Mr. Chairman, I welcome this opportunity to appear before you to discuss the Federal government’s efforts to protect the nation’s critical infrastructures.
Inter-dependent computer networks are an integral part of doing business in the Information Age. America is increasingly dependent upon computer networks for essential services, such as banking and finance, emergency services, delivery of water, electricity and gas, transportation, and voice and data communications. New ways of doing business in the 21st century are rapidly evolving. Business is increasingly relying on E-commerce for its commercial transactions. At the same time, recent hacking attempts at some of the most popular commercial Web sites underscore that America’s information infrastructure is an attractive target for deliberate attack or sabotage. These attacks can originate from a host of sources, such as terrorists, criminals, hostile nations, or the equivalent of car thief "joyriders." Regardless of the source, however, the potential for cyber damage to our national security and economy is evident.
Protecting our critical infrastructures requires that we draw on various assets of the government. When specific incidents or cyber events occur, the government needs a capacity to issue warnings, investigate the incident, and develop a case to punish the offenders. The National Information Protection Center at the FBI is organized to deal with such events as they occur.
Over the long term, the government also has a duty to be proactive to ensure that our computer systems are protected from attack. Critical infrastructure protection involves assets of both the government and the private sector. A number of agencies have responsibilities with respect to government computer systems. The Department of Defense is well on its way to securing its critical systems, and the Office of Management and Budget (OMB) and the National Institute of Standards and Technology at the Department of Commerce (NIST) have responsibility for information resources management of computer systems in Federal agencies.
I want to make clear that while the Federal government's responsibility in this area is clear with respect to the commission of crimes, that is only part of the equation. With respect to prevention and the development of more comprehensive security measures, the government can best play a supporting role. The infrastructure at risk is owned and operated by the private sector. Inevitably, it will be they who must work together to take the steps necessary to protect themselves. We can help. We can identify problems and publicize them, encourage planning, promote research and development, convene meetings. In short, we can act as a catalyst. That is precisely the role the Commerce Department is playing in several ways.
The Commerce Department, through its Critical Infrastructure Assurance Office (CIAO), coordinated the development of the National Plan for Information Systems Protection. President Clinton announced the release of Version 1.0 of the Plan on January 7.
Another active area is the creation of the Partnership for Critical Infrastructure Security. The Partnership is a collaborative effort between industry and government. This undertaking brings representatives of the infrastructure sectors together in a dialogue with other stakeholders, including the risk management and investment communities, mainstream businesses, and state and local governments. It complements the NIPC’s focus on cyber-terrorism by encouraging industry to collaborate on information security issues. Secretary Daley and I met with senior members of Partnership companies in December in New York. We will meet again next week in Washington, D.C., with senior members of the Partnership companies in order to encourage business leaders to adopt information security as an important business practice.
CIAO also is assisting Federal agencies in conducting analyses of their own dependencies on critical infrastructures. CIAO has just finished an ambitious pilot program that identifies the critical assets of the Commerce Department and maps out dependencies on governmental and private sector infrastructures. This program will provide important input to managers and security officials as they seek to assure their critical assets against cyber attacks.
President Clinton has increased funding for critical infrastructure substantially over the past three years, including a 15% increase in his FY 2001 budget to $2.01 billion. He has also developed and funded new initiatives to defend the nation’s systems from cyber attack.
The Clinton Administration has developed and provided full or pilot funding for the following key initiatives designed to protect our computer systems:
In addition, the President announced a number of new initiatives designed to support efforts for enhancing computer security, including a $9 million FY 2000 budget supplemental to jump-start key elements of next year’s budget. Among these was funding for NIST to create the Institute for Information Infrastructure Protection (I3P).
Yesterday Secretary Daley met with the President and 25 senior executives concerned about the recent disruptions to the Internet. This meeting reinforced the need for further cooperation between government and industry to help the private sector develop its action agenda for cyber security. The incidents of the past week are not cause for pushing the panic button, but they are a wake up call for action. As the President said, "I think there is a way that we can clearly promote security." The President has submitted a budget proposal that funds a number of initiatives that address critical information systems protection. If we are to reap the benefits of the Information Age, we need to take action to maintain a secure business environment in order to ensure both our national security and the growth of our economy.
In April of 2002 the Bureau of Export Administration (BXA)
changed its name to the Bureau of Industry and Security(BIS). For historical
purposes we have not changed the references to BXA in the legacy documents
found in the Archived Press and Public Information.