Hearing before the

Senate Judiciary Committee

Subcommittee on Technology, Terrorism and Government Information

October 6, 1999

Statement of

John S. Tritak

Director

Critical Infrastructure Assurance Office

Mr. Chairman, Madame Ranking Member, members of the Subcommittee, ladies and gentlemen, it is an honor to appear before you here today to discuss the challenges facing our Nation in the area of critical infrastructure protection. This Subcommittee has shown exceptional leadership on these issues, and I am grateful for the opportunity to work closely with you and the Congress to find ways to advance infrastructure assurance for all Americans. We all recognize that no viable solutions will be discovered or implemented without the executive and legislative branches working together for our national good.

I. Introduction

America has long depended on a complex of systems – or critical infrastructures – to assure the delivery of services vital to its national defense, economic prosperity, and social well-being. These infrastructures include telecommunications, electric power, oil and gas delivery and storage, banking and finance, transportation, and vital human and government services.

The information age has fundamentally altered the nature and extent of our dependency on these infrastructures. Increasingly, our government, economy and society are being connected together into an ever expanding and interdependent digital nervous system of computers and information systems. With this interdependence comes new vulnerabilities. One person with a computer, a modem, and a telephone line anywhere in the world can potentially break into sensitive government files, shut down an airport's air traffic control system, or cause a power outage in an entire region.

The threats posed to our critical infrastructures by hackers, terrorists, criminal organizations and foreign governments are real and growing. The nature of these threats will be addressed by Mr. Vatis of the National Infrastructure Protection Center (NIPC).

Before I discuss the initiatives the Administration is undertaking to secure our nation’s critical infrastructures, I would like to discuss the historical context within which PDD-63 arose.

In the early 1990s, events such as the 1995 bombing of the Murrah Federal Building in Oklahoma City demonstrated that the federal government needed to address new types of threats and vulnerabilities – many of which the nation was unprepared to defend against.

In response to this tragedy, and other events, the Administration formed an inter-agency working group to examine the nature of the threat, our vulnerabilities, and possible long-term solutions for this aspect of our national security. The Critical Infrastructure Working Group (CIWG), chaired by then Deputy Attorney General Jamie Gorelick, and including representatives from the Defense, Intelligence, and national security communities, identified both physical and cyber threats and recommended formation of a Presidential Commission to address more thoroughly many of these growing concerns.

In July 1996, in response to the CIWG recommendation, President Clinton signed Executive Order 13010 establishing the President’s Commission on Critical Infrastructure Protection (PCCIP or, the Commission). After examining infrastructure issues for over a year, the Commission issued its report, Critical Foundations, Protecting America’s Infrastructures, drawing at least four significant conclusions:

First, critical infrastructure protection is central to our national defense, including national security and national economic power;

Second, growing complexity and interdependence between critical infrastructures may create increased possibility that rather minor and routine disturbances can cascade into national security emergencies;

Third, vulnerabilities are increasing steadily and the means to exploit weaknesses are readily available; practical measures and mechanisms, the commission argued, must be urgently undertaken before we are confronted with a national crisis; and

Fourth, laying a foundation for security will depend on new forms of cooperation with the private sector, which owns and operates many of these critical infrastructure facilities.

II. PDD-63 - Overview

After releasing the PCCIP report, the Administration worked to incorporate these and other recommendations into Presidential Decision Directive 63, which was issued in May 1998.

Most importantly, PDD-63 recognizes the need for a Public-Private Partnership to face these critical issues. The directive specifies sectors of the national infrastructure, primarily in the private sector, that provide critical services or functions. It designates lead agencies in the Federal Government to work as liaisons with their respective sectors to build partnerships. PDD-63 additionally recognizes that the traditional areas of national defense, foreign affairs, intelligence, and law enforcement are fundamental to infrastructure protection, are inherently the domain of the government, and stipulates that sector coordinators be designated for these areas from the associated government agencies.

