May 22, 1998
PRESS BRIEFING BY RICHARD CLARKE, NATIONAL COORDINATOR FOR SECURITY, INFRASTRUCTURE PROTECTION, AND COUNTER-TERRORISM; AND JEFFREY HUNKER, DIRECTOR OF THE CRITICAL INFRASTRUCTURE ASSURANCE OFFICE
THE WHITE HOUSE
Office of the Press Secretary
________________________________________________________________
For Immediate Release May 22, 1998
PRESS BRIEFING BY
RICHARD CLARKE,
NATIONAL COORDINATOR FOR
SECURITY, INFRASTRUCTURE PROTECTION, AND COUNTER-TERRORISM;
AND JEFFREY HUNKER,
DIRECTOR OF THE CRITICAL INFRASTRUCTURE ASSURANCE OFFICE
The Briefing Room
3:50 P.M. EDT
MR. RUBIN: This is a briefing on the initiatives the
President announced earlier today in Annapolis. The briefers will be
Richard Clarke, the National Coordinator for Security, Infrastructure
Protection and Counter-terrorism; and Jeffrey Hunker, Director of the
Critical Infrastructure Assurance Office. Thanks.
MR. CLARKE: Thank you. I'll keep this brief. You
heard the President's speech in Annapolis, and you've seen the text.
The announcements are based on two national security directives that
he signed yesterday, and you have fact sheets on those. Let me just
run through quickly the three components that come out of those two
directives.
One, created the system of program management for
security issues and counter-terrorism issues. Program management
that focuses on lead agencies, lead agencies being clearly
identified, what agency has the responsibility for the federal
government to lead the interagency process on each issue relevant to
security and counter-terrorism. The lead agency should in turn then
identify a program plan with goals and specific milestones.
The second element, and the subject of PDD 63, is
critical infrastructure protection, or cyber-security. For the first
time, a President said that critical infrastructure protection,
cyber-security, was a national security issue. He called for the
creation of a national protection plan over the course of the next
three years to raise our defenses against cyber-attack. And he
called for a unique, and in his words, genuine private-public
partnership, because the critical infrastructure which could be
attacked, the electrical power grids, the telecommunications grids,
are privately owned and operated. And therefore the government
cannot unilaterally create a defensive structure for critical
infrastructure.
Moreover, the government doesn't have the solution. The
government, under the President's directive, will work cooperatively
with the private sector to develop the National Protection Plan.
We're not saying we have the answers; we're looking forward to a
genuine partnership with the private sector to develop the answers.
The third element of the two directives was an
initiative on weapons of mass destruction consequence management,
particularly biological weapons. And there are four elements to
that.
First, the improvement of a national surveillance system
based on the public health system around the country to detect and
diagnose not only emerging infectious diseases but also a possible
biological weapons use.
Secondly, a response capability to give local
authorities the equipment, the training necessary to deal with an
emergency involving biological weapons or chemical weapons.
Thirdly, a program for the first time to procure
stockpile around the country for the civilian population --
vaccinations and specialized medicines to protect against biological
weapons.
And the fourth element, a research and development
program focusing on genome mapping of pathogens so that we'll be able
to use the new techniques in bioengineering and genetic engineering
to develop better medicines and better vaccinations to protect
against the new advances in biological warfare that can occur using
genetic engineering.
So those are the three elements of the program. We have
issued fact sheets on all of them, but we'll be glad to take any
questions you might have.
Q What kinds of vaccines and special medicines are
going to be stockpiled?
MR. CLARK: The President has asked the Secretary of
Health and Human Services to come back with an answer to those
questions in the very near future. In the discussions to date, HHS
-- which really is the expert on this, and I would refer you to --
but HHS has focused on medicines designed to deal with anthrax and
with smallpox.
Q Anthrax and smallpox?
MR. CLARK: Primarily.
Q Could you say what companies have agreed -- private
companies have agreed to take part?
MR. CLARK: There have been no discussions today with
private companies. The government is right now sizing the
requirement, developing a specific requirement level and a multi-year
program plan. And it would be inappropriate at this point to have
discussions with any companies.
Q Have you got any kind of cost figure for this?
