by Elana Varon

SECURITY LEGISLATION – Homeland Defense: New Rules of War after 9/11

Jan 15, 2002 | 10 mins
Disaster Recovery

The war against terrorism is forcing government and business to forge new alliances. Federal government actions since Sept. 11, including legislation enacted by Congress and policies issued by the White House, aim to broaden cooperation between the private sector and law enforcement officials charged with counter-terrorism efforts. Those actions include new ways companies can work with government using IT to thwart conventional attacks, and there are more to come. Every week brings new government proposals to get companies more involved in homeland defense.

Those new policies are already reshaping the CIO’s job in many companies. Technology executives have been called on to install systems to help officials find terrorists, share more information about the weaknesses of their own IT infrastructures and help their CEOs advise the government on how to protect the nation from attacks on critical industries such as utilities and financial services. To help CIOs tackle these assignments more effectively, certain policies are promoting new technologies for both information and physical security, as well as giving companies tax breaks for upgrading network security.

CIOs are in the best position to help determine how these emerging rules of engagement will affect the way their company uses IT to conduct business in an increasingly less secure world. “It’s important [that CIOs] look at the government as a partner,” says Michael Vatis, a former FBI official who is now director of the Institute for Security Technology Studies at Dartmouth College. In turn, he adds, government can share information about IT security threats and vulnerabilities that might be difficult for CIOs to learn on their own.

Vatis also cautions that government policy could have “potentially negative effects” on the CIO’s job. Therefore, it’s up to CIOs to play a strategic role in shaping the rules through as many channels as possible, including corporate lobbyists and government-industry committees formed to address homeland defense. At the very least, keeping an eye on emerging laws and regulations can help CIOs plan their own cyberdefense strategies and identify opportunities to cooperate with government agencies to protect both corporate and national interests. (See “A Sorry State,” Page 46, to learn how IT will help the State Department cope with post-Sept. 11 challenges.)

There are several legislative categories, all under the auspices of homeland defense, wherein policies have already been or will soon be enacted. Here is a look at what is coming and how it may affect the CIO role.

Coordinating Cyberdefense

The high-profile task of advising the government on critical infrastructure protection and information security falls on the National Infrastructure Advisory Council, the corporate advisory board created in October by President Bush. This new council, which includes 30 CEOs and equivalent executives from the corporate world, academia, and state and local governments, will develop a national strategy for cybersecurity and suggest standards and best practices for putting it in place.

Although CIOs won’t officially serve on the council, they can have a critical role behind the scenes working with CEOs to identify risks to the nation’s computer infrastructure as well as developing and deploying information security measures recommended by the group, according to Richard Clarke, special adviser to the president for cyberspace security. Clarke is also the head of a new committee of federal agencies called the Critical Infrastructure Assurance Board that will consult with the council.

At a forum on critical infrastructure protection sponsored by the government and the U.S. Chamber of Commerce last November, Clarke said that officials learned during the Y2K crisis that CEOs need to be put on the spot to make their company fix major technology problems. “You can talk to CIOs until you’re blue in the face about the importance of security, and they’ll say, ‘I agree, I agree.’ But you have to reach the CEO to get the funding,” Clarke says.

Strategic Cooperation: Other councils are also encouraging business and government cooperation. In its report issued in October, the Gilmore Commission, a panel chartered by Congress three years ago to recommend domestic responses to terrorism, endorsed the idea of involving private sector, state and local executives in crafting cyberdefense strategies. George Foresman, a member of the Gilmore Commission and deputy state coordinator of emergency management for the Commonwealth of Virginia, says a formal approach like that has advantages over the informal groups currently working with federal agencies.

It will be easier, Foresman says, for CEOs to get support and funding from corporate boards of directors and stockholders for information security projects if they can explain how these projects fit in to the big picture.

Partnerships in Policing

To comply with the aviation security law enacted in November by President Bush, airlines will soon be required to deploy state-of-the-art computer security to prevent tampering with passenger lists, which law enforcement officials used to identify the Sept. 11 hijackers.

The new law also paves the way for additional voluntary security measures that could result in airlines deploying new IT systems. For instance, the law authorizes the Department of Transportation to develop national requirements for a computer system that airlines would use to prescreen frequent fliers. This would free security officials to scrutinize less familiar passengers. This type of system would likely use a computer-based identification card linked to a passenger’s profile in an airline database, according to a House Aviation Subcommittee aide who worked on the bill. The aide, who requested anonymity, said that although airlines wouldn’t be required to deploy such a system, most “are itching to do this,” because it would help them speed passengers through security checks.

The new aviation law is one example of legislation or regulations, whether passed or pending, that enlist the private sector to help government agencies ferret out terrorist suspects or thwart future attacks, using IT to do so. Eventually, the government could impose requirements, or at least strong incentives, for companies in many industries to report data, screen customers or deploy specific information security measures, even if there aren’t any proposals currently on the drawing board, says Vatis.

