Senate Judiciary Committee
Subcommittee on Technology, Terrorism and Government Information
John S. Tritak
Critical Infrastructure Assurance Office
Mr. Chairman, it is an honor to appear before you here today to talk with you about the National Plan for Information Systems Protection, Version 1.0. This Subcommittee has shown exceptional leadership on the matter of critical infrastructure assurance. I am grateful for the opportunity to discuss the Administration's efforts to achieve President Clinton's goal of establishing a full operational capability to defend the critical infrastructures of the United States by 2003 against deliberate attacks aimed at significantly disrupting the delivery of services vital to our nation's defense, economic security, and the health and safety of its people. This cannot be done without the support and participation of the Congress.
The Information Age has fundamentally altered the nature and extent of our dependency on these infrastructures. Increasingly, our Government, economy, and society are being connected into an ever expanding and interdependent digital nervous system of computers and information systems. With this interdependence come new vulnerabilities. One person with a computer, a modem, and a telephone line anywhere in the world can potentially break into sensitive Government files, shut down an airport's air traffic control system, or disrupt 911 services for an entire community.
The threats posed to our critical infrastructures by hackers, terrorists, criminal organizations and foreign Governments are real and growing. The need to assure delivery of critical services over our infrastructures is not only a concern for the national security and federal law enforcement communities, it is also a growing concern for the business community, since the security of information infrastructure is a vital element of E-commerce. Drawing on the full breadth of expertise of the federal government and the private sector is therefore essential to addressing this matter effectively.
The President has increased funding on critical infrastructure substantially during the past three years, including a 15% increase in the FY2001 budget proposal to $2.0 billion. He has also developed and funded new initiatives to defend the nation's computer systems from cyber attack.
In the 18 months since the President signed Presidential Decision Directive 63, we have made significant progress in protecting our critical infrastructures. In response to the President's call for a national plan to serve as a blueprint for establishing a critical infrastructure protection (CIP) capability, the National Plan for Information Systems Protection was released last month. It represents the first attempt by any national Government to design a way to protect those infrastructures essential to the delivery of electric power, oil and gas, communications, transportation services, banking and financial services, and vital human services. Increasingly, these infrastructures are being operated and controlled through the use of computers and computer networks.
The current version of the Plan focuses mainly on the domestic efforts being undertaken by the Federal Government to protect the Nation's critical cyber-based infrastructures. Later versions will focus on the efforts of the infrastructure owners and operators, as well as the risk management and broader business community. Subsequent versions will also reflect to a greater degree the interests and concerns expressed by Congress and the general public based on their feedback. That is why the Plan is designated Version 1.0 and subtitled An Invitation to a Dialogue -- to indicate that it is still a work in progress and that a broader range of perspectives must be taken into account if the Plan is truly to be "national" in scope and treatment.
II. The Plan: Overview and Highlights
The President directed the development of this Plan to chart the way toward the attainment of a national capability to defend our critical infrastructures by the end of 2003. To meet this ambitious goal, the Plan establishes 10 programs for achieving three broad objectives. They are:
Objective 1: Prepare and Prevent: Undertake those steps necessary to minimize the possibility of a significant and successful attack on our critical information networks, and build an infrastructure that remains effective in the face of such attacks.
Program 1 calls for the Government and the private sector to identify significant assets, interdependencies, and vulnerabilities of critical information networks from attack, and to develop and implement realistic programs to remedy the vulnerabilities, while continuously updating assessment and remediation efforts.
Objective 2: Detect and Respond: Develop the means required to identify and assess attacks in a timely way, contain such attacks, recover quickly from them, and reconstitute those systems
Program 2 will install multi-layered protection on sensitive computer systems, including advanced firewalls, intrusion detection monitors, anomalous behavior identifiers, enterprise-wide management systems, and malicious code scanners. To protect critical Federal systems, computer security operations centers will receive warnings from these detection devices, as well as Computer Emergency Response Teams (CERTs) and other means, in order to analyze the attacks, and assist sites in defeating attacks.
