Hearing of the United States Senate

Special Committee on the Year 2000 Technology Problem

July 29, 1999

Statement of

John S. Tritak

Director

Critical Infrastructure Assurance Office

 

Mr. Chairman, Mr. Vice Chairman, members of the Committee, ladies and gentlemen, I am John Tritak, Director of the Critical Infrastructure Assurance Office (CIAO). I appreciate this opportunity to discuss the challenges facing our Nation's critical infrastructure community as we approach the Year 2000 conversion period. We are grateful for this opportunity to work closely with Congress and to elaborate on ways to maximize lessons learned from the Year 2000 experience. This includes, in particular, the CIAO's cooperation with the Information Coordination Center (ICC) and the President's Council on Year 2000 Conversion.

CIAO Foundations

The Critical Infrastructure Assurance Office was created in response to Presidential Decision Directive 63 (PDD-63) as a mechanism to assist in the coordination of the Federal Government's initiatives on critical infrastructure protection. PDD-63 assigned the following specific missions to the CIAO:

* integrating the various infrastructure sector plans into a national plan;

* coordinating departmental analyses on how to mitigate unacceptable risks resulting from the U.S. Government's own dependencies on critical infrastructure;

* coordinating a national education and awareness program targeted toward increasing public understanding and participation in protection efforts; and

* coordinating legislative and public affairs to integrate infrastructure assurance objectives into the public and private sectors.

 

The National Plan for Information Systems Protection: Public-Private Cooperation

The CIAO is working diligently to fulfill its responsibilities under PDD-63. Of utmost significance is completion of the first version of the National Plan for Information Systems Protection. This National Plan addresses, for the first time in our Nation's history, a complex interagency process for approaching critical infrastructure and cyber-related issues. These include, but are not limited to, law enforcement, defense, intelligence, procurement, information technology, and privacy matters. Development and implementation of the National Plan will depend on the continued diligence of a broad array of Federal Government agencies and departments, which must serve as a model for sound cyber security practices and critical infrastructure protection.

As you know, efforts to coordinate a partnership with the private sector are part of the CIAO's mission. The CIAO has carefully engaged various infrastructure sectors to begin the lengthy process of developing trust, creating new channels of communication, and improving overall cyber security practices.

In implementing its mandates, the CIAO has focused on issues that cut across the responsibilities of multiple departments and agencies, in order to help ensure a coherent and cohesive U.S. approach to the challenges of achieving the protection of our Nation's critical infrastructures.

Tangible Accomplishments

Since its inception in May 1998, the Critical Infrastructure Assurance Office has met several important milestones. These include:

* establishing and coordinating the efforts of an Expert Review Team that has analyzed and critiqued the critical infrastructure protection plans of numerous Federal agencies;

* hosting a January 1999 conference to improve information sharing with owners and operators of critical infrastructure facilities;

* jointly hosting a Freedom of Information Act (FOIA) workshop with the Department of Justice in July 1999, designed to foster information sharing channels;

* agreeing to serve as chair of the National Colloquium For Information Systems Security Education (NCISSE), and its annual conference in May 2000;

* preparing for a national kickoff this fall of the Partnership for Critical Information Security, a national awareness campaign and public-private partnership mandated in PDD-63;

* establishing a program office, in cooperation with the General Services Administration, to support the piloting of the proposed Federal Intrusion Detection Network (FIDNET) initiative;

* assisting in the coordination of an interagency process for developing long-term research and development strategies consistent with PDD-63; and

* laying the groundwork for creation of the National Infrastructure Assurance Council (NIAC), an advisory committee for critical infrastructure assurance policy making.

The CIAO continues to strive toward the successful completion of the goals set by President Clinton in PDD-63. The first version of the integrated National Plan is nearing release, and our efforts to assist in the support of infrastructure assurance objectives are ongoing.

It is in this context that we address the important questions presented in your letter of July 20, 1999.

CIAO Interaction with the ICC

The CIAO is supporting the President's stated mission for the ICC in Executive Order 13073, June 14, 1999. The CIAO works to facilitate national, long-term planning for critical infrastructure protection, including developing a national cyber-reconstitution capability. The ICC is responsible for information sharing and coordinating assessments of Year 2000 emergencies among multiple communities, including owners and operators of critical infrastructure facilities, and assisting Federal agencies and the Chairman of the President's Council on Year 2000 Conversion on reconstitution processes where appropriate. Therefore, a natural relationship exists between our entities.

