Critical Infrastructure Protection and Information Warfare Issues
Statement for the Record of
Michael A. Vatis
Director, National Infrastructure Protection Center
Federal Bureau of Investigation
Senate Armed Service Committee,
Subcommittee on Emerging Threats and Capabilities
Washington, D. C.
March 16, 1999
Mr. Chairman, Senator Bingaman, and Members of the Subcommittee: Thank you for inviting me here today to discuss critical infrastructure protection and information warfare issues. My brief remarks will focus on two areas: the role of the NIPC under Presidential Decision Directive-63 (PDD- 63), and current impediments to critical infrastructure protection.
NIPC and PDD-63
PDD-63 creates an unprecedented set of intra-governmental as well as public-private cooperative structures for the vital mission of critical infrastructure protection. Let me begin by reviewing the roles assigned to the NIPC and the other key players in infrastructure protection.
PDD-63 authorized the expansion of the FBI's former organization, the Computer Investigations and Infrastructure Threat Assessment Center, into a full-scale National Infrastructure Protection Center. The PDD states that the NIPC "[s]hall serve as a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity." It further states that the mission of the NIPC "will include providing timely warnings of intentional threats, comprehensive analyses and law enforcement investigation and response."
Thus, the PDD places the NIPC at the core of the government's warning, threat investigation, and response system for threats to, or attacks on, the nation's critical infrastructures. The NIPC is the focal point for gathering information on threats to the infrastructures as well as "facilitating and coordinating the federal government's response to an incident." The NIPC is also responsible for "mitigating attacks, investigating threats and monitoring reconstitution efforts." The PDD further specifies that the NIPC should include "elements responsible for warning, analysis, computer investigation, coordinating emergency response, training, outreach, and development and application of technical tools."
The NIPC has a vital role in collecting and disseminating information from all relevant sources. Thus, the PDD directs the NIPC to "sanitize law enforcement and intelligence information for inclusion into analyses and reports that it will provide, in appropriate form, to relevant federal, state, and local agencies; the relevant owners and operators of critical infrastructures; and to any private sector information sharing and analysis entity." The NIPC is also charged with issuing "attack warnings or alerts to increases in threat condition to any private sector information sharing and analysis entity and to the owners and operators."
In order to perform its role, the NIPC is establishing a network of relationships with a wide range of entities in both the government and the private sector. The PDD provides for this in several ways. First, it states that the Center will "include representatives from the FBI, U.S. Secret Service, and other investigators experienced in computer crimes and infrastructure protection, as well as representatives detailed from the Department of Defense, Intelligence Community and lead agencies."1 Second, the NIPC will be "linked electronically to the rest of the government, including warning and operations centers as well as any private sector information sharing centers." Third, all executive departments and agencies are mandated to "cooperate with the NIPC and provide it assistance, information, and advice that the NIPC may request, to the extent permitted by law." Fourth, all executive departments are also mandated to "share with the NIPC information about threats and warning of attacks and actual attacks on critical government and private sector infrastructures, to the extent permitted by law." To ensure that the flow of information is unimpeded -- which is imperative when dealing with cyber attacks -- the PDD authorizes the NIPC to "establish its own relations directly with others in the private sector and with any information sharing and analysis entity that the private sector may create."
