Summary
- PCIS supports the President’s proposal for a Homeland Security Department. A single Department with a clear line of authority would not only consolidate efforts currently spread across over 100 Federal organizations, but also would provide national emphasis to improve our preparedness.
- Securing the nation’s critical infrastructures goes well beyond the government’s traditional role of physical protection through defense of national airspace and national borders. Because there are no boundaries in cyberspace, and because the vast majority of the nation’s critical infrastructures are privately owned and operated, the President’s Commission on Critical Infrastructure Protection recommended an unprecedented partnership between private industry and government. The Partnership for Critical Infrastructure Security (PCIS) was launched in December 1999 in the World Trade Center to fill this need.
- As critical infrastructure assurance has matured over the last five years, those of us intimately involved recognize its strong suits: public-private partnership, interdependency, and the recognition that physical business operations of our critical infrastructures depend on information systems and networks, far more so than in any other country in the world.
- We believe the proposed Information Analysis and Infrastructure Protection Division includes two all-encompassing mission areas. The information analysis and warning function alone will be a full-time job, merging the 100-plus intelligence and law enforcement databases to administer national threat correlation and support the Homeland Security Advisory System. The job of critical infrastructure assurance is too vital to American commerce to be subsumed by the intelligence gathering and reporting mission.
- The private sector wants to share timely cyber vulnerability and countermeasure information with the government. However, companies do not believe Federal agencies can protect the information from Freedom of Information Act (FOIA) requests. Critical infrastructure threat and vulnerability information voluntarily shared with the government should be given the same protections as government classified information.
- We encourage you to leverage existing expertise in the NSTAC, the ISACs, and the PCIS as you shape this new, much-needed Department. However the government organizes itself, we in the private sector stand ready to assist any way we can.
Introduction
Chairman Greenwood and distinguished Committee
Members, I am honored to testify before you today in support of the
President’s proposal for a Homeland Security Department.
A single Department with a clear line of authority would not only
consolidate efforts currently spread across over 100 Federal organizations,
but also would provide needed national emphasis to improve our preparedness.
Internet-based technologies are driving
unprecedented productivity increases and dependencies.
As you know, the US government reported that productivity in this
country rose 8.4 percent in the first quarter this year, even with the
sluggish market.
This is unprecedented. In
the past, productivity has been in the 1.5- to 2-percent range during down
market conditions. Emerging
high-growth “tornado” markets such as IP telephony, storage networking,
wireless, optical, virtual private networking, and cable integration of voice,
video, and data are sweeping business sectors worldwide, bringing about both
evolutionary and revolutionary changes in the way businesses and governments
do business. These
changes—increasing bandwidth, exploding connectedness, integration of all
types of applications into multi-purpose devices, distribution of both
processes and storage, and erosion of physical boundaries—bring old and new
vulnerabilities with them. Because
networks are now integral to core business and government practices, security
has become the top or next-to-top requirement of CEOs and Boards.
Both the cyber and physical aspects of security must be integrated into
core networking practices and environments, especially now that we read in the
Washington Post that al-Qaeda is exploring the Internet as a means for attack,
mapping our vulnerabilities in cyberspace, and had detailed information on
digital control systems on a laptop recovered in Afghanistan.
Four years prior to the attacks of 9-11, the
President’s Commission on Critical Infrastructure Protection (PCCIP)
identified eight infrastructure sectors as critical to national and economic
security and the health and safety of American citizens. Securing the nation’s critical infrastructures goes well
beyond the government’s traditional role of physical protection through
defense of national airspace and national borders. Because there are no
boundaries in cyberspace, and because the vast majority of the nation’s
critical infrastructures are privately owned and operated, the commission
recommended an unprecedented partnership between private industry and
government. The Partnership for
Critical Infrastructure Security (PCIS) was launched in December 1999 in the
World Trade Center to fill this need. The
private-sector portion of the PCIS was incorporated as a 501(c)(6) non-profit
organization in January 2001, and I was elected its first President and
Chairman of the Board in March of that year.
The PCIS Board and I fully support the
President’s plan and look forward to working with the Administration and the
Congress to further cement the public-private relationships we have forged to
assure the delivery of critical services to our citizens and customers.
In the cyber dimension, private-sector infrastructure companies
represent the front lines of defense against attacks that take an average of
one and one-half minutes, traverse multiple jurisdictions and countries at the
speed of light, and cost the anonymous attacker no more than a personal
computer and downloaded free software.
Partnership for Critical Infrastructure
Security
The mission of the PCIS is to coordinate
cross-sector initiatives and complement public-private efforts to promote and
assure reliable provision of critical infrastructure services in the face of
emerging risks to economic and national security.
