* * *
* * *

White House Conference Center
Truman Room
Jackson Place and Pennsylvania Avenue, N.W.
Washington, D. C.

Monday, March 18, 1996

Meeting on the Federal Role in NII Security:
The Dialogue Continues.
March 18, 1996

MS. KATZEN: Welcome. Thanks for coming. I'm Sally Katzen, the administrator of OIRA.

This is the eighth meeting that the Security Issues Forum has held regarding the security of the NII. The first seven meetings were used as a basis for our Security Issues Forum draft report, "NII Security: The Federal Role." We hope this meeting will help us finalize that report and move along to other things.

It is my view that we have come a long way in identifying the issues and the areas of common concern, both to the private sector and to the government. As a user of the NII, the government has significant interest in its security and I think our report reflects that interest.

At the same time, we have long acknowledged that the NII is to be designed, built, owned and operated by the private sector and that the private sector, therefore, has to be a full partner, if not more so, than the government in assuring the security of the NII. The comments that we have received on the report reinforce for us that assumption, that belief.

Today we're going to focus on three areas of the draft report that received the most comments and, not surprisingly, the most attention in the press and with the private sector generally: security products and their certification; infrastructure reliability and vulnerability, including threats and risks; and cryptography. We will have one panel for each of these issues.

Our witnesses on each panel were selected from those who commented on the report. This will give them an opportunity not only -- and I hope I use the term "not only" as a guide -- don't just repeat what you've told us before but use this opportunity to comment on what others have said and to raise other kinds of concerns so that we're not simply repeating what we've already had the benefit of considering.

The first panel, which you see assembled before you, will discuss security, product certification, whether certification or quality assurance is necessary, and, if so, who should be responsible.

The witnesses for the first panel are from the Computer Systems Policy Project, Information Technology Industry Council, and the Information Industry Association. Our government representatives are from the National Institute of Standards and Technology and the Federal Networking Council.

The second panel will discuss infrastructure reliability, what are the risks associated with relying on the NII and are they acceptable. If they are not acceptable, how are they to be mitigated. Witnesses will be from GTE, the Bankers Roundtable, and the U.S. Council for International Business. Our government representatives will be from the National Communications System and the Departments of Defense and Justice.

The third panel will address Cryptography and the questions surrounding the proper balance between the private sector's confidentiality and privacy rights and the government's national security and law enforcement public safety responsibilities. Witnesses include any and all of those from the previous panel and the government representatives are from Justice, the National Security Council and the Office of Science and Policy in the White House and the State Department.

Now, although I am a lawyer and therefore feel comfortable in hearings with all the trappings of due process, I am hoping that we will have a much more informal-type operation here. As I said, I would like to encourage you to comment on other submissions. I hope we will have dialogue.

Do not think of me as sitting at this table on this panel. See me somewhere in between, as having useful conversations among and between all of us.

As we begin each panel I'm going to ask the government representatives to introduce themselves -- without an opening statement, gentlemen -- then I'll ask the witnesses to do the same and offer whatever statements they wish. Thereafter you can ask questions, you can comment, you can engage in dialogue and it will be quite wide open.

The gentleman sitting there with the mouthpiece on is doing us yoeman's service because many of the agency representatives who have an interest in this could not be with us today and we thought it best to keep a transcript of the proceedings.

I think I have handled all of the administrative matters that I've been told to address so let me start by having the first panel discussing product certification.

Dennis, do you want to start and introduce yourself? MR. STEINAUER: No opening statements, huh? (Laughter.) MR. STEINAUER: I'm Dennis Steinauer. I work at the National Institute of Standards and Technology. Actually, I work for Stu Katzke in the Computer Security Division but I also co-chair the Federal Networking Council with Steve Squires.

One of our concerns in the Federal Networking Council is making sure that government use of key elements of the NII, with a particular focus on the Internet, can be done in a safe and secure manner.

MR. SQUIRES: I'm Steve Squires, of ARPA.

MS. KATZEN: Well done.

MR. KATZKE: Stu Katzke, chief of the Computer Security Division at NIST.

MS. KATZEN: Do we have a particular order? Should I start with Oliver? MR. SMOOT: Of course, we could do the same thing. Rip up our prepared statements, because I think at least we were going to say exactly what we said before. But having been given this invitation, I'll say something different.

I began to get seriously involved in standards in 1986 for ITIC.

Particularly since the Europeans launched their single market program the attention to standards and to certification or accreditation has increased many fold. We believe that we have made some false starts and gone down some wrong roads in this. And, in particular, we believe that it's time to start taking apart some of the certification and accreditation layers that have been added to the business process and go back to a more fundamental assurance.

Basically, our position generally with regard to products -- not security or NII products -- is that first, suppliers want satisfied customers because they want repeat business. And the way to get that in this area is for the supplier to be able to test the product once at a location of the supplier's choosing and have that test result accepted world wide, preferably through supplier declaration. So if you want to say that you can form to any standard you should do so and you should be made to stand up to meeting that test.

In many countries of the world there are lots of other bodies that like to help you out by testing and certifying your product. If this is useful to your customer then it is useful to the supplier because it makes for a satisfied customer. But as a general proposition, we don't see the need for or the value of a priori third party testing for products. And when we look at the area of security, frankly, we don't see any different considerations applying them for other products.

I think that's pretty much the basis of our position. And I just re-read your report and I think it pretty much covers the issues that were raised in the report.

MS. KATZEN: Thank you very much.

Dan? MR. DUNCAN: Well, I first started out here in Washington working for a very respected member of the conference who once told me that if you have a good story to tell keep telling it.

(Laughter.) MR. DUNCAN: So I am going to briefly review what we had submitted as written comments and update on a couple of things that I think will show the progress the private sector can make in important areas, including developing standards for security or copyright management information systems. Because that, in my opinion, is what the real crux of the problem comes down to in the NII, and that is the need to protect information that is transferred over electronic networks, specifically information that is proprietary.

I think that is where we need to draw a line as well, between the private sector and its role in the NII and the government and its role in the NII.

For, in fact, the role of the government in the NII should make as much information as is held in the hands of the government accessible to as many people as possible.

The importance of security is certainly there for intellectual property holders. I think that is one reason why you've seen a great endorsement from the industry of current copyright legislation that's before Congress that proposed the inclusion of a new Chapter 12 under Title 17 of the U.S.

Code, which would put both criminal and civil penalties in place for those who tamper with both copyright management information and the systems which have been put in place to protect the copyrighted works that will go out over the NII.

We, in the industry view this as a great step forward. In fact, it is relevant to one of our earlier comments which we submitted back in September, that we need to have a strengthening of criminal laws that will prevent tampering with copyright management devices.

We believe the government should have a limited role in this area. We believe that the most proper role for government would be in educating the general public and perhaps also working with various information industry sectors to make certain they are aware of advances that are going on in other sectors of the industry.

Industry itself is working in that manner. IIA, back in October of last year, began the process of trying to develop a new group that would look from many industry segments at the idea of an interoperable standard for copyright management technologies which would include things like encryption, payment mechanisms, copyright management information and track information for use on the NII. We believe that industry can come to agreement on this but we believe it is an agreement in which industry must take the lead. Industry is best informed of the developments of these technologies, is best able to respond to market demands.

We did invite members from NIST to attend an organizational meeting that we had just a week and a half ago in Washington. Unfortunately, because of the snow storm and many other factors, I don't believe they were able to be there. But we want to encourage their involvement in listening to industry and helping guide us in our talks and how best to reach a consensus on facilitating their operations.

Government is and is going to be increasingly a large user of the NII.

The government is generally not very good at innovating technologies.

That's why we have recommended in our comments that as government finds its needs in cryptography or in protecting information or authenticating information to put out on the NII that it go to private sector products that are generally already acceptable in the marketplace and are already in use. They are ones that can easily be substituted and adapted to.

We feel that if government locks in a certain kind of technology the danger is that it will stay locked there for many years to come and that will not serve either the public's needs or the government's needs, especially if you consider how easily some of these technologies after a few years in the marketplace can be broken into.

We do recognize the special government need for protecting its information when it comes to areas of national security, protecting the national interest and certainly protecting the privacy of individual citizens. But we do not believe the government should have a role in oversight if that is going to lead to either a direct involvement in the standard setting process or regulation of standards that may be developed in the private sector.

In fact, we think history has proven that deregulation spurs development and innovation in this area. We think that's one reason why there are so many deregulatory features in the recent Telecommunications Act that was passed by Congress, a recognition that that industry can only grow if government gets a more limited role in trying to determine how that sector of the economy should grow.

Again, I would emphasize that as government determines its needs to protect certain kinds of information that it make certain that it keep in mind the principles that lie behind the Paperwork Reduction Act of 1995, and that is the government's role in this area is to make more information available, not less information available.

MS. KATZEN: Thank you.

The other Dan.

MR. HOYDYSH: I want to give a little bit of an introductory speech after these two presentations, otherwise I won't have much to say.

I'm Dan Hoydysh. I work for the Unisys Corporation but I'm here to represent the Computer Systems Policy Project, a coalition of 13 chief executive officers. I say that only to give some perspective to the concern that we have. Our CSPP companies employ over 815,000 people worldwide and generate about $216 billion of revenue annually, 16 percent of which is generated from overseas transactions. So while I agree with everything that has been said before and would reiterate some of these points I maybe have a little bit different spin or at least a different perspective on this.

We believe and we testified earlier on in our comments in very simple and straightforward terms that it's the role of the private sector to provide solutions that are acceptable to customers. And we also indicated that we thought it was premature to begin talking about developing any kind of certification process. We think that certification, as has been said, has to be market driven, has to be voluntary and, to the maximum extent possible, using existing mechanisms for which there are ample precedents.

We thought it was premature because as far as we can see at this point there is no real demand in the marketplace for certification on security systems. If that demand were to develop there certainly exist mechanisms through which it could be handled.