Let me address briefly why the NIPC is located at the FBI. First, as you know, the FBI has had existing programs and authorities to investigate computer crimes and to prevent and investigate acts of espionage and terrorism. These programs and authorities naturally support and mesh with the infrastructure protection mission. Second, in most cyber attacks, the identity, location, and objective of the perpetrator are not immediately apparent. Nor is the scope of his attack -- i.e., whether an intrusion is isolated or part of a broader pattern affecting numerous targets. This means it is often impossible to determine at the outset if an intrusion is an act of vandalism, organized crime, domestic or foreign terrorism, economic or traditional espionage, or some form of strategic military attack. The only way to determine the source, nature, and scope of the incident is to gather information from the victim sites and intermediate sites such as Internet Service Providers and telecommunications carriers. Under our constitutional system, gathering such information usually requires some form of legal authority -- either criminal investigative or foreign counterintelligence. Thus, the NIPC is housed in the FBI to enable it to utilize the appropriate authorities to gather and retain the necessary information and to act on it. Now, this does not mean that the ultimate response to a cyber attack is limited to criminal investigation and prosecution. The response will be determined by the facts that are uncovered. Thus, for instance, if it is determined that a cyber intrusion is part of a strategic military attack, the President may determine that a military response is called for. But no such determination can be made without adequate factual foundation, and the NIPC's role is to coordinate the process for gathering the facts, analyzing them and making determinations about what is going on, and determining what responses are appropriate.
This role clearly requires the involvement and expertise of many agencies other than the FBI. This is why the NIPC, though housed at the FBI, is an interagency center that brings together personnel from all the relevant agencies. Thus, the Deputy Director is a civilian detailee from the Department of Defense; the Chief of our Analysis and Warning Section is a senior CIA analyst; and managers, investigators, analysts, and computer scientists within the Center come from across the defense, intelligence, and law enforcement communities. In addition, we are seeking infrastructure and technical experts from each of the infrastructure sectors to enhance our ability to understand and coordinate with the owners and operators of the infrastructures. Currently, the NIPC has representatives from multiple government agencies, including FBI, DOD, NSA, DOE, and CIA as well as federal and state law enforcement, including the U.S. Secret Service, the U.S. Postal Service, and, until recently, the Oregon State Police. Private sector representatives are also being sought. In fact, just yesterday the Attorney General and the Information Technology Association of America announced a set of initiatives as part of a "Cybercitizens Partnership" between the government and the information technology (IT) industry. One initiative involves providing IT industry representatives to serve in the NIPC to enhance our technical expertise and our understanding of the information and communications infrastructure. This interagency, public-private composition will ensure that we are able to obtain information necessary to our mission from all relevant sources -- criminal investigations, intelligence sources, open sources, automated intrusion detection systems, and private sector contacts-- and that we are poised to coordinate closely with the other agencies that may need to participate in the response to an incident.
Other entities are also created by the PDD. The National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism is responsible for overall policy implementation of the PDD. In this capacity he chairs the interagency Critical Infrastructure Coordinating Group. The PDD also created a National Planning Staff (renamed the Critical Infrastructure Assurance Office, or CIAO) to assist the National Coordinator in this policy function by coordinating the drafting of a "national plan" and the implementation of a national education and awareness program. The national plan is currently in the drafting process and is the subject of ongoing interagency discussions.
The PDD also designates certain agencies as the "lead agencies" for each infrastructure sector. These agencies (listed in footnote 1 on page 2) are charged with working with their respective Sectors (via a "Sector Coordinator" chosen to represent the sector) to: assess sector vulnerabilities and develop a plan to eliminate the significant ones; propose a system for identifying and preventing attempted major attacks; and develop a plan for alerting, containing and rebuffing an attack in progress and then reconstituting minimum essential capabilities in the aftermath of an attack. Given its roles in the areas of vulnerability, warning, response, and reconstitution monitoring, the NIPC needs to work closely with the Sector Coordinators and Liaisons in the development, implementation, and testing of their plans.
Finally, under the PDD the federal government is encouraging the creation of one or more Information Sharing and Analysis Centers (ISACs) by the private sector. As envisioned, the ISAC(s) "could serve as a mechanism for gathering, analyzing, appropriately sanitizing and disseminating private sector information to both industry and the NIPC." ISACs could also serve to further disseminate NIPC information to industry. The provision of timely and complete information to the NIPC is critical for the success of its mission, and the PDD states that the ISACs are "not to interfere with direct information exchanges between companies and the government." As the government and private sector consider possible models for an ISAC, it is critical that nothing be created that would impede or delay the flow of incident and threat information to and from the NIPC. Rather, any ISAC should be designed to expedite the flow of information to enable real-time detection, analysis, and response by the NIPC.