This involves more than either physical or cyber security alone, and it
spans actions from prevention, planning, and preparation to business
continuity, recovery, and reconstitution.
Presidential
Decision Directive 63 followed the PCCIP recommendations by establishing
Sector Liaison officials in the pertinent Federal Lead Agencies involved in
critical infrastructure assurance, to work with Sector Coordinators who were
industry leaders in the private sector in each of the critical sectors. We structured the PCIS Board so that those Sector
Coordinators always represent a majority of Directors to ensure that the PCIS
continues to meet the needs of all the infrastructure sectors. The PCIS currently has over 80 corporate members from all the
critical infrastructure sectors, plus ad hoc representation from all pertinent
Federal lead agencies and the National Association of State Chief Information
Officers.
To illustrate the level of support in industry
for the PCIS, the Board members are either presidents or chief operations or
information security officer equivalents in their organizations:
Presidents:
- Airports Council International—North America
- Association of American Railroads
- Association of Metropolitan Water Agencies
- Information Technology Association of America
- North American Electric Reliability Council
COO/CISO or Equivalent:
- Bank of America
- BellSouth
- Cellular Telecommunications & Internet Association
- Conoco
- Consolidated Edison of New York
- Microsoft
- Morgan Stanley
- Union Pacific Corporation
- US Telecommunications Association
- Telecommunications Industry Association
Lead agencies, coordinated by the Critical
Infrastructure Assurance Office (CIAO) of the Department of Commerce, fully
participate in PCIS working groups and its public-private coordinating
committee. Our current “top
six” initiatives are:
- Coordinate private-sector input to the National Strategy for Critical Infrastructure Assurance, especially those areas of cross-sector interest and dependency;
- Serve as a clearinghouse for digital control systems security efforts, including research and development, exercises and tests, and awareness;
- Publish an “Effective Practices” compendium, in collaboration with the CIAO, starting with lessons learned during the recovery from the 9-11 attacks;
- Provide critical infrastructure assurance awareness materials and references for all PCIS members and the public;
- Develop a risk assessment guidebook for use by any region or sector, concentrating on cross-sector dependencies; and
- Facilitate cross-sector information exchange, augmenting efforts by the industry Information Sharing and Analysis Centers (ISACs) and government cyber warning and information organizations.
As a
public service to promote awareness of the need to take steps to secure home and
small business computers, another public-private partnership, the National Cyber
Security Alliance, was incorporated as a 501(c)(3) educational foundation within
the PCIS earlier this year. The web
site, www.staysafeonline.info,
has experienced over 5 million page views since February, and we believe this
campaign is helping to lower the risk that America’s growing broadband user
base could be used to stage denial of service attacks against our
infrastructures.
The President’s Proposal
After reviewing the President’s proposal, we
believe it provides a clearer and more efficient organizational structure to
accomplish homeland security missions than currently exists in the Federal
government. Consolidating
information analysis and warning; chemical, biological, nuclear, and
radiological countermeasures; emergency preparedness and response; border and
transportation security; and critical infrastructure assurance is a much-needed,
logical response to the continuing threats of terror against the United States.
Additionally, Section 732 shows foresight in
taking advantage of current business practices such as “other transactions”
for research and development and prototyping, creation of employer-employee
relationships for contracting, authorization to invoke 40 U.S.C. 474, and
flexible acquisition and disposition of property. These practices should encourage innovation, rapid
procurement, advanced research, and beneficial contracting relationships with
industry, but will require discipline and oversight.
I’d like to concentrate the remainder of my
remarks on two key areas we believe still need work:
first, additional emphasis on critical infrastructure assurance
activities; and second, the removal of barriers to public-private information
sharing.
After over 20 years as a Marine officer, it is
second nature for me to relate everything I do to mission.
In business as well as in government, those organizations that structure
themselves and order their actions around their missions are the most
successful. The mission of critical
infrastructure assurance is embedded within the overall mission of Homeland
Security, but needs additional organizational emphasis.
As critical infrastructure assurance has matured
over the last five years, those of us intimately involved recognize its strong
suits: public-private partnership,
interdependency, and the recognition that physical business operations of our
critical infrastructures depend on information systems and networks, far more so
than in any other country in the world.
The PCIS defined critical infrastructure
assurance two years ago as: “efforts
to promote and assure reliable provision of critical infrastructure services in
the face of emerging risks to economic and national security.”
Economic
and national security are important to assuring our critical infrastructures,
but the essence of the mission is assuring the delivery of services over the
infrastructures. Those services are
what our citizens and customers expect and need, especially in time of crisis,
and they include accurate and uninterrupted financial transactions, on-time and
safe transportation, reliable electric power, available and dependable
information and communications, safe and clean drinking water, safe and
available oil and natural gas, and timely emergency services.
