At the RSA Conference this week, Senator Bob Bennett (R-Utah) was awarded the RSA Award for Excellence in the Field of Public Policy. Bennett, Chief Deputy Majority Whip and a member of the Senate Republican leadership team, has been active in forming economic policy and high-tech issues. He was chairman of the special committee responsible for the relatively glitch-free Year 2000 computer switch and for the Critical Infrastructure Protection (CIP) Working Group, the Senate's central clearinghouse for cyber safety and CIP issues. Senator Bennett sponsored the Critical Infrastructure Information Security Act of 2001. I caught up with him at the RSA Conference to discuss his views on cyber security and the outlook for legislative action this year on cyber issues.

ZDNet: Clearly IT plays an important role in capturing and sharing information.

Bennett: IT is an essential part, but at some point someone who wishes this country ill will say, forget trying to put a bomb the Transamerica pyramid, for example, and attempt to shut the economy down with cyber attacks.

I've been pushing the Department of Homeland Security to stay focused on that even as they worry about cargo containers that might have nuclear material. You have to do that as a first line of defense, but the cyber attack is easer to mount. It does not require danger to those who mount it-you don't have to be a suicide bomber. The overall landscape requires a whole new paradigm of thinking.

ZDNet: What kind of paradigm shift does cyber security require?

Bennett: In the threat environment of the future, corporations are the first line of vulnerability. If I am somebody who wishes the country ill, I am not going to attack the Defense Department or the CIA, which is where most attacks are currently are currently targeted.

Let me hack into a private corporation, such as Verizon, and see if I can cause a massive service interruption. When [Secretary of Defense] Donald Rumsfeld picks up the phone and says he wants to talk to the commander at Central Command, Verizon handles the telephony.

ZDNet: Doesn't the Defense Department have back up systems?

Bennett: Probably not anymore. In the old days, in the 1950's, they had private networks, but they found the public network to be more reliable and a whole lot cheaper.

If I can hack into Verizon, it could cause the commander in the field to wonder if the signal he just received actually came from Rumsfeld. You can multiply the examples. If I wanted to bring the country to its knees, I would attempt to shut down the Fedwire, which clears all financial transaction electronically in this country.

ZDNet: How well protected is the Fedwire from cyber attacks?

Bennett: [Federal Reserve] Chairman Alan Greenspan and I have had this conversation, and he agrees with me that the Fedwire is a most sensitive target. He insists that the Fedwire is extremely will protected. But, every year the sophistication of the attackers gets better and it's a constant sword and shield kind of battle.

For our secure future, we need a complete system of information sharing so that people in the private sector can say to the government, "This is what is happening to us," and the government can then analyze the data and say [there is] no sign of a coordinated attack or that it is a sophisticated coordinated attack. We can then go back to the company experiencing the attack and notify others to the danger. About 85- to 90 percent of the vulnerability we have as a society is in private hands, not government hands.

This was my info sharing legislation. Folks should be able to share info with Department of Homeland Security without being subjected to the Freedom of Information Act (FOIA). I don't want Osama Bin Laden to mount a cyber attack, and when the company reports on the attack to the government, Bin Laden finds a lawyer somewhere to file a FOIA request.

ZDNet: The bill did receive a great deal brush back from people on both ends of the political spectrum.

Bennett: We solved it and got it through Congress. But a major paradigm shift in attitude has to take place in the future. Privacy activists have to understand that the most significant advance in privacy will come from information sharing. That's counterintuitive, but the fear of information sharing is based on the assumption that the only reason someone wants your information is because they want to damage you. The fact is that the reason people want the information is to protect you.

ZDNet: Isn't that a two-edge sword? The temptation to abuse the use of the information and the issue of individuals owning and controlling their personal information is a subject of much debate.

Bennett: Yes. It's been an interesting political experience for me because the far left--who generally lead privacy advocacy, like Ralph Nader-- say that you can't let information out because corporations get a hold of it, and the far left hates corporations. We've had these debates in Congress. People say to me that a corporation will be able to target you, and I ask: Why is that bad? If a corporation knows me better, then they can target their products that will serve me better.

The far right is equally or more suspicious about government. The reaction to the Patriot Act, for example, was, "these people can read my library record." Why would the government want to read your library records if you were not connected to any threat. You are assuming the government has nothing better to do.

ZDNet: Don't you think that people want a choice and some control over what information they provide or that a corporation can use?

Bennett: I can opt out.

ZDNet: There is a great potential to abuse the information, and we have seen instances of personal information leaking out or used inappropriately. Do you believe the people should have more control over their own information?

Bennett: The reality is that corporations want repeat customers. They are not going to drive away customers. Having run a business, I know I don't want to tick my customers off. If I use that information in any way that causes my customers to leave, I'm a loser.

On the other side, we've got the government. We've got to protect the homeland, and to do that we have to have a free flow of information. Ironically, the best way to prevent identity theft is for the corporation you turn to when your credit card is stolen to have enough information about you that they can prevent theft. If you say you don't want the company to have the information and share it, you are in a box--the information can't be shared with the police department or other [law enforcement] agencies.

We are in a whole new world. It's not a question of should information be shared, but with whom the information should be shared. I want the company I am dealing with on the Internet to know everything about me, so it won't accept an order from somebody who pretends to be me. If it knows everything about me, the company can better serve me and I won't get scammed by someone pretending to be me.

ZDNet: Back to info sharing. The FBI and other government agencies have been criticized for lack of information sharing and poor use of technology. Has there been progress on this front?

Bennett: In the present atmosphere, an election year, the most precious thing we have in the Senate right now is floor time. [Senate Majority Leader] Bill Frist (R-Tennessee) will not bring a bill to the floor unless it will pass by unanimous consent. He will not bring anything to the floor that will be contentious or requires significant debate. We have 67 legislative days left in this session, and the huge issues are soaking up all the floor's time. We have appropriation bills, the energy bill to consider again, and others. Anything in this area that gets passed had better be pretty non-controversial. I thought my FOIA bill was pretty non-controversial, but it was a long slog. In this legislative atmosphere, don't look for anything until 2005, unless it's absolute milquetoast.

You can write to me at dan.farber@cnet.com. If you're looking for my commentaries on other IT topics, check the archives.