1998 Congressional Hearings
Intelligence and Security


 

STATEMENT OF

Dr. Jeffrey A. Hunker
Director
Critical Infrastructure Assurance Office

Mr. Chairman, members of Subcommittees, ladies and gentlemen, I am Jeffrey Hunker, Director of the Critical Infrastructure Assurance Office (CIAO). I am pleased to be here today to provide remarks on the Administration's initiatives to protect ourthe nation's critical infrastructures.

Americans expect their light switches, telephones, and ATM machines to work. But, more and more, we are living in a new digital economy, where basic services depend on computer systems that are interdependent. With this interdependence has come new vulnerabilities. One person with a computer, a modem, and a telephone line anywhere in the world can potentially break into sensitive government files, shut down an airport/s's air traffic control system, or cause a power outage in an entire region.

This Administration has been in the lead in promoting the availability to all Americans of new information technologies. At the same time, the President has recognized that we must focus not just on information connection, but also on information protection.

On May 22, 1998,, the President in his remarks to the graduating class at the Naval Academy in Annapolis, outlined two new Presidential Directives to combat international terrorism and attacks on our computer networks and other critical systems upon which our society depends. He emphasized the increasing challenges to our society from non-traditional threats, and noted "that (a)s we approach the 21st century, our foes have extended the fields of battle - from physical space to cyberspace……Rather than invading our beaches or launching bombers, these adversaries may attempt cyber attacks against our critical military systems and our economic base."… Hesaid added that "(i)f our children are to grow up safe and free, we must approach these new twenty-first century threats with the same rigor and determination that we applied to the toughest security challenges of this century."

The President 's two new directives are PDD-62, which contains major initiatives to combat international terrorist threats, including threats to our critical infrastructures, and PDD-63, which is devoted entirely to protecting the nation's critical infrastructures from physical and cyber threats. In my remarks today, I would like to discuss PDD-63 and share with you the goals the President established for securingour the nation's infrastructures, and the milestones and mechanisms he has established for achieving these goals.

Let me note that protecting the nation's infrastructures has long been a policy of the United States, and past studies have identified certain vulnerabilities and challenges. In 1996, the President established the President's Commission on Critical Infrastructure Protection (PCCIP) to bring together previous efforts and provide him a comprehensive assessment of the nation's vulnerabilities, and to recommend remedial actions. The Commission concluded that there is not an immediate threat of national crisis, but was convinced that vulnerabilities are increasing steadily and that means to exploit those weaknesses are readily available. It recommended that a number of practical measures and mechanisms be urgently undertaken before we are confronted with a national crisis.

PDD-63 - SUBSTANCE AND SIGNIFICANCE

PDD-63 identifies critical infrastructure protection as a national security priority. PDD-63's intent is to put in place a process that will take the necessary measures to eliminate any significant vulnerability to both physical and cyber attacks on our critical infrastructures, including especially our cyber-based systems. This provides us with new challenges.

First, although physical threats are real and must be dealt with in new ways, the threat of cyber attack -- from a single computer and telephone connected to the Internet anywhere in the world -- presents a unique, cutting-edge challenge. Second, because over 90 percent of our critical infrastructures are privately operated, even a full court press by the U.S. Government will not succeed unless we can convince private industry to join with us to devise a national plan to protect our infrastructures. Never before in any other area have economic, law enforcement and traditional national security issues been so intertwined. And to add to the difficulties not only are our infrastructures privately operated but also they are interconnected and interdependent, so that an attack on one can have reverberations in others.

PDD-63 establishes a national commitment of protection within 5 years and an interim security capability by the year 2000. The commitment involves establishing the capability to manage and isolate intentional disruptions, thereby limiting the impact of such actions on our national security, defense, and welfare. In order to achieve this goal, several mechanisms will be developed to facilitate better understanding and closer cooperation between all levels of government and infrastructure developers, owners and operators.