Program 3 will develop robust intelligence and law enforcement capabilities to protect critical information systems, consistent with the law. It will assist, transform, and strengthen U.S. law enforcement and intelligence Agencies to be able to deal with a new kind of threat and a new kind of criminal -- one that acts against computer networks.
Program 4 calls for a more effective nationwide system to share attack warnings and information in a timely manner. This includes improving information sharing within the Federal Government and encouraging private industry, as well as state and local Governments, to create Information Sharing and Analysis Centers (ISACs), which would share information among corporations and state and local Governments, and could receive warning information from the Federal Government. Program 4 additionally calls for removal of existing legal barriers to information sharing.
Program 5 will create capabilities for response, reconstitution, and recovery to limit an attack while it is underway and to build into corporate and Agency continuity and recovery plans the ability to deal with information attacks. The goal for Government and the recommendation for industry is that every critical information system have a recovery plan in place that includes provisions for rapidly employing additional defensive measures (e.g., more stringent firewall instructions), cutting off or shutting down parts of the network under certain predetermined circumstances (through enterprise-wide management systems), shifting minimal essential operations to "clean" systems, and quickly reconstituting affected systems.
Objective 3: Build Strong Foundations: Take all actions necessary to create and support the Nation's commitment to Prepare and Prevent and to Detect and Respond to attacks on our critical
Program 6 will systematically establish research requirements and priorities needed to implement the Plan, ensure funding, and create a system to ensure that our information security technology stays abreast with changes in the threat environment.
Program 7 will survey the numbers of people and the skills required for information security specialists within the Federal Government and the private sector, and take action to train current Federal IT workers and recruit and educate additional personnel to meet shortfalls.
Program 8 will explain publicly the need to act now, before a catastrophic event, to improve our ability to defend against deliberate cyber-based attacks.
Program 9 will develop the legislative framework necessary to support initiatives proposed in other programs. This action requires intense cooperation within the Federal Government, including Congress, and between the Government and private industry.
Program 10 builds mechanisms to highlight and address privacy issues in the development of each and every program. Infrastructure assurance goals must be accomplished in a manner that maintains, and even strengthens, Americans' privacy and civil liberties. The Plan outlines nine specific solutions, which include consulting with various communities; focusing on and highlighting the impact of programs on personal information; committing to fair information practices and other solutions developed by various working groups in multiple industries; and working closely with Congress to ensure that each program meets standards established in existing Congressional
I would like to highlight a few of the programs in the remainder of my testimony. In these programs, the Administration seeks to accomplish two broad aims of the Plan - the establishment of the U.S. Government as a model of infrastructure protection, and the development of a public-private partnership to defend our national infrastructures.
A. The Federal Government as a Model of Information Security
We often say that more than 90% of our critical infrastructures are neither owned nor operated by the Federal Government. Partnerships with the private sector and state and local governments are therefore not just needed, but are the fundamental aspect of critical infrastructure protection. Yet, the President rightly challenged the Federal Government in PDD-63 to serve as a model for critical infrastructure protection - to put our own house in order first. Given the complexity of this issue, we need to take advantage of the breadth of expertise within the Federal Government to ensure that we enlist those Agencies with special capabilities and relationships with private industry to the fullest measure in pursuit of our common goal.
To this end, the President has developed and provided full or pilot funding for the following key initiatives designed to protect the federal Government's computer systems:
Security Requirements and Government Infrastructure Dependencies.
One component of this effort supports aggressive, Government-wide implementation of federal computer security requirements and analysis of vulnerabilities. Thus, in support of the release of the National Plan, the President announced his intent to create a permanent Expert Review Team (ERT) at the Department of Commerce's National Institute of Standards and Technology (NIST). The ERT will be responsible for helping Agencies identify vulnerabilities, plan secure systems, and implement Critical Infrastructure Protection Plans. Pursuant to existing Congressional authorities and administrative requirements, the Director of the team would consult with the Office of Management and Budget and the National Security Council on the team's plan to protect and enhance computer security for Federal Agencies. The President's Budget for FY2001 will propose $5 million for the ERT.
