
National Communications System
Volume IV, Number 28

Advancing the Information Sharing Agenda

Remarks of John Tritak, Director, Critical Infrastructure Assurance Office (CIAO), Department of Commerce (with comments by Richard Clarke and Deborah Plunkett of the National Security Council), Before the President’s National Security Telecommunications Advisory Committee (NSTAC) Business Session, Washington, D.C. June 6, 2001. [Remarks also include comments by Raytheon’s Daniel P. Burnham, NSTAC Chair; Lt. Gen. Harry D. Raduege, Jr., Manager, National Communications System; and Craig Mundie, NSTAC Principal from Microsoft.]

This morning when I was talking with a number of you to get a better sense of what the expectations would be about information sharing. Dick [Richard Clarke, National Security Council National Coordinator for Security, Infrastructure Protection and Counter-terrorism] laid some of the groundwork for that, but I also want to get a sense from the group as to what you thought would be a useful discussion, and along the way at my table I at one point said, well, what would be a measure of success for this briefing?

And [Air Force] Gen. [Ralph E.] Eberhart [Commander in Chief, U.S. Space Command] said, "Be brief", and I intend to do that … in large measure because in a way, when Dick asked me to do this, I felt it ought to be in part because you are the ones that, in fact, invented information sharing.

You were the first organization to ever pull together in the interest of national security a group that shared information amongst itself and as appropriate with the Government to manage a very, very difficult challenge. You are the first real ISAC [Information Sharing and Analysis Center] to come into existence and, in many respects, you developed the kinds of relationships which are necessary for information sharing to really work at all, which is trust and mutual respect among the participants and players, and I've always been struck by the degree of tightness of this membership in this group.

So, I'm going to be brief in part because I want there to be more discussion than briefing, but I'd like to lay out a couple of points just perhaps to get things started, and also turn to a couple of people here who have actually been working on different ideas and perhaps they can flesh them out as part of our discussion.

One thing I was struck by the President's remarks this morning at breakfast was, he said "One thing I really would like all of you to do is do what you can to stay ahead of the problem". This is a difficult challenge. He is committed, as is the Vice President, to dealing with this issue. I really do think the stars are lining up very, very nicely for some very good work and for you to get which I think in some cases you haven't had, which is real strong Administration support to do what you've been doing very well for a very long time.

You've got strong leadership in the [NSTAC] Chair, Dan Burnham, and John Grimes [NSTAC IES Working Session Chair], who is really one of the founding fathers of what we have in information sharing and risk and, in addition, you have a lot of thought leaders who have not just engaged in the information sharing process, but have actually put a lot of intellectual capital against a problem to identify some of the major problems that need to be done.

I thought it was actually very nicely done that Dan, in the middle of his conversation with the President, said he mentioned FOIA [Freedom of Information Act], and there was an acknowledgement by the President and the Vice President that this needs to be done.

One thing I would suggest or at least raise an issue for the NSTAC leadership is perhaps resubmitting your FOIA study with a new letter. I think you're going to get a different form of reception than the one that perhaps you got before. So, I think it's lined up very nicely in this area.

And, of course, too, you are already sharing information. You already have an ISAC. You're already dealing with this problem in the interest of national security. So the last thing I want to say in a meeting such as this is, you must do more. I think the question is whether that makes sense and how, and I think it's within that spirit I'd like to sort of lay a couple of markers down and then get into the discussion.

I'd like to focus more on the environmental changes, at least create the context the best way I am able to think through the problem, and what we really have is increased dependency on information systems and networks to operate our Nation's critical infrastructures. And as each sector becomes more and more dependent on information systems and networks, you introduce greater systems complexity, the increasing magnitudes of interconnectivity, automation, and then sector interdependency.

Now, that's always existed to some extent. Banks have always relied on telecommunications and electric power, but the very process by which you, in fact, are laying a digital nervous system across the Nation and the world is creating a level and degree of interdependency that just never has existed before. And, of course, by virtue of that, it exposes us to new vulnerabilities that did not exist. You've heard many of them that would attempt to exploit the inherent vulnerabilities of relying on information systems and networks.