PDD-63 calls for a new mechanism to coordinate critical infrastructure protection planning within the government. The PDD establishes a Critical Infrastructure Coordination Group, which will be one of four interagency groups established by

PDD-62 as a comprehensive new structure to address counter-terrorism issues. A newly appointed National Coordinator for Security, Infrastructure Protection and Counter-terrorism, designated in PDD-62, will chair all four interagency groups. Agency participation will be at the Assistant Secretary level or above.

PDD-63 establishes several other mechanisms for the government and encourages the private sector to create its own mechanism(s) for information sharing and cooperation. The PDD creates a national planning office -- the Critical Infrastructure Assurance Office. The PDD also establishes the National Infrastructure Protection Center, an interagency Center at the FBI -- whose mission is to gather threat and vulnerability information from all sources, disseminate analyses and warnings of threats to both government and private sector consumers, and provide the focal point for coordinating the Federal Government's response to an incident, mitigating attacks, and investigating threats and attacks.

PDD-63 calls for the development of sector plans in each sector of our critical infrastructure. It calls for appointment of a senior Liaison Official in each government agency responsible for a specific infrastructure, and for that individual to identify and work with a private Sector Coordinator, or Coordinators, to develop a plan that is specifically tailored to address the unique facets of each infrastructure. For example, the Department of Energy will work with the energy sector; the Department of Transportation will work with the transportation sector, and so forth. These teams will identify those critical components, which, if attacked, would result in serious degradation to the respective sector. Working together, government and private industry will develop a plan to eliminate significant vulnerabilities as well as contain and minimize the impact of any actual attack.

PDD-63 calls for development of a national plan drawing on the sector plans to be coordinated by the Critical Infrastructure Assurance OfficeCIAO. At a minimum, this plan will include the following six elements:

1. An initial vulnerability assessment, followed by periodic updates, for each sector of the economy and each sector of the government that might be a target of an attack.

2. A remedial plan to mitigate intentional exploitation of identified vulnerabilities.

3. A national center to warn of significant infrastructure attacks.

4. A plan for responding to in-progress attacks in order to isolate and minimize damage, as well as to effect immediate restoration of essential services.

5. An education and awareness program to sensitize individuals to the importance of security.

6. Federally sponsored research and development that will help develop and disseminate technologies to minimize our vulnerabilities.

PDD-63 calls for the Federal Government to lead by example in securing its own systems. As we are well aware, this will be a major challenge. We have significant capabilities in security information management areas. We also have significant vulnerabilities in those same areas. We must develop better practices, including government-wide information security standards, to reduce our vulnerability to attack. This will result in Federal Government information and networks that are better protected from unauthorized intrusion, disruption, or modifications. The management procedures developed and recognized as "best practices" could then be shared with private industry.

PDD-63 calls for establishment of a public-private partnership to accomplish its goals. This is a crucial component of this effort. As envisioned by the PDD, this partnership will demand a new level of trust, cooperation, and mutual understanding between the government and private sector.

PDD-63 calls for appointment of functional coordinators to address cross-cutting issues. The PDD calls for the Departments of State, Defense, Justice/FBI and the Central Intelligence Agency to take the lead in addressing issues of foreign affairs; national defense; law enforcement and internal security; and foreign intelligence, respectively. For example, PDD-63 recognizes that infrastructure protection cannot succeed as only a domestic effort, since the threat may come from anywhere in the world. The Department of State will develop a plan to build on efforts already underway to expand cooperation with friendly and like-minded governments, institutions and multinational corporations to address internationally the multifaceted problems of critical infrastructure protection. As you are aware, elevated sensitivities to terrorism threats over the past several years have resulted in increased government efforts to protect our national critical infrastructures. In 1995, Presidential Decision Directive 39 tasked the Attorney General to review the vulnerability of infrastructures to terrorist attacks and to provide the President with options for protecting key assets. In December 1995, the Attorney General convened the Critical Infrastructure Working Group, a small working entity of senior government representatives, to address this issue.

