Statement of John S. Tritak
Director, Critical Infrastructure Assurance Office
Bureau of Industry and Security
U.S. Department of Commerce
BEFORE THE HOUSE COMMITTEE ON SCIENCE
JUNE 27, 2002

Introduction

Mr. Chairman, members of the Committee, I am honored to appear before you today representing the Department of Commerce. I look forward to discussing with you the important role that the Department of Commerce -- and two particular units within the Department -- would play in the new Department of Homeland Security. It is very clear in this current environment that the country needs a single, unified homeland security structure that will improve protection against today's threats and be flexible enough to help meet the unknown threats of the future.

A topic of this hearing -- cyber security and its role in our nation's overall homeland security strategy -- is a subject that I have been involved with intimately for many years. Since assuming office last year, I have served as the Director of the Critical Infrastructure Assurance Office (CIAO) in the Department of Commerce. In addition, I am a member of the President's Critical Infrastructure Protection Board, and I work closely with Board staff in conducting and coordinating critical infrastructure protection activities. I have spoken to the private sector and to state and local government officials on the topic of critical infrastructure assurance and cyber security on several occasions. Through these activities, I have come to appreciate the need for greater coordination of efforts to protect our homeland security, including cyber security.

President's Proposal for a Department of Homeland Security

The President's proposal to create a new Department of Homeland Security is one key step in the President's national strategy for homeland security that would significantly enhance this coordination. His decision to take this monumental step -- the most sweeping reorganization of our national security establishment in over 50 years -- was made on the basis of careful study and experience gained since September 11. Under the President's plan, for the first time, we would have a single Department whose primary mission is to secure our homeland. The Secretary of Commerce, the Under Secretary and I -- as well as all other senior management at the Commerce Department -- fully support the President's plan and stand ready to undertake necessary efforts to facilitate the creation of this new Department as soon as possible.

In the President's plan -- which builds on the strong bipartisan work that has been conducted by many Members of Congress -- one of the four divisions of the new Department would be the Information Analysis and Infrastructure Protection Division. In addition to intelligence and threat analysis, one of the primary missions of this Division would be to identify and assess the vulnerabilities of, and take steps to protect, the key resources and critical infrastructures of the United States -- including cyber assets and infrastructures. In order to most effectively accomplish this goal, the President's plan calls for consolidating the key federal operating units that deal with critical infrastructure protection and cyber security issues within this Division. The new Division will combine functions that are currently fragmented and inefficient, minimize duplication or redundancy of efforts, and ensure that critical infrastructure and cyber security activities can be more closely directed and coordinated.

Two of the operating units that would be transferred to the new Division currently reside in the Department of Commerce -- my office, the Critical Infrastructure Assurance Office (known as the "CIAO"), and the Computer Security Division of NIST's Information Technology Laboratory. In my remaining time, I would like to discuss the principal activities in which these two units are involved so you can more fully understand why the transfer of these units to the new Department would greatly benefit its mission to protect our nation's critical infrastructures and enhance cyber security.

Critical Infrastructure Assurance Office

The CIAO was created in May 1998 by Presidential Decision Directive 63 to serve as an interagency office located at the Department of Commerce to coordinate the Federal Government's initiatives on critical infrastructure assurance and cyber security. In addition, pursuant to the Executive Order (October 18, 2001), the CIAO began serving as a member of and an advisor to the President's Critical Infrastructure Protection Board, which was created to coordinate Federal efforts and programs relating to the protection of information systems and networks essential to the operation of the nation's critical infrastructures.

The CIAO's responsibilities for developing and coordinating national critical infrastructure assurance policy focus primarily on three key areas: (1) promoting national outreach and awareness campaigns, both in the private sector and at the state and local government level; (2) assisting Federal agencies to analyze their own risk exposure and critical infrastructure dependencies; and (3) coordinating the preparation of an integrated national strategy for critical infrastructure assurance.

Outreach and Awareness

As you know, securing the nation's critical infrastructures against cyber attacks goes well beyond the government's traditional role of physical protection through defense of national airspace and national borders. Because there are no boundaries in cyber space, and because the vast majority of the nation's critical infrastructures are privately owned and operated, government action alone cannot secure them. Only an unprecedented partnership between private industry and government will work. Forging this broad-based partnership between the private sector and all levels of government lies at the heart of the CIAO's mission.

