js-397: Remarks by <script type="text/javascript"> var wmNotice = "UNT Web Archive - External links, forms, and search boxes may not function within this collection. Url: http://ustreas.gov/press/releases/js397.htm time: 0:12:28 Sep 17, 2008"; var wmHideNotice = "hide"; var contextRoot = "https://webarchive.library.unt.edu/eot2008/"; </script> <script type="text/javascript" src="https://webarchive.library.unt.edu/eot2008/js/disclaim.js"></script> <br>Michael A. Dawson<br>Deputy Assistant Secretary for<br>Critical Infrastructure Protection and Compliance Policy<br>To<br>Protecting the Financial Sector – A Public and Private Partnership<br>Chicago, Illinois<br>Protecting Critical Financial Infrastructure



	FROM THE OFFICE OF PUBLIC AFFAIRS May 21, 2003 js-397 Remarks by Michael A. Dawson Deputy Assistant Secretary for Critical Infrastructure Protection and Compliance Policy To Protecting the Financial Sector – A Public and Private Partnership Chicago, Illinois Protecting Critical Financial Infrastructure I would like to begin by thanking the Federal Deposit Insurance Corporation for its leadership in helping to organize this event. The turnout has been tremendous. In the weeks leading up to this event, I am told, we had to abandon plans to hold the meeting in a room that would hold a mere 200 people. We had to accommodate more. That is a testament to the fine job that the FDIC has done in putting this event together. Thank you, Chairman Powell, Michael Zamorski, and Karl Krichbaum, for your leadership. It is also, of course, a testament to all of you in the audience today. All of you took time out of busy schedules to come learn more about what the government and the private sector are doing to protect our critical financial infrastructure. I appreciate your commitment. I know that you have work to do, customers to serve. Our job is to make sure that we share enough information during these sessions to make your investment of time worthwhile. We will do our best. Needless to say, the strong turnout is no surprise. Chicago's leadership in homeland security is well known. Just last week, Chicago and Seattle showed great leadership by hosting exercises simulating terrorist attacks and testing government and private sector responses to those tasks. I participated in exercises for the Treasury Department in Washington, and was impressed by what I saw Chicago do, learn, and teach other Americans. I wish to highlight two other examples of Chicago's leadership. The first is the fine work done by Chicago Office of Emergency Management and Communications Executive Director Cortez Trotter. During my last trip to Chicago, I met with Director Trotter. I saw the hard work he and his team are accomplishing at Chicago's emergency coordination center. Recently, Director Trotter established a desk within that center for representatives of Chicago's financial community. That means that during emergencies, Chicago's financial community will be able to share information on a real-time basis with first-responders, government officials, utility officials, and others. This can be crucial to protecting the employees of Chicago's financial institutions, protecting the institutions' customers, and to speeding recovery efforts in the event of a disruption. Thank you, Director Trotter, for your leadership. You have made Chicago's financial infrastructure safer. I also wish to thank the Options Clearing Corporation for the leadership it has shown. The OCC has been generous with its time and information – not just with me, but with others in the Chicago financial community. Vice Chairman Hender, you and your team have led by example, and done important work to protect your employees and your customers. Ro Kumar has generously committed his time and expertise to the Financial Services Sector Coordinating Council – more about that later. And, lest you need any assurance, you are extremely well-represented in Washington by Susan Milligan. Thank you for your leadership. I will focus my remarks on some of the principles that guided the Department of the Treasury during and after the attacks of September 11. These principles continue to guide us as we work to prevent future attacks; to minimize vulnerabilities to attacks; and to prepare to recover from attacks, should they occur. I will explain what these principles mean for national-regional cooperation, focusing on our efforts to improve information sharing. Guiding Principles Every thing that we do at Treasury to protect the critical financial infrastructure is guided by a few important principles. I will talk about three, although there are others. First, as the President has said, the highest responsibility of government is the protection of its citizens. We are devoted to protecting the critical financial infrastructure, because it is essential to meeting that responsibility. For one thing, the most important component of our financial infrastructure is the people who make it work. We must protect the safety of the tellers, loan officers, traders, and technicians that make up our financial infrastructure. Americans trust these employees with their money. Financial services employees, in turn, trust us with their lives. We have a profound obligation to keep these employees safe. For another thing, Americans depend on the critical financial infrastructure to make the economy work and grow. As Treasury Secretary Snow has said, the financial system is the engine of our free enterprise economy. We have to protect this engine so that it can continue to support growth