Statement for the Record of Ronald L. Dick,
Director, National Infrastructure Protection Center
Federal Bureau of Investigation
Before the
Senate Committee on Governmental Affairs

October 4, 2001

Mr. Chairman, Ranking Member Thompson, and members of the committee, thank you for inviting me here today to testify on the topic, “Critical Infrastructure Protection: Who’s in Charge?” Holding this hearing demonstrates your individual commitment to improving the security of our critical infrastructures and this committee's leadership on this issue in Congress.  Our work here is vitally important because the stakes involved are enormous.  The September 11 attacks on the World Trade Center and Pentagon have demonstrated how a significant disruption to the transportation industry or any other critical infrastructure will certainly have a ripple effect on others.  My testimony today will address our role in protecting the Nation’s infrastructures and how we coordinate with other entities.

 As set forth in Presidential Decision Directive 63, the mission of the NIPC is to provide “a national focal point for gathering information on threats to the infrastructures” and to provide “the principal means of facilitating and coordinating the Federal Government’s response to an incident, mitigating attacks, investigating threats and monitoring reconstitution efforts.”  The Directive defines critical infrastructures to include “those physical and cyber-based systems essential to the minimum operations of the economy and government,” to include, without limitation, “telecommunications, energy, banking and finance, transportation, water systems and emergency services, both governmental and private.”  The NIPC is the only organization in the federal government with such a comprehensive national infrastructure protection mission.  The NIPC gathers together under one roof representatives from, among others,  the law enforcement, intelligence, and defense communities, who collectively provide a unique analytical perspective to threat and incident information obtained from investigation, intelligence collection, foreign liaison, and private sector cooperation.  This perspective ensures that no single "community" addresses threats to critical infrastructures in a vacuum; rather, all information is examined for its potential for simultaneous application to security, defense, counterintelligence, terrorist or law enforcement matter.

While developing our infrastructure protection capabilities, the NIPC has held firm to two basic tenets that grew from extensive study by the President's Commission on Critical Infrastructure Protection.  First, the government can only respond effectively to threats by focusing on protecting assets against attack while simultaneously identifying and responding to those who nonetheless would attempt or succeed in launching those attacks.  And second, the government can only help protect this nation's most critical infrastructures by building and promoting a coalition of trust, one . . . amongst all government agencies, two . . . between the government and the private sector, three . . . amongst the different business interests within the private sector itself, and four . . . in concert with the greater international community.  Therefore, the NIPC has focused on developing its capacity to warn, to investigate, and to build partnerships, all at the same time.  As our techniques continue to mature and our trusted partnerships gel, we will continue to witness ever-better results.

 Over the past three years, we cultivated a number of initiatives that have developed into increased capabilities, all of which are being actively used to mitigate the terrorist threat and to prepare our response to the events of September 11th.  The NIPC has developed InfraGard into the largest government/private sector joint partnership for infrastructure protection in the world.  We have taken it from its humble roots of a few dozen members in just two states to its current membership of over 2,000 partners.  It is the most extensive government-private sector partnership for infrastructure protection in the world, and is a service we provide to InfraGard members free of charge.  InfraGard expands direct contacts with the private sector infrastructure owners and operators and shares information about cyber intrusions and other critical infrastructure vulnerabilities through the formation of local InfraGard chapters within the jurisdiction of each of the 56 FBI Field Offices and several of its Resident Agencies (subdivisions of the larger field offices).

A key element of the InfraGard initiative is the confidentiality of reporting by members.  The reporting entities edit out the identifying information about themselves on the notices that are sent to other members of the InfraGard network.  This process is called sanitization and it protects the information provided by the victim of a cyber attack.  Much of the information provided by the private sector is proprietary and is treated as such. InfraGard provides its membership the capability to write an encrypted sanitized report for dissemination to other members. This measure helps to build a trusted relationship with the private sector and at the same time encourages other private sector companies to report cyber attacks to law enforcement.

InfraGard held its first national congress from June 12-14, 2001.  This conclave provided an excellent forum for NIPC supervisors and InfraGard members to exchange ideas.  InfraGard's success is directly related to private industry's involvement in protecting its critical systems, since private industry owns almost all of the infrastructures.  The dedicated work of the NIPC and the InfraGard members is paying off.  InfraGard has already prevented cyber attacks by discreetly alerting InfraGard members to compromises on their systems.  On May 3, 2001, the InfraGard initiative  received the 2001 WorldSafe Internet Safety Award from the Safe America Foundation.