All these services are interlinked in the Internet Economy; they depend
more and more on networks to carry out basic business; and 85 percent of them
are owned and operated by the private sector.
The line between physical and cyber assets is becoming even more blurred
by the widespread use of digital control systems—electronically controlled
devices that report on kilowatt hours transmitted, gallons per hour of oil and
water, cubic feet of natural gas, traffic on “smart roadways,” and can
actually control physical assets like flood gates; oil, gas, and water valves
and flow controllers; ATMs; and the list keeps growing.
Industry defines critical infrastructure
assurance to include both physical and cyber assets, but by “physical” we
mean those assets essential to the delivery of each infrastructure’s critical
services. Cyber security also
includes physical threats to critical infrastructures such as intentional or
unintentional interruptions of the high-technology support to the
infrastructures, like a backhoe cutting a key fiber-optic line.
An
effective Critical Infrastructure Assurance organization
Title II of the Homeland Security Act establishes
an Under Secretary for Information Analysis and Infrastructure Protection.
We believe these are two all-encompassing functional areas.
The information analysis and warning function alone will be a full-time
job, especially considering the monumental task of merging the 100-plus
intelligence and law enforcement databases in order to effectively administer
national threat correlation and support the Homeland Security Advisory System.
The job of critical infrastructure assurance is too vital to American
commerce to be subsumed by the intelligence gathering and reporting mission.
Similar to a corporate Chief Executive Officer, the Secretary should have
the flexibility to organize the Department to meet the requirements needed to
protect America’s critical infrastructures.
The mission of Critical Infrastructure Assurance
includes:
- Coordinating vulnerability assessments of key resources and critical infrastructures;
- Development and maintenance of the National Strategy for Critical Infrastructure Assurance;
- Facilitating true partnerships with private industry and state and local government to address critical infrastructure issues;
- Taking or influencing measures necessary for securing key resources and critical infrastructures;
- Facilitating and defining requirements for cutting-edge research and development to enhance long-term critical infrastructure assurance;
- Facilitating cross-sector and public-private sharing of critical infrastructure threat, vulnerability, and countermeasure information;
- Promoting awareness and education at all levels of critical infrastructure assurance issues, including public and private roles and responsibilities; and
- Coordinating with other executive agencies, state and local governments, and the private sector regarding critical infrastructure assurance.
Coordination with Non-Federal Organizations
Section 701 of the proposal requires the
Secretary of Homeland Security to coordinate with state and local officials and
the private sector in carrying out the mission of the Department of Homeland
Security. Since most of the
critical infrastructures are owned and operated by the private sector,
coordination with the private sector has become an established norm, led by the
efforts of the Critical Infrastructure Assurance Office (CIAO).
The CIAO has developed working, productive relationships with the
infrastructure leaders, the audit and other risk management industries, and now
the National Governors’ Association and the National Association of State CIOs.
It also has facilitated the development of the PCIS and the various
industry Information Sharing and Analysis Centers (ISACs). The various Under Secretaries should be given responsibility
for coordinating with state and local governments and the private sector in
their respective areas of responsibility, although it is understood and useful
for the office of the Secretary of Homeland Security to coordinate activities
across the entire Department.
Removing information sharing barriers
Information sharing is key to solving problems
together. The best leaders know
that the more their people know about the problems they’re trying to solve,
the better they will be able to use their intellect, creativity, and drive to
solve them most effectively. Most
critical infrastructure sectors have established Information Sharing and
Analysis Centers (ISACs) to share information on cyber threats, vulnerabilities,
countermeasures, best practices, and other solutions. Some of these are strictly in the private sector, while
others include public and private participation.
Some have been sharing critical information for a number of years, and
some organizations added ISAC-type information to other normal reporting or
information exchange responsibilities previously established.
As ISACs mature, their effectiveness in sharing both warnings and
countermeasures within their industries is dramatically improving, in both
quality and timeliness. They are
developing a depth of knowledge that enables analysis and trending, beneficial
to their industries and member companies. To
date, these include:
- Financial Services ISAC,
- Telecom ISAC,
- Information Technology ISAC,
- Energy ISAC (oil and gas),
- Electric Power ISAC,
- Emergency Law Enforcement Services, and
- Surface Transportation ISAC.
The water, food safety, chemical and
manufacturing, aviation, and firefighting sectors are in the process of
establishing ISACs.
Several government organizations have cyber
information sharing missions:
- FedCIRC (GSA),
- DoDCERT (DoD),
- NSIRC (IC), and
- NIPC (FBI).
The ISACs are developing an Inter-ISAC
Information Exchange Memorandum of Understanding, and some ISACs have signed
MOUs with the NIPC. PCIS is
facilitating cross-sector information exchange by developing a common taxonomy
and co-hosting multi-ISAC and public-private action meetings in conjunction with
the President’s Office of Cybersecurity.
