IWS - The Information Warfare Site
News Watch Make a donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

Statement by Robert Liscouski
Assistant Secretary for Infrastructure Protection
U.S. Department of Homeland Security

Word Version

Before the House Homeland Select Subcommittee on Infrastructure and Border Security and
Subcommittee on Cybersecurity, Science, and Research & Development
April 21, 2004

Good morning, Chairman Thornberry, Chairman Camp, and distinguished members of the subcommittees. I am pleased to appear before you again today to discuss Information Sharing between the Department of Homeland Security and Critical Infrastructure Sectors.

The recent bombings in Madrid confirm that terrorists are willing to exploit a wide range of infrastructure vulnerabilities. That is why we must continue to be vigilant and flexible in our approach to infrastructure protection. We in the Information Analysis and Infrastructure Protection Directorate (IAIP) take that mandate to heart in our collective efforts and activities to protect the Nation.

Since the inception of DHS in 2003, working in a continuing partnership with private industry, we have made significant progress in evaluating and securing our greatest vulnerabilities. In order for this public-private partnership effort to succeed, increased information sharing is essential. To this end, we are making exceptional progress in expanding our information sharing capabilities with respect to all of the types of information that must be shared including vulnerability information, exploits, threats, incidents, best practices, and early warnings.

Today I will discuss with you an overview of the current level of relationships and information sharing we have with private industry, illustrating accomplishments with specific examples. Then I will describe recent initiatives we have implemented to enhance those relationships. Finally, I will discuss some new initiatives we are planning for later this year.

DHS and Private Sector Relationships
Any effective relationship with private industry requires engagement at all levels. IAIP works hard to maintain a comprehensive relationship with private industry, specifically focusing on the critical infrastructure sectors and the owners and operators of key assets. This relationship operates on three levels: 1) policy and strategy; 2) planning and implementation; and 3) operational execution.

Policy and Strategy
 IAIP serves as the executive agent for two Presidential advisory committees: The National Infrastructure Advisory Council (NIAC) and the National Security Telecommunications Advisory Committee (NSTAC). Both bodies provide policy and strategic advice to the President on enhancing public-private partnerships and on specific strategic issues related to critical infrastructure protection.

The NSTAC is chartered to provide industry-based advice and expertise through the Secretary of Homeland Security to the President on issues and problems related to implementing national security and emergency preparedness (NS/EP) telecommunications policy. It is composed of up to 30 industry chief executives representing the major communications and network service providers and information technology, finance, and aerospace companies. Since its inception, the NSTAC has addressed a wide range of policy and technical issues regarding telecommunications, information systems, information assurance, critical infrastructure protection, and other NS/EP communications concerns.

The NIAC, through the Secretary of Homeland Security, provides the President with expert advice on the security of information systems for critical infrastructure supporting other sectors of the economy: banking and finance, transportation, energy, manufacturing, and emergency government services. Because information and physical security are inextricably linked within many critical infrastructure sectors, the Council has addressed issues that cover both. The NIAC is charged to enhance the partnership of the public and private sectors, propose and develop ways to encourage private industry to perform periodic risk assessments, foster improved cooperation among the Information Sharing and Analysis Centers (ISACs), DHS, and other Federal Government entities; and advise sector specific agencies with critical infrastructure responsibilities, sector coordinators, DHS, and the ISACs. The Council includes chief executives from industry, academia and State and local government.

Both the NSTAC and the NIAC work closely with the Administration and IAIP to identify key policy issues of importance to critical infrastructure protection.


Planning and Implementation
 At the planning and implementation level, IAIP works with cross-sector bodies, such as the Partnership for Critical Infrastructure Security (PCIS). The PCIS Board consists of all the sector leadership entities that comprise the “sector coordination mechanism[s]” referred to in Homeland Security Presidential Directive 7 (HSPD-7). These leadership entities have been previously affirmed by the sector specific agencies. Private industry established the PCIS as a forum to partner across sectors and with the Federal Government to address critical infrastructure.

IAIP also works with the ISAC Council, whose members represent many of the ISACs established in infrastructure sectors. Private industry, on its own volition, organized this forum to share common issues and best practices, and to find common solutions. ISACs are established voluntarily by industry sectors to share information and analysis for alerts, warnings and advisories, and act as a communication vehicle for best practices and other security information tailored for each sector.

