“CRITICAL INFRASTRUCTURE PROTECTION: WHO’S IN CHARGE?”
COMMITTEE ON GOVERNMENTAL AFFAIRS
Statement of
John S. Tritak
Director
Critical Infrastructure Assurance Office
Mr. Chairman, members of the
Committee on Governmental Affairs, it is an honor to appear before you today to
discuss the Federal government’s ongoing efforts to help secure our nations’
critical infrastructures. Earlier efforts
are described in some detail in the Report
of the President of the
The Committee on Government Affairs has shown exceptional leadership on a broad range of national and economic security issues. This is particularly true in regard to Critical Infrastructure Assurance. I am therefore grateful for the opportunity to work closely with you and the Congress to develop ways to advance infrastructure assurance for the private sector, for the federal, state and local governments, and in fact; for all Americans.
As you know, President Bush has declared that securing our nation’s critical infrastructures is a priority of this administration and a necessity for our nation. Your continuing interest in this subject signals that securing our nation’s critical infrastructures is a priority of this Committee and Congress as well.
No viable solutions – especially on a matter of such complexity and scope- can be developed or implemented without the executive and legislative branches working closely together, and in the coordinated, complimentary manner that they are.
As vital as our nations’ critical infrastructures
are to the
The work of your committee, along with that of others, will make an important contribution to establishing the consensus and leadership focus needed to safeguard critical government and private sector services against both physical and cyber attacks. As we have so recently seen, the enemy is ruthlessly attacking economic targets – our critical infrastructures – in a misguided effort to bend our wills and rend our resolve.
My comments this morning address the topics suggested in your invitation letter. Specifically:
· The responsibilities of the Critical Infrastructure Assurance Office in helping to ensure the security of our critical infrastructure.
·
The role
of the CIAO in how it relates and coordinates activities with other entities
such as the
· To offer suggestions, where warranted, regarding how to improve the present organizational structure and interactions.
The suggested topics represent a framework and that
framework rests on a foundation that has
· The components of our nation’s critical infrastructure –
· The growing interdependency of our nation’s critical infrastructures -
· Federal entities whose missions include protecting infrastructures -
· Partnerships between federal entities and industry sectors are vital -
If time permits, I shall provide a very high level overview of the status of the federal programs to protect our nations’ critical infrastructure, in particular the formation of public-private partnerships between the government and private sector.
WHAT ARE THE COMPONENTS OF
THE NATION’S CRITICAL INFRASTRUCTURE?
The
These infrastructures are deemed “critical” because their incapacity or destruction – we are painfully witnessing this now - could have a debilitating regional or national impact. These infrastructures relate to:
Critical infrastructure assurance is concerned with the readiness, reliability, and continuity of infrastructure services so that they are less vulnerable to disruptions, so that any impairment is of short duration and limited in scale, and that services are readily restored when disruptions occur.
To complicate matters further, each of the critical infrastructure sectors is becoming increasingly interdependent and interconnected. Disruptions in one sector are increasingly likely to affect adversely the operations of others. We are witnesses to that phenomenon now. The cascading fallout from the tragic events of September 11th graphically makes the business case for critical infrastructure protection. That the loss of telecommunications services can impede financial service transactions and delivery of electric power is no longer an exercise scenario. There can be no e-commerce without “e” – electricity. There can be no e-commerce without e-communications.
Our society, economy, and government are increasingly linked together into an ever-expanding national digital nervous system. Disruptions to that system, however and wherever they arise, can cascade well beyond the vicinity of the initial occurrence and can cause regional and, potentially, national disturbances.
Up until a few short years ago,
critical infrastructure assurance was essentially a state and local
concern. With the introduction of
information technologies, however, it has become a national concern, with
significant implications for the defense of our homeland and the economic
security of the
PRIMARY THREATS TO THE CRITICAL INFRASTRUCTURE
COMPONENTS
Threats
to critical infrastructure fall into two general categories:
·
Physical
attacks against the “real property” components of the infrastructures; and
· Cyber attacks against the information or communications components that control these infrastructures.
Traditionally, Federal policy on the protection of national critical infrastructures against physical attacks has been largely implicit and indirect. At the enterprise level, infrastructure owners and operators have always had the responsibility for protecting their physical assets against unauthorized intrusions. Yet these measures, however effective they might otherwise be, were generally not designed to cope with significant terrorist or state sponsored threats. Nor did they necessarily have to be.
