THE WHITE HOUSE
Office of the Press Secretary
PRESS BRIEFING BY CHIEF OF STAFF JOHN PODESTA; SECRETARY OF COMMERCE WILLIAM DALEY; PRESIDENT OF INFORMATION TECHNOLOGY ASSOCIATION OF AMERICA, HARRIS MILLER; PRESIDENT OF EBAY TECHNOLOGIES, MAYNARD WEBB; AND THE CHIEF INFORMATION OFFICER OF MICROSOFT, HOWARD SCHMIDT ON THE PRESIDENT'S MEETING ON CYBER SECURITY The James S. Brady Press Briefing Room
1:43 P.M. EST
MR. SIEWERT: Here to brief on the President's meeting with cyber security we have a number of administration officials and private sector representatives. Mr. Podesta, the Chief of Staff, will kick it off. He'll be followed by Secretary Daley, who has been heading up the effort to work with industry on these issues. And then we'll hear from Harris Miller, the President of Information Technology Association of America; Maynard Webb, the President of eBay Technologies; and Howard Schmidt, the Chief Information Security Officer of Microsoft.
MR. PODESTA: Good afternoon. People can join me if they want. Let me briefly say that I'm going to try to summarize what happened at the meeting, but I think it was an excellent discussion today with the President, members of the Cabinet, leaders of the Internet and e-commerce companies, civil liberties organizations, security experts, reformed hackers, some academic people. I know that many of you have been outside and have heard from people who were inside the meeting. But let me try to briefly summarize what was said and the dialogue that took place, and try to put it in some order.
I think that everyone recognized that the potential of the Internet, the positive implications, the strength that it has brought to the economy needs to be kept in mind as we seek a stronger security situation and address these problems, to build a solid foundation -- a solid security foundation to keep this economic miracle, which the Internet has become, going and strengthening our own economy.
The comments went into the following areas: We need to raise the level of security practice. I think that many of the people in the room commented on the fact that many tools were out there to deal with security threats, but many of the tools were not being used. We need to be more pro-active. One of the participants said that in much of the software that's shipped, that the default mechanisms are never switched on for about a third of the software that's shipped by one of the venders -- so that we need to be more pro-active in getting the tools out and getting them in use, to practice better hygiene, as many of the people commented.
We need to make the government, secondly, a role model. We're not doing a good enough job in making sure that the government's own systems are secure. We need to enhance the security on the government systems, and make sure that they're not broken into, that the firewalls are in place, and that we're practicing good security procedures.
We need to increase both the short-term R&D -- again, which is mentioned in the President's program that has been released as part of his budget -- as well as the long-term R&D to make sure that the hardware, the software and the networks that are part of the global information infrastructure are more secure and evolve in a way in which security is built in at the front end, rather than thought about at the back end, when solutions will be more difficult to implement and more expensive to implement.
I think all of that supported the -- and I think there was strong support in the meeting -- for the President's budget initiative, as we have talked before in this briefing room, of over $2 billion to invest in enhancing security, increasing R&D, creating an institute to work in partnership with the private sector to do more research and development on the security issues.
There was a commitment from industry, and a commitment to share information on a cross-sector basis. The people who follow me will discuss that with greater specificity. But we've had some very good success on the Y2K model. We've had good success already in Secretary Daley's efforts to build a partnership with the private sector to work on these security issues. And we need to get going, enhance those efforts, and get some real solutions on the table.
The solutions that we talked about did not involve greater government regulation, or really even greater governmental power. They were things that we could do, again, in partnership with the private sector to increase security. I think the point was made that we do not need to reduce privacy as we enhance security in the network. Privacy and security go together, in fact.
The Attorney General discussed the fact that -- and a number of the people in the meeting chimed in -- that we need to -- sometimes I think these questions are handled in a way that make them seem rather simple, or low-key, or kind of funny or cute; and that they're not cute. The events of last week show that they can -- they involved attacks that can involve a good deal of money. And again, that will be discussed as we go along -- but that enforcement efforts are a necessary part of this effort. And she invited the business community to come together with her to talk about how we can better enforce the laws that are already on the books.
