News

USIS Washington File

07 January 2000

Transcript: White House Briefing on Counter-Terrorism Program Jan. 7

(The economy, cybersecurity, Information Systems Security Education,
FY-2001 budget proposal, cyber-security/G.I. Bill, National
Infrastructure Advisory Committee) (4380)

White House Chief of Staff John Podesta, Secretary of Commerce Bill
Daley, NSC Staff Counter-Terrorism Coordinator Dick Clarke, and James
Madison University President Linwood Rose all briefed.

Following is the White House transcript:

(begin transcript)

THE WHITE HOUSE
Office thess Press Secretary

January 7, 2000

PRESS BRIEFING BY
CHIEF OF STAFF JOHN PODESTA,
SECRETARY OF COMMERCE BILL DALEY,
JAMES MADISON UNIVERSITY PRESIDENT LINWOOD ROSE
AND NATIONAL COORDINATOR FOR SECURITY, INFRASTRUCTURE PROTECTION
AND COUNTER-TERRORISM DICK CLARKE

10:25 A.M. EST

MR. LEAVY: Good morning, everybody. As you know, the President
announced his cyber-security plan this morning, and to answer your
questions and talk a little bit more about that with the Chief of
Staff, John Podesta, Secretary of Commerce, Bill Daley, President
Linwood Rose of James Madison University, and joining in the questions
will be Dick Clarke, the President's counterterrorism czar.

Mr. Podesta.

MR. PODESTA: This is the first time I've appeared with a czar, so
excuse me if I'm a little bit nervous. (Laughter.)

The President made his announcement this morning, but I would just
note at the outset that, again, this morning we had a continuing
evidence of a robust economy. This year, we had, in calendar year
1999, we're looking at an unemployment for the year that's the lowest
since 1969, the lowest Hispanic and African American unemployment
rates on record.

The economy continues to perform outstandingly. And part of the reason
for that is that is the fact that we have a new economy, an economy
that's built on information, technology information, infrastructure.
It's really beginning to move into all aspects of our economy and the
way we handle goods and services.

And just as in the 1950s when we were building an economy based on a
new transportation system, a new interstate highway system and we put
guardrails on that transportation system, we're here today to talk
about how we can better protect the information technology and
infrastructure of the information technology economy -- not only for
the government, but for the private sector, as well. And that's why
I'm pleased to be joined by Secretary Daley and President Linwood Rose
from James Madison; and, as Dave said, Dick Clarke will join us for
questions.

The President made the announcement this morning. We have made
substantial boosts in the amount of money that the government is
spending on this effort to protect our critical infrastructure, and
this year's budget will be no exception. We are going to request a 17
percent increase in funding over the FY 2000 budget, and the proposed
spending will be across the government. We will be seeking an increase
of approximately $2 billion, from $1.7 billion, with increases in
every agency and every sector.

One of the greatest boosts, I think, will be -- and Secretary Daley
will speak about this -- will be in the area of research and
development. The R&D now represents 32 percent of our critical
infrastructure protection. It's really important that we do that, that
we produce, in partnership with the private sector and in partnership
with the information technology companies who are at the forefront of
this revolution, on new technologies that can be rapidly put into the
information infrastructure to begin to provide the kinds of
protections that we're here to talk about.

So the overall increase in the R&D and R&E portion that we're going to
speak to as part of the President's overall commitment to increases in
research and development which, again, we'll lay out a future point as
we talk about our budget.

But with that, let me turn it over to Secretary Daley to talk about
the report.

SECRETARY DALEY: Thank you very much, John. As you said, no question,
we have a new economy and we have an economy that is much more
dependent, as we enter this next century, on information technologies.
So our defending of this economy is most important to us, especially
at a time of great economic boom that we're experiencing.

One of the consequences of leading this e-world is that we, as I
mentioned, are more dependent on information technologies in our
country, and therefore we're more subject to new and different kinds
of threats. It is true for our services as governments, and it is also
true for the private sector, whether they are large companies or small
companies. In our opinion, businesses risk going out of business if
their computer networks are obviously disrupted for any great length
of time.