There's a range of bad actors, and the tools are widely available, but also, too, the very nature of interdependency magnifies the potential consequences of service disruptions in any one sector, raising the possibility of significant cascading geographically, but also the possibility of disruptions in one sector can spread and affect the others.

Now, what does that mean? It means the risks are 24-by-7. They are global. You are the foundation, the bedrock of the new economy, and there's also, I think, a rising risk of uncoordinated action and efforts by individual sectors to try and restore services, but not necessarily coordinating their efforts in a way that doesn't undermine the efforts of others. We're beginning to see some of that in California, where scheduled blackouts are done without coordinating sufficiently with, for example, the telecommunications companies, and the results have been service disruptions in some instances.

I would submit to you that kind of problem is likely to occur over time unless there is a mechanism for dealing with it. Now, I know that this is something that's bright green I've spoken to as actually taking a look at, and I know the NSTAC is going to be giving it attention, but those are the frames what I submit are the major risks environments, and that raises the question, given all that you're doing now mainly in the interest of the Nation's security, is more needed to deal with these new risks?

Now, Dick has laid out a couple of ideas. One was this notion that some of the other ISACs are trying to develop what Dick refers to as a "synoptic view", which is this idea of having at any given time a sense of that sector's functioning.

Now, I think theoretically that sounds very intriguing. I also think in your sector it is extremely difficult to accomplish. And so the question is, is developing a capability that moves in that direction something that's feasible? And it raises the question ultimately about whenever you're doing more, is there a business case for doing it? You can only go so far in making contributions in the interest of the Nation. At some point, there actually has to be a business case and, frankly, a compelling one.

Now, in my conversations with CEOs [Chief Executive Officers] in the course of the year and a half that I've been on the job, what they have basically said to me is that at the end of the day, you need to be able to justify this, or any mechanism, as "does it help me manage my risk better than I can at the moment", and "does it help me safeguard the assets which I am responsible for safeguarding as a senior manager and corporate leader?"

And so the question I ask is whether or not additional information sharing arrangements are needed for your sector?

Now, before we go into that particular question, I'm going to jump ahead to an issue that was raised in your information packet, which is "what can Government do for you" and, frankly, we've talked a lot about it, and there have been some isolated instances where the Government, in fact, has made good on a promise to share information that's operationally useful to all of you. It has not done nearly as good a job as it needs to.

One proposal that's been put on the table for consideration is a warning network idea that has been discussed within the Federal Government, but could have potential for being extended beyond Government operations. And I'd like to ask at this time, Deborah Plunkett, of the National Security Council, who has actually been spearheading this effort in the interagency process, to give you a little idea about what's being considered, and maybe perhaps use this as a jumping off point for discussion. Deborah.

PLUNKETT: A Cyber Warning Information Network -- and I believe you have diagrams in front of you there, or they are making their way around -- is a concept that would provide for the immediate sharing of critical cyber warning information among Government and ultimately we hope and believe industry.

The network is based on the concept that currently -- believe it or not -- even within the Government there is not a mechanism to immediately share critical, perhaps sensitive, cyber warning information. And so we've developed both architecturally and operationally a concept, a network that would facilitate those communications.

Our intent is to stand up that inner ring, as you're looking at it, two rings to the network, the inner ring being the Government ring and the outer ring, notionally, would involve the ISACs and companies, infrastructure owners and operators such as yourselves, where we could share and certainly the Government's intent is to provide information to you, whether it be unclassified, sensitive or even classified, that would assist us as a Nation in protecting our critical infrastructures.

The operation of the network would be governed by Memoranda of Understanding which have to be developed because the owners of the information, whether it be Government or industry, certainly need to have a level of comfort that the information to be shared would be appropriately protected.

Our intent is to stand up the Government ring, as I said, by the end of the summer. We have already begun sharing this concept with the Information Sharing Analysis Centers and industry, and we look for your input and encourage you to be engaged in the process. We believe this is a critical element to having the capability to immediately share the information. That did not exist when “I Love You” happened and, as a result, there were elements of the Government and industry who didn't learn about it until nearly 10 or 12 hours after it actually was first discovered in the Far East. We hope that this network will give us the capability to be able to share that information much more quickly.

