Americans for Computer Privacy -- "ACP" -- is a broad-based coalition that brings together more than 150 companies, associations and interest groups and more than 6000 individuals.
Our members created ACP to focus on issues at the intersection of electronic information, privacy, law enforcement, and national security.
During the last two years, ACP led the private sector's effort to permit the widespread use of American encryption products. With strong Congressional support -- including many on this Committee -- we succeeded in persuading the Administration to change its policy and relax export controls.
That's important because greater use of encryption will help prevent cyber crime and promote our national security.
But more needs to be done to protect our critical information infrastructure. ACP takes extremely seriously the need for increased cyber-security throughout those sectors of our economy that today are so reliant on information systems.
ACP strongly believes that a voluntary cooperative partnership between government and industry is the only approach that can succeed in protecting critical information infrastructure.
So what should the private sector do?
First, companies need to keep improving information security -- just like they have been doing for years. It is the private sector that owns and operates the networks, systems, products, and services that make up the information infrastructure. It also is the private sector that possesses the knowledge and expertise necessary to protect it. Unfortunately, there is no one single "silver bullet" for the problem of information security -- rather, it is a process of continual improvement.
Second, we all have to practice good "security hygiene" and to educate others to do so. We seem to have made some progress -- according to a recent Pew poll reported in the Washington Post, only about 25% of users who received the Love Bug email attachment actually opened it. That's real improvement. The private sector needs to continue to spread the message that, just as you wouldn't let anybody into your house, so you shouldn't let just anybody into your computer.
Third, industry needs to share information among itself and with the government about threats and vulnerabilities, as well as best practices. In this regard, ACP has met with representatives of the National Security Council, the FBI, and Department of Commerce. Furthermore, several of ACP's members will be serving on the President's National Infrastructure Assurance Council, a CEO-level group that is being formed to advise the President and Cabinet. Many of ACP's members are also active participants in the Partnership for Critical Infrastructure Security, a cross-sector, cross-industry effort.
Of course, the government also has an essential role to play. There are five things the government should do:
First, it is important for the government to share information quickly with the private sector. This includes alerts of particular threats.
Second, government should lead by example. Government needs to do a better job of protecting its own computer systems.
Third, government needs to increase training of law enforcement personnel, including those at the state and local levels. ACP strongly supports funding for this purpose.
Fourth, the government needs to strengthen its technological capabilities. ACP supports funding so that law enforcement has the same state-of-the-art hardware and software possessed by criminal hackers.
Fifth, we support the idea of new cyber security scholarships and the creation of a new "cyber corps" of those with specialized educations in cyber-security.
I want to conclude with an important point. ACP strongly believes that the government must proceed cautiously and should not rush to pass new legislation.
There is little doubt that true cyber crime is already illegal under our existing laws and could be prosecuted. Moreover, the private sector will continue to cooperate with and assist law enforcement in investigating and prosecuting cyber criminals as it has done in the past.
We are concerned about the possibility of overreaction to recent denial of service attacks and Internet viruses.
It is essential that the government not use legitimate threats to computer security as a justification for assuming new powers of regulation or imposing new burdens on industry. New government controls, technology mandates, or federally imposed standards will not lead to better cyber-security. Instead they would stifle innovation and harm the very infrastructure that needs protection.
The government also should not use legitimate threats to computer security as a justification for threatening privacy rights. The government must not increase widespread monitoring of Americans, as was proposed in the original FIDNET plan. We fully support giving law enforcement the requisite resources and training to investigate and prosecute cyber crime. But just because we know someone will commit cyber crime, it is not appropriate to watch closely what everyone is doing.
Chairman Hatch, you and Senator Leahy and other members of the Committee have introduced legislation addressing different aspects of cyber crime and critical infrastructure protection. As we have explained, there are some positive steps that could be taken. But there is no need to rush forward with legislation. Hearings such as these are essential to examine the complex issues. Indeed, ACP has questions and concerns about several aspects of these bills and I would be pleased to answer questions.