There was some discussion about enhancing the education and the ethics that go into the use of the Internet; that it isn't cool to trash systems, and that the academic community has an important role to play in both spreading that message and in working with people who are being trained to use these tools, to do those in a proper way.
And finally, there was a good deal of discussion that this is a global issue, a global network, a global problem. It can't be resolved simply by efforts by the United States government, or even by the United States private sector. We need to work in partnership to enhance security, but we need to work around the world on solutions that, as the global information infrastructure is interconnected, will have a reach beyond our borders.
So with that, let me turn it over to Secretary Daley to talk about his efforts in the new partnership.
SECRETARY DALEY: Thanks, John. Let me first thank the participants in the discussion, and the turnout from the private sector was absolutely terrific.
Our information economy is strong, and it is resilient. But last week's incidents were really a wake-up call for all of us. It's an attempt, for those of us who have been trying to work to address some of these problems. It's a first wake-up call for us in government to make sure that our systems are adequately protected, and we are doing that at the direction of the President. All of us are checking our systems to make sure that we have adequate protections. And then at the same time, it is obviously good business for the business community to do that, to make sure that the confidence that is within the American people today about our economy, and about our systems, remains. And that's their interest, and our interest is to make sure that our economy stays strong. And so much of it is dependent upon the infrastructure, which is -- the vast majority of which, of course, is in the hands of the private sector.
So it was a good discussion, as John outlined. We have a number of efforts that we have begun to do with the private sector. We had the first meeting last October of -- or December, pardon me, of about 80 companies in broad -- from different sectors of the economy; not only the high-tech industry, but the -- not only the information sector, but the transportation, energy, telecommunications sectors all working together. And our next partnership meeting will be next week at the Chamber of Commerce, to try to develop mechanisms by which we can share information and move forward, but in a multi-sector approach and not just a narrow sector.
So I appreciate the tremendous, already the tremendous support that the private sector has given to our efforts at the Department of Commerce to try to work with them. We can support them. It is not about the government regulating this, or taking steps to take actions that would at all impede the Internet, because of course it is the dynamic engine that is driving our economy today, and we must keep that open. And we will make sure that it is protected, those of our systems. But the private sector is taking the lead in making sure that the overall systems of theirs are protected. So I thank them very much for their strong involvement in the partnership.
MR. MILLER: Hello, I'm Harris Miller. I'm President of the Information Technology Association of America. We are one of the three associations officially designated by the Department of Commerce to be the sector coordinator for the information and communications sector, along with the Telecommunications Industry Association and the United States Telephone Association. And we also help to facilitate the planning of the industry participants for today's meeting.
It was a very, very positive meeting. We had very excellent turnout from many leaders of the information technology and Internet industries. And they were able to deliver to the President and to the Cabinet officials and other senior government officials very clear messages about our interests and concern in focusing on information security on the Internet.
And we provided to the President and the other U.S. government officials who were present a statement, which has been endorsed by 38 companies just initially, and 10 high-tech trade associations, committing to sharing information and working together through a mechanism, particularly to focus on cyber attacks, vulnerabilities, countermeasures, and best information security practices. Participation in this mechanism will be voluntary, industry-led, and may be virtual.
During the meeting today, the companies helped to share with the President and the other officials many of their views on the particular technology challenges that are being faced in dealing with this; that even though some of the technology challenges in protecting the Internet are relatively easy to address, in fact it's a very hard issue. As one of the industry representatives said, both the blessing and the curse of the Internet is that it is so open, and that makes it such a tremendous challenge. And we indicated that the technology challenge is very important.
We also shared with the President the need for industry itself to focus much more on widespread adoption of best practices -- that when technology solutions are available, when best practices are available, it is important we make sure not just within the industry, the Internet industry itself, but across sectors, that we share this information. And that's why the partnership that Secretary Daley referred to and that Howard Schmidt will discuss in a minute is so very important.
We also discussed with the President the important global nature of this challenge, and the need to move forward in looking at this issue on a global basis.