The recommendations of the Critical Infrastructure Working Group were incorporated into Executive Order 13010, issued in July, 1996. This Executive Order established the President's Commission on Critical Infrastructure Protection (PCCIP), which was comprised of private sector and senior government representatives. Its mission included assessing the scope and nature of infrastructure threats and vulnerabilities; and, recommending a comprehensive national policy and implementation strategy for protecting critical infrastructures from physical and cyber threats. The Commission completed its work in October, 1997, initially reporting its findings in a report titled Critical Foundations, Protecting America's Infrastructures, to the National Security Council (NSC).

Subsequently, the NSC convened an Interagency Working Group (IWG) to review the PCCIP report, and other expert sources, in order to prepare a coordinated perspective on the methodologies that could be best utilized to protect our infrastructures. Throughout this IWG process, several concepts were identified time and time again as critical elements of any comprehensive effort to protect the flow of essential goods and services upon which we have come to depend.

STRATEGIC OBJECTIVES

Underlying these actions called for by the PDD are five strategic objectives:

Building a Public-Private Partnership: We need an effective partnership between government and infrastructure owners and operators, with increased sharing of information relating to infrastructure threats, vulnerabilities, and the interdependencies. The fact is, right now, best practices as to how to protect against cyber attacks, and information about real or potential threats, are frequently not shared between companies, and between those in the private and public sectors who could act on the knowledge.

We will better organize the government to meet these needs. We will consult with owners and operators to encourage the creation of a private sector Information Sharing and Analysis Center (ISAC), including identifying possible methods of providing federal assistance to facilitate ISAC start-up. We will also work to remove administrative, organizational, and legal impediments to information sharing, including concerns about l____liability and information classification, as well as improved protection for industry trade secrets and other confidential business data.

On May 22 of this year, President Clinton signed Presidential Decision Directive 63, Critical Infrastructure Protection. The PDD incorporates the IWG's work, and articulates the Administration's policy for protecting our infrastructures from intentional disruptive acts. This includes the goals of establishing an initial operating capability to protect our infrastructures no later than the year 2000; and, establishing and maintaining the capability to manage and geographically isolate disruptions, to ensure minimal detriment to our national welfare, within five years. In order to accomplish this end-state, the PDD delineates several strategic objectives; mandates leadership responsibilities, and, establishes formal structures to effectively implement associated programs.

The most critical component of the PDD is the strategic objective to promote a partnership between government and infrastructure owners and operators. This partnership will facilitate increased sharing of information relating to infrastructure threats, vulnerabilities, and interdependencies. The anticipated benefit will be an active program which exchanges information on anomalous activities and suspicious incidents, as well as distributes meaningful integrated analyses of government and private sector data, on an almost real-time basis to appropriate decision-makers. Activities delineated in the PDD that will facilitate achieving this objective include:

Developing and implementing a sector Vulnerability Education and Awareness Program.

Consulting with owners and operators to encourage creation of a private sector Information Sharing and Analysis Center (ISAC), including identifying possible methods of providing federal assistance to facilitate ISAC start-up.

Establishing the National Infrastructure Protection Center (NIPC) to provide a focal point for gathering information on threats and issuing warnings.

Developing methodologies that will remove administrative, organizational, and legal impediments to the information sharing process, including liability issues, the necessity of information classification, as well as improved protection for industry trade secrets and other confidential business data. And,

Establishing formal structures that will facilitate effective partnership and encourage private industry participation in development of a national policy for infrastructure assurance; identify the capabilities and responsibilities of federal agencies for infrastructure continuity; and enhance national incident planning, response, mitigation, and restoration activities.

Paramount to establishing these structures is the appointment of a National Coordinator for Security, Infrastructure Protection, and Counterterrorism. The National Coordinator will be responsible for integrating infrastructure issues into the national security venue; ensuring interagency coordination for policy development Education and Awareness: We need to educate and inform decision-makers and private industry, government, and the general public about infrastructure assurance, especially the importance of protecting their own information. Universities and schools need to develop a broader base of information assurance technical talent, and integrate a sharper focus on computer ethics and advanced information security technology in education programs. As part of a continuing national awareness campaign to develop national strategies for enhancing infrastructure security, we plan to help organize a series of White House conferences for education and awareness; and the National Academy of Science and the National Academy of Engineering will sponsor roundtables of federal, state and local officials, as well as industry and academic leaders.

