Where Industry and Security Intersect
What's New | Sitemap | Search
One of my first meetings after I was confirmed as Under Secretary was with
Harris Miller, the President of the ITAA. As many of know, Harris is one of
three coordinators responsible for working with the Information and Communications
sector to develop that sector's contribution to the Administration's national
strategy on critical infrastructure protection and cyber security. During
our initial meeting, Harris made clear his continued commitment - and that
of ITAA - to working with the U.S. Government on issues related to the security
of our information networks and our industrial processes that are dependent
on those networks. It is therefore a pleasure to be here today to discuss
the challenges and the importance of securing the key sectors of this nation's
economy, and the role of information technology in that process.
As you just heard, my Bureau in the Commerce Department has a new name - the Bureau of Industry and Security. This name reflects the fact that our agency works on a broad array of issues at the intersection of industry and security - whether it be national security, economic security, cyber security, or what is now known as homeland security. The new name reflects this Administration's recognition that, in today's world, U.S. industry and U.S. security are inextricably linked, and that the public and private sectors must jointly address economic and security issues. As amply demonstrated by the events of the last year, the health of U.S. industry is dependent on security - the security of our borders, our transportation systems, our computer networks, and our mail systems. At the same time, our security has never been more dependent on a vibrant private sector working in partnership with government at all levels.
Our Bureau's mission is to protect U.S. national and economic security, while at the same time seeking to further U.S. economic interests. I would like to take a few minutes today to discuss how the terrorist attacks of September 11 changed our perceptions of the way we think about globalization and about the changing concepts of national, economic, and homeland security. In particular, I want to focus on the fact that the American economy, including our critical infrastructures, is now the new target of terrorism. I also want to discuss the importance of leadership by the private sector - in conjunction with government officials - in sustaining confidence and engagement in our economy despite the fact that terrorist attacks, inevitably, may hit their mark from time to time.
I would venture to say that, prior to September 11, most people here would have thought of globalization primarily in terms of increased economic integration throughout the world - whether it be increased trade, increased flows of information and capital, increased foreign investment, or increased mobility of labor and the means of production. I also think it is fair to say that, prior to September 11, most of us would have viewed globalization as an overwhelmingly positive force, contributing greatly to our economic prosperity. After all, the decade of the nineties was one of unprecedented economic growth and the enormous generation of wealth that resulted, in large part, from increased economic interaction and trade. Under these circumstances, protecting economic security usually meant maintaining access to global markets and assuring our supply of critical resources, such as oil.
September 11, however, brought into focus another important dimension of globalization - the collision of cultural and political values that often occurs between people from different societies and countries. Indeed, with globalization, we can no longer safely assume that problems that may seem far away from our country will not affect us. September 11 made clear, once again, that there are extremists in the world that reject freedom, modernization, social diversity, and political pluralism. It also became painfully clear that, in a globalized world, such extremists can reach us with relative ease.
One of the important lessons learned from September 11 is that for many terrorists - including Osama bin Laden and al-Qaeda - the targets of attack are our economy and our way of life. On September 11, that meant exploiting the vulnerabilities of our commercial aviation system by effectively turning passenger airplanes into enormous cruise missiles to attack, among other targets, our financial sector. We are certainly taking steps to enhance airport and airplane security, so as to protect against a similar episode ever occurring again. But we also have to recognize that terrorists are creative, and they will try to strike in the future in a different way than they have in the past.
In his taped messages, bin Laden has referred to the U.S. economy as the "key pillar of the enemy" and has called for strikes against critical sectors of our economy "through all possible means." There is now specific evidence that al-Qaeda has obtained detailed information about U.S. power plants, dams, and other key infrastructure assets. By attacking our economy and our infrastructures, terrorists hope to drive us inward - to undermine our national will, compel us to abandon our global engagement, and cause us to retreat into isolationism.
This new terrorist strategy intimately connects our nation's economic security to our national security. That is why homeland security must involve more than protecting people and property within the borders of the United States from terrorism, though that unquestionably is of paramount importance. Homeland security also must involve preserving our way of life despite the fact that terrorist attacks may periodically find their mark. Indeed, homeland security must not be seen as somehow incompatible with globalization.
To the contrary, we must secure our homeland precisely so that we can continue to enjoy our freedoms at home and advance our interests abroad. By taking steps to secure ourselves - from the national level down to the community level - we will better enable ourselves to maintain our global involvement, to preserve our open and dynamic economy, and to conduct ourselves in a manner that is fully consistent with our core values and beliefs.
