for the Record of Ronald L. Dick,
National Infrastructure Protection Center
Bureau of Investigation
Senate Committee on Governmental Affairs
October 4, 2001
Chairman, Ranking Member Thompson, and members of the committee,
thank you for inviting me here today to testify on the topic,
“Critical Infrastructure Protection: Who’s in Charge?”
Holding this hearing demonstrates your individual commitment to
improving the security of our critical infrastructures and this
committee's leadership on this issue in Congress. Our work here is vitally important because the stakes
involved are enormous. The
September 11 attacks on the World Trade Center and Pentagon have
demonstrated how a significant disruption to the transportation
industry or any other critical infrastructure will certainly have
a ripple effect on others. My
testimony today will address our role in protecting the Nation’s
infrastructures and how we coordinate with other entities.
As set forth in Presidential Decision Directive 63, the mission
of the NIPC is to provide “a national focal point for gathering
information on threats to the infrastructures” and to provide
“the principal means of facilitating and coordinating the
Federal Government’s response to an incident, mitigating
attacks, investigating threats and monitoring reconstitution
Directive defines critical infrastructures to include “those
physical and cyber-based systems essential to the minimum
operations of the economy and government,” to include, without
limitation, “telecommunications, energy, banking and finance,
transportation, water systems and emergency services, both
governmental and private.”
The NIPC is the only organization in the federal government
with such a comprehensive national infrastructure protection
mission. The NIPC
gathers together under one roof representatives from, among
others, the law
enforcement, intelligence, and defense communities, who
collectively provide a unique analytical perspective to threat and
incident information obtained from investigation, intelligence
collection, foreign liaison, and private sector cooperation.
This perspective ensures that no single
"community" addresses threats to critical
infrastructures in a vacuum; rather, all information is examined
for its potential for simultaneous application to security,
defense, counterintelligence, terrorist or law enforcement matter.
While developing our infrastructure protection capabilities, the
NIPC has held firm to two basic tenets that grew from extensive
study by the President's Commission on Critical Infrastructure
the government can only respond effectively to threats by focusing
on protecting assets against attack while simultaneously
identifying and responding to those who nonetheless would attempt
or succeed in launching those attacks. And second, the government can only help protect this
nation's most critical infrastructures by building and promoting a
coalition of trust, one . . . amongst all government agencies, two
. . . between the government and the private sector, three . . .
amongst the different business interests within the private sector
itself, and four . . . in concert with the greater international
the NIPC has focused on developing its capacity to warn, to
investigate, and to build partnerships, all at the same time.
As our techniques continue to mature and our trusted
partnerships gel, we will continue to witness ever-better results.
Over the past three years, we cultivated a number of initiatives
that have developed into increased capabilities, all of which are
being actively used to mitigate the terrorist threat and to
prepare our response to the events of September 11th.
The NIPC has developed InfraGard into the largest
government/private sector joint partnership for infrastructure
protection in the world. We
have taken it from its humble roots of a few dozen members in just
two states to its current membership of over 2,000 partners.
It is the most extensive government-private sector
partnership for infrastructure protection in the world, and is a
service we provide to InfraGard members free of charge.
InfraGard expands direct contacts with the private sector
infrastructure owners and operators and shares information about
cyber intrusions and other critical infrastructure vulnerabilities
through the formation of local InfraGard chapters within the
jurisdiction of each of the 56 FBI Field Offices and several of
its Resident Agencies (subdivisions of the larger field offices).
A key element of the InfraGard initiative is the confidentiality
of reporting by members. The
reporting entities edit out the identifying information about
themselves on the notices that are sent to other members of the
InfraGard network. This
process is called sanitization and it protects the information
provided by the victim of a cyber attack.
Much of the information provided by the private sector is
proprietary and is treated as such. InfraGard provides its
membership the capability to write an encrypted sanitized report
for dissemination to other members. This measure helps to build a
trusted relationship with the private sector and at the same time
encourages other private sector companies to report cyber attacks
to law enforcement.
InfraGard held its first national congress from June 12-14, 2001.
This conclave provided an excellent forum for NIPC
supervisors and InfraGard members to exchange ideas.
InfraGard's success is directly related to private
industry's involvement in protecting its critical systems, since
private industry owns almost all of the infrastructures.
