Statement of Donald L. Evans

Secretary

U.S. Department of Commerce



Hearing before the

Committee on Appropriations

United States Senate



May 9, 2001



Mr. Chairman and Members of the Committee:

I appreciate the opportunity to appear today to discuss the Commerce Department's activities related to combating terrorism. The Administration currently is reviewing all aspects of U.S. terrorism policy. Although the results of that review are still a few weeks away, several points are clear.

First, the threat of terrorist attacks against U.S. interests at home and abroad is real. The President has stated that combating terrorism will be a priority of his Administration. My colleagues from the Departments of State, Defense, and Justice and from the intelligence community already have testified as to the seriousness of the threat and the compelling need for Federal action in this area.



Second, there are no simple solutions to combating terrorism. No single agency has all the answers or core competencies to tackle by itself this difficult national security challenge. There is no master plan for reorganizing the Federal Government that would eliminate all of the problems associated with carrying out a successful counter-terrorism strategy. Although some reorganization may well be needed, it is not a substitute for effective coordination across Federal agency jurisdictions.



Third, the threat of terrorism affects our nation's economic interests. That is why the Department of Commerce is involved in this issue. The Commerce Department has the expertise and the experience to deal with the business community on matters relating to national and economic security. For years, the Department has been responsible for administering and enforcing controls over the exports of certain U.S. items that could contribute to the military potential of terrorist countries and organizations. These controls, which I will briefly discuss this morning, have been and will continue to be essential to the fight against terrorism.

I also will discuss the Department's more recent role in protecting the Nation's critical infrastructures. As you know, our critical infrastructures are increasingly at risk of cyber attack from a constellation of new threats. These threats include, but are not limited to, terrorism. Securing critical infrastructures against such threats presents a challenge quite different from that of defending the Nation's airspace against bomber or missile attacks, and our borders against invading armies or infiltrating terrorists. One cannot post soldiers or police officers at the perimeters of electric power plants or telecommunications facilities to keep out digital attackers. Indeed, securing the Nation's critical infrastructures cannot be achieved by government action alone; it requires an unprecedented partnership with private industry. Working with the private sector and promoting such partnerships across industry sectors is a core competency of the Commerce Department. Any discussion of the Department's efforts in combating terrorism would be incomplete, therefore, without a discussion of its role in promoting critical infrastructure protection policy.

I. Combating Terrorism

Let me turn, first, to our system of export controls. Within the Commerce Department, the Bureau of Export Administration manages matters affecting industry and national security. The Bureau administers an export licensing and enforcement system that controls exports of dual-use goods, commodities, software, and technology for purposes of national security, nonproliferation, and various foreign policy concerns. The Bureau administers these controls in consultation with the Departments of State, Defense, and Energy and the intelligence community. Under the authority of the Export Administration Act, our export licensing system includes controls on exports to certain countries designated by the Department of State as supporters of terrorism. The Bureau controls the export and re-export of U.S.-origin items that could contribute to the military potential of three countries designated by the State Department as terrorist countries -- Cuba, Syria, and North Korea -- and the re-export of such items to a fourth terrorist country -- Libya. These export controls apply to a wide range of items that could be used by such countries for the development of nuclear, chemical and biological weapons and the missiles that deliver them, for the acquisition of conventional arms, and for other terrorist activities.

The Bureau also controls the export of U.S.-origin items to all terrorists and terrorist organizations on the State Department's lists of Foreign Terrorist Organizations. The Treasury Department itself is responsible for controls on the export and re-exports of U.S.-origin items to Iran, Iraq, and Sudan and the export of U.S.-origin items to Libya.

In addition to its licensing function, the Bureau of Export Administration is responsible for enforcement activities regarding the exports subject to the Export Administration Act. The Bureau works with the Federal Bureau of Investigation and the Department of the Treasury and its enforcement agencies in investigating exports to terrorist organizations or to terrorist-supporting countries. The Bureau also works with regional task forces and interagency enforcement groups on counter-terrorism issues, such as the Interagency Intelligence Committee on Terrorism, which is a working group designed to enhance communication within the intelligence community regarding terrorism issues. The Bureau's investigative efforts can result in the imposition on exporters of criminal penalties and/or civil fines and the denial of export privileges. In recent years, the Bureau also has been involved in several successful prosecutions relating to terrorist groups.



