Statement of John S. Tritak
Director, Critical Infrastructure Assurance Office
Bureau of Industry and Security
United States Department of Commerce
BEFORE THE HOUSE COMMITTEE ON GOVERNMENT REFORM
SUBCOMMITTEE ON NATIONAL SECURITY, VETERANS AFFAIRS,
AND INTERNATIONAL RELATIONS
June 11, 2002
I. INTRODUCTION
Mr. Chairman, members of the subcommittee, I am honored to appear before you today to discuss the
importance of establishing a cabinet-level homeland security organization.
In his address to the nation last week, President Bush stated that he intended to create a Department of
Homeland Security to ensure that he continues to carry out his most important responsibility as
President of the United States - that of protecting and defending the American people. His decision to
take this monumental step - the most sweeping reorganization of our national security establishment in
over 50 years - was made on the basis of careful study and experience gained since September 11.
The Administration considered a number of organizational approaches for the new department
proposed by various commissions, think tanks, and Members of Congress, including H.R. 4660,
introduced by Representatives Thornberry, Harman and others and S. 2452, introduced by Senators
Lieberman and Specter and others.
The new Department of Homeland Security would be organized into four divisions: Border and
Transportation Security; Emergency Preparedness and Response; Chemical, Biological, Radiological
and Nuclear Countermeasures; and Information Analysis and Infrastructure Protection. The new
department will be composed mainly of existing organizational elements located in other Federal
departments and agencies. For example, my office, the Critical Infrastructure Assurance Office
(CIAO), now located in the Department of Commerce's Bureau of Industry and Security, will become
part of the new Information Analysis and Infrastructure Protection division.
The Secretary of Commerce and the Under Secretary of Commerce for Industry and Security fully
support the President's plan to create a Department of Homeland Security, including the relocation of
the CIAO from the Commerce Department to the new Department. Even before the proposal for the
new Department was announced, the Under Secretary of Commerce for Industry and Security had
planned to co-locate the CIAO with staff of the Office of Homeland Security and the President's
Critical Infrastructure Protection Board. Having the CIAO as a formal part of the new Department will
strengthen the coordination we have been working to foster and that is at the core of the CIAO's
mission. The country needs a single, unified homeland security structure that will improve protection
against today's threats and be flexible enough to help meet the unknown threats of the future. The
Commerce Department's Bureau of Industry and Security will continue to work with industry on a
range of issues that affect the security of the country.
I would like to take the opportunity now to provide some background on the CIAO and to discuss
briefly some of the specific activities and initiatives we are currently undertaking on behalf of homeland security.
II. BACKGROUND ON THE CRITICAL INFRASTRUCTURE ASSURANCE OFFICE
A. Presidential Decision Directive 63 and Executive Order 13231
The CIAO is not a recent arrival to the homeland security effort: we have been diligently working to
realize the objective of critical infrastructure assurance for four years. Specifically, the CIAO was
created in May 1998 by Presidential Decision Directive 63 (PDD-63) to serve as an interagency office
located at the Department of Commerce to coordinate the Federal Government's initiatives on critical
infrastructure assurance.
Recognizing that "the targets of attacks on our critical infrastructure would likely include both facilities in
the economy and those in the government," and that, as a consequence, "the elimination of our potential
vulnerability requires a closely coordinated effort of both the public and the private sector," PDD-63
called for a "public-private partnership to reduce vulnerability" that is "genuine, mutual and cooperative."
To effectuate this goal, PDD-63 designated a Lead Agency "[f]or each of the major sectors of our
economy that are vulnerable to infrastructure attack," to act as a liaison with the infrastructure owners
and operators in that sector. To complement the work of these Lead Agencies, PDD-63 created the
CIAO to focus on initiatives that cut across industry sectors and are not the existing responsibility of the
Lead Agencies. Its purpose is to ensure a cohesive approach to achieving continuity in delivering critical
infrastructure services.
Under Executive Order 13231 (the Order), issued on October 18, 2001 and entitled "Critical
Infrastructure Protection in the Information Age," the CIAO serves as a member of and an advisor to
the newly created President's Critical Infrastructure Protection Board (the Board). The Board was
created to coordinate Federal efforts and programs relating to the protection of information systems
and networks essential to the operation of the nation's critical infrastructures. In carrying out its
responsibilities, the Board fully coordinates its efforts and programs with the Assistant to the President
for Homeland Security.
