THE FORUM ON TECHNOLOGY & INNOVATION
CYBERCRIME/CYBERTERRORISM
IS OUR INFORMATION INFRASTRUCTURE
VULNERABLE?

WEDNESDAY,
MARCH 24, 1999
     

This transcript was produced from tape provided by the Council on Competitiveness.
I-N-D-E-X

INTRODUCTIONS
Senator Bill Frist

FEATURED SPEAKERS
Arnaud de Borchgrave
Director, CSIS Task Force on Global Organized Crime

Alan Brill
Senior Managing Director, Kroll Associates

Scott Charney
Chief, Computer Crime and Intellectual Property Section, Criminal Division, U.S. Department of Justice

REMARKS
Senator John D. Rockefeller

P-R-O-C-E-E-D-I-N-G-S

SENATOR FRIST:
(Tape starts in mid-sentence.) ...experienced compromises to their computer security systems that resulted in significant economic losses. Banks and financial service companies appeared to be particularly vulnerable. Let me go ahead and introduce our speakers. Again, all of you know our speakers have their biographies in the materials with you, but I would like to more formally introduce them. And then after Senator Rockefeller's remarks, we will come straight in with the panel.

Arnaud de Borchgrave, President and CEO of United Press International, was Newsweek's Chief Foreign Correspondent until 1980. He has interviewed the world's most admired leaders and covered the major wars of the last four decades, including seven tours in Vietnam, where he was wounded twice. He was named Editor-in-Chief of the Washington Times in 1985. He presided over major gains in the circulation and influence of that paper. He became Senior Advisor at the Center for Strategic and International Studies in 1991, where he directed the project on global organized crime.

Alan Brill is a Senior Managing Director at Kroll Associates, a leading private investigation and security consulting firm providing info-protection and risk reduction services to businesses worldwide. His work has ranged from large-scale information security reviews for multi-billion dollar corporations to criminal investigations of computer hackers and other cyber-frauds. He is the author of three books in the field of information security and has published dozens of articles on the subject and has appeared on television, 60 Minutes, Dateline NBC, and many other programs on the topic.

Scott Charney, Chief of the Computer Crime and Intellectual Property Section of the Criminal Division of the U.S. Department of Justice, has been responsible for implementing the Department's Computer Crime Initiative since its creation in February of 1991. He currently supervises 14 federal prosecutors who handle high tech matters on a full-time basis. He authored legislation that substantially amended the Computer Fraud and Abuse Act.

With that, and if Senator Rockefeller is not walking in the door, rather than referring to his remarks, why don't we go ahead and start our panel. We are going to start with   --  

MR. ROONEY:
Arnaud Borchgrave.

SENATOR FRIST:
Mr. Borchgrave. And we are going to expect remarks of about 10 minutes?

MR. ROONEY:
Yes.

SENATOR FRIST:
About 10 minutes. After which, we will go into a free-flow of discussion and questions from the floor, and we will be moderating and keeping the remarks sharp, crisp and to the point. If we get off target, you bring us back.

SENATOR FRIST:
Here comes Senator Rockefeller.

SENATOR FRIST:
Do you want to start or go straight with the panel? We are going to go straight in and then have you make your remarks.

SENATOR ROCKEFELLER:
That is fine.

SENATOR FRIST:
Mr. de Borchgrave.

MR. de BORCHGRAVE:
W.C. Fields was on his deathbed one day reading the Bible and a friend asked him, what are you doing, and he said, looking for loopholes. Which is an allegory for how governments have been behaving since the end of the Cold War. There seems to be a reluctance which at times borders on paralysis to face up to certain rather unfashionable or unpalatable facts of life, such as the steady erosion of the nation state in cyberspace.

The computer, as we all know, has empowered the individual to the detriment of national sovereignty. Today's PCs with power and speed that equal yesterday's supercomputers of about a billion moves per second will seem quaint tomorrow. Lasers became force multipliers for microprocessors, and cheap high performance sensors will dominate the next 10 years, when the Web will become an interpersonal environment in which information assumes a key role in supporting human interactions. Micro and nano-technology will be next. MIT's Aerospace Engineering Department has developed a rocket engine that is 3 mm wide and 1.5 cm high. In other words, today's snapshot becomes irrelevant tomorrow.

Saul Bellow once said that a great deal of intelligence can be invested in ignorance when the need for illusion runs deep. Unfortunately, the need for illusion is an evergreen commodity. Such as the information superhighway as a bridge into the 21st century. Every year   --   there six Ph.D's incidentally   --   only six Ph.D's in computer science whose focus is on information security. And of those six, only one or two are interested in going into academia. We have lost a whole generation of teachers. We should be having thousands in this field, not six. For a very simple reason. The U.S. has erected immensely complex information systems on rather insecure foundations that are now part of this seamless global electronic Web, and those who wish us ill recognize this dependency and are developing weapons of mass disruption, which shares the same acronym with weapons of mass destruction.

Following CSIS's four reports on global organized crime we released last December 15 up here on Capitol Hill, the project that was titled, "Cybercrime, Cyberterrorism and Cyberwarfare" with the subtitle of "Averting an Electronic Waterloo." Adversaries, enemies, terrorist groups, transnational crime syndicates, foreign espionage agencies, and increasingly insider saboteurs all know that our real assets are in electronic storage and not in Fort Knox. The CIA treats information warfare as one of the two principal threats facing the United States. The other one, of course, is weapons of mass destruction and terrorism.

Information warfare weapons are changing the very character of conflict more fundamentally, in my judgment, than anything in history, including gunpowder and nuclear weapons. While weapon systems take up to 18 years to develop, to procure, to produce and to deploy, information warfare weapons double in power and speed every nine months, just like computers. Armed with the tools of cyberwarfare, rogues or sub-state or non-state actors are now powerful enough to destabilize and eventually paralyze targeted states.

IW weapons can and already have outflanked and circumvented military establishments and compromised the underpinnings of both the U.S. military and civilian infrastructure, which these days is one and the same. The U.S. is now playing catch-up. Witness the back page interview in the current issue of Defense News Weekly with General John Campbell, who commands the Pentagon's Computer Network Defense Task Force, which now has just 10 people, and it will have 24 by June. There is no, as those of you who surf or cruise the Net know   --   there is no shortage of terrorist recipes on the Net, step-by-step cookbooks for hackers and crackers and of course terrorists.

President Clinton was not referring to the future when he said in his Naval Academy address, totally ignored by the media last May, "Intentional attacks against our critical systems are already underway." Richard Clarke, the new cyber czar at NSA, expanded on this in a speech last December 7, again promptly ignored by the media, because as you know, our profession was engrossed with the gross at that time.