This is the first time in American history that we in the federal
government, alone, cannot protect our infrastructure. We can't hire an
army or a police force that's large enough to protect all of America's
cell phones or pagers or computer networks -- not when 95 percent of
these infrastructures are owned and operated by the private sector.

We just spent, as we all know, about $100 billion as a nation, private
sector and the public sector, in correcting the Y2K problem. If people
had thought about this 25 years ago, we may not have had the situation
where we would have had to spend so much. Y2K taught us many things.
One is that we must be prepared. So the President and the Vice
President asked us to develop a national plan to defend America's
cyberspace. Twenty-two federal agencies have worked on this. It is the
first attempt by any nation to do something like this.

Today we have our first version. As you can see, it is designated
version 1.0. (Laughter.) It focuses on what we in the federal
government can do to protect our federal assets. But for this to be a
true national plan, later versions must include, and will include,
what the private sector, and also the state and local governments, can
do.

Last month, I met with industry leaders, and we are already in the
process of building a true partnership with them. Cooperation, rather
than new regulations, will bring more resources to the table, and we
will therefore have the opportunity to produce results faster. That is
the political reality, and in our opinion, one of the greatest
challenges that government faces in this century is, how do we deliver
services more effectively. In dealing with the private sector, we can
learn a lot from them. By partnering and sharing information, we can
improve our own efforts, and also work with them to make their
systems, and ours, more secure.

The end result is that we will all, therefore -- and our economy will
be better off. The American people can read this report on our website
by the end of today, on the White House's website, and also on the NSC
website. And if any of you would like a copy for your own files, we'd
be happy to supply them for you.

And it's my pleasure at this point -- there are a number of
universities who are looking and are forward-leaning. About eight
universities are developing curriculums in cybersecurity. One of them
is James Madison University, and it is a pleasure to introduce Lin
Rose, the President of James Madison.

MR. ROSE: Thank you. Good morning. As president of an institution
that, several years ago, recognized the need for information security
education, I'm particularly encouraged by today's news. As a nation,
we do face a critical need for information assurance experts. Our
economic growth has been fueled by our leadership in information
technology, and we have become more dependent upon computing and
electronic networks than any other country in the world.

That distinction also makes us more vulnerable than any other country
in the world. Our information systems, if not carefully protected, may
be accessed by those whose intentions are much more serious than just
mischief. Dependence upon electronic data systems is no longer unique
to computing and telecommunications alone. Power generation, banking
and finance, transportation, water supply and emergency services are
all dependent upon information systems and are susceptible to
disruption by hackers and criminals.

To protect these systems, we must have more information assurance
people -- people who have the talent and expertise to evaluate system
vulnerabilities, who understand encryption methodologies to protect
critical data, and who are able to design trusted systems and provide
for intruder monitoring and detection.

Higher education is the key to providing more of these professionals.
Universities have begun to address this work force need, but if we are
to accelerate the numbers of competent professionals at the rate that
is required, federal support for faculty development and student
assistance is essential.

The standard academic mechanisms and processes are too slow to satisfy
the current and projected demand in a reasonable amount of time.
Without external stimulus and support, we will simply fail to protect
our country's information infrastructure. Like most new professional
programs, much of the activity and information security has been
focused at the graduate level.

For example, with the support and encouragement of Virginia Senators
Warner and Robb, as well as Congressman Goodlatte, at James Madison
University we now offer a master's degree in information security.
That program, intended for working professionals, is the only degree
program in the country provided to students via the Internet.
Approximately one-half of the students are from government, while the
remaining participants come from business and industry. Programs such
as this one must be expanded.

It is imperative, however, that we develop undergraduate programs that
will prepare information security specialists. The cyber-service model
advanced in the President's plan will provide incentives to attract
students in greater numbers. The cyber-service will also attract the
interest of colleges and universities who are wrestling with the
numerous curricular opportunities available to them in
technology-related fields.

In short, this program, once fully implemented, will produce the
desired results. Eight institutions, designated by the National
Security Agency as centers of excellence in information security
education, have been working with the administration over the last 18
months to examine methods for expanding informations security
education. With the announcement of this plan, others will be certain
to join in a national effort to advance and address this critical work
force shortage.