B. Role within the Department of Commerce
PDD-63's emphasis on public-private partnerships underscores that critical infrastructure assurance is
as much about economic security as it is national security. The CIAO articulates the business case for
this national commerce issue. Because issues of economic security, and the vitality of America's
business sector, fall squarely within the jurisdiction of the Department of Commerce, placement of the
CIAO in that cabinet agency enhances the CIAO's ability to facilitate ongoing dialogue with business
communities. Moreover, the Department has been a champion of the CIAO's work.
Indeed, the Commerce Department recently changed the name of the Bureau of Export Administration,
in which CIAO is located, to the "Bureau of Industry and Security" (BIS). This change reflects the
Department's growing awareness of the relationship between national security and business affairs and
more accurately portrays the broad scope of the agency's responsibilities. BIS addresses issues where
industry and national security intersect, including the administration and enforcement of export controls,
defense trade advocacy, and critical infrastructure protection. The Under Secretary of Commerce for
Industry and Security, Mr. Kenneth I. Juster, is a member of the Board and Chairman of the Board's
Standing Committee on Private Sector and State and Local Government Outreach. BIS also
coordinates all of the Commerce Department's homeland security activities; through the CIAO, leads
the Federal Government's outreach to the private sector regarding critical infrastructure protection and
cyber security; and assists U.S. industry in complying with the Chemical Weapons Convention and
other international arms agreements.
III. MAJOR CIAO ACTIVITIES AND INITIATIVES
CIAO's responsibilities for developing and coordinating national critical infrastructure policy focus on
three key areas: (1) promoting national outreach and awareness campaigns both in the private sector
and at the state and local government level; (2) assisting Federal agencies to analyze their own risk
exposure and critical infrastructure dependencies; and (3) coordinating the preparation of an integrated
national strategy for critical infrastructure assurance.
A. Outreach and Awareness
The vast majority of all critical infrastructures within the United States are owned and operated by the
private sector or by state and local government. Protecting these critical infrastructures from disruption
is not a new concept. The need to manage the risks arising from natural disasters, physical attacks, and
service disruptions has existed for as long as the infrastructures have existed. The infrastructure owners
and operators always have had primary responsibility for assuring their critical services, including
the securing of critical physical assets against unauthorized intruders. Yet these measures, however
effective they might otherwise be, generally were not designed to cope with significant military or
terrorist threats.
The Defense Department, Justice Department, and other Federal agencies have contributed significantly
to the physical protection of the nation's critical infrastructures through the defense of our national
airspace and borders against attacks from abroad. However, even the Federal government does not
have the resources to protect all individual critical infrastructure facilities. Securing the nation's critical
infrastructures against cyber attacks presents yet another difficult problem. The Federal government
cannot post soldiers or police officers at the perimeters of telecommunications facilities or electric
power plants to keep out digital attackers.
For this reason, the Federal government acting alone cannot hope to secure our nation's critical
infrastructures. The national policy of infrastructure assurance can only be achieved by a voluntary
public-private partnership of unprecedented scope involving business and government at the Federal,
State, and local levels. Forging a broad-based partnership between industry and government lies at the
heart of the CIAO's mission.
1. Private Sector Activities
CIAO has developed and implemented a nation-wide industry outreach program targeting senior
corporate leadership responsible for setting company policy and allocating company resources. The
challenge of such an effort is to present a compelling business case for corporate action. The primary
focus of the CIAO's efforts continues to be on the critical infrastructure industries (i.e., information and
communications, banking and finance, transportation, energy, and water supply). The basic thrust of
these efforts is to communicate the message that critical infrastructure assurance is a matter of corporate
governance and risk management. Senior management is responsible for securing corporate assets -
including information and information systems. Corporate boards are accountable, as part of their
fiduciary duty, to provide effective oversight of the development and implementation of appropriate
infrastructure security policies and best practices.
