STATEMENT FOR THE RECORD
"Wired World: Cyber Security and the U.S. Economy"
Testimony to the Joint Economic Committee of the U.S. Congress
Frank J. Cilluffo
Chairman Saxton, Chairman Reed, Senator Bennett, distinguished members
of the committee, I appreciate the opportunity to submit to you today,
for the record, my thoughts on U.S. cyber security policy and its
implications for economic security. In holding hearings on this issue,
the Committee should be commended for its foresight. For too long
on the cyber front, we have been focused on the "beep and squeak"
issues, to the neglect of the bigger picture, incorporating the economy
and beyond. By seizing this opportunity to identify gaps and shortfalls
in our current policies, we are taking a significant step forward:
we are paving the way for the future by laying down the outlines of
a solid course of action that will remedy existing shortcomings.
Co-chairman, Cyber Threats Task Force
Homeland Defense Project
Center for Strategic & International Studies
This hearing is all the more timely because a new National Plan
relating to the cyber arena is scheduled to issue from the executive
branch at year's end. Likewise, it seems that an Executive Order
(EO) on the same subject, titled "Security in the Information Age,"
is near completion. This EO has grown legs and is currently being
circulated for comment. And, in his first National Security Presidential
Decision (NSPD 1), promulgated on March 5, 2001, President Bush
emphasized that national security also depends on America's opportunity
to prosper in the world economy. Indeed, cyber security lies at
the core of our economic prosperity, which is our "nerve center"
- and President Bush and his team should be congratulated for having
taken a leading role on this front.
As both Congress and the Executive consider how best to proceed
in this area, we should not be afraid to wipe the slate clean and
review the matter with fresh eyes. To this end, we should ask: what
has worked to date? What has not? What are the gaps and shortfalls
in our current policies? Though it is crucial to conduct our review
with a critical eye, it is equally important to adopt a balanced
viewpoint - one that appreciates both how far we have come and how
far we have to go.
Fortunately, centers of excellence do exist - and we should leverage
and build on them. Only now, with the requisite amount of water
under the proverbial bridge, have we amassed sufficient knowledge
and experience to formulate the contours of a comprehensive cyber
security strategy - that is, one that encompasses prevention, preparedness
and incident response, vis-a-vis the public and private sectors,
as well as the interface between them.
Such a strategy would generate synergies and result in the whole
amounting to more than simply the sum of the parts (which is not
presently the case). Such an approach would also offer enhanced
protection for the "nerve center" that is the U.S. economy.
A Brief Snapshot
Information technology's impact on society has been profound and
touches everyone, whether we examine our economy, our quality of
life, or our national security. Along with the clear rewards come
new risks and a litany of unintended consequences that need to be
better understood and managed by our industry and government leaders.
Unfortunately, our ability to network has far outpaced our ability
to protect networks. Though the myth persists that the United States
has not been invaded since 1812, invasion through cyberspace is
now a daily occurrence. There is no shortage of examples of our
vulnerability, based on past red team exercises. Likewise, demonstrated
capabilities - fortunately, without truly nefarious intent - are
also in evidence. Already, we have seen a young man in Sweden disable
portions of the emergency 911 system in Southern Florida, and a
Massachusetts teenager disable communications to a Federal Airline
Aviation control tower.
Luckily, however, we have yet to see the coupling of capabilities
and intent (aside from foreign intelligence collection and surveillance),
where the really bad guys exploit the real good stuff and become
more techno-sawy. But, while a window of opportunity remains for
us, it will not stay open forever. It is only a matter of time before
the convergence of bad guys and good stuff occurs. Clearly, we can
no longer afford to rely on the two oceans that have historically
protected our country. Instead, we must develop the means to mitigate
risk in an electronic environment that knows no borders.
Against this background, we need a true national debate on infrastructure
assurance and we need to re-think national security strategy - and,
by extension, economic security and our nation's security - accordingly.
