Remarks of Acting Assistant Secretary Sopko at a Symposium Sponsored by AFCEA, ITAA and AFEI
ACTING ASSISTANT SECRETARY FOR COMMUNICATIONS AND INFORMATION
"PROTECTING e-GOVERNMENT in the 21ST CENTURY:
PLANS AND PROGRESS FOR SECURING THE NATION"
Symposium Sponsored by AFCEA, ITAA and AFEI
Department of Commerce Auditorium
May 14, 2001
Thank you, Mrs. Andahazy, for your kind words of introduction.
Good morning. I am delighted to be here today standing in for Secretary Evans, and am honored to have the opportunity to address you. The Secretary was very disappointed that he had a conflict in his schedule and was unable to be here to deliver the keynote speech. However, promoting and protecting e-government in the 21st century is a role that Secretary Evans views as a key function of his responsibilities as Secretary of Commerce, and he asked me to talk to you this morning about plans and progress for doing so by protecting our critical communications and information infrastructure, including e-government services.
As such, we are proud that today's symposium is taking place here at the Department of Commerce, whose core mission is to promote and protect the U.S. economy. I would like to thank the hosts of this Symposium - the Washington, D.C. Chapter of AFCEA, the Information Technology Association of America (ITAA), and the Association for Enterprise Integration (AFEI) - for organizing this event today.
Before I go any further in my remarks, I'd like to congratulate the recipients of the Second Annual Excellence in Electronic Critical Infrastructure Protection Award, which AFCEA will award during the symposium today. This award honors outstanding individuals or organizations in government or the private sector for excellence in furthering electronic critical infrastructure protection. It makes us very proud that the symposium is taking place here at the Department of Commerce and that the announcement of the awards will be part of today's program. On behalf of Secretary Evans, I offer congratulations to the recipients who will be announced later this morning.
I had the opportunity to speak before a similar gathering at the National Defense University sponsored by AFCEA some five years ago. At the time, I was reporting on the recently completed hearings that I had helped direct for Senator Nunn and the Permanent Subcommittee on Investigations. Those hearings were one of the first Senate hearings on the issue of Cyber Security. It is amazing that they only occurred a short five years ago. So much has changed yet so much is the same. We have made a lot of progress but we still have a long way to go.
All of us here today are involved in some way or another with e-government, and all of us are very concerned about the security of e-government services. Many of you heard the news recently that the White House's own web site was shut down for a period of time because of a cyber-attack. This was a denial-of-service attack, in fact, and unfortunately nothing particularly unusual or complicated to achieve. Some press reports raised the possibility that the attack was carried out by individuals based in the People's Republic of China.
You also may have seen recent reports on persistent assaults on Pentagon computers over the past three years, code named "Moonlight Maze." These vexing attacks, which the press reports originated from Russia, are apparently continuing.
I'm not here today to discuss the details of these particular attacks or those who may be responsible for them. I raise the incidents because they are examples of two things - - (1) how prevalent and important government computer networks, which include E-government Web-sites, have become, and (2) how easily they can be targeted.
Such attacks are not isolated. Eighty-five percent of large corporations and government agencies detected security breaches during the last 12 months. Financial losses from these electronic break-ins totaled $400 million, a 40 percent increase from the year before. And these are only the breaches reported. According to media estimates, the loss to commercial entities from denial-of-service attacks alone was placed at $1.2 billion. The "Love Bug" attacks (including over 40 variants of the virus that affected systems worldwide in May 2000) caused the largest impact, with an economic impact estimated to be $8.7 billion. And the economic impact of virus attacks on information systems around the world amounted to $17.1 billion in 2000 -- a marked increase over the $12.1 billion economic impact in 1999.
Why is this so?