MR. CLARK: That's part of what the President has asked
HHS to develop, and the Office of Management and Budget is working
with them to develop, in the very near future, a multi-year phased
plan that would perhaps begin with funds this year but certainly
would stretch out over the course of several years.
Q Will the infrastructure -- the government-based
infrastructure groups have information that is not available to the
public, and how will they decide what people in the private sector
are entitled to this information and which Americans aren't entitled
to this information?
MR. CLARK: I think it's actually more the other way
around. The private sector is going to have information that the
government doesn't have. Let me explain why I say that. The private
sector is where the critical infrastructure is -- the telephone nets,
the electric power grids. They will know far better than the
government when they're being attacked, when they're being probed,
what their vulnerabilities are. And so what we're really trying to
do is establish a system whereby they are willing to share with the
government what might be proprietary information, what might be
information that's protected by privacy rights. We understand those
sensitivities, but we also know that unless there's a partnership
between the government and the private sector, they may not be able
to develop and design a defense system to protect themselves against
critical infrastructure cyber-attack.
So there's going to have to be a sharing; we're going to
have to work it out. But the information will at least be flowing in
two directions -- I think primarily from the private sector to the
government.
Q Was there a secret drill a few months ago about how
to respond to a chemical weapons attack? Can you talk about that for
a little bit?
MR. CLARK: There was an exercise -- a tabletop as we
call it -- which means nothing happened in the real world; everyone
involved was around the table -- there was a tabletop exercise last
month to examine what might happen in a biological weapons incident.
And the purpose of those kind of exercises -- we've had
them now for the last four or five years; in fact last year's was on
cyber-attack; this year's was on biological weapons -- they're
designed primarily to identify roles and missions. You say to a
group from 12 or 13 agencies, if this happened who would do what? And
you start getting very interesting answers and identify possible
conflicts in roles and missions, or in some cases you identify that
it's not clear that anybody thinks it's their responsibility.
That was the thrust of the exercise. It was very
useful. As a result of it, the Attorney General has tasked some
studies. The Defense Department is doing some. It's the kind of
thing that we do routinely, but they're very productive.
Q The President said today that intentional attacks
against our critical systems already are underway. He was talking
about cyber-systems there I think. Is he just talking about hackers
who are mischievous, perhaps malicious, or is he talking about actual
terrorists who are already doing that kind of thing?
MR. CLARKE: When there is an attempt to crack into a
computer system, it's very difficult to know where it's originating.
The point of origin that shows up on the incoming message may not in
fact be the actual point of origin. It's possible to spoof the
computer so that it thinks it's coming from one place, in fact it's
coming from somewhere else. There is also a technique where you can
bounce through several computers. It can originate in one, bounce to
another, bounce to another, bounce to another, and then do the
attack.
So we know that every day in the United States there are
hundreds of attempts to do nonauthorized intrusions. Are they for
purposes of vandalism? Are they for purposes of industrial
espionage? Or are they for purposes of doing reconnaissance of
systems for a possible future attack? It's very difficult to know.
And one of the things that the President's initiative hopes to create
is a system whereby we can find out what is the baseline on a
day-to-day basis, who is doing the attacking, and for what purpose.
MR. HUNKER: One of the key conclusions of the
President's commission that laid the intellectual framework for the
President's announcement today was that while we certainly have a
history of some real attacks, some very serious, to our cyber-
infrastructure, the real threat lay in the future. And we can't say
whether that's tomorrow or years hence. But we've been very
successful as a country and as an economy in wiring together our
critical infrastructures. This is a development that's taken place
really over the last 10 or 15 years -- the Internet, most obviously,
but electric power, transportation systems, our banking and financial
systems.
And as we get increased connectivity, each of these
systems becomes increasingly vulnerable not only to attacks directly
against it, but also to the secondary effects of attacks that might
affect a system elsewhere -- very similar to what we saw with the
kind of cascading collapse of electric power in the West last year.
We could see that also on the electronic basis as well. So we
certainly have threats and a history of threats that's out there, but
the real challenge and the real concern is for the future.
Q Do you have any evidence that the Chinese
government might have been behind the recent hacker attack,
penetration of the Pentagon?
MR. CLARKE: I think any particular hacker attack is
best discussed either with the Pentagon or the Justice Department.
