VOICE ON THE HILL

The following is an excerpt from the Sept. 30 testimony by Harris Miller, president of the Information Technology Association of America, before the Technology Subcommittee of the House Committee on Science. Miller was speaking on the Computer Security Enhancement Act of 1999.""ITAA strongly believes that Information Security (InfoSec) will be the next Y2K issue for the information technology industry. What I mean by that statement simply is that InfoSec will require the attention of government and industry around the globe to prevent major threats to our global economy and society. First, frequent reports of vulnerabilities of IT systems are one indicator of the significance of InfoSec. One lesson we all may have learned from the year 2000 challenge is that information technologies now are pervasive, complex and critical. ... As recent headlines indicate, a number of government and industry computer systems have been under cyberattack.As the development and adoption of electronic commerce remains in a nascent stage, the issue of trust becomes increasingly important. Businesses, government and citizens alike must trust the security of their information and the identity of the person or company on the other end. They must know the systems they are using are reliable. Events that shake this trust, whether real or perceived, pose a threat to the development of [electronic commerce] and the continued outstanding growth of the IT industry. From China to Mexico, from Argentina to Germany, countries have come to recognize that IT is the engine of national development, accelerating the expansion of business opportunity and investment while acting as a buffer against economic downturns. The recent Department of Commerce report indicates that an incredible 35 percent of the nation's real economic growth from 1995 to 1998 came from IT. Any threat to the reliability of information systems poses potential threats to the delivery of services to the American public and to the economic health of our nation and other nations around the world. Industry already has begun to address the InfoSec issue through industry-led actions. In our role as sector coordinator for the information and communications sector, appointed by the Department of Commerce, ITAA and its member companies are raising awareness of the issue within the IT industry and through partnership relationships with other vertical industries, including finance, telecommunications, energy, transportation and health services. We are developing regional events, conferences, seminars and surveys to educate all of these industries on the importance of addressing information security. ... Science Committee Chairman James Sensenbrenner's (R-Wis.) remarks introducing H.R. 2413, is intended to accomplish two goals: Assist the National Institute of Standards and Technology 'in meeting the ever-increasing computer security needs of federal civilian agencies,' and to 'allow the federal government, through NIST, to harness the ingenuity of the private sector to help address its computer security needs.' ITAA supports both goals. We support federal efforts that result in increased actions by the civilian agencies to address computer security. Secondly, ITAA strongly supports the second goal, particularly its stated reference to the "ingenuity of the private sector" and its clear message that computer security solutions should be industry-led.Aside from underscoring the importance of computer security, H.R. 2413 also addresses a series of subissues under the information security umbrella. H.R. 2413 acknowledges a shortage of university students studying computer security, and addresses the shortfall by establishing a new computer science fellowship program for graduate and undergraduate students studying computer security.The challenge to find InfoSec workers is enormous, because they frequently require additional training and education beyond what is normally achieved by IT workers.The Computer Security Enhancement Act of 1999 also addresses a public key infrastructure and digital signature technologies. Broadly, ITAA believes that PKI and digital signatures will be essential technological pieces of the bigger picture of information security. While ITAA supports the broad themes outlined above, we would like to make a few suggestions to improve the legislation. One of the major factors contributing to the dramatic growth of the IT industry in the United States has been the environment industry self-governance and the role of marketplace competition. ...In terms of H.R. 2413, ITAA has concerns with the use of the term "standards." Why? Broadly, the IT industry often sees standards as a snapshot of technology at a given moment, creating the risks that technology becomes frozen in place, or that government coalesces around the "wrong" standards.As noted author on business change Geoffrey Moore has described, technology often goes through a period best illustrated as a tornado. During this period, companies are developing competing products to meet marketplace demands in a variety of ways. Gradually, the tornado will play out, and market-driven industry leaders will emerge. The information security market is at this tornado stage, and efforts by the federal government to establish standards would hinder the natural market forces from working.While ITAA acknowledges the desire within the federal government to achieve interoperability of products and systems through standard-setting efforts, we believe the IT industry can address this simply by responding to the marketplace demand. Rather than establishing standards, we respectfully suggest the drafting of guidelines or best practices.The past is littered with mandated standards that have failed. We cannot afford to take that path again. The technology is robust enough to allow custom solutions that allow interoperability. The United States and much of the world are building their economic house on an IT foundation. This is an extremely positive approach to take, delivering tangible benefits to a fast growing percentage of the world's population. As we build this house that reaches to a better, more prosperous and democratic future, we must be ever vigilant of cracks in this structure."