Hearing of the United States Senate

Hearing before the

House Government Reform Committee

Subcommittee on Government Management, Information and Technology

March 9, 2000

Statement of

John S. Tritak

Director

Critical Infrastructure Assurance Office

Mr. Chairman, it is an honor to appear before you today to talk about the National Plan for Information Systems Protection, Version 1.0, and the role being performed by the Critical Infrastructure Assurance Office (CIAO) of which I am Director. I am grateful for the opportunity to discuss the Administration’s efforts to achieve President Clinton’s goal of establishing by 2003 a full operational capability to defend the critical infrastructures of the United States against deliberate attacks aimed at significantly disrupting the delivery of services vital to our nation’s defense, economic security, and the health and safety of its people. This goal cannot be reached without the strong support and active participation of the Congress.

I. Introduction

The Information Age has fundamentally altered the nature and extent of our dependency on these critical, nation-wide infrastructures. Increasingly, our Government, economy, and society are being connected into an ever expanding and interdependent digital nervous system of computers and information systems. With this interdependence comes new vulnerabilities. One person with a computer, a modem, and a telephone line anywhere in the world can potentially break into sensitive Government files, shut down an airport's air traffic control system, or disrupt 911 services for an entire community.

The threats posed to our critical infrastructures by hackers, terrorists, criminal organizations and foreign Governments are real and growing. The need to assure delivery of critical services over our infrastructures is not only a concern for the national security and federal law enforcement communities; it is also a growing concern for the business community, since the security of information infrastructure is a vital element of E-commerce. Drawing on the full breadth of expertise of the federal government and the private sector is therefore essential to addressing this matter effectively.

The President signed Presidential Decision Directive 63 in May1998, detailing the Administration’s policy on critical infrastructure protection. In the 22 months since, we have made significant progress in protecting our critical infrastructures. The National Plan for Information Systems Protection (the Plan) was released last month to serve as a blueprint for establishing a critical infrastructure protection (CIP) capability. The plan represents the first attempt by any national Government to design a way to protect those infrastructures essential to the delivery of electric power, oil and gas, communications, transportation services, banking and financial services, and vital human services. Increasingly, these infrastructures are being operated and controlled through the use of computers and computer networks.

The current version of the Plan focuses mainly on the domestic efforts being undertaken by the Federal Government to protect the Nation’s critical cyber-based infrastructures. Later versions will focus on the efforts of the infrastructure owners and operators, as well as the risk management and broader business community. Subsequent versions will also reflect to a greater degree the interests and concerns expressed by Congress and the general public based on their feedback. That is why the Plan is designated Version 1.0 and subtitled An Invitation to a Dialogue -- to indicate that it is still a work in progress and that a broader range of perspectives must be taken into account if the Plan is truly to be "national" in scope and treatment.

The Critical Infrastructure Assurance Office (CIAO) was created by PDD-63 to integrate the various sector plans into the National Plan, coordinate analyses of the U.S. Government's own dependencies on critical infrastructures, assist in the development of national education and awareness programs, and coordinate legislative and public affairs. To the extent Federal efforts to protect its own critical infrastructures require strengthening the security of related computer systems, the CIAO works closely with members of the Chief Information Officers Council and other responsible officials who are responsible for the actual development and implementation of appropriate Federal computer security programs.

President Clinton has increased funding on critical infrastructure substantially during the past three years, including a 15% increase in the FY2001 budget proposal to $2.0 billion. He has also developed and requested funding on new initiatives to defend the nation's computer systems from cyber attack.

II. The Plan: Overview and Highlights

President Clinton directed the development of this Plan to chart the way toward the attainment of a national capability to defend our critical infrastructures by the end of 2003. To meet this ambitious goal, the Plan establishes 10 programs for achieving three broad objectives. They are:

Objective 1: Prepare and Prevent: Undertake those steps necessary to minimize the possibility of a significant and successful attack on our critical information networks, and build an infrastructure that remains effective in the face of such attacks.

Program 1 calls for the Government and the private sector to identify significant assets, interdependencies, and vulnerabilities of critical information networks from attack, and to develop and implement realistic programs to remedy the vulnerabilities, while continuously updating assessment and remediation efforts.

Objective 2: Detect and Respond: Develop the means required to identify and assess attacks in a timely way, contain such attacks, recover quickly from them, and reconstitute those systems affected.

