charles Wang
Chief Executive Officer, Computer Associates International

Maynard Webb
President, Ebay

###


Date: Tue, 15 Feb 2000 15:51 -0500
From: The White House <Publications-Admin@pub.pub.whitehouse.gov>
To: Public-Distribution@pub.pub.whitehouse.gov
Subject: 2000-02-15 Remarks by the President with High-Tech Industry Leaders

                            THE WHITE HOUSE

                     Office of the Press Secretary

________________________________________________________________________

For Immediate Release                                  February 15, 2000

                        REMARKS BY THE PRESIDENT
                   IN PHOTO OPPORTUNITY WITH LEADERS
                         OF HIGH-TECH INDUSTRY
                    AND EXPERTS ON COMPUTER SECURITY

                            The Cabinet Room

11:57 A.M. EST

          THE PRESIDENT:  The room is smaller than it looks on

television.  (Laughter.)  Usually I don't get so many of them coming in,

except you guys are -- (laughter.)

          Well, first of all, I want to welcome the leaders of the

high-tech industry and experts on computer security to this meeting at

the White House to talk about how to maximize the promise and minimize

the risks to the Internet.

          The disruptions at several websites last week highlight how

important the Internet has become to our whole way of life in America,

and how vulnerabilities at one place on the Net can create risks for

all.  Our administration has been working for years now to reduce

vulnerabilities in government computers and to encourage the private

sector to do more.

          We know that we have to keep cyberspace open and free.  We

have to make, at the same time, computer networks more secure and

resilient, and we have to do more to protect privacy and civil

liberties.  And we're here to work together.

          Last month I released a draft plan to help do our part to meet

these challenges.  And in the budget I asked Congress for $2 billion for

cyber security, to safeguard government networks, to detect attacks, to

hire and train more security experts, to increase cooperation with the

private sector.  I want to jump-start this effort by providing $9

million right away to begin some of these key initiatives.  And so we'll

do what we can.

          I understand that many leading industry members, including the

companies represented here today, have agreed to create a mechanism to

share cyber security information, and I applaud that.  I am asking

Secretary Daley and my Science Advisor, Dr. Neal Lane, and Richard

Clarke from the White House, to work with these companies to accelerate

our efforts with the private sector.

          Now, having said that, and before we open the floor for

questions, I'd like to ask Peter Solvik, who is to my right, the senior

Vice President and chief information officer of CISCO Systems, to say a

few words on behalf of the private sector people who are here today.

          Peter.

          MR. SOLVIK:  Thank you, Mr. President.  It is an honor for me

to be here to discuss this important issue.  First, I want to thank you

and your team for working cooperatively with industry to pursue and

implement policies that have permitted the astounding growth of the

Internet and e-commerce.

          Today, Internet, e-commerce, and information technology

represent over one-third of the economic growth in the United States.

And certainly we're enjoying an unprecedented time of economic growth,

expansion and success in the United States.  Furthermore, it's estimated

that electronic commerce could reach $1.5 trillion by the year 2003.

That's why it's more important than ever that we provide a strong and

secure foundation for the digital economy.

          We're certainly not facing a crisis, but the events of last

week show that everyone -- Internet users, Internet companies, and

government -- need to work together to strengthen Internet security.  I

know that you've challenged industry to do our part, and I'm pleased to

say that the companies represented here today have joined more than 30

major Internet and information technology companies, as well as 10

industry trade associations, and we've pledged to work together on this

issue.

          We're committed to increasing the security of the Internet by

sharing information on cyber attacks, vulnerabilities, countermeasures,

and best practices as a concrete way of improving security of the

Internet.  We look to government to play an important role by

coordinating this activity, ensuring its own systems are secure, and

continuing to support important R&D efforts.

          Again, I want to thank you for your leadership on this

important issue.  We're very committed to work together so that the

Internet continues to grow and reach its full potential in the 21st

century.

          THE PRESIDENT:  Thank you.

          Q Mr. President, is there such a thing as a plan to actually

secure the Internet?

          THE PRESIDENT:  Secretary Daley says there is.  (Laughter.)

Let me say, what we're going to try to do today is to talk about what

the government's responsibility is for our own systems and networks;

what the private sector's responsibility is; and as I said before, how

to talk about having adequate security, how to protect privacy and civil

liberties, but also how to keep the Internet open.

          And keep in mind, one of the reasons this thing has worked so

well is that it has been free of government regulation.  The only

contribution the government made to the Internet was the early research

over 30 years ago, now, I guess, is when it started -- '69.  And there

may be more work for us to do in research here.  But I think that,

insofar as we can, we ought to stay with what brought us here.

          The companies and the sector they represent in this room are

about 8 percent of our employment; they do represent, as Peter said,

over 30 percent of our growth.  And so the trick is going to be how to

do what needs to be done on security and privacy, and still keep it

flourishing and growing.

          But we ought to approach this with determination and we

shouldn't be surprised that these things have happened.  It's just a

replay of what has always happened whenever there's a new way of

communicating, a new way of making money throughout human society --

there's always going to be somebody that tries to take advantage of it.

