[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]
THE DHS INFRASTRUCTURE PROTECTION
DIVISION; PUBLIC-PRIVATE PARTNERSHIPS TO
SECURE CRITICAL INFRASTRUCTURES
=======================================================================
HEARING
before the
SUBCOMMITTEE ON INFRASTRUCTURE
AND BORDER SECURITY, AND
SUBCOMMITTEE ON CYBERSECURITY,
SCIENCE AND RESEARCH AND DEVELOPMENT
of the
SELECT COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTH CONGRESS
SECOND SESSION
__________
APRIL 21, 2004
__________
Serial No. 108-45
__________
Printed for the use of the Select Committee on Homeland Security
Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html
__________
U.S. GOVERNMENT PRINTING OFFICE
23-278 WASHINGTON : 2005
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
SELECT COMMITTEE ON HOMELAND SECURITY
Christopher Cox, California, Chairman
Jennifer Dunn, Washington
C.W. Bill Young, Florida
Don Young, Alaska
F. James Sensenbrenner, Jr., Wisconsin
W.J. (Billy) Tauzin, Louisiana
David Dreier, California
Duncan Hunter, California
Harold Rogers, Kentucky
Sherwood Boehlert, New York
Lamar S. Smith, Texas
Curt Weldon, Pennsylvania
Christopher Shays, Connecticut
Porter J. Goss, Florida
Dave Camp, Michigan
Lincoln Diaz-Balart, Florida
Bob Goodlatte, Virginia
Ernest J. Istook, Jr., Oklahoma
Peter T. King, New York
John Linder, Georgia
John B. Shadegg, Arizona
Mark E. Souder, Indiana
Mac Thornberry, Texas
Jim Gibbons, Nevada
Kay Granger, Texas
Pete Sessions, Texas
John E. Sweeney, New York

Jim Turner, Texas, Ranking Member
Bennie G. Thompson, Mississippi
Loretta Sanchez, California
Edward J. Markey, Massachusetts
Norman D. Dicks, Washington
Barney Frank, Massachusetts
Jane Harman, California
Benjamin L. Cardin, Maryland
Louise McIntosh Slaughter, New York
Peter A. DeFazio, Oregon
Nita M. Lowey, New York
Robert E. Andrews, New Jersey
Eleanor Holmes Norton, District of Columbia
Zoe Lofgren, California
Karen McCarthy, Missouri
Sheila Jackson-Lee, Texas
Bill Pascrell, Jr., North Carolina
Donna M. Christensen, U.S. Virgin Islands
Bob Etheridge, North Carolina
Ken Lucas, Kentucky
James R. Langevin, Rhode Island
Kendrick B. Meek, Florida
Ben Chandler, Kentucky
John Gannon, Chief of Staff
Stephen DeVine, Deputy Staff Director and General Counsel
Thomas Dilenge, Chief Counsel and Policy Director
David H. Schanzer, Democrat Staff Director
Mark T. Magee, Democrat Deputy Staff Director
Michael S. Twinchek, Chief Clerk
______
Subcommittee on Infrastructure and Border Security
Dave Camp, Michigan, Chairman
Kay Granger, Texas, Vice Chairwoman
Jennifer Dunn, Washington
Don Young, Alaska
Duncan Hunter, California
Lamar Smith, Texas
Lincoln Diaz-Balart, Florida
Robert W. Goodlatte, Virginia
Ernest Istook, Oklahoma
John Shadegg, Arizona
Mark Souder, Indiana
John Sweeney, New York
Christopher Cox, California, ex officio

Loretta Sanchez, California
Edward J. Markey, Massachusetts
Norman D. Dicks, Washington
Barney Frank, Massachusetts
Benjamin L. Cardin, Maryland
Louise McIntosh Slaughter, New York
Peter A. DeFazio, Oregon
Sheila Jackson-Lee, Texas
Bill Pascrell, Jr., New Jersey
Kendrick B. Meek, Florida
Jim Turner, Texas, ex officio
(II)
Subcommittee on Cybersecurity, Science, and Research & Development
Mac Thornberry, Texas, Chairman
Pete Sessions, Texas, Vice Chairman
Sherwood Boehlert, New York
Lamar Smith, Texas
Curt Weldon, Pennsylvania
Dave Camp, Michigan
Robert W. Goodlatte, Virginia
Peter King, New York
John Linder, Georgia
Mark Souder, Indiana
Jim Gibbons, Nevada
Kay Granger, Texas
Christopher Cox, California, ex officio

Zoe Lofgren, California
Loretta Sanchez, California
Robert E. Andrews, New Jersey
Sheila Jackson-Lee, Texas
Donna M. Christensen, U.S. Virgin Islands
Bob Etheridge, North Carolina
Ken Lucas, Kentucky
James R. Langevin, Rhode Island
Kendrick B. Meek, Florida
Ben Chandler, Kentucky
Jim Turner, Texas, ex officio
(III)
C O N T E N T S
----------
Page
STATEMENTS
The Honorable Christopher Cox, a Representative in Congress From
the State of California, and Chairman, Select Committee on
Homeland Security
Oral Statement................................................. 28
Prepared Statement............................................. 1
The Honorable Jim Turner, a Representative in Congress From the
State of Texas, Ranking Member, Select Committee on Homeland
Security....................................................... 32
The Honorable Mac Thornberry, a Representative in Congress From
the State of Texas, and Chairman, Subcommittee on
Cybersecurity, Science, and Research and Development........... 1
The Honorable Zoe Lofgren, a Representative in Congress From the
State of California, and Ranking Member, Subcommittee on
Cybersecurity, Science, and Research and Development........... 23
The Honorable Dave Camp, a Representative in Congress From the
State of Michigan, and Chairman, Subcommittee on Infrastructure
and Border Security............................................ 21
The Honorable Loretta Sanchez, a Representative in Congress From
the State of California, and Ranking Member, Subcommittee on
Infrastructure and Border Security............................. 25
The Honorable Benjamin L. Cardin, a Representative in Congress
From the State of Maryland..................................... 40
The Honorable Ben Chandler, a Representative in Congress From the
State of Kentucky.............................................. 39
The Honorable Donna M. Christensen, a Delegate in Congress From
the U.S. Virgin Islands........................................ 37
The Honorable Norman D. Dicks, a Representative in Congress From
the State of Washington........................................ 42
The Honorable Bob Etheridge, a Representative in Congress From
the State of North Carolina.................................... 35
The Honorable Sheila Jackson-Lee, a Representative in Congress
From the State of Texas
Oral Statement................................................. 45
Prepared Statement............................................. 2
WITNESSES
PANEL I
Mr. Robert Liscouski, Assistant Secretary for Infrastructure
Protection, Department of Homeland Security
Oral Statement................................................. 3
Prepared Statement............................................. 6
Mr. George C. Newstrom, Secretary of Technology, Commonwealth of
Virginia
Oral Statement................................................. 13
Prepared Statement............................................. 16
PANEL II
Mr. Robert Dacey, Director, Information Security Issues, General
Accounting Office
Oral Statement................................................. 48
Prepared Statement............................................. 50
Ms. Diane VanDe Hei, Vice Chair, Information Sharing and Analysis
Center Council
Oral Statement................................................. 80
Prepared Statement............................................. 82
The Honorable Dave McCurdy, Executive Director, Internet Security
Alliance
Oral Statement................................................. 72
Prepared Statement............................................. 74
THE DHS INFRASTRUCTURE PROTECTION DIVISION; PUBLIC-PRIVATE PARTNERSHIPS
TO SECURE CRITICAL INFRASTRUCTURES
----------
Wednesday, April 21, 2004
House of Representatives,
Subcommittees on Infrastructure
and Border Security,
and
Subcommittee on Cybersecurity, Science and Research
and Development,
Select Committee on Homeland Security,
Washington, DC.
The subcommittees met, pursuant to call, at 10:34 a.m., in
Room 2212, Rayburn House Office Building, Hon. Mac Thornberry
[chairman of the Cybersecurity subcommittee] presiding.
Present: Representatives Thornberry, Camp, Cox, Lofgren,
Sanchez, Dicks, Cardin, Jackson-Lee, Christensen, Etheridge,
Lucas, Chandler and Turner.
Mr. Thornberry. [Presiding.] This hearing will come to
order. I appreciate the witnesses and the members who are here.
There are obviously several substantial hearings going on at
the same time. I know our witnesses will understand as people
come and go. As you know, this is a joint hearing between the
Subcommittee on Cybersecurity, Science and Research and
Development, and the Subcommittee on Infrastructure and Border
Security. Chairman Camp and I will be sharing the gavel.
Since we have two panels and two subcommittees today, I ask
unanimous consent that all members submit opening statements
for the record so that we can move ahead. Without objection, it
is so ordered. I would also request our witnesses to work with
us on that. I think we are going to have votes come at about
12:30 or 1:00. If you could work with us on summarizing your
statements, then I would appreciate it. Without objection your
full written statements will be made a part of the record.
Prepared Statement of the Honorable Christopher Cox, a Representative
in Congress, From the State of California, and Chairman, Select
Committee on Homeland Security
Thank you Chairman Camp and Chairman Thornberry for holding this
important hearing. I join you in welcoming our witnesses today, who
will help us explore the Department's relationship with various
critical infrastructure sectors.
I want to take this opportunity to commend Secretary Ridge, Under
Secretary Libutti, Assistant Secretary Liscouski, and the men and women
of the Information Analysis and Infrastructure Protection (IAIP)
Directorate for their dedication and accomplishments in this critical
area. They have had to build this Directorate from scratch, while
facing both enormous expectations in a time of heightened alert and
unrelenting scrutiny. IAIP gets a lot of attention because it is truly
the nerve center of the great, new Department. IAIP is at the heart of
the Department's core mission to prevent terrorism and protect the
infrastructure that is vital to the security and economic well-being of
our Nation.
The Homeland Security Act of 2002 requires IAIP to integrate
information from various public and private sources to form a
comprehensive picture of the terrorist threats we face, and to map this
assessment against the vulnerabilities of our critical infrastructure
to produce a prioritized and risk-based plan for securing our homeland.
This is not a one-time task, but a continuous responsibility, in a
dynamic and constantly changing environment. We have no choice but to
continue to press IAIP to build the analytic capabilities necessary to
carry out its mandate under the Homeland Security Act. Risk-based
assessments produced by IAIP must guide both the Department's overall
homeland security strategy and the allocation of resources to priority
areas.
The President has exerted strong leadership in the effort to secure
our critical infrastructure. He has issued a national strategy, as well
as a Homeland Security Presidential Directive (HSPD-7). To secure our
critical infrastructure both documents envision a strong, sustained
public-private partnership. Eighty-five percent of our critical
infrastructure is owned by the private sector, and it is appropriate
that the private sector take a lead role in protecting these assets,
with assistance--including the provision of actionable threat-based
information--and oversight by the Federal government.
The President's fiscal year 2005 budget request includes $51.6
million for IAIP's ``outreach and partnership'' program, a 27-percent
increase over the previous year. This increase is a strong indication
of his commitment to enhancing the public-private partnership to
protect critical infrastructure. Among other things, this program is
intended to develop and coordinate strategic relationships between
public and private entities for national planning, outreach and
awareness, information sharing, and protective actions.
One key manifestation of the public-private partnership envisioned
by the Homeland Security Act is the continued operation of--and in some
cases, the creation of new--Information Sharing and Analysis Centers
(ISAC) for critical infrastructure sectors. Part of this hearing will
focus on obtaining information from the General Accounting Office on
its soon-to-be-completed review of the ISAC model, and exploring how
this model can be enhanced.
As we continue to work with DHS to enhance the public-private
partnership, we must resist efforts to make DHS the regulator of more
and more sectors of our economy. The Homeland Security Act clearly bars
any such role for DHS, and we should alter that formula only with great
caution. I see no reason to do so now or for the foreseeable future.
Mr. Chairmen, we share the bold vision of a safer America laid out
in the Homeland Security Act, the national strategies, and HSPD-7. We
are prepared to provide rigorous constructive oversight of critical
infrastructure protection activities and to act as full partners with
the Department, other government entities, and the private sector in
helping realize that vision.
Thank you, Mr. Chairmen, and I yield back the balance of my time.
Prepared Opening Statement of the Honorable Sheila Jackson-Lee, a
Representative in Congress From the State of Texas
Mr. Chairman, thank you for convening this hearing on a subject
that is extraordinarily important to the safety of the American public.
I would like to welcome Assistant Secretary Liscouski back, as well as
this distinguished panel. It seems that indeed the Department of
Homeland Security is making progress in this area--putting people and
facilities in place to protect our nation's critical infrastructure.
However, a chain is only as strong as its weakest link. For
example, say I have a dozen chemical plants in my District in Houston.
If we spend billions of dollars and five years and make 11 of them
absolutely invulnerable, but we leave just one looking like the ones we
all saw on 60 Minutes last fall, with unlocked gates, absent guards,
and unprotected tanks of deadly gas--what have we accomplished? A
would-be terrorist wanting to attack Houston would just have to spend
an extra day plotting his attack--going through the phone book and
driving by each chemical plant listed. It is essential that we
plug ALL of the holes. We need to know where our vulnerabilities are,
and develop a comprehensive system to address those vulnerabilities.
That is why many of us have been standing behind the Ranking Member
of this Committee, urging the DHS to complete a thorough risk
assessment of our nation's critical infrastructure. That is why we need
to have clear performance metrics for critical infrastructure
protection. That is why we need seamless communication between federal
and state governments and the private sector. To get those things done,
we will need a fully staffed and functioning Office of Infrastructure
Protection. Until then, we are all at risk.
Today we should hear the progress being made within DHS and in
their work in the field. Do they have the funds, the expertise, and the
authority they need to get the job done? Are those in the private sector
willing partners? It will also be important to hear whether
stakeholders outside the DHS are getting the guidance they need.
I look forward to the discussion, and to working together with these
two subcommittees to ensure that we keep pushing the process forward.
So with that, let me turn directly to our witnesses. On our
first panel, we have two distinguished witnesses. The first is
Mr. Robert Liscouski, the Assistant Secretary for
Infrastructure Protection from the Department of Homeland
Security. He has been with us a number of times before.
Secretary Liscouski, thank you for being here. You are
recognized for a summary of your opening statement.
STATEMENT OF THE HONORABLE ROBERT LISCOUSKI, ASSISTANT
SECRETARY, INFRASTRUCTURE PROTECTION, DEPARTMENT OF HOMELAND
SECURITY
Mr. Liscouski. Mr. Chairman, thank you for the opportunity
this morning. It is always a pleasure to appear before your
committees. I thank you again for your recognition of the
importance of this topic. I do have an oral statement, but I
will try to go through this as quickly as I can in recognition
of our time constraints.
Since the inception of DHS, we have been working very
strongly to develop partnerships with the private sector. We
have made significant progress in evaluating and securing our
greatest vulnerabilities. In order for this public and private
partnership effort to succeed, we recognize that we have to
increase our efforts at information sharing. To this end, we
are making very good progress. Some would call it exceptional
progress in expanding our information-sharing capabilities with
respect to all types of information that must be shared,
including vulnerability information, exploits, threats,
incidents and best practices, as well as early warnings.
Our critical infrastructure sectors are very diverse, as
you well know. Consequently, the level of collaboration and
coordination with the Federal Government and each other within
the context of the private sector varies widely between the
sectors. We recognize these differences, and IAIP has developed
a very facilitative process to work in partnership with the
Federal sector-specific agencies as defined in HSPD-7, and to
help sectors organize themselves as inclusively as possible to
identify or construct the sector leadership entity for critical
infrastructure protection.
At the operational level, IAIP works daily on a periodic
and situational basis with ISACs, sharing information on
threats and developing suggested protective measures and alerts
and warnings. As you know, there are currently 14 ISACs
spanning most of the HSPD-7 critical infrastructures. The ISACs
serve as our gateway between DHS and the industry for tooling
information sharing and provide the industry with information
as an information clearinghouse for each sector.
Through up-to-date distribution lists maintained by the
ISACs, DHS is able to quickly disseminate threat warnings to
identify entities within each sector. To a lesser degree,
however, ISACs and their members provide DHS with incident and
suspicious activity. This has become very much more of a robust
information-sharing capability. This information holds for us
the potential for completing the situational awareness picture,
together with the intelligence community and law enforcement,
which is vital for us to understand the threats that we are
facing.
My organization is responsible for maintaining and
enhancing those relationships with the private sector through
the ISACs and through other efforts. Our staff actively
participates in ISAC-related advisory groups, committees, task
forces and working groups to maintain day-to-day contact with
those ISACs.
In protecting our country, we need to address the
protection from a holistic perspective, not one which is
artificially divided between a physical and a cyber-world. On
January 28 of this year, the Department of Homeland Security,
through the US-CERT, unveiled our national cyber security alert
system, which is an operational system to develop and deliver
targeted, timely and actionable information to Americans to
secure their computer systems. We strive to make sure that the
information provided is both understandable to all computer
users, technical and non-technical alike, and reflects the
broad usage of the Internet in today's society.
Our national strategy for cyber-security acknowledged one
of the most important constituencies is the private sector. It
is estimated that 85 percent of our critical infrastructure is,
of course, owned and operated by the private sector, and the
technology developed by the technology industry continues to
fuel the growth and the evolution of the Internet, as well as
obviously being ridiculously embedded in our business
processes. In December 2003, the National Cyber Security
Division co-hosted our first national cyber security summit,
which allowed the Department to work side by side with leaders
from industry to address key cyber-security issues facing the
nation.
Other partnership efforts with the private sector include
our National Cyber Security Alliance and Stay Safe Online,
which is a public-private organization created to educate home
users and small businesses on cyber security best practices.
Let me just take a moment to talk about the ISACs. The
ISACs have emerged over the last several years as the primary
conduit for critical information sharing between the Federal
government and our infrastructures and key resources throughout
the industries. The ISACs continue to evolve, although they
began with a focus on cyber back in the PDD-63 days. They now
include physical vulnerabilities as well. This emphasis has
really been gaining momentum since September 11. This just
demonstrates the recognition that the ISACs have matured, as
well as our strategy to include our physical and cyber
strategies are interlinked.
The blackout of August 14 last year is a good example of
the cooperation and effective communication between IAIP and
the industry, and specifically the electric power industry
through the electric industry's electric sector ISAC. At the
time of the power outage, the electric sector ISAC had been
well established and the lines of communication between the
ISAC and IAIP were in place. Shortly after the blackout, the
IAIP electric sector specialists were on the phone with the ES
ISAC to establish a preliminary estimate of the extent of the
outage to determine how far it had spread and to what
extent. Following the discussions with the ISAC, we were able to
make an assessment that the outage did not appear to have been
caused by terrorist activity, and this information was quickly
passed on to the Secretary and to the White House.
Every couple of hours throughout the night and somewhat
less frequently over the next few days, the ES ISAC conducted
conference calls with the industry representatives to assess
restoration efforts, the results of which were daily summarized
in situation reports that were provided to senior officials
within DHS and the White House.
Since the creation of DHS, we have been leveraging newly
integrated capabilities in the Department to reach out to the
private sector. For example, in coordination with the U.S.
Secret Service, shortly after the creation of DHS a financial
services ISAC exercise was held in New York. The event was well
received by the financial sector participants. We built on that
effort and we are working with state homeland security advisers
to continually put out more tabletop exercises. DHS has
recently conducted exercises in Chicago, San Francisco and
Houston, and we are currently conducting one in St. Petersburg,
Florida with the FS ISAC.
The Administration and Congress have provided additional
tools to enhance our information-sharing capabilities with the
ISAC. I will just go through that very quickly. As the primary
operational interface with the nation's critical
infrastructures, my Infrastructure Coordination Division, or
ICD, continues to pass timely and substantive threat
information to the private sector. We regularly hold daily,
sometimes weekly teleconferences. Sector analysts provide
critical infrastructures and ISACs with threat updates on
terrorist activities potentially affecting their systems and
facilities.
In addition, the ICD sector analysts routinely assist our
intelligence analysts from IA in preparing the warnings that
identify and communicate infrastructure-specific threats and
trends. The Critical Infrastructure Information Act was
recently enacted at the request of the private sector, and
provided implementing regulations to private industry with
assurances that critical infrastructure information they
voluntarily share with the government will be protected from
release to the public from use in civil litigation.
The PCII program enables the Department to receive critical
information that would not have been previously available to
the government, thereby allowing a better understanding of
threats and vulnerabilities and the security of our nation's
critical infrastructure.
We recognize the need for better coordination for
information flow in the private sector and we have established
consequently the National Infrastructure Coordination Center
under the Infrastructure Coordination Division. Now in its
third month of official operation, the NICC provides
operational awareness of the nation's critical infrastructures
and key resources in collaboration with both private partners
and our counterpart government agencies.
Another key component of our strategy is connectivity. With
the announcement of the Homeland Security Information Network,
HSIN, DHS provides a new capability for enhancing many of the
critical infrastructures ISACs' capabilities to communicate
with their sectors. The system provides a secure encrypted
backbone capability for participants to communicate sensitive,
but unclassified information with DHS, with each other, and
other communities of interest which may have information useful
to them. It provides a collaborative feature that allows
government and industry participants to work together in real
time on problem solving. It has an alerting and notification
feature to disseminate information to members of a sector or
across sectors.
The system provides a capability for sectors to interact
with each other as necessity dictates. The features within that
system provide for basic and common communication service
among ISACs. I would be happy to discuss that further.
Let me just conclude by saying that in today's threat
environment where threats and vulnerabilities are continuously
evolving in both physical and cyber space, we need critical
infrastructure sectors' coordination and cooperation and
expertise and creativity to find the most effective,
sustainable, consistent and measurable ways to protect their
sectors. The partnerships we have developed and will continue
to develop will improve upon the relationships we have, but
they are absolutely key to the success of our goal to protect
our nation and its critical infrastructure.
Mr. Chairman, thank you.
[The statement of Mr. Liscouski follows:]
Prepared Statement of the Honorable Robert Liscouski
Good morning, Chairman Thornberry, Chairman Camp, and distinguished
members of the subcommittees. I am pleased to appear before you again
today to discuss Information Sharing between the Department of Homeland
Security and Critical Infrastructure Sectors.
The recent bombings in Madrid confirm that terrorists are willing
to exploit a wide range of infrastructure vulnerabilities. That is why
we must continue to be vigilant and flexible in our approach to
infrastructure protection. We in the Information Analysis and
Infrastructure Protection Directorate (IAIP) take that mandate to heart
in our collective efforts and activities to protect the Nation.
Since the inception of DHS in 2003, working in a continuing
partnership with private industry, we have made significant progress in
evaluating and securing our greatest vulnerabilities. In order for this
public-private partnership effort to succeed, increased information
sharing is essential. To this end, we are making exceptional progress
in expanding our information sharing capabilities with respect to all
of the types of information that must be shared including vulnerability
information, exploits, threats, incidents, best practices, and early
warnings.
Today I will discuss with you an overview of the current level of
relationships and information sharing we have with private industry,
illustrating accomplishments with specific examples. Then I will
describe recent initiatives we have implemented to enhance those
relationships. Finally, I will discuss some new initiatives we are
planning for later this year.
DHS and Private Sector Relationships
Any effective relationship with private industry requires
engagement at all levels. IAIP works hard to maintain a comprehensive
relationship with private industry, specifically focusing on the
critical infrastructure sectors and the owners and operators of key
assets. This relationship operates on three levels: (1) policy and
strategy; (2) planning and implementation; and (3) operational
execution.
Policy and Strategy
IAIP serves as the executive agent for two Presidential advisory
committees: The National Infrastructure Advisory Council (NIAC) and the
National Security Telecommunications Advisory Committee (NSTAC). Both
bodies provide policy and strategic advice to the President on
enhancing public-private partnerships and on specific strategic issues
related to critical infrastructure protection.
The NSTAC is chartered to provide industry-based advice and
expertise through the Secretary of Homeland Security to the President
on issues and problems related to implementing national security and
emergency preparedness (NS/EP) telecommunications policy. It is
composed of up to 30 industry chief executives representing the major
communications and network service providers and information
technology, finance, and aerospace companies. Since its inception, the
NSTAC has addressed a wide range of policy and technical issues
regarding telecommunications, information systems, information
assurance, critical infrastructure protection, and other NS/EP
communications concerns.
The NIAC, through the Secretary of Homeland Security, provides the
President with expert advice on the security of information systems for
critical infrastructure supporting other sectors of the economy:
banking and finance, transportation, energy, manufacturing, and
emergency government services. Because information and physical
security are inextricably linked within many critical infrastructure
sectors, the Council has addressed issues that cover both. The NIAC is
charged to enhance the partnership of the public and private sectors,
propose and develop ways to encourage private industry to perform
periodic risk assessments, foster improved cooperation among the
Information Sharing and Analysis Centers (ISACs), DHS, and other
Federal Government entities; and advise sector specific agencies with
critical infrastructure responsibilities, sector coordinators, DHS, and
the ISACs. The Council includes chief executives from industry,
academia and State and local government.
Both the NSTAC and the NIAC work closely with the Administration
and IAIP to identify key policy issues of importance to critical
infrastructure protection.
Planning and Implementation
At the planning and implementation level, IAIP works with cross-
sector bodies, such as the Partnership for Critical Infrastructure
Security (PCIS). The PCIS Board consists of all the sector leadership
entities that comprise the ``sector coordination mechanism[s]''
referred to in Homeland Security Presidential Directive 7 (HSPD-7).
These leadership entities have been previously affirmed by the sector
specific agencies. Private industry established the PCIS as a forum to
partner across sectors and with the Federal Government to address
critical infrastructure.
IAIP also works with the ISAC Council, whose members represent many
of the ISACs established in infrastructure sectors. Private industry,
on its own volition, organized this forum to share common issues and
best practices, and to find common solutions. ISACs are established
voluntarily by industry sectors to share information and analysis for
alerts, warnings and advisories, and act as a communication vehicle for
best practices and other security information tailored for each sector.
As a point of entry into the sector, sector leadership entities
have the mission of facilitating sector strategy and policy as well as
coordinating a wide range of critical infrastructure planning
activities, that include national planning involving critical
infrastructures, outreach and awareness, sector vulnerability
assessments, requirements for sector information sharing, identifying
sector-wide best practices, acting as the sector's point of contact
with the Federal Government at infrastructure protection meetings, and
serving as the strategic communication point back into the sector and
to its members from the Federal Government.
The critical infrastructure sectors are very diverse in their
composition, culture, and operations. Consequently, their level of
collaboration and coordination with the Federal Government, and with
each other, varies widely between sectors. Recognizing these
differences, IAIP has developed a facilitative process to work in
partnership with the Federal sector-specific agencies (as defined in
HSPD-7) to help the sectors organize themselves as inclusively as
possible to identify or construct the ``sector leadership entity'' for
critical infrastructure protection. This leadership entity could be an
individual, entity or group. Examples of how IAIP actively engages in
this sector development activity can be found today in the Agriculture
and Food sectors (in partnership with HHS and USDA), the Public Health
sector (in cooperation with HHS), the Postal and Shipping sector, the
Water sector (in cooperation with EPA), and the Emergency Services
sector.
IAIP leadership met frequently with both the PCIS and the ISAC
Council throughout the last year, and continues to meet with them, to
understand and gain deeper knowledge of sector issues from the private
sector representatives on various aspects of infrastructure protection.
Out of one of the briefings provided by IAIP to the ISAC Council, the
Council, on its own initiative, developed a series of white papers on
information sharing for its own use in strategic planning, and shared
them with IAIP.
With the support of IAIP, the PCIS Board and the ISAC Council began
holding joint meetings in December, 2003. They have worked jointly and
independently on various initiatives. In joint sessions, DHS has
provided comprehensive briefings on its initiatives and critical
issues, which have led the joint PCIS/ISAC Council to begin identifying
specific activities, tools/methodologies development, and programs
undertaken by each specific sector and then shared across sectors as
best practices to improve each sector's security. This study has helped
each sector identify gaps as they compare their activities. This joint
body represents a major forum for joint communication with the critical
infrastructure sectors.
IAIP has embarked upon national level planning efforts that will
involve the private sector in the development and/or implementation of
the plan. Under HSPD-7, IAIP has embarked upon the development of the
National Infrastructure Protection Plan (NIPP). This National Plan will
cover the 13 critical infrastructure sectors and four categories of Key
Resources. Sector-Specific Agencies both internal to and external to
DHS will have the lead for drafting these 17 sector-specific plans,
which will be integrated into the National Plan. The public-private
partnership in this Plan will be realized through engaging the private
sector in the planning process as represented by their ISACs, sector
coordinators, and other recognized sector stakeholders so that their
knowledge and information will be reflected in the substance of the
Plan itself.
In a second national planning effort under HSPD-5, DHS's Office of
Headquarters Integration Staff, along with the Department's
directorates, is developing the National Response Plan. For the first
time, the National Response Plan, which integrates the various federal
response plans, will include the private sector as an essential element
in preparedness, response, and recovery.
Relationships must be maintained at this level in order to assure
coordinated and integrated plans and programs that utilize resources
optimally and to assure engagement of operational leadership within the
private industry for mutual planning and goals setting.
Operational Execution
At the operational level, IAIP works on a daily, periodic and
situational basis with ISACs sharing information on threats, developing
suggested protective actions, and alerts and warnings. There are
currently 14 ISACs spanning most of the HSPD-7 critical
infrastructures. ISACs serve as a gateway between DHS and the industry
for two-way information sharing and provide the industry with an
information clearinghouse for each sector. Through the up-to-date
distribution lists maintained by the ISACs, DHS is able to quickly
disseminate threat warnings to identified entities within each sector.
To a lesser degree, ISACs and their members provide DHS with
incident and suspicious activity information. This type of information
holds the potential for completing the situational awareness picture
(together with Intelligence Community and Law Enforcement information)
concerning possible threats to the nation's critical infrastructures.
In my organization, the Infrastructure Coordination Division (ICD) and
National Communications System (NCS) are the two IAIP divisions
responsible for maintaining and enhancing relationships with the
private sector through their ISACs, the latter with specific
responsibility for the telecommunications sector. Staff from both
divisions participate actively in ISAC related Advisory Groups,
Committees, Task Forces and Working Groups and maintain day-to-day
contact with the ISACs.
In addition, the Protective Security Division (PSD), also within
the Office of Infrastructure Protection, has worked with owners and
operators of specific categories of critical assets to develop and
tailor protective practices for these assets. An example of this type
of product is the guidelines for protecting refineries that the oil
industry published last year. This type of work complements the
``buffer zone'' approach for communities that the division has
developed and deployed over the last fourteen months. In addition, PSD
is deploying regional/field security representatives to work directly
with the owners and operators of critical infrastructure facilities and
community leaders to address protective measures. Together, these
practices constitute a holistic approach to infrastructure protection,
looking at the activity from a ``whole systems'' perspective, and
providing for a ``layered'' defense for the nation's critical assets.
In support of integrated operations, DHS's predecessor agencies
have granted security clearances to industry representatives when the
purpose is to help the Federal Government maintain and enhance our
national security, which includes critical infrastructure protection.
Clearances historically have been given to individuals who have unique
expertise, not available in government, on critical infrastructure
protection, operations, or technology or who must take specific
protective actions in response to classified information. In the past,
IAIP sector analysts have specifically relied on ISAC and industry
experts, generally with secret-level clearances, to help them assess
sector threat, risk, and vulnerability information. In particular,
these industry representatives work closely with DHS analysts to ensure
that government-generated warning products (e.g. Advisories and
Information Bulletins), when declassified to permit broad industry
distribution, still contain information that provides ``value added''
actionable intelligence when disseminated to sector members. DHS is
continuing to refine and working to accelerate the process for granting
security clearances to key sector individuals to assist DHS, and
ultimately their own sectors, regarding the production and receipt of
timely and actionable threat information.
In February, 2003, President Bush issued the National Strategy to
Secure Cyberspace (``the Strategy''). DHS recognized that in order to
meet many of the mandates in the Strategy and other objectives
addressing greater national cyber security, we needed to create an
operational mechanism for building a cyber security readiness and
response system. As such, through an initial partnership with the CERT
Coordination Center (CERT/CC) at Carnegie Mellon University, we created
the U.S. Computer Emergency Readiness Team, or US-CERT. Through that
partnership, US-CERT is able to leverage, rather than duplicate,
existing capabilities and accelerate national cyber security efforts.
US-CERT provides a national coordination center that links public and
private response capabilities to facilitate information sharing across
all infrastructure sectors and to help protect and maintain the
continuity of our Nation's cyber infrastructure. The overarching
approach to this task is to facilitate and implement systemic global
and domestic coordination of deterrence from, preparation for, defense
against, response to, and recovery from, cyber incidents and attacks
across the United States, as well as the cyber consequences of physical
attacks. To this end, US-CERT is building a cyber watch and warning
capability, launching the US-CERT Partnership Program to build
situational awareness and cooperation, and coordinating with U.S.
Government agencies and the private sector to deter, prevent, respond
to and recover from cyber--and physical--attacks. Through its Internet
portal, US-CERT is a crucial component of--and a distribution tool
for--our cyber security awareness activities.
On January 28, 2004, the Department of Homeland Security through
US-CERT unveiled the National Cyber Alert System, an operational system
developed to deliver targeted, timely and actionable information to
Americans to secure their computer systems. As the U.S. Government, we
have a responsibility to alert the public of imminent threats and to
provide protective measures when we can, or at least provide the
information necessary for the public to protect their systems.
Furthermore, it is also important to inform the public about the true
nature of a given incident, what the facts are, and what steps they can
and should take to address the problem. The offerings of the National
Cyber Alert System provide that kind of information; we have already
issued several alerts and the initial products in a periodic series of
``best practices'' and ``how-to'' guidance messages. We strive to make
sure the information provided is understandable to all computer users,
technical and non-technical, and reflects the broad usage of the
Internet in today's society. As we increase our outreach, the National
Cyber Alert System is looking at other partners to distribute
information to as many Americans as possible.
As the strategy acknowledged, one of our most important
constituencies is the private sector. It is estimated that eighty-five
percent of America's critical infrastructure is owned and operated by
private companies, and technology developed by industry continues to
fuel the growth and evolution of the Internet. In December 2003, the
National Cyber Security Division (NCSD) co-hosted the first National
Cyber Security Summit in Santa Clara, California with the Information
Technology Association of America, TechNet, the Business Software
Alliance, and the U.S. Chamber of Commerce. This event was designed to
energize the public and private sectors to implement the Strategy. The
Summit allowed the Department of Homeland Security to work side-by-side
with leaders from industry to address the key cyber security issues
facing the Nation. Five interest areas were established to focus
specifically in the areas of:
Increasing awareness
Cyber security early warning
Best practices for information security corporate
governance
Technical standards and common criteria
Security across the software development lifecycle
Perhaps most importantly, the Summit served as a call to action. It
represented a logical transition point from developing a national
strategy to energizing the public-private partnership to implement
concrete, measurable actions to improve the security of America's cyber
systems. Over the past few weeks, summit participants have put forward
options for potential solutions in each of these key areas for both the
public and private sector. We are excited that the private sector is
showing such initiative and we are committed to working together.
DHS is also a sponsor of the National Cyber Security Alliance
(NCSA) and StaySafeOnline, a public-private organization created to
educate home users and small businesses on cyber security best
practices. Other NCSA sponsors include: The Federal Trade Commission,
AT&T, America Online, Computer Associates, ITAA, Network Associates,
and Symantec. DHS is providing matching funds to expand the NCSA end-
user outreach campaign, which will include a Fall 2004 Public Service
Campaign to increase awareness among Americans about key cyber security
issues.
In operational relationships of this kind, adding value, efficiency
and customer orientation is the key to building trust and sustaining
relationships. IAIP has worked hard to enhance its capabilities in this
regard over the last year with these activities. These relationships
represent on-going efforts that are essential for efficient planning
and implementation coordination. The long term commitment of
communications between the federal government and the private entities
is an essential element of building successful public-private
partnerships.
Private Public Partnerships Information Sharing
Adequate, actionable information is an essential enabler for all
facets of critical infrastructure protection, from deterrence to
response. Congress recognized its importance in the new tools it
provided to DHS to obtain and protect, analyze and disseminate
information from a wide variety of sources. Private industry owners and
operators of critical infrastructure have long understood their
responsibility for assuring their operations under a multitude of
circumstances ranging from accidents to natural disasters. They now
must add terrorism to the list of natural and manmade hazards they must
consider and accommodate in their investments and response
preparedness. The Federal government alone cannot protect this nation's
expansive and widely distributed national infrastructures. IAIP needs
private industry to be fully engaged in our national CIP program.
Consequently, two-way information sharing with the owners and operators
of critical infrastructures remains one of our highest priority public
private partnerships.
Current Information Sharing Initiatives
The Information Sharing and Analysis Center (ISAC) has emerged over
the last several years as a primary conduit for information sharing
between the Federal government and many critical infrastructures and
key resource industries. Each ISAC's structure and operations tend to
reflect the culture, structure and operating processes of its sector.