It can no longer be a case of the government leading and the private
sector following. In other words. Silicon Valley and the Beltway,
where the sandal meets the wingtip, must stand side by side and
on equal footing in addressing these issues and formulating responses.
Building a Business Case
Cyber security and its implications for economic security represent
twenty-first century challenges. Twentieth century approaches and
institutions simply will not work. Instead, we need new organizations,
novel management practices and an array of new tools. Though this
is not an area where government can go it alone, it can - and must
- set a good example. In fact, only through leading by example can
the government realistically hope for the private sector to commit
the sort of effort - in time and resources - expected of them.
But, while government is eminently well suited to do certain things,
others are best left to industry to do. Put another way, just as
important as identifying what government should do, is identifying
what it should not do. What follows below is an attempt to put flesh
on these skeletal statements in so far as they relate to cyber security
and its implications for economic security.
Before proceeding to focus on sector-specific (that is, public
and private) strategies, however, I would like to lay out briefly
a few general guiding principles. In particular, a solid approach
to critical infrastructure protection and information assurance
(CIPIA) must, in my view, be centered on three "prongs," namely:
policy, technology and people. Underpinning this triadic structure
must be education and awareness, and superceding it must be leadership.
Without leadership, the entire structure crumbles because policy
priorities are only sustained if they are supported by political
will and the necessary resources.
1. Government: Leading by Example
The starting point for discussion here must surely be PDD 63. Promulgated
in May 1998, this Directive established a structure to protect critical
infrastructure. Among other things, PDD 63 created a National Infrastructure
Protection Center (NIPC); a National Infrastructure Assurance Council
(NIAC); and a Critical Infrastructure Assurance Office (CIAO). Unfortunately,
this Directive has proved to be long on nouns and short on verbs.
Put another way, planning is everything - plans are nothing: the time
has come for implementation and execution.
But planning, implementation and execution are all complicated
by the fact that the government is presently organized along vertical
lines - even though cyber security constitutes a cross-cutting mission.
Among other things, this makes it difficult to assure accountability.
Against this background, we need to streamline and re-adjust the
workings of our public sector, and coordinate its constituent components
so as to increase efficiency, clarify responsibilities and heighten
accountability - all the while bearing in mind that outreach to
the private sector is equally critical.
Recommendations for action on the public sector side follow below.
They are organized topically so as to reflect the preferred three-pronged
approach to CIPIA mentioned above.
Critical to the public sector effort is having, at its apex, a single
individual endowed with the requisite powers and responsibilities
to make the system work. To this end, we should appoint a senior government
official with clout or "teeth" - that is, an Assistant to the President
for CIPIA or a Deputy National Security Adviser within the National
Security Council - whose efforts would be institutionally supported.
This position would be confirmed by Congress and, among other things,
would be empowered to issue directives regulating the security of
federal agencies' information technology and systems; and conduct
audits/inspections so as to ensure government-wide (federal) civilian
agency accountability in the area of cyber security. In addition to
formulating and overseeing, on an annual basis, a one-year plan containing
specific milestones to be met by the government, this position would
also be responsible for shepherding the interagency community to develop
five-year plans and RDT&E efforts.
The foregoing proposal, with its centralizing features, is intended
to streamline and replace the myriad of structures that currently
exist. Notably, a similar motive apparently underlies the EO that
is currently being formulated. There is a good chance that the EO
will establish some sort of a Board, with a Chair, with an eye towards
clarifying and delineating responsibilities in the area of cyber
security, and heightening accountability.
Returning to my own proposed architecture, a central office, presided
over by an Assistant to the President, could be tasked with crucial
operational and administrative responsibilities. For instance, it
could assemble an expert review team - in effect, a "red team" of
25 to 30 people possessing requisite technical skills - with an
eye toward risk mitigation. And, in conjunction with the General
Accounting Office, the red team could be tasked with testing for
federal government agencies' (cyber-related) vulnerabilities and
with identifying best practices. In fact, I would go so far as to
suggest that there ought to be required, by law, an annual test
of each agency's vulnerabilities and capabilities (with the latter
assessing their ability to respond to events). Further, based on
the results of the annual testing process, we could derive baselines
that would be applicable across the board, so as to hold all agencies
subject to the same standard of account.
