THE WHITE HOUSE Office of the Press Secretary ________________________________________________________________ For Immediate Release May 22, 1998 PRESS BRIEFING BY RICHARD CLARKE, NATIONAL COORDINATOR FOR SECURITY, INFRASTRUCTURE PROTECTION, AND COUNTER-TERRORISM; AND JEFFREY HUNKER, DIRECTOR OF THE CRITICAL INFRASTRUCTURE ASSURANCE OFFICE The Briefing Room 3:50 P.M. EDT MR. RUBIN: This is a briefing on the initiatives the President announced earlier today in Annapolis. The briefers will be Richard Clarke, the National Coordinator for Security, Infrastructure Protection and Counter-terrorism; and Jeffrey Hunker, Director of the Critical Infrastructure Assurance Office. Thanks. MR. CLARKE: Thank you. I'll keep this brief. You heard the President's speech in Annapolis, and you've seen the text. The announcements are based on two national security directives that he signed yesterday, and you have fact sheets on those. Let me just run through quickly the three components that come out of those two directives. One, created the system of program management for security issues and counter-terrorism issues. Program management that focuses on lead agencies, lead agencies being clearly identified, what agency has the responsibility for the federal government to lead the interagency process on each issue relevant to security and counter-terrorism. The lead agency should in turn then identify a program plan with goals and specific milestones. The second element, and the subject of PDD 63, is critical infrastructure protection, or cyber-security. For the first time, a President said that critical infrastructure protection, cyber-security, was a national security issue. He called for the creation of a national protection plan over the course of the next three years to raise our defenses against cyber-attack. And he called for a unique, and in his words, genuine private-public partnership, because the critical infrastructure which could be attacked, the electrical power grids, the telecommunications grids, are privately owned and operated. And therefore the government cannot unilaterally create a defensive structure for critical infrastructure. Moreover, the government doesn't have the solution. The government, under the President's directive, will work cooperatively with the private sector to develop the National Protection Plan. We're not saying we have the answers; we're looking forward to a genuine partnership with the private sector to develop the answers. The third element of the two directives was an initiative on weapons of mass destruction consequence management, particularly biological weapons. And there are four elements to that. First, the improvement of a national surveillance system based on the public health system around the country to detect and diagnose not only emerging infectious diseases but also a possible biological weapons use. Secondly, a response capability to give local authorities the equipment, the training necessary to deal with an emergency involving biological weapons or chemical weapons. Thirdly, a program for the first time to procure stockpile around the country for the civilian population -- vaccinations and specialized medicines to protect against biological weapons. And the fourth element, a research and development program focusing on genome mapping of pathogens so that we'll be able to use the new techniques in bioengineering and genetic engineering to develop better medicines and better vaccinations to protect against the new advances in biological warfare that can occur using genetic engineering. So those are the three elements of the program. We have issued fact sheets on all of them, but we'll be glad to take any questions you might have. Q What kinds of vaccines and special medicines are going to be stockpiled? MR. CLARK: The President has asked the Secretary of Health and Human Services to come back with an answer to those questions in the very near future. In the discussions to date, HHS -- which really is the expert on this, and I would refer you to -- but HHS has focused on medicines designed to deal with anthrax and with smallpox. Q Anthrax and smallpox? MR. CLARK: Primarily. Q Could you say what companies have agreed -- private companies have agreed to take part? MR. CLARK: There have been no discussions today with private companies. The government is right now sizing the requirement, developing a specific requirement level and a multi-year program plan. And it would be inappropriate at this point to have discussions with any companies. Q Have you got any kind of cost figure for this? MR. CLARK: That's part of what the President has asked HHS to develop, and the Office of Management and Budget is working with them to develop, in the very near future, a multi-year phased plan that would perhaps begin with funds this year but certainly would stretch out over the course of several years. Q Will the infrastructure -- the government-based infrastructure groups have information that is not available to the public, and how will they decide what people in the private sector are entitled to this information and which Americans aren't entitled to this information? MR. CLARK: I think it's actually more the other way around. The private sector is going to have information that the