Eight nations have developed information warfare capabilities comparable to the U.S. arsenal. About 100 others are developing them. And even traditionally friendly nations have used their electronic capabilities to penetrate triple fire walls protecting our systems and penetrated high tech corporations, literally siphoning out billions of dollars worth of proprietary secrets.

We are just allowed 10 minutes. I will stop there and handle questions later. Thank you.

SENATOR FRIST:
Thank you very much. Alan?

MR. BRILL:
Thank you. My name is Al Brill. I am a Senior Managing Director at Kroll Associates. I manage the firm's global high tech investigations practice. Kroll Associates, you know, is part of the Kroll-O’Gara Company. We are an international firm. We help corporations to mitigate risk. Those range from very traditional investigative tasks to high tech tasks.

Many of the discussions I have heard over the years about cybercrime and cyberterrorism are rather theoretical, what could happen or what might happen. I thought it would be a useful way to spend my 10 minutes if I talked about what really happens. The kinds of cases that come to us for investigation. We have a group called the Information Security Group in our company that helps prevent things from happening. My group gets a call when something bad happens to good corporations involving cyberspace. We help corporations investigate incidents involving computers, whether they are by outsiders or by insiders. For more than a decade, we have provided some of this country's and the world's leading corporations with looking at incidents of computer intrusion, abuse and misuse.

So I would like to tell you today about the three kinds of cases that we see most frequently today and identify some of the cyber-risks that face American corporations as we together break the Y2K barrier. Just speaking for a second of Y2K, we have seen a couple of risks that most people don't think about. One is that sometimes you are trying to get your Y2K problem fixed, and what you don't know is that all of your code, all of your programs that have many of your real company secrets built into them, suddenly find themselves taking a trip overseas, sometimes to a Third World country that doesn't have a lot of protection of intellectual property. So while you feel good that you are getting your Y2K problem fixed, your data or your secrets are taking a vacation somewhere where a quick copy can occur. Maybe a back door gets put into a program.

But we are not really here to talk about Y2K. We are really here to talk about the things that go wrong. Almost a decade ago, Scott told me something that I have never forgotten. He said that the basic philosophy of his business was that at any given moment there is a percentage of the population that is up to no good. That is true. And a lot of those people these days are quite computer literate. First, we are called on in cases that you can think of as an external penetration or an attempted external penetration. I don't really care whether you call them hackers or crackers or industrial spies, they are out there. And any company that doesn't defend its intellectual property and its proprietary information against these attacks is foolish.

A couple of thoughts to share with you on these. First, many corporations in this country have not acknowledged that they are targets and have not taken reasonable steps to protect themselves. I am not saying there is any approach that is 100 percent perfect. But I am saying that to ignore this problem is dumb. You have to evaluate how you are going to be affected if you lose information and take some steps to protect them, cost effective steps. Remember, many so-called high tech incidents involve very low tech problems like discarding confidential computer reports without shredding them. Second, the software that U.S. and in fact global companies are using today is too often delivered right from the manufacturer with security deficiencies built in. Think of them as holes. This can be very serious. Now the manufacturers find out about these holes, either from their own research or quite frequently from incidents in which the security of their system is breached. Now sometimes various groups will even post the details for exploiting these vulnerabilities before the manufacturers hear about them or get a defense into place. For example, last week Microsoft Corporation released a set of security updates to its extraordinarily popular Office 97 product that closed holes that have been identified. Now there is no question but that they worked very quickly to understand the problem, and not only to develop a solution that would work but that would be easy to install, and that is not easy to do.

Now the major U.S. manufacturers, Microsoft, Netscape, Sun, HP   --   you know them as well as I do   --   generally do a pretty good job of creating these patches for acknowledged problems and posting them on the Web. But here is the problem. We don't see corporations following through to install the patches. Sometimes they don't even know that a patch is out there. What that means is they may be running software with known holes and known ways of using those holes and nobody cares, and that is not good. Information technology departments in most companies haven't wrestled with the problem of how to do continual reinstallation of software that you just installed. To do thousands of installations of major products takes time. And every time there is a new patch, whether you call it a patch, a service release or a new version, you can spend hundreds or thousands of hours updating. Well, if you don't do it, you are running with a hole in security.

Now it is my sense that this problem is no less serious in government, which uses the same software as corporate America, and maybe more serious in terms of potential risk to confidential government data than we have thought about. I don't know of any study that has been done on the government's handling of this issue, putting in security patches when they come up, but I suspect that it would be very valuable and very interesting to take a look at.

Now you have all heard about fire walls. You should know that there are various kinds of fire walls on the market. They range from simple ones that are hardware based and that are quite easy to install, up to very complex software-based ones with tremendous flexibility and tremendous power, but which require ongoing commitment to maintenance to keep closing the holes that get identified. We see too many instances of organizations using more complex fire wall products than they need and of not providing that maintenance. So they want the complexity and they don't want the maintenance. What is the result? You run with holes. Those holes are documented and that is not good. Too often we lose simplicity for no good technological reason. And, in fact, fire walls are not enough.

It is our experience that the majority of incidents involve insiders   --   employees or former employees, contractors, temps, vendors   --   that are already inside the fire wall. Fire walls aren't going to catch them. They are inside of it. So there are new technologies, generally called intrusion detection systems that you will be hearing about in the next year or so that exist and are being developed to catch insider crime. And the government, particularly the Defense Department, has really taken a lead in some of the work in this area and they should be very proud of that lead.

The second kind of case that we encounter does involve instances where the insiders I was just discussing are at the heart of the problem. A frequent scenario   --   a senior technical or management official leaves one company and on the way out misappropriates that employer's intellectual property and proprietary information. This is becoming very common, partially because stealing the information has become so efficient. A 4 mm tape cassette, half the size of an audio cassette, can hold 12 to 24 gigabytes of data, roughly the equivalent of 5 to 10 million pages of text. Just to give you an example, a computer chip which may have a commercial value of billions of dollars, the entire design of that chip fits very easily into one of these cassettes half the size of an audio cassette. The raw material cost for pulling off this kind of a scam is the cost of a tape   --   low end, $4.00, high end, $25.00.

Now unfortunately, some of the new employers are delighted to get this information. Others   --   we hope most are in this category   --   are actually horrified by these thefts and notify the victim. The most interesting thing, and you already all know this, is that most incidents will never be treated as a criminal matter. Assuming that anybody knows that something went wrong, and most of the times that doesn't happen, the incidents are handled either administratively or through civil action.

Let me just give you two phenomena that I found interesting. First, many companies that would not let an employee touch a computer or see any confidential information without a signed, binding non-disclosure agreement, regularly let temps, who they generally don't know from a hole in the wall, walk in, give them a password, and they have access to everything. That makes no real sense. Why would you let a relative stranger access data with less protection than an employee would have?

