
interview: robert giovagnoni


He is the Executive Vice-President for Strategic Relations for iDefense, a private agency specializing in information intelligence. He is also the former General Counsel for the President's Commission on Critical Infrastructure Protection (PCCIP) and General Counsel and Assistant Director of the Critical Infrastructure Assurance Office (CIAO).
Is it really possible to devise protection for the infrastructure of the internet?

Well, yes. But I want to make a distinction here. I don't know that you can totally secure something within the internet. . . . The internet, when it was originally designed, was designed to be open. And now we are trying to protect it in the way that you can close all the doors, and by its very nature, it won't happen. Not in the foreseeable future. Maybe never. So what you have to be able to do, if you are concerned about protecting a particular system . . . is to put obstacles in the way of someone who wants to get access to it. . . .

But there's no way of being on the internet that's not risky?

No. You cannot build a wall around your computer and assume it will never be attacked, or that it will be protected totally, unless, of course, you're connected to nothing, and you lock it in a room, and never use it. . . .

If I am on the internet, what are the chances that I am vulnerable to some kind of an intrusion or loss?

Well, I would almost say that there's a 100 percent chance that you're vulnerable. The internet itself is vulnerable. You are vulnerable, no matter where you are on the internet. . . .

All this additional risk to the integrity and the security of people's information and their assets has raised some pretty interesting new thinking on liability questions. Who is ultimately going to be responsible in the case of breakdown?

I think liability is a very real issue, and probably one of the greatest driving forces that we're going to be dealing with in the next few years. . . . What we also see now is government regulation coming out. If you take a look at the Gramm-Leach-Bliley Act, which is the banking finance law, and the proposed Treasury regulations, they are putting responsibility on boards of directors and managers to risk-manage proactively, and very extensively. And when you take a look at the law and the regulation, it may raise the bar with regard to liability for CEOs and boards of directors who want to protect the information. . . .

What are you learning about the security of the system from tests that have been ongoing? What do we know about that overall condition of security?

The strongest recommendation of the President's Commission was-- and that is right now--that the most pressing concern is education and awareness. When you go in to all of these systems, you're finding out that, yes, people had patches, but didn't know how to install them, so they didn't install them. They don't have the necessary resources. . . .

Are you really saying that what we are learning from the tests we're doing that it is a very insecure place?

Oh, absolutely. And one of the reasons it's insecure is people don't know what they're doing in many cases, and the people that you do have don't have the training, education, awareness, etc., to protect the system you have.

Is that just an inherent set of circumstances that we buy with the technology, or can we do something about that?

I don't know that it's inherent. I think we can do something about it, and that's what the President's Commission report was all about. . . . Once people understand, once we understand the internet, and once we understand the consequences of our act when we take a laptop home and we take a computer disk from work, and we load it at home, and maybe take it back . . . then we have a better way of dealing with it. . . .

If you're asking me, "Can we evolve or can we develop this so that you have the ability to make it so that no one can break into anything?" I don't think that will ever happen. So you can't make it that secure. But you can make it secure, in the sense that, as people become aware of security practices and how the system works, you can protect the information that you want to protect by making conscious decisions.

How big a problem are hackers?

. . . I find hacking an interesting development in understanding the system. All of these hackers that we deal with today were growing up on the internet when it was more open. Ten, fifteen years ago, they were at home on their computer, playing. And most of us learned what's right and what's wrong from our parents. They tell us, "Don't put your hand on the stove or you'll get it burned," or, "You shouldn't tell a lie." . . . That didn't take place on the internet. So a Lord of the Flies-type of environment was created there, because there were no restraints. No one looking over their shoulders to tell them what's right and wrong. And now we have industry coming on in, and saying, "We need to make this secure and you shouldn't do this because it hurts others." And that creates a problem for the hackers that are out there, because their sense of what's right and wrong is different than the sense of what industry believes is right or wrong. . . .

Hackers are a problem, for business and for my personal use of the internet, because they raise the cost of me having access to it. It raises the cost of doing business, and that's a concern. But on the other side, young hackers have a problem, because we're taking away something that they feel, at this point, is theirs--something that was open and free. . . .