The ISACs continue to evolve. They began with a focus on cyber security
vulnerabilities and incidents. Since September 11, 2001, most share
information on physical incidents as well.
ISACs have widely varying levels of maturity and capability. ISACs
have served a valuable role in private partnership information sharing.
The purpose of the ISAC is to provide an efficient conduit for
dissemination, sharing and communications of indications, warnings, and
advisories related to potential threats, vulnerabilities and incident
data.
The Northeast Blackout of last year is a good example of
cooperation and effective communications between IAIP and the Electric
Power industry through the industry's Electric Sector--ISAC. At the
time of the power outage the ES-ISAC had already been well established
and lines of communication between the ISAC and IAIP were in place. By
approximately 4:30 p.m. EDT, 15 minutes after the initiation of the
power outage, the IAIP's electric sector specialist was on the phone
with the ES-ISAC to establish a preliminary estimate of the extent of
the outage and to determine whether it had ceased to spread. Following
discussions with the ISAC, we were able to make an assessment that the
outage did not appear to have been caused by terrorist activity. This
information was immediately elevated to Secretary Ridge and to the
White House.
Every couple of hours throughout the night, and somewhat less
frequently over the next several days, the ES-ISAC conducted conference
calls with industry representatives to assess restoration efforts.
These calls were summarized in a Situation Report that was provided to
senior officials within DHS and to each IAIP Infrastructure Sector lead
for cross-infrastructure sharing purposes (since every sector depends
upon electricity). In addition, the ES-ISAC structure was used
effectively to share information with other industry sectors that are
dependent on electricity. For example, on the evening of the power
outage, the IAIP electric power staff addressed a conference call of
the Financial Sector-ISAC and was able (based on earlier ES-ISAC
inputs) to estimate the duration of the interruption of power supplies
to New York City. In summary, the August 14th power outage demonstrated
that the ISACs are an effective mechanism for receiving information
from the private sector as well as for providing information to the
private sector during a crisis.
A long standing example of the utility of ISACs is the National
Communications Center Telecommunications-ISAC, which is the primary DHS
interface with the Private Sector for the telecommunications
infrastructure. Built on an existing information sharing body, the NCC
Telecom-ISAC is grounded by well-established trust. This mature, close
relationship with industry is Government-supported, which facilitates
the ISAC's ability to provide a value-added service, reaching out to
the entire sector. This has provided a great role model for other
ISACs.
In the past, the Federal Government would conduct readiness and
terrorism exercises in the absence of private sector participation. For
example, in the TOPOFF-1 and TOPOFF-2 exercise series, the private
sector owners and operators of infrastructure were excluded from
``exercise play'', with the sole exception of hospitals, which were
always one of the key operations being ``stressed and tested'' in those
types of exercises. In contrast, based on prior planning and
coordination by the U.S. Secret Service component of DHS, a Financial
Services (FS)-ISAC Table Top Exercise was held in New York, March 2003
soon after the standup of the Department. DHS staff attended the
exercise to observe the scenario play and to ensure that participants
were aware of DHS's role, including ICD role, in aiding with real-world
recovery operations. The event was well received by the financial
sector participants.
Building on this effort and working with the state homeland
security advisors, DHS has continued these exercises in Chicago, San
Francisco, Houston, and now, concurrent with this testimony, from 19-22
April 2004, the FS-ISAC is hosting its next Tabletop exercise in St.
Petersburg, Florida. The exercise will include two days of interactive
tabletop play. DHS is sponsoring this event and staff will be actively
participating in the exercises.
From the lessons learned of TOPOFF-2 and these other table top
exercises, IAIP recognizes the need to engage our private sector
partners in the planning and execution of these national level
exercises. Exercises of all kinds, tabletop, command post and full
scale, are powerful ``best practice'' training tools and provide another
venue for information sharing. IAIP plans to continue to include the
private sector in future exercises whenever it makes sense to do so.
New Information Sharing Initiatives
The Administration and Congress have provided additional tools to
enhance information sharing with the private sector. I will now discuss
IAIP's new information sharing initiatives.
As the primary operational interface with the nation's critical
infrastructures, ICD continues to pass timely and substantive threat
information to the private sector. At daily and/or weekly
teleconferences, sector analysts provide the critical infrastructures
via the ISACs with unclassified threat updates on terrorist activities
potentially affecting their systems and facilities. In addition,
classified threat briefings are presented to cleared ISAC
representatives and their industry members on a quarterly or semi-
annual basis. To maintain appropriate situational awareness for each
sector--a key division objective--ICD analysts on an ad hoc basis also
provide timely assessments of high threshold threats to critical
infrastructures through the ISACs. In addition, ICD sector analysts
routinely assist IA analysts in preparing warning products that
identify and communicate infrastructure-specific threats and incident
trends.
The National Infrastructure Coordinating Center (NICC) uses the
Infrastructure Protection (IP) Executive Notification Service (ENS) to
quickly notify ISAC leadership and Sector Coordinators of critical
infrastructure events ranging from notification of imminent threats,
dissemination of sector-specific warning products, and changes in
national threat level. ENS delivers rapid internal and external
messaging capability among government and private sector partners and
provides Interactive Secure Authentication, which ensures
confidentiality of communications, as well as confirmation of receipt.
Protected Critical Infrastructure Information
Critical to the Department of Homeland Security's mission is the
ability to effectively share information with homeland security
partners across the country to better protect the nation's critical
infrastructure. The Critical Infrastructure Information (CII) Act and
implementing regulations provide private industry assurances that
critical infrastructure information they voluntarily share with the
government will be protected from release to the public and from use in
civil litigation. The PCII Program enables the Department to receive
critical infrastructure information that would not have previously been
available to the government, thereby allowing for a better
understanding of threats, vulnerabilities and the security of the
nation's critical infrastructure.
With the protection from FOIA disclosure offered by the CII Act,
the private sector can share sensitive and confidential information
that can be analyzed to identify threats and vulnerabilities. Such
analysis will provide the basis not only for developing measures to
deter the threats and mitigate the vulnerabilities to which the
critical infrastructure is exposed, but also for improving Federal,
State, and local governments' emergency preparedness posture to respond
to any attacks more effectively.
The benefits to private industry are both practical and patriotic.
Information sharing will result in better identification of risks and
vulnerabilities, which individual companies can use to help protect
their assets. By voluntarily sharing such critical information, private
industry demonstrates responsiveness to Government need and the public
good. Private industry is demonstrating good corporate citizenship that
may save lives and protect our hometowns. By participating in the PCII
Program, industry is helping to safeguard and prevent disruption to the
American economy and way of life.
National Infrastructure Coordination Center (NICC)
The NICC is currently developing capabilities towards its targeted
operational capacity. Now in its third month of official operation, the
NICC is collecting and analyzing best practices. While this analysis
begins with watch center models, it also includes management practices,
information sharing systems, and other process development models from
a broad range of industries. The NICC will also work with IAIP's
public and private sector partners to ensure that its operational
models most effectively and efficiently meet their needs.
DHS designed the NICC specifically to maintain operational
awareness of the nation's critical infrastructures and key resources in
collaboration with both private partners and counterpart government
agencies. The NICC also, by design, provides DHS with the ability to
coordinate information sharing between government, ISACs, and other
industry partners. The NICC functions as an extension of the Homeland
Security Operations Center (HSOC).
Homeland Security Information Network
With the announcement by the Secretary of the Homeland Security
Information Network (HSIN) in March, DHS provides a new capability for
enhancing many of the critical infrastructure ISACs' capabilities to
communicate with their sectors. The system provides a secure encrypted
backbone capability for participants to communicate Sensitive But
Unclassified (SBU) information with DHS, with each other, and other
communities of interest that have information that may be useful to
them. It provides a collaborative feature that allows government and
industry participants to work together in real-time on problem solving.
It has alerting and notification features to disseminate information to
members of a sector or across sectors. The system provides the
capability for sectors to interact with each other on the system as
necessity dictates. These features provide support for a basic and
common communications service among ISACs.
By providing access to these capabilities to the critical
infrastructure ISACs, IAIP adds value as a partner to the ISACs by
removing duplication of costs in implementation and operations, and
accelerates the development of value of the ISACs to their sectors.
From experience with its use through the JRIES community (consisting of
law enforcement at Federal, state and local levels), the collaborative
and real-time aspects of the system actually increase the pace and
volume of information sharing. Pilots with volunteer critical
infrastructure sectors will begin this year, with support from the
Infrastructure Coordination Division.
We have seen great progress in two-way information sharing with the
private sector, and these examples are illustrative of our efforts.
Conclusion
This Administration has upheld a consistent policy that public
private partnerships be one of the pillars of national critical
infrastructure protection. Partnerships are an essential element
described in every national strategy document that we have published on
homeland security and critical infrastructure protection. This policy
recognizes the new environment of terrorism, where both threats and
vulnerabilities are continuously evolving in both physical and cyber
space, will require an unprecedented adaptability and cooperation of
the stakeholders. Since 85 percent of the critical infrastructures are
owned and operated by private industry, how could a sustained effort be
institutionalized to protect them? Only a full understanding by the
stakeholders of their own vested interests related to this issue could
sustain such an effort and commitment. Public-private partnerships are
the only means that is responsive enough and adaptive enough to
accomplish our national goals in a scalable, sustainable, and effective
way.
We have learned many lessons about developing effective
partnerships both from our legacy agencies and from our own experiences
since DHS was implemented in 2003. I would like to share three of these
with you today. Lesson 1--Partnerships require a set of mutually
determined objectives and deliverables to achieve a value proposition
and trust. Lesson 2--Participation in planning and objectives setting
is essential to the success of the partnership. Both sides must
understand the expectations, values, concerns, risks and individual
objectives of each participant. Lesson 3--Constant communication
between all of the parties is an essential imperative.
With years of experience by agencies that are now part of DHS, the
successful partnerships built between federal lead agencies and their
counterparts in industry were those where the federal lead agencies
educated and learned, convened, listened and responded and then
supported their industry counterparts who took the lead to implement
programs to protect themselves. The Federal government sharing useful,
actionable information on threats induces greater information sharing
by industry in return. Making it easy for industry to receive and
provide information, providing products and services in return, based
on that information, and working with owners and operators to develop
and implement consistent and generally accepted protection practices,
will add value to any partnership.
In all relationships, there are challenges. Strong long-term
relationships depend, however, on how well the participants handle,
learn from, and adapt to those challenges. Some lessons learned from
the recent past in our dialogue with industry include involving them in
planning, mutual goals setting and development of operational learning,
such as input into our national plans, the NIPP and NRP, and direct
participation in major exercises such as TOPOFF3. We have responded and
adapted to many of the needs and expectations of industry in support of
their protection strategies and programs.
Some private institutions have committed tremendous resources in
time and money to supporting this national initiative, not just for
their individual institution but for their industry as a whole. Even
before 9/11, some were doing so. Terrorists have innumerable weapons
and targets of choice in our open society. In order to sustain an
effective national CIP program, we need critical infrastructure
sectors' cooperation, expertise and creativity to find the most
effective and efficient ways to protect their sectors. It is incumbent
upon DHS to develop and strengthen these partnerships and we will do so
because there is more to do to help secure our homeland.
Mr. Thornberry. Thank you.
Also on our first panel, we have Mr. George Newstrom, who
is the Secretary of Technology and Chief Information Officer
for the Commonwealth of Virginia. He also serves as the
Chairman of the Security Committee of the National Association
of State Chief Information Officers. Secretary Newstrom, thank
you for being with us, and you are recognized for 5 minutes to
summarize your statement.
STATEMENT OF THE HONORABLE GEORGE NEWSTROM, SECRETARY OF
TECHNOLOGY, COMMONWEALTH OF VIRGINIA
Mr. Newstrom. Thank you, Mr. Chairman and members of the
committee. I will summarize my statement. You have the full
text in front of you right now. The Chairman has already
introduced me and the two hats that I come to you with today.
At NASCIO, I serve as the Chair of the Security Committee.
This committee addresses the role of information and
communications technology, both in terms of how it supports the
wider needs of state homeland security directors and how state
governments should be protecting their critical information
assets. We also oversee NASCIO's Interstate Information Sharing
and Analysis Center, the ISAC, which arose from a 2002
memorandum of understanding with DHS's Infrastructure
Coordination Division led by Jim Caverly.
Information infrastructure is only part of America's
critical infrastructure that is under attack everywhere all the
time. Unfortunately, cyber attacks on a national scale are
still treated as secondary to any physical threat, whether it
is chemical, biological, radiological, nuclear or explosive.
NASCIO believes that while cyber terrorism per se is still an
emerging threat, we must press forward toward a coordinated
intergovernmental approach to protecting government's critical
information assets if we are to ensure that critical government
business functions, especially those supporting homeland
security, will be available when needed.
If we can secure our systems from hackers and organized
crime, we will have gone a long way toward securing them from
terrorist and enemy nation-states. NASCIO has long realized the
interdependence of Federal, state and local information systems
which drive the need for intergovernmental approach. Toward
that end, we produced a document in 2002 titled Public Sector
Information Security, a call to action for public sector CIOs
that emerged from a forum convened by NASCIO in the wake of 9-
11. We also convened a roundtable discussion that included
local, state and Federal participants here last July.
The primary lessons we have learned are that government
ICT, information and communications technology, personnel
should be considered core competencies to state and local
emergency response capabilities because without everything from
databases to wireless communications, first responders cannot
do their jobs. Also, given the fact that
states, counties and cities are the primary mechanism for the
delivery of critical services to citizens, including Federal
programs, if the information systems of states or local
governments go down, the ability of the other levels of
government to do business within jurisdictions will be
significantly impaired, if not interrupted. This creates a
cascading effect.
While the CIO is charged with protecting the state's
critical information assets, he or she is also charged with
managing the day-to-day operations of a wide variety of
information systems and infrastructures that support first
responders in homeland security leadership. Up to now, homeland
security has primarily been defined as those systems involving
law enforcement and emergency managers. However, as state
efforts to fuse information for intelligence and all-hazard
incident management purposes become more sophisticated, a wide
range of information systems will be drawn together in an
effort, from public safety, public health, transportation and
agriculture, among others.
Homeland security at the state and local level is less
about organizational change and more about cultural adjustment.
Homeland security, like technology, requires an enterprise
approach that synchronizes and harmonizes disparate parts under
a common umbrella. Key to success with this cultural
change is achieving vertical and horizontal sharing and
integration of information, something that requires effective
application of technology. This will require the CIO, with
statewide oversight, to help manage the development and
deployment of systems that can meet the ever-changing needs of
homeland security decision makers.
As a caution and an urge to the Federal Government, we ask
that the Federal Government consolidate its information-
disseminating capability. While it may be necessary to separate
public safety, military and cyber efforts, we should not have
multiple, uncoordinated information dissemination efforts
within each of these categories as we do now. Virginia knows
from first-hand experience that the FBI and DHS are issuing
separate information products to law enforcement and non-law
enforcement communities respectively. This makes it difficult
for state homeland security directors and CIOs to understand
the full spectrum of threats faced by states, without staying
abreast of multiple channels and fusing the information
internally.
NASCIO knows by the work with other states that the other
Federal agencies, particularly those in the Departments of
Justice and Health and Human Services, are issuing cyber alerts
to state and local programmatic counterparts which are not
incorporated in the National Cyber Security Division, NCSD, of
DHS. NASCIO would be willing to work with Mr. Amit Yoran and
the Federal Chief Security Officers Council to develop an
intergovernmental warning process so state CIOs, homeland
security directors and program-specific leadership receive
coordinated, consistent and timely alerts and notices.
As the 9-11 commission has heard now on many occasions, the
issue may be less on what and how much information we know, but
who knows it and who they share it with. In the area of cyber
security, we are doing well at countering attacks on
infrastructure after they happen. Isn't our real objective to
try to identify potential attacks in advance so that we can
avert costly efforts to eradicate them once they happen? The
only way to do this is by connecting the dots, sharing
information across Federal and state agencies in a timely and
focused manner.
NASCIO has been actively engaged in sharing cyber threat
and incident information with and among states as part of our
interstate ISAC program. We have also gathered information for
targeted requests from DHS and provided feedback on the
effectiveness of various information sharing analysis
practices. We have drawn on the goodwill of our corporate
partners to provide the states with supplemental information to
help them respond to fast-moving threats like worms and
viruses.
Regarding specific efforts by the Commonwealth of Virginia,
as members of today's committee know very well, Virginia is
home to the Pentagon, one of the three sites in the United
States that were attacked on September 11. The memory of that
day and its aftermath continue to permeate the consciousness of
those serving in Virginia State government and the local
community, while serving as a guide for Virginia's efforts in
homeland security and critical information protection. To
respond to this challenge, Virginia has three specific efforts
under way. One is the Secure Virginia Panel. The second is the
National Capital Critical Infrastructure Vulnerability
Assessment Project. Three is the Virginia Alliance for
Secure Computing and Networking. You have all those in the
detailed comments in my testimony.
The first one is a public-private partnership that the
Governor of Virginia established within 30 days of coming into
office. The second one is the District of Columbia, the State
of Maryland and the Commonwealth of Virginia working together
to ensure the entire region's assets. The third, the Virginia
Alliance for Secure Computing and Networking, is in the
educational community to secure our research networks that are
very instrumental to all of us.
Mr. Chairman and members of the subcommittee, Virginia and
all the states represented by NASCIO are moving forward in the
context of protecting critical infrastructure from physical and
cyber vulnerabilities. This effort is requiring new ways of
thinking and new types of relationships between Federal and
state entities. Much progress has been made, but there is much
to be done.
I enjoy a close working relationship with Virginia's
homeland security team, state as well as local, as well as the
leaders of the Federal efforts in DHS. I know that we do not
have all the answers. We may not even have all the questions.
But we know that protecting our critical assets from cyber and
physical threat is a key to ensuring the safety of Americans
and protecting our economic security.
My message to you, in conclusion, is first, despite the
continuing daily attacks on our nation's information
infrastructure, cyber security is still seen as a secondary
threat and the interdependence of Federal, state and local
systems absolutely requires closer and a more cohesive
approach. Second, we are encouraged by the organization and the
leadership at DHS to move smartly and timely with the
assistance of their state and local partners, and particularly
the recent evaluation of the ISAC approach and the new
opportunities for effective change that it represents.
NASCIO will do what it can to assist by working with DHS's
ICD and NCSD divisions to arrive at the most effective
approach, and also by developing the states and local addendum
to our national security strategy.
Let me take a moment and thank Robert Liscouski, Assistant
Secretary, sitting next to me, as well as Jim Caverly, who
heads ICD, and Amit Yoran, the Director of the National Cyber
Security Division, as well as Steve Cooper, the CIO of the
Department of Homeland Security. These folks have worked with
us, as well as George Foresman, Virginia's Assistant to the
Governor for Commonwealth Preparedness, to meet the goals that
we have outlined.
Mr. Chairman, thank you, and members of this committee for
the opportunity to be here with you today.
[The statement of Mr. Newstrom follows:]
Prepared Statement of the Honorable George C. Newstrom
Chairman Thornberry, Chairman Camp and Members of the
Subcommittees,
Thank you for inviting me to appear before you today. I am before
you today wearing two different hats: one representing the Commonwealth
of Virginia as its Secretary of Technology and the second as the Chair
of the Security Committee of the National Association of State Chief
Information Officers (NASCIO).
I would like to offer my perspective on the issues of partnership
and information sharing with particular regard to Virginia's cross-
sector efforts to secure its critical and information infrastructures
and NASCIO's efforts to coordinate DHS's interaction with the states on
these matters. Virginia and NASCIO appreciate your attention to this
important matter and willingness to get input from a state and
organization that have direct stakes in the outcome. We believe that
success in cross-sector infrastructure assurance and information
sharing will be the result of persistent effort by many parties,
advancing in spurts during times of urgency and more incrementally
during times when trust and cooperation must be solidified for the long
haul.
Efforts By NASCIO
At NASCIO, as I indicated, I serve as chair of their Security
Committee. This committee addresses the role of state Information and
Communications Technology (ICT) both in terms of how it supports the
wider needs of state homeland security directors and in how state
governments should be protecting their critical information assets. We
also oversee NASCIO's Interstate Information Sharing and Analysis
Center (ISAC) efforts, which arise out of a July 2002 memorandum of
understanding with DHS's Infrastructure Coordination Division (ICD),
led by James Caverly.
Protecting Governments' Critical Information Assets
The information infrastructure is the only part of America's
critical infrastructures that is under attack everywhere, all the
time. Unfortunately, ``cyber'' threat on a national scale is still
treated as secondary to any physical threat whether it be chemical,
biological, radiological, nuclear, and explosive. NASCIO believes that,
while cyber-terrorism per se is still an emerging threat, we must press
forward toward a coordinated, intergovernmental approach to protecting
governments' critical information assets if we are to ensure that
critical governmental business functions--especially those supporting
homeland security--will be available when needed. If we can secure our
systems from hackers and organized criminals, we will have gone a long
way toward securing them from terrorist and enemy nation states.
NASCIO has long realized the interdependencies of federal, state,
and local information systems, which drives the need for an
intergovernmental approach. Toward that end, we produced a document in
2002, titled ``Public-Sector Information Security: A Call to Action for
Public-Sector CIOs'' that emerged from a forum convened by NASCIO in
the wake of 9/11. We also convened a roundtable discussion that
included local, state, and federal participants last July here in
Washington.
The primary lessons we have learned are that government ICT
personnel should be considered a core component of state and local
emergency response capabilities, because without everything from
databases to wireless communications the first responders cannot do
their jobs. Also, given the fact that the states, counties, and cities
are the primary mechanisms for delivering critical services to
citizens--including federal programs--if the information systems of a
state or local government go down, the ability of the other levels of
government to do business within that jurisdiction will be
significantly impaired, if not interrupted. This creates a cascading
effect.
Supporting State Homeland Security Decision-Makers
While the CIO is charged with protecting the state's critical
information assets, he or she is also charged with managing the day-to-
day operations of a wide variety of information systems and
infrastructure that support first responders and homeland security
leadership. Up to now, homeland security ICT has primarily been defined
as those systems serving law enforcement and emergency managers.
However, as state efforts to fuse information for intelligence and all-
hazards incident-management purposes become more sophisticated, a wide
range of information systems will be drawn into the effort, including
those from public safety, public health, transportation, and
agriculture among others.
Homeland Security at the state and local level is less about
organizational change and more about cultural adjustment. Homeland
security, like technology, requires an enterprise approach that
synchronizes and harmonizes disparate parts under a common umbrella.
Key to succeeding with this cultural change is achieving vertical and
horizontal sharing and integration of information--something that
requires effective application of technology. This will require the
CIO, with statewide oversight, to help manage the development and
deployment of systems that can meet the ever-changing needs of homeland
security decision makers while maintaining appropriate levels of
privacy and security. Our adversaries will continue to change their
tactics. Therefore, our information systems must be able to help state
homeland security directors and DHS gather the information they will
need to counter these evolving threats.
Focused Action By The Federal Government Is A Necessity
It is so important that the federal government consolidate its
information dissemination capability. While it might be necessary to
have separate public safety, military and cyber efforts, we should not
have multiple, uncoordinated information dissemination efforts within
each of those categories as we do now. Virginia knows from first hand
experience that the FBI and DHS are issuing separate information
products to the law enforcement and non-law enforcement communities
respectively. This makes it difficult for state homeland security
directors and CIOs to understand the full spectrum of threats faced by
the state without staying abreast of multiple channels and fusing the
information internally.
NASCIO knows by way of its work with all the states, that other
federal agencies, particularly those in the departments of Justice and
Health and Human Services, are issuing cyber alerts to their state and
local programmatic counterparts, which are not incorporated into the
National Cyber Security Division (NCSD) of DHS alert products. NASCIO
would be very willing to work with Mr. Yoran and the new Federal Chief
Security Officers Council to develop an intergovernmental warning
process so that state CIOs, homeland security directors, and program
specific leadership receive coordinated, consistent as well as timely
alerts and notices.
As the `9/11 Commission' has heard now on many occasions, the issue
may be less on what and how much we know but who knows it and who they
share the information with. In the area of cyber security, we are doing
well at countering attacks on our infrastructure AFTER they happen.
Isn't our real objective to try to identify potential attacks in
advance so that we can avert the costly efforts to eradicate them after
they happen? The only way to do this is to `connect the dots'--share
information across federal and state agencies in a timely AND focused
manner.
Sharing Information with the States
NASCIO has been actively engaged in sharing cyber-threat and
incident information with and among the states as part of our
Interstate ISAC program. We have also gathered information for targeted
requests from DHS and provided feedback on the effectiveness of various
information sharing and analysis practices. We have drawn on the
goodwill of our corporate partners to provide the states with
supplemental information to help them respond to fast-moving threats
like worms and viruses.
We applaud Amit Yoran's recent efforts at the National Cyber
Security Division (NCSD) to engage the states directly and make the US-
CERT a valuable tool for the entire ICT-using community, including
individual U.S. citizens. We are currently working with Jim Caverly at
ICD to further refine our ISAC program. We know that DHS, NASCIO, and
individual states have very limited resources to contribute to any
information sharing effort. Therefore, we seek to have an information
sharing and analysis program that is as transparent as possible between
DHS and the states. We also want it to provide targeted services with a
definable return on the sweat equity investment by the states. This
will take time. But, NASCIO has found its partners at NCSD and ICD to
be very receptive to our suggestions for improvement and we remain
committed to ensuring the success of any information sharing efforts
with the states.
Our NASCIO Security Committee currently has two deliverables in
progress for 2004, which might be of interest to you:
A state and local addendum to the National Strategy to
Secure Cyberspace. Following a meeting with DHS and White House
cybersecurity leadership, the National Governors Association
(NGA) began working with NASCIO to take on the joint role of
serving as ad hoc coordinators for the state and local sector.
In that role, we will be forming a task force or working group
to produce a brief addendum that will highlight the key sector
implications of the strategy. It will also provide an
opportunity to put forth some additional recommendations for
action by our sector. This group will include state, county,
and municipal chief information officers (CIOs) and chief
information security officers (CISOs) as well as participants
from the telecommunications directors, utilities commissioners,
and educational community.
Defining the role of the CIO in homeland security
decision support. NASCIO will shortly be releasing a detailed
brief on the role of the CIO in supporting intra-state
intelligence and situational awareness efforts, which combine
to provide homeland security leadership with what we are
calling ``decision support.'' It will include several calls for
very precise state and federal action that we hope will prepare
the states to fulfill the goals of the recently released
National Incident Management System (NIMS) as well as support
the ongoing deployment of new and enhanced information sharing
networks by DHS CIO, Steve Cooper.
Efforts Specific to the Commonwealth of Virginia
The efforts undertaken by the Commonwealth of Virginia in securing
its critical physical and infrastructure have been primarily focused
the development of partnership among key state and local agencies, the
private sector and Virginia's institutions of higher education to
develop and implement strategies for securing and maintaining critical
infrastructure.
As members of today's committees know very well, Virginia is home
to the Pentagon, one of the three sites in the United States that were
attacked on September 11, 2001. The memory of that day and its
aftermath continue to permeate the consciousness of those serving in
Virginia's state government and local communities while serving as a
guide for Virginia's efforts in homeland security and critical
infrastructure protection.
To respond to these challenges, the Commonwealth of Virginia has
three specific efforts underway that will be discussed today. These
efforts are:
The Secure Virginia Panel
National Capital Region--Critical Infrastructure
Vulnerability Assessment Project
The Virginia Alliance for Secure Computing and
Networking (VA SCAN)
The Secure Virginia Panel
As one of his first acts of office to respond to the challenge of
protecting the Commonwealth, the Governor of Virginia, Mark R. Warner,
signed Executive Order 7 on January 31, 2002, establishing the Secure
Virginia Initiative and convening the Secure Virginia Panel. In
bringing together state government, local government and the private
sector, the Secure Virginia Panel and its working groups have served as
the primary conduit for developing public-private partnerships to deal
with the challenges in preparing for emergencies and disasters of all
kinds, including terrorism.
Through the Critical Infrastructure Working Group (CIWG) of the
Secure Virginia Panel, Virginia is tackling many of the same challenges
that are also being addressed by the federal government. Also comprised
of members representing state government, local government and the
private sector, the CIWG is specifically charged with making
recommendations that strengthen cyber and physical security for
critical infrastructure throughout the Commonwealth. By identifying
failure and inter-dependency points in critical infrastructure security
and developing a methodology for prioritization of those points, the
CIWG is attempting to answer three critical questions:
1. What critical infrastructure is needed to keep government
operational?
2. How does the Commonwealth of Virginia best coordinate with
local government and the private sector?
3. What organizational structure is best suited to ensuring a
coordinated approach to both cyber and physical security of
critical infrastructure located in Virginia?
To answer these questions, the CIWG has outlined six objectives
that it plans to meet by December 2004. These objectives are as
follows:
1. Development of a governance model that can best coordinate
critical infrastructure protection and risk mitigation.
2. Identification of critical infrastructure.
3. Identification of inter-dependency and failure points in
critical infrastructure protection.
4. Development of a methodology to prioritize critical
infrastructure protection initiatives.
5. Assignment of responsibility within state government for
coordinating critical infrastructure cyber and physical
security efforts.
6. Coordination among the public sector, private sector and
institutions of higher education to ensure the development and
utilization of a consistent assessment methodology.
These efforts are facilitated by prior recommendations that have
been developed by the Secure Virginia Panel. Specifically, in 2002, the
Panel recommended legislative changes that would protect from FOIA the
disclosure of critical infrastructure information submitted to state
government by the public sector. Titled the `Sensitive Records
Protection Act' (HB 2210), the legislation was passed by the 2003
General Assembly and subsequently signed into law by the Governor.
National Capital Region--Critical Infrastructure Vulnerability
Assessment Project
The vulnerability of the National Capital Region was made painfully
obvious on September 11th, 2001. The coordinated partnership by the
federal government, the states of Virginia and Maryland and the
District of Columbia to the unique situation of our Capital region
demonstrates the cooperative approach towards homeland security and
critical infrastructure protection that is being pursued today.
Under the auspices of the post-9/11 funding provided by Congress, the
Urban Area Security Initiative Grant Program as well as the Department
of Justice Community Oriented Policing (COPS) program, funded through
the Department of Homeland Security's Office for Domestic Preparedness,
a leading regional effort for critical infrastructure protection in the
National Capital Region is being led by George Mason University. This
effort is part of a broader set of NCR initiatives being orchestrated
by the Mayor of DC and Governors of Virginia and Maryland under the
auspices of their representatives on the Senior Policy Group in
partnership with community leaders.
The Urban Area Security Initiative (UASI) is a program that helps
develop sustainable models to enhance security and overall preparedness
to prevent, respond to, and recover from acts of terrorism in high-
density population centers. Specifically, UASI was created to ``enhance
the ability of first responders and public safety officials to secure
the area's critical infrastructure and respond to potential acts of
terrorism.'' Initially, seven metro areas were identified: New York City,
Washington, D.C., Los Angeles, Seattle, Chicago, San Francisco, and
Houston. For the 2004 fiscal year, this number increased to 50, now
including smaller cities such as Orlando, Florida, and New Haven,
Connecticut.
For the National Capital Region, a strategy was developed to
provide a strategic direction for preventing and reducing vulnerability
in the region. The strategy was developed based on a number of inputs:
the results of an assessment completed by communities in the National
Capital Region in July 2003, the National Strategy for Homeland
Security, the Eight Commitments to Action for the National Capital
Region, and the State Template published by the Homeland Security
Council. The Strategy focuses on four areas: planning, training,
exercise, and equipment. George Mason's activities fall within the
planning area.
The grant from the Department of Justice Community Oriented
Policing (COPS) program, complementing the efforts undertaken through
the UASI initiative, focuses on the telecommunications, water, energy,
and transportation sectors in the Commonwealth of Virginia.
In cooperation with five universities, including James Madison
University, the University of Virginia, Virginia Polytechnic Institute
and State University (Virginia Tech), the University of Maryland, and
Howard University, the NCR Critical Infrastructure Vulnerability
Assessment Project focuses on improving regional and sectoral
methodologies for conducting vulnerability assessments. The ultimate
objective of the project is to raise the level of security in the
National Capital Region by ensuring that critical infrastructure
sectors address the most important security concerns. The project seeks
to enhance the capability and capacity of the National Capital Region
to reduce vulnerability, minimize damage and increase resiliency. In
addition to the regional universities engaged in this initiative, GMU
is also working collaboratively with industry and government.
The Virginia Alliance for Secure Computing and Networking (VA SCAN)
The Virginia Alliance for Secure Computing and Networking (VA SCAN)
is a partnership of universities that seeks to strengthen information
security programs within the Commonwealth of Virginia. The partnership
includes security professionals from George Mason University, James
Madison University, the University of Virginia (UVA), and Virginia
Polytechnic Institute (VA Tech) as well as researchers and staff from
the Institute for Infrastructure and Information Assurance (3IA) at
JMU, the Center for Secure Information Systems at GMU, and the joint
GMU/ JMU Critical Infrastructure Protection Project (CIPP).
Representatives from other Virginia institutions, including Mary
Washington College, Radford University, The Virginia Institute of
Marine Science, The College of William and Mary, Virginia Commonwealth
University, and the Virginia Military Institute serve as advisors to
VA SCAN partners.
VA SCAN began offering products and services in March of 2003. The
offerings are based on the principle that the most lasting improvements
to security programs can be made not by performing security functions
for organizations, but rather by educating and guiding management and
staff teams in defining and carrying out their own security strategies
and operations. Some of the products and services offered include:
A Virginia--Critical Infrastructure Response Team
(CIRT) group for tracking security threats
Self-assessment checklist for Commonwealth of Virginia
security standards
Security policy development and security awareness
training
Onsite training and security instructional materials
Onsite consulting on a variety of security topics and
an ``ask the expert'' email service
Web-based toolkit of security tools and best practices
Concluding Remarks
Mr. Chairman and members of the subcommittees, Virginia and all the
states represented by NASCIO are moving forward in the context of
protecting critical infrastructures from physical and cyber
vulnerabilities. This effort is requiring new ways of thinking and new
types of relationships between public federal and state efforts. Much
progress has been made but there is much more to do. I enjoy a close
working relationship with Virginia's homeland security team, state as
well as local, as well as the leaders of the federal efforts at DHS. I
know that we do not have all of the answers and we frankly do not have
all of the questions. But we know that protecting our critical assets
from cyber and physical threats is key to ensuring the safety of
Americans and protecting our economic security.
In conclusion, my message to you is that, despite the continuing,
daily attacks on our nation's information infrastructure, cybersecurity
is still seen as a secondary threat, and the interdependence of
federal, state and local systems absolutely requires a closer, more
cohesive approach. Secondly, we are encouraged by the organization and
leadership at DHS to move smartly and timely with the assistance of
their state and local partners, and in particular, the recent re-
evaluation of the ISAC approach and the new opportunities for effective
change that represents. NASCIO will do what it can to assist by working
with DHS's ICD and NCSD divisions to arrive at the most effective
approach, and also by developing the state and local addendum to our
National Strategy.
Let me take a moment to thank Robert Liscouski, Assistant Secretary
for Infrastructure Protection, DHS; Jim Caverly, director,
Infrastructure Coordination Division; Amit Yoran, director, National
Cyber Security Division; Steve Cooper, chief information officer, DHS
and George Foresman, Virginia's Assistant to the Governor for
Commonwealth Preparedness for all that they do towards our common
goals.
Mr. Chairmen, I thank you and the members of your committees for
the opportunity to testify before you today.
Mr. Thornberry. Thank you. Some very good points.
I yield to Chairman Camp.
Mr. Camp. Thank you, Mr. Chairman.
I appreciate both of your testimonies here this morning.
Assistant Secretary Liscouski, obviously we are very interested
in the role of the ISACs or the Information Sharing and
Analysis Centers in being a link to the private sector in terms
of infrastructure protection. I wonder to what extent you feel
that they have fulfilled their expectations. Do you still view
them as the primary public-private partnership link? To that
extent, I know that under your authority there is a significant
budget for public outreach, nearly $50 million. It is my
understanding none of that has gone to the ISACs. I think a
little bit of funding might help them in their role.
So I am really interested in to what extent you consider
their role important, and still that key link.
Mr. Liscouski. Mr. Chairman, thank you for the question,
and to the point about the partnership with the ISACs. We view
them as critical, along with the other sector-specific agencies
and the sector coordinators, to ensuring that we have not just
the good links to the private sector, but most importantly the
information coming back into DHS to understand what their
concerns are.
Let me just take a moment to address your question by just
taking a step back for a second to say that we recognize that
when PDD-63 was established, the direction the ISACs were going
into was a very good direction, but there was very little
leadership from the private sector to step up to really help
guide those ISACs to provide to the government what their
requirements were.
When we established DHS and I became responsible for those
ISACs, and particularly based upon my private sector
background, it was clear to me that the model we had to change
had to be one which was much more of a private sector-led
model, rather than a government-led model. To that end, and it
is a philosophy we live by today, we established a capability
within my organization for Infrastructure Protection, and
specifically with the Infrastructure Coordination Division, to
be that central point of contact for us into the ISACs; to
establish the links, to formalize those links, but most
importantly to develop or receive the requirements back from
those ISACs.