Keeping an Eye on Imports: Another bill in the works, the Customs Border Security Act sponsored by Rep. Philip Crane (R-Ill.), would require importers to send electronic cargo and crew manifests to the U.S. Customs Service for every shipment that crosses the border. Similar to airline passenger prescreening, electronic shipping manifests would enable logistics companies to bypass time-consuming border inspections by allowing customs officials to build profiles of low-risk shipments and carriers, according to Bill Primosch, director for international business policy with the National Association of Manufacturers. Officials could then pay more attention to suspicious cargo or unfamiliar shippers.

Sandra Scott, international trade and customs advocate with Akron, Ohio-based Roadway Express, says many large shipping companies such as hers already have information systems that maintain this data for their own purposes. She says her industry has argued for electronic shipping manifests for years because it would eliminate wasteful paperwork. Delays in modernizing the Customs Service’s computer systems have stymied deploying that type of system, but homeland defense concerns have now made the project a high priority, says Scott. At press time, an aide to Crane said that passage of the bill was likely this year.

Rules of Disclosure

The Sept. 11 attacks have improved the chances for passage of a bill that would limit the legal liability of companies that disclose their security vulnerabilities to government officials or share them with competitors. The government needs information about network intrusions in order to accurately assess threats to the nation’s critical infrastructure and issue warnings when appropriate.

Sen. Robert Bennett (R-Utah) and Rep. Tom Davis (R-Va.), sponsors of this proposal, say more companies would provide that data if they were convinced the public or antitrust prosecutors couldn’t get hold of it and sue them for alleged negligence with corporate data or collusion.

Concerns about legal ramifications “need to be taken off the table,” says John Puckett, former CIO with and GTE Internetworking, and now vice president of business development with Polaroid. Puckett is also a member of the Private Sector Council, which gives federal agencies advice on using IT. Puckett thinks the proposal by Bennett and Davis would encourage companies to share information, much like a similar law, which shielded companies from being sued if they disclosed their Y2K weaknesses, convinced executives to admit to those problems. The bill would prohibit government agencies from releasing any security-related information in responses to Freedom of Information Act requests.

Key lawmakers oppose the measure. Senate Judiciary Committee Chairman Sen. Patrick Leahy (D-Vt.) and open-government advocates think companies could use the bill to hide information about their financial weaknesses from investors. Vatis says existing laws already protect sensitive corporate data from disclosure.

David Marin, spokesman for Davis, says opposition to the bill has softened in recent months. At press time, Davis and Bennett were looking for a high-priority bill to which they could attach their proposal and guarantee its passage this year, says Marin.

The Gilmore Commission would rather have Congress create a nonprofit corporation to collect vulnerability and threat information from companies, sanitize it by removing any information that could be used to identify the source and then pass that information on to other companies and authorities. As a private entity, the nonprofit wouldn’t be subject to public disclosure laws, says Foresman. To date, lawmakers haven’t taken up the proposal, but Congress and the White House have acted on several of the commission’s other suggestions, most notably the idea to establish the Office of Homeland Defense.

Better Security, Fewer Taxes

Rep. Jerry Weller (R-Ill.) wants to give tax breaks to companies that follow information security best practices or use certified computer security products.

Weller tried unsuccessfully to get his bill, which would let companies immediately write off the cost of computer and physical security devices, included as part of an economic stimulus package that was being negotiated in Congress at press time. Instead, he decided to support another of the bill’s provisions, which would allow bigger write-offs for companies that buy any computer software during the next three years.

Weller’s spokesman, Ben Fallon, says the language in the economic stimulus bill “is really the initial salvo in this process.” Weller intends to push deductions for security technology again this year. “Budget constraints wouldn’t allow it [the first time around],” Fallon says. He adds that Weller doesn’t know exactly how much his plan would cost.

“If you know you can write something off [faster], you make more sensible business decisions [about technology investments],” says Harris Miller, president of the Information Technology Association of America. “One hopes that in that decision making there is investment in security upgrades.”

On the Horizon

The first homeland defense and antiterrorism policies affecting CIOs were enacted within weeks of Sept. 11. Others will take months or even years to develop as policy makers learn more about terrorist threats and how companies can help combat them. Even ideas with no clear congressional or White House champions today could gain support with time or political pressure. Washington heeds the squeakiest wheels, whether they are CIOs or others who may not be as well informed about CIOs’ needs.

Not every policy will affect every company in the same way, so the impact of these new policies will be different for every CIO. “CIOs are a diverse community,” observes the Gilmore Commission’s Foresman. “What they need to do is sit down as the manufacturing sector, the energy sector, the services sector and begin hammering out what they need from the government. [Then] they need to see what comes out of the Bush administration and have something to react to.”

One thing is clear, says Foresman: business and government are no longer antagonists. “The whole idea that it’s ‘us’ and ‘them’ doesn’t exist,” he says.