THE WHITE HOUSE
Office of the Press Secretary
For Immediate Release February 15, 2000
PRESS BRIEFING BY
CHIEF OF STAFF JOHN PODESTA;
SECRETARY OF COMMERCE WILLIAM DALEY;
PRESIDENT OF INFORMATION TECHNOLOGY ASSOCIATION
OF AMERICA, HARRIS MILLER;
PRESIDENT OF EBAY TECHNOLOGIES, MAYNARD WEBB;
AND THE CHIEF INFORMATION OFFICER OF MICROSOFT, HOWARD SCHMIDT ON THE
PRESIDENT'S MEETING ON CYBER SECURITY
The James S. Brady Press Briefing Room
1:43 P.M. EST
MR. SIEWERT: Here to brief on the President's meeting with
cyber security we have a number of administration officials and private
sector representatives. Mr. Podesta, the Chief of Staff, will kick it
off. He'll be followed by Secretary Daley, who has been heading up the
effort to work with industry on these issues. And then we'll hear from
Harris Miller, the President of Information Technology Association of
America; Maynard Webb, the President of eBay Technologies; and Howard
Schmidt, the Chief Information Security Officer of Microsoft.
MR. PODESTA: Good afternoon. People can join me if they
want. Let me briefly say that I'm going to try to summarize what
happened at the meeting, but I think it was an excellent discussion
today with the President, members of the Cabinet, leaders of the
Internet and e-commerce companies, civil liberties organizations,
security experts, reformed hackers, some academic people. I know that
many of you have been outside and have heard from people who were inside
the meeting. But let me try to briefly summarize what was said and the
dialogue that took place, and try to put it in some order.
I think that everyone recognized that the potential of the
Internet, the positive implications, the strength that it has brought to
the economy needs to be kept in mind as we seek a stronger security
situation and address these problems, to build a solid foundation -- a
solid security foundation to keep this economic miracle, which the
Internet has become, going and strengthening our own economy.
The comments went into the following areas: We need to raise
the level of security practice. I think that many of the people in the
room commented on the fact that many tools were out there to deal with
security threats, but many of the tools were not being used. We need to
be more pro-active. One of the participants said that in much of the
software that's shipped, that the default mechanisms are never switched
on for about a third of the software that's shipped by one of the
vendors -- so that we need to be more pro-active in getting the tools
out and getting them in use, to practice better hygiene, as many of the
We need to make the government, secondly, a role model. We're
not doing a good enough job in making sure that the government's own
systems are secure. We need to enhance the security on the government
systems, and make sure that they're not broken into, that the firewalls
are in place, and that we're practicing good security procedures.
We need to increase both the short-term R&D -- again, which is
mentioned in the President's program that has been released as part of
his budget -- as well as the long-term R&D to make sure that the
hardware, the software and the networks that are part of the global
information infrastructure are more secure and evolve in a way in which
security is built in at the front end, rather than thought about at the
back end, when solutions will be more difficult to implement and more
expensive to implement.
I think all of that supported the -- and I think there was
strong support in the meeting -- for the President's budget initiative,
as we have talked before in this briefing room, of over $2 billion to
invest in enhancing security, increasing R&D, creating an institute to
work in partnership with the private sector to do more research and
development on the security issues.
There was a commitment from industry, and a commitment to
share information on a cross-sector basis. The people who follow me
will discuss that with greater specificity. But we've had some very
good success on the Y2K model. We've had good success already in
Secretary Daley's efforts to build a partnership with the private sector
to work on these security issues. And we need to get going, enhance
those efforts, and get some real solutions on the table.
The solutions that we talked about did not involve greater
government regulation, or really even greater governmental power. They
were things that we could do, again, in partnership with the private
sector to increase security. I think the point was made that we do not
need to reduce privacy as we enhance security in the network. Privacy
and security go together, in fact.
The Attorney General discussed the fact that -- and a number
of the people in the meeting chimed in -- that we need to -- sometimes I
think these questions are handled in a way that makes them seem rather
simple, or low-key, or kind of funny or cute; and that they're not cute.