Second, we have done a number of investigations where false evidence has been deliberately planted in corporate computers to either substantiate allegations of harassment or to create a document that later gets claimed as evidence of a substantial debt that never really existed. This is certainly an example of why we need well-trained computer forensic investigators, who can not only locate potential evidence in a huge hard drive on a computer, but can actually analyze it to determine its evidentiary validity as well.

I want to tell you that we are being frequently, almost daily, called in to assist in a third type of incident. And that is companies being harmed by information posted about them on the Internet. Anonymous postings on Websites like Yahoo Finance or Silicon Investor may contain information that is not just incorrect but is wildly wrong. Now sometimes the people who are posting this say they are insiders or claim to be financial analysts. We have seen cases of lies posted that damage not only corporations but innocent individuals as well. And sometimes we get called in not because the information being posted to the Internet is false, but because it is true. Now posting unreleased financials, for example, or releasing a technology secret is a wonderful way to cause a short-term movement in a stock. And why not do this? In today's world of day trading, the short term is really short. And putting out some unauthorized truth or a complete fiction can move the price just enough to act on it. I know this is an area that our securities regulators are looking at.

There is no doubt the need for technically qualified investigators to track down perpetrators through the Internet is growing. They are in short supply. We have investigated a number of cases of information releases over the Internet. Many of these cases did not turn out to be for the personal profit of the perpetrator. Why did they do it? I was fired. I was laid off. I've got something against the company and I am going to get even. A colleague of mine, Ernie Broad, put an Op-Ed piece a while ago in the Wall Street Journal that said that in today's mergers and acquisitions environment, companies are setting themselves up for this get-even mentality, but yet they don't think about that.

Here is another one. I hate the company. I work there and they pay me, but I hate them and I want something bad to happen to them. Another one that is even more interesting is I love the company and I am so proud to put this information out to show how good we are doing, and it never occurs to them that maybe they shouldn't be doing that. And the final one is I really don't give a damn about the company, but I like demonstrating on the Internet how smart I am. We have seen that a few times.

When we are faced with this kind of a case, we come up against the problem of assumed anonymity on the Internet. You can register at any of these discussion sites and every question they ask you to identify yourself, you can lie and you still get registered. So looking at a registration doesn't help. Sometimes our clients go into court to get court orders to obtain detailed information from site operators. We look for the Internet address that the registration and problem messages come from and we can trace those in many cases. It is really interesting when you trace it and it shows up on the desk of a former employee at a new employer. We just had one that showed up in a public library on a public use machine, which was kind of interesting.

The issue, obviously for your consideration is if and where to place the limit on free versus sanctionable speech. Clearly, using the Internet to do things like manipulate stock prices is no more acceptable than manipulating it in any other way.

Let me just close with an observation. When it comes to the investigation of computer crime and computer related terrorism, our nation's ability to investigate is dependent on the ability of trained law enforcement personnel. Even though the training provided by the organizations most thought of in this area   --   Search Group, Federal Law Enforcement Training Center, FBI Academy   --   do a great job, I would urge you to compare the supply with the demand. We don't have enough people in any level of law enforcement trained for technology investigations. I did an informal survey a few years ago, and it indicated that in many cases more taxpayer money was being spent to provide computer skills to prison inmates than it was to make high tech training available to law enforcement. And from what I hear, some white collar criminals, when they get the opportunity to take some of these computer courses, they say that they wish they had been arrested years before. This is graduate school and it is free   --   a hell of a tuition deal.

So any assistance that you folks can provide to make resources available to the law enforcement community for handling Internet-based investigations and computer forensics would be a great help. Again, thank you for inviting me. I hope you will always feel free to call on me if my experience or those of my colleagues can be of assistance. Thank you.

SENATOR FRIST:
Thank you, Mr. Brill. Let me just remind everybody, after Mr. Charney we will be taking questions   --   Senator Rockefeller will make some comments and we will be taking questions. I believe there are cards in your folders. You are welcome to use those cards or   --   and what we would prefer   --   is just come to the microphone and identify who you are and we will do questions at that point. Mr. Charney.

MR. CHARNEY:
Thank you. It is a pleasure to be here. What I actually want to do is start with kind of a top-down view. Because if you look at the agenda, what it says is cybercrime and cyberterrorism. These terms get thrown around, but people don't think a lot about what they mean. So let's make sure we are talking about the same thing.

In criminal activity, computers are used in three ways. First, they are weapons and targets in offenses. Somebody takes their computer to attack another computer   --   hacking. That is traditional computer crime. The second thing is computers as tools to facilitate traditional offenses. When somebody distributes child pornography on the Internet, it is still distribution of child pornography. If I take my computer and manipulate a system to steal money, it is still fraud. I will give you an example. We had a case involving a travel agency. A couple of travel agents figured out if you book people on planes after the flight has left the gate, you don't have to pay for the ticket. So they were taking this guy named John Doe and putting him on flight after flight after flight. Why would they do that? Well, you don't have to pay for the ticket, but you still get the frequent flyer miles. So then they were cashing in all the awards. That is still fraud against the airline program. There is nothing magical about that. Okay? The computer just provided a new way to do it.

The third thing is a computer as a filing cabinet. It is a storage device. And in a lot of our cases, whether it is a hacking case or a traditional offense, we need to go find evidence, which means we have to go seize a computer. The reason this is so important, however, is this. In the legitimate world, computers also have three purposes. First of all, they are storage devices for legitimate material. Second, they are communications devices for real-time communications like chat and store and forward like e-mail, and they are publishing devices. Everyone can be a publisher. So if you have a child pornographer who is downloading kiddie porn and he also has a political newsletter, when you get your search warrant and seize the computer to take the kiddie porn away, you've shut down the press.

So when you think about these issues, you need to think at the highest level first and figure out what are we talking about. Are we talking about a case where we are talking about hacking, traditional computer crime, which raises one set of problems, are we talking about facilitating offenses, which raises a different set, or are we talking about storage and access to data and the seizure of data that is all co-mingled on one platter, which raises a different set of questions.

Now having said that, when we talk about cyberterrorism, what we are really talking about is traditional computer crime for a particular motive. Terrorists work to create terror and often for some ideological reason, rather warped perhaps, but still. And when we are talking about cyberterrorism, we are talking about attacks on our network designed for the most part to deny service to systems   --   shut down the phone network, shut down power systems, shut down banking and finance. Although the term is new in some respects and people are catching on now, this is not a new problem. It just wasn't a massive public problem.

In 1988, Robert Morris launched the Morris Worm and shut down 6,000 computers in 24 hours around the world. But we were not as dependent on the Internet. In 1989, the Legion of Doom in Atlanta penetrated Bell South and had the ability, by their own admission, to shut down the phone system for the entire southeastern United States.

