TESTIMONY OF THE HONORABLE GEORGE C. NEWSTROM
SECRETARY OF TECHNOLOGY, COMMONWEALTH OF VIRGINIA
AND
CHAIR, SECURITY COMMITTEE OF THE NATIONAL ASSOCIATION OF STATE CHIEF
INFORMATION OFFICERS (NASCIO)
HOUSE SUBCOMMITTEE ON CYBERSECURITY, SCIENCE, RESEARCH AND DEVELOPMENT
AND HOUSE SUBCOMMITTEE ON INFRASTRUCTURE AND BORDER SECURITY
HEARING ON PRIVATE-PUBLIC PARTNERSHIPS: INFORMATION SHARING BETWEEN
THE DEPARTMENT OF HOMELAND SECURITY AND CRITICAL INFRASTRUCTURE
SECTORS
April 21, 2004
Chairman Thornberry, Chairman Camp and Members of the Subcommittees,
Thank you for inviting me to appear before you today. I am before you today wearing two different hats: one representing the Commonwealth of Virginia as its Secretary of Technology and the second as the Chair of the Security Committee of the National Association of State Chief Information Officers (NASCIO).
I would like to offer my perspective on the issues of partnership and information sharing, with particular regard to Virginia’s cross-sector efforts to secure its critical and information infrastructures and NASCIO’s efforts to coordinate DHS’s interaction with the states on these matters. Virginia and NASCIO appreciate your attention to this important matter and your willingness to get input from a state and an organization that have direct stakes in the outcome. We believe that success in cross-sector infrastructure assurance and information sharing will be the result of persistent effort by many parties, advancing in spurts during times of urgency and more incrementally during times when trust and cooperation must be solidified for the long haul.
Efforts By NASCIO
At NASCIO, as I indicated, I serve as chair of its Security Committee. This committee addresses the role of state Information and Communications Technology (ICT) both in terms of how it supports the wider needs of state homeland security directors and in how state governments should be protecting their critical information assets. We also oversee NASCIO’s Interstate Information Sharing and Analysis Center (ISAC) efforts, which arise out of a July 2002 memorandum of understanding with DHS’s Infrastructure Coordination Division (ICD), led by James Caverly.
Protecting Governments’ Critical Information Assets
The information infrastructure is the only part of America’s critical infrastructures that is under attack everywhere, all the time. Unfortunately, the “cyber” threat on a national scale is still treated as secondary to any physical threat, whether it be chemical, biological, radiological, nuclear, or explosive. NASCIO believes that, while cyber-terrorism per se is still an emerging threat, we must press forward toward a coordinated, intergovernmental approach to protecting governments’ critical information assets if we are to ensure that critical governmental business functions—especially those supporting homeland security—will be available when needed. If we can secure our systems from hackers and organized criminals, we will have gone a long way toward securing them from terrorists and enemy nation states.
NASCIO has long realized the interdependencies of federal, state, and local information systems, which drive the need for an intergovernmental approach. Toward that end, we produced a document in 2002, titled “Public-Sector Information Security: A Call to Action for Public-Sector CIOs,” that emerged from a forum convened by NASCIO in the wake of 9/11. We also convened a roundtable discussion that included local, state, and federal participants last July here in Washington.
The primary lessons we have learned are that government ICT personnel should be considered a core component of state and local emergency response capabilities, because without everything from databases to wireless communications the first responders cannot do their jobs. Also, given that the states, counties, and cities are the primary mechanisms for delivering critical services to citizens – including federal programs – if the information systems of a state or local government go down, the ability of the other levels of government to do business within that jurisdiction will be significantly impaired, if not interrupted. This creates a cascading effect.
Supporting State Homeland Security Decision-Makers
While the CIO is charged with protecting the state’s critical information assets, he or she is also charged with managing the day-to-day operations of a wide variety of information systems and infrastructure that support first responders and homeland security leadership. Up to now, homeland security ICT has primarily been defined as those systems serving law enforcement and emergency managers. However, as state efforts to fuse information for intelligence and all-hazards incident-management purposes become more sophisticated, a wide range of information systems will be drawn into the effort, including those from public safety, public health, transportation, and agriculture, among others.