1. Our opponents are getting better, and
2. We are becoming more dependent on E-Commerce
In the last ten years we have witnessed the creation of a global information infrastructure that has catapulted the Internet into a critical tool for industry, government, and all citizens alike. As reported by a study prepared last year by my office on computer and Internet growth, called "Falling Through the Net," 41% of Americans have access to the Internet. Over 116 million Americans are now on-line. As National Security Advisor Condoleezza Rice said recently in a speech before the U.S. Chamber of Commerce, at the Annual Meeting of the Partnership for Critical Infrastructure Assurance on March 22:
Today the cybereconomy IS the economy, and I don't mean the dot-coms. I mean that virtually every vital service - - water supply, transportation, energy, banking and finance, telecommunications, public health - - all of these rely on computers and fiber optic lines, switches, and the routers to connect them. (Corrupt those networks, and you corrupt this nation).
We look forward to even greater growth of e-commerce and e-government in the future as the means to providing citizens more efficient and more easily available services. At the same time there are challenges that pose threats to the public's acceptance and confidence in electronic systems. These include privacy concerns, and a general concern of unnecessary government intervention. These challenges also include what I am here to talk about today: cyber threats to the underlying infrastructure that provides these communications capabilities, and what the Administration is doing to address them.
The threat of attacks on government web sites, as with other security threats, is real and growing. With the Internet and other communication systems continuing to grow exponentially and to interconnect, one has to recognize that cyber defense is a long-term problem with many pitfalls along the way. The critical infrastructures that support these sites and other elements of e-government are increasingly at risk of cyber-attacks from a constellation of new threats. These threats include but are not limited to terrorism. Those who can use the tools and techniques to do electronic harm range from the recreational hacker to the terrorist to the nation state intent on seeking strategic advantage. The network and computer technology will evolve while attack technology develops along with it. It is a complex task, because it is one very different from defending the Nation's airspace from bombers or missiles or our border from invading armies or infiltrating terrorists.
Thus, any discussion of E-government would be incomplete without a discussion of the government's role in promoting critical infrastructure protection.
Key E-Government Services
But what actually is E-Government? The term "e-government" can mean a host of different electronic communications and services. E-government involves an exchange of vital and frequently very sensitive information with both the public confidence and millions of dollars involved. E-government services, therefore, demand more stringent security solutions than may be needed in the commercial world, and present a number of steep challenges. For example, three important E-government services that necessitate heightened security are:
- web-based information services,
- government and industry procurement, and
- financial transactions with the public.
Bush Administration's Approach to E-Government
There is a sense of eagerness and receptivity in the new Administration to the possibilities of e-government. The goal is to streamline cumbersome government responses to industry's needs and improve private sector business practices by setting a model for industry to follow. One of the main promises of e-government is to compile information from different agencies so that one-stop shopping through an Internet portal can replace the time-consuming job of contacting multiple bureaucracies.
Another example is what we have done here at the Department of Commerce where we recently reorganized the web site along functional lines rather than the traditional agency-specific descriptions. If the list of functional categories is not helpful, a search engine has been installed to respond to a key word or phrase that is typed in.
Another example comes from HUD. One of the Housing and Urban Development Department's major electronic-government initiatives involves the installation of a portal that will serve as a one-stop shop for low and moderate income individuals and families to get information on buying a home. The project will pull together information for users to search for homes, access financial help tools, receive information and news, and enlist local assistance. The initiative, which is one of 75 HUD e-government projects, will focus on implementing the First-Time Home buyers portal this year, completing it by 2003.
Clearly, a successful e-government environment must rest on a solid, secure infrastructure. Yet, as we know, there are many questions about how this can be achieved. E-government concerns are a central part of the package that the Bush Administration will be addressing as they review critical infrastructure protection policy over the next few months. President Bush has indicated already, however, that security of our nation's infrastructures will be a priority for his Administration. The recognition that the United States must develop capabilities to defend against threats to the nation's information systems is guiding the actions that are taking place.
Importance of CIP in New Administration
In the new Administration, critical infrastructure protection is a core security issue for the U.S. As National Security Advisor Condoleezza Rice said at the Annual Meeting of the Partnership for Critical Infrastructure Assurance on March 22:
"It is the paradox of our times that the very technology that makes our economy so dynamic and our military forces so dominating also makes us more vulnerable."