So this is not really new stuff. It is a decade old. What is different is because of the proliferation of computers as they get cheaper and cheaper, because of the globalization of network technologies, that threat is now everywhere. And the key thing to remember is that when you are under attack   --   when someone attacks DOD or they are attacking a phone network, what you don't know is who is doing it, why they are doing it, and where they are located. The only thing you know is a victim. So if a Bell company comes into us and says we are under attack, they are trying to shut down our network, they might be able to tell us that. They might tell us how the person is trying to shut it down. But they won't know what kind of attack this is, where it is coming from, and who is doing it. If you think back about a decade or a little more, when there was a Korean jetliner shot down by the Russian military, when that event happened, everyone said it is state-sponsored. It might be a rogue military pilot, but it is state-sponsored. Why? Because civilians don't have access to fighter jets. But if I take my computer and shut down an airport, is that state-sponsored? Maybe not. In Worcester, we had an airport shut down by a juvenile. And one of the things about that case that is so important is he wasn't attacking the airport. He was attacking a telecommunications switch. You see, it was a small airport with an unmanned tower. When pilots came in, they would radio to the tower, which was unmanned, which would send the communication over the telecommunication service to turn on the landing lights at the airport. You shut down the phone switch, the signal comes down and the landing lights don't go on and the planes have to be diverted.

Which raises the other issue about cyberterrorism, which is we are dependent on all of these networks. They are all interdependent with one another. And no one quite knows how and where. So what you have is the risk of what we call a cascading effect. When you think about attacks on a network, it is not just the network itself that is hit. If you shut down telecoms, a lot of other things fall. Emergency services fall because you don't have 911. Banking and finance can fall because they need the telecommunications lines. So a lot of things trickle as a result.

Now criminals, we talk about is the threat real. Well, first of all, the answer is clearly yes. There has been a lot of documentation, including by people on this panel about it. But it is also somewhat common-sensical. Why? Because if you remember, the Internet was built as a military system to make sure that communications would be available even if a certain communication center was hit. It was the electronic equivalent to the Interstate Highway System. Eisenhower wanted to make sure we could move troops around the country. So you build this grid of highways, and you send your troops from New York to San Francisco on Route 80. If Route 80 gets bombed, you send them south on 95 and across on 70. So the Internet was built to do the same thing for DOD.

Because when it was built it was only used by trusted users   --   DOD, academics, contractors   --   you didn't have a computer crime problem. So no security was built into the network. Then in 1980, two things happened. IBM comes out with the PC. DOD makes the Internet a public resource. Now you have embedded an insecure network and everybody using it. That is the state of play today. And to top that off, as the network develops and as new products come to market, the push to get products to market and get them there before everyone else means that the attention to detail on the security side is not there. For example, if you bought a car and twice a day your car stopped and you had to restart it for no reason, you would return the car under your state's Lemon Law. But if you have a computer and twice a day it freezes and you have to reboot it, you consider yourself lucky. Your expectations about computers do not match your expectations about other kinds of products. There is a high failure rate.

As a result of that, when something is going on and computers are not working, the first response is not we have a problem, it is just the network is not working. Let's reconstitute it and get it going. No one stops to ask is there some sort of attack or penetration or precursor of an attack. Nor am I saying it is sensible to ask, because you will be chasing down every bizarre Windows error for no purpose. But the point of the matter is we have this insecure network and new products are not necessarily solving the problem, and so criminals are going to migrate to this network.

Why? Well, one is the point that Alan cited before, which is there is always a percentage of the population up to no good. And as the whole population becomes computer literate, a certain percentage of those criminals will be using computers. Why would they do that? Because computer networks have some real advantages in committing crime over conventional networks. Think about narcotics trafficking. I want to sell cocaine in the U.S. I have got product in Colombia. That means I have to move product to the U.S. I need boats, cars, planes, people. I have to bring the drugs past the border, which means I am subject to search with no search warrant because it is a border search. Then I need a distribution network in the U.S. They are going to collect money and the money has to be laundered. All of those things raise opportunities for law enforcement. We arrest dealers on the street and we run them back against the organization. We have FinCEN looking for money laundering and flow. We have got border searchers.

Now you think about some of our hacker cases, like the Cuckoo's Egg in the 1980's, where the KGB paid German hackers to steal DOD data. A guy in Germany is sitting in Hanover. He signs on to a local provider, a local call. He accesses the Internet, accesses DOD, downloads some data, and hangs up the phone. Where is the opportunity? Okay?

So one of the difficulties is that the Net provides you global opportunities for access and it also allows you anonymous opportunities for access. You can do anonymous telnet sessions and other things where you can just keep banging on people forever and it would be very hard for them to identify.

Now, there are reasons you want anonymity in communications networks. There are lots of them. We have it in the mail and phone network. I can send mail no return address and I can go to a pay phone. And in fact, I can do harm with those anonymous mailings. I can send worst case scenario or mail bomb or I can threaten someone over the phone. So people look at the Internet and say we need the same kind of anonymous communications. And it is true that there are reasons we want that. The police use it for tip lines so people can report things who wouldn't otherwise report if they thought they were going to be identified and be a witness. You've got whistleblowers who want to rat out a government agency but are afraid of retribution. You have people who just care about their privacy. They want to inquire about a product and not be put on every mailing list in America. You've got people like rape victims who might want to get together and chat about the experience of being raped and living through it, but they don't want to be identified.

The difficulty is, unlike mail and phone, which is primarily one-to-one communications medium, Internet is one to many. And it is not just a communications medium. It has lots of different functions. So I can do telnets, take remote access of a computer and shut it down. It is very hard to shut down a phone network with one telephone. So because of the global connectivity and because of the power of the Internet and because of the ability to remain anonymous, it is not surprising that criminals are going to gravitate to that environment and use it to attack critical systems, as they get both the technology, which is getting cheaper and cheaper, the expertise, and the tools. In the old days, we could tell a good hacker from a bad one. Do you know how? The bad hackers, they were hunting and pecking on the keyboard. Now, of course, all the tools are automated with nice graphical interfaces. So when you see a sophisticated attack, you don't know if you have a sophisticated hacker or a moron who downloaded a tool. And because the attack is sophisticated, you have to address it as if it is the most severe attack, remembering you don't know who he is, where he is, or what his motives are   --   whether he is state-sponsored or not.