As a point of entry into the sector, sector leadership entities have the mission of facilitating sector strategy and policy as well as coordinating a wide range of critical infrastructure planning activities, that include national planning involving critical infrastructures, outreach and awareness, sector vulnerability assessments, requirements for sector information sharing, identifying sector-wide best practices, acting as the sector’s point of contact with the Federal Government at infrastructure protection meetings, and serving as the strategic communication point back into the sector and to its members from the Federal Government.

The critical infrastructure sectors are very diverse in their composition, culture, and operations. Consequently, their level of collaboration and coordination with the Federal Government, and with each other, varies widely between sectors. Recognizing these differences, IAIP has developed a facilitative process to work in partnership with the Federal sector-specific agencies (as defined in HSPD-7) to help the sectors organize themselves as inclusively as possible to identify or construct the "sector leadership entity" for critical infrastructure protection. This leadership entity could be an individual, entity or group. Examples of how IAIP actively engages in this sector development activity can be found today in the Agriculture and Food sectors (in partnership with HHS and USDA), the Public Health sector (in cooperation with HHS), the Postal and Shipping sector, the Water sector (in cooperation with EPA), and the Emergency Services sector.

IAIP leadership met frequently with both the PCIS and the ISAC Council throughout the last year, and continues to meet with them, to understand and gain deeper knowledge of sector issues from the private sector representatives on various aspects of infrastructure protection. Out of one of the briefings provided by IAIP to the ISAC Council, the Council, on its own initiative, developed a series of white papers on information sharing for its own use in strategic planning, and shared them with IAIP.

With the support of IAIP, the PCIS Board and the ISAC Council began holding joint meetings in December, 2003. They have worked jointly and independently on various initiatives. In joint sessions, DHS has provided comprehensive briefings on its initiatives and critical issues, which have led the joint PCIS/ISAC Council to begin identifying specific activities, tools/methodologies development, and programs undertaken by each specific sector and then shared across sectors as best practices to improve each sector's security. This study has helped each sector identify gaps as they compare their activities. This joint body represents a major forum for joint communication with the critical infrastructure sectors.

IAIP has embarked upon national level planning efforts that will involve the private sector in the development and/or implementation of the plan. Under HSPD-7, IAIP has embarked upon the development of the National Infrastructure Protection Plan (NIPP). This National Plan will cover the 13 critical infrastructure sectors and four categories of Key Resources. Sector-Specific Agencies both internal to and external to DHS will have the lead for drafting these 17 sector-specific plans, which will be integrated into the National Plan. The public-private partnership in this Plan will be realized through engaging the private sector in the planning process as represented by their ISACs, sector coordinators, and other recognized sector stakeholders so that their knowledge and information will be reflected in the substance of the Plan itself.

In a second national planning effort under HSPD-5, DHS's Office of Headquarters Integration Staff, along with the Department’s directorates, is developing the National Response Plan. For the first time, the National Response Plan, which integrates the various federal response plans, will include the private sector as an essential element in preparedness, response, and recovery.

Relationships must be maintained at this level in order to assure coordinated and integrated plans and programs that utilize resources optimally and to assure engagement of operational leadership within the private industry for mutual planning and goals setting.

Operational Execution
 At the operational level, IAIP works on daily, periodic and situational basis with ISACs sharing information on threats, developing suggested protective actions, and alert and warnings. There are currently 14 ISACs spanning most of the HSPD-7 critical infrastructures. ISACs serve as a gateway between DHS and the industry for two-way information sharing and provide the industry with an information clearinghouse for each sector. Through the up-to-date distribution lists maintained by the ISACs, DHS is able to quickly disseminate threat warnings to identified entities within each sector.

To a lesser degree, ISACs and their members provide DHS with incident and suspicious activity information. This type of information holds the potential for completing the situational awareness picture (together with Intelligence Community and Law Enforcement information) concerning possible threats to the nation's critical infrastructures. In my organization, the Infrastructure Coordination Division (ICD) and National Communications System (NCS) are the two IAIP divisions responsible for maintaining and enhancing relationships with the private sector through their ISACs, the latter with specific responsibility for the telecommunications sector. Staff from both divisions participate actively in ISAC related Advisory Groups, Committees, Task Forces and Working Groups and maintain day-to-day contact with the ISACs.