Under PDD-63, the President directed the CIAO to coordinate analyses of the U.S. Government's own dependencies on critical infrastructures. Many of the critical infrastructures that support our nation's defense and security are shared by a number of Agencies. Even within Government, critical infrastructure outages may cascade and unduly impair delivery of critical services. The CIAO is coordinating an interagency effort to develop a more sophisticated identification of critical nodes and systems, and to understand their impact on national security, national economic security, and public health and safety Government-wide. These efforts support the work of the ERT in identifying vulnerabilities of the Government's information infrastructures, and provide valuable input to Agencies for planning secure computer systems and implementing computer security plans. This research, when complete, will permit the Federal Government to identify and redress its most significant critical infrastructure vulnerabilities first, and provide the necessary framework for well informed critical infrastructure protection policy making and
Federal Intrusion Detection Network (FIDNet).
PDD-63 marshals Federal Government resources to improve interagency cooperation in detecting and responding to significant computer intrusions into civilian Government critical infrastructure nodes. The program - much like a centralized burglar alarm system - would operate within long-standing, well-established legal requirements and Government policies covering privacy and civil liberties. FIDNet is intended to protect information on critical, civilian Government computer systems, including that provided by private citizens. It will not monitor or be wired into private sector computers. All aspects of the FIDNet will be fully consistent with all laws protecting the civil liberties and privacy rights of Americans.
To support this effort, the Administration will propose funding in the President's FY2001 Budget ($10 million) to create a centralized intrusion detection and response capability at the General Services Administration (GSA). This capability will function in concert with GSA's Federal Computer Incident Response Capability, and assist Federal Agencies to:
detect and analyze computer attacks and unauthorized intrusions;
share attack warnings and related information across Agencies; and
respond to attacks in accordance with existing procedures and mechanisms.
FIDNet is intended to promote confidence in users of Federal civilian computer systems. It is important to recognize that FIDNet has a graduated system for response and reporting: attack and intrusion information would be gathered and analyzed by home-Agency experts. Only data on system anomalies would be forwarded to GSA for further analysis. Thus, intrusion detection would not become a pass-through for all information to the Federal Bureau of Investigation or other law enforcement entities. Law enforcement would receive information about computer attacks and intrusions only under long-standing legal rules - no new authorities are implied or envisioned by the FIDNet program.
One additional benefit of Government-wide intrusion detection is to improve computer intrusion reporting and the sharing of incident information consistent with existing government computer security policy. Various authorities require Agencies to report criminal intrusions to appropriate law enforcement personnel, which include the National Infrastructure Protection Center. FIDNet will support law enforcement's responsibilities where cyber-attacks are of a criminal nature or threaten national security.
In short, FIDNet will:
be run by the GSA, not the FBI;
not monitor any private network traffic;
confer no new authorities on any Government Agency; and
be fully consistent with privacy law and practice.
Federal Cyber Services (FCS).
One of the nation's strategic shortcomings in protecting our critical infrastructures is a shortage of skilled information technology (IT) personnel. Within IT, the shortage of information systems security personnel is acute. The Federal Government's shortfall of skilled information systems security personnel amounts to a crisis. This shortfall reflects a scarcity of university graduate and undergraduate information security programs and the inability of the Government to provide the salary and benefit packages necessary to compete with the private sector for these highly skilled workers. In attacking this problem through the Federal Cyber Services initiative described below, we are leveraging the initial efforts made by the Defense Department, National Security Agency, and some other Federal Agencies. The President's Budget for FY2001 will propose $25 million for this effort.