The Defense Department, Justice Department, and other Federal agencies have contributed significantly to the physical protection of the nation’s critical infrastructures. They have defended our national airspace against enemy bombers and missiles, our national borders against invading armies, and our seas have been made safe from naval threats. Law enforcement agencies have brought to justice an assortment of terrorists and juvenile hacker delinquents.
However, securing the nation’s critical infrastructures against physical and cyber attacks presents a very different problem. Although owners and operators have primary responsibility for protecting their information assets, current efforts are uneven and spotty. In the aggregate, these efforts may not provide a level of security capable of safeguarding against systemic failures on a regional or national level. Federal efforts alone cannot entirely compensate for this security deficit. The Federal government cannot post soldiers or police officers at the perimeters of telecommunications facilities or electric power plants to keep out digital attackers.
The vast majority of our nation’s infrastructures are privately owned and operated. Government action alone cannot secure them. Only an unprecedented partnership between private industry and government will work.
Assuring delivery of critical infrastructure services is not a new requirement. Indeed, the need for owners and operators to manage the risks arising from service disruptions has existed as long as there have been critical infrastructures.
What is new are the challenges to assured service delivery arising from an increased dependence on information systems and networks to operate critical infrastructures. This dependence exposes the infrastructures to new vulnerabilities. Individuals and groups seeking to exploit these vulnerabilities range from the recreational hacker to the terrorist to the nation state intent on obtaining strategic advantage.
The cyber tools needed to cause significant disruption to infrastructure operations are readily available. Within the last three years alone there has been a dramatic expansion of accessibility to the tools and techniques that can cause harm to critical infrastructures by electronic means. One does not have to be a “cyber terrorist” or an “information warrior” to obtain and use these new weapons of mass disruption. Those who can use these tools and techniques range from the recreational hacker to the terrorist to the nation state intent on obtaining strategic advantage. From the perspective of individual enterprises, the consequences of an attack can be the same, regardless of who the attacker is. Disruptions to the delivery of vital services resulting from attacks on critical infrastructures thus pose an unprecedented risk to national and economic security. What if the recent computer viruses – Code Red and Nimda – had hostile payloads in them and did more than just threaten the stability, reliability and dependability of the Internet?
FEDERAL ENTITIES INVOLVED IN INFRASTRUCTURE PROTECTION
Taking the broad view, it would be
accurate to say that each Department and Agency in the Federal government
contributes to the objective of critical infrastructure assurance. The heads of executive departments and agencies
are responsible and accountable for providing and maintaining appropriate
levels of information systems security, emergency preparedness, continuity of
operations, and continuity of government for programs under their control.
Indeed, it can be said that critical infrastructure assurance is the keystone
to the effective administration of government services and broadens the venues
for meaningful public participation in this, the Great Experiment.
More specifically, but yet broadly speaking, there
are three entities within the Federal government with missions to help protect
our nation’s critical infrastructures. Each entity was established in May 1998,
in Presidential Decision Directive 63, which declared critical infrastructure
protection as a national priority.
As I mentioned earlier, critical infrastructure
assurance is a major priority for this administration and congress as well.
EMERGING
THINKING ON CRITICAL INFRASTRUCTURE PROTECTION RESPONSIBILITES
The Administration is finalizing an overarching
concept regarding critical infrastructure protection responsibilities. As we can all appreciate, the events of
September 11th have driven the need to rethink existing strategies and current
resource alignments and responsibilities. I remain confident that the details
of that strategy will recognize the significant contributions that well thought
out critical infrastructure protection and assurance programs can make to
homeland security.
One approach under consideration is to establish a
senior Executive Branch Board to coordinate and have cognizance of Federal
efforts and programs involving:
·
Cooperation with, and protection of, private sector infrastructure, state
and local governments’ critical infrastructure, and supporting programs in
corporate and academic organizations;
·
Protection of Federal departments’ and agencies’ critical assets and
information systems;
·
Continuity of operational and continuity of government for the Federal
government; and
·
Related national security programs.
This order does not alter the existing authorities
or roles of federal departments and agencies.
BOARD
RESPONSIBILITIES
The Board can be expected to include several
Cabinet-level officials who shall recommend policies, and coordinate programs
on critical infrastructure protection, information systems security,
information assurance, emergency preparedness communications, continuity of
operations and continuity of government.
