Honorable John T. Spotila
Administrator, Office of Information
and Regulatory Affairs
Office of Management and Budget
Subcommittee on Government
Information, and Technology
July 26, 2000
Cyber Attacks - War without Borders
Good morning, Mr. Chairman and Members
of the Committee. Thank you for inviting me here to discuss Administration
efforts in the areas of computer security and associated critical infrastructure
protection. We know that our government and our nation rely increasingly
on computer systems to support nearly every critical governmental and
business function. Government and industry are now more interconnected
than ever, operating in a shared risk environment, with our interdependence
growing daily. The integrity and availability of our systems and, where
appropriate, the confidentiality and privacy of information in those systems
are today more important than ever.
The President has given high priority
to cyber security and the protection of our nation's critical information
assets. He understands the growing risks that our nation faces from cyber
threats. In May 1998, after reviewing the report of his Commission on
Critical Infrastructure Protection, he issued Presidential Decision Directive
63, on "Critical Infrastructure Protection."
This Directive provided a framework
for government action. It pointed out that interconnected computer systems
are necessary for the provision of essential national services. It recognized
that a potential future attack against the United States might take the
form of a cyber attack against our critical computer systems. It acknowledged
that government and industry face essentially the same risk in this area
and must work in close partnership to mitigate that risk. Indeed, as today's
hearing also recognizes, it took into account that this risk is shared
The Directive also called on all
Executive branch agencies to assess the vulnerabilities to their systems
and the nation's critical infrastructures -- communications, energy, banking
and finance, transportation, emergency services, and public health. It
placed special emphasis on protection of the government's own critical
assets and establishing the government as a model for information security.
This is where OMB's primary role lies and where we have been concentrating
To implement the Directive, the
President appointed Richard Clarke of the National Security Council as
the nation's first National Coordinator for Security, Infrastructure Protection,
and Counter-Terrorism. Later, the National Security Advisor announced
the appointment of Jeffrey Hunker as Senior Director for Critical Infrastructure
Protection, in the Office of Transnational Threats. Both have worked tirelessly
to increase national awareness of the scope of the problems in this area,
working closely with OMB to help formulate sound approaches to addressing
The Directive called for the development
of a detailed National Plan for Information Systems protection, so that
we could better defend against cyber disruptions. It also established
a Critical Infrastructure Assurance Office (CIAO) at the Department of
Commerce to coordinate government interaction with industry, develop the
national plan, and assist federal agencies in identifying and prioritizing
their own critical assets.
The Directive also established at
the FBI the National Infrastructure Protection Center (NIPC) as a national
focal point for gathering information on threats to the nation's critical
infrastructures. The NIPC's Director, Michael Vatis is also testifying
before you today.
In January of this year, the President
announced the issuance of version one of the National Plan for Information
Systems Protection. He pointed out that the Plan was the first major element
of a more comprehensive effort and that it would evolve and be updated
as we increase our knowledge of our vulnerabilities and of emerging threats.
The plan called for a number of government-wide and agency-specific security
initiatives, as well as increased cooperation with industry and others
in the private sector. In this last regard, we note that CIAO under the
leadership of its Director, John Tritak, has worked with industry to build
the Partnership for Critical Infrastructure Security, now comprising more
than 130 representatives from major U.S. corporations. The Partnership
is meeting this week in San Francisco.
In February of this year, in the
wake of a series of distributed denial of service attacks against a number
of major electronic commerce websites, the President held a Cyber Security
Summit with key information technology leaders. At this summit, which
I attended, the private sector leaders emphasized their desire to participate
in partnerships with the government and with one another to facilitate
the sharing of information on cyber attacks and common vulnerabilities.
The President's Chief of Staff,
John Podesta, has been personally engaged in these security issues. He
has directed the agencies to take specific actions to improve security
and to report to him on the status of the security posture of their websites.
Just last week, he delivered a major speech outlining the Administration's
position on cyber crime legislative reforms designed to upgrade 21st
Century law enforcement capabilities and also enhance privacy and civil
liberties in cyber space.
The President's FY 2001 budget proposed
approximately $2.0 billion for agency critical infrastructure protection
and computer security programs out of a total information technology budget
of about $40 billion. This security total is a 15% increase over the FY
2000 enacted total of $1.8 billion. It includes funding to help detect
computer attacks, coordinate research on security technology, hire and
train more security experts, and create an internal expert review team
for non-defense agencies. These initiatives are vitally important.
Regrettably, many of our requests
for security funds face an uncertain future in the appropriations process.