CLARKE: I'd like to add that with the Cyber Warning Information Network, there's not one entity in charge, anyone on the network can initiate warning to anyone else on the network. We actually have this in place today via voice out-of-band among the National Command Centers. Upstairs in this building on the seventh floor in the Operations Center, there is a telephone which, if you pick it up, will ring down -- primitive technology -- but will ring down out-of-band secure in the White House, the National Military Command Center, CIA [Central Intelligence Agency] Operations Center, and several other locations, and within seconds any one of the command centers can be communicating to all of the other command centers and hearing back from them. I've done this over the course of 20 years in this business.

In a crisis, I pick up that telephone, I say, "I just got a report that ‘X’ happened". CIA will then add, "Well, we didn't hear that, but we heard this". The Defense Department will say, "Not only that, but we know this". And within seconds, within certainly two or three minutes, you've done real intelligence fusion just by linking everybody together quickly -- a distributed flat network, nobody in charge, anybody able to initiate, within the protocols.

We don't have that kind of system today in the cyber world. And so when we see a denial of service tsunami coming down one of the backbones, when we see a virus spreading across Asia, there is not a good, reliable, fast way to communicate within the Government, let alone to the various sectors.

While we are meeting today, the National Petroleum Council is meeting to approve an ISAC for the National Petroleum Industry, oil and gas pipelines. We've already had agreement this year to have an ISAC in the railroad industry. You are the managers of the telecom ISAC. There's also one in banking and finance. There's one in the IT industry. There are beginning to be large numbers of centers of data and a way of distributing information, but we haven't linked them and, until we do, we don't get all the value that's possible out of them.

TRITAK: Any comments or questions about the CWIN proposal?

BURNHAM: How about just to explain the current system of ISACs that do have a connection with the NCS, and what are the deficiencies of that current structure with respect to this requirement -- and perhaps, Harry [Raduege], you'd have a point of view on that?

RADUEGE: Well, currently, we have the ISACs of the banking industry. Mr. Obert [Bank of America NSTAC Principal Donald Obert] and I have talked about that. We are sharing information. We are sharing information with the Information Technology ISAC that was formed just a few months ago. As we see ISACs being formed now with petroleum, energy, transportation, we see this as a great opportunity to provide us those critical areas of opportunity to share information.

What I'd like to see this actually grow to in the future is perhaps not just the best ways of responding to attacks, but also through all the national means that we have that are available to us, that are reporting in to the Joint Task Force for Computer Network Defense and CINC Space [Commander in Chief, U.S. Space Command], is that we would have an opportunity to predict some things in the future so that we can be out in front of this to take evasive action and to work together in that regard, too, so that we're not just the best at responding, but we're also very good in developing a capability to predict what might be happening to us. That's where I see the real goal going and, of course, right now I'd just be interested in building this relationship of better information sharing across all the domains so that we can get the great benefit of all that knowledge that Mr. Clarke has described so that we can quickly assimilate what's happening out there and share the information more effectively.

BURNHAM: I guess I still have a question -- maybe, Dick, you can expand on it just a little bit. If the ISACs were working up to their potential and were integrating their information quickly within them and then back to the NCS, in what regard does that leave us deficient in relationship to the current set of requirements?

CLARKE: Well, first, all the ISACs are not sharing information with the NCS, nor are they sharing information among each other so that if there is knowledge in the banking ISAC that there has been a particular kind of attack being used, particular vulnerability being used, or a bank discovers a worm, that information is not immediately available to the railroad ISAC or to the FAA [Federal Aviation Administration].

The FAA, for example, is now transitioning from its old air and traffic management system to a new one -- that you know something about -- that's going to be a lot more Internet and IP dependent. They are now creating their own little ISAC within the FAA. What they told me is they are getting hit hundreds of times a day already. And they are doing analysis on that data, but that analysis is on a very small database, just people who are hitting the FAA. They don't know whether the same people are hitting Microsoft. They don't know whether the same people are hitting Global Crossings.