The Chair will also be the Special Advisor to the
President for Cyberspace Security.
The Chair will report to the Assistant to the
President for National Security Affairs on national security related
issues.
Upon the creation of an office for Homeland
Security, the Chairman shall report to the head of that office on issues
related to homeland security.
Upon the creation of an office for combating
terrorism, the Chair shall report to the head of that office on issues related
to combating terrorism.
The Director of CIAO probably will also be a member
of that Board. In addition, he will be a
member of the Boards Coordination Committee.
Other members of the Coordination Committee include:
·
The Manager of the National Communications System;
·
The Vice Chair, Chief Information Officer’s Counsel;
·
The Information Assurance Director, NSA;
·
The Deputy Director of Central Intelligence for Community Management; and
·
The Director of the
PRESIDENTIAL
ADVISORY PANELS
The Chair of the President’s
Critical Infrastructure Protection and Continuity Board is to work closely with
panels of senior experts from outside the government that advise
the President. Two such groups that are
specifically mentioned are:
·
The National Security Telecommunications Advisory Committee (NSTAC),
created by Executive Order 12382, provides the President advice on the security
and continuity of communications systems essential for national security and
emergency preparedness.
·
The National Infrastructure Advisory Committee (NIAC), created by the new
E.O., with membership appointed by the President, shall provide the President
advice on the security of the infrastructure supporting other sectors of the
economy:
§
Banking and Finance
§
Transportation
§
Energy
§
Manufacturing, and
§
Emergency government services.
·
The Critical Infrastructure Assurance Office is to provide NIAC with
administrative services, staff, and other support services as may be necessary.
CURRENT
ORGANIZATIONAL STRUCTURE
The previous administration assigned overall
responsibility for policy development and coordination for critical
infrastructure assurance to the National Coordinator for Security,
Infrastructure Protection, and Counter-Terrorism at the National Security
Council.
The Executive Branch also established the Critical
Infrastructure Assurance Office (known as CIAO) as an interagency office to
support the National Coordinator in carrying out these policy
development and coordination functions.
CIAO coordinates national policy planning and
outreach initiatives with private industry, and assists Federal agencies in
analyzing their critical infrastructure dependencies and interdependencies.
More specifically, CIAO focuses on raising national awareness across industry
sectors, influencing corporate information assurance policy, promoting market
solutions for stronger and more robust cyber security, and identifying and
addressing statutory and regulatory issues that potentially discourage or
undermine business initiatives to maximize voluntary efforts at enhancing
critical infrastructure assurance.
Presidential Directive 63 also
established a
PROTECTING OUR NATION’S CRITICAL INFRASTRUCTURE
CIAO’s responsibilities in developing and coordinating national critical infrastructure policy focus on three key areas:
· Promoting national outreach and awareness campaigns both in the private sector and at the state and local government level –
· Assisting Federal agency analyses of critical infrastructure dependencies; and
· Coordinating the preparation of an integrated national strategy for critical infrastructure assurance.
I want to share with you my views on what must be done and what we have done
The first role is to raise national awareness about the problem of critical infrastructure assurance. The primary focus of these efforts should be on the critical infrastructure industries. The target audience should be the corporate boards and chief executive officers who are responsible for setting company policy and allocating company resources. The basic message should be that critical infrastructure assurance is a matter of corporate governance and risk management. Senior management must understand that they are responsible for securing corporate assets -- including information and information systems. Corporate boards must understand that they are accountable, as part of their fiduciary duties, to provide effective oversight of the development and implementation of appropriate infrastructure security policies and best practices.
Prior to September 11th, the challenge of our national awareness effort was to present a compelling business case for corporate action. Government concerns about economic and national security were not seen as providing such a case. Threats of “cyber terrorism” and “information warfare,” while legitimate, were not readily executable in the market – they appeared too remote and irrelevant to a company’s bottom-line. That has all now changed.
The threats to critical infrastructure are being translated into business impact that corporate boards and senior management understand. Business impact includes operational survivability, shareholder value, customer relations, and public confidence. Corporate leaders are beginning to understand that the tools capable of disrupting their operations are readily available, and are not the monopoly of nation states. The risks to their companies are serious and immediate and, thus, require prompt attention.
