1998 Congressional Hearings
Intelligence and Security




National Infrastructure Protection

Michael Vatis
Deputy assistant director and chief of the 
Federal Bureau of Investigation's 
National Infrastructure Protection Center (NIPC)

Senate Judiciary Subcommittee on 
Terrorism, Technology and Government Information

10 June 1998


(begin text)



Good afternoon, Mr. Chairman and members of the Subcommittee. I
welcome this opportunity to discuss infrastructure protection and the
role of the National Infrastructure Protection Center (NIPC). Mr.
Chairman, I want to first acknowledge the significant role you and
this Subcommittee have played in getting, and keeping, the issues of
cyber terrorism and strategic information attacks on the national
agenda. Protecting our infrastructure from Information Age threats is
an issue that stresses our law enforcement and national security
processes, strains our traditional legal structures, and challenges
our thinking. But the potential dangers in the cyber realm are
enormous and must be addressed.


Today, I would like to describe to you how the NIPC is designed to
address this challenge, how we operate and plan to operate within the
new organizational structures just established by the President (which
you were briefed on earlier today by the National Security Council),
and our present status.


Protecting infrastructures in the Information Age raises new and
difficult issues. This Nation depends on the stable, consistent
operation of our critical infrastructures for our way of life, our
well-being, and our security. These critical infrastructures include,
but are not limited to, telecommunications, energy, banking and
finance, transportation, water systems, and emergency services, both
government and private. Recent advances in computer hardware,
software, and communications technologies have made these
infrastructures highly automated and capable. But while technological
advances have promoted greater efficiency and improved service, they
have also made these infrastructures potentially more vulnerable to
disruption or incapacitation by a wide range of physical or
computer-based ("cyber") threats. And the infrastructures are much
more interdependent than in the past, with the result that the
debilitation or destruction of one could have cascading destructive
effects on others. Finally, most of these infrastructures are owned
and operated by private industry. This means that guarding against
infrastructure threats requires an unprecedented degree of cooperation
and information sharing between the government and private sector.


HISTORY



On May 22, President Clinton announced two new directives designed to
strengthen the Nation's defenses against terrorism and other
unconventional threats: Presidential Decision Directives (PDD) 62 and
63. PDD-62 highlights the growing range of unconventional threats that
we face and creates a new and more systematic approach to defending
against them. PDD-63 focuses specifically on protecting the Nation's
critical infrastructures. The issuance of these two directives
represents a significant milestone in the evolution of policy to
address new threats which confront our Nation.


The National Infrastructure Protection Center can trace its roots back
to 1995, when President Clinton, in Presidential Decision Directive
39, directed the Attorney General to chair a Cabinet Committee to
assess the vulnerability of the Nation's critical infrastructures and
recommend measures to protect them. In response to this directive, the
Attorney General created the Critical Infrastructure Working Group
(CIWG). That small inter-agency group -- in which I represented the
Attorney General -- was one of the first to focus on threats and
vulnerabilities of critical domestic infrastructures. In its January
1996 report, the CIWG recommended the creation of two entities: a
longer-term commission to develop a national strategy for protecting
and ensuring the continued operation of critical infrastructures, and
an interim task force to coordinate the Government's existing
capabilities for responding to infrastructure attacks.


The CIWG's recommendations led to Executive Order 13010. This order
created the President's Commission on Critical Infrastructure
Protection (PCCIP) to study the problem in depth and develop proposed
solutions. In addition, the Order established at the Department of
Justice the Infrastructure Protection Task Force (IPTF). This
interagency body was designed to facilitate the coordination of
existing infrastructure protection efforts in the interim period,
while the PCCIP conducted its analysis and developed long-term
recommendations. The IPTF was located at the FBI in order to take
advantage of the watch and response capabilities of the
then-newly-established FBI Computer Investigations and Infrastructure
Threat Assessment Center (CITAC). CITAC was created in 1996 to
coordinate the FBI's investigations and response to the increasing
problem of computer crime.


As you know, the PCCIP submitted its Report to the President in
October 1997. One of its recommendations was to create a national
warning center at the FBI to warn of infrastructure attacks. During
the course of the Administration's consideration of the PCCIP Report,
however, it became apparent that such an entity should not merely
provide warnings of imminent or ongoing attacks, but should also
provide the focal point for coordinating the Government's operational
efforts to deter, contain, investigate, and respond to attacks on the
Nation's critical infrastructures. Such an entity should also provide
a principal mechanism for sharing threat and vulnerability information
between the government and the private sector.