Status of the NIPC and its Implementation of the PDD.
To accomplish its goals under the PDD, the NIPC is organized into three sections:
In addition, the NIPC is developing processes to ensure that we get relevant information in real time or near real time from all relevant sources, including: the US Intelligence Community, FBI criminal investigations, the private sector, other federal agencies, emerging intrusion detection systems, and open sources. This information is quickly analyzed to determine if a broad scale attack is underway. If we determine an attack is underway, we can issue warnings using an array of mechanisms, and send out sanitized and unsantized warnings to the appropriate parties in Federal Government and the private sector so they can take immediate protective steps. This is a difficult process requiring the design of both procedures for reporting and sanitization, and collection and distribution mechanisms. The NIPC is currently working on these procedures and mechanisms. The long-term goal is to develop a comprehensive "indications and warning" system. This will require participation by the Intelligence Community, DOD, the sector lead agencies, other government agencies, federal, State and local law enforcement, and the private sector owners and operators of the infrastructure. Currently, the NIPC is focusing on developing and implementing a methodology and system for detecting and warning of attacks on the federal government and the national telecommunications and electric power sectors.
Response is central to the NIPC mission. To facilitate our ability to investigate and respond to attacks, the FBI has created a National Infrastructure Protection and Computer Intrusion Program in the 56 FBI field offices across the country. Under this program, managed by the NIPC at FBIHQ, full "NIPCI" squads or smaller teams have been created in each field office to conduct computer intrusion investigations, respond to threats, and collect information on "key assets" within each sector. There are currently 10 full NIPCI squads in Washington DC, New York, San Francisco, Chicago, Dallas, Los Angeles, Atlanta, Charlotte, Boston, and Seattle. The other field offices have smaller teams. The 10 squads have regional responsibilities, assisting the smaller teams in other offices when an incident exceeds the smaller team's resources or capabilities. Ultimately, we need to create a full squad in each field office. During the first nine months of 1998 the NIPCI squads and teams opened 377 new cases, closed 304 cases and had a pending caseload of 526 matters. Currently, there are 680 pending investigations of computer intrusion matters. The pending caseload is expected to markedly increase in the coming years.
The program to protect and respond to physical attacks on the US critical infrastructure are handled by the FBI's counter-terrorism program. The NIPC supports this initiative through its management of the Key Asset Program (KAP). A key asset can be defined as an organization, group of organizations, system, or group of systems, or physical plant the loss of which would have widespread and dire economic or social impact on a national, regional, or local basis. The KAP initially will involve determining which assets are key within the jurisdiction of each FBI field office, obtaining 24-hour points of contact at each asset in cases of emergency. Eventually, if resources permit, the Program would include the development of contingency plans to respond to attacks on each asset, exercises to test response plans, and modeling to determine the effects of an attack on particular assets. FBI Field Offices will be responsible for developing a list of the assets within their respective jurisdictions, while the NIPC will maintain the national database. This program will be developed in coordination with DOD and other agencies. This program serves the critical needs of developing lists of the key assets within each critical infrastructure and also of developing the communications and liaison links necessary for the collection of information and the dissemination of warnings to the infrastructure owners and operators.
The FBI, in conjunction with the private sector, has also developed an initiative called "InfraGard" to expand direct contacts with the private sector infrastructure owners and operators and to share information about cyber intrusions, exploited vulnerabilities, and physical infrastructure threats. The initiative encourages the exchange of information by government and private sector members through the formation of local InfraGard chapters within the jurisdiction of each Field Office. Chapter membership includes representatives from the FBI, private industry, other government agencies, State and local law enforcement, and the academic community. The initiative provides four basic services to its members: an intrusion alert network using encrypted e-mail; a secure website; local chapter activities; and a help desk for questions. The critical component of InfraGard is the ability of industry to provide information on intrusions to the NIPC and local FBI field office using secure communications in both a "sanitized" and detailed format. The local FBI Field Offices can, if appropriate, use the detailed version to initiate an investigation; while the NIPC can analyze that information in conjunction with other law enforcement, intelligence, or industry information to determine if the intrusion is part of a broader attack on numerous sites. The NIPC can simultaneously use the sanitized version to inform other members of the intrusion without compromising the confidentiality of the reporting company. InfraGard, which began as a pilot program in the Cleveland, Cincinnati, and Indianapolis field offices, will be expanded to 14 additional offices this month, and to the rest of the country later this year.
