Statement of

Mr. Chairman, it is an honor to appear before you here today to talk with you about the National Plan for Information Systems Protection, Version 1.0. This Subcommittee has shown exceptional leadership on the matter of critical infrastructure assurance. I am grateful for the opportunity to discuss the Administration’s efforts to achieve President Clinton’s goal of establishing a full operational capability to defend the critical infrastructures of the United States by 2003 against deliberate attacks aimed at significantly disrupting the delivery of services vital to our nation’s defense, economic security, and the health and safety of its people. This cannot be done without the support and participation of the Congress.

I. Introduction
The
Information Age has fundamentally altered the nature and extent of our
dependency on these infrastructures.
Increasingly, our Government, economy, and society are being
connected into an ever expanding and interdependent digital nervous system
of computers and information systems.
With this interdependence comes new vulnerabilities. One person
with a computer, a modem, and a telephone line anywhere in the world can
potentially break into sensitive Government files, shut down an airport's
air traffic control system, or disrupt 911 services for an entire
community. The threats posed
to our critical infrastructures by hackers, terrorists, criminal
organizations and foreign Governments are real and growing.
The need to assure delivery of critical services over our
infrastructures is not only a concern for the national security and
federal law enforcement communities, it is also a growing concern for the
business community, since the security of information infrastructure is a
vital element of E-commerce. Drawing
on the full breadth of expertise of the federal government and the private
sector is therefore essential to addressing this matter effectively. President Clinton
has increased funding on critical infrastructure substantially during the
past three years, including a 15% increase in the FY2001 budget proposal
to $2.0 billion. He has also developed and funded new initiatives to
defend the nation's computer systems from cyber attack. In
the 22 months since the President signed Presidential Decision Directive
63, we have made significant progress in protecting our critical
infrastructures. In response to the President’s call for a national plan
to serve as a blueprint for establishing a critical infrastructure
protection (CIP) capability, the National Plan for Information Systems
Protection was released last month. It represents the first attempt by
any national Government to design a way to protect those infrastructures
essential to the delivery of electric power, oil and gas, communications,
transportation services, banking and financial services, and vital human
services. Increasingly, these
infrastructures are being operated and controlled through the use of
computers and computer networks. The
current version of the Plan focuses mainly on the domestic efforts being
undertaken by the Federal Government to protect the Nation’s critical
cyber-based infrastructures. Later
versions will focus on the efforts of the infrastructure owners and
operators, as well as the risk management and broader business community.
Subsequent versions will also reflect to a greater degree the
interests and concerns expressed by Congress and the general public based
on their feedback. That is
why the Plan is designated Version 1.0 and subtitled An
Invitation to a Dialogue -- to indicate that it is still a work in
progress and that a broader range of perspectives must be taken into
account if the Plan is truly to be “national” in scope and treatment.
II. The Plan: Overview and Highlights
President
Clinton directed the development of this Plan to chart the way toward the
attainment of a national capability to defend our critical infrastructures
by the end of 2003. To meet
this ambitious goal, the Plan establishes 10 programs for achieving three
broad objectives. They are:
Objective 1: Prepare and Prevent: Undertake those steps necessary to minimize the possibility of a significant and successful attack on our critical information networks, and build an infrastructure that remains effective in the face of such attacks.

Program 1 calls for the Government and the private sector to identify significant assets, interdependencies, and vulnerabilities of critical information networks from attack, and to develop and implement realistic programs to remedy the vulnerabilities, while continuously updating assessment and remediation efforts.

Objective 2: Detect and Respond: Develop the means required to identify and assess attacks in a timely way, contain such attacks, recover quickly from them, and reconstitute those systems affected.

Program 2
will install multi-layered protection on sensitive computer systems,
including advanced firewalls, intrusion detection monitors, anomalous
behavior identifiers, enterprise-wide management systems, and malicious
code scanners. To protect critical Federal systems, computer security
operations centers will receive warnings from these detection devices, as
well as Computer Emergency Response Teams (CERTs) and other means, in
order to analyze the attacks, and assist sites in defeating attacks.

Program 3 will develop robust intelligence and law enforcement capabilities to protect critical information systems,
consistent with the law. It
will assist, transform,
and strengthen U.S. law enforcement and intelligence Agencies to be able
to deal with a new kind of threat and a new kind of criminal -- one that
acts against computer networks.