In conjunction with its enforcement activities, the Bureau places special emphasis on preventive efforts to stop illegal exports of chemical weapons precursors, biological agents, and nuclear weapons and missile development equipment before they can occur. The Bureau uses several methods to prevent illegal exports, including:



reliability of foreign consignees to receive controlled items;

ensure compliance with the terms and conditions of a U.S. export license;

shipments to countries of concern for counter-terrorism and nonproliferation reasons;

end-users of national security and nonproliferation concern; and

who, because of their association with weapons of mass destruction or other programs of concern, may endanger the safety of United States citizens, facilities, and companies at home and abroad.



In addition, the Bureau of Export Administration seeks to extend the influence and impact of U.S. export controls by assisting other nations to strengthen their own export control systems. Through the State Department's international export control assistance program, which addresses problems relating to nonproliferation, the Bureau works to strengthen the legal, regulatory, and enforcement regimes that other countries have established to interdict materials and know-how that might be destined for terrorist end-users and end uses.



Finally, the Bureau of Export Administration supports U.S. anti-terrorism activities through the Defense Priorities and Allocations System, which is authorized by the Defense Production Act. This system grants the Bureau the authority, if necessary, to ensure that U.S. commercial contractors provide critical industrial products and services on a timely basis to U.S. Government departments and agencies, so as to prevent or respond to a terrorist event.

I would now like to turn to the subject of critical infrastructure protection and the Department's role in this activity, which relates to the fight against terrorism.



II. Critical Infrastructure Protection



Critical infrastructures consist of those systems and capabilities essential to the minimal operation of the Government and economy. They include telecommunications, energy, the Nation's water supplies, transportation, banking and finance, and health and emergency services. These infrastructures are necessary to ensure the delivery of services vital to the Nation's defense, economic prosperity, and security, and the health and safety of its citizens.

Increasingly, our critical infrastructures depend on information systems and networks to operate. There has been a dramatic expansion of accessibility to the tools and techniques that can cause harm to critical infrastructures by electronic means. Moreover, those who can use these tools and techniques range from the recreational hacker to the terrorist to the nation state intent on obtaining strategic advantage. Disruptions to the delivery of vital services resulting from attacks on critical infrastructures thus pose an unprecedented risk to national and economic security.

In May 1998, Presidential Decision Directive 63 (or PDD-63) established critical infrastructure protection as a national security priority. That Directive called for a national capability to protect our critical infrastructures from intentional acts, especially cyber attacks, that could significantly diminish the abilities of:



The Federal Government to perform essential national security missions and to ensure the general public health and safety;

State and local governments to maintain order and to deliver minimum essential public services; and



The private sector to ensure the orderly functioning of the economy and the delivery of essential telecommunications, energy, financial, and transportation services.

The Executive Branch assigned overall responsibility for policy development and coordination of this initiative to a National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism at the National Security Council. The Federal Government also established the Critical Infrastructure Assurance Office (CIAO) as an interagency office to support the National Coordinator in carrying out these policy development and coordination functions. CIAO coordinates national policy planning and outreach initiatives with private industry, and assists Federal agencies in analyzing their critical infrastructure dependencies and interdependencies. Because of its preeminent role in working with private industry, CIAO is located in the Department of Commerce. Within the Department, CIAO is located in the Bureau of Export Administration because of that Bureau's lead role in managing national security issues that involve the U.S. business community.

I should note that PDD-63 also established at the FBI a National Infrastructure Protection Center (NIPC). NIPC serves as the Nation's threat assessment, warning, and incident response center for cyber attacks, and also facilitates law enforcement investigations of cyber-related crimes. While CIAO and NIPC both engage in industry outreach, their efforts are complementary rather than duplicative. As discussed below, CIAO focuses on raising national awareness across industry sectors, influencing corporate information assurance policy, promoting market solutions for greater cyber security, and identifying and addressing statutory and regulatory issues that potentially discourage or undermine business incentives to maximize voluntary efforts at securing critical infrastructures. On the other hand, NIPC seeks to encourage private industry to share information about system capabilities and computer incidents and vulnerabilities for purposes of assisting companies in preventing specific types of attacks and investigating such attacks when they occur.





