Where Industry and Security Intersect
What's New | Sitemap | Search
Thank you very much. It is a pleasure to be here today. I would like to extend my sincere appreciation to Attorney General John Cornyn for holding what will be the first in a series of conferences on critical infrastructure assurance and community partnerships.
You might ask why someone with the title "Under Secretary of Commerce for Export Administration" would speak on critical infrastructure assurance and homeland security. The term "Export Administration" in my title is really a bit misleading. The Bureau of Export Administration actually handles a range of issues at the intersection of industry and national security. Our mission is to protect U.S. national and economic security, while at the same time seeking to further U.S. economic interests.
Critical infrastructure assurance and homeland security are important aspects of our mission. I actually serve as the Commerce Department’s representative on the President’s Critical Infrastructure Protection Board, as the Chairman of the Board’s Standing Committee on Private Sector and State and Local Government Outreach, and as the official designated within the Commerce Department to coordinate all homeland security activities. Along with my colleagues, I have been devoting a substantial amount of time to these issues, especially in the wake of the terrorist attacks of September 11.
Those attacks have had a profound effect on all of us. They may well be ushering in a new era of U.S. foreign policy. And they certainly have changed the way many of us think about globalization, economic security, and what we now call homeland security.
I would venture to say that, prior to September 11, most people here would have thought of globalization primarily in terms of increased economic integration throughout the world -- whether it be increased trade, increased flows of information and capital, increased foreign investment, or increased mobility of labor and the means of production. I also think it is fair to say that, prior to September 11, most of us would have viewed globalization as an overwhelmingly positive force, contributing greatly to our economic prosperity. After all, the decade of the nineties was one of unprecedented economic growth and the enormous generation of wealth that resulted, in large part, from increased economic interaction and trade. Under these circumstances, protecting economic security usually meant maintaining access to global markets and supplies of critical resources by promoting free and fair trade.
September 11, however, brought into focus another important dimension of globalization -- the collision of cultural and political values that often occurs between people from different societies and countries. Indeed, with globalization, we can no longer safely assume that problems that may seem far away from our country will not affect us. September 11 made it clear, once again, that there are extremists in the world that reject freedom, modernization, social diversity, and political pluralism. For many of these terrorists -- including Osama bin Laden and al-Qaeda -- the targets of attack focus on our economy and our way of life. In his taped messages, bin Laden has called for strikes against key sectors of the U.S. economy "through all possible means." Indeed, there is now specific evidence that al-Qaeda has obtained detailed information about U.S. power plants, dams, and other key infrastructure assets.
These actions indicate more than a desire by the terrorists to destroy the material resources of the American economy; they imply a fundamental contempt for American values and the American character. The aim of the terrorists is as simple as it is twisted: They want to destroy what is uniquely and quintessentially American in the hope that our economy and national power will collapse, compelling us to abandon our global engagement.
That is why homeland security must involve much more than protecting life and property within the borders of the United States from terrorism, though that is unquestionably of paramount importance. Homeland security also must involve preserving our way of life despite the fact that terrorist attacks may periodically find their mark. Nothing would please our enemies more than for the United States to become repressive, protectionist, and insular in response to terrorist attacks. But homeland security should not mean isolationism. And economic security must not now be seen as somehow incompatible with globalization.
To the contrary, we seek to secure our homeland precisely so that we can enjoy the full benefits -- economic and otherwise -- of globalization. Homeland security and globalization are the flip sides of the same coin. One should not come at the expense of the other. Homeland security means government, industry, and the public working together to defend our way of life so that we can continue to enjoy our freedoms at home and advance our interests abroad. By taking steps to secure ourselves -- from the national level right down to the community level -- we will better enable ourselves to maintain our global involvement, to preserve our open and dynamic economy, and to conduct ourselves in a manner that is fully consistent with our core values and beliefs.
Critical infrastructure assurance is an essential element of our overall approach to homeland security. As many of you know, critical infrastructures refer to those industries, institutions, and distribution networks that provide a continual flow of goods and services essential to the nation’s defense and economic security, the functioning of its government, and the welfare of its citizens. These infrastructures relate to information and communications; electric power; oil and gas storage and distribution; banking and finance; transportation; water supply; and emergency assistance. They are the enablers of economic activity, as well as essential to the delivery of vital government services. That is why they are deemed "critical" -- because their disruption could have a debilitating regional, national, or even international impact.
Protecting our critical infrastructures from disruption is not a new concept. The need to manage the risks arising from physical attacks and service disruptions has existed for as long as there have been critical infrastructures. However, as a result of advances in information and communications technology, there is a threat to critical infrastructures that goes beyond that of physical attacks. Each of the infrastructure sectors increasingly relies on shared information systems and networks for its operations. The very information systems and networks that facilitate commerce also leave us increasingly vulnerable to a new type of threat -- that of cyber attacks. And the interconnected nature of our infrastructure sectors significantly magnifies the consequences of service disruptions. Disturbances originating locally or in one sector are more likely than ever before to cascade regionally or nationally and affect multiple sectors of the economy.