The other issue that I would like to touch upon is the fact that we're here talking about NII but it is our position that the NII can not exist in isolation. It is really an NII/GII issue. And the NII becomes GII as soon as it moves outside the U.S., and that happens hundreds of thousands of times on a daily basis.

We think it's premature to discuss things like certification because we have yet to really resolve the question of how we will be able to deal with security in terms of international transactions; how we're going to be able to deal with interoperable security solutions that are going to work both in the U.S. and in Europe or other parts of the world.

To some degree I think the agenda recognizes that problem. Because if we were strictly talking about what happens in the U.S. the last panel on cryptography would probably be less interesting than it might otherwise be on the theory that there are no plans to impose restrictions on cryptography in the U.S.

But I think there is recognition and I think one of the things we would like to see and we've certainly commented on before is a clear recognition that some of these issues can not fully be resolved and must be resolved on in a global context.

MS. KATZEN: I think it's up to you, gentlemen.

MR. HOYDYSH: One more. I will throw one thing back at the government.

In the report there was a statement about promoting security to which we reacted. We were commenting to what was in it. I guess it would be useful maybe to hear something back as to what more maybe the government had in mind. What was behind that statement on the certification process as well.

MS. KATZEN: If you'd like to hold that thought for just a second, what I heard in the last few minutes was that it's premature to think about this issue. And if one were to think about this issue it certainly shouldn't be done. And even if it were to be done it certainly shouldn't be done by the government. Any comments? MR. STEINAUER: I guess one of the problems might very well be that I think there's a difference in concept of what certification is.

Certification is probably an inappropriate word to have used in the report itself. I think certification implies that there's something out there, if you don't have that seal of approval you can't use it. That's it's a proscriptive process.

I think in most cases where they were talking about security technology or other types of technology in general, that the real concern is that when there are either standards or accepted specifications for a product or a certain type of technology, whether it's for interoperability purposes or for some other type of purposes, such specifications have been agreed upon in whatever community chooses to use those.

Then we feel there is a need by some suppliers and some users, particularly government users and I would suspect also private sector as well -- but there's no question that government users often look to some sort of a validation, which is the term we're using, that given products actually implement a given specification the way they say they do.

Now, I'll let you comment about the value of self-certification. I think we agree that that is one of the spectrum of types of validations or certifications -- pick your word here -- that very well may be appropriate.

In other cases organizations or buyers may say 'No, I really need something a little more than just the vendor saying that this is real good stuff.' So I suspect that a lot of this problem is what really is meant by certification? And I don't think we really view it at this point as something nearly as proscriptive as the name makes it sound.

MR. KATZKE: Let me give you some history on this, where we were coming from in the testing.

DOD developed a number of standards in the past, a signature standard and other types of standards which were very much functionally oriented standards and very easy to test. In fact, over the years we had developed automated testing techniques -- have their products tested, give the test results and then we'd issue a certificate saying 'This conformed to the functional standard.' We moved from that into a standard which was called "Security Requirements Directed Modules, FIPS 140-1." That became a little bit more complex. In meeting that standard we used something in NIST that NIST has available to it called "The National Voluntary Laboratory Accreditation Program," which allows NIST to set up third party testing services, commercial organizations for any kind of testing, not just security testing, and used that program very successfully in conjunction with the Canadians. We have three labs now between the U.S. and Canada that are doing testing against 240-1.

We essentially step out of the way once this is set up. A vendor has a product they want tested. They would go to the laboratory, make any agreements that they have with the laboratory; the product gets tested; the report comes to us; we look at the report; we put the U.S. Government certificate on it and basically we issue the certificate. That can be a discriminator in the market.

What we've done with security is that general security testing is very difficult. It's very difficult to set up the objective tests. You need to do one-of-a-kind testing of various kinds of products. Security may be unique in that case. But I guess I feel that security testing is important and difficult.

Let me give you an international perspective.

This problem is being faced by all governments internationally. We have been working with the U.K, Germany, France, the Netherlands, the Canadians, et cetera in trying to look at security testing. They have experience in the U.K., Germany of setting up labs to do this kind of testing, the same kind of deal. A vendor can take the product to the laboratory, have it tested and get their certificate for it. And they've started addressing the mutual recognition issues which are important to you.

My view is that we're going to have to have some kind of a testing capability within this countryand then work out mutual recognition agreements with other international countries. At least that's the way the European model is in terms of mutual recognition.

We are also working on a common criteria which is sort of -- it's a very general kind of criteria which you can do testing against which is very important, again, for the security purposes. To develop tests for one-of-a-kind things is very difficult. The criteria provides a framework against which you can do testing. I don't want to get into the details of that right now.

I think that the combination of the criteria with the National Voluntary Laboratory Accreditation process and working with industry to set up a forum where anybody, not just the government -- it could be standards organizations like ANSI X-9 -- in fact, we were just talking with them about it this week, ANSI X-9, about a testing program where industry groups can also participate in this process. They can use the Navlab process to work with labs to do tests against standards, specs, whatever they want to.

Once the labs have been accredited to do that it's a totally commercial venture in which the developers would take their products to the labs, get them tested, then these groups -- whoever sponsored the testing, would approve the products that come out. That's one model that can be used.

MR. SQUIRES: Actually, there have been a couple of references to the way things have been done before and to some extent it may have worked. To another extent there are glaring areas where it hasn't worked so well.

The thing that occurred to me in listening to both sides of this conversation is the fact that the world of Net is much different from the world of NADS. Even though we've had a lot of information technology, I think the world of the future, NII and GII, represents a fundamental challenge to both the way the technology will be used and the way society responds, particularly in this area.

What I'm curious about is the extent to which the people in the private sector panel have been thinking about how they'd like to see things change to deal with the way things are turning out to be done on the Net.

MS. KATZEN: The panel is welcome to comment.

MR. SMOOT: Give us an example.

MR. SQUIRES: For example, if you take a look at what happens today on the Net: some group proposes a draft standard that gets widely and openly discussed, prototype implementations are put up, versions are widely distributed and intensive informal testing and evaluation takes place all over the globe, very rapidly feedback occurs and the products get refined.

Is there anything wrong with that? Are there ways to improve that? MR. SMOOT: I think it works real well in this context but I don't think that the IETF context dominates those worlds.

I would assume if you asked Bell Corps -- they have a similar process that has worked fairly well since we split up the AT&T system which accomplishes the same end for their type of product.

I take it the basic thing you're saying is that since we're going into a network dominated era you can't be as stand alone-ish and cowboy-ish about products as you used to be. I can't think of anybody that I deal with who disagrees with that view of the world. We all have to fit into the Net so that we don't cause harm to the network in a sense other than putting too much electricity down the wire.

I think the thrust of our comments generally and in this area are that we don't see the need -- you summarized it very well -- a government gatekeeper or even the need for a single set of private sector gatekeepers unless the customer wants it.

MS. KATZEN: Let me push on that a little bit. Let's just assume for purposes of this discussion that the government would have no role -- none, zero, zilch -- in the setting of the standards or the certification, either piece of that. If that were a given would you still say that there is no need for standard setting or for certification? I heard -- I think it was Dennis, or maybe it was Stuart -- say that gosh, for mutual recognition purp oses you need to have some sort of outside validation. Customer satisfaction may not be the sole criteria for global, let alone domestic acceptance.

I also heard someone suggest that where standards are set -- I'm thinking of, you know, railroad ties and all the trains go over the track without having to come to an end of the line, stop and change their wheel structures. Where things are set you can actually facilitate growth, you can facilitate more transactions.

So let's just assume no government, no how, no way. Are you still saying that there should be no standard setting and no certification except on an individualistic, ad hoc, come as you get it type basis as long as you do not harm to the network, if you want to add that? MR. DUNCAN: That is not what I'm saying. What I said in the written comments -- MS. KATZEN: I think it's important to do this because I suspect that some fear of the government involvement caused people to pull back more than they need.

MR. DUNCAN: As I mentioned, Sally, even as we are trying to get together with various segments of the industry and this interoperable standard setting facilitation, we're trying to get that done. We've invited NIST to be a part of that.

We recognize that there is a certain amount of expertise and experience in the rest of the government as well as what I mentioned earlier. The fact of the matter is that government is an enormous user of this network, is and will be. But there's a big difference, I think, between having the government sitting at a table where standard facilitation is being discussed as a participant in the network and having government sitting at the table saying 'This is what we think we need to do and this is what we think you need to do and then we will oversee all of this.' I think there's a big difference between the two.

MR. HOYDYSH: To follow up, our testimony was -- we didn't say 'Don't do anything ever.' We said it's premature. It's premature because we don't see the market for that implementation. You can rest assured that when 80 percent of our customers say 'We want the government's seal of approval.' we're going to go out and try and get the government's seal of approval.

We're saying let the market dictate how this develops. That's why the question of timing is pretty important and it wasn't entirely clear what your proposal was in terms of providing it.

The other thing I would say is that when you talk about mutual recognition that assumes that you can export something. Right now we're limited in what we can export because there isn't this overwhelming need.

The other factor that comes into play is that the government has a particular need or angle with respect to security solutions that it might not have with respect to other technical solutions. So the government involvement in technical solutions standards or certification raises issues that aren't raised with some other thing because there's a particular need the government has to deal with, maybe they want to impose certain limitations.

What we were saying primarily is it is premature to embark on some kind of a structured process where we define the government is going to do this, the government is going to do that. We're just on the first step of that in terms of demand. We have to wait a while to see how things develop. We didn't say in our thing that the government has absolutely no role.

MS. KATZEN: Is it also premature, if I hear you correctly, to have a private sector certification process in place? You said there is no market demand now for the government to give its seal of approval. Forget government. Is there any sense that there may be a market demand or otherwise for some sense of validation? MR. HOYDYSH: In our particular market and from our companies I haven't heard that mentioned.

