Stewart Baker (Washington Techway)

• Steptoe & Johnson • Baker Bio • TechNews.com • Web Special: Privacy • Tech Policy Headlines • Tech Policy Primer (Flash 5 required) • America at War

Information Technology and the War on Terrorism
Guest: Former NSA general counsel Stewart Baker

Wednesday, June 19, 2002, Noon EDT

Join computer security, privacy and surveillance expert Stewart Baker of the law firm Steptoe & Johnson to find out how the government and the private sector are using the Internet to fight terrorism, and how they prevent the Internet from being used as a weapon against themselves.

Submit Your Questions and Comments: Baker will be online at Noon EDT Wednesday. The discussion will be moderated by washingtonpost.com tech policy editor Robert MacMillan.

On TechNews.com: A wide range of tech policy issues are detailed in the Understanding Tech Policy (Flash required). Also, interesting homeland security issues are highlighed in an article by Washington Post reporter Ariana Eunjung Cha, "Citizen Tips on Terrorists: Leads or Liabilities?"

Editor's Note: Washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions.

To read the most recent responses, click "Get New Text" or select "Automatically Update Page."

Robert MacMillan: Good afternoon, and thanks for joining us. Today we are hosting Stewart Baker, former general counsel for the National Security Agency, now an attorney for DC law firm Steptoe & Johnson. Mr. Baker is a noted technology expert and is taking questions on the Internet and security in the 21st century, as well as some related topics.

Robert MacMillan: Hello Stewart. Thanks for joining us online today. Can you tell us whether the U.S. government views the Internet as a tool that can be used to fight terrorism, or as a potential weapon against which we need to defend ourselves?

Stewart Baker: Hi, Robert. The answer to your question is "Yes." Yes, the US sees the Internet as a tool for fighting terrorism. And yes, the US sees it as a potential weapon that can be used against us.

You can see that in the Administration's proposal to create a Homeland Security Department. It is full of language about fostering information sharing, where the Internet will be part of the effort. At the same time, it pulls together every agency with a computer security role and makes them a prominent part of the homeland defense effort.

Reston, Virginia: Mr. Baker,
Do you feel that the "IT Infostructure" may become a target for the terrorists, and if so, how to best combat it?
Thank you,
Jim Wilkins
Reston, VA

Stewart Baker: Well, maybe. There's no doubt that a well-organized, well-educated group could cause a lot of havoc on the Internet. But I'm not sure how much appeal that would have for terrorists. I can see why WMD -- weapons of mass destruction -- might appeal to terrorists. But screwing up the Internet for everyone is more WMA -- a weapon of mass annoyance. That isn't the business that terrorists are in.

On the other hand, the next time we go to war, we have to expect our opponent to attack the Internet, so preparing for that, building defenses against that, is a worthwhile thing.

Robert MacMillan: Regarding the idea of "weapon of mass annoyance," if we do experience the unlikely event of a big Internet shutdown, do we still expect that the water will flow, the nuclear reactors won't melt, etc.? Or are we now TOO reliant on the Internet to run critical infrastructures?

Stewart Baker: I don't think we're too dependent yet. Email is probably the most critical tool that depends on the Internet. If we didn't get email for a day, it wouldn't be the end of the world. In fact, it would be the closest that adults get to a snow day. Long term, we could probably limp along for a week without email, as long as the phones worked.

This is mostly because the Internet is still unreliable enough on a daily basis -- without terror attacks -- that people don't rely on it to carry essential services. On the other hand, the Internet does make it easier for hackers to break into the systems they've targeted. Also, the spread of Internet protocols to internal systems means that hacking those systems may be easier than it was in the old mainframe days.

Washington, D.C.: I've bin thinking about how the new laws are laden with potential for abuse. For example, Carnivore and similar programs might flag this message because I spelled "been" incorrectly and used the word "laden" in the same sentence.

I also have a hard time imagining how any department could possibly sift through all the e-mails, especially spams, and do any kind of real analysis. Imagine just trying to sort through, say, all the e-mails sent to and from The Post.

Shouldn't we spend our time and money more productively? It seems like one option that is always forgotten by the current politicians is to realize that this is one small planet and we need to improve education, health and opportunities around the world and at home?

Stewart Baker: If you're proposing that we spend more on international health initiatives and less on intelligence gathering to capture terrorists like bin Laden, I don't agree. Bin Laden was raised in the lap of luxury with every possible health and education benefit, but he still hates us and will for as long as he lives, no matter what we do for poor people in other countries. Sometimes you just have to confront your enemies and win. I think that's where we are now with Islamic terrorism.

You're right about the possibility that searching the Internet for key words could produce a flood of data, most of it irrelevant. (Although Carnivore, or DCS-1000 as it's now called, doesn't do that kind of searching; probable cause is still needed to read or even screen the content of email messages in the United States.)

