07 January 2000
(The economy, cybersecurity, Information Systems Security Education, FY-2001 budget proposal, cyber-security/G.I. Bill, National Infrastructure Advisory Committee) (4380) White House Chief of Staff John Podesta, Secretary of Commerce Bill Daley, NSC Staff Counter-Terrorism Coordinator Dick Clarke, and James Madison University President Linwood Rose all briefed. Following is the White House transcript: (begin transcript) THE WHITE HOUSE Office thess Press Secretary January 7, 2000 PRESS BRIEFING BY CHIEF OF STAFF JOHN PODESTA, SECRETARY OF COMMERCE BILL DALEY, JAMES MADISON UNIVERSITY PRESIDENT LINWOOD ROSE AND NATIONAL COORDINATOR FOR SECURITY, INFRASTRUCTURE PROTECTION AND COUNTER-TERRORISM DICK CLARKE 10:25 A.M. EST MR. LEAVY: Good morning, everybody. As you know, the President announced his cyber-security plan this morning, and to answer your questions and talk a little bit more about that with the Chief of Staff, John Podesta, Secretary of Commerce, Bill Daley, President Linwood Rose of James Madison University, and joining in the questions will be Dick Clarke, the President's counterterrorism czar. Mr. Podesta. MR. PODESTA: This is the first time I've appeared with a czar, so excuse me if I'm a little bit nervous. (Laughter.) The President made his announcement this morning, but I would just note at the outset that, again, this morning we had a continuing evidence of a robust economy. This year, we had, in calendar year 1999, we're looking at an unemployment for the year that's the lowest since 1969, the lowest Hispanic and African American unemployment rates on record. The economy continues to perform outstandingly. And part of the reason for that is that is the fact that we have a new economy, an economy that's built on information, technology information, infrastructure. It's really beginning to move into all aspects of our economy and the way we handle goods and services. And just as in the 1950s when we were building an economy based on a new transportation system, a new interstate highway system and we put guardrails on that transportation system, we're here today to talk about how we can better protect the information technology and infrastructure of the information technology economy -- not only for the government, but for the private sector, as well. And that's why I'm pleased to be joined by Secretary Daley and President Linwood Rose from James Madison; and, as Dave said, Dick Clarke will join us for questions. The President made the announcement this morning. We have made substantial boosts in the amount of money that the government is spending on this effort to protect our critical infrastructure, and this year's budget will be no exception. We are going to request a 17 percent increase in funding over the FY 2000 budget, and the proposed spending will be across the government. We will be seeking an increase of approximately $2 billion, from $1.7 billion, with increases in every agency and every sector. One of the greatest boosts, I think, will be -- and Secretary Daley will speak about this -- will be in the area of research and development. The R&D now represents 32 percent of our critical infrastructure protection. It's really important that we do that, that we produce, in partnership with the private sector and in partnership with the information technology companies who are at the forefront of this revolution, on new technologies that can be rapidly put into the information infrastructure to begin to provide the kinds of protections that we're here to talk about. So the overall increase in the R&D and R&E portion that we're going to speak to as part of the President's overall commitment to increases in research and development which, again, we'll lay out a future point as we talk about our budget. But with that, let me turn it over to Secretary Daley to talk about the report. SECRETARY DALEY: Thank you very much, John. As you said, no question, we have a new economy and we have an economy that is much more dependent, as we enter this next century, on information technologies. So our defending of this economy is most important to us, especially at a time of great economic boom that we're experiencing. One of the consequences of leading this e-world is that we, as I mentioned, are more dependent on information technologies in our country, and therefore we're more subject to new and different kinds of threats. It is true for our services as governments, and it is also true for the private sector, whether they are large companies or small companies. In our opinion, businesses risk going out of business if their computer networks are obviously disrupted for any great length of time. This is the first time in American history that we in the federal government, alone, cannot protect our infrastructure. We can't hire an army or a police force that's large enough to protect all of America's cell phones or pagers or computer networks -- not when 95 percent of these infrastructures are owned and operated by the private sector. We just spent, as we all know, about $100 billion as a nation, private sector and the public sector, in correcting the Y2K problem. If people had thought about this 25 years ago, we may not have had