Remarks Prepared for Delivery
by Robert T. Marsh
Chairman, President's Commission on Critical Infrastructure Protection
First Annual International Banking and Information Security Conference
Sponsored by the National Computer Security Association
and Winn Schwartau of Interpact, Inc. & Infowar.Com
New York, New York
February 20, 1997
It's a pleasure and an honor to speak to you at this First Annual International Banking and Information Security Conference. Information security in banking -- and in virtually every other industry -- is a paramount concern here in the United States as well as around the world, and I welcome the opportunity to discuss it with you this morning.
As I looked through the conference program, I saw that you will be addressing many of the issues that concern the commission: infrastructure vulnerabilities, criminal activity, and denial of service, to name just a few.
Let me begin by clearly stating the central message I want to convey today. In my experience as chairman of this Commission, I believe the financial services industry is better postured to address the protection of its infrastructure today than most other industries. Having said that, I also believe it must posture itself for tomorrow's new risks that continue to grow in variety, complexity and magnitude. Furthermore, the assessment of these risks must be accomplished using new models. The revolution in telecommunications and information technology has challenged the relevancy of traditional methods of assessing and managing risk.
Before I talk about those and related issues, I want to tell you about the Commission.
Last July 15, President Clinton signed an Executive Order that begins with this sentence: "Certain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States."
That order created the President's Commission on Critical Infrastructure Protection, of which I am Chairman.
The President identified eight critical infrastructure areas for study: Telecommunications, electric power systems, oil and gas transportation, transportation, banking and finance, water supply systems, emergency services (such as medical, police, fire and rescue), and continuity of government services.
These critical infrastructures are the life support systems of our society. They give us pure water, safe highways and airways, reliable energy, instant communications, and secure financial transactions.
But we cannot take our infrastructures for granted. That is why the Commission was created.
The Commission's mission is to:
- assess vulnerabilities and threats to the critical infrastructure,
- identify relevant legal and policy issues, and assess how they should be addressed,
- recommend to the President a national policy and implementation strategy for protecting critical infrastructures, and
- propose any necessary statutory or regulatory changes.
Briefly, why do we have a Commission, and why now?
Basically three reasons:
First, physical terrorism is ever present. By physical I mean, for example, attacks involving explosive devices. Such terrorism, as you well know, continues unabated around the world. A tragic reminder is only a few blocks away.
Second, there is increased reliance on telecommunications and information technology in all infrastructures. By information technology I mean everything from computer hardware and software to the Internet. This reliance is creating new vulnerabilities, especially to intrusions into automated systems -- the so-called "cyber" attacks.
Third, tools to exploit these vulnerabilities are readily available, and their use is increasing. In some cases, all it takes to penetrate automated systems is a PC, a phone, and skills that many 14-year-olds seem able to master.
As for terrorism:
While our critical infrastructures have not been primary targets per se, America, sadly, is not a stranger to terrorism. The bombings of the World Trade Center and the Oklahoma City Federal building are sobering reminders of the dangers of terrorism by physical attack on our critical infrastructures.
As for increased reliance on telecommunications, it has created new vulnerabilities.
We have pioneered tremendous advances in technology, and reaped extraordinary benefits. What was once unimaginable is now unremarkable. What was once impossible is now expected. Tasks that once took days now take split seconds.
But this capability comes at a price. Our infrastructures have become increasingly reliant on information technology and the telecommunications infrastructure that ties them together. This reliance exposes infrastructures in new ways, and creates new vulnerabilities.
Many companies, such as utilities, are very familiar with natural hazards. But today we are facing a new set of manmade hazards.
As those of you in banking well know, technology has created an interconnected world. Each connection, however, creates new exposure and risk. Companies are becoming increasingly vulnerable to vandalism, theft, unscrupulous competitors, malicious hackers, and criminals.