The dedicated work of the NIPC and the InfraGard members is
paying off. InfraGard
has already prevented cyber attacks by discreetly alerting
InfraGard members to compromises on their systems. On May 3, 2001, the InfraGard initiative
received the 2001 WorldSafe Internet Safety Award from the
Safe America Foundation.
The NIPC also reaches out to the entire public with its website at
nipc.gov, which to date has provided systems administrators and
home users alike with significant warnings about cyber threats and
recently as last week, we provided information systems security
advice through our website, InfraGard,
and our other partnerships, to better protect the public from the
Nimda worm. In fact,
based on our prior responsiveness to the Code Red worm and our
joint efforts with the private sector in publicizing preventive
measures that business and home users could put in place, we
believe the impact of the Nimda worm, which took advantage of
similar software vulnerabilities as Code Red, was significantly
Our website provides
the public with the ability to report computer attacks and
intrusions online, simply by filling out and submitting an
Incident Reporting Form. The
NIPC also provides timely information on cyber vulnerabilities,
hacker exploit scripts, hacker trends, virus information, and
other critical infrastructure best practices through its bi-weekly
The NIPC provides policy and decision-makers information
about current events, incidents, developments and trends related
to critical infrastructure protection through its monthly
publication called Highlights and, more significantly, by
bringing groups together to meet on important issues.
We have established these and other mechanisms to promote
meaningful two-way communication with the public, and they are
seeing active use.
The NIPC's Watch Center operates around the clock and communicates
daily with the Department of Defense and its Joint Task Force for
Computer Network Operations (JTF-CNO).
The Watch Center is also connected to the Watch Centers of
several of our close allies. U.S. Army Major General Dave Bryan,
Commander of the JTF-CNO, recently remarked that, "The NIPC
and JTF-CNO have established an outstanding working relationship.
We have become interdependent, with each realizing that
neither can totally achieve its mission without the other."
I couldn't agree more.
The NIPC's ability to fulfill the expectations and needs of
its Department of Defense component is achieved by the
inter-agency structure of the Center, which includes the NIPC's
Deputy Director Rear Admiral James Plehal, USNR, and the NIPC's
Executive Director, Steven Kaplan, a Supervisory Special Agent
from the Air Force Office of Special Investigations. The Section and Unit Chiefs in the Computer Investigation and
Operations Section and the Training, Outreach, and Strategy
Section are from the FBI. The
Assistant Section Chief for Training, Outreach and Strategy is
detailed from the Defense Criminal Investigative Service, and the
Unit Chief of ISAC Support and Development is a senior CIA
analyst. The Section
Chief of the Analysis and Warning Section is from the CIA and his
deputy is a senior FBI agent.
The head of the NIPC Watch and Warning Unit is reserved for
a uniformed service officer, and the head of the Analysis and
Information Sharing Unit is staffed by a National Security Agency
manager. The Center's staffing demonstrates our desire for broad,
high-level, multi-agency ownership of the NIPC and our collective
commitment to achieve meaningful and effective coordination across
the law enforcement, intelligence, defense, and other critical
government operations communities.
Within the Center, the NIPC has full-time representatives from a
dozen federal government agencies, led in number by the FBI and
the Department of Defense, as well as from three foreign partners:
the United Kingdom, Canada, and Australia.
We are also strong partners with the General Services
Administration's Federal Computer Incident Response Center,
FedCIRC, in order to further secure our government technology
systems and services. We
also team up regularly with the CIA and NSA to work on matters of
common concern. In
addition to interagency participation, the NIPC has established
information sharing connectivity with a number of foreign cyber
watch centers, including in the UK, Canada, Australia, New
Zealand, and Sweden. And,
we continue to take advantage of the FBI's global presence through
its Legal Attache offices in 44 nations.
Our multi-agency team works with Information Sharing and Analysis
Centers (ISAC’s) throughout the country, including those that
represent the Financial Services Sector, the Electric Power
Sector, the Telecommunications Sector, and the Information
Technology industry. In
addition to these private sector partners, we have provided threat
briefings to the Water, Oil and Gas, Financial,
Electrical Energy, Information Technology,
Telecommunications, and Railroad
September 11th, the NIPC has been providing sector
briefings almost every day. We
are also connected with the 18,000 police departments and
Sheriff's offices which bravely serve our nation daily and in
times of crisis. This
past March the NIPC and the Emergency Law Enforcement Services
Sector Forum completed the nation's Emergency Law Enforcement
Sector Plan together with a "Guide for State and Local Law
Enforcement Agencies." This significant achievement represents the nation's first
and only completed sector plan and it is being used as a model by
the other critical infrastructure sectors.
