Statement of John S. Tritak
Director, Critical Infrastructure Assurance Office
Bureau of Industry and Security
United States Department of Commerce
BEFORE THE HOUSE COMMITTEE ON GOVERNMENT REFORM
SUBCOMMITTEE ON NATIONAL SECURITY, VETERANS AFFAIRS,
AND INTERNATIONAL RELATIONS
June 11, 2002

I. INTRODUCTION

Mr. Chairman, members of the subcommittee, I am honored to appear before you today to discuss the importance of establishing a cabinet-level homeland security organization.

In his address to the nation last week, President Bush stated that he intended to create a Department of Homeland Security to ensure that he continues to carry out his most important responsibility as President of the United States - that of protecting and defending the American people. His decision to take this monumental step - the most sweeping reorganization of our national security establishment in over 50 years - was made on the basis of careful study and experience gained since September 11. The Administration considered a number of organizational approaches for the new department proposed by various commissions, think tanks, and Members of Congress, including H.R. 4660, introduced by Representatives Thornberry, Harman and others and S. 2452, introduced by Senators Lieberman and Specter and others.

The new Department of Homeland Security would be organized into four divisions: Border and Transportation Security; Emergency Preparedness and Response; Chemical, Biological, Radiological and Nuclear Countermeasures; and Information Analysis and Infrastructure Protection. The new department will be comprised mainly of existing organizational elements located in other Federal departments and agencies. For example, my office, the Critical Infrastructure Assurance Office (CIAO), now located in the Department of Commerce's Bureau of Industry and Security, will become part of the new Information Analysis and Infrastructure Protection division.

The Secretary of Commerce and the Under Secretary of Commerce for Industry and Security fully support the President's plan to create a Department of Homeland Security, including the relocation of the CIAO from the Commerce Department to the new Department. Even before the proposal for the new Department was announced, the Under Secretary of Commerce for Industry and Security had planned to co-locate the CIAO with staff of the Office of Homeland Security and the President's Critical Infrastructure Protection Board. Having the CIAO as a formal part of the new Department will strengthen the coordination we have been working to foster and that is at the core of the CIAO's mission. The country needs a single, unified homeland security structure that will improve protection against today's threats and be flexible enough to help meet the unknown threats of the future. The Commerce Department's Bureau of Industry and Security will continue to work with industry on a range of issues that affect the security of the country.

I would like to take the opportunity now to provide some background on the CIAO and to discuss briefly some of the specific activities and initiatives we are currently undertaking on behalf of homeland security.

II. BACKGROUND ON THE CRITICAL INFRASTRUCTURE ASSURANCE OFFICE

A. Presidential Decision Directive 63 and Executive Order 13231

The CIAO is not a recent arrival to the homeland security effort: we have been diligently working to realize the objective of critical infrastructure assurance for four years. Specifically, the CIAO was created in May 1998 by Presidential Decision Directive 63 (PDD-63) to serve as an interagency office located at the Department of Commerce to coordinate the Federal Government's initiatives on critical infrastructure assurance.

Recognizing that "the targets of attacks on our critical infrastructure would likely include both facilities in the economy and those in the government," and that, as a consequence, "the elimination of our potential vulnerability requires a closely coordinated effort of both the public and the private sector," PDD-63 called for a "public-private partnership to reduce vulnerability" that is "genuine, mutual and cooperative." To effectuate this goal, PDD-63 designated a Lead Agency "[f]or each of the major sectors of our economy that are vulnerable to infrastructure attack," to act as a liaison with the infrastructure owners and operators in that sector. To complement the work of these Lead Agencies, PDD-63 created the CIAO to focus on initiatives that cut across industry sectors and are not the existing responsibility of the Lead Agencies. Its purpose is to ensure a cohesive approach to achieving continuity in delivering critical infrastructure services.