The last thing I will leave you with is responding to all of this in a global environment is really tough. It is very tough for governments. It really comes down to how do you enforce sovereign roles and rules in a global Internet. Let me leave you with this story. About four years ago or five years ago now, you remember there was a big healthcare reform proposal and we were looking as a country at a lot of different things. I got a call from Don Perigoff. Don Perigoff is my counterpart, DOJ Canada. He said he wanted to come down and talk about computer crime. So I said fine. So Don comes down with the RCMP and he says, you know, in Canada we have a national healthcare system. I said, I know. We are looking at it as a potential model for the United States. He said, well, we have fraud in the healthcare system. Well, I was shocked. I couldn't believe it. Canada? Fraud? Who thought? I said, all right, so what. He says, well, in fact we investigate fraud in the healthcare system. I said, so do we. He said, well, our records are maintained by the federal government. I said, well we have some government records, VA and stuff. Most of it is private. He said, well, here is the thing. Even though they are government records, we need to get a search warrant to go get the records to prove the fraud. I said, well, that makes sense because medical records are private and we use search warrants and grand jury subpoenas and whatever, fine. He said, well you see, we were thinking about this. Suppose we go to a government system administrator with a search warrant and we ask him to turn over the records. That is how it usually works and it is fine. But we were thinking, what if the system administrator is involved in the fraud. I said, well that would be a bad thing. You see, I am a sharp guy. And he says, that is right. We give the guy the warrant and he doesn't give us the right data and he claims it is lost or this, that and the other thing. 
So we decided that if we have a case where the system administrator is getting kick-backs, the RCMP is going to get down off their horses, handcuff the guy, and they are going to execute the search. So I said, Don, why do I care? He said, all our medical records are stored in Ohio. So I said, you can't do that. You can store them here, but you have no authority to execute a Canadian search warrant on U.S. territory. And he said, they are my records. So I said, then you shouldn't have put them in my country. I said, why would the Canadians put all their healthcare records in Ohio? He said, it is really funny. Storage is a lot cheaper in Ohio than in Ottawa.

SENATOR ROCKEFELLER:
One of the   --   there are two, I think, key ingredients to this tech forum. One is that we have more seating and a larger room. On the other hand, we didn't know there were going to be so many people. We are very happy about that. But there are two main ingredients. One is that we have really superb presenters. And in some cases, they will be in sharp disagreement with each other as we move on over the months and frankly over the many years that we hope to be doing this and more frequently too. In which case, it makes for a sharper debate and it is easier for people to question the one because competitive juices are raised. In this case, in a very important beginning, all three of them, all excellent and all very stimulating to you, didn't necessarily disagree. So then, as always, the burden of all of this and the purpose of all of this shifts to you, particularly those of you who are Congressional staff and I will say more about that just before the close of the thing before you are fleeing at 1:55.

But the burden is basically on you to interact with the presenters. Bill Frist and I are here to make sure that it is bipartisan and non-ideological, and that we don't take positions. Our presence in a sense reaffirms that. We will always be here at all of these things. But the burden now is on you to ask the questions, either through green cards, which you have, or at the microphone. I have a couple that I can start if you want. I think they might have been trumped up by Peter. But that doesn't make any difference. The burden is on you. That is what I am trying to say. This deal doesn't work without you asking questions, probing, and letting the presenters have a chance to respond.

So having -- there are microphones and there are green cards. I want to see lots of activity. Do you want to step to the microphone, sir? Go ahead.

PARTICIPANT:
Let me just get things started with a question for the panelists. Is encryption more valuable for corporations and government as a defense or is it more valuable for law enforcement as a means of enforcing law and carrying out investigations?

SENATOR FRIST:
Any of the panelists jump right in. If it is not directed to you -- and then we will go down the line if you have something to say. We will keep the answers pretty crisp, though.

MR. CHARNEY:
The answer is that you can't balance it in that way. The answer is crypto is really important to protect privacy, commerce, security of data. I would care a lot less about hackers getting into systems if your data were encrypted when it was taken away. The difficulty is like other dual-use technologies, criminals and terrorists are already using crypto, and if you use unbreakable crypto, then we can't get to the plain text. What that means in practice is we've shifted the balance of power between the individual and the state in a way that may turn out to be quite harmful. Specifically, if you think about the Fourth Amendment, we could have put a period after "shall issue", that is, no warrant shall issue. And the government would never be allowed to invade your private space. In fact, we didn't do that. We took a balancing approach where we said you should have private space, but if a neutral and detached magistrate gives us a court order, we can invade your privacy. With unbreakable crypto, we can get our search warrant, execute it, and never get the data. What that means is in kiddie porn cases, terrorist cases and other stuff, we are just not going to be able to prosecute people.

MR. BRILL:
The thing we are seeing in the private sector is that sometimes a corporation's use of encryption can backfire on itself. We have seen cases where a disgruntled employee as opposed, I guess, to the gruntled employees, will use cryptography to lock the company out of its own information. Sometimes because they are unhappy and they feel they should get perhaps more of a raise, sometimes they are just unhappy. But there are cases where companies have to go through some tremendous problems to regain control of their own data because of this technology being so available.

MR. de BORCHGRAVE:
I just wanted to add one thing that I didn't have time to say earlier. You heard a lot of talk about the insider saboteur and the disgruntled employee. They have chat rooms and what has come to light recently at the DIA is that foreign espionage agencies have entered these chat rooms pretending to be disgruntled employees and then recruit in turn three or four disgruntled employees and attack a high tech target.

SENATOR ROCKEFELLER:
It is stunning how huge it is, isn't it? How huge the problem is. Here is a question from a Congressional office. "Are there certain sections"   --   this is for anyone   --   "Are there certain sections of the economy that are better prepared against cybercrime? The banking system, for example, versus public transportation, number one. Number two, would you please explain how the government should direct its limited funds to protect our critical infrastructure?"

PARTICIPANT:
That is Scott's field.

MR. CHARNEY:
The answer is not all sectors are treated equal. You can see that because, for example, in the banking and finance sector, they are much more security conscious than they are in certain other sectors. So they are much more careful, even with things like home banking, of deploying things like encrypted tunnels and firewalls and the like. So not all sectors are the same. Academic sectors tend to be historically very open, banking and finance tend to be very closed.

As for the government's limited resources, this is a multi-disciplinary problem obviously. So what the government has done on the law enforcement side is establish the National Infrastructure Protection Center at the FBI, but it is interagency and many agencies are there now. And the goal is to pool our expertise, which is admittedly limited, to address this problem. Remember, when we need computer science lawyers and computer science investigators, we are competing with companies in Silicon Valley for that same talent. So the only way to do this effectively is of course try and recruit better, retain, and all that stuff, but also pool those resources in a centralized place. And what we are doing, for example, is we now have 10 FBI squads around the country where we pool resources of 10 or 12 agents together, so they can work these cases and work it together so they can stay up on the technology. And so we are doing that. Of course, there is a lot more, which I won't take the time to cover now, in PDD-63 and the National Plan. There are many efforts underway to try and secure our critical infrastructure. The difficulty for governments, whether it be the Executive Branch, Congressional Branch or whatever, is this. Historically, responsibility and control are linked. We assume responsibility for a problem and we control it. So at a bank robbery, we put the tape around the scene, we look at the video tapes, we dust for prints, and we take responsibility for solving the crime and we take control of the scene. In infrastructure protection, the responsibility to the public stays with the government, but the control of the infrastructures is in the private sector. And when you divorce responsibility from control, you get a whole new set of problems.