The events of last week show that they can -- they involved attacks that
can involve a good deal of money. And again, that will be discussed as
we go along -- but that enforcement efforts are a necessary part of this
effort. And she invited the business community to come together with
her to talk about how we can better enforce the laws that are already on
There was some discussion about enhancing the education and
the ethics that go into the use of the Internet; that it isn't cool to
trash systems, and that the academic community has an important role to
play in both spreading that message and in working with people who are
being trained to use these tools, to do those in a proper way.
And finally, there was a good deal of discussion that this is
a global issue, a global network, a global problem. It can't be
resolved simply by efforts by the United States government, or even by
the United States private sector. We need to work in partnership to
enhance security, but we need to work around the world on solutions
that, as the global information infrastructure is interconnected, will
have a reach beyond our borders.
So with that, let me turn it over to Secretary Daley to talk
about his efforts in the new partnership.
SECRETARY DALEY: Thanks, John. Let me first thank the
participants in the discussion, and the turnout from the private sector
was absolutely terrific.
Our information economy is strong, and it is resilient. But
last week's incidents were really a wake-up call for all of us. It's an
attempt, for those of us who have been trying to work to address some of
these problems. It's a first wake-up call for us in government to make
sure that our systems are adequately protected, and we are doing that at
the direction of the President. All of us are checking our systems to
make sure that we have adequate protections. And then at the same time,
it is obviously good business for the business community to do that, to
make sure that the confidence that is within the American people today
about our economy, and about our systems, remains. And that's their
interest, and our interest is to make sure that our economy stays
strong. And so much of it is dependent upon the infrastructure, which
is -- the vast majority of which, of course, is in the hands of the
So it was a good discussion, as John outlined. We have a
number of efforts that we have begun to do with the private sector. We
had the first meeting last October of -- or December, pardon me, of
about 80 companies in broad -- from different sectors of the economy;
not only the high-tech industry, but the -- not only the information
sector, but the transportation, energy, telecommunications sectors all
working together. And our next partnership meeting will be next week at
the Chamber of Commerce, to try to develop mechanisms by which we can
share information and move forward, but in a multi-sector approach and
not just a narrow sector.
So I appreciate the tremendous, already the tremendous support
that the private sector has given to our efforts at the Department of
Commerce to try to work with them. We can support them. It is not
about the government regulating this, or taking steps to take actions
that would at all impede the Internet, because of course it is the
dynamic engine that is driving our economy today, and we must keep that
open. And we will make sure that it is protected, those of our systems.
But the private sector is taking the lead in making sure that the
overall systems of theirs are protected. So I thank them very much for
their strong involvement in the partnership.
MR. MILLER: Hello, I'm Harris Miller. I'm President of the
Information Technology Association of America. We are one of the three
associations officially designated by the Department of Commerce to be
the sector coordinator for the information and communications sector,
along with the Telecommunications Industry Association and the United
States Telephone Association. And we also help to facilitate the
planning of the industry participants for today's meeting.
It was a very, very positive meeting. We had very excellent
turnout from many leaders of the information technology and Internet
industries. And they were able to deliver to the President and to the
Cabinet officials and other senior government officials very clear
messages about our interests and concern in focusing on information
security on the Internet.
And we provided to the President and the other U.S. government
officials who were present a statement, which has been endorsed by 38
companies just initially, and 10 high-tech trade associations,
committing to sharing information and working together through a
mechanism, particularly to focus on cyber attacks, vulnerabilities,
countermeasures, and best information security practices. Participation
in this mechanism will be voluntary, industry-led, and may be virtual.
During the meeting today, the companies helped to share with
the President and the other officials many of their views on the
particular technology challenges that are being faced in dealing with
this; that even though some of the technology challenges in protecting
the Internet are relatively easy to address, in fact it's a very hard
issue. As one of the industry representatives said, both the blessing
and the curse of the Internet is that it is so open, and that makes it
such a tremendous challenge. And we indicated that the technology
challenge is very important.
We also shared with the President the need for industry itself
to focus much more on widespread adoption of best practices -- that when
technology solutions are available, when best practices are available,
it is important we make sure not just within the industry, the Internet
industry itself, but across sectors, that we share this information.
And that's why the partnership that Secretary Daley referred to and that
Howard Schmidt will discuss in a minute is so very important.
We also discussed with the President the important global
nature of this challenge, and the need to move forward in looking at
this issue on a global basis.