government doesn't have. Let me explain why I say that. The private sector is where the critical infrastructure is -- the telephone nets, the electric power grids. They will know far better than the government when they're being attacked, when they're being probed, what their vulnerabilities are. And so what we're really trying to do is establish a system whereby they are willing to share with the government what might be proprietary information, what might be information that's protected by privacy rights. We understand those sensitivities, but we also know that unless there's a partnership between the government and the private sector, they may not be able to develop and design a defense system to protect themselves against critical infrastructure cyber-attack. So there's going to have to be a sharing; we're going to have to work it out. But the information will at least be flowing in two directions -- I think primarily from the private sector to the government. Q Was there a secret drill a few months ago about how to respond to a chemical weapons attack? Can you talk about that for a little bit? MR. CLARK: There was an exercise -- a tabletop as we call it -- which means nothing happened in the real world; everyone involved was around the table -- there was a tabletop exercise last month to examine what might happen in a biological weapons incident. And the purpose of those kind of exercises -- we've had them now for the last four or five years; in fact last year's was on cyber-attack; this year's was on biological weapons -- they're designed primarily to identify roles and missions. You say to a group from 12 or 13 agencies, if this happened who would do what? And you start getting very interesting answers and identify possible conflicts in roles and missions, or in some cases you identify that it's not clear that anybody thinks it's their responsibility. That was the thrust of the exercise. It was very useful. As a result of it, the Attorney General has tasked some studies. The Defense Department is doing some. It's the kind of thing that we do routinely, but they're very productive. Q The President said today that intentional attacks against our critical systems already are underway. He was talking about cyber-systems there I think. Is he just talking about hackers who are mischievous, perhaps malicious, or is he talking about actual terrorists who are already doing that kind of thing? MR. CLARKE: When there is an attempt to crack into a computer system, it's very difficult to know where it's originating. The point of origin that shows up on the incoming message may not in fact be the actual point of origin. It's possible to spoof the computer so that it thinks it's coming from one place, in fact it's coming from somewhere else. There is also a technique where you can bounce through several computers. It can originate in one, bounce to another, bounce to another, bounce to another, and then do the attack. So we know that every day in the United States there are hundreds of attempts to do nonauthorized intrusions. Are they for purposes of vandalism? Are they for purposes of industrial espionage? Or are they for purposes of doing reconnaissance of systems for a possible future attack? It's very difficult to know. And one of the things that the President's initiative hopes to create is a system whereby we can find out what is the baseline on a day-to-day basis, who is doing the attacking, and for what purpose. MR. HUNKER: One of the key conclusions of the President's commission that laid the intellectual framework for the President's announcement today was that while we certainly have a history of some real attacks, some very serious, to our cyber- infrastructure, the real threat lay in the future. And we can't say whether that's tomorrow or years hence. But we've been very successful as a country and as an economy in wiring together our critical infrastructures. This is a development that's taken place really over the last 10 or 15 years -- the Internet, most obviously, but electric power, transportation systems, our banking and financial systems. And as we get increased connectivity, each of these systems becomes increasingly vulnerable not only to attacks directly against it, but also to the secondary effects of attacks that might affect a system elsewhere -- very similar to what we saw with the kind of cascading collapse of electric power in the West last year. We could see that also on the electronic basis as well. So we certainly have threats and a history of threats that's out there, but the real challenge and the real concern is for the future. Q Do you have any evidence that the Chinese government might have been behind the recent hacker attack, penetration of the Pentagon? MR. CLARKE: I think any particular hacker attack is best discussed either with the Pentagon or the Justice Department. One thing that we should make clear is that the White House involvement in critical infrastructure is at the policy level; It is not at the operational level. And it's not just inappropriate for us to answer questions about specific attacks, we really often don't know. Q Is there going to be legislation proposed in connection with these directives, or does the President have all the authority he needs just on an executive