Remarks Prepared for Delivery
by Robert T. Marsh
Chairman, President's Commission on Critical Infrastructure Protection
Meeting of The Bankers Roundtable
September 11, 1997
Thank you, Madame Attorney General, and good morning, ladies and gentlemen. It is indeed a pleasure to join you this morning. On behalf of the entire Commission, please accept my appreciation for your time and insights in discussing this matter of national importance.
Let me first give you a brief introduction to the Commission and our mission, a review of some of our preliminary recommendations, and then several that relate directly to the banking and finance community.
The Commission was charged by the President to consult "with elements of the public and private sectors... and the owners and operators of the critical infrastructures." In this vein, my goal is to run some of our ideas by you and invite your reactions.
President Clinton established the Commission last July and charged us to recommend a national policy for protecting and assuring the nation's critical national infrastructures. For just over a year now, we have been working to identify and assess vulnerabilities and threats -- and then to develop a national strategy and an implementation plan.
Besides banking and finance, we have been studying and analyzing telecommunications, electric power, oil & gas delivery and storage, transportation, water, emergency services, and continuity of government services -- those infrastructures that the President identified as critical because their incapacity or destruction would have a debilitating effect on our defense and/or economic security.
Critical infrastructures have long been lucrative targets for anyone wanting to do harm to another country. Even in ancient times, armies laying siege to fortified cities attempted to interdict their water supplies. US infrastructures have for most of our history been protected by the broad oceans separating us from our enemies, but during the Civil War both sides attacked each other's supporting infrastructures -- railroads and telegraph lines and even one privately-owned oil field. In more recent times, Soviet and US nuclear weapons were targeted against each other's power grids, road and rail networks, energy industries, and telecommunications systems. So there is nothing new about infrastructures being targets.
So why was the President motivated to create this Commission at this time? It was the realization that our society was becoming vitally dependent on these infrastructures for its very well-being, that the infrastructures themselves were becoming increasingly dependent upon each other for their functioning, and that they were becoming increasingly vulnerable to disruption by simple methods readily available to relatively unskilled persons intent on doing harm. And there was mounting evidence of such danger by the growing number of malicious cyber incidents throughout the nation with each passing day.
The Commission was uniquely tailored for this task. In recognition of the fact that the critical infrastructures are largely owned and operated by the private sector, the Commission is a joint public and private venture. Half the Commissioners are full-time career government senior executives, and half are senior representatives from the private sector who have agreed to serve a year as full-time government employees.
A Presidentially-appointed Advisory Committee of key industry leaders provides the unique perspective of owners and operators of the infrastructures as they assist and advise us. I have consulted individually with each member of this group, and they met last Friday for a full-day session that included briefings on the Commission's work and a lengthy discussion of our tentative recommendations.
As part of our consultation efforts, we met with more than 5,500 individuals, corporations, associations, and government agencies around the country. We held public meetings in Los Angeles, Atlanta, Houston, Boston, and St. Louis. We talked with hundreds of people from industry, academia, science, technology, the military, and government.
Our goal all along has been to create a public-private partnership to protect our future. Government alone cannot solve the problem.
Addressing this challenge is why we are here with you today. We seek your input. I invite your views on our preliminary recommendations.
I would like to start with a few of our core recommendations that cut across all the infrastructures, then follow with a few that may be of particular interest to you in the banking sector. I think you will be pleasantly surprised not to hear recommendations that call for more regulation or tighter laws.
Information Sharing / National Structures
One of our toughest problems -- across all infrastructures -- is the sharing of information. There is already a heavy volume of information passed by industry -- especially banks, as you well know -- to government as part of the regulatory process and through law enforcement.
Managing the new risks inherent in an information-based society requires a different type of information exchange within the industry and between industry and government. Furthermore, managing these new risks calls for partnership at many different levels, from policy-making aimed at preventing a crisis to responding if such a crisis occurs. The Commission has some specific proposals in this regard:
These recommendations lay the foundation for the "trusted environment" needed to achieve the public-private partnership essential for protection into the next century.
We strongly endorse a policy of reliance on the private sector for problem-solving, solutions, and technology, but we also see a need for government to create a strong focal point for infrastructure protection. Thus we will recommend:
- Tasking Federal Lead Agencies to bring together the owners and operators of the infrastructures to create the means for sharing information that is acceptable to all. The objective is to achieve voluntary participation of all players within each infrastructure and to assemble and exchange information without fear of attribution to specific sources.
- Creating an Office of National Infrastructure Assurance to formulate policy and oversee government activities in infrastructure assurance and cyber security. This small Office and its support staff will promote and facilitate the public-private partnership, coordinate federal programs, integrate the government-wide infrastructure assurance R&D effort, assess vulnerabilities, and support the National Infrastructure Assurance Council.
The sum of these efforts is to create channels for information to flow between decentralized private industry and centralized government organizations. For example, the federal lead agencies are the "adapter plug" from government to industry -- they facilitate the flow of government information to the private sector. The Sector Infrastructure Assurance Coordinator is the "adapter plug" in the opposite direction -- they facilitate the flow of private sector information to the government.
The Commission surveyed the federal government's research and development activities, and many of the private sector's, to identify programs developing the tools required to accomplish the infrastructure protection mission. We also solicited the views of many experts in information and infrastructure assurance regarding R&D needs. Our research revealed a range of technology needs for infrastructure assurance and a number of R&D efforts that should be accelerated. We identified that about $150 million per year is being spent on federal R&D for information assurance, which represents about 60 percent of the overall expenditures on infrastructure-related R&D. We identified very little R&D effort on the types of real-time detection, identification and response tools that the Commission believes are going to be required. Consequently, we recommend a doubling of federal funding for R&D in this area to $500 million per year.
