16 June 1998
Source:
http://www.usia.gov/current/news/topic/global/98061101.pgi.html?/products/washfile/newsitem.shtml
United States Information Service Washington File
11 June 1998
(NIPC chief Vatis testifies on steps to counter threats) (4,300) Washington -- The Department of Defense is a "prime target for individual (computer) hackers who want to test their skills," as well as for people with "more malicious motives who are interested in looking at what they can find in DOD systems," says the chief of a new agency created this year to protect the U.S. critical infrastructure against threats aimed at government and private sector entities by penetrations of computer systems. Michael Vatis, deputy assistant director and chief of the Federal Bureau of Investigation's National Infrastructure Protection Center (NIPC) created February 26, 1998, told the Senate Judiciary Subcommittee on Terrorism, Technology and Government Information June 10 that hackers see DOD as "the final exam, the ultimate challenge, to test their skills." At a briefing prior to the hearing, witnesses recalled an incident earlier this year when three teenagers from the United States and Israel, broke into the Defense Department's computer system. Vatis said "People often ask why is it that so many of these cases that we read about in the media involve minors -- 16, 17 year-olds. (They say) doesn't this just show you that this problem is really about kids out there having fun? In fact, I take the opposite view. My response is: doesn't it scare you that we're finding kids who can do this stuff? Doesn't it scare you to think that we may not know what people with more sophisticated skills and resources are doing? So I think the cases that we are seeing are enough of an indication of our vulnerabilities to make us realize that this is in fact a very serious problem." Vatis echoed the words of other authorities on the subject, saying that a public-private partnership is essential. "We, like the whole effort that the president laid out in PDD-63 (Presidential Decision Directive 63 -- to protect the nation's critical infrastructure), are built on the notion of partnership. That really sums up the whole concept behind the NPIC." He said the NIPC is founded "on the notion that we operate under the authority of the attorney general -- investigate crimes and protect against terrorism and intelligence activities -- but we also bring on board physically representatives from all of the other entities that have an important role to play; entities both within and outside the government." These entities, he said, include U.S. federal and state agencies that have responsibility for America's water, power and transportation systems, and private industries that control telecommunications systems. Following is the official text of Vatis's testimony: (begin text) Good afternoon, Mr. Chairman and members of the Subcommittee. I welcome this opportunity to discuss infrastructure protection and the role of the National Infrastructure Protection Center (NIPC). Mr. Chairman. I want to first acknowledge the significant role you and this Subcommittee have played in getting, and keeping, the issues of cyber terrorism and strategic information attacks on the national agenda. Protecting our infrastructure from Information Age threats is an issue that stresses our law enforcement and national security processes, strains our traditional legal structures, and challenges our thinking. But the potential dangers in the cyber realm are enormous and must be addressed. Today, I would like to describe to you how the NIPC is designed to address this challenge, how we operate and plan to operate within the new organizational structures just established by the President (which you were briefed on earlier today by the National Security Council), and our present status. Protecting infrastructures in the Information Age raises new and difficult issues. This Nation depends on the stable, consistent operation of our critical infrastructures for our way of life, our well-being, and our security. These critical infrastructures include, but are not limited to, telecommunications, energy banking and finance, transportation, water systems, and emergency services, both government and private. Recent advances in computer hardware, software, and communications technologies have made these infrastructures highly automated and capable. But while technological advances have promoted greater efficiency and improved service, they have also made these infrastructures potentially more vulnerable to disruption or incapacitation by a wide range of physical or computer-based ("cyber") threats. And the infrastructures are much more interdependent than in the past, with the result that the debilitation or destruction of one could have cascading destructive effects on others. Finally, most of these infrastructures are owned and operated by private industry. This means that guarding against infrastructure threats requires an unprecedented degree of cooperation and information sharing between the government and private sector. HISTORY On May 22, President Clinton announced two new directives designed to strengthen the Nation's defenses against terrorism and other unconventional threats: Presidential Decision Directives (PDD) 62 and 63 PDD-62 highlights the growing range of unconventional threats that we face and creates a new and more systematic approach to defending against them. PDD-63 focuses specifically