The NIPC also reaches out to the entire public with its website at nipc.gov, which to date has provided systems administrators and home users alike with significant warnings about cyber threats and vulnerabilities.  As recently as last week, we provided information systems security advice through our website,  InfraGard, and our other partnerships, to better protect the public from the Nimda worm.  In fact, based on our prior responsiveness to the Code Red worm and our joint efforts with the private sector in publicizing preventive measures that business and home users could put in place, we believe the impact of the Nimda worm, which took advantage of similar software vulnerabilities as Code Red, was significantly reduced. 

Our website  provides the public with the ability to report computer attacks and intrusions online, simply by filling out and submitting an Incident Reporting Form.  The NIPC also provides timely information on cyber vulnerabilities, hacker exploit scripts, hacker trends, virus information, and other critical infrastructure best practices through its bi-weekly publication Cybernotes.  The NIPC provides policy and decision-makers information about current events, incidents, developments and trends related to critical infrastructure protection through its monthly publication called Highlights and, more significantly, by bringing groups together to meet on important issues.  We have established these and other mechanisms to promote meaningful two-way communication with the public, and they are seeing active use.

The NIPC's Watch Center operates around the clock and communicates daily with the Department of Defense and its Joint Task Force for Computer Network Operations (JTF-CNO).  The Watch Center is also connected to the Watch Centers of several of our close allies. U.S. Army Major General Dave Bryan, Commander of the JTF-CNO, recently remarked that, "The NIPC and JTF-CNO have established an outstanding working relationship.  We have become interdependent, with each realizing that neither can totally achieve its mission without the other."  I couldn't agree more.  The NIPC's ability to fulfill the expectations and needs of its Department of Defense component is achieved by the inter-agency structure of the Center, which includes the NIPC's Deputy Director Rear Admiral James Plehal, USNR, and the NIPC's Executive Director, Steven Kaplan, a Supervisory Special Agent from the Air Force Office of Special Investigations.  The Section and Unit Chiefs in the Computer Investigation and Operations Section and the Training, Outreach, and Strategy Section are from the FBI.  The Assistant Section Chief for Training, Outreach and Strategy is detailed from the Defense Criminal Investigative Service, and the Unit Chief of ISAC Support and Development is a senior CIA analyst.  The Section Chief of the Analysis and Warning Section is from the CIA and his deputy is a senior FBI agent.  The head of the NIPC Watch and Warning Unit is reserved for a uniformed service officer, and the head of the Analysis and Information Sharing Unit is staffed by a National Security Agency manager. The Center's staffing demonstrates our desire for broad, high-level, multi-agency ownership of the NIPC and our collective commitment to achieve meaningful and effective coordination across the law enforcement, intelligence, defense, and other critical government operations communities.

 Within the Center, the NIPC has full-time representatives from a dozen federal government agencies, led in number by the FBI and the Department of Defense, as well as from three foreign partners:  the United Kingdom, Canada, and Australia.  We are also strong partners with the General Services Administration's Federal Computer Incident Response Center, FedCIRC, in order to further secure our government technology systems and services.  We also team up regularly with the CIA and NSA to work on matters of common concern.  In addition to interagency participation, the NIPC has established information sharing connectivity with a number of foreign cyber watch centers, including in the UK, Canada, Australia, New Zealand, and Sweden.  And, we continue to take advantage of the FBI's global presence through its Legal Attache offices in 44 nations.

