Testimony of Michael A. Vatis, Deputy Director, National
Infrastructure Protection Center, FBI
Before the
Special Committee on the Year 2000 Technology Problem
July 29, 1999
"Year 2000 Technology Problem"
Mr. Chairman, Vice Chairman
Dodd, and Members of the Special Committee: Thank you for
inviting me here today to discuss the Year 2000 Problem and
the National Infrastructure Protection Center.
Background
Back in 1995 and 1996, after
the World Trade Center and Oklahoma City bombings, there was
a growing concern about the vulnerabilities of our nation's
critical infrastructures to terrorist attack. President Clinton,
in Presidential Decision Directive (PDD) 39, directed the
Attorney General to chair a Cabinet Committee to assess the
vulnerability of those critical infrastructures and recommend
measures to protect them. In response to this directive, the
Attorney General created a working group to assess the problem.
That group, the Critical Infrastructure Working Group (CIWG),
determined that, with the advent of the Information Age, our
infrastructures were vulnerable not just to traditional, physical
terrorist attacks, but also to "cyber" attacks on
the computer networks and communications systems that are
embedded in, and connect, those infrastructures. As our society
increasingly relies on information technologies in every aspect
of business, government, and our personal lives, this same
reliance creates new vulnerabilities to those who would do
us harm. Given the newness of the cyber threat, the CIWG recommended
the creation of a presidential commission to more fully assess
this problem. This recommendation ultimately led to the creation
of the President's Commission on Critical Infrastructure Protection
(PCCIP), which issued its report in October 1997. That report,
in turn, led to the issuance of Presidential Decision Directive
(PDD) 63, regarding "Critical Infrastructure Protection,"
in May 1998. The PDD set forth the President's strategy for
protecting our critical infrastructures, which the Directive
defined as "those physical and cyber-based systems essential
to the minimum operations of the economy and government,"
including "telecommunications, energy, banking and finance,
transportation, water systems and emergency services, both
government and private."
I mention this history because
it is important to understand that our reliance on information
systems for the performance of critical government and private
sector functions, and our consequent vulnerability to significant
disruption should those systems fail, is a problem that both
predates the Y2K problem and will last well beyond the advent
of the New Year. Thus, how we approach the Y2K problem should
take into account the existing framework established by PDD
63 for dealing with cyber incidents. Moreover, we should utilize
Y2K as an exercise from which to draw lessons for what further
work we need to do to prepare ourselves for the more long-lasting
challenges posed by critical infrastructure protection.
Role and Mission of the National Infrastructure Protection Center
The National
Infrastructure Protection Center (NIPC) is an interagency
Center located at the FBI, charged with gathering information
on, issuing warnings of, and responding to cyber threats or
attacks on the nation's critical infrastructures. The PDD
directs that the NIPC "serve as a national critical infrastructure
threat assessment, warning, vulnerability, and law enforcement
investigation and response entity." It further states
that the mission of the NIPC "will include providing
timely warnings of intentional threats [and] comprehensive
analyses." To this end, the PDD directs the NIPC to "sanitize
law enforcement and intelligence information for inclusion
into analyses and reports that it will provide, in appropriate
form, to relevant federal, state, and local agencies; the
relevant owners and operators of critical infrastructures;
and to any private sector information sharing and analysis
entity." In addition, "the NIPC will provide the
principal means of facilitating and coordinating the Federal
Government's response to an incident, mitigating attacks,
investigating threats, and monitoring reconstitution efforts."
The PDD further specifies that the NIPC should include "elements
responsible for warning, analysis, computer investigation,
coordinating emergency response, training, outreach, and development
and application of technical tools."
Since its creation in February
1998, the NIPC has made significant progress in establishing
a network of relationships with a wide range of entities in
both the government and the private sector. First, as called
for by the PDD, the Center includes representatives detailed
from numerous federal agencies, including the Department of
Defense (both the military services and other components),
the Central Intelligence Agency, the National Security Agency,
the Department of Energy, the National Aeronautics and Space
Administration, the State Department, the U.S. Secret Service,
and the U.S. Postal Service. We also rely extensively
on private sector contractors and are planning to bring private
sector representatives into the Center full-time. Second,
pursuant to the PDD, the NIPC has established links to the
rest of the government and to the private sector in order
to facilitate the sharing of information and the timely issuance
of warnings. Third, the PDD directs all executive departments
and agencies to "share with the NIPC information about
threats and warning of attacks and actual attacks on critical
government and private sector infrastructures, to the extent
permitted by law." This direction facilitates our ability
to determine the present state of cyber incidents and threats,
so that we can issue appropriate warnings and coordinate any
necessary response measures.
By bringing other agencies directly
into the Center and building direct communication linkages,
the Center provides a means of coordinating the government's
cyber expertise and ensuring full sharing of information,
consistent with applicable laws and regulations. The NIPC
at FBI Headquarters currently has 107 personnel (out of our
target of 134), of which 79 are from the FBI and 28 from other
government agencies.