PDD-63 established the position of National Coordinator for Security, Infrastructure Protection, and Counter Terrorism to orchestrate these efforts. The PDD lays out specific tasks that must be accomplished, time lines for doing so, and organizations for carrying out these missions. Key amongst them are the National Infrastructure Protection Center (NIPC), directed by Mr. Vatis, and the National Plan Coordination Staff – now called the Critical Infrastructure Assurance Office (CIAO) – which I have the honor of directing.

PDD-63 focuses the nation’s efforts on aspects of critical and immediate importance -- and I emphasize that these must be the efforts of the whole nation, for success will come only from the efforts of the private sector, state and local governments, and the Federal Government working together in an integrated and cooperative manner. Our efforts fall in three broad categories.

A. Defense and Intelligence Components

The first is the Federal Government agencies involved in defense and intelligence efforts. The armed forces and intelligence agencies have requirements and systems that are unique to their special role. This has long been recognized in law, in the way we structure these organizations, and in our national philosophy. Their efforts are, as would be expected from the sensitive and well established nature of their mission, much further along in achieving critical infrastructure protection than those of the other parts of the Federal Government. In many ways they have set the example for other agencies’ efforts, and they currently share their experiences and advise on how the rest of the government might proceed. Their contribution has been very important in shaping the policy and programmatic reality the rest of the government is currently trying to establish. Mr. Richard Schaeffer, Director of the Information and Infrastructure Assurance Office for the Defense Department, has submitted a statement for the record on this and other matters, so, in the cause of brevity, I will refer you to it and cover their efforts no further.

B. Government as Model

The second category of effort can be called “Government as a Model.” We often say that more than 90% of our critical infrastructures are neither owned nor operated by the Federal Government. Partnerships with the private sector and State and Local Governments are therefore not just needed, but are the fundamental aspect of critical infrastructure protection. Yet, the President rightly challenged the Federal Government in PDD-63 to serve as a model for critical infrastructure protection – to put our own house in order first. As such, the Administration has focused what might appear to be a disproportionate amount of our effort early in the process on doing this by establishing a coordinated and integrated approach across the Federal Government.

Federal Computer Security Requirements and Government Infrastructure Dependencies

One component of this effort supports aggressive, government-wide implementation of federal computer security requirements. Thus, in support of PDD-63, the President forwarded to Congress a request for a FY 2000 budget amendment that would enhance computer security and critical infrastructure protection in the Federal Government. This proposal would fund a permanent 15-member team at the Department of Commerce’s National Institute of Standards and Technology (NIST) responsible for helping Agencies identify vulnerabilities, plan secure systems, and implement Critical Infrastructure Protection Plans. The budget amendment would also establish an operational fund at NIST for computer security projects among Federal Agencies, including independent vulnerability assessments, computer intrusion drills, and emergency funds to cover security fixes for systems identified to have unacceptable security risks. Among others, the Director of the team would consult with the Office of Management and Budget and the National Security Council on the team’s plan to protect and enhance computer security for Federal Agencies.

Under PDD-63, the President directed the CIAO to coordinate analyses of the US Government’s own dependencies on critical infrastructures. Many of the critical infrastructures that support our nation’s defense and security are shared by multiple agencies. Even within government, then, critical infrastructure outages may cascade and unduly impair delivery of critical services. The CIAO is coordinating an interagency effort to develop a more sophisticated identification of critical nodes and systems and their impact on national security government-wide. These efforts will support the work of the ERT in identifying vulnerabilities of the government’s computer infrastructures, planning secure computer systems, and implementing computer security plans. This research, when complete, will provide important information to maximize national security research and development, budgeting, and for implementing Federal computer security requirements and critical infrastructure planning within each agency.

Federal Intrusion Detection Network (FIDNET)

PDD-63 marshals resources to improve interagency cooperation in detecting, and in responding to computer intrusions into civilian government critical infrastructure nodes. To support this effort, the Administration recently sent to Congress a FY2000 Budget Amendment to create a centralized intrusion detection and response capability in the General Services Administration (GSA). Through the use of additional staff and enhanced technology, Federal Agencies will improve upon their abilities to:

detect computer attacks and unauthorized intrusions;

share attack warnings and related information across agencies; and

respond to attacks.