Our multi-agency team works with Information Sharing and Analysis Centers (ISAC’s) throughout the country, including those that represent the Financial Services Sector, the Electric Power Sector, the Telecommunications Sector, and the Information Technology industry.  In addition to these private sector partners, we have provided threat briefings to the Water, Oil and Gas, Financial,  Electrical Energy, Information Technology, Telecommunications, and  Railroad Sectors.  Since September 11^th, the NIPC has been providing sector briefings almost every day.  We are also connected with the 18,000 police departments and Sheriff's offices which bravely serve our nation daily and in times of crisis.  This past March the NIPC and the Emergency Law Enforcement Services Sector Forum completed the nation's Emergency Law Enforcement Sector Plan together with a "Guide for State and Local Law Enforcement Agencies."  This significant achievement represents the nation's first and only completed sector plan and it is being used as a model by the other critical infrastructure sectors.  Taken together, the Plan and the Guide provide our emergency law enforcement first responders with procedures that are immediately useful to enhance the security of their data and communications systems. 
                                                                                                                               
While the NIPC works diligently with its interagency and private sector partners, it has embraced other initiatives and fulfilled its role in leading the critical infrastructure protection effort.  This is evidenced by its coordinating actions as Chair of the Incident Response Sub-Group of the Information Infrastructure Protection and Assurance Group established by National Security Policy Directive-1.  The NIPC also routinely disseminates information through its participation in task forces and working groups that meet regularly. NIPC senior leadership participates in weekly senior level meetings to exchange strategic level information with the Assistant Secretary of Defense for Command, Control, Communication and Intelligence.  Further collaboration is demonstrated through the NIPC's designation as chair of one of the subcommittees that is revising the National Plan. 

While the NIPC has made great strides over the last three years, we recognize the need to do better, and we are working diligently to improve.  In a GAO report dated April 25, 2001, the NIPC was recognized as having an effective investigative training and InfraGard program.  In his prepared statement for the May 22, 2001 hearing, GAO's Director of Information Security, Mr. Robert F. Dacey, stated:

First, the NIPC has provided valuable coordination and technical support to FBI field offices, which have established special squads and teams and one regional task force in its field offices to address the growing number of computer crime cases. The NIPC has supported these investigative efforts by (1) coordinating investigations among FBI field offices, thereby bringing a national perspective to individual cases, (2) providing technical support in the form of analyses, expert assistance for interviews, and tools for analyzing and mitigating computer-based attacks, and (3) providing administrative support to NIPC field agents. For example, the NIPC produced over 250 written technical reports during 1999 and 2000, developed analytical tools to assist in investigating and mitigating computer-based attacks, and managed the procurement and installation of hardware and software tools for the NIPC field squads and teams.

Over the past three years, NIPC has provided training for more than 2,500 participants from federal, state, local and foreign law enforcement and security agencies.  The NIPC's training program complements training offered by the FBI's Training Division as well as training offered by the Department of Defense and the National Cybercrime Training Partnership.  Trained investigators are essential to our successfully combating computer intrusions.
                                                               
Enhancing Capacity for Strategic Analysis

The GAO recognized that the NIPC’s ability to completely achieve its mission was most affected by a shortfall of personnel resources.  Specific recommendations included enhancing capacity for strategic analysis.   I am pleased to report progress in this area.

We have established four strategic directions for our capability growth through 2005:  prediction, prevention, detection, and mitigation.  None of these are new concepts but NIPC has renewed its focus on each of them in order to strengthen our strategic analysis capabilities.   NIPC has worked to further strengthen its longstanding efforts on the early detection and mitigation of cyber attacks.  These strategic directions will be significantly advanced by our intensified cooperation with federal agencies and the private sector.  As the recent Leaves, Code Red and Nimda worm incidents demonstrate, our working relations with key federal agencies, like FedCIRC, NSA, CIA, and the Joint Task Force - Computer Network Operations (JTF-CNO), and private sector groups such as SANS, the anti-virus community, and the major Internet service providers and backbone companies have never been closer.  Our most ambitious strategic directions, prediction and prevention, are intended to forestall attacks before they occur.  We are seeking ways to forecast or predict hostile capabilities in much the same way that the military forecasts weapons threats.  The goal here is to forecast these threats with sufficient warning to prevent them.   A key to success in these areas will be strengthened cooperation with intelligence collectors and the application of sophisticated new analytic tools to better learn from day-to-day trends.  The strategy of prevention is reminiscent of traditional community policing programs but with our infrastructure partners and key system vendors. 

As we work on these four strategic directions:  attack prediction, prevention, detection, and mitigation, we will have many opportunities to stretch our capabilities.  With respect to all of these, the NIPC is committed to continuous improvement through a sustained process of documenting "lessons learned" from significant events.  The NIPC also remains committed to achieving all of its objectives while upholding the fundamental Constitutional rights of our citizens.

