Cyberwar Policy Awaits Final Approval

A still-unreleased White House executive order gives industry and privacy proponents only a small role in the preparation of a national cyberspace defense policy, according to government and industry officials.

The long-delayed executive order, titled The President's Commission on National Infrastructure Protection, is awaiting approval by President Bill Clinton, said industry officials. The executive order calls for the creation of a multiagency commission, headed by a chairman drawn from the infotech industry, to sketch by early 1997 a cyberspace defense policy against hackers sponsored by foreign governments, such as Iran and Iraq.

Government officials, such as John Deutch, director of the Central Intelligence Agency, say they are worried that hackers may try to wreck critical information networks, such as the computer-controlled phone system, power grid and air traffic control networks, during a crisis or war.

If approved by Clinton, the commission is expected to hold public hearings where industry officials, privacy proponents and other public-interest groups would be invited to recommend or discourage government defense measures.

Disagreements over industry's role have delayed the selection of the commission's chairman, perhaps delaying approval of the executive order until late summer, said industry and government officials. Industry executives said the dominant role played by government officials on the panel will likely sway its conclusions in favor of government agencies, and weaken much-needed cooperation by the information industries, which include software, computer, telecommunications and systems integration companies. Industry's only representative on the commission is the chairman, whose name has not been released

"What they are doing makes little sense," said one infotech industry executive. Government officials "can regulate until they are blue in the face, but that won't provide security," he said.

Any extra expense undertaken by companies ? such as investing in security technology or adhering to new regulations ? should be funded by the government, he said.

Industry's minimal role also raises concerns that the commission could be used by government to increase its regulation of telecommunications and the Internet.

For example, any effort to defend the nation's information networks will require companies to make large-scale use of encryption technology, which is hindered by restrictive export regulations. ?You can't solve the problem without encryption, and encryption is [too difficult] an issue to do," said an executive working in the information security business.

But government officials have shown no willingness to compromise on their fundamental demand that law enforcement officials be given the ability ? after a court approves a wiretap order ? to crack open messages protected by exported encryption technology, said the official from the systems integration company. On July 8, the Department of Commerce announced it would soon form a 24-member panel of encryption experts to advise government officials as they design an encryption scheme for government use. The panel will include experts from outside the government.

The government should relax its restrictions on encryption, which hurt international sales of U.S. software programs and ease foreign eavesdropping on U.S. companies' communications with overseas subsidiaries and clients, industry officials say.

Privacy proponents are also concerned about the commission's impact. "The concern we have is over military interference in civilian infrastructure... simply because the government classifies too much [information] and wants to control everything," said David Sobel, an attorney with the Washington-based Electronic Privacy Information Center. For example, the government could try to use the commission to ease monitoring of electronic databases and restrict the use of encryption technology within the United States, he said.

The commission is to be run by a small executive panel whose members will include the chairman and representatives from the departments of Justice and Defense. A representative from the Department of Commerce or the Federal Emergency Management Agency may also serve on the panel.

The commission's main working group will include representatives from the departments of Justice, Defense, Commerce, Treasury, Transportation and Energy, as well as from the FBI, FEMA and the National Security Agency. The NSA, Fort Meade, Md., is responsible for protecting classified government communications and for cracking foreign messages.

White House officials have not decided whether to publicize the executive order once it is signed, said one White House official.

The government's dominant role on the commission has also hindered the recruitment of industry executives willing to serve as chairman, said the information security executive.

"Their struggle has been to get a real businessman," not just a former intelligence official or military officer who is now working in industry, he said.