on protecting the Nation's critical infrastructures. The issuance of these two directives represents a significant milestone in the evolution of policy to address new threats which confront our Nation. The National Infrastructure Protection Center can trace its roots back to 1995, when President Clinton, in Presidential Decision Directive 39, directed the Attorney General to chair a Cabinet Committee to assess the vulnerability of the Nation's critical infrastructures and recommend measures to protect them. In response to this directive, the Attorney General created the Critical Infrastructure Working Group (CIWG). That small inter-agency group -- in which I represented the Attorney General -- was one of the first to focus on threats and vulnerabilities of critical domestic infrastructures. In its January 1996 report, the CIWG recommended the creation of two entities: a longer-term commission to develop a national strategy for protecting and ensuring the continued operation of critical infrastructures, and an interim task force to coordinate the Government's existing capabilities for responding to infrastructure attacks. The CIWG's recommendations led to Executive Order 13010. This order created the President's Commission on Critical Infrastructure Protection (PCCIP) to study the problem in depth and develop proposed solutions. In addition, the Order established at the Department of Justice the Infrastructure Protection Task Force (IPTF). This interagency body was designed to facilitate the coordination of existing infrastructure protection efforts in the interim period, while the PCCIP conducted its analysis and developed long-term recommendations. The IPTF was located at the FBI in order to take advantage of the watch and response capabilities of the then-newly-established FBI Computer Investigations and Infrastructure Threat Assessment Center (CITAC). CITAC was created in 1996 to coordinate the FBI's investigations and response to the increasing problem of computer crime. As you know, the PCCIP submitted its Report to the President in October 1997. One of its recommendations was to create a national warning center at the FBI to warn of infrastructure attacks. During the course of the Administration's consideration of the PCCIP Report, however, it became apparent that such an entity should not merely provide warnings of imminent or ongoing attacks, but should also provide the focal point for coordinating the Government's operational efforts to deter, contain, investigate, and respond to attacks on the Nation's critical infrastructures. Such an entity should also provide a principal mechanism for sharing threat and vulnerability information between the government and the private sector. As this policy history unfolded, real-world events further shaped our thinking. The Eligible Receiver exercise held by the Department of Defense last year revealed previously unrecognized vulnerabilities associated with infrastructure dependencies and demonstrated the degree to which DOD and the FBI need to coordinate to deal with attacks on the infrastructures that are necessary to the performance of DOD's mission. Then, earlier this year, the investigation in the now well-known "Solar Sunrise" case -- which involved widespread penetrations of computer systems at facilities within the Department of Defense, other government agencies, academia, and the private sector -- underscored the need for a civilian focal point for coordinating investigations and response to attacks on the infrastructures and interfacing with the Department of Defense. Together, then, the results of the policy making process stemming from the PCCIP Report, the Eligible Receiver exercise, and the Solar Sunrise investigation led the Attorney General and Director Freeh to create the NIPC on February 26, 1998. And last month, in PDD-63, the President formally recognized the role of the NIPC in the overall government framework for dealing with infrastructure protection, and he directed other agencies to support and participate in the NIPC and to provide it with information about intrusions or attacks on government or private sector systems. Let me address briefly why the NIPC is located at the FBI. First, as you know, the FBI has had existing programs and authorities to investigate computer crimes and to prevent and investigate acts of espionage and terrorism. These programs and authorities naturally support and mesh with the infrastructure protection mission. Second, in the case of most cyber attacks, neither the identity nor the objective of the perpetrator is known. This means it is often impossible to determine at the outset if an intrusion is an act of vandalism, computer crime, terrorism, foreign intelligence activity, or some form of strategic attack. The only way to determine the source, nature, and scope of the incident is to investigate. And the authority to investigate such matters -- and to obtain the necessary court orders or subpoenas -- normally, resides with law enforcement. This does not mean that, once the perpetrator is identified and the scope of the attack known, the response is limited to law enforcement. It simply means that in cases in which the only information we have is that an illegal intrusion has occurred, but we don't know the answers to "who, what, why, or how?" the initial response normally must come from law enforcement. But the FBI clearly must coordinate with, and have the support of, other agencies that may have