RealNews

Official Says U.S. Infrastructure Vulnerable to CyberAttack

11 June 1998

(NIPC chief Vatis testifies on steps to counter threats)

The Department of Defense is a “prime target for individual (computer) hackers who want to test their skills,” as well as for people with “more malicious motives who are interested in looking at what they can find in DOD systems,” says the chief of a new agency created this year to protect the U.S. critical infrastructure against threats aimed at government and private sector entities by penetrations of computer systems.

Michael Vatis, deputy assistant director and chief of the Federal Bureau of Investigation’s National Infrastructure Protection Center (NIPC) created February 26, 1998, told the Senate Judiciary

Subcommittee on Terrorism, Technology and Government Information June 10 that hackers see DOD as “the final exam, the ultimate challenge, to test their skills.”

At a briefing prior to the hearing, witnesses recalled an incident

earlier this year when three teenagers from the United States and

Israel, broke into the Defense Department’s computer system.

Vatis said “People often ask why is it that so many of these cases

that we read about in the media involve minors — 16, 17 year-olds.

(They say) doesn’t this just show you that this problem is really

about kids out there having fun? In fact, I take the opposite view. My

response is: doesn’t it scare you that we’re finding kids who can do

this stuff? Doesn’t it scare you to think that we may not know what

people with more sophisticated skills and resources are doing? So I

think the cases that we are seeing are enough of an indication of our

vulnerabilities to make us realize that this is in fact a very serious

problem.”

Vatis echoed the words of other authorities on the subject, saying

that a public-private partnership is essential. “We, like the whole

effort that the president laid out in PDD-63 (Presidential Decision

Directive 63 — to protect the nation’s critical infrastructure), are

built on the notion of partnership. That really sums up the whole

concept behind the NPIC.”

He said the NIPC is founded “on the notion that we operate under the

authority of the attorney general — investigate crimes and protect

against terrorism and intelligence activities — but we also bring on

board physically representatives from all of the other entities that

have an important role to play; entities both within and outside the

government.”

These entities, he said, include U.S. federal and state agencies that

have responsibility for America’s water, power and transportation

systems, and private industries that control telecommunications

systems.

Following is the official text of Vatis’s testimony:

(begin text)

Good afternoon, Mr. Chairman and members of the Subcommittee. I

welcome this opportunity to discuss infrastructure protection and the

role of the National Infrastructure Protection Center (NIPC). Mr.

Chairman. I want to first acknowledge the significant role you and

this Subcommittee have played in getting, and keeping, the issues of

cyber terrorism and strategic information attacks on the national

agenda. Protecting our infrastructure from Information Age threats is

an issue that stresses our law enforcement and national security

processes, strains our traditional legal structures, and challenges

our thinking. But the potential dangers in the cyber realm are

enormous and must be addressed.

Today, I would like to describe to you how the NIPC is designed to

address this challenge, how we operate and plan to operate within the

new organizational structures just established by the President (which

you were briefed on earlier today by the National Security Council),

and our present status.

Protecting infrastructures in the Information Age raises new and

difficult issues. This Nation depends on the stable, consistent

operation of our critical infrastructures for our way of life, our

well-being, and our security. These critical infrastructures include,

but are not limited to, telecommunications, energy banking and

finance, transportation, water systems, and emergency services, both

government and private. Recent advances in computer hardware,

software, and communications technologies have made these

infrastructures highly automated and capable. But while technological

advances have promoted greater efficiency and improved service, they

have also made these infrastructures potentially more vulnerable to

disruption or incapacitation by a wide range of physical or

computer-based (“cyber”) threats. And the infrastructures are much

more interdependent than in the past, with the result that the

debilitation or destruction of one could have cascading destructive

effects on others. Finally, most of these infrastructures are owned

and operated by private industry. This means that guarding against

infrastructure threats requires an unprecedented degree of cooperation

and information sharing between the government and private sector.

HISTORY

On May 22, President Clinton announced two new directives designed to

strengthen the Nation’s defenses against terrorism and other

unconventional threats: Presidential Decision Directives (PDD) 62 and

63 PDD-62 highlights the growing range of unconventional threats that

we face and creates a new and more systematic approach to defending

against them. PDD-63 focuses specifically on protecting the Nation’s

critical infrastructures. The issuance of these two directives

represents a significant milestone in the evolution of policy to

address new threats which confront our Nation.