Companies are also increasingly vulnerable to so-called "insiders" -- people with legitimate access to the company's systems. Insider "cyber attacks" are increasing, particularly in this age of mergers, consolidation and downsizing.
Furthermore, these interconnected systems are characterized by a highly efficient but sometimes delicate interdependence. If service fails in one area, it can adversely affect several others. Whether caused by an inadvertent keystroke, or an intruder who wants to disrupt operations, the ripple effect can be far-reaching.
Information technology and telecommunications have brought great speed and precision to industrial, governmental, and military operations, but reduced the tolerance of both individual organizations and the economy as a whole to error or delay.
And with interdependence comes complexity. The sheer sophistication of automated systems multiplies the number of potential errors or disruptions, and the potential magnitude of their impact.
In the past, you put a guard at the door, and your assets were protected. Today, there is no door -- or too many doors, depending on how you look at it. And you can never be sure who will drop in for a visit by way of the Internet.
And as for tools to exploit these vulnerabilities:
Even amateurs have access to the technological tools needed to penetrate systems and cause trouble.
Because of the availability of Internet hacker sites, infrastructures are always in danger from persons intent on penetrating or disrupting their operations.
Unlike Willie Sutton, who had to go to the bank to rob it, today's hacker can try to rob it from home using a PC. And he doesn't even have to be in the same city -- or country. The information age makes it possible for individuals armed only with computers to gain access to our infrastructures without physically crossing our borders.
Given all this, a great many people -- especially the President -- are very interested in doing something to better protect our infrastructures. And the Commission is clearly an effort to get something done. Further, it demonstrates that the President is committed to taking action before a crisis occurs, rather than after-the-fact.
I want to emphasize that we are not here to proclaim the sky is falling, but to talk about investments today to secure a safer tomorrow. Our infrastructures are robust. But there are clearly new challenges before us, and we must address them before they become serious. The Commission represents prudent planning for the future.
I've been asked how this Commission is different from past efforts to address similar issues. The major difference is that there is widespread recognition that the nature and scope of the threat have changed as the result of advances in technology, particularly information technology and telecommunications. The weight of anecdotal evidence is sufficiently persuasive to warrant a serious collaborative effort to address this problem -- to determine how serious it is, how serious it might become, and what to do about it.
Those are some of the issues the Commission is facing. Let me discuss what I see as their implications for the banking industry.
Interdependencies within the financial services industry are concentrated in four primary areas:
- payment systems;
- securities and commodities exchanges;
- outsources; and
- external dependencies.
The payment systems are the backbone of the banking and finance infrastructure. With trillions of dollars moving through the FedWire and other systems daily, the impact of a disruption would be severe.
The securities and commodities exchanges rely heavily upon clearing, settlement, and depository organizations. For example, with the New York Stock Exchange frequently trading upwards of 500 million shares a day, this electronic back office processing is essential.
A less obvious interdependency is the growing trend of outsourcing of vital functions. In 1996, for instance, more than 72 percent of the top 100 banks had outsourced at least one "core function." This allows companies to better focus on primary business functions and reduce overhead. However, it also represents increasing concentration and consolidation of these services. Any disruption to one of these third-party organizations would ripple across every company that relies upon those services.
Finally, the financial services industry relies on other infrastructures -- utilities, transportation, and particularly telecommunications.
The bottom line of the financial industry's interdependencies is that they occur almost universally behind the scenes, where information is transmitted or processed. The significant interdependencies have resulted in a small number of large service providers supporting large segments of the infrastructure. While this allows for economies of scale and efficient operations, significant vulnerabilities are created, with concurrent risk.
Risk is also evident in the trends of products, services and scope of operations within the industry. Let me address just a few of these trends:
Much of the change in the industry can be attributed to relaxing regulatory requirements, particularly regarding the scope and nature of business and ownership. We see this in many other industries. By the year 2000, for example, at least a third of the U.S. population will choose an electric power provider in the same way it now chooses a long-distance telephone carrier. And regarding telecommunications, I'm sure most of you read about the World Trade Organization's agreement last Saturday to open the world's telecommunications markets. Given that 80 percent of the world's people don't own a telephone, and fully half have never even used one, the potential impact of this agreement is significant.
