The President's Commission on Critical Infrastructure
Before the Subcommittee on Technology
Committee on Science
United States House of Representatives
November 6, 1997
Good afternoon, Madame Chairwoman and members of the subcommittee. On behalf of my fellow Commissioners -- several of whom are with me today -- I am pleased to be here today to discuss with you the work of the Commission and outline the principal findings and recommendations reflected in our report, Critical Foundations.
Since you are familiar with the background of the Commission and have received copies of our report, I will try to condense our fifteen-month effort into our significant findings and recommendations. I also request that my written statement be submitted for the record.
Our most important finding is that adapting to this challenge requires thinking differently about infrastructure protection. We must look through the lens of information technology as we approach the third millennium.
We have long understood physical threats and vulnerabilities, but the fast pace of technology means we are always running to catch up in the cyber dimension. Thus the Commission's work and our report focus primarily on developing the street smarts for the cyber world.
We knew this could not be a Big Government effort. In fact, infrastructure protection is a shared responsibility. The private sector should be responsible for prudent business investments that will protect against individual hackers and criminals. These same steps will also assure a level of protection against cyber terrorist attack, adding a level of national security. The federal government must collect information about tools, perpetrators, and intent -- and then share this information so that industry can take the necessary protective measures.
Finally, this is a long-term effort which requires continuous improvement. There is no "magic bullet" solution.
After fifteen months of research, consultation, assessment, and deliberation, the Commission concluded the following:
Waiting for disaster is a dangerous strategy. Now is the time to act to protect our future. And this action requires a new partnership to address the risks of protecting our nation's infrastructures.
The Commission's recommendations fall generally into three categories:
- actions the federal government must take;
- actions the owners and operators of the infrastructures must take; and
- actions that require partnership between government and industry.
We heard time and again that the owners and operators of the infrastructures need more information about cyber threats and that they need a trusted environment where they can freely exchange information without fear of regulation, loss of public confidence, incurred liability, or damaged reputation.
The Commission's recommendations lay the foundation for creating a new collaborative environment that includes a two-way exchange of information. Our recommendations focus on protecting proprietary information and ensuring anonymity when necessary; reviewing legal impediments to information sharing, such as antitrust provisions and the Freedom of Information Act; and creating information sharing mechanisms both within industry and between industry and government.
We recommend specific steps the government must take to ensure owners and operators and state and local governments are sufficiently informed and supported to accomplish their infrastructure protection roles. This includes:
- Expanding the availability of government risk assessments to the private sector and encouraging -- and assisting, if necessary -- industry to develop risk methodologies; and
- Doubling funds appropriated under the Nunn-Lugar-Domenici domestic preparedness program.
Education and Awareness
Educating our citizens about the emerging threats and vulnerabilities in the cyber dimension is key to the success of any of our initiatives.
The Commission's recommendations range from grammar to graduate school and beyond. They include:
- A series of White House conferences.
- A nationwide public awareness campaign.
- Grants by the National Science Foundation for graduate level work on network security.
Leading by Example
The federal government must lead the way in the partnership by pursuing the tools, practices, and policies required to conduct business in the cyber age. This includes:
- Improving government information security through best practices and standards.
- Formalizing Information Assurance as a foreign intelligence priority.
- Recruiting and retaining law enforcement personnel with cyber skills.
We examined a full range of legal issues relating to protecting the critical infrastructures. We propose the following:
- the further review of major federal legislation relating to the critical infrastructures and the cyber threat;
- an expert study group -- representing a wide range of interest groups -- to make recommendations for reform in the employer-employee relationship; and
- easing legal impediments to information sharing such as antitrust provisions and the Freedom of Information Act.
Research and Development (R&D)
Federal research and development efforts are inadequate to meet the challenge presented by emerging cyber threats. About $250 million is spent each year on infrastructure assurance-related R&D, of which 60 percent -- $150 million -- is dedicated to information security. There is very little research supporting a national cyber defense.
We recommend doubling federal R&D funding for infrastructure protection to $500 million the first year, with 20% increases each year for the next five years. This funding should target areas such as risk management, simulation and modeling, decision support, and early warning and response.
Institutionalizing infrastructure protection requires several channels between the public and private sectors.
At the policy-making level, we recommend:
- an Office of National Infrastructure Assurance -- located within the White House -- to serve as the federal government's focal point for infrastructure protection;
- a National Infrastructure Assurance Council comprised of selected infrastructure CEOs and Cabinet officials to propose policy and advise the President; and
- an Infrastructure Assurance Support Office to support both the Council and the National Office.
At the operational level, we recommend:
- Sector Infrastructure Assurance Coordinators or clearinghouses as focal points within each infrastructure to share information;
- federal Lead Agencies to promote and assist in establishing the sector coordinators;
- an Information Sharing and Analysis Center staffed by both private industry and government to receive and share information about infrastructure intrusions to be located in the private sector; and
- a Warning Center designed to provide operational warning whenever possible of an attack on the infrastructures, either physical or cyber, located within the FBI.
Just as the risks are shared between the public and the private sectors, so will the solutions be found. Our national and economic security has become a shared responsibility -- one that will require a new kind of partnership between government and industry -- one which encourages information sharing and one which requires the government to lead by example.
I believe the findings and conclusions of the Commission are based on accurate and reasonable information and analyses. Our recommendations, if implemented, will create the partnerships and structures essential to reducing vulnerabilities in our infrastructures. They will provide the impetus for research and development efforts to increase information security and provide a cyber defense system. They will increase the nation's ability to prepare, protect, and respond to any threats, strategic or otherwise, directed against our infrastructures, thereby ensuring their continued, effective operation in support of our defense, economic growth, and general well being.
This completes my statement, Madame Chairwoman. I will be pleased to answer any questions you or your colleagues may have.