Homeland security at the state and local level is less about organizational change and more about cultural adjustment. Homeland security, like technology, requires an enterprise approach that synchronizes and harmonizes disparate parts under a common umbrella. Key to succeeding with this cultural change is achieving vertical and horizontal sharing and integration of information – something that requires effective application of technology. This will require the CIO, with statewide oversight, to help manage the development and deployment of systems that can meet the ever-changing needs of homeland security decision makers while maintaining appropriate levels of privacy and security. Our adversaries will continue to change their tactics. Therefore, our information systems must be able to help state homeland security directors and DHS gather the information they will need to counter these evolving threats.
Focused Action By The Federal Government Is A Necessity
It is essential that the federal government consolidate its information dissemination capability. While it might be necessary to have separate public safety, military and cyber efforts, we should not have multiple, uncoordinated information dissemination efforts within each of those categories, as we do now. Virginia knows from firsthand experience that the FBI and DHS are issuing separate information products to the law enforcement and non-law enforcement communities respectively. This makes it difficult for state homeland security directors and CIOs to understand the full spectrum of threats faced by the state without staying abreast of multiple channels and fusing the information internally.
NASCIO knows, by way of its work with all the states, that other federal agencies, particularly those in the departments of Justice and Health and Human Services, are issuing cyber alerts to their state and local programmatic counterparts, and that these alerts are not incorporated into the alert products of DHS’s National Cyber Security Division (NCSD). NASCIO would be very willing to work with Mr. Yoran and the new Federal Chief Security Officers Council to develop an intergovernmental warning process so that state CIOs, homeland security directors, and program-specific leadership receive coordinated, consistent, and timely alerts and notices.
As the ‘9/11 Commission’ has heard now on many occasions, the issue may be less about what and how much we know than about who knows it and with whom they share the information. In the area of cyber security, we are doing well at countering attacks on our infrastructure AFTER they happen. Isn’t our real objective to try to identify potential attacks in advance so that we can avert the costly efforts to eradicate them after they happen? The only way to do this is to ‘connect the dots’ - share information across federal and state agencies in a timely AND focused manner.
Sharing Information with the States
NASCIO has been actively engaged in sharing cyber-threat and incident
information with and among the states as part of our Interstate
ISAC program. We have also gathered information for targeted requests
from DHS and provided feedback on the effectiveness of various
information sharing and analysis practices. We have drawn on the
goodwill of our corporate partners to provide the states with supplemental
information to help them respond to fast-moving threats like worms
and viruses.
We applaud Amit Yoran’s recent efforts at the National Cyber Security Division (NCSD) to engage the states directly and make the US-CERT a valuable tool for the entire ICT-using community, including individual U.S. citizens. We are currently working with Jim Caverly at ICD to further refine our ISAC program. We know that DHS, NASCIO, and individual states have very limited resources to contribute to any information sharing effort. Therefore, we seek to have an information sharing and analysis program that is as transparent as possible between DHS and the states. We also want it to provide targeted services with a definable return on the sweat equity investment by the states. This will take time. But NASCIO has found its partners at NCSD and ICD to be very receptive to our suggestions for improvement, and we remain committed to ensuring the success of any information sharing efforts with the states.
Our NASCIO Security Committee currently has two deliverables in progress for 2004, which might be of interest to you:
• A state and local addendum to the National Strategy to Secure Cyberspace. Following a meeting with DHS and White House cybersecurity leadership, the National Governors Association (NGA) began working with NASCIO to take on the joint role of serving as ad hoc coordinators for the state and local sector. In that role, we will be forming a task force or working group to produce a brief addendum that will highlight the key sector implications of the strategy. It will also provide an opportunity to put forth some additional recommendations for action by our sector. This group will include state, county, and municipal chief information officers (CIOs) and chief information security officers (CISOs), as well as participants from the telecommunications directors, utilities commissioners, and educational community.
• Defining the role of the CIO in homeland security decision support. NASCIO will shortly be releasing a detailed brief on the role of the CIO in supporting intra-state intelligence and situational awareness efforts, which combine to provide homeland security leadership with what we are calling “decision support.” It will include several calls for very precise state and federal action that we hope will prepare the states to fulfill the goals of the recently released National Incident Management System (NIMS), as well as support the ongoing deployment of new and enhanced information sharing networks by DHS CIO Steve Cooper.
Efforts Specific to the Commonwealth of Virginia
The efforts undertaken by the Commonwealth of Virginia in securing its critical physical and information infrastructure have been primarily focused on the development of partnerships among key state and local agencies, the private sector and Virginia’s institutions of higher education to develop and implement strategies for securing and maintaining critical infrastructure.