Program 4 calls for a more effective nationwide system to share attack
warnings and information in a timely manner.
This includes improving information sharing within the Federal
Government and encouraging private industry, as well as state and local
Governments, to create Information
Sharing and Analysis Centers (ISACs), which would share information among
corporations and state and local Governments, and could receive warning
information from the Federal Government.
Program 4 additionally calls for removal of existing legal
barriers to information sharing.

Program 5 will create capabilities for response, reconstitution, and recovery
to limit an attack while it is underway and to build into corporate and
Agency continuity and recovery plans the ability to deal with information
attacks. The goal for
Government and the recommendation for industry is that every critical
information system have a recovery plan in place that includes provisions
for rapidly employing additional defensive measures (e.g., more stringent
firewall instructions), cutting off or shutting down parts of the network
under certain predetermined circumstances (through enterprise-wide
management systems), shifting minimal essential operations to “clean”
systems, and quickly reconstituting affected systems.

Objective 3: Build Strong Foundations: Take all actions necessary to create and support the Nation’s commitment to Prepare and Prevent and to Detect and Respond to attacks on our critical information networks.

Program 6 will systematically establish research requirements and priorities needed
to implement the Plan, ensure funding, and create a system to ensure that
our information security technology stays abreast with changes in the
threat environment.

Program 7 will survey the numbers of people and the skills required for information security specialists within the Federal Government and the private sector, and take action to train current Federal IT workers and recruit and educate additional personnel to meet shortfalls.

Program 8 will explain publicly the need to act now, before a catastrophic event, to improve our ability to defend against deliberate cyber-based attacks.

Program 9 will develop the legislative framework necessary to support initiatives
proposed in other programs. This action requires intense cooperation
within the Federal Government, including Congress, and between the
Government and private industry.

Program 10
builds mechanisms to highlight and address privacy issues in the
development of each and every program.
Infrastructure assurance goals must be accomplished in a manner that maintains, and even strengthens, Americans’ privacy and civil liberties. The Plan outlines nine specific solutions, which include
consulting with various communities; focusing on and highlighting the
impact of programs on personal information; committing to fair information
practices and other solutions developed by various working groups in
multiple industries; and working closely with Congress to ensure that each
program meets standards established in existing Congressional protections. I
would like to highlight a few of the programs in the remainder of my
testimony. In these programs,
the Administration seeks to accomplish two broad aims of the Plan – the
establishment of the U.S. Government as a model of infrastructure
protection, and the development of a public-private partnership to defend
our national infrastructures.

A. The Federal Government as a Model of Information Security

We often say that more than 90% of our critical
infrastructures are neither owned nor operated by the Federal Government.
Partnerships with the private sector and state and local
governments are therefore not just needed, but are the fundamental aspect
of critical infrastructure protection.
Yet, the President rightly challenged the Federal Government in
PDD-63 to serve as a model for critical infrastructure protection – to
put our own house in order first. Given the complexity of this issue, we need to take advantage
of the breadth of expertise within the Federal Government to ensure that
we enlist those Agencies with special capabilities and relationships with
private industry to the fullest measure in pursuit of our common goal. The Federal component of the National Plan is
presented in two sections, one describing the efforts of civilian Federal
Departments and Agencies to protect their critical systems, the other
describing the efforts of the Department of Defense.
Given its mission to defend the Nation, the Defense Department has
been among the first to respond to the challenge of protecting its own
infrastructure. It serves as
a model for other Departments and Agencies; its programs merit separate
and detailed attention. Accordingly, I will limit my remarks to CIP efforts
being undertaken by civilian Federal Departments and Agencies, deferring
to Assistant Secretary of Defense Money on matters relating to Defense
Department’s programs. The President has developed and provided full or
pilot funding for the following key initiatives designed to protect the
federal Government's computer systems:
Federal Computer Security Requirements and Government Infrastructure Dependencies.
One component of this effort supports aggressive, Government-wide
implementation of federal computer security requirements and analysis of
vulnerabilities. Thus, in support of the release of the National Plan, the
President announced his intent to create a permanent Expert Review Team (ERT)
at the Department of Commerce’s National Institute of Standards and
Technology (NIST). The ERT
will be responsible for helping Agencies identify vulnerabilities, plan
secure systems, and implement Critical Infrastructure Protection Plans.
Pursuant to existing Congressional authorities and administrative
requirements, the Director of the team would consult with the Office of
Management and Budget and the National Security Council on the team’s
plan to protect and enhance computer security for Federal Agencies.
The President’s Budget for FY2001 will propose $5 million for the
ERT. Under PDD-63, the President directed the CIAO to
coordinate analyses of the U.S. Government’s own dependencies on
critical infrastructures. Many
of the critical infrastructures that support our nation’s defense and
security are shared by a number of Agencies.
Even within Government, critical infrastructure outages may cascade
and unduly impair delivery of critical services.
The CIAO is coordinating an interagency effort to develop a more
sophisticated identification of critical nodes and systems, and to
understand their impact on national security, national economic security,
and public health and safety Government-wide.
These efforts support the work of the ERT in identifying
vulnerabilities of the Government’s information infrastructures, and
provide valuable input to Agencies for planning secure computer systems
and implementing computer security plans.
This research, when complete, will permit the Federal Government to
identify and redress its most significant critical infrastructure
vulnerabilities first, and provide the necessary framework for well
informed critical infrastructure protection policy making and budget
decisions.

