Michelle Van Cleave
NATIONAL SECURITY POLICY AND THE PROTECTION OF STRATEGIC ECONOMIC INFORMATION

On the eve of the coup in Moscow, the White House released a document entitled the National Security Strategy of the United States. The preface, signed by President Bush, issues a challenge to the nation. "We must not only protect our citizens and our interests", the President says, "but help create a new world in which our fundamental values not only survive but flourish. We must work with others, but we must also be a leader".

In other words, the national security strategy of the United States requires a strong national defense and protection of our interests at home and abroad, to be sure: but equally it demands American leadership to promote and consolidate our values of liberty and individual dignity throughout the world.

We must begin a discussion of the protection of the nation's strategic economic information by considering the historic changes we are witnessing, the central importance of the values of freedom and democracy, and the vital mission of America in the century to come.

STRATEGIC VISION

In the scenes of the streets of Leningrad, in the barricades before the White House of Moscow, throughout the reborn countries of Latvia, Lithuania, and Estonia, in the many Republics now defining their own path, we have seen the triumph of the human spirit over the forces of tyranny. All the power of the Red Army and the Communist Party and the KGB ultimately proved hollow against the determination of brave people to live free.

As strange as it may seem now, it was not so long ago that many were arguing that stability and preservation of the status quo were our most important objectives in Europe. We were told that the Soviet Union's hold over its neighbors must not be threatened; that this was the unhappy but necessary price we had to pay for peace.

For many years, the nations of Central and Eastern Europe submitted to this fate. Czechoslovakia's President Vaclav Havel, whom we welcomed to the White House last month, explained in his essay, "The Power of the Powerless", that the communist system of control succeeded because of the consent of the governed. Not in the positive sense that you and I use those words, but the negative consent of default: Not enough people would stand up and say no.

Yet thankfully, in the final analysis, the people of Central and Eastern Europe did find the courage to say no. They found the courage to reach for the values embodied in the great documents of our liberties and political beliefs. As a result, the Berlin Wall has fallen; and now the Federalist Papers are being widely read throughout the former Soviet Union.

The courage of those who said no should cause us to reflect with some seriousness upon the values that must guide our policies. One lesson is that America's policy of peace through strength, ridiculed by some as misguided Cold War thinking, has proven as right and as great a force for good as we always believed it to be. But another lesson is that a great nation does not lead merely by reacting to threats, but rather by defining its objectives and the opportunities to achieve them.

LOOKING TOWARD AMERICA'S CENTURY

Today there is great hope throughout the world, as the opportunities for freedom and economic growth have never been greater. And in the aftermath of these remarkable changes, some are saying that "history is over", and that no serious threats to American interests remain. Others have been accused of inventing or exaggerating threats in order to justify old jobs or new ambitions. Most people are simply confused. This is understandable, given that we are poised at a defining moment in history, when an aggressive empire has fallen and a totalitarian claim on the spirit of man has failed.

In the midst of all this uncertainty, knowing with any precision where or when threats to our security may emerge may well be an impossible task. But certainly history teaches that power and ambition, greed and false ideals bring conflict and war--human foibles that have not gone away. The twentieth century in particular has been marked by aggression, tyrannies, and statist ideologies. As a result, this century, tens of millions have died, scores of millions have fled as refugees, and hundreds of millions more have lived with suffering and oppression. Self-destructive socialist economic policies have brought starvation, poverty, sickness and desperation. And immeasurable creativity and joy have been lost.

The future that each of us would wish for, the future that together as a nation we would work for, is a future in which these evils are held firmly in check; a future in which freedom is both a universal ideal and a universal norm. As the twentieth century draws to a close, our challenge is to exploit the opportunities ahead to ensure that history will record the next hundred years as truly America's century.

To this end, we need to identify those forces and challenges which could threaten American values. And in setting national security strategy, I believe we should measure the seriousness of these threats by the extent to which they would impede the opportunities which will be presented to advance our values in the coming American century. Against this standard, I would like to discuss some of those threats as they relate to our nation's economic strength.

THE THREATS WE WILL FACE

Throughout the Cold War, the Soviet Union was far and away the greatest threat to the United States and our allies, principally owing to its unsurpassed military arsenals, both nuclear and conventional. The other pillar of Soviet power during the Cold War was its militant intelligence gathering and active measures, which had as their target not only the political and military resources of the West, but our economic and technological strength as well.