Based upon that, we developed our fiscal year 2004 funding
profile to ensure that the funding stream that went to the
ISACs met their initial requirements and their evolving
requirements. So we set aside $16 million for outreach that
would be used to assist the ISACs in developing and forming
themselves, as well as assisting them in their communications
capabilities. To date, we have spent approximately $6.5 million
to support the ISACs in the form of creating a common
communications mechanism under the Homeland Security
Information Network, which is a common platform for
communications which we are rolling out to the ISACs, which
effectively provides a no-cost entry for companies to form an
ISAC and then gain access to this information, as well as other
outreach efforts to include administrative support and research
support vis-à-vis George Mason University's Critical
Infrastructure Protection Project, which is something we also
fund.
We have been working with the ISACs. Specifically back in
December, we had an ISAC sector summit in which we solicited
from the ISACs their very specific requirements for how they
thought they needed to be funded and where their funding
priorities are and where they remain.
Mr. Camp. What do you think the principal challenges are in
having the ISACs reach their fullest potential?
Mr. Liscouski. It depends upon the ISAC. It is not a one-
size-fits-all model. I think the expectation we have is that we
really need their requirements to be well defined as it relates
to both information sharing on the two-way street. I think we
have overcome many of the big challenges, for instance the
establishment of the ISAC Council, which as it relates to the
ISAC is our point of entry into the broad ISAC community to
make sure we get collective thought well represented back into
the government so we understand what those needs are. That is
one challenge we have overcome.
I think the other challenge is them defining specifically
what their requirements are in terms of not just linking up
with DHS, but most importantly conveying to us what their
information-sharing requirements are.
Mr. Camp. I think one of the critical things is the
coordination of risk assessment by DHS. I think that is
probably one of their most crucial roles. It appears as though
there are multiple requirements for risk assessment depending
on the agency, TSA or Coast Guard, or whatever. What steps are
being taken to resolve this overlap and multiple levels or
layers of risk assessment that really can be an undue burden on
the private sector?
Mr. Liscouski. I agree with that statement. As you know
when DHS was formed, TSA had already been in existence and had
been moving out in its effort very, very aggressively to try to
connect up with the private sector; similarly with the Coast
Guard going out and doing what they were doing; similarly with
Secret Service and others.
So we immediately began to coordinate the efforts for
critical infrastructure protection and come up with common
vulnerability assessments and risk analysis and capabilities
that could be spread across the entire spectrum. Over the past
year, we have been working on that, but we have really been
able to even more consistently address this through the
implementation of the Homeland Security Presidential Directive
Number Seven, which has really given us the impetus to bring
together all the various Federal agencies, not just within DHS,
but across the Federal Government, to understand these programs
and what their priorities are and how each respective sector-
specific agency is going to be addressing those priorities.
That is a normalization effort that we are currently engaging
in right now.
Mr. Camp. OK, thank you. I see my time has expired.
Mr. Liscouski. Thank you, sir.
Mr. Camp. Thank you, Mr. Chairman.
Mr. Thornberry. Thank you.
The gentlelady from California, Ms. Lofgren.
Ms. Lofgren. Thank you, Mr. Chairman.
Just a note, we have both Secretary Ridge and Secretary
Powell downstairs in the Judiciary Committee, so even though I
am very eager to hear what you have to say, I may be bopping
down there in the near future.
I hate to be a nag, but I am going to complain again, Mr.
Liscouski, about the lateness of your testimony. The committee
rules require that testimony be submitted 48 hours in advance.
Once again, yours was received last night at 7:04 p.m., as a
matter of fact is when we got the email. It is just not
sufficient time for the committee members to review the
testimony. There is a reason for the rule and I think it is
offensive for the whole committee. I hope that that is the last
time that this occurs. It is just not acceptable to me. I hope
that that will not occur again.
I want to ask a broad question, if I may. We need a
comprehensive risk assessment of our nation's critical
infrastructure. It seems to me that that has not yet been
completed. I would like to know when the comprehensive critical
infrastructure risk assessment will be completed. Specifically,
I would like to know who within the IAIP is in charge of this
risk assessment work. I would like to know the number of
employees that are assigned to its production and the number of
contractors and the number of detailees, the specific dollar
amount that is assigned to produce this analysis.
I would like to note that I have a number of questions. We
probably will not be able to get through with them. In the
past, we have submitted questions to the Department and
generally we never get answers to them from any of the
witnesses, including yourself. So I would like a commitment for
those questions that we cannot get through that we actually
will get written responses from you. I will not hold you
accountable for our friend Asa Hutchinson and the others who
have not responded, but I hope that the answers can be prompt.
And if you could address the questions that I have asked
now, I would be very appreciative.
Mr. Liscouski. Yes, ma'am. I apologize again for the
lateness of the submission of the testimony. With respect to
the questions that you just referenced, I know I personally
reviewed questions that you have submitted to me, so I know
that they are a work in progress and we will check on what the
status of those is so you can get them in a timely way.
With respect to the comprehensive risk assessment, as I
have said prior when I have appeared before this committee and
others, that is an ongoing process. If we do our job right, and
I know this can be taken out of context, we will continuously
revise that list. We have over 33,000 assets identified in our
national asset database, for which we are doing analysis on
those risk assessments and continually updating those things.
As you are aware based on my previous testimony, the
interdependencies between all those assets continuously change
based upon the threats. So we will never be satisfied based
upon the evolving threat environment, that we should sit back
and say that because we have done one risk assessment for one
particular asset, that we should not go back and revisit that.
So that is a continuous process.
I know it is a difficult thing, but the enormity and the
complexity and the scope of our critical infrastructure
protection mandates that we continuously revise and review our
risk posture and the changing threats, both of group
capabilities, as well as their intent. Second, this is not just
a DHS effort, but this is a Federal Government as well as a
state and local and a private sector effort. So many of those
things over which we have responsibility, we do not directly
control and therefore our ability to get fidelity in the
comprehensive listing of all the assets is dependent upon the
cooperation we have with the various entities who play in that
space.
Homeland Security Presidential Directive Number Seven gives
us a significant leg up on our ability to coordinate these
activities within the Federal sector. So it is not just DHS in
the context of TSA and other responsibilities that Under
Secretary Hutchinson may have, as well as my own group, but it
is clearly those within DOT, Department of Agriculture, HHS,
and others, which have similar types of responsibilities.
So this is a national problem, as you well know, and not
just a Federal problem. So I would suggest to you that we are
working extremely hard and we have made significant progress
over the past year in really aggregating a list. That has given
us a very clear understanding of the major priorities that we
have to address and we are addressing those priorities.
Ms. Lofgren. If I could, we do understand that we are not
going to come up with a list and then never revisit it.
Obviously, it is an ongoing process. Am I to understand from
your testimony that the critical infrastructure risk assessment
has been completed and now it is a matter of updating it? Or if
not, what are the milestones?
Mr. Liscouski. The milestones are the outreach program that
we have with the state and local and Federal sectors. We have
tasked them specifically to identify what they believe are
critical, based upon the definition in the Patriot Act, which
is what we always go back to, to ensure that we have clarity of
what that list is. Oftentimes we find that what we have done to
identify critical assets in the United States and what the
states and local municipalities and cities have done often do
not reconcile. So we spend a significant amount of time
reconciling those assets, doing the consequence analysis and
the impact of attack on the exploitation and vulnerabilities of
those assets. So no, ma'am, it is not complete, but much of
that is outside the control of DHS per se, but based upon the
input that we get from folks in the respective jurisdictions
that you all represent, as well as other Federal agencies.
Ms. Lofgren. My time has expired, but I would ask that you
respond to me. By the way, you did not give me the number of
employees and detailees.
Mr. Liscouski. I would be happy to get back to you in
writing, if I may.
Ms. Lofgren. If you could also provide a list of what you
have prepared, the milestones that you have achieved, your
timelines for the rest of it, and then to the extent that there
are departments that you are dependent on that have not
actually produced, list them and tell us what they have not
produced so that we can then inquire with them. I think that is
essential.
Mr. Liscouski. I think it is. Let me just level-set the
expectation here. We are asking questions for which we are not
quite sure what the answers are necessarily. I could ask each
one of the Representatives for input on what they think is
critical. There might be things in there that you know about,
that I do not know about. So I am asking a question on which I
am totally dependent upon the folks at the local level for the
answers.
So to suggest that there is a finite number of assets over
which I have some clarity in terms of a number, then I can
measure a milestone that I am at the 80 percent level or the 90
percent level, to be quite candid with you, is a little
unrealistic. We do not know all the assets out there.
Ms. Lofgren. My time has expired, Mr. Chairman.
Mr. Thornberry. Thank you.
The gentlelady from California, Ms. Sanchez.
Ms. Sanchez. Thank you, Mr. Chairman.
Thank you once again for being before us. I know that we
had an opportunity, Chairman Cox and Chairman Camp and myself,
to sit down with you about two or three weeks ago to discuss
this whole list of 1,700 critical sites. I did gain a lot of
information, but we were the only ones, and I know some of it
is secret information. But I think for the ability for some of
the committee members here today, if you could share with us
what intelligence or other information is used to determine the
priorities by which you are putting these critical pieces of
infrastructure on this list that you are working on.
Once the infrastructure is prioritized, what happens to it
when it is on this list? I know that you and I talked about how
you discuss this with local law enforcement, where this
critical infrastructure might be, and that they then are
supposed to approach in particular private businesses. Can you
tell us how that is going? How do you follow up on whether
anything gets done? Maybe some private business does not really
respond to local law enforcement when they come forward and say
you need to secure this particular area in a better way, and
here might be some ways in which you could do that. Have you
provided assistance to these local law enforcement agencies to
help them get that job done, of implementing it on the ground?
Mr. Liscouski. Thank you for your question. I always enjoy
the opportunity of explaining this methodology. Just to
underscore the complexity of this effort, in working with the
private sector and our colleagues on the state and local level,
we have developed a methodology which we are putting out as
widely as we can in terms of best practices, of understanding
what those risks are and how to assess those risks.
When we come up with a prioritized list, it is typically
based upon a five-step process. The first step in that process
is clearly identification of those assets, those things that
need to be protected. Although that sounds like a very simple
thing to do, it is who owns those things, and really what is
the definition that we are putting around that infrastructure
component, what are the interdependencies. There is a
significant amount of analysis that goes on to the front end of
this process to identify the asset.
Ms. Sanchez. And you are doing this? Or are you using the
state and local people's input into these assets in trying to
understand what they are?
Mr. Liscouski. It is actually all of that. It is DHS. It is
our state and local partners. It is the private sector. This is
a highly interdependent process. The second step in that
process is clearly understanding the vulnerabilities, what can
be exploited. The third part of that process is understanding
the consequence of the exploitation of that vulnerability. The
consequence analysis is based upon a number of factors, not
least of which is the consequence of loss of life or economic
impact, or the threat to our national security.
That gives us a prioritization around then what do we need
to be looking at first, independent of a threat environment,
because there are many different continuums upon which we have
to operate. But the baseline, the sort of steady-state
continuum that we operate under is one which is an absence of
threat. So we look at one from a vulnerability and consequence
of loss perspective.
The fourth step in our process is understanding what
programs we have to put out around to remediating or mitigating
those vulnerabilities. The fifth step, which if you asked about
challenges, is the most challenging. That is the metrics
component, the output, the output of understanding not just
what programs are being implemented to address those
vulnerabilities, but are they actually being implemented. More
importantly, are they being implemented well enough to address
the vulnerabilities themselves.
Then we layer on top of that threat information. So as we
get a better understanding of what vulnerabilities are, we then
understand how groups can exploit those vulnerabilities based
upon their capabilities and their intent, and our ability to
understand from an intelligence perspective who is operating
against us that might be targeting those vulnerabilities in a
particular sector.
That is how we prioritize them. We are actively engaging in
revising that prioritized list to make sure that we can
understand from a threat perspective what we need to address
first. That is done in concert with our counterparts,
particularly in the Information Analysis Division of IAIP and
other members of the community, and then clearly with the
ability to understand what is going on at the state and local
level from their priority perspective.
One part of your question also addressed what are we doing
to help state and locals. That becomes a part of what their
capabilities are. We find out, again, the rising tide, so to
speak, of DHS does not float all the boats. We have to ensure
that we can address some specific gaps with the state and
locals, particularly at the local level, again working with the
homeland security advisers in partnership in addressing those
gaps. DHS may provide best practices. We may work with them on
the ODP grant process, or we may go in there, depending on the
specific sector and the specific vulnerability against the
threat, to assist them in training and practical applications
of technology to ensure that we can counter that threat.
Ms. Sanchez. I think my time is up, Mr. Chairman.
Mr. Thornberry. Does the gentlelady have a quick follow-up?
Ms. Sanchez. A really quick follow-up. In looking through
your plans and your goals for this year, I just pulled out an
example. You had in there a desire to send out your team to
take a look at about 270 specific sites with relationship to
chemical possibilities. Of those 270, you have so far this year
visited 17, two of which are now non-active sites. Given that
record, just how far along are you on this plan of identifying
and actually taking a look and making back recommendations?
Mr. Liscouski. Again, thank you for the opportunity to address
a misperception. The last number you just addressed, the 17 or
the top-most identified critical sites that we saw around the
United States from a chemical sector perspective, they were
addressed in fiscal year 2003, actually. The ones that we
thought we needed to have the greatest impact on very shortly,
we did that very early on in the creation of DHS. The number
actually of 360 sites we are addressing in fiscal year 2004
through our Buffer Zone Protection Plan. We have been very
aggressively going out there and visiting sites, providing
common vulnerability assessments.
Our assistance to these sites is one which is either a
physical visit, coordinated with state and locals and our
homeland security advisers, in which we will send DHS teams out
to conduct an assessment if we believe it is necessary, or we
will provide other types of assistance, such as common
vulnerability assessments, best practice methodologies,
interaction with them in a way that allows them to bolster
their own security without us having to actually make a site
visit, working with our state and local partners to do the site
visits.
We do not have enough bandwidth within DHS, nor was the
model ever envisioned that we would actually go out and do
assessments for the entire industry. We are working with our
industry partners, with our state and local authority partners,
to ensure that they know how to do vulnerability assessments
and report that information back to us. So we are making very
good progress. I do not have the exact number. I will be happy
to get back to you on that number. But the number for fiscal
year 2004 is on track, and I am putting significant pressure on
my team to make sure they stick with that number.
Ms. Sanchez. Thank you, Mr. Chairman.
Mr. Thornberry. Thank you.
Chairman Cox?
Mr. Cox. Thank you.
I want to thank both of our witnesses for outstanding
testimony. This is a very, very important aspect of what we are
doing. In fact, I think it is fair to say that infrastructure
protection, and IAIP is the heartbeat of this new Department. I
want to thank you, the Assistant Secretary, Mr. Liscouski, and
Mr. Newstrom for helping us focus on this today. Mr. Liscouski,
you and Secretary Ridge, Under Secretary Libutti and all the
men and women of IAIP deserve our congratulations and our
thanks for what you are doing in this critical area.
You have had to build your capability from scratch. This is
not one of the 22 agencies that were merged together to form
this Department. You have had to face enormous expectations
through periods of heightened alert and of course intense
scrutiny from the Congress because there is nothing more
topical or more urgent before the Congress. I think mostly you
get all of this attention because IAIP is in fact the nerve
center of this enormous new Department and you are the heart of
the Department's core mission.
With 85 percent of what we are denoting as critical
infrastructure key assets to preserve our way of life in the
event of attack in the private sector, this kind of
coordination that we are talking about today is just absolutely
important. The ISACs are not creatures of either the Homeland
Security Act or any other Federal statute. To a certain extent,
there is some experimentation going on with this. ISACs are
constructed along an industry model. They are stovepipes in
that respect. They are not cross-jurisdictional. We have other
councils that you are also sharing information with that are
cross-jurisdictional.
I want to ask, as the first of my two questions, whether or
not you think that we should continue this experimental
practical R&D process, or whether it is time for us to
formalize legislatively the ISAC process and fund it. The
second question I have relates particularly to a portion of
your testimony, Mr. Newstrom. You brought to our attention that
you know by way of your work with all the states that other
Federal agencies, particularly those in the Departments of
Justice and HHS, are issuing cyber alerts to their state and
local programmatic counterparts, that these are not
incorporated into the national Cyber Security Division of DHS
alert products. At the same time, there is not an
intergovernmental warning process that focuses everything from
one place in the Federal Government.
You bring to our attention that among others, the 9-11
Commission has emphasized that it is not just how much we know,
but who knows it, that is really important. The vastness of the
Federal Government, complemented by the vastness of all our
state governments, and then the private sector on top of it and
cross-jurisdictional concerns that we have makes this vitally
important.
Mr. Liscouski, you have told us, and I have every reason to
believe you, that DHS is now able to quickly disseminate threat
warnings to identified entities within each sector. It seems to
me that is a very significant accomplishment. The next step is
to consolidate warnings issued by IAIP to a single node for
dissemination to our private partners. The ultimate step would
be to consolidate warnings issued across the Federal Government
to a single node, which the Homeland Security Act contemplates.
I want to ask you both also to address that.
If you could, I hope that you did not forget my first
question. Talk first about whether the ISAC model is one still
under development and whether we ought to consider other
complements to it, or whether we are starting to get a feel for
exactly what we want to do in this area.
Mr. Liscouski. Thank you, Chairman Cox. I will give you my
private sector perspective, if I could, to add some fidelity
around my thinking. I think it is important to understand, as I
said earlier, this is not a government model. This really needs
to be a private sector model.
To your point about the formalization of the ISACs, I think
they are clearly making some very, very good progress in
developing a way that the industries can come together through
the ISAC model. My philosophy that I am providing as guidance
to the implementation of this and working with the ISACs and
the private sector, is one which really puts the onus on them
to define what their requirements are.
For a moment, I just want to digress to talk a little
philosophically about how information flow goes within the
industries, and how the information flow that goes through
industries is oftentimes predicated upon what types of problems
they solve. Because industries themselves, companies themselves
have many diverse problems over which they have to share
information as well. My personal background within a Fortune 50
firm that I worked for, was that we often looked at not just
problems of manufacturing processes and the threats that they
might be subjected to. That might require us to go out to one
information pool to figure out how we do that, but then the
supply chain that feeds that manufacturing process might put us
into a different information pool or a different community of
interest. Similarly in the cyber world, that may also put us
into another community of interest; similarly with the HR
world.
We have to provide the capability for the private sector to
align itself with information or communities of interest based
upon their needs. We need to facilitate that process as best we
can. My fear in terms of legislating the ISACs would be from
the perspective of making it more rigid than the process really
should allow. Information flow really needs to be as free-
flowing, and we need to, from my perspective, facilitate
information flow processes. If we put labels on what that
process is at a top level based upon some sector alignment, I
think that is appropriate. If we get too down to a granular
level, we will create artificial stovepipes that will not
facilitate the collaborative process between companies and
between industries that is so necessary today.
Industries create this process irrespective of what the
government involvement is. That is why industry associations
are out there. That is why we do things at a level between
security officers between companies at a very high level to
ensure we have very informal networks for information. I think
the important model here is one that represents a very highly
integrated network model, meaning that if you notice terrorist
groups today operate in a highly networked environment
themselves. They leverage technology to be able to communicate
and develop expertise in areas that they can share in a highly
diverse networked way, which puts the information at the edges
of their organization.
Similarly with information we need to be sharing here in
the private sector, facilitated by the government, needs to be
equally diverse and robust in terms of its flow. It has to be
highly networked, highly capable of changing as situations
change. Frankly, I do not think the government can facilitate
that in any way that would allow us to do anything but create a
stovepipe if we get too involved in the process. I would be
interested in Mr. Newstrom's comment about that.
I think the government's value-added in this process is
relevant information. I think if we can provide information
into the process that allows us to know with some degree of
confidence that the private sector knows what they need to be
doing and they are sharing information and solving the
problems, we have ourselves a successful model.
I think we are going to wind up having to look at this very
carefully. I think you are going to hear on the second panel
today from Diane VanDe Hei how they are implementing their
information-sharing analysis center in an extremely diverse
sector. It is representative here. I think one thing we have to
be careful of is, these sectors are extremely diverse and we
have to ensure that whatever we create today can survive not
just in what we know about current diversity, but emerging
diversity.
I do not know if that answered your question fully enough.
I would be happy to add more, but I do not want to take any
more from Mr. Newstrom's time, but I would be happy to address
this more.
Mr. Newstrom. Thank you, Chairman Cox, for the question. I
was hoping to get away without getting a question. Mr.
Liscouski was doing such a great job in answering the others.
Let me talk about the second part of that question, which
was how it works together; what kind of fragmented information
we are getting right now. As I say that, I also commented about
how it has gotten substantially better. In fact, it has gotten
exponentially better in the last 12 months since the inception
of DHS and the creation of ICD and NCSD. Prior to that, let me
suggest the information flow was fragmented. It was not
focused. Around cyber security, it almost did not exist or it
was sporadic at best.
Now, with ICD, with NCSC, what Mr. Yoran is doing, what Jim
Caverly is doing, it is programmatic. It is institutionalized.
Even better, they have developed a partnership model with state
officials, with local officials as well as the private sector.
It is very apparent that that is the methodology, that is the
direction that DHS is going. So we applaud that direction. We
ask that we continue that direction.
Certainly, there is still some fragmentation that I
addressed in a couple of my comments. I hope that over a period
of time, hopefully of a short period of time, we can even
address those. But I do want to comment that the communications
in the last six to eight to twelve months has been
substantially better than it was prior to that.
Does that answer the question, Chairman Cox?
Mr. Cox. I think what Mr. Liscouski wants to know, let's go
to that question.
Mr. Liscouski. Let me just address how we are trying to
better coordinate. Let me just qualify this as a preface by
saying, I clearly understand that there were gaps in our
information flow in the past. We did not know what the FBI was
sending out. The FBI did not know what we were sending out when
we first got started, as well as all the other agencies. We
addressed that very quickly with the FBI. We have coordinated
alerts going on. We still may send them out independent
channels. The FBI has the responsibility of sending it out to
the state and local law enforcement authorities, over which DHS
does not have domain, and we with the private sector and our
state and homeland security advisers.
We are reconciling the fact that the creation of the
messages that go out now are coordinated and co-developed and
cleared off on by both agencies. That is a step in the right
direction. As Mr. Newstrom pointed out, we still have other
agencies in the Federal Government that are sending out alerts,
and we are reconciling that through the Homeland Security
Presidential Directive Seven effort, which is really
articulating some of the rules of the road, not just the lanes
in the road, of how we need to communicate so we have a good
message.
In the past, I was concerned that when messages went out,
one message said black, the other one said white, to the same
audience from two different senders, that would cause
confusion. Now, we may have two different senders or multiple
senders, but a much more consistent message says white from all
the senders or black from all the senders, so we have
consistency around the messaging.
To that end, and getting more consistency around that, let
me just address a couple of different ways we are doing that.
When it comes to a significant incident, particularly in the
cyber arena, Mr. Yoran has created the Cyber Interagency
Incident Management Group which stands up with not just the
Federal partners, but state and local and the private sector to
address incidents that have to be actively and dynamically
managed. He chairs the Chief Information Security Officer
Forum, or CISO Forum, which is an education and networking
venue for government security executives. Again, it is not just
alerts and warnings, but we are getting consistency around best
practices through that forum, as well as the G-FIRST, the
Government Forum of Incident Response and Security Teams, which
is a 24/7 government-oriented group that does an analysis that
accelerates and enhances an agency's ability to identify a
cyber crisis.
So we have a number of forums, depending upon the
particular audience, that gets more coordination and
centralization of the problem-solving approach and the alert
mechanisms that are going out there. We have work to do, but we
are on the right path. I am confident that as we continue to
move along this path, we will get more consistency, so that
stakeholders like Mr. Newstrom and others will not have to
worry about getting multiple messages from multiple providers.
Mr. Cox. Thank you.
Mr. Thornberry. The Chair recognizes the Ranking Member of
the full committee, Mr. Turner.
Mr. Turner. Thank you, Mr. Chairman.
Mr. Secretary, I continue to be amazed at the challenge
that you face. I sometimes wonder if we are really serious
about carrying out the task that was given in your directive in
the Homeland Security Act, which calls for development of that
national assessment of threat and vulnerability, from which the
Congress envisioned being able to then set priorities for
funding, and also to allow the Department and the government
generally to know where to allocate its resources in terms of
protecting against terrorist attack.
We know the Presidential Directive Number Seven that you
referred to postponed in my view the development of the
identification of the critical infrastructure by at least, as I
can read it, a year, because it says by the end of 2004, you
are required to develop a plan to develop a strategy to
identify, prioritize and protect critical infrastructure. I
know Admiral Loy mentioned on one occasion that he thought this
job ought to be done in a year. You were before this committee
a few months ago. You said 5 years was a reasonable timetable.
When we look at the staff that you have available to you, I
believe you have, if my numbers are correct, about 172 people
on board, with the responsibility of trying to carry out this
task of assessing and identifying our critical infrastructure.
It just seems to me you have a task that really requires you to
come in here and tell us what it is going to take to really get
this job done in a reasonable period of time. I think I hear
you saying to us that you are relying a lot on the ISACs and
the voluntary cooperation of the private sector. That is good.
That is important and I support you in that. But to really do
what the Congress mandated in the Homeland Security Act in any
reasonable time it seems to me it is going to require much
greater commitment in terms of personnel to ever get this job
done right.
I look just at the chemical industry, where you mentioned
you plan to visit, or have identified 360 sites that you think
are at high risk. I think you visited a few of those sites. I
think I saw the numbers here earlier. You have a lot of work to
do. I think I just heard you say you may not even be able to
visit them all. You may rely on our state partners to do that.
I am not even sure we have the authority to go look at those
chemical sites, in terms of getting onto the premises and to
evaluate them.
So you have that responsibility that seems to be virtually
in a posture where you are going to have a very difficult time
accomplishing it in any reasonable period of time. Then you
have this responsibility of trying to solicit information from
the private sector under the Protected Critical Infrastructure
Information Program that you have just issued rules on, which
is supposed to encourage industry to voluntarily tell you about
their vulnerabilities. Yet all I am hearing is that industry is
not satisfied with the regulations and is not sure they can
trust this agency, so they do not know if they want to tell you
anything or not. You have 32 employees dedicated to that
program, with collecting that sensitive information. The budget
is $3.9 million. My notes say that we have only received
information from two companies and two associations to date.
So I really think that what I would like to hear from you
regarding is, what do you really, in your gut, feel it is
really going to take to do this job in a reasonable period of
time? I know it is easy to say, well, I have my budget and this
is all they have given me to do this job and I am going to try
to do it the best I can and put the best face on it I can. But
you are the person there that is in charge of all this. What I
would like to have from you is some candid assessment regarding
what you really need to do to get this job done in a reasonable
period of time. I do not believe you have the staffing or the
capability or the momentum or the support of the private sector
yet to really ever get it done.
Mr. Liscouski. I was hoping you would ask me that question,
because this seems to me a perception we have to kill. The
comment that I made last time, the first time I testified
before you and said it was going to take us 5 years. I think
that was taken entirely out of context. As I stated to Ms.
Lofgren earlier, if we are doing our job right, we will
continually revisit that process. The national assessment of
our critical infrastructure is not just dependent upon what DHS
is doing. It is clearly dependent upon what the state and local
governments are doing; what the private sector is doing; and
our other Federal agencies.
That process has been ongoing and we have created a list.
We started this process back in March 2003 with 160 sites based
upon the Liberty Shield list that we stood up for, the Iraqi
war back in March. We have grown that list to over 1,700 high
priority sites, and a total list of 33,000 sites and are adding
to it daily. We are continuing to add to it because we get a
lot of input from our state and local partners and the private
sector on what is critical and what is not. That list is going
to continue to grow and we are doing assessments, both economic
as well as physical and cyber vulnerability assessments on all
those.
It is a significant amount of work, but I think we are
making very good progress on it. And yes, we are wholly
dependent upon the cooperation we get from the private sector
and state and local government. But I will tell you right now,
the private sector, and this is another perception that if I do
nothing today but tell you how much the private sector has
stepped up to the plate to help us and had been doing this long
before DHS came along, they have been doing a heck of a job.
When I was in the private sector, we regularly cooperated with
state and local law enforcement and the Federal Government to
ensure that we could coordinate and communicate our
vulnerabilities.
So, is there hesitation? Yes, there is hesitation because
it is a trust model that we have to build, but I think we have
a good stab at it. We are doing a very good thing with the
congressionally enacted PCII. Are we getting a low response on
it? I am thankful we are, because we have to do a lot of
marketing and outreach to the private sector to ensure that we
create the right model for them to ensure that they have the
trust model for DHS, but I think the mechanism is there. The
public comment period is still open, which I think will be open
until mid-May.
I am not surprised we had a slow start out of the block. I
was hoping for a slow start out of the blocks because I was
fearful that we would get too much information to be able to
handle it. Thankfully, we have not. So I am very pleased with
the mechanism we have created based upon congressional guidance
to ensure that we could provide better protection for the
private sector based upon their requests. I am confident that
we will continue to grow that program over time.
Let me just go back to the beginning of the question, the
very first question. I would like to take as much time with you
personally to get you to understand our methodology in this
process. The quantification of the metrics that we are trying
to use to get output from the activities that we are engaged in
is one in which there still has to be some research on. When we
look at critical infrastructure protection, there are three
major components against which activities have to be applied:
physical, cyber and people. When we look at the vulnerabilities
that are represented in those broad domains, we very
aggressively identify the assets the vulnerabilities
represented in those assets across each one of those common
themes, from people, physical, as well as cyber. We put
programs to be able to remediate and lower those
vulnerabilities.
But the output and the measurement of what is being done,
and to be candid with you, from a very private sector
perspective, it is not just putting money into the program; it
is making sure we have the right activities going on that can
be consistently measurable and consistently applied over time,
that the outputs can give us good indicators about what is
being done, and not just what is being done and is not being
done, but is it being done well enough to address the threat.
My vision on this, and this is going to take some time
because the technology does not exist yet, is to create a
national scorecard that allows us to identify where are we in a
given sector; how well does it look. Those metrics and that
quantification of these things, which has never really been
done before in the security industry, is something with which
we have been working in the academic and the private sector on
identifying.
So to your point, my goals in terms of what we can do with
this progress and this approach, is precisely to your point:
identifying the key priorities; where do we need to put the
funding stream; identifying who is doing what program and well,
so with our Federal partners in HSPD-7, we are working with OMB
to ensure that we get the metrics outputs to ensure that if a
department has X million dollars placed against a specific
requirement, that they are performing that. And ``performing''
does not mean are they spending money on time; ``performing''
means are they actually addressing the vulnerabilities and
reducing vulnerabilities, and is there a measurable way that we
can identify the outputs to ensure that we get some high degree
of confidence of how well we are doing our programs.
So you are precisely on the right track in identifying what
are the major priorities and challenges here, and that is
exactly what we are addressing. It is not an overnight process.
I am very prideful of the fact that what DHS has done over the
past year has been something that we can measurably identify
how we have addressed the vulnerabilities. It is more than just
a few chemical sites. Across all the sectors, we have done a
great job. The folks working for us, they have really worked
hard and they are working hard. It is not about DHS. It is
about working with all of our Federal partners and state and
local.
So I think the things that we are doing, we can tell a good
story. The biggest challenge we have is getting those metrics
that allow us to in quantifiable terms measure the progress
over time and identify the funding profile that you and your
committee are so concerned about. We are doing the right thing
and we can show what we are doing.
Mr. Thornberry. I thank the gentleman.
The gentleman from North Carolina, Mr. Etheridge.
Mr. Etheridge. Thank you, Mr. Chairman.
A couple of questions. Mr. Liscouski, I am going to start
with you because you talked about the risk assessment
vulnerabilities. Let me ask you one question. You talked
earlier about coordination with other Federal agencies. What is
the nature of the coordination between DHS and other Federal
and state agencies as it relates to developing the national
plan to deal with the appropriate countermeasures to combat
agri-terrorism, which deals with our food supply and a host of
other areas. Can you give us an update on where that is?
Mr. Liscouski. Yes, sir, I can. Recently, another
Presidential Directive, HSPD-9 addressed bioterrorism and
specifically the responsibilities in the agricultural industry
that needs to be addressed by Agriculture and HHS and others
that are partnering up in that space. We are coordinating that
effort again under HSPD-7. I apologize for using these
different directive numbers, but for critical infrastructure
protection, to ensure that we have a holistic look on all the
critical infrastructure sectors.
So in direct response, I would say that this is an area
that we really need to give some very sharp focus to in terms
of not just working with state and locals, but with the Federal
agencies and ensuring that Agriculture and HHS would have
respective leads in this space, and have the appropriate
outreach, the appropriate mechanisms to ensure that the state
and local governments are doing what they need to be doing, and
they are facilitating that process.
Mr. Etheridge. I do not want to interrupt you, but do you
have a timeline?
Mr. Liscouski. A timeline for?
Mr. Etheridge. Completion, or at least a marker of where we
can work from. This happens to be very important, because it
fits what you talked about and deals with our food supply, not
only here, but internationally in what we ship.
Mr. Liscouski. That specific plan is in process. I cannot
give you an accurate timeline at this point because that plan
is in process. I am afraid whatever I tell you today is going
to be inaccurate.
Mr. Etheridge. Would you get back to me?
Mr. Liscouski. I welcome the opportunity.
Mr. Etheridge. Let me follow that up, because it follows
that same thinking to some extent. I will not ask that
question, but I will just put it in so you can follow later,
because it deals with, several years ago we had a problem with
our school lunches and the food supply and the problems that
fell out from that. Let me ask what DHS is doing as it relates
to, you said earlier, its products, facilities and people. We
have seen in just the last couple of days what happened in Iraq
with the bombing that took place there and a number of school
children were killed. Can you tell me what is being done or
what coordination is being done as it relates to our schools if
a terrorist attack should hit?
Because we are looking at millions and millions of children
in this country who go to school every day. Many are in
buildings, but a large number now find themselves in what we
call makeshift trailers. I hate to call attention to it, but
there is a tremendous problem because they are isolated. What
is being done? Has any assessment been done as to the
comparability of protection within a brick and mortar building,
to students who happen to find themselves, along with staff, in
an isolated makeshift structure?
Mr. Liscouski. Yes, sir. I can address that specifically.
We have been working with the Department of Education, which as
you know has a significant outreach capability broadly across
the United States in K-12 as well as the university system. We
met recently with Under Secretary McPherson and Deputy Under
Secretary Price to incorporate them into our planning for
HSPD-7, to directly ask them for their plan. In fact, we are working
very collaboratively with them.
As you know, the education system is not identified as one
of the critical infrastructure components of the Homeland
Security Act, but we have the latitude of identifying other
sectors as necessary. That sector is being addressed both
directly and indirectly through my office's Soft Targets
Branch. We regularly look at soft targets, which schools are
one of, to address those specific types of requirements.
I cannot tell you specifically if we have looked at the
analysis in the school environment of the impact of a trailer
versus brick and mortar. I know we have done that in others.
Mr. Etheridge. Would you follow up on that?
Mr. Liscouski. I certainly would, sir.
Mr. Etheridge. I appreciate it.
I know my time is almost up, but Mr. Newstrom, I have one
for you. As Virginia's Chief Information Officer, what specific
support would you expect from DHS or other Federal agencies,
for that matter, if your computer system was attacked and was
down for more than several days, and you were out of business,
knowing that you have to have an off-site facility, but let's
say it was damaged and out of space. Do you think the Federal
Government could give you the expectations that you have? If
so, what would you like to see us do?
Mr. Newstrom. I am not sure that we look toward the Federal
Government in that specific scenario. We have established
backup plans. We have established backup facilities. We have
been redundant in those facilities and those plans. We work on
and practice those plans. We also go to the private sector to
ensure that we have not only internal Commonwealth resources
that are backups and redundancies, we also have backup with the
private sector.
From a Federal Government perspective, what I would see if
there is a catastrophic outage in a region of the country. For
instance, if there is an electrical outage; if there is a major
telecom outage; I would ask that our resources work together
very, very closely on that. But on the normal outages that you
described, I think it is our responsibility to address those.
Mr. Etheridge. Thank you, sir.
Thank you, Mr. Chairman.
Mr. Thornberry. I thank the gentleman.
The Gentlelady from the Virgin Islands, Mrs. Christensen.
Mrs. Christensen. Thank you, Mr. Chairman.
I want to welcome our witnesses this morning. I have a
concern, as I always do, about where health fits into the
picture. My first question would go to Mr. Liscouski. We had a
hearing or a briefing about a month ago on ISACs. At that time,
health was not established. In the GAO report which we will
hear about in a little while, health is not listed. I am
assuming that is because it is not established.
Where are we? Is health not a priority in this area? Has
something happened between the last briefing and today?
Mr. Liscouski. Yes, ma'am. I think the ongoing work that is
in progress there is that we have been working with the general
health sector, both within HHS and with the other more diverse
components, to establish their ISAC. It is a work in progress.