The National Infrastructure Protection Center can trace its roots back

to 1995, when President Clinton, in Presidential Decision Directive

39, directed the Attorney General to chair a Cabinet Committee to

assess the vulnerability of the Nation’s critical infrastructures and

recommend measures to protect them. In response to this directive, the

Attorney General created the Critical Infrastructure Working Group

(CIWG). That small inter-agency group — in which I represented the

Attorney General — was one of the first to focus on threats and

vulnerabilities of critical domestic infrastructures. In its January

1996 report, the CIWG recommended the creation of two entities: a

longer-term commission to develop a national strategy for protecting

and ensuring the continued operation of critical infrastructures, and

an interim task force to coordinate the Government’s existing

capabilities for responding to infrastructure attacks.

The CIWG’s recommendations led to Executive Order 13010. This order

created the President’s Commission on Critical Infrastructure

Protection (PCCIP) to study the problem in depth and develop proposed

solutions. In addition, the Order established at the Department of

Justice the Infrastructure Protection Task Force (IPTF). This

interagency body was designed to facilitate the coordination of

existing infrastructure protection efforts in the interim period,

while the PCCIP conducted its analysis and developed long-term

recommendations. The IPTF was located at the FBI in order to take

advantage of the watch and response capabilities of the

then-newly-established FBI Computer Investigations and Infrastructure

Threat Assessment Center (CITAC). CITAC was created in 1996 to

coordinate the FBI’s investigations and response to the increasing

problem of computer crime.

As you know, the PCCIP submitted its Report to the President in

October 1997. One of its recommendations was to create a national

warning center at the FBI to warn of infrastructure attacks. During

the course of the Administration’s consideration of the PCCIP Report,

however, it became apparent that such an entity should not merely

provide warnings of imminent or ongoing attacks, but should also

provide the focal point for coordinating the Government’s operational

efforts to deter, contain, investigate, and respond to attacks on the

Nation’s critical infrastructures. Such an entity should also provide

a principal mechanism for sharing threat and vulnerability information

between the government and the private sector.

As this policy history unfolded, real-world events further shaped our

thinking. The Eligible Receiver exercise held by the Department of

Defense last year revealed previously unrecognized vulnerabilities

associated with infrastructure dependencies and demonstrated the

degree to which DOD and the FBI need to coordinate to deal with

attacks on the infrastructures that are necessary to the performance

of DOD’s mission. Then, earlier this year, the investigation in the

now well-known “Solar Sunrise” case — which involved widespread

penetrations of computer systems at facilities within the Department

of Defense, other government agencies, academia, and the private

sector — underscored the need for a civilian focal point for

coordinating investigations and response to attacks on the

infrastructures and interfacing with the Department of Defense.

Together, then, the results of the policy making process stemming from

the PCCIP Report, the Eligible Receiver exercise, and the Solar

Sunrise investigation led the Attorney General and Director Freeh to

create the NIPC on February 26, 1998. And last month, in PDD-63, the

President formally recognized the role of the NIPC in the overall

government framework for dealing with infrastructure protection, and

he directed other agencies to support and participate in the NIPC and

to provide it with information about intrusions or attacks on

government or private sector systems.

Let me address briefly why the NIPC is located at the FBI. First, as

you know, the FBI has had existing programs and authorities to

investigate computer crimes and to prevent and investigate acts of

espionage and terrorism. These programs and authorities naturally

support and mesh with the infrastructure protection mission. Second,

in the case of most cyber attacks, neither the identity nor the

objective of the perpetrator is known. This means it is often

impossible to determine at the outset if an intrusion is an act of

vandalism, computer crime, terrorism, foreign intelligence activity,

or some form of strategic attack. The only way to determine the

source, nature, and scope of the incident is to investigate. And the

authority to investigate such matters — and to obtain the necessary

court orders or subpoenas — normally, resides with law enforcement.

This does not mean that, once the perpetrator is identified and the

scope of the attack known, the response is limited to law enforcement.

It simply means that in cases in which the only information we have is

that an illegal intrusion has occurred, but we don’t know the answers

to “who, what, why, or how?” the initial response normally must come

from law enforcement. But the FBI clearly must coordinate with, and

have the support of, other agencies that may have relevant information

or may need to be part of the response. For instance, if it is learned

that an intrusion is part of a strategic military attack, clearly the

Defense Department and other agencies with national security

responsibilities could be called on to respond.

