Richard M. Helms
I have been asked to address you today concerning the role of the Government in protecting U.S. companies from industrial espionage. Our Government has already taken some steps in this arena, but no matter how well-conceived a program might be, there are few certainties about the degree of success which may be achieved. Certainly, we will find no clear answers to our dilemma in the short time we will spend together on the subject today.
The challenge represented by industrial espionage is a challenge to the U.S. Government because of the threat posed to the nation's economy, and a challenge to American companies which must respond to the threat with or without help from the Government.
When we assume the task of protecting ourselves against industrial espionage, we should not become so overwhelmed by the electronic wizardry surrounding computers and modern communications that we lose sight of the fact that what we are trying to do is to protect U.S. companies from the loss of vital trade secrets, secrets which are locked away in computers and computer systems, secrets on which the U.S. enterprise depends for its competitiveness, its profitability, its survival.
Let me pose four basic questions which you may wish to think about in the context of your own experiences in the government, in the private sector, or in both.
First, what form, if any, should the Government's approach in protecting U.S. industrial interests take: statutory, regulatory, educational?
Second, from what sources and by what methods would the Government derive the information it requires in order to tailor its intelligence role to the security needs of American industry at large?
Third, to what extent must the burden for protecting companies rest upon industry itself, rather than the Government?
Fourth, in a democratic society selling its wares in an imperfect and unscrupulous world, where is the balance point between security (that is, secrecy) and open, free trade to be found?
Now, as to the first question, what approaches are we taking? The National Security Agency has created a National Computer Security Center to provide the U.S. Government with the means to protect its computers and the data they hold and manipulate, and the Department of Commerce has been authorized to provide guidance and protection to those in the private sector. Data encryption standards have been developed; information programs have been initiated; and many publications have been provided to the private sector.
The General Accounting Office (GAO) has performed innumerable audits and investigations into the security programs and attitudes of various critical U.S. institutions, such as the Federal Reserve. The GAO, along with the House Judiciary Committee, is continuing even now to examine the question of industrial espionage in greater depth.
The media has worked with a vengeance to make all Americans keenly aware of the vulnerability to unauthorized access of computers and all their peripheral components by individuals or organizations bent upon stealing or damaging the data contained in them.
Is there anyone in this audience who is not aware of the potential for damage by a computer virus, even if you might not know exactly what a computer virus is?
We have, indeed, turned up the technological and administrative heat on this problem of computer security. As a nation, we have made some progress. But let's assume, for just a moment, that we have succeeded in solving the technological problems that cause all the computer security issues we could ever have. Let's assume that our hardware and software have been, and forevermore will be, absolutely 100% protected against unauthorized access of any conceivable kind by any hypothetical wrongdoer or adversary. And let's assume that our codes and ciphers are impregnable.
Alas, we have only scratched the surface of the information protection dilemma facing U.S. industry.
Why? Well, let me share with you a couple of reasons:
First, were I an industrial spy given the task of penetrating a highly secret computer/communications system and extracting its secrets, I would not attack the system itself. What I mean is that I would not invest in an assortment of sophisticated computers in an attempt to break all the codes and ciphers, hoping to empty the computer system. Instead, I would seek to suborn someone with access to the information I need to permit me to enter the system as a legitimate user. That someone might be an executive, a secretary, a records clerk, or even a trash collector. Once my use of the system achieved a semblance of legitimacy, I could extract and use the information with little fear that its true owners would ever become aware of my existence.
This scenario is not all that far-fetched. A few years ago, an organization with which I am associated, and which provides security services to the private sector, was engaged by a major U.S. manufacturer to investigate why it had lost three successive, potentially lucrative, off-shore drilling contracts to the same Japanese competitor. The reason proved to be that the company's computer data, which contained vital bid and proposal information, was being siphoned off, apparently legitimately, by a former executive, who was selling it to the Japanese competitor, allowing them to construct bids which the U.S. company could not possibly match. There was no technological breach of the computer system. No codes were broken, no ciphers solved. No high-technology spying was used. It was a plain, simple act of bribery, a betrayal for money: industrial treason, if you will.
Many of you may be familiar with the First Chicago Bank case which occurred a few years ago. There, a group of high school drop-outs ripped off the bank's electronic fund transfer system to the tune of some $49 million. They were caught only because they withdrew several million dollars more than was in the account of one of the bank's major depositors. First Chicago used a computer communications system that was made up of very sophisticated, high-technology equipment. But it was all for naught, because transfers were authenticated and confirmed via unsecured telephones. Thus, all the existing high-tech protections in place were circumvented and at the mercy of easily accessible public phone lines.
There is another important reason that solving the technological problems of computer and communications security only scratches the surface of our information protection problem: while the computer might be the most prolific single source of the information which it stores, manipulates and provides, it is by no means the only source.