It has been particularly difficult to gain support for cross-cutting initiatives,
despite their importance to our computer security efforts. We should be
more open to innovative approaches in this area and look for opportunities
for synergy and interagency cooperation.
Several important cross-cutting
government initiatives are at risk in the appropriations process, but
can still be salvaged:
Department of Commerce
$5 million at the National Institute
for Standards and Technology (NIST) to establish an expert security
review team to help agencies review their systems and programs, identify
unacceptable risks, and assist in mitigating them. This program would
operate in the context of NIST's statutory responsibilities under
the Computer Security Act of 1987 and Clinger-Cohen Act of 1996 to
issue security guidance to the agencies.
$50 million to create the Institute
for Information Infrastructure Protection at NIST. The Institute would
work collaboratively with industry and academia to fill research and
development gaps for key security technologies. Industry often has
no incentive to invest in long-term research and development without
a clear market need. Research would be performed at private corporations,
universities, and non-profit research institutes.
General Services Administration
$5.4 million to maintain the
Federal Computer Incident Response Capability (FedCIRC), the central
government non-law enforcement focal point for responding to attacks,
promoting incident reporting, and cross-agency sharing of data about
common vulnerabilities. A portion of this funding will also continue
government support of Carnegie-Mellon University's highly acclaimed
Computer Emergency Response Team (CERT).
$10 million for next generation
intrusion detection. This funding would be used to establish the Federal
Intrusion Detection Network (FIDNet) which would complement FedCIRC
by standardizing ongoing agency computer intrusion detection activities,
automating many of the cumbersome manual processes now employed, and
providing a centralized expert analytic capability that does not exist
at most agencies.
Department of Treasury
$7 million at Treasury to complete
the development of an interoperable government-wide infrastructure
to permit authenticated electronic transactions and thus promote the
electronic delivery of services to the public. In our traditional,
paper-based world, government, industry, and the public rely on trusted
and verifiable relationships, photo IDs, notarized signatures, and
face-to-face contact to authenticate one another's identity prior
to conducting business. We need a similar authentication capability
in our new electronic world. This funding would translate paper-based
relationships into similar trusted and verifiable electronic relationships.
Office of Personnel Management and
the National Science Foundation
$7 million at the Office of
Personnel Management and $11.2 million at the National Science Foundation
for Federal Cyber Services/Scholarships for Service. The Scholarship
for Service effort will help develop the next generation of Federal
information technology managers by awarding scholarships for the study
of information assurance and computer security in exchange for Federal
OMB's Role in Government Computer
In February, OMB Director Jacob
Lew issued important guidance to the agencies on incorporating security
and privacy requirements in each of their FY 2002 information technology
budget submissions. In the future, when requesting approval for information
technology funds, agencies must demonstrate how they have built adequate
security and privacy controls into the life-cycle maintenance and technical
architectures of each of their systems. Without an adequate showing, the
systems will not be funded.
Let me use this point to illustrate
OMB's role in computer security and put it in the context of today's hearing.
While OMB does have a broad, government-wide role in formulating the President's
budget, promoting the effective agency use of agency resources, and promoting
sound agency management practices, including oversight of the use of agency
information resources, our specific role for security is limited to policy
development and oversight for unclassified government information and
computer systems. We have no direct role in law enforcement or international
affairs. While we maintain a close relationship with operational agencies,
we have no operational responsibilities ourselves.
We are very much committed to the
protection of Federal computer systems. We recognize that security, or
information assurance as it is sometimes called, consists of a number
of separate components:
assuring that information will be kept secret, with access limited
to appropriate persons for authorized purposes;
Integrity -- assuring
that information is not accidentally or maliciously altered or
destroyed, that systems are resistant to tampering, and that they
operate as intended;
Availability -- assuring
that information and systems will be ready for use when needed;
Reliability -- assuring
that systems will perform consistently and at an acceptable level
of quality; and
assuring that users of systems and parties to transactions are
verified and known so that the sender knows that data has been
delivered and the recipient knows the sender's identity. With
authentication comes nonrepudiation, since neither party can later
deny having sent or received the data.
The Legal Framework
Congress has provided a sound legal
framework for the Executive branch to address computer security needs.
OMB has built on this statutory framework. Relying on our general authority,
we issued our first computer security policy in 1978. That policy defined
a minimum set of controls for the security of Federal automated information
systems tailored to the processing environment of its time -- a centralized
environment running mostly custom-developed application software. In 1985,
we updated that guidance as part of new, comprehensive guidance on information
resources management, OMB Circular A-130. Appendix III of A-130, "Security
of Federal Automated Information Systems," began to address the security
vulnerabilities introduced by remote processing -- which at that time
occurred largely through dial-up communications.
