Remarks Prepared for Delivery
by Robert T. Marsh
Chairman, President's Commission on Critical Infrastructure Protection
New York Federal Reserve
New York, New York
September 24, 1997
Thank you, George [George Juncker, Vice President of Bank Supervisors] and good afternoon, ladies and gentlemen. I am very happy to have the opportunity to participate in this important conference. It is reassuring to know that members of our nation's financial community are acutely aware of the challenges to the security of our telecommunications and information systems, and are actively moving to address them.
I know that you have been discussing security -- from overall network security to trends in Internet security -- at great length today. I'm going to spend the next few minutes talking about the nationwide security perspective, particularly the security and protection of our nation's critical infrastructures, including the banking and finance industry.
Let me first give you a brief introduction to the Commission and our mission, a review of some of our preliminary recommendations, and then several that relate directly to your community.
In our charter we were directed to consult "with elements of the public and private sectors... and the owners and operators of the critical infrastructures." In keeping with this, it is fitting for me to run some of our ideas by you and invite your reactions.
President Clinton established the Commission last July and charged us to recommend a national policy for protecting and assuring the nation's critical national infrastructures. For just over a year now, we have been working to identify and assess vulnerabilities and threats -- and then to develop a national strategy and an implementation plan.
Besides banking and finance, we have been studying and analyzing telecommunications, electric power, oil & gas delivery and storage, transportation, water, emergency services, and government services -- those life support systems that the President identified as critical because their incapacity or destruction would have a debilitating effect on our defense and/or economic security. Without electric power and telecommunications, for example, our military could not deploy, our banks could not operate, and our citizens could not enjoy their customary high quality of life.
Critical infrastructures have long been lucrative targets for anyone wanting to do harm to another country. For most of our history, the Atlantic and Pacific Oceans were all the infrastructure protection we needed. But during the Cold War, Soviet and US nuclear weapons were targeted against each other's power grids, road and rail networks, energy industries, and telecommunications systems. And in the Persian Gulf War, disabling Iraq's infrastructures was one of the keys to our success -- a lesson noted with interest by many countries in the world.
Clearly there is nothing new about infrastructures being targets. So why was the President motivated to create this Commission at this time?
It was the realization that
- our society was becoming vitally dependent on these infrastructures for its very well-being;
- the infrastructures themselves were becoming increasingly dependent upon information technologies for their functioning;
- they were becoming increasingly interconnected through advances in computers and telecommunications, most especially the Internet, and
- they were consequently becoming increasingly vulnerable to disruption by simple methods readily available to relatively unskilled persons intent on doing harm.
And there was mounting evidence of such danger in the growing number of malicious cyber incidents occurring throughout the nation with each passing day.
Vulnerabilities and Threats
The Commission was tasked to look at both physical and cyber threats to our nation's infrastructures. We have long understood the physical threat, but the fast pace of technology means we are always one step behind understanding the cyber threat. The Commission has focused on getting ahead of the cyber threat, facing tomorrow's challenges today, and avoiding situations that could cause serious problems in the future.
Our research indicates that the vulnerabilities of our infrastructures are increasing. And this vulnerability information is readily accessible. In fact, our data come almost entirely from open sources, much of it available on the Internet.
Our research has also led us to a new understanding of the threat. Neither the actor nor the intent is known, but we do know that the capability to do harm -- the skills and technology necessary -- is expansive, growing, and getting cheaper by the day. And there is no shortage of opportunity for those seeking to do harm. While once an attack on our nation's infrastructures had to overcome physical distance and physical borders, now an adversary can gain access to the heart of our infrastructures from anywhere instantaneously, and can use that instant access to do harm.
There is a whole new arsenal of "weapons of mass disruption" in the cyber world -- including viruses, "trojan horses," denial of service, and theft of proprietary data. These tools recognize neither borders nor jurisdictions. They can be used anywhere, anytime, by anyone with technology commonly found in an average college dorm room.
A few examples should illustrate the power of bad actors using new tools.
- Langley Air Force Base, just outside Washington DC, and several government and academic sites -- all of which prided themselves on their tight information security regimes -- were targets of a recent e-mail attack. A flood of e-mail messages originating in Australia and Estonia -- and routed through the White House computer system among others -- virtually shut down the Air Base's e-mail for hours until network administrators could construct programs which filtered out the "bad" e-mail messages.
- The 911 system in Miami suffered a similar "denial of service" attack when its phone lines were intentionally flooded with calls.
