Statement of
John S. Tritak
Director
Critical Infrastructure Assurance Office
U.S. Department of Commerce
Before the Senate Committee on
Governmental Affairs
May 8, 2002
Mr. Chairman, members of the Committee, I would like to thank you for bringing attention to one of the
most fundamental challenges to national security and critical infrastructure assurance - information sharing.
The Critical Infrastructure Assurance Office (CIAO) is an interagency entity established in 1998 by
Presidential Decision Directive 63 particularly to work with the private sector and other Federal
agencies to raise awareness about the importance of critical infrastructure assurance, to develop an
integrated national critical infrastructure assurance strategy, and to help articulate the business case for
this national commerce issue, which heretofore had been primarily viewed as a national security matter.
To help facilitate the ongoing dialogue with the business communities, CIAO is appropriately located in
the Department of Commerce, specifically in the Bureau of Industry and Security. This successor to the
Bureau of Export Administration represents the intersection of national security and business affairs.
To an increasing extent, national security, government's ability to deliver vital services, and business'
ability to transact commerce all depend on the critical services supported by U.S. critical
infrastructures. Moreover, these infrastructural systems are themselves increasingly interdependent on
one another. Accordingly, it has been the policy of the United States to protect critical infrastructure
systems against disruption, thereby protecting the public, safeguarding the integrity of economy, and
ensuring the uninterrupted delivery of essential human and government services, and the national
security of the United States. This policy seeks to ensure that any such disruptions will occur only
infrequently, cause the least damage possible, be manageable and of minimal duration. The CIAO plays
an integral role in this process.
As this Committee is aware, however, the vast majority of the critical infrastructure facilities in our
nation are owned and operated by the private sector. For this reason, the Federal government, acting
alone, cannot hope to secure our nation's homeland. Rather, the national policy of infrastructure
assurance can only be achieved by a voluntary public-private partnership involving businesses and other
private sector organizations and government at the Federal, State, and local levels. Indeed, since 1998,
the Federal government has called for an unprecedented partnership between private industry and
government to safeguard U.S. infrastructures against the threats of physical and cyber attack - a
partnership that embraces the sharing of vulnerability and threat information through a trusted medium
and in a trusted environment.
Encouraging the appropriate exchange of information within and among the infrastructure sectors and
between the sectors and government provides infrastructure operators with a more accurate and
complete picture of their operational risks, as well as the techniques and tools for managing those risks.
It is also an invaluable tool to enable the government to direct resources to assist the private sector and
to undertake appropriate law enforcement and other activities against wrongdoers.
Towards a Trusted Process
In its simplest terms, national infrastructure security requires trust - our common trust that the critical
services upon which our society and economy depend will be robust enough to withstand assault, even
deliberate attack, and continue to function as intended. Fortifying trust in our critical systems, however,
demands that we first forge genuine trust in our relationship with the private sector partners who bear
the front-line responsibility for infrastructure assurance. Establishing this trusted environment - both in
fact and in perception - is no small challenge, but it is the task before us today.
Trust in any relationship based on voluntary cooperation requires predictability. Commerce functions
best in a predictable and stable economic and political environment. Information sharing, like
commerce, requires a predictable and stable process where the outcomes are certain, not when the
outcomes are problematic. In other words, the information sharing process operates best when the
participants are confident that the information shared will be used for an appropriate purpose and will
not be used to harm their business interests.
Both the government and the private sector possess an interest in ensuring the orderly functioning of the
national economy. That common interest creates a strong incentive for the private sector to voluntarily
take the steps necessary to secure their critical facilities and systems, including sharing appropriate information.
Some in industry have argued that voluntary information sharing cannot proceed to a fully matured
corporate activity until the reach and impact of laws governing information sharing are clarified. What is
needed is a process with clear, well-defined rules that bring certainty to the terms of the information
exchange. Without a tacit understanding of the rules governing the handling and use of shared
information, it will be impossible to build a healthy process for exchange. The absence of such a
process places our nation at significant risk.
What Information is Needed?
National security is fundamentally about protecting the health and safety of the American public;
preserving the operational integrity of our free, democratic society, our economy and our government
institutions; and safeguarding our way of life. Critical infrastructure assurance, as a subset of the
measures that collectively comprise national and homeland security, seeks more narrowly to maintain
continuity of the delivery of critical services, and protection of the related facilities, upon which
government and our national economy depend to function. In this context, information sharing is not an
end in itself, it is merely a means to end, but one that since September 11th has emerged as a central
component in the provision of the common defense.
To maximize the capability of all participants to evaluate risks and make more informed investments to
augment security measures, the information shared may cover a broad range, depending on the
circumstances. Some examples of categories for information sharing include data on system
vulnerabilities and interdependencies, threat intelligence and warning alerts, "incident" information
concerning various aspects of attacks on or attempts to disrupt infrastructure systems (e.g., the timing of
incidents, whether the incident is cyber or physical in nature, the characteristics of the target and the
method of attack, etc.); trend analyses, and effective practices. Our security as a nation depends on our
collective ability to understand vulnerabilities, detect incidents, prevent attacks, protect essential
infrastructures, and, as necessary, rapidly respond and reconstitute systems.