This amendment would provide GSA funds to pay for additional technology and personnel dedicated to intrusion detection and response. The additional personnel would improve Federal Agencies’ ability to detect attacks, analyze data, and communicate attack information more swiftly, building on the existing Federal Computer Incident Response Capability (FedCIRC). The additional technology, in the form of state-of-the-art intrusion detection systems, would ensure a consistent capability in Agencies to protect critical systems.

The program – much like a centralized burglar alarm system -- would operate within legal requirements and Government policy concerning privacy, civil liberties, and promoting confidence in users of Federal civilian computer systems. Attack and intrusion information would be gathered and analyzed by Agency experts. Only data on system anomalies would be forwarded to GSA for further analysis.

Neither the Federal Bureau of Investigation nor other law enforcement entities would receive information about the computer attacks and intrusions -- except under long-standing legal rules and where an Agency determines there is sufficient indication of illegal conduct. Also, private entities will not be wired to the FIDNet – no private sector entity is part of this civilian government program.

In short, FIDNet will be run by the GSA, not the FBI; will not monitor any private networks or email traffic; will confer no new authorities on any government agency; and will be fully consistent with privacy law and practice.

Education and Training

One of the nation’s important shortcomings in our efforts to protect our critical infrastructures is a shortage of skilled information technology (IT) personnel. Within the subset of information systems security personnel, the shortage is acute. Within the Federal Government, the lack of skilled information systems security personnel amounts to a crisis. This shortfall of workers reflects a scarcity of university graduate and undergraduate information security programs. In attacking this problem, we will leverage the initial efforts made by the Defense Department, National Security Agency, and some Federal Agencies.

The Federal Cyber Services (FCS) training and education initiative introduces five programs to help solve the Federal IT security personnel problem.

The Completion of an Office of Personnel Management IT occupational study. This study will help identify the number of IT security positions in the Federal Government, and the training and certification requirements for these positions.

The development of Center(s) for Information Technology Excellence (CITE). These Centers will train and certify current Federal IT security personnel and maintain their skill levels throughout their careers. It will leverage the significant progress made by the Defense Department and other federal agencies on this issue.

The creation of a Scholarship for Service (SFS) program to recruit and educate the next generation of Federal IT security workers and managers. This program will fund up to 300 students per year in their pursuit of undergraduate or graduate degrees in the IT security field. In return, the students will serve in the Federal IT workforce for a fixed period following graduation. The program will also have a meaningful summer work and internship element. An important part of the SFS program is the need to identify universities for participation in the program and assist in the development of IT security faculty and laboratories at these universities.

The development of a high school recruitment and training initiative. This program would identify promising high school students for participation in summer work and internship programs that would lead to certification to Federal IT workforce standards and possible future employment. This effort will also examine possible programs to promote computer security awareness in secondary and high school classrooms.

The development and implementation of a Federal INFOSEC awareness curriculum. This awareness effort is aimed at ensuring the entire Federal workforce is developing computer security literacy. It will leverage several outstanding existing federal agency awareness programs.

Research and Development

A key component to our ability to protect our critical infrastructures now and in the future is a robust research and development plan. The interagency Critical Infrastructure Coordination Group (CICG) has created a process to identify technology requirements in support of the Plan. Chaired by the Office of Science and Technology Policy (OSTP), the Research and Development Sub-Group works with Agencies and the private sector to:

gain agreement on requirements and priorities for information security research and development;

coordinate among Federal Departments and Agencies to ensure the requirements are met within departmental research budgets and to prevent waste or duplication among departmental efforts;

communicate with private sector and academic researchers to prevent Federally funded R&D from duplicating prior, ongoing, or planned programs in the private sector or academia; and

identify areas where market forces are not creating sufficient or adequate research efforts in information security technology.

That process, begun in 1998, led to the Administration budget request for FY2000 of $500M for critical infrastructure protection research. Among the priorities identified by the process are:

technology to support large-scale networks of intrusion detection monitors;

artificial intelligence and other methods to identify malicious code (trap doors) in operating system code;

methodologies to contain, stop, or eject intruders, and to mitigate damage or restore information-processing services in the event of an attack or disaster;

technologies to increase network reliability, system survivability, and the robustness of critical infrastructure components and systems, as well as the critical infrastructures themselves; and

technologies to model infrastructure responses to attacks or failures; identify interdependencies and their implications; and locate key vulnerable nodes, components, or systems.

