GLENN K. DAVIDSON
EXECUTIVE VICE PRESIDENT
OF THE COMPUTER & COMMUNICATIONS INDUSTRY ASSOCIATION
SUBCOMMITTEE ON TECHNOLOGY OF THE COMMITTEE ON SCIENCE
U.S. HOUSE OF REPRESENTATIVES
THE REPORT AND RECOMMENDATIONS OF
THE PRESIDENT'S COMMISSION ON CRITICAL INFRASTRUCTURE PROTECTION
NOVEMBER 6, 1997
Chairwoman Morella, Ranking Member Gordon, Members of the Subcommittee;
I am Glenn Davidson, Executive Vice President of CCIA, the Computer &
Communications Industry Association. Thank you for the privilege and honor
of appearing before you today to discuss the work and recommendations of the
President's Commission on Critical Infrastructure Protection.
CCIA, as you may know, is an association of computer and communications
companies, including hardware manufacturers, software developers,
communications equipment manufacturers, telecommunications and online service
providers, systems integrators, third-party vendors, and others.
We have followed closely the work of the Commission since its establishment
in July of 1996 and, at times, have had occasion to exchange ideas with the
Commission. In fact, its former chairman, the distinguished Tom Marsh, spoke
at a meeting of the Association last June.
Let me say, right from the start that we, at CCIA, fully understand and
identify with the need to guard against any attacks capable of disabling our
Nation's first-rate infrastructure – systems absolutely vital to the normal
functioning of our government and economy. We recognize that in today's
information age, such attacks can be more than just physical, and that the
dangers of "techno-terrorism" are real.
But we understand neither the basis for the Commission's sweeping
recommendations nor the reason its work and report are shrouded in secrecy
-- especially when the Commission readily admits it has no evidence of an
imminent cyber threat. In the report's transmittal letter, General Marsh
says, and I quote, "We found no evidence of an impending cyber attack which
would have a debilitating effect on the nation's critical infrastructures."
Why is it that the National Research Council can make some very important
decisions concerning information security -- in its report on cryptography --
without its work or report being classified? Why is the Commission hiding
behind the mantle of classified information?
Allow me to suggest that if the public, generally, and industry,
specifically, are to accept the Commission's recommendations --
recommendations calling for public awareness and eduation, information
sharing, legal reforms, and the development and deployment of potentially
quite-costly cyber-threat counter-measures -- then it must provide more than
anecdotal evidence. It must come forward with its threat assessment so it
may be discussed, debated, and understood by the public.
Allow me now to turn to the Commission's report and the recommendations we
have concerns about.
The report calls for the immediate and universal implementation of various
protection tools – including firewalls, password controls, authentication
mechanisms and action logs – to guard against cyber attacks. On this we
couldn't agree more.
However, the report fails to advocate the use of the strongest available
encryption, perhaps the most effective means to individuals and companies to
secure communications and protect digital files against fraud, white-collar
crime, economic espionage, and even terrorism.
Despite its 178-page length, the report devotes nary a page to the subject of
encryption. It states, on page 74, that the "establishment of trustworthy
key management infrastructures is the only way to enable encryption on a
large scale and most include the development of approriate standards for
interoperability on a global scale." Call it what you will ... key
management, key recovery or key escrow, but industry will tell you that such
a system cannot work on a large scale. Just ask the National Research
Council, which came to the same conclusion.
Later, the report urges the Administration to "... promote efforts to plan
for the implementation of a KMI [or key mangement infrastructure] that
supports lawful key recovery on an international basis." We already know
that international adoption of key recovery will not happen, as the OECD
rejected the Administration's proposal earlier this year.
So, why does the government continue to push key recovery. Is the
government looking for an electronic trap-door to our information networks?
The report also calls for the "development and deployment of ways to prevent
attacks, mitigate damage, quickly recover services and eventually
reconstitute infrastructure." However, there is no discussion about who will
bear the cost of doing this. Is government going to pay for "ruggedizing"
our critical infrastructures to suit its national security and law
enforcement objectives. Or are the providers and users going to be the ones
Even before the report was submitted, it was clear which way the Commission
was leaning on this subject – it assumed that industry would have to pick up
most of the tab. At a September 24 briefing he had in New York for banking
and securities industry technologists, General Marsh stated that "some of the
recommendations might be too costly for industry alone." He added: "At a
minimum, therefore, we assume joint financing by government and industry."
We, in industry, have long understood the need for information security and
network reliability. Providers and operators of public-switched networks
have long established redundant networks in the event of natural and even
man-made catastrophes. And providers of private-switched networks have done
much the same – at the request or insistence of their clients. We have also
developed and utilized firewalls, password control, encryption technology and
other security tools to protect the integrity of our systems.
However, if our Nation's security and law enforcement agencies desire a
higher level of security and reliability of our systems and networks, then
they should be the ones to pay for it. The cost of the difference between
what we provide our customers and what the government wants should be borne
by the government.
It is here that I must take issue with an underlying premise of the report.