Taken together, the Plan and the Guide provide our
emergency law enforcement first responders with procedures that
are immediately useful to enhance the security of their data and
While the NIPC works diligently with its interagency and private
sector partners, it has embraced other initiatives and fulfilled
its role in leading the critical infrastructure protection effort.
This is evidenced by its coordinating actions as Chair of
the Incident Response Sub-Group of the Information Infrastructure
Protection and Assurance Group established by National Security
Policy Directive-1. The
NIPC also routinely disseminates information through its
participation in task forces and working groups that meet
regularly. NIPC senior leadership participates in weekly senior
level meetings to exchange strategic level information with the
Assistant Secretary of Defense for Command, Control, Communication
and Intelligence. Further
collaboration is demonstrated through the NIPC's designation as
chair of one of the subcommittees that is revising the National
While the NIPC has made great strides over the last three years,
we recognize the need to do better, and we are working diligently
to improve. In a GAO
report dated April 25, 2001, the NIPC was recognized as having an
effective investigative training and InfraGard program.
In his prepared statement for the May 22, 2001 hearing,
GAO's Director of Information Security, Mr. Robert F. Dacey,
First, the NIPC has provided valuable coordination and technical
support to FBI field offices, which have established special
squads and teams and one regional task force in its field offices
to address the growing number of computer crime cases. The NIPC
has supported these investigative efforts by (1) coordinating
investigations among FBI field offices, thereby bringing a
national perspective to individual cases, (2) providing technical
support in the form of analyses, expert assistance for interviews,
and tools for analyzing and mitigating computer-based attacks, and
(3) providing administrative support to NIPC field agents. For
example, the NIPC produced over 250 written technical reports
during 1999 and 2000, developed analytical tools to assist in
investigating and mitigating computer-based attacks, and managed
the procurement and installation of hardware and software tools
for the NIPC field squads and teams.
Over the past three years, NIPC has provided training for more
than 2,500 participants from federal, state, local and foreign law
enforcement and security agencies.
The NIPC's training program complements training offered by
the FBI's Training Division as well as training offered by the
Department of Defense and the National Cybercrime Training
investigators are essential to our successfully combating computer
Enhancing Capacity for Strategic Analysis
The GAO recognized that the NIPC’s ability to completely achieve
its mission was most affected by a shortfall of personnel
recommendations included enhancing capacity for strategic
analysis. I am pleased to report progress in this area.
We have established four strategic directions for our capability
growth through 2005: prediction,
prevention, detection, and mitigation.
None of these are new concepts but NIPC has renewed its
focus on each of them in order to strengthen our strategic
NIPC has worked to further strengthen its longstanding
efforts on the early detection and mitigation of cyber attacks.
These strategic directions will be significantly advanced
by our intensified cooperation with federal agencies and the
private sector. As
the recent Leaves, Code Red and Nimda worm incidents demonstrate,
our working relations with key federal agencies, like FedCIRC, NSA,
CIA, and the Joint Task Force - Computer Network Operations (JTF-CNO),
and private sector groups such as SANS, the anti-virus community,
and the major Internet service providers and backbone companies
have never been closer. Our
most ambitious strategic directions, prediction and prevention,
are intended to forestall attacks before they occur.
We are seeking ways to forecast or predict hostile
capabilities in much the same way that the military forecasts
weapons threats. The
goal here is to forecast these threats with sufficient warning to
prevent them. A
key to success in these areas will be strengthened cooperation
with intelligence collectors and the application of sophisticated
new analytic tools to better learn from day-to-day trends.
The strategy of prevention is reminiscent of traditional
community policing programs but with our infrastructure partners
and key system vendors.
As we work on these four strategic directions:
attack prediction, prevention, detection, and mitigation,
we will have many opportunities to stretch our capabilities.