relevant information or may need to be part of the response. For instance, if it is learned that an intrusion is part of a strategic military attack, clearly the Defense Department and other agencies with national security responsibilities could be called on to respond. MISSION AND COMPOSITION The NIPC incorporates and expands the mission and personnel of the FBI's CITAC. The NIPC's mission is to detect, deter, warn of respond to, and investigate unlawful acts involving computer intrusions and unlawful acts, both physical and cyber, that threaten or target our critical infrastructures. This means we do not simply investigate and respond to attacks after they occur, but we try to learn about them and prevent them beforehand. This is a large and very difficult task. It requires the collection and analysis of information gathered from all available sources (including law enforcement investigations, intelligence sources, data provided by industry, and open sources) and the dissemination of our analyses and warnings of possible attacks to potential victims, whether in the government or private sector. To accomplish this mission, the NIPC relies on the assistance of, and information gathered by, the FBI's 56 Field Offices; other Federal agencies; State and local law enforcement agencies; and perhaps most importantly, the private sector. The Defense Department is important to our mission because its reliance on information technologies makes it a prime target for our adversaries and because it holds much of the government's expertise in defending against cyber attacks. Our intelligence agencies have a critical role because of their responsibility for gathering information about threats from abroad. And other civilian agencies with regulatory Jurisdiction or protective responsibility under PDD-63 for critical infrastructures -- such as the Departments of Treasury, Energy, and Transportation -- have similarly significant roles. But infrastructure protection is not just a mission for the Federal government. State governments must be involved because they own and operate some of the critical infrastructures and because their agencies are often the first responders in the event of a crisis. Finally, this mission requires the intensive involvement of the private sector. Private industry owns and operates most of the infrastructures, so it must be involved in helping us defend them. And it also has the greatest expertise in identifying and solving the technical problems. In recognition of the vital roles all of these entities must play, I want to emphasize that the NIPC is founded on the notion of a partnership. We are building this partnership first through inclusive representation, Our intent is that the Center be staffed with professionals from other Federal agencies, from state and local law enforcement, and from private industry. This will foster the sharing of information and expertise, and improve coordination among all the actors in the event of a crisis. In addition, the Center will augment the physical presence of these representatives by establishing electronic connectivity to the many different entities in government and the private sector who might have -- or need -- information about threats to our infrastructures. Equally important is the need to build a two-way street for the flow of information and incident data between the government and the private sector. The government, with unique access to national intelligence and law enforcement information, can develop a threat picture that no entity in the private sector could develop on its own. We need to share this with the industry. At the same time, we need to learn from industry about the intrusion attempts and vulnerabilities that it is experiencing. This will help us paint the vulnerability and threat picture more completely, and will give us a head start on preventing or containing a nascent attack. This is a new concept for all of us, particularly for the agencies that go to great lengths to protect sensitive sources and methods. But I believe this two-way dialogue is the only way to deal with our common concern about protecting our infrastructures. We believe it is possible to share the necessary information about threats and vulnerabilities without jeopardizing sources and methods, and without compromising companies' proprietary data. And we are currently designing rules and mechanisms to accomplish this. Let me say at this point something about what we are not. We are not the Nation's super-systems administrator or security officer, responsible for securing everyone's infrastructures or systems against intruders or advising on the latest security software or patches to fix vulnerabilities. That role clearly must be filled by systems administrators in each company, by chief information officers in government agencies, and by industry groups and other entities (such as computer emergency response teams) with expertise in reducing vulnerabilities and restoring service. Rather, our role is to help prevent intrusions and attacks by gathering information about threats from sources that are uniquely available to the Government (such as from law enforcement and intelligence sources), combining it with information voluntarily provided by the private sector or obtained from open sources, conducting analysis, and disseminating our analyses and warnings to all relevant consumers. And, if an attack does occur, our role is to serve as the Federal government's