Hearing before the

House Government Reform Committee

Subcommittee on Government Management, Information and Technology

June 22, 2000

Statement of John S. Tritak

Director

Critical Infrastructure Assurance Office

Mr. Chairman, I am pleased to appear before you today to talk about the important issue of assuring the effectiveness of the Nation's critical infrastructures. I am the Director of the Critical Infrastructure Assurance Office, or CIAO. The CIAO, which is administratively housed at the Department of Commerce, is the primary staff coordination point for the government's efforts to implement Presidential Decision Directive 63 and to develop the National Plan for Critical Infrastructure Protection.

The CIAO was created by PDD-63 to integrate the various industry sector plans into the National Plan, coordinate analyses of the U.S. Government's own dependencies on critical infrastructures, assist in the development of national education and awareness programs, and coordinate legislative and public affairs. To the extent Federal efforts to protect its own critical infrastructures require strengthening the security of related computer systems, the CIAO works closely with members of the Chief Information Officers Council and other responsible officials who are responsible for the actual development and implementation of appropriate Federal computer security programs.

America has long depended on its critical infrastructures for the delivery of services vital to its defense, prosperity, safety and well being. The need for the owners and operators of these infrastructures to plan against and respond to service disruptions caused by either technical failures or natural disasters, such as hurricanes and earthquakes, has existed for as long as there have been electric power plants, gas and oil pipelines, telecommunications networks, railroads, and banks and financial institutions.

In other words, critical infrastructure assurance is not new. What is new is America's growing dependence on information systems and networks to operate those infrastructures. Inter-dependent computer networks are rapidly becoming an integral part of doing business in the Information Age. Restructuring, including deregulation, is driving companies to apply these new technologies more widely to perform core business functions and operations. It is also requiring participation in open markets. An increasing number of transactions are being conducted over the Internet, virtual private networks, and limited dedicated networks. More and more, our nation's infrastructures are being wired together into an ever-expanding digital nervous system. Going on-line is no longer an option, it is a market imperative.

The benefits of all this have been enormous in terms of competitiveness, efficiency and quality of service. But these benefits do not come without risks. The interplay between complexity and technology increases geometrically the different ways technical system failures can occur. More importantly, cyber tools are readily available to individuals or groups to attack and disrupt our infrastructures, whether for fun, profit, revenge, or political or strategic gain. Recent events show that it doesn't take much to cause costly disruptions to the nation's information infrastructure. Just think what those with the resources and motivation might do. One does not have to be an alarmist, nor believe that a massive cyber-attack capable of crippling the nation's infrastructure is just around the corner, to argue for taking preventative action now.

Two years ago President Clinton issued his Presidential Decision Directive 63, establishing the defense of the nation's critical infrastructures against deliberate attacks, particularly those waged in cyberspace, as a national security priority.

In doing so, he presented us with a rather unique national security challenge, one which the Federal Government's national security establishment cannot solve alone. With over 90% of our critical infrastructures being privately owned and operated, assuring the delivery of services vital to the nation's defense and economy must be accomplished in public-private collaboration, with market rather than regulatory solutions being the preferred path.

This is not always easy or quick and those who want rapid solutions should recognize that the need to get all of the relevant parties together will often take time. But I believe that in the long run it is the best approach that we can take, and progress is being made.

President Clinton has requested increased funding for critical infrastructure protection substantially during the past three years, including a 15% increase for the FY2001 budget proposal to $2.0 billion. The National Plan for Information Systems Protection was released earlier this year. The current version of the Plan focuses mainly on the domestic efforts being undertaken by the Federal Government to protect the Nation's critical cyber-based infrastructures. A significant portion of the current plan aims at putting the Federal Government's own infrastructures in order.

Later versions will focus on the efforts of the infrastructure owners and operators, as well as the risk management and broader business community. Subsequent versions will also reflect to a greater degree the interests and concerns expressed by Congress and the general public based on their feedback, including, for example, a more detailed focus on privacy considerations. That is why the Plan is designated Version 1.0 and subtitled An Invitation to a Dialogue -- to indicate that it is still a work in progress and that a broader range of perspectives must be taken into account if the Plan is truly to be "national" in scope and treatment. We hope to issue the next version of the Plan, or at least its outline, by the end of this year.

Industry leadership is essential to protecting our nation's infrastructures. Many of our efforts in government have been directed at raising awareness among industry leaders of the business case for action. They have a commercial interest in maintaining a secure business environment that assures public confidence in their institutions. We can also help identify problems, good practices in management policies and strategies, convene meetings, promote R&D, and investigate legal and legislative reforms, when appropriate.

A strategy of cooperation and partnership within the private sector, as well as between the private sector and the U.S. Government is the foundation upon which our efforts to secure the nation's infrastructures are based. We are committed to building partnerships with the private sector to protect our computer networks.

The Administration's Partnership for Critical Infrastructure Security is just such a collaborative effort between industry and government. The Partnership serves as a forum in which to draw the individual infrastructure sectors together to facilitate a dialogue on cross-sector interdependencies, explore common approaches and experiences, and engage other key professional and business communities that have an interest in infrastructure assurance. By doing so, the Partnership hopes to raise awareness and understanding of, and to serve, when appropriate, as a catalyst for action among, the owners and operators of critical infrastructures, the risk management and investment communities, other members of the business community, and state and local Governments.