the situation where we would have had to spend so much. Y2K taught us many things. One is that we must be prepared. So the President and the Vice President asked us to develop a national plan to defend America's cyberspace. Twenty-two federal agencies have worked on this. It is the first attempt by any nation to do something like this. Today we have our first version. As you can see, it is designated version 1.0. (Laughter.) It focuses on what we in the federal government can do to protect our federal assets. But for this to be a true national plan, later versions must include, and will include, what the private sector, and also the state and local governments, can do. Last month, I met with industry leaders, and we are already in the process of building a true partnership with them. Cooperation, rather than new regulations, will bring more resources to the table, and we will therefore have the opportunity to produce results faster. That is the political reality, and in our opinion, one of the greatest challenges that government faces in this century is, how do we deliver services more effectively. In dealing with the private sector, we can learn a lot from them. By partnering and sharing information, we can improve our own efforts, and also work with them to make their systems, and ours, more secure. The end result is that we will all, therefore -- and our economy will be better off. The American people can read this report on our website by the end of today, on the White House's website, and also on the NSC website. And if any of you would like a copy for your own files, we'd be happy to supply them for you. And it's my pleasure at this point -- there are a number of universities who are looking and are forward-leaning. About eight universities are developing curriculums in cybersecurity. One of them is James Madison University, and it is a pleasure to introduce Lin Rose, the President of James Madison. MR. ROSE: Thank you. Good morning. As president of an institution that, several years ago, recognized the need for information security education, I'm particularly encouraged by today's news. As a nation, we do face a critical need for information assurance experts. Our economic growth has been fueled by our leadership in information technology, and we have become more dependent upon computing and electronic networks than any other country in the world. That distinction also makes us more vulnerable than any other country in the world. Our information systems, if not carefully protected, may be accessed by those whose intentions are much more serious than just mischief. Dependence upon electronic data systems is no longer unique to computing and telecommunications alone. Power generation, banking and finance, transportation, water supply and emergency services are all dependent upon information systems and are susceptible to disruption by hackers and criminals. To protect these systems, we must have more information assurance people -- people who have the talent and expertise to evaluate system vulnerabilities, who understand encryption methodologies to protect critical data, and who are able to design trusted systems and provide for intruder monitoring and detection. Higher education is the key to providing more of these professionals. Universities have begun to address this work force need, but if we are to accelerate the numbers of competent professionals at the rate that is required, federal support for faculty development and student assistance is essential. The standard academic mechanisms and processes are too slow to satisfy the current and projected demand in a reasonable amount of time. Without external stimulus and support, we will simply fail to protect our country's information infrastructure. Like most new professional programs, much of the activity and information security has been focused at the graduate level. For example, with the support and encouragement of Virginia Senators Warner and Robb, as well as Congressman Goodlatte, at James Madison University we now offer a master's degree in information security. That program, intended for working professionals, is the only degree program in the country provided to students via the Internet. Approximately one-half of the students are from government, while the remaining participants come from business and industry. Programs such as this one must be expanded. It is imperative, however, that we develop undergraduate programs that will prepare information security specialists. The cyber-service model advanced in the President's plan will provide incentives to attract students in greater numbers. The cyber-service will also attract the interest of colleges and universities who are wrestling with the numerous curricular opportunities available to them in technology-related fields. In short, this program, once fully implemented, will produce the desired results. Eight institutions, designated by the National Security Agency as centers of excellence in information security education, have been working with the administration over the last 18 months to examine methods for expanding informations security education. With the announcement of this plan, others will be certain to join in a national