focal point for crisis response and investigation. That is the mission the Center has been assigned. This job is big and difficult enough, and this is where we must keep our focus. HOW THE NIPC IS ORGANIZED To accomplish its goals, the NIPC is organized into three sections: -- The Computer Investigations and Operations Section (CIOS) is the operational and response arm of the Center. It program manages computer intrusion investigations conducted by FBI Field Offices throughout the country, provides subject matter experts, equipment, and technical support to cyber investigators in federal, state, and local government agencies involved in critical infrastructure protection; and provides a cyber emergency response capability to help resolve a cyber incident. -- The Analysis and Warning Section (AWS) serves as the indications and warning arm of the NIPC, providing analytical support during computer intrusion investigations and long-term analyses of vulnerability and threat trends. When appropriate, it distributes tactical warnings and analyses to all the relevant partners, informing them of potential vulnerabilities and threats and long-term trends. It also reviews numerous government and private sector databases, media, and other sources daily to gather information that may be relevant to any aspect of our mission, including the gathering, of indications of a possible attack. -- The Training, Administration, and Outreach Section (TAOS) coordinates the training and education of cyber investigators within the FBI Field Offices, state and local law enforcement agencies, and private sector organizations. It also coordinates our outreach to private sector companies, state and local governments, other government agencies, and the FBI's field offices. In addition, this section manages our collection and cataloguing of information concerning "key assets" across the country. Finally, it provides the entire Center with administrative support, handling matters involving personnel, budget, contractors, and equipment. STATUS REPORT The NIPC has been operational since February 26 of this year, but we are still in the process of building our staff, procuring the necessary equipment, establishing the appropriate mechanisms for information sharing, and" building the necessary liaison relationships and connectivity to other government agencies and the private sector. As we are building, we are heavily involved in supporting and coordinating a number of significant computer crime investigations conducted by our Field Offices. I want to stress the importance of the Field Offices and the seven Regional Computer Squads (in Washington, D.C., New York, San Francisco, Dallas, Boston, Los Angeles, and Chicago) which conduct on-the-ground investigations. In FY99, we have plans to add five more regional computer crime squads, and another twelve in FY2000. We also rely heavily on the Computer Investigations and Threat Assessment (CITA) Teams in each of the other field offices, which are responsible for computer investigations, outreach, and coordination with the private sector. We have spent a considerable amount of time over the past few months engaged in an aggressive outreach effort with the private sector to explain the Center's role, build support, raise awareness, and establish critical liaisons with industry. I am encouraged by the reaction and support we have received to date, which demonstrates to me that Government and industry can work together to address our mutual needs and responsibilities. I'd also like to briefly describe one of our important outreach initiatives: InfraGard, a pilot project sponsored by our Cleveland Field Office. The name "InfraGard" refers to "guarding the information infrastructure." This program is a cooperative effort to exchange information among the business community, academic institutions, the FBI, and other government agencies to protect the information infrastructure. InfraGard features an alert network that members can use to report intrusions. Reports are sent to the FBI via encrypted e-mail in two forms: a detailed description and a sanitized description. The FBI uses the detailed description to analyze the incident, identify trends, and open an investigation if warranted. However, only the sanitized version, which removes company-identifying or proprietary information, is shared with other InfraGard members. The beauty of this procedure is that the reporting organization can choose the words to describe the intrusion to their potential competitors. InfraGard membership is large and diverse, with some 56 member organizations. It is an experiment. We have high hopes that it will prove successful, and if it does, we plan to expand it to a national system managed by the NIPC. Earlier I described the relationship of the NIPC to the Infrastructure Protection Task Force (IPTF) put in place on an interim basis by Executive Order 13010. One of the key lessons of the IPTF experience was that it is imperative to ensure the availability of adequate funding and resources, including qualified staff, to perform our assigned mission. I would like to give you a progress report on the NIPC today in three fundamental areas: personnel, funding, and facilities. Personnel As I noted earlier, the concept behind the NIPC -- which is ratified by PDD-63 -- is that of partnership, which includes representation from the participating organizations. Our biggest challenge is getting people with the kinds of