Promote "Best Practices": The Federal Government should lead through example by protecting its information and networks from unauthorized intrusion, disruption or modification, and sharing these "best practices" with private industry. The actions that support this objective will include: vulnerability analyses for each sector of the economy and Federal Government; infrastructure assurance simulations involving senior public and private officials; assistance by the Department of Commerce, the General Services Administration, and the Department of Defense for Federal agencies to implement "best practices" for information assurance; consultations to propose and develop ways to encourage private industry to perform periodic risk assessments of critical processes, including information and telecommunications systems; and the Department of Commerce and the Department of Defense, working together with the private sector, offering their expertise to develop security-related best practice standards.

Examine Legislative and Legal Issues: There shall be an evaluation of the executive branch's legislative authorities and budgetary priorities regarding critical infrastructures. The evaluations and recommendations, if any, will be coordinated within OMB. Also, we will consult with and seek input from the Congress on approaches and programs meeting the objectives of PDD-63. We believe this effort will increase the effectiveness of Federal infrastructure assurance and protection.

Enhance Research and Development: We need effective, efficient research and development efforts, coordinated among government entities and with the private sector, to develop and disseminate the technologies required for infrastructure protection. This objective will be accomplished through a research and development agenda, subject to multi-year planning and taking into account private sector research, to manage funding and minimize infrastructure vulnerabilities on a rapid but achievable timetable. For example, the Department of Defense has requested $69.9 million FY99 funding to continue their research efforts at protecting their infrastructures. This committee has been very supportive of the Department of Defense's efforts, and has fully funded their request. We thank you for that continued support.

THE ROLE OF THE CRITICAL INFRASTRUCTURE ASSURANCE OFFICE

The strategic objectives which I have just enumerated were extracted, to a large extent, from the recommendations contained in the PCCIP Critical Foundations report. The expertise which contributed to this report has been effectively integrated into the efforts to implement Finally, I would like to briefly outline the role of the Critical Infrastructure Assurance Office, of which I am director. PDD-63 calls for a national plan coordination office, which we have named the Critical Infrastructure Assurance Office. PDD-63 charges this Office with integrating the various sector plans into a National Infrastructure Assurance Plan and coordinating analyses of the U.S. Government's own dependencies on critical infrastructures. The Office will also assist in coordinating a national education and awareness program as well as associated legislative and public affairs.

To put it succinctly, I see the Critical Infrastructure Assurance Office as the engine that will help drive the train of the development of the national plan. We have been fortunate to be able to take advantage of the unique expertise and talent of the former commissioners and staff of the President's Commission on Critical Infrastructure Protection. We hope to assist the National Coordinator to achieve the creation of a successful national plan to protect the nation's critical infrastructures from intentional, debilitating attacks.

The office is currently being supported by the Department of Defense as the Executive Agent. Beginning in Fiscal Year 1999, the CIAO will become an office within the Department of Commerce. At this time, the office is scheduled to terminate at the end of FY 2001, concurrent with the development of the capability to protect our critical infrastructures from intentional, debilitating attacks.

In conclusion, I would like to emphasize that PDD-63 provides a workable and innovative foundation from which to build a capability to protect our critical infrastructures. But like any foundation, it requires an extensive amount of understanding, cooperation, and coordination among all participants. We welcome your interest, assistance and wisdomI would like to solicit your assistance in this endeavor of national importance. I again wish to , and to again express my appreciation for this opportunity to address the subcommittees. your group.

Mr. Chairman, thank you for your interest in the complex issues involving infrastructure protection. At this time, I will be pleased to answer any questions.