In terms of industry's expectations for government, we were very pleased that President Clinton reiterated that industry leadership here is key, that collaboration with the government is also a part of this, but dealing with the issue of Internet security must be industry-led. And the President and his Cabinet members in attendance, and Mr. Podesta, reaffirmed that, and that is very positive, because the Internet has succeeded and become such a tremendous engine of economic growth and opportunity not just now but into the future because of industry leadership. And that was a very positive message coming out of the meeting.
In terms of next steps coming up, Mr. Schmidt will discuss the partnership meeting coming up next week. I also indicated that our association, along with others, will be pulling together many companies and other associations in two weeks, following the partnership meeting -- companies within the industry sector in particular -- to talk about, how do we now operationalize this commitment to establish a mechanism? What concrete steps do we need to take to make sure that the information sharing is carried out in the most efficient and effective way possible? So we're going to move quickly; this isn't some kind of long-term plan. It's a short-term plan to move quickly, and you should be seeing some outcomes happening in the very near future.
Thank you very much.
MR. WEBB: Hello, I'm Maynard Webb, and I'm the President of eBay Technologies. eBay strongly applauds the efforts that are going on to work across the industry and with our government friends and our educational partners to work on the ways to combat this. There is no silver bullet for what we're going after, it's a difficult problem. But when we work together we can solve it, as we're able to do in resolving our effort last week -- working with our industry venders and partners and ISPs.
So we're very excited about the work that's going on here and look forward to participating strongly in it.
MR. SCHMIDT: Good afternoon. I'm Howard Schmidt, and as was pointed out by both Secretary Daley and Harris Miller, next week we kick off phase two, if you would, the Partnership for Critical Infrastructure Security. We had our first meeting in New York in December of last year. Next Tuesday is the meeting that works on specific areas of concern, areas of sharing of information.
We have five work groups currently established for the meeting next week, looking at issues cross-sector. This is not strictly an IT sector, this is transportation, energy, communications -- all the various sectors -- looking at interdependencies and vulnerability assessments; best practices sharing, which is really key; the awareness and outreach, making sure that everyone has the information they need to make this much more secure. Also issue relative to legislation and public policy development, and a couple of other very key areas such as research and development and work force development as well.
We want to make sure that -- we're very much in support of the President's national information assurance plan. It was offered up about a week or so back. All these issues map directly to that plan, and we cross-sector, cross-industry, are all behind that and will continue to work that through the Partnership for Critical Infrastructure Security. Thank you.
Q Mr. Podesta, as we speak, do you have an ironclad assurance that some malicious hacker, to pick a site, couldn't pick White House.gov and bring it down?
MR. PODESTA: We probably should go back and check, based on the question. (Laughter.) Look, I think we shouldn't overstate the problem, we can't understate the problem. I think that there are -- even yesterday, in the President's on-line interview on CNN.com, we had hackers get into that. So I think that anything I could say in answer directly to that question would probably just throw out a challenge.
I think that what we have done, I think has worked, again, to try to develop this partnership, to try to develop solutions, to try to make those solutions more widely available and raise the level of knowledge, and therefore, raise the level of implementation of security fixes. I think we're trying to do a good job in the federal government, and Bill mentioned this in his comments, by surveying all the sites, not just our national security sites, but all the sites of the federal government, to try to enhance the level of security in those individual sites.
But I don't think there's any single magic bullet, or it would be foolish of me to stand up and say that no hacker could attack our website. In fact, that's happened in the past and that person was caught and prosecuted. But I think we can do a lot better job than we have done in both enhancing the federal government level of security -- and that's what our $2 billion initiative is all about -- as well as sharing with our private sector partners the information that we have and developing the research and development to deal with the tools to go after the kinds of things that are out on that.
Q Does the private sector feel the laws on the book are stringent enough on hackers?
MR. PODESTA: Well, I might let them answer that.
Harris, do you want to --
MR. MILLER: We're examining that right now. During the meeting, the Attorney General said she would be interested in having a follow-up meeting with industry to discuss this. I think there is a feeling in industry right now that some courts do not take these cases seriously enough. There is a feeling in industry, which I don't think the Attorney General would disagree with for one second, that the federal government does not have all the technology resources to always do the forensic work necessary or to do the prosecution necessary, and so they need additional resources also. But as to whether specific statutes need to be amended, I think that requires further analysis and discussion.