Program 2 will install multi-layered protection on sensitive computer systems, including advanced firewalls, intrusion detection monitors, anomalous behavior identifiers, enterprise-wide management systems, and malicious code scanners. To protect critical Federal systems, computer security operations centers will receive warnings from these detection devices, as well as Computer Emergency Response Teams (CERTs) and other means, in order to analyze the attacks, and assist sites in defeating attacks.

Program 3 will develop robust intelligence and law enforcement capabilities to protect critical information systems, consistent with the law. It will assist, transform, and strengthen U.S. law enforcement and intelligence Agencies to be able to deal with a new kind of threat and a new kind of criminal -- one that acts against computer networks.

Program 4 calls for a more effective nationwide system to share attack warnings and information in a timely manner. This includes improving information sharing within the Federal Government and encouraging private industry, as well as state and local governments, to create Information Sharing and Analysis Centers (ISACs), which would share information among corporations and state and local Governments, and could receive warning information from the Federal Government. Program 4 additionally calls for removal of existing legal barriers to information sharing.

Program 5 will create capabilities for response, reconstitution, and recovery to limit an attack while it is underway and to build into corporate and Agency continuity and recovery plans the ability to deal with information attacks. The goal for Government and the recommendation for industry is that every critical information system have a recovery plan in place that includes provisions for rapidly employing additional defensive measures (e.g., more stringent firewall instructions), cutting off or shutting down parts of the network under certain predetermined circumstances (through enterprise-wide management systems), shifting minimal essential operations to "clean" systems, and to quickly reconstitute affected systems.

Objective 3: Build Strong Foundations: Take all actions necessary to create and support the Nation’s commitment to Prepare and Prevent and to Detect and Respond to attacks on our critical information networks.

Program 6 will systematically establish research requirements and priorities needed to implement the Plan, ensure funding, and create a system to ensure that our information security technology stays abreast with changes in the threat environment.

Program 7 will survey the numbers of people and the skills required for information security specialists within the Federal Government and the private sector, and takes action to train current Federal IT workers and recruit and educate additional personnel to meet shortfalls.

Program 8 will explain publicly the need to act now, before a catastrophic event, to improve our ability to defend against deliberate cyber-based attacks.

Program 9 will develop the legislative framework necessary to support initiatives proposed in other programs. This action requires intense cooperation within the Federal Government, including Congress, and between the Government and private industry.

Program 10 builds mechanisms to highlight and address privacy issues in the development of each and every program. Infrastructure assurance goals must be accomplished in a manner that maintains, and even strengthens, American’s privacy and civil liberties. The Plan outlines nine specific solutions, which include consulting with various communities; focusing on and highlighting the impact of programs on personal information; committing to fair information practices and other solutions developed by various working groups in multiple industries; and working closely with Congress to ensure that each program meets standards established in existing Congressional protections.

The Program: Goals and Descriptions

I would like to highlight a few of the programs in the remainder of my testimony. In these programs, the Administration seeks to accomplish two broad aims of the Plan – the establishment of the U.S. Government as a model of infrastructure protection, and the development of a public-private partnership to defend our national infrastructures.

A. The Federal Government as a Model of Information Security

We often say that more than 90% of our critical infrastructures are neither owned nor operated by the Federal Government. Partnerships with the private sector and state and local governments are therefore not just needed, but are the fundamental aspect of critical infrastructure protection. Yet, the President rightly challenged the Federal Government in PDD-63 to serve as a model for critical infrastructure protection – to put our own house in order first. Given the complexity of this issue, we need to take advantage of the breadth of expertise within the Federal Government to ensure that we enlist those Agencies with special capabilities and relationships with private industry to the fullest measure in pursuit of our common goal.

The President has developed and provided full or pilot funding for the following key initiatives designed to protect the Federal Government's computer systems:

Federal Computer Security Requirements and Government Infrastructure Dependencies. One component of this effort supports aggressive, Government-wide implementation of federal computer security requirements and analysis of vulnerabilities. Thus, in support of the release of the National Plan, the President announced his intent to create a permanent Expert Review Team (ERT) at the Department of Commerce’s National Institute of Standards and Technology (NIST). The ERT will be responsible for helping Agencies identify vulnerabilities, plan secure systems, and implement Critical Infrastructure Protection Plans. Pursuant to existing Congressional authorities and administrative requirements, the Director of the team would consult with the Office of Management and Budget and the National Security Council on the team’s plan to protect and enhance computer security for Federal Agencies. The President’s Budget for FY2001 proposes $5 million for the ERT.