Under Executive Order 13231 (the Order), issued on October 18, 2001 and entitled "Critical Infrastructure Protection in the Information Age," the CIAO serves as a member of and an advisor to the newly created President's Critical Infrastructure Protection Board (the Board). The Board was created to coordinate Federal efforts and programs relating to the protection of information systems and networks essential to the operation of the nation's critical infrastructures. In carrying out its responsibilities, the Board fully coordinates its efforts and programs with the Assistant to the President for Homeland Security.

B. Role within the Department of Commerce

PDD-63's emphasis on public-private partnerships underscores that critical infrastructure assurance is as much about economic security as it is national security. The CIAO articulates the business case for this national commerce issue. Because issues of economic security, and the vitality of America's business sector, fall squarely within the jurisdiction of the Department of Commerce, placement of the CIAO in that cabinet agency enhances the CIAO's ability to facilitate ongoing dialogue with business communities. Moreover, the Department has been a champion of the CIAO's work.

Indeed, the Commerce Department recently changed the name of the Bureau of Export Administration, in which CIAO is located, to the "Bureau of Industry and Security" (BIS). This change reflects the Department's growing awareness of the relationship between national security and business affairs and more accurately portrays the broad scope of the agency's responsibilities. BIS addresses issues where industry and national security intersect, including the administration and enforcement of export controls, defense trade advocacy, and critical infrastructure protection. The Under Secretary of Commerce for Industry and Security, Mr. Kenneth I. Juster, is a member of the Board and Chairman of the Board's Standing Committee on Private Sector and State and Local Government Outreach. BIS also coordinates all of the Commerce Department's homeland security activities; through the CIAO, leads the Federal Government's outreach to the private sector regarding critical infrastructure protection and cyber security; and assists U.S. industry in complying with the Chemical Weapons Convention and other international arms agreements.

III. MAJOR CIAO ACTIVITIES AND INITIATIVES

CIAO's responsibilities for developing and coordinating national critical infrastructure policy focus on three key areas: (1) promoting national outreach and awareness campaigns both in the private sector and at the state and local government level; (2) assisting Federal agencies to analyze their own risk exposure and critical infrastructure dependencies; and (3) coordinating the preparation of an integrated national strategy for critical infrastructure assurance.

A. Outreach and Awareness

The vast majority of all critical infrastructures within the United States are owned and operated by the private sector or by state and local government. Protecting these critical infrastructures from disruption is not a new concept. The need to manage the risks arising from natural disasters, physical attacks, and service disruptions has existed for as long as the infrastructures have existed. The infrastructure owners and operators always have had primary responsibility for assuring their critical services, including securing critical physical assets against unauthorized intruders. Yet these measures, however effective they might otherwise be, generally were not designed to cope with significant military or terrorist threats.

The Defense Department, Justice Department, and other Federal agencies have contributed significantly to the physical protection of the nation's critical infrastructures through the defense of our national airspace and borders against attacks from abroad. However, even the Federal government does not have the resources to protect all individual critical infrastructure facilities. Securing the nation's critical infrastructures against cyber attacks presents yet another difficult problem. The Federal government cannot post soldiers or police officers at the perimeters of telecommunications facilities or electric power plants to keep out digital attackers.

For this reason, the Federal government acting alone cannot hope to secure our nation's critical infrastructures. The national policy of infrastructure assurance can only be achieved by a voluntary public-private partnership of unprecedented scope involving business and government at the Federal, State, and local levels. Forging a broad-based partnership between industry and government lies at the heart of the CIAO's mission.

1. Private Sector Activities

CIAO has developed and implemented a nation-wide industry outreach program targeting senior corporate leadership responsible for setting company policy and allocating company resources. The challenge of such an effort is to present a compelling business case for corporate action. The primary focus of the CIAO's efforts continues to be on the critical infrastructure industries (i.e., information and communications, banking and finance, transportation, energy, and water supply). The basic thrust of these efforts is to communicate the message that critical infrastructure assurance is a matter of corporate governance and risk management. Senior management is responsible for securing corporate assets - including information and information systems. Corporate boards are accountable, as part of their fiduciary duty, to provide effective oversight of the development and implementation of appropriate infrastructure security policies and best practices.