MR. de BORCHGRAVE:
One of the problems that we have seen at the Center for Strategic and International Studies on NIPCI, the National Infrastructure Protection Center -- which is designed, of course, to get the private sector to work hand-in-glove with the public sector, public and private cooperation -- there is a reluctance to do this because it comes under DOJ, specifically the FBI. That is one. And the growing phenomenon in this country is the disconnect between what we call the wingtip culture and the sandal culture.

PARTICIPANT:
I had a question about your last remark on behalf of Justice about responsibility and control. What I understood you to say is that you wanted both responsibility and control of the private infrastructure?

MR. CHARNEY:
No, absolutely not. All I am saying is when you have responsibility on one hand to make sure, for example, networks are secure but you don't control it, what you need to do is figure out ways to find synergy between critical infrastructure protection issues and market force issues. Because the market is driven by the economic factors. And if you look at the state of security generally, you will find that one of the reasons we have these problems today with all the penetrations is that industry has not devoted a lot of money to computer security. They are devoting the money to upgrading and selling product.

PARTICIPANT:
So then you would believe that the banking model as an example in which it has encryption and additional self-protections would be the best thing for humans or corporations to install to protect themselves from exactly the invasions that as I understood your description is on a world-wide basis difficult to police against.

MR. CHARNEY:
That is exactly right. And one of the things that you hope through education is that more sectors and more companies -- and I think Alan will bear this out -- but as they get attacked and as they pay more attention and as we do a better job of educating them, they devote more attention to securing their own infrastructure.

PARTICIPANT:
Thank you.

MR. BRILL:
I think Scott is absolutely right. One of the things we have noted is that in Silicon Valley, where we have the IPO's du jour, companies that go from zero to a billion dollars in 3.5 nanoseconds apparently, many of them don't have any particular interest in computer security. They are very focused on doing what they do. And even though essentially the total value of that company is an intellectual product in a computer, there is very little security. Less than many people would think. I understand why that happens, but it is scary.

MR. de BORCHGRAVE:
One other thing that came to light about security at a recent joint meeting between Georgia Tech and CSIS, which was a multi-agency conference, is we discovered that not only are there 2000 sites out there on the Web that offer hacking tools, but that no one in USG today is tasked to monitor those 2000 sites.

SENATOR ROCKEFELLER:
We will go to a card quickly and then we will come right back to the microphone. Question, "To safeguard critical national systems and systems involved in protecting lives, for example air traffic control, against hacking, why isn't there a parallel wireless Internet where computers and servers are connected via transmitter, satellites and the like?"

MR. de BORCHGRAVE:
I don't have that technical expertise. Do you?

MR. BRILL:
It just seems to me that any alternative you can come up with, somebody can attack. If you go to a wireless, it is not that difficult necessarily to attack a wireless system. When you say how come it didn't, it is hard to say. The Internet, when it was started back in the late 1960's, who knew what it was going to end up as? I didn't think it was going to be a sea change when I was back in the military in the late 1960's. Nobody dreamed. As a result, if you don't dream, you don't plan. Nobody is in charge of the Internet and there is no guarantee of security, delivery of a message, or anything else. It is what it is.

MR. de BORCHGRAVE:
What could be ... (Tape 1, side 1 ends mid-sentence.) ... United Kingdom. So at this rate, we will have about a billion people or one-sixth of humanity on-line by 2005. 25 percent of global commerce will be on-line or at least Internet connected. So that just multiplies problems for both law enforcement and intelligence.

MR. CHARNEY:
May I add one thing on this point please, Senator? The fact is, there are critical systems with some redundancy built in. That is always true. The difficulty is when you look at the scope of communications traffic, building a redundant system like a wireless system with enough bandwidth to carry that much traffic is not very realistic. And if you are talking about, okay, everyone is using this communications medium, so let's build this wireless redundant system that will stay idle until this system collapses. Who is going to fund and pay for that system? There is no market driver to do it.

SENATOR ROCKEFELLER:
The same question or just part B -- it is more of a statement. "It seems the only way to protect fully against hackers is to employ a lot of them and pay them to keep driving new ways to hack into systems. Then infrastructure guardians will be more vigilant." Is that what you were saying, Scott, earlier?

MR. CHARNEY:
Well, let me be -- we don't hire hackers, of course. The security industry actually went through this experience. For a while, hacking became a resume builder. And once industry started hiring hackers, what ended up happening was you got a lot more of them. And then people started drawing analogies to the fact that you want to see if your home security is any good, hire someone who just got out of prison for burglary. In fact, there are a lot of legitimate places where you can go to find out whether your systems are secure and what the latest techniques are. And if you are insured, then I think you probably want to go with someone licensed and bonded and not convicted.

MR. BRILL:
And I would just like to say one thing. People ask all the time how come it seems that our infrastructure has become less secure instead of more secure? I just have one thought about it. If you look 25 or 30 years ago, almost everything was custom built   --   main frame, big iron, all custom programming. Today, everything is off-the-shelf. It is PC-based. They use standard equipment, standard software, and standard operating systems where there is more knowledge of how to attack them. You know, if you want to be secure, don't let people know how you are securing things. That is one of the basic rules. If you put something in your car and it says protected by and it has got a brand name on it, you have probably just helped somebody break in. What I want to do is to have something that says, it is protected and if you try to get in here, we are going to get you, but I am not going to tell you how I protected it. I am not going to help you.

SENATOR ROCKEFELLER:
We will go to the microphones.

PARTICIPANT:
My name is Dan Kopelman and I am with Congressman Tim Credo's office. Just by brief way of background, I have a master's degree in computer information systems. So I have been playing with some of this computer stuff for a while. One of the concerns that I have expressed to the Congressman is with putting more computers on desktops. The E-rate I suppose is a wonderful thing. However, has there been any analysis done on the level of accessibility increase to people that are mischievous? Not necessarily meaning to attack but doing things like shutting down phone switches. Just from personal experience when I was a student, on the VAX PDP-11, we did a lot of capturing of passwords and such before the lockdowns came and those are very real concerns that still exist today.

MR. BRILL:
I couldn't agree with you more. Every time we make computers more accessible, we don't necessarily think about what goes with that. We give our kids computers and then we suddenly watch while they are trading software, which is licensed. And you look and say, that is fine, Johnny or Susie. And we put it in schools and we put it into libraries. We are making it accessible without necessarily having the training or the smarts that go with it, and that is always a potential danger.

PARTICIPANT:
Can you address -- has there been any analysis of the security concerns addressed?