The consortium of these eight universities, along with the National
Colloquium for Information Systems Security Education, which includes
representatives from government, business and education, will continue
to build the necessary curriculum, promote awareness of security
issues, conduct research, establish competency standards and develop
an information clearinghouse, as well as generally promoting the
profession. The support provided through this plan will reinforce and
enhance the effort.

By empowering higher education to be part of the solution to the
national information security problem, the President has set forth a
plan that will provide the nation and its citizens with the assurance
that our businesses, our government and our personal interests are
secure and protected. Thank you.

Q: Mr. Podesta, would you mind going over those figures again, as to
what the President is asking for, and the increase that is, and what
the breakdown is?

MR. PODESTA: Dick, you want to join us?

Q: Gene.Randall didn't get that. (Laughter.)

MR. PODESTA: There is a 17 percent increase in funding in the proposed
FY 2001 budget. Proposed spending across the government will increase
to $2.0 billion, from -- the Congress appropriated last year $1.75
billion, based on a request from the administration of $1.77 billion.
So they actually did -- we were successful in achieving most of what
we requested in total dollar amounts. But we're asking now for a 17
percent increase in that amount to a total of approximately 2.03, I
think is the accurate number.

Do you want to give a little bit more on the breakdown, Dick?

MR. CLARKE: Sure. We have these nice color charts to pass out; if you
haven't already received them, we'll get them to you. As John said,
it's a 17 percent increase that we're asking for in 2001 over the
appropriated money from 2000. There was a similar request, similar
increase last year. So the compounded effect of that over the last two
years is considerable.

The largest increase in the percentage basis is for research and
development. The President, as he said, is proposing an institute for
information infrastructure protection. This is a research organization
that will work closely with the private sector. It's not a building,
it's not a new bureaucracy, it's a funding mechanism so that the
federal government can match private sector funds and plug the holes
in the R&D requirements. R&D will rise the President's plan from $461
million last year to $621 million in the year 2001.

Q: Secretary Daley, this cyber-security version of the G.I. Bill that
the President talked about this morning, what would be the required
service, postgraduate, and in what agencies would these people find
employment?

SECRETARY DALEY: I don't think we've worked out the details as to the
length of service that would be required. We obviously want to work
with the institutions and work with the federal agencies as to what
sort of length of service they thought would be appropriate.

Q: Are you talking about two years, three years, four years? It's four
years in the G.I. Bill, isn't it?

MR. CLARKE: Yes. The typical federal requirement is a year of service
for every year -- a year of service for every year of scholarship. So
if, for example, someone had a four-year undergraduate program at
James Madison or somewhere else, we would expect them to do four years
of service in the federal government, in any federal department that
wanted them, helping that federal department to protect its own
computer systems. So these are IT security managers that would help
the federal government improve security on federal computers.

Q: Do you know what the job designation would be, in terms of federal
pay scale?

MR. CLARKE: Well, one of the things that the Office of Personnel
Management is looking at --

Q: For example, will they make more money than Mr. Leavy or --
(laughter.)

MR. CLARKE: That's not hard. That's not hard.

One of the things that OPM, the Office of Personnel Management, is
looking at is whether or not we have to abandon the normal federal
grades -- GS7, GS8, GS9. For example, if you graduate now with a
bachelor's of science in computer information, typically you would
become a GS7. Now, that's going to earn somewhere in the area of
$28,000 to $30,000. That same person, with that same degree, can go
out to the Dulles access road or Silicon Valley, and earn $90,000 to
$120,000. So we have to look seriously, and OPM is going to look
seriously, at adjusting the grade structure. So we might not use the
normal federal grade structure to pay IT security workers.

Q: What's the biggest threat that you're trying to guard against? Is
it hackers and vandalism? Is it criminals? Or is it domestic or
foreign terrorism?

MR. CLARKE: I think it's all of the above. There's a spectrum, from
the teenage hacker who sort of joy rides through cyberspace, up
through industrial espionage, up through fraud and theft. And up at
the far end of the spectrum, to another country using information
warfare against our infrastructure.