In addition to infrastructure owners and operators, the CIAO's awareness and outreach efforts also target other influential stakeholders in the economy. The risk management community - including the audit and insurance professions - is particularly effective in raising matters of corporate governance and accountability with boards and senior management. In addition, the investment community is increasingly interested in how information security practices affect shareholder value - a concern of vital interest to corporate boards and management.

In partnership with these communities, the CIAO has worked to translate threats to critical infrastructure into business case models that corporate boards and senior management can understand. Corporate leaders are beginning to understand that tools capable of disrupting their operations are readily available not merely to terrorists and hostile nation states but to a wide range of potential "bad actors." As a consequence, they are beginning to grasp that the risks to their companies can and will affect operational survivability, shareholder value, customer relations, and public confidence.

The CIAO has also worked actively to facilitate greater communication among the private infrastructure sectors themselves. As individual Federal lead agencies under PDD-63 formed partnerships with their respective critical infrastructure sectors, private industry representatives quickly identified a need for cross-industry dialogue and sharing of experience to improve the effectiveness and efficiency of individual sector assurance efforts. In response to that expressed need, the CIAO assisted its private sector partners in establishing the Partnership for Critical Infrastructure Security (PCIS). The PCIS provides a unique forum for government and private sector owners and operators of critical infrastructures to address issues of mutual interest and concern. It builds upon, without duplicating, the public-private efforts already being undertaken by the Federal Lead Agencies.

2. State and Local Government Activities

The CIAO has developed an outreach and awareness program for state and local governments to complement and support its outreach program to industry. State and local governments provide critical services that make them a critical infrastructure in themselves. They also play an important role as a catalyst for public-private partnerships at the community level, particularly for emergency response planning and crisis management. The issue of securing the underlying information networks that support their critical services was a relatively new issue before September 11. State and local governments tend to be well organized as a sector, with multiple common interest groups.

Similar to its program for industry, the CIAO has laid out a plan to implement outreach partnerships with respected and credible channels within state and local government. CIAO has also met with the National Governors Association and the National Association of State Chief Information Officers to encourage input into the National Strategy for Cyberspace Security.

The front lines for the new types of threats facing our country, both physical and cyber, clearly are in our communities and in our individual institutions. Smaller communities and stakeholders have far fewer resources to collect information and analyze appropriate actions to take. Consequently, in February of this year, the CIAO began a series of four state conferences on Critical Infrastructures: Working Together in a New World, designed to collect lessons learned and applied from the events of September 11 from New York, Arlington, and communities across the United States. The intent of this conference series is to deliver a compendium of community best practices at the end of the first quarter of 2003. The first conference was held in Texas and the second in New Jersey. The last two will be held in the latter part of 2002 and the first quarter of 2003.

B. Support for Federal Government Infrastructure Activities

1. Homeland Security Information Integration Program

The Administration is proposing in the President's Fiscal Year 2003 budget request to establish an Information Integration Program Office (IIPO) within the CIAO to improve the coordination of information sharing essential to combating terrorism nationwide. The most important function of this office will be to design and help implement an interagency information architecture that will support efforts to find, track, and respond to terrorist threats within the United States and around the world, in a way that improves both the time of response and the quality of decisions. Together with the lead federal agencies, and guided strategically by the Office of Homeland Security, the IIPO will: (a) create an essential information inventory; (b) determine horizontal and vertical sharing requirements; (c) define a target architecture for information sharing; and (d) determine the personnel, software, hardware, and technical resources needed to implement the architecture. The foundation projects will produce roadmaps (migration strategies) that will be used by the agencies to move to the desired state.

The Office of Homeland Security and the IIPO will also define near-term pilot projects and proof of concept initiatives that can immediately address short-term homeland security requirements. These short-term efforts can offer immediate results while putting in place the foundations for continuous improvement. They will also introduce new and emerging information technologies as appropriate and relevant to the agreed objectives of each pilot project.