basis? MR. CLARKE: As I said, the President has asked the Office of Management and Budget to work with the Department of Health and Human Services to look at a multi-year program on the biological weapons protection front, and that will undoubtedly result in some appropriations. In terms of new authorities, the Attorney General has asked her staff to look at the biological weapons issue to see if there are new authorities -- legislative authorities needed. And part of the work that Jeffrey's office will be doing with the Justice Department on the cyber side is trying to see whether or not new legislative authority is needed to do cyber-protection. Q Is there any way to protect against the satellite failure that we had a couple of days ago? MR. CLARKE: Well, we don't really know yet what happened. At least I don't know what happened. And until we do, it's going to be a little difficult to say how you could protect against that. I think we're best waiting to see what happened. That's a clear case of the private sector being critical to our national infrastructure. A satellite owned and operated entirely by a private company, and nonetheless having an enormous effect nationwide as a single point of failure. It's a very good example of how there are single points of failure that we don't even know about because of the growth of our infrastructure, the rapid growth of our infrastructure, and the fact that, frankly, we haven't been thinking as a nation about the critical infrastructure, the vulnerability of it, the fragility of it, the interdependence that has been generated over the course of the last five or 10 years. Q When I was asking you about private industry cooperation, I was talking about in terms of infrastructure protection. I thought that Dell and some other companies, Bell South, IBM, you had had discussions with them. Is that not true? MR. CLARKE: In the course of the President's commission work last year, the President's commission had discussions with hundreds of private companies, in the telecommunications area, the electric power area, the computer area. Yes, absolutely. And what we're hoping to do now is to continue that dialogue to find out from them what they think their vulnerabilities are, to help them assess what their vulnerabilities are, and to find if there isn't a way for us together, government and private sector, to coordinate our efforts in research and development, to coordinate our efforts in information sharing, so that we can raise higher the barriers of defense for critical infrastructure and cyber-security nationwide. Q But you don't consider that as part of this effort. It's not going on now. MR. CLARKE: It was underway throughout the work of the President's commission. Now that the President has issued this national security directive calling for a public-private partnership, it will be underway again. MR. HUNKER: Let me add to that. Critical infrastructure is unique in that we have interest from the Defense Department and the defense community, the intelligence and the law enforcement community, but this is also an economic agenda as well. The safe, efficient, secure functioning of electronic and information technologies is a prime foundation, is a critical foundation, for the economic growth that we've had. There are statistics that suggest over the last five years that 25 or more percent of the economic growth we've seen has come out of information technologies. So, when we talk in terms of critical infrastructure protection and cyber-protection, we're talking first and foremost about good business practices for the companies and the industries that are providing jobs through information technologies. We're also similarly talking about the fact that it is, in most cases, those very same private infrastructures that are providing the basis for much of our national defense. I've seen the statistic -- I don't know where it came from -- that suggests that 95 percent of all the Defense Department telecommunications requirements are coming off of private networks. This gives you a sense in terms of the real unity between our national security interests, traditionally defined, and our economic security interests, and the real melding of the two. Q There seems to be something of an interface between what you're talking about and what Treasury has been talking about regarding the way that the markets operate today and the tremendous amount of money that's moving back and forth. I was wondering if these kinds of problems entered into your considerations -- you mentioned the connection between economics and national security -- and how you viewed that situation, how to protect against attacks on the U.S. financial system? MR. CLARKE: Well, Jeffrey is probably better situated to answer that question, but I'll joint point out, as it says in the fact sheet, in the President's directive, what he calls for is a public-private partnership sector by sector throughout the economy. And he identifies specific sectors. One of them is banking and finance. And he designates the Treasury Department to be the federal lead in organizing the U.S. government effort to talk to the banking and financing sector and work out mutually a way of improving their cyber-defenses. Thank you. END 4:05 P.M. EDT