Protection of our critical infrastructures is an essential element of our overall approach to homeland security. Critical infrastructures refer to those industries, institutions, and distribution networks that provide a continual flow of goods and services essential to the nation's defense and economic security, the functioning of its government, and the welfare of its citizens. These infrastructures relate to information and communications; electric power; oil and gas storage and distribution; banking and finance; transportation; water supply; and emergency assistance. These sectors enable economic activity and are essential for the delivery of vital government services. That is why they are deemed "critical" - because their disruption could have a debilitating regional, national, or even international impact.
Protecting our critical infrastructures from disruption is not a new concept. The need to manage the risks arising from physical attacks and service disruptions has existed for as long as there have been critical infrastructures. However, as a result of advances in information and communications technology, there is a threat to critical infrastructures that goes beyond that of physical attacks.
We have been saying for the last several years that information technology is changing the way our nation's critical infrastructures operate. Each of the infrastructure sectors increasingly relies on shared information systems and networks - and even the Internet - for its operations. The very information systems and networks that facilitate commerce and industrial operations also leave us potentially more vulnerable to a new type of threat - that of cyber attacks. And the interconnected nature of our infrastructure sectors significantly magnifies the consequences of service disruptions. Disturbances originating locally or in one sector are more likely than ever before to cascade regionally or nationally and affect multiple sectors of the economy.
While we witnessed on September 11 a physical attack directed at our financial infrastructures, we also must be concerned about our vulnerability to cyber attacks. I refer to potential cyber attacks not as weapons of mass destruction, but as weapons of mass disruption. While rogue states or terrorist organizations can launch cyber attacks, so can a single individual with relatively little training, inexpensive equipment, and access to the Internet. And an effective cyber attack can wreak havoc on an entire network or infrastructure.
Securing the nation's critical infrastructures against cyber attacks goes well beyond the government's traditional role of physical protection through defense of national airspace and national borders. Because there are no boundaries in cyberspace, and because approximately 90 percent of the nation's critical infrastructures are privately owned and operated, government action alone cannot secure them. Securing our critical infrastructures must, therefore, be a shared responsibility. Only an unprecedented collaboration between private industry and government will work. This will require clarifying, and in some instances redefining, the respective roles and responsibilities of government and industry. Making industry a real partner in securing our homeland and our critical infrastructures necessitates a "cultural" adjustment on both sides. That will not be easy, but it must be done, and I am confident it can be done.
Notwithstanding the events of September 11, our preferred approach to securing privately owned and operated critical infrastructures is to promote market rather than regulatory solutions. To the extent that the private industry is able and willing to manage the security risks related to these infrastructures, the government can focus its efforts in other areas of homeland security where market-driven solutions are either unavailable or unlikely to succeed. One of my jobs is to raise awareness that massive disruptions due to deliberate cyber attacks are a risk management problem that companies must solve, with government playing a supporting role. Part of this task involves translating our concerns into terms that corporate boards and CEOs will understand.
To date, most Americans - and too many CEOs - think of cyber attacks as incidents that occur and remain in cyberspace. This implies a phenomenon that falls more in the category of nuisance than of significant material risk. But that is simply not the case. The real information technology revolution is not just in e-mail or e-commerce; it is in the way such technology is transforming the organization and structure of business processes and operations. Critical infrastructure protection must become a matter of sound corporate governance.
Corporate boards, as part of their fiduciary duty, must provide effective oversight of the development and implementation of appropriate security policies and practices. Indeed, securing critical infrastructure must become as integral a part of a company's strategic planning and operations as is marketing or product development. Companies must institutionalize the process of identifying critical assets, assessing their vulnerabilities, and managing the risks associated with those vulnerabilities. I can envision the insurance industry and the legal community establishing over time a market environment that provides incentives for companies to do this. Ultimately, our goal is to achieve a degree of infrastructure reliability capable of withstanding local acts of terrorism. Security - whether it be physical security or cyber security - is now essential to business assurance and continuity.
Corporate America cannot outsource this function to federal, state, or local government. And regulation cannot ensure proper implementation of cyber security within complex organizations. In the final analysis, only with the major contribution coming from the private sector can we secure the national economy from the threat of massive cyber-based attacks.
One of the biggest challenges facing government and industry is not only securing our critical assets, but working together to manage public and market expectations so that terrorist attacks that may temporarily damage our infrastructures do not result in widespread disengagement from economic activity. In my view, it is this disengagement, as much as - or perhaps more than - the actual destruction of economic assets, that poses the greatest risk to our national economic security. Economic security, ultimately, is not about eliminating the risk of terrorism, but about maintaining an orderly functioning national economy notwithstanding terrorist attacks.