Q: Mr. Podesta, or Secretary Daley, is the catalyst for this the
situation that happened with the White House computer last year, and
several infiltration situations with some of the federal government
computers last year, as well?

MR. PODESTA: Well, I wouldn't describe that as the catalyst for this.
I think we've been working on this for some time, and have -- as I
think Dick noted, this has been going on in a kind of serious
formulation as a policy for several years, and precedes the situation,
which was resolved -- with the hacker at the White House -- with an
arrest, that occurred last year.

But I think that, obviously, every agency, every department of
government, but every private sector institution that's relying on the
information infrastructure. It's not just computers; it's the electric
power grid, it's the other things that we learned so much about during
our run-up to Y2K. The banking, financial industry -- increasingly
every single sector of the economy is tied in, linked through
e-commerce, through the use of computer technology, to this kind of
critical infrastructure which has developed over the course of the
'70s, '80s and '90s.

And so I think that it's a high national security priority, to begin
to protect all of the infrastructure, not just the federal government
infrastructure. And that's why we're excited about having a
partnership with the university community and the private sector.

SECRETARY DALEY: Let me just add, what the White House experienced, I
would imagine every agency in the government, we have experienced,
from harmless, seemingly harmless invasions, to others that gave us
great concern. So what happened here was replicated, I would assume,
in every department.

Q: A follow-up: how vulnerable are the systems right now?

SECRETARY DALEY: Well, we believe they're much better. I speak for our
agency, and obviously this program that we've put out with the 22
agencies, believe that our federal program right now in protecting our
systems and our assets, is much better than obviously we were before
we went through this process.

Q: Secretary Daley, just to follow up on some of the questions here,
can you give us -- what are some credible scenarios for the type of
thing that you're trying to prevent here? We all know about the
teenage hacker, or the cyber-vandal. But can you give us some
scenarios for the more elaborate types of problems --

SECRETARY DALEY: Well, remember when there was that -- when was that
lightning strike in Florida that hit the system, that basically
knocked out --

MR. CLARKE: Two years ago.

SECRETARY DALEY: Two years ago -- knocked out most of the East Coast,
much of the grid along the East Coast. That was obviously an act of
nature. No one, at that point, understood how everything was connected
along the East Coast, and would be so affected for a couple of hours.
And that, I think, woke up not only some of us in government, but
surely affected the private sector's attitude about a better
understanding of the interconnection and our involvement in trying to
address this. It will not be solved, though, without partnership.

Q: Okay, you mentioned foreign governments. And to what extent do
foreign governments have the capability to engage in this kind of
disruption? And are you looking at disruptions on the part of foreign
governments to private sector operations, or just the government?

MR. CLARKE: We are aware, now, over the course of the last two years,
that several other nations have developed offensive information
warfare units, organizations, tactics, doctrine and capability. Now,
that doesn't mean they're going to use them. But it means that they're
developing them, they're getting better all the time.

And in a crisis, historically, nations have attacked each other's
infrastructure. Nations have gone after, in warfare situations or
crisis situations, electric power grids, telecommunications,
transportation networks. So it's not inconceivable to have a scenario
in the future in which a future opponent might think that they could
attack our civilian, privately-owned infrastructure through computer
attack.

Q: Can you say which countries those are?

Q: And do we have such an offensive capability ourselves?

MR. CLARKE: You'd have to ask the Defense Department about that. And,
no, we're not going to name names of other countries.

Q: Why not? I mean, what's the big secret?

Q: Why shouldn't you tell us?

Q: The President kicked off this initiative almost two years ago. And
I know that you had a May '99 deadline, or a self-set May '99 deadline
for putting out this report. What's taking so long? And why isn't the
physical protection included in this, because as you have just said,
you can just as easily take down critical infrastructures with
physical attacks.

MR. CLARKE: We had a May 1999 self-imposed deadline. We decided not to
meet that deadline; but, rather, to take the time to get it right; to
take the time to do the sort of consultation that we have done with
the Congress, and with the private sector. Secretary Daley mentioned
that last month he met with 94 companies in New York as part of that
consultative process. As John Podesta said, this is version 1.0. There
are going to be other versions as the dialogue continues with the
Congress and with the private sector.