Federal Intrusion Detection Network (FIDNet).
PDD-63 marshals Federal Government resources to
improve interagency cooperation in detecting and responding to significant
computer intrusions into civilian Government critical infrastructure
nodes. The program – much
like a centralized burglar alarm system – would operate within
long-standing, well-established legal requirements and Government policies
covering privacy and civil liberties.
FIDNet is intended to protect information on critical, civilian
Government computer systems, including that provided by private citizens.
It will not monitor or be wired into private sector computers.
All aspects of the FIDNet will be fully consistent with all laws
protecting the civil liberties and privacy rights of Americans. To support this effort, the Administration will
propose funding in the President’s FY2001 Budget ($10 million) to create
a centralized intrusion detection and response capability at the General
Services Administration (GSA). This capability will function in concert
with GSA’s Federal Computer Incident Response Capability, and assist
Federal Agencies to:
FIDNet is intended to promote confidence in users of Federal civilian computer systems. It is important to recognize that FIDNet has a graduated system for response and reporting: attack and intrusion information would be gathered and analyzed by home-Agency experts. Only data on system anomalies would be forwarded to
GSA for further analysis. Thus, intrusion detection would not become a
pass-through for all information to the Federal Bureau of Investigation or
other law enforcement entities. Law
enforcement would receive information about computer attacks and
intrusions only under long-standing legal rules – no new authorities are
implied or envisioned by the FIDNet program. One additional benefit of Government-wide intrusion
detection is to improve computer intrusion reporting and the sharing of
incident information consistent with existing government computer security
policy. Various authorities
require Agencies to report criminal intrusions to appropriate law
enforcement personnel, which include the National Infrastructure
Protection Center. FIDNet will support law enforcement’s
responsibilities where cyber-attacks are of a criminal nature or threaten
national security. In short, FIDNet will:
· be run by the GSA, not the FBI;
· not monitor any private network traffic;
· confer no new authorities on any Government Agency; and
· be fully consistent with privacy law and practice.

Federal Cyber Services (FCS).
One
of the nation’s strategic shortcomings in protecting our critical
infrastructures is a shortage of skilled information technology (IT)
personnel. Within IT, the shortage of information systems security
personnel is acute. The Federal Government’s shortfall of skilled information
systems security personnel amounts to a crisis. This shortfall reflects a
scarcity of university graduate and undergraduate information security
programs and the inability of the Government to provide the salary and
benefit packages necessary to compete with the private sector for these
highly skilled workers. In attacking this problem through the Federal
Cyber Services initiative
described below, we are leveraging the initial efforts made by the Defense
Department, National Security Agency, and some other Federal Agencies. The President’s Budget for FY2001 will propose $25 million
for this effort. The
Federal Cyber Services training and education initiative, highlighted by
the President at the Plan’s release, introduces five programs to help
solve the Federal IT security personnel problem.
· a study by the Office of Personnel Management to identify and develop competencies for federal information technology (IT) security positions, and the associated training and certification requirements.
· the development of Centers of IT Excellence to establish competencies and certify current Federal IT workers and maintain their information security skill levels throughout their careers.
· the creation of a Scholarship for Service (SFS) program to recruit and educate the next generation of Federal IT managers by awarding scholarships for the study of information security, in return for a commitment to work for a specified time for the Federal Government. This program will also support the development of information security faculty.
· the development of a high school outreach and awareness program that will provide a curriculum for computer security awareness classes and encourage careers in IT fields.
· the development and implementation of a Federal Information Security awareness curriculum aimed at ensuring computer security literacy throughout the entire Federal workforce.

