Statement of
John S. Tritak
Director
Critical Infrastructure Assurance Office
U.S. Department of Commerce

Before the Senate Committee on
Governmental Affairs

May 8, 2002

Mr. Chairman, members of the Committee, I would like to thank you for bringing attention to one of the most fundamental challenges to national security and critical infrastructure assurance - information sharing.

The Critical Infrastructure Assurance Office (CIAO) is an interagency entity established in 1998 by Presidential Decision Directive 63 particularly to work with the private sector and other Federal agencies to raise awareness about the importance of critical infrastructure assurance, to develop an integrated national critical infrastructure assurance strategy, and to help articulate the business case for this national commerce issue, which heretofore had been primarily viewed as a national security matter. To help facilitate the ongoing dialogue with the business communities, CIAO is appropriately located in the Department of Commerce, specifically in the Bureau of Industry and Security. This successor to the Bureau of Export Administration represents the intersection of national security and business affairs.

To an increasing extent, national security, government's ability to deliver vital services, and business' ability to transact commerce all depend on the critical services supported by U.S. critical infrastructures. Moreover, these infrastructural systems are themselves increasingly interdependent on one another. Accordingly, it has been the policy of the United States to protect critical infrastructure systems against disruption, thereby protecting the public, safeguarding the integrity of the economy, and ensuring the uninterrupted delivery of essential human and government services, and the national security of the United States. This policy seeks to ensure that any such disruptions will occur only infrequently, cause the least damage possible, be manageable and of minimal duration. The CIAO plays an integral role in this process.

As this Committee is aware, however, the vast majority of the critical infrastructure facilities in our nation are owned and operated by the private sector. For this reason, the Federal government, acting alone, cannot hope to secure our nation's homeland. Rather, the national policy of infrastructure assurance can only be achieved by a voluntary public-private partnership involving businesses and other private sector organizations and government at the Federal, State, and local levels. Indeed, since 1998, the Federal government has called for an unprecedented partnership between private industry and government to safeguard U.S. infrastructures against the threats of physical and cyber attack - a partnership that embraces the sharing of vulnerability and threat information through a trusted medium and in a trusted environment.

Encouraging the appropriate exchange of information within and among the infrastructure sectors and between the sectors and government provides infrastructure operators with a more accurate and complete picture of their operational risks, as well as the techniques and tools for managing those risks. It is also an invaluable tool to enable the government to direct resources to assist the private sector and to undertake appropriate law enforcement and other activities against wrongdoers.

Towards a Trusted Process

In its simplest terms, national infrastructure security requires trust - our common trust that the critical services upon which our society and economy depend will be robust enough to withstand assault, even deliberate attack, and continue to function as intended. Fortifying trust in our critical systems, however, demands that we first forge genuine trust in our relationship with the private sector partners who bear the front-line responsibility for infrastructure assurance. Establishing this trusted environment - both in fact and in perception - is no small challenge, but it is the task before us today.

Trust in any relationship based on voluntary cooperation requires predictability. Commerce functions best in a predictable and stable economic and political environment. Information sharing, like commerce, requires a predictable and stable process where the outcomes are certain, not when the outcomes are problematic. In other words, the information sharing process operates best when the participants are confident that the information shared will be used for an appropriate purpose and will not be used to harm their business interests.

Both the government and the private sector possess an interest in ensuring the orderly functioning of the national economy. That common interest creates a strong incentive for the private sector to voluntarily take the steps necessary to secure their critical facilities and systems, including sharing appropriate information.

Some in industry have argued that voluntary information sharing cannot proceed to a fully matured corporate activity until the reach and impact of laws governing information sharing are clarified. What is needed is a process with clear, well-defined rules that bring certainty to the terms of the information exchange. Without a tacit understanding of the rules governing the handling and use of shared information, it will be impossible to build a healthy process for exchange. The absence of such a process places our nation at significant risk.

What Information is Needed?

National security is fundamentally about protecting the health and safety of the American public; preserving the operational integrity of our free, democratic society, our economy and our government institutions; and safeguarding our way of life. Critical infrastructure assurance, as a subset of the measures that collectively comprise national and homeland security, seeks more narrowly to maintain continuity of the delivery of critical services, and protection of the related facilities, upon which government and our national economy depend to function. In this context, information sharing is not an end in itself, it is merely a means to an end, but one that since September 11th has emerged as a central component in the provision of the common defense.

To maximize the capability of all participants to evaluate risks and make more informed investments to augment security measures, the information shared may cover a broad range, depending on the circumstances. Some examples of categories for information sharing include data on system vulnerabilities and interdependencies; threat intelligence and warning alerts; "incident" information concerning various aspects of attacks on or attempts to disrupt infrastructure systems (e.g., the timing of incidents, whether the incident is cyber or physical in nature, the characteristics of the target and the method of attack, etc.); trend analyses; and effective practices. Our security as a nation depends on our collective ability to understand vulnerabilities, detect incidents, prevent attacks, protect essential infrastructures, and, as necessary, rapidly respond and reconstitute systems.