Q: It's my understanding as well that the NIAC hasn't stood up yet?
You don't have a lead for that? Is that true?

MR. CLARKE: The President has signed an executive order to create a
National Infrastructure Advisory Committee, and we are in the process
now of doing the personnel selection for that advisory committee.

Q: Gentlemen, there is a real revolution in the way computers are
being used now. Fifteen years ago, it was mainly a business
application. Now, they're in all parts of the home, and the talk is,
within a few years we're going to have IP appliances in people's
homes. Shouldn't you be focusing more effort not just on the private
sector but, in fact, on the general public? And why does part of this
report still suggest that much of this information will be precluded
from reaching the general public?

MR. CLARKE: I don't think the report at all suggests that information
is going to be denied to the general public. What we're looking at in
terms of prioritizing our activities are the things which would have
the greatest effect on the greatest number of people. And so, if there
were a computer attack on a power grid, that would have a great effect
on millions of people. It's certainly true that individual computers,
your PC at home could be hacked, but chances are no one is going to do
that. The real threat is to the larger infrastructures and not to an
individual home.

Q: John, if I could ask you another unrelated question. Republicans
yesterday apparently proposed a package of smaller targeted tax cuts,
including the marriage penalty. Is this the kind of tax cut the
administration could work with the Republicans on, and do you guys
have a position on the marriage penalty tax?

MR. PODESTA: Well, I'd like to think that the Republican leadership
spent some of the time since the break in November listening to their
constituents, and have gotten on a program more similar to the
President's which is to address the critical needs of the country --
Social Security, Medicare, education, and the other priorities, and
come up with a tax cut that fits within an overall framework of fiscal
discipline. They put out some numbers yesterday that were obviously
much more consistent with what the President was talking about over
the course of the last year than the risky tax scheme they put forward
and was rejected by the President, vetoed by the President, and
rejected by the American people.

But I think we need to see the whole plan, and to try to -- hopefully
we can find some consensus, work together, to do those critical
priorities -- to address Social Security, to address Medicare, to make
the important investments that we've talked about. And, as we have
said, we think there's room within the overall context of the surplus
to find some targeted tax cuts that will be aimed at the middle class,
that will not be loaded up in favor of the wealthiest Americans, but
that are spread and aimed at addressing critical priorities.

With respect to the marriage penalty, I think we've said that within
the context of tax relief, that we're open to discussions about tax
relief in that area. But it's got to be part of an overall program
that's fiscally disciplined, and that aims at our key priorities. And,
obviously, we want to aim our tax cuts at the middle class, and the
President's budget, which he will put forward in the next month or so,
will aim to do that.

Q: Dick, for those of us who still sort of cling to the old technology
because it never gives you a fatal exception error, how much distance
is it in bridging security between hacking a website and actually
getting into the infrastructure and turning things off?

MR. CLARKE: The same techniques that people use to find
vulnerabilities or back-doors into websites can be used to hack your
way into computer-controlled networks. Things like the power grid and
railroads and whatnot, telecommunications, are computer-controlled
networks. And many of the same principles of finding vulnerabilities
and hacking your way into a website are applied in hacking your way
into a computer-controlled network.

Q: How much extra distance is there?

MR. CLARKE: Not much.

MR. LEAVY: I'm sorry, last question.

Q: Oh, a question about the Fidnet portion that was very controversial
with civil liberties groups. And how big is the Fidnet to this whole
plan? Is it a central part, or a small piece?

MR. CLARKE: We think the federal government has a positive obligation
to protect the privacy information, and other information on federal
government computer systems. Just as your files, the files about you
in the IRS or elsewhere in the government, are in a file drawer with a
lock on it, and there's a burglar alarm protecting that office in
physical space, so we think there should be a burglar alarm and a lock
on files the federal government has in cyberspace. The federal
intrusion detection network that we propose is just that. It's a
burglar alarm for federal files in cyberspace. It, in no way, will
intrude onto private computer systems -- private sector computer
systems. It's only a government protection system for government
sites. It's designed to protect privacy and enhance privacy.

END

10:50 A.M. EST

(end transcript)

(Distributed by the Office of International Information Programs, U.S.
Department of State.)