MR. KATZKE: I mentioned just this week or last week when I went to the ANSI X-9 meeting -- the reason I went down there is because they were thinking of setting up their own testing capability and wanted to hear what kind of things we were doing and how they might be able to piggyback on some of the ideas that we had. We talked about this. It's a very broad program.

MR. HOYDYSH: I'm talking from strictly market and customer perspectives.

I haven't gotten the word yet from our companies or from our people that this is an issue.

MR. KATZKE: The X-9 group, our customers, our users, they're commercial users -- the financial community -- and they're very interested in how to do this.

MR. SQUIRES: The question that comes to mind then is if it is premature how do you decide? MR. HOYDYSH: It's premature but you have to tell us what is premature.

At least I think I'm saying it's premature to establish some kind of major effort organizations or whatever.

What is it that you have in mind? MR. SQUIRES: I'll tell you one practical thing that we're trying in the context of the Federal Networking Council, and that is that a collection of federal test beds and federal interest test beds are working together to improve the information, security and some other interoperability features of their Nets. These tend to be high performance Nets but they can also be more typical performance Nets. But they tend to be operating in the gray areas between the research community and something which is a full blown, fully developed commercial product they're using.

They're taking results that come out of the normal research community process as a prototype for what comes out of the normal collaboration between the research community and the research sectors of industry, try to understand how to really make them work in a fully interoperable way among the different test beds. These are fully heterogeneous test beds. How to add the security features to them and enhancements to them so that they can improve their security and privacy.

And in the process we hope to learn how to make the transition between sort of a research experimental enterprise and transition into commercial practice. We're not quite sure where the boundary is.

One thing we have said is that we will be willing to experiment with the NIST laboratory process by simply doing pilots if that community of users has reason to believe that a certain collection of technologies really is at the point where they're ready to proliferate and they have a pretty good idea of what it needs but they no longer want to do it themselves, they'd like to try to spin up a group that works with them to make them more efficient. And they can also use those results for other sectors. That seems to be the kind of process that might work. We don't know.

So here's a case where the Federal Networking Council has embarked on this experimental technology and policy development because we're in this gray area between the research community and the full-blown commercial deployment.

MR. DUNCAN: I'm a little confused. The activity you just described, is that something that's going on within the government and with government employees involved or are you involving private sector companies? MR. SQUIRES: It involves private sector.

MR. DUNCAN: Private sector contractors to the government agencies? MR. SQUIRES: Yes. Because some of the federal networks and some of the federal interest networks actually have a significant amount of private sector involvement. For example, the NSF super computing centers, which is some of the federal interest networks, is essentially the private sector.

But there is the NSF connection.

MR. DUNCAN: But they're developing these products for government use.

MR. SQUIRES: What they're doing is they're taking products out of the research communities -- prototype products out of the research community, what look like reasonable products -- commercial, off the shelf products, but maybe using them early. Using them, say, in a more expansive way than they might otherwise use them. And they're using them to try to improve the security of the test beds.

MR. DUNCAN: "Their test beds" being government test beds? MR. SQUIRES: Government and government interest test beds.

MR. DUNCAN: One of the things we come in on that I would like to emphasize is if these are products being created for government use, basically the government is using them to put out government kinds of information. And if you're thinking of doing something in the way of standardizing across government entities in our view that is something that could be a public good. And if you're doing it for the government then it should be made public. And other parts of the society, especially private industry developing products, ought to be able to know what you're up to and have a right to whatever things you are developing. I think that's a proper role for government to do.

I have no difficulty with you developing test bed models and developing ideas for software products if you think there's a need on the part of government to have those sort of products. But except in very rare cases where they can not be made more available to the public, something they could take a look at to see if they could improve, something that could spur economic growth and development in this area because of national security interests or because of protection of personal privacy or whatever, they should be made open and available so they could then take them and use them. I think that would be a good way to facilitate a process by which everybody sort of knows what's going on in the marketplace.

MS. KATZEN: Let me respond to Dan's question earlier about what did we mean "being somewhat hesitant." I'm usually not that sort. Let me suggest that there were at least two points that we were trying to advance.

One is following up on where Steve just was with the other Dan in terms of making federal security products available to the private sector, the sharing of information and facilitating of people using and developing materials.

There was somebody who made a comment about the federal government isn't very innovative. No, but every once in a while we have an idea or two and if we do we ought to be sharing those. So that's part of one of it.

MR. KATZKE: Like, say, the Internet.

MS. KATZEN: The Internet, that was not a bad idea.

The second piece -- MR. DUNCAN: Although it's been more developed by the private sector.

MS. KATZEN: Absolutely.

MR. SQUIRES: And we took full advantage of it.

MR. DUNCAN: So did we.

MS. KATZEN: But the second part, which is the part that I was sort of trying to pursue in my somewhat provocative questions early on, was the concept that the government might be able to promote the development of private sector certification standard setting efforts; promote the convening at the table at which people are sitting to discuss their various needs, as you welcomed in your comments. Everyone come to the table to discuss the needs and to try to come to some resolution of this; government promotion of the process. That would be done through private laboratories.

That would be done through private standard setting organizations.

That is why I was pushing on is it the fear of the government's involvement that made everybody pull back and say 'No, we don't ever want anything like this ever in our lifetime,' which would be a normal response to government. 'I'm from OMB. I'm here to help you.' Ha, ha, ha is the normal reaction that that gets.

But we honestly thought that there was a virtue to having standard setting and certification done through the private sector and was looking to see if there was a government role in promoting that private sector process. But I'm not getting anything on that and that's why I feel so frustrated and why I keep pushing on this issue.

MR. SMOOT: I don't think that that came through at all in the text.

Second, based on what you just said, let's totally separate standard setting and everything else.

I think as maybe Steve, Stu and Dennis have said, we're entering an era where developing and accepting and using standards is going to be much more critical to the success of your product as the success of the network, the NII or GII.

In that process, at least my members want everybody who has something to say to be involved so that we come out with standards that are both relevant to the marketplace and technically feasible and implementable at a price that you can make a buck on. So we, for instance, given your hypothetical earlier, we want the government involved heavily in the standards setting process.

However, the clipper standard and the digital signature standards are counter-examples to that. They are NIST issued standards without going to the private sector. Turning, for instance, to the IETF in a way that is very applicable to that kind of technology sort of does the standard setting and implementation testing and certification, because you don't get to have a final standard unless it actually works.

Or, most of the time it works because you're only doing limited testing.

That works very well. But one of the big problems that we see is over-generalizing from that. That's sort of one side.

On the certification side, certification usually has been used to assure somebody of something but it's not always true that certification is used to assure that something definitely works. Frequently it is used to limit market access or to control what goes on the market.

You are exactly right within the area of computer security. I believe there is a significant concern in the private sector that a government run certification program would be used to control what goes on the market, whether for good reasons or for lack of resource reasons. You only have to look at the experience with the Orange Book certification process at NSA saying 'Gee, it was a big hurdle to jump through, cost a lot of money, took a long time and I don't know of any company that made any money out of the products that went through the process.' MR. MC CONNELL: Unisys, in fact, is one of the only companies.

MR. HOYDYSH: You should see how well we've done.

(Laughter.) MR. SMOOT: As a further example of all of that, perhaps for good reasons, the European community developed a system of directives that are highly dependent on standards and to some extent on requiring third party certifications. So within the business community when you say "certification" in a global context it has an overlay of governments, like the EU, requiring certain things before you have access to their market.

They did this at least ostensibly so that they could pool together the 14 national markets -- now 20-some -- which have strong traditions of their own product families, especially telecommunications. It's very hard work but it has a whole lot of impacts outside of the European union.

The only reason we're having MRE talks with the European Union is because of the market closing aspects of that. There is no technical or business justification to do that for any other reason.

MS. KATZEN: That's very helpful. Thank you.

MR. DUNCAN: I still think we have to be realistic here. When the federal government walks into a room with private industry and starts talking about these issues it's like the 800 pound gorilla. Maybe Congress cut it down to 750 pounds by the end of the year but it's still a very large player here, not only because of the size but also because it is the government.

I think even when we talk about things like promoting standard setting by the government I think that's when you begin to get into kind of a dangerous area. I think it's proper for government for its own needs to look to see if there are standard ways for the government to adapt technology that works best for the government. As they do that they should make that a very open process, they should make it a very open process, not just to the benefit of the private sector but equally of benefit to the general public who is going to be using, hopefully, the vast amount of the information the government is creating and trying to manage or protect in some manner to insure authentication.

But I think it's a much more proper role for government to listen to what the private sector itself is doing. The private sector is not lagging behind in trying to develop these technologies. There are a myriad of them out there.

The private sector also clearly is not now lagging behind in the attempt to try and come to the same sort of general agreement on how best to make these things work better for the purpose of the private sector's needs and also the customer's needs. Because, you know, as Ollie had mentioned earlier, we only do this because we need to get a fair return on investment. We need to make a buck. We are not developing technologies so that they aren't going to be useful by people and still protect whatever needs need to be protected to make sure they get accurate information, that it's authentic, that it's at a fair price and that they can be assured that what they're getting is what they looked for in the first place.

I think government can play an important role in that but I don't think government should lead the way and bring industry into the room and say 'This is what you need to do now.' It's great to have an educational forum. It's great for you to gauge where things are in the marketplace. And if people from the private sector come to you and say 'We really need government to step in at this point and do this then I think that's an appropriate time for them to get much more involved. Until that comes, however, I think we have a tendency to chill progress and innovation as opposed to aiding progress and innovation.

MR. HOYDYSH: When Sally indicated there were two points as to what you meant by that statement in the report certainly the first one is easy to understand. We know what that involves.

But then in your second point you said "Promote private sector efforts and certification through private laboratories." I'm still not clear, when you say "promote" exactly how do you intend to promote for one and what do you expect to gain out of it? What's the benefit of the whole process for the society, to industry. You're role in promoting is still not terribly clear of what this means.