- And we have all heard of regional Internet service providers being "down" for several hours -- sometimes by deliberate actions to deny service -- a problem made ever more serious with the growing number of businesses and government services relying on the Internet for day-to-day business transactions.
Given this new geography -- in which information is power -- the Commission has concentrated on understanding what is needed to protect and assure our nation's critical infrastructures in the cyber age.
The Commission was uniquely tailored for this task. In recognition that the critical infrastructures are largely owned and operated by the private sector, the Commission is a joint public and private venture. Half the Commissioners are full-time career government senior executives, and half are senior representatives from the private sector who have agreed to serve one year as full-time government employees.
A Presidentially-appointed Advisory Committee of key industry leaders provides the unique perspective of owners and operators of the infrastructures as they assist and advise us. And a Steering Committee of senior government officials, including the Attorney General, helps us weave our way through the tangled web of governmental equities.
As part of our consultation efforts, we met with more than 5,500 individuals, corporations, associations, and government agencies around the country. We held five public meetings where we spoke with hundreds of people from industry, academia, science, technology, the military, and government.
Our goal all along has been to create a public-private partnership to protect our future. Government alone cannot address the problem. My aim here today is to further promote that partnership.
I would like to start by sharing with you a few of our core recommendations, those that cut across all the infrastructures, and then follow with a few that may be of particular interest to you in the banking sector. I hope you will be pleasantly surprised not to hear recommendations that call for more regulation or tighter laws.
Information Sharing / National Structures
One of our toughest problems -- across all infrastructures -- is the sharing of information. There is already a heavy volume of information passed by industry -- especially banks, as you well know -- to government as part of the regulatory process and in support of law enforcement.
But managing the new risks inherent in an information-based society requires a different type of information exchange within the industry and between industry and government. We do not mean more burdensome regulatory demands. We do mean a cooperative, collaborative environment in which business and government participate in a two-way exchange of information focused on protecting our infrastructures.
Managing these new risks calls for partnership at many different levels, from policy-making aimed at preventing a crisis through responding if such a crisis occurs. Our goal is not to supersede existing relationships you might have with law enforcement or other government agencies, but to establish the appropriate channels that best accommodate the cyber threat.
The Commission has some specific proposals to facilitate 1) identifying the information needed to best protect our infrastructure and 2) sharing -- while protecting -- that information. These recommendations lay the foundation for a "trusted environment" necessary for achieving the public-private partnership essential for protection into the next century.
At the policy-making level, we will recommend a very high level council comprised of senior CEOs from throughout the critical infrastructures, meeting regularly with selected Cabinet Officers. This National Infrastructure Assurance Council would propose policies and focus attention on infrastructure concerns. The purpose is to open the door of policy formulation to include the private sector infrastructure owners and operators -- those that are closest to the problem and best know the range of solutions.
At the operating level, our recommendations focus on enhancing industry and government's information exchange, including
Clearly, we strongly endorse a policy of reliance on the private sector for problem-solving, solutions, and technology. But we also see a need for government to create a strong focal point for infrastructure protection. Thus we are proposing a high-level advisory position to the President, along with a small staff to coordinate the federal government's infrastructure assurance program and support and interact with the National Council.
The sum of these efforts is to create flexible, reliable channels for information to flow between decentralized private industry and centralized government organizations. In essence, the federal lead agencies will be the "adapter plug" from government to industry -- to facilitate the flow of government information to the private sector -- and the Sector Infrastructure Assurance clearinghouses will be the "adapter plugs" in the opposite direction -- to facilitate the flow of private sector information to the government.
Research & Development
We found that research and development efforts by the federal government are inadequate to deal with emerging cyber threats. Only about $250 million per year is being spent on federal infrastructure-related R&D, of which 60 percent -- or $150 million -- is dedicated to information security. There is very little R&D effort on the types of real-time detection, identification, and response tools that the Commission believes are necessary. We concluded that market demand is currently insufficient to spur that which is required over the longer term. Consequently, we recommend a doubling of federal funding for R&D in this area to $500 million per year.
Education and Awareness
Key to the success of these initiatives is educating all the stakeholders about the emerging threats and vulnerabilities in the cyber dimension. The Commission's recommendations are aimed at all levels of education, from graduate programs to grammar school. The Commission will propose a three-pronged education initiative, which includes:
- Grants by the National Science Foundation aimed at educating a new generation of professionals in information security and infrastructure protection.
- A series of conferences sponsored by the White House designed to spur new curricula in computer ethics and intellectual property for elementary and secondary schools.