Q To go to the opposite side of this thing, the truth is that you can't have convenience and really tight security on the Internet. A lot of these companies are chasing money and security is not the top issue. Isn't there some culpability on the part of these sites that don't include the patches? We're talking about now service attacks -- that's an inconvenience. There's also been several reports about databases being compromised -- 300,000 or more credit card numbers being stolen because they didn't have good enough security. We have laws to deal with the hackers. What about some culpability on the site of the e-commerce sites that are not protecting the privacy because they're being inadequate or apathetic about installing these patches?
MR. MILLER: First of all, I disagree with the premise of your question. Every company that does business on the Internet understands that in terms of customer loyalty, relationship with the marketplace, that they have to, in fact, be focused on security. None of you in this audience, not I, no one in this room is going to go on a website where we believe that the information that we're providing to that company through the website is going to be prey to anybody who wants to get access to it. And these companies understand that.
Now, I think there is a legitimate question about the level of resources and the adoption of some of these best practices, because the challenge is constantly changing. That's one of the difficulties of security on the Internet. In an automobile, certain standards get set. You say, okay, you need airbags and they need these specifications, and that sits in place for several years. And so everybody kind of knows that. Unfortunately, in the Internet the security challenges are new every day, and every time someone comes up with a countermeasure, then you have the possibility of someone coming up with a new threat.
I think what happened last week and what has happened in the last few weeks has helped to focus the attention of many people in the industry that they are going to have to put more resources into security, and certainly the meeting today and the information that was developed by the meeting that Secretary Daley held on December 8th and the follow-up meeting next week does show that people on the Internet -- not just the information technology industry, not just the .com industry, but all industries which are now part of this new economy are prepared to work together.
This is not an issue where you somehow get some kind of competitive advantage over your competitor because you somehow have better security. Everyone realizes we're in this together, we must protect the Internet so that the consumers and the businesses and the governments who do business on the Internet are confident that the information they share is protected, and that an individual and corporate privacy is protected.
Q On the question of whether the laws are adequate to deal with hackers, Mr. Podesta, when President Clinton announced the change in encryption policy last September, he said the administration would promote a cyberspace electronic security act. We haven't heard more from the administration on whether you intend to submit a request to tighten the laws to deal with either malicious hackers or people who make use of encryption in ways that are not conducive to law enforcement.
MR. PODESTA: Well, I mentioned that the Attorney General invited people into a separate dialogue on that question. We're working to try to make sure -- I think both of these points were made -- we need to make sure the laws are adequate and tight. And I think that the Justice Department will discuss that with the private sector and with representatives of the civil liberties community, the privacy community, and make sure that we can move forward, and see if we need updates of the laws that were largely about a decade old now. They were mostly passed in the mid 1980s -- to see if there are any additional authorities or tweaks in those laws. But the basic framework of the computer crime statute, the Electronic Communication Privacy statute, et cetera, are in place.
But whether those need to be enhanced, I think the Attorney General will discuss with representatives of the Hill and people here. But in addition to that -- and I think Harris also mentioned this -- we need to make sure that we have adequate funding and adequate resources both on the law enforcement side and the security side, to make sure that we have the tools available and that the FBI and others have the expertise.
One of the problems I think that got raised in the meeting -- not to facetiously -- is that every time we develop expertise in the federal government there is such a draw from this powerful economy that's going on that people leave government service and get into the private sector. And that's one of the reasons I think that the President has proposed this program to create a federal cyber service in which people can get trained in the security fields in exchange for debt forgiveness or college loan forgiveness, to move forward and give back in government service some years of service, kind of modeled on the ROTC program.
Q Are you saying that this administration has no plans at this point to call for tighter laws to deal with --
MR. PODESTA: I think we're still examining that and we'll discuss that again with the private sector, and we may have some more to say about that.
Q Mr. Podesta, it took the PanAm 103 crash to have the government move away from a no double standard policy for terrorism warnings. Was there a consensus in this meeting that as far as cyber threats go, there should be complete public access to all information the government or the private sector has about potential security threats? Or are there still going to be circumstances where private warning is appropriate?