MS. KATZEN: I think the difficulty in being very clear is because there isn't a single idea. One of the reasons for having the draft paper and comments was to get people's ideas on how the government could promote -- not just for us to answer the question.

You talked about the educational campaign. That's an attribute in which you all feel very comfortable. There may be other attributes in which you feel comfortable. So when you say to me 'What did you mean by this?' or 'What did you say by this?' part of it was to use deliberately vague terms to see the reaction that we would have.

And what would we get out of it? There are some who believe that there is a virtue in having a certification, a validation process, even if it is wholly done in the private sector, but that it would facilitate the growth of the NII. And even though we are not responsible for it, we want to act as a catalyst. We want to act as a stimulator. We want to act as an encourager. And if the encouragement f a standard setting or certification process -- and I understand there's a distinction between the two. I'm just using them as two sides of the same coin. And if that were to facilitate the growth of the NII we get something out of that because this is, I think, an affirmative public good. So it's not completely altruistic but it's probably closer than you suspect.

MR. HOYDYSH: I understand that. It's in everyone's interest for the NII to go and the NII or the GII to be secure.

The real question that I want to grapple with is to whether your promotion actually advances that goal or retards it.

MS. KATZEN: That's what we're getting on comments.

Last comments from you, gentlemen, before we move to the next panel.

MR. STEINAUER: I have a couple. One: you had commented about making sure that government work got out and wasn't kept secret. Under very limited circumstances I would suggest that the flow of information has been very good. And I would think that the stuff that Steve and I are working on in the Federal Networking Council and a lot of this other stuff, that's getting out. There is no attempt whatsoever of keeping that secret.

MR. DUNCAN: That's to encourage, not to criticize. To encourage that kind of activity, to continue it. That's what we're doing.


The other thing that you had commented on was government developing things for its own use. I think to a very large extent that part of the world has really changed. 99 percent of what the government does and the products it needs to do it, both in information technology and the security standpoint, is probably exactly the same. It may rearrange things sometimes and in some cases we're more concerned with one part of the problem more than others but the basis technology is the same.

And indeed, what the government wants to be able to do is to confidently buy things off the shelf, not have to write its own standards. Not have to do all of the things that it has done in the past because it couldn't find things that it felt were necessary.

And I think now both the private sector and the government are much closer than they've ever been in understanding the need for security technology.

And I'll be frank, I think the government led the way earlier on in suggesting there was a need out there, trying to get people to do it and forcing at least government agencies to do things that they might not otherwise have been able to justify. I think that is no longer a big gulp.

I think everybody understands, particularly in the last couple of years, that if we don't solve these problems and get the technology that we already have in use we aren't going to exploit the opportunity of the technology.

MS. KATZEN: Stewart.

MR. KATZKE: I wanted to say something. If you look at recent events -- I've been with the Security Program for 20 years now, the government and industry were very much in sync with each other in terms of what's happening in the security effort. We very often worked in the voluntary standards community. Sometimes we came up with standards and they adopted them; sometimes they came up with standards the other way around.

Whichever. Vice versa.

But the point is, for some of the standards that we started developing we developed the performance tests for those standards and the process by which they were able to get their testing done. That was a desirable thing.

Recently the government has taken a turn, I think out of that direction because of the special needs that the government has. So if you judge what's happened in security by the current events you're going to get a distorted picture of what the government has done in terms of testing and working in the voluntary standards and working with industry. I think there are areas that we can work, in fact, with industry which are less controversial and which are important for security.

The reason why we got into specifically the criteria area is because we saw with the NII a need for quality products that people were going to use to build this infrastructure. It's not the total solution but at least if you don't start with good quality products showing me generally what you're going to put together is not going to be very good. A large part of the quality is assembling the pieces.

The other point is that you're sort of in a Catch-22 situation. You say there's more demand for it. Maybe if we had programs in which we had some kind of a certification process and that was a discriminator amongst products in the market then maybe people would start choosing the ones that were accredited, certified, whatever you want to call it. Then people would start jumping on the bandwagon. Just another thought.

MS. KATZEN: Steve, you get the last word if you want it.

MR. SQUIRES: I'm looking at WWW.FFC. It will describe the collaboration framework and we'll also set up a workshop on this topic a couple of months from now.

MS. KATZEN: Having had the commercial, we will now have the commercial break. Thank you very much for your participation.

We hope you'll sit through the next panel, stay around and invite Tom Carty, John Rippey, Melanie Janin, Diane Fountaine, Fred Herr, Sheila Dryden and David Keyes.

(Pause.) MS. KATZEN: This is our second panel on reliability of the information infrastructure. Why don't we start with Tom Carty, from GTE.

MR. CARTY: Thank you.

MS. KATZEN: I'm sorry, let me do exactly what I did last time because they didn't give that much trouble.

Could we have each of the government persons identify themselves? Diane? We'll come back to her.

MS. DRYDEN: Sheila Dryden, the principal director for Emergency Preparedness Policy within the Department of Defense.

MR. KEYES: David Keyes, from the FBI. I'm representing the Department of Justice as well.

MR. HERR: Fred Herr, with the National Communications System. I also serve as chairman of the Reliability and Vulnerability Working Groups of the IITM.


Tom? MR. CARTY: I guess I'll start. Tom Carty, from GTE. Just by way of background, I've been involved as a company and as an individual in developing security infrastructure for the government for the past 15 years and have just recently launched a commercial venture, if you will, in providing security infrastructure.

Just to let you know a little bit about the background. But our experience of providing infrastructure, what we've learned is infrastructure becomes a very gating item in bringing to market, if you will, a large-scale security-enhanced system to reality, much more so than the individual technology associated with security.

The security management aspect of the security offerings, if you will, are really a process of creating a system to manage security and a process for managing the risk associated with that security.

And as with all opportunity comes risk. The opportunity we see in the NII and certainly the benefits associated with that have risks, but we believe those risks are manageable. I believe that also, in fact, no system put forth will be without risk and the real issue is how do you balance the risk within a system.

To start with, risks must be understood. The vulnerabilities associated with anything that will move forward from an infrastructure point of view needs to be better understood than is presently available today.

Therefore, I believe education is a very important aspect of moving security infrastructure forward. The responsibilities must be clear.

And associated with that are the liabilities that would be incurred with any security infrastructure offering. So I believe there's a large amount of work that really needs to be done in moving the security infrastructure forward. Not that the risks are unmanageable, not that they can't overcome and not that we can't put forward a system to manage or to operate within those risks. But I believe there's an awful lot that still needs to be done. Part of that is, I believe, establishing policy and making a clear statement or a framework in which to work.

I believe there is also a management framework that needs to be addressed in terms of interoperability, in terms of policy interpretation and in terms of how do you manage, if you will, recovery from unanticipated events.

So if you start looking at risks associated with the security infrastructure I believe that there are a number of management issues that need to be addressed. And it's not so much a technology issue as it is a management issue that needs to be dealt with.

MS. KATZEN: Thank you.

Melanie? MS. JANIN: I'm Melanie Janin. I'm with the U.S. Council for International Business. I work on information policy issues generally as well as international telecommunications.

The U.S. Council represents over 300 major U.S. multinational companies so I would be a fool to say that I disagree with anybody in the private sector that's been here today. So -- MS. KATZEN: You agree with everything that's been said.

MS. JANIN: I endorse only the private sector.

And a second caveat is that I have much more to say on cryptography, which is where I spend a lot of my time and effort. MS. KATZEN: I know you'll save that until later.

MS. JANIN: Right. But just a few general comments, if I can.

The U.S. Council a year and a half ago -- actually almost two years ago now, released a booklet on the NII -- there are copies out in the hall for you -- called "Private Sector Leadership: Policy Foundations for NII." It deals with information security, intellectual property, privacy and telecommunications liberalization issues. I believe that statement is very valid today.

Four general points that I wanted to make: as the other panel said, the U.S. Council believes that he NII will form an integral part of the GII so any policies or decisions or implementation that's done would have to be done with that in mind. And all of the work that we do in our Committee on Information Policy at the Council is done with a focus on global issues and we do work with other national governments and with other multinational companies throughout the world.

The second point is the government has a supporting role in the creation of the NII and that is to craft a legal and regulatory environment that is conducive to competition and to the growth of the NII and GII along those lines.

Third: there's a belief that the government should not compete with the private sector in terms of research, product development or the provision of services and that the government should be technology neutral and not favor one technology over the other.

Finally, the government should not attempt to develop, recommend or mandate network standards concerned with interconnectivity, interoperability or security.

A final point more related to this specific panel. The one section of our comments that relate specifically here is the issue of where it says "Government role and responsibilities: That the government will ensure adequate emergency response capability on the NII." Our comments from the U.S. Council here were that we're not really certain how this would happen since the government neither owns nor controls the NII. I was told that that comment is why I have been placed on this panel.

MS. KATZEN: We're hoping you'll give us some insight on what you think we should do.

MS. JANIN: I, in all honesty, would be interested to hear from everybody what the meaning of that phrase was and if there's been any further thinking on that.

And that's all for now. I'll have more to say on cryptography a little later.

MS. KATZEN: John? MR. RIPPEY: Thank you, Ms. Katzen.

I want to praise OMB for doing this and bringing the Bankers Roundtable in late. I think if government innovates slowly I think bankers may be even slower than government. We're here in a room full of high tech people and thinking how the banking industry combines high tech and low tech with the emphasis definitely on the low tech. We are happy to be here among some people who are really forward looking. The Roundtable represents the nation's major banking companies. Our members have 70 percent of the U.S. banking assets and they employ about a million people. And, of course, a number of our members are global enterprises. We have basically the top 100 banking institutions.

We, in our letter last fall, noted that banks are not new to electronic commerce in the sense that the global payments system for wholesale payments has been going on for years and has been very reliable, but not perfect. I think Tom's point about reliability is very well taken because there have been some glitches, even in the large denomination payments.