Under PDD-63, the President directed the CIAO to coordinate analyses of the U.S. Government’s own dependencies on critical infrastructures. Many of the critical infrastructures that support our nation’s defense and security are shared by a number of Agencies. Even within Government, critical infrastructure outages may cascade and unduly impair delivery of multiple critical services. The CIAO is coordinating an interagency effort to develop a more sophisticated identification of critical nodes and systems, and to understand their impact on national security, national economic security, and public health and safety Government-wide. These efforts support the work of the ERT in identifying critical nodes of the Government’s information infrastructures that require vulnerability analyses, and provide valuable input to Agencies for planning secure computer systems and implementing computer security plans. This research, when complete, will permit the Federal Government to identify and redress its most significant critical infrastructure vulnerabilities first, and provide the necessary framework for well informed critical infrastructure protection policy making and budget decisions.

Federal Intrusion Detection Network (FIDNet). PDD-63 marshals Federal Government resources to improve interagency cooperation in detecting and responding to significant computer intrusions into civilian Government critical infrastructure nodes. The program – much like a centralized burglar alarm system – would operate within long-standing, well-established legal requirements and Government policies covering privacy and civil liberties. FIDNet is intended to protect information on critical, civilian Government computer systems, including that provided by private citizens. It will not monitor or be wired into private sector computers. All aspects of the FIDNet will be fully consistent with all laws protecting the civil liberties and privacy rights of Americans.

To support this effort, the Administration proposes funding in the President’s FY2001 Budget ($10 million) to create a centralized intrusion detection and response capability at the General Services Administration (GSA). This capability will function in consort with GSA’s Federal Computer Incident Response Capability, and assist Federal Agencies to:

detect and analyze computer attacks and unauthorized intrusions;
share attack warnings and related information across Agencies; and
respond to attacks in accordance with existing procedures and mechanisms.

FIDNet is intended to promote confidence in users of Federal civilian computer systems. It is important to recognize that FIDNet has a graduated system for response and reporting attack. Intrusion information would be collected and analyzed by home-Agency experts. Only data on system anomalies would be forwarded to GSA for further analysis. Thus, intrusion detection would not become a pass-through for information to the Federal Bureau of Investigation or other law enforcement entities. Law enforcement would receive information about computer attacks and intrusions only under long-standing legal rules – no new authorities are implied or envisioned by the FIDNet program.

One additional benefit of Government-wide intrusion detection is to improve computer intrusion reporting and the sharing of incident information consistent with existing government computer security policy. Various authorities require Agencies to report criminal intrusions to appropriate law enforcement personnel, which include the National Infrastructure Protection Center.

FIDNet will support law enforcement’s responsibilities where cyber-attacks are of a criminal nature or threaten national security.

In short, FIDNet will:

be run by the GSA, not the FBI;
monitor only Federal Government networks, not monitor any private network traffic;
operate within current legal authorities, and confer no new authorities on any Government Agency;
be fully consistent with privacy law and practice, and
provide a coordinated analysis process for early identification of malicious intrusion attempts against Federal networks.

Federal Cyber Services (FCS). One of the nation’s strategic shortcomings in protecting our critical infrastructures is a shortage of skilled information technology (IT) personnel. Within IT, the shortage of information systems security personnel is acute. The Federal Government’s shortfall of skilled information systems security personnel amounts to a crisis. This shortfall reflects a scarcity of university graduate and undergraduate information security programs and the inability of the Government to provide the salary and benefit packages necessary to compete with the private sector for the limited number of these highly skilled workers. In attacking this problem through the Federal Cyber Services initiative described below, we are leveraging the initial efforts made by the Defense Department, the National Security Agency, and some other Federal Agencies. The President’s Budget for FY2001 proposes $25 million for this effort.

The Federal Cyber Services training and education initiative, highlighted by the President at the Plan’s release, introduces five programs to help solve the Federal IT security personnel problem. The programs include all facets of information assurance education and training in order to address the immediate need for more skilled professionals, create a pipeline for recruitment of new professionals, and promote a national commitment to information assurance.

a study by the Office of Personnel Management to identify and develop competencies for Federal information technology (IT) security positions, and the associated training and certification requirements.

the development of Centers of IT Excellence to establish competencies and certify current Federal IT workers, and maintain their information security skill levels throughout their careers.