All computer data exists, sooner or later, in other forms. We have by no means achieved a paperless society. All of that digitized, communicated, and computerized information is guaranteed to turn up in a wide variety of places, and in a wide variety of forms, probably simultaneously. It will be the subject of countless conversations in board rooms, private chats and telephone conversations, both before and after it is committed to the computer files. It will appear, if only in bits and pieces, in correspondence. Computer printouts will be made. Copy machines will copy it, and users will distribute those copies at meetings and to associates; some will even be mailed.
And what, exactly, in the context of protecting U.S. companies from industrial espionage, should our Government do about that? What, indeed, should industry do about that?
The problem we create for ourselves in this information and communications dependent society is that we generate so much information so rapidly, and we pass it about so freely, that we are in clear danger of losing more of it from inadvertence than we are by having it purposefully stolen by some industrial spy. That, I submit, is everybody's problem, not just the United States Government's.
Which brings us back to my set of earlier questions.
You will recall that the first question had to do with which courses of action the U.S. Government should take in protecting U.S. companies. I must admit that I am not prepared to address the potential for any kind of effective legislation on this subject beyond what exists in the realm of export controls, licensing requirements, and the like. Sanctions and criminal penalties, in the long run, do less to prevent information loss than does a visceral appreciation on the part of industry regarding where its own best economic interests lie.
There are some practical regulatory approaches which are being applied. For example, a Presidential Directive now requires that certain defense-related industries, and others involved in specified kinds of business with the U.S. Government, have in place viable Operations Security (OPSEC) programs. It requires that companies be corporately aware of the kinds of information they hold about government programs that must be protected. It makes companies responsible for understanding who might wish to acquire prejudicial access to that information. It also mandates that companies have in place programs to ensure that the information is adequately protected.
This step by the Government has had a generally favorable impact across the board on U.S. businesses and industry in the sense that it has created a new awareness of the possibility for the loss of their competitive edge. This has, at least in some cases, caused a new look to be taken at the threats of information loss both from inside and from outside industry.
Shortly after that [Presidential] directive was issued, the Interagency Operations Security Support Staff (IOSS) was created to assist Government agencies in developing and implementing OPSEC programs. The IOSS acts to assure that these agencies and the contractors with whom they are doing business comply with the directive.
Most of that is in fairly embryonic stages, but the net long-term effect of the program is almost certain to be extremely helpful in slowing the loss of vital U.S. data.
This, of course, is not a new problem to us. Following World War II, the West was seized with the fear of losing technology to the Communist bloc. Our response was COCOM, the Coordinating Committee for Multilateral Export Controls. Although COCOM never achieved the status of a formal treaty, it was faithfully supported by the U.S., UK, France, FRG, Japan, Italy, Belgium, Netherlands, Luxembourg, Canada, Norway, Greece and Turkey. Some decades later, the issue was given new impetus by President Reagan's determination, and I quote, "to stop the hemorrhage of technology," from the U.S. to the East.
COCOM began its life on New Year's Day, 1950. We are now more than 40 years into the recognition of this technology loss. Not only have we not solved it, but we are faced with an increasingly complex environment within which to address it, given the rapidly advancing technologies of communications and computer science, and our increasing need to generate and to distribute ever greater amounts of information.
So it seems the Government, by simply putting more federal laws on the books, is probably unable to deal effectively with the information explosion and all its implications. But it can make some important inroads into the problem by providing a regulatory underpinning, such as National Security Decision Directive 298, that requires government-related industries to implement reasonable information and operations security programs. It can make use of tools such as the IOSS, and of the education of U.S. industry, which is essential to the private sector's awareness of the threat. This is the type of information recently furnished by the GAO in its reviews of security programs and problems. Therefore, the education of American industry to the realities of the threat must continue to constitute a primary role of the U.S. Government in promoting industrial security. It has long been my conviction that effective information protection derives more from awareness, attitude and attentiveness than it does from rule, regulation, or fear of retribution.
My second question had to do with the sources of information that the U.S. Government might use or have available which would help to tailor its security assistance to U.S. industry.
When most people contemplate the sources of U.S. Government information, they think first about the intelligence community, and obviously, those sources exist. The idea of using them outside government is a complex problem for all of us. In most countries there exists a very close association and a free flow of information from national intelligence sources into the commercial sectors, and that condition exists in most of the countries we have traditionally labeled "friends", as well as those who have for many decades been considered adversaries. I am not sure there is a great deal we can do about foreign behavior. For one thing, should we Americans decide that certain kinds of intelligence information were to be provided to benefit U.S. industry, who will determine which industries would be given that information and how would we give it to them? Can you imagine the intensity of the in-fighting and the competition? Not to mention the impact on our already litigious society.
Moreover, the national intelligence agencies of many countries have industrial and commercial targets that are of greater significance to them than military and political targets. In the past, that has not been the case in the United States.
What this means to American companies is that the adversary, in the campaign to protect information vital to survival, is, as often as not, a nation, a country, a national intelligence enterprise, and not simply one or more industrial or commercial competitors.