It has not been listed by GAO, nor is it on our list because it
is a work in progress. We do not believe we have consensus
around who establishes what. I recall from my notes, and
forgive me, I am not going to go through them, but I believe,
as you well know, it is one of the more diverse communities in
which to work. One of the challenges is establishing leadership
in that community within one particular organization for the
ISAC.
My sense is, and I would be happy to correct this later in
subsequent research to get back to you in writing, but my sense
is because it is so diverse we may wind up creating many sub-
components of the ISAC, which may be aggregated up into one
larger health ISAC. It is clearly on our radar screen as a
priority, ma'am. So I just indulge you to not make a judgment
that it is not a priority for us. It is.
Mrs. Christensen. OK. Is there lead responsibility in the
Department? Has that been identified? Or the divisional
responsibility within DHS?
Mr. Liscouski. The Infrastructure Coordination Division, of
course, has the coordination requirement. Under HSPD-7, the
sector-specific agency is HHS. Correct me if I am wrong on
that. I should know this off-hand. But there is a sector-
specific agency established under HSPD-7 for the health sector.
We are working with them to ensure that we have the sector
aligned and coordinated to establish the ISAC.
So to answer your question, yes, ma'am, there is a sector-
specific agency responsibility for health.
Mrs. Christensen. OK. Mr. Newstrom, is health fully
integrated into NASCIO's program within the State of Virginia?
Mr. Newstrom. Health?
Mrs. Christensen. The health sector.
Mr. Newstrom. It is fully coordinated and integrated right
now. We are still working with HHS particularly on some of the
communications capabilities through the states. They have a
very good program within their sectors, but it is very
programmatic. We are encouraging HHS particularly to focus
through NCSD to channel their communications to the states. Our
entire issue is fusing the information, rather than the
stovepipes that Mr. Liscouski has talked about.
Mrs. Christensen. OK.
Mr. Liscouski, you have said that there is a great reliance
on the private sector in the development of the assessments,
and 85 percent of the assets are owned by them. Are there any
inherent conflicts between the objectives of the private sector
and the objectives of government and the Department that have
been identified, that had to be resolved as this process has
been developed? And how did you resolve them?
Mr. Liscouski. No, ma'am. I think the biggest challenge we
have had is on the information-sharing side, with the
vulnerability assessments back from the private sector and back
into DHS. That is what is being addressed through the Protected
Critical Infrastructure Information Act, the implementation of
that.
As I pointed out earlier, to make a general statement, and
you can always find exceptions to this, but the private sector
is stepping up to the plate of their responsibilities to ensure
that they understand what is vulnerable for them and in sharing
that with state and local governments, those who are
responsible for protecting, and ultimately with DHS. So again,
just to reiterate, I believe the one challenge which I think we
are addressing is the information sharing between the private
sector and DHS.
Mrs. Christensen. OK. My last question, and you have
probably been asked this both at the budget hearings and in
several different ways here today, but you said you do not have
sufficient bandwidth to do the assessment. That is why the
private sector is really responsible for doing that and getting
that information to you. Other testimony says that DHS has
limited resources. We have seen very close progress. A lot of
the questions have been around when is the assessment going to
be in place. You have said the synchronizing and harmonizing of
disparate parts is something that is still ongoing, and getting
a complete situational awareness picture is something that you
are still working on.
The Department has the primary responsibility for the
protection of our critical infrastructure. I am just concerned
that if these limitations exist and that we are not getting the
full picture of what you really need in your budget to ensure
that you are able to carry out the mandate of your directive
and the Department.
Mr. Liscouski. No, ma'am. I need to correct your statement.
I do not mean to be presumptuous, but the comment I made about
sufficient bandwidth is not relevant to do we have the
capability and the necessary resources. We do. You could give
me more money. It is not a money issue. What it is is that the
information that has to be collected is not about what DHS can
do. Nor would I suggest to you that this is a responsible role
for the Federal Government to do it all. The Federal
Government, and this is a national problem, you would not
create a mechanism as big as you would need to collect all the
information you want.
So the appropriate approach is the one that was created
with the Department of Homeland Security, which is clearly a
coordination-collaborative approach with our state and local
partners, with other Federal agencies to ensure that we can get
them to do what they have to do. That is precisely what we are
doing. It is leverage. It is not about bandwidth, necessarily.
What I meant about bandwidth is all the things that would scope
into that, time, and the enormity of the complexity of the
task.
This is not, do we need to have more resources at the
Federal Government level to do all this work. This is about
working with our partners and our stakeholders to get them to
do what they need to be doing. That is the essence of this. At
the end of the day, the questions and the concerns we need to
be addressing here are developing and creating consistent
sustainable programs which are effective and measurable over
time, that can answer the big questions of, are we protecting
what we need to be protecting? And are we really doing it well?
That is the process we are developing. Again, level-setting
the expectations here, this is not going to happen overnight.
If I had a magic wand, if you all could tell me if there is one
thing you could give to me that would allow me to do my job
better, it would have to be a wand that I could just broadly
push across the United States and say, it's protected. But it
is a process. It is a process because our economic system and
everything we have built in this country is predicated on being
open. Our openness which is our greatest strength is our single
biggest vulnerability.
So it is an enormous thing to address. It is not about what
DHS can do. It is about mobilizing the American public. It is
about engaging with the private sector and the state and local
governments to ensure that we all know what we have to do and
we can measure it in a way that we can tell with confidence
that we are doing the right thing.
So again, I just want to correct a misperception I have
created, which is not about do I have enough resources. It is
about we all have to mobilize at all the levels of Federal and
state and local governments to do the right thing.
Mr. Thornberry. I thank the gentlelady.
The new member of the committee, the gentleman from
Kentucky. Welcome. You are recognized for 5 minutes.
Mr. Chandler. Thank you, Mr. Chairman. It is nice to be
here.
Mr. Liscouski, thank you for your testimony. Thank you for
being here today. I am interested in some information regarding
our efforts to protect and secure critical Federal facilities.
For the past several decades in Central Kentucky, our citizens
have lived next to a potentially dangerous chemical weapons
stockpile. This is the Bluegrass Army Depot near Richmond,
Kentucky. It contains well over 500 tons of chemical weapons,
nerve gas, mustard gas, that sort of thing.
In 1988, in its environmental impact statement, the
Department of the Army identified that in a worst-case
scenario, an incident that would occur at this depot could
result in plus or minus 15,000 fatalities in our area. So you
can imagine that this is something of great concern to us.
What I would like to know is what type of information-
sharing activities are occurring right now between the
Department of Homeland Security, the Department of Defense,
state and local governments, first responders, all those folks,
to ensure that we prevent and are prepared to respond to an
accident or a deliberate attack on facilities like this one,
Federal critical infrastructures.
Mr. Liscouski. Sir, you pointed out a key stakeholder in
your question, and it is the Department of Defense which has
responsibility for the defense industrial base and the supply
chain that feeds that, and that is clearly a component of that.
But we partner up very closely with DOD. They have a very
robust capability on critical infrastructure as it relates to
their facilities. Their partnership with state and local
governments is something we have integrated our efforts with,
as well as our response and recovery efforts.
I can speak to them at a top level. As you well know, that
is outside my directorate, but working with state and local
first responders under the directorate for EP&R, I do not know
if exercises have been held directly in that jurisdiction, but
I can get back to you on that.
Mr. Chandler. If you would, please do. That was another one
of my questions, whether exercises would be held. I do not
believe that they have been. I am very curious to know whether
there are plans in the works to hold exercises to make sure
that our folks are ready.
Mr. Liscouski. Yes, sir. I would be happy to get back to
you on that.
Mr. Chandler. I appreciate that very much. You all are
working with the Department of Defense, though, on these sorts
of issues; working very closely, but as I understand it, you
are not aware of precisely what has been going on.
Mr. Liscouski. At that particular site, sir, I do not know.
I cannot tell you that specifically. I would be happy to get
back to you on that one.
Mr. Chandler. OK. If I may just add one other question. You
may want to get back to me on this as well. If there was an
attack on that depot, we have already in place, and this is a
team that pre-dated the creation of the Department of Homeland
Security. It is the 41st Weapons of Mass Destruction Civil
Support Team. It is based in Louisville, Kentucky. It is
currently responsible for responding to a disaster at that
facility. I am interested in knowing whether DHS has gone back
to that team and checked on working out some sort of
information-sharing arrangement with them.
Mr. Liscouski. Sir, I will have to get back to you on that.
Mr. Chandler. OK.
Mr. Liscouski. Thank you.
Mr. Chandler. Thank you very much.
Mr. Thornberry. I thank the gentleman.
The gentleman from Maryland.
Mr. Cardin. Thank you very much, Mr. Chairman.
Let me thank both our witnesses for their testimony here
today. I find it very informative and very helpful.
I want to talk about the National Capital Region for one
moment, if I might. Tomorrow, the House of Representatives is
going to be talking about the continuity of the House of
Representatives in the event of an attack against us. I have
many concerns about how well we are prepared in the National
Capital Region itself. I know that there are committees that
have worked on it. I know there is cooperation between Maryland
and Virginia and the District of Columbia and the Federal
Government. I am concerned somewhat that I believe the region
that has been included in the studies is somewhat small, with
a restricted number of counties within Maryland and Virginia. I
represent Annapolis. I represent Baltimore. I know that there
is an episode that occurs at a chemical plant in Baltimore and
it will have an impact on the National Capital Region. I know
that on any given day trying to get out of the nation's capital
is a challenge. If we have a national emergency, it is going to
be impossible.
I just want to get some assurances from you that clearly
progress is being made here as to how we can be prepared. We know
that this is the seat of government. We know that it has been a
target of terrorist attacks. We know the tremendous interests
of this area in disrupting our government. So can you just
share with us as to what special considerations are being made
in regard to the National Capital Region and how it is
affecting the surrounding jurisdictions beyond just the
immediate counties in Virginia and Maryland that are directly
working with you.
Mr. Liscouski. Sir, I appreciate your question. I am going
to have to defer to Under Secretary Mike Brown who is
responsible for the response requirements through the NCR. I
can tell you just based upon my level of understanding and
engaging on the critical infrastructure protection side, that I
have knowledge that there are regular exercises being conducted
throughout this region, which address some of the concerns you
have. But to give you more confidence, I just request to defer
that to Under Secretary Brown for a response.
Mr. Cardin. Let me bring you into this discussion, because
you are making assessments of the nation's infrastructure
sensitivities and priorities. I would just urge you that the
Federal facilities located in the National Capital Region and
surrounding areas are particularly vulnerable. The stress on
local governments is particularly great. The chemical plants in
Baltimore present an extra challenge. All chemical plants
present challenges. The fact that it is located close to the
nation's capital makes it an even more sensitive target. The
Federal facilities located in Annapolis or located along I-95
close to the nation's capital are particularly vulnerable
because of location.
As you are making your national needs assessment, is
location, those types of considerations, going into the
equation as to the type of fences that we need to put in place?
Mr. Liscouski. Yes, sir, it is. We have been doing a lot of
work, as you are probably well aware, with state and locals
here in the National Capital Region, doing the assessments for
the various infrastructure components to include the Federal
facilities. We have I think a robust capability there in
understanding not just what we have to do to protect, but the
actual protection of those facilities has been equally as
robust.
So yes, sir, to answer your question, we are working very
closely with the state and locals. We understand that there are
some limitations. We are trying to supplant those limitations
through the ODP grant process, but we are working very closely
with them. So from a protection standpoint, we have very good
clarity around the vulnerabilities that are here, as well as
the protection requirements that are needed to mitigate those
vulnerabilities.
Mr. Cardin. Did you want to respond?
Mr. Newstrom. Congressman, in my written remarks I address
the NCR specifically. In addition to what DHS is doing, the
Governors of Virginia and Maryland and the Mayor of the
District of Columbia have met together on this specific
subject. In fact, because of funding through and by DHS, we
have an initiative called the Urban Area Security Initiative,
which specifically focuses on the National Capital Region and
first responders. We have come a long way since 9-11.
Mr. Cardin. I was just going to point out that the concern
we have with that is it is the restricted jurisdictions that can
participate within Maryland and Virginia. When you look at
trying to evacuate people from the nation's capital, you need
to look beyond just the immediate counties in Maryland and
Virginia. As you look at protecting infrastructures, you need
to also look beyond those counties.
If you live in Anne Arundel County, Maryland, where many
people commute into Washington, D.C. or you live in Frederick
County, you are very much impacted also. We are concerned that
there is a limited interest and it needs to be expanded.
Let me let you continue on that.
Mr. Newstrom. Congressman, you are absolutely right. I
could not agree with you more. In fact, the initial steps were
originally around communications and the lack of ability by
policing entities from the different jurisdictions to be able
to communicate during and after 9-11, including the military.
So that was addressed very, very early. But around
transportation and the issues that you bring up, we are still
in the infancy stages of trying to define that.
Mr. Cardin. I would just urge you to give it a higher
priority.
Thank you, Mr. Chairman.
Mr. Newstrom. Yes, sir.
Mr. Thornberry. I thank the gentleman.
The gentleman from Washington.
Mr. Dicks. Thank you.
Mr. Liscouski, I am very concerned about something. It is
my understanding that your directorate has compiled a critical
asset target list for each state, and forwarded that list to
each state's primary point of contact to begin planning
security enhancement activities. I have reviewed this list of
critical assets in Washington State and I am deeply concerned
by several obvious omissions that fit well within the criteria
presented.
I have discussed this issue with my state's homeland
security adviser, who has told me that there was very little
opportunity for comments and revisions coming from the state
and local level. It is absolutely imperative that a list of
critical infrastructure be developed. I could do this. I think
any member of Congress could sit down in about 10 minutes in
their own district and write down a list of critical
infrastructure. If you have 170 people down there, I cannot
understand why it is taking so long to get this job done. I
worry about the gaps.
When you have a list that does not. . .you have the Seahawk
Stadium, you have the Husky Stadium, but you do not have Safeco
Field, the Tacoma Dome, the Port of Seattle, the Port of
Tacoma, Grand Coulee Dam. . .talk about a national icon. . .the
Boeing Company and Microsoft. None of them are on the list,
including the Puget Sound Naval Shipyard in my hometown of
Bremerton, Washington, which overhauls and repairs every major
nuclear ship on the West Coast; the Trident Submarine base, we
have nuclear missiles and nuclear weapons.
What is going on here? This list that I saw is the most
pathetic exercise I have ever seen since I have been up here.
There are a lot of pathetic things I have seen in 28 years in
Congress, but this is the worst I have ever seen. I could have
done this myself and done a better job. I do not understand who
is doing this. Who are they talking to? This is serious. It is
not getting done and I am very concerned about it. Can you give
me some assurance that we are going to get this thing
straightened out, that somebody will talk to the people in the
State of Washington? To General Lowenberg who is the Governor's
assistant, and get a credible list of things put on this thing?
Why is this not happening?
Mr. Liscouski. Thank you, Mr. Dicks. I am a little
surprised at the characterization from the homeland security
adviser that he has not been contacted or has not had any
input. In fact, the purpose of sharing that list is to solicit
the input.
Mr. Dicks. But the list has already been put out. Here it
is. They should have consulted with them before they put out
the list.
Mr. Liscouski. I will certainly get back to you to find out
if they had or had not been consulted.
Mr. Dicks. I have the list right here. None of these things
are on there. This is like the crown jewels of Washington
State. Every one of them is missing from this list. I just
cannot believe that this is happening.
Mr. Liscouski. Mr. Dicks, I just want to caution. We
typically do not publicly disclose the assets on that list. So
to talk about it in any degree of fidelity here, I would
suggest--.
Mr. Dicks. None of them are on there, so I have not
discussed anything that is on there.
Mr. Liscouski. To my point, I would be happy to discuss
with you in a separate setting--.
Mr. Dicks. To discuss the things that are not on there?
Mr. Liscouski. Sir, to my point, I would be happy to
discuss with you in a private setting where we can talk about
specifically what is on the list and what is not on the list,
but I do not think this is the appropriate forum right now.
Mr. Dicks. Can you answer this question? Let's go to the
process. Why is this thing so screwed up? With all due respect,
I do not get any sense of urgency here.
Mr. Liscouski. There is a significant sense of urgency,
sir. Again, without commenting on the specifics of that list, I
will go back and review the process and I would be happy to sit
down with you and talk to you about how that list was
developed. If there are gaps, we would be happy to correct
them. The mandate is for my folks to make sure we absolutely
engage with all the respective stakeholders at the state and
local sectors to ensure we have it right. I will be happy to
review it and get back to you, sir.
Mr. Camp. Would the gentleman yield just for a brief
moment?
Mr. Dicks. Yes, I yield.
Mr. Camp. The subcommittee did hold a classified briefing
where the Secretary did bring the full list. It was available
for all members to review who attended that briefing. I would
be happy to work with you to try to make sure so that not only
there, but other places--.
Mr. Dicks. The list that we have right here, this is not--.
Mr. Camp. It is classified, so we did not take any paper
out of the room, but I know that Ms. Sanchez was there and it
might have been difficult for other members' schedules to
attend that particular classified briefing. I know the Chairman
was there and others. But we had an opportunity to review this
list and we all looked at various assets from our states and
made comments.
Mr. Dicks. Apparently we were only given 24 hours notice of
that, but I appreciate the fact that you did it. I do not want
to be critical of that.
Mr. Camp. We did have more notice than that because we
worked on it for a long time to get it put together. So I would
dispute that it was only 24 hours notice, frankly.
Mr. Dicks. That is the actual time of the meeting.
Mr. Camp. Yes.
Ms. Sanchez. Would the gentleman yield?
Mr. Dicks. Yes, I yield. I am just worried about this.
Mr. Camp. We did have an opportunity to look at that.
That is just my point. Thank you.
Mr. Dicks. OK. I yield.
Ms. Sanchez. We are trying, I believe, to set up another
meeting with more notice to do the same thing. It is a
classified list. There are things that are omitted from that
list, even from my own district. You only get to look at it
when you are in there, but hopefully you can attend the
meeting; you can take a look at what is really on the list. I
do not know if that list is what is the list that we took a
look at when we were in the private meeting.
Mr. Dicks. Maybe there is a separate list that we were not
told about. This is what I was presented. The reason I am
concerned is there are a lot of things that should be on that
list that are not on there.
Mr. Liscouski. Sir, maybe if I can just have one final
comment, without drawing this out. The states were required to
submit their list, sir, so I suspect if we did not receive
their input, and again I will go back to our group to address
this, but there are a couple of different reasons as to why the
list you may have, it may be old or out of date, I am not quite
sure what, but we did not do anything without the state's
input, sir.
Mr. Thornberry. Does the gentleman yield back?
Mr. Dicks. Just for one second. The list we have is the
list that was given to the Adjutant General. He was quite
concerned about it and made that clear and made it clear to us,
the members of the delegation for the State of Washington, that
he was quite upset about it. Washington State has been as
forward-leaning as any state that I know of. They have done a
complete statewide plan. In that plan, it talked about all
these other issues that I mentioned that are not on this list.
So to me, I just hope we can get this straightened out.
Mr. Thornberry. I thank the gentleman. This is obviously
not an issue before my subcommittee. It is Mr. Camp's
subcommittee. When we are talking about information sharing, if
there are classified lists that are floating around in a way
that classified information is not supposed to be handled, I am
a little concerned about that.
Mr. Camp. Would the Chairman yield?
Mr. Thornberry. Sure.
Mr. Camp. I would be very concerned if the Adjutant General
is sharing that list in that format in an unclassified way,
frankly. That is not appropriate. So if that is the way that
information is getting out, I would question its accuracy and I
would certainly question the process.
Mr. Dicks. It was not presented to him in a classified
format.
Mr. Camp. It is probably not the correct list. So I think
what we need to do is have another classified briefing.
Mr. Dicks. We have to sort this out. I will be glad to
apologize to anyone if this is not the list, because when I saw
this list I frankly was outraged, as you can tell.
Mr. Camp. The purpose of the meeting was to make sure that
members did have an opportunity to review lists from their
states, because we do think that it was in a classified setting
inside the SCIF so that it was a confidential meeting. I will
be glad to work with the gentleman to try to set up an
opportunity.
Mr. Dicks. Let me just for the record, the person who
presented this list to the state was James McDonnell,
Protective Security Division, U.S. Department of Homeland
Security.
Mr. Camp. It may not be a complete listing of all of the
assets on the classified list. We will get to the bottom of it.
Thank you, Mr. Chairman.
Mr. Dicks. I appreciate the gentleman's help.
Mr. Thornberry. We are ready to move to the second panel.
Does the gentlelady from Texas have questions she would like to
ask of this panel?
Ms. Jackson-Lee. Yes, I do.
Mr. Thornberry. The gentlelady is recognized.
Ms. Jackson-Lee. Thank you very much, Mr. Chairman. I was
in a hearing with both the Chairpersons and the Chairman of the
full committee that I hope we will have, and that is with
Secretary Powell and Governor Ridge on the request for an
extension of the biometric passport. So I apologize to the
witnesses for my delay, but let me just ask one pointed
question to the Assistant Secretary.
Just for your information, I know many of us come from
areas that have their own critical infrastructure, but coming
from Houston, Texas obviously the refineries and the chemical
plants are very well known. In fact, in the last four to six
weeks, we had yet another explosion in the area that impacted
neighborhoods and impacted people. We are grateful that it was
a technical or an infraction that had nothing to do with
terrorism, but you can imagine the sensitivity to this issue.
So let me just cite specifically what we seek. I think that
you may be aware of a recent news program that highlighted the
conditions of chemical plants, and I might say the outrageous
condition of chemical plants, open gates, lack of guards,
dilapidated fences, all allegedly protecting chemicals that
could potentially kill or injure tens of thousands or even
millions of people nearby.
We know the ISACs are working on communication. I
understand that DHS is developing a best practices, but it is
hard to imagine that every plant manager does not already know
or that we cannot simply get out a manifesto to every plant
manager by way of inventorying all of these plants wherever
they might be, that closing the gates around tanks of chlorine
gas a mile from a school is a best practice.
So my question is, how can we secure the homeland when even
these simple tasks are not being done? One, has your particular
area done the risk assessment that many of us have been calling
on for a long, long, long time? Have you done that in the
context of getting out the simple to-dos, such as closing
fences, fixing gaping holes in fences, providing some kind of
lock system, trained security personnel? And do we have a
manifesto of sorts, a document that can easily be understood by
the myriad of chemical operations around the country?
I can assure you that we in Houston and the parameters of
our area have been faced with explosions throughout our
lifetimes. We have been fortunate that it has not been the
massive catastrophes that a terrorist act could bring about,
but we have lost lives. So I am very concerned, one, that we
still sit here in 2004 without a risk assessment. I would ask
you if you could respond to that, as well as any simple tasks
that have been given to these operators of these plants that
they could be implementing as we speak.
I thank the distinguished Chairman.
Mr. Liscouski. Yes, ma'am. Thank you. I addressed this
earlier and I would be more than happy to do it again when we
talk about the national assessment.
Ms. Jackson-Lee. I thank you for your indulgence.
Mr. Liscouski. This notion of a national assessment is
something we have discussed many times. It is ongoing. We are
making significant progress in compiling our national asset
database. As I mentioned earlier, when DHS was first created
back in March of 2003, we had started off with a list of about
160 critical sites in the United States that we thought were
the high priority targets. We quickly grew that to 1,700. Out
of a list of 33,000 assets that we have currently identified,
we are still getting information back from the state and locals
about what their priorities are and what should be on that
list. That list is growing.
We are prioritizing those activities. As it specifically
relates to the chemical sector, we have identified out of the
4,012 sites around the United States that we believe are those
that require the top tier. Not top tier, but of the 4,000 sites
we have identified, this year alone we are addressing the 360
sites around the United States that need to address their
security. We are addressing that in a variety of ways.
First of all, let me just qualify. The issue here is not
just a private sector problem, but this is a state and local
government and private sector problem. It needs to be a totally
integrated plan. We are working with state and local
authorities, as well as the private sector to put out best
practices. To that end, we have done a variety of things.
We have put out common vulnerability assessments and shared
those with best practices perspectives.
Ms. Jackson-Lee. Mr. Secretary, may I do this, because as
you indicated I came in and you had already indicated that. Let
me just be pointed.
Mr. Liscouski. Sure.
Ms. Jackson-Lee. Have you in any way secured the transcript
of that program, 60 Minutes? Have you visited any of those
plants, because they seem to be the worst-case circumstances.
If I may make a comparison, though it is probably an unreal
comparison, over the last 24 hours we had a number of bombings
at Iraqi police stations. That seems to be a notable target.
Maybe our allies and Coalition forces should be having an
inventory of police stations, knowing that they are targets.
We know that chemical plants can be targets. There are
atrocious activities going on, maybe for lack of direction.
Have you gone out into the field and visited these plants? When
you say ``ongoing risk assessment,'' I can only say to you that
``ongoing'' is positive to the effect that we always believe we
should continue to learn, but it is not positive from the
perspective of the crisis of terrorism in this country. So when
will we finish the risk assessment? Have you been to these
plants and given them any direction?
Mr. Liscouski. Yes, ma'am, we have.
Ms. Jackson-Lee. I am sorry?
Mr. Liscouski. Yes, ma'am, we have been to the plants. We
have been to plants specifically in your jurisdiction, in fact,
and I would be happy to share those details with you in a
different venue other than this. We have been very aggressive
about the prioritization of chemical plants. It is a top
priority for us. We recognize the vulnerabilities. We are
working with the industries, state and local governments, as I
pointed out. We have buffer zone protection plans in place. We
have shared best practices for vulnerability assessments. We
have shared common characteristics of terrorist operational
patterns with both the industry and state and local
governments.
So I am quite confident that we are addressing it. To your
point, we are in a continuous improvement process.
Unfortunately, those remarks get taken out of place. You always
ask me, am I satisfied? I am never satisfied. I think it is one
of the reasons I got this job. It is because you never want to
be satisfied with where you were. We never want to become
complacent.
So we are in a continuous improvement mode. Will we ever be
finished? We are going to continuously improve our ability to
provide protection in this country of ours, because this is an
incredibly complex problem. It is not just about what the
plants are doing. It is how are the groups themselves evolving
their techniques and their capabilities? So this is a multi-
dimensional process. This is not just one which becomes static
to say, put up a 12-foot-high fence and you have security,
because we know that terrorists can get a 15-foot-high ladder.
So we are continuously looking at what we need to be doing
here to improve security. I know you are very sensitive to
that. I appreciate your comments. I would be happy to share
with you with more fidelity about what we are doing. I know we
have done that many times with the staff up here. If you have
not had the benefit of a briefing, I would offer that to you.
Ms. Jackson-Lee. Mr. Chairman, I thank you very much. I
will accept your offer, Mr. Secretary. I would like to talk
specifically about the region and what you have done in that
area. I thank you very much.
Mr. Liscouski. Terrific. Thank you.
Mr. Thornberry. I thank the gentlelady. I thank both of our
witnesses.
I am going to submit my questions in writing to the
witnesses. Mr. Liscouski, if we could have a similar agreement
with you as we had before, and that is a real effort to try to
get answers to written questions in two weeks. I understand it
is not completely within your control, but if you can help push
on your end, I think it will help relations with all members.
We will also try to limit the number of questions.
Secretary Newstrom, let me also encourage you on behalf of
your organization to continue to discuss with us not just how
much we have improved, but what yet needs to be improving,
because it is only by identifying those areas that we still
need to make progress on, giving little pushes here and there,
that we can, as Mr. Liscouski said, though we will never be
satisfied, we can continue to improve. I think you hit on some
key points in your testimony.
With that, let me thank both these witnesses. You are both
excused. We will go ahead and bring up the next witnesses. We
should have votes starting soon, but we will press on until the
bells make us recess.
So thank you both. You are both excused.
Mr. Newstrom. Thank you.
Mr. Thornberry. Let me thank the members of the second
panel for your patience. Obviously, there is a lot of interest
in this issue. I have no doubt we will need to recess for votes
here in a moment and come back. We will do that.
As you all are getting situated, I will introduce our next
panel, which includes Mr. Robert Dacey, director, information
security issues for the General Accounting Office; our former
colleague, Hon. Dave McCurdy, executive director of Internet
Security Alliance; and Ms. Diane VanDe Hei, vice chair,
Information Sharing and Analysis Center Council.
Mr. Dacey, I think you are first. Would you like to submit
a summary of your statement before we go and vote? If you could
do that within 5 or 6 minutes, then we will go ahead and do
that, and then we will have to come back for the other
witnesses. Thank you again for being here, and you are
recognized.
STATEMENT OF ROBERT DACEY, DIRECTOR, INFORMATION SECURITY
ISSUES, GENERAL ACCOUNTING OFFICE
Mr. Dacey. Thank you, Mr. Chairman and members of the
subcommittee. I am pleased to be here today to discuss the
status of ISACs, including the initial results of our ongoing
review which we are performing at the request of the
subcommittees. As you requested, I will briefly summarize my
written statement.
Beginning with PDD-63, Federal policy has encouraged the
voluntary creation of ISACs as key information-sharing
mechanisms for the private sector entities and state and local
governments that own and operate most of the nation's critical
infrastructures, and for the Federal Government. Further,
Federal policy established specific infrastructure protection
responsibilities for the Department of Homeland Security and
other Federal agencies.
Although their missions are similar, the current ISACs were
established and developed based upon the unique characteristics
and needs of their individual sectors. Consequently, they
operate under different management and operational structures
and have different operational capabilities, which are
summarized in our written statement and include, number one,
various business models such as private entities, parts of
associations, or a partnership with the Federal Government.
Many also use contractors to support their operations. They
also vary in the nature of the hazards that are covered, such
as cyber, physical or all hazards, which would also include
natural events.
The second major point is the various funding mechanisms
that exist. They may be funded through special fee-for-service
activities including tiered levels, association sponsorship,
Federal grants, or voluntary or in-kind operations by the
participants.
The third major difference is the models or methods by
which they share information. While most have electronic
information shared via email and Web sites, some of which are
secured, others have regular conference calls for their
members, and some have established facilities for quickly
organizing crisis conference discussions.
DHS and the sector-specific Federal agencies have
undertaken a number of efforts to support the ISACs and to
build the public-private partnership called for in Federal CIP
policy. Mr. Liscouski earlier today discussed at some great
length the efforts being taken by the Department.
In addition, the sector-specific agencies are also taking
actions, including funding, to help ISACs increase their
memberships and improve their analytical and communications
capabilities. Nonetheless, according to ISAC representatives
and the ISAC Council which is also represented on this panel, a
number of challenges remain to their successful establishment,
operation and partnership with DHS and other Federal agencies.
These challenges include increasing the percentage of sector
entities that are members of the ISACs; two, building trusted
relationships and processes to facilitate information sharing;
three, overcoming barriers to information sharing; four,
clarifying roles and responsibilities of the various
governmental and private sector entities involved in protecting
our critical infrastructures; next, funding ISAC operations and
activities; and utilizing sector expertise.
According to a DHS official, these issues are being
considered by the Department and should be clarified with the
development of a plan that will lay out the current
relationships, goals for improving them, and methods for
measuring progress. To help ensure that a comprehensive and
trusted information-sharing process is established, it will be
important to consider input from all appropriate stakeholders
and to agree upon the respective roles, responsibilities,
relationships and expectations of the parties.
Mr. Chairman, this concludes my statement. I will be
pleased to answer any questions that you or other members of
the subcommittee may have.
[The statement of Mr. Dacey follows:]
Prepared Statement of Robert F. Dacey
United States General Accounting Office
CRITICAL INFRASTRUCTURE PROTECTION
Establishing Effective Information Sharing with Infrastructure Sectors
Messrs. Chairmen and Members of the Subcommittees:
I am pleased to be here today to discuss the status of private-
sector information sharing and analysis centers (ISACs) and their
efforts to help protect our nation's critical infrastructures. Critical
infrastructure protection (CIP) activities called for in federal policy
and law are intended to enhance the security of cyber and physical,
public and private infrastructures that are essential to national
security, national economic security, or national public health and
safety. Beginning with Presidential Decision Directive 63 (PDD 63)
issued in May 1998, federal policy has encouraged the voluntary
creation of ISACs to facilitate private-sector participation and serve
as mechanisms for gathering, analyzing, and appropriately sanitizing
and disseminating information to and from infrastructure sectors and
the federal government. Subsequent federal CIP policy, including
several national strategies, continued to emphasize the importance of
the ISACs and their information-sharing functions.\1\ Further, CIP
policy has established specific responsibilities for the Department of
Homeland Security (DHS) and other federal agencies with respect to
public-private collaboration to help protect private infrastructure
sectors.
---------------------------------------------------------------------------
\1\ The White House, The National Strategy to Secure Cyberspace
(Washington, D.C.: February 2003); The National Strategy for the
Physical Protection of Critical Infrastructures and Key Assets
(Washington, D.C.: February 2003); and Homeland Security Presidential
Directive 7, Critical Infrastructure Identification, Prioritization,
and Protection (Washington, D.C.: Dec. 17, 2003).
---------------------------------------------------------------------------
In my testimony today, I will discuss the management and
operational structures used by the ISACs, including their estimated
sector participation, business and funding models, and information
sharing and analysis mechanisms. I will then discuss activities by DHS
and other federal agencies with responsibilities for specific
infrastructure sectors to interact and support the ISACs. Lastly, I
will discuss some of the ISAC identified challenges to and successful
practices for their establishment, operation, and partnership with the
federal government.
As agreed, this testimony includes initial results of our ongoing
analysis of private-sector ISACs, which was requested by your
subcommittees. In conducting this work, we contacted officials for the
15 different ISAC organizations that had been established at the time
of our review: Chemical, Electricity, Energy, Emergency Management and
Response, Financial Services, Food, Information Technology, Multi-
State, Public Transit, Real Estate, Research and Education, Surface
Transportation, Telecommunications, Highway, and Water. Through
structured interviews with these officials, we obtained and analyzed
information to describe the ISACs' current organization and operational
models, funding mechanisms, sector representation and membership
criteria, as well as their challenges and successful practices in
establishing effective information-sharing relationships within their
sectors and with the federal government. We also contacted officials of
the Healthcare Sector Coordinating Council to discuss their efforts to
establish an ISAC for the healthcare sector. Further, we contacted
officials of the ISAC Council, which was created by 11 ISACs to address
common issues, and obtained and analyzed its series of white papers on
a range of ISAC-related issues and challenges. Within the federal
government, we obtained and analyzed information on efforts to work
with the private sector by DHS and other agencies assigned
responsibilities for specific industry sectors, including the
Departments of Agriculture, Energy, Health and Human Services, and the
Treasury and the Environmental Protection Agency. We did not validate
the accuracy of the data provided by the ISACs, DHS, or other agencies.
We performed our work from November 2003 to April 2004, in accordance
with generally accepted government auditing standards.
Results in Brief
Beginning with PDD 63, federal policy has encouraged the voluntary
creation of ISACs as key information-sharing mechanisms between the
federal government and critical infrastructures. While PDD 63 suggested
certain ISAC activities, CIP policy has essentially left the actual
design and function of the ISACs to the entities that formed them. As a
result, although their overall missions are similar, the current ISACs
were established and developed based on the unique characteristics and
needs of their individual sectors. They operate under different
management and operational structures and, among other things, have
different business models and funding mechanisms. For example, most are
managed or operated as private entities with some, such as the Water
and Chemical ISACs, part of associations that represent their sectors.
Others have partnered with government agencies, such as the
Telecommunications ISAC, which is a government-industry operational and
collaborative body sponsored by DHS's National Communications Systems/
National Coordinating Center (NCC). Different funding mechanisms used
by the ISACs include fee-for-service, association sponsorship, federal
grants, and/or voluntary or in-kind operations by ISAC participants.
Examples of fee-for-service funding include the Financial Services,
Information Technology, and Water ISACs that offer tiered memberships
with fees based on the level of service provided.
DHS and the sector-specific agencies have undertaken a number of
efforts to address the public-private partnership called for by federal
CIP policy and continue to work on their cooperation and interaction
with the ISACs and with each other. For example, in January 2004, DHS
held a 2-day conference to describe the information it is analyzing
and its use in the partnership with the private sector and to discuss
information sharing between the federal government and the private
sector. Also, in February, the department established the Protected
Critical Infrastructure Information (PCII) Program that enables the
private sector to voluntarily submit infrastructure information to the
government, which can be protected from disclosure according to
provisions of the Critical Infrastructure Information Act of 2002.
According to ISAC representatives and a council that represents
many of them, a number of challenges remain to their successful
establishment, operation, and partnership with DHS and other federal
agencies. These challenges include increasing the percentage of sector
entities that are members of the ISACs; building trusted relationships
and processes to facilitate information sharing; overcoming barriers to
information sharing, including the sensitivity of the information,
legal limits on disclosure (such as Privacy Act limitations on
disclosure of personally identifiable information), and contractual and
business limits on how and when information is disclosed; clarifying
the roles and responsibilities of the various government and private
sector entities involved in protecting the critical infrastructures;
and funding ISAC operations and activities. According to a DHS
official, these issues are being considered and should be clarified
through the department's development of a plan that documents the
current information-sharing relationships between DHS, the ISACs, and
other agencies; goals for improving that information sharing
relationship; and methods for measuring progress.