In its Forward, the report says that the "National defense is no longer the
exclusive preserve of government ...." I ask you: Since when is the
Nation's defense the responsibility ... in full or in part ... that of the
Later, on page 19, the report goes on to say that "Shared threats demand a
shared response, built from increased partnership between government and the
owners and operators of our infrastructure." For me, the phrase "shared
response" is code for: You, too, are going to pay!
CCIA believes that requiring American industry to bear the cost of building
such super-rugged infrastructure security upgrades would constitute an
excessive financial burden that would blunt the competitive edge of American
The report calls for industry to share information – with each other as well
as with the government – about the vulnerabilities of our infrastructures,
and even about incidents of penetration.
While we, at CCIA, are not opposed in principle to sharing such information,
it's putting this principle into practice that concerns us. Somehow, I doubt
the sharing of information between government and industry would be two-way.
If the government purposefully or inadvertently released information about
network vulnerabilities and security breaches, clients and customers could
sue providers and operators for damages, claiming that these firms knew that
vulnerabilities existed and insufficient steps were taken to prevent them.
We, in industry, would need protection from such frivolous lawsuits.
Furthermore, if a major foreign partner cannot be assured of confidentiality
in certain important dealings with an American partner – in other words, if
such dealings are an open book to the U.S. Government – nothing prevents that
major client from turning to a Japanese corporation that can keep its secrets
secret. In today's global economy, these concerns are not hypothetical –
they are real.
The Commission also recommends the modification of our Nation's antitrust
laws, so that companies would be free to share information with each other
and our government. To my knowledge, industry is not asking for safe harbor
from our antitrust laws. Allow me to suggest that were it not for the U.S.
government's vigorous enforcement of our antitrust laws, the dynamic,
innovative, entrepreneurial and competitive computer and communications
industry that we know today – and enjoy the fruits thereof – would not even
exist. Our laws are certainly flexible enough to allow for some information
exchanges for mutually beneficial purposes.
The report makes broad-brush reference to changes in other laws. Such
changes it argues, would be necessary to protect our infrastructure. Well,
candidly, some of the envisioned changes bother us.
On page 98, the report calls for sponsoring "legislative activities leading
to a finding that certain critical infrastructures are instrumentalities of
interstate commerce." If this means federal regulation of the Internet and
the World Wide Web, we must object."
Organizing the "Partnership"
The report also discusses the need to create a national infrastructure
organizational structure to develop industry cooperation and information
sharing. In discussing the roles of various new "infrastructure-related
organizations," the report, on page 49, suggests that Sectors' Lead Agencies
would be charged with drafting new legislation and regulations as required
and propose the use of federal incentives to faciliate private investment in
assurance programs." I ask you, is this the beginning of a new regulatory
structure and establishment of agencies that will dictate to industry what
information it must provide and what it must do to protect infrastructures
I will conclude by suggesting that we address this matter at a slower, more
reasoned pace. Let's release the Commission's full report and allow it to be
publicly discussed and debated. If General Marsh really wants to see
"buy-in" from all sectors, as the report suggests on page 65, then the
American people need and deserve to understand the threat assessment so they
may appreciate and accommodate the changes in actions that are envisioned
And let's allow our Nation's fundamental principles of individual and
economic liberties dictate how and where we proceed.
We can protect the complex infrastructures that we are all so proud of,
without doing anything that can impose debilitating strictures on American
Thank you very much for your time….
November 4, 1997
The Honorable Constance A. Morella
Chairwoman, Subcommittee on Technology
Committee on Science
U.S. House of Representatives
Rayburn House Office Building, Room 2320
Washington, D.C. 20515-6301
Dear Chairwoman Morella:
To the best of my knowledge, the Computer & Communications Industry
Association -- the organization with which I am affiliated and on whose
behalf I am appearing before your committee on Thursday, November 6 -- has
neither received a grant nor a contract from the federal government during
the past two fiscal years.
(original is signed)
Glenn K. Davidson
Executive Vice President
Biographical Sketch of Glenn K. Davidson
Glenn K. Davidson is Executive Vice President, Chief Operating Officer, and
Corporate Secretary for the Computer & Communications Industry Association.
Better known as CCIA, the association’s membership includes computer
hardware manufacturers, software developers, communications equipment
manufacturers, telecommunications and on-line service providers, re-sellers,
systems integrators, and other firms in related business ventures. These
firms are represented in the Association by their most senior corporate
officials. (For more information about CCIA, please consult its Web site at
Mr. Davidson first joined CCIA in 1985, but left in 1990 to work in the
Administration of then-Virginia Governor L. Douglas Wilder. He served
successively as the Governor’s representative in Washington, D.C., as
Director of the Virginia Liaison Office; as his press secretary and
communications director; and finally as his chief of staff and transition
director. Mr. Davidson returned to CCIA in 1995.
Prior to joining CCIA, Mr. Davidson was employed by a professional services
firm, providing strategic planning and analysis support to such diverse
clients as the Gas Research Institute and the U.S. Departments of Defense and
Energy. He also worked as an aide to several Congressmen and a Congressional
Mr. Davidson earned a bachelor’s degree in international studies from The
American University as well as a master’s degree in science, technology and
public policy from George Washington University.