The creation of a Scholarship for Service (SFS) program to recruit and educate the next generation of Federal IT managers by awarding scholarships for the study of information security, in return for a commitment to work for a specified time for the Federal Government. This program will also support the development of information security faculty.

The development of a high school outreach and awareness program that will provide a curriculum for computer security awareness classes and encourage careers in IT fields.

The development and implementation of a Federal Information Security awareness curriculum aimed at ensuring computer security literacy throughout the entire Federal workforce.

Research and Development. A key component to our ability to protect our critical infrastructures now and in the future is a robust research and development plan. As part of the structure established by PDD-63, the interagency Critical Infrastructure Coordination Group (CICG) created a process to identify technology requirements in support of the Plan. Chaired by the Office of Science and Technology Policy (OSTP), the Research and Development Sub-Group works with Agencies and the private sector to:

gain agreement on requirements and priorities for information security research and development;

coordinate among Federal Departments and Agencies to ensure the requirements are met within departmental research budgets and to prevent waste or duplication among departmental efforts;

communicate with private sector and academic researchers to prevent Federally funded R&D from duplicating prior, ongoing, or planned programs in the private sector or academia; and

identify areas where market forces are not creating sufficient or adequate research efforts in information security technology.

That process, begun in 1998, has helped focus efforts on coordinated cross-government critical infrastructure protection research. Among the priorities identified by the process are:

technology to support large-scale networks of intrusion detection monitors;

artificial intelligence and other methods to identify malicious code (trap doors) in operating system code;

methodologies to contain, stop, or eject intruders, and to mitigate damage or restore information-processing services in the event of an attack or disaster;

technologies to increase network reliability, system survivability, and the robustness of critical infrastructure components and systems, as well as the critical infrastructures themselves; and

technologies to model infrastructure responses to attacks or failures; identify interdependencies and their implications; and locate key vulnerable nodes, components, or systems.

The President’s Budget for FY2001 proposes $606 million across all Agencies for critical infrastructure related R&D investment.

The need exists, however, to coordinate R&D efforts not just across the Federal Government, but between the public and private sectors as well. A fundamentally important initiative that has the ability to pull disparate pieces of the national R&D community into closer relationships is the Institute for Information Infrastructure Protection (I³P). This organization is created to identify and fund research and technology development to protect America's cyberspace from attack or other failures. I will discuss the I³P in detail when I address Public-Private Partnership issues.

Public Key Infrastructure. Protecting critical infrastructures in the Federal Government and private sectors requires development of an interoperable public key infrastructure (PKI). A PKI enables data integrity, user identification and authentication, user non-repudiation, and data confidentiality through public key cryptography by distributing digital certificates (essentially electronic credentials) containing public keys, in a secure, scalable, and reliable manner. The potential of PKI has inspired numerous projects and pilots throughout the Federal Government and private sectors. The Federal Government has actively promoted the development of PKI technology and has developed a strategy to integrate these efforts into a fully functional Federal PKI. The President’s Budget for FY2001 proposes $7 million to ensure development of an interoperable Federal PKI.

To achieve the goal of an integrated Federal PKI, and protect our critical infrastructures, the Federal Government is working with industry to implement the following program of activities:

Connect Agency-wide PKIs into a Federal PKI: DoD, NASA, and other Government Agencies are actively implementing Agency-wide PKIs to protect their internal critical infrastructures. While a positive step, these isolated PKIs do not protect infrastructures that cross Agency boundaries. Full protection requires an integrated, fully functional PKI.

Connect the Federal PKI with Private Sector PKIs: Private sector groups are actively developing their own PKIs as well. While a positive step, these isolated PKIs do not protect infrastructures that cross Government or industry sector boundaries.

Encouraging development of interoperable Commercial Off-the-Shelf (COTS) PKI Products: Limitation to a single vendor’s solution can be a serious impediment, as most organizations have a heterogeneous computing environment. Consumers must be able to choose COTS PKI components that suit their needs.

Validating the Security of Critical PKI Components: Protecting critical infrastructures require sound implementation. The strength of the security services provided to the critical infrastructures depends upon the security of the PKI components. Validation of the security of PKI components is needed to ensure that critical infrastructures are adequately protected. NIST is pursuing a validation program for PKI components.