Regarding the specific risks to e-commerce and e-government, in recent Congressional testimony on computer security, GAO stated:
"As greater amounts of money are transferred through computer systems, as more sensitive economic and commercial information is exchanged electronically, and as the nation's defense and intelligence communities increasingly rely on commercially available information technology, the likelihood that information attacks will threaten vital national interests increases."
In the testimony, GAO summarized the results of its analysis of information security audits performed since July 1999 at 24 major federal departments and agencies by pointing out that the degree of risk caused by security weaknesses is "extremely high." If inadequately addressed, GAO believes that these risks "may limit government's ability to take advantage of new technology and improve federal service through electronic means." GAO is now assessing Commerce's information security program; initial feedback has indicated that NTIA is one of the best in Commerce.
New Bush Administration Directions
The policy choices for the new Bush Administration are of tremendous interest to everyone, and especially to the group gathered here today. Recently, the Administration has been taking definite steps to elevate critical infrastructure protection as a priority and to ensure its effective management by improving and streamlining the governmental structure handling the issue.
On March 1, in a letter to Congress, the President stated:
"This Administration believes critical infrastructure and cyber security are issues important to the health of the Nation's economy, to the functioning of government agencies, to law enforcement, and to national security."
On May 9, the White House announced a thorough review of our critical infrastructure protection policy. It is working with federal agencies and private industry to prepare a new version of the National Plan for Cyberspace Security and Critical Infrastructure Protection to be completed later this year. The Bush Administration's National Plan will be prepared in close collaboration with the private sector and other concerned groups outside of the Federal Government.
At the same time, the Administration is reviewing how it is organized to deal with information security issues. On April 24, a cabinet-level meeting reviewed the government-wide structure of CIP outlined in a draft Executive Order. Recommendations to the President will be made on structuring an integrated approach that will focus on national economic, governance, and national security aspects of cyber security and critical infrastructure protection. These two initiatives highlight the President's commitment to protecting our Nation's critical infrastructure.
The approach the White House is taking represents some simple truths. One is that no single government agency can handle critical infrastructure assurance by itself. All agencies are stakeholders, and each has a role in the solution. Yet we have to coordinate among the various stakeholders.
At the same time, as Harris Miller, President of ITAA, has recommended, government should lead by example. The U.S. Government can do that, and can work with the private sector and match efforts there to secure information systems swiftly, robustly, and continuously.
Department of Commerce Core Mission
What is the Department of Commerce's role in all of this? Because of the interdependence of our country's critical infrastructures - - not just communications and information but all infrastructures, including transportation and utilities - - we are more exposed to vulnerabilities. The Department of Commerce - whose historic, statutory core mission is to foster, promote, and develop the foreign and domestic commerce of the United States - is a primary place where industry and government come together. Simply stated, the Department of Commerce's role involving the overall CIP and E-Government initiative is to work hand-in-hand with industry -- cooperating as partners, and building upon existing relationships with the business community to protect U.S. critical infrastructures.
Commerce Department Responsibilities
Responsibilities to I&C Sector
The Secretary of Commerce has three principal CIP responsibilities. The first, and the one closest to my heart at the National Telecommunications and Information Administration, involves responsibilities in the Information and Communications Sector. NTIA serves as principal advisor to the President on telecommunications and information policy (or information and communication if you will) -- and was designated to serve as the lead agency to protect the U.S. I&C infrastructure from deliberate cyber or physical attack. We believe that the Department and NTIA in particular make for a logical point of contact for CIP because:
- The Commerce core mission incorporates CIP.
- We have historic ties with and understanding of industry.
- We have established a relationship of trust with industry.
- Without the involvement of Commerce, U.S. industry will not be able to have its voice heard as effectively.