MISSION AND COMPOSITION

The NIPC incorporates and expands the mission and personnel of the

FBI’s CITAC. The NIPC’s mission is to detect, deter, warn of respond

to, and investigate unlawful acts involving computer intrusions and

unlawful acts, both physical and cyber, that threaten or target our

critical infrastructures. This means we do not simply investigate and

respond to attacks after they occur, but we try to learn about them

and prevent them beforehand. This is a large and very difficult task.

It requires the collection and analysis of information gathered from

all available sources (including law enforcement investigations,

intelligence sources, data provided by industry, and open sources) and

the dissemination of our analyses and warnings of possible attacks to

potential victims, whether in the government or private sector. To

accomplish this mission, the NIPC relies on the assistance of, and

information gathered by, the FBI’s 56 Field Offices; other Federal

agencies; State and local law enforcement agencies; and perhaps most

importantly, the private sector.

The Defense Department is important to our mission because its

reliance on information technologies makes it a prime target for our

adversaries and because it holds much of the government’s expertise in

defending against cyber attacks. Our intelligence agencies have a

critical role because of their responsibility for gathering

information about threats from abroad. And other civilian agencies

with regulatory Jurisdiction or protective responsibility under PDD-63

for critical infrastructures — such as the Departments of Treasury,

Energy, and Transportation — have similarly significant roles.

But infrastructure protection is not just a mission for the Federal

government. State governments must be involved because they own and

operate some of the critical infrastructures and because their

agencies are often the first responders in the event of a crisis.

Finally, this mission requires the intensive involvement of the

private sector. Private industry owns and operates most of the

infrastructures, so it must be involved in helping us defend them. And

it also has the greatest expertise in identifying and solving the

technical problems.

In recognition of the vital roles all of these entities must play, I

want to emphasize that the NIPC is founded on the notion of a

partnership. We are building this partnership first through inclusive

representation, Our intent is that the Center be staffed with

professionals from other Federal agencies, from state and local law

enforcement, and from private industry. This will foster the sharing

of information and expertise, and improve coordination among all the

actors in the event of a crisis. In addition, the Center will augment

the physical presence of these representatives by establishing

electronic connectivity to the many different entities in government

and the private sector who might have — or need — information about

threats to our infrastructures.

Equally important is the need to build a two-way street for the flow

of information and incident data between the government and the

private sector. The government, with unique access to national

intelligence and law enforcement information, can develop a threat

picture that no entity in the private sector could develop on its own.

We need to share this with the industry. At the same time, we need to

learn from industry about the intrusion attempts and vulnerabilities

that it is experiencing. This will help us paint the vulnerability and

threat picture more completely, and will give us a head start on

preventing or containing a nascent attack. This is a new concept for

all of us, particularly for the agencies that go to great lengths to

protect sensitive sources and methods. But I believe this two-way

dialogue is the only way to deal with our common concern about

protecting our infrastructures. We believe it is possible to share the

necessary information about threats and vulnerabilities without

jeopardizing sources and methods, and without compromising companies’

proprietary data. And we are currently designing rules and mechanisms

to accomplish this.

Let me say at this point something about what we are not. We are not

the Nation’s super-systems administrator or security officer,

responsible for securing everyone’s infrastructures or systems against

intruders or advising on the latest security software or patches to

fix vulnerabilities. That role clearly must be filled by systems

administrators in each company, by chief information officers in

government agencies, and by industry groups and other entities (such

as computer emergency response teams) with expertise in reducing

vulnerabilities and restoring service. Rather, our role is to help

prevent intrusions and attacks by gathering information about threats

from sources that are uniquely available to the Government (such as

from law enforcement and intelligence sources), combining it with

information voluntarily provided by the private sector or obtained

from open sources, conducting analysis, and disseminating our analyses

and warnings to all relevant consumers. And, if an attack does occur,

our role is to serve as the Federal government’s focal point for

crisis response and investigation. That is the mission the Center has

been assigned. This job is big and difficult enough, and this is where

we must keep our focus.