2. Federal Asset Dependency Analysis

The CIAO also is responsible for assisting civilian Federal departments and agencies in analyzing their dependencies on critical infrastructures to assure that the Federal government continues to be able to deliver services essential to the nation's security, economy, or the health and safety of its citizens, notwithstanding deliberate attempts by a variety of threats to disrupt such services through cyber or physical attacks.

To carry out this mission, the CIAO developed "Project Matrix," a program designed to identify and characterize accurately the assets and associated infrastructure dependencies and interdependencies that the U.S. Government requires to fulfill its most critical responsibilities to the nation. These are deemed "critical" because their incapacitation could jeopardize the nation's security, seriously disrupt the functioning of the national economy, or adversely affect the health or safety of large segments of the American public. Project Matrix involves a three-step process in which each civilian Federal department and agency identifies (i) its critical assets; (ii) other Federal government assets, systems, and networks on which those critical assets depend to operate; and (iii) all associated dependencies on privately owned and operated critical infrastructures.

Once such critical assets and associated dependencies are identified, Federal departments and agencies must assess their vulnerability to physical or cyber attack. If they are determined to be vulnerable, departments and agencies must develop and implement plans to manage the risks posed by potential attacks to the performance of essential functions and services. These plans should seek to deter attacks from happening in the first place, protect critical assets from damage or destruction if attacks occur, mitigate the operational impact of attacks if protective measures fail, restore operations if attacks disrupt services, and reconstitute any assets damaged or destroyed during attacks.

Where performance of essential government functions and services depends on privately owned and operated infrastructures, Federal departments and agencies must work with the owners and operators of these specific infrastructure companies - on mutually agreed upon terms - to ensure that adequate security measures are established and maintained.

Early experience with the CIAO's Project Matrix process has demonstrated such significant utility that the Office of Management and Budget has recently issued a directive requiring all Federal civilian agencies under its authority to fund and perform the analysis.

C. Integrated National Strategy for Critical Infrastructure Assurance

Threats to critical infrastructure fall into two overlapping categories: (1) physical attacks against the "real property" components of the infrastructures; and (2) cyber attacks against the information or communications components that control these infrastructures. PDD-63 charged the CIAO, as secretariat for the National Coordinator, to integrate infrastructure assurance plans developed by each of the individual infrastructure sectors into a comprehensive "National Infrastructure Assurance Plan." In January 2000, the CIAO coordinated the release of the National Plan for Information Systems Protection, Version 1.0, which articulated a complex interagency process for approaching critical infrastructure and cyber-related issues in the Federal government. As a consequence of the events of September 11, however, the President restructured the responsibilities for developing strategies to respond to these two categories of threats.

The attacks on the World Trade Center and the Pentagon underscored the need to devote greater attention to securing and defending against the threat of physical attack upon our nation's homeland. To address this need, the President, on October 8, 2001, established the Office of Homeland Security and charged it "to develop and coordinate the implementation of a comprehensive national strategy to secure the United States from terrorist threats or attacks."

In view of the scope of the mission assigned to the Office of Homeland Security, the President separately created the President's Critical Infrastructure Protection Board and gave it responsibility for "ensur[ing] protection of information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems." In keeping with this mission, the Board is developing a national strategy for cyberspace security.

In the post-September 11 environment, the CIAO continues to play its role to coordinate and facilitate input from private industry - and now, state and local government - to the national strategies on critical infrastructure protection. The Office of Homeland Security has enlisted the CIAO to provide coordination and support for its efforts to compile information and private sector input to its strategy to protect the physical facilities of critical infrastructure systems. Our office, working with the Lead Agencies and our private sector partners including PCIS, has been instrumental in coordinating input from the private sector to the cyberspace security strategy.

IV. CONCLUSION

For the last four years, the CIAO has been actively involved in coordinating our nation's efforts to ensure the reliability of its critical infrastructure systems and facilities, both public and private. I believe our office has demonstrated a track record of success and has earned its reputation as an honest broker in its endeavors that is both recognized and appreciated in the Administration. We look forward to the opportunity to serve under the new Department of Homeland Security. I thank you for the opportunity to appear before you today.

At this time I will welcome any questions that you may have.