In addition, the Protective Security Division (PSD), also within the Office of Infrastructure Protection, has worked with owners and operators of specific categories of critical assets to develop and tailor protective practices for these assets. An example of this type of product is the guidelines for protecting refineries that the oil industry published last year. This type of work complements the "buffer zone" approach for communities that the division has developed and deployed over the last fourteen months. In addition, PSD is deploying regional/ field security representatives to work directly with the owners and operators of critical infrastructure facilities and community leaders to address protective measures. Together, these practices constitute a holistic approach to infrastructure protection, looking at the activity from a "whole systems" perspective, and providing for a "layered" defense for the nation’s critical assets.

In support of integrated operations, DHS's predecessor agencies have granted security clearances to industry representatives when the purpose is to help the Federal Government maintain and enhance our national security, which includes critical infrastructure protection. Clearances historically have been given to individuals who have unique expertise, not available in government, on critical infrastructure protection, operations, or technology or who must take specific protective actions in response to classified information. In the past, IAIP sector analysts have specifically relied on ISAC and industry experts, generally with secret-level clearances, to help them assess sector threat, risk, and vulnerability information. In particular, these industry representatives work closely with DHS analysts to ensure that government-generated warning products (e.g. Advisories and Information Bulletins), when declassified to permit broad industry distribution, still contain information that provides "value added" actionable intelligence when disseminated to sector members. DHS is continuing to refine and working to accelerate the process for granting security clearances to key sector individuals to assist DHS, and ultimately their own sectors, regarding the production and receipt of timely and actionable threat information.

In February, 2003, President Bush issued the National Strategy to Secure Cyberspace (“the Strategy”). DHS recognized that in order to meet many of the mandates in the Strategy and other objectives addressing greater national cyber security, we needed to create an operational mechanism for building a cyber security readiness and response system. As such, through an initial partnership with the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, we created the U.S. Computer Emergency Readiness Team, or US-CERT. Through that partnership, US-CERT is able to leverage, rather than duplicate, existing capabilities and accelerate national cyber security efforts. US-CERT provides a national coordination center that links public and private response capabilities to facilitate information sharing across all infrastructure sectors and to help protect and maintain the continuity of our Nation’s cyber infrastructure. The overarching approach to this task is to facilitate and implement systemic global and domestic coordination of deterrence from, preparation for, defense against, response to, and recovery from, cyber incidents and attacks across the United States, as well as the cyber consequences of physical attacks. To this end, US-CERT is building a cyber watch and warning capability, launching the US-CERT Partnership Program to build situational awareness and cooperation, and coordinating with U.S. Government agencies and the private sector to deter, prevent, respond to and recover from cyber – and physical – attacks. Through its Internet portal, US-CERT is a crucial component of – and a distribution tool for – our cyber security awareness activities.

On January 28, 2004, the Department of Homeland Security through US-CERT unveiled the National Cyber Alert System, an operational system developed to deliver targeted, timely and actionable information to Americans to secure their computer systems. As the U.S. Government, we have a responsibility to alert the public of imminent threats and to provide protective measures when we can, or least provide the information necessary for the public to protect their systems. Furthermore, it is also important to inform the public about the true nature of a given incident, what the facts are, and what steps they can and should take to address the problem. The offerings of the National Cyber Alert System provide that kind of information, we have already issued several alerts and the initial products in a periodic series of “best practices” and “how-to” guidance messages. We strive to make sure the information provided is understandable to all computer users, technical and non-technical, and reflects the broad usage of the Internet in today’s society. As we increase our outreach, the National Cyber Alert System is looking at other partners to distribute information to as many Americans as possible.

As the strategy acknowledged, one of our most important constituencies is the private sector. It is estimated that eighty-five percent of America's critical infrastructure is owned and operated by private companies, and technology developed by industry continues to fuel the growth and evolution of the Internet. In December 2003, the National Cyber Security Division (NCSD) co-hosted the first National Cyber Security Summit in Santa Clara, California with the Information Technology Association of America, TechNet, the Business Software Alliance, and the U.S. Chamber of Commerce. This event was designed to energize the public and private sectors to implement the Strategy. The Summit allowed the Department of Homeland Security to work side-by-side with leaders from industry to address the key cyber security issues facing the Nation. Five interest areas were established to focus specifically in the areas of:

* Increasing awareness
* Cyber security early warning
* Best practices for information security corporate governance
* Technical standards and common criteria
* Security across the software development lifecycle

Perhaps most importantly, the Summit served as a call to action. It represented a logical transition point from developing a national strategy to energizing the public-private partnership to implement concrete, measurable actions to improve the security of America’s cyber systems. Over the past few weeks, summit participants have put forward options for potential solutions in each of these key areas for both the public and private sector. We are excited that the private sector is showing such initiative and we are committed to working together.