Earlier this year, the CIAO lent full-time help to coordinate critical infrastructure issues at the ICC. The ICC Deputy Director for Critical Infrastructure Requirements concentrates full-time on focusing ICC efforts on complex critical infrastructure and Year 2000 issues and coordinating with the CIAO.

The CIAO-ICC cooperation occurs in multiple areas on a daily basis. This includes:

* CIAO Technical Support: The CIAO staff with knowledge of, and expertise in, critical infrastructure assurance planning will continue to consult with the ICC as the conversion period approaches. The CIAO staff members are familiar with both government programs and private sector constituents, and offer insights to ICC staff to prevent duplication of effort.

* Computer Emergency Response Team Coordination: The CIAO's ongoing contact and relationships within the computer emergency response community will assist the ICC with its complex mission. These computer emergency response professionals contribute a technical base of expertise and status reporting through the National Infrastructure Protection Center (NIPC) on suspected cyber intrusions or anomalous activity.

* Industry Expertise and Support: The CIAO personnel have amassed knowledge and expertise with regard to owners and operators of critical infrastructures in the private sector. The CIAO staff members continue to provide insights and contacts to the ICC.

This type of assistance results directly from close contact and cooperation among the CIAO and ICC at multiple levels. In addition to daily staff contacts, leadership of both organizations meets frequently to exchange information and develop solutions to pertinent issues.

Lessons Learned from the ICC

The Year 2000 event represents a nationwide cyber and critical infrastructure challenge. Thus, the ICC and its work are clearly relevant to the CIAO's long-term efforts to assist the National Coordinator and the interagency process in facilitating critical infrastructure assurance initiatives. During the Year 2000 Conversion period, the ICC will undertake the complex task of coordinating information sharing among multiple communities, including critical infrastructure owners and operators. The CIAO intends to take full advantage of the opportunities presented by this unique, unprecedented event to learn more about information sharing channels, customs, and sensitivities within diverse industries, as well as with Federal and state governments.

From a long-term critical infrastructure perspective, the Year 2000 event serves as a kind of laboratory in which the Federal Government and the private sector work out appropriate responses to significant cyber challenges. In support of the ICC, the CIAO will focus on at least three areas of interest.

* First, the CIAO will focus on methods of working closely with industry. Undoubtedly, challenges associated with public-private partnerships are the most important facing the critical infrastructure community; they are also the most complex. The private sector's fear of government regulation undermines legitimate efforts within government to form closer and more productive partnerships with industry, many of which result directly from PDD-63 coordination efforts. The CIAO will work closely with the ICC in its efforts to engage the private sector and learn from Year 2000 problems, challenges, and various solutions.

* Second, the CIAO will focus on the ICC's efforts to engage non-governmental organizations and academia. As an example, the ICC and the CIAO are cooperating to meet and generate cooperation from the National Research Council (NRC) and the National Academy of Sciences (NAS). Both the NRC and NAS have excellent working relationships within multiple critical infrastructure communities. The ICC is mining these and other academic-based sources of knowledge and expertise for the Year 2000 challenge. The CIAO expects to learn more about how resources in these communities can aid long-term critical infrastructure initiatives.

* Third, the CIAO hopes to gain from ICC's interactions with Congress and agencies throughout the Executive Branch. Both the President's Council on Year 2000 Conversion and the ICC are working closely within the Federal Government to meet the many complex challenges ahead. The Year 2000 issue has drawn together these institutions in an important dialogue, in effect placing critical infrastructure protection on a fast track. The CIAO must listen to the ongoing discussions and apply lessons learned to long-term critical infrastructure planning. These discussions have already increased awareness of multiple complex issues.

Use of ICC Assets after the Year 2000 Conversion Period

The knowledge gained, the capabilities developed, the information channels established, and the momentum created at the ICC will constitute an invaluable national asset, one bought and paid for by the American taxpayer. Like any valuable asset, we should take advantage of it and look at ways to retain what is needed.

The ICC experience during the Year 2000 conversion period will provide important contributions to the Federal Government's efforts to develop the plans and means for responding appropriately to significant cyber events and emergencies. How, and in what ways, this capability is preserved after the Year 2000 conversion period will be given careful consideration.

Information Exchange Channels

Both the ICC and the CIAO have worked hard to facilitate development and use of information sharing channels with industries that own and operate critical infrastructure facilities. Information channels are being established by the NIPC and by the emerging Information Sharing and Analysis Centers (ISAC). As indicated throughout this testimony, full-scale implementation of PDD-63 requires robust information exchange between government and industry.