Background
As reliance on our nation's critical infrastructures grows, so do
the potential threats and attacks that could disrupt critical systems
and operations. In response to the potential consequences, federal
awareness of the importance of securing our nation's critical
infrastructures, which underpin our society, economy, and national
security, has been evolving since the mid-1990s. For example, issued in
1998, Presidential Decision Directive 63 (PDD 63) described the federal
government's strategy for cooperative efforts with state and local
governments and the private sector to protect the systems that are
essential to the minimum operations of the economy and the government
from physical and cyber attack. In 2002, the Homeland Security Act
created the Department of Homeland Security, which was given
responsibility for developing a national plan; recommending measures to
protect the critical infrastructure; and collecting, analyzing, and
disseminating information to government and private-sector entities to
deter, prevent and respond to terrorist attacks.
More recently, issued in December 2003, HSPD-7 defined federal
responsibilities for critical infrastructure protection, superseding
PDD 63.
CIP Policy Has Continued to Evolve
Federal awareness of the importance of securing our nation's
critical infrastructures has continued to evolve since the mid-1990s.
Over the years, a variety of working groups have been formed, special
reports written, federal policies issued, and organizations created to
address the issues that have been raised. Key documents that have
shaped the development of the federal government's CIP policy include:
Presidential Decision Directive 63 (PDD 63),
The Homeland Security Act of 2002,
The National Strategies for Homeland Security, to
Secure Cyberspace and for the Physical Protection of Critical
Infrastructures and Key Assets, and
Homeland Security Presidential Directives 7 (HSPD-7)
and 9 (HSPD-9).
Presidential Decision Directive 63 Established an Initial CIP Strategy
In 1998, the President issued PDD 63, which described a strategy
for cooperative efforts by government and the private-sector to protect
the physical and cyber-based systems essential to the minimum
operations of the economy and the government. PDD 63 called for a range
of actions that were intended to improve federal agency security
programs, improve the nation's ability to detect and respond to serious
computer-based and physical attacks, and establish a partnership
between the government and the private-sector. Although superseded in
December 2003 by HSPD-7, PDD 63 provided the foundation for the
development of the current sector based CIP approach.
To accomplish its goals, PDD 63 established and designated
organizations to provide central coordination and support, including
the National Infrastructure Protection Center (NIPC), an organization
within the FBI, which was expanded to address national-level threat
assessment, warning, vulnerability, and law enforcement investigation
and response.
To ensure the coverage of critical sectors, PDD 63 identified eight
infrastructures and five functions. For each of the infrastructures and
functions, the directive designated lead federal agencies, referred to
as sector liaisons, to work with their counterparts in the private-
sector, referred to as sector coordinators. Among other
responsibilities, PDD 63 stated that sector liaisons should identify
and assess economic incentives to encourage sector information sharing
and other desired behavior.
To facilitate private-sector participation, PDD 63 also encouraged
the voluntary creation of information sharing and analysis centers
(ISACs) to serve as mechanisms for gathering, analyzing, and
appropriately sanitizing and disseminating information to and from
infrastructure sectors and the federal government through NIPC. PDD 63
also suggested several key ISAC activities to effectively gather,
analyze, and disseminate information--activities that could improve the
security postures of the individual sectors and provide an improved
level of communication within and across sectors and all levels of
government. These activities are: establishing baseline statistics and
patterns on the various infrastructures; serving as a clearinghouse for
information within and among the various sectors; providing a library
of historical data for use by the private sector and government; and
reporting private-sector incidents to NIPC.
The Homeland Security Act of 2002 Established the Department's CIP
Responsibilities
The Homeland Security Act of 2002, signed by the President on November
25, 2002, established DHS. To help accomplish its mission, the act
established five under secretaries, among other entities, with
responsibility over directorates for management, science and
technology, information analysis and infrastructure protection, border
and transportation security, and emergency preparedness and response.
The act made the Information Analysis and Infrastructure Protection
(IAIP) Directorate within the department responsible for CIP functions
and transferred to it the functions, personnel, assets, and liabilities
of several existing organizations with CIP responsibilities, including
NIPC (other than the Computer Investigations and Operations Section).
IAIP is responsible for accessing, receiving, and analyzing law
enforcement information, intelligence information, and other threat and
incident information from respective agencies of federal, state, and
local governments and the private-sector, and for combining and
analyzing such information to identify and assess the nature and scope
of terrorist threats. IAIP is also tasked with coordinating with other
federal agencies to administer the Homeland Security Advisory System to
provide specific warning information along with advice on appropriate
protective measures and countermeasures. Further, IAIP is responsible
for disseminating, as appropriate, information analyzed by DHS within
the department, to other federal agencies, to state and local
government agencies, and to private-sector entities.
Moreover, as stated in the Homeland Security Act of 2002, IAIP is
responsible for (1) developing a comprehensive national plan for
securing the key resources and critical infrastructure of the United
States and (2) recommending measures to protect the key resources and
critical infrastructure of the United States in coordination with other
federal agencies and in cooperation with state and local government
agencies and authorities, the private-sector, and other entities.
National Strategies Establish Information-Sharing Initiatives
The National Strategy for Homeland Security identifies information
sharing and systems as one foundation for evaluating homeland security
investments across the federal government. It also identifies
initiatives to enable critical infrastructure information sharing and
to integrate sharing across state and local government, private
industry, and citizens. Consistent with the original intent of PDD 63,
the National Strategy for Homeland Security states that, in many cases,
sufficient incentives exist in the private market for addressing the
problems of CIP. However, the strategy also discusses the need to use
all available policy tools to protect the health, safety, or well-being
of the American people. It mentions federal grant programs to assist
state and local efforts, legislation to create incentives for the
private sector, and, in some cases, regulation.
The National Strategy to Secure Cyberspace provides an initial
framework for both organizing and prioritizing efforts to protect our
nation's cyberspace. It also provides direction to federal departments
and agencies that have roles in cyberspace security and identifies
steps that state and local governments, private companies and
organizations, and individual Americans can take to improve our
collective cybersecurity. The strategy warns that the nation's private-
sector networks are increasingly targeted and that private-sector
organizations will likely be the first to detect attacks of potential
national significance.
According to the cyberspace strategy, ISACs, which possess unique
operational insight into their industries' core functions and will help
provide the necessary analysis to support national efforts, are
expected to play an increasingly important role in the National
Cyberspace Security Response System \2\ and the overall missions of
homeland security. In addition, the cyberspace strategy identifies DHS
as the central coordinator for cyberspace efforts and requires it to
work closely with the ISACs to ensure that they receive timely,
actionable threat and vulnerability data and to coordinate
voluntary contingency planning efforts. The strategy reemphasizes that
the federal government encourages the private-sector to continue to
establish ISACs and, further, to enhance the analytical capabilities of
existing ISACs. Moreover, the strategy stresses the need to improve and
enhance public-private information sharing about cyber attacks,
threats, and vulnerabilities and to encourage broader information
sharing on cybersecurity among nongovernmental organizations with
significant computing resources. The National Strategy to Secure
Cyberspace also states that the market is to provide the major impetus
to improve cybersecurity and that regulation will not become a primary
means of securing cyberspace.
---------------------------------------------------------------------------
\2\ The National Cyberspace Security Response System is a public-
private architecture, coordinated by the Department of Homeland
Security, for analyzing and warning; managing incidents of national
significance; promoting continuity in government systems and private
sector infrastructures; and increasing information sharing across and
between organizations to improve cyberspace security. It includes
governmental entities and nongovernmental entities, such as private-
sector ISACs.
---------------------------------------------------------------------------
The National Strategy for the Physical Protection of Critical
Infrastructures and Key Assets provides a statement of national policy
to remain committed to protecting critical infrastructures and key
assets from physical attacks. It outlines three key objectives to focus
the national protection effort: (1) identifying and assuring the
protection of the most critical assets, systems, and functions; (2)
assuring the protection of infrastructures that face an imminent
threat; and (3) pursuing collaborative measures and initiatives to
assure the protection of other potential targets. The National Strategy
for the Physical Protection of Critical Infrastructures and Key Assets
also states that further government leadership and intense
collaboration between public- and private-sector stakeholders is needed
to create a more effective and efficient information-sharing process to
enable our core protective missions. Some of the specific initiatives
include
defining protection-related information requirements
and establishing effective, efficient information-sharing
processes;
promoting the development and operation of critical
sector ISACs, including developing advanced analytical
capabilities;
improving processes for domestic threat data
collection, analysis, and dissemination to state and local
governments and private industry; and
completing implementation of the Homeland Security
Advisory System.
The National Strategy for the Physical Protection of Critical
Infrastructures and Key Assets reiterates that additional regulatory
directives and mandates should only be necessary in instances where the
market forces are insufficient to prompt the necessary investments to
protect critical infrastructures and key assets.
Current Federal Agency CIP Responsibilities
In December 2003, the President issued HSPD-7, which established a
national policy for federal departments and agencies to identify and
prioritize critical infrastructure and key resources and to protect
them from terrorist attack. It superseded PDD 63. HSPD-7 defines
responsibilities for DHS, lead federal agencies, or sector-specific
agencies that are responsible for addressing specific critical
infrastructure sectors, and other departments and agencies. It instructs
federal departments and agencies to identify, prioritize, and
coordinate the protection of critical infrastructure to prevent, deter,
and mitigate the effects of attacks.
The Secretary of Homeland Security is assigned several
responsibilities, including
coordinating the national effort to enhance critical
infrastructure protection;
identifying, prioritizing, and coordinating the
protection of critical infrastructure, emphasizing protection
against catastrophic health effects or mass casualties;
establishing uniform policies, approaches, guidelines,
and methodologies for integrating federal infrastructure
protection and risk management activities within and across
sectors; and
serving as the focal point for cyberspace security
activities, including analysis, warning, information sharing,
vulnerability reduction, mitigation, and recovery efforts for
critical infrastructure information systems.
To ensure the coverage of critical sectors, HSPD-7 designated
sector-specific agencies, formerly referred to as lead agencies, for
the critical infrastructure sectors identified in the National Strategy
for Homeland Security (see table 1). These agencies are responsible for
infrastructure protection activities in their assigned sectors, which
include
coordinating and collaborating with relevant federal
agencies, state and local governments, and the private-sector
to carry out their responsibilities;
conducting or facilitating vulnerability assessments
of the sector;
encouraging the use of risk management strategies to
protect against and mitigate the effects of attacks against the
critical infrastructure;
identifying, prioritizing, and coordinating the
protection of critical infrastructure;
facilitating the sharing of information about physical
and cyber threats, vulnerabilities, incidents, potential
protective measures, and best practices; and
reporting to DHS on an annual basis on their
activities to meet these responsibilities.
Further, the sector-specific agencies are to continue to encourage
the development of information-sharing and analysis mechanisms and to
support sector-coordinating mechanisms. HSPD-7 does not suggest any
specific ISAC activities.
Table 1: Critical Infrastructure Sectors Identified by the National Strategy for Homeland Security and HSPD-7
----------------------------------------------------------------------------------------------------------------
Sector Description Sector-specific agency
----------------------------------------------------------------------------------------------------------------
Agriculture Provides for the fundamental need for Department of Agriculture
food. The infrastructure includes
supply chains for feed and crop
production.
----------------------------------------------------------------------------------------------------------------
Banking and Finance Provides the financial infrastructure Department of the Treasury
of the nation. This sector consists
of commercial banks, insurance
companies, mutual funds, government
sponsored enterprises, pension
funds, and other financial
institutions that carry out
transactions including clearing and
settlement.
----------------------------------------------------------------------------------------------------------------
Chemicals and hazardous materials Transforms natural raw materials into Department of Homeland Security
commonly used products benefiting
society's health, safety, and
productivity. The chemical industry
represents a $450 billion enterprise
and produces more than 70,000
products that are essential to
automobiles, pharmaceuticals, food
supply, electronics, water
treatment, health, construction and
other necessities.
----------------------------------------------------------------------------------------------------------------
Defense industrial base Supplies the military with the means Department of Defense
to protect the nation by producing
weapons, aircraft, and ships and
providing essential services,
including information technology and
supply and maintenance.
----------------------------------------------------------------------------------------------------------------
Emergency services Saves lives and property from Department of Homeland Security
accidents and disaster. This sector
includes fire, rescue, emergency
medical services, and law
enforcement organizations.
----------------------------------------------------------------------------------------------------------------
Energy Provides the electric power used by Department of Energy
all sectors, including critical
infrastructures, and the refining,
storage, and distribution of oil and
gas. The sector is divided into
electricity and oil and natural gas.
----------------------------------------------------------------------------------------------------------------
Food Carries out the post-harvesting of Department of Agriculture and
the food supply, including Department of Health and Human
processing and retail sales. Services
----------------------------------------------------------------------------------------------------------------
Government Ensures national security and freedom Department of Homeland Security
and administers key public
functions.
----------------------------------------------------------------------------------------------------------------
Information technology and Provides communications and processes Department of Homeland Security
telecommunications to meet the needs of businesses and
government.
----------------------------------------------------------------------------------------------------------------
Postal and shipping Delivers private and commercial Department of Homeland Security
letters, packages, and bulk assets.
The U.S. Postal Service and other
carriers provide the services of
this sector.
----------------------------------------------------------------------------------------------------------------
Public Health and Healthcare Mitigates the risk of disasters and Department of Health and Human
attacks and also provides recovery Services
assistance if an attack occurs. The
sector consists of health
departments, clinics, and hospitals.
----------------------------------------------------------------------------------------------------------------
Transportation Enables movement of people and assets Department of Homeland Security
that are vital to our economy,
mobility, and security with the use
of aviation, ships, rail, pipelines,
highways, trucks, buses, and mass
transit.
----------------------------------------------------------------------------------------------------------------
Drinking water and water Sanitizes the water supply with the Environmental Protection Agency
treatment systems use of about 170,000 public water
systems. These systems depend on
reservoirs, dams, wells, treatment
facilities, pumping stations, and
transmission lines.
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis based on the
President's National Strategy documents and
HSPD-7.
In January 2004, the President issued HSPD-9, which
established a national policy to defend the agriculture and
food system against terrorist attacks, major disasters, and
other emergencies. HSPD-9 defines responsibilities for DHS,
lead federal agencies, or sector-specific agencies, responsible
for addressing specific critical infrastructure sectors, and
other departments and agencies. It instructs federal
departments and agencies to protect the agriculture and food
system from terrorist attacks, major disasters, and other
emergencies by
identifying and prioritizing sector-critical
infrastructure and key resources for establishing
protection requirements;
developing awareness and early warning
capabilities to recognize threats;
mitigating vulnerabilities at critical
production and processing nodes;
enhancing screening procedures for domestic
and imported products; and
enhancing response and recovery procedures.
In addition, the Secretary of Homeland Security, in
coordination with the Secretaries of Agriculture and
Health and Human Services and other appropriate
federal departments and agencies, is assigned
responsibilities including
expanding and continuing vulnerability
assessments of the agriculture and food sectors; and
working with appropriate private-sector
entities to establish an effective information-sharing
and analysis mechanism for agriculture and food.
Prior GAO Recommendations
We have made numerous recommendations over the last several years
related to information-sharing functions that have been transferred to
DHS. One significant area of our work concerns the federal government's
CIP efforts, which is focused on sharing information on incidents,
threats, and vulnerabilities and providing warnings related to critical
infrastructures both within the federal government and between the
federal government and state and local governments and the private
sector. Although improvements have been made in protecting our nation's
critical infrastructures and continuing efforts are in progress,
further efforts are needed to address the following critical CIP
challenges that we have identified:
developing a comprehensive and coordinated national
plan to facilitate CIP information sharing, which clearly
delineates the roles and responsibilities of federal and
nonfederal CIP entities, defines interim objectives and
milestones, sets timeframes for achieving objectives, and
establishes performance measures;
developing fully productive information-sharing
relationships within the federal government and between the
federal government and state and local governments and the
private-sector;
improving the federal government's capabilities to
analyze incident, threat, and vulnerability information
obtained from numerous sources and share appropriate timely,
useful warnings and other information concerning both cyber and
physical threats to federal entities, state and local
governments, and the private-sector; and
providing appropriate incentives for nonfederal
entities to increase information sharing with the federal
government.
ISAC Structures and Operations Reflect Sector Needs and Evolving Goals
PDD 63 encouraged the voluntary creation of ISACs and suggested
some possible activities, as discussed earlier; however, their actual
design and functions were left to the private-sector, along with their
relationship with the federal government. HSPD-7 continues to encourage
the development of information-sharing mechanisms and does not suggest
specific ISAC activities. As a result, the ISACs have been designed to
perform their missions based on the unique characteristics and needs of
their individual sectors and, although their overall missions are
similar, they have different characteristics. They were created to
provide an information-sharing and analysis capability for members of
their respective infrastructure sectors to support efforts to mitigate
risk and provide effective response to adverse events, including cyber,
physical, and natural events. In addition, the ISACs have taken several
steps to improve their capabilities and the services they provide to
their respective sectors.
Management and Operational Structures Vary, But Provide Similar Basic
Capabilities
The ISACs have developed diverse management structures and
operations to meet the requirements of their respective critical
infrastructure sectors. To fulfill their missions, they have been
established using various business models, diverse funding mechanisms,
and multiple communication methods.
Business model--ISACs use different business models to accomplish
their missions. Most are managed or operated as private entities,
including the Financial Services, Chemical, Electricity Sector, Food,
Information Technology, Public Transit, Real Estate, Surface
Transportation, Highway, and Water ISACs. Many are established as part
of an association that represents a segment of or an entire critical
infrastructure sector. For example, the Association of Metropolitan
Water Agencies manages the contract for the Water ISAC and the
American Chemistry Council manages and operates the Chemical ISAC
through its CHEMTREC.\3\ In addition, the North American Electric
Reliability Council (NERC),\4\ a nonprofit corporation that promotes
electric system reliability and security, operates the Electricity
Sector ISAC using internal expertise.
---------------------------------------------------------------------------
\3\ The American Chemistry Council represents the leading companies
engaged in the business of chemistry. CHEMTREC (Chemical
Transportation Emergency Center) is the American Chemistry Council's
24-hour emergency communications center. It was established in 1971 to
provide emergency responders technical assistance in safely mitigating
a distribution incident.
\4\ The North American Electric Reliability Council's (NERC)
membership includes small and large electric utilities, regional
utility companies, power marketers, and other entities responsible for
power generation, transmission, control, and marketing and distribution
in the United States, Canada, and a portion of Mexico.
---------------------------------------------------------------------------
The legal structure of ISACs continues to evolve. The Financial
Services ISAC has evolved from a limited liability corporation in 1999
to a 501(c)(6) non-stock corporation and is managed by a board of
directors that is comprised of representatives from the Financial
Services ISAC's members. According to the Financial Services ISAC
Board, the change to a 501(c)(6) non-stock corporation, as mentioned
above, was made to simplify the membership agreement and to make the
process for obtaining public funding easier. The Energy ISAC also
changed from a limited liability corporation to a 501(c)(3) nonprofit
charitable organization to eliminate membership barriers.
Also, government agencies have partnered with the private-sector to
operate certain ISACs. For example, DHS's National Communications
System/National Coordinating Center (NCC) for Telecommunications
sponsors the Telecommunications ISAC, which is a government/industry
operational and collaborative body.\5\ DHS provides for the
Telecommunications ISAC facilities, tools and systems, the NCC manager,
and the 24x7 watch operations staff. The private-sector provides
representatives who have access to key corporate personnel and other
resources. In addition, DHS's United States Fire Administration
operates the Emergency Management and Response ISAC. New York State,
through its Office of Cyber Security and Critical Infrastructure
Coordination, is coordinating efforts of the Multi-state ISAC. The New
York State Office of Cyber Security and Critical Infrastructure
Coordination is currently studying best practices and lessons learned
to assist in developing a structure that will include representation by
member states.
---------------------------------------------------------------------------
\5\ The National Coordinating Center for Telecommunications is open
to companies that provide telecommunications or network services,
equipment, or software to the communications and information sector;
select, competitive local exchange carriers; Internet service
providers; vendors; software providers; telecommunications professional
organizations and associations; or companies with participation or
presence in the communications and information sector. Membership is
also allowed for National Coordinating Center member federal
departments and agencies, and for national security/emergency
preparedness users.
---------------------------------------------------------------------------
Six of the ISACs included in our study use contractors to perform
their day-to-day operations. According to an Association of
Metropolitan Water Agencies (AMWA) official, they chose a contractor to
operate the Water ISAC because the contractor had the appropriate
expertise. In addition, the contractor's personnel had government
clearances and the ability to operate a secure communication system and
facility. In addition, ISACs use contractors to supplement their
operations. For example, a formal contract provides for the daily
staffing and performance of the Emergency Management and Response
ISAC's tasks. It chose this model because of federal requirements and
the shortage of positions for federal full-time employees at the United
States Fire Administration. The Telecommunications ISAC contracted for
analysts to operate the 24x7 watch operations under the management of
a government official.
ISACs also differ in the nature of the hazards that they consider:
cyber, physical, or all hazards (including natural events such as
hurricanes). For example, during the power outage in August 2003 and
Hurricane Isabel in September 2003, the Financial Services
ISAC was contacted by DHS to determine the Banking and Finance sector's
preparedness and the impact of those events. However, the Multi-state
ISAC will remain focused on cyber threats because other state
organizations are in place to address physical and natural disaster
events.
Funding--ISACs fund their activities using a variety of methods--
fees-for-service, association sponsorship, federal grants, and
voluntary, or in-kind, operations by existing participants. For example,
the Financial Services, Information Technology, and Water ISACs use a
tiered fee-for-service model for members. This model establishes
different tiers of membership based on the level of service provided.
These tiers typically include some basic level of service that is
provided at minimal or no cost to the member and additional tiers that
provide--for a fee--more personalized service and access to additional
resources. To help ensure that cost is not a deterrent to membership
and that the ISAC's coverage of its sector is extensive, the Financial
Services ISAC recently, as part of its next-generation ISAC effort,
shifted to a tiered fee-for-service approach. It offers five levels of
service that vary in cost--Basic (no charge), Core ($750 per year),
Premier ($10,000 per year), Gold ($25,000 per year), and Platinum
($50,000)--for ascending levels of information and analytical
capabilities. In addition, there is a partner-level license agreement
for select industry associations ($10,000) for distribution to eligible
association members of Urgent and Crisis Alerts. For example, the
Information Technology ISAC recently started to work on a tiered basis
with fees set annually at $40,000; $25,000; $5,000; $1,000; and free.
The Water ISAC also uses a tiered approach, with membership fees
ranging from $7,500 to $750 annually. The Surface Transportation ISAC
assesses an annual fee from its Class I railroad members of
approximately $7,500.
Some industry associations that operate ISACs fund them from
budgets. For example, the North American Electric Reliability Council
(NERC) funds the Electricity Sector ISAC, and the American Trucking
Association funds the Highway ISAC from their budgets. The American
Chemistry Council fully funds the Chemical ISAC through the previously
existing Chemical Transportation Emergency Center, known as CHEMTRAC.
The ten trade associations that are members of it fund the Real Estate
ISAC.
In addition, some ISACs receive funding from the federal government
for such purposes as helping to start operations, funding memberships,
and providing expanded capabilities. Examples include the following:
The Public Transit ISAC initially received a $1.2
million grant from the Federal Transit Administration (FTA) to
begin operations. Members pay no annual fee and there are no
membership requirements from the association that started the
ISAC--the American Public Transportation Association.
For FY 2004, the Water ISAC received a $2 million
grant from EPA to cover annual operating costs, including the
expansion of memberships to smaller utilities.
The Financial Services ISAC received $2 million
dollars from the Department of the Treasury to enhance its
capabilities, including technology to broaden membership
service.
The Highway ISAC received initial funding from DHS's
Transportation Security Administration (TSA) to start the ISAC.
The Energy ISAC received federal grants to assist
entities within its separate sectors to be members.
DHS provides funding for the operation of the
Telecommunications ISAC that is combined with in-kind services
provided by the corporate participants. DHS also fully operates
the Emergency Management and Response ISAC.
States also provide funding for ISACs. For example, the Multi-state
ISAC is funded by and functions as part of the New York State Cyber
Security Analysis Center. In addition, the Research and Education
Network ISAC is supported by Indiana University.
Sharing mechanisms--ISACs use various methods to share information
with their members, other ISACs, and the federal government. For
example, they generally provide their members access to electronic
information via e-mail and Web sites. For example, the Chemical ISAC
members receive e-mail alerts and warnings in addition to the
information that is posted to the ISAC's Web site. The Highway ISAC
provides members on its Web site with links to IT resources.
Some ISACs also provide secure members-only access to information
on their Web sites. For example, the Financial Services ISAC's Web site
offers multiple capabilities for members at the premier level and
above, including, among other things, access to news, white papers, best
practices, and contacts. The Energy ISAC offers its members access to a
secure Web site.
In addition, some ISACs hold conference calls for their members.
For example, the Chemical ISAC holds biweekly conference calls with
DHS. The Financial Services ISAC also conducts threat intelligence
conference calls every two weeks for premier members and above with
input from Science Applications International Corporation (SAIC) and
DHS. These calls discuss physical and cyber threats, vulnerabilities
and incidents that have occurred during the previous two weeks, and
they provide suggestions on what may be coming. The Financial Services
ISAC is capable of organizing crisis conference calls within an hour of
the notification of a Crisis Alert, and it hosts regular bi-weekly
threat conference calls for remediation of vulnerabilities (viruses,
patches).
ISACs also use other methods to communicate. For example, they may
use pagers, phone calls, and faxes to disseminate information. In
addition, the Telecommunications ISAC uses the Critical Infrastructure
Warning Information Network (CWIN).\6\ The Financial Services ISAC also
sponsors twice yearly members' only conferences to learn and share
information.
---------------------------------------------------------------------------
\6\ CWIN provides connectivity and 24x7 alert and notification
capability to government and industry participants. It is engineered to
provide a reliable and survivable network capability, and it has no
logical dependency on the Internet or the Public Switched Network.
ISAC Coverage and Participation Varies
According to the ISAC Council, its membership possesses an outreach
and connectivity capability to approximately 65 percent of the U.S.
private critical infrastructure. However, the ISACs use various
metrics to define their respective sectors' participation in their
activities. For example, the Banking and Finance sector has estimated
that there are more than 25,000 financial services firms in the United
States. Of those, according to the Financial Services ISAC Board,
roughly 33 percent receive Urgent and Crisis Alerts through license
agreements with sector associations--accounting for the vast majority
of total commercial bank assets, the majority of assets under
management, and the majority of securities/ investment bank
transactions that are handled by the sector, but less than half the
sector's insurance assets. According to an American Public
Transportation Association official, the Public Transit ISAC covers a
little less than 5 percent of the public transit agencies; however,
those agencies handle about 60 to 70 percent of the total public
transit ridership. Further, according to NERC officials, virtually all
members of NERC are members of the Electricity Sector ISAC. As for the
Energy ISAC, officials stated that its 80-plus members represent
approximately 85 percent of the energy industry. Membership in the
Information Technology ISAC also represents 85 to 90 percent of the
industry, including assets of Internet equipment hardware, software,
and security providers. For other ISACs, such as Chemical and Real
Estate, officials stated that it is difficult to determine the
percentage of the sector that is included.
Table 2 provides a summary of the characteristics of the ISACs that
we included in our review. In addition to these ISACs, the Healthcare
sector is continuing to organize, including efforts to establish an
ISAC. According to DHS officials, the Emergency Law Enforcement ISAC
that was formerly operated by the NIPC and transferred to IAIP is not
currently staffed and will be considered in current efforts to organize
the Emergency Services sector.
Table 2: Summary of ISAC Characteristics
(For each ISAC the table gives: Coverage; Funding model; Hazards covered; Analysis capability; Sharing mechanisms)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Agriculture
None at this time.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Banking & Finance
Financial Services (est. Oct. 1999)
Coverage: 200 members, including commercial banks, securities firms, and insurance companies. Represents 90% of the financial sector's assets.
Funding model: Funded by and operated with tiered membership fees. Contractor operated.
Hazards covered: Cyber; Physical.
Analysis capability: Operates 24 hours a day, 7 days a week. Watch desk analyzes and categorizes threats, incidents, and warnings based on the sector's needs.
Sharing mechanisms: Text-based alerts through a notification system, backed up by telephone. Biweekly threat intelligence conference call with DHS and SAIC.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Chemicals & Hazardous Materials
Chemical (est. April 2002)
Coverage: 538 individual members representing the chemical industries. 285 businesses. Represents 90% of the chemical sector.
Funding model: Funded and operated by ACC's Chemical Transportation Emergency Center.
Hazards covered: Cyber; Physical.
Analysis capability: Operates 24x7. Currently working to develop an analysis center.
Sharing mechanisms: E-mail alerts and warnings. Chemistry ISAC Web site. Biweekly conference calls with DHS. Secure communications network with DHS.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Defense Industrial Base
None at this time.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Emergency Services
Emergency Management & Response (est. Oct. 2000)
Coverage: 10 FEMA Regions; 6 major stakeholders of the EMR sector. Represents 100% of the essential components of the EMR Sector.
Funding model: Funded by FEMA's Office of Cyber Security with supplementation from USFA. Contractor operated.
Hazards covered: Cyber; Physical.
Analysis capability: Developing 24x7 operations. Analyzes and disseminates actionable intelligence on threats, attacks, vulnerabilities, anomalies, and security best practices.
Sharing mechanisms: Electronic messaging. Telephone and, when necessary, a secure telephone unit.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Energy
Electric (est. Oct. 2000)
Coverage: More than 90% of NERC members are members of the ISAC, including large and small electric utilities, regional electric utility companies, and power marketers.
Funding model: Funded and managed/operated by NERC.
Hazards covered: Cyber; Physical.
Analysis capability: Operates 24x7. The ES-ISAC and NERC have created the Indications, Analysis, and Warnings Program (IAW) that provides a set of guidelines for reporting operational and cyber incidents that adversely affect the electric power infrastructure.
Sharing mechanisms: Secure telephone, fax, and Web server. E-mail. Satellite telephones. Information such as incident reports and warnings, vulnerability assessments, and related documents are posted on the public Web site.

Energy (est. Nov. 2001)
Coverage: 80 plus members from the oil and gas sector. Represents 85% of the oil and gas sector.
Funding model: Funded by grants from DOE. Contractor operated.
Hazards covered: Cyber; Physical.
Analysis capability: Operates 24x7. Analyzes threats, vulnerabilities, and incident information. Provides security information and solutions.
Sharing mechanisms: Conference calls. Fax, e-mail, pager. Detailed information on warnings provided on a membership-only, secure Web site.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Food
Food (est. Feb. 2002)
Coverage: Over 40 food-industry trade associations and their members.
Funding model: No current funding. Operated by volunteer labor from each member association.
Hazards covered: Physical.
Analysis capability: Operates 24x7. No analysis capability, due to members' privacy concerns. Depends on DHS for analysis.
Sharing mechanisms: E-mail. Watch Commander List. Currently working to develop a secure e-mail system.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Government
State Gov. (est. Jan. 2003)
Coverage: 49 states (excluding Kansas) and the District of Columbia.
Funding model: Funded and operated by New York State. States provide time and resources as appropriate.
Hazards covered: Cyber; Physical & Natural (as it relates to cyber).
Analysis capability: Operates 24x7. Issues bulletins, advisories, and alerts.
Sharing mechanisms: Monthly conference calls. E-mail. Telephone.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Information Technology & Telecommunications
IT (est. Dec. 2000)
Coverage: 90% of all desktop operating systems. 85% of all databases. 50% of all desktop computers. 85% of all routers. 65% of software security.
Funding model: Funded and operated by foundational member contributions; will soon implement membership fees (tiered). Contractor operated.
Hazards covered: Cyber; Physical.
Analysis capability: Operates 24x7. Analyzes cyber alerts and advisories and reports physical issues.
Sharing mechanisms: CWIN. Encrypted e-mail. SSL-protected Web sites. Cellular phones. VoIP telephony. GETS\7\ system for priority calls.

Telecom (est. Jan. 2000)
Coverage: 95% of wireline providers. Over 60% of wireline vendors. 95% of wireless providers. 90% of wireless vendors. 42% of Internet Service subscribers. 90% of Internet Service networks. 6 of the top system integrators in the U.S. Federal IT market. 15% of Domain Name Service root and global Top Level Domain operators.
Funding model: Funded by NCS. Operated by NCC. Agencies bear the costs of their own personnel.
Hazards covered: Cyber; Physical; Natural.
Analysis capability: Operates 24x7. Analyzes data to avoid crises that could affect the entire telecom infrastructure.
Sharing mechanisms: E-mail. Telephone. Fax. Meetings. CWIN.

Research & Education Network (est. Feb. 2003)
Coverage: 200 Universities. All U.S. universities and colleges that are connected to national R&E networks have basic membership.
Funding model: Funded and operated by Indiana University.
Hazards covered: Cyber.
Analysis capability: Operates 24x7. Receives and disseminates information regarding network security vulnerabilities and threats in the higher education community.
Sharing mechanisms: Public information restricted to aggregate views of the network. Information identifying institutions or individuals not reported publicly. Detailed and sensitive information shared only with affected institutions.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Postal & Shipping
None at this time.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Public Health & Healthcare
HealthCare
None at this time.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Transportation
Public Transit (est. Jan. 2003)
Coverage: Approximately 100 of the major national transit organizations.
Funding model: Federally funded. Contractor operated.
Hazards covered: Cyber; Physical.
Analysis capability: Operations 24x7. Collects, analyzes, and disseminates security information.
Sharing mechanisms: E-mail tree. Secure e-mail. Public Transit Web site. Links to HSOC, and DOT and TSA's Operation Centers.

Surface Transportation (est. May 2002)
Coverage: Includes the major North American freight railroads and Amtrak. Represents 95% of the U.S. freight railroad industry and Amtrak.
Funding model: Funded by membership fees and a grant from the Federal Transit Administration (FTA). Contractor operated.
Hazards covered: Cyber; Physical; Natural.
Analysis capability: Operates 24x7. Conducts mid- to long-term technical analysis on all threats.
Sharing mechanisms: Surface Transportation Web site. Secure telephone.

Highway (est. March 2003)
Coverage: Over 90% of the largest for-hire motor carriers. Represents 60% of economic activity, with over 50% of long haul.
Funding model: Funded and operated by the American Trucking Association (ATA).
Hazards covered: Cyber; Physical.
Analysis capability: Developing 24x7 operations. Channels warnings, threat information, and advisories to the industry and to drivers through its call center.
Sharing mechanisms: Highway ISAC Web site. Highway watch center. Blast fax. E-mail. Print media communications. Amber alerts.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Drinking Water & Water Treatment Systems
Water (est. Dec. 2002)
Coverage: 275-300 small and large water utilities. Represents 45% of water utilities with secure portals. Represents 85% of the water utilities that receive e-mail alerts.
Funding model: Funded by tiered membership fees and a grant from EPA. Contractor operated. Receives contributions from AMWA.
Hazards covered: Cyber; Physical.
Analysis capability: Operates 24x7. Analyzes threat and incident information for its potential impact on the sector.
Sharing mechanisms: Encrypted e-mail. Secure portal. Secure electronic bulletin boards and chat rooms.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Other Sectors That Have Established ISACs
Real Estate (est. April 2003)
Coverage: 10 trade associations representing hotels, realtors, shopping centers, and others.
Funding model: Funded by trade associations. Contractor operated.
Hazards covered: Physical.
Analysis capability: Operates 24x7. Depends on DHS for threat analysis.
Sharing mechanisms: 2-way communications network and Web site. Conference calls with top executives from various sectors as needed.
--------------------------------------------------------------------------------------------------------------------------------------------------------
\7\ Government Emergency Telecommunications Service (GETS)
Sector Coordinator Roles Differ
As discussed earlier, federal CIP policy establishes the position
of sector coordinator for identified critical infrastructure sectors to
initiate and build cooperative relationships across an entire
infrastructure sector. In most cases, sector coordinators have played
an important role in the development of their respective infrastructure
sectors' ISACs. In many cases the sector coordinator also manages or
operates the ISAC.
The North American Electric Reliability Council, as
sector coordinator for the electricity segment of the energy
sector, operates the Electricity Sector ISAC.
The Association of American Railroads, as a sector
coordinator for the transportation sector, manages the Surface
Transportation ISAC.
The Association of Metropolitan Water Agencies, as the
sector coordinator for the water and wastewater sector, manages
the Water ISAC
In addition, regarding the telecommunications ISAC, sector
coordinators participate as members of the ISAC. For example, the
Cellular Telecommunications and Internet Association, the United States
Telecom Association, and the Telecommunications Industry Association
are all members of the NCC, which operates the telecommunications ISAC.