DHS is also a sponsor of the National Cyber Security Alliance (NCSA) and StaySafeOnline, a public-private organization created to educate home users and small businesses on cyber security best practices. Other NCSA sponsors include: The Federal Trade Commission, AT&T, America Online, Computer Associates, ITAA, Network Associates, and Symantec. DHS is providing matching funds to expand the NCSA end-user outreach campaign, which will include a Fall 2004 Public Service Campaign to increase awareness among Americans about key cyber security issues.

In operational relationships of this kind, adding value, efficiency and customer orientation is the key to building trust and sustaining relationships. IAIP has worked hard to enhance its capabilities in this regard over the last year with these activities. These relationships represent on-going efforts that are essential for efficient planning and implementation coordination. The long term commitment of communications between the federal government and the private entities is an essential element of building successful public-private partnerships.

Private Public Partnerships Information Sharing
 Adequate, actionable information is an essential enabler for all facets of critical infrastructure protection, from deterrence to response. Congress recognized its importance in the new tools it provided to DHS to obtain and protect, analyze and disseminate information from a wide variety of sources. Private industry owners and operators of critical infrastructure have long understood their responsibility for assuring their operations under a multitude of circumstances ranging from accidents to natural disasters. They now must add terrorism to the list of natural and manmade hazards they must consider and accommodate in their investments and response preparedness. The Federal government alone cannot protect this nation's expansive and widely distributed national infrastructures. IAIP needs private industry to be fully engaged in our national CIP program. Consequently, two-way information sharing with the owners and operators of critical infrastructures remains one of our highest priority public private partnerships.

Current Information Sharing Initiatives
The Information Sharing and Analysis Center (ISAC) has emerged over the last several years as a primary conduit for information sharing between the Federal government and many critical infrastructures and key resource industries. Each ISAC structure and operations tends to reflect the culture, structure and operating processes of their sector. The ISACs continue to evolve. They began with a focus on cyber security vulnerabilities and incidents. Since September 11, 2001, most share information on physical incidents as well.

ISACs have widely varying levels of maturity and capability. ISACs have served a valuable role in private partnership information sharing. The purpose of the ISAC is to provide an efficient conduit for dissemination, sharing and communications of indications, warnings, and advisories related to potential threats vulnerabilities and incident data.

The Northeast Blackout of last year is a good example of cooperation and effective communications between IAIP and the Electric Power industry through the industry's Electric Sector - ISAC. At the time of the power outage the ES-ISAC had already been well established and lines of communication between the ISAC and IAIP were in place. By approximately 4:30 pm EDT, 15 minutes after the initiation of the power outage, the IAIP's electric sector specialist was on the phone with the ES-ISAC to establish a preliminary estimate of the extent of the outage and to determine whether it had ceased to spread. Following discussions with the ISAC, we were able to make an assessment that the outage did not appear to have been caused by terrorist activity. This information was immediately elevated to Secretary Ridge and to the White House.

Every couple of hours throughout the night, and somewhat less frequently over the next several days, the ES-ISAC conducted conference calls with industry representatives to assess restoration efforts. These calls were summarized in a Situation Report that was provided to senior officials within DHS and to each IAIP Infrastructure Sector lead for cross-infrastructure sharing purposes (since every sector depends upon electricity). In addition, the ES-ISAC structure was used effectively to share information with other industry sectors that are dependent on electricity. For example, on the evening of the power outage, the IAIP electric power staff addressed a conference call of the Financial Sector-ISAC and was able (based on earlier ES-ISAC inputs) to estimate the duration of the interruption of power supplies to New York City. In summary, the August 14th power outage demonstrated that the ISACs are an effective mechanism for receiving information from the private sector as well as for providing information to the private sector during a crisis.

A long standing example of the utility of ISACs is the National Communications Center Telecommunications-ISAC, which is the primary DHS interface with the Private Sector for the telecommunications infrastructure. Built on an existing information sharing body, the NCC Telecom-ISAC is grounded by well-established trust. This mature, close relationship with industry is Government-supported, which facilitates the ISAC's ability to provide a value-added service, reaching out to the entire sector. This has provided a great role model for other ISACs.