And that leads us to the need for a close and continuing cooperation between industry and those Government agencies that can provide the tools and training necessary for the protection of our industries from their real, and most competent, economic adversaries.
Our third question asked to what extent the onus for protecting against information loss should fall upon industry, rather than upon government.
The answer, at the operational level at least, is that the ball really is in industry's court. Government can help. Government can act (it can legislate and regulate) to protect government programs and information. But in the final analysis only industry can clearly delineate its own vital economic interests. And only industry can do what must be done to ensure that those interests are protected.
Fortunately, concerns for information protection have not been limited to Government. The private sector itself has been gearing up for some time to be in a position to address these concerns. Private sector tools, based upon technologies and methodologies developed in and by the Government, are becoming increasingly available to almost any commercial enterprise wanting to take advantage of them. Increasingly, private industry has seen the need, and has responded, although the educational process for most U.S. industry is far from 100% effective. Still, enormous problems remain.
Clearly, the Government has provided for the private sector to have available the best tools and training in the information protection arena. I have already alluded to some of them: National Security Decision Directive 298, the Interagency OPSEC Support Staff, training and education programs for defense contractors, GAO audits, the role of the Commerce Department in providing the U.S. commercial sector with adequate communications and computer security devices, and so forth.
I have also alluded to the fact that communications and computer security programs are not sufficient in and of themselves to protect American industry against a determined industrial espionage program. How does U.S. industry then undertake to provide itself the protection it requires?
To answer that question fully, I must digress for a moment. Industrial, commercial, financial, business operations of all kinds, and particularly those which are competing in the international arena, require the same kinds of protection, although perhaps not to the same degree, that are afforded to military operations or political gambits. The Government cannot, within the constraints imposed by both law and funding, address all of the peculiar vulnerabilities of every U.S. enterprise throughout the world. Nor would the Government or business want this. The Government has, I believe, generated the conditions within which it can lead American industry to an understanding of its information and operations security problems.
It has indicated the kinds of tools that must be applied to address those issues. It is industry's turn to act.
To a large degree, I think, the difficulty in acting, in government as well as in industry, lies in how we approach security.
Industrial security traditionally has been perceived as an activity concerned with physical access, reliability of personnel, and inspections: locks, fences, doors, safes, walls. A necessary, vital and effective set of undertakings.
Economic security, on the other hand, is often viewed as communications and computer hardware and software: codes, ciphers, transmission security, communications center inviolability.
The two seldom meet in ways that are complementary. The first set of security issues falls to people who have backgrounds largely in traditional security disciplines, and often in the private sector. Their backgrounds are in law enforcement or investigations, not at all in security as I would define it. On the other hand, the security of information most often is left to people whose careers have been devoted to information management in computer or software-related sciences. Their success on the job is measured by their ability to receive, store, manipulate, and provide data or information accurately on demand. They have no background in either intelligence operations or security. Nor do they have any incentive to overlay security programs on their computer or information services: security programs are usually perceived as incompatible with operational efficiency.
And so, all too often, the buildings and the safes are rendered unassailable, data is routed efficiently and effectively, and information vital to the success of the enterprise slips through cracks in the system.
No one has the capability, or the understanding of the threat and the adversary, to measure them against the policy, procedure or system vulnerabilities that always exist in those gray areas between uncoordinated and competing security disciplines. These vulnerabilities are almost always both inherent and invisible in the equipment, systems, or networks in use.
Thus, although U.S. industry can and should continue to look to government for leadership, guidance and help, industry itself must ultimately carry the greatest share of the industrial security burden. It will learn, as did the major U.S. manufacturer I mentioned earlier, that its bottom line depends upon it.
The question arises: where can industry get such help if not from the Government?
The answer is that the private sector has begun to provide this help. For example, at least one private-sector organization approaches the security of commercial and financial enterprises with a unique set of talents: it has within it a cadre of people whose backgrounds include intelligence, operations, and security disciplines, a combination that gives it truly unique insights into the potential vulnerabilities of information systems. Those people are complemented by computer scientists, communications engineers and professionals with cryptologic research and development backgrounds. All that makes them a formidable opponent to any potential industrial spy, hacker or malcontent who would wish to acquire prejudicial access to an information system or any of its components.
So the right kind of help is out there, and most of the people who are competent at providing it have come from careers in the unique government disciplines and agencies that provide the same services to Washington.
Having said that the ultimate responsibility for providing for its security must come from industry itself, with the kinds of assistance from Government mentioned earlier, I have essentially addressed the salient element of what I referred to as my fourth question: that is, the balance point between security and open, free trade in this democratic society of ours. There are limits to what the Government can provide, and limits to what it should provide. But American industry must understand that, in the arena of information protection, the adversary with whom it most often will be confronted will be some competing industry's government. American industry's information security and operations security mechanisms must be equal to the task of taking on the intelligence network of an entire nation.
The compelling reason for protecting American business against industrial espionage is, ultimately, to ensure our survival. That is a goal worthy of the closest kinds of government and industry cooperation.