And we'll figure out how to deal with it and go on.

          Q Mr. President, one issue involved here is the sharing of

information, and there are some reports this morning that banks were

conscious of efforts to disable their systems, but did not share that

information more broadly.  Can the government solve that without forcing

industry or business to disclose information it would rather keep

private?

          THE PRESIDENT:  I think -- let me tell you what I know about

that, and there may be something I don't know, so I will offer that

caution at the outset.  The Justice Department, the FBI had certain

information that they made broadly available, and I think the banks were

in better shape to take advantage of that information than others were.

And I think one of the purposes of this meeting is to figure what do we

do from here forward to make sure that everybody is in the same

position.

          But I don't think that, based on what I know now, we should be

out there finger-pointing at any sector of the economy and what they

didn't do.  I think that they were just better organized to engage in

information sharing and to set up the defenses necessary to guard

against this.  And what we really want is for every sector of our

economy to be in the same position.

          Q Mr. President, oil prices have now risen above $30 a barrel.

Does that increase a need to do -- is there anything you can do about

that?  Or are you more sympathetic to arguments toward releasing the

Strategic Petroleum Reserve?

          THE PRESIDENT:  I think we have to watch this the next few

days.  There are going to be some important meetings with the oil

producing countries in the next few days and we will know more about

this in a week or 10 days about what the trends are going to be.

          But the American people are handling the price increase pretty

well in terms of every aspect of our lives because of increased energy

efficiency, except for home heating oil, where you have, in the

Mid-Atlantic states and New England, unfortunately, so many people still

dependent upon a source of heating which the rest of the country left

long ago, and they are unbelievably burdened by this.

          Now, we've released $200 million in LIHEAP funds so far; we

can release more.  But that eases the burden on the poorest of our

citizens, but there are a lot of working people on modest incomes that

are just getting killed by this because of their reliance on home

heating oil.  And I have not closed off any options.  I'm monitoring

this on a daily basis.  It's a deeply troubling thing.

          But I think the rest of our country should know -- I mean, a

lot of people are feeling the pinch, maybe if they drive long distances,

because the price of gasoline has gone up.  But there is a group of

Americans, middle class and lower-middle-income Americans, who have

limited disposable incomes, who have no option to heat their homes but

home heating oil.  They're the people that are really getting hurt.  And

I hope -- and, obviously, the poor would be devastated by it, but we're

monitoring that daily to make sure we've released enough of the federal

funds that we have that go directly to benefit them.

          And so this is a daily watch, and we'll just have to see where

we are.  And I may have more to say as the days go by.  But we should

know more in a week about what the trend lines are going to be and

what's going to happen to the price of oil over the next few months.

          Q Mr. President, did the White House deny congressional

committees access to e-mails it subpoenaed?

          THE PRESIDENT:  I believe that we have complied with every

request -- and there have been thousands.  If the American people knew

how much of their money we had to spend complying with requests for

paper and e-mails, they might be quite amazed.  But we certainly have

done our best to do that.  There has never been an intentional effort to

do that, and I think that we are in full compliance.  I believe we are.

          That's what Mr. Podesta told me right before we came out.

          Q Would you entertain one last question, sir?  We've always

heard for the last four or five years that it was going to take an

electronic Pearl Harbor -- many of the people around this table I've

interviewed over the last four or five years and they've agreed that's

the kind of impact we would need for everybody to play together and work

together.  Is that what happened last week?

          THE PRESIDENT:  Well, I hope not.  (Laughter.)  I think it was

an alarm.  I don't think it was Pearl Harbor.  We lost our Pacific fleet

at Pearl Harbor -- I don't think the analogous loss was that great.  But

I think it --

          Q Was it of concern --

          THE PRESIDENT:  Look, it's a source of concern, but I don't

think we should leave here with this vast sense of insecurity.  We ought

to leave here with a sense of confidence that this is a challenge that

was entirely predictable; it's part of the price of the success of the

Internet; and we're all determined to work together to meet it.  And so,

yes, we got an alarm, but I wouldn't say -- I wouldn't analogize it to

Pearl Harbor.

          We're all here; we're going to figure out what to do.  But you

need to let us work now.  Thank you very much.

                    END               12:07 P.M. EST


Date: Tue, 15 Feb 2000 17:40 -0500
From: The White House <Publications-Admin@pub.pub.whitehouse.gov>
To: Public-Distribution@pub.pub.whitehouse.gov
Subject: 2000-02-15 Press Briefing by John Podesta on Cyber Security

                            THE WHITE HOUSE

                     Office of the Press Secretary

________________________________________________________________________

For Immediate Release                                  February 15, 2000

                           PRESS BRIEFING BY
                      CHIEF OF STAFF JOHN PODESTA;
                  SECRETARY OF COMMERCE WILLIAM DALEY;
            PRESIDENT OF INFORMATION TECHNOLOGY ASSOCIATION
                       OF AMERICA, HARRIS MILLER;
             PRESIDENT OF EBAY TECHNOLOGIES, MAYNARD WEBB;
     AND THE CHIEF INFORMATION OFFICER OF MICROSOFT, HOWARD SCHMIDT
              ON THE PRESIDENT'S MEETING ON CYBER SECURITY