Today's computing environment is
significantly different. It is characterized by open, widely distributed
processing systems using commercial off-the-shelf software. While effective
use of information technology often reduces risks to Federal programs
(for example, reduced risks from fraud or errors), the risk to and vulnerability
of Federal information resources has increased. Greater risks result from
increasing quantities of valuable information being committed to Federal
systems, and from agencies being critically dependent on those systems
to perform their missions. Greater vulnerabilities exist because so many
Federal employees have access to Federal systems, and because these systems
now interconnect with outside systems and the Internet.
Two years after the issuance of
Appendix III to Circular A-130, Congress enacted the Computer Security
Act of 1987 (P.L. 100-235) requiring agencies to improve the security
and privacy of Federal computer systems, plan for the security of sensitive
systems, and provide mandatory awareness and training in security for
all individuals with access to computer systems. The Computer Security
Act established the National Institute for Standards and Technology (NIST)
as having the lead in setting standards for the security of unclassified
Federal information technology.
The Paperwork Reduction Act (PRA)
of 1995, P.L. 104-13, then established a comprehensive information resources
management framework which subsumed preexisting agency and OMB responsibilities
under the Computer Security Act. It recognized our transition to an increasingly
internetworked information environment, and the security and privacy challenges
which go along with that transition.
OMB revised Appendix III to Circular
A-130 in February 1996 to address specifically the computer security mandate
of the 1995 PRA. The revised Appendix updated policies and set responsibilities
for the security of Federal information systems including the confidentiality,
availability, and integrity of information and systems.
Overall, OMB Circular A-130 sets
forth government-wide polices for a wide variety of information and information
resource management issues. The body of the Circular addresses agency
management of information and information systems including capital planning
issued Appendix II defines policy for information architectures and implementation
of the Government Paperwork Elimination Act. Appendix III sets security
policy. In Appendix II -- our guidance on the Government Paperwork Elimination
Act -- we address the authentication and nonrepudiation elements of security
Appendix III implements another
Computer Security Act requirement by directing the Department of Commerce
(through NIST) to issue appropriate security standards and guidance, update
security training guidelines, provide guidance for security planning,
provide guidance and assistance to Federal agencies on appropriate security
when interconnecting with other systems, coordinate agency incident response
activities, evaluate new technologies, and apprise Federal agencies of
their security vulnerabilities.
Importantly, Appendix III also requires
Federal agencies to adopt a minimum set of risk-based management controls.
Four controls are described: assigning responsibility for security; security
planning; periodic review of security controls; and management authorization.
These controls are intentionally not technology dependent. Instead, they
focus on the management controls agencies need to assure adequate security
of the information technology now in the hands of millions of Federal
users. Technical and operational controls should support these management
More recently, the Information Technology
Management Reform Act of 1996 P.L. 104-106 Div. E (Clinger-Cohen Act)
linked OMB and agency computer security responsibilities firmly to agency
information resources management, capital planning, and budget processes.
It established agency Chief Information Officers who report to agency
heads as the responsible focal point for agency information resources
management, including security. Agency CIOs are responsible for oversight
of the security policies and practices embodied in the Computer Security
Act, the Paperwork Reduction Act of 1995, and OMB Circular No. A-130.
These responsibilities include the need for explicit consideration of
security requirements in the development of agency information technology
architectures and the need to ensure appropriate levels of security awareness
The Clinger-Cohen Act tied agency
information resource management responsibilities, including security,
to the capital planning and budgetary oversight process the agency engages
in with OMB. When OMB reviews information technology investment plans
generally, or when it examines specific major information systems, it
evaluates agency security planning and practices. This reflects the influence
Lastly, Clinger-Cohen recodified
and highlighted Commerce's computer security responsibilities, particularly
in the area of standards and guidelines. The Act underscored the requirement
for agencies to ensure that their security planning was consistent with
the standards and guidelines developed by NIST. NIST issued comprehensive
security planning guidance in December 1998.
In 1998, the Government Paperwork
Elimination Act (the Paperwork Elimination Act) addressed OMB and agency
responsibilities for conducting business in an electronic environment.
It required that agencies provide for the optional use and acceptance
of electronic documents and signatures, and introduce electronic record
keeping when practicable. It provided that electronic records and their
related electronic signatures must not be denied legal effect, validity,
or enforceability merely because they are in electronic form. It also
contemplated Federal acceptance of a range of electronic signature alternatives.