With respect to all of these, the NIPC is committed to
continuous improvement through a sustained process of documenting
"lessons learned" from significant events.
The NIPC also remains committed to achieving all of its
objectives while upholding the fundamental Constitutional rights
of our citizens.
The NIPC is also enhancing its strategic analysis capability
"data warehousing and data mining" project. This will allow the NIPC to retrieve incident data
originating from multiple sources.
Data warehousing includes the ability to conduct real-time
all-source analysis and report generation.
Enhancing Cooperative Relationships Among Federal Agencies
The placement of the NIPC under the jurisdiction of the FBI endows
the Center with both the authorities and the ability to combine
law enforcement information flowing into the NIPC from the FBI
field offices with other information streams derived from open,
confidential, and classified sources. This
capability is unique in the federal government for reasons of
privacy and civil rights.
The NIPC has established effective information sharing and
cooperative investigative relationships across the U.S.
written protocol was signed with the Department of
Transportation's Federal Aviation Administration (FAA) which will
reinforce how information is shared between FAA and NIPC and how
that information will be communicated.
This protocol documents a long-standing informal process of
information sharing between NIPC and FAA.
Informal arrangements have already been established with
the Federal Communications Commission,
Department of Transportation’s (DOT) National Response
Center, DOT Office of Pipeline Safety, Department of Energy’s
Office of Emergency Management, and others, which allow the NIPC
to receive detailed sector-specific incident reports in a timely
information sharing procedures should soon be completed with
several other agencies, including the National Coordinating Center
for Telecommunications and the Federal Emergency Management
Agency’s National Fire Administration.
The NIPC has developed into a truly interagency center and this in
itself fosters cooperative relationships among agencies.
It currently consists of detailee from the following U.S.
government agencies: FBI, Army, Office of the Secretary of Defense, Air Force
Office of Special Investigations, Defense Criminal Investigative
Service, National Security Agency, General Services
Administration, United States Postal Service, Department of
Transportation/Federal Aviation Administration, Central
Intelligence Agency, Department of Commerce/Critical
Infrastructure Assurance Office, and a representative from the
Department of Energy. Canada,
the United Kingdom, and Australia also each have a detailee in the
The NIPC functions in a task force-like way, coordinating
investigations in a multitude of jurisdictions, both domestically
and internationally. This
is essential due to the transnational nature of cyber intrusions
and other critical infrastructure threats.
To instill further cooperation and establish an essential
deconfliction process among the investigative agencies, the NIPC
asserted a leadership role by forming an Interagency Coordination
Cell (IACC) at the Center. The
IACC meets on a monthly basis and includes representation from
U.S. Secret Service, NASA, U.S. Postal Service, Department of
Defense Criminal Investigative Organizations (AFOSI, DCIS,
NCIS, USACIDC), U.S. Customs,
Departments of Energy, State and Education, Social Security
Administration, Treasury Inspector General for Tax Administration
and the CIA. The cell
works to deconflict investigative and operational matters among
agencies and assists agencies in combining resources on matters of
common interest. The NIPC anticipates that this cell will expand
to include all investigative agencies and inspectors general in
the federal government having cyber or other critical
As we noted on May 22, 2001, the IACC has led to the
formation of several task forces and prevented intrusions and
compromises of U.S. Government systems.
The IACC was instrumental in coordinating the augmentation
of the PENTTBOM investigation in the aftermath of the September 11
Since 1998, the NIPC has been developing the FBI’s Key
Asset Initiative, identifying over 5,700 entities vital to our
national security, including our economic well-being.
The information is maintained in a database to support the
broader effort to protect the critical infrastructures against
both physical and cyber threats.
This initiative benefits national security planning efforts
by providing a better understanding of the location, importance,
contact information and crisis management
for critical infrastructure assets across the country.
We have worked
with the DoD and the CIAO in this regard.
Following the September 11, 2001, events and at
the request of the National Security Council, the NIPC has
leveraged the Key Asset Initiative to undertake an all-agency
effort to prepare a comprehensive, centralized database of
critical infrastructure assets in the United States.