The Federal Cyber Services training and education initiative, highlighted by the President at the Plan's release, introduces five programs to help solve the Federal IT security personnel problem:
A study by the Office of Personnel Management to identify and develop competencies for federal information technology (IT) security positions, and the associated training and certification requirements.
Development of Centers of IT Excellence to establish competencies and certify current Federal IT workers and maintain their information security skill levels throughout their careers.
Creation of a Scholarship for Service (SFS) program to recruit and educate the next generation of Federal IT managers by awarding scholarships for the study of information security, in return for a commitment to work for a specified time for the Federal Government. This program will also support the development of information security
Development of a high school outreach and awareness program that will provide a curriculum for computer security awareness classes and encourage careers in IT fields.
Development and implementation of a Federal Information Security awareness curriculum aimed at ensuring computer security literacy throughout the entire Federal workforce.
Research and Development.
A key component to our ability to protect our critical infrastructures now and in the future is a robust research and development plan. As part of the structure established by PDD-63, the interagency Critical Infrastructure Coordination Group (CICG) created a process to identify technology requirements in support of the Plan. Chaired by the Office of Science and Technology Policy (OSTP), the Research and Development Sub-Group works with Agencies and the private sector to:
reach agreement on requirements and priorities for information security research and development;
coordinate among Federal Departments and Agencies to ensure the requirements are met within departmental research budgets and to prevent waste or duplication among departmental efforts;
coordinate with private sector and academic researchers to prevent Federally funded R&D from duplicating prior, ongoing, or planned programs in the private sector or academia; and
identify areas where market forces are not creating sufficient or adequate research efforts in information security technology.
That process, begun in 1998, has helped focus efforts on coordinated cross-government critical infrastructure protection research. Among the priorities identified by the process are:
to support large-scale networks of intrusion detection monitors;
intelligence and other methods to identify malicious code (trap doors) in operating system code;
to contain, stop, or eject intruders, and to mitigate damage or restore information-processing services in the event of an attack;
to increase network reliability, system survivability, and the robustness of critical infrastructure components and systems, as well as the critical infrastructures themselves; and
to model infrastructure responses to attacks or failures; identify interdependencies and their implications; and locate key vulnerable nodes, components, or systems.
The President's Budget for FY2001 will propose $606 million across all Agencies for critical infrastructure related R&D investment.
The need exists, however, to coordinate R&D efforts not just across the federal Government, but between the public and private sectors as well. A fundamentally important initiative that has the ability to pull disparate pieces of the national R&D community into closer relationships is the Institute for Information Infrastructure Protection (I3P), an organization created to identify and fund research and technology development to protect America's cyberspace from attack or other failures. I will discuss this in detail when I address Public-Private Partnership issues.
Public Key Infrastructure.
Protecting critical infrastructures in the Federal Government and private sectors requires development of an interoperable public key infrastructure (PKI). A PKI enables data integrity, user identification and authentication, user non-repudiation, and data confidentiality through public key cryptography by distributing digital certificates (essentially electronic credentials) containing public keys, in a secure, scalable, and reliable manner. The potential of PKI has inspired numerous projects and pilots throughout the Federal Government and private sectors. The Federal Government has actively promoted the development of PKI technology and has developed a strategy to integrate these efforts into a fully functional Federal PKI. The President's Budget for FY2001 will propose $7 million to ensure development of an interoperable Federal PKI.
To achieve the goal of an integrated Federal PKI, and protect our critical infrastructures, the Federal Government is working with industry to implement the following program of activities:
Integrating Agency-wide PKIs into a Federal PKI: DoD, NASA, and other Government Agencies are actively implementing Agency-wide PKIs to protect their internal critical infrastructures. While a positive step, these isolated PKIs do not protect infrastructures that cross Agency boundaries. Full protection requires an integrated, fully functional
Integrating the Federal PKI with Private Sector PKIs: Private sector groups are actively developing their own PKIs as well. While a positive step, these isolated PKIs do not protect infrastructures that cross Government or industry sector boundaries.