- Partnership between the Department of Education and industry to develop curricula and market demand for educated and ethical technicians and managers.
Banking and Finance Findings and Recommendations
Beyond those already mentioned, we have a number of recommendations ranging through the areas of law enforcement, education and awareness, assistance to state and local governments, and many unique to certain infrastructures. But in the interest of time, I will focus briefly on those of specific interest to banking and finance.
At the outset, I want to acknowledge that we found that due to both effective regulation and industry diligence, individual institutions within the U.S. banking and financial system are more advanced than those in other sectors in their use of sophisticated tools and procedures to safeguard their operations from theft, fraud, and cyber crime. We applaud your vigilance in these areas.
We all know that both the financial service industry and government require strong public confidence -- the industry in order to grow, and the government to sustain political viability. Each is central to the daily lives of virtually every American, and the degree of trust the public is willing to place in them depends directly on the reliability of the services provided. Infrastructure -- as the carrier of the communications and transactions which deliver those services -- is, therefore, critical to the performance of both.
But, as you well know, major trends of change -- globalization, industry restructuring, Internet banking, and cyber cash -- combine to create new risks. This is true within the financial services industry as well as the telecommunications and electric power industries upon which financial services heavily depend. These trends will result in new complexities and interdependencies, and hence new kinds of system-wide risks. These must be assessed carefully as you move forward.
The range of cyber threats for exploiting these vulnerabilities begins with the most likely but least consequential activities of hackers, and extends to the currently least likely but highest potential impact attack by a nation state or terrorist group. Current defenses against common hackers and criminals are quite good. However, it is the vulnerability to a possible coordinated attack on physical operations centers, or on the complex "system of systems" which enables this industry to function world-wide, that is of rising concern.
Some examples of specific actions to reduce these existing vulnerabilities include:
- Enhanced contingency planning throughout the financial system, including the use of strategic simulations to regularly test out such plans under a variety of circumstances.
- Geographic dispersion of such key industry utilities as clearing houses and depositories to mitigate the risk of physical attack.
- Availability of a government owned satellite-based communication system linking major money center banks with funds transfer and clearance centers for use in the event of catastrophic power or telecommunications outages.
- Continued improvement of internal controls and physical security measures.
- Establishment of a contingency data center for key industry messaging and data storage systems.
These recommendations represent the best-case solutions for maximum security at the national level. We acknowledge these might not pass muster as cost-beneficial investments at the individual institution level in the industry's risk management processes. At a minimum, therefore, we assume joint financing by government and industry. Some may even require full government funding if it is determined that the national security risks well exceed the reasonable business risk involved.
The Commission will recommend that government encourage and participate in the development of privately-established standards in those sectors where they are presently absent and, in those sectors where standards already exist, review them against national policy goals. The goal is voluntary standard-setting and adherence, not another big government mandate. The New York Federal Reserve's paper on "Sound Practices Guidance on Information Security" is exactly the type of effort that the Commission commends. This paper comprehensively defines the risks and problems you face and offers excellent advice on how to deal with them in ways that are both appropriate and effective.
Privacy Issues in the Employer-Employee Relationship
Throughout its year-long effort, the Commission has struggled to address the competing interests of security and privacy and the trade-offs between them. We have specifically studied the nexus of security and privacy in the employer-employee relationship. We will recommend that some of the tools that the federal government uses to perform background checks and issue security clearances be made available to employers within the critical infrastructures, at least in filling certain sensitive positions within those infrastructures. These would afford you the ability to inquire into and make use of criminal history information, employment histories, and credit history information. Amendments should also be made to federal polygraph law to include within the scope of current exemptions those who are in the business of providing information security services. These amendments would not make it mandatory that covered employers polygraph employees, but merely allow them to do so to the extent permitted under applicable state law.
Well, that was a quick trip through some of our activities. As you can see, we have been studying a wide range of issues and will have some fairly far-reaching and comprehensive conclusions. I hope this will add to your earlier discussions about the many dimensions of information security.
As a final note, this is the first time since I have been involved in government that I've seen the government actually trying seriously to get ahead of a problem before it becomes a crisis. We at the Commission know we are merely laying the foundation for long term efforts that will build upon our research and recommendations. But we know that we must take prudent steps now to protect and assure our nation's critical infrastructures.
This challenge requires a new way of thinking and creation of a new culture for both government and industry. Narrow point solutions are not the solution.
Again, thank you for inviting me to join you today.