Testimony Before The House Select Committee on Homeland Security
Subcommittee on Cyber Security, Science and Research & Development
and
Subcommittee on Infrastructure and Border Security
“The DHS Infrastructure Protection Division: Public-Private Partnerships to Secure Critical Infrastructure”
by
Diane VanDe Hei
Vice Chair, ISAC Council and Executive Director, Association of Metropolitan Water Agencies and WaterISAC
April 21, 2004
Introduction
Good afternoon, Chairman Thornberry, Chairman Camp, and distinguished
members of the subcommittees. It is an honor and a privilege to
meet with you today to discuss the private sector interaction with
the Department of Homeland Security (DHS).
I would like
to thank both the Cyber Security, Science, Research & Development
Subcommittee and the Infrastructure and Border Security Subcommittee
for creating this important opportunity and inviting the ISAC Council
to be here today.
My name is Diane VanDe Hei. I serve as Vice Chair of the Information
Sharing and Analysis Center (ISAC) Council. I am also Executive
Director of the Association of Metropolitan Water Agencies as well
as the Water Information Sharing and Analysis Center (WaterISAC).
Background
ISACs originated when the Federal Government issued its policy
on Critical Infrastructure Protection, otherwise known as Presidential
Decision Directive 63. PDD-63 has been replaced with HSPD-7, to
authorize and encourage national critical infrastructures to develop
and maintain ISACs between the private sector in cooperation with
federal government as a means of strengthening security and protection
against cyber and operations attacks.
The ISAC Council
Homeland security presents significant challenges for the ISAC
community and we look forward to working directly with you in the
coming months. The work you are doing is extremely important and
you have the commitment of the ISAC Council to do everything we
can to assist in protecting the critical infrastructures of the
United States.
I am here today
to briefly discuss the ISAC Council and its role in protecting
critical
infrastructures. Members of the subcommittees,
the ISAC Council voluntarily formed almost two years ago. Our goals
are to discuss interdependencies and how we can develop better
communications – among the various sectors and across borders – as
well as what information should be shared on both physical and
cyber issues within the sectors and with the government.
The Council
has grown from representing eight sectors to include 14 sectors.
In addition to the private sector membership, the ISAC
Council also includes government ISACs such as Emergency
Management and Response who report to DHS as well as the Multi-state
ISAC.
Early on the
ISAC Council saw the need to be a very inclusive group. Although
each of our sectors is unique in composition they
are also intimately intertwined with each other, and a catastrophe
in one sector can impact many others. We have seen this on a number
of occasions. Take 9/11 for example, we had a physical impact on
the twin towers, which impacted telecommunications and electric
services, as well as closing Wall Street for four business days.
Additionally, the northeast power outage impacted several sectors
including drinking water, wastewater, transportation and small
businesses alike.
To improve the ISACs and to help communicate with government,
the ISAC Council has developed eight white papers that reflect
the collective analysis of members of the ISAC Council and cover
a broad set of issues and challenges. The topics include:
• Government – Private Sector Relations
• HSPD-7 Issues and Metrics
• Information Sharing and Analysis
• Integration of ISACs into Exercises
• ISAC Analytical Efforts
• Policy Framework for the ISAC community
• Reach of the Major ISACs
• Vetting and Trust
These papers recognize the critical leadership role played by
the private sector, with respect both to the operational infrastructures
established in ISACs for analysis and information sharing and in
the interaction of ISACs with the Department of Homeland Security
and other government agencies addressing the challenges of critical
infrastructure protection. We have shared these papers with Hill
staff, DHS and GSA.
We believe that these papers are only the beginning steps in tackling
the serious policy and process issues challenging the implementation
of an effective private sector and government information sharing
and analysis partnership. The ISAC Council is continuing to work
on concrete actions to increase ISAC support to the nation. To
facilitate this effort, the ISAC Council members communicate on
a daily basis (conference calls or by email) on operations and
on an as-needed basis for large new vulnerability announcements
and/or incidents.
Government – Private Sector Partnerships
One of the primary challenges to government and the private sector
is the establishment of trusted partnerships. I believe we all
agree that partnerships between government and the private sector
are essential and since 9/11, it has become even more critical
for these partnerships to mature in order to effectively address
homeland security issues.
As you all know, trusting partnerships cannot be legislated, regulated,
or even stipulated. Nor can partnerships be purchased, traded or
incorporated.
Partnerships are built between people and organizations that recognize
the value in joint collaboration toward a common end. They are
fragile entities that need to be established and maintained by
all participants and built upon a foundation of trust.
We have learned that our ISACs need the full support and
confidence of certain key elements of the government to create
and maintain a successful and comprehensive security plan. Furthermore,
we are also keenly aware that we, the critical infrastructures,
need to maintain a trusted relationship with our government partners
so that we can work with them and their staffs to maintain the
delicate balance between security and privacy.
Our relationship with DHS has had a few bumps in the road, but
overall we have progressed and, I believe, have a common goal and
agree on the strong need to partner in information sharing and
analysis.
As with the maturation of DHS, so have each of our collective ISACs.
I do believe that the government assisting the private sector
with baseline funding for certain sectors is ideal. The
WaterISAC, for example, has received funding from Congress and
the U.S. Environmental Protection Agency (EPA) while we continue
to build the private sector contribution to the ISAC. Although
the information on the WaterISAC -- available to 54,000 community
water systems (90 percent publicly owned and 10 percent investor
owned) and 15,000 publicly owned treatment works -- is available
to all subscribers, our fee for service to these utilities is tiered
based on population served. By doing so, we hope to make the WaterISAC
affordable to all drinking water and wastewater utilities. In addition,
with the help of congressional funding, this year we will broaden
the reach of the WaterISAC by developing a push email system that
will be capable of reaching thousands of drinking water and wastewater
utilities with federal advisories and notices.
Other ISACs, as you might expect, are structured differently depending
on the composition of the sector and the breadth and scope of the
services the sector decides are needed. That being said, we must
keep our ISAC models intact, meaning that the government should
not attempt to dictate how the individual ISACs are structured
nor how information is provided, analyzed and reported to government.
On a very positive note, DHS has agreed to pilot the HSIN network
with the water and electric sectors and has also provided funding
to do tabletop exercises with the Financial, Telecommunications,
and Electric Sectors.
In addition, DHS IAIP regularly meets with the ISAC Council and
listens to many of our concerns regarding the need for their strong
support of the ISACs and the improvement of our information sharing
capabilities.
Summary
The ISAC Council plays an important role in homeland security.
It brings together diverse sectors, examines commonalities and most
importantly cements trusting partnerships that allow us to share
information, learn the best from each other and enhance communication
among interdependent sectors.
If I could leave you with two recommendations it would be these: We need
your help to ensure that the private sector’s investment
in their ISACs is built upon and strengthened. Once lost, this
type of voluntary commitment will be very difficult if not impossible
to rebuild. Secondly, we need your help to insist that the private
sector be included “up front” in the analysis of intelligence.
Government must learn to trust infrastructure owners/operators
with real information that allows us to apply our resources in
a smart way to protect the infrastructure.
Thank you for the opportunity to testify today. I would be happy
to answer any questions.