But I suspect the people who make that point aren't really trying to solve a problem but are just looking for an excuse to end some intelligence gathering techniques. Usually the answer to too much data is to use more sophisticated tools to sift it. Collecting less data isn't going to help us respond to terrorism. Doing more processing of the data we collect will help us prevent future attacks.

Washington D.C.: Stewart,

Please tell us how our government is
using its new power under the PATRIOT ACT to look at our
e-mail, watch what sites we visit, and
follow our medical, financial, political, and
social interactions.

What are they allowed to do? Do you think
this is even possible, given the enormous
quanity of internet communcations? Won't
this, in the end, just be used against US
citizens just as much as "terrorists"?

Stewart Baker: There were a lot of questions like this. Let me offer a general answer.

First, by and large, the fear that government will be monitoring ordinary citizens is overhyped. Inside the US, or where a communication is known to involve Americans, it's not easy to get authority to intercept email or web sessions. It may require an elaborate Title III wiretap order. In other cases, if the government is seeking something other than content or it's looking for historical data, a court order or subpoena is required.

While the dominant press theme about USA PATRIOT was that this was a hasty bill full of dubious civil liberties incursions, in fact the bill mostly updated existing authorities to account for changes in technology. To take one example, it was already possible before USA PATRIOT for the government to use a special order to get the phone numbers called by a target (but not the content of the calls). Could the same authority be used to get the "to" and "from" line of emails (but not the email's content)? No one knew for sure. USA PATRIOT made it clear that the same order could be used for both purposes. That's a change in the law, and it helps law enforcement, but it isn't exactly a radical revision of our civil liberties. Most of USA PATRIOT makes that kind of change.

Arlington, VA: How is the international community responding to their internal security issues? Are they watching us and waiting? We have heard that some of the European countries are forming public/private partnerships to address their national security.

Stewart Baker: This is an interesting question. In the past decade, Europe has emerged as a "fast follower" of the US in making IT policy. So an issue that the US is struggling with usually shows up on European radar screens within a few months. Of course, since Europeans tend to be more enthusiastic about governmental solutions, it's not uncommon for the European Union to get out in front of the US in actually implementing such solutions. Sometimes that's good; sometimes not.

In the area of critical information infrastructure, the EU followed this pattern, beginning to focus a lot of policymaker attention on the problem after the Clinton Administration first began to express concern about it. As far as I know, the European effort has not gone much beyond what we've done here -- establishing information sharing fora and the like. But Europe already has one tool our government doesn't.

All personal data in Europe must be adequately safeguarded under the data protection directive. So a breakdown in a company's computer security almost by definition creates a risk that the company will be charged with violating European law. At least that's what the lawyers in our Brussels office tell me.

I'm sure Dick Clark in the White House would like to have that hammer in his back pocket for the times when industry doesn't seem to be paying enough attention!

Robert MacMillan: Richard Clarke is the National Security Council's cyber-security point man, and not the one-time American Bandstand host. -ed.

Alexandria, VA: PGP used to give the average Joe cheap encryption. Now that NAS has dropped PGP, I imagine its development will be picked up by the German free software developers, funded by the German government. Oddly enough, SAP, the business software is also written by Germans. Not to be an alarmist, but are we
keeping on eye on the Germans?

Stewart Baker: You've put your finger on a slightly sore point.Our relations with Germany are going to be stressed a bit by September 11. Because of its history, Germany is probably the most civil-liberties-conscious country in Europe. That's one reason its government embraced the idea of cheap encryption for the masses. (The other has to do with unease about who might be spying on German companies.) In a related development, the Germans have said that they may not provide us with evidence that they have against Zacarias Moussaoui because they (actually just their elites) feel so strongly that the death penalty is wrong. I think most Americans feel that sort of position is morally obtuse (not to mention appalling); most European elites think it's morally necessary. So we'll be seeing some strain in the relationship as the war against terror moves forward.

Washington DC: Is the government going to ask or lean on
companies like Microsoft to fix their
security problems, in the interest of
stopping terrorism, of course? How will
the government get big business to
change their ways to combat terror?
There are a lot of US companies that
make all sorts of weapons that can be
used against us as easily as a box
cutting knife. And they are available on the
Internet.

Stewart Baker: I think Microsoft is feeling plenty of pressure on the security front from customers, not just the government, and they're certainly saying the right things. But security is not easy to do right, and it's not cheap. At the end of the day, Microsoft and other companies are only going to do things that can be economically justified -- unless the government enacts a law requiring more than that.

So if you're worried about backroom pressure tactics on business, that's probably your best protection. The companies in the end are going to insist that the government pass a law to make sure the playing field is even for all. And the last I looked, it was pretty difficult to pass a law without anyone noticing. If the deal isn't in the public interest, it will have a hard time surviving the legislative process.

Robert MacMillan: That will wrap it up for today. Thanks very much to Stewart Baker, and thanks also to everyone who joined us today - even if they had to beam in all the way from Mongolia. ;)

   |      |