                 The James S. Brady Press Briefing Room

1:43 P.M. EST

          MR. SIEWERT:  Here to brief on the President's meeting with

cyber security we have a number of administration officials and private

sector representatives.  Mr. Podesta, the Chief of Staff, will kick it

off.  He'll be followed by Secretary Daley, who has been heading up the

effort to work with industry on these issues.  And then we'll hear from

Harris Miller, the President of Information Technology Association of

America; Maynard Webb, the President of eBay Technologies; and Howard

Schmidt, the Chief Information Security Officer of Microsoft.

          MR. PODESTA:  Good afternoon.  People can join me if they

want.  Let me briefly say that I'm going to try to summarize what

happened at the meeting, but I think it was an excellent discussion

today with the President, members of the Cabinet, leaders of the

Internet and e-commerce companies, civil liberties organizations,

security experts, reformed hackers, some academic people.  I know that

many of you have been outside and have heard from people who were inside

the meeting.  But let me try to briefly summarize what was said and the

dialogue that took place, and try to put it in some order.

          I think that everyone recognized that the potential of the

Internet, the positive implications, the strength that it has brought to

the economy needs to be kept in mind as we seek a stronger security

situation and address these problems, to build a solid foundation -- a

solid security foundation to keep this economic miracle, which the

Internet has become, going and strengthening our own economy.

          The comments went into the following areas:  We need to raise

the level of security practice.  I think that many of the people in the

room commented on the fact that many tools were out there to deal with

security threats, but many of the tools were not being used.  We need to

be more pro-active.  One of the participants said that in much of the

software that's shipped, that the default mechanisms are never switched

on for about a third of the software that's shipped by one of the

vendors -- so that we need to be more pro-active in getting the tools

out and getting them in use, to practice better hygiene, as many of the

people commented.

          We need to make the government, secondly, a role model.  We're

not doing a good enough job in making sure that the government's own

systems are secure.  We need to enhance the security on the government

systems, and make sure that they're not broken into, that the firewalls

are in place, and that we're practicing good security procedures.

          We need to increase both the short-term R&D -- again, which is

mentioned in the President's program that has been released as part of

his budget -- as well as the long-term R&D to make sure that the

hardware, the software and the networks that are part of the global

information infrastructure are more secure and evolve in a way in which

security is built in at the front end, rather than thought about at the

back end, when solutions will be more difficult to implement and more

expensive to implement.

          I think all of that supported the -- and I think there was

strong support in the meeting -- for the President's budget initiative,

as we have talked before in this briefing room, of over $2 billion to

invest in enhancing security, increasing R&D, creating an institute to

work in partnership with the private sector to do more research and

development on the security issues.

          There was a commitment from industry, and a commitment to

share information on a cross-sector basis.  The people who follow me

will discuss that with greater specificity.  But we've had some very

good success on the Y2K model.  We've had good success already in

Secretary Daley's efforts to build a partnership with the private sector

to work on these security issues.  And we need to get going, enhance

those efforts, and get some real solutions on the table.

          The solutions that we talked about did not involve greater

government regulation, or really even greater governmental power.  They

were things that we could do, again, in partnership with the private

sector to increase security.  I think the point was made that we do not

need to reduce privacy as we enhance security in the network.  Privacy

and security go together, in fact.

          The Attorney General discussed the fact that -- and a number

of the people in the meeting chimed in -- that we need to -- sometimes I

think these questions are handled in a way that makes them seem rather

simple, or low-key, or kind of funny or cute; and that they're not cute.

The events of last week show that they can -- they involved attacks that

can involve a good deal of money.  And again, that will be discussed as

we go along -- but that enforcement efforts are a necessary part of this

effort.  And she invited the business community to come together with

her to talk about how we can better enforce the laws that are already on

the books.

          There was some discussion about enhancing the education and

the ethics that go into the use of the Internet; that it isn't cool to

trash systems, and that the academic community has an important role to

play in both spreading that message and in working with people who are

being trained to use these tools, to do those in a proper way.

          And finally, there was a good deal of discussion that this is

a global issue, a global network, a global problem.  It can't be

resolved simply by efforts by the United States government, or even by

the United States private sector.  We need to work in partnership to

enhance security, but we need to work around the world on solutions

that, as the global information infrastructure is interconnected, will

have a reach beyond our borders.

          So with that, let me turn it over to Secretary Daley to talk

about his efforts in the new partnership.

          SECRETARY DALEY:  Thanks, John.  Let me first thank the

participants in the discussion, and the turnout from the private sector

was absolutely terrific.