MR. BRILL:
I don't know of anything that directly covers that, no.

MR. CHARNEY:
I only know of one that I heard about. It was from a former IBM who is now a security consultant. I don't know if Al or Arnaud would remember it. But what they actually found in a particular company is that there was a lot of thievery within the company, mostly nickel and dime stuff. Then they put computers in the front office and millions were disappearing. Because it turned out that the higher level people, when they think crime they think big numbers, you know, not pencils. So it was kind of an interesting problem for them.

MR. BRILL:
If you can get away with $100 million as opposed to $25.00.

MR. de BORCHGRAVE:
Talking about big numbers, the average computer theft now by insiders is $2.7 million per company.

SENATOR ROCKEFELLER:
Just a moment. I can't resist this one because this is obviously from a gruntled person. It says, "For the Senators, are you comfortable with the levels of computer security in the U.S. Senate? Do you really know what they are? I do". That was the question.

MR. BRILL:
I hope they are gruntled.

SENATOR ROCKEFELLER:
Obviously that was directed at Bill Frist.

PARTICIPANT:
Hi. I am Sun Yun Shung from the American Association for the Advancement of Science, and my question is directed to all the panelists. It seems that in order to assess this threat of cyberterrorism and come up with defense strategies, there needs to be a joint effort between the government and industry. Are there any plans underway for such cooperation right now?

MR. CHARNEY:
Well, actually there are several. One, of course, is that as was announced about a week ago, industry is going to start a personnel exchange program with the National Infrastructure Protection Center to put industry and government together to do a lot of the threat analysis, warning and data collection that needs to be done on incidents to figure this out. Also, because there are concerns for industry in sharing data with the government, particularly when vulnerabilities might undermine their products or give other companies competitive disadvantages or advantages, they also have established what is called ISCs, which is Information Sharing Centers, in industry sectors to share information. And for each sector, there is a government coordinator. So like Treasury is in charge of the banking and finance sector and the banks, through BITS, the Banking Industry Technological Secretariat, and the American Bankers' Association, they set up these ISCs and they share the information. Additionally, there is a model project going on in Cleveland called Infraguard. Local companies in Cleveland got together with the FBI and established a small regional area network to exchange data on threats, vulnerabilities and other kinds of information. The information comes from the companies to the Bureau in two forms   --   a complete form, which gives us the information we need to take appropriate law enforcement action, and a sanitized form, which can be disclosed to the Infraguard group in a way that doesn't undermine anybody's products and systems. And that Infraguard project is now expanding because the Information Technology Association of America, the largest trade association for the computer-related companies, and the FBI and DOJ have hooked up together to start trying to populate the Infraguard projects all over the country.

MR. de BORCHGRAVE:
Can't improve on that.

SENATOR ROCKEFELLER:
This comes from somebody who is barely literate but who I know to be absolutely brilliant. So it is coming. "Why aren't more cybercrimes prosecuted given the amount of fraud and crime that you suggest is going on?"

MR. CHARNEY:
The short answer to that question is I don't know what statistics you are looking at, but the number of both arrests and convictions has been growing very rapidly. The difficulty is in assessing how many there are. The reason for that is the Justice Department proposed to the Sentencing Commission that we revise the sentencing guidelines to deal with computer crime sentences. In part because a lot of harms like invasion of privacy were not taken into account in the guidelines. They were strictly monetary. So the Sentencing Commission began by doing a study of computer-related sentences. And they went to the courts and looked for all the convictions under 18 U.S.C. 1030, the Computer Fraud and Abuse Act, between the Act's most recent amendment back then, 1986, and roughly 1992, and they came back with 76 cases. So we looked at the 76 cases and we said, the Legion of Doom hacked into Bell South and it is not there. Masters of Deception hacked into South and it was not there. Why? Because in a lot of these cases what happens is the FBI works the case, takes it into a prosecutor's office who charge wire fraud and mail fraud. So what ends up happening   --   because normally if you have computer abuse across state lines, you also have wire fraud at the same time. Prosecutors are much more comfortable with wire fraud statutes. So the Sentencing Commission looked at it and ended up putting a footnote saying there is no way to tell how many convictions there actually are. And the reason for that is there are thousands and thousands of wire fraud convictions and there is no way we can go through them all to figure out which ones have computers and which ones don't. So the best we can really do is look at 1030 convictions, start with the baseline and see where we are today, and the numbers are skyrocketing. 
They are still not very high in terms of true hacker cases, and the reason for that is it is really hard to find hackers because they are all over the world and the technical infrastructure that is developed on the Net does not allow you to find the source of communication so you can arrest somebody. And as long as the market forces are driving towards bulk billing and you've got the EU Data Directive of 1995 and Telecom Directive of 1997 saying that European service providers cannot keep traffic data anymore, how are you going to find people? If you can't find them, you can't convict them.

MR. de BORCHGRAVE:
That is the biggest problem is anonymity in cyberspace. Recently there has been a new software program called NMAP, which enables an attacker, say attacking the Pentagon, to pretend that he is attacking through six different countries including Russia and China, and he may only be a few miles away. The Pentagon has had a lot of trouble with this recently. They have been under attack, as you know, constantly, about 100 attacks a day. DISA, the Defense Information Systems Agency, two or three years ago did launch 38,000 attacks against their own systems and only 4 percent of the people under attack realized they were being attacked. And of the 4 percent, only 1 in 150 reported it to superior authority.

MR. CHARNEY:
And let me build on that in a real life example. Because this is very true, this weaving problem between countries. When we were gearing up for air strikes against Iraq quite some time ago, all of a sudden there were penetrations into the Defense Department coming through the Middle East. The original call I got, which needless to say was in the middle of the night, was we are gearing up for air strikes and we are being attacked from the Middle East and maybe this is information warfare. Maybe this is a preemptive strike. The first words out of my mouth is we don't know where this is coming from. We can't jump to conclusions. It turned out to be two teenagers in Cloverdale, California. Similarly, we have had people weave through countries, through the U.S., and attack foreign sites. And the risk you run is that that foreign government won't be quite so smart and they will think they are under attack from us when they are not. So this is a very real problem because a lot of the decisions we make early on in the case   --   is this war, is this hacking   --   depends on whether you have enough facts to know who is doing it to you for what purpose, and in these cases, you just don't have those facts. It is also going to require the country as a whole to rethink to some extent the traditional line between criminal law enforcement here and intelligence over here. Because after the Church Committee and stuff, the notion was we need to separate these two functions and keep them distinct. If DOD is being attacked and you don't know if it is a foreign intelligence service or a teenager in Cloverdale, California, what do you do with that information? Do you tell the intelligence side or not? Do you tell the criminal side or not? Do they share information or not? Do we want to keep walls in place so that neither side knows what the other side is doing and so the whole thing gets mucked up? It is going to be a real problem.