In addition to infrastructure owners and operators, the CIAO's awareness and outreach efforts also
target other influential stakeholders in the economy. The risk management community - including the
audit and insurance professions - is particularly effective in raising matters of corporate governance and
accountability with boards and senior management. In addition, the investment community is
increasingly interested in how information security practices affect shareholder value - a concern of vital
interest to corporate boards and management.
In partnership with these communities, the CIAO has worked to translate threats to critical
infrastructure into business case models that corporate boards and senior management can understand.
Corporate leaders are beginning to understand that tools capable of disrupting their operations are
readily available not merely to terrorists and hostile nation states but to a wide range of potential "bad
actors." As a consequence, they are beginning to grasp that the risks to their companies can and will affect
operational survivability, shareholder value, customer relations, and public confidence.
The CIAO has also worked actively to facilitate greater communication among the private infrastructure
sectors themselves. As individual Federal lead agencies under PDD-63 formed partnerships with their
respective critical infrastructure sectors, private industry representatives quickly identified a need for
cross-industry dialogue and sharing of experience to improve the effectiveness and efficiency of
individual sector assurance efforts. In response to that expressed need, the CIAO assisted its private
sector partners in establishing the Partnership for Critical Infrastructure Security (PCIS). The PCIS
provides a unique forum for government and private sector owners and operators of critical
infrastructures to address issues of mutual interest and concern. It builds upon, without duplicating, the
public-private efforts already being undertaken by the Federal Lead Agencies.
2. State and Local Government Activities
The CIAO has developed an outreach and awareness program for state and local governments to
complement and support its outreach program to industry. State and local governments provide critical
services that make them a critical infrastructure in themselves. They also play an important role as a
catalyst for public-private partnerships at the community level, particularly for emergency response
planning and crisis management. The issue of securing the underlying information networks that support
their critical services was a relatively new issue before September 11. State and local governments tend
to be well organized as a sector, with multiple common interest groups.
Similar to its program for industry, the CIAO has laid out a plan to implement outreach partnerships
with respected and credible channels within state and local government. CIAO has also met with the
National Governors Association and the National Association of State Chief Information Officers to
encourage input into the National Strategy for Cyberspace Security.
The front lines for the new types of threats facing our country, both physical and cyber, clearly are in
our communities and in our individual institutions. Smaller communities and stakeholders have far fewer
resources to collect information and analyze appropriate actions to take. Consequently, in February of
this year, the CIAO began a series of four state conferences, "Critical Infrastructures: Working
Together in a New World," designed to collect lessons learned and applied from the events of
September 11 from New York, Arlington, and communities across the United States. The intent of this
conference series is to deliver a compendium of community best practices at the end of the first quarter
of 2003. The first conference was held in Texas and the second in New Jersey. The last two will be
held in the latter part of 2002 and the first quarter of 2003.
B. Support for Federal Government Infrastructure Activities
1. Homeland Security Information Integration Program
The Administration is proposing in the President's Fiscal Year 2003 budget request to establish an Information Integration Program Office (IIPO) within the CIAO to improve the coordination of information sharing essential to combating terrorism nationwide. The most important function of this office will be to design and help implement an interagency information architecture that will support efforts to find, track, and respond to terrorist threats within the United States and around the world, in a way that improves both the time of response and the quality of decisions. Together with the lead federal agencies, and guided strategically by the Office of Homeland Security, the IIPO will: (a) create an essential information inventory; (b) determine horizontal and vertical sharing requirements; (c) define a target architecture for information sharing; and (d) determine the personnel, software, hardware, and technical resources needed to implement the architecture. The foundation projects will produce roadmaps (migration strategies) that will be used by the agencies to move to the desired state.
The Office of Homeland Security and the IIPO will also define near-term pilot projects and proof of concept initiatives that can immediately address short-term homeland security requirements. These short-term efforts can offer immediate results while putting in place the foundations for continuous improvement. They will also introduce new and emerging information technologies as appropriate and relevant to the agreed objectives of each pilot project.
2. Federal Asset Dependency Analysis
The CIAO also is responsible for assisting civilian Federal departments and agencies in analyzing their dependencies on critical infrastructures to assure that the Federal government continues to be able to deliver services essential to the nation's security, economy, or the health and safety of its citizens, notwithstanding deliberate attempts by a variety of threats to disrupt such services through cyber or physical attacks.