As members of today’s committees know very well, Virginia is home to the Pentagon, one of the three sites in the United States that were attacked on September 11, 2001. The memory of that day and its aftermath continues to permeate the consciousness of those serving in Virginia’s state government and local communities, and it serves as a guide for Virginia’s efforts in homeland security and critical infrastructure protection.
To respond to these challenges, the Commonwealth of Virginia has
three specific efforts underway that will be discussed today. These
efforts are:
• The Secure Virginia Panel
• National Capital Region – Critical Infrastructure Vulnerability Assessment Project
• The Virginia Alliance for Secure Computing and Networking (VA SCAN)
The Secure Virginia Panel
As one of his first acts in office to respond to the challenge of protecting the Commonwealth, the Governor of Virginia, Mark R. Warner, signed Executive Order 7 on January 31, 2002, establishing the Secure Virginia Initiative and convening the Secure Virginia Panel. In bringing together state government, local government and the private sector, the Secure Virginia Panel and its working groups have served as the primary conduit for developing public-private partnerships to deal with the challenges in preparing for emergencies and disasters of all kinds, including terrorism.
Through the Critical Infrastructure Working Group (CIWG) of the
Secure Virginia Panel, Virginia is tackling many of the same challenges
that are also being addressed by the federal government. Also comprised
of members representing state government, local government and
the private sector, the CIWG is specifically charged with making
recommendations that strengthen cyber and physical security for
critical infrastructure throughout the Commonwealth. By identifying
failure and inter-dependency points in critical infrastructure
security and developing a methodology for prioritization of those
points, the CIWG is attempting to answer three critical questions:
1. What critical infrastructure is needed to keep government operational?
2. How does the Commonwealth of Virginia best coordinate with local
government and the private sector?
3. What organizational structure is best suited to ensuring a coordinated
approach to both cyber and physical security of critical infrastructure
located in Virginia?
To answer these questions, the CIWG has outlined six objectives that it plans to meet by December 2004. These objectives are as follows:
1. Development of a governance model that can best coordinate critical infrastructure protection and risk mitigation.
2. Identification of critical infrastructure.
3. Identification of inter-dependency and failure points in critical
infrastructure protection.
4. Development of a methodology to prioritize critical infrastructure
protection initiatives.
5. Assignment of responsibility within state government for coordinating
critical infrastructure cyber and physical security efforts.
6. Coordination among the public sector, private sector and institutions
of higher education to ensure the development and utilization of
a consistent assessment methodology.
These efforts are facilitated by prior recommendations that have been developed by the Secure Virginia Panel. Specifically, in 2002, the Panel recommended legislative changes that would protect from FOIA the disclosure of critical infrastructure information submitted to state government by the public sector. Titled the ‘Sensitive Records Protection Act’ (HB 2210), the legislation was passed by the 2003 General Assembly and subsequently signed into law by the Governor.
National Capital Region – Critical Infrastructure Vulnerability Assessment Project
The vulnerability of the National Capital Region was made painfully obvious on September 11th, 2001. The coordinated partnership of the federal government, the states of Virginia and Maryland and the District of Columbia in responding to the unique situation of our Capital region demonstrates the cooperative approach towards homeland security and critical infrastructure protection that is being pursued today.
Under the auspices of the post-9/11 funding provided by Congress through the Urban Area Security Initiative Grant Program, as well as the Department of Justice Community Oriented Policing (COPS) program, funded through the Department of Homeland Security’s Office for Domestic Preparedness, a leading regional effort for critical infrastructure protection in the National Capital Region is being led by George Mason University. This effort is part of a broader set of NCR initiatives being orchestrated by the Mayor of DC and the Governors of Virginia and Maryland under the auspices of their representatives on the Senior Policy Group, in partnership with community leaders.
The Urban Area Security Initiative (UASI) is a program that helps develop sustainable models to enhance security and overall preparedness to prevent, respond to, and recover from acts of terrorism in high-density population centers. Specifically, UASI was created to “enhance the ability of first responders and public safety officials to secure the area’s critical infrastructure and respond to potential acts of terrorism.” Initially, seven metro areas were identified: New York City, Washington, D.C., Los Angeles, Seattle, Chicago, San Francisco, and Houston. For the 2004 fiscal year, this number increased to 50, now including smaller cities such as Orlando, Florida, and New Haven, Connecticut.