Both the private sector and the government agree that the exchange of
timely cyber vulnerability and countermeasure information would greatly benefit
the cause of protecting our critical infrastructures, and the private sector
wants to share this kind of information with the government.
However, even with all the efforts toward
public-private information exchange, in no case is the private sector sharing
sensitive cyber vulnerability information with the government.
The main reason for this is that companies do not believe Federal
agencies can protect the information from Freedom of Information Act (FOIA)
requests. Under the current law, companies have no assurance that information
they share with a government agency will be treated confidentially, and agencies
are not required to commit to confidentiality at the time of disclosure.
Agencies are not even required to initiate the FOIA exemption process
until a FOIA request is received. When
it is received, the agency is asked to defend the information’s
confidentiality, and is not required to inform the originator if it believes it
has enough information to proceed.
Critical
infrastructure threat and vulnerability information voluntarily shared with the
government should be given the same protections as government classified
information. HR 2435, the Cyber
Security Information Act, and S 1456, the Critical Infrastructure Information
Security Act, are attempts to provide very narrowly written exemptions for
infrastructure threat and vulnerability information shared with the government. Congressmen Tom Davis and Jim Moran and Senators Robert
Bennett and Jon Kyl have been working on combining the language of the two
bills. I urge the Committee to
endorse this language.
Detractors
claim that these new exemptions would provide walls behind which companies could
hide environmental accidents and hazards, or that companies would use them to
violate citizens’ or employee privacy. Neither
claim is true. Industry wants the
exemption language written narrowly so as to cover only infrastructure threat
and vulnerability information, and welcomes specific exclusions covering spills
or other environmental accidents. Industry
wants to share critical information with the government in a trusted working
environment. Let’s remove the
exemption ambiguity in the current law and start sharing information with each
other so that we can deter a digital 9-11 before it happens.
The other side of the information-sharing coin is
information from the government to the private sector.
This process also needs work. Industry
is generally dissatisfied with the quality and timeliness of cyber security
information flowing from the government. One
example will serve to illustrate the problem.
The Klez.H worm began proliferating on April 17 this year.
The IT-ISAC issued an advisory on that day, and the CERT Coordination
Center (CERT/CC) at Carnegie Mellon University posted its
alert on April 19. The NIPC
advisory was not issued until April 29, 12 days later, and there was no new
information in that alert. This
does not mean that the NIPC isn’t doing everything it can to release
information. On the contrary, they
participate in daily conference calls with at least two ISACs, and strive to
overcome their intelligence classification and law enforcement sensitivity
problems that are not present in the private sector.
Delays in NIPC reporting may be due to protecting intelligence sources
and methods, or because they decide not to repeat information already disclosed
by the private sector or CERT/CC. Removing
the FOIA barrier to information exchange will open up the private sector as an
unclassified source of valuable information for NIPC and others working hard to
protect the country.
Regarding intelligence and law enforcement
agencies, the proposal does not clarify jurisdiction issues between CIA, FBI,
Secret Service, and other organizations that could be involved in cyber
investigations. Private industry
appreciates choice in its service suppliers.
However, many companies do not know under what circumstances nor whom to
call when they suspect cybercrime in their networks. Industry needs clear information about the various agencies
regarding their programs, jurisdictions, competencies, and points of contact.
Conclusion
The PCIS and I think the proposed Homeland
Security Department is vital to providing needed focus to the area of Critical
Infrastructure Assurance for America. There
is still much opportunity, as we move forward together, to remove redundancy,
improve communication, and clarify roles—organizing to support commerce is
vital to our economic and national security.
It is vitally important to make progress in developing processes and
providing legislative support to facilitate sharing of security information and
alerts between government and the private sector.
It is also important to improve information sharing from the government
to industry, and to clarify jurisdiction among the myriad intelligence and law
enforcement agencies involved in cyber security and cyber investigations.
Finally, I encourage you to leverage existing expertise in the National
Security Telecommunications Advisory Committee, the ISACs, and the PCIS as you
shape this new, much-needed Department. However
the government organizes itself, we in the private sector stand ready to assist
any way we can.
On behalf of the PCIS and our 80 member
companies, I would like to thank you for your time today.
I’ll be glad to answer any questions you may have.
Notes
US Bureau of Labor Statistics, “Productivity and Costs, First Quarter 2002, Revised,” USDL 02-318, May 31, 2002.
Barton Gellman, “Cyber-Attacks by Al Qaeda Feared: Terrorists at Threshold of Using Internet as Tool of Bloodshed, Experts Say,” Washington Post, Thursday, June 27, 2002, Page A01.