In terms of industry's expectations for government, we were
very pleased that President Clinton reiterated that industry leadership
here is key, that collaboration with the government is also a part of
this, but dealing with the issue of Internet security must be
industry-led. And the President and his Cabinet members in attendance,
and Mr. Podesta, reaffirmed that, and that is very positive, because the
Internet has succeeded and become such a tremendous engine of economic
growth and opportunity not just now but into the future because of
industry leadership. And that was a very positive message coming out of
In terms of next steps coming up, Mr. Schmidt will discuss the
partnership meeting coming up next week. I also indicated that our
association, along with others, will be pulling together many companies
and other associations in two weeks, following the partnership meeting
-- companies within the industry sector in particular -- to talk about,
how do we now operationalize this commitment to establish a mechanism?
What concrete steps do we need to take to make sure that the information
sharing is carried out in the most efficient and effective way possible?
So we're going to move quickly; this isn't some kind of long-term plan.
It's a short-term plan to move quickly, and you should be seeing some
outcomes happening in the very near future.
Thank you very much.
MR. WEBB: Hello, I'm Maynard Webb, and I'm the President of
eBay Technologies. eBay strongly applauds the efforts that are going on
to work across the industry and with our government friends and our
educational partners to work on the ways to combat this. There is no
silver bullet for what we're going after, it's a difficult problem. But
when we work together we can solve it, as we're able to do in resolving
our effort last week -- working with our industry vendors and partners
So we're very excited about the work that's going on here and
look forward to participating strongly in it.
MR. SCHMIDT: Good afternoon. I'm Howard Schmidt, and as was
pointed out by both Secretary Daley and Harris Miller, next week we kick
off phase two, if you would, the Partnership for Critical Infrastructure
Security. We had our first meeting in New York in December of last
year. Next Tuesday is the meeting that works on specific areas of
concern, areas of sharing of information.
We have five work groups currently established for the meeting
next week, looking at issues cross-sector. This is not strictly an IT
sector, this is transportation, energy, communications -- all the
various sectors -- looking at interdependencies and vulnerability
assessments; best practices sharing, which is really key; the awareness
and outreach, making sure that everyone has the information they need to
make this much more secure. Also issues relative to legislation and
public policy development, and a couple of other very key areas such as
research and development and work force development as well.
We want to make sure that -- we're very much in support of the
President's national information assurance plan. It was offered up
about a week or so back. All these issues map directly to that plan,
and we cross-sector, cross-industry, are all behind that and will
continue to work that through the Partnership for Critical
Infrastructure Security. Thank you.
Q Mr. Podesta, as we speak, do you have an ironclad assurance
that some malicious hacker, to pick a site, couldn't pick White
House.gov and bring it down?
MR. PODESTA: We probably should go back and check, based on
the question. (Laughter.) Look, I think we shouldn't overstate the
problem, we can't understate the problem. I think that there are --
even yesterday, in the President's on-line interview on CNN.com, we had
hackers get into that. So I think that anything I could say in answer
directly to that question would probably just throw out a challenge.
I think that what we have done, I think has worked, again, to
try to develop this partnership, to try to develop solutions, to try to
make those solutions more widely available and raise the level of
knowledge, and therefore, raise the level of implementation of security
fixes. I think we're trying to do a good job in the federal government,
and Bill mentioned this in his comments, by surveying all the sites, not
just our national security sites, but all the sites of the federal
government, to try to enhance the level of security in those individual
But I don't think there's any single magic bullet, or it would
be foolish of me to stand up and say that no hacker could attack our
website. In fact, that's happened in the past and that person was
caught and prosecuted. But I think we can do a lot better job than we
have done in both enhancing the federal government level of security --
and that's what our $2 billion initiative is all about -- as well as
sharing with our private sector partners the information that we have
and developing the research and development to deal with the tools to go
after the kinds of things that are out on that.
Q Does the private sector feel the laws on the book are
stringent enough on hackers?
MR. PODESTA: Well, I might let them answer that.