Research and Development.
A key component to our ability to protect our critical infrastructures
now and in the future is a robust research and development plan.
As part of the structure established by PDD-63, the interagency
Critical Infrastructure Coordination Group (CICG) created a process to
identify technology requirements in support of the Plan. Chaired by the
Office of Science and Technology Policy (OSTP), the Research and Development Sub-Group works with Agencies and
the private sector to:
· gain agreement on requirements and priorities for information security research and development;
· coordinate among Federal Departments and Agencies to ensure the requirements are met within departmental research budgets and to prevent waste or duplication among departmental efforts;
· communicate with private sector and academic researchers to prevent Federally funded R&D from duplicating prior, ongoing, or planned programs in the private sector or academia; and
· identify areas where market forces are not creating sufficient or adequate research efforts in information security technology.

That process, begun in 1998, has helped focus efforts on coordinated cross-government critical infrastructure protection research. Among the priorities identified by the process are:
· technology to support large-scale networks of intrusion detection monitors;
· artificial intelligence and other methods to identify malicious code (trap doors) in operating system code;
· methodologies to contain, stop, or eject intruders, and to mitigate damage or restore information-processing services in the event of an attack or disaster;
· technologies to increase network reliability, system survivability, and the robustness of critical infrastructure components and systems, as well as the critical infrastructures themselves; and
· technologies to model infrastructure responses to attacks or failures; identify interdependencies and their implications; and locate key vulnerable nodes, components, or systems.

The
President’s Budget for FY2001 will propose $606 million across all
Agencies for critical infrastructure related R&D investment. The
need exists, however, to coordinate R&D efforts not just across the
federal Government, but between the public and private sectors as well.
A fundamentally important initiative that has the ability to pull
disparate pieces of the national R&D community into closer
relationships is the Institute for Information Infrastructure Protection
(I3P), an organization created to identify and fund research
and technology development to protect America's cyberspace from attack or
other failures. I will
discuss this in detail when I address Public-Private Partnership issues.
Public Key Infrastructure.
Protecting critical infrastructures in the Federal
Government and private sectors requires development of an interoperable
public key infrastructure (PKI). A PKI enables data integrity, user
identification and authentication, user non-repudiation, and data
confidentiality through public key cryptography by distributing digital
certificates (essentially electronic credentials) containing public keys,
in a secure, scalable, and reliable manner. The potential of PKI has
inspired numerous projects and pilots throughout the Federal Government
and private sectors. The Federal Government has actively promoted the
development of PKI technology and has developed a strategy to integrate
these efforts into a fully functional Federal PKI.
The President’s Budget for FY2001 will propose $7 million to
ensure development of an interoperable Federal PKI. To achieve the
goal of an integrated Federal PKI, and protect our critical
infrastructures, the Federal Government is working with industry to
implement the following program of activities:
· Connect Agency-wide PKIs into a Federal PKI: DoD, NASA, and other Government Agencies are actively implementing Agency-wide PKIs to protect their internal critical infrastructures. While a positive step, these isolated PKIs do not protect infrastructures that cross Agency boundaries. Full protection requires an integrated, fully functional PKI.
· Connect the Federal PKI with Private Sector PKIs: Private sector groups are actively developing their own PKIs as well. While a positive step, these isolated PKIs do not protect infrastructures that cross Government or industry sector boundaries.
· Encouraging development of interoperable Commercial Off-the-Shelf (COTS) PKI Products: Limitation to a single vendor’s solution can be a serious impediment, as most organizations have a heterogeneous computing environment. Consumers must be able to choose COTS PKI components that suit their needs.
· Validating the Security of Critical PKI Components: Protecting critical infrastructures requires sound implementation. The strength of the security services provided to the critical infrastructures depends upon the security of the PKI components. Validation of the security of PKI components is needed to ensure that critical infrastructures are adequately protected. NIST is pursuing a validation program for PKI components.
· Encouraging Development of PKI-Aware Applications: To encourage development of PKI-aware applications, the Government is working with vendors in key application areas. One example is the secure electronic mail projects that have been performed jointly with industry.