The complexity of pulling together a public-private partnership cannot be underestimated. Many industry groups view government as a regulator, and a perception exists that sharing information can only result in harm. For other industry sectors, there may not yet be a clear-cut business case for action, that is, one that necessitates a robust public-private partnership.

However, the fallout from the Year 2000 conversion has offered government and industry a snapshot of how partnering may benefit multiple parties. The Chairman of the President's Council on Year 2000 Conversion and the Director of the ICC have worked tirelessly to meet with multiple critical infrastructure communities and to offer information-sharing resources during the conversion period.

As an example, the cyber incident monitoring and response capability being developed at the ICC will include a diverse public-private partnership, all sharing information during the conversion period. This includes such disparate groups as the Small Business Administration, GSA, the CERT® at Carnegie-Mellon University, and the Office of Science and Technology Policy (OSTP). This partnership structure will survive the Year 2000 issue and should offer new information exchange channels in the future. Indeed, the seeds of trust are being planted during this difficult period, but are expected to bear fruit for the critical infrastructure community at a later time.

The CIAO has been actively working to assist in the development of similar public-private information sharing structures and channels. CIAO personnel are active within the industry groups, quietly addressing impediments to information sharing. These experts are also assisting in building a case for action, a prerequisite for information exchange and a robust partnership.

ICC Roles with respect to Cyber-Reconstitution

The CIAO is prepared to assist the ICC during the Year 2000 conversion period. This includes specific activities aimed at taking advantage of existing institutions, resources, and plans. These activities also recognize existing agency roles and missions, including congressional grants of jurisdiction.

Executive Order 13073 provides:

"(b) At the direction of the Chair, the ICC will assist in making preparations for information sharing and coordination within the Federal Government and key components of the public and private sectors, coordinating agency assessments of Y2K emergencies that could have an adverse affect on U.S. interests at home and abroad, and, if necessary, assisting Federal agencies and the Chair in reconstitution processes where appropriate.[1]

(c) The ICC will:

(1) consist of officials from executive agencies, designated by agency heads under subsection 3(a)(2) of this order, who have expertise in important management and technical areas, computer hardware, software or security systems, reconstitution and recovery, and of additional personnel hired directly or by contract, as required, to carry out the duties described under section 5 of this order;

(2) work with the Council and the Office of Management and Budget to assure that Federal efforts to restore critical systems are coordinated with efforts managed by Federal agencies acting under existing emergency response authorities."

Reconstitution activities may typically encompass restoration of critical infrastructure service delivery, mission-critical systems, or infrastructure facilities. Most often, these activities are directed by owners and operators of the infrastructure facilities and systems. Owners and operators throughout the U.S. have worked diligently to prepare for the Year 2000 conversion period, have tested vital systems, and in many cases, have required up- and down-stream vendors to prove Year 2000 compliance.

ICC restoration and reconstitution responsibilities should not, therefore, be a call for government to take responsibility for reconstituting infrastructure systems during the Year 2000 conversion period. Rather, government will rely on stakeholders to fulfill principal responsibility for reconstituting vital systems that fail as a result of the Year 2000 issue.

The government should, however, carefully track attacks on critical systems during the Year 2000 conversion period that result in severe regional or national service impairment, whether from insiders or terrorists. This is especially important where national security, widespread economic, and public health issues are at stake. This monitoring and response role for malicious acts, as opposed to Year 2000 failures, is the mission of the NIPC. Government efforts to track, assess, coordinate, and facilitate reconstitution of affected systems under these circumstances complement industry's own efforts to care for clients, shareholders, and customer base.

Reconstituting vital computer systems and infrastructure services presents various specific challenges. Many of the infrastructure systems are owned and operated within the private sector, precluding direct government involvement. Further, where these systems are owned or operated by the government, or where government is the recipient of essential services, monitoring and coordinating reconstitution activities is highly complex.

The CIAO will assist the ICC in coordinating critical infrastructure resources and intellectual talent in the belief that there are tangible benefits as we truly enter into the information age. The ICC will steward the coordination role for supporting and focusing this capability to handle cyber assurance activities during the Year 2000 conversion period.

Conclusion

The CIAO sees the important work being done by the President's Council on Year 2000 Conversion and the ICC as an opportunity to listen and learn. We also feel strongly that the Year 2000 issue offers an additional opportunity to meet with and explore new ways of working with the private sector. This Nation's cyber security will depend on our efforts to forge an alliance with the private sector to implement PDD-63 and Congress' information technology agenda, and we are proud to be a partner in this effort on behalf of all Americans.

 

[1] Amendment to Executive Order 13073, Year 2000 Conversion (June 14, 1999) (emphasis added).