The Federal government already has undertaken significant steps to protect our nation's homeland defense, including our critical infrastructures. In October of 2001, the President created the Office of Homeland Security and appointed Governor Tom Ridge to head that Office. Governor Ridge and his staff are responsible for leading efforts to enhance our nation's homeland security while ensuring that such efforts do not unreasonably interfere with our economy, our way of life, or our core values. In addition, the President created the Critical Infrastructure Protection Board, which is chaired by Dick Clarke, to work closely with the private sector to develop a national strategy for critical infrastructure assurance and cyber security. As Chairman of the Board's Standing Committee on Private Sector and State and Local Government Outreach, I am working closely with Dick in developing the Administration's policies on forging and sustaining meaningful partnerships between government and industry.
The Board also will address and recommend solutions for some thorny legal issues - which may be familiar to many of you - that arise in the area of public-private cooperation. These include creating an exemption under the Freedom of Information Act for information on critical infrastructures that is shared with the government as well as creating an antitrust exemption for cooperation among companies on matters of critical infrastructure protection.
Some of you may know just how contentious these issues can be. Reasonable people can - and do - disagree over whether existing laws need to be changed. To me, the matter comes down to this: Is the current statutory and regulatory environment conducive to promoting the voluntary sharing of information between government and industry for purposes of homeland security and critical infrastructure protection? To the extent the current environment does not promote this kind of information sharing, and to the extent we believe it is in the public interest that such sharing take place on a voluntary basis, then it is incumbent on government to address and resolve these issues. I cannot tell you at this time how these issues will, in fact, be resolved, but I can tell you that the Administration is taking them seriously and is working with the Congress on them.
Let me also, however, insert a note of caution with respect to legislative reforms to support information sharing. There is no silver bullet here. There is not going to be an avalanche of information flowing to the federal government from private industry merely because legislation creates a new exemption to the Freedom of Information Act. Indeed, the one ingredient essential to information sharing is trust, and trust cannot be legislated or regulated.
It must be built up over time through effective public-private partnering. What legislative reform can do is create a statutory framework that invites and supports the development and cultivation of such trusted relationships.
I would like to conclude by turning to another, and until recently overlooked, element of homeland security - that is the importance of community planning and action. If we are truly to secure the nation's homeland and our economy, we must proceed by securing our respective communities, one by one. Although much of what I have said today involves matters that are national and global in scope, there is an old saying in business that directly applies to our concerns about critical infrastructure protection - "think globally, act locally." All disasters are, in fact, local. Certainly, as you are painfully aware, that was the case on September 11.
The community represents an essential focal point for building a foundation for any national initiative that seeks to influence the public. All of us live in communities and look to the community for leadership to assure our safety, our economic opportunities, and our quality of life. The first people on the scene in a crisis are not the feds, but the local emergency response teams. We need leadership at the local level to survive terrorist attacks. Public confidence starts in the community and is dependent on how well the community plans ahead, responds to crises, and reestablishes order from chaos.
Despite the horror and devastation of September 11, communities in New York, New Jersey, Pennsylvania, Washington, D.C., and Virginia all demonstrated just how well this nation can respond to serious crises. If it were not for the outstanding planning and execution of the state and local governments as well as locally-based companies and emergency response teams, the consequences of the September 11 disaster would have been far, far worse.
Although no one likely will ever forget the images of the planes crashing into the World Trade Center and the Pentagon, those images are not as fresh in our minds today as they were just a few months ago. Life in the United States is, thankfully, returning to some sense of normalcy. A return to normalcy, however, must not mean a return to complacency. We want people to get back to their lives and not be consumed by the horror and tragedy of September 11. But we cannot afford to lose the sense of urgency for taking steps at the local level to secure our homeland and our economy, even as more and more time passes without another terrorist attack. As leaders in our respective communities, it is our responsibility to ensure that no one forgets the events of September 11.
The homeland and cyber security strategies that are currently being coordinated by the Office of Homeland Security and the President's Critical Infrastructure Protection Board are referred to as "national" strategies, not federal strategies. This is because we in the federal government understand that these strategies must reflect and take into account the input of state and local leaders - from both the public and private sectors - if they are to be complete and effective in outlining and accomplishing our objectives.
In the end, the events of September 11 have made clear that we all now find ourselves on the front lines of U.S. national and economic security. Terrorists seek to undermine confidence in our public and private institutions and in our ability to manage the consequences of their attacks. In response, the federal government must work collaboratively and in partnership with state and local governments, with the private sector, and with local citizens. To the extent that government and private industry are seen to be doing everything within reason to protect the public from harm, the public's confidence in its institutions will remain intact despite such attacks.
We can have the best national strategy for homeland security that the most brilliant minds can devise, and yet we will fail in our endeavor if local community leaders and citizens do not meet the immediate challenges of a terrorist disaster. Your work is essential to winning the war against terrorism. Only together can we reap the maximum economic benefits of globalization while still protecting ourselves and our country.
Thank you very much.