in the American economy, so that it can continue to create jobs for American workers. It is hard to overstate our dependence on the financial infrastructure. We depend on it to receive our paychecks; to withdraw cash from an ATM; to pay for our groceries with cash, check, debit cards, or credit cards; to finance the purchase of a house or a car; to save for our children's education; to plan for a secure retirement. Americans have confidence in our financial infrastructure. And they should. Our financial infrastructure is the most resilient in the world. Our job is to keep it that way, to ensure the resiliency of the infrastructure in the face of evolving threats. Second, we are committed to ensuring that our financial institutions continue to function even during – especially during – times of stress. Of course, the physical safety of your employees and customers comes first. But absent a specific and credible threat to physical safety, it is important for financial institutions and markets to continue to operate as close to business-as-usual as possible. There are several important reasons for this. One is that it is precisely during times of stress that Americans need the financial system most. As I mentioned earlier, just last week Chicago participated in an exercise involving a hypothetical biological attack. Think about what the public response to that would be. Think about how much worse it would be if people could not withdraw cash from ATM machines, if hospitals could not pay employees or suppliers. The same is true of our markets. During times of stress, investors need to price the impact of that disruption on assets. The longer they are prevented from pricing the impact, the more anxiety builds and the worse the consequences will be, we believe, when markets eventually re-open. A third guiding principle is that we want to promote decentralized decision-making and problem-solving, both as we prepare for disruptions and as we weather them. We favor a cooperative, public-private partnership as we work together to protect our financial infrastructure. In the event of a disruption to the payment system, for example, we want the subject matter experts in payments systems to fix it. We don't want them to wait for guidance from Treasury on how to fix it. Just fix it. You are in the best position to determine what steps you should take to protect your employees and your customers. We will help where we can, but we intend to stand out of the way and let the financial institutions and the regulators that are closest to the problems find the solutions. These principles have important implications for national-regional cooperation. State and local governments are, of course, right here, right now. Financial institutions are closer to their employees and customers than we are in Washington. We often think of state and local officials as first responders – rescuing and treating victims after an attack. I suggest to you that in many instances, state and local authorities and private financial institutions may be first protectors as well. It may be a local policeman who notices something suspicious about a truck. It may be state and local police who are the first on the scene to protect a component of our critical infrastructure after we learn of a specific and credible threat against it. It may be – indeed, it almost certainly is – the private financial institution that is in the best position to correct vulnerabilities in its systems before worms, viruses, or bugs infect. I saw this first hand yesterday. Several weeks ago, a critical financial institution approached Treasury with a simple question. What's the plan? What is the plan for a coordinated federal, state, and local response to protect the critical institution if a specific and credible threat against it were to emerge? I had to confess to this important institution that there was no specific plan for coordinating a federal, state, and local response, despite its importance. As later became clear, many of agencies who would be involved in protecting the institution did, in fact, have a plan for what they would do. But this was not always the case. And those agencies that had a plan had not coordinated that plan with all of the agencies that they needed to. Treasury made this institution a deal. We agreed to jointly host an all day exercise where we would outline a coordinated plan. We brought everyone together, every agency that would likely have a role in protecting the institution. We had the local police department, the county sheriff, the state police, the governor's office, the state attorney general's office, the Federal Bureau of Investigations, the Bureau of Alcohol, Tobacco and Firearms, the United States Secret Service, the Homeland Security Council, the Homeland Security Department, appropriate financial regulators, representatives from the intelligence community, and many others. We hired a first rate consulting firm to conduct a "war game" – an exercise in which this collection of protectors was presented with a hypothetical specific and credible threat. We reacted to this hypothetical threat and documented our reactions. From this exercise, we will develop a plan and answer the institutions request. One thing that was clear from the exercise was that the state and local authorities would be the first protectors on the scene. They would be the ones with detailed knowledge about the institution and its environs: where the nearest airports are, not just the big ones, but the smaller regional and municipal airports; where