Today there is enormous confusion and uncertainty over the future of Soviet military forces and policy. In the words of the Secretary of Defense, "The former USSR remains a nuclear superpower in the midst of a revolution--a situation without parallel in history. The continuing existence of enormous military capabilities in a state which is in the throes of a revolution--and the accompanying potential for violence and chaos--present a new kind of security challenge for the United States and its allies." As with the military threat that may be posed by the successor to the central government, in like manner we are unable to define with precision the intelligence threat that might emerge from the power that is heir to those Soviet institutions.

Will the Russian Republic inherit a KGB that picks up where the Soviet KGB left off? Or will changes in relations and the absence of communist party control fundamentally transform the nature of that threat? We don't know. But given that even a relatively more benign nation, if armed with 30,000 nuclear weapons, still has to be of concern to us, likewise any nation that inherits the Soviet KGB must be accorded serious attention.

And I would note that to date, the FBI reports no diminution of KGB or GRU espionage activity.

Whatever happens in the former Soviet Union, the knowledge and experience represented by the KGB, and those who have learned from the KGB, are realities. The Communist regimes still ruling China, Cuba, North Korea and others remain as threatening as ever. The increasing sophistication, availability and proliferation of espionage technology is also a reality. So we must take into account the possibility that organized, sophisticated and aggressive hostile intelligence threats will remain with us for some time to come.

In addition to these more or less traditional threats, there are a growing number of non-traditional threats. For example, it is possible that KGB intelligence officers may even now be circulating their resumes, looking for new work outside the former USSR. There may no longer be much demand for their ideological services, but many of these officers do have finely honed skills in the collection of technological and economic information. Possible targets would not be limited to the U.S. government, but could well include other nations and the U.S. commercial sector as well.

In today's world, there is a perceived premium for high technology, particularly weapons technology, that can turn a small nation into a threat to its region, its neighbors, or indeed to the U.S. itself and the Western world.

Proliferation of the technologies for weapons of mass destruction and their delivery systems is an increasing problem for the United States. Much of this technology that has already leaked has been obtained through theft and illegal diversion. Moreover, non-proliferation regimes which seek to control formal transfer of these technologies, while necessary to slowing down proliferation, may in fact generate intensified espionage efforts in the face of legal barriers.

Finally, we are in an age where national security allies have become economic competitors--with their own special interests in America's technology and wealth. And while the efforts of non-Communist countries and firms to access U.S. research and technology are largely legal, open and direct, they are not exclusively so.

As a consequence, when it comes to commercially valuable financial and technical information, private American firms may find themselves competing not just with other companies but against foreign governments as well. President Bush has stated, "Historically, foreign governments--and to some extent foreign businesses--have tried to obtain our secrets and technologies." What many may not realize is that other nations frequently share this data with their private businesses both formally and informally--the competitors of U.S. commerce and industry--to give them national economic advantage.

INTELLIGENCE AND THE PRIVATE SECTOR

When we see foreign government and foreign competition spying on U.S. business and industry, it is not surprising that some are asking why can't the U.S. use our intelligence assets to support our private sector. This appeals to our sense of fairness, on one level, but there are some very difficult questions associated with such an undertaking.

When the new Director of Central Intelligence, Robert Gates, was asked about this issue at his confirmation hearings, he confessed that:

One of the problems that we've wrestled with for at least a dozen years is how to take some of this information that we gather, that in essence practically falls into our hands, and make it useful to people. And the honest answer... is that we can't find a way. We've tried for 10 years or more to find a way to get it into the hands of U.S. business and we can't find a way to do that so it does not somehow get all tangled up in the law, in advantaging one company over another.

Why is this so difficult? Apart from the obvious concerns over the protection of intelligence sources and methods, there are many serious legal questions as well, especially of the Equal Protection variety. For example, given the complex nature of the international marketplace of multinational corporations, and transnational holding companies and investors, and foreign subsidiaries, how would we define what constitutes an American company? Such a distinction would be crucial not only in identifying eligible beneficiaries of intelligence sharing, but also in defining the targets for collection. How would priorities be set among competing private sector requirements for limited intelligence resources? How would those requirements be developed and tasked fairly?