By way of illustration, a central intrusion detection center - initially
directed only towards federal government operations and systems -
could serve a series of critical functions:
In leading by example, however, it is crucial that the government
pay heed not only to its own organizational structure but also to
the human side of the equation. This is where education and training
come in. Here, at least two key issues arise: the cultivation of technical
expertise and capability, as well as the formulation of appropriate
(if not best) management practices.
- First and foremost, such a center could provide the government
with indications and warning (1&W) of intrusion and attack.
- Second, the center could, in conjunction with its principal
function, create an "infocon" system (analogous to the "defcon"
warning apparatus), which would spur the taking of additional
precautionary measures in response to a warning of intrusion or
- Third, the center could maintain the ability to deploy an emergency
response team for incident management.
- And fourth, the center could regularly disseminate software
patches of known vulnerabilities throughout the federal government
in non-crisis situations.
My own position on education and training is quite radical: we
should establish an actual discipline, at the university level,
in information assurance. This would involve the creation of an
actual field of study (not just a degree program) that would bring
together into a cohesive whole a variety of subject areas (such
as electrical engineering, computer science and information security)
that are currently dealt with in piecemeal fashion. And this is
more than simply an idle recommendation. Indeed, it is a matter
of concern that an exceedingly high percentage of students presently
pursuing studies of this sort are foreign nationals. Together with
universities and industry, government could provide the impetus
for an initiative of the type described. The same trio of actors
could even co-fund the endeavor, with the expectation that all three
would ultimately benefit from bringing the project to fruition.
From the government's perspective in particular, the aim would
be to attract the best and the brightest to public service for at
least a portion of their careers. Unless we succeed in doing so,
in the long run, our national security will suffer. Put another
way, recruitment and retention are, for the public sector, issues
as pressing as education and training. Further to this point, I
would suggest that we introduce reward programs that would not only
lay out a promotion path but also establish recognition mechanisms
that would stand alone (separately from promotion per se). Relatedly,
pay scales for those with relatively rare but highly prized skills
should be revisited and adjusted upwards. (Though President Clinton's
National Plan for Information Systems Protection did speak to training
and recruitment, the Plan did not address squarely the challenge
of retention within the public sector).
2. The Private Sector: A Crucial New Partner
Government can - and should - also provide specific incentives to
the private sector to better protect its own systems. For instance,
government could act as the catalyst for the establishment of industry-wide
standards for information assurance in different business sectors,
and could establish liability limits against disruption of service
for companies using security "best practices." Equally, tax breaks
or equivalent "credits" could be accorded to companies that use certified
safety products and enforce specific types of security procedures.
(The mechanism for certifying the safety and effectiveness of security
products should be the consensus product of a private-sector dialogue
that government should facilitate).
Government could also grant relief from specific provisions of
antitrust laws to companies that share information related specifically
to vulnerabilities or threats. Notably, the Freedom of Information
Act (FOIA) has been a significant obstacle to public-private information
sharing to date because companies run the risk of having sensitive
or proprietary data compromised if it is revealed to the public,
and fear damage to shareholder confidence if vulnerabilities are
publicly acknowledged. Fortunately, FOIA-related obstacles are now
being recognized and addressed, and Senator Bennett in particular
should be commended for his leadership in this area.
Furthermore, government could provide extraordinary liability
relief to the private sector in the case ofcyberwarfare (similar
to the indemnification authorities set up in the case of destruction
of commercial assets through conventional warfare). Financial relief
for digital disasters would have insurance companies insuring to
a certain level, with government intervening in cases of massive
outages or shutdowns. Likewise, a consortium of insurance, software
and hardware companies could create a pool for reinsurance purposes.