With respect to the private sector, the CIAO has developed and implemented a nationwide industry outreach program targeting senior corporate leadership responsible for setting company policy and allocating company resources. Part of this task involves translating our concerns regarding critical infrastructure protection and cyber security into terms that corporate boards and CEOs will understand. The basic message is that critical infrastructure assurance is a matter of sound corporate governance, and corporate boards, as part of their fiduciary duty, must provide effective oversight of the development and implementation of appropriate security policies and practices.

In addition to infrastructure owners and operators, the CIAO's awareness and outreach efforts also target other influential stakeholders in the economy. The risk management community -- including the audit and insurance professions -- is particularly effective in raising matters of corporate governance and accountability with boards and senior management. In addition, the investment community is increasingly interested in how information security practices affect shareholder value -- a concern of vital interest to corporate boards and management. With these audiences, the CIAO's outreach efforts focus on the fact that cyber threats can and will affect operational survivability, shareholder value, customer relations, and public confidence.

Because state and local governments play a significant role in critical infrastructure assurance, the CIAO also has developed an outreach and awareness program for state and local governments. Similar to its program for industry, the CIAO has laid out a plan to implement outreach partnerships with respected and credible channels within state and local government. The CIAO also has met with the National Governors Association and the National Association of State Chief Information Officers to encourage input into the National Strategy for Cyberspace Security. As part of its state and local government outreach effort, the CIAO has begun a series of four state conferences designed to collect lessons learned and applied from the events of September 11, with the end result being a compendium of community best practices that can be used by state and local governments to increase protection of their critical infrastructures.

Project Matrix

In addition to outreach activities, the CIAO also is responsible for assisting civilian Federal departments and agencies in analyzing their dependencies on critical infrastructures. The purpose of this exercise is to ensure that the Federal government continues to be able to deliver services essential to the nation's security, economy, or the health and safety of its citizens, notwithstanding deliberate attempts to disrupt such services through cyber or physical attacks.

To accomplish this goal, the CIAO developed "Project Matrix," a program designed to identify and characterize accurately the assets and associated infrastructure dependencies and interdependencies that the U.S. Government requires to fulfill its most critical responsibilities to the nation. Project Matrix involves a three-step process in which each civilian Federal department and agency identifies (i) its critical assets; (ii) other Federal government assets, systems, and networks on which those critical assets depend to operate; and (iii) all associated dependencies on privately owned and operated critical infrastructures.

Once such critical assets and associated dependencies are identified, Federal departments and agencies must assess their vulnerability to physical or cyber attack. If they are determined to be vulnerable, departments and agencies must develop and implement plans to manage the risks posed by potential attacks to the performance of essential functions and services. These plans should seek to deter attacks from happening in the first place, protect critical assets from damage or destruction if attacks occur, mitigate the operational impact of attacks if protective measures fail, restore operations if attacks disrupt services, and reconstitute any assets damaged or destroyed during attacks.

Early experience with the CIAO's Project Matrix process has demonstrated such significant utility that the Office of Management and Budget has recently issued a directive requiring all Federal civilian agencies under its authority to fund and perform the analysis.

Homeland Security Information Integration Program

The Administration is proposing in the President's Fiscal Year 2003 budget request to establish an Information Integration Program Office (IIPO) within the CIAO to improve the coordination of information sharing essential to combating terrorism nationwide. The most important function of this office will be to design and help implement an interagency information architecture that will support efforts to find, track, and respond to terrorist threats within the United States and around the world, in a way that improves both the time of response and the quality of decisions. Together with the lead federal agencies, and guided strategically by the Office of Homeland Security, the IIPO will: (a) create an essential information inventory; (b) determine horizontal and vertical sharing requirements; (c) define a target architecture for information sharing; and (d) determine the personnel, software, hardware, and technical resources needed to implement the architecture. The foundation projects will produce roadmaps (migration strategies) that will be used by the agencies to move to the desired state.

The Office of Homeland Security and the CIAO's Information Integration Program Office will also define near-term pilot projects and proof-of-concept initiatives that can immediately address short-term OHS requirements. These short-term efforts can offer immediate results while putting in place the foundations for continuous improvement. They will also introduce new and emerging information technologies as appropriate and relevant to the agreed objectives of each pilot project.