In order to facilitate our ability
to investigate and respond to cyber intrusions, the FBI has
created a National Infrastructure Protection and Computer
Intrusion (NIPCI) Program in the 56 FBI Field Offices across
the country. Under this program, which is managed by the NIPC,
full "NIPCI" squads or smaller teams have been created
in each Field Office to conduct computer intrusion investigations,
respond to threats, and engage in liaison and contingency
planning with the owners and operators of the critical infrastructure
components. There are currently 10 full NIPCI squads in Washington
D.C., New York, San Francisco, Chicago, Dallas, Los Angeles,
Atlanta, Charlotte, Boston, and Seattle. Further, every other
Field Office includes a smaller NIPCI Team (though some with
only one or two Special Agents). There are a total of 209
NIPCI agents and 46 professional support positions in the
NIPCI Program in the Field Offices.
To accomplish its goals under
the PDD, the NIPC is organized into three sections: the Computer
Investigations and Operations Section, the Analysis and Warning
Section, and the Training, Outreach and Strategy Section.
- The Computer Investigations
and Operations Section (CIOS) is the operational and response
arm of the Center. It program manages and coordinates computer
intrusion investigations conducted by FBI Field Offices
throughout the country; provides subject matter experts,
equipment, and technical support to cyber investigators
in federal, state, and local government agencies involved
in critical infrastructure protection; and provides a cyber
emergency response capability to help resolve a cyber incident.
The CIOS also coordinates investigative and intelligence
activities with other government agencies and foreign law
enforcement and intelligence agencies, as appropriate.
- The Analysis and Warning
Section (AWS) serves as the "indications and warning"
arm of the NIPC. It collects information from all relevant
sources, provides analytical support during computer intrusion
investigations, performs analyses of infrastructure risks
and threat trends, and produces current analytic products
for the national security and law enforcement communities,
the owners-operators of the critical infrastructures, and
the computer network administrators who protect their systems.
Through our Watch and Warning Unit, the AWS also distributes
tactical warnings, alerts, and advisories to all the relevant
partners in the government and private sector, informing
them of exploited vulnerabilities, threats, and ongoing
incidents. It also maintains real-time situational awareness
of the cyber threat by reviewing numerous databases, media,
and other sources daily to disseminate information that
is relevant to any aspect of NIPC's mission. If we determine
an intrusion or cyber incident is imminent or underway,
the Watch formulates warnings, alerts, or advisories and
quickly disseminates them to all appropriate parties in
the government and private sector so that they can take
immediate protective steps.
- The Training, Outreach and
Strategy Section (TOSS) coordinates the training and continuing
education of cyber investigators within the FBI Field Offices
and other federal, state and local law enforcement agencies.
It also coordinates our liaison with other Federal agencies,
private sector companies, state and local governments, and
the FBI's Field Offices. In addition, this section manages
our "Key Asset Initiative" (KAI), which is a program
aimed at establishing liaison with the owners and operators
of critical individual components within each infrastructure
sector (such as specific power grids, telecommunications
switch nodes, or financial systems) across the country,
determining which "assets" are critical on a national,
regional, or local basis, and establishing 24-hour points
of contact at each. If future resources permit, the initiative
will also include contingency planning with the assets to
develop and test plans for responding to attacks. The TOSS
also manages our InfraGard program, which is a pilot project
aimed at sharing information, in a secure fashion, with
private sector entities about cyber threats and incidents.
Our role in protecting infrastructures
against cyber intrusions is not to advise the private sector
on what hardware or software to use or to act as their systems
administrator. Moreover, we are not responsible for responding
to software glitches or unintentional system failures. Rather,
our role is to provide information about intentional threats
and incidents and exploited vulnerabilities so that government
and private sector system administrators can take the appropriate
protective measures. If an incident occurs, we are responsible
for determining who is responsible and coordinating the response,
in close cooperation with the Department of Justice and other
agencies.
The NIPC's Role for Y2K and Its Relation to the Information Coordination Center
Given our overall mission under
PDD 63, our role with regard to Y2K will be to maintain real-time
awareness of intentional cyber threats or incidents
that might take place around the transition to 2000, disseminate
warnings to the appropriate government and private sector
parties, and coordinate the government's response to such
incidents. We are not responsible for dealing with Y2K-induced
emergencies. Because of the possibility that there might be
an increase in malicious activity around January 1, 2000,
we are formulating contingency plans both for NIPC Headquarters
and the FBI Field Offices. This will include augmenting our
existing relationships and information-sharing mechanisms
with relevant entities in the federal government, state and
local governments, private industry, and the CERT/FIRST community.
In contrast to the NIPC's role
for cyber intrusions and threats, under Executive Order 13073,
the Information Coordination Center (ICC) is responsible for
maintaining an awareness of, and coordinating the sharing
of information concerning, "Y2K emergencies," in
particular those "that could have an adverse effect on
U.S. interests at home and abroad." In some instances,
it may not be immediately apparent whether a service outage
is the result of the "millennium bug" problem or
a computer intrusion. It is therefore imperative that the
ICC and NIPC coordinate closely to share information. Thus,
any information that the ICC obtains concerning events that
could possibly involve computer intrusions needs to be shared
by the ICC with the NIPC. Conversely, the NIPC needs to keep
the ICC informed of our activities and share any information
we might obtain regarding Y2K. We have been in discussion
with the ICC concerning our dual roles, and we expect to establish
concrete information-sharing channels to facilitate the two-way
flow, including sending an NIPC representative to the ICC
for the days surrounding New Year's Day. We have also been
assisting the ICC in designing its architecture for managing
the flow of information about Y