You probably can't see this too well but there are actually triangles here. The triangle on the left indicates the value of transactions. The triangle on the right is the number of transactions. So it doesn't take rocket science to realize that every day in the G10 countries over a trillion dollars is settled successfully.

Also every day there are well over a billion cash transactions done. So the dollar amount of a trillion dollars, there are relatively few transactions. But the dollar amount of those billion cash transactions is minute. So what we're seeing with the evolution of theInternet is there is going to be a transition in the banking business and the payments system from large denomination but fairly infrequent relative to transactions -- fairly infrequent transactions to much more rapid and numerous electronic transactions but in much smaller dollar denominations.

So in one sense, while we are moving to have many more transactions done electronically than we had before, the systemic risk to the banking system is not going to be all that significant.

There are risks now in the large denomination or wholesale payments system. Probably the biggest single risk is what's called "insolvency risk," where a player bank could go suddenly insolvent and not be able to settle at the end of the day. That, in fact, happened in '74 with the Herrstadt Bank in Germany. That caused enormous ripples in the payment system and caused the central banks to get together and try to reverse how that happened and how it could never happen again.

But it's inconceivable if we move to an Internet-type banking system where consumers are heavily engaged that any failure of, let's say, an Internet bank could cause a ripple in the banking system.

For example, the first Internet bank is Security First Network Bank that operates out of Kentucky. It's a joint venture of Wachovia Corporation and Huntington Bankshares. I have no idea what its footings are but it just started in October so it can't be very big. If that were to fail tomorrow due to some computer glitch or let's say a computer hacker came in and destroyed the entire bank it would hardly show up on the bottom lines of Huntington and Wachovia and certainly wouldn't cause a blip in the entire banking system.

So when we're talking reliability here I think the point we would like to make is that we do have a very reliable wholesale payments system out there that works very well. And what we're moving toward -- and it seems to be fairly rapidly -- is to transition banking mentality and banking operating systems into delivering electronic payment services to individual consumers. In that transition there are all kinds of issues of standards, interoperability, whether it will work, whether consumers will go for it and so forth and so on.

But we have to keep in mind that in terms of the government's interest, the taxpayer interest, exposure to risk and so forth it is not a big risk.

The bigger risk, really, is that if there were a meltdown in, say, Security First Network Bank customers would walk away and would be turned off by Internet banking and wouldn't come back. That's the real risk. It's a market risk, not a payments risk or systemic risk.

We also are concerned -- it was mentioned in the earlier panel -- with what I would refer to as downloading of policies from international bodies into sovereign states such as the good old U.S.A., and the European union seems to be the one that gets the most attention, probably because they have the most bureaucrats per square foot. Their recent privacy directive is going to cause us difficulties, our members, in dealing with it.

One of the functions that we would urge government to be involved in -- I don't know how within government. You know, what agency should take the lead or what have you -- is to keep an eye on these fellows and ladies over there in Brussels and to have much stronger input before these things happen. Because we're either going to have to have that directed on down or else it's going to become the de facto standard on privacy in the United States for financial transactions, and it's way ahead of where we are.

It may be the ideal privacy standard from the point of view of a consumer advocate but it doesn't really work very well in the real world. And there's a danger there that while we talk about letting the private sector work and let a thousand flowers bloom and the government not interfere, over in Brussels they haven't heard that message and we're getting sort of back door policies imposed on us.

So I think it's very helpful for the OMB to be involved in this kind of issueand I would urge the attention given to the international aspect of it.

We're most comfortable and we deal all the time with the Fed and the Treasury. And, as you know, the controller of the currency has been designated as the Treasury's electronic guru or whatever you want to call it -- coordinator for all of the technology going on in the Treasury.

We're comfortable with that. We deal with the Controller's office all the time so we have no problem in dealing on a day to day basis on technology issues or other issues with the government.

So we're not here to say there's no role for government, because there is a role. But what we would say is we certainly don't need at the moment -- forget Brussels for a minute -- any government action regulatory or legislative in the privacy or security area because things are still evolving.

Security First Network Bank obviously has some software that they're very comfortable with to provide privacy and confidentiality and security to their customers but that's only the first one. By probably the end of the year there will be a half dozen Internet banks, just electronic banks, and they obviously will be using different software. So it's much too early for the government to come in and begin to worry about systemic risk because of Internet financial transactions.

So I guess we have a foot in both camps. There is a clear role for government but right now the government role needs to be more of a monitoring and coordinating rather than it does a regulatory or legislative aspect.


I have my usual two provocative comments but since we have so many on the government panel I think I'll defer for a few moments until we see what kind of discussion and debate we get started on our own.

Fred, do you want to start? MR. HERR: Sure.

I guess I'd like to address Mr. Carty's comments and specifically ask for a little bit more information on a couple of points that he made specifically relating to industry understanding risk and better understanding vulnerabilities.

What role would you see the government having in helping industry understand the risks and specifically the vulnerabilities? MR. CARTY: I believe when it comes to a security infrastructure I believe that the wealth of experience certainly within this country and globally rests with the government today. I don't think that position will be retained in the long term, by the way.

But as a result of being in that position today I believe there is a significant amount of education and sharing of information that the government can make available to private industry. And I believe this will also result in better product that will also support, I guess, the commerce and the development of commerce within the country.

I come from the point of view of having recently worked on the SEP standard, the standard that's being developed for Secure Electronic Payments that's being done by MasterCard, VISA and some of the other larger credit card companies. It became very, very clear in the process of doing that that one of the greatest benefits of a very short lived experience, if you will, was the openness under which this was conducted. I have probably seen more insight and ideas come forward in the open forum that that was created in than I've seen in any other single place to date.

I think the government has a wealth of information. I think the government ought to be prepared to make much of that information available today in educating people so they understand what risks they are accepting, what are the vulnerabilities and what then are the risks associated with those potential vulnerabilities and let the decision then belong to private industry as to whether they would like to move forward and accept those risks under the conditions put forward.

But I believe education is a tremendous part of what needs to be overcome.

And we're in the process -- we have just launched, as I said earlier, a commercial product and a service offering education in this particular area. Security infrastructure isprobably one of the greatest barriers that currently exist. So I think this is something the government could really help tremendously and I think it's going to result in furthering, if you will, better products on the open marketplace.

MR. HERR: If I could follow up a second. Does that indicate that you believe that industry does not fully understand the risks and the vulnerabilities that it faces? MR. CARTY: Actually, I've been very surprised. I believe in selective industries -- in particular, the financial industry is very, very astute and very aware of many of the issues associated with it.

But as you start talking about an NII at the national level -- and I also honestly believe the comment that Dan made earlier, that you can't say that any longer. It has to be spoken of in the context of a GII or a global.

When you start talking commerce commerce isn't just limited to the United States. Clearly, we have global corporations and global trading partners.

We have to be ready to address those type of issues.

So I believe there are segments within the industry that are very, very well educated -- maybe better than the government is -- in some of this but I think it needs to go much broader than that. Especially when we start talking in terms of how are we going to help the citizenry of the country and how are we going to do things that are going to benefit the populous, there's an awful lot of education that really needs to be done.

MR. HERR: If I might take a moment for a commercial message. As I mentioned, I chair the Reliability and Vulnerability Working Group of the IITF. The group recently completed a risk assessment of the NII. One of the conclusions of that risk assessment program, the overwhelming conclusion is that the members of the individual sectors need to understand the risks and vulnerabilities to their sector in a lot more detail than they currently do.

So I agree completely with your conclusion. We believe the industry needs to do a great deal to understand its vulnerabilities but clearly it is a joint government/industry responsibility because the government does have a lot of information that can help the industry understand its risks.

MS. KATZEN: David? MR. KEYES: I have quite a few things that I could start talking about and keep going well beyond the designated time.

MS. KATZEN: I won't let you do that. That's not a risk.

(Laughter.) MR. KEYES: But I wonder if there are any specific questions that you wanted to address to me or to the Department of Justice. If not, I can go into some of the thoughts that I had in response to yours.

MR. CARTY: I have a comment. I'd like to raise a comment at least to the federal government.

I believe my opinion is that the government is moving too slowly in this arena in terms of moving forward and trying to understand what are the issues that must be faced to put into place some reasonably secure -- trustworthy is probably a better term -- NII or GII that could be taken advantage of.

I believe that there are a number of areas where the government could come forward. For example, I believe I made the comment originally that without policy that we will move in the direction of least resistance but we won't move necessarily in the direction we wish we had chosen.

I don't think we'll ever get policy necessarily to the point that every person is going to believe what's stated. I believe there's a framework that needs to be established.

The government is probably in a far better position having done this many times to do this, to establish some sort of framework. I believe the federal government is in a very leveraging position and has a tremendous advantage over industry in the sense that when industry first had an installed base you had an installed base of customers on which you could run experiments on a large scale. I believe there's a lot still left to be learned and understood about a large scale security infrastructure.

MR. KEYES: And speaking to the areas that the Department of Justice and the FBI are involved in, I think they fall more into the areas that Melanie raised. Of course, we work daily with the banking industry and I'm very grateful to GTE for its assistance on the intrusion case that you were very helpful on.

From the Department of Justice perspective, we aren't involved in standard setting. We're sort of an operational response entity within the government.

The Attorney General and the Deputy Attorney General, whom I've met on this issue several times in the last couple of months, are very, very concerned about improving the ability of the Department of Justice to speak to the issue of threat and warning; to give the private sector threat information, vulnerability information based on a knowledge base of other cases and experiences that have come to the criminal justice system from any number of different sources.

The Department of Justice believes that there is a need to improve the ability of the federal government to provide operational responses to attacks on the national information infrastructure. Because whatever else they may be, in almost every instance an attack on the national information infrastructure is crime and generally a crime that invokes the Interstate and Foreign Commerce clause of the Constitution and brings it under some sort of federal criminal investigative venue.