As this policy history unfolded, real-world events further shaped our
thinking. The Eligible Receiver exercise held by the Department of
Defense last year revealed previously unrecognized vulnerabilities
associated with infrastructure dependencies and demonstrated the
degree to which DOD and the FBI need to coordinate to deal with
attacks on the infrastructures that are necessary to the performance
of DOD's mission. Then, earlier this year, the investigation in the
now well-known "Solar Sunrise" case -- which involved widespread
penetrations of computer systems at facilities within the Department
of Defense, other government agencies, academia, and the private
sector -- underscored the need for a civilian focal point for
coordinating investigations and response to attacks on the
infrastructures and interfacing with the Department of Defense.


Together, then, the results of the policy making process stemming from
the PCCIP Report, the Eligible Receiver exercise, and the Solar
Sunrise investigation led the Attorney General and Director Freeh to
create the NIPC on February 26, 1998. And last month, in PDD-63, the
President formally recognized the role of the NIPC in the overall
government framework for dealing with infrastructure protection, and
he directed other agencies to support and participate in the NIPC and
to provide it with information about intrusions or attacks on
government or private sector systems.


Let me address briefly why the NIPC is located at the FBI. First, as
you know, the FBI has had existing programs and authorities to
investigate computer crimes and to prevent and investigate acts of
espionage and terrorism. These programs and authorities naturally
support and mesh with the infrastructure protection mission. Second,
in the case of most cyber attacks, neither the identity nor the
objective of the perpetrator is known. This means it is often
impossible to determine at the outset if an intrusion is an act of
vandalism, computer crime, terrorism, foreign intelligence activity,
or some form of strategic attack. The only way to determine the
source, nature, and scope of the incident is to investigate. And the
authority to investigate such matters -- and to obtain the necessary
court orders or subpoenas -- normally resides with law enforcement.
This does not mean that, once the perpetrator is identified and the
scope of the attack known, the response is limited to law enforcement.
It simply means that in cases in which the only information we have is
that an illegal intrusion has occurred, but we don't know the answers
to "who, what, why, or how?" the initial response normally must come
from law enforcement. But the FBI clearly must coordinate with, and
have the support of, other agencies that may have relevant information
or may need to be part of the response. For instance, if it is learned
that an intrusion is part of a strategic military attack, clearly the
Defense Department and other agencies with national security
responsibilities could be called on to respond.


MISSION AND COMPOSITION



The NIPC incorporates and expands the mission and personnel of the
FBI's CITAC. The NIPC's mission is to detect, deter, warn of, respond
to, and investigate unlawful acts involving computer intrusions and
unlawful acts, both physical and cyber, that threaten or target our
critical infrastructures. This means we do not simply investigate and
respond to attacks after they occur, but we try to learn about them
and prevent them beforehand. This is a large and very difficult task.
It requires the collection and analysis of information gathered from
all available sources (including law enforcement investigations,
intelligence sources, data provided by industry, and open sources) and
the dissemination of our analyses and warnings of possible attacks to
potential victims, whether in the government or private sector. To
accomplish this mission, the NIPC relies on the assistance of, and
information gathered by, the FBI's 56 Field Offices; other Federal
agencies; State and local law enforcement agencies; and perhaps most
importantly, the private sector.


The Defense Department is important to our mission because its
reliance on information technologies makes it a prime target for our
adversaries and because it holds much of the government's expertise in
defending against cyber attacks. Our intelligence agencies have a
critical role because of their responsibility for gathering
information about threats from abroad. And other civilian agencies
with regulatory jurisdiction or protective responsibility under PDD-63
for critical infrastructures -- such as the Departments of Treasury,
Energy, and Transportation -- have similarly significant roles.


But infrastructure protection is not just a mission for the Federal
government. State governments must be involved because they own and
operate some of the critical infrastructures and because their
agencies are often the first responders in the event of a crisis.


Finally, this mission requires the intensive involvement of the
private sector. Private industry owns and operates most of the
infrastructures, so it must be involved in helping us defend them. And
it also has the greatest expertise in identifying and solving the
technical problems.


In recognition of the vital roles all of these entities must play, I
want to emphasize that the NIPC is founded on the notion of a
partnership. We are building this partnership first through inclusive
representation. Our intent is that the Center be staffed with
professionals from other Federal agencies, from state and local law
enforcement, and from private industry. This will foster the sharing
of information and expertise, and improve coordination among all the
actors in the event of a crisis. In addition, the Center will augment
the physical presence of these representatives by establishing
electronic connectivity to the many different entities in government
and the private sector who might have -- or need -- information about
threats to our infrastructures.


Equally important is the need to build a two-way street for the flow
of information and incident data between the government and the
private sector. The government, with unique access to national
intelligence and law enforcement information, can develop a threat
picture that no entity in the private sector could develop on its own.
We need to share this with the industry. At the same time, we need to
learn from industry about the intrusion attempts and vulnerabilities
that it is experiencing. This will help us paint the vulnerability and
threat picture more completely, and will give us a head start on
preventing or containing a nascent attack. This is a new concept for
all of us, particularly for the agencies that go to great lengths to
protect sensitive sources and methods. But I believe this two-way
dialogue is the only way to deal with our common concern about
protecting our infrastructures. We believe it is possible to share the
necessary information about threats and vulnerabilities without
jeopardizing sources and methods, and without compromising companies'
proprietary data. And we are currently designing rules and mechanisms
to accomplish this.