          Our information economy is strong, and it is resilient.  But

last week's incidents were really a wake-up call for all of us.  It's an

attempt, for those of us who have been trying to work to address some of

these problems.  It's a first wake-up call for us in government to make

sure that our systems are adequately protected, and we are doing that at

the direction of the President.  All of us are checking our systems to

make sure that we have adequate protections.  And then at the same time,

it is obviously good business for the business community to do that, to

make sure that the confidence that is within the American people today

about our economy, and about our systems, remains.  And that's their

interest, and our interest is to make sure that our economy stays

strong.  And so much of it is dependent upon the infrastructure, which

is -- the vast majority of which, of course, is in the hands of the

private sector.

          So it was a good discussion, as John outlined.  We have a

number of efforts that we have begun to do with the private sector.  We

had the first meeting last October of -- or December, pardon me, of

about 80 companies in broad -- from different sectors of the economy;

not only the high-tech industry, but the -- not only the information

sector, but the transportation, energy, telecommunications sectors all

working together.  And our next partnership meeting will be next week at

the Chamber of Commerce, to try to develop mechanisms by which we can

share information and move forward, but in a multi-sector approach and

not just a narrow sector.

          So I appreciate the tremendous, already the tremendous support

that the private sector has given to our efforts at the Department of

Commerce to try to work with them.  We can support them.  It is not

about the government regulating this, or taking steps to take actions

that would at all impede the Internet, because of course it is the

dynamic engine that is driving our economy today, and we must keep that

open.  And we will make sure that it is protected, those of our systems.

But the private sector is taking the lead in making sure that the

overall systems of theirs are protected.  So I thank them very much for

their strong involvement in the partnership.

          Harris?

          MR. MILLER:  Hello, I'm Harris Miller.  I'm President of the

Information Technology Association of America.  We are one of the three

associations officially designated by the Department of Commerce to be

the sector coordinator for the information and communications sector,

along with the Telecommunications Industry Association and the United

States Telephone Association.  And we also help to facilitate the

planning of the industry participants for today's meeting.

          It was a very, very positive meeting.  We had very excellent

turnout from many leaders of the information technology and Internet

industries.  And they were able to deliver to the President and to the

Cabinet officials and other senior government officials very clear

messages about our interests and concern in focusing on information

security on the Internet.

          And we provided to the President and the other U.S. government

officials who were present a statement, which has been endorsed by 38

companies just initially, and 10 high-tech trade associations,

committing to sharing information and working together through a

mechanism, particularly to focus on cyber attacks, vulnerabilities,

countermeasures, and best information security practices.  Participation

in this mechanism will be voluntary, industry-led, and may be virtual.

          During the meeting today, the companies helped to share with

the President and the other officials many of their views on the

particular technology challenges that are being faced in dealing with

this; that even though some of the technology challenges in protecting

the Internet are relatively easy to address, in fact it's a very hard

issue.  As one of the industry representatives said, both the blessing

and the curse of the Internet is that it is so open, and that makes it

such a tremendous challenge.  And we indicated that the technology

challenge is very important.

          We also shared with the President the need for industry itself

to focus much more on widespread adoption of best practices -- that when

technology solutions are available, when best practices are available,

it is important we make sure not just within the industry, the Internet

industry itself, but across sectors, that we share this information.

And that's why the partnership that Secretary Daley referred to and that

Howard Schmidt will discuss in a minute is so very important.

          We also discussed with the President the important global

nature of this challenge, and the need to move forward in looking at

this issue on a global basis.

          In terms of industry's expectations for government, we were

very pleased that President Clinton reiterated that industry leadership

here is key, that collaboration with the government is also a part of

this, but dealing with the issue of Internet security must be

industry-led.  And the President and his Cabinet members in attendance,

and Mr. Podesta, reaffirmed that, and that is very positive, because the

Internet has succeeded and become such a tremendous engine of economic

growth and opportunity not just now but into the future because of

industry leadership.  And that was a very positive message coming out of

the meeting.

          In terms of next steps coming up, Mr. Schmidt will discuss the

partnership meeting coming up next week.  I also indicated that our

association, along with others, will be pulling together many companies

and other associations in two weeks, following the partnership meeting

-- companies within the industry sector in particular -- to talk about,

how do we now operationalize this commitment to establish a mechanism?

What concrete steps do we need to take to make sure that the information

sharing is carried out in the most efficient and effective way possible?

So we're going to move quickly; this isn't some kind of long-term plan.

It's a short-term plan to move quickly, and you should be seeing some

outcomes happening in the very near future.

          Thank you very much.

          MR. WEBB:  Hello, I'm Maynard Webb, and I'm the President of

eBay Technologies.  eBay strongly applauds the efforts that are going on

to work across the industry and with our government friends and our

educational partners to work on the ways to combat this.  There is no

silver bullet for what we're going after, it's a difficult problem.  But

when we work together we can solve it, as we're able to do in resolving

our effort last week -- working with our industry vendors and partners

and ISPs.

          So we're very excited about the work that's going on here and

look forward to participating strongly in it.

          MR. SCHMIDT:  Good afternoon.  I'm Howard Schmidt, and as was

pointed out by both Secretary Daley and Harris Miller, next week we kick

off phase two, if you would, the Partnership for Critical Infrastructure

Security.  We had our first meeting in New York in December of last

year.  Next Tuesday is the meeting that works on specific areas of

concern, areas of sharing of information.