To carry out this mission, the CIAO developed "Project Matrix," a program designed to identify and
characterize accurately the assets and associated infrastructure dependencies and interdependencies
that the U.S. Government requires to fulfill its most critical responsibilities to the nation. These are
deemed "critical" because their incapacitation could jeopardize the nation's security, seriously disrupt
the functioning of the national economy, or adversely affect the health or safety of large segments of the
American public. Project Matrix involves a three-step process in which each civilian Federal
department and agency identifies (i) its critical assets; (ii) other Federal government assets, systems, and
networks on which those critical assets depend to operate; and (iii) all associated dependencies on
privately owned and operated critical infrastructures.
Once such critical assets and associated dependencies are identified, Federal departments and agencies
must assess their vulnerability to physical or cyber attack. If they are determined to be vulnerable,
departments and agencies must develop and implement plans to manage the risks posed by potential
attacks to the performance of essential functions and services. These plans should seek to deter attacks
from happening in the first place, protect critical assets from damage or destruction if attacks occur,
mitigate the operational impact of attacks if protective measures fail, restore operations if attacks
disrupt services, and reconstitute any assets damaged or destroyed during attacks.
Where performance of essential government functions and services depends on privately owned and
operated infrastructures, Federal departments and agencies must work with the owners and operators
of these specific infrastructure companies - on mutually agreed upon terms - to ensure that adequate
security measures are established and maintained.
Early experience with the CIAO's Project Matrix process has demonstrated such significant utility that
the Office of Management and Budget has recently issued a directive requiring all Federal civilian
agencies under its authority to fund and perform the analysis.
C. Integrated National Strategy for Critical Infrastructure Assurance
Threats to critical infrastructure fall into two overlapping categories: (1) physical attacks against the "real
property" components of the infrastructures; and (2) cyber attacks against the information or
communications components that control these infrastructures. PDD-63 charged the CIAO, as
secretariat for the National Coordinator, to integrate infrastructure assurance plans developed by each
of the individual infrastructure sectors into a comprehensive "National Infrastructure Assurance Plan." In
January 2000, the CIAO coordinated the release of the National Plan for Information Systems
Protection, Version 1.0, which articulated a complex interagency process for approaching critical
infrastructure and cyber-related issues in the Federal government. As a consequence of the events of
September 11, however, the President restructured the responsibilities for developing strategies to
respond to these two categories of threats.
The attacks on the World Trade Center and the Pentagon underscored the need to devote greater
attention to securing and defending against the threat of physical attack upon our nation's homeland. To
address this need, the President, on October 8, 2001, established the Office of Homeland Security and
charged it "to develop and coordinate the implementation of a comprehensive national strategy to
secure the United States from terrorist threats or attacks."
In view of the scope of the mission assigned to the Office of Homeland Security, the President
separately created the President's Critical Infrastructure Protection Board and gave it responsibility for
"ensur[ing] protection of information systems for critical infrastructure, including emergency
preparedness communications, and the physical assets that support such systems." In keeping with this
mission, the Board is developing a national strategy for cyberspace security.
In the post-September 11 environment, the CIAO continues to play its role to coordinate and facilitate
input from private industry - and now, state and local government - to the national strategies on critical
infrastructure protection. The Office of Homeland Security has enlisted the CIAO to provide
coordination and support for its efforts to compile information and private sector input to its strategy to
protect the physical facilities of critical infrastructure systems. Our office, working with the Lead
Agencies and our private sector partners including PCIS, has been instrumental in coordinating input
from the private sector to the cyberspace security strategy.
IV. CONCLUSION
For the last four years, the CIAO has been actively involved in coordinating our nation's efforts to
ensure the reliability of its critical infrastructure systems and facilities, both public and private. I believe
our office has demonstrated a track record of success and has earned its reputation as an honest broker
in its endeavors that is both recognized and appreciated in the Administration. We look forward to the
opportunity to serve under the new Department of Homeland Security. I thank you for the opportunity
to appear before you today.
At this time I will welcome any questions that you may have.