In addition to infrastructure owners and operators, awareness efforts also should target other influential stakeholders in the economy. The risk management community -- including the audit and insurance professions -- is particularly effective in raising matters of corporate governance and accountability with boards and senior management. In addition, the investment community is increasingly interested in how information security practices affect shareholder value -- a concern of vital interest to corporate boards and management.
Facilitate Corporate Action
Once the private sector acknowledges the problem of critical infrastructure assurance as one that it must solve through corporate governance and risk management, a second role for the government is to facilitate corporate action. The government should encourage information sharing within and among the infrastructure sectors and, as appropriate, between the sectors and government. The information shared could include system vulnerabilities, cyber incidents, trend analyses, and best practices. The reason companies should be encouraged to share this kind of information is because by doing so they will obtain a more accurate and complete picture of their operational risks, as well as acquire the techniques and tools for managing those risks. Pending legislation in the Senate and House are steps in the right direction.
The Federal government also should encourage the infrastructure sectors to work together on developing contingency plans for coordinating their responses in the event of major service disruptions, whatever the precipitating cause. As the infrastructures become more interdependent, there is a growing risk that restoration efforts undertaken by one sector could adversely affect the operations or restoration efforts of another, potentially contributing to further service disruptions.
In addition, the government should work with industry in identifying potential legal and regulatory obstacles that may impede information sharing or might otherwise interfere with voluntary efforts by the business community to maximize information security efforts. For example, some in industry have argued that voluntary information sharing cannot proceed to a fully mature corporate activity until the reach and impact of laws governing anti-trust and tort liability and the Freedom of Information Act are clarified. Again, pending legislation in Congress will help pave the way.
The Federal government has two direct interests in critical infrastructure assurance – assuring essential government functions and services and ensuring an orderly functioning of the national economy. Each of these tasks requires a close working relationship with private industry for its advancement. In addition, there needs to be a national planning process to coordinate the respective activities of government and industry in these endeavors.
CIAO promotes activities that inform business and technology leaders across industry sectors of the need to manage the risks that accompany the benefits associated with reliance on information systems. CIAO focuses on initiatives that cut across industry sectors and are not the existing responsibility of agencies.
CIAO’s outreach activities are reflected in the following four major initiatives:
· The Partnership for Critical Infrastructure Security;
· Outreach to the business risk management community;
· Outreach to the state and local governments; and
· Common support to public-private partnerships with specific critical infrastructure sectors.
Partnership for Critical Infrastructure Security:
As individual Federal agencies formed partnerships with each critical infrastructure sector, there emerged a need for cross-industry dialogue and sharing of experience to improve effectiveness and efficiency of individual sector assurance efforts.
The Partnership for Critical Infrastructure Security was convened in response to that expressed need. This partnership of over 70 companies provides a unique forum for government and private sector owners and operators of critical infrastructures to address issues of mutual interest and concern.
The Partnership also engages other stakeholders in critical infrastructure protection, including the risk management (audit and insurance), investment, and mainstream business communities. The Partnership, which builds upon public-private efforts already underway by the Federal Lead Agencies, is organized by industry for industry, with the U.S. Government acting as a catalyst and a participant.
Major topics being addressed by the Partnership include: approaches to assessing interdependency vulnerabilities; multi-sector information sharing; legislative and public policy issues; research and workforce development; industry participation in preparing the emerging version of the national strategy; and outreach to state and local governments.
In that regard, CIAO implemented an awareness and education
partnership with a consortium consisting of the
The consortium held a series of five regional conferences, called “Audit Summits.” These meetings were hosted or sponsored by prominent companies, such as J.C. Penney, Home Depot, New York Life Insurance, Oracle Corporation, Arthur Anderson, Deloitte & Touché Tohmatsu, PriceWaterHouseCoopers, and KPMG. The target audiences were directors of corporate boards, chief auditors, and other corporate senior executives. The meetings produced a report that provided guidance for corporate boards on managing information security risks (hold up copies of the reports!).
ISACs were called for in Presidential Decision Directive 63, a document that incorporated the recommendations put forward by the President’s Commission on Critical Infrastructure Protection. ISACs are informal structures implementing processes that are intended to encourage industry to share information about cyber intrusions or attacks with each other, and as deemed appropriate, with government agencies. ISACs have now been created in several industry sectors and within the Federal government. At the present time, the following ISACs are in place or are being formed:
· Information Technology
· Financial Services
· Electric Power
· Telecommunications
· Rail Industry
· Oil and Gas
CONSTITUTIONAL OBLIGATIONS
One interest is the assured performance of essential functions and services by the Federal government in accordance with its Constitutional obligations to “provide for the common defense,” “promote the general welfare,” and “insure domestic tranquility.”