For the National Capital Region, a strategy was developed to provide a strategic direction for preventing and reducing vulnerability in the region. The strategy was developed based on a number of inputs: the results of an assessment completed by communities in the National Capital Region in July 2003, the National Strategy for Homeland Security, the Eight Commitments to Action for the National Capital Region, and the State Template published by the Homeland Security Council. The Strategy focuses on four areas: planning, training, exercise, and equipment. George Mason’s activities fall within the planning area.
The grant from the Department of Justice Community Oriented Policing
(COPS) program, complementing the efforts undertaken through the
UASI initiative, focuses on the telecommunications, water, energy,
and transportation sectors in the Commonwealth of Virginia.
In cooperation with five universities, including James Madison
University, the University of Virginia, Virginia Polytechnic Institute
and State University (Virginia Tech), the University of Maryland,
and Howard University, the NCR Critical Infrastructure Vulnerability
Assessment Project focuses on improving regional and sectoral methodologies
for conducting vulnerability assessments. The ultimate objective
of the project is to raise the level of security in the National
Capital Region by ensuring that critical infrastructure sectors
address the most important security concerns. The project seeks
to enhance the capability and capacity of the National Capital
Region to reduce vulnerability, minimize damage and increase resiliency.
In addition to the regional universities engaged in this initiative,
GMU is also working collaboratively with industry and government.
The Virginia Alliance for Secure Computing and Networking (VA SCAN)
The Virginia Alliance for Secure Computing and Networking (VA SCAN) is a partnership of universities that seeks to strengthen information security programs within the Commonwealth of Virginia. The partnership includes security professionals from George Mason University, James Madison University, the University of Virginia (UVA), and Virginia Polytechnic Institute (VA Tech), as well as researchers and staff from the Institute for Infrastructure and Information Assurance (3IA) at JMU, the Center for Secure Information Systems at GMU, and the joint GMU/JMU Critical Infrastructure Protection Project (CIPP). Representatives from other Virginia institutions, including Mary Washington College, Radford University, the Virginia Institute of Marine Science, the College of William and Mary, Virginia Commonwealth University, and the Virginia Military Institute serve as advisors to VA SCAN partners.
VA SCAN began offering products and services in March of 2003.
The offerings are based on the principle that the most lasting
improvements to security programs can be made not by performing
security functions for organizations, but rather by educating and
guiding management and staff teams in defining and carrying out
their own security strategies and operations. Some of the products
and services offered include:
• A Virginia Critical Infrastructure Response Team (CIRT) group for tracking security threats
• Self-assessment checklist for Commonwealth of Virginia security standards
• Security policy development and security awareness training
• Onsite training and security instructional materials
• Onsite consulting on a variety of security topics and an “ask the expert” email service
• Web-based toolkit of security tools and best practices
Concluding Remarks
Mr. Chairman and members of the subcommittees, Virginia and all the states represented by NASCIO are moving forward in the context of protecting critical infrastructures from physical and cyber vulnerabilities. This effort is requiring new ways of thinking and new types of relationships between public federal and state efforts. Much progress has been made, but there is much more to do. I enjoy a close working relationship with Virginia’s homeland security team, state as well as local, as well as the leaders of the federal efforts at DHS. I know that we do not have all of the answers, and we frankly do not have all of the questions. But we know that protecting our critical assets from cyber and physical threats is key to ensuring the safety of Americans and protecting our economic security.
In conclusion, my message to you is that, despite the continuing, daily attacks on our nation’s information infrastructure, cybersecurity is still seen as a secondary threat, and the interdependence of federal, state and local systems absolutely requires a closer, more cohesive approach. Secondly, we are encouraged by the organization and leadership at DHS to move smartly and in a timely manner with the assistance of their state and local partners, and in particular by the recent re-evaluation of the ISAC approach and the new opportunities for effective change that it represents. NASCIO will do what it can to assist by working with DHS's ICD and NCSD divisions to arrive at the most effective approach, and also by developing the state and local addendum to our National Strategy.
Let me take a moment to thank Robert Liscouski, Assistant Secretary for Infrastructure Protection, DHS; Jim Caverly, director, Infrastructure Coordination Division; Amit Yoran, director, National Cyber Security Division; Steve Cooper, chief information officer, DHS; and George Foresman, Virginia’s Assistant to the Governor for Commonwealth Preparedness, for all that they do towards our common goals.
Mr. Chairmen, I thank you and the members of your committees for
the opportunity to testify before you today.