In the past, the Federal Government would conduct readiness and terrorism exercise in the absence of private sector participation. For example, in the TOPOFF-1 and TOPOFF-2 exercise series, the private sector owners and operators of infrastructure were excluded from "exercise play", with the sole exception of hospitals, which were always one of the key operations being "stressed and tested" in those types of exercises. In contrast, based on prior planning and coordination by the U.S. Secret Service component of DHS, a Financial Services (FS)-ISAC Table Top Exercise was held in New York, March 2003 soon after the standup of the Department. DHS staff attended the exercise to observe the scenario play and to ensure that participants were aware of DHS's role, including ICD role, in aiding with real-world recovery operations. The event was well received by the financial sector participants.

Building on this effort and working with the state homeland security advisors, DHS has continued these exercises in, Chicago, San Francisco, Houston, and now, concurrent with this testimony, from 19-22 April 2004, the FS-ISAC is hosting its next Tabletop exercise in St. Petersburg, Florida. The exercise will include two days of interactive tabletop play. DHS is sponsoring this event and staff will be actively participating in the exercises.

From the lessons learned of TOPOFF-2 and these other table top exercises, IAIP recognizes the need to engage our private sector partners in these planning and execution of these national level exercises. Exercises, of all kinds, tabletop, command post and full scale; are powerful 'best practice' training tools and provide another venue for information sharing. IAIP plans to continue to include the private sector in future exercises whenever it makes sense to do so.

New Information Sharing Initiatives
 The Administration and Congress have provided additional tools to enhance information sharing with the private sector. I will now discuss IAIP's new information sharing initiatives.

As the primary operational interface with the nation's critical infrastructures, ICD continues to pass timely and substantive threat information to the private sector. At daily and/or weekly teleconferences, sector analysts provide the critical infrastructures via the ISACs with unclassified threat updates on terrorist activities potentially affecting their systems and facilities. In addition, classified threat briefings are presented to cleared ISAC representatives and their industry members on a quarterly or semi-annual basis. To maintain appropriate situational awareness for each sector – a key division objective – ICD analysts on an ad hoc basis also provide timely assessments of high threshold threats to critical infrastructures through the ISACs. In addition, ICD sector analysts routinely assist IA analysts in preparing warning products that identify and communicate infrastructure-specific threats and incident trends.

The National Infrastructure Coordinating Center (NICC) uses the Infrastructure Protection (IP) Executive Notification Service (ENS) to quickly notify ISAC leadership and Sector Coordinators of critical infrastructure events ranging from notification of imminent threats, dissemination of sector-specific warning products, and changes in national threat level. ENS delivers rapid internal and external messaging capability among government and private sector partners and provides Interactive Secure Authentication, which ensures confidentiality of communications, as well as confirmation of receipt.

Protected Critical Infrastructure Information
Critical to the Department of Homeland Security's mission is the ability to effectively share information with homeland security partners across the country to better protect the nation's critical infrastructure. The Critical Infrastructure Information (CII) Act and implementing regulations provide private industry assurances that critical infrastructure information they voluntarily share with the government will be protected from release to the public and from use in civil litigation. The PCII Program enables the Department to receive critical infrastructure information that would not have previously been available to the government, thereby allowing for a better understanding of threats, vulnerabilities and the security of the nation's critical infrastructure.

With the protection from FOIA disclosure offered by the CII Act, the private sector can share sensitive and confidential information that can be analyzed to identify threats and vulnerabilities. Such analysis will provide the basis not only for developing measures to deter the threats and mitigate the vulnerabilities to which the critical infrastructure is exposed, but also for improving Federal, State, and local governments' emergency preparedness posture to respond to any attacks more effectively.

The benefits to private industry are both practical and patriotic. Information sharing will result in better identification of risks and vulnerabilities, which individual companies can use to help protect their assets. By voluntarily sharing such critical information, private industry demonstrates responsiveness to Government need and the public good. Private industry is demonstrating good corporate citizenship that may save lives and protect our hometowns. By participating in the PCII Program, industry is helping to safeguard and prevent disruption to the American economy and way of life.