Not only do these concerns present serious legal difficulties, but they also call into question the practical benefits of any intelligence sharing regime. And on a political level, any U.S. policy to collect commercial intelligence would have adverse consequences for our intelligence and other relations with key allies.

Finally, is the collection, analysis and dissemination of intelligence to support commercial ventures a proper role for the U.S. government from an ethical point of view? If what we mean by that question is, should the U.S. be in the business of industrial espionage, the answer is clearly no. Any such undertaking would require a radical restructuring of the way our intelligence agencies do business, new legal regimes, and a new public mandate that would be a sharp departure from the national security assignments of the past.

Frankly I am concerned that speculation about a future industrial espionage mission for the CIA has simply led to more misunderstanding and confusion, and diverted attention away from what should be the central question: What is the proper role for the U.S. government in the protection of private sector vital information and technology?

TENSION BETWEEN SECRECY AND VALUES

In recent years, the United States has come of age in recognizing the strategic importance of the security of our information, our technology, and the communications and computer systems which enable us to use them productively. The challenge now is to act on that knowledge. And I believe our success will be measured by how well the Government and the private sector work together to secure our nation's vital strategic information against an increasingly sophisticated, aggressive and diverse threat.

The work ongoing on the new National Industrial Security Program, under development as a joint Government-Industry initiative, is an important example of this necessary partnership so far as government contractors are concerned. And we do understand the role of the government in the protection of government information and technology. While we may not have come as far as we need to in terms of resources or energy or thinking in carrying out that role, basically we understand what needs to be done to protect U.S. government information.

But for the most part, the nature of government and private sector interaction in protecting strategic information raises important and largely unanswered questions.

In the first place, there is an inherent tension between the need for secrecy and the fundamental values of a free and open society. Rapid strides in scientific and technological endeavors are severely hindered by limiting the free exchange of ideas and technology. Yet such information can be used by adversaries, both military and economic, to their advantage. And of course, we're not just talking about R&D, but tremendous volumes of financial and business information and other proprietary data as well.

So how does a society, based on openness, decide that certain things must nevertheless be protected? I don't know where the balance should be drawn, but I believe that it should be possible to find a balance that respects and supports our basic values. Within the United States we believe in the free flow of information, but we don't believe in insider trading. We rigorously protect free speech but respect in both law and values the confidentiality of privileged communications. We support robust competition but honor patents and copyrights that protect intellectual property.

In short, we do recognize important constraints on the free flow of information. Based on the rule of private property, we need to find a way to extend that kind of basic fairness to the international situation.

To do this, I believe we must start with a coherent technology and information security policy that sets forth what information we must protect and why we should do so, in a way that supports our values and especially our deeply held belief in and respect for the free exchange of ideas. Indeed, unless we address the need for secrecy and the protection of information and technology as part of an integrated, rational, and evenhanded policy, our protection programs are likely to result in unfairness and inefficiency, they will not command support, and they won't work.

This is true because the elements of counterintelligence, countermeasures and security which we single out as "information security"--just as with the security of military secrets--do not exist in a policy vacuum with an intrinsic value apart from their ultimate purpose. Practically, they do not stand by themselves. Both intelligence and security are contingent activities. The axiom that intelligence is useful only if it leads to or helps to execute policy is likewise true of security. What the government and the private sector do in counter-intelligence, countermeasures and security must be driven by our policy objectives.

To date there is no generally accepted general theory of how the elements of strategic economic and technological information should be identified, integrated and protected. They include such diverse concerns as non-proliferation of weaponry, dual-use technology transfer and export controls, and the identification of technologies critical to the nation's future security and economic well-being. Moreover the explosion of technologies to store, process and transmit information makes protecting select pieces of information extremely difficult.

Developing a comprehensive national policy for information protection will not be an easy task. It's one thing for the government to identify technologies and information critical to foreign relations, military operations, or intelligence activities, but what about those things in the private sector that are also vital to the United States, such as financial and trade secrets, commercial properties, and industrial R&D? Given that the government does not own or control this strategic information and technology, how are we to arrive at a workable national policy to protect it?