So the Department of Justice is very interested in improving the coordination within the Department of Justice and, indeed, with other criminal investigative entities at the state, local, federal and international level to enable a more rapid, robust and thoughtful response to the victim, which in most instances in terms of the Department of Justice, would involve the private sector.

Since the Department of Defense, the NCS and others respond to DOD problems within the FBI, we have merged capabilities between our National Security Division and our Criminal Investigative Division specifically dealing with computer based attacks. We're attempting to look at this simply on the basis of the attack as opposed to the motivation of the attacker. That is an issue we attempt to sort out later.

We believe we need to improve our coordination with the private sector, which is very, very good within the banking and finance industry. I think it's exceptional with the telecommunications industry in connection with our legal authorities there.

We are attempting to expand our outreach program for training through the American Society of Industrial Security, which consists of approximately 25,000 private businesses.

We've initiated threat and warning notification capabilities through a fax system and an Internet system and a system of live briefings that we have traditionally given in the counterintelligence and counter-terrorism arena but hope to incorporate the criminal justice perspective of information infrastructure into those programs.

And at the risk of having spoken too long, I pass at this point.

MS. KATZEN: Sheila -- thank you -- do you want to talk about the DOD? MS. DRYDEN: Sure.

I would just like to say that I think there are a lot of discussions that are taking place with a variety of departments and agencies on this issue.

It is an evolving issue. The departments are actively working to identify issues and propose options for information protection and infrastructure assurance throughout those discussions. It continues to the point that the government and corporate partnership needs to be developed. And that's a very strong point and that continues to pervade all of the discussion.

I think all of the government departments and agencies that we've discussed this with realize the importance of bringing in the corporate America partnership. We also believe that there probably will need to be incentives developed as opposed to mandates with the private sector for working on these infrastructure assurance initiatives.

Within DOD, we don't think DOD should be leading the government effort.

You know, we have a lot of expertise, we have a lot of knowledge in this area but we don't think we should be taking thelead on it. We have a lot of interest in it also because we rely very heavily on the information infrastructure so we're very interested in making sure the information is there when we need it, to make sure the information infrastructure assurance capabilities are there. We don't think DOD should be leading that government effort.

It's an issue that's much larger than the Department of Defense. It requires a lot of interagency involvement. Within DOD, CQI has the lead on automated information security. But within policy services directorate that was recently set up, the infrastructure insurance policy directorate; so that does let you know that the department is very interested in this area.

MS. KATZEN: Diane? MS. FOUNTAINE: I'm Diane Fountaine. I think I probably missed the introductions. I am a deputy manager for the National Communications system. We essentially coordinate the government and industry's requirements in the telecommunications area for national security and emergency preparedness response. I'd like to make a couple of comments that will relate, Melanie, to your question on adequate emergency response capability; and Tom, also to your point on the government's probably leading role in policy establishment.

I think the government is in a position to espouse and define the government's requirements for a minimum set of capabilities to any particular infrastructure. In the telecommunications infrastructure, I coordinate the Federal requirements for national security emergency preparedness, minimum response capabilities. To that extent, we can ask industry, as a part of that, to be able to respond to our requirements in this regard.

With respect to policy, we can establish policy in that area, and I guess when it gets to the private citizen in the private sector, I assume the government's role would best be something like an Underwriter's Lab, where we determine what a private citizen might require for a minimum set of functionalities to assure that that citizen is protected either with respect to privacy or delivery of service in any given infrastructure. And that policy will be established, but then industry would respond in kind as to capability in those regards.

That kind of takes government back a step from the actual private sector provision.

MS. KATZEN: Let me raise two thoughts from hearing the different sides speak, for you all to speak to.

Tom, you had raised education, which I think goes to the question of data on threat and communicating it. And right now the government has probably a better handle on that than anyone else. How long we retain that advantage remains to be seen.

There is always a slight tension between widely disseminating information on threats and, in fact, helping to facilitate the carrying out of those threats. After the Oklahoma City bombing there was discussion whether or not one should give the recipe for building those kinds of bombs and how easy it was to get the kind of pieces together because then it could be replicated.

If you think about the NII in its broadest sense and the interconnectivity of the different uses of it with power grids, telecommunications, financial, health information, everything coming together, to what extent is the education function and education about potential threats going to be either informative or are you suggesting education of solutions to minimize those threats? Is that the educational function that you see the government taking? And, again, I'm trying to be responsive to Melanie.

What's the government doing in here in the first instance? A: we have this information; B: it's somewhat scary if you actually know what's going on; C: who do you tell it to and how do you get something to happen. That was one piece of what I was hearing.

I warned you there were two. The second piece is, again, your question that Diane tried to respond to: what do you mean that the government is going to insure that we're going to be able to respond? Fortunately, the kinds of attacks that have taken place have been relatively discreet, relatively contained. We may not be so lucky. When the East Coast lost aviation or telecommunications a couple of years ago there was at first an uproar. How did the government let this happen? That subsided quickly and it was recognized -- I guess it was telecommunications went out and AT&T and the others got it back up and working fairly quickly. People forgot about it in fairly short order, although who do planning didn't.

But if there were a serious attack that took out all power grids, maybe all radar for airplanes, a little bit of the electrical backing for the Securities and Exchange, the Stock Market and just a few other isolated hits I think the fingers would point quite quickly, Melanie, to the building across the street saying 'How did this happen? How did we leave ourselves so vulnerable?' So I think there's a compelling need on at least the government's side to try to anticipate some of these concerns. But we need a lot of help, as others have been saying, in terms of who is actually responsible. Are we responsible for making sure the banking system continues to work even though the underlying infrastructure is knocked out from under? We're talking about the risks of the payment. What about the risks of the communications? There is a lot that goes electronically or whatever -- radio, television, telecommunications. So those are two pieces of it.

What we did in our report -- and again, I keep coming back to the document-- was to raise this as a serious issue. It was written, as was the other piece we discussed earlier, in relatively vague terms to say 'Hey, folks.

What do you think is the government's role in identifying the threats, communicating them, suggesting risk management approaches actually to the point of assuming responsibility at some level for restoration?' And that's I think what we're trying to do.

I must say, what we got back was not too terrifically helpful. It was sort of 'You guys don't belong -- the government doesn't belong in here and think twice before you do very much about this. And you may have some interest but, you know, we can't quite figure out what it is.' I think it's real and I think we need help in fashioning the real government role in this area. That's what this panel, I think, should be about. And that's what I'd like to hear in the last 15 or 20 minutes.

MR. CARTY: An opinion on that. My opinion on it is that I believe government is one of the few organizations that are in a position to worry about this on a very much global or national scale. So that when you start talking about infrastructure elements such as whether there will be communications backbone or the banking system or whatever commerce or business is not necessarily going to worry about how do we pull that back together following some national level catastrophe or semi-national level, at least.

Are there back up mechanisms to provide the same level of service on a very, very large scale? I think that's something the government certainly should be participating in.

I think it's a role -- it had in the past in many ways and I think it's a role that they bring together a lot of the thoughts, I believe, and are in a position to bring together a lot of the required industry to put together solutions, to provide that level of service should there be a serious problem.

Where do you look for it within industry? Who do you look to? I don't think that exists today. I don't think I know where you'd turn to to find that solution. So I think there is a place for government in providing that or at least bringing together those that would provide the solution.

MS. KATZEN: Melanie? MS. JANIN: Well, as I said before, I really don't have the expertise in this area. Not just directly responding to his comments but back to the emergency response comment in the paper, if the government were to take on that role it says here "an extension of this role to assure the priority of communications to the NII when emergencies occur will be necessary." How is the government planning to afford this? Is there a liability issue that needs to be covered here? I have no answers for you.

MS. KATZEN: These are the questions. These are some of the questions in which if you accept the fact that there is a threat and that there could be something they keys nationwide that I use are backbone or infrastructure and that there is a legitimate government role how are we to carry it out? We can't do it all ourselves. That's what we're looking for and instead we're getting 'Oh, my God.' What we really need is some dialogue. That's what we're hoping to get here.

John, do you have any thoughts on this? MR. RIPPEY: I'm afraid I do. I think you're mixing apples and oranges.

I don't mean in the pejorative way but we responded to the paper in terms of an industry that's trying to cope with new electronic technologies that are emerging and creating new ways of delivering products and services to people. So we saw your rhetoric there more or less as a potentially preemptive strike or messing around with something that hasn't developed yet, which is how do you get stuff to people in reliable ways and in ways that honor their needs for privacy and so forth. So that's why you've got the stiff arming.

If you put your comments in the context of national security or some sort of a volcanic calamity or whatever that would just wipe out all sorts of communications you'd get a much different response because I worked at the Fed in the '70s -- I haven't been back since but I know in the '70s I had to bunk in some bunker down in Virginia where we were all going to go and I guess they were going to give us -- each one of us had cash and we were going to go to the difference Reserve banks and hand out money on the streets because it was thought important at the time. They had a huge bundle of cash stored under the mountain. So I felt pretty good.

Somebody's thought about this, you know? And I didn't for a minute decide that it would work or not, that wasn't my job.

So that if things have improved since then there is definitely a government role to keep the payment system alive in any kind of large scale emergency whether it's war, famine or whatever.

I mean, that's almost like a wholly separate issue that yes, that is a governmental thing. It's much too big for private enterprise and it needs to be coordinated, obviously, with other countries, states and so forth -- I mean U.S. states.

So we'd be very supportive of anything that appeared reasonable in that area to make sure that the payment system and that businesses and consumers could get back to normal as fast as possible, because otherwise things would just get worse. But that wasn't what we were addressing in the paper.

MS. KATZEN: Okay. I am glad you're not stiff arming the at least somewhat edited version of the paper.

Last comments from our government members. Diane? MS. FOUNTAINE: None.

MS. KATZEN: Sheila? MS. DRYDEN: I think it is important for the private sector to have a focal point within the government to come, to bring issues to, information.