I would now like to discuss with you four distinctive ways that the Department is involved with critical infrastructure protection. Through the CIAO, we coordinate outreach and consultation with the private sector and state and local governments. Through the National Telecommunications and Information Administration, the Department has lead agency responsibility for the Information and Communications sector. Through the National Institute of Standards and Technology, we develop standards, measurements, and testing methodologies to safeguard information systems. Finally, the Department has its own critical systems that it must protect against failure, such as the environmental satellite system of the National Oceanic and Atmospheric Administration.

A. The Critical Infrastructure Assurance Office



Under PDD-63, the CIAO's responsibilities in developing and coordinating national critical infrastructure policy have focused on three key areas: (1) promoting national outreach and awareness campaigns; (2) assisting Federal agency analyses of critical infrastructure dependencies; and (3) coordinating the preparation of an integrated national plan for critical infrastructure assurance.



1. National Awareness and Outreach



CIAO promotes activities that inform business and technology leaders across industry sectors of the need to manage the risks that accompany the benefits associated with reliance on information systems. CIAO focuses on initiatives that cut across industry sectors and are not the existing responsibility of agencies. CIAO's outreach activities are reflected in the following three major initiatives: (i) the Partnership for Critical Infrastructure Security; (ii) outreach to the business risk management community; and (iii) common support to public-private partnerships with specific critical infrastructure sectors.





Partnership for Critical Infrastructure Security: As individual Federal agencies formed partnerships with each critical infrastructure sector, there emerged a need for cross-industry dialogue and sharing of experience to improve effectiveness and efficiency of individual sector assurance efforts. The Partnership for Critical Infrastructure Security was convened in response to that expressed need. This 150-company partnership provides a forum for government and private sector owners and operators of critical infrastructures to address issues of mutual interest and concern. The Partnership also engages other stakeholders in critical infrastructure protection, including the risk management (audit and insurance), investment, and mainstream business communities. The Partnership, which builds upon public-private efforts already underway by the Federal Lead Agencies, is organized by industry for industry, with the U.S. Government acting as a catalyst and a participant.



Major topics being considered by the Partnership include: approaches to assessing interdependency vulnerabilities; multi-sector information sharing; legislative and public policy issues; research and workforce development; industry participation in preparing the next version of the national plan; and outreach to state and local governments.



Business Risk Management Community: The business risk management community, consisting of auditors, financial security analysts, the insurance community, the legal community, and financial reporting boards, serves as a unique channel of communication to senior leadership of industry. These groups work with industry in assessing business risks, communicating noteworthy changes to those risks, and supporting the management of such risks.



CIAO began in the Spring of 1999 to implement an awareness and education partnership with a consortium consisting of the Institute of Internal Auditors, the National Association of Corporate Directors, the American Institute of Certified Public Accountants, and the Information Security Audit and Control Association. This consortium brought the involvement of a number of noted insurance firms, risk management professionals, legal counsel, corporate board members, audit experts, and Wall Street security analysts.

The consortium held a series of five regional conferences, called "Audit Summits." These meetings were hosted or sponsored by prominent companies, such as J.C. Penney, Home Depot, New York Life Insurance, Oracle Corporation, Arthur Andersen, Deloitte & Touche Tohmatsu, PricewaterhouseCoopers, and KPMG. The target audiences were directors of corporate boards, chief auditors, and other corporate senior executives. The meetings produced a report that provided guidance for corporate boards on managing information security risks.



Support For Industry Sector-Federal Lead Agency Partnerships: CIAO provides support for the Federal Lead Agencies and their counterparts in industry for outreach and awareness building, specifically through the sponsorship of workshops on common issues shared by many of the sectors, including risk management approaches, information sharing, and legal obstacles.



2. Analyses of Critical Government Assets and Systems



CIAO launched an initiative -- labeled "Project Matrix" -- to fulfill its mandate under PDD-63 to "coordinate analyses of the U.S. Government's own dependencies on critical infrastructures." Under this program, CIAO assists Federal agencies in identifying the assets, networks, and associated infrastructure dependencies and interdependencies that are required to deliver services vital to the Nation's security, economy, and health, welfare, and safety.



Project Matrix involves a three-step process. In Step 1, the Project Matrix team identifies and prioritizes each agency's critical assets. In Step 2, the team develops a topology of the agency's business operations and identifies significant points of potential failure associated with each critical asset. In Step 3, the team identifies those critical infrastructure dependencies that are associated with critical assets.