The NIPC maintains an active dialogue with the
international community, to include its participation in the
Trilateral Seminar of the International Cooperation for
Information Assurance in Sweden and the G-8 Lyon Group (High Tech
Crime Subgroup). NIPC
has briefed visitors from a number of countries, including: Japan,
Singapore, the United Kingdom, Germany, France, Norway, Canada,
Denmark, Sweden, Israel, and other nations over the past year. In addition, NIPC personnel
have accepted invitations to meet with government
authorities in Sweden, Germany, Australia, the United Kingdom, and
Denmark in recent months to discuss infrastructure protection
issues with their counterparts.
The NIPC sends out infrastructure information to address
cyber or infrastructure events with possible significant impact.
These are distributed to partners in private and public sectors.
A number of recent advisories sent out by the NIPC (see for
example Advisory 01-022, titled "Mass Mailing Worm
W32.Nimda.A@mm”) serve to demonstrate the continued
collaboration between the NIPC and its partner FedCIRC.
The NIPC serves as a member of FedCIRC's Senior Advisory
Council and has daily contact with that entity as well as a number
of others including NSA and DoD's Joint Task Force - Computer
Network Operations (JTF-CNO). On issues of national concern, the recent incident involving
the Leaves, Code Red and Nimda worms are good examples of the
NIPC's success in working with the National Security Council and
our partner agencies to disseminate information and coordinate
strategic efforts in a timely and effective manner.
Improving Information Sharing
The NIPC actively exchanges information with private sector
companies, the ISACs, members of the InfraGard Initiative, and the
public as part of the NIPC’s outreach and information sharing
NIPC's aggressive outreach efforts, we receive reports from many
ISAC member companies. The NIPC has proven that it can properly safeguard their
information and provide useful information in return. This reporting is partially responsible for the issuance of
more warning products each year.
Over the past two years the NIPC and the North American
Electric Reliability Council (NERC)—the ISAC for the electric
power sector—have established an indications, analysis and
warning program (IAW) program, which makes possible the timely
exchange of information valued by both the NIPC and the electric
power sector. This
relationship is possible because of a commitment both on the part
of NERC and the NIPC to build cooperative relations. In the days following the September 11 attacks, NIPC and NERC
held daily conference calls.
The close NERC-NIPC relationship is no accident but the
result of two interrelated sets of actions.
First, as Eugene Gorzelnik, Director of Communications for
the NERC, stated in his prepared statement at the May 22, 2001
[T]he NERC Board of
Trustees in the late 1980s resolved that each electric utility
should develop a close working relationship with its local Federal
Bureau of Investigation (FBI) office, if it did not already have
such a relationship. The Board also said the NERC staff should
establish and maintain a working relationship with the FBI at the
Second, the NIPC and NERC worked for over two years on building
the successful partnership that now exists.
It took dedicated individuals in both organizations to make
it happen. It is this
success and dedication to achieving results that the NIPC is
working to emulate with the other ISACs.
The NIPC also continues to meet regularly with ISACs from other
sectors, particularly the financial services (FS-ISAC) and
telecommunications (NCC-ISAC) ISACs, to establish more formal
information sharing arrangements, drawing largely on the model
developed with the electric power sector.
In the past, information exchanges with these ISACs have
consisted of a one-way flow of NIPC warning messages and products
being provided to the ISACs. However, in recent months the NIPC has received greater
participation from sector companies as they become increasingly
aware that reporting to the NIPC enhances the value and timeliness
of NIPC warning products disseminated to their sector.
Productive discussions held this spring with the FS-ISAC,
in particular, should significantly advance a two-way information
exchange with the financial services industry.
The NIPC is currently working with the FS-ISAC and the
NCC-ISAC to develop and test secure communication mechanisms,
which will facilitate the sharing of high-threshold, near
real-time incident information.
In the meanwhile we are working with these ISACs to share
information. In March
2001, we were commended by the FS-ISAC for our advisory on
e-commerce vulnerabilities (NIPC Advisory 01-003).
According to the FS-ISAC, that
advisory, coupled with the NIPC press conference on March
8, 2001, stopped over 1600 attempted exploitations by hackers the
day immediately following the press conference.
I remain encouraged by the progress the NIPC has made in its first
three years. Our
multi-agency partnership has developed unique national
capabilities that have never before been achieved.
We will continually improve in the coming years in order to
master the perpetually evolving challenges involved with
infrastructure protection and information assurance.
Thank you for inviting me here today, and I welcome any
questions you have.