Harris, do you want to --
MR. MILLER: We're examining that right now. During the
meeting, the Attorney General said she would be interested in having a
follow-up meeting with industry to discuss this. I think there is a
feeling in industry right now that some courts do not take these cases
seriously enough. There is a feeling in industry, which I don't think
the Attorney General would disagree with for one second, that the
federal government does not have all the technology resources to always
do the forensic work necessary or to do the prosecution necessary, and
so they need additional resources also. But as to whether specific
statutes need to be amended, I think that requires further analysis and
Q To go to the opposite side of this thing, the truth is that
you can't have convenience and really tight security on the Internet. A
lot of these companies are chasing money and security is not the top
issue. Isn't there some culpability on the part of these sites that
don't include the patches? We're talking about now service attacks --
that's an inconvenience. There's also been several reports about
databases being compromised -- 300,000 or more credit card numbers being
stolen because they didn't have good enough security. We have laws to
deal with the hackers. What about some culpability on the site of the
e-commerce sites that are not protecting the privacy because they're
being inadequate or apathetic about installing these patches?
MR. MILLER: First of all, I disagree with the premise of your
question. Every company that does business on the Internet understands
that in terms of customer loyalty, relationship with the marketplace,
that they have to, in fact, be focused on security. None of you in this
audience, not I, no one in this room is going to go on a website where
we believe that the information that we're providing to that company
through the website is going to be prey to anybody who wants to get
access to it. And these companies understand that.
Now, I think there is a legitimate question about the level of
resources and the adoption of some of these best practices, because the
challenge is constantly changing. That's one of the difficulties of
security on the Internet. In an automobile, certain standards get set.
You say, okay, you need airbags and they need these specifications, and
that sits in place for several years. And so everybody kind of knows
that. Unfortunately, in the Internet the security challenges are new
every day, and every time someone comes up with a countermeasure, then
you have the possibility of someone coming up with a new threat.
I think what happened last week and what has happened in the
last few weeks has helped to focus the attention of many people in the
industry that they are going to have to put more resources into
security, and certainly the meeting today and the information that was
developed by the meeting that Secretary Daley held on December 8th and
the follow-up meeting next week does show that people on the Internet --
not just the information technology industry, not just the .com
industry, but all industries which are now part of this new economy are
prepared to work together.
This is not an issue where you somehow get some kind of
competitive advantage over your competitor because you somehow have
better security. Everyone realizes we're in this together, we must
protect the Internet so that the consumers and the businesses and the
governments who do business on the Internet are confident that the
information they share is protected, and that an individual and
corporate privacy is protected.
Q On the question of whether the laws are adequate to deal
with hackers, Mr. Podesta, when President Clinton announced the change
in encryption policy last September, he said the administration would
promote a cyberspace electronic security act. We haven't heard more
from the administration on whether you intend to submit a request to
tighten the laws to deal with either malicious hackers or people who
make use of encryption in ways that are not conducive to law
MR. PODESTA: Well, I mentioned that the Attorney General
invited people into a separate dialogue on that question. We're working
to try to make sure -- I think both of these points were made -- we need
to make sure the laws are adequate and tight. And I think that the
Justice Department will discuss that with the private sector and with
representatives of the civil liberties community, the privacy community,
and make sure that we can move forward, and see if we need updates of
the laws that were largely about a decade old now. They were mostly
passed in the mid 1980s -- to see if there are any additional
authorities or tweaks in those laws. But the basic framework of the
computer crime statute, the Electronic Communication Privacy statute, et
cetera, are in place.
But whether those need to be enhanced, I think the Attorney
General will discuss with representatives of the Hill and people here.
But in addition to that -- and I think Harris also mentioned this -- we
need to make sure that we have adequate funding and adequate resources
both on the law enforcement side and the security side, to make sure
that we have the tools available and that the FBI and others have the
One of the problems I think that got raised in the meeting --
not too facetiously -- is that every time we develop expertise in the
federal government there is such a draw from this powerful economy
that's going on that people leave government service and get into the
private sector. And that's one of the reasons I think that the
President has proposed this program to create a federal cyber service in
which people can get trained in the security fields in exchange for debt
forgiveness or college loan forgiveness, to move forward and give back
in government service some years of service, kind of modeled on the ROTC
Q Are you saying that this administration has no plans at this
point to call for tighter laws to deal with --
MR. PODESTA: I think we're still examining that and we'll
discuss that again with the private sector, and we may have some more to
say about that.
Q Mr. Podesta, it took the PanAm 103 crash to have the
government move away from a no double standard policy for terrorism
warnings. Was there a consensus in this meeting that as far as cyber
threats go, there should be complete public access to all information
the government or the private sector has about potential security
threats? Or are there still going to be circumstances where private
warning is appropriate?