By October 21, 2003, agencies must have electronic filing and electronic
signature capabilities in place. OMB published its guidance on implementing
the Act in the Federal Register on May 2nd 2000. The guidance describes
the methods agencies can use to provide for the authentication of digital
Are current policies effective?
In reviewing our recent efforts
in the area of computer security, OMB has taken a close look at the effectiveness
of our current policies. In general, we believe that our policies and
guidance for unclassified applications are adequate, although some updating
and additional detail would be helpful. We plan to provide additional
detail in our upcoming revision to these policies. Indeed, reports from
GAO, including its assessment of security practices of leading private
sector organizations, show that OMB policies and NIST guidance are properly
focused on a risk-based, cost effective approach and reflect the right
balance between strong security and mission needs.
As discussed earlier, OMB Circular
A-130 establishes an overall framework for government information and
information resource management. We must integrate security within this
framework to ensure that it remains cost-effective, forms an integral
part of agency business processes, enables rather than impedes agency
missions, and operates effectively over time.
How can we ensure effective policies?
We recognize that security measures
must function effectively in the real world of agency missions and business
operations. To accomplish this, we focus on a number of key principles:
We should consider widely diverse
views and attempt to accommodate unique agency needs. Agency information
management practices often affect the public, industry, and state
and local governments. In considering new approaches to security we
need an open and transparent process that encourages and makes good
use of public comment.
Although the views of the general
security and national security community are essential in developing
sound security policy, they are not the only ones we should consider.
Agency CIOs, program officials, and others also have important perspectives
and their views are essential in the policy development process.
Ultimately, the responsibility
for security of systems and programs should lie with each agency and
with the specific program officials in each agency. Unless we develop
policy that fits within that context, security will become an afterthought.
Compliance always improves when
we build security into our systems and work processes in close coordination
with the program officials that are closest to the affected operations.
Funding and managing security
apart from a program encourages program officials, system owners and
users to ignore it. Separation sends a signal to them that security
is not their job. If program officials and users do not take responsibility
for security, then security officers and others must do so, often
by employing resource intensive compliance inspections. This approach
carries risk since the only time one knows the level of compliance
is during or immediately following an inspection.
Good design and good planning are
the keys to successful security. They are the keys to successful security.
For good design, security must be compatible with and enable -- not unnecessarily
impede -- system performance, business operations, and the mission. When
security unnecessarily slows the system or hinders the mission, users
often work around it or ignore it completely. To work effectively, security
must be part of the system architecture, built-in so that users will "buy-in."
Good planning requires that we fund
security and privacy as part of the life-cycle costs for each system.
To identify true system costs and adequately plan for future system or
program operations, we must account for all of the resources necessary
to operate the systems, including security. Indeed, attempting to fund
security independent of the program or system within which it lives makes
it far more difficult to build a business case for the security component.
If it isn't tied to the mission, how can one demonstrate security's support
of the mission?
Our approach provides maximum flexibility
for agencies so that they can make appropriate, informed choices in applying
necessary security controls that are consistent with their unique circumstances.
It minimizes conflicts that could easily arise from any centralized approach
to widely diverse agencies with a broad range of varied and shifting requirements.
How can we improve compliance?
As GAO, our agency Inspectors General,
our own program reviews, and industry and private security experts all
agree, most security problems come not from a lack of policy, but rather
from ineffective or incomplete implementation of existing policies and
guidance. We are very much aware of this risk in the Federal context.
In government, ineffective implementation can arise from inadequate resources,
lack of management attention, and inadequate employee training. In the
past few years, a great deal of agency management attention focused on
Y2K remediation, drawing on agency resources and delaying full implementation
of the Clinger-Cohen approach. There is much more to be done before we
reach full implementation of our existing security guidance.
We believe agencies must meet the
following three goals to ensure successful security policy implementation:
They must achieve consensus
and get user buy-in when initially setting policy so that the product
will be better.
They must tie security to their
capital planning and investment control process and to their budgets.
They must establish and maintain
senior management support.
OMB will do all that it can to encourage
and help the agencies in these efforts.
To identify specific problems regarding
implementation, we are collecting empirical data from the agencies. We
began in June 1999 with a systematic review of agency risk management
processes. We are now focusing on the security posture of 43 high impact
government programs such as Medicare, Medicaid, the Air Traffic Control
System, Social Security, and Student Aid.
Our findings to date are illuminating.