I don't know the answer to that question, so I would pose it to you. Is there a way in which the private sector could offer its views, understanding, and ideas on how the U.S. public and private sectors together can arrive at such a policy? It seems to me this will require a serious public policy debate in the private sector--not just narrowly focused "interest group" politics--about the place of an information and technology security policy in American society, and the proper roles of government and commercial firms in supporting it.

GOVERNMENT-INDUSTRY PARTNERSHIP

Let me be clear. Under no circumstances would I advocate any kind of regulatory government activity in protecting private sector information, and I suspect I would get rather solid agreement on that point. But I do see the potential for a sort of shared Operations Security or OPSEC responsibility in a government-industry partnership, in which the government would provide threat and vulnerability data. It would be up to the private sector to determine their level of risk--because they know the value of their strategic information, and they know their business--and to apply the security and countermeasures required.

That may seem pretty straightforward, but I do not want to gloss over how difficult it can be in practice to assess what is strategic information and what is not, especially when it comes to information outside the bounds of what is traditionally defined as national security information. The government is currently struggling with these concepts, in such areas as export controls and critical technologies studies.

What is the right mechanism to identify the most vital information and technology assets of the private sector? It seems to me that defining which information is strategically vital in the commercial world is a duty and business function of the private sector. The analysis would vary from company to company, and would be up to each company to do or obtain for itself. So in the identification of what is truly valuable--the first step in the OPSEC methodology--the Government would have little role to play.

Now many business people might say, I think I know which of our corporate information is vital or sensitive: what I don't know is how vulnerable that information is, or what the nature of the threat is. Do we need to encrypt fax machines? Do we need to train executives in counterespionage techniques when they go abroad? Is the SIGINT threat serious in Des Moines or Seattle or Oklahoma City? Are international telephone calls being intercepted?

When it comes to both general and specific threat and vulnerability information about foreign government collection activities aimed at U.S. businesses, the government has a near monopoly. We should be exploring ways that general threat data might be made available to the private sector, as part of the government's role in this OPSEC partnership. However, while the government knows a great deal generally about the activities of foreign governments and their intelligence services, there has been too little emphasis to date on collecting against threats to the commercial sector. The FBI is just beginning to look into the foreign counterintelligence requirements of protecting critical technologies and strategic proprietary information, in the development of its National Security Threat List. And across the board, we are seeing an emerging new intelligence mission, as the protection of American private sector strategic information and technology is increasingly viewed as an element of the nation's security.

Providing specific threat data--that is particular threats targeted against individual companies--would present more of a problem. The government could arguably provide such data without raising any philosophical or ethical concerns. But in practice it would raise some of the same legal and fairness issues, as well as some of the same practical difficulties, that I mentioned earlier in connection with proposals to share positive intelligence with business and industry. Each of these questions would have to be addressed.

General vulnerability data, like general threat data, would also fall within the government's responsibility in an OPSEC framework. The government understands a great deal about private sector vulnerabilities, which are often similar to the government's, because of its knowledge of the capabilities of our adversaries. Today this information is dispersed in different places within the government. In order to provide vulnerability data to the private sector, among other things we would need a way to collect, collate and analyze vulnerability data, with due regard for sources and methods, before the government could make it available. Some of this, of course, is already being done--for example, the FBI's DECA briefings, and the State Department's Overseas Security Advisory Council's work. However, this government support does not reach the level that today's business and industry really needs. Although just how much threat and vulnerability data would be of use is an open question, which the private sector needs to answer.

Once strategic information has been identified, and threats and vulnerabilities are known, the next step in the OPSEC process is doing something about it. Here the government clearly has some responsibility, in particular in defeating foreign intelligence services operating in the U.S.

The commercial sector, armed with threat and vulnerability data, should be capable of providing its own security and countermeasures. There is an established and growing industry for providing sophisticated OPSEC to the private sector. While the private sector may well need the government to identify vulnerabilities, it doesn't need an Army major to prescribe how to protect proprietary information and technology. The decisions on whether or not protection is warranted, and how to do so, rest with each firm, as they should.

How to spend money is probably not an area where the private sector really needs more government advice.

CONCLUSION

In conclusion, I believe that unless Americans in business and industry think seriously about these issues, and come forward with thoughtful and high-minded policy proposals, the government really will be able to do very little to help.