Analysis & Commentary:

INFORMATION SECURITY WILL BE KEY WITH LAWMAKERS

As reported by Patrick Thibodeau, the September 11 terrorist attacks on the United States are expected to shift government and legislative priorities on a host of technology issues. Internet privacy, for instance, the top technology policy issue barely more than a week ago, will likely be replaced by critical-infrastructure protection as the United States seeks to retaliate against what President Bush has called "an act of war."

What this means is that pending legislation to protect corporate data about security incidents, voluntarily shared with the government, will likely be fast-tracked. Antispam legislation, on the other hand, may get pushed aside, according to officials at trade and privacy groups, as well as congressional sources.

Moreover, as a result of the attacks, private-sector companies are likely to become a lot more receptive about collaborating with the government and one another on information security issues. One congressional source said government officials have said the attacks are likely to be just the beginning of a wave of assaults that probably will include cyberattacks.

"I think there will be more collaboration. The phrase circle the wagons comes to mind," said Bill Riley, manager of security and disaster recovery at Johns Hopkins Hospital in Baltimore, who added that the government can do a lot to facilitate collaboration. "People get a sense about how big the risk is. It's tough to do it on your own."

To get some idea of the importance of information security in the upcoming policy debate, consider this: One of the first hearings Congress held the day following the September 11 attacks was on critical infrastructure protection. Sen. Joseph Lieberman (D-Conn.), who headed the committee hearing, said a "new era" in protecting national security -- including cybersecurity -- had arrived. Although the hearing had been previously scheduled, what was remarkable was that it was even held, since many others were postponed.

Lieberman didn't outline exactly what is needed, and it's still too early to predict exactly what will happen on many technology issues -- which bills will move forward and which ones will stall. Congress, for now, is focused on the immediate terrorism crisis. But people closely involved in technology issues expect a change in focus.

"In all these debates, there is a curve between privacy and security, and I think we're going to see a little shift in that debate," said Ronald Plesser, an attorney at Piper Marbury Rudnick & Wolfe LLP in Washington, who represents firms on technology issues. Plesser believes that shift will be toward security.

There is no doubt that the nation is in a new era. But there are also worries that a shift in balance to security over privacy could give rise to some contentious issues.

U.S. officials often have tried to get expanded surveillance powers over electronic communications. For example, the Clinton administration, worried about its ability to decrypt electronic messages sent by suspected terrorists and criminals, pushed an FBI-backed plan to give law enforcers mandatory key escrow, a backdoor means for giving law enforcement the ability to immediately decrypt intercepted messages. The proposal failed in a wave of public opposition.

William Reinsch, a Commerce Department undersecretary in the Clinton administration and a principal technology policy adviser, said cyberattacks will have a "galvanizing effect" on companies.

"I think it will help persuade companies to take more precautions, develop more redundant systems, develop means of storing their critical information in remote locations," he said. "There will be a lot ... that I think people will be inspired to do."

The Bush administration is expected to release sometime this month a new critical-infrastructure plan. One result will likely be a decisive push for security improvement of federal information systems, which are routinely criticized for poor security in reports by government watchdog agencies.

The White House and Congress, so far, have "been unwilling to fund agencies to the level necessary to adequately protect the cyberassets of the government," said Harris Miller, president of the Information Technology Association of America in Arlington, Virginia.