          We have five work groups currently established for the meeting

next week, looking at issues cross-sector.  This is not strictly an IT

sector, this is transportation, energy, communications -- all the

various sectors -- looking at interdependencies and vulnerability

assessments; best practices sharing, which is really key; the awareness

and outreach, making sure that everyone has the information they need to

make this much more secure.  Also issues relative to legislation and

public policy development, and a couple of other very key areas such as

research and development and work force development as well.

          We want to make sure that -- we're very much in support of the

President's national information assurance plan.  It was offered up

about a week or so back.  All these issues map directly to that plan,

and we cross-sector, cross-industry, are all behind that and will

continue to work that through the Partnership for Critical

Infrastructure Security.  Thank you.

          Q Mr. Podesta, as we speak, do you have an ironclad assurance

that some malicious hacker, to pick a site, couldn't pick White

House.gov and bring it down?

          MR. PODESTA:  We probably should go back and check, based on

the question.  (Laughter.)  Look, I think we shouldn't overstate the

problem, we can't understate the problem.  I think that there are --

even yesterday, in the President's on-line interview on CNN.com, we had

hackers get into that.  So I think that anything I could say in answer

directly to that question would probably just throw out a challenge.

          I think that what we have done, I think has worked, again, to

try to develop this partnership, to try to develop solutions, to try to

make those solutions more widely available and raise the level of

knowledge, and therefore, raise the level of implementation of security

fixes.  I think we're trying to do a good job in the federal government,

and Bill mentioned this in his comments, by surveying all the sites, not

just our national security sites, but all the sites of the federal

government, to try to enhance the level of security in those individual

sites.

          But I don't think there's any single magic bullet, or it would

be foolish of me to stand up and say that no hacker could attack our

website.  In fact, that's happened in the past and that person was

caught and prosecuted.  But I think we can do a lot better job than we

have done in both enhancing the federal government level of security --

and that's what our $2 billion initiative is all about -- as well as

sharing with our private sector partners the information that we have

and developing the research and development to deal with the tools to go

after the kinds of things that are out on that.

          Q Does the private sector feel the laws on the book are

stringent enough on hackers?

          MR. PODESTA:  Well, I might let them answer that.

          Harris, do you want to --

          MR. MILLER:  We're examining that right now.  During the

meeting, the Attorney General said she would be interested in having a

follow-up meeting with industry to discuss this.  I think there is a

feeling in industry right now that some courts do not take these cases

seriously enough.  There is a feeling in industry, which I don't think

the Attorney General would disagree with for one second, that the

federal government does not have all the technology resources to always

do the forensic work necessary or to do the prosecution necessary, and

so they need additional resources also.  But as to whether specific

statutes need to be amended, I think that requires further analysis and

discussion.

          Q To go to the opposite side of this thing, the truth is that

you can't have convenience and really tight security on the Internet.  A

lot of these companies are chasing money and security is not the top

issue.  Isn't there some culpability on the part of these sites that

don't include the patches?  We're talking about now service attacks --

that's an inconvenience.  There's also been several reports about

databases being compromised -- 300,000 or more credit card numbers being

stolen because they didn't have good enough security.  We have laws to

deal with the hackers.  What about some culpability on the site of the

e-commerce sites that are not protecting the privacy because they're

being inadequate or apathetic about installing these patches?

          MR. MILLER:  First of all, I disagree with the premise of your

question.  Every company that does business on the Internet understands

that in terms of customer loyalty, relationship with the marketplace,

that they have to, in fact, be focused on security.  None of you in this

audience, not I, no one in this room is going to go on a website where

we believe that the information that we're providing to that company

through the website is going to be prey to anybody who wants to get

access to it.  And these companies understand that.

          Now, I think there is a legitimate question about the level of

resources and the adoption of some of these best practices, because the

challenge is constantly changing.  That's one of the difficulties of

security on the Internet.  In an automobile, certain standards get set.

You say, okay, you need airbags and they need these specifications, and

that sits in place for several years.  And so everybody kind of knows

that.  Unfortunately, in the Internet the security challenges are new

every day, and every time someone comes up with a countermeasure, then

you have the possibility of someone coming up with a new threat.

          I think what happened last week and what has happened in the

last few weeks has helped to focus the attention of many people in the

industry that they are going to have to put more resources into

security, and certainly the meeting today and the information that was

developed by the meeting that Secretary Daley held on December 8th and

the follow-up meeting next week does show that people on the Internet --

not just the information technology industry, not just the .com

industry, but all industries which are now part of this new economy are

prepared to work together.

          This is not an issue where you somehow get some kind of

competitive advantage over your competitor because you somehow have

better security.  Everyone realizes we're in this together, we must

protect the Internet so that the consumers and the businesses and the

governments who do business on the Internet are confident that the

information they share is protected, and that an individual and

corporate privacy is protected.