So, we're not sharing information in a way that allows us to do analysis across companies and across sectors, so that we can say "this is where the attacks are coming from, this is how many attacks there are", trend analysis, vulnerability analysis over the near-term, and over the really short-term there is no instant way to get word around about that DDoS tsunami coming down the pike.

BURNHAM: We have time for discussion. Anybody have a point of view, a thought, concern?

TRITAK: One other thing I would add, Dan, is in my conversations at dinner yesterday, I was actually having the pleasure of talking with Duane Ackerman [BellSouth NSTAC Principal] about some of the issues regarding information sharing, and he said, "Look, I'm prepared to share more, but I'm not going to expose myself to liability in doing so". And, you know, it's more than just -- what we need is to create a legislative or statutory environment that actually is friendly towards this issue.

This is not about coddling capitalists and creating safe havens for them to do bad things and get away with it -- it's about a public interest in which increasingly the Nation's welfare depends on industry. And it seems to me that you have an Administration now, and you're beginning to have a number of people in the Congress who I think are increasingly receptive to these sorts of concerns. FOIA is very important, and I think we ought to move ahead on that because it will be, first of all, an important signal to all of you that you're in a new environment right now.

The challenge -- and I'm an attorney, so the first thing Duane Ackerman said is, "Yeah, but let me get past the trial bar". I think the trial bar will always be a worthy opponent on liability reform, however, we need to take the higher ground on this and define very clearly what public interests are being served and by them not being served, what are the costs to society of that not happening? That's what creates a favorable environment. As long as there's uncertainty about how the laws actually work, any prudent CEO will say, "I'm not doing it, I can't take that risk and expose my company to things, particularly if they are voluntary".

But I think what you can all do -- and this is where the NSTAC is very, very well situated for this purpose -- is making the public interest case. You have been doing the kind of information sharing, giving pro bono support of some of the smart people around to this issue. You are in a very good position to make the arguments about creating a favorable statutory environment that induces, encourages, and brings out the best that corporate America can do in this area.

So, whereas I think the FOIA, we need to do it because we can move quickly and, without it, there's a lot we can't do, but we ought to think back, take a look back at the work that you've already done on these liability issues and make sure -- the key is going to be to carve out very specifically what it is you're protecting and not, and I think if it's done properly we can demonstrate the public interest and the public good that would be served with changes of this sort.

So, unless there are other questions, I just want to close by saying I came here to brief and to discuss with you possible ways of advancing the information sharing agenda. Ultimately, you need to decide on the basis of what your mission is as well as what your business case will advance, but I do know one thing, you are a leader in many respects. People look to your model to determine how far they need to go and, given the experience you have, if you engage in an activity, you will have made the case not just for yourself -- you will have begun to make that case for others as well.

So, I want to thank you for this time -- and we're finished on time, actually. Thank you.

CLARKE: Two additional points. Because of the concerns about liability, one proposal that has been made by SANS, the Computer Security Institute, is that we create, in effect, a dead letter drop where companies can provide information to a non-Governmental institute about what's been going on on their networks, on a fairly anonymous basis. SANS would then issue analytical reports. The Government would not know and, therefore, it couldn't be covered under a Freedom of Information request, what company had what problem, and that's the whole concept behind an ISAC in the first place. But what the SANS people are proposing is that their analytical staffs could serve as a place where all of the ISACs and individual companies could dump information that could then be analyzed because the larger the database we're looking at of attacks and vulnerabilities, the better the understanding we will have of what's going on in this country in cyber space.

One final comment. I mentioned that the actual Petroleum Council is approving an ISAC today. Unfortunately, they're approving it with a new chairman of their Cyber Security Committee. The first chairman had to quit because he became Vice President.

BURNHAM: Craig?

CRAIG MUNDIE [Microsoft NSTAC Principal]: I'd like to just add one comment. One of the things, at least at Microsoft, we struggle with -- and I suspect any other infrastructure supplier struggles with -- is even if you got past FOIA and you got past any notion of liability, is the timing difference between when you can detect an attack and when you actually know how to defend against it or turn it off. And it's a real challenge because one of the things we found is if we try to go out early and say, look, we've detected a vulnerability but a fix is in the works, there's so much leakage in the community right now that the exploits basically begin almost immediately before you can actually get people to deploy the fixes.