NTIA works closely with industry and with the Consortium for Infrastructure Protection, which is composed of three trade associations that are coordinators in this sector - the Telecommunications Industry Association (TIA), the U.S. Telecom Association (USTA), and the Information Technology Association of America (ITAA). These Sector Coordinators serve as gateways to the I&C Sector, and ensure the representation of diverse policy interests and equities.
In addition to working with the Sector Coordinators, NTIA also works directly with key companies in the sector and with other organizations such as the President's National Security Telecommunications Advisory Committee (NSTAC). NTIA's CIP responsibilities include:
- Developing an awareness and education outreach program for the sector to raise awareness of the threat and sectoral vulnerabilities;
- Assisting the I&C sector in identifying, mitigating, and eliminating vulnerabilities;
- Advancing compatible solutions for the global I&C infrastructure by working with foreign governments, international organizations, and multinational corporations; and
- Providing industry with information on results from U.S. Government R&D on critical infrastructure protection.
Responsibilities for Standards and R&D
The Department of Commerce has two other activities that address related issues.
The Department's National Institute of Standards and Technology (NIST) protects the nation's critical infrastructures by developing standards, measurements, and testing methodologies needed to protect information technology (IT). In addition, NIST has specific statutory responsibilities for the development of standards and guidelines for the protection of Federal sensitive (unclassified) systems. The NIST program pays particular emphasis to areas of cryptography, security management, best practices and supervisory control systems to be used in a wide variety of systems.
And finally, the Critical Infrastructure Assurance Office (CIAO) within the Bureau of Export Administration (BXA) has broad responsibilities for coordinating the multi-agency program created under Presidential Decision Directive (PDD) 63.
The CIAO has an interagency function including the task to help create a National Plan which integrates elements across the federal government and private sector. It has broad interagency responsibilities for coordinating and facilitating the program-specific, government-wide critical infrastructure efforts which include: R&D, national education and awareness programs, training programs for information technology (IT) security professionals, and legislative and public affairs. It is responsible for dealing with issues and problems that cut across sectors and for the higher level interdependencies. The CIAO has been instrumental in creating and promoting the efforts of the Partnership for Critical Infrastructure Security.
Last year, the CIAO established Project Matrix to "coordinate analyses of the U.S. Government's own dependencies on critical infrastructures." It provides each Federal Department and Agency an expanded, more comprehensive, realistic, and useful view of the world within which it actually functions. It also provides a common methodology and approach, and allows the government to develop a clearer picture of cross-agency interdependencies.
An important part of Project Matrix that specifically impacts e-government activities stipulates that each department and agency should "review actual business processes to better understand and improve the efficiencies of the organization's functions and information technology architectures."
To sum up, e-government is a growing and important part of the world's evolution to an information society. Electronic government is good government. It can facilitate service to citizens in a timely and efficient way, while also serving as a model and example for private industry. It is important to the Nation's economic and strategic security. It is part and parcel of the growth of e-commerce, which will continue growing and become ever more important to people and institutions.
As such, though, e-government services will be subject to the same challenges - - and vulnerabilities - - as other electronic services. Government has always had the responsibility to protect infrastructures such as dams and power plants. Communications and Information infrastructure, whether the wires themselves or the underlying software, are no less important infrastructure to be protected.
In undertaking the challenges that lie ahead, the Department of Commerce - whose historic, statutory core mission is "to foster, promote, and develop the foreign and domestic commerce of the United States" - serves as one of the principal government agencies to interface with other government agencies and industry in developing responses to critical infrastructure threats. We must work together within government, and work with our private sector counterparts, to be successful.
Finally, I think in doing so it is clear that if there were ever a challenge that called upon us to think anew and not to be afraid to break old paradigms, this is it. To paraphrase Lincoln, "as the threat is new, so we must think anew, and act anew ..." In doing so, we in Government must reach out to industry and listen to you. Protecting our nation's infrastructure, its E-Commerce and E-Government can only be done in connection with private industry. That's why I am so glad to see today's symposium co-sponsored by organizations such as AFCEA, ITAA and AFEI. We are here to work with you on the front lines of e-government, to achieve our of a safer and more effective economy.