Where Industry and Security Intersect
What's New | Sitemap | Search
Thank you very much, Bill, for your kind introduction. I also would like to thank the organizers and sponsors of this conference for bringing us together for today's proceedings.
As Bill has mentioned, I have recently joined the Commerce Department. During my first few weeks there, I have spent a fair amount of time working with John Tritak and the Critical Infrastructure Assurance Office in getting up to speed on critical infrastructure issues. I have certainly been around complex public policy issues for many years. But, having now been exposed in detail to the subject of critical infrastructure assurance, there is no doubt in my mind that this is one of the more important and difficult public policy issues that I have confronted.
What is at stake is nothing less than the long-term viability of our nation's infrastructures to continue delivering critical services essential to our defense, economy, and way of life. The challenges are great and the solutions are still in the early, formative stages.
The information age has fundamentally -- and irreversibly -- altered the way our economy and government operate. Dependence on information systems and networks exposes government and industry to vulnerabilities that did not previously exist. Those who might exploit these vulnerabilities are numerous. They range from the recreational hacker to the terrorist to the nation state intent on obtaining a strategic advantage. Even more disturbing, the tools needed to cause a significant disruption to infrastructure operations are readily available. Indeed, one does not have to be a "cyber terrorist" or an "information warrior" to obtain and use these new weapons of mass disruption. In fact, from the perspective of individual companies, the consequences of an attack can be the same, regardless of who the attacker is.
The Federal government itself is limited in how much it can do on its own to address these problems. This is a significant departure from the past -- and from the way the government traditionally thinks about policy issues. In the past, the Defense Department, the Justice Department, and other Federal agencies did a lot to protect the physical aspects of our critical infrastructures. They did so by securing our national borders against invading armies and infiltrating terrorists, and by securing our national airspace against enemy bombers.
Protecting our infrastructures against cyber attacks, however, presents an entirely different problem. The Federal government cannot keep out digital invaders by posting soldiers or police officers at the perimeters of electric power plants or telecommunica-tions facilities. Nor do I think you would want the government to do that, even if it could. Because there are no boundaries or borders in cyberspace, and because the vast majority of the nation's infrastructures are privately owned and operated, the best approach is for government and industry to work together -- in partnership -- to solve the problem.
I can assure you that the Bush Administration is fully committed to partnering with industry to advance this process. Just last week the President issued a press release stating that his Administration will develop with industry a new national plan for critical infrastructure assurance. The Commerce Department's Critical Infrastructure Assurance Office, which is within my Bureau, will coordinate this effort.
The purpose of the national plan will be to present an integrated public-private strategy for government and industry to chart a common course toward achieving the overall goal of national critical infrastructure assurance. The plan will serve not only as a guide for action, but also as a vehicle for creating consensus in Congress and with the American people on how to proceed. This will be the beginning of an ongoing, dynamic process that will necessarily be modified and refined over time.
As I have indicated, the Federal government cannot solve critical infrastructure issues alone. This raises the obvious question – what is, or should be, the role of government? I submit it is at least twofold.
First, I think that the Federal government has a leading role in assuring the delivery of those essential services which it must provide to the American people. These range, for example, from the effective mobilization and projection of U.S. forces overseas to advance vital national security and foreign policy interests, to timely warnings of weather disturbances such as hurricanes, to the delivery of social security checks (which are essential to many Americans). Of course, in many instances, the delivery of these services depends on privately owned and operated infrastructures. Where it does, the relevant Federal department and agency must work with the specific company or companies involved to ensure adequate security measures are established and maintained, on mutually agreed upon terms.
Second, I think the Federal government has a supporting role to play in ensuring that a sufficient level of critical infrastructure services is available to maintain a smoothly functioning national economy. Here, the preferred approach is to promote market rather than regulatory solutions, focusing specifically on corporate governance and risk management. That is where all of you in this room come into the picture, and why what you are doing is so important.
I am told that when the previous Administration first issued its directive on critical infrastructure protection in 1998, some in industry were at a loss as to how to address the Federal government's concerns. That is because those concerns, as initially presented, could not be translated into business terms that corporate boards and senior management would understand -- such as operational survivability, shareholder value, customer relations, and public confidence in the company. Only when infrastructure concerns are translated into these types of business terms will the market respond effectively.
The new Secretary of Commerce, Don Evans, is a former CEO and former member of several corporate boards. He understands this point very well. In a hearing last week before the Senate Appropriation's Committee, he underscored the need for corporate governance, rather than Federal governance, to be an essential component of critical infrastructure assurance policy.
This audience also understands that message. The six audit summits that were convened last year have contributed greatly to getting the word out to the auditing community, to corporate directors, and to senior management. Your recently published report summarizing the main conclusions of those summits was a first-rate piece of work.
Nonetheless, there is much work left to be done, and the task you have set for yourselves is a difficult one. There are still many who doubt the severity of the problem of protecting our critical infrastructures. There are still others who acknowledge the problem, but intend to do nothing until a major incident -- such as a "digital Exxon Valdez" or a "cyber Bhopal" -- forces them to do so. Overcoming such obstacles will be a measure of your leadership, and of the government's.
That a terrible incident has not yet occurred is precisely why you and the rest of industry have a golden opportunity now to shape the public policy landscape. Once such an event occurs, the specter of government regulation, and civil litigation, will not be far behind. The fact that new laws and regulations might be ill conceived or ill advised may not be a bar to their passage, especially if lawmakers and regulators conclude that industry is incapable of self-governance in this area.
So, it is my hope that with conferences such as today's, we can work together in charting a more constructive course and promoting effective corporate governance solutions before they are thrust upon us. I thank you, and I wish you good luck in today's proceedings.
In April of 2002 the Bureau of Export Administration (BXA) changed its name to the Bureau of Industry and Security(BIS). For historical purposes we have not changed the references to BXA in the legacy documents found in the Archived Press and Public Information.