The NIPC is also enhancing its strategic analysis capability through the
“data warehousing and data mining" project.  This will allow the NIPC to retrieve incident data originating from multiple sources.  Data warehousing includes the ability to conduct real-time all-source analysis and report generation.

Enhancing Cooperative Relationships Among Federal Agencies
                                                                                                                               
The placement of the NIPC under the jurisdiction of the FBI endows the Center with both the authorities and the ability to combine law enforcement information flowing into the NIPC from the FBI field offices with other information streams derived from open, confidential, and classified sources.  This capability is unique in the federal government for reasons of privacy and civil rights. 

The NIPC has established effective information sharing and cooperative investigative relationships across the U.S. Government.   A written protocol was signed with the Department of Transportation's Federal Aviation Administration (FAA) which will reinforce how information is shared between FAA and NIPC and how that information will be communicated.  This protocol documents a long-standing informal process of information sharing between NIPC and FAA.  Informal arrangements have already been established with the Federal Communications Commission,  Department of Transportation’s (DOT) National Response Center, DOT Office of Pipeline Safety, Department of Energy’s Office of Emergency Management, and others, which allow the NIPC to receive detailed sector-specific incident reports in a timely manner.  Formal information sharing procedures should soon be completed with several other agencies, including the National Coordinating Center for Telecommunications and the Federal Emergency Management Agency’s National Fire Administration. 

The NIPC has developed into a truly interagency center and this in itself fosters cooperative relationships among agencies.  It currently consists of detailee from the following U.S. government agencies:  FBI, Army, Office of the Secretary of Defense, Air Force Office of Special Investigations, Defense Criminal Investigative Service, National Security Agency, General Services Administration, United States Postal Service, Department of Transportation/Federal Aviation Administration, Central Intelligence Agency, Department of Commerce/Critical Infrastructure Assurance Office, and a representative from the Department of Energy.  Canada, the United Kingdom, and Australia also each have a detailee in the Center. 

                                The NIPC functions in a task force-like way, coordinating investigations in a multitude of jurisdictions, both domestically and internationally.  This is essential due to the transnational nature of cyber intrusions and other critical infrastructure threats. 
                                To instill further cooperation and establish an essential deconfliction process among the investigative agencies, the NIPC asserted a leadership role by forming an Interagency Coordination Cell (IACC) at the Center.  The IACC meets on a monthly basis and includes representation from U.S. Secret Service, NASA, U.S. Postal Service, Department of  Defense Criminal Investigative Organizations (AFOSI, DCIS, NCIS, USACIDC), U.S. Customs,  Departments of Energy, State and Education, Social Security Administration, Treasury Inspector General for Tax Administration and the CIA.  The cell works to deconflict investigative and operational matters among agencies and assists agencies in combining resources on matters of common interest. The NIPC anticipates that this cell will expand to include all investigative agencies and inspectors general in the federal government having cyber or other critical infrastructure responsibilities.  As we noted on May 22, 2001, the IACC has led to the formation of several task forces and prevented intrusions and compromises of U.S. Government systems.  The IACC was instrumental in coordinating the augmentation of the PENTTBOM investigation in the aftermath of the September 11 attacks.
                                                                                               
                                Since 1998, the NIPC has been developing the FBI’s Key Asset Initiative, identifying over 5,700 entities vital to our national security, including our economic well-being.   The information is maintained in a database to support the broader effort to protect the critical infrastructures against both physical and cyber threats.  This initiative benefits national security planning efforts by providing a better understanding of the location, importance, contact information and crisis management  for critical infrastructure assets across the country.  We have  worked with the DoD and the CIAO in this regard.  Following the September 11, 2001, events and at  the request of the National Security Council, the NIPC has leveraged the Key Asset Initiative to undertake an all-agency effort to prepare a comprehensive, centralized database of critical infrastructure assets in the United States. 