The private sector primarily wants from the government information on potential relevant threats, which the government may want to protect in order not to compromise sources and methods or ongoing investigations. The basic business model is framed around survival: keep the company in business. This imperative requires that the business meet the needs of paying customers while at the same time protecting the interests of shareholders and other investors. These interests, of course, include retaining and increasing the value of the company, increasing revenue and earnings, and maintaining public and customer confidence in the business' operations and management practices, including the oversight of physical and information assets. Implicit in this model is the understanding that operations will be conducted in compliance with applicable laws and regulations.

In contrast, the government needs information from the private sector that will facilitate its ability to (1) monitor and track patterns of attacks; (2) provide warning information to other potentially vulnerable entities; (3) focus outreach and awareness efforts; and (4) undertake effective law enforcement action against perpetrators. Specifically, the government wants detailed information on cyber-network intrusions and system vulnerabilities, which companies may wish to withhold as proprietary. A company may also want to protect the disclosure of certain information to prevent a loss of public confidence in that company's ability to protect its operations and assets. In addition, publication of information about vulnerabilities can also draw additional attacks before protection can be put in place.

Moreover, the amount of information collected by industry and government agencies is potentially overwhelming. Millions of probes are launched every day on our nation's networks. Some of these represent actual attempts at intrusion. The government can help by being more specific about the characteristics of information it finds most useful to reduce the burden of information sharing on private businesses and help them to manage it. A recent initiative by CXO Media, in partnership with the NIPC and the U.S. Secret Service, to streamline reporting forms for voluntary sharing of data by industry reflects the type of private-public partnership that is possible. Unfortunately, even with that result, the same concerns that are the subject of this hearing surfaced in public comment when the product was rolled out.

We have seen progress, however. Industry sees Information Sharing and Analysis Centers (ISACs) as providing a benefit. Five of the eight critical infrastructure sectors identified in PDD 63 have created ISACs to identify threats and vulnerabilities within their industries and prevent them from escalating and disrupting business operations. Moreover, through the Partnership for Critical Infrastructure Security (PCIS) various industries have engaged in cross-sector dialogues to examine interdependencies, multi-sector information sharing, legislative and public policy issues, research and workforce development, and industry participation in the preparation of the national strategies for homeland and cyberspace security. Collectively, these activities improve the overall effectiveness of sector assurance efforts.

The ISACs have also served to underscore the limits of the private sector's present comfort level for information sharing. For example, for more than five years, industry has repeatedly voiced concern about the possibility that sensitive business proprietary information shared with the government for infrastructure assurance purposes would become vulnerable to public disclosure under the Freedom of Information Act (FOIA). This uncertainty has become a key impediment to sharing certain information with the Federal government. Similarly, private sector entities have been hesitant to move very far past the formative stages of ISAC development to undertake intensive analysis of vulnerabilities and development of responses due to an expressed concern that such activities might expose them to liability under the antitrust laws.

To the extent that companies perceive that information sharing may, in fact, increase their potential exposure, a common sense risk assessment argues in favor of caution. Addressing the uncertainties concerning potential FOIA and antitrust exposure may not, standing alone, suffice to catalyze all members of the private sector to embrace information sharing. However, it is becoming increasingly evident that some action on these issues by the government is necessary to demonstrate to its private sector partners the importance that the Federal government places on information sharing and on appropriately safeguarding the information that it receives.

Since 1998, the Federal government has been asking private industry to share data about its vulnerabilities but has been unable to resolve the concerns industry has raised about information sharing. Over the course of the last year, several measures have been introduced in both Houses of Congress, which speak to many of these issues. S. 1456, now pending before the Senate, directly addresses industry's concerns relative to FOIA, antitrust, and other potential liability exposure. I believe this bill and others like it represent important attempts to remedy those concerns and to invigorate that trust that I spoke of earlier. I can assure you that they are receiving very serious consideration from the Administration, and I commend it to the attention of the executives of our private sector partners, as well.

Transparency in government and, as the events of September 11th underscored, security of our homeland represent a tension common to our dynamic, capitalistic, open, and democratic system. Harmonizing these countervailing public interests and maintaining the appropriate balance between them is the public policy challenge.

Let me be clear: there are no "silver bullets" here. While legislation such as a narrowly crafted FOIA solution may be needed to facilitate information sharing, standing alone, it is unlikely to be sufficient to achieve that objective. The critical factor is still trust. Equally important is the response of the federal government to information sharing. The government must be a good partner analyzing the data and providing warning and information to the public, infrastructure sectors, or targeted companies.

Another key challenge that will need to be addressed is how the federal government will be able to share information received from the private sector with state and local governments. This presents an equally challenging policy conflict between Federal preemption and states' rights that will require careful and thoughtful consideration and, I believe, coordination and consultation with the Federal government's State and local government partners.

Conclusion

Information sharing is playing, and must continue to play, an important role in advancing our nation's efforts to secure critical infrastructures in the United States. The American economy is the most successful in the world. However, the same technological capabilities that have enabled us to succeed can now also be turned against us in the information age. Corporate assets and infrastructures can be exploited and turned against the American people, as we witnessed in the events of September 11th. Powerful computing systems can be hijacked and employed to launch attacks that can disrupt operations of critical services that support public safety and daily economic processes. In such an environment, sharing information is essential to both government and industry to make better-informed decisions and to take more timely and effective action.

Thank you for the opportunity to appear before you today. At this time I welcome any questions that you may have.