effort to advance and address this critical work force shortage. The consortium of these eight universities, along with the National Colloquium for Information Systems Security Education, which includes representatives from government, business and education, will continue to build the necessary curriculum, promote awareness of security issues, conduct research, establish competency standards and develop an information clearinghouse, as well as generally promoting the profession. The support provided through this plan will reinforce and enhance the effort. By empowering higher education to be part of the solution to the national information security problem, the President has set forth a plan that will provide the nation and its citizens with the assurance that our businesses, our government and our personal interests are secure and protected. Thank you. Q: Mr. Podesta, would you mind going over those figures again, as to what the President is asking for, and the increase that is, and what the breakdown is? MR. PODESTA: Dick, you want to join us? Q: Gene.Randall didn't get that. (Laughter.) MR. PODESTA: There is a 17 percent increase in funding in the proposed FY 2001 budget. Proposed spending across the government will increase to $2.0 billion, from -- the Congress appropriated last year $1.75 billion, based on a request from the administration of $1.77 billion. So they actually did -- we were successful in achieving most of what we requested in total dollar amounts. But we're asking now for a 17 percent increase in that amount to a total of approximately 2.03, I think is the accurate number. Do you want to give a little bit more on the breakdown, Dick? MR. CLARKE: Sure. We have these nice color charts to pass out; if you haven't already received them, we'll get them to you. As John said, it's a 17 percent increase that we're asking for in 2001 over the appropriated money from 2000. There was a similar request, similar increase last year. So the compounded effect of that over the last two years is considerable. The largest increase in the percentage basis is for research and development. The President, as he said, is proposing an institute for information infrastructure protection. This is a research organization that will work closely with the private sector. It's not a building, it's not a new bureaucracy, it's a funding mechanism so that the federal government can match private sector funds and plug the holes in the R&D requirements. R&D will rise the President's plan from $461 million last year to $621 million in the year 2001. Q: Secretary Daley, this cyber-security version of the G.I. Bill that the President talked about this morning, what would be the required service, postgraduate, and in what agencies would these people find employment? SECRETARY DALEY: I don't think we've worked out the details as to the length of service that would be required. We obviously want to work with the institutions and work with the federal agencies as to what sort of length of service they thought would be appropriate. Q: Are you talking about two years, three years, four years? It's four years in the G.I. Bill, isn't it? MR. CLARKE: Yes. The typical federal requirement is a year of service for every year -- a year of service for every year of scholarship. So if, for example, someone had a four-year undergraduate program at James Madison or somewhere else, we would expect them to do four years of service in the federal government, in any federal department that wanted them, helping that federal department to protect its own computer systems. So these are IT security managers that would help the federal government improve security on federal computers. Q: Do you know what the job designation would be, in terms of federal pay scale? MR. CLARKE: Well, one of the things that the Office of Personnel Management is looking at -- Q: For example, will they make more money than Mr. Leavy or -- (laughter.) MR. CLARKE: That's not hard. That's not hard. One of the things that OPM, the Office of Personnel Management, is looking at is whether or not we have to abandon the normal federal grades -- GS7, GS8, GS9. For example, if you graduate now with a bachelor's of science in computer information, typically you would become a GS7. Now, that's going to earn somewhere in the area of $28,000 to $30,000. That same person, with that same degree, can go out to the Dulles access road or Silicon Valley, and earn $90,000 to $120,000. So we have to look seriously, and OPM is going to look seriously, at adjusting the grade structure. So we might not use the normal federal grade structure to pay IT security workers. Q: What's the biggest threat that you're trying to guard against? Is it hackers and vandalism? Is it criminals? Or is it domestic or foreign terrorism? MR. CLARKE: I think it's all of the above. There's a spectrum, from the teenage hacker who sort of joy rides through cyberspace, up through industrial espionage, up through fraud and theft. And up at the far end of the spectrum, to another country using information warfare against our infrastructure. Q: Mr. Podesta, or Secretary Daley, is the catalyst for this the situation that happened with the White House computer last