FROM THE OFFICE OF PUBLIC AFFAIRS

I am delighted to have this opportunity to speak to you today about some of the policy developments and challenges that face those of us working in and with the high tech industry. The Women in High Tech Coalition, I can safely predict, will thrive because the challenges are infinite and the need for collaboration among leaders limitless. I particularly want to thank Jessica Wasserman for inviting me to share some of my recent experiences with you.

As background, let me say that I have spent many years working in the financial sector, at the New York Stock Exchange and as Commissioner for the Commodity Futures Trading Commission, for example. In these positions I witnessed technological innovations in the office, the trading room, back office operations, information management, and in other aspects of communication and financial transactions. I also saw financial tumult in U.S. and foreign markets during my career, and like the rest of you, lived through economic cycles of growth and contraction.

All of this was useful experience for the new challenge I undertook last July when I became Treasury Assistant Secretary for Financial Institutions. I also had the good fortune to join an experienced Treasury team dedicated to the financial and economic prosperity of the country, led by a Secretary, who by his own admission, is results oriented.

With the horrors of September 11 came a sudden reordering of priorities within the Administration, and at Treasury. I would like to focus my remarks on one aspect of the work in which I am involved that has taken on new urgency in recent months, namely, the protection of the critical financial infrastructure of the nation.

During the past few months I have spent a great deal of time thinking about and working on ways to secure the technology and systems that comprise our national financial infrastructure. This is not a job that industry can do alone, nor is it a purely governmental function. It requires collaboration, coordination, focus and planning.

In 1997 a presidential commission studied the vulnerabilities of critical sectors of the economy to non-traditional threats, principally cyber and terrorist threats. Based in part on the commission's findings, a 1998 Presidential Decision Directive (PDD 63) directed Treasury to coordinate with the financial sector to mitigate the vulnerabilities facing the financial sector and to develop plans for ensuring the continuity of operations and rapid recovery of critical financial assets in the event of attack.

By 2001 the Treasury/industry partnership had established a Banking and Finance Sector Coordinating Committee, created the Financial Services Information Sharing and Analysis Center (FS/ISAC), opened a Financial Services Security Laboratory to provide ex ante security standards for new technologies, and prepared a national plan for critical infrastructure protection in the sector.

The challenge grew exponentially following the unimaginable events of September 11. Instantly, we learned that the focus on cyber security was insufficient, and that government needed to play a more active role.

On balance, the financial sector responded well, due in no small measure to the preparatory work done for Y2K. For the most part, major financial institutions activated their business continuity plans, and banking and payment systems remained open for business. Debt and equity markets reopened the following week, thanks to the collaborative efforts of financial regulators and market players.

Clearly, however, we needed greater coordination between industry and all levels of government. There was no central, authoritative source of information on the system as a whole, and no list of key contacts, for example. We also needed to bring front-line and local authorities into closer coordination with key federal and industry officials. In addition, it appeared that small- and medium-sized institutions and state regulators were less well prepared than major financial institutions and federal authorities.

On October 16, President Bush issued Executive Order 13231, Critical Infrastructure Protection in the Information Age. That order established the Critical Infrastructure Protection Board to coordinate federal efforts and programs that relate to protection of information. It also established 10 standing committees. I chair the Financial and Banking Information Infrastructure Committee, the FBIIC. All of the federal financial regulators serve on that committee, that is, the federal bank, thrift, and credit union regulators, together with the Securities and Exchange Commission and the Commodity Futures Trading Commission. In the coming months we will develop a system for rapidly communicating and disseminating information among Treasury and the federal financial regulators at times when minutes are crucial.

We will also undertake regular, periodic, and comprehensive assessments of critical infrastructure vulnerabilities in the financial services sector. Remember, the last major vulnerability study for the sector was completed in 1997. A great deal of technological innovation has occurred since then, for example, through global accessibility to the ubiquitous Internet and the exponential improvements in computer capabilities at ever decreasing costs.

Technology advances have also made financial firms more vulnerable in some important ways. Transactional web sites are a doorway for hackers, as we know too well, and computer and data centers have grown more concentrated and potentially more vulnerable as a result. We have also experienced skill shortages in some areas, and must face the daunting fact that redundant systems may require duplicative workforces to maintain and operate them.

Looking further ahead, we need to develop a comprehensive crisis management capability. In addition to vulnerability assessment, we must consider scenario analysis, contingency planning, gap analysis, and response and recovery procedures. Regulators, like the institutions they regulate, need to review their continuity of operations plans in light of the evolutionary developments of recent years and the specific lessons learned from the September 11 attack.

We will need to reach out to our counterparts in foreign governments who are facing the same challenges. Through bilateral and multilateral exchanges of information and working relationships we will strengthen our global financial infrastructure and promote quick and certain recovery of lost capabilities should the unthinkable happen.

Technology, I find, is both a means to achieving security objectives and an end in itself, for it is the sophisticated financial networks, systems, and components that we need to secure. Security, we know, relies upon the timely and effective sharing of information.

Information sharing about vulnerabilities, threats, intrusions and anomalies is crucial to a successful government-industry partnership for critical infrastructure protection. There are legislative proposals from Senators Bennett and Kyl, for example, as well as a similar House bill, aimed at mitigating industry's concerns about any potential adverse consequences of sharing information with other companies and with the government. Businesses feel they could be vulnerable to litigation for anti-trust or other anti-competitive practices, that sensitive corporate information could be released publicly through the Freedom of Information Act, or that they may face other liabilities. Treasury has some questions about the practical implications of such legislation, but we have indicated our willingness to Congress, the Department of Justice, and other interested parties in government and industry on trying to encourage effective information sharing.

The ultimate objective of all of these efforts is to preserve and protect the physical and technological security of our nation's critical assets. In the wake of the Enron debacle, another type of security - Americans' retirement security - has assumed center stage among our nation's leadership. The President has expressed his strong, personal concern that Enron employees lost their life savings through no fault of their own. These events have wide-ranging repercussions causing concern among the millions of Americans whose life savings are in their 401(k) and pension plans.

As you know, the Justice Department is pursuing a criminal investigation. The Department of Labor and the Securities and Exchange Commission are also conducting separate investigations for potential violations of their regulations.
If anyone at Enron broke the rules, they will be punished.

At the same time, we need to look at the policy issues presented by the Enron case. We need to determine whether the rules that apply to 401(k)s, pensions, and other types of retirement plans are adequate to ensure that individuals do not lose control over the life savings they own. We also need to review whether accurate information is available so that individuals can make wise saving and investment decisions. Women, given their longer life spans and the fact that they are more likely to take time off from the paid workforce to tend to family responsibilities, have a particular interest in assuring that retirement rules are adequate.

Last Thursday the President directed the Secretaries of Treasury, Commerce, and Labor to convene a working group to analyze pension rules and to develop recommendations to strengthen retirement security. That working group has already begun its work. We will look at a broad range of issues, including the rules governing diversification, temporary lock out, and the availability of information to employees.

We must ensure that the rules enhance opportunities for individuals to invest in our economy and ensure that their ownership of their life savings is protected. For individuals to make the best possible decisions, they must know that the rules prevent anyone from taking those decisions away from them.

Whether in government or the private sector, we operate in a dynamic business world. It is a global environment, influenced by events, often beyond our control, an information tidal wave that challenges and expands our intellectual capacity, and a domestic economic and political setting that is in a constant state of adaptation.

Whatever role you play in this high tech arena, whatever your background, you will find it is people working together who will have the greatest success. You have demonstrated your understanding of this in establishing the Women in High Tech Coalition. I wish you well and thank you for this opportunity to meet with you.