Such functions and services are vital to advancing our national security, foreign affairs, economic prosperity and security, social health and welfare, and public law and order. Examples from the pages of our nations’ newspapers include:
Increasingly, these services depend ultimately on privately owned and operated infrastructures. To advance this vital Federal interest, the government must take a leading role and satisfy a number of requirements.
Each Federal department and agency must identify:
· Its essential functions and services and the critical assets responsible for their performance;
· All associated dependencies on assets located in other departments and agencies that are necessary to performance or delivery; and
· All associated dependencies on privately owned and operated critical infrastructures that also are essential to performance or delivery of services.
To illustrate, the Commerce
Department is responsible for providing timely warnings of hurricanes through
its
Indeed, thousands of people died
during the
In 1992, Hurricane Andrew would have been even more devastating than it was had the TCP not been able to provide timely information about the storm, thereby enabling thousands to evacuate from those areas where the storm’s predicted strength threatened to be greatest.
Although the TPC is a critical
asset, it does not operate in isolation; it depends on a variety of other
government agency assets, as well as assets owned and operated by private
government contractors. These include
satellite imaging and analysis centers and radio transmission facilities
located in
Operational disruptions at any one of these facilities could impede the delivery of timely hurricane warnings just as effectively as operational disruptions at the TPC itself.
Furthermore, the TPC depends on specific providers of critical infrastructure services to operate, including Florida Power & Light for electric power, and Bell South & MC 2000 for telecommunications. Disruptions to these services also could impede TCP operations that are necessary to deliver hurricane warnings.
Once such critical assets and associated dependencies are identified, Federal departments and agencies must assess their vulnerability to physical or cyber attack. If they are determined to be vulnerable, departments and agencies must develop and implement plans to manage the risks posed by potential attacks to the performance of essential functions and services.
These plans should seek to deter attacks from happening in the first place, protect critical assets from damage or destruction if attacks occur, mitigate the operational impact of attacks if protective measures fail, restore operations if attacks disrupt services, and reconstitute assets if damaged or destroyed during attacks.
Where performance of essential government functions and services depends on privately owned and operated infrastructures, Federal departments and agencies must work with the owners and operators of these specific infrastructure companies -- on mutually agreed upon terms -- to ensure adequate security measures are established and maintained.
Finally, the government needs to
acknowledge that there are limits to how far the private sector will go in
securing its infrastructure in response to market forces and concerns for
corporate governance. Where this occurs,
the government must explore other options to prevent market failures from
posing an unacceptable risk to the economic and national security of the
The Federal government needs to anticipate and prepare for instances, like it is now, where it will have to become actively engaged in coordinating the restoration efforts of one or more infrastructure sectors. This is especially true where refraining from doing so could result in service and unacceptable economic disruptions spreading to other sectors or to other regions of the country.
The Federal government also will need to identify areas of research and development that the market is unlikely to pursue. One such area is interdependency analysis and modeling. Little is currently known about how specific types of disruptions in one infrastructure sector affect the operations of the others. Improving our understanding in this area and developing predictive tools for assessing the potential impact of service outages on various sectors of the economy – and government -- are essential to developing better means for early warning and response.
A common means of communicating overall critical infrastructure policy is essential. A national strategy developed jointly between government and industry is an effective means for arriving at a consensus about respective roles and responsibilities. Its purpose is to present an integrated public-private strategy for government and industry to chart a common course toward achieving the overall goal of national critical infrastructure assurance.
This document will serve not only as a guide for action, but also as a vehicle for creating consensus in Congress and with the American people on how to proceed. A national strategy also helps to establish the basis with the Congress and the American public for proposing legislative and public policy reforms where such reforms are needed to advance national policy.
The development of a national strategy should not be viewed as an end in itself. It should be part of a dynamic process in which government and industry continue to modify and refine their efforts at critical infrastructure assurance, adjust to new circumstances, and refine the national strategy as appropriate.
CLOSING REMARKS
Thank you for the opportunity to share my views with
you this morning. I look forward to continuing our dialogue.