year, and several infiltration situations with some of the federal government computers last year, as well? MR. PODESTA: Well, I wouldn't describe that as the catalyst for this. I think we've been working on this for some time, and have -- as I think Dick noted, this has been going on in a kind of serious formulation as a policy for several years, and precedes the situation, which was resolved -- with the hacker at the White House -- with an arrest, that occurred last year. But I think that, obviously, every agency, every department of government, but every private sector institution that's relying on the information infrastructure. It's not just computers; it's the electric power grid, it's the other things that we learned so much about during our run-up to Y2K. The banking, financial industry -- increasingly every single sector of the economy is tied in, linked through e-commerce, through the use of computer technology, to this kind of critical infrastructure which has developed over the course of the '70s, '80s and '90s. And so I think that it's a high national security priority, to begin to protect all of the infrastructure, not just the federal government infrastructure. And that's why we're excited about having a partnership with the university community and the private sector. SECRETARY DALEY: Let me just add, what the White House experienced, I would imagine every agency in the government, we have experienced, from harmless, seemingly harmless invasions, to others that gave us great concern. So what happened here was replicated, I would assume, in every department. Q: A follow-up: how vulnerable are the systems right now? SECRETARY DALEY: Well, we believe they're much better. I speak for our agency, and obviously this program that we've put out with the 22 agencies, believe that our federal program right now in protecting our systems and our assets, is much better than obviously we were before we went through this process. Q: Secretary Daley, just to follow up on some of the questions here, can you give us -- what are some credible scenarios for the type of thing that you're trying to prevent here? We all know about the teenage hacker, or the cyber-vandal. But can you give us some scenarios for the more elaborate types of problems -- SECRETARY DALEY: Well, remember when there was that -- when was that lightning strike in Florida that hit the system, that basically knocked out -- MR. CLARKE: Two years ago. SECRETARY DALEY: Two years ago -- knocked out most of the East Coast, much of the grid along the East Coast. That was obviously an act of nature. No one, at that point, understood how everything was connected along the East Coast, and would be so affected for a couple of hours. And that, I think, woke up not only some of us in government, but surely affected the private sector's attitude about a better understanding of the interconnection and our involvement in trying to address this. It will not be solved, though, without partnership. Q: Okay, you mentioned foreign governments. And to what extent do foreign governments have the capability to engage in this kind of disruption? And are you looking at disruptions on the part of foreign governments to private sector operations, or just the government? MR. CLARKE: We are aware, now, over the course of the last two years, that several other nations have developed offensive information warfare units, organizations, tactics, doctrine and capability. Now, that doesn't mean they're going to use them. But it means that they're developing them, they're getting better all the time. And in a crisis, historically, nations have attacked each other's infrastructure. Nations have gone after, in warfare situations or crisis situations, electric power grids, telecommunications, transportation networks. So it's not inconceivable to have a scenario in the future in which a future opponent might think that they could attack our civilian, privately-owned infrastructure through computer attack. Q: Can you say which countries those are? Q: And do we have such an offensive capability ourselves? MR. CLARKE: You'd have to ask the Defense Department about that. And, no, we're not going to name names of other countries. Q: Why not? I mean, what's the big secret? Q: Why shouldn't you tell us? Q: The President kicked off this initiative almost two years ago. And I know that you had a May '99 deadline, or a self-set May '99 deadline for putting out this report. What's taking so long? And why isn't the physical protection included in this, because as you have just said, you can just as easily take down critical infrastructures with physical attacks. MR. CLARKE: We had a May 1999 self-imposed deadline. We decided not to meet that deadline; but, rather, to take the time to get it right; to take the time to do the sort of consultation that we have done with the Congress, and with the private sector. Secretary Daley mentioned that last month he met with 94 companies in New York as part of that consultative process. As John Podesta said, this is version 1.0. There are going to be other versions as the dialogue continues with the Congress and with the private sector. Q: It's my understanding as well that the NIAC hasn't stood up