Measures to alleviate the risks of computer terrorism and infrastructure failure, announced today by President Clinton, have already drawn fire from both the private sector and computer security experts. Clinton says he wants to make sure the nation’s telephone and computer networks are safe from malicious attack and breakdown. His critics say he’s going the wrong way about it, and handing over too much power to the FBI and the Department of Justice.
The dependence of the world’s telecommunications and computing infrastructure on single points of failure came sharply into focus this week, when a problem with a single satellite’s guidance system brought down 90 per cent of the US pager network. Clinton made reference to this incident in his commencement speech to the US Naval Academy in Annapolis, Maryland, and pointed out that such an event could be the result of sabotage. “As we approach the 21st century, our foes have extended the fields of battle from physical space to cyberspace,” he said. “Our vulnerability, particularly to cyber attacks, is real and growing.”
The president announced the appointment of NSA global affairs chief Richard A. Clarke to the position of national coordinator on critical infrastructure and other forms of terrorism, including biological warfare. Clarke’s appointment arises from a report presented by the President’s Commission on Critical Infrastructure Protection (PCCIP). That report called for extensive co-operation between government and the private sector. Accordingly, Clinton has said that Clarke will work with both sectors through four joint bodies: a National Infrastructure Protection Center (NIPC), an Information Sharing and Analysis Center (ISAC), a National Infrastructure Assurance Council (NIAC) and a Critical Infrastructure Assurance Office (CIAO).
However, even before Clinton announced these initiatives, United Press International CEO James Adams had attacked them.
In a speech titled “Big problem – bad solution”, Adams told the Online News Summit of a Joint Chiefs of Staff exercise called Eligible Receiver, which saw a team of hackers successfully infiltrate air traffic control systems, power grids, oil refineries and military logistics. Adams said that while the PCCIP had started out well, its final report had polarized the community into two camps – one large team arguing for a Centers for Disease Control-type co-operative body to tackle the threat, and the other consisting of only the Department of Justice and the FBI.
“To make a long and torturously bureaucratic story short, the Department of Justice and the FBI won,” he said. “Underlying this whole secret debate in which none of you participated, was a central but fatally flawed assumption: The government knows what’s best for the Infosphere. They tell and we do. They order and we follow. I don’t think so.”
Peter G. Neumann, a researcher with SRI and the author of the book Computer-Related Risks, agreed that Clinton’s proposals are superficial and inadequate. “It’s a bit of a joke, really, isn’t it?” he said. “The same administration whose cryptography legislation is trying to dumb security down, here and elsewhere, has completely overlooked the fact that operating system and network security is extraordinarily weak.”
Neumann says the vulnerabilities in critical telecommunications and computing infrastructure will not be alleviated until there is a way of getting significant authentication and cryptography results out of the research community and into the commercial marketplace. “It’s very sad that at present, commercial interests have no interest in doing things the right way,” he concludes.