Let me say at this point something about what we are not. We are not
the Nation's super-systems administrator or security officer,
responsible for securing everyone's infrastructures or systems against
intruders or advising on the latest security software or patches to
fix vulnerabilities. That role clearly must be filled by systems
administrators in each company, by chief information officers in
government agencies, and by industry groups and other entities (such
as computer emergency response teams) with expertise in reducing
vulnerabilities and restoring service. Rather, our role is to help
prevent intrusions and attacks by gathering information about threats
from sources that are uniquely available to the Government (such as
from law enforcement and intelligence sources), combining it with
information voluntarily provided by the private sector or obtained
from open sources, conducting analysis, and disseminating our analyses
and warnings to all relevant consumers. And, if an attack does occur,
our role is to serve as the Federal government's focal point for
crisis response and investigation. That is the mission the Center has
been assigned. This job is big and difficult enough, and this is where
we must keep our focus.


HOW THE NIPC IS ORGANIZED



To accomplish its goals, the NIPC is organized into three sections:



-- The Computer Investigations and Operations Section (CIOS) is the
operational and response arm of the Center. It program manages
computer intrusion investigations conducted by FBI Field Offices
throughout the country, provides subject matter experts, equipment,
and technical support to cyber investigators in federal, state, and
local government agencies involved in critical infrastructure
protection; and provides a cyber emergency response capability to help
resolve a cyber incident.


-- The Analysis and Warning Section (AWS) serves as the indications
and warning arm of the NIPC, providing analytical support during
computer intrusion investigations and long-term analyses of
vulnerability and threat trends. When appropriate, it distributes
tactical warnings and analyses to all the relevant partners, informing
them of potential vulnerabilities and threats and long-term trends. It
also reviews numerous government and private sector databases, media,
and other sources daily to gather information that may be relevant to
any aspect of our mission, including the gathering of indications of
a possible attack.


-- The Training, Administration, and Outreach Section (TAOS)
coordinates the training and education of cyber investigators within
the FBI Field Offices, state and local law enforcement agencies, and
private sector organizations. It also coordinates our outreach to
private sector companies, state and local governments, other
government agencies, and the FBI's field offices. In addition, this
section manages our collection and cataloguing of information
concerning "key assets" across the country. Finally, it provides the
entire Center with administrative support, handling matters involving
personnel, budget, contractors, and equipment.


STATUS REPORT



The NIPC has been operational since February 26 of this year, but we
are still in the process of building our staff, procuring the
necessary equipment, establishing the appropriate mechanisms for
information sharing, and building the necessary liaison relationships
and connectivity to other government agencies and the private sector.


As we are building, we are heavily involved in supporting and
coordinating a number of significant computer crime investigations
conducted by our Field Offices. I want to stress the importance of the
Field Offices and the seven Regional Computer Squads (in Washington,
D.C., New York, San Francisco, Dallas, Boston, Los Angeles, and
Chicago) which conduct on-the-ground investigations. In FY99, we have
plans to add five more regional computer crime squads, and another
twelve in FY2000. We also rely heavily on the Computer Investigations
and Threat Assessment (CITA) Teams in each of the other field offices,
which are responsible for computer investigations, outreach, and
coordination with the private sector.


We have spent a considerable amount of time over the past few months
engaged in an aggressive outreach effort with the private sector to
explain the Center's role, build support, raise awareness, and
establish critical liaisons with industry. I am encouraged by the
reaction and support we have received to date, which demonstrates to
me that Government and industry can work together to address our
mutual needs and responsibilities.


I'd also like to briefly describe one of our important outreach
initiatives: InfraGard, a pilot project sponsored by our Cleveland
Field Office. The name "InfraGard" refers to "guarding the information
infrastructure." This program is a cooperative effort to exchange
information among the business community, academic institutions, the
FBI, and other government agencies to protect the information
infrastructure.


InfraGard features an alert network that members can use to report
intrusions. Reports are sent to the FBI via encrypted e-mail in two
forms: a detailed description and a sanitized description. The FBI
uses the detailed description to analyze the incident, identify
trends, and open an investigation if warranted. However, only the
sanitized version, which removes company-identifying or proprietary
information, is shared with other InfraGard members. The beauty of
this procedure is that the reporting organization can choose the words
to describe the intrusion to their potential competitors.


InfraGard membership is large and diverse, with some 56 member
organizations. It is an experiment. We have high hopes that it will
prove successful, and if it does, we plan to expand it to a national
system managed by the NIPC.


