Cyberattacks knit closer ties between US, industry
Private Internet firms, long wary of government, are gathering at the White House tomorrow.
WASHINGTON — The FBI is engaged in an intense cyberhunt in the wake of last week's unprecedented attacks on some of the world's largest Web sites. But it's not hunting alone.
Working hand-in-glove with the feds is the private sector, the same Internet and high-tech companies that have consistently rebelled against government interference in their pioneering industry.
The unusual cooperation foreshadows a new security order in which the government and the private sector will have to work together to a degree not seen except in national emergencies.
"It can no longer be a case of the government leading and the private sector following," says Frank Cilluffo, cyberwar expert at the Center for Strategic and International Studies here. "We have to rethink our national security. Our economic security is our national security. We have to expand who sits at the table."
That is the impetus behind a White House meeting tomorrow, in which the sandals of Silicon Valley will meet the wingtips of Washington to try to forge a combined force for Internet security. It's an uneasy alliance for both sides, and one which will likely go through several incarnations, but last week's attacks indicate some kind of partnership may present the strongest force against cyber-terrorism.
At the summit, President Clinton will expand on his "national plan" for online security, which he outlined in January. Internet executives, meanwhile, are expected to announce new voluntary, cooperative defense measures, according to a National Security Council (NSC) official.
Moreover, in his 2001 budget, the president is pushing several initiatives to tighten links between the government and the private sector in defending the nation's infrastructure against hackers or cyberterrorists.
Arguments for a partnership
To understand why a partnership may be imperative, consider that 95 percent of the Pentagon's telecommunications needs are linked to private networks.
The $2.03 billion budget proposal includes funds for a new institute that would set federal and private energies to work filling research-and-development gaps, such as detecting computer intrusion. It would also subsidize college for students who promise to work for the government in cybersecurity jobs, instead of taking more lucrative positions in the high-tech industry.
Another aspect of the president's plan is to establish industry groups in which sectors share security information with one another and, possibly, with the federal government.
One such consortium already exists in the banking and finance industry, and another in the telecommunications industry. Only the latter, though, links to the government.
Mr. Clinton is urging the establishment of six such groups, including transportation, the Internet, energy, and emergency services.
The NSC official hopes tomorrow's summit will give "impetus" to the Internet group. "We're willing to unilaterally share intelligence with trusted partners, but industry needs to organize itself," says the official.
It is precisely the issue of "trusted partners," however, that is the greatest challenge to a public-private partnership in cyberdefense. While both sides have something to give - the government with its vast intelligence and law-enforcement experience, and the nimble Internet companies with their huge economic potential - they also confront old mistrusts in any new relationship.
"People are naturally wary of having the FBI in their underwear drawer," says Roy Thetford, director of CyberSecurity Center, a group within Carnegie Mellon University in Pittsburgh. "A lot of these companies are afraid to disclose to the government that they've been compromised."
For years, for instance, the federal government has blocked US companies from exporting high-end encryption technology overseas. Federal security agencies argue that the data-scrambling equipment would make it much more difficult to track terrorists.
But their solution - a special "back door" in which the government under certain circumstances could peek at the data - has proved unacceptable to encryption firms. No foreign company or government will buy software if they believe the FBI or CIA could read it, the companies say.
"We sort of feel we're between a rock and a hard place," says Mr. Thetford, whose group aims to move information-security technology from the lab to the commercial sector. "We really want to secure the infrastructure. On the other hand, we don't want to jeopardize privacy."
Designed as a decentralized system, the Internet works like a giant chain. Even if some sites enhance their own security, attackers can still get to them by targeting weak links in the network. On Friday, for example, two California universities acknowledged that each of their computing systems was manipulated and then used in last week's attacks.
Those attacks are already spurring Internet-connected businesses to beef up their defenses. Internet-security firms report business has jumped dramatically in the past few days.
And with good reason. Even a few hours' downtime or service slowdowns are costly. The attacks will probably cost the affected Web sites more than $100 million in lost sales and advertising, the Yankee Group estimates.
Significant steps in the direction of public-private cooperation have already been taken. As White House spokesman Joe Lockhart points out, it's not as if the officials and executives meeting tomorrow need to be introduced to one another. The administration has been working with the private sector for several years to determine its cyberdefense strategy.
Y2K was a promising start
Indeed, ground zero for the Web investigation - the National Infrastructure Protection Center at the FBI - includes workers from industry. That's unique in government investigation, the FBI says. And observers inside the Beltway and out point to successful coordination in handling the Y2K threat.
Still, most observers, including the president, agree the nation is only at the beginning of a completely new relationship in defense against threats in the Information Age.
"No entity - government or otherwise - has all the expertise in this," says Daniel Schrader, vice president of new technology for Trend Micro, an antivirus company based in Cupertino, Calif.
"It will definitely be a partnership," he says. "Someday we may evolve into a new type of enforcement order. [But] I don't think we're going to see it anytime soon."
(c) Copyright 2000. The Christian Science Publishing Society