Advances in telecommunications and information technology have clearly revolutionized the financial services industry. Approximately 2 million Americans are hooked up to on-line banking services today. Moreover, it's been reported that about three-quarters of all spending on information technology has gone into service industries, including financial services. And in terms of innovation, the World Wide Web reached a mass market of 10 million customers in only 5 years -- faster than any other technology, including PCs, VCRs, and faxes. By comparison, the telephone took 38 years to achieve a market of similar size.
We're also seeing a growing trend of consolidation, particularly in the banking sector, where the number of banks has fallen from 14,000 to 10,000. While this allows financial institutions to service a broader customer base and benefit from economies of scale, it also results in geographic and resource concentration, and perhaps greater vulnerability.
Finally, the very nature of today's conference points to the final trend -- globalization. From an overall infrastructure perspective, U.S. companies share critical services with foreign firms, subjecting U.S. firms to foreign disruptions -- and vice versa. Given the tight linkages in global investment, economic or other disruptions abroad can have a direct and significant effect on our domestic economy.
Despite these risks, I believe the financial services industry is better prepared than most other industries to protect its infrastructure. The reason is relatively straightforward: Government, business, and the public demand greater vigilance from the financial services industry than perhaps any other. Telecommunications may be the nerve system of government, but commerce is clearly the lifeblood of this or any other country, and the financial services industry is essential to business.
However, the financial services industry is also confronted with a host of new challenges and questions. You are no strangers to strong risk management and control procedures, but will new competitive pressures drive some financial institutions into uses of information technologies before they are safe? Will technologically-induced systemic risks be created before management practices and public policies can deal effectively with them?
Electronic banking, electronic commerce and cybercash are generally in their nascent stages, but the task remains to determine whether or not existing regulatory and industry approaches are appropriate for the future.
The financial services industry must recognize that the risks to its infrastructure are growing in variety, complexity and magnitude. Furthermore, the assessment of these risks must be accomplished using new models of risk. The revolution in telecommunications and information technology has challenged the relevancy of traditional methods of assessing and managing risk.
Having said that, where do we go from here? How do we address these challenges?
The answer is partnership. The central challenge of the Commission is to forge a cooperative and collaborative effort between the private sector and government at all levels -- Federal, State and local. Partnership is the core of the Commission.
We are pursuing this partnership through non-stop efforts to carry our message throughout the country.
To build awareness throughout this and other industries, we are conducting an aggressive outreach to companies -- particularly industry leaders -- to discuss our goals and solicit participation. We need your help in developing a strategy and recommendations that are compatible with both increased protection and business' bottom line.
To help build public awareness, we will hold a series of public hearings, in cities from Los Angeles to Boston, to ensure everyone will have an opportunity to be heard.
The Commission's philosophy is that the quality of our recommendations to the President can only be as good as the buy-in we foster with the private sector.
We are vitally interested in what the private sector has to say because it owns and operates the critical infrastructures. Private sector involvement is absolutely essential to an informed process of developing a comprehensive national policy and implementation strategy.
In short, the Commission's job is assuring America's future through this partnership.
We are under no illusions that this Commission can solve every infrastructure problem. Instead, we see the recommendations we will develop as a point of departure for implementation. For that reason, we need the best thinking of the private sector up front.
A question I often hear is, "How can we help?"
The answer is: talk to us. Visit us on the World Wide Web at www.pccip.gov. Give us your best thinking. I welcome and encourage your input. The toughest work of the Commission is still before it -- the actual crafting of strategy -- so we want to hear what you have to say as soon as possible. That's the only way we will achieve solutions that work for everyone.
Thank you for inviting me to speak with you this morning. Good luck with your conference.