MR. PODESTA: The short answer to your question about the
meeting is that that issue wasn't discussed. I think there was a
recognition that we needed to have cross-sector dialogue, discussion,
and sharing of information -- sharing of security solutions across
sectors, not limited to one sector or another -- and that the meetings
that Bill intends to hold next week and in the future to create this
partnership and create potentially a center for exchanging that kind of
information, the details of which still need to be worked out.
SECRETARY DALEY: There is -- I think it would be fair to say
there's been a hesitancy to share information in the past. I think that
is changing. I think the incidents of the last week, the sort of
support that the President got today at the meeting, and the statements
made by Harris. And we are looking forward to next week's meeting to
begin to put together a mechanism, led by the private sector, in which
this sort of information can be more widely shared.
Of course, there's no way we could force somebody to tell
something that they found out in the private sector, or to give some
sort of proprietary information about their own company. But this whole
process is to try to get a better acknowledgement of the fact that we're
all interconnected, and that has to be acknowledged. And how do we deal
with this interconnection, and diminish the negatives of it?
Q Mr. Podesta, you had talked about the need for more R&D,
research and so on. Are you all planning on revisiting the 2001 budget
and perhaps asking for a little bit more?
MR. PODESTA: Well, as you know, we've got a 16 percent
increase in the 2001 budget over FY '99. And much of that is aimed at
enhancing the R&D accounts in that budget. We -- Neal Lane has been
charged with -- he's meeting with the PCST, the President's Committee on
Science and Technology, or thereabouts -- on Friday, to discuss how we
go forward with developing the institute, which will be housed at NIST,
to begin to develop a research and development plan for broader Internet
security. And we want to involve the private sector in partnering in
that institute as well. And our Science Advisor Neal Lane, head of
OSTP, will be dealing with that on Friday, and may have more to say
But the accounts themselves, in terms of R&D, were plussed up
to a good extent in this 2001 budget. And one of the things that I
think we got strong support from the private sector on is a commitment
to see that those are not just -- they're not just proposals, but they
actually get enacted into law. I think last year we asked for about
$1.75 billion, and -- $1.77 billion, and the Congress appropriated about
$1.75. So we've had pretty good success with getting those accounts
appropriated. But we've obviously done a big plus-up here, and we want
to make sure that we get that money appropriated.
SECRETARY DALEY: If I could just add one thing. The program
John mentioned that's going to be through NIST is $50 million, which is
obviously a substantial amount to begin this process for R&D.
Q Mr. Podesta, the President said he was going to cut loose $9
million to jump-start some of these initiatives? Where is that $9
million going? Where's it coming from?
MR. PODESTA: That really is to do some preparatory work, some
jump-start work, spade work if you will, to get the work going on our
cybercorps, our federal cyber-service initiative, to get people involved
in colleges to go into the security field and return for some government
service, as well as to begin this institute that will be housed
eventually at NIST.
Q Mr. Daley, when you have this meeting, this cross-sector
meeting, there's been stories and questions all day today about how the
financial industry, the banking industry, has this network that's set up
to share information. They insisted that that information not be shared
with anyone else. Are you going to implore them, strong-arm them,
whatever term you want to use, to come in and share information as well?
Because as far as they're concerned, the people I've talked to, they've
said they don't want to share information. Everybody else is fine, but
they're not going to share information about when they're getting hacked
-- because they had a heads-up last Friday, or before that, on the 4th,
that something was going on. And nobody else knew.
SECRETARY DALEY: I would only implore somebody. I would
never do anything beyond that. (Laughter.) And of course, we will do
that and we will do it strongly, as the President did today. The fact
of the matter is, we are all interconnected. Some companies may take
that position that they'll share nothing with anyone, but the fact of
the matter is at some point that worm may turn on them and they would
wish that someone else had shared some information with them.
So the fact is the private sector, hopefully, by encouraging
their colleagues in different sectors, will be able to move someone who
may have that attitude that you indicated.