Banking and Finance findings and recommendations
Beyond those already mentioned, we have a number of recommendations ranging through the areas of law enforcement, education and awareness, and assisting state and local governments. But in the interest of time, I will focus briefly on those of specific interest to banking and finance.
At the outset, I want to acknowledge that we found that due to both effective regulation and industry diligence, individual institutions within the U.S. banking and financial system are more advanced than those in other sectors in their uses of sophisticated tools and procedures to safeguard their operations from theft, fraud, and cyber crime. We applaud your vigilance in these areas.
But, as you well know, major trends of change -- globalization, deregulation, Internet banking, and cyber cash -- combine to create new risks. This is true within the financial services industry as well as the telecommunications and electric power industries upon which financial services heavily depend. These trends will result in new kinds of interdependencies, and hence new kinds of system-wide risks. These must be assessed carefully as you move forward.
There are some potential SYSTEMIC vulnerabilities now due to the geographic concentration of the major exchanges and payment systems operations centers. We are also concerned about the growing dependence on arterial telecommunication networks which are in the process of deregulation and are becoming transnational in their architecture and ownership.
The range of cyber threats for exploiting these vulnerabilities begins with the most likely but least consequential activities of hackers, and extends to the currently least likely but highest potential impact attack by a nation state or terrorist group. Current defenses against common hackers and criminals are quite good. However, it is the vulnerability to a possible coordinated strategic attack on physical operations centers, or on the complex "system of systems" which enables this industry to function world-wide, that is of rising concern.
Some examples of specific actions to reduce these existing vulnerabilities include:
- Establishing contingency trading sites for the major exchanges.
- Geographically dispersing key industry utilities such as funds transfer and depositories.
- Establishing an emergency satellite-based communication system linking major money center banks with funds transfer and clearance centers.
- Installing better physical security, especially at exchanges.
- Establishing a contingency data center for key industry messaging and data storage systems.
We have examined several options for influencing market forces within the private sector, including using insurance, loan guarantees, and tax incentives as levers to encourage the private sector to increase investment in infrastructure protection. We are still deliberating this issue.
Privacy issues in the employer-employee relationship
Throughout its year-long effort, the Commission has struggled to address the competing interests of security and privacy and the trade-offs between these two interests. The Commission has specifically studied the nexus of security and privacy in the employer-employee relationship. We are going to recommend that the Administration and Congress study ways to make some of the tools that the federal government uses to perform background checks and issue security clearances more readily available to employers within the critical infrastructures, at least in filling certain sensitive positions within those infrastructures. These efforts may afford you, for example, a greater ability to inquire into and make use of criminal history information, employment histories, and credit history information. Amendments should also be made to federal polygraph law to include within the scope of current exemptions those who are in the business of providing information security services. These amendments could not make it incumbent upon covered employers to polygraph employees, but merely allow them to do so to the extent permitted under applicable state law.
I simply cannot conclude without asking if we have recommended anything that you perceive as onerous. The Commission is very concerned about economic competitiveness in this increasingly global economy, and we want to ensure that we are not proposing any recommendation that might detract from your ability to compete on the world stage.
We on the Commission are relying on these types of open and honest discussions to help us focus our recommendations properly, so they will have the greatest chance for success. We need your feedback.
Frank [Frank Wobst, Chair of Banking Industry Technology Secretariat], what do you think? What have you all been doing in the area of infrastructure protection? How do our recommendations fit in that scheme? Have we recommended anything that would cause hardship to you or your company?
Questions for discussion
Are we on target with your sense of the scope of the problem and the general direction we are going?
I know that I am about to tread on some delicate ground, but I would be remiss if I did not raise a question or two about your willingness to share information about cyber intrusions with law enforcement officials.
- Do you feel that you have any discretion in reporting these types of intrusions? Or are you required to report every electronic penetration?
- If you do have any discretion, what are the factors you take into account in deciding whether or not to call in law enforcement or deal with the situation in another way?
We have often heard that there is no such thing as an unaccounted-for dollar. Are there any creative accounting entries used to make this statement true?
What are the requirements for reporting losses? Is there a specific dollar threshold that requires a report to law enforcement? Is it established nationally by regulation or locally by the workload capacity of the nearest FBI field office?
Do you share information among yourselves concerning the security of the infrastructure as a whole? Overall, we found banking and finance to have the least vulnerability to the cyber threat. Do you share "Best Practices?" What is the role of the federal and/or state regulatory agencies in establishing security standards?
Although the banking and finance industry maintains that there are no issues associated with computer intrusions into databases, we have been advised that banks are actively hiring personnel with substantial backgrounds in computer security. What types of issues are being addressed by these individuals?
As the Suspicious Activity Report contains all instances of suspected criminal activity, are you reporting electronic intrusions into your systems that do not result in the loss of funds, since that type of intrusion is a violation of the Computer Fraud and Abuse Act?
Both the financial service industry and government require strong public confidence -- the industry in order to derive growth, and the government in order to derive political viability. Each is central to the daily lives of virtually every American, and the degree of trust the public is willing to place in them depends directly on the reliability of the services provided. Infrastructure, as the carrier of the communications and transactions which deliver those services, is, therefore, critical to the performance of both. With the retention of public confidence as a common bond, how might the industry and government better cooperate to assure that critical financial services are secured in the information age?
What legal and cultural barriers exist to creating a mechanism for the mutual sharing of new information relating specifically to system-wide threats and vulnerabilities so that the risks they present might be better managed?
The attractiveness of the Internet and the entire global information infrastructure as a means of commercial growth raises significant technological, security, and public policy issues. What are the principal barriers to the development of electronic commerce, how might they be overcome, and what is your estimate of the pace at which electronic commerce -- and electronic banking specifically -- will grow?