the nearest railroad tracks are; where the water and sewer accesses are; where the central offices are through which the institution's telecommunications lines are routed; where the electrical substations are; and so forth. It was also clear that the institution would have to actively participate in its own protection, working with local authorities to help them identify vulnerabilities and to find ways of carrying on their business despite the increase in physical security. Given their important role as first protectors, the federal government should work to share timely threat information with state and local law enforcement authorities and, where possible, with the private sector. One of my responsibilities is to help make sure this happens for information relating to the critical financial infrastructure. There are several ways that we are trying to improve information sharing between the federal government and first protectors – state and local authorities and the private sector. For example, the President established the Financial and Banking Information Infrastructure Committee, the FBIIC. This Committee is now sponsored by the President's Working Group on Financial Markets – an interagency task force lead by Secretary Snow, Chairman Greenspan, Chairman Donaldson, and Chairman Newsome –Treasury chairs the FBIIC. Its members include the Federal Reserve Board, the Securities and Exchange Commission, the Commodity Futures Trading Commission, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the National Credit Union Administration, and the Office of Federal Housing Enterprise Oversight. It includes state authorities as well – the Conference of State Banking Supervisors, and the National Association of Insurance Commissioners. One of the things that we use the FBIIC for is as a mechanism to evaluate and share available threat information. For example, Treasury has installed secure telecommunications equipment and arranged for appropriate security clearances for personnel in the members of FBIIC, so that we can effectively share sensitive and even classified information. Where appropriate, we can share information with an individual institution, in the case of a specific and credible threat against a specific institution, or with the financial sector more generally. Another important mechanism for sharing information is the Financial Services Sector Coordinating Council. The Council is led by Rhonda MacLean, a senior executive with Bank of America. Treasury appointed Ms. MacLean last June. She has done an outstanding job. Over two dozen financial services trade associations have joined the council. Among many other things, the Council has worked to collect and disseminate considerations for private institutions to bear in mind in the event that the threat advisory level is at some point in the future raised to red. The Council is also working to construct a repository of table-top exercises, war-games, and tests. This repository will provide a central source for the industry to learn what is happening in the critical financial protection area. In the future, the repository will be a useful tool as we move to more coordinated, inter-institutional testing and planning. Our hope is that we can improve from the situation we have today, in which many well-intentioned exercises are taking place, but without much coordination between exercises. We need to improve coordination so that the exercises build on each other and, over time, systematically improve the resiliency of the industry as a whole. The government and the private sector did a good job of coordinating the planning, preparation, and testing for Y2K. We hope we can replicate that experience in this context. A third mechanism for sharing information is the Financial Services Information Sharing and Analysis Center, the FS/ISAC. Under the leadership of Suzanne Gorman, a senior executive at the Securities Industry Automation Corporation, the FS/ISAC has emerged as a leader in information sharing. For example, many of you will remember that in January of this year a worm called Slammer rocketed around the internet. The FS/ISAC was instrumental in alerting the financial services sector to this threat. We believe that the FS/ISAC was largely responsible for the fact that the financial sector experienced relatively low disruption from the worm. Each sector has an ISAC, and I am proud of the fact that the Financial Services ISAC was both the first and the best. I am even more proud of the vision that Ms. Gorman has shown to enhance the value proposition of the FS/ISAC by expanding its membership base; improving cross-sectoral information sharing; and working to encourage members to contribute more information, not just receive it. Treasury was pleased to devote resource to the FS/ISAC as it planned these improvements. We look forward to supporting the FS/ISAC as it implements its next phase. Already, I am told by Homeland Security officials that they regard the FS/ISAC's vision as a model that other ISACs can look to and learn from. These are some of the ways that we work to share information among the federal government, state and local government, and the private sector. It is our biggest challenge. Without effective information sharing, state and local authorities can be only first responders – arriving on the scene after attacks. We cannot afford that. We must ensure that state and local authorities and the private sector have the opportunity to serve as first protectors, disrupting and preventing attacks before they occur.