C. Public-Private Partnership

Thirdly, and as discussed above, one of the most important components of PDD-63 implementation is the development of collaborative partnerships among and between the private sector, state and local governments, and the Federal Government. The importance of this effort cannot be overstated and is made clear by considering just a few scenarios. If the natural gas delivery system you rely on for heat and cooking fails in January due to an attack on the computer systems that direct its operations, you will take small comfort in the fact that the Federal Government has a critical infrastructure protection plan in place. In fact, all our efforts to put the Federal Government’s house in order and to serve as a model for industry will be of little service if our government information systems are impossible to break into, but the electrical power that they operate on is shut down by malicious actions of a foreign government. The list of examples goes on and on, and none of these systems is owned or operated by the Federal Government.

These vignettes put the situation in perspective – we are faced with a fascinating and challenging problem. This is the first time I am aware of in our national history that by creating policy and expending resources, the Federal Government cannot alone solve a national security problem. So what are we doing about it? If by “we” you understand “the government” then the answer must necessarily be unsatisfactory – because the government alone cannot protect the nation’s infrastructures. But if by “we” you understand “the nation” – the Federal Government in a coordinated and integrated effort with state and local government, industry, academia and other concerned groups – then I am happy to report that we have made a good beginning, and are developing a strong future.

Just last Friday, Treasury Secretary Summers announced the formation of the Financial Sector Information Sharing and Analysis Center – “ISAC” for short. ISACs are private sector owned and operated entities that serve as focal points for their associated sector of the economy. Because they are defined individually by their member organizations, they will not all be identical. They are, however, all to be the coordinating and analyzing body for cyber attacks on their specific sector. I want to emphasize that these ISACs are neither set up, nor supervised by the Federal Government, although the Federal Government will assist these critical sectors in setting up their ISAC, through the Sector Liaisons, if asked. The government will share what information we can on cyber attacks with the ISACs to help them protect their sector, and we will encourage them to share appropriately sanitized information with us to help us protect government agencies and functions. But this sharing from ISACs to government will be on an entirely voluntary basis, both in amount of information and the level of detail. No requirement exists or will exist that mandates information sharing.

While these ISACs would work within the sectors of the economy that own and operate critical infrastructure, as stipulated in PDD-63, this is not intended to be limiting. Other sectors or groupings within industry could establish ISACs, and we would assist them in this. Furthermore, practically every aspect of our nation relies on critical infrastructures. This makes CIP a fundamentally important issue for not just those companies that own and operate critical infrastructure, but also for those that rely on it to do business. They can and must have a voice in this public/private partnership.

Recently, the President issued an Executive Order establishing a National Infrastructure Assurance Council (NIAC). This Presidential advisory body will be comprised of leaders from the Private Sector, State and Local governments, and the Federal Government. It will examine key aspects of critical infrastructure assurance, and report to the President.

The final indispensable members of this partnership are state and local governments. They have the fundamentally important roles of providing and regulating many if not most essential services. They are the front line forces in the event of disasters or attacks on infrastructures. Some have moved quite far in their critical infrastructure protection efforts – New Mexico, for example, under the direction of Dr. Dan O’Neil, has a very strong and growing critical infrastructure protection partnership with key private sector entities. Furthermore, we have long had strong relationships with state and local governments on specific issues related to critical infrastructure protection, such as state and local emergency management organizations with FEMA, and state and local law enforcement agencies through the FBI and other national law enforcement agencies. This area is one in which much work remains to be done, and I look forward to working with each Congressional Delegation as we define the issues and solutions.

III. Conclusion

In conclusion, much has been done since PDD-63 was issued in 1998. My staff and I are committed to building on this promising beginning, coordinating the government’s efforts into an integrated holistic program for critical infrastructure protection under the direction of the National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism. We have much work left to do, and I look forward to working with the members of this committee, indeed with the Congress as a whole, as we wrestle with this developing field and implement solutions. I look forward to your questions.