Thank you very much. It is a pleasure to be here today. I would like to extend my sincere appreciation to Governor McGreevey and to our co-sponsors, Princeton University and the National Institute of Justice, for holding this conference. This is the second in a series of conferences being held around the country with representatives from the public and private sectors to share information and identify best practices for critical infrastructure assurance and homeland security at the community level. It is the state and local government officials, local businessmen and women, and the many members of the police, firefighter, and emergency medical communities here today that form the vanguard of America’s response to terrorism.
As you just heard, my Bureau in the Commerce Department has a new name – the Bureau of Industry and Security. This name reflects the fact that our agency works on a broad array of issues at the intersection of industry and national security. The new name also reflects this Administration’s recognition that, in today’s world, U.S. industry and U.S. security are inextricably linked, and that the public and private sectors must jointly address economic and security issues. As amply demonstrated by the events of the last year, the health of U.S. industry is dependent on security – the security of our borders, our transportation systems, our computer networks, and our mail systems. At the same time, our security has never been more dependent on a vibrant private sector working in partnership with government at all levels.
Our Bureau’s mission is to protect U.S. national and economic security, while at the same time seeking to further U.S. economic interests. Critical infrastructure assurance and homeland security are important aspects of our mission. Along with my colleagues, I have been devoting a substantial amount of time to these issues, especially in the wake of the terrorist attacks of September 11. Those attacks have had a profound effect on all of us. They certainly have changed the way many of us think about globalization, economic security, and what we now call homeland security.
I would like to take a few minutes this afternoon to discuss the changing concepts of economic and homeland security in light of globalization. In particular, I want to expand on the point discussed earlier today that the American economy, including our critical infrastructures, is now the new target of terrorism. That is why I also want to discuss the need for leadership at the state and local levels – by both public and private officials – to sustain confidence and engagement in our economy despite the fact that terrorist attacks, inevitably, may hit their mark from time to time.
I would venture to say that, prior to September 11, most people here would have thought of globalization primarily in terms of increased economic integration throughout the world – whether it be increased trade, increased flows of information and capital, increased foreign investment, or increased mobility of labor and the means of production. I also think it is fair to say that, prior to September 11, most of us would have viewed globalization as an overwhelmingly positive force, contributing greatly to our economic prosperity. After all, the decade of the nineties was one of unprecedented economic growth and the enormous generation of wealth that resulted, in large part, from increased economic interaction and trade. Under these circumstances, protecting economic security usually meant maintaining access to global markets and assuring our supply of critical resources, such as oil.
September 11, however, brought into focus another important dimension of globalization – the collision of cultural and political values that often occurs between people from different societies and countries. Indeed, with globalization, we can no longer safely assume that problems that may seem far away from our country will not affect us. September 11 made it clear, once again, that there are extremists in the world that reject freedom, modernization, social diversity, and political pluralism. It also became painfully clear that, in a globalized world, such extremists can reach us with relative ease.
One of the important lessons learned from September 11 is that for many terrorists – including Osama bin Laden and al-Qaeda – the targets of attack are our economy and our way of life. In his taped messages, bin Laden has referred to the U.S. economy as the "key pillar of the enemy" and has called for strikes against critical sectors of our economy "through all possible means." Indeed, there is now specific evidence that al-Qaeda has obtained detailed information about U.S. power plants, dams, and other key infrastructure assets.
By attacking our economy and our infrastructures, terrorists hope to drive us inward – to undermine our national will, compel us to abandon our global engagement, and cause us to retreat into isolationism. This new terrorist strategy intimately connects our nation’s economic security to our national security. That is why homeland security must involve much more than protecting life and property within the borders of the United States from terrorism, though that unquestionably is of paramount importance. Homeland security also must involve preserving our way of life despite the fact that terrorist attacks may periodically find their mark. Indeed, homeland security must not be seen as somehow incompatible with globalization.
To the contrary, we must secure our homeland precisely so that we can continue to enjoy our freedoms at home and advance our interests abroad. By taking steps to secure ourselves – from the national level right down to the community level – we will better enable ourselves to maintain our global involvement, to preserve our open and dynamic economy, and to conduct ourselves in a manner that is fully consistent with our core values and beliefs.
Critical infrastructure assurance is an essential element of our overall approach to homeland security. As we discussed this morning, critical infrastructures refer to those industries, institutions, and distribution networks that provide a continual flow of goods and services essential to the nation’s defense and economic security, the functioning of its government, and the welfare of its citizens. These infrastructures relate to information and communications; electric power; oil and gas storage and distribution; banking and finance; transportation; water supply; and emergency assistance. They are the enablers of economic activity, as well as essential to the delivery of vital government services. That is why they are deemed "critical" – because their disruption could have a debilitating regional, national, or even international impact.
Protecting our critical infrastructures from disruption is not a new concept. The need to manage the risks arising from physical attacks and service disruptions has existed for as long as there have been critical infrastructures. However, as a result of advances in information and communications technology, there is a threat to critical infrastructures that goes beyond that of physical attacks. Each of the infrastructure sectors increasingly relies on shared information systems and networks for its operations. The very information systems and networks that facilitate commerce also leave us increasingly vulnerable to a new type of threat – that of cyber attacks. And the interconnected nature of our infrastructure sectors significantly magnifies the consequences of service disruptions. Disturbances originating locally or in one sector are more likely than ever before to cascade regionally or nationally and affect multiple sectors of the economy.