In the case of the Financial Services ISAC, no formal relationship
exists between the Banking and Finance Sector Coordinator, the
Financial Services Sector Coordinating Council, and the ISAC; however,
according to Financial Services ISAC officials, there is a good
relationship between them.
Other ISACs were created and are operated without a formal sector
coordinator in place, including the Chemical, Emergency Management and
Response, and Food ISACs.
Council Established to Improve ISACs' Efficiency and Effectiveness
Eleven ISACs created an ISAC Council to work on various
operational, process, and other common issues to effectively analyze
and disseminate information and, where possible, to leverage the work
of the entire ISAC community. The ISACs initiated this effort without
federal sponsorship. Currently, the participating ISACs include
Chemical, Electricity, Energy, Financial Services, Information
Technology, Public Transit, Surface Transportation, Telecommunications,
Highway, and Water. In addition, the Multi-state and Research and
Education Networks ISACs are participants.
In February 2004, the council issued eight white papers to reflect
the collective analysis of its members and to cover a broad set of
issues and challenges, including
Government/Private-sector Relations. Explains the need
for DHS to clarify its expectations and to develop roles and
responsibilities for the ISACs.
HSPD-7 Issues and Metrics. Describes specific issues
related to the private-sector that DHS should address when
responding to HSPD-7.
Information Sharing and Analysis. Identifies future
goals that the ISACs may want to work on achieving, including
developing an implementation plan.
Integration of ISACs into Exercises. Discusses the
importance of the ISACs and the private infrastructure sectors
being involved in government exercises that demonstrate
responses to possible incidents.
ISAC Analytical Efforts. Describes the various levels
of capabilities that individual ISACs may want to consider
supporting, including cyber and physical analysis.
Policy and Framework for the ISAC Community.
Identifies common policy areas that need to be addressed to
provide effective, efficient, and scalable information sharing
among ISACs and between ISACs and the federal government.
Reach of Major ISACs. Describes and identifies the
degree of outreach that the ISACs have achieved into the U.S.
economy. As of September 2003, the ISAC Council estimated that
the ISACs had reached approximately 65 percent of the critical
infrastructures they represent.
Vetting and Trust. Discusses the processes for sharing
information and the need to develop trust relationships among
individual ISAC members and among the various ISACs.
Federal Efforts to Establish Cooperation and Interaction with the ISACs Continue
As outlined in HSPD-7 and presented in table 1, DHS and other
federal agencies are designated as sector-specific agencies for the
critical infrastructure sectors identified. In
addition, DHS is responsible for coordinating the overall national
effort to enhance the protection of the critical infrastructure and key
resources of the United States and has established organizational
structures to address its CIP and information-sharing responsibilities.
DHS and the sector-specific agencies have undertaken a number of
efforts to address the public/private partnership that is called for by
federal CIP policy, and they continue to work on their cooperation and
interaction with the ISACs and with each other.
DHS Actions to Improve Information-sharing Relationships
The functions DHS provides to each ISAC differ, and its
coordination and levels of participation vary for each sector-specific
agency. However, the department has undertaken a number of efforts with
the ISACs and sector specific agencies to implement the public/private
partnership called for by federal CIP policy.
DHS has established functions within the department to support the
ISACs and other CIP efforts. IAIP, as the DHS component directly
responsible for CIP activities, carries out many of these functions.
The Infrastructure Coordination Division within IAIP plays a key role
in coordinating with the ISACs concerning information sharing.
Nonetheless, ISACs may interact with multiple components of the
department. For example, the ISACs may discuss cyber issues with the
National Cyber Security Division. According to a DHS official, the
department does not intend to establish a single point of contact for
ISACs within the department. Rather, the department plans to develop
policies and procedures to ensure effective coordination and sharing of
ISAC contact information among the appropriate DHS components. In
addition, the Infrastructure Coordination Division is in the process of
staffing analysts who are responsible for working with each critical
infrastructure sector. The analysts would serve as the primary point of
contact for the sectors and would address information sharing,
coordination, information protection, and other issues raised by the
sectors.
Further, according to DHS officials, TSA, within the department's
Border and Transportation Security Directorate, is working with
organizations in the private sector to establish information-sharing
relationships. For example, Surface Transportation ISAC analysts stated
that they have a good working relationship with TSA, and TSA's
Operations Center has office space designated for them.
In addition, other DHS actions include the following:
Last summer, DHS, the Department of Agriculture
(USDA), and the Department of Health and Human Services' (HHS)
Food and Drug Administration (FDA) initiated efforts to
organize the agriculture and food critical infrastructure
sectors to raise awareness and improve security efforts. An
introductory conference was held with about 100 leading sector
corporations and associations to make the business case for
participating in CIP efforts, including the importance of
enhancing security and sharing information within the sectors.
In December, DHS hosted a 2-day CIP retreat with ISAC
representatives, sector coordinators, and high-level DHS and
White House Homeland Security Council officials. Participants
discussed the needs, roles, and responsibilities of public- and
private-sector entities related to information sharing and
analysis, incident coordination and response activities,
critical infrastructure information requests, and level of DHS
funding. During this retreat, DHS participated in the first
meeting of the Operational Clarity and Improvement Task Group,
which was formed by the ISAC Council and sector coordinators to
address the need for a common conceptual framework and to
clarify current and future efforts to protect the nation's
critical infrastructure.
In January, DHS's IAIP Directorate held a 2-day
conference to describe the information it is analyzing and the
use of that information in the partnership with the private
sector to discuss information sharing between the federal
government and the private sector.
In February, the department established the Protected
Critical Infrastructure Information (PCII) Program, which
enables the private sector to voluntarily submit infrastructure
information to the government. DHS's IAIP Directorate is
responsible for receiving submissions, determining if the
information qualifies for protection and, if it is validated,
sharing it with authorized entities for use as specified in the
Critical Infrastructure Information Act of 2002.
In addition to the efforts listed above, DHS officials stated that
they provide funding to some of the ISACs. For example, DHS has agreed
to fund tabletop exercises for the Financial Services,
Telecommunications, and Electricity Sector ISACs. DHS anticipates that
the tabletop exercises will be completed by August 2004. Also, DHS
expects to fund a cross-sector tabletop exercise. According to the
Financial Services ISAC, funding for their tabletop exercise is
$250,000.
Another effort that DHS has undertaken is to maintain regular
contact with the ISACs. For example, a DHS analyst specializing in the
chemical sector stated that the Chemical ISAC is in daily contact with
DHS and that it participates in DHS-sponsored biweekly threat meetings.
The department also conducts weekly conference calls with several
ISACs, other DHS components, and private-sector organizations to
discuss threats and viruses.
Sector-specific Agencies Have Taken Action to Assist the ISACs
HSPD-7 designates federal departments and agencies to be sector-
specific agencies. These federal agencies, among other things, are to
collaborate with the private sector and continue to encourage the
development of information-sharing and analysis mechanisms. In
addition, sector-specific agencies are to facilitate the sharing of
information about physical and cyber threats, vulnerabilities,
incidents, potential protective measures, and best practices. Another
directive, HSPD-9, establishes a national policy to defend the
agriculture and food system against terrorist attacks, major disasters,
and other emergencies. Some sector-specific agencies have taken steps
to help the ISACs to increase their memberships and breadth of impact
within their respective sectors and to improve their analytical and
communications capabilities.
Environmental Protection Agency (EPA). As noted
earlier, EPA is the sector-specific agency for the water
sector. According to EPA officials, its Office of Water (Water
Security Division), which has been designated as the lead for
drinking water and wastewater CIP efforts, is currently
revising EPA's Office of Homeland Security's Strategic Plan. In
addition, the division is working on a General Strategic Plan,
to identify measurable goals and objectives and determine how
the division will accomplish that work. Further, these
officials stated that for fiscal year 2004, EPA issued a $2
million grant to the Water ISAC to enhance its capabilities,
for example, to fund 24x7 operations and to increase and
support ISAC membership. They also stated that EPA issued $50
million in grants to assist the largest drinking water
utilities in conducting vulnerability assessments. There are
also state grants to build communications networks for
disseminating information, particularly to smaller utility
companies. EPA's Water Security Division also makes publicly
available various resources related to water security
including, among other things, emergency response guidelines,
risk assessment and vulnerability assessment methodologies, and
a security product guide. The division has also developed a
``Vulnerability Assessment Factsheet'' that gives utility
companies additional guidance on vulnerability assessments.
Moreover, the Water Security Division holds biweekly conference
calls with water associations to promote communications between
EPA and the private sector, and it provides EPA publications
and other information to the Water ISAC through e-mail
distribution lists. In addition, the division has 10 regional
offices that work with the states.
Department of the Treasury (Treasury). As the sector-
specific agency for the Banking and Finance sector, Treasury's
Office of CIP and Compliance Policy is responsible for CIP-
related efforts. It has developed policy for its role as a
sector-specific agency. The policy includes steps to identify
vulnerabilities with the assistance of the institutions,
identify actions for remediation, and evaluate progress in
reducing vulnerabilities. A major effort by Treasury was having
consultants work with the Financial Services ISAC's board of
directors to evaluate ways to improve the overall reach and
operations of the ISAC. According to Treasury officials, this
effort, in part, led to a $2 million grant from Treasury to the
ISAC for developing the ``next generation'' Financial Services
ISAC. The one-time grant was earmarked for enhancing the ISAC's
capabilities. Regarding interaction with the Financial Services
ISAC, Treasury informally shares high-level threat and incident
information with the sector through the ISAC. The department
also chairs the Financial and Banking Information
Infrastructure Committee (FBIIC), a group of regulators who
coordinate regulatory efforts to improve the reliability and
security of financial systems. This group has done a number of
things to raise awareness and improve the reliability of the
institutions. For example, under the sponsorship of the Federal
Deposit Insurance Corporation, there are regional outreach
briefings that address why the private sector needs to partner
with the federal government to improve its security. Moreover,
FBIIC has sponsored the 3,600 priority telecommunications
circuits for financial institutions under the National
Communications System's Telecommunications Service Priority and
Government Emergency Telecommunications Service programs.
Department of Energy (DOE). As the sector-specific
agency for the Energy and Electricity sectors, DOE's Office of
Energy Assurance is responsible for fulfilling the roles of
critical infrastructure identification, prioritization, and
protection for the energy sector, which includes the
production, refining, and distribution of oil and gas, and
electric power--except for commercial nuclear power facilities.
However, DOE does not address situational threats such as
natural disasters or power outages with its ISACs because, in
part, the ISACs are determining whether it is their role to
address these types of threats. Information sharing with the
ISACs is an informal process, and no written policy exists. For
example, DOE is collecting threat information related to
hackers and computer security, but the department is not
disseminating it to the ISACs or to private industry. The
Office of Energy Assurance hopes to clarify and expand on this
subject in its International Program Plan, which is currently
in draft form.
Department of Health and Human Services (HHS). As
mentioned earlier, HHS is the sector-specific agency for the
public health and healthcare sector, and it shares that role
with USDA for the food sector. Currently, there is no ISAC for
the healthcare sector. Efforts to organize the healthcare
sector have been ongoing. In July 2002, HHS officials and other
government and industry participants were invited to the White
House conference center to discuss how they wanted to organize
the sector. A Healthcare Sector Coordinating Council (HSCC) was
formed, and HHS requested that MITRE, its contractor, lend
technical support to the new group as it continues to organize
the sector and establish an ISAC. In addition, HHS officials
stated that the department provided $500,000 for ISAC efforts
in fiscal year 2003 and budgeted $1 million for fiscal year
2004. HHS officials stated that the department would likely be
agreeable to continuing to provide funding for an ISAC. They
also stated that an ISAC could be operational within the next
year. In the meantime, HHS is sharing information with the
industry through an e-Community group that MITRE has set up on
a secure Web site.
Agriculture and Food were only recently designated as critical
infrastructure sectors and, as with the healthcare sector, efforts to
organize the sectors are in the beginning stages. HHS has worked with
the Food Marketing Institute-operated Food ISAC since it was
established, but the department has focused more of its efforts on
organizing the agriculture and food sectors. As we mentioned earlier,
HHS helped initiate efforts to organize the sector by holding an
introductory conference last summer for about 100 leading sector
corporations and associations to make the business case for
participating in CIP efforts. Recently, the department co-hosted a
meeting with DHS and USDA in which industry participants were asked how
they wished to organize into an infrastructure sector, including
addressing the existence and expansion of the current Food ISAC. As a
result of this meeting, participants agreed to establish a council of
about 10-15 private-sector food and agriculture organizations to
represent the sector. A federal government council will be created to
interact with the private sector and with state and local governments.
The government council will initially include several federal
government agencies and state and local entities. According to HHS
officials, the timeframe for organizing the sector and setting up an
expanded Food ISAC has not been determined, but officials anticipated
this occurring by fall of 2004.
Department of Agriculture (USDA). As mentioned above,
USDA shares with HHS the sector-specific agency designation for
the food sector. USDA participated in a conference held last
summer and a recent meeting with the industry. In addition to
those events, USDA's Homeland Security Council Working Group is
involved in enhancing the agriculture sector's information-
sharing and analysis efforts, which may include replacing or
improving the current Food ISAC. Another USDA effort uses
training to reach out to the industry and raise awareness. For
example, USDA is providing training to private-sector
veterinarians and animal hospitals on recognizing possible
signs of bioterrorism activity.
Although no longer a sector-specific agency for the transportation
sector, DOT, through its Federal Transit Administration, has provided a
grant to the Public Transportation ISAC to provide for memberships at
no cost.
Challenges to ISAC Establishment and Partnership with the Federal Government
Our discussions with the ISACs and the series of ISAC Council white
papers confirmed that a number of challenges remain to the successful
establishment and operation of ISACs and their partnership with DHS and
other federal agencies. Highlighted below are some of the more
significant challenges identified, along with any successful ISAC
practices and related actions that have been taken or planned by DHS or
others.
Increasing Sector Participation and Reach
Many of the ISACs report that they represent significant
percentages of their industry sectors; at least one--the Electricity
ISAC--reports participation approaching 100 percent. The ISAC Council
estimates that the overall ISAC community possesses an outreach and
connectivity capability to reach approximately 65 percent of the
private critical infrastructure. The Council also recognizes the
challenge of increasing sector participation, particularly to reach
smaller entities that need security support, but have insufficient
resources to actively contribute and pay for such support. Officials in
DHS's IAIP acknowledge the importance of reaching out to critical
infrastructure entities, and are considering alternatives to address
this issue.
The Financial Services ISAC provides a notable example of efforts
to respond to this challenge. Specifically, officials for this
organization reported that, as of March 2003, its members represented a
large portion of the sector's assets but only 0.2 percent of the number
of entities; small financial services firms and insurance companies, in
particular, were underrepresented. To increase its
industry membership, this organization established its next generation
ISAC, which provides different levels of service--ranging from a free
level of basic service to fees for value-added services--to help ensure
that no entity is excluded because of cost. Further, it has set goals
of delivering urgent and crisis alerts to 80 percent of the Banking and
Finance sector by the end of 2004 and to 99 percent of the sector by
the end of 2005. To help achieve these goals, the Financial Services
ISAC has several other initiatives under way, including obtaining the
commitment of the Financial Services Sector Coordinating Council
(FSSCC--the sector coordinator and primary marketing arm for this ISAC)
to drive the marketing campaign to sign up its members for the
appropriate tier of service; encouraging membership through outreach
programs sponsored by the Federal Deposit Insurance Corporation and the
FSSCC in 24 cities; and working with individual sector regulators to
include in their audit checklists whether a firm is a member of the
ISAC. The Financial Services ISAC believes that its goals are
attainable and points to its industry coverage, which it says had
already increased to 30 percent in March 2004--only three months after
its new membership approach began in December 2003.
Other issues identified that were related to increasing sector
participation and reach included the following:
Officials at two of the ISACs we contacted considered
it important that the federal government voice its support for
the ISACs as the principal tool for communicating threats.
The ISAC Council has suggested that a General Business
ISAC may need to be established to provide baseline security
information to those general businesses that are not currently
supported by an ISAC.
Many of the industries that comprise our nation's
critical infrastructures are international in scope. Events
that happen to a private infrastructure or public sector
organization in another country can have a direct effect in the
United States, just as events here could have effects in other
countries. Therefore, an ISAC may need to increase its reach to
include the reporting and trust of international companies and
organizations.
Building Trusted Relationships
A key element in both establishing an ISAC and developing an
effective public/private partnership for CIP is to build trusted
relationships and processes. From the
ISAC perspective, sharing information requires a trusted relationship
between the ISAC and its membership, such that companies and
organizations know their sensitive data is protected from others,
including competitors and regulatory agencies. According to the ISAC
Council, the ISACs believe that they provide a trusted
information-sharing and analysis mechanism for private industry in that
they manage, scrutinize, establish, and authenticate the identity and
ensure the security of their membership, as well as ensuring the
security of their own data and processes. Other steps taken by ISACs to
safeguard private companies' information, which may help to foster
trusted relationships, included sharing information with other entities
only when given permission to do so by the reporting entity and
providing other protections, such as distributing sensitive information
to subscribers through encrypted e-mail and a secure Web portal.
Building trusted relationships between government agencies and the
ISACs is also important to facilitating information sharing. In some
cases, establishing such relationships may be difficult because sector-
specific agencies may also have a regulatory role; for example, the
Environmental Protection Agency has such a role for the Water sector
and HHS' Food and Drug Administration has it for portions of the Food
and Agriculture sectors.
Information Sharing Between the Private Sector and Government
Sharing information between the federal government and the private
sector on incidents, threats, and vulnerabilities continues to be a
challenge. As we reported last year, much of the reluctance by ISACs to
share information has focused on concerns over potential government
release of that information under the Freedom of Information Act,
antitrust issues resulting from information sharing within an industry,
and liability for the entity that discloses the information.\8\
However, our recent discussions with the ISACs--as well as the
consensus of the ISAC Council--identified additional factors that may
affect information sharing by both the ISACs and the government.
---------------------------------------------------------------------------
\8\ U.S. General Accounting Office, Critical Infrastructure
Protection: Efforts of the Financial Services Sector to Address Cyber
Threats, GAO-03-173 (Washington, D.C.: Jan. 30, 2003); and Critical
Infrastructure Protection: Challenges for Selected Agencies and
Industry Sectors, GAO-03-233 (Washington, D.C.: Feb. 28, 2003).
---------------------------------------------------------------------------
The ISACs we contacted all described efforts to work with their
sector specific agencies, as well as with other federal agencies,
ISACs, and organizations. For example, the Public Transit ISAC said
that it provides a critical link between the transit industry, DOT,
TSA, DHS, and other ISACs for critical infrastructures and that it
collects, analyzes, and distributes cyber and physical threat
information from a variety of sources, including law enforcement,
government operations centers, the intelligence community, the U.S.
military, academia, IT vendors, the International Computer Emergency
Response Community, and others. Most ISACs reported that they believed
they were providing appropriate information to the government but,
while noting improvements, still had concerns with the information
being provided to them by DHS and/or their sector specific agencies.
These concerns included the limited quantity of information and the
need for more specific, timely, and actionable information. In
particular, one ISAC noted that it receives information from DHS
simultaneously with or even after news reports, and that sometimes the
news reports provide more details.
In its recent white papers, the ISAC Council also has identified a
number of barriers to information sharing between the private sector
and government. These included the sensitivity of the information (such
as law enforcement information), legal limits on disclosure (such as
Privacy Act limitations on disclosure of personally identifiable
information), and contractual and business limits on how and when
information is disclosed (e.g., the Financial Services ISAC does not
allow any governmental or law enforcement access to its database). But
the Council also emphasized that perhaps the greatest barriers to
information sharing stem from practical and business considerations in
that, although important, the benefits of sharing information are often
difficult to discern, while the risks and costs of sharing are direct
and foreseeable. Thus, to make information sharing real, it is
essential to lower the practical risks of sharing information through
both technical means and policies, and to develop internal systems that
are capable of supporting operational requirements without interfering
with core business. Consequently, the technical means used must be
simple, inexpensive, secure, and easily built into business processes.
According to the Council, the policy framework must reduce
perceived risks and build trust among participants. Further, the
Council identified three general areas that must be addressed in policy
for the information-sharing network to assure network participants that
there is good reason to participate and that their information will be
dealt with appropriately. These areas concern policies related to what
information is shared within ISACs, across ISACs, and to and from
government; actions to be performed at each node in the information-
sharing network, including the kinds of analysis to be performed; and
the protection of shared information and analysis in terms of both
limitations on disclosure and use and information security controls.
The white papers also described the processes that are believed to
be needed to ensure that critical infrastructure and/or security
information is made available to the appropriate people with reasonable
assurance that it cannot be used for malicious purposes or
indiscriminately re-distributed so as to become essentially public
information. These processes and other information-sharing
considerations and tasks identified by the Council included the
following:
The ISAC information-sharing process needs to
recognize two types of information categories--classified and
sensitive but unclassified. However, the majority of
information sharing must focus on the unclassified ``actionable
element'' that points the recipient to a problem and to
remediation action.
Each ISAC is responsible for initially validating the
trust relationship with its member organizations and for
periodically re-assessing that trust relationship. The security
structure must understand and continually be in dialogue with
its vetted members and must manage this trusted relationship.
Each individual who receives shared information must
have a background check completed by and at a level of
comprehensiveness specified by the sponsoring organization.
Consequences and remediation must be developed and
understood to address situations in which information is
disclosed improperly--either intentionally or unintentionally.
The government's data and information requirements for
the sectors and the sectors' requirements for the government
need to be defined.
The government should establish a standing and formal
trusted information-sharing and analysis process with the ISACs
and sector coordinators as the trusted nodes for this
dissemination. This body should be brought in at the beginning
of any effort, and DHS products should be released to this
group for primary and priority dissemination to their
respective sectors.
Building this trusted information-sharing and analysis process is
also dependent on the protections the government provides for the
sensitive data shared by ISACs and private companies. As discussed
earlier, DHS recently issued the interim rule for submitting protected
critical infrastructure information, which provides restrictions on the
use of this information and exempts it from release under the Freedom
of Information Act. However, it remains to be seen whether these
protections will encourage greater private-sector trust and information
sharing with the federal government.
Identifying Roles and Responsibilities
Federal CIP law and policies, including the Homeland Security Act
of 2002, the National Strategy to Secure Cyberspace, and HSPD-7,
establish CIP responsibilities for federal agencies, including DHS and
others identified as sector-specific agencies for the critical
infrastructure sectors. However, the ISACs believe that the roles of
the various government and private sector entities involved in
protecting critical infrastructures must continue to be identified and
defined. In particular, officials for several ISACs wanted a better
definition of the role of DHS with respect to them. Further, officials
for two ISACs thought other agencies might more appropriately be their
sector-specific agencies. Specifically, the Energy ISAC would like its
sector-specific agency to be DHS and not the Department of Energy,
which is also the regulatory agency for this sector. On the other hand,
the Highway ISAC thought its sector-specific agency should be the
Department of Transportation--the regulatory agency for its sector--and
not DHS.
The ISAC Council also identified the need for DHS to establish the
goals of its directorates and the relationships of these directorates
with the private sector. The Council also wants clarification of the
roles of other federal agencies, state agencies, and other entities--
such as the National Infrastructure Assurance Council.
Obtaining Government Funding
Ten of the ISACs we contacted, plus the Healthcare sector,
emphasized the importance of government funding for purposes including
creating the ISAC, supporting operations, increasing membership,
developing metrics, and providing for additional capabilities.
According to ISAC officials, some have already received federal
funding: the Public Transit ISAC initially received a $1.2 million
grant from the Federal Transit Administration to begin operations, and
the Water ISAC received a $2 million grant from EPA for fiscal year
2004 to cover annual operating costs and expand memberships to smaller
utilities. In addition, the Financial Services ISAC received $2 million
from the Department of the Treasury to help establish its next-
generation ISAC and its new capabilities, including adding information
about physical threats to the cyber threat information it disseminates.
Despite such instances, funding continues to be an issue, even for
those that have already received government funds. For example, the
Healthcare Sector Coordinating Council, which is the sector coordinator
for the healthcare industry, is currently looking to the federal
government to help fund the creation of a Healthcare ISAC. Also,
officials at the Public Transit ISAC noted that funding is an ongoing
issue that is being pursued with DHS. Officials at the Financial
Services ISAC, who note that the ISAC's goal is to become totally
self-funded through membership fees by 2005, are also seeking
additional government funding for other projects.
The ISAC Council has also suggested that baseline funding is needed
to support core ISAC functionalities and analytical efforts within each
sector. The Council's suggestions include that the government should
procure a bulk license for the ISACs to receive data directly from some
vulnerability and threat sources and access to analytical or modeling
tools, and that the government should fund an ISAC analyst to work at
DHS to support analysis of sector-specific information or intelligence
requirements.
According to the Financial Services ISAC, DHS has agreed to fund
tabletop exercises for some ISACs. For example, according to DHS
officials, exercises are occurring this week involving the Banking and
Finance sector and exercises for other sectors are currently being
explored. In addition, energy sector-related exercises were held
earlier in the year. DHS officials also stated that funding
considerations for the critical infrastructure sectors and the ISACs
would be based on their needs.
Utilizing Sector Expertise
In our discussions with ISAC officials, several, such as officials
from the Surface Transportation and the Telecommunications ISACs,
highlighted their analysis capabilities and, in particular, their
analysts' sector-specific knowledge and expertise and ability to work
with DHS and other federal agencies. The ISAC Council also emphasized
that analysis by sector specific, subject matter experts is a critical
capability for the ISACs, intended to help identify and categorize
threats and vulnerabilities and then identify emerging trends before
they can affect critical infrastructures. Sector-specific analysis can
add critical value to the information being disseminated, with products
such as 24/7 immediate, sector-specific, physical, cyber, all threat
and incident report warning; sector-specific information and
intelligence requirements; forecasts of and mitigation strategies for
emerging threats; and cross-sector interdependencies, vulnerabilities,
and threats.
The Council also emphasized that although government analytical
efforts are critical, private-sector analytical efforts should not be
overlooked and must be integrated into the federal processes for a more
complete understanding. The private sector understands its processes,
assets, and operations best and can be relied upon to provide the
required private-sector subject matter expertise.
In a few cases, the integration of private-sector analytical
capabilities with DHS does occur. For example, the Telecommunications
ISAC, as part of DHS's National Communication System, has watch
standers that are part of the
DHS operations center and share information, when the information owner
allows it and when it is appropriate and relevant, with the other
analysts. In addition, a Surface Transportation ISAC analyst also
participates in the DHS operations center on a part-time basis to offer
expertise and connection to experts in the field in order to clarify
the impact of possible threats.
Participation in National Homeland Security Exercises
The ISAC Council highlighted the need for ISAC participation in the
national-level homeland security exercises that are conducted by the
federal government, such as DHS's May 2003 national terrorism exercise
(TOPOFF 2), which was designed to identify vulnerabilities in the
nation's domestic incident management capability. However, according to
the Council, there has been little or no integration of active private
industry and infrastructure into such exercises. For example, private
industry participation in TOPOFF 2 was simulated. The Council believes
that with such participation, both national and private-sector goals
could be established during the creation of the exercise and then
addressed during the exercise.
The Council did identify examples where the private sector is being
included in exercises, such as efforts by the Electronics Crime Unit of
the U.S. Secret Service to reach out to the private sector and support
tabletop exercises to address the security of private infrastructures.
Further, according to a DHS official, the department has agreed to fund
tabletop exercises for members of several ISACs, including Financial
Services, Chemical, and Electricity, as well as a cross-sector tabletop
exercise.
Additional Challenges
Additional challenges identified by our work and/or emphasized by
the ISAC Council included the following.
Obtaining Security Clearances to Share Classified
Information. As we reported last year, several ISACs identified
obtaining security clearances as a challenge to government
information sharing with the ISACs. Seven of the 15 ISACs with
which we discussed this issue indicated either that some of
their security clearances were pending or that additional
clearances would be needed.
Identifying Sector Interdependencies. Federal CIP
policy has emphasized the need to identify and understand
interdependencies between infrastructure sectors. The ISAC
Council also highlighted the importance of identifying
interdependencies and emphasized that they require partnerships
between the sectors and the government and could only be
modeled, simulated, or ``practiced'' once the individual
sectors' dynamics are understood sufficiently. The current
short-term focus for the ISACs is to review the work done by
the government and the sectors regarding interdependencies.
Similarly, a DHS official acknowledged the importance of
identifying interdependencies but said that it is a longer-term
issue.
Establishing Communications Networks. Another issue
raised through the ISAC Council's white papers was the need for
a government-provided communications network for secure
information sharing and analysis. Specifically, the Council
suggested that although functionality would be needed to
satisfy the ISACs' requirements, DHS's Critical Infrastructure
Warning Information Network (CWIN) could be used as an interim,
first-phase communications capability. According to the
Council, some of the ISACs are conducting routine
communications checks at the analytical level in anticipation
of expanded use of CWIN. In discussing this issue with a DHS
official, he said that ISAC access to a secure communications
network would be provided as part of the planned Homeland
Security Data Network (HSDN). DHS recently announced a contract
to initiate the implementation of HSDN, which is to be a private,
certified, and accredited network that provides DHS officials
with a modern IT infrastructure for securely communicating
classified information. According to DHS, this network will be
designed to be scalable in order to respond to increasing
demands for the secure transmission of classified information
among government, industry, and academia to help defend against
terrorist attacks.
DHS Information-Sharing Plan
At the time of our study, the relationship and interaction among
DHS, the ISACs, sector coordinators, and other sector-specific agencies
was still evolving, and DHS had not yet developed any documented
policies or procedures. As we discussed earlier, HSPD-7 requires the
Secretary of Homeland Security to establish uniform policies for
integrating federal infrastructure protection and risk management
activities within and across sectors. According to a DHS official, the
department is developing a plan (referred to as a ``roadmap'') that
documents the current information-sharing relationships among DHS, the
ISACs, and other agencies; goals for improving that information-sharing
relationship; and methods for measuring the progress in the
improvement. According to this official, the plan is to define the
roles and responsibilities of DHS, the ISACs, and other entities,
including a potential overlap of ISAC-related responsibilities between
IAIP and the Transportation Security Administration. Further, the
official indicated that, in developing the plan, DHS would consider
issues raised by the ISAC Council.
In summary, since first encouraged by federal CIP policy almost 6
years ago, private-sector ISACs have developed and evolved into an
important facet of our nation's efforts to protect its critical
infrastructures. They face challenges in increasing their sector
representation and, for some, ensuring their long-term viability. But
they have developed important trust relationships with and between
their sectors--trust relationships that the federal government could
take advantage of to help establish a strong public/private
partnership. Federal agencies have provided assistance to help
establish the ISACs, and more may be needed. However, at this time, the
ISACs and other stakeholders, including sector-specific agencies and
sector coordinators, would benefit from an overall strategy, as well as
specific guidance, that clearly described their roles,
responsibilities, relationships, and expectations. DHS is beginning to
develop a strategy, and in doing so, it will be important to consider
input from all stakeholders to help ensure that a comprehensive and
trusted information-sharing process is established.
Mr. Chairman, this concludes my statement. I would be happy to
answer any questions that you or members of the subcommittee may have
at this time.
If you should have any questions about this testimony, please
contact me at (202) 512-3317 or Ben Ritt, Assistant Director, at (202)
512-6443. We can also be reached by e-mail at [email protected] and
[email protected], respectively.
Other individuals making key contributions to this testimony
included William Cook, Joanne Fiorino, Michael Gilmore, Barbarol James,
Lori Martinez, and Kevin Secrest.
Mr. Thornberry. Thank you, sir. I appreciate your much more
detailed written statement which I read last night, that goes
into considerably more detail.
Mr. McCurdy, if you can do 5 minutes, we will go ahead and
have you at it.
STATEMENT OF THE HONORABLE DAVE MCCURDY, EXECUTIVE DIRECTOR,
INTERNET SECURITY ALLIANCE
Mr. McCurdy. Mr. Chairman, I am used to a 2-minute rule,
actually.
[Laughter.]
I will submit even the summary of my statement for the
record as well. Let me just briefly, as I understand what the
subcommittee is interested in. The Internet Security Alliance
was actually formed in April 2001, 5 months before 9-11. I was
actually in Tokyo at an OECD meeting on 9-11 defining cyber
security best practices. So we have been at this for quite some
time.
We formed a novel model. We had looked at the ISAC models
and we in industry, in representing the Electronic Industries
Alliance of over 2,500 member companies, found that those
models were not sufficient for the needs of industry in
improving cyber security. We created a cross-sectoral
international organization that integrates many of the security
services into one coherent model. The Internet Security
Alliance is structured in a fundamentally different way than
the traditional ISACs.
Let me just briefly say what they are. Cross-sectoral, we
have members from the financial industry, from insurance,
telecommunications, defense and security industries, consumer
electronics, food products, and even the National Association
of Manufacturers that represents over 12,000 companies. We
designed the organization this way because quite frankly the
Internet is structured this way, cross-sectoral. It knows no
borders. It knows no boundaries, whether it is national or
international. A cyber-attack on the Internet affects a lot of
these companies the same way. I do not care if you are AIG,
Coca-Cola, Sony, Verizon or Visa, all of whom are members of
the Internet Security Alliance.
I said it is international. We have members on four
continents. These are trusted partners, but they are dealing
with similar concerns, and that is consistent with the national
plan to secure cyber space. We are also developing security
anchor programs in Latin America and other countries such as
India.
Finally, our model attempts to provide, when I say a
comprehensive, coherent and integrated approach to cyber
security, we go beyond just information sharing. We had a
partnership with the CERT/CC. I serve on the board of advisers
for the Carnegie Mellon Software Engineering Institute and
developed this relationship over quite some time on how they
could improve their dissemination of information and get the
feedback from industry.
We developed best practices. We are in our third practice
book that just came out for small businesses. We had one for
corporate leadership, the CEO-level leadership in major
companies, and we had one for individual users. We have teamed
with groups in order to make that work. We get that information
from industry, working to build on the research also at
Carnegie Mellon. These practice editions have been endorsed by
TechNet and Partnership for Critical Security, NAM, the U.S.
Chamber, and others.
In addition to that, we believe that wide distribution is
critical, but currently it is not being done sufficiently. So
we have developed some market-based incentives and some
programs to try to get higher buy-in from the industry
leadership. We have developed a program with AIG insurance
where you have discounts if you follow best practices. There
are tools being developed by a consortium on security trying to
have metrics by which they can even determine whether or not
there is a qualified member in order to participate.
Finally, a lot of this I think when people think of cyber,
they think it is only an IT issue. It is both a physical and an
IT issue. They are interlinked. We have been doing this for
some time. TIA, Telecommunications Industry Association, is our
sector association in that space, and they have been a sector
leader on critical infrastructure long before 9-11 or the
recent concerns.
We are also working on risk management relationships and
initiatives with industry. Lastly, I think the headline from
this hearing and the question you really have is, how are we
working with DHS? I commend DHS for their efforts. They finally
have staff on the ground in place, and I think they are looking
at developing plans. They appear to have decided on the ISAC
Council as their prime link to the private sector, but the
ISACs, while critical elements in this struggle, quite frankly
do not represent everyone.
My concern from my experience, having sat where you do in
this very room for many, many hours, I can assure you that
government's approach is often silo-based and that is part of
the problem that we have seen in dealing with government
institutions and sharing. We decided we had to reach beyond
that. That is why we created the Internet Security Alliance. We
want to work with DHS. We want to be fully integrated into
their discussions and we want to be full members of the
partnership, whether that means that we are a cross-sector ISAC
at some point or a tier-one partner. We do not know what the
classification should be, but we do reach out. We have a great
deal of experience.
We also have a great deal of experience with the CERT/CC on
how we can help them improve the type of information which is
relevant to industry. We were talking about information
overload. I get emails every single day with another alert.
There were four this morning, as a matter of fact. I think
there is a way to narrow those. Mr. Dacey mentioned conference
calls. We want to analyze the information and we pull groups
together that actually take these alerts and translate them to
meaningful, actionable items that the corporate sector or
industry can actually work to improve their security.
Again, I appreciate the opportunity. I look forward to
working with you all. I commend you for your efforts. I know
how seriously you take this and how important it is for the
nation. Again, this is just not a national issue. This is
cross-border. It is international. We think we have opened the
way to help address the bigger plan, the bigger strategy of
reaching other countries as well.
Thank you.
[The statement of Mr. McCurdy follows:]
Prepared Statement of the Honorable Dave McCurdy
Thank you, Mr. Chairman.
My name is Dave McCurdy. I am President of the Electronic
Industries Alliance and Executive Director of the Internet Security
Alliance (ISAlliance).
I am delighted to be here today to discuss how the federal
government can improve its coordination with the private sector and
thus, improve worldwide information security.
As a cross-sector, international organization which integrates
many different security services into one coherent model, the Internet
Security Alliance is structured in a fundamentally different way than
traditional Information Sharing and Analysis Centers (ISACs). We
believe this model has much to recommend, not as a substitute for the
ISACs, but as a complement to them. I am concerned, however, that we
are not yet seeing this potential realized. Greater involvement and
coordination with the ISACs and the Department of Homeland Security
(DHS) would be extremely helpful to organizations like the ISAlliance
and the companies they represent, and I believe would be in the best
interests of our own national security.