The private sector primarily wants from the government information on potential relevant threats, which
the government may want to protect in order not to compromise sources and methods or ongoing
investigations. The basic business model is framed around survival: keep the company in business. This
imperative requires that the business meet the needs of paying customers while at the same time
protecting the interests of shareholders and other investors. These interests, of course, include retaining
and increasing the value of the company, increasing revenue and earnings, and maintaining public and
customer confidence in the business' operations and management practices, including the oversight of
physical and information assets. Implicit in this model is the understanding that operations will be
conducted in compliance with applicable laws and regulations.
In contrast, the government needs information from the private sector that will facilitate its ability to (1)
monitor and track patterns of attacks; (2) provide warning information to other potentially vulnerable
entities; (3) focus outreach and awareness efforts; and (4) undertake effective law enforcement action
against perpetrators. Specifically, the government wants detailed information on cyber-network
intrusions and system vulnerabilities, which companies may wish to withhold as proprietary. A company
may also want to protect the disclosure of certain information to prevent a loss of public confidence in
that company's ability to protect its operations and assets. In addition, publication of information about
vulnerabilities can also draw additional attacks before protection can be put in place.
Moreover, the amount of information collected by industry and government agencies is potentially
overwhelming. Millions of probes are launched everyday on our nation's networks. Some of these
represent actual attempts at intrusion. The government can help by being more specific about the
characteristics of information it finds most useful to reduce the burden of information sharing on private
businesses and help them to manage it. A recent initiative by CXO Media, in partnership with the NIPC
and the U.S. Secret Service, to streamline reporting forms for voluntary sharing of data by industry
reflects the type of private-public partnership that is possible. Unfortunately, even with that result, the
same concerns that are the subject of this hearing surfaced in public comment when the product was
rolled-out.
We have seen progress, however. Industry sees Information Sharing and Analysis Centers (ISACs) as
providing a benefit. Five of the eight critical infrastructure sectors identified in PDD 63 have created
ISACs to identify threats and vulnerabilities within their industries and prevent them from escalating and
disrupting business operations. Moreover, through the Partnership for Critical Infrastructure Security
(PCIS) various industries have engaged in cross-sector dialogues to examine interdependencies, multi-sector information sharing, legislative and public policy issues, research and workforce development,
and industry participation in the preparation of the national strategies for homeland and cyberspace
security. Collectively, these activities improve the overall effectiveness of sector assurance efforts.
The ISACs have also served to underscore the limits of the private sector's present comfort level for
information sharing. For example, for more than five years, industry has repeatedly voiced concern
about the possibility that sensitive business proprietary information shared with the government for
infrastructure assurance purposes would become vulnerable to public disclosure under the Freedom of
Information Act (FOIA). This uncertainty has become a key impediment to sharing certain information
with the Federal government. Similarly, private sector entities have been hesitant to move very far past
the formative stages of ISAC development to undertake intensive analysis of vulnerabilities and
development of responses due to an expressed concern that such activities might expose them to
liability under the antitrust laws.
To the extent that companies perceive that information sharing may, in fact, increase their potential
exposure, a common sense risk assessment argues in favor of caution. Addressing the uncertainties
concerning potential FOIA and antitrust exposure may not, standing alone, suffice to catalyze all
members of the private sector to embrace information sharing. However, it is becoming increasingly
evident that some action on these issues by the government is necessary to demonstrate to its private
sector partners the importance that the Federal government places on information sharing and on
appropriately safeguarding the information that it receives.
Since 1998, the Federal government has been asking private industry to share data about its
vulnerabilities but has been unable to resolve the concerns industry has raised about information sharing.
Over the course of the last year, several measures have been introduced in both Houses of Congress,
which speak to many of these issues. S. 1456, now pending before the Senate, directly addresses
industry's concerns relative to FOIA, antitrust, and other potential liability exposure. I believe this bill
and others like it represent important attempts to remedy those concerns and to invigorate that trust that
I spoke of earlier. I can assure you that they are receiving very serious consideration from the
Administration, and I commend it to the attention of the executives of our private sector partners, as well.
Transparency in government and, as the events of September 11th underscored, security of our
homeland represent a tension common to our dynamic, capitalistic, open, and democratic system.
Harmonizing these countervailing public interests and maintaining the appropriate balance between them
is the public policy challenge.
Let me be clear: there are no "silver bullets" here. While legislation such as a narrowly crafted FOIA
solution may be needed to facilitate information sharing, standing alone, it is unlikely to be sufficient to
achieve that objective. The critical factor is still trust. Equally important is the response of the federal
government to information sharing. The government must be a good partner analyzing the data and
providing warning and information to the public, infrastructure sectors, or targeted companies.
Another key challenge that will need to be addressed is how the federal government will be able to
share information received from the private sector with state and local governments. This presents an
equally challenging policy conflict between Federal preemption and states' rights that will require careful
and thoughtful consideration and, I believe, coordination and consultation with the Federal government's
State and local government partners.
Conclusion
Information sharing is playing, and must continue to play, an important role in advancing our nation's
efforts to secure critical infrastructures in the United States. The American economy is the most
successful in the world. However, the same technological capabilities that have enabled us to succeed
can now also be turned against us in the information age. Corporate assets and infrastructures can be
exploited and turned against the American people, as we witnessed in the events of September 11th.
Powerful computing systems can be hijacked and employed to launch attacks that can disrupt
operations of critical services that support public safety and daily economic processes. In such an
environment, sharing information is essential to both government and industry to make better-informed
decisions and to take more timely and effective action.
Thank you for the opportunity to appear before you today. At this time I welcome any questions that
you may have.