Encouraging Development of PKI-Aware Applications: To encourage development of PKI-aware applications, the Government is working with vendors in key application areas. One example is the secure electronic mail projects that have been performed jointly with industry.

B. Public-Private Partnership

Inter-dependent computer networks are an integral part of doing business in the Information Age. America is increasingly dependent upon computer networks for essential services, such as banking and finance, emergency services, delivery of water, electricity and gas, transportation, and voice and data communications. New ways of doing business in the 21st century are rapidly evolving. Business is increasingly relying on E-commerce for its commercial transactions as well as for its critical operations. At the same time, recent hacking attempts at some of the most popular commercial Web sites underscore that America’s information infrastructure is an attractive target for deliberate attack or sabotage. These attacks can originate from a host of sources, such as terrorists, criminals, hostile nations, or the equivalent of car thief "joyriders." Regardless of the source, however, the potential for cyber damage to our national security and economy is evident.

The infrastructures at risk are owned and operated by the private sector. The use of information technology is so embedded in the core operations and customer service delivery systems of industry that inevitably, it will be they who must work together to take the steps necessary to protect themselves. The Federal government can help. The first major step is the elevation of awareness across industry of the "business case for action" for leaders within industry. They have a commercial interest in maintaining a secure business environment that assures public confidence in their institutions. We can help identify and publicize problems as well as good practices in management policies and strategies. We can also encourage planning, promote research and development, and convene meetings. In short, we can act as a catalyst for industry to mobilize.

A strategy of cooperation and partnership between the private sector and the U.S. Government to protect the Nation’s infrastructure is the linchpin of this effort. The President is committed to building partnerships with the private sector to protect our computer networks through the following initiatives:

Institute for Information Infrastructure Protection (I³P). The Institute would identify and address serious R&D gaps that neither the private sector nor the Government's R&D community would otherwise address, but that are necessary to ensure the robust, reliable operation of the national information infrastructure. First proposed by the scientists and corporate officials who served on the President's Committee of Advisors on Science and Technology, the Institute is supported by leading corporate Chief Technology Officers. The President’s FY2001 Budget proposes $50 million for the Institute. Funding would be provided through the Commerce Department's National Institute of Standards and Technology (NIST) to this organization.

The Institute will work directly with private sector information technology suppliers and consumers to define research priorities and engage the country's finest technical experts to address the priorities identified. Research work will be performed at existing institutions including private corporations, universities, and non-profit research institutes. The Institute will also make provisions to accept private sector support for some research activities.

Partnership for Critical Infrastructure Security. Last month, Commerce Secretary Daley met with senior representatives from over 120 major corporations, many Fortune 500, representing owners and operators of critical infrastructures, their suppliers, and their customers, to organize a Partnership for Critical Infrastructure Security. Industry has taken the lead on this effort, and is actively pursuing ways to assure their ability to deliver critical services.

The Partnership will explore ways in which industry and Government can work together to address the risks to the nation’s critical infrastructures. Federal Lead Agencies are currently building partnerships with individual infrastructure sectors in private industry, including communications, banking and finance, transportation, and energy. The Partnership will serve as a forum in which to draw these individual efforts together to facilitate a dialogue on cross-sector interdependencies, explore common approaches and experiences, and engage other key professional and business communities that have an interest in infrastructure assurance. By doing so, the Partnership hopes to raise awareness and understanding of, and to serve, when appropriate, as a catalyst for action among, the owners and operators of critical infrastructures, the risk management and investment communities, other members of the business community, and state and local Governments.

National Infrastructure Assurance Council (NIAC). President Clinton established the NIAC by Executive Order 13130 on July 14, 1999. When fully constituted, it will consist of up to 30 leaders in industry, academia, the privacy community, and state and local Government. The NIAC will provide advice and counsel to the President on a range of policy matters relating to critical infrastructure assurance, including the enhancement of public-private partnerships, generally.

IV. Conclusion

In conclusion, the National Plan is an important step forward. My staff and I are committed to building on this promising beginning, coordinating the Government’s efforts into an integrated program for critical infrastructure protection in support of the National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism, and the Federal Government, generally. We are actively working with members of the CIO Council, as well as members of the defense, intelligence, and law enforcement agencies to develop this program. However, we have much work left to do, and I hope to work with the members of this committee, indeed with the Congress as a whole, as we wrestle with this developing field.

Thank you again for this opportunity to testify. I look forward to your questions.