National Strategies for Infrastructure Protection

Finally, the CIAO also plays a major role with respect to the development and drafting of the two national strategies relating to critical infrastructure protection -- the National Strategy for Cyber Space Security and the National Strategy for Homeland Security. Specifically, the CIAO coordinates and facilitates input from private industry, as well as state and local government, to the national strategies. The Office of Homeland Security has enlisted the CIAO to provide coordination and support for its efforts to compile information and private sector input to its strategy to protect the physical facilities of critical infrastructure systems. The CIAO, working with its private sector partners, also has been instrumental in coordinating input from the private sector to the cyber space security strategy.

NIST Computer Security Division

NIST's Computer Security Division (CSD) supports the President's vision of strong cyber security and its crucial role both in homeland security and in E-Government, by enabling improvements in service to our citizens through secure electronic programs.

CSD receives approximately $10 million of direct congressional appropriations, funding a NIST staff of about 51 full-time equivalents (FTEs), which support both its Federal and industry computer security responsibilities. CSD focuses its attention on a few key areas, including cryptographic standards and guidelines; public key infrastructure; security research; agency assistance; and the National Information Assurance Partnership (NIAP), which is jointly managed by NIST and the National Security Agency (NSA) to focus on increasing the number and quality of IT security products.

CSD works with industry and government to establish secure, interoperable information technology systems and networks in four key areas:

Developing cryptographic methods for protecting the integrity, confidentiality, and authenticity of information resources. The division addresses such technical areas as: secret and public key cryptographic techniques, advanced authentication systems, cryptographic protocols and interfaces, public key certificate management, smart tokens, cryptographic key escrowing, and security architectures;

Researching, developing, and applying current and emerging technology to protect the integrity, confidentiality, reliability, and availability of IT systems. The Division is involved in technical areas such as advanced countermeasures, intrusion detection, firewalls and scanning tools, vulnerability analysis/mitigation, access control, incident response, security criteria/metrics, assurance methods, and Internet security;

Developing security management guidance and promoting awareness of security threats, requirements, and division work products. It addresses areas such as risk management, security program management, training and awareness, contingency planning, personnel security, administrative measures, and procurement. It also serves as the focal point for the division's support of outreach activities and for expert review team security support to Federal agencies; and,

Developing, managing, and promoting security assessment tools, techniques, services, and supporting programs for testing, evaluation, and validation. The division addresses such areas as development and maintenance of security metrics, security evaluation criteria and evaluation methodologies, security-specific criteria for laboratory accreditation, guidance on the use of evaluated and tested products, research to address assurance methods and system-wide security and assessment methodologies, security protocol validation activities, and appropriate coordination with assessment-related activities of voluntary industry standards bodies and other assessment regimes.

In addition to the activities described above, NIST has specific statutory responsibilities under the Computer Security Act and the Government Information Security Reform Act (GISRA) for developing standards and guidelines to assist Federal agencies in the protection of sensitive unclassified systems. In support of this mission, CSD conducts standards development and research to help industry produce more secure -- yet cost-effective -- products for the marketplace. Having more secure products available in the marketplace benefits Federal agencies because agencies use commercial products to secure their systems.

In carrying out its security responsibilities under GISRA and the Computer Security Act, CSD works very closely with the Office of Management and Budget (OMB). CSD's experts work with OMB representatives on the Federal Chief Information Officers Council, the Federal Computer Security Program Managers' Forum, and the Committee on National Security Systems, and will soon also serve on the newly formed Committee on Executive Branch Information Systems Security.

Conclusion

As the President and Governor Ridge have noted, today no Federal agency has homeland security -- including cyber security -- as its primary mission. Responsibilities for homeland security are dispersed among more than 100 different agencies of the Federal Government. The President's plan would combine these various operating units with responsibility for cyber security -- including the CIAO and NIST's Computer Security Division from the Commerce Department -- into a single division so that the operations and activities of these units could be more closely directed and coordinated. This will serve to increase the efficiency and effectiveness of the Federal Government's critical infrastructure assurance and cyber security efforts.

Thank you, and I welcome any questions that you may have.