National Infrastructure Coordination Center (NICC)
The NICC is currently developing capabilities towards its targeted operational capacity. Now in its third month of official operation, the NICC is collecting and analyzing best practices. While this analysis begins with watch center models, it also includes management practices, information sharing systems, and other process development models from a broad range of industries. The NICC will also work with its IAIPs public and private sector partners to ensure that its operational models most effectively and efficiently meet their needs.

DHS designed the NICC specifically to maintain operational awareness of the nation's critical infrastructures and key resources in collaboration with both private partners and counterpart government agencies. The NICC also, by design, provides DHS with the ability to coordinate information sharing between government, ISACs, and other industry partners. The NICC functions as an extension of the Homeland Security Operations Center (HSOC).

Homeland Security Information Network
 With the announcement by the Secretary of the Homeland Security Information Network (HSIN) in March, DHS provides a new capability for enhancing many of the critical infrastructure ISACs' capabilities to communicate with their sectors. The system provides a secure encrypted backbone capability for participants to communicate Sensitive But Unclassified (SBU) information with DHS, with each other, and other communities of interest that have information that may be useful to them. It provides a collaborative feature that allows government and industry participants to work together in real-time on problem solving. It has alerting and notification features to disseminate information to members of a sector or across sectors. The system provides the capability for sectors to interact with each other on the system as necessity dictates. These features provide support for a basic and common communications service among ISACs.

By providing access to these capabilities to the critical infrastructure ISACs, IAIP adds value as a partner to the ISACs by removing duplication of costs in implementation and operations, and accelerates the development of value of the ISACs to their sectors. From experience with its use through the JRIES community (consisting of law enforcement at Federal, state and local levels) the collaborative and real-time aspects of the system actually increases the pace and volume of information sharing. Pilots with volunteer critical infrastructure sectors will begin this year, with support from the Infrastructure Coordination Division.

We have seen great progress in two way information sharing with the private sector and these examples are illustrative of our efforts.

Conclusion
 This Administration has upheld a consistent policy that public private partnerships be one of the pillars of national critical infrastructure protection. Partnerships are an essential element described in every national strategy document that we have published on homeland security and critical infrastructure protection. This policy recognizes the new environment of terrorism, where both threats and vulnerabilities are continuously evolving in both physical and cyber space, will require an unprecedented adaptability and cooperation of the stakeholders. Since 85% of the critical infrastructures are owned and operated by private industry, how could a sustained effort be institutionalized to protect them? Only a full understanding by the stakeholders of their own vested interests related to this issue could sustain such an effort and commitment. Public-private partnerships are the only means that is responsive enough and adaptive enough to accomplish our national goals in a scalable, sustainable, and effective way.

We have learned many lessons about developing effective partnerships both from our legacy agencies and from our own experiences since DHS was implemented in 2003. I would like to share three of these with you today. Lesson 1 - Partnerships require a set of mutually determined objectives and deliverables to achieve a value proposition and trust. Lesson 2 - Participation in planning and objectives setting is essential to the success of the partnership. Both sides must understand the expectations, values, concerns, risks and individual objectives of each participant. Lesson 3 - Constant communication between all of the parties is an essential imperative.

With years of experience by agencies that are now part of DHS, the successful partnerships built between federal lead agencies and their counterparts in industry were those where the federal lead agencies educated and learned, convened, listened and responded and then supported their industry counterparts who took the lead to implement programs to protect themselves. The Federal government sharing useful, actionable information on threats induces greater information sharing by industry in return. Making it easy for industry to receive and provide information, providing products and services in return, based on that information, and working with owners and operators to develop and implement consistent and generally accepted protection practices, will add value to any partnership.

In all relationships, there are challenges. Strong long-term relationships depend, however, on how well the participants handle, learn from, and adapt to those challenges. Some lessons learned from the recent past in our dialogue with industry include involving them in planning, mutual goals setting and development of operational learning, such as input into our national plans, the NIPP and NRP, and direct participation in major exercises such as TOPOFF3. We have responded and adapted to many of the needs and expectations of industry in support of their protection strategies and programs.

Some private institutions have committed tremendous resources in time and money to supporting this national initiative, not just for their individual institution but for their industry as whole. Even before 9/11, some were doing so. Terrorists have innumerable weapons and targets of choice in our open society. In order to sustain an effective national CIP program, we need critical infrastructure sectors' cooperation, expertise and creativity to find the most effective and efficient ways to protect their sectors. It is incumbent upon DHS to develop and strengthen these partnerships and we will do so because there is more to do to help secure our homeland.