Testimony Before The House Select Committee on Homeland Security
on Cyber Security, Science and Research & Development
Subcommittee on Infrastructure and Border Security
“ The DHS Infrastructure Protection Division: Public-Private Partnerships
to Secure Critical Infrastructure”
Diane VanDe Hei
Vice Chair, ISAC Council and Executive Director Association of Metropolitan Water Agencies and WaterISAC
Word Version April 21, 2004
Good afternoon, Chairman Thornberry, Chairman Camp, and distinguished
members of the subcommittees. It is an honor and a privilege to
meet with you today to discuss the private sector interaction with
the Department of Homeland Security (DHS).
I would like
to thank both the Cyber Security, Science, Research & Development
Subcommittee and the Infrastructure and Border Security Subcommittee
for creating this important opportunity and inviting the ISAC Council
to be here today.
My name is Diane VanDe Hei. I serve as Vice Chair of the Information
Sharing and Analysis Center (ISAC) Council. I am also Executive
Director of the Association of Metropolitan Water Agencies as well
as the Water Information Sharing and Analysis Center (WaterISAC).
ISACs originated when the Federal Government issued its policy
on Critical Infrastructure Protection, otherwise known as Presidential
Decision Directive 63. PDD-63 has been replaced with HSPD-7, to
authorize and encourage national critical infrastructures to develop
and maintain ISACs between the private sector in cooperation with
federal government as a means of strengthening security and protection
against cyber and operations attacks.
The ISAC Council
Homeland security presents significant challenges for the ISAC
community and we look forward to working directly with you in the
coming months. The work you are doing is extremely important and
you have the commitment of the ISAC Council to do everything we
can to assist in protecting the critical infrastructures of the
I am here today
to briefly discuss the ISAC Council and its role in protecting
infrastructures. Members of the subcommittees,
the ISAC Council voluntarily formed almost two years ago. Our goals
are to discuss interdependencies and how we can develop better
communications – among the various sectors and across borders – as
well as what information should be shared on both physical and
cyber issues within the sectors and with the government.
has grown from representing eight sectors to include 14 sectors.
to the private sector membership, the ISAC
Council also includes government ISAC’s such as Emergency
Management and Response who report to DHS as well as the Multi-state
Early on the
ISAC Council saw the need to be a very inclusive group. Although
each of our sectors is unique in composition they
are also intimately intertwined with each other, and a catastrophe
in one sector can impact many others. We have seen this on a number
of occasions. Take 9/11 for example, we had a physical impact on
the twin towers, which impacted telecommunications and electric
services,as well as closing Wall Street for four business days.
Additionally, the northeast power outage impacted several sectors
including drinking water, wastewater, transportation and small
To improve the ISACs and to help communicate with government,
the ISAC Council has developed eight white papers that reflect
the collective analysis of members of the ISAC Council and cover
a broad set of issues and challenges. The topics include:
• Government – Private
• HSPD-7 Issues and Metrics
• Information Sharing and Analysis
• Integration of ISACs into Exercises
• ISAC Analytical Efforts
• Policy Framework for the ISAC community
of the Major ISACs
• Vetting and Trust
These papers recognize the critical leadership role played by
the private sector, with respect both to the operational infrastructures
established in ISACs for analysis and information sharing and in
the interaction of ISACs with the Department of Homeland Security
and other government agencies addressing the challenges of critical
infrastructure protection. We have shared these papers with Hill
staff, DHS and GSA.
We believe that these papers are only the beginning steps in tackling
the serious policy and process issues challenging the implementation
of an effective private sector and government information sharing
and analysis partnership. The ISAC Council is continuing to work
on concrete actions to increase ISAC support to the nation. To
facilitate this effort, the ISAC Council members communicate on
a daily basis (conference calls or by email) on operations and
on a as needed basis for large new vulnerability announcements
Government – Private
One of the primary challenges to government and the private sector
is the establishment of trusted partnerships. I believe we all
agree that partnerships between government and the private sector
are essential and since 9/11, it has become even more critical
for these partnerships to mature in order to effectively address
homeland security issues.
As you all know, trusting partnerships cannot be legislated, regulated,
or even stipulated. Nor can partnerships be purchased, traded or
Partnerships are built between people and organizations that recognize
the value in joint collaboration toward a common end. They are
fragile entities that need to be established and maintained by
all participants and built upon a foundation of trust.
We have learned
that our ISAC’s need the full support and
confidence of certain key elements of the government to create
and maintain a successful and comprehensive security plan. Furthermore,
we are also keenly aware that we, the critical infrastructures,
need to maintain a trusted relationship with our government partners
so that we can work with them and their staffs to maintain the
delicate balance between security and privacy.
Our relationship with DHS has had a few bumps in the road, but
overall we have progressed and, I believe, have a common goal and
agree on the strong need to partner in information sharing and
As with the
maturation of DHS, so have each of our collective ISAC’s.
I do believe that the government assisting the private sector
funding for certain sectors is ideal. The
WaterISAC, for example, has received funding from Congress and
the U.S. Environmental Protection Agency (EPA) while we continue
to build the private sector contribution to the ISAC. Although
the information on the WaterISAC -- available to 54,000 community
water systems (90 percent publicly owned and 10 percent investor
owned) and 15,000 publicly owned treatment works -- is available
to all subscribers, our fee for service to these utilities is tiered
based on population served. By doing so, we hope to make the WaterISAC
affordable to all drinking water and wastewater utilities. In addition
with the help of congressional funding, this year we will broaden
the reach of the WaterISAC by developing a push email system that
will be capable of reaching thousands of drinking water and wastewater
utilities with federal advisories and notices.
Other ISACs, as you might expect, are structured differently depending
on the composition of the sector and the breadth and scope of the
services the sector decides is needed. That being said, we must
keep our ISAC models in tact, meaning that the government should
not attempt to dictate how the individual ISACs are structured
nor how information is provided, analyzed and reported to government.
On a very positive note, DHS has agreed to pilot the HSIN network
with the water and electric sectors and has also provided funding
to do tabletop exercises with the Financial, Telecommunications,
and Electric Sectors.
In addition, DHS IAIP regularly meets with the ISAC Council and
listens to many of our concerns regarding the need for their strong
support of the ISACs and the improvement of our information sharing
The ISAC Council plays an important role in homeland security.
It brings together diverse sectors, examines commonalties and most
importantly cements trusting partnerships that allows us to share
information, learn the best from each other and enhance communication
among interdependent sectors.
If I could
leave you with two recommendation it would be these: We need
to ensure that the private sector’s investment
in their ISACs is built upon and strengthened. Once lost, this
type of voluntary commitment will be very difficult if not impossible
to rebuild. Secondly, we need your help to insist that the private
sector be included “up front” in the analysis of intellligence.
Government must learn to trust infrastructure owners/operators
with real information that allows us to apply our resources in
a smart way to protect the infrastructure.
Thank you for the opportunity to testify today. I would be happy
to answer any questions.