Five Federal agencies currently participate in Project Matrix, including the Departments of Commerce, Energy, Health and Human Services, the Treasury, and the Social Security Administration.

3. National Plan



PDD-63 directs CIAO to coordinate the preparation of a national critical infrastructure assurance plan. The Clinton Administration issued the first National Plan for Information Security Protection in January 2000. That plan focused on Government critical infrastructure protection programs. The Bush Administration currently intends to publish a second version of the National Plan later this year. Its purpose will be to present an integrated public-private strategy for Government and industry to chart a common course toward achieving the overall goal of national critical infrastructure assurance. This document will serve not only as a guide for action, but also as a vehicle for creating consensus in Congress and with the American people on how to proceed. The Partnership for Critical Infrastructure Security will be the focal point for coordinating private industry drafting of individual sector plans. CIAO will then pull together these individual sector plans and integrate them with the plans of Federal departments and agencies to produce a single, unified National Plan.



B. Lead Agency Responsibilities



PDD-63 also designated Lead Agencies for each of the critical infrastructure sectors. Commerce is the Lead Agency responsible for the Information and Communications (I&C) sector. The Department has delegated this responsibility to the National Telecommunications and Information Administration (NTIA) because of its role in formulating and implementing U.S. telecommunications policy. NTIA's Lead Agency responsibilities include: developing an awareness and education outreach program for the I&C sector with regard to threats and vulnerabilities; assisting the sector in identifying, mitigating, and eliminating those vulnerabilities; advancing compatible solutions for the global I&C infrastructure by working with foreign governments, international organizations, and multinational corporations; and providing industry with information on results from U.S. Government research and development on critical infrastructure protection.





1. Sector Awareness and Outreach



In its outreach efforts, NTIA works closely with the Consortium for Infrastructure Protection, which is comprised of the three trade associations that are the industry coordinators for the I&C sector. The Consortium includes the Information Technology Association of America, the Telecommunications Industry Association, and the United States Telecom Association. NTIA also works directly with key telecommunications and information technology companies and with other organizations, such as the President's National Security Telecommunications Advisory Committee. Recently, NTIA expanded the scope of its outreach efforts to include Internet and wireless communications companies. NTIA's major outreach effort in Fiscal Year 2000 was the Telecommunications and Information Security Workshop held in Tulsa, Oklahoma, last Fall. The purpose of the workshop was to identify emerging security issues and potential solutions as information networks are integrated into existing telecommunications systems to support both telephony and data services.

2. Sector Information Sharing and Vulnerabilities



In terms of sharing sector information on potential vulnerabilities, NTIA supported an industry-led initiative to create the Information Technology Information Sharing and Analysis Center. The Center, which consists of 19 of the Nation's leading information technology companies, will enable the IT industry to report and exchange information about electronic incidents, threats, attacks, vulnerabilities, best security practices, and other protective measures. NTIA intends to host a conference with members of the Center to identify and address potential impediments to information sharing between the Center and the Federal Government.



NTIA also entered recently into a joint venture with the Defense Department to assess the vulnerability of military bases and associated critical infrastructures within the cities and towns comprising the Rocky Mountain Corridor. NTIA and the Defense Department are preparing a study on this effort to showcase the cooperation between Government and industry in conducting the vulnerability assessment. NTIA was instrumental in obtaining an agreement from Qwest, the principal carrier in the Rocky Mountain Corridor, to share proprietary information with the Defense Department to evaluate the vulnerabilities of its network. Building on the success of this project, NTIA and the Defense Department will conduct a similar effort in Hawaii.



In addition, NTIA plans to partner with the Department of Energy in a pilot program, begun in Chicago in 1999, to enhance local critical infrastructure emergency preparedness plans. This program -- the Chicago Metropolitan Area Critical Infrastructure Protection Program -- is based on cooperation between the Federal Government and local agencies, and is designed to serve as a model for other regions of the United States. The pilot program has focused on electric power and natural gas, with the telecommunications portion of the program projected for fiscal year 2002.