B. Public-Private Partnership

Inter-dependent computer networks are an
integral part of doing business in the Information Age.
America is increasingly dependent upon computer networks for
essential services, such as banking and finance, emergency services,
delivery of water, electricity and gas, transportation, and voice and data
communications. New ways of
doing business in the 21st century are rapidly evolving. Business is increasingly relying on E-commerce for its
commercial transactions as well as for its critical operations. At the same time, recent hacking attempts at some of the most
popular commercial Web sites underscore that America’s information
infrastructure is an attractive target for deliberate attack or sabotage.
These attacks can originate from a host of sources, such as
terrorists, criminals, hostile nations, or the equivalent of car thief “joyriders.”
Regardless of the source, however, the potential for cyber damage
to our national security and economy is evident. The infrastructures at risk are owned and
operated by the private sector. The
use of information technology is so embedded in the core operations and
customer service delivery systems of industry that inevitably, it will be
they who must work together to take the steps necessary to protect
themselves. We can help. The first major step is the elevation of awareness across
industry of the “business case for action” for leaders within
industry. They have a
commercial interest in maintaining a secure business environment that
assures public confidence in their institutions.
We can also help identify problems, good practices in management
policies and strategies, and publicize them, encourage planning, promote
research and development, convene meetings.
In short, we can act as a catalyst for industry to mobilize.
A strategy of cooperation and partnership between
the private sector and the U.S. Government to protect the Nation’s
infrastructure is the linchpin of this effort.
The President is committed to building partnerships with the
private sector to protect our computer networks through the following
initiatives:
Institute for Information Infrastructure Protection (I3P).
The Institute would identify and address serious R&D
gaps that neither the private sector nor the Government's national
security community would otherwise address, but that are necessary to
ensure the robust, reliable operation of the national information
infrastructure. The President
announced he would propose initial funding of $50 million for the
Institute in his FY2001 Budget. Funding would be provided through the
Commerce Department's National Institute of Standards and Technology (NIST)
to this organization. The Institute was first proposed by the scientists and
corporate officials who served on the President's Committee of Advisors on
Science and Technology, and supported by leading corporate Chief
Technology Officers.

Partnership for Critical Infrastructure Security.
Last
month, Commerce Secretary Daley met with senior representatives from over
120 major corporations, many Fortune 500, representing owners and
operators of critical infrastructures, their suppliers, and their
customers, to organize a Partnership for Critical Infrastructure Security.
Industry has taken the lead on this effort, and is actively
pursuing ways to assure their ability to deliver critical services.
The Partnership will explore ways in which industry and Government can
work together to address the risks to the nation’s critical
infrastructures. Federal Lead
Agencies are currently building partnerships with individual
infrastructure sectors in private industry, including communications,
banking and finance, transportation, and energy.
The Partnership will serve as a forum in which to draw these
individual efforts together to facilitate a dialogue on cross-sector
interdependencies, explore common approaches and experiences, and engage
other key professional and business communities that have an interest in
infrastructure assurance. By
doing so, the Partnership hopes to raise awareness and understanding of,
and to serve, when appropriate, as a catalyst for action among, the owners
and operators of critical infrastructures, the risk management and
investment communities, other members of the business community, and state
and local Governments.
National Infrastructure Assurance Council (NIAC).
President Clinton established the NIAC by Executive Order
13130 on July 14, 1999. When
fully constituted, it will consist of up to 30 leaders in industry,
academia, the privacy community, and state and local Government. The NIAC will provide advice and counsel to the President on
a range of policy matters relating to critical infrastructure assurance,
including the enhancement of public-private partnerships, generally.
III. Conclusion
In
conclusion, the National Plan is an important step forward.
My staff and I are committed to building on this promising
beginning, coordinating the Government’s efforts into an integrated
program for critical infrastructure protection in support of the National
Coordinator for Security, Infrastructure Protection, and
Counter-Terrorism, and the Federal Government, generally.
We have much work left to do, and I hope to work with the members
of this committee, indeed with the Congress as a whole, as we wrestle with
this developing field. I look
forward to your questions.