What do you think of these hackers? What do you think of these counterculture people who think that you're a big bully, who think that your company is going to steal democracy out of the system?

I think again, with them, it's an education and awareness. I think what you're dealing with here is that we are moving in on what they consider their territory, and we have to find an accord to educate them. Because right now, industry does have, and we, the American people, do have a valid stake in this, and they have to make room to play. And until they all can use it effectively, until we can educate them as to what should and shouldn't take place, it's a problem. It's a problem, because to catch one young hacker probably takes the resources of 30 or 40 government individuals, or private sector individuals, four to five man-weeks, and what are you going to do? Are we ready to drop the hammer on a 17-year-old, 13-year-old, 15-year-old, when we really don't have a lot of guidelines as to what they should or shouldn't have been doing?

And you're not entirely sure whether he's really out to get you, or is he just playing around?

That's true. In many cases, the ones we catch are the ones that are playing. . . .

What kind of an impression have they individually made on you when you find and meet one?

They're very interesting people. I find that as you get to know them and you garner their trust, they will give you their trust if you have a sincere interest in what they're doing--and I do. They share with you what they've done. They're willing to tell you what they do, and how they do it, because this is their life, and it's a solitary life. When you spend hours and hours in front of a screen, hacking, or whatever it is that you're doing on the system . . . you're there alone. And when someone actually walks in . . . they finally have someone to talk to, and they want to be recognized for what they've accomplished. But I don't think they're going to be different than the rest of us. It's just driven by different life experience, and that they've spent so much time in front of the screen. . . .

Is iDefense a private sector spy agency, a private sector police agency, or a New Age consulting company?

Well, I like the last alternative--a New Age consulting company. . . .

What specifically do your clients come to you for help with?

They are primarily coming to us for information concerning the threat to their businesses. . . . Like viruses. For example, the "Melissa" virus was active in Europe for some eight hours before it came over to the United States. That eight-hour warning would have allowed the companies who can't afford the loss of a system because of that virus to disconnect the system until a patch was provided . . .

[Our clients are] concerned about someone breaking into a system if there's a disgruntled employee. . . . Are they being targeted? Is there some active group that has some stated focus--like they're interested in protecting the environment, they're interested in protecting this or defending that? Are they mad at me? Are they talking to hackers to see if they can attack as a matter of social protest? All of that has become very real today in this environment. It doesn't take long to take down a web site, or to do a denial of service attack. . . .

When something comes down, when somebody is badly hurt, who ultimately is going to be held liable for that?

I don't know. And that's why liability is such a real concern today. If I were to break into your system, and use that to go downstream to another system, there's no clear-cut law saying that there's liability on your part. You only have an obligation to protect the records for your client base, and for your customers and for your corporate owners. There's no real responsibility downstream, since you have not actively done anything. But that doesn't mean that, as the bar is raised, as the business practice says everybody should have a certain security and you don't have that implemented on your system, that tomorrow there won't be an issue of liability, because you didn't have that in place. . . .

Knowing what the industry is doing allows you to address those liability issues, because if you're doing what the state of the art is, or what the rest of the industry is doing, you're using a legal standard as a reasonably prudent person, and there shouldn't be liability. . . . While there may not be liability today, if you act openly and with wanton disregard of things that you could implement down the road, you may find a judge that says, "Well, you should have done it." So knowing what's going on . . . and knowing what everybody else is doing is really key to whether or not there's going to be liability for you today, and maybe liability for everyone else tomorrow. And we're talking big dollars here. Because in the loss of a system, if people are doing an internet business, one attack where they exploited your system could easily cost you $10 million or $30 million, if that loss can be proven and established. . . .

I do know that the courts are not really prepared to look at the damages issue, and how you define damages is unclear. But there are big numbers being thrown around. If I remember correctly, going back a year or two, when Kevin Mitnick was sentenced, Wired magazine ran an article, pointing out that two major corporations said they lost literally millions, $20-plus million each because of the actions he took. And if someone has to pay for that, the lawyers will find a way to come up with creative reasons why someone should pay. . . .

FRONTLINE · wgbh · pbs online

some photos copyright ©2001 photodisc
web site copyright WGBH educational foundation