3. International Activities

NTIA has worked closely with the U.S. Department of State and other Federal agencies in facilitating international discussions on cyber-security and critical infrastructure protection. NTIA participates in bilateral discussions with Canada, the United Kingdom, and Australia. In addition, NTIA and the CIAO will host a 30-member delegation from Japan later this Spring. At the request of private industry, NTIA also has agreed to establish its International Outreach Subcommittee as a forum for the private sector to provide its perspective on critical infrastructure matters being raised in bilateral discussions and multilateral venues, such as the UN, the OECD, APEC, and the Council of Europe.



4. Research and Development



Finally, NTIA has produced and shared with private industry a number of reports on research and development by the U.S. Government relating to critical infrastructure protection. Providing such information enables the private sector to proceed with research and development projects that do not duplicate those of Federal departments and agencies.



C. Standards and Guidelines to Protect Information



The third role of the Commerce Department regarding critical infrastructure protection involves the development of standards, measurements, and testing methodologies needed to protect information and improve the security of information systems. The Department's National Institute of Standards and Technology (NIST) undertakes this responsibility. NIST also has specific statutory responsibilities for the development of standards and guidelines for the protection of Federal sensitive (unclassified) systems and, given the Office of Management and Budget's statutory role for policy and oversight of Federal information systems, works closely with the OMB in carrying out this mission.



NIST has been actively involved in information technology security since the 1970s. Formal statutory responsibilities for security were later assigned to NIST by the Computer Security Act of 1987, and were strengthened by the Information Technology Management Reform Act of 1996, and underscored by the Government Information Security Reform Act of 2000. NIST's activities in support of Federal information security include: developing standards and guidelines for Federal computer systems, which incidentally are often adopted by private industry on a voluntary basis; developing validation procedures for evaluating the security of computer-related products; leading the operations of the Computer Security Expert Assist Team, which provides Federal departments with an assessment of their computer security programs; engaging the national security community to make use of their security products, where appropriate and cost-effective, for the protection of unclassified systems; and providing general technical assistance to Federal agencies upon request.



NIST also works directly with IT industry and users in activities focused on critical infrastructures. These activities include: participating in voluntary programs to test commercial products against security specifications and promote security in commercial products; leading the critical infrastructure protection grants program to fund necessary external research that is not being adequately addressed by private industry; performing research and conducting studies to determine the nature and extent of the vulnerabilities of sensitive systems; promoting U.S. industry and Federal interests in international standards processes; and assisting the private sector, upon request, in using and applying the results of programs and activities.



An example of the kinds of efforts undertaken by NIST is the development of the new advanced encryption standard. NIST conducted a worldwide, multiyear project to develop this new technical standard. The encryption standard will be used to protect a wide variety of Federal information, such as tax and social security records, as well as sensitive private sector information throughout the world, including financial and health information. In developing the advanced encryption standard, NIST worked with the private sector in an open, participatory process to evaluate and build consensus for the new standard.

Another collaborative effort by NIST, this time with the National Security Agency, is the National Information Assurance Partnership. This Partnership combines the extensive security experience of both agencies to promote the development of technically sound security requirements for IT products and systems and appropriate metrics for evaluating those products and systems. Important constituencies, such as the healthcare sector and the telecommunications industry, have developed security profiles in collaboration with the National Information Assurance Partnership.



D. Critical Systems



The Department's fourth role with respect to critical infrastructure involves protection of its own critical systems. In this regard, the National Oceanic and Atmospheric Administration seeks to ensure that satellite remote sensing platforms and data distribution systems, which are vital to national security, are protected from failures, whether caused by natural disasters or terrorist attacks. Systems under the protection program include redundant satellite command and control facilities for geostationary and both civilian and military polar-orbiting environmental satellite systems, and systems within both the National Weather Service Telecommunications Gateway, and the National Environmental Satellite, Data, and Information Service's Office of Satellite Data Processing and Distribution. These systems protect our Nation's citizens from natural disasters, and enable our Armed Forces to effectively protect our national security.



In conclusion, Mr. Chairman, I believe that the Department of Commerce makes an important contribution to our Government's ongoing efforts to combat terrorism and protect our critical infrastructures. What we bring to the table is expertise and experience in working with private industry on matters relating to national and economic security. Our efforts are intended to complement, not duplicate, those of other agencies, such as the Departments of State, Defense, and Justice. I am committed to working with them and you to ensure that our combined efforts achieve their final result of successfully combating terrorism.



This concludes my statement. I will now be happy to answer any questions you may have.