MR. PODESTA: The short answer to your question about the meeting is that that issue wasn't discussed. I think there was a recognition that we needed to have cross-sector dialogue, discussion, and sharing of information -- sharing of security solutions across sectors, not limited to one sector or another -- and that the meetings that Bill intends to hold next week and in the future to create this partnership and create potentially a center for exchanging that kind of information, the details of which still need to be worked out.
SECRETARY DALEY: There is -- I think it would be fair to say there's been a hesitancy to share information in the past. I think that is changing. I think the incidents of the last week, the sort of support that the President got today at the meeting, and the statements made by Harris. And we are looking forward to next week's meeting to begin to put together a mechanism, led by the private sector, in which this sort of information can be more widely shared.
Of course, there's no way we could force somebody to tell something that they found out in the private sector, or to give some sort of proprietary information about their own company. But this whole process is to try to get a better acknowledgement of the fact that we're all interconnected, and that has to be acknowledged. And how do we deal with this interconnection, and diminish the negatives of it?
Q Mr. Podesta, you had talked about the need for more R&D, research and so on. Are you all planning on revisiting the 2001 budget and perhaps asking for a little bit more?
MR. PODESTA: Well, as you know, we've got a 16 percent increase in the 2001 budget over FY '99. And much of that is aimed at enhancing the R&D accounts in that budget. We -- Neal Lane has been charged with -- he's meeting with the PCST, the President's Committee on Science and Technology, or thereabouts -- on Friday, to discuss how we go forward with developing the institute, which will be housed at NIST, to begin to develop a research and development plan for broader Internet security. And we want to involve the private sector in partnering in that institute as well. And our Science Advisor Neal Lane, head of OSTP, will be dealing with that on Friday, and may have more to say about that.
But the accounts themselves, in terms of R&D, were plussed up to a good extent in this 2001 budget. And one of the things that I think we got strong support from the private sector on is a commitment to see that those are not just -- they're not just proposals, but they actually get enacted into law. I think last year we asked for about $1.75 billion, and -- $1.77 billion, and the Congress appropriated about $1.75. So we've had pretty good success with getting those accounts appropriated. But we've obviously done a big plus-up here, and we want to make sure that we get that money appropriated.
SECRETARY DALEY: If I could just add one thing. The program John mentioned that's going to be through NIST is $50 million, which is obviously a substantial amount to begin this process for R&D.
Q Mr. Podesta, the President said he was going to cut loose $9 million to jump-start some of these initiatives? Where is that $9 million going? Where's it coming from?
MR. PODESTA: That really is to do some preparatory work, some jump-start work, spade work if you will, to get the work going on our cybercorps, our federal cyber-service initiative, to get people involved in colleges to go into the security field and return for some government service, as well as to begin this institute that will be housed eventually at NIST.
Q Mr. Daley, when you have this meeting, this cross-sector meeting, there's been stories and questions all day today about how the financial industry, the banking industry, has this network that's set up to share information. They insisted that that information not be shared with anyone else. Are you going to implore them, strong-arm them, whatever term you want to use, to come in and share information as well? Because as far as they're concerned, the people I've talked to, they've said they don't want to share information. Everybody else is fine, but they're not going to share information about when they're getting hacked -- because they had a heads-up last Friday, or before that, on the 4th, that something was going on. And nobody else knew.
SECRETARY DALEY: I would only implore somebody. I would never do anything beyond that. (Laughter.) And of course, we will do that and we will do it strongly, as the President did today. The fact of the matter is, we are all interconnected. Some companies may take that position that they'll share nothing with anyone, but the fact of the matter is at some point that worm may turn on them and they would wish that someone else had shared some information with them.
So the fact is the private sector, hopefully, by encouraging their colleagues in different sectors, will be able to move someone who may have that attitude that you indicated.