skills we need, in the numbers we need them, and getting them quickly. Our initial plan for full staffing at the Center is 125 for FY99, consisting of 85 FBI personnel and approximately 40 from other government agencies and the private sector. At the present time, we have 45 FBI personnel on board and one representative each from the Central Intelligence Agency, the National Security Agency, and the Departments of Energy and Defense. We are engaged in active discussions with senior officials from these and other government agencies to fulfill the rest of our staffing needs. We also have an aggressive recruitment plan in place to attract people with technical and other needed skills from academia and private industry. My discussions with senior managers from many agencies have been very positive. Virtually without exception, the), recognize the importance of the NIPC mission. However, many agencies are themselves struggling to meet their own responsibilities in this relatively new issue area in a tight budgetary environment. Our conversations with these agencies are continuing and I hope to obtain significant representation from the necessary agencies in FY99. In the interim, until we are more fully staffed, we are relying heavily on contractor support. Funding With regard to funding, the NIPC currently has approximately $3.6 million remaining in FY98 and No Year accounts that had been appropriated for the former CITAC, and we are developing a prioritized spending plan to ensure that the remaining financial resources will be used to meet our most pressing needs, including equipment purchases, contractor support, and recruitment activities. Our total funding request for FY99 is approximately $37 million. (The budget request for FY99 includes $33.6 million to implement the recommendations of the President's Commission on Critical Infrastructure Protection. Of that amount approximately $27 million will be used to fund the NIPC. In addition, the budget section for FBI Salaries and Expenses includes a request for $10.4 million for the former CITAC, which would now be used to fund the NIPC). Facilities and Equipment With regard to facilities and equipment, the Center continues to operate out of temporary quarters on the eleventh floor of the FBI Headquarters Building. We plan to move to permanent quarters on the fifth floor of the Headquarters building, adjacent to the new Strategic Information Operations Center (the FBI's command center), when construction and space improvements there are completed, currently scheduled for March of next year. We are currently in the process of designing an information architecture that will serve our mission needs. This will consist of analytical tools; computer resources; and connectivity to other federal government agencies, State and local governments, and private sector incident response teams and companies. In the meantime, we are relying on existing communications capabilities including: INTELink for access to intelligence information; SIPRNet and ADNet for communication with the Department of Defense, the National Law Enforcement Telecommunications System (NLETS) and Law Enforcement On-Line (LEO) to communicate with State and local law enforcement; the Awareness of National Security Issues and Response (ANSIR) program for communicating with industry, and FBInet for communication within the FBI. We have also procured equipment for a number of Field Offices to support infrastructure protection and computer intrusion matters. NEXT STEPS In this early phase of the NIPC's history, we have been working to establish clear, achievable objectives for each of the three sections that make up the organization. We also plan to assess our operational readiness in upcoming workshops and tabletop exercises. Solar Sunrise, which occurred just as we were in the process of establishing the NIPC, provided our first test. Another real-world incident could arise at any time, and we are working aggressively to capture the lessons of that experience for the future. We are also working aggressively to foster the development of new tools, analytic techniques, and data-sharing arrangements with the necessary partners in government, academia, and the private sector. Our vision is to make the NIPC the place where existing and developmental capabilities from around the country can be brought together. CONCLUSION The Federal government collectively has much to learn in dealing with infrastructure threats. But I believe we have the fundamentals correct: a clear understanding of the role of law enforcement and other government agencies; a commitment to real partnership and two-way information sharing with the private sector; and an institutional structure that enables this partnership to work. Let me note, however, that we are still in the early stages of building the Center. We have a lot of work to do in order to establish the necessary liaison with other agencies and the private sector, and to put in place our personnel and equipment. This will take time. But the President, the Department of Justice, and the FBI have taken an important first step in establishing this Center, in recognizing the need for an interagency and public-private partnership, and in realizing that the challenges of the next century require new ways of thinking and creative solutions. As the NIPC evolves and grows, I look forward to working with the Congress and with this Subcommittee in the months and years ahead. (end text)