Agencies need to improve their integration of security into their capital
planning and investment control processes. As mentioned earlier, in February
of this year, we provided the agencies with the first step towards a solution
-- specific security criteria that agencies must meet before they receive
FY 2002 funding for information technology investment requests. These
criteria require agencies to demonstrate explicitly how their information
technology investments provides for adequate security controls and how
they account for the costs of those controls over the life of each system.
Additionally, OMB's budget preparation
guidance to the agencies this year will add a requirement that they include,
for each system, a percentage amount for security. Over time, we believe
this will give us better information on true security costs.
We are working with the NSC, the
CIO Council, NIST, GSA, GAO, and others on a number of specific projects
to assist the agencies and enhance government-wide security. These include:
Testing a systematic process
of identifying, assessing, and sharing effective security practices.
The CIO Council has developed a searchable database and website to
facilitate this activity.
Finalizing security performance
measures (metrics) against which agencies can assess their security
programs and take steps to mature them over time. Agency comments
on the final draft of this assessment framework are due this week.
NIST and the CIO Council are scheduling a workshop for August to discuss
the comments broadly. It is significant to note that our assessment
framework compares favorably with the results of a similar effort
by a major financial institution widely recognized as an industry
leader in security.
Creating a formal process for
coordinating the government-wide response to cyber incidents of national
significance. This process includes the formation of a working group
consisting of OMB, the FBI, Departments of Justice, Defense, and Commerce,
the intelligence community, GSA, and the CIO Council, along with a
senior level steering group consisting of senior officials from the
above agencies, the NSC and OSTP.
Improving the operational effectiveness
of the Federal Computer Incident Response Capability (FedCIRC) in
responding to lower level incidents and coordinating federal agency
sharing of information regarding common vulnerabilities and computer
incidents. Several years ago, OMB designated FedCIRC as the primary
avenue for agencies to fulfill their information sharing responsibilities.
OMB and the CIO Council are working together to enhance that capability.
Using the FedCIRC organization
to promote more timely agency installation of patches for known vulnerabilities.
Many successful attacks against government and industry systems have
been the result of old vulnerabilities for which vendor patches are
readily available at no cost. Installing such patches is not, however,
a trivial task; it requires considerable time and effort on the part
of systems administrators who often are busy just keeping their systems
up and running efficiently. We hope to provide some relief through
this cross-cutting initiative if we can obtain necessary future funding.
Reviewing security policies
and practices of the national security community to see if they have
applicability for those agencies that operate in an unclassified environment.
Where appropriate, those policies and practices will be adapted for
general agency use.
Exploring with the CFO Council
the viability of establishing a security benchmark or standard expectation
for the security of agency financial systems. This effort may prove
to be an effective pilot for establishing similar benchmarks for other
discrete classes of information and systems. At the same time, we
want to move carefully in this area to avoid the temptation to establish
one-size-fits-all security requirements.
Developing a government-wide
Public Key Infrastructure (PKI) - a trusted digital signature infrastructure
that will facilitate a broad range of services including tax filings,
regulatory submissions, student and small business loans, benefit
applications, grants, and many more. The PKI will be essential to
agency implementation of the Paperwork Elimination Act. The Federal
PKI Steering Committee, sponsored by the CIO Council, is working with
government agencies and industry to field a comprehensive network-based
infrastructure to support a federal PKI. Part of this task involves
allowing digital signatures from different government agencies and
different vendors to interoperate. A pilot, "Certificate Bridge
Authority" successfully tested this interoperability in April
and will be operational later this year. The PKI, through digital
signature services and encryption, provides four of the basic security
services I mentioned earlier -- confidentiality, integrity, authenticity,
and non-repudiation. For all of these efforts, adequate future funding
will be essential.
These are innovative efforts that
show great promise. They need Congressional support if we are to fulfill
On a current note, we are very supportive
of the Government Information Security Act of 2000, now part of the pending
FY 2001 Defense Authorization Act. The Administration worked closely,
in a non-partisan way, with the authors of this legislation. We share
a desire to meet the security needs of the government and promote security
as an essential management function. The Federal government has come a
long way since the original Computer Security Act was passed in 1987.
There have been significant technology and policy changes along the way.
If it becomes law, the Government Information Security Act will update
our statutory framework in a thoughtful and constructive manner.
We appreciate your interest in all
of these matters and look forward to continuing our close cooperation
with the Committee in this important area. We value our partnership with
you and hope that this hearing will mark a further strengthening of our
joint efforts on behalf of the American people.