Q CNN reported that on January 29th, a company called Envisioneering (phonetic) observed that its servers were being used in an attempt at denial of service attack on both Yahoo and Amazon -- terminated that, but did not really understand the significance until more than a week later when it met in professional conference on the West Coast. How will these new entities that you're describing make it possible for that passage of time does not occur, and will there be a way that people can -- on-line or by telephone, or whatever -- contribute these reports and --
MR. PODESTA: Well, I think that's the fundamental point of -- I may ask Harris to address this question as well -- which is, by creating a more formal partnership, by dealing with a situation in which people have essentially protocols for sharing information and then for -- for understanding both the attacks, distributing solutions, and then encouraging people to actually use them, rather than waiting to be -- that was another point I think that was made very strongly in the meeting today --that people kind of wait for their sites to be attacked before they implement the appropriate tools that might prevent it. And I think by creating this partnership, again understanding the security holes and being able to patch them, and encouraging individual companies and places in the Net that might be weak points in the Net to actually implement those solutions, we can essentially cut down on that time that you describe between understanding an attack may be coming and seeing it to fruition. So the defensive tools can most clearly marry up with kind of the offensive threat.
Harris, do you want --
MR. MILLER: I think a lot of what came out at the meeting today is that there is a lot of information out there, but, for various reasons, it is not necessarily getting systematically to the widest possible audience. So this commitment and effort, through this effort and others, is to get every business person who is on the Internet -- which is soon to be every business person -- to understand that in his or her risk management assessment, paying attention to information security has to be a high priority.
And what we're going to try to do in this sharing information is to make it as simple as possible, because people are very busy. Business people are very busy with lots of different priorities -- making money, meeting payroll, developing new technology, et cetera, et cetera. So if we can simplify this as much as possible, make the information sharing as much as possible, get people to practice what some referred to in the meeting today and Mr. Podesta mentioned, as good personal hygiene, realizing this is a priority, then I think a lot of this problem would be solved.
As one of the people pointed out in the meeting today, the problem isn't in the Internet, itself, so much. The challenge is primarily on the businesses and organizations on the Internet. And so getting them
to buy into giving information security a higher priority and making it simple for them to do so is the key to widespread adoption.
Q Mr. Miller, in the Y2K experience it became necessary to pass legislation to give the business community some antitrust protection before they could share this kind of information. Do you think the same thing is going to have to be done for cyber security?
MR. MILLER: Our legal committee is actually looking at that issue right now to decide whether that would be appropriate and necessary. There are also questions about information shared with the government in certain provisions under the Freedom of Information Act, because obviously companies don't want to share information in what they believe to be a proprietary closed system, and then find because of existing FOIA provisions that somehow that information is available.
So one of the provisions which you'll see in the statement which we issued today, which is fairly general, but it says we're going to look at all appropriate laws and make sure there are no impediments to information sharing in the current legal system. And I would hope that if we identify those we'll be able to work with the administration and the Congress to get those impediments removed.
Q Mr. Podesta, you said that this was a global problem, a global issue. Are other countries doing enough? Should they be doing more?
MR. PODESTA: Well, I think that the other countries are doing more, and other countries need to step up their efforts. One of the things that the person who runs the CERT out at Carnegie Mellon said is that there are now 80 countries that have a similar threat center in their own countries. Obviously, there are more than 80 countries connected to the Internet, and within those 80 countries themselves, there's probably a higher or a lower level of participation.
So I think we need to step up the pace of work around the world because, again, these are network of networks that are global in scale and need to be addressed in that fashion -- the borders are going to matter a little bit less with regard to the kinds of attacks even that we saw this past week.
MR. MILLER: The private sector is also trying to increase collaboration globally. My association works with 38 other high-tech associations worldwide. We've had info-sec on our agenda for the past year and a half. Again, it's been slow getting other countries to pay attention to it. I think the events in the last week will help that. Our next meeting of our global association, which is called the World Information Technology and Services Alliance, is going to be Geneva next week -- because we're going to visit the WTO, Mr. Secretary. But while we're there, one of the issues we will be discussing is information security, and also under consideration is possibly of a global conference.
We were very instrumental in hosting one of the first global conferences on Y2K back in 1998, in conjunction with other business organizations, such as the International Chamber of Commerce. And we're going to look to see whether a global conference on information security, either late this year or early in 2001, might also be appropriate.
THE PRESS: Thank you.
END 2:17 P.M. EST