Today I would like to cover three main points.
1. I would like to outline the model the Internet Security
Alliance operates under and suggest some fundamental
differences from the traditional ISAC model.
2. I want to discuss how this model facilitates the development
of an integrated, comprehensive, and coherent approach to cyber
security, and I want to offer a couple of examples of how this
approach can enhance our efforts to promote cyber security.
3. I want to raise some organizational issues regarding DHS
coordination with models such as ours. I believe that
organizations such as ours need to be fully integrated into the
public private partnership between DHS and the private sector,
either as an inter-sectoral ISAC or with equivalent status
within the tier one partnership with the ISACs.
Before I begin I want to make our posture with respect to the ISACs
very clear. About a quarter of our membership also participates in
ISACs. Some of our Board members also serve on the Boards of various
ISACs. We regard the ISACs as ``comrades in arms.''
It is surely true that there are some issues unique to industry
sectors that are most effectively dealt with by a sector specific
domestic entity. However, the ISAlliance also concurs with the National
Strategy to Secure Cyber Space that found that ``some cyber security
problems have national implications and cannot be solved by individual
enterprises and sectors alone.''
We do not seek to displace the ISACs; we seek to work more closely
with them, and DHS.
THE INTERNET SECURITY ALLIANCE MODEL
CROSS-SECTOR INFORMATION SHARING & ANALYSIS AVAILABLE TO ALL
The ISAlliance was created in April of 2001, five months before the
attacks on the Pentagon and the World Trade Center. We created it
because, even then, we saw the need for a new approach to the growing
cyber threat.
In contrast to the ISACs, which are generally structured along
traditional industry specific silos, the ISAlliance has members from
many different sectors. We designed the organization this way because
the Internet is organized this way. Essentially, we are all using the
same Internet. So, from the cyber security perspective the threats and
attacks may be very similar regardless if you are Coca-Cola, Sony, Visa
or VeriSign (all members of ours). As a result, there is much to learn
from, and help can be offered to, your brother companies regardless of
industry sector.
As a member of the Board of Advisors of the Software Engineering
Institute at Carnegie Mellon University, I have had substantial contact
with the experts at the CERT/cc at Carnegie Mellon who educated me on
this growing problem in 2000. We decided then that the private sector
needed to not only contribute to, but to demonstrate leadership in
making this critical infrastructure more secure. We devised a creative
public private partnership, which integrated and maximized the
complementary assets of CERT, the federal government and private
industry.
CERT/cc, which was funded primarily by the U.S. federal government,
had long been recognized as the premier center for Internet threat and
vulnerability information. But it lacked a practical channel to get
this information to the private sector, or stimulate interest in the
necessary education, training, policy development and incentive
programs that would be required to fully achieve the goal of
information security.
EIA has been involved in physical security through the
Telecommunications Industry Association (TIA) which is both a sector of
EIA and an ISAC sector coordinator. Since we understood that physical
and cyber security are most effectively dealt with in an integrated
fashion, we sought a mechanism to bring these entities together.
We decided on a collaboration between CERT/cc and EIA called the
ISAlliance. Using the EIA member companies as a marketing base we
recruited corporations to join the ISAlliance. They paid dues and, in
return, operating under strict non-disclosure agreements, would receive
access to prime CERT/cc information. They would share this information
with each other and the CERT/cc to identify and analyze looming threats
and collectively work on solutions.
Since the ISAlliance members were receiving more from CERT/cc than
the general public they agreed to pay a fee for this benefit. It was
seen as a user fee similar to that paid by patrons at National Parks.
While some companies using other, non-CERT ISAlliance services
paid substantial dues, we never wanted money to be a barrier to entry
into the ISAlliance. Dues entitling companies to the same CERT/cc
information (albeit fewer copies) were set as low as $3,000 a year--
affordable for virtually any private firm. And, though we don't like to
publicize it for obvious reasons, we have made financial adjustments
for companies who had difficulty making the specified dues payment.
INTERNATIONAL
The ISAlliance is also focused internationally, where ISACs tend to
be U.S.-centric. The ISAlliance has members on four continents. Our
current Chairman of the Board, Dr. Bill Hancock, is from a British
company and we have four other non-U.S. based companies on our Board
along with eleven U.S. based companies. The international aspect of our
efforts is important because cyber security is inherently an
international issue. Many attacks originate offshore and implementing a
truly effective means of securing cyber space must include finding and
working with trusted offshore partners.
As the U.S. National Strategy to Secure Cyber Space states, in
part: ``America's cyberspace is linked to the rest of the world. . . .
Securing global cyber space will require international cooperation to
raise awareness, increase information sharing, promote security
standards. . . . The United States will seek the participation of U.S.
industry to engage foreign counterparts in peer-to-peer dialogue with
the twin objectives of making an effective business case for cyber
security and explaining successful means for partnering with government
on cyber security.''
I'd like to offer a quick example of our efforts. After making a
presentation to the Organization of American States (OAS) first broad
conference on cyber security last August, OAS staff requested that the
ISAlliance construct a specific program to integrate the private sector
in the OAS region into the state-to-state programs for cyber security
that were being developed. We came up with what we call our ``Security
Anchor'' program.
This program is built on the ``Transition Partner'' program
developed at Carnegie Mellon University. Under the Security Anchor
Program private sector entities would obtain a special membership with
the ISAlliance, which will allow them to essentially become ``branch
offices'' within their regions. The Security Anchor for the region
would distribute appropriate information about threats and
vulnerabilities and hold meetings and conferences, but on local time
providing translation as necessary for materials. The Anchor ``tenant''
would also be required to send personnel to Carnegie Mellon where they
would be trained as trainers. The Anchor would then provide this
training in their region, for which they could receive payment. We
believe providing a market incentive to our Anchor partner is the most
efficient and effective way to accomplish the goals set forth in our
National Strategy.
In this way we hope to make international cyber security ``home
grown.'' We believe this is the only way that we can hope to succeed in
reaching the international goals as set forth in the National Strategy.
The U.S. can't expect to ``export'' security.
AN INTEGRATED COMPREHENSIVE AND COHERENT APPROACH TO CYBER SECURITY
USING MARKET FORCES AS INCENTIVES
The ISAlliance attempts to provide its members with a
comprehensive, coherent and integrated approach to cyber security that
uses market forces to drive on-going improvements in cyber hygiene.
INFORMATION DISSEMINATION AND ANALYSIS
Like many ISACs, we begin with information dissemination and
sharing about emerging threats, vulnerabilities and attacks on the
Internet. We have historically done this through a contractual
relationship with the CERT/cc as a founding partner in the ISAlliance.
In our three years of operations we have sent out literally
thousands of these notices. We just released our first quarter
technical report to the membership, which showed that in 2004 alone we
have already sent out through our e-mail channel hundreds of reports,
which have been followed by scores of analytical conferences between
the members and CERT/cc.
When we started several years ago, our prime activity was
information sharing, mostly through e-mail notices. However, experience
has taught us that simply disseminating information is by no means
enough. In fact, our members have told us that at times there is too
much information being circulated and the real need is to be able to
separate out what is important and what is simply noise.
Information analysis is critical if threat and vulnerability data
is to be used effectively. We facilitate the analytical process with
regularly scheduled, as well as specially scheduled, meetings wherein
our members discuss the state of the network with the CERT/cc
professionals. We have found the regularity of this process creates,
over time, a sense of trust and confidence that we think is vital for
effective information sharing.
DEVELOPING BROADLY ENDORSED BEST PRACTICES
While information sharing and analysis is a critical first step on
the road to cyber security, it is not sufficient to secure cyber space.
Virtually every recent major attack we have experienced, such as
Blaster, Slammer, or MyDoom, resulted from a vulnerability which was
already well known in the community.
At the ISAlliance we took the collaborative process of sharing
information and built from it a systematic program of best practices.
The process of developing the best practices is led by the experts at
Carnegie Mellon and CERT/cc and is consistent with the years of
grounded research they have done and the theory of security that has
evolved from their experience and analysis.
However, we also involve the full membership in our processes, so
that the perspectives of actual businesses from multiple sectors and
countries are folded into the final product. One advantage of this
inclusive process has been that our practices have received an
impressive level of support and endorsement from a wide breadth of the
user community.
For example, our first publication, ``The Common Sense Guide for
Senior Managers'' was endorsed by the National Association of
Manufacturers (NAM) which represents 12,000 of the most traditional of
industries, as well as TechNet which primarily represents the high-tech
companies in Silicon Valley. Internationally it has been translated
into Spanish and Japanese and was endorsed by the U.S. India Business
Council and distributed by the Organization of American States.
CREATING MARKET INCENTIVES TO ENCOURAGE ADOPTION OF BEST PRACTICES--THE
QUALIFIED MEMBER PROGRAM
However, developing best practices is also not enough. CEOs are
overwhelmed with information. To succeed with them on this subject,
which has traditionally been viewed as a ``cost center,'' you have to
do more than just tell them it's the right thing to do. We have to talk
about issues they care about, like profitability, liability protection
and marketing. We need to develop market incentives to increase the
Return on Investment (ROI) for cyber security.
The ISAlliance has taken the lead on this issue. In the final
quarter of 2003 we signed an agreement with AIG, which is the world's
market leader in cyber insurance. Under this new agreement AIG will
provide insurance premium credits of up to 15% for companies that will
join the ISAlliance and subscribe to our best practices. We believe
this is the first operating program which specifically ties a widely,
and independently endorsed set of cyber security best practices
directly to lower business costs.
We are working through AIG and the Global Security Consortium
(GSC), comprised of the big auditing and accounting firms, on empirical
standards which we will be able to use to measure compliance with
these practices. Not only will this tool enable us to more reliably
determine who qualifies for the credits, but also it opens up another
potential market incentive for improved security. We want to interest
firms in marketing cyber security.
Firms that achieve a specified score will be deemed a ``Qualified
Member'' allowing them to use that designation as a market
differentiator. Through this mechanism we hope to make cyber security a
useful marketing tool for good actor companies, much like the Baldrige
Award has been used for high quality companies. GSC hopes to have their
tool completed shortly and then this phase of the program can begin.
DISCOUNTED EDUCATION AND TRAINING COMPLETE THE LOOP
Finally, for firms who don't yet score at an appropriate level to
qualify for our discounts, we offer access to a wide range of training
programs through Carnegie Mellon University. In keeping with the market
orientation of our program, the more active a company is in the
ISAlliance, the greater the discount they can receive on their
training. Our interest is to accurately inform organizations where they
stand in relation to the widely endorsed best practices, and help them
reach an appropriate level if they are not already there. Most
importantly, the people doing the training are operating on the same
assumptions and best practices that we started with in the first place
thus creating a truly coherent program.
BEST PRACTICES FOR SMALLER BUSINESSES
This program is just one example of our activities. In fact, this
afternoon we will be testifying before another Committee on a similar
program, this time specifically targeted to the unique needs of smaller
businesses. The National Cyber Summit, recognizing the value of
programs such as I have just described, and realizing that there was
not nearly enough being done to reach out to smaller businesses, asked
us to undertake this new effort this past December.
Although smaller businesses have not until now been our prime
market interest we agreed to take up the challenge. Working with the
U.S. Chamber of Commerce, the National Federation of Independent
Business (NFIB) and NAM we followed the same integrated, market
centered model we described above. We held ten focus groups involving
nearly 100 small businesses to find out what needed to be done to
improve their cyber security.
What we learned was that smaller institutions are indeed different
from larger ones. In fact, we found that organizations across a wide
spectrum of business types had remarkably similar problems from a cyber
perspective. The similarities for these businesses were not the type of
business they were in, but the size of their business and the extent of
the technology available to them. As a result, the ``Common Sense Guide
to Cyber security for Small and Medium Sized Businesses'' looks quite
different from the Guide for Senior Corporate Managers.
We are happy to report that what was not very different is the
response, which has been extremely positive. Already the Cyber Security
Partnership that grew out of the National Cyber Summit as well as on
the web sites for the ISAlliance, the Electronic Industries Alliance
and the National Association of Manufacturers is distributing the Small
Business Guide. The U.S. Chamber of Commerce has informed us they
expect to endorse the document at their next Board of Directors meeting
and the Financial Services Sector Coordinating Council, an alliance of
28 financial services trade associations will be making it available to
their members and holding a series of meetings with thousands of its
members where the Guide will be highlighted.
Given the fact that this project is only a couple of months old we
are naturally very encouraged. When mature, we fully expect this
program will be coherent, measurable and market driven just as was the
case with the Senior Managers program.
CYBER AND PHYSICAL SECURITY--REACHING OUT TO RISK MANAGERS
Another area we are working on is the integration of cyber and
physical security. We believe, as Secretary Ridge has said, that you
can't have cyber security without physical security and you can't have
physical security without cyber security. However, in corporate America
there remains a misconception that cyber security is an ``IT problem.''
While obviously there are many IT aspects to cyber security it is not
properly classified only as an ``IT problem.''
Cyber security is a management problem. It is an economic problem.
It is an employee training, compliance and retention problem. Most of
all, cyber security is a risk management problem. However, most
corporate structures still relegate the discussion of cyber security to
the IT department rather than fully integrating it into the discussions
with physical security and risk management. We have heard a good deal
of talk recently about structures within the federal security
bureaucracy which may have limited information sharing and proper
threat management. Private industry is not immune to these same types
of organizational problems.
Therefore, we have recently undertaken a pilot study reaching out
to the risk managers in industry in an attempt to find out how we can
better involve them in the cyber security discussion. We believe that
it's critical to better integrate physical and cyber security issues
within the overall corporate risk management structure. We are trying
to find out how we can do that, from the people who are actually making
the organizational, budgeting, and resource allocation decisions.
Although we have initiated this study, it is too early to report
results. We do expect however, that, as was the case with our other
projects, we will learn from this effort and we can make further impact
in securing cyber space. We look forward to sharing these approaches
both with industry, and to the federal government.
NOT JUST SERVICES; A COHERENT INTEGRATED PROGRAM
We believe the comprehensiveness of the ISAlliance program is
making a positive contribution to the cause of information security.
- Hundreds of technical notices about Internet threats
and vulnerabilities each year to our members from the best
source available to private industry.
- Scores of analytical conferences to discuss the data
and what to do about it.
- Development of best practices that are widely endorsed
and disseminated both domestically and abroad.
- Development of independent, auditable third-party
evaluation tools and methods.
- A program of market-based incentives to improve the
ROI for cyber security.
- Education, training and public policy programs.
- Initiating new programs to push the envelope into
heretofore underserved populations.
But the key aspect is that it is a coherent program. We start with
the hard data we get from CERT and we blend into that the real world
needs and experiences of industry and develop programs, practices and
policies which can drive pragmatic improvements. And then, if
individual entities can't make the grade they are offered training
based on the same theories and practices that were used to develop the
best practices.
COORDINATING WITH THE ISACS AND DHS
As proud of these accomplishments as we are, we have some concerns
for the future.
We supported, and continue to support, the creation of the
Department of Homeland Security. We in no way wish to be critical of
the effort and sincerity of the people who are working at DHS. They are
working very hard to accomplish an enormous task virtually immediately.
We sincerely hope that our testimony at this point will be taken in the
spirit it is given, constructive suggestions that we believe will
assist all of us who are working in this space to be more effective.
In fact the ideas we offer the Committee today have been previously
raised with staff and principals and we are continuing to work on them.
We anticipate that in the due course of time they will be
satisfactorily resolved. We believe, however, that there are very
important issues, which must be appropriately addressed.
DHS SHOULD COORDINATE WITH ALL INFORMATION SHARING ORGANIZATIONS--
NOT JUST ISACS
We suggest DHS broaden its systematic communication to include
organizations, such as the ISAlliance, who are providing important
services, although they are not ISACs.
In the interdependent cyber world the ``critical infrastructures''
may be dependent on the ``non-critical'' organizations that service
them. In addition to the IT, telecom and financial institutions we
represent we count the National Association of Manufacturers among our
sponsors. These are the people who manufacture the parts used to
construct our defense products and operate the supply chains upon which
many ``critical'' businesses rely. These organizations also need to be
systematically included in the on-going public private partnership with
DHS.
Moreover, while we are focused on cyber security today from a
national security perspective, most Internet attacks have nothing to do
with international terrorism. Cyber security is also a critical
business issue and from a business perspective the ``non-critical''
portions of the economy deserve as much protection as the rest of the
economy.
The Department of Homeland Security seems to have decided upon the
ISACs and the ISAC Council as the primary linkage to the private
sector. Since we are not formally an ISAC, we are not part of the ISAC
Council and hence we are not in many of the meetings and discussions
from which DHS appears to be receiving their primary input. We would
like to work with DHS and the ISAC Council to integrate our broad
membership into this forum.
Two years ago Congress passed legislation, which attempted to
facilitate the sharing of information between private industry and the
government. In the initial drafts of that bill the adjustments to FOIA,
etc. were confined to ISACs. It was correctly pointed out to the
drafters that there is in fact information sharing outside of the
formal ISAC structure and the legislation was redrafted to read
``information sharing organizations.'' We believe DHS should follow
this precedent in developing their public private partnership.
COMPANIES NEED THE CERT/CC DATA THEY HAVE COME TO RELY ON
Over the past several years the nearly 60 companies who are members
of the ISAlliance have come to rely on our working relationship with
CERT/cc. Last year, DHS announced that they would be launching USCERT
utilizing in the main the facilities formerly known as CERT/cc at
Carnegie Mellon.
We have no objection to DHS creating USCERT. Indeed, we see it as
following and extending the model we created over three years ago for
how to disseminate CERT/cc data to the private sector.
However, it would be problematic if suddenly the ISAlliance members
who have relied on this information to build their corporate security
plans and policies, are now denied access to that data.
Indeed, such an outcome could result in a substantial reduction in
corporate cyber security as companies scramble to find alternative ways
to receive this information. Moreover, the fact that this data might
now be available through an ISAC is not an answer since the majority of
the ISAlliance members do not participate in ISACs.
We would like to work with DHS to assure that the transfer from
CERT/cc to USCERT and their new partners does not ironically result in
less information being available to some worthy companies.
I want to conclude by noting that DHS has been open to meeting with
us and discussing ways to coordinate with us. Just a few weeks ago I met
privately with Assistant Secretary Liscouski who was most gracious and
cooperative. I also want to single out Director Yoran, who has been
especially helpful and has directed that at least for the short term
the ISAlliance not be denied access to the data its membership has come
to rely on. We are now hoping to finalize an appropriate long-term
solution. Moreover, DHS staff have attended meetings with our
membership and been very supportive. We want to thank and congratulate
the whole team at DHS for their commitment and efforts.
And finally I want to thank you, Mr. Chairman and the joint
Committee for all your work and for holding this hearing this morning.
Mr. Thornberry. Thank you. A lot of issues to pursue. This
hearing will stand in recess until five minutes after the
conclusion of these votes. It will be more than 30 minutes, so
if you all have a chance to go get something to eat or
whatever, please do.
We stand in recess.
[RECESS]
Mr. Thornberry. We are going to go ahead and get started. I
think Mr. McCurdy will be back shortly. Apparently, he went
down to have a sandwich and probably had long lines.
Thank you all again for your patience. Ms. VanDe Hei, thank
you particularly for yours. Now, we will turn to you and give
you an opportunity to summarize your statement and then we will
turn to questions.
STATEMENT OF DIANE VANDE HEI, VICE CHAIR, INFORMATION SHARING
AND ANALYSIS CENTER COUNCIL
Ms. VanDe Hei. Thank you, Mr. Chairman. I assume that my
written testimony will be part of the record. The summary can
be as well.
Mr. Thornberry. Previously, we had unanimous consent for
all full written statements to be made part of the record.
Ms. VanDe Hei. I am also assuming you have saved the best
for last, so I thank you, Mr. Chairman.
Mr. Thornberry. Absolutely. Let me just say this, we are
much more relaxed on time now. We have no more votes today, so
that may work to your benefit or your detriment, depending on
how you look at it.
Ms. VanDe Hei. Thank you, Mr. Chairman and distinguished
members of the subcommittees. It is an honor for me to be here
today to talk with you about the private sector's relationship
with the Department of Homeland Security. My name is Diane
VanDe Hei. I serve as the vice chair of the ISAC Council. I
also serve as the executive director of the Association of
Metropolitan Water Agencies and the WaterISAC, Water
Information Sharing and Analysis Center.
In the way of background, the ISACs originated when the
Federal Government issued its policy on critical infrastructure
protection, otherwise known as Presidential Decision Directive
63. That directive carried through to the new Administration
but it is now embodied in a new directive called HSPD-7. I
cannot tell you what it stands for, but we do pay attention to
what it says. It continues the emphasis on ISACs and the need
to share information.
The ISAC Council brings together 14 sectors at this point,
including the eight originally designated critical
infrastructures. We have tried to be inclusive, rather than
exclusive, wanting to learn from each other. The goal of the
ISAC Council is to look at not only how we can learn from each
other in terms of the models we use, but also to look at
interdependencies. We have formed trusted relationships with
the other sectors including electric, rail sector, and others
so that if something happens to them, they can work with us.
One of the primary goals of the ISAC Council was to build that
kind of trusted relationship among sectors, but also to begin
to look at how we could better share information with the
government and the government could share it with us.
To improve the ISACs and to help communicate with
government, the ISAC Council has developed eight white papers
that reflect the collective analysis of the members of the
ISACs and cover a broad set of issues and challenges. These
papers recognize the critical leadership role played by the
private sector with respect both to the organizational
structure established in the ISAC, for analysis and information
sharing, and in the interaction of the ISACs with the
Department of Homeland Security and other government agencies
addressing the challenges of infrastructure protection. We have
shared these papers with Hill staff, DHS and GSA.
One of the primary challenges to government and the private
sector is the establishment of a trusted partnership. You have
undoubtedly heard that a number of times. As I think you all
know, trusted partnerships cannot be legislated, regulated or
even stipulated, nor can partnerships be purchased, traded or
incorporated. We have learned that our ISACs need the full
support and confidence of certain key elements of government to
create and maintain a successful comprehensive security
strategy.
Furthermore, we are also keenly aware that we, the critical
infrastructures, need to maintain a trusted relationship with
our government partners so that we can work with them and their
staffs to maintain the delicate balance between security and
privacy. Our relationship with DHS has had a few bumps in the
road, but overall we have progressed, and I believe have common
goals and agree on the strong need to partner in information-
sharing and analysis.
As with the maturation of DHS, so has each of our
collective ISACs. I do believe that the government assisting
the private sector with baseline funding for certain sectors is
ideal. The WaterISAC, the one I am most familiar with, for
example has received funding from Congress and the U.S.
Environmental Protection Agency, while we as a sector continue
to build the private sector contribution to the ISAC. Although
the information on the WaterISAC is available to 54,000
community water systems and over 15,000 publicly owned waste
water treatment facilities, our fee for service is based on
populations served. We do not differentiate between the kind of
information utilities receive, but we differentiate based on
the size of the system. The range in price is from $500 a year
to $7,500 a year.
By doing this, we hope to get all of the utilities
subscribing to the ISAC. Having said that, that has not
happened. So our next enhanced phase of the WaterISAC is going
to be development of a push email service that will go to
thousands of drinking water and waste water utilities, a
service that will send DHS and EPA notices and advisories that
need to be sent out simply because that is the ethical thing to
do. So we are working on that this year and hope to have the
new system in place before the end of the year.
Other ISACs, as you might expect, are structured
differently depending on the composition of the sector and the
breadth and scope of the services that sector has decided is
needed. Banking and finance is different from water is
different from electric is different from telecom.
In addition, the DHS IAIP regularly meets with the ISAC
Council and listens to many of our concerns regarding the need
for their strong support of the ISACs and the improvement of
our information-sharing capabilities.
If I could leave you with two recommendations, it would be
these. We need your help to ensure that the private sector's
investment in their ISACs is built upon and strengthened. I
believe that once you lose this voluntary work, research that
people have been doing, that it will be lost for good. So we
need your help to ensure that the investments that have been
made in building these things are built upon, used and enhanced.
Second, we need your help to insist that the private sector
be included up front in the analysis of intelligence.
Government must learn to trust infrastructure owners and
operators with real information that allows us to apply our
resources in a smart way to protect the infrastructures. Again,
I will just give you a quick example. The WaterISAC employs
analysts that have top security-plus clearances so that they
can communicate with intelligence officials in order to provide
insights into what its impact on water might be. Even with that
capability, we find that it is after the fact that we are often
involved, or allowed to participate in any sort of review into
what a threat to our water system might be. So we could use
your help in that manner as well.
That concludes my remarks. I would be glad to answer any
questions you might have.
[The statement of Ms. VanDe Hei follows:]
Prepared Statement of Diane VanDe Hei
Introduction
Good afternoon, Chairman Thornberry, Chairman Camp, and
distinguished members of the subcommittees. It is an honor and a
privilege to meet with you today to discuss the private sector
interaction with the Department of Homeland Security (DHS).
I would like to thank both the Cyber Security, Science, Research &
Development Subcommittee and the Infrastructure and Border Security
Subcommittee for creating this important opportunity and inviting the
ISAC Council to be here today.
My name is Diane VanDe Hei. I serve as Vice Chair of the
Information Sharing and Analysis Center (ISAC) Council. I am also
Executive Director of the Association of Metropolitan Water Agencies as
well as the Water Information Sharing and Analysis Center (WaterISAC).
Background
ISACs originated when the Federal Government issued its policy on
Critical Infrastructure Protection, otherwise known as Presidential
Decision Directive 63. PDD-63 has been replaced with HSPD-7, to
authorize and encourage national critical infrastructures to develop
and maintain ISACs between the private sector in cooperation with
federal government as a means of strengthening security and protection
against cyber and operations attacks.
The ISAC Council
Homeland security presents significant challenges for the ISAC
community and we look forward to working directly with you in the
coming months. The work you are doing is extremely important and you
have the commitment of the ISAC Council to do everything we can to
assist in protecting the critical infrastructures of the United States.
I am here today to briefly discuss the ISAC Council and its role in
protecting critical infrastructures. Members of the subcommittees, the
ISAC Council voluntarily formed almost two years ago. Our goals are to
discuss interdependencies and how we can develop better
communications--among the various sectors and across borders--as well
as what information should be shared on both physical and cyber issues
within the sectors and with the government.
The Council has grown from representing eight sectors to include 14
sectors. In addition to the private sector membership, the ISAC Council
also includes government ISACs such as Emergency Management and
Response, who report to DHS, as well as the Multi-state ISAC.
Early on the ISAC Council saw the need to be a very inclusive
group. Although each of our sectors is unique in composition they are
also intimately intertwined with each other, and a catastrophe in one
sector can impact many others. We have seen this on a number of
occasions. Take 9/11 for example, we had a physical impact on the twin
towers, which impacted telecommunications and electric services, as
well as closing Wall Street for four business days. Additionally, the
northeast power outage impacted several sectors including drinking
water, wastewater, transportation and small businesses alike.
To improve the ISACs and to help communicate with government, the
ISAC Council has developed eight white papers that reflect the
collective analysis of members of the ISAC Council and cover a broad
set of issues and challenges. The topics include:
Government--Private Sector Relations
HSPD-7 Issues and Metrics
Information Sharing and Analysis
Integration of ISACs into Exercises
ISAC Analytical Efforts
Policy Framework for the ISAC community
Reach of the Major ISACs
Vetting and Trust
These papers recognize the critical leadership role played by the
private sector, with respect both to the operational infrastructures
established in ISACs for analysis and information sharing and in the
interaction of ISACs with the Department of Homeland Security and other
government agencies addressing the challenges of critical
infrastructure protection. We have shared these papers with Hill staff,
DHS and GSA.
We believe that these papers are only the beginning steps in
tackling the serious policy and process issues challenging the
implementation of an effective private sector and government
information sharing and analysis partnership. The ISAC Council is
continuing to work on concrete actions to increase ISAC support to the
nation. To facilitate this effort, the ISAC Council members communicate
on a daily basis (conference calls or by email) on operations and on an
as needed basis for large new vulnerability announcements and/or
incidents.
Government--Private Sector Partnerships
One of the primary challenges to government and the private sector
is the establishment of trusted partnerships. I believe we all agree
that partnerships between government and the private sector are
essential and since 9/11, it has become even more critical for these
partnerships to mature in order to effectively address homeland
security issues.
As you all know, trusting partnerships cannot be legislated,
regulated, or even stipulated. Nor can partnerships be purchased,
traded or incorporated.
Partnerships are built between people and organizations that
recognize the value in joint collaboration toward a common end. They
are fragile entities that need to be established and maintained by all
participants and built upon a foundation of trust.
We have learned that our ISACs need the full support and
confidence of certain key elements of the government to create and
maintain a successful and comprehensive security plan. Furthermore, we
are also keenly aware that we, the critical infrastructures, need to
maintain a trusted relationship with our government partners so that we
can work with them and their staffs to maintain the delicate balance
between security and privacy.
Our relationship with DHS has had a few bumps in the road, but
overall we have progressed and, I believe, have a common goal and agree
on the strong need to partner in information sharing and analysis.
As with the maturation of DHS, so have each of our collective
ISACs. I do believe that the government assisting the private sector
with baseline funding for certain sectors is ideal. The WaterISAC, for
example, has received funding from Congress and the U.S. Environmental
Protection Agency (EPA) while we continue to build the private sector
contribution to the ISAC. Although the information on the WaterISAC--
available to 54,000 community water systems (90 percent publicly owned
and 10 percent investor owned) and 15,000 publicly owned treatment
works--is available to all subscribers, our fee for service to these
utilities is tiered based on population served. By doing so, we hope to
make the WaterISAC affordable to all drinking water and wastewater
utilities. In addition with the help of congressional funding, this
year we will broaden the reach of the WaterISAC by developing a push
email system that will be capable of reaching thousands of drinking
water and wastewater utilities with federal advisories and notices.
Other ISACs, as you might expect, are structured differently
depending on the composition of the sector and the breadth and scope of
the services the sector decides are needed. That being said, we must
keep our ISAC models intact, meaning that the government should not
attempt to dictate how the individual ISACs are structured nor how
information is provided, analyzed and reported to government.
On a very positive note, DHS has agreed to pilot the HSIN network
with the water and electric sectors and has also provided funding to do
tabletop exercises with the Financial, Telecommunications, and Electric
Sectors.
In addition, DHS IAIP regularly meets with the ISAC Council and
listens to many of our concerns regarding the need for their strong
support of the ISACs and the improvement of our information sharing
capabilities.
Summary
The ISAC Council plays an important role in homeland security. It
brings together diverse sectors, examines commonalities and most
importantly cements trusting partnerships that allow us to share
information, learn the best from each other and enhance communication
among interdependent sectors.
If I could leave you with two recommendations it would be these: We
need your help to ensure that the private sector's investment in their
ISACs is built upon and strengthened. Once lost, this type of voluntary
commitment will be very difficult if not impossible to rebuild.
Secondly, we need your help to insist that the private sector be
included ``up front'' in the analysis of intelligence. Government must
learn to trust infrastructure owners/operators with real information
that allows us to apply our resources in a smart way to protect the
infrastructure.
Thank you for the opportunity to testify today. I would be happy to
answer any questions.
Mr. Thornberry. Thank you.
Ms. Lofgren?
Ms. Lofgren. I am interested, Ms. VanDe Hei, on how not
every water entity belongs to the ISAC. Am I correct?
Ms. VanDe Hei. That is correct.
Ms. Lofgren. So how do you disseminate and communicate with
those entities that are part of the whole system, but not
actually part of the ISAC?
Ms. VanDe Hei. From 9-13-2001, the first thing we did was
to develop an email push system that could reach thousands of
utilities. We maintain that today. So although the subscribers
to the WaterISAC receive it, the WaterISAC is both the
knowledge base that we house sensitive information on, and also
a means of sending out encrypted email. At the same time, we
have maintained the push email system that we had developed
almost three years ago. So when need be, we just push it out.
This advanced system that I was talking about earlier where
we were developing a new system where it would just be pushed
out to thousands of utilities, we have the funds to do that
today and we hope to have that by the end of the year. So we
will be reaching both subscribers and those who do not join the
WaterISAC.
Ms. Lofgren. Looking at it from the other point of view,
the information that DHS needs about threats, from what Mr.
Liscouski said, they are dependent upon the entities involved.
So you would have information about your part of the water
world. How do you involve the rest of the water world that is
not a part of the ISAC in that threat assessment activity? Are
they asked to participate? How are they identified and
included?
Ms. VanDe Hei. In the assessment of their individual
utilities?
Ms. Lofgren. We have yet to accomplish a comprehensive
threat assessment.
Ms. VanDe Hei. Yes.
Ms. Lofgren. What I think the testimony is that we are
soliciting information from various entities in charge of
aspects of American life about what the threat is. ISACs are
part of that protocol, but not everybody who is a part of the
world is a part of the ISAC. How do we include them? Do you
play a role in that? Does the Department do it directly?
Ms. VanDe Hei. What we have done is we have included both
on the secure site and on the public site an incident reporting
form that anyone can fill out. It comes into the WaterISAC for
the analysts to look at. That information is shared with the
intelligence community, particularly if it looks like it is a
pattern in a region. So we have it available both on the
private site and the public site. So you could go to the public
site and report an incident, and it would go to the analysts
and be treated seriously.
Ms. Lofgren. That may or may not be good news if it is a
public site and the terrorists have access, too.
Ms. VanDe Hei. It will go into the system is what it will
do.
Ms. Lofgren. Have you, for example in your ISAC, been
solicited for critical information, threat assessment
information?
Ms. VanDe Hei. No. Drinking water systems are a little bit
different in that they were required in 2002 to do
vulnerability assessments and to provide them to EPA. So we
know that the 500 largest systems serving over 100,000 people,
those are done.
Ms. Lofgren. Right, but we do not know whether DHS has
actually availed themselves of that information.
Ms. VanDe Hei. We do not, but they are being treated as
sensitive documents. I understand that they have requested the
ability to view them. How often, how frequently, I am not
privileged to that information.
Ms. Lofgren. Just out of curiosity, thinking about how this is
structured, in California, if you know, who belongs to the ISAC
in the water world? Who belongs and who does not belong in the
WaterISAC?
Ms. VanDe Hei. I do not have that list with me today.
Ms. Lofgren. Could you send it to me later?
Ms. VanDe Hei. Sure.
[No list provided to the Committee by the time of
printing.]
Ms. Lofgren. I appreciate that. Thank you very much.
I am interested, Mr. Dacey, on the ISACs, it is the same
question. The Department of Homeland Security needs to reach
out for this critical infrastructure assessment. Do you know
what DHS is doing to reach out to non-ISAC entities for this
information?
Mr. Dacey. I am not familiar with the exact actions they
are taking, but I think that is certainly an area that has been
identified by pretty much everyone as an area that needs to be
addressed. If you look broadly across the ISACs when they were
initially formed, although if you look at the numbers a large
portion of the operations of the industry generally are
represented, oftentimes that is concentrated in a relatively
small number of entities that are the leaders in those
industries. We have a large number, and we gave some examples
in our testimony in financial services, a large number of
entities that are not participants in the ISACs, but are
members of the industry; that are important, but do not
represent the same level of volume. So I think that has been a
longstanding issue.
With respect to financial services, they actually worked
with the folks at Treasury who is their sector-specific agency,
and came up with what is called the next-generation ISAC,
because their views were that this rebel population was not
willing to pay a significant amount of money in order to
participate in the ISAC. So they have developed a model where
there is a certain basic level of services that are available
free to all participants who want to join the ISAC and then
have a tiered approach where you pay more at different levels
to get a higher level of services. I think that is an issue
that needs to be addressed. There are tiers in several of them,
but not certainly across all of them. That is one of the areas
that needs to be thought through as to how that will be
accessed and how that information will be paid for, whether the
Federal Government should continue to fund communications for
this type of thing for that layer.
Additionally, there are some ISACs that have the funding
actually to try to develop some of their operations, because
again those were concerns about how they would fund their
initial operations and set up, and then there was Federal
funding to help that get started as well.
Ms. Lofgren. I guess that raises a question of if the
financial obligations are a barrier to participation and it is
really in the interests of the Nation that people participate,
whether we ought to put those, I mean, there is a dual purpose.
The entity involved is going to benefit, but the reason why we
were asking about these ISACs is to protect America against
terrorist threats. If they are not participating because of the
fee structure, perhaps we should not have that fee structure at
all if we really want entities, both private and public, to
participate.
Mr. Dacey. It gets back to the basic models. These were set
up as voluntary organizations. To the extent that their
respective memberships felt it was cost-effective, they funded
those operations and provided the level of services that were
appropriate for that particular sector.
Ms. Lofgren. Right, but from their point of view.
Mr. Dacey. Exactly, from their point of view. That gets to
the next question, well, if the Federal Government has
expectations about the level of capabilities and services that
are to be provided by these ISACs, that needs to be articulated
and discussions entered into with industry as to how that would
be paid for; whether incentives might be appropriate.