One thing that we should make clear is that the White House
involvement in critical infrastructure is at the policy level; It is
not at the operational level. And it's not just inappropriate for us
to answer questions about specific attacks, we really often don't
know.
Q Is there going to be legislation proposed in
connection with these directives, or does the President have all the
authority he needs just on an executive basis?
MR. CLARKE: As I said, the President has asked the
Office of Management and Budget to work with the Department of Health
and Human Services to look at a multi-year program on the biological
weapons protection front, and that will undoubtedly result in some
appropriations. In terms of new authorities, the Attorney General
has asked her staff to look at the biological weapons issue to see if
there are new authorities -- legislative authorities needed. And
part of the work that Jeffrey's office will be doing with the Justice
Department on the cyber side is trying to see whether or not new
legislative authority is needed to do cyber-protection.
Q Is there any way to protect against the satellite
failure that we had a couple of days ago?
MR. CLARKE: Well, we don't really know yet what
happened. At least I don't know what happened. And until we do,
it's going to be a little difficult to say how you could protect
against that. I think we're best waiting to see what happened.
That's a clear case of the private sector being critical to our
national infrastructure. A satellite owned and operated entirely by
a private company, and nonetheless having an enormous effect
nationwide as a single point of failure. It's a very good example of
how there are single points of failure that we don't even know about
because of the growth of our infrastructure, the rapid growth of our
infrastructure, and the fact that, frankly, we haven't been thinking
as a nation about the critical infrastructure, the vulnerability of
it, the fragility of it, the interdependence that has been generated
over the course of the last five or 10 years.
Q When I was asking you about private industry
cooperation, I was talking about in terms of infrastructure
protection. I thought that Dell and some other companies, Bell
South, IBM, you had had discussions with them. Is that not true?
MR. CLARKE: In the course of the President's commission
work last year, the President's commission had discussions with
hundreds of private companies, in the telecommunications area, the
electric power area, the computer area. Yes, absolutely. And what
we're hoping to do now is to continue that dialogue to find out from
them what they think their vulnerabilities are, to help them assess
what their vulnerabilities are, and to find if there isn't a way for
us together, government and private sector, to coordinate our efforts
in research and development, to coordinate our efforts in information
sharing, so that we can raise higher the barriers of defense for
critical infrastructure and cyber-security nationwide.
Q But you don't consider that as part of this effort.
It's not going on now.
MR. CLARKE: It was underway throughout the work of the
President's commission. Now that the President has issued this
national security directive calling for a public-private partnership,
it will be underway again.
MR. HUNKER: Let me add to that. Critical
infrastructure is unique in that we have interest from the Defense
Department and the defense community, the intelligence and the law
enforcement community, but this is also an economic agenda as well.
The safe, efficient, secure functioning of electronic and information
technologies is a prime foundation, is a critical foundation, for the
economic growth that we've had. There are statistics that suggest
over the last five years that 25 or more percent of the economic
growth we've seen has come out of information technologies.
So, when we talk in terms of critical infrastructure
protection and cyber-protection, we're talking first and foremost
about good business practices for the companies and the industries
that are providing jobs through information technologies. We're also
similarly talking about the fact that it is, in most cases, those
very same private infrastructures that are providing the basis for
much of our national defense. I've seen the statistic -- I don't
know where it came from -- that suggests that 95 percent of all the
Defense Department telecommunications requirements are coming off of
private networks. This gives you a sense in terms of the real unity
between our national security interests, traditionally defined, and
our economic security interests, and the real melding of the two.
Q There seems to be something of an interface between
what you're talking about and what Treasury has been talking about
regarding the way that the markets operate today and the tremendous
amount of money that's moving back and forth. I was wondering if
these kinds of problems entered into your considerations -- you
mentioned the connection between economics and national security --
and how you viewed that situation, how to protect against attacks on
the U.S. financial system?
MR. CLARKE: Well, Jeffrey is probably better situated
to answer that question, but I'll joint point out, as it says in the
fact sheet, in the President's directive, what he calls for is a
public-private partnership sector by sector throughout the economy.
And he identifies specific sectors. One of them is banking and
finance. And he designates the Treasury Department to be the federal
lead in organizing the U.S. government effort to talk to the banking
and financing sector and work out mutually a way of improving their
cyber-defenses.
Thank you.
END 4:05 P.M. EDT