While we witnessed on September 11 a physical attack directed at our financial infrastructures, we also must be concerned about our vulnerability to cyber attacks. I refer to potential cyber attacks not as weapons of mass destruction, but as weapons of mass disruption. One person with relatively little training, inexpensive equipment, and access to the Internet has the potential through cyber attack to wreak havoc on an entire network or infrastructure. Securing the nation’s critical infrastructures against cyber attacks goes well beyond the government’s traditional role of physical protection through defense of national airspace and national borders. Because there are no boundaries in cyberspace, and because approximately 90 percent of the nation’s critical infrastructures are privately owned and operated, government action alone cannot secure them. Only an unprecedented partnership between private industry and government will work.
Our preferred approach is to promote market rather than regulatory solutions in managing the risks posed to critical infrastructures. One of my jobs is to raise awareness that massive disruptions due to deliberate cyber attacks are a risk management problem that companies must solve, with government playing a supporting role. Part of this task involves translating our concerns into terms that corporate boards and CEOs will understand. The basic message is that critical infrastructure assurance is a matter of sound corporate governance, and corporate boards, as part of their duty of care, must provide effective oversight of the development and implementation of appropriate security policies and practices.
Securing critical infrastructure must therefore become as integral a part of a company’s strategic planning and operations as is marketing or product development. Companies must institutionalize the process of identifying critical assets, assessing their vulnerabilities, and managing the risks associated with these vulnerabilities. Security -- including cyber security -- is now essential to business assurance and continuity. Corporate America cannot outsource this function to federal, state, or local government. And regulation cannot ensure proper implementation of cyber security within complex organizations. In the final analysis, only with the major contribution coming from the private sector can we secure the national economy from the threat of massive cyber-based attacks.
One of the biggest challenges facing government and industry is not only securing our critical assets, but working together to manage public and market expectations so that terrorist attacks that may temporarily damage our infrastructures do not result in widespread disengagement from economic activity. In my view, it is this disengagement, as much as, or perhaps more than the actual destruction of economic assets, that poses the greatest risk to our national economic security. Economic security, ultimately, is not about eliminating the risk of terrorism, but about maintaining an orderly functioning national economy notwithstanding terrorist attacks.
To be sure, much of what I have said addresses matters that are national and global in scope. But there is an old saying in business that directly applies to our concerns about critical infrastructure assurance -- "think globally, act locally." In the final analysis, all disasters are local. That was certainly the case on September 11. If we are truly to secure the nation’s homeland, we must proceed by securing our respective communities, one by one.
Indeed, the community represents an essential focal point for building a foundation for any national initiative that seeks to influence the public. All of us live in communities and look to the community for leadership to assure our safety, our economic opportunities, and our quality of life. The first people on the scene in a crisis are not the feds, but the local emergency response teams. We need leadership at the local level to survive terrorist attacks. Public confidence starts in the community and is dependent on how well the community plans ahead, responds to crises, and reestablishes order from chaos. It was not by accident that the public "face" in New York and Washington, D.C. on September 11 and in the days thereafter was the mayor of each of these cities.
Despite the horror and devastation of September 11, New York, Pennsylvania, and Virginia demonstrated just how well this nation’s communities can respond to serious crises. If it were not for the brilliant planning and execution of both the state and local governments and locally-based companies, the consequences of the September 11 disaster would have been far, far worse. It is important that we capture -- and make widely available -- the lessons learned and best practices arising from the experiences of those who were on the front lines during the hours, days, and weeks that followed the attacks. That is the ultimate purpose of this Conference as well as the ones that will follow -- to compile and publish a compendium of successful practices that can be used by other communities to enable them to benefit from the experiences of those who were on the front lines on September 11.
I must say that I am very impressed by the quality of presentations and discussion that took place yesterday. We are off to a great start in identifying those practices that worked -- and those that did not -- for the benefit of other state and local leaders who want to ensure that their communities are prepared to respond to a terrorist attack.
In the end, the events of September 11 have made clear that, with globalization, we all now find ourselves on the front lines of U.S. national and economic security. Terrorists seek to undermine confidence in our public and private institutions and in our ability to manage the consequences of their attacks. In response, the federal government must work collaboratively and in partnership with state and local governments, with the private sector, and with local citizens. To the extent that government and private industry are believed to be doing everything within reason to protect the public from harm, the public’s confidence in its institutions will remain intact despite such attacks. We can have the best national strategy for homeland security that the most brilliant minds in Washington can devise, and yet we will fail in our endeavor if local communities do not meet the immediate challenges of a terrorist disaster. Your work is essential to winning the war against terrorism. Only together can we reap the maximum economic benefits of globalization while still protecting ourselves and our country.
Thank you very much.