The NIPC also serves as the U.S. government lead agency for the Emergency Law Enforcement Services Sector. As Sector Liaison for law enforcement, the NIPC and a Sector Coordinator representing the law enforcement sector are formulating a plan to reduce vulnerabilities of state and local law enforcement to attack and developing methods and procedures to share information within the sector. The NIPC and the FBI Field Offices are also working with the State and local law enforcement agencies to raise awareness with regard to vulnerabilities in this sector.
The NIPC has also been very active in training. Training FBI and other agencies' investigators is critical if we hope to keep pace with the rapidly changing technology and be able to respond quickly and effectively to computer intrusions. The NIPC trained 170 FBI agents and 17 representatives from other law enforcement agencies in 1998. We currently plan to train over 1000 law enforcement personnel in 1999 at the federal, state, and local levels. Additional training initiatives include specialized courses in information security developed by the private sector. Together, these efforts will help place us at the cutting edge of law enforcement and national security in the 21st Century.
Policy and Statutory Impediments to Combating Threats to the Critical Information Infrastructure.
There are several policy and statutory impediments to our being able to fully address the threats to the critical information infrastructure.
Hiring sufficient personnel for the National Infrastructure Protection Center and for the nationwide National Infrastructure and Computer Intrusion Program continues to be a major concern. The prevention, detection, analysis, warning, and response missions assigned to the NIPC and FBI field offices all require a large number of skilled personnel. Currently, we believe there are far more intrusions occurring than we know about or can investigate. Additional personnel are therefore a vital need if we are to learn about, investigate, and respond to attacks on our infrastructures. As use of the Internet continues to increase dramatically, the number of intrusions will grow even more, and our capability must keep pace.
I should note that some of the shortfall could be met with detailees from other agencies. Congress has prohibited us, however, from reimbursing other agencies for detailees in FY 99, which has naturally made it somewhat more difficult for other agencies to devote scarce resources to our common mission at the NIPC.
There are a number of statutory issues related to protecting the infrastructure. Fortunately, a number of agencies are focused on identifying these concerns with an aim towards working with the Congress to consider legislative fixes. The NIPC is coordinating in this regard with, among others, the Computer Crime and Intellectual Property Section of the Department of Justice's Criminal Division, the CIAO and the Security Policy Board.
Examples of some of the issues the NIPC or other members of the infrastructure protection community are concerned with include:
PDD-63 established the NIPC as the operational linchpin of our efforts to protect America's critical infrastructures in the 21st century. Ours is a national mission to combine the inputs from the government lead agencies and the private sector in order to provide analyses and warnings and to respond to an intrusion incident. But the NIPC can perform this mission only if has the necessary resources, interagency support, and information from multiple sources. I believe we have made significant progress in the first year of our existence in establishing the foundation for an effective system for preventing, detecting, and responding to cyber attacks. In just this past year, we have brought on board over 100 personnel from many agencies at NIPC HQ; established a national program for computer investigations in every FBI field office; developed and delivered advanced training in network investigations to nearly 200 FBI and other government agency investigators; developed several mechanisms and programs to share information with the private sector; begun a program to protect "key assets" with each infrastructure sector from cyber attack; and coordinated several national-level investigations involving numerous agencies and FBI field offices. While much as been accomplished, however, much work remains in developing our detection, prevention, warning, and response capabilities. I look forward to working with this Subcommittee and the Congress in protecting our national security against this difficult challenge.