The information sharing is a two way street. To have a focal point within the government is important and also for the government to have a focal point within the private sector as much as that would be possible. There are so many entities out there. But I think that would improve the information sharing.

MR. MC CONNELL: If I could just comment on that last point. In the private sector I think it's instructive how you, John, have been talking about, you know, you're dealing with the Fed and Treasury. And it's probably that, in fact, other industries who aren't represented here today-- GT&E is used to working, obviously, with the FBI but also the FCC.

That's the group that you look to. So we may find it's true that as organizations which are the normal places where there's already a good industry/government interface.

MR. RIPPEY: The problem, though, is that because privacy cuts across so many areas I like the OMB model -- I have to say that -- in terms of pulling the differentagencies together or the different interest groups together. Because, yes, we can deal with privacy, let's say, on electronic benefits transfers at Treasury but there are other levels and issues of privacy that Treasury won't be bothered with that some other government agency will be. That would also be affecting what we do. So I really like this OMB -- whatever you call it -- coordinating mechanism to bring together these disparate interests.

And I think it's unique in my experience that this is going on and it's very helpful if you can keep it going in the technology area. That will be a big step forward in terms of working.

MS. KATZEN: We'll have those comments printed in bold.

(Laughter.) MS. KATZEN: David? MR. KEYES: We look at the response requirement from two different perspectives, the first being an operational response and the second being a consequences management response.

When you look at the threat that exists in warning the national information infrastructure -- indeed the global information infrastructure-- it ranges from a teenage person with a modem all the way up through organized crime into terrorism and into international relations and activities up to and including war.

On Thursday I had six new cases come across my desk which represented precisely -- it was an excellent example of the range of problems that presently exist up to and including one national security matter that is really kind of shocking in how it took place and who was involved.

A response capability means that you have to have someone who can coordinate containment of an intrusion and limit the damage that's taking place but also do it in a manner that identifies the intruder and enables the government to make a response. On the consequences management side of things you need a capability that can rebuild and cure the system to make sure that that capability is once again bold and robust.

The government players that represent those two different responses, an operational response and a consequences management response, are spread throughout the executive branch. The NCS is an outstanding example of planning and preparation and positioning the government to deal with telecommunications problems that arise.

And as this problem is better understood, as our knowledge base expands perhaps we'll be in a better position to carry over that type of expertise into the other key infrastructures, not just telecommunications but the eight different infrastructures that we'll address in the Justice Department.

MS. KATZEN: Fred, the last word.

MR. HERR: I guess I'll end up where I started and that is I think that the issue is clearly one that the government and industry need to work on together. I don't think we can look on it as a government responsibility and an industry responsibility. I think we need to work together. There is plenty of work here for both segments to work on.

NSTAC, the President's National Security Telecommunications Advisory Committee, and the NCS and government have done that very effectively, I believe, in the telecommunications area. And I think that model serves us well in seeing how we can work together in other areas at the NII.

MS. KATZEN: On that note, I thank the second panel.

I welcome the third panel. Our government representatives will be Scott Charney, from Justice; Ed Appel and Mike Nelson. Is there somebody here from State? Wonderful. Come join us.

(Pause.) MS. KATZEN: Now, we have two people who are willing to come front and forward. Surely there are many in the audience who have an interest in this issue and the courage to come forward. We'll take comments from the floor as well but they're going to get first crack.

If I can have the government people simply identify themselves. No opening statements, please. Scott? MR. CHARNEY: Scott Charney, chief of the Computer Crime Unit, Criminal Division, Department of Justice.

MS. BIANCANELLO: Rose Bianconello, deputy director of Defense Trade Controls, Department of State.

MR. NELSON: Mike Nelson, White House Office of Science and Technology Policy, co-chair of the Emergency Group on Telecommunications.

MS. KATZEN: All right.

Melanie, you have been waiting for this moment. The clock is ticking.

You have a few moments. Go. MS. JANIN: Actually, we're all embroiled in this because Fiona and Mike and a group of other U.S. Council members were together on Friday afternoon trying to solve these global problems.

What I'm referring to in terms of cryptography, a major issue for U.S.

Council members and has been for a while, is the need to coordinate cryptography policies across national borders. It only makes sense in this day and age.

The U.S. Council has a set of business requirements for encryption that I think if I talk about one more time Mike Nelson is probably going to have a heart attack and walk out of the room, so I won't. But these requirements were written, again, a year and a half ago. At the end of this paper there is a recommendation that the U.S. government work with the private sector in the U.S. and abroad and with other foreign governments to try to come up with some consensus on global cryptography policy that would help us all out in the long run. The process that is starting now is drafting, we hope, an OECD guideline on cryptography policy. Mike and Scott are going to be very involved in that.

The U.S. Council, just by way of background, is the American affiliate of the business committee that reports directly to the OECD. So in that sense we are the U.S. national committee that gives private sector input to the OECD process. I'll let Fiona talk about ITI but ITI is also involved as a member of the U.S. Council and they've got affiliates throughout the world as well.

I can be more specific as the conversation goes on if you want.

In general, regarding this report, there was a final comment towards the end, I think, on promoting international cooperation on encryption and security issues, and there was mention of 'Gee, that's the process going on in the Brussels meeting last year as well as the OECD security guidelines in '92.' So I would just like to commend that recognition in the report of those activities and to say, you know, if enough transpires over the next few months to include these developments in the OECD that are going on now, that could be a very valuable addition to the report. And I'd be happy to be in touch with anybody on that over the next few months.

MS. KATZEN: Fiona? MS. BRANTON: Thanks.

I just would like to echo everything Melanie just said. We are working very closely. We share very similar perspectives.

I'm going to reiterate some of the things we said in our comments on the report. I wanted to start by saying that we thought the report had some really good, important and valid observations in the early section, especially about how cryptography is really moving from being a technology that was used almost exclusively for law enforcement and national security and is now getting into the kind of technology that businesses and users really need. So much more commercial interest in the technology.

As we move into an increasingly on line world it is becoming more essential the businesses and users are able to protect the integrity of their information and their privacy. So it seems to us that cryptography-- and I think the report makes the same observation -- that cryptography is really essential in maintaining our economic strength.

Then finally, the report did note that cryptography is really crucial to the growth of the NII and the GII. And I would just like to start by saying that we thought that it was really good that the report recognizes all those principles and the fact that federal security policies really need to take into account all those changes that are going on. So we appreciate that recognition.

We did, of course, have some specific comments on the recommendations in the report. First, and probably foremost, is the fact that the report seems to support a very large central role for the government and it seems like developing cryptographyproducts. It sounds like the report recommends that the government take the lead in developing cryptography products. We would much rather see private sector led, industry driven solutions that meet consumers needs, including having the federal government participate in the industry-led voluntary standards process. So it's really who's going to be leading the parade here.

We also noted that we would like to see the U.S. government update export policies that are keeping U.S. companies from competing overseas on some of these products; look to industry-developed solutions to meet government security needs to the extent possible, rather than developing our solutions, and refrain as much as possible from prescribing the kind of technologies for solutions that the private sector can't use. We really believe that the commercial needs will vary incredibly widely, and it would be best to let the markets and the consumers arrive at solutions that would be available.

ITI's been working, since we submitted our comments on this paper, with our sister organizations in Europe, Japan and Canada, which we call the Quadripartite Group. We've produced a set of encryption principles for all of these companies internationally to bring up, and I think the main kind of principles that we would like to see are security policies that balance the needs of government, private users and businesses, and that accordingly work internationally. We feel very strongly that we need to have international policies.

The principles strongly advocate a market-driven approach. In particular, we focused on users' rights to protect their information and their ability to choose a solution that will meet their needs. So as you go forward with that refinement in the report, if that's what you're going to do, try to keep those two in mind: the industry-driven, user kinds of solutions.

MS. KATZEN: Anyone else from the private sector out there that didn't feel courageous enough to come forward and speak at this time? Hearing none -- (Laughter.) MS. KATZEN: Scott, if you wanted to respond to questions or comments of any kind and then we'll go on to Rose and Mike.

MR. CHARNEY: I think what we've seen in the past 18 months to two years of work on this is that there is a growing consensus between the private sector business and the government. There is a growing conceptual agreement about what needs to be done.

There is no question that we need strong cryptography for end users, for businesses, for government. There is no question that we have to be sensitive to the fact that this is a global marketplace and that we need products that will sell and sell overseas.

There's also no doubt that the government has certain equities that it needs to protect which is clearly tested in cases where we have search warrants, wire taps, et cetera for national security concerns.

So when we start with that conceptual agreement what we're learning now is that the devil is in the details, as we say, because we have to figure out a way that we can satisfy all these different equities, both the private sector and the government, in some sort of workable formula. That also has to be a formula that we can take overseas and make work in an international environment.

So I have no problem with anything that has been said. And I actually think that the OECD drafting committee that will be convening in the near future is actually probably a step in the right direction because it's a good forum for the right countries to get together and try to figure out how this can be done. And, of course, we can act as a table so we have not only business representation there but there may be business representation within the national delegations as well. So it seems like the right forum to try and hash out those details.

The only concern that I still have that needs to be addressed in that regard, of course, is that OECD principles, if we look at the privacy principles or the security guideline principles, tend to be at a fairly high abstract level. And when we're talking about the devil is in the details you're not talking about that level of abstraction but, rather, much more specific approaches. And it's yet to be seen whether the OECD can get down to that.


MS. BIANCANELLO: I hate to say it but I am probably one of those details as a regulator. And I think the state's role, as we've been looking at it, has been to try to balance that national security issue which is brought to us by DOD as well as the industry marketing initiative.

I think we've probably done a good job in recognizing in I guess the early '80s the need for the banks, in particular, to have encryption and getting it exported in ways that would serve them well.

We've tried to do that also over the last two years and I think there is a movement on the part of commercial users or uses that keeps going faster than the regulatory process can perhaps meet. We welcome a relationship with industry on this issue even though there have been disagreements about the controls of the agencies. We welcome input on the ways to do the job better.