Encouraging development of interoperable Commercial Off-the-Shelf (COTS) PKI Products: Limitation to a single vendor's solution can be a serious impediment, as most organizations have a heterogeneous computing environment. Consumers must be able to choose COTS PKI components that suit their needs.
Ensuring the Security of Critical PKI Components: Protecting critical infrastructures requires sound implementation. The strength of the security services provided to the critical infrastructures depends upon the security of the PKI components. Validation of the security of PKI components is needed to ensure that critical infrastructures are adequately protected. NIST is pursuing a validation program for PKI components.
Development of PKI-Aware Applications: To encourage development of PKI-aware applications, the Government is working with vendors in key application areas. One example is the secure electronic mail projects that have been performed jointly
The security of information flowing over the information highway is a critical element of E-commerce, as well as to our national security. It is a necessary part of building trust in the accuracy and integrity of transactions made over the information infrastructure. There is a growing awareness that America's information infrastructure - the basis of E-Commerce - is becoming an increasingly attractive target for deliberate attack or sabotage. A strategy of cooperation and partnership between the private sector and the U.S. Government to protect the Nation's infrastructure is the linchpin of this effort. The President is committed to building partnerships with the private sector to protect our computer networks through the following
Institute for Information Infrastructure Protection (I3P).
The Institute would identify and address serious R&D gaps that neither the private sector nor the Government's national security community would otherwise address, but that are necessary to ensure the robust, reliable operation of the national information infrastructure. The President announced he would propose initial funding of $50 million for the Institute in his FY2001 Budget. Funding would be provided through the Commerce Department's National Institute of Standards and Technology (NIST) to this organization. The Institute was first proposed by the scientists and corporate officials who served on the President's Committee of Advisors on Science and Technology, and supported by leading corporate Chief Technology Officers. The Institute will work directly with private sector information technology suppliers and consumers to define research priorities and engage the country's finest technical experts to address the priorities identified. Research work will be performed at existing institutions including private corporations, universities, and non-profit research institutes. The Institute will also make provisions to accept private sector support for some research
Partnership for Critical Infrastructure Security.
Last December, Commerce Secretary Daley met with senior representatives from over 90 major corporations, most Fortune 500, representing owners and operators of critical infrastructures, their suppliers, and their customers, to discuss building a Partnership for Critical Infrastructure Security. Industry has taken the lead on this effort, and organized a meeting at the U.S. Chamber of Commerce for later this month to give substance and purpose to the Partnership.
The Partnership will explore ways in which industry and Government can work together to address the risks to the nation's critical infrastructures. Federal Lead Agencies are currently building partnerships with individual infrastructure sectors in private industry, including communications, banking and finance, transportation, and energy. The Partnership will serve as a forum in which to draw these individual efforts together to facilitate a dialogue on cross-sector interdependencies, explore common approaches and experiences, and engage other key professional and business communities that have an interest in infrastructure assurance. By doing so, the Partnership hopes to raise awareness and understanding of, and to serve, when appropriate, as a catalyst for action among, the owners and operators of critical infrastructures, the risk management and investment communities, other members of the business community, and state and local Governments.
National Infrastructure Assurance Council (NIAC).
President Clinton established the NIAC by Executive Order 13130 on July 14, 1999. When fully constituted, it will consist of up to 30 leaders in industry, academia, the privacy community, and state and local Government. The NIAC will provide advice and counsel to the President on a range of policy matters relating to critical infrastructure assurance, including the enhancement of public-private partnerships, generally.
In conclusion, the National Plan is an important step forward. My staff and I are committed to building on this promising beginning, coordinating the Government's efforts into an integrated program for critical infrastructure protection in support of the National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism, and the Federal Government, generally. We have much work left to do, and I hope to work with the members of this committee, indeed with the Congress as a whole, as we wrestle with this developing field. I look forward to your questions.