HOW THE NIPC IS ORGANIZED

To accomplish its goals, the NIPC is organized into three sections:

— The Computer Investigations and Operations Section (CIOS) is the

operational and response arm of the Center. It program manages

computer intrusion investigations conducted by FBI Field Offices

throughout the country, provides subject matter experts, equipment,

and technical support to cyber investigators in federal, state, and

local government agencies involved in critical infrastructure

protection; and provides a cyber emergency response capability to help

resolve a cyber incident.

— The Analysis and Warning Section (AWS) serves as the indications

and warning arm of the NIPC, providing analytical support during

computer intrusion investigations and long-term analyses of

vulnerability and threat trends. When appropriate, it distributes

tactical warnings and analyses to all the relevant partners, informing

them of potential vulnerabilities and threats and long-term trends. It

also reviews numerous government and private sector databases, media,

and other sources daily to gather information that may be relevant to

any aspect of our mission, including the gathering, of indications of

a possible attack.

— The Training, Administration, and Outreach Section (TAOS)

coordinates the training and education of cyber investigators within

the FBI Field Offices, state and local law enforcement agencies, and

private sector organizations. It also coordinates our outreach to

private sector companies, state and local governments, other

government agencies, and the FBI’s field offices. In addition, this

section manages our collection and cataloguing of information

concerning “key assets” across the country. Finally, it provides the

entire Center with administrative support, handling matters involving

personnel, budget, contractors, and equipment.

STATUS REPORT

The NIPC has been operational since February 26 of this year, but we

are still in the process of building our staff, procuring the

necessary equipment, establishing the appropriate mechanisms for

information sharing, and” building the necessary liaison relationships

and connectivity to other government agencies and the private sector.

As we are building, we are heavily involved in supporting and

coordinating a number of significant computer crime investigations

conducted by our Field Offices. I want to stress the importance of the

Field Offices and the seven Regional Computer Squads (in Washington,

D.C., New York, San Francisco, Dallas, Boston, Los Angeles, and

Chicago) which conduct on-the-ground investigations. In FY99, we have

plans to add five more regional computer crime squads, and another

twelve in FY2000. We also rely heavily on the Computer Investigations

and Threat Assessment (CITA) Teams in each of the other field offices,

which are responsible for computer investigations, outreach, and

coordination with the private sector.

We have spent a considerable amount of time over the past few months

engaged in an aggressive outreach effort with the private sector to

explain the Center’s role, build support, raise awareness, and

establish critical liaisons with industry. I am encouraged by the

reaction and support we have received to date, which demonstrates to

me that Government and industry can work together to address our

mutual needs and responsibilities.

I’d also like to briefly describe one of our important outreach

initiatives: InfraGard, a pilot project sponsored by our Cleveland

Field Office. The name “InfraGard” refers to “guarding the information

infrastructure.” This program is a cooperative effort to exchange

information among the business community, academic institutions, the

FBI, and other government agencies to protect the information

infrastructure.

InfraGard features an alert network that members can use to report

intrusions. Reports are sent to the FBI via encrypted e-mail in two

forms: a detailed description and a sanitized description. The FBI

uses the detailed description to analyze the incident, identify

trends, and open an investigation if warranted. However, only the

sanitized version, which removes company-identifying or proprietary

information, is shared with other InfraGard members. The beauty of

this procedure is that the reporting organization can choose the words

to describe the intrusion to their potential competitors.

InfraGard membership is large and diverse, with some 56 member

organizations. It is an experiment. We have high hopes that it will

prove successful, and if it does, we plan to expand it to a national

system managed by the NIPC.

Earlier I described the relationship of the NIPC to the Infrastructure

Protection Task Force (IPTF) put in place on an interim basis by

Executive Order 13010. One of the key lessons of the IPTF experience

was that it is imperative to ensure the availability of adequate

funding and resources, including qualified staff, to perform our

assigned mission. I would like to give you a progress report on the

NIPC today in three fundamental areas: personnel, funding, and

facilities.

Personnel

As I noted earlier, the concept behind the NIPC — which is ratified

by PDD-63 — is that of partnership, which includes representation

from the participating organizations. Our biggest challenge is getting

people with the kinds of skills we need, in the numbers we need them,

and getting them quickly. Our initial plan for full staffing at the

Center is 125 for FY99, consisting of 85 FBI personnel and

approximately 40 from other government agencies and the private

sector. At the present time, we have 45 FBI personnel on board and one

representative each from the Central Intelligence Agency, the National

Security Agency, and the Departments of Energy and Defense.