While we witnessed on September 11 a physical attack directed at our financial infrastructures, we also must be concerned about our vulnerability to cyber attacks. I refer to potential cyber attacks not as weapons of mass destruction, but as weapons of mass disruption. One person with relatively little training, inexpensive equipment, and access to the Internet has the potential through cyber attack to wreak havoc on an entire network or infrastructure.
Securing the nation’s critical infrastructures against cyber attacks goes well beyond the government’s traditional role of physical protection through defense of national airspace and national borders. Because there are no boundaries in cyberspace, and because approximately 90 percent of the nation’s critical infrastructures are privately owned and operated, government action alone cannot secure them. Only an unprecedented partnership between private industry and government will work.
Our preferred approach is to promote market rather than regulatory solutions in managing the risks posed to critical infrastructures. One of my jobs is to raise awareness that massive disruptions due to deliberate cyber attacks are a risk management problem that companies must solve, with government playing a supporting role. Part of this task involves translating our concerns into terms that corporate boards and CEOs will understand. The basic message is that critical infrastructure assurance is a matter of sound corporate governance, and corporate boards, as part of their fiduciary duty, must provide effective oversight of the development and implementation of appropriate security policies and practices.
Securing critical infrastructure must therefore become as integral a part of a company’s strategic planning and operations as is marketing or product development. Companies must institutionalize the process of identifying critical assets, assessing their vulnerabilities, and managing the risks associated with these vulnerabilities. Security – including cyber security – is now essential to business assurance and continuity. Corporate America cannot outsource this function to federal, state, or local government. And regulation cannot ensure proper implementation of cyber security within complex organizations. In the final analysis, only with the major contribution coming from the private sector can we secure the national economy from the threat of massive cyber-based attacks.
One of the biggest challenges facing government and industry is not only securing our critical assets, but working together to manage public and market expectations so that terrorist attacks that may temporarily damage our infrastructures do not result in widespread disengagement from economic activity. In my view, it is this disengagement, as much as – or perhaps more than – the actual destruction of economic assets, that poses the greatest risk to our national economic security. Economic security, ultimately, is not about eliminating the risk of terrorism, but about maintaining an orderly functioning national economy notwithstanding terrorist attacks.
Much of what I have said addresses matters that are national and global in scope. But there is an old saying in business that directly applies to our concerns about critical infrastructure assurance – "think globally, act locally." All disasters are, in fact, local. That was certainly the case on September 11. If we are truly to secure the nation’s homeland and our economy, we must proceed by securing our respective communities, one by one.
Indeed, the community represents an essential focal point for building a foundation for any national initiative that seeks to influence the public. All of us live in communities and look to the community for leadership to assure our safety, our economic opportunities, and our quality of life. The first people on the scene in a crisis are not the feds, but the local emergency response teams. We need leadership at the local level to survive terrorist attacks. Public confidence starts in the community and is dependent on how well the community plans ahead, responds to crises, and reestablishes order from chaos.
Despite the horror and devastation of September 11, communities in New York, New Jersey, Pennsylvania, Washington, D.C., and Virginia all demonstrated just how well this nation can respond to serious crises. If it were not for the outstanding planning and execution of the state and local governments as well as locally-based companies and emergency response teams, the consequences of the September 11 disaster would have been far, far worse.
Although no one likely will ever forget the images of the planes crashing into the World Trade Center and the Pentagon, those images are not as fresh in our minds today as they were just a few months ago. Life in the United States is, thankfully, returning to some sense of normalcy. A return to normalcy, however, must not mean a return to complacency. We want people to get back to their lives and not be consumed by the horror and tragedy of September 11. But we cannot afford to lose the sense of urgency for taking steps at the local level to secure our homeland and our economy, even as more and more time passes without another terrorist attack. As leaders in our respective communities, it is our responsibility to ensure that no one forgets the events of September 11.
It is important that we now capture – and make widely available – the lessons learned and best practices arising from the experiences of those who were on the front lines during the hours, days, and weeks that followed the attacks. That is the ultimate purpose of this Conference series – to compile and publish a compendium of successful practices that can be used by other communities to enable them to benefit from the experiences of those who were on the front lines on September 11.
The homeland and cyber security strategies that are currently being coordinated by the Office of Homeland Security and the President’s Critical Infrastructure Protection Board are referred to as "national" strategies, not federal strategies. This is because we in the federal government understand that these strategies must reflect and take into account the input of state and local leaders – from both the public and private sectors – if they are to be complete and effective in outlining and accomplishing our objectives.
In the end, the events of September 11 have made clear that we all now find ourselves on the front lines of U.S. national and economic security. Terrorists seek to undermine confidence in our public and private institutions and in our ability to manage the consequences of their attacks. In response, the federal government must work collaboratively and in partnership with state and local governments, with the private sector, and with local citizens. To the extent that government and private industry are seen to be doing everything within reason to protect the public from harm, the public’s confidence in its institutions will remain intact despite such attacks.
We can have the best national strategy for homeland security that the most brilliant minds can devise, and yet we will fail in our endeavor if local community leaders and citizens do not meet the immediate challenges of a terrorist disaster. Your work is essential to winning the war against terrorism. Only together can we reap the maximum economic benefits of globalization while still protecting ourselves and our country.
Thank you very much.