yet? You don't have a lead for that? Is that true? MR. CLARKE: The President has signed an executive order to create a National Infrastructure Advisory Committee, and we are in the process now of doing the personnel selection for that advisory committee. Q: Gentlemen, there is a real revolution in the way computers are being used now. Fifteen years ago, it was mainly a business application. Now, they're in all parts of the home, and the talk is, within a few years we're going to have IP appliances in people's homes. Shouldn't you be focusing more effort not just on the private sector but, in fact, on the general public? And why does part of this report still suggest that much of this information will be precluded from reaching the general public? MR. CLARKE: I don't think the report at all suggests that information is going to be denied to the general public. What we're looking at in terms of prioritizing our activities are the things which would have the greatest effect on the greatest number of people. And so, if there were a computer attack on a power grid, that would have a great effect on millions of people. It's certainly true that individual computers, your PC at home could be hacked, but chances are no one is going to do that. The real threat is to the larger infrastructures and not to an individual home. Q: John, if I could ask you another unrelated question. Republicans yesterday apparently proposed a package of smaller targeted tax cuts, including the marriage penalty. Is this the kind of tax cut the administration could work with the Republicans on, and do you guys have a position on the marriage penalty tax? MR. PODESTA: Well, I'd like to think that the Republican leadership spent some of the time since the break in November listening to their constituents, and have gotten on a program more similar to the President's which is to address the critical needs of the country -- Social Security, Medicare, education, and the other priorities, and come up with a tax cut that fits within an overall framework of fiscal discipline. They put out some numbers yesterday that were obviously much more consistent with what the President was talking about over the course of the last year than the risky tax scheme they put forward and was rejected by the President, vetoed by the President, and rejected by the American people. But I think we need to see the whole plan, and to try to -- hopefully we can find some consensus, work together, to do those critical priorities -- to address Social Security, to address Medicare, to make the important investments that we've talked about. And, as we have said, we think there's room within the overall context of the surplus to find some targeted tax cuts that will be aimed at the middle class, that will not be loaded up in favor of the wealthiest Americans, but that are spread and aimed at addressing critical priorities. With respect to the marriage penalty, I think we've said that within the context of tax relief, that we're open to discussions about tax relief in that area. But it's got to be part of an overall program that's fiscally disciplined, and that aims at our key priorities. And, obviously, we want to aim our tax cuts at the middle class, and the President's budget, which he will put forward in the next month or so, will aim to do that. Q: Dick, for those of us who still sort of cling to the old technology because it never gives you a fatal exception error, how much distance is it in bridging security between hacking a website and actually getting into the infrastructure and turning things off? MR. CLARKE: The same techniques that people use to find vulnerabilities or back-doors into websites can be used to hack your way into computer-controlled networks. Things like the power grid and railroads and whatnot, telecommunications, are computer-controlled networks. And many of the same principles of finding vulnerabilities and hacking your way into a website are applied in hacking your way into a computer-controlled network. Q: How much extra distance is there? MR. CLARKE: Not much. MR. LEAVY: I'm sorry, last question. Q: Oh, a question about the Fidnet portion that was very controversial with civil liberties groups. And how big is the Fidnet to this whole plan? Is it a central part, or a small piece? MR. CLARKE: We think the federal government has a positive obligation to protect the privacy information, and other information on federal government computer systems. Just as your files, the files about you in the IRS or elsewhere in the government, are in a file drawer with a lock on it, and there's a burglar alarm protecting that office in physical space, so we think there should be a burglar alarm and a lock on files the federal government has in cyberspace. The federal intrusion detection network that we propose is just that. It's a burglar alarm for federal files in cyberspace. It, in no way, will intrude onto private computer systems -- private sector computer systems. It's only a government protection system for government sites. It's designed to protect privacy and enhance privacy. END 10:50 A.M. EST (end transcript) (Distributed by the Office of International Information Programs, U.S. Department of State.)