And I think we have to see the regulatory changes over the past 24 months that have helped industry to move more quickly such as the newest distribution agreement. We would welcome further suggestions on how to do that if we need and when we need controls.

MS. KATZEN: Mike? MR. NELSON: Do we have time for questions after this? MS. KATZEN: Sure.

MR. NELSON: I have the task of chairing the interagency group that's developing policy in this area. I've been working in the area for more than three years now, even before Clipper was announced.

I also agree with Scott. I think all of you heard from the two witnesses-- we certainly agree with what we've heard. We particularly agree with Fiona's comment that industry should be developing technologies.

We need to work together to make sure they meet the needs of all the industries. Industry has the expertise and money, and most importantly they have the resources to go out and market the new technologies.

This is an incredibly difficult issue, trying to reconcile the needs of consumers, manufacturers, law enforcement agencies, intelligence agencies.

And we're trying to do it not only in the U.S. but globally, so it's not an easy problem and we haven't found the magic solution yet.

A lot of industry players are developing new approaches but so far we haven't found a way to get around a couple of the key issues. One fundamental problem is that anything the U.S. government approves of, certainly anything we allow for export is immediately suspect and thought to be too weak to be useful. So as we go forward we're facing this terrible perception problem. The assumption is made that if we allow it to be exported it must not be any good.

This is really quite harmful to the security of American companies because today we allow the export of 40-bit encryption. That's pretty good encryption. You can do a lot to protect your data certainly from the janitor, from people who are walking in and download files off your desk, from almost anybody except a handful of very large intelligence organizations. Yet people aren't using it because they are certain it's too weak to be useful because the U.S. government allows it to be exported.

That's one problem.

Another very big problem in this whole area is there is no reliable way for consumers to evaluate the products they're buying. A lot of encryption products say they are one thing when they're not. They have defects in implementation, the algorithm that was developed isn't as good as the creator thought it was. So a lot of the encryption products that are on the market today are not what they should be, are not doing the job that the customers thought they should do.

So we're looking for suggestions from industry on ways we can work with industry to validate and certify some of these products so that we can confidently endorse them.

One of the reasons that DES is the gold standard today is that the U.S.

government said 15 years ago that this is the gold standard we would use for our own use. We need to go a little beyond that. We want to make sure that the individual citizens who are using these products actually are getting the security they need and want. So there are a lot of interesting issues here.

I think the hardest issue for me, though, is dealing with the international aspects of this. The U.S. is well ahead of most other countries in developing policies, in part because we've been having a roaring argument about encryption policies over the last few years. A number of countries have come up with new, creative solutions to put on the table. Many other countries are still getting their arms around the problem, they're still discovering that encryption is an issue. In some countries the policies are still focused on delaying the use of encryption or delaying the spread of encryption. Here in the U.S. our policies are driven by the simple fact that people need data encryption solutions they can use, worldwide solutions they can trust to protect their privacy and data. That's what our policy is driven by.

All of the different agencies that are represented by the working group I chair are working together to try to reconcile all the different interests of those agencies and it's taking time. But we have to move quickly because the technology is advancing and there are lots of opportunities out there where we could be using encryption more effectively than we are because we don't have the solutions yet for all the players.

I've got a quick question for our panel. I've been a little bit frustrated over the last two years that some of the biggest players in the industry -- this is probably directed to Fiona -- that some of the players that I would think could help us find solutions are not really engaged in putting their resources behind developing new data encryption solutions.

Their resources have gone to lobbying to relax the export controls rather than trying to find solutions for the needs of law enforcement, of government, and focus instead on allowing the export of triple DES rather than trying to find some other solutions, whether the export solution or some other approach.

Do you have any ideas on how we as a government could spur investment in this area? MS. BRANTON: Well, I think it's sort of a policy chicken and egg kind of thing. Some of the companies are worried that if they invest a lot of resources in developing the solutions, and the solutions won't be allowed to be used or exported, then they're not going to do it.

MS. KATZEN: I think Michael's question actually goes where I wanted to head, in a slightly different direction. Rather than using resources to develop solutions that are technical, the thing that you're asking for is intellectual contributions and idea contributions.

What I have found increasingly frustrating is -- and you were kind enough in your comments to applaud us for recognizing that there needed to be a balance, because you were fearful that we would always see the national security, law enforcement side. When I talk to businesses, I tend to hear always the desire to export, and the confidentiality side.

If we take Scott's rosy scenario that we all agree on basic principles, and that there has to be some balance, I came to the conclusion over a year ago that the balance was not going to be in the details. It was going to be something creative, something different, some structure on top of a structure. We came up, I guess ten years ago, with the key escrow concept, which is what I say -- it's less technical than it is intellectual. It's a framework, a context, a way of thinking about it.

We have been pursuing key escrow internally in our working groups and our discussions, because there has not been anything else. For years, I represented the private sector. For years, I learned that you can't beat something with nothing. For years, I filed comments with regulatory agencies or went up to Capitol Hill with alternative proposals to get where they wanted to get to my way.

That hasn't happened. And when Mike says to you that these players aren't here, they're using their resources to stop our efforts or to lobby against where we are, I'm frustrated that -- if it's not key escrow, fine. Give us something that balances, and we're not getting that -- she says in a snippy voice.

(Laughter.) MS. KATZEN: Put that; "snippy." MS. BRANTON: I can't really speak for the companies that are not members of my association. And I actually am relatively new to the issue, having just picked it up late last year. But we are really trying to get out of that, you know, black and white process. And we are putting some real thought, and I hope it's creative thought. It's hard to tell this early.

We're looking at different types of solutions. I can't really talk about anything yet. But we are definitely going down this path, because I think we have recognized that, you know, it's just not going to work, these groups fighting.

MS. KATZEN: Melanie? MS. JANIN: A few points.

One is that, you know, there are -- they are under development: the IBM Lotus development, the key escrow, the hardware manufacturers. So things are changing, albeit slowly. But, I mean, it's understandable, you know.

It's what these companies do, it's their product lines, and a lot of this stuff that we feel frustrated about not being able to export is available internationally. And so, their market share is being taken away, and that's a frustrating reality to them, and that's understandable.

But what Fiona said, and ITI and the U.S. Council are aligned on this, is that a lot of the same -- not only companies, but the same members that are active in the Council -- have recognized specifically key escrow as one possible method of managing encryption keys. We now have a working group on key escrow. We're putting together comments on the U.S. government's key escrow criteria, and we hope to bring this dialogue into international fora as well; into the International Chamber of Commerce, where we're the U.S. affiliate there, and into the business committee of the OECD.

So I think we're working on it. And then also, as Mike said, when you're dealing with these issues internationally, alternatives and discussion of alternatives become complex, because you're dealing with terminology. In the case of key escrow, there's a major taint against that terminology abroad. It may seem insignificant to us, but it's very significant to people outside the States.

So I just think it is -- and again, as Mike said, it's a really complex issue, and I would never want to be in the government's shoes for the past ten years, to be flogged time and time again by hundreds of industry groups. So we'll do our best to try to help companies find alternatives.

MS. KATZEN: I think the purpose of our paper on the other two issues and on this issue as well is to stimulate consciousness, to stimulate awareness of the issues, to stimulate response in a constructive vein. You heard it in the other two panels, where we're asking for serious input from the private sector to help us solve what has to be considered to be a common problem. I think nowhere is that more compelling than in this particular tough nut to crack, and if we can get people to come to the table with a receptiveness to talk to one another, then I think we're doing our part -- at least, we're trying to do our part within the government -- to convey this to the private sector.

Final comments? MR. NELSON: There are two pieces to the question to ask. The first one is the big question; what new concepts do we bring? The other one is, how do these companies develop actual products? If we're excited about key escrow, we'd like to see some companies try to implement the kind of schemes that we talked about.

MS. BRANTON: Well, assure them that there's a marketplace.

MR. NELSON: That's the question. It is a chicken and egg. They don't build until they see they're going to make money. But is there any way we can help spur the process -- research grants, guaranteed buys? What do we do? MS. BRANTON: Probably all of that kind of stuff would help. I don't really know. That's the main hurdle right now.

MR. NELSON: It's really very frustrating. Companies that really could be out there and solve this problem are not.

MS. KATZEN: Would you guys like to have the last word on this one? (No response.) MS. KATZEN: I hope everyone's fine.

Let me say this. There was a lot of discussion about putting these panels together. We have received a lot of comments, and I was one who was not all that sanguine that a great deal would come out of this. I have been persuaded that it was not only a very useful effort, but I think a good first step in the next set of steps. It reinforces, as I said, my view that more dialogue rather than less is essential in this area.

I've been surprised a number of times today by how people have read things we wrote. It wasn't how we meant them, folks. And they were nonetheless fairly perceived -- I'm not being critical -- fairly perceived as saying something entirely different. And I found myself wondering how often I've misinterpreted things the private sector has said. So I believe that dialogue works.

Our transcript will be ready whenever it's ready, and will be posted to an Internet site so that people will have access to that. We'll try to keep some of the witticisms in there -- no, actually, we'll scrape all those out.

I want to thank our agency representatives and members of the government for participating and being willing to be put on the spot. I want to thank our volunteers from the private sector, some of whose arms were twisted. I particularly want to thank Glenn Schlarman of my staff, Ed Springer and Bruce McConnell, who were the people who did so much to organize this effort. I refer you to them if you have any further comments or issues you'd like to discuss.

OMB has taken, I think, a leadership role, particularly under Bruce's efforts, to bring together the various groups who have roles to play in this, and I thank all of you in the audience who have not otherwise been commended. Because if it weren't for you, we would have long, long gone away.

So thank you for your patience, your listening, and we hope to see you soon. Thank you.

(Whereupon, at 3:25 p.m., the hearing in the above-entitled matter was adjourned.)