A brief history illustrates the rapid progress being made by the Partnership. Commerce Secretary Daley, Bureau of Export Administration Under Secretary William A. Reinsch, Gregory Rohde, the Assistant Secretary for Communications and Information, and I met with senior members of over 80 Partnership companies in December 1999 in New York, and again in February in Washington, D.C., with over 220 senior members of more than 120 Partnership companies, to encourage business leaders to adopt information security as an integral business practice. The Partnership agreed to address such important issues as cross-sector vulnerability assessments, information sharing, and R&D requirements.

In early February, Secretary Daley met with the President and 25 senior executives concerned about the recent disruptions to the Internet. His meeting reinforced the need for further cooperation between government and industry to help the private sector develop its action agenda for cyber security.

The incidents of early February are not cause for pushing the panic button, but they are a wake up call for action.

The work of the Partnership is ongoing. In July the Partnership will sponsor a plenary conference in San Francisco to continue the process of organization and to evaluate the progress that has been made to date by its working groups.

The Partnership is still very much a work in progress, but it has made dramatic strides in the months since it began. The Partnership builds on the excellent work already underway between Federal Lead Agencies (i.e., the Departments of Commerce, Defense, Justice, Treasury, Transportation and Energy) and their industry sector counterparts, including communications, banking and finance, transportation, and energy, to promote information sharing arrangements and develop sector plans to address potential vulnerabilities.

Considerable progress has been made in the area of information sharing.

The financial services industry was one of the first to create an Information Sharing and Analysis Center (ISAC). The Secretary of the Treasury announced the opening of the banking and financial services information security facility, the FS/ISAC, in October 1999. The center is a joint public-private industry initiative designed to facilitate the sharing of information about cyber-threats to the financial services industry.

As noted in Dr. Oslund's statement, last year, the National Communications Center, under the leadership of the National Security Telecommunications Advisory Committee (NSTAC), established an information sharing center for the telecommunications industry. In addition, members of the NSTAC have been sharing their 18 years of experience in information sharing with other infrastructure owners and operators as they begin to develop similar arrangements in their own sectors.

The North American Electric Reliability Council (NERC) has been actively working with the multi-agency National Infrastructure Protection Center (NIPC) to put in place information sharing arrangements on top of their current processes to report on physical events. They have begun a pilot program where electric utility companies and other power entities transmit cyber incident reports to the NIPC. These reports are analyzed and assessed to determine whether an NIPC warning, alert, or advisory to the electric utility community is warranted. In addition, the NIPC and the FBI continue to play a prominent role in developing InfraGard, a national cross-sector information sharing and analysis initiative.

The Department of Energy has been working with both the National Petroleum Council and NERC to develop industry-wide approaches by sharing information on good practices and lessons learned.

The information technology industry is responding to President Clinton's call during February's White House Computer Summit for that sector to create information sharing arrangements to better deal with deliberate attacks. This week, Harris Miller, President of the Information Technology Association of America (ITAA), announced that ITAA, as sector coordinator for the information and communications sector, will organize an information technology ISAC. The ISAC will be created in July, and will have a staff that will share real-time information on cyber threats, risks, and vulnerabilities.

One of the key issues cited in the debate on increased information sharing is the removal of disincentives to such sharing. In 1997, the President's Commission on Critical Infrastructure Protection (PCCIP) stated:

"We envision the creation of a trusted environment that would allow the government and private sector to share sensitive information openly and voluntarily. Success will depend on the ability to protect as well as disseminate needed information. We propose altering several legal provisions that appear to inhibit protection and thus discourage participation."

The PCCIP went on to include the Freedom of Information Act (FOIA), privacy, anti-trust provisions, and protection from liability among the areas that needed to be analyzed. In addition, at its organizational meeting at the beginning of this year, the Partnership for Critical Infrastructure Security included among its action items the removal of disincentives for information sharing. Therefore, we applaud the intent and objectives of the proposed Cyber-Security Information Act.

Based on my experience with these issues over the past year, I believe that sharing of information regarding common vulnerabilities, threats, and interdependencies is important to effective security controls across the interconnected and shared risk environment within which both the government and industry operate. As the bill points out, promoting prompt, thorough and secure information sharing is clearly a matter of national importance.

H.R. 4246 would create a new exemption from FOIA to protect industry submitted critical infrastructure vulnerability information. As a general matter we support maximum government openness while recognizing that certain information, such as that related to cyber vulnerability and voluntarily submitted by industry, should be protected from wide dissemination. As with any exemption from government openness, we need to study this proposal very carefully. While we applaud the objectives of H.R. 4246, we need to ensure that we are striking the right balance between the goal of information sharing and government openness. Similarly, we should be confident that any proposed provisions dealing with anti-trust and liability protection are measured to achieve their intended goals and do not create unintended results. As the bill points out, promoting prompt, thorough and secure information sharing is clearly a matter of national importance. I think that the ability to develop and share information on common vulnerabilities and incidents between the government and the owners and operators of our critical infrastructure systems would be a useful step toward this important goal. We are looking forward to a full and vigorous national discussion on this important legislation.

Thank you again for this opportunity to testify. I look forward to your questions.