                                The NIPC maintains an active dialogue with the international community, to include its participation in the Trilateral Seminar of the International Cooperation for Information Assurance in Sweden and the G-8 Lyon Group (High Tech Crime Subgroup).  NIPC has briefed visitors from a number of countries, including: Japan, Singapore, the United Kingdom, Germany, France, Norway, Canada, Denmark, Sweden, Israel, and other nations over the past year.  In addition, NIPC personnel  have accepted invitations to meet with government authorities in Sweden, Germany, Australia, the United Kingdom, and Denmark in recent months to discuss infrastructure protection issues with their counterparts.

                                The NIPC sends out infrastructure information to address cyber or infrastructure events with possible significant impact. These are distributed to partners in private and public sectors.  A number of recent advisories sent out by the NIPC (see for example Advisory 01-022, titled "Mass Mailing Worm W32.Nimda.A@mm”) serve to demonstrate the continued collaboration between the NIPC and its partner FedCIRC.  The NIPC serves as a member of FedCIRC's Senior Advisory Council and has daily contact with that entity as well as a number of others including NSA and DoD's Joint Task Force - Computer Network Operations (JTF-CNO).  On issues of national concern, the recent incident involving the Leaves, Code Red and Nimda worms are good examples of the NIPC's success in working with the National Security Council and our partner agencies to disseminate information and coordinate strategic efforts in a timely and effective manner.

Improving Information Sharing

                                The NIPC actively exchanges information with private sector companies, the ISACs, members of the InfraGard Initiative, and the public as part of the NIPC’s outreach and information sharing activities.  Through NIPC's aggressive outreach efforts, we receive reports from many ISAC member companies.  The NIPC has proven that it can properly safeguard their information and provide useful information in return.  This reporting is partially responsible for the issuance of more warning products each year.  

                                Over the past two years the NIPC and the North American Electric Reliability Council (NERC)—the ISAC for the electric power sector—have established an indications, analysis and warning program (IAW) program, which makes possible the timely exchange of information valued by both the NIPC and the electric power sector.  This relationship is possible because of a commitment both on the part of NERC and the NIPC to build cooperative relations.  In the days following the September 11 attacks, NIPC and NERC held daily conference calls.  The close NERC-NIPC relationship is no accident but the result of two interrelated sets of actions.  First, as Eugene Gorzelnik, Director of Communications for the NERC, stated in his prepared statement at the May 22, 2001 hearing:

[T]he NERC Board of Trustees in the late 1980s resolved that each electric utility should develop a close working relationship with its local Federal Bureau of Investigation (FBI) office, if it did not already have such a relationship. The Board also said the NERC staff should establish and maintain a working relationship with the FBI at the national level.

Second, the NIPC and NERC worked for over two years on building the successful partnership that now exists.  It took dedicated individuals in both organizations to make it happen.  It is this success and dedication to achieving results that the NIPC is working to emulate with the other ISACs.

 The NIPC also continues to meet regularly with ISACs from other sectors, particularly the financial services (FS-ISAC) and telecommunications (NCC-ISAC) ISACs, to establish more formal information sharing arrangements, drawing largely on the model developed with the electric power sector.  In the past, information exchanges with these ISACs have consisted of a one-way flow of NIPC warning messages and products being provided to the ISACs.  However, in recent months the NIPC has received greater participation from sector companies as they become increasingly aware that reporting to the NIPC enhances the value and timeliness of NIPC warning products disseminated to their sector.  Productive discussions held this spring with the FS-ISAC, in particular, should significantly advance a two-way information exchange with the financial services industry.  The NIPC is currently working with the FS-ISAC and the NCC-ISAC to develop and test secure communication mechanisms, which will facilitate the sharing of high-threshold, near real-time incident information.  In the meanwhile we are working with these ISACs to share information.  In March 2001, we were commended by the FS-ISAC for our advisory on e-commerce vulnerabilities (NIPC Advisory 01-003).  According to the FS-ISAC, that  advisory, coupled with the NIPC press conference on March 8, 2001, stopped over 1600 attempted exploitations by hackers the day immediately following the press conference.

Conclusion:

I remain encouraged by the progress the NIPC has made in its first three years.  Our multi-agency partnership has developed unique national capabilities that have never before been achieved.    We will continually improve in the coming years in order to master the perpetually evolving challenges involved with infrastructure protection and information assurance.  Thank you for inviting me here today, and I welcome any questions you have.