MR. de BORCHGRAVE:
Scott, you said that this was two California teenagers, but they were also helped by the analyzer from Israel.

MR. CHARNEY:
Correct.

MR. de BORCHGRAVE:
And it was so serious at the time that they thought the attack was coming from Iraq, because it was the time of one of the build-ups in the Gulf.

SENATOR ROCKEFELLER:
Please?

PARTICIPANT:
I am Trisha Remo, and I represent two SAIC companies that both are engaged in computer security and have been long before it was a hot issue. One of them is Global Integrity and the other is Telcordia Technologies, formerly Bellcore. And just in response to all that has been said about the phone network, let me say that there are people at Telcordia who are making sure that Bell South's switch does not come down. It can be done. These are the people who are quietly working away to make sure that that doesn't happen. We are also working with the ITAA under PD-663 --

MR. CHARNEY:
63 -- PDD-63.

PARTICIPANT:
To link up with the government and share resources. My concern and our concern is that now that this has become a hot issue, do we take a risk in sharing information? By virtue of the same fact that the Internet is public and information is there to be shared, are we going to be taking a risk sharing our network vulnerabilities and sharing vulnerabilities in the way that you described with creating data bases? Or should there just be like the people in Telcordia working silently away and nobody really ever knew they were there protecting the phone network? There is that balance too between making a very big deal about it and just doing it very silently, and that is a dilemma.

MR. CHARNEY:
Right. And it is going to continue to be a problem. In the case where the airport was shut down, what the hacker had stumbled upon was a flaw in a switch that we then learned from talking to the company could be exploited in other places. And you run into a real problem. If you go out public and say we found this vulnerability, if the hackers get to it before the system administrators patch it, you have bought yourself a world of trouble. On the other hand, if you don't in some method get the information out, then the patch isn't deployed and the vulnerability remains, and then the next time you have this problem, it turns out the government knew about it and didn't do anything about it. That is why we have gone to the Infraguard model, which allows companies and governments, a more trusted community   --   we don't do it on Internet public postings. We try and do it in trusted communities so we can fix the problems without essentially just educating bad guys on how to attack our systems.

MR. BRILL:
The bad guys do a great job of educating each other. That is the one thing that is amazing.

PARTICIPANT:
Yes.

MR. BRILL:
If there is a hole in a system, the odds are it is going to be in one of a limited number of places and the word is going to get around whether the administrators do anything about it or not. So they are communicating and we better communicate too. Otherwise, they are going to get smarter than we are and that gap is going to kill us.

PARTICIPANT:
Right. Using encryption, I hope, we are going to communicate.

SENATOR ROCKEFELLER:
Just before you   --   I want to say a couple of things because we promised everybody we would end on time even if some of us didn't start on time. The purpose of this, I hope you understand   --   and, Bill, if you want into this, just kick me. You will notice there aren't any Senators or Congressmen here. It is not that we don't welcome them or that we are not interested in them. We are interested in Congressional staff. That has been the same theory in the Alliance for Healthcare that Bill and I co-chair that has been going on for about 10 years now. It is all staff. And what staff does is as the word gets around   --   and this, I think, will be much more powerful because of the subject matter and the currency of it, but also the complexity of it   --   that people or staff members will begin to feel an addiction. Almost like if they don't show up to these meetings   --   and I am really serious about this. It sounds a little obnoxious to say it. But if they don't show up that they are going to be missing out on some really important things. This is duplicative of nothing else that happens. There is an Internet Caucus that 100 Senators belong to, I am sure, and probably 2 or 3 show up for it. But our theory is   --   Bill's and my theory is that the way that we can project a difference in what I think or what we both think is a relative lack of knowledge in Congress on both sides about the depths   --   not just the current hot issues of decency and pornography, but the deeper issues that form the base of the triangle of knowledge of all of this can only come as staff are knowledgeable to begin with and as staff become more knowledgeable and then begin to get angry with the people that they work with or for that they are not participating in this debate more. That is the reason that you are here. That is why we don't want Senators and Congressmen. I mean, if they come in, we won't throw them out. But we don't give them lunch.

So the point is that we are going to do this. We are going to start off   --   this being the first meeting   --   once a month, and I am going to give you the next two and I want you to write them down. But we will probably then pick up the pace, so that we will be doing it every three weeks. We have done that again with the Alliance for Health Reform for 10 years now, and the D-106, which you all know to be the largest room in the Senate, is no longer big enough to hold staff that sign up   --   legislative assistants or all the people that sign up for this. Trade press is important to us obviously too. There are lots of reasons for that.

So I want you to get addicted. Bill and I openly do. We want you to always be here. What we do on our side is to guarantee you absolutely first rate   --   I mean, you tell me that you have heard three people as good as this in the last four months and I will say something nasty. You haven't. You just haven't. I mean, they were sensational and you know it was interesting. And the point is that this just goes on and on and on because this problem is going to go on. And even, as Arnaud said, as fast as we are learning here, all of us together, the world will be moving much more rapidly.

The next one is going to be on April 15, and it is going to be "Privacy in a Transparent Society." Well, we did that. And Meg Whitman, who is president of eBay, will be here, as will David Brin, who has written a book entitled "The Transparent Society", and Marc Rotenberg, Director of the Electronic Privacy Information Center, will be here. The one following that will be on May 19. Please write it down. Please be here. We will have an air conditioned bigger room and enough lunches for you. It is going to be "High Speed Communications Access; Who will control the last mile?" Another subject, another area. We will have people from America Online here, At Home Network, and Chairman Bill Kennard of the FCC will be here. So the people are going to be excellent. What we need is you and we need your active participation   --   your questioning, your probing in any form.

The one on April 15 will be in HC-5, which is an obscure and new basement. The next one on high speed communication will be in SC-5   --   SC-5. HC-5 and SC-5, first and second. Having said that, it being after 2:00, do you want to threaten the future?

PARTICIPANT:
A quick question.

SENATOR ROCKEFELLER:
All right. Go ahead.

PARTICIPANT:
We have heard a lot about intrusions of the Pentagon and others. But surely the Pentagon does not link its nuclear weapon systems up to the Internet. Could you comment on any security systems that are taken that keep them separate from what hackers can access?

MR. de BORCHGRAVE:
The problem with the Pentagon is that 95 percent of its traffic moves along public lines, 5 percent is on secure   --   their own system and their own communications network. But 95 percent moves along the public network and that is why it is so vulnerable. DISA, the Defense Information Systems Agency, moves the equivalent of one entire Library of Congress every four hours. Or put a different way, it moves the equivalent of a pile of books 680 miles high every 24 hours.

SENATOR ROCKEFELLER:
With that, thank you.

(Whereupon, the meeting was adjourned.)