And so the problems seem to be exacerbated by sharing the information in advance of the time that you actually have begun to inoculate people. And so the whole question of the ISAC doesn't really address the question of confidentiality or at least, again, creating tiering of who gets to know this information, and I think that that's going to be a serious and ongoing problem, I don't care whether you're a router company, an OS company, or a communications company.

If we can't find a way to not only share it but share it where there are some controls, at least when there's no known fix, I think there are still going to be a lot of people who have to make a business decision, even with the help of, you know, anyplace they play "what's the worst" -- you know, which one of these is worse, to let a few people maybe get attacked or ensure that a dozen people are going to get attacked tomorrow by merely announcing that you have a vulnerability. So, I'm certainly open to other people's experience and input on that.

PLUNKETT: And that's really what I see when we envision we'll be able to help because it does provide a mechanism for secure, protected out-of-band communications with trusted partners on the end at each node, so that when a vulnerability or threat of serious proportion is detected, it can be shared among a trusted environment where we can install the fixes, install the patches, and respond.

MUNDIE: But CWIN is largely the Government institutions in the core of this thing, and I'm talking about the problem -- Dick said, "Hey, you know, if we find it in the IT ISAC, does it help the railroad ISAC?" Well, no, because right now they don't know about it but, frankly, it's even hard to bring some of these things to the IT ISAC because you actually don't know what the dissemination mechanism is even within that one ISAC, let alone between them, let alone into a more secure environment. So, I just think there's sort of an information classification problem here that I don't think anybody has addressed.

CLARKE: I think the idea, though, of CWIN is that you don't put a piece of information into the network and then everybody on the network gets it. The operational concept is -- let's say there are 18 nodes, some number of Government agencies, some number of ISACs. There would be 17 bilateral sharing arrangements that you, as one of those 18 nodes, would have, and you would disseminate information much as we do now within the Government on intelligence matters.

Whenever we get an intelligence report, there's something that a few people know that tells you how we got it, and then there's another level of report that more people get that tells you the substance, and then there's a virtually unclassified what's called the "tear line" which is what we can provide the public. So, you could have an arrangement that you could automate where you have multiple levels of information being distributed with a whole variety of bilateral sharing agreements. So the railroad ISAC might learn from the IT ISAC a great deal less than the IT ISAC was sharing amongst itself, or sharing perhaps with the Defense Department. That is the idea behind CWIN, that you would have trusted partnerships, multiple layers of information, different people would get different levels of information, some people wouldn't get any information at all depending upon how each node decides it wants to share with the other nodes.

RADUEGE: If I could just add two other points from the National Communication System point of view. John Tritak's charts up there earlier talked about the information sharing, and I've included this in my Manager's Report, which is a written report since I didn't give a presentation this time, but just to highlight the fact that since our last meeting in Colorado Springs, we have moved the members of the National Coordinating Center, which is industry, onto the Watch Floor of our Defense Information Systems Agency Global Network Operation Security Center and into our DOD Cert, which also the Joint Task Force for Computer Network Operations sits there. So, now the industry members who are on the NCC working in the National Communications System, are now sitting on the floor as Watch Officers and have that opportunity, and we're looking to expand that operation.

The second point I wanted to make was we have also an Alerting Coordination Network, ACN is what we call it, and we are now linking out with 16 of the NOCs [Network Operations Centers] in the industry sector, and also four Government NOCs, and that's a voice system right now for alerting, but it gets to some of your points, Craig, you know, of trying to link and trying to provide this Alerting Coordination Network through our NCS mechanisms, and we have plans to expand on that and to grow into that area. So we're really taking a look at this and trying to move out with new information sharing opportunities.


Published for internal information use by the National Communications System. Parenthetical entries are speaker/author notes; bracketed entries are editorial notes. This material is in the public domain and may be reprinted without permission.

 



Reviewed December 07, 2006