Earlier I described the relationship of the NIPC to the Infrastructure
Protection Task Force (IPTF) put in place on an interim basis by
Executive Order 13010. One of the key lessons of the IPTF experience
was that it is imperative to ensure the availability of adequate
funding and resources, including qualified staff, to perform our
assigned mission. I would like to give you a progress report on the
NIPC today in three fundamental areas: personnel, funding, and
facilities.


Personnel



As I noted earlier, the concept behind the NIPC -- which is ratified
by PDD-63 -- is that of partnership, which includes representation
from the participating organizations. Our biggest challenge is getting
people with the kinds of skills we need, in the numbers we need them,
and getting them quickly. Our initial plan for full staffing at the
Center is 125 for FY99, consisting of 85 FBI personnel and
approximately 40 from other government agencies and the private
sector. At the present time, we have 45 FBI personnel on board and one
representative each from the Central Intelligence Agency, the National
Security Agency, and the Departments of Energy and Defense.


We are engaged in active discussions with senior officials from these
and other government agencies to fulfill the rest of our staffing
needs. We also have an aggressive recruitment plan in place to attract
people with technical and other needed skills from academia and
private industry.


My discussions with senior managers from many agencies have been very
positive. Virtually without exception, they recognize the importance
of the NIPC mission. However, many agencies are themselves struggling
to meet their own responsibilities in this relatively new issue area
in a tight budgetary environment. Our conversations with these
agencies are continuing and I hope to obtain significant
representation from the necessary agencies in FY99. In the interim,
until we are more fully staffed, we are relying heavily on contractor
support.


Funding



With regard to funding, the NIPC currently has approximately $3.6
million remaining in FY98 and No Year accounts that had been
appropriated for the former CITAC, and we are developing a prioritized
spending plan to ensure that the remaining financial resources will be
used to meet our most pressing needs, including equipment purchases,
contractor support, and recruitment activities. Our total funding
request for FY99 is approximately $37 million. (The budget request for
FY99 includes $33.6 million to implement the recommendations of the
President's Commission on Critical Infrastructure Protection. Of that
amount approximately $27 million will be used to fund the NIPC. In
addition, the budget section for FBI Salaries and Expenses includes a
request for $10.4 million for the former CITAC, which would now be
used to fund the NIPC).


Facilities and Equipment



With regard to facilities and equipment, the Center continues to
operate out of temporary quarters on the eleventh floor of the FBI
Headquarters Building. We plan to move to permanent quarters on the
fifth floor of the Headquarters building, adjacent to the new
Strategic Information Operations Center (the FBI's command center),
when construction and space improvements there are completed,
currently scheduled for March of next year.


We are currently in the process of designing an information
architecture that will serve our mission needs. This will consist of
analytical tools; computer resources; and connectivity to other
federal government agencies, State and local governments, and private
sector incident response teams and companies. In the meantime, we are
relying on existing communications capabilities including: INTELink
for access to intelligence information; SIPRNet and ADNet for
communication with the Department of Defense; the National Law
Enforcement Telecommunications System (NLETS) and Law Enforcement
On-Line (LEO) to communicate with State and local law enforcement; the
Awareness of National Security Issues and Response (ANSIR) program for
communicating with industry; and FBInet for communication within the
FBI.


We have also procured equipment for a number of Field Offices to
support infrastructure protection and computer intrusion matters.


NEXT STEPS



In this early phase of the NIPC's history, we have been working to
establish clear, achievable objectives for each of the three sections
that make up the organization. We also plan to assess our operational
readiness in upcoming workshops and tabletop exercises. Solar Sunrise,
which occurred just as we were in the process of establishing the
NIPC, provided our first test. Another real-world incident could arise
at any time, and we are working aggressively to capture the lessons of
that experience for the future.


We are also working aggressively to foster the development of new
tools, analytic techniques, and data-sharing arrangements with the
necessary partners in government, academia, and the private sector.
Our vision is to make the NIPC the place where existing and
developmental capabilities from around the country can be brought
together.


CONCLUSION



The Federal government collectively has much to learn in dealing with
infrastructure threats. But I believe we have the fundamentals
correct: a clear understanding of the role of law enforcement and
other government agencies; a commitment to real partnership and
two-way information sharing with the private sector; and an
institutional structure that enables this partnership to work.


Let me note, however, that we are still in the early stages of
building the Center. We have a lot of work to do in order to establish
the necessary liaison with other agencies and the private sector, and
to put in place our personnel and equipment. This will take time. But
the President, the Department of Justice, and the FBI have taken an
important first step in establishing this Center, in recognizing the
need for an interagency and public-private partnership, and in
realizing that the challenges of the next century require new ways of
thinking and creative solutions.


As the NIPC evolves and grows, I look forward to working with the
Congress and with this Subcommittee in the months and years ahead.


(end text)