Q CNN reported that on January 29th, a company called
Envisioneering (phonetic) observed that its servers were being used in
an attempt at denial of service attack on both Yahoo and Amazon --
terminated that, but did not really understand the significance until
more than a week later when it met in professional conference on the
West Coast. How will these new entities that you're describing make it
possible for that passage of time does not occur, and will there be a
way that people can -- on-line or by telephone, or whatever --
contribute these reports and --
MR. PODESTA: Well, I think that's the fundamental point of --
I may ask Harris to address this question as well -- which is, by
creating a more formal partnership, by dealing with a situation in which
people have essentially protocols for sharing information and then for
-- for understanding both the attacks, distributing solutions, and then
encouraging people to actually use them, rather than waiting to be --
that was another point I think that was made very strongly in the
meeting today -- that people kind of wait for their sites to be attacked
before they implement the appropriate tools that might prevent it. And
I think by creating this partnership, again understanding the security
holes and being able to patch them, and encouraging individual companies
and places in the Net that might be weak points in the Net to actually
implement those solutions, we can essentially cut down on that time that
you describe between understanding an attack may be coming and seeing it
to fruition. So the defensive tools can most clearly marry up with kind
of the offensive threat.
Harris, do you want --
MR. MILLER: I think a lot of what came out at the meeting
today is that there is a lot of information out there, but, for various
reasons, it is not necessarily getting systematically to the widest
possible audience. So this commitment and effort, through this effort
and others, is to get every business person who is on the Internet --
which is soon to be every business person -- to understand that in his
or her risk management assessment, paying attention to information
security has to be a high priority.
And what we're going to try to do in this sharing information
is to make it as simple as possible, because people are very busy.
Business people are very busy with lots of different priorities --
making money, meeting payroll, developing new technology, et cetera, et
cetera. So if we can simplify this as much as possible, make the
information sharing as much as possible, get people to practice what
some referred to in the meeting today and Mr. Podesta mentioned, as good
personal hygiene, realizing this is a priority, then I think a lot of
this problem would be solved.
As one of the people pointed out in the meeting today, the
problem isn't in the Internet, itself, so much. The challenge is
primarily on the businesses and organizations on the Internet. And so
getting them to buy into giving information security a higher priority
and making it simple for them to do so is the key to widespread
adoption.
Q Mr. Miller, in the Y2K experience it became necessary to
pass legislation to give the business community some antitrust
protection before they could share this kind of information. Do you
think the same thing is going to have to be done for cyber security?
MR. MILLER: Our legal committee is actually looking at that
issue right now to decide whether that would be appropriate and
necessary. There are also questions about information shared with the
government in certain provisions under the Freedom of Information Act,
because obviously companies don't want to share information in what they
believe to be a proprietary closed system, and then find because of
existing FOIA provisions that somehow that information is available.
So one of the provisions which you'll see in the statement
which we issued today, which is fairly general, but it says we're going
to look at all appropriate laws and make sure there are no impediments
to information sharing in the current legal system. And I would hope
that if we identify those we'll be able to work with the administration
and the Congress to get those impediments removed.
Q Mr. Podesta, you said that this was a global problem, a
global issue. Are other countries doing enough? Should they be doing
MR. PODESTA: Well, I think that the other countries are doing
more, and other countries need to step up their efforts. One of the
things that the person who runs the CERT out at Carnegie Mellon said is
that there are now 80 countries that have a similar threat center in
their own countries. Obviously, there are more than 80 countries
connected to the Internet, and within those 80 countries themselves,
there's probably a higher or a lower level of participation.
So I think we need to step up the pace of work around the
world because, again, these are network of networks that are global in
scale and need to be addressed in that fashion -- the borders are going
to matter a little bit less with regard to the kinds of attacks even
that we saw this past week.
MR. MILLER: The private sector is also trying to increase
collaboration globally. My association works with 38 other high-tech
associations worldwide. We've had info-sec on our agenda for the past
year and a half. Again, it's been slow getting other countries to pay
attention to it. I think the events in the last week will help that.
Our next meeting of our global association, which is called the World
Information Technology and Services Alliance, is going to be in Geneva next
week -- because we're going to visit the WTO, Mr. Secretary. But while
we're there, one of the issues we will be discussing is information
security, and also under consideration is possibly of a global
We were very instrumental in hosting one of the first global
conferences on Y2K back in 1998, in conjunction with other business
organizations, such as the International Chamber of Commerce. And we're
going to look to see whether a global conference on information
security, either late this year or early in 2001, might also be
THE PRESS: Thank you.
END 2:17 P.M. EST