We are engaged in active discussions with senior officials from these

and other government agencies to fulfill the rest of our staffing

needs. We also have an aggressive recruitment plan in place to attract

people with technical and other needed skills from academia and

private industry.

My discussions with senior managers from many agencies have been very

positive. Virtually without exception, the), recognize the importance

of the NIPC mission. However, many agencies are themselves struggling

to meet their own responsibilities in this relatively new issue area

in a tight budgetary environment. Our conversations with these

agencies are continuing and I hope to obtain significant

representation from the necessary agencies in FY99. In the interim,

until we are more fully staffed, we are relying heavily on contractor

support.

Funding

With regard to funding, the NIPC currently has approximately $3.6

million remaining in FY98 and No Year accounts that had been

appropriated for the former CITAC, and we are developing a prioritized

spending plan to ensure that the remaining financial resources will be

used to meet our most pressing needs, including equipment purchases,

contractor support, and recruitment activities. Our total funding

request for FY99 is approximately $37 million. (The budget request for

FY99 includes $33.6 million to implement the recommendations of the

President’s Commission on Critical Infrastructure Protection. Of that

amount approximately $27 million will be used to fund the NIPC. In

addition, the budget section for FBI Salaries and Expenses includes a

request for $10.4 million for the former CITAC, which would now be

used to fund the NIPC).

Facilities and Equipment

With regard to facilities and equipment, the Center continues to

operate out of temporary quarters on the eleventh floor of the FBI

Headquarters Building. We plan to move to permanent quarters on the

fifth floor of the Headquarters building, adjacent to the new

Strategic Information Operations Center (the FBI’s command center),

when construction and space improvements there are completed,

currently scheduled for March of next year.

We are currently in the process of designing an information

architecture that will serve our mission needs. This will consist of

analytical tools; computer resources; and connectivity to other

federal government agencies, State and local governments, and private

sector incident response teams and companies. In the meantime, we are

relying on existing communications capabilities including: INTELink

for access to intelligence information; SIPRNet and ADNet for

communication with the Department of Defense, the National Law

Enforcement Telecommunications System (NLETS) and Law Enforcement

On-Line (LEO) to communicate with State and local law enforcement; the

Awareness of National Security Issues and Response (ANSIR) program for

communicating with industry, and FBInet for communication within the

FBI.

We have also procured equipment for a number of Field Offices to

support infrastructure protection and computer intrusion matters.

NEXT STEPS

In this early phase of the NIPC’s history, we have been working to

establish clear, achievable objectives for each of the three sections

that make up the organization. We also plan to assess our operational

readiness in upcoming workshops and tabletop exercises. Solar Sunrise,

which occurred just as we were in the process of establishing the

NIPC, provided our first test. Another real-world incident could arise

at any time, and we are working aggressively to capture the lessons of

that experience for the future.

We are also working aggressively to foster the development of new

tools, analytic techniques, and data-sharing arrangements with the

necessary partners in government, academia, and the private sector.

Our vision is to make the NIPC the place where existing and

developmental capabilities from around the country can be brought

together.

CONCLUSION

The Federal government collectively has much to learn in dealing with

infrastructure threats. But I believe we have the fundamentals

correct: a clear understanding of the role of law enforcement and

other government agencies; a commitment to real partnership and

two-way information sharing with the private sector; and an

institutional structure that enables this partnership to work.

Let me note, however, that we are still in the early stages of

building the Center. We have a lot of work to do in order to establish

the necessary liaison with other agencies and the private sector, and

to put in place our personnel and equipment. This will take time. But

the President, the Department of Justice, and the FBI have taken an

important first step in establishing this Center, in recognizing the

need for an interagency and public-private partnership, and in

realizing that the challenges of the next century require new ways of

thinking and creative solutions.

As the NIPC evolves and grows, I look forward to working with the

Congress and with this Subcommittee in the months and years ahead.

United States Information Service Washington File

(end text)

OODA Analyst

OODA Analyst

OODA is comprised of a unique team of international experts capable of providing advanced intelligence and analysis, strategy and planning support, risk and threat management, training, decision support, crisis response, and security services to global corporations and governments.