Although quantifying risk in the cyber area is difficult because
of the lack of experience and actuarial data, insurance companies
should be encouraged to include in their portfolios limited liability
indemnification policies against cyber disruption. Here, government
should be the catalyst, not the enforcer, for the creation of parameters
In addition to "incentivizing" the private sector in the ways
outlined above, government should seek to solidify partnerships
between the public and private sectors. Already, under the auspices
of the CIAO, the Partnership for Critical Infrastructure Security
has brought together hundreds of leading corporations and various
federal agencies to address the problems of infrastructure assurance.
This is a good example of a step in the right direction - but we
need to do more.
By way of illustration, we should try to improve public-private
cooperation through information sharing on: vulnerabilities, warnings
of ongoing attacks or threats, hacker modus operandi, and solutions
and defenses to established threats and attacks. In doing so, we
should try to learn from our experience with the National Infrastructure
Protection Center (NIPC). Looking to the fUture, we should aim to
leverage the NIPC's strengths and encourage it to focus on investigations.
Recent criticism of the Center is to some extent unfair because
the Center was tasked from the get-go with "mission impossible."
In any case, both the NIPC and the FBI which houses it, should be
encouraged to focus on core competencies. At the end of the day,
the NIPC, as an initiative, represents a good start - but one that
must be supplemented with more robust models.
Cross-sector cooperation on information sharing is especially
important because each sector has its own comparative advantage:
whereas government possesses the core insights on CIP from a national
security perspective, the private sector possesses the core insights
on information security management. With this in mind, government
should continue to assist the private sector by interacting constructively
with information sharing and analysis centers (ISACs), which are
sector-specific associations on the industry side, and by continuing
to facilitate cyber security discussions within these various sectors
(including banking and finance, telecommunications, and information
Key Issues and Challenges
The suggestions above are not exhaustive, of course. And, even
if it were possible to cover the field, it must be conceded that
no matter how concerted our efforts are, there will be failures,
whether in the public or the private realm. For this reason, reconstitution
(that is, the restoration of essential systems and services) is
a matter that we cannot afford to ignore. Indeed, continuity of
operations and government may be the key to deterrence: if we can
restore our systems and provide business continuity in relatively
short order following an attack, the incentive to engage in further
attacks of the same sort in future should be diminished.
Our policies in response to threats of any kind, moreover, must
not stifle the engines of innovation that drive our economy and
enhance our lives. We cannot afford to overreact or put up too many
virtual or physical walls. Indeed, the worst possible victory granted
cyber attackers would be one that compromised our precious, hard-won
rights and values, leaving our society less open, less tolerant
and less free. Put another way, it simply makes no sense to infringe
upon civil liberties in order to preserve them.
In particular, some seem to think that privacy, security and electronic
commerce are mutually exclusive. This is just not so. The "game"
is not zero-sum: we can - and should - ensure privacy, security
and e-commerce. Indeed, I would go so far as to say that
you cannot have privacy without security, and without security,
e-commerce can never flourish.
Plainly, the challenges that we face are great. But we, as a nation,
are up to the task. At the end of the day, it all comes down to
leadership -not only in government, but in the private sector and
on the part of individuals, too. Critically, the president and Congress
must demonstrate political will on this matter. But that alone will
not be enough. We all share responsibility for this issue and we
must all muster the will, and be prepared to contribute the resources,
to deal with it.
In closing, I offer the comments above in the spirit of this hearing,
that is, to determine the best course of action. For the past year,
I have co-chaired with Arnaud de Borchgrave a Task Force on Cyber
Threats, coordinated by Sharon Cardash, as part of the Homeland
Defense Project at the Center for Strategic & International Studies.
This is not to say that we (CSIS) have all the answers. To the contrary,
our recommendations represent just one possible course of action
among many-and it is up to you. Congress, to decide, together with
the executive branch, precisely which course should be pursued.
Thank you for the opportunity to share my thoughts with you today.
It is with sincere regret that I offer apologies for being unable
to appear before you in person. If, however, you have any questions
for me, I would be delighted to answer them either in writing or
in person. I look forward to working with you in future.