Cyber Defense Plan Draws Industry Fire

By Neil Munro
Staff Writer

An industry coalition is preparing to oppose key segments of a draft government plan for a national defense system against hostile hackers, due to be sent to the White House by mid-October.

The President's Commission on Critical Infrastructure Protection is set to recommend a variety of legislative changes to help government agencies and companies protect their critical computer networks from sophisticated attacks funded by hostile foreign countries.

Among the changes to be urged by the panel are tax deductions to ease the purchase of secure computer technology, longer jail terms for hackers, an extra $250 million per year of government investment in anti-hacker technology and the creation of a joint government-industry security center, said Robert Marsh, a former Air Force general now serving as chairman of the commission established last July by President Bill Clinton.

The government-industry center would allow government and industry officials to quietly swap information about hacker attacks, Marsh said, bolstering protection of computer networks used to operate the telephone, air traffic control and banking system, as well as the computers used to manage the flow of electricity, water, fuel and gas.

"If the plan is implemented, within a matter of several years we can be much, much better protected than we are today," said Marsh.

But many industry officials have other ideas. If the government is worried about the impact of hacker attacks during wartime, it should fix its own networks and allow the information technology industry to provide whatever anti-hacker defenses the market demands, said Bill Poulos, the Washington-based manager of technology policy issues for Electronic Data Systems, Plano, Texas.

If government officials want more security than what the market demands, "send us the specifications, tell us what government wants and attach the check," Poulos said.

Moreover, "there is no consensus about the nature and magnitude of the [hacker] threat," argued Steven Aftergood, an analyst with the Washington-based Federation of American Scientists. Without good information on any threat, "it is hard to endorse the expenditure of billions of dollars ... [and] maybe the marketplace will adapt with enough ability to minimize the threat," he said.

Marsh's panel, which includes 10 government officials, 10 industry and academic experts and an affiliated group of industry advisers, has won support for its plans from the public and from industry, he said. He has also won support from two influential Washington insiders: Sam Nunn, who served as a Democratic Senator from Georgia until 1996, and Jamie Gorelick, who served as deputy attorney general until early this year.

"We see the need for a joint public-private sector activity to gather information, analyze it and issue warnings based on those analyses," Marsh said. The center is needed because the networks are vulnerable to destructive hacker attacks, and because industry officials are reluctant to publicize security flaws that might generate embarrassing press reports or expensive lawsuits, said proponents.

However, "it is a private sector job to educate [people] about how important it is to improve security practices and disseminate information about the threats," said Rhett Dawson, president of the Washington-based Information Technology Industry Council.

Industry officials already swap information about hacker attacks, so "we don't necessarily think you need to have a government clearinghouse over the private sector," said Dawson, whose group is funded by companies such as EDS and IBM Corp., Armonk, N.Y.

"We think we do have the economic incentive to deal with national security threats" posed by hackers, Dawson said.

"We are not in favor of a government organization to which we must report," said Poulos.

In response, Dawson's group is trying to create an Information Security Foundation that would try to educate companies and citizens about the dangers posed by poor computer security. The foundation has drawn interest from information technology manufacturers and from banks, he said, adding "we don't have any commitments, but we think this is a better way to go."

Also, a group in Baltimore is trying to win industry support for another industry-only center that would swap information among companies and raise public awareness of hacker threats. The group, which is partially funded by companies such as Dell Computer Corp., Austin, Texas, is run by WarRoom Research LLC, a small consulting firm based in Baltimore.

So far, Marsh's planned center has no takers from industry. "We don't have a commitment. We have interest" from companies, he said.

Dawson and Poulos also expressed opposition to another feature of Marsh's plan: the drafting by industry of nationwide standards that would show executives what steps they should take to combat hacker attacks.

Once industry has drafted the standards, insurance companies would insist that companies adopt them or else pay higher premiums for insurance against hacker attacks, say proponents. Also, lawyers suing on behalf of a client who has suffered financially from a hacker attack could cite a company's failure to adhere to the standards as evidence that it was careless about the danger posed by such attacks, say proponents.

Also, "we would expect the government [procurement rules] to give preference to those companies that meet the standards," said Marsh.

However, "standards-setting right now is adequate," responded Dawson.

"Standards-setting is industry-led, voluntary, market-driven. ... Any attempt by a government to insert itself into that process would not be good," said Poulos.

Dawson welcomed another feature of Marsh's plan that urges the tax laws be changed to allow companies to deduct the entire cost of a new computer system from their next tax bill. "How can you argue with that? ... It would be interesting if they get Treasury sign-off on that," said Dawson.

Other features of Marsh's draft plan include proposed changes to antitrust law, the Defense Production Act, the War Powers Act, the Computer Security Act of 1987, and the federal sentencing guidelines.

The antitrust law should be amended to ease companies' sharing of information about hacker attacks, while the Computer Security Act should be changed to increase government agencies' focus on protecting the reliability of their networks, rather than just protecting the secrecy of their data, he said. The sentencing guidelines should be toughened to increase penalties on hackers guilty of breaking into computers and networks, he said.

Marsh declined to provide further details about the proposed changes, saying only that "we will probably make some recommendations to bring them up-to-date to cope with the cyberthreat."

Among the spending programs envisaged by Marsh is doubling the federal government's annual research into computer security technology from the current total of roughly $250 million to $500 million.

Also, the government should consider offering interest-free loans to help companies buy computers and networks secure enough to defeat sophisticated hacker attacks by hostile foreign countries, rather than just routine hacker attacks by thieves, he said. The fund would support spending "above and beyond what you would expect a prudent business to take in its own interest," he said.

One issue that the commission will largely ignore is the raging controversy over encryption. Department of Justice and FBI officials want curbs on the sale of unbreakable encryption technology that can be used by criminals to hide their activities. In response, industry executives and civil liberties advocates say widespread use of encryption technology would defeat computer hackers and also protect citizens' privacy from government intrusion.

"We will be supportive of the administration's [encryption] position as it firms up," said Marsh.

Marsh will send his final recommendation to a steering committee that includes the deputy attorney general, the deputy secretary of defense, a White House official and a representative from Vice President Al Gore's office. The committee can change the report before sending it to Clinton's desk, said Marsh. No date has been set for final approval by Clinton, said Marsh.

"That's above my pay grade, but I would not expect this to drag on very long," because the commission's report is being written in close consultation with the steering committee, he said.

Industry officials can lobby against the commission's report once it reaches the White House or when it is debated by Congress, which must pass the laws needed to implement the recommendations.