Ms. Lofgren. Do you have a recommendation on how these
might be changed? Would you think about whether you could give
us a recommendation that would forward the government's
interest in having sectors which are not currently
participating participate?
Mr. Dacey. We certainly can look into that. We have a broad
recommendation we have had out for a number of years, at least
for a year, that the sectors needed to assess the need for
additional public policy tools to provide the appropriate
incentives for participation in ISAC and other CIP activities.
So we have had that broad recommendation out starting basically
in January and February of last year.
Ms. Lofgren. And you think we could just adopt that and
that would solve it?
Mr. Dacey. I think you need to think about this from a
strategic level and think about how you want to do that, not
that one size fits all. How do you want to apply those
incentives to the sectors? I think you need some ground rules,
some criteria, some structured process so that it is
transparent as to how the government is going to go about doing
that process.
Ms. Lofgren. Right. OK, I want to think about that.
Finally, and I do not want to hog the time here, the
Chairman is being indulgent and I am sorry I missed your
testimony, Mr. McCurdy, and the two secretaries, but has the
Department of Homeland Security met with the variety of
industry partners that you represent to get their assessment of
threat in this sort of quest for the holy grail of the threat
assessment that we are waiting for?
Mr. McCurdy. First of all, the Internet Security Alliance
was formed, Ms. Lofgren, as a private, it was really the first
public-private partnership, to be honest, because we teamed
with Carnegie Mellon and Carnegie Mellon was running the CERT
which was funded by the Department of Defense. Their incentive
was to try to reach out to the private sector which had a lot
of expertise, but it was not getting out to industries.
Together, we came up with the new model of having the cross-
sector relationship and international. There are 88 CERTs
around the world, and yet there is not the kind of coordination
that we felt was needed, nor was there the incentive in a lot
of other countries to even involve the private industry, even
though private industry owns about 85 percent of the
infrastructure.
So DHS has gone through an evolution, as you know. As I
stated in my earlier comments, we were officially launched 5
months before 9-11. We were formed prior to that. This was an
effort from industry in trying to gain greater access to
information that we felt was critical in this continuum of
ensuring that the Internet itself, the best practices and the
standards and the security, was increased.
DHS, I think now that they do have people in key positions,
both Mr. Liscouski and Amit Yoran, have been more receptive to
our involvement and to our comments. One of the critical points
that needs to be raised, it is true, one size does not fit all.
My concern, having spent as much time as I have in government,
is back in the intelligence days and also in defense, there is
a tendency to become stovepiped. We felt in this age that we
had to cross-cut that.
The second thing is, somewhat to our chagrin, there has not
been the level of concern by certain levels within industry,
corporate leadership, to provide the funding or even the
awareness that there was as much at risk. That is why we
developed the best practices for the C-level entities and for
the organizations, trying to raise this concern, and also have
them ask themselves in their organizations and enterprises the
questions that they should be asking to understand what their
level of security is. The second point is, whether it is a push
system or a pull system, I think there have to be incentives
for industry to participate at certain levels. We have a fee
structure. At one level, it is quite high, but we have more
members than most of the ISACs. The reason they have joined,
early on it was because they wanted access to the information,
but we learned something in this multi-year process, now 3
years, and that was information alone is not enough. You need
to be able to analyze it. You need to understand it. So we
convened these working groups. If there is a call, they can
quickly filter through and say, I do not have that particular
information; SNMP is not my concern. OK? I will not participate
in that call.
If I have a vendor or a system that relies on that, I can
tell you that they will have active engagement in discussions,
learning from the experts and from each other, and that
information flows back towards government through the CERT. I
think there have to be market-based incentives, and that is why
we have started with the insurance program; that is why we are
working with risk management; that is what we are trying to do
with the anchor system, with trusted partners in other
countries.
We actually when we began the Internet Security Alliance
made a conscious decision really not to be involved with
government. That was before 9-11. Post-9-11, it is obvious that
industry, regardless of on which continent it resides, has to
be engaged somewhat in this system. So I think there is not
only increased awareness, but I think there is increased
willingness to participate and not to be as concerned about the
privacy of their data or what they are receiving from government.
It is not going to be quite as biased.
The last point I would make, if we could, it needs to be
inclusive, not exclusive. There is a concern that a certain
incumbency or PDD-63, whatever the foundation happened to be,
that that is the model that is the model and will be the model.
I think we need to explore a lot of different models. I think
that is what Mr. Dacey and others have been saying. There are
some that have worked quite well. We have gone beyond the basic
information sharing to a whole new level. But if for some
reason our members were cut off from that information flow, I
think it would affect not only their business, but I think it
would affect the security of the Internet.
Ms. Lofgren. Is there legislation that we could adopt that
would assist in providing incentives or disincentives to
accomplish what you have outlined here?
Mr. McCurdy. Government is usually quicker to have
disincentives than they are incentives, especially in fiscally
difficult times. I am sure there could be a combination. We
would like to see it on the incentive side, because actually
that is where our CEOs and others respond. There are research
incentives. There could be incentives for implementing or
employing certain technologies. There is the FOIA concern.
There is liability, safe harbor kinds of issues that obviously
provide some incentives.
Mr. Putnam had drafted legislation that he considered
introducing. I think it was originally intended to be around
the Y2K model, which worked. Unfortunately, it was starting to
look more like Sarbanes-Oxley, which is a burden on industry,
and actually you would get pushed back, and if anything you
would actually deter people from being more open and
responsive.
So we would like to find the right approach. Mr. Clinton,
who is our chief operating officer, is going to testify later
today before that committee, about some of the market-based
incentive packages that we have developed. As far as I know, we
are the only ISAC or information-sharing group or organization
out there that has even gone that far. But we have gone beyond
just best practices. We have published those and we are
creating more.
Ms. Lofgren. I have seen those.
Mr. McCurdy. Yes. That is actually where government, if
there was going to be funded and people talked about where this
money is going to go, distribution actually costs money, in
getting that out. We just produced one for small businesses.
Who bears that cost? Those are our natural constituency, quite
frankly, in my association, but we decided we had invested a
great deal of money in the Internet Security Alliance to get it
started and up and running. Ms. VanDe Hei mentioned the need to
protect some of that private investment. Well, there has been a
significant investment, and not always willingly, some of it
because of my experience really pushing the industry to be on
the cutting edge and up front before I think even some
recognized that there was a threat. Now, they are starting to
see it a little bit more.
Ms. Lofgren. I will stop and let the Chairman ask his
questions, but isn't it true that certainly there is a burden
to participating in the ISACs on the part of any entity,
private or public, just in terms of the personnel costs and the
time taken from other tasks. That is a burden that may be
easier to bear for a larger entity than a small entity. For a
small business, that can become a daunting, in addition to the
fees, just participating, and for a threat that is inchoate.
There may not really be the business incentive. So it may not
be occurring. So there is a cost to disseminating the
information, but disseminating the information without
incentives to actually implement is another issue, whether
there would be insurance benefits, which has been discussed, or
other benefits that would allow a small business person or
persons or a small company to actually justify the expense and
time away from other bottom-line activities.
Mr. McCurdy. We learned a great deal in developing the best
practices document for small businesses. On one level, they are
similar vehicles. I mean, they are using the Internet, but
their capability and their access to personnel, policies,
technology is far different. You are right. It is a hurdle for
many, not only in just cost, but also time. It is a real
challenge to find the right incentive to get them involved.
We learned from some of our partners, our founding members,
VISA for instance has what they call the digital dozen. They
are in a different modality. They are able to require their
merchants to meet certain practices. One of our other members,
Nortel, has considered, I do not know if they have implemented,
and I probably should not be speaking for them, but they want
their supply chain, they want their suppliers to be at a
certain level of security. So they are encouraging them not
only to belong to Internet Security Alliance, but also to meet
certain best practices.
So there are a lot of companies and a lot of entities
doing it differently, but that does not mean it is not as good.
Actually, I think that diversity is part of the strength. The
question is, what is the partnership? All we are asking is that
whether it is DHS or other entities within the government, that
they are open and that they continue to build on the experience
that we have been able to gain.
Ms. Lofgren. Thank you, Mr. Chairman, for allowing me all
that extra time.
Mr. Thornberry. I thank the gentlelady for some excellent
questions.
Ms. VanDe Hei, let me ask you, you have heard and you are
familiar with Mr. McCurdy's organization. Does the ISAC Council
have a position on whether other cross-cutting organizations or
information-sharing organizations are good and should be
brought into the system in some formal way? What, if any,
position does the ISAC Council have about that?
Ms. VanDe Hei. The ISAC Council, like I mentioned, wants to
be inclusive, rather than exclusive, so we have gone from 8 to
14. Basically what it takes is for somebody from that
particular information-sharing organization to come and talk to
us about what they do. I am not aware of anyone being turned
away.
Mr. Thornberry. But you do not have, that meets regularly
with the ISAC Council do you, some sort of a cross, I am using
cross-sector, but you know what I am trying to say, companies
in different businesses that may share a concern over cyber
security in this case. Nobody like that sits at the table with
you, do they?
Ms. VanDe Hei. I guess I am not quite understanding the
question, in that all the ISACs that sit around the table
represent different sectors.
Mr. Thornberry. Right.
Ms. VanDe Hei. So I sit next to the electric sector, and
water depends upon electric. And I sit next to the railroad
people, and water depends on the railroad. So we have set up
communications between each other so that when something
happens like in the power outage, we were able to talk to the
electric sector and to the transportation folks about how long
the outage would continue. So maybe I am missing something.
Mr. Thornberry. I understand. ISACs are organized by
sectors, and Mr. McCurdy's basic point is that maybe that is
not the only way to organize; that you could have other
organizations that cut across different kinds of businesses
that could add an element to this debate. I do not want to give
his arguments for him, but maybe you could even argue that if
you are not strictly organized by sector, you would be more
likely to share information because it is not your competitors
that are sitting right there with you. There are other pros and
cons. I am just trying to figure out whether the ISAC Council
has formally taken a position on these other kinds of
organizations.
Then Mr. Dacey, I want to get to you and see whether you
have analyzed these different ways of organizing ourselves.
Part of what concerns me is we could be here 5 years from now
and still be talking about different ways to organize
ourselves, and we may not have really done anything. So in some
respects, we have to do something even if it is imperfect just
to move the ball a little bit.
Do you have anything else? Then I will go to him.
Ms. VanDe Hei. There is no barrier to a group like Mr.
McCurdy's from joining the ISAC Council at all. You do need to
be aware there is another group of sector coordinators that
have met under the PCIS, Partners for Critical Infrastructure
Security. That group is predominantly cyber-focused and brings
together companies from all different, Cisco, you name it, they
are part of this coordinating group. The ISAC Council meets
with them regularly now as well, so that we are sure that the
sectors are looking at the bigger picture; that the ISACs are
in tune with what they are doing. So we have begun to meet
jointly to ensure that. But just to answer your question, there
is no barrier with an ISAC that does things differently from
joining the ISAC Council and perhaps informing us about how
better to do things. ``Evolving'' has been maybe overly used
today, but we are looking for ways to do this better.
Mr. Thornberry. Yes, absolutely.
Mr. Dacey, what can you help us with here?
Mr. Dacey. I think, again not to be too trite about
the ``evolving,'' but I think things have changed a lot and
there are continuing developments and very positive things have
happened. When this first started in PDD-63 it in fact
envisioned one ISAC for everybody, and then it was quickly
determined that really a sector-based approach would be more
appropriate at that time.
There are some benefits that we have identified in talking
to a lot of people and working in this area for a while. First
of all, there is a significant amount of industry-level
expertise that exists that is very important for the analysis
side of this whole equation. So I think you have to factor in
how you get that sector-level, industry-level expertise for the
various sectors; how some of these threats translate into
impact.
I think also there are established and building trust
relationships within those sectors, because people know each
other. A lot of them are in associations where there is always
some affinity and some aggregation of interests. So I think
there is some benefit, too, there in terms of that trust
relationship, which I think is very critical to this whole
process. They are unique at this point in meeting the sector
needs.
At the same time, the ISAC Council is a relatively recent
event on the spectrum of timelines since we started this
in 1998. I think the opportunity exists for them to start
sharing with each other and breaking down those silos. I think
that is particularly important in an area that has not been
talked about, but not extensively pursued. I know it is on
everybody's radar screen, and that is interdependencies. That
will drive the discussion of the need to work together and it
will be in everyone's self-interest. I do not think we are
quite there yet. I think we need to evolve to that point so
everyone really understands how is my sector affected by that
sector, so I care about what they are doing.
Second, the sharing and getting together can bring about a
lot of good practices that are really out there and that can
help others and benefit everyone across the community. It is
fair to say that some of these ISACs have been more at the
forefront than others. They have been around a long time. Some
of them have a longstanding relationship with the Federal
Government, which has been a step up for many of them.
So I think in answer to the question, you need to keep that
industry-level expertise and trust relationship, and you need
to figure out ways to start bringing them together
collectively. I think that started at the ISAC level. It is
starting at the sector coordinated level. I think that needs to
be built up over time. The question is, how much time and who
is in the best position to do that. I would leave it up to Ms.
VanDe Hei just to talk a little bit about where they see it
going, but that is my view personally on the way that needs to
develop. It needs to be integrated in the end, so there is no
silo.
Ms. VanDe Hei. Could I make one statement?
Mr. Thornberry. Sure.
Ms. VanDe Hei. It was the primary purpose for the ISAC
Council to come together to talk about interdependencies and
how we might work together, but this brings up another area
where you could help us, in that I found in talking with the
intelligence community, whether it was with the FBI or now with
DHS, that they tend to be as stovepiped as we are or when
looking at a threat. If it is a threat to electric, then it is
an electric threat, and not necessarily a water threat or not
somebody else's threat. So bringing together their analysts
that look at the different sectors and having them look
together in terms of the interdependencies and what the threats
might be to them, I think is a fairly new phenomenon. I am not
sure it is taking place very well.
So I think as they begin to look at things in an
interdependent way, that information will be coming to us in
that way as well.
Mr. Thornberry. I think that is an excellent point. It is
part of what raises these questions in my mind. For example, if
you have an issue related to electricity, it goes, say, to the
electricity ISAC and the people who regulate it are going to be
focused on it. But what about all the customers of electricity?
How can they prepare for some eventuality?
Cyber is another example which cuts across every sector,
which makes it, I will not say unique, but I think has some
particular characteristics. I suspect this is why Mr. McCurdy's
organization is focused on cyber. I do not know how many others
there are like that, telecommunications, electricity, cyber,
probably cut across just about everybody. But some way, we have
to consider not just the producer side, but the consumer side
of these ISACs. I am not sure we are there yet.
Mr. McCurdy?
Mr. McCurdy. Mr. Chairman, actually that is a great point.
There is one interdependency now. There is one continuum, and
that is we are hooked up to the network. The Internet has
become that glue. So cyber is a cross-cutting modality that I
think we need to be concerned about.
The other is, there has been a history with the regulated
industries. Why is the FS-ISAC more mature? Because they have
been in a regulated industry, or you look at some of the
others. Part of our concern was, as I sat in PCIS and other
meetings, oftentimes, and I know the industry well, most of our
members in the association, you usually had security people in
a room talking to security people about what the threats were,
as opposed to engaging the consumer and the user. That is why
we shifted our focus. I think that has been the maturation of
the Internet Security Alliance. That is why we have companies
like Coca-Cola. They are not dependent upon one factor or
another. They are a user of the Internet.
Ms. VanDe Hei. Water.
Mr. McCurdy. Water, OK. Yes, we are all dependent upon
water. We are 98 percent water, right?
[Laughter.]
But the key is that there has to be, the Internet is the
interdependency, but it is also the one area that is least
regulated. So back to the question that Ms. Lofgren asked
earlier, what is the way that you are able to engage the users
in as deregulated a way as possible. I think that is the
approach clearly that you have had working from your district
in California in that industry, is you do not want to go to the
old telecom model or to another model. You are trying to find a
way to engage people in the Internet world. That is why we have
to look at incentives. That is why your industry leaders are
standing up every day saying here are some things that we ought
to be looking at.
Mr. Thornberry. This is an interesting conversation. I do
not want to continue on forever, but that does make me think to
a critical point that Mr. Dacey includes in his report citing
the ISAC Council that says the greatest barrier to information
sharing stems from the practical and business considerations
that although it is important, the benefits are kind of hard to
get your hands around, but long-term it gets back to Ms.
Lofgren's point that maybe the national interest. It is more
amorphous and the rubber does not really hit the road until
something happens, and that is part of our challenge, I think,
in trying to sort our way through all this.
Mr. McCurdy. We have actually looked at three areas, if I
could, Mr. Chairman.
Mr. Thornberry. Sure.
Mr. McCurdy. What is going to get the C-level interest?
Sure, regulation will step up there and taxes would. But I
think it is clear that they are interested from a marketing
standpoint, and there are some market advantages. They are
looking at a cost standpoint and potential liability. If we can
help reduce their liability by becoming a qualified member,
which is what we are trying to do, and this is where the
maturation has occurred. You cannot be a qualified member if
you do not have some way to measure that, and so you need some
metrics. That is why we are working with the consortia on
global security to develop metrics and tools so that we can
actually have the benefits like insurance and reduced potential
liability. So there are a number of these things that we are
working on.
Mr. Thornberry. And those would be metrics set by some
organization, not set by government regulation or law that
would freeze them in place.
Mr. McCurdy. That is exactly right.
Mr. Thornberry. OK.
Let me turn to slightly different issues, if I may. Ms.
VanDe Hei, you were patiently here listening to a lot of
questions go to the Department, Mr. Liscouski, earlier about
vulnerability assessments and what they are doing. What is your
overall view, or what is the overall view of the ISAC Council,
if you can, about where the Department is, not just in giving
out information that it has, but in receiving information from
the various sectors.
Ms. VanDe Hei. I think the flow of information from the
various ISACs is, I would not say it is limited, but it is
different depending on the ISAC in question. I think that for
some ISACs that are, my ISAC is made up primarily of publicly
owned entities. Most drinking water and waste water systems are
publicly owned. So the sharing of information with the
government is not new to these people or with each other,
because they do not compete with each other. So that is a
fairly easygoing sort of sharing of information.
For some of the other sectors, it is proprietary
information. Am I getting at your question?
Mr. Thornberry. Yes, yes.
Ms. VanDe Hei. It is more difficult to share with the
government. Mr. Liscouski talked about the new CII program
which is intended to provide the private sector with some place
to put sensitive information or proprietary information and
expect some confidentiality or protection to that information.
I think the proof will be in the pudding on whether or not that
program is sufficiently protective that it actually gets
information from entities or the private sector that is
concerned about that.
So I guess I cannot speak for all of the ISACs, but I
suspect that the sharing of information is very different
depending on whether you have competition, that you have trade
secrets, that there are things you want protected.
Mr. Thornberry. It goes a little bit to the point made
earlier that more regulated industries are in a different
situation than less regulated industries.
Mr. Dacey, what is your perspective on how far along the
Department is as far as getting and receiving information?
And second, do you think it is clear for an industry to
whom they report information? It is not at all clear to me, for
example, if the water industry says, well, we have talked and
we think we may have a little problem here. Who do they go tell
it to? Is the structure within the Department such that the
answer to the second part of that question is clear?
Mr. Dacey. Two things, I think unquestionably there has
been a lot of effort and actions being taken by the Department
to try to address a lot of the issues that have been understood
as being challenges going forward. Again, Mr. Liscouski
elaborated on quite a number of those activities earlier today.
I think things are improving. We are hearing about regular
meetings taking place from both sides. With ISACs and the
Department, there is more and more sharing of information.
I think the critical issues, though, get down to a couple
of things that need to be done. We talk about that in our
testimony. That is, I think the roles and responsibility of all
the respective players deserves to be clarified a bit. I know
we have this national infrastructure protection plan that is
due out by the end of this calendar year. I realize it is being
built up on a sector basis and it will be issued. I think it is
going to be important that that lay out some of those roles and
responsibilities, as well as initiatives, clear milestones,
something that you all as Congress can look at in an oversight
capacity and measure progress, some of the things that you need
to see, well, when are we going to have this or that; is that
the right strategic direction for the Department to take across
these wide variety of areas we have all been discussing today.
At this point, we do not have that. We have had interaction
and discussion with the Department, and they have shared with
us their thoughts and ideas, but to a large extent we do not
believe that is immortalized in writing so that somebody can
independently look at it and understand and evaluate the
process. Again, I do not want to insinuate that they are not
doing things. It is just that we have not seen it documented in
a way that it could be independently reviewed.
The other part of that is really coming up with the
detailed procedures and policies. If you look at HSPD-7, that
was one of the charges that the Department was supposed to
develop those to help clarify, including the issues that you
talked about. Who do you report to? In our discussions with the
Department, they indicated that they were not going to try to
make everyone go through one single point in the Department
because they felt if that person was not available or could not
get through, it would be problematic. Some of the cyber issues
would seem to naturally go to the NCSD, which is the Cyber
Security Division, and we know the ISACs have those issues.
They indicated that they were developing processes or planned
to develop process to coordinate within the Department the
contact information as it comes in so that if it came in one
place, the other people who needed to know would know. But I do
not think that is in place today.
I do think there is some confusion from what I have heard
about who to talk to and who to report to. Again, as with
anything, there are some trust relationships that are probably
built up over time in certain parts of different organizations
in the government that people would probably prefer to contact.
We need to figure out a way to make that easier, and set up
kind of policies, procedures and clarity in what the
expectations are for that contact.
Mr. Thornberry. Mr. McCurdy, go ahead.
Mr. McCurdy. Yes, just one quick point on cyber. Cyber,
again, is a little different as far as sharing information. I
have found even at the international level the one trusted
organization that people are more willing to enter into
discussions with regard to threats and vulnerabilities has been
the CERT/CC. However, our concern is the timeliness of the
information as they change the nature and move to the U.S.
CERT. I think there is a concern that it will become too large
and too bureaucratic. Right now, it works reasonably well
because there is not only a trust relationship, but there are
ongoing dialogue and conversations beyond just the threat
warnings. It goes to what does it actually mean.
Eventually, we want to get out of the reactive mode into
the prevention mode, where we can work with our industry and
say, if you take these prophylactic steps, or if you do this,
then you are better protected against potential threats or
attacks regardless of the nature.
One last point on that, we have members that are members of
ISACs, Financial Services ISAC, the IT ISAC, and they have
become more involved with us primarily because of the value add
on top of just information. It is the value add that is going
to be to them the most important, when they have to go justify
their cost to their bosses, and those value adds are again, the
market-based incentives, the best practices, the public policy,
just letting them know what is going on is critical, too.
Mr. Thornberry. Actually, you anticipated the question I
was going to get to next, and that is, as U.S. CERT comes
along, do some of your members have concerns that it is too
much of a government agency in order to have that sort of trust
relationship continue that they have had with the Carnegie
Mellon CERT?
Mr. McCurdy. It is interesting. The CERT/CC when it was
originally Carnegie Mellon, was a hybrid. It was funded by
government, but it was actually run by an academic institution.
We in industry when we all saw this triangle, we had
government, academic and industry, there was a lot of friction
there and concern about how well they actually could work
together. I think our experience has been over time that we
have been able to overcome the worst things of academia and the
worst parts of government mentality and probably some of the
worst instincts in industry, to have a working relationship.
That is what I think our members are most concerned about
is losing that synergy that has evolved. It is going to take
some time. What we would like to hear from you all, what we are
hoping to hear from Amit Yoran and Bob Liscouski and others is
that first of all we are not going to break what is already
working with a very successful organization, and that is access
to the CERT data, just like the ISACs are going to have through
the U.S. CERT. That is a baseline for us. Once we know that,
then we are entering into additional relationships with
Carnegie Mellon because they are creating what they call a
CyLab to take it to another level of trying to add value.
What happens to U.S. CERT? We have all been involved with
government. You have to conduct very close oversight, not on
whether it meets timelines and all that, which is critical, but
also what are the tendencies towards creating more and more
bureaucracy, become more risk-averse, less open, less
cooperative. Those are the concerns that we have as big
institutions start to emerge. When that occurs, when it becomes
a bureaucracy, watch industry go the other way. Then you are
going to have to regulate to get them involved. Right now, it
is not there, but if we are not careful, if we do not work with
them, you could end up with that result.
Mr. Thornberry. The problem is, once you see that
happening, it is too late.
Mr. McCurdy. Yes.
Mr. Thornberry. It is hard to reverse.
Mr. McCurdy. You are in a different situation. This is not
the 1940's. This is a work in progress and the fact that you
are having these hearings, there needs to be
dialogue. I think your staff is having those dialogues. If a
government entity learns anything from a hearing like this, and
that is, they need to hear the questions and what is behind the
questions. The questions are not always artfully phrased, but
there is a genuine concern behind those.
Mr. Thornberry. Something is going on.
Mr. McCurdy. That something is going on. That is where this
dialogue is critical.
Mr. Thornberry. That is right.
Ms. VanDe Hei, let me get back to you just to clarify. If
the water folks got together and said, oh, we have this problem
that we have not told anybody about. Would it be clear to you
who in the Department of Homeland Security to go talk to about
it?
Ms. VanDe Hei. No. Yes, and no, OK? They have a watch unit
that you can call an 800 number and report an incident or a
number of incidents to. I actually had experience with trying
to do that. This is not particularly sensitive information, but
there were seven to ten utilities in the Northeast that
received threatening letters postmarked the same place. So I
gave that information to DHS and to the WaterISAC analyst. I
waited a couple of days and did not hear anything back. So I
called. I was told that it had been dismissed; that they did
not deem it to be credible, I guess. I asked on what basis and
that sort of stuff.
But I am not confident at all, one, that I reached the
right people, or two, that it was reviewed in a way that made
sense. Two weeks later, I got a call from the police department
in New York State that had not dismissed the letters. So no, it
is still a maze and I think that there are a number of places
where you can call and refer things, but I do not have a
comfort level that I hit the right place or that it was
reviewed. It might have been, it is just that that is a secret
to me.
Mr. Thornberry. I think a lot of people have that concern,
not just for immediate information that you have, but in trying
to look at an industry and say, OK, what are some
vulnerabilities; maybe we better talk to somebody about it. You
never know. Do you go to the IA; do you go to the IP; how does
all that work.
Ms. Lofgren?
Ms. Lofgren. Just one final question. This has been very
helpful. I know it is a long day to sit there, but it has been
very helpful to me to hear what you have had to say. It is
really for Mr. Dacey since you reviewed all of this. I will use
water as an example, but I think it is equally true for any of
the sectors.
You have people involved in, say, a water wholesaler in
Santa Clara County, the water district. They know water more
than they know terrorism. Unless they are reading Tom Clancy
novels to figure out what could go wrong, they may see a
vulnerability, but it may not be what the Department of
Homeland Security might see. We know, taking water again,
because of dilution, putting a substance in the Crystal Spring
Reservoir is not something I am going to lose any sleep over
because it is going to be diluted. It is not going to be
effective. But what the Department of Homeland Security might,
for example, see as a threat to water would be pollution, say,
if you dumped some PCBs in Crystal Springs Reservoir. It would
not really kill you, but it would disrupt the distribution of
water in a way that is significant and serious and have a huge
economic impact. The water wholesalers might not see that, but
DHS might. Theoretically, they are doing a list of what we
should be worried about. How is that list being assembled and
how is it being communicated to the various sectors to guard
against the Tom Clancy novel scenarios? Or is it?
Mr. Dacey. I cannot speak exactly to what they are doing in
that regard. I can say from a standpoint of what direction I
think needs to be taken and is being taken, is that even
starting in 1998 the idea was that the sector coordinators and
at that point lead sectors, now sector-specific agencies were
to sit down and look at vulnerabilities on a sector basis, the
kind of high-level vulnerabilities. What are the types of risks
and threats? I think Mr. Liscouski talked about that earlier
this morning. And assess them and determine how significant
they are, again, not at an entity level, but at a sector level.
I am not familiar with how far they have gotten in that
process. In theory, some of that will be addressed through
these sector plans that are being part of this national
infrastructure protection plan, but perhaps you might get more
specifics on the water.
Ms. Lofgren. I was just using that as an example.
Mr. Dacey. As to how the water sector is involved in that
process, so you might be able to provide some information.
Ms. Lofgren. You could have the same question about
electricity or banking or Internet technology.
Mr. Dacey. Right. But that has been again on the books
since PDD-63. We have had some initial strategies that came out
from many of the sectors, but I do not think they have dug down
to that level in detail about specific vulnerabilities and
going through a formal assessment of the risks related to
those.
Ms. VanDe Hei. For the water sector, in addition to the
utilities doing a vulnerability assessment, EPA was required to
do a threat document that was distributed to every water system
that served over 3,300 people. So they tried to bring the two
together so that people would have something to assess their
vulnerabilities against. That kind of document, as far as I am
aware of, has not come out of DHS, and the one from EPA was
done a couple of years ago, and I think could use some
improvement.
I think you would hear from DHS that providing threat
guidance is one of the hardest things they have to do, because
it is a moving thing, it is a moving target. What is the threat
today to D.C. versus what is the threat someplace else tomorrow
or the day after? I am not aware of any document like that that
is available, but it is needed. It is desperately needed.
Ms. Lofgren. All right. Thank you, Mr. Chairman.
Mr. Thornberry. Thank you.
I have just two or three final questions I would like to
ask. Mr. McCurdy, there are lots of articles in the press today
about a reported new vulnerability on the Internet. The
Department had issued a warning about it on Tuesday. We are in
the middle of something. How do you see where we are at being
able to get information out and to do something to fix a
vulnerability, now that we are kind of in the middle of one of
these episodes?
Mr. McCurdy. First of all, there have been four in the last
couple of weeks. The one that was listed in the paper about TCP
obviously got headlines because there is an announcement by a
British citizen that I think is having a press conference or
something. In most instances, the vulnerability is communicated
prior to even the threat level. In some instances, we worked
literally months with our trusted members, including the
vendors, to address the vulnerability prior to it becoming
released. That is this whole sensitivity of who actually gains
access. That is why you do not make it all public.
Now, it is true sometimes we get something reported on CNN
before we do CERT, but that is generally not the case. If you
look at the numbers of vulnerabilities and threats that are
being reported to the CERT, it has gone up exponentially every
year. It is over 100,000 threats that are reported this year
and probably 5,000 or 6,000 vulnerabilities. Vendors can go
crazy with those things and there is this tension between the
vendors and the users, and what is the appropriate reporting
period and how do you assess this and how do you get them the
opportunity to try to address it before it becomes public.
It is not just a question, as I said earlier, of just the
threat reporting. It is true. It is out. What is really
critical is how the reports are made. I have examples of those
that we sent to our membership. It not only identifies the
threat, and we do digests of lists of all the recent ones, and
how you can go into a secure site in order to understand it
better. But it talks about the vulnerability on the systems
affected, the overview, the description of what it is, which
sometimes is very lengthy and for many of us we could not
understand a word it says; the impact. But more importantly,
there is a solution. That is where you need the time and this
trust relationship. The solutions often come from that
communication with the industry.
When we are talking information sharing and people say it
is proprietary and they do not want to release it, it is
usually general counsels that are kind of sending that
message, the lawyers are out there saying that. But the people
who work it every day, when they have this conference call that
we have and they are saying, well, this is how we are dealing
with it; boy, lights go on or this is how the experts at
Carnegie Mellon or Southern Cal or Purdue are dealing with it.
And then obviously they say apply a patch from your vendor.
Well, that is an easy solution sometimes.
It is pulling all those people together that I think we
have evolved to the point we now have that working. That is why
some of our industry members are willing to pay so much for
that. It is also why some of the other companies are sitting
out there glad that they are paying that and are doing that
because they are getting a free ride off of them. But then once
you get that threat information, how do you develop the
practices to ensure against it in the future and get out of the
reactive mode.
Mr. Thornberry. Let me ask, to just get back to the central
focus of this hearing, which you raised. Do any of you see a
step that Congress needs to take to better protect, whether it
is private sector data or whatever, related to critical
infrastructure? Part of this, we are still feeling our way
through. The protections we have already granted, is that
enough? But at this stage in the proceedings, is there some
additional step that you see that we need to take in order to
help develop this trust relationship to share that information?
And if you do not, say no. I am just curious at this stage
whether you do.
Mr. Dacey. Yes, just to step back a bit. A few years ago we
reported on a lot of the concerns by the private sector with
the FOIA and civil liability and antitrust being three of the
primary areas of concern at that point. Certainly in the
deliberations of Congress, you put provisions in the Homeland
Security Act which provided certain protective measures for FOIA
and those have embodied themselves in the CII process. Again,
it is not a final rule that is in place. I think it will take a
little time to figure out if that is adequate or not. So I do
not know that I would rush to change that dynamic at this point
until we see. Obviously, one of the issues gets back to risk.
There has to be a benefit perceived in sharing that information
as opposed to a potential downside that might exist. So I think
that some of that will take time.
In terms of some of these other issues, I think, again I
would go back to a comment that I made earlier that I think it
is important that some of the strategies and some of these
plans be laid out, and that be in full cooperation with the
private sector and state and local governments. That is
happening now and I hope it happens well, but it needs to be
fully bought into by all those parties. As part of that
process, I would hope they would be identifying along the way
issues as you discussed, where legislative relief is
appropriate or would benefit them. I think that would be the
best process to follow.
If you get all these heads together, you are going to come
up with a good list and then you can consider whether you want
to deal with that collectively. At the top of my head, I do not
have any just glaring issues that need to be addressed from a
legislative standpoint, but that is certainly one area to think
about going forward. Again, that is supposed to be out this
fall, and it is going to be critical that all the players join
in on that effort. I am hoping that that will happen.
Mr. McCurdy. Without that final rule on FOIA, there is not
the communication. The communication also has to be a two-way
street. Mr. Liscouski used the magic words, probably because
that is what we are preaching to them. Do not expect just to
have private industry tell you all the vulnerabilities, and
then have it go off into some massive organization never to get
reported back or some affirmation that it was useful or not. If
it is just that flow, then it will be cut off. That information
will not flow.
The other thing just from being on both sides of these
tables, I think effective oversight is a neglected art and I
think you are doing it here. Do not just think you have to have
a bill. It is always fun to have our names on legislation, but
I think following up regularly and, you do not have to beat
them up, but it has to be a communication, and it too has to be
two-way. They need to be sensitive to that.
It certainly would help if this committee becomes a
permanent committee that the different lanes of jurisdiction
are addressed, because I feel for these individuals in
government who spend all their time trying to deal with
stakeholders. They are hearing from us in the private sector,
but they are hearing from you as the overseers, as the board in
effect, and they cannot do it all. I do not care how big the
staff is. The more staff that they have, the more staff that
you will have, the more requests that get going back and forth.
So I think there has to be some good on-record
conversations and there probably has to be some good off-the-
record field discussions that take place. I always found those
to be the most interesting and informative. We would invite
you, by the way, there are facilities nearby. I know you have
seen a number of those, but in the cyber world that are quite
remarkable. Seventy percent of the world's Internet flows just
a few miles from here. Some of our members, where it is a
VeriSign or at the very hub or the old Cable and Wireless,
which is now another company, but they control a lot of the
critical nodes. They are the pulse of a lot of activity that is
pretty amazing. It takes a very professional set of wisdom and
experience in order to understand what that all means as it
goes through. Government is not going to do that. That is in
the private sector.
So I would encourage you to do what you are doing. I would
encourage you to reach out to industry more because industry
does not understand always your drive from a national security
perspective. They are market-driven, but the market can work in
favor of national security if we have the right kind of
exchange, and we would welcome that.
Mr. Thornberry. Thank you.
Ms. VanDe Hei?
Ms. VanDe Hei. I guess I would suggest that perhaps the
bioterrorism bill that was passed in June 2002 had some
protections in it for the vulnerability assessments that needed
to be submitted to EPA that were stronger than in the homeland
security bill. In fact, there were criminal penalties attached
to misuse of the information. I think that you might want to
tighten up that part of the legislation to add to the comfort
level of some of the private sector. It certainly did give some
comfort to the drinking water systems because they do feel
fairly vulnerable.
The other thing I would like to add, though, to Mr.
McCurdy, is that your oversight of the Department, I think it
is very important that Homeland Security needs to be done
differently than any of the other departments and how they
work. We are regulated by EPA and we know how that works and
what the thought process is. But security cannot, I think,
succeed in the same sort of bureaucratic stovepipe kind of
thinking. What I see as the Department grows, when somebody
says to me, hi, I am so and so and I have been in the
government for 30 years, my comfort level does not go up that
it is going to be done differently. So I think it is really
important that you keep an eye on keeping it lean and mean and
that they are doing things in a way that is different, so that
regulation is not the only answer that you see down the road. I
think that can be done and I think it is important that we try
to do that before going in any other direction.
Mr. Thornberry. I appreciate all three of you and your
valuable insights. It has been very helpful for me. I
appreciate your willingness to be before us. I also appreciate
your willingness to answer some written questions if there are
follow-up things that we need to submit.
With that, this hearing stands adjourned.
[Whereupon, at 2:34 p.m., the subcommittees adjourned.]