          Q On the question of whether the laws are adequate to deal

with hackers, Mr. Podesta, when President Clinton announced the change

in encryption policy last September, he said the administration would

promote a cyberspace electronic security act.  We haven't heard more

from the administration on whether you intend to submit a request to

tighten the laws to deal with either malicious hackers or people who

make use of encryption in ways that are not conducive to law

enforcement.

          MR. PODESTA:  Well, I mentioned that the Attorney General

invited people into a separate dialogue on that question.  We're working

to try to make sure -- I think both of these points were made -- we need

to make sure the laws are adequate and tight.  And I think that the

Justice Department will discuss that with the private sector and with

representatives of the civil liberties community, the privacy community,

and make sure that we can move forward, and see if we need updates of

the laws that were largely about a decade old now.  They were mostly

passed in the mid 1980s -- to see if there are any additional

authorities or tweaks in those laws.  But the basic framework of the

computer crime statute, the Electronic Communication Privacy statute, et

cetera, are in place.

          But whether those need to be enhanced, I think the Attorney

General will discuss with representatives of the Hill and people here.

But in addition to that -- and I think Harris also mentioned this -- we

need to make sure that we have adequate funding and adequate resources

both on the law enforcement side and the security side, to make sure

that we have the tools available and that the FBI and others have the

expertise.

          One of the problems I think that got raised in the meeting --

not too facetiously -- is that every time we develop expertise in the

federal government there is such a draw from this powerful economy

that's going on that people leave government service and get into the

private sector.  And that's one of the reasons I think that the

President has proposed this program to create a federal cyber service in

which people can get trained in the security fields in exchange for debt

forgiveness or college loan forgiveness, to move forward and give back

in government service some years of service, kind of modeled on the ROTC

program.

          Q Are you saying that this administration has no plans at this

point to call for tighter laws to deal with --

          MR. PODESTA:  I think we're still examining that and we'll

discuss that again with the private sector, and we may have some more to

say about that.

          Q Mr. Podesta, it took the PanAm 103 crash to have the

government move away from a no double standard policy for terrorism

warnings.  Was there a consensus in this meeting that as far as cyber

threats go, there should be complete public access to all information

the government or the private sector has about potential security

threats?  Or are there still going to be circumstances where private

warning is appropriate?

          MR. PODESTA:  The short answer to your question about the

meeting is that that issue wasn't discussed.  I think there was a

recognition that we needed to have cross-sector dialogue, discussion,

and sharing of information -- sharing of security solutions across

sectors, not limited to one sector or another -- and that the meetings

that Bill intends to hold next week and in the future to create this

partnership and create potentially a center for exchanging that kind of

information, the details of which still need to be worked out.

          SECRETARY DALEY:  There is -- I think it would be fair to say

there's been a hesitancy to share information in the past.  I think that

is changing.  I think the incidents of the last week, the sort of

support that the President got today at the meeting, and the statements

made by Harris.  And we are looking forward to next week's meeting to

begin to put together a mechanism, led by the private sector, in which

this sort of information can be more widely shared.

          Of course, there's no way we could force somebody to tell

something that they found out in the private sector, or to give some

sort of proprietary information about their own company.  But this whole

process is to try to get a better acknowledgement of the fact that we're

all interconnected, and that has to be acknowledged.  And how do we deal

with this interconnection, and diminish the negatives of it?

          Q Mr. Podesta, you had talked about the need for more R&D,

research and so on.  Are you all planning on revisiting the 2001 budget

and perhaps asking for a little bit more?

          MR. PODESTA:  Well, as you know, we've got a 16 percent

increase in the 2001 budget over FY '99.  And much of that is aimed at

enhancing the R&D accounts in that budget.  We -- Neal Lane has been

charged with -- he's meeting with the PCST, the President's Committee on

Science and Technology, or thereabouts -- on Friday, to discuss how we

go forward with developing the institute, which will be housed at NIST,

to begin to develop a research and development plan for broader Internet

security.  And we want to involve the private sector in partnering in

that institute as well.  And our Science Advisor Neal Lane, head of

OSTP, will be dealing with that on Friday, and may have more to say

about that.

          But the accounts themselves, in terms of R&D, were plussed up

to a good extent in this 2001 budget.  And one of the things that I

think we got strong support from the private sector on is a commitment

to see that those are not just -- they're not just proposals, but they

actually get enacted into law.  I think last year we asked for about

$1.75 billion, and -- $1.77 billion, and the Congress appropriated about

$1.75.  So we've had pretty good success with getting those accounts

appropriated.  But we've obviously done a big plus-up here, and we want

to make sure that we get that money appropriated.

          SECRETARY DALEY:  If I could just add one thing.  The program

John mentioned that's going to be through NIST is $50 million, which is

obviously a substantial amount to begin this process for R&D.

          Q Mr. Podesta, the President said he was going to cut loose $9

million to jump-start some of these initiatives?  Where is that $9

million going?  Where's it coming from?

          MR. PODESTA:  That really is to do some preparatory work, some

jump-start work, spade work if you will, to get the work going on our

cybercorps, our federal cyber-service initiative, to get people involved

in colleges to go into the security field and return for some government

service, as well as to begin this institute that will be housed

eventually at NIST.

          Q Mr. Daley, when you have this meeting, this cross-sector

meeting, there's been stories and questions all day today about how the

financial industry, the banking industry, has this network that's set up

to share information.  They insisted that that information not be shared

with anyone else.  Are you going to implore them, strong-arm them,

whatever term you want to use, to come in and share information as well?

Because as far as they're concerned, the people I've talked to, they've

said they don't want to share information.  Everybody else is fine, but

they're not going to share information about when they're getting hacked

-- because they had a heads-up last Friday, or before that, on the 4th,

that something was going on.  And nobody else knew.

          SECRETARY DALEY:  I would only implore somebody.  I would

never do anything beyond that.  (Laughter.)  And of course, we will do

that and we will do it strongly, as the President did today.  The fact

of the matter is, we are all interconnected.  Some companies may take

that position that they'll share nothing with anyone, but the fact of

the matter is at some point that worm may turn on them and they would

wish that someone else had shared some information with them.

          So the fact is the private sector, hopefully, by encouraging

their colleagues in different sectors, will be able to move someone who

may have that attitude that you indicated.

          Q CNN reported that on January 29th, a company called

Envisioneering (phonetic) observed that its servers were being used in

an attempt at denial of service attack on both Yahoo and Amazon --

terminated that, but did not really understand the significance until

more than a week later when it met in professional conference on the

West Coast.  How will these new entities that you're describing make it

possible for that passage of time does not occur, and will there be a

way that people can -- on-line or by telephone, or whatever --

contribute these reports and --

          MR. PODESTA:  Well, I think that's the fundamental point of --

I may ask Harris to address this question as well -- which is, by

creating a more formal partnership, by dealing with a situation in which

people have essentially protocols for sharing information and then for

-- for understanding both the attacks, distributing solutions, and then

encouraging people to actually use them, rather than waiting to be --

that was another point I think that was made very strongly in the

meeting today -- that people kind of wait for their sites to be attacked

before they implement the appropriate tools that might prevent it.  And

I think by creating this partnership, again understanding the security

holes and being able to patch them, and encouraging individual companies

and places in the Net that might be weak points in the Net to actually

implement those solutions, we can essentially cut down on that time that

you describe between understanding an attack may be coming and seeing it

to fruition.  So the defensive tools can most clearly marry up with kind

of the offensive threat.

          Harris, do you want --

          MR. MILLER:  I think a lot of what came out at the meeting

today is that there is a lot of information out there, but, for various

reasons, it is not necessarily getting systematically to the widest

possible audience.  So this commitment and effort, through this effort

and others, is to get every business person who is on the Internet --

which is soon to be every business person -- to understand that in his

or her risk management assessment, paying attention to information

security has to be a high priority.

          And what we're going to try to do in this sharing information

is to make it as simple as possible, because people are very busy.

Business people are very busy with lots of different priorities --

making money, meeting payroll, developing new technology, et cetera, et

cetera.  So if we can simplify this as much as possible, make the

information sharing as much as possible, get people to practice what

some referred to in the meeting today and Mr. Podesta mentioned, as good

personal hygiene, realizing this is a priority, then I think a lot of

this problem would be solved.

          As one of the people pointed out in the meeting today, the

problem isn't in the Internet, itself, so much.  The challenge is

primarily on the businesses and organizations on the Internet.  And so

getting them to buy into giving information security a higher priority

and making it simple for them to do so is the key to widespread adoption.

          Q Mr. Miller, in the Y2K experience it became necessary to

pass legislation to give the business community some antitrust

protection before they could share this kind of information.  Do you

think the same thing is going to have to be done for cyber security?

          MR. MILLER:  Our legal committee is actually looking at that

issue right now to decide whether that would be appropriate and

necessary.  There are also questions about information shared with the

government in certain provisions under the Freedom of Information Act,

because obviously companies don't want to share information in what they

believe to be a proprietary closed system, and then find because of

existing FOIA provisions that somehow that information is available.

          So one of the provisions which you'll see in the statement

which we issued today, which is fairly general, but it says we're going

to look at all appropriate laws and make sure there are no impediments

to information sharing in the current legal system.  And I would hope

that if we identify those we'll be able to work with the administration

and the Congress to get those impediments removed.

          Q Mr. Podesta, you said that this was a global problem, a

global issue.  Are other countries doing enough?  Should they be doing

more?

          MR. PODESTA:  Well, I think that the other countries are doing

more, and other countries need to step up their efforts.  One of the

things that the person who runs the CERT out at Carnegie Mellon said is

that there are now 80 countries that have a similar threat center in

their own countries.  Obviously, there are more than 80 countries

connected to the Internet, and within those 80 countries themselves,

there's probably a higher or a lower level of participation.

          So I think we need to step up the pace of work around the

world because, again, these are network of networks that are global in

scale and need to be addressed in that fashion -- the borders are going

to matter a little bit less with regard to the kinds of attacks even

that we saw this past week.

          MR. MILLER:  The private sector is also trying to increase

collaboration globally.  My association works with 38 other high-tech

associations worldwide.  We've had info-sec on our agenda for the past

year and a half.  Again, it's been slow getting other countries to pay

attention to it.  I think the events in the last week will help that.

Our next meeting of our global association, which is called the World

Information Technology and Services Alliance, is going to be Geneva next

week -- because we're going to visit the WTO, Mr. Secretary.  But while

we're there, one of the issues we will be discussing is information

security, and also under consideration is the possibility of a global

conference.

          We were very instrumental in hosting one of the first global

conferences on Y2K back in 1998, in conjunction with other business

organizations, such as the International Chamber of Commerce.  And we're

going to look to see whether a global conference on information

security, either late this year or early in 2001, might also be

appropriate.

          THE PRESS:  Thank you.

                    END               2:17 P.M. EST


http://www.usia.gov/cgi-bin/washfile/display.pl?p=/products/washfile/latest&f=00021509.tlt&t=/products/washfile/newsitem.shtml

15 February 2000

Fact Sheet: Strengthening Cyber Security Through Public-Private Partnership

   (National strategy to protect nation's computer network and Internet)

   (The following Fact Sheet was released by the White House February 15
   on President Clinton's announcement about strengthening Internet and
   computer network security. Clinton also announced immediate steps the
   government will take to strengthen security for our nation's computer
   systems.)

   (begin Fact Sheet)

   THE WHITE HOUSE
   Office of the Press Secretary

   February 15, 2000

   Fact Sheet

   Strengthening Cyber Security through Public-Private Partnership

   Today the President and members of his Cabinet met with leaders of
   Internet and e-commerce companies, civil liberties organizations, and
   security experts to jointly announce actions strengthening Internet
   and computer network security. This meeting follows last month's
   release by the President of the National Plan for Information Systems
   Protection, which establishes the first-ever national strategy for
   protecting the nation's computer networks from deliberate attacks.

   During today's meeting, industry executives announced their intention
   to join others to create an Internet industry mechanism to share
   information on cyber attacks, vulnerabilities and security practices
   to better respond to cyber-attacks and deliberate intrusions into
   computer networks. Recently, other industries such as banking and
   finance, and major telecommunications carriers, have created industry
   partnerships for cyber-security.

   The President also announced immediate steps the government will take
   to strengthen security for our nation's computer systems:

   -- Accelerated Spending on Cyber Security - A $9 million budget
   supplemental for Fiscal Year 2000, jump-starting key initiatives for
   cyber-security contained in the President's FY2001 $2 billion budget
   request for cyber-security. The request will accelerate new programs
   to educate Americans for cyber-security careers, build a system for
   protecting Federal government computers, and create a new Institute
   for Information Infrastructure Protection.

   -- Research and Technology Development for Information Infrastructure
   Development - President Clinton supports federal government research
   and technology development for information infrastructure protection
   that the private sector does not have sufficient market incentives to
   generate on its own. The centerpiece of the federal government's
   efforts in this area will be the Institute for Information
   Infrastructure Protection (I3P), for which the President has requested
   $50 million in his Fiscal Year 2001 budget. The President has also
   requested a supplemental appropriation of $4 million for Fiscal Year
   2000 to jumpstart the Institute's preparations. Science Advisor Neal
   Lane and NSC National Coordinator Dick Clarke will meet this Friday
   with members of the President's Committee of Advisors on Science and
   Technology and other computer security experts, research specialists,
   and industry leaders in an effort to help fill the gaps in the
   nation's research agenda for computer network security.

   -- Partnership for Critical Infrastructure Security - Secretary Daley
   will participate in the first meeting of the Partnership for Critical
   Infrastructure Security next week to maximize cooperation between
   government and private sector initiatives for cyber-security. Since
   the vast majority of the United States' critical infrastructures are
   owned and operated by private industry, the Partnership recognizes and
   acknowledges that the Federal government alone cannot protect these
   infrastructures or assure the delivery of services over them. The
   Partnership will explore ways in which industry and government can
   jointly address the risks to the nation's critical infrastructures. It
   will provide a forum in which the various infrastructure sectors can
   meet to address issues relating to cross-sector interdependencies,
   explore common approaches and experiences, and engage other key
   professional and business communities that have an interest in
   infrastructure assurance. By doing so, the Partnership hopes to raise
   awareness, promote understanding, and, when appropriate, serve as a
   catalyst for action.

   Private sector membership in the Partnership is open to infrastructure
   owners and operators; providers of infrastructure hardware, software,
   and services; risk management and investment professionals; and other
   members of the business community who are stakeholders in the critical
   infrastructures. Government representation will include state and
   local governments as well as Federal agencies and departments
   responsible for working with the critical infrastructure sectors and
   for providing functional support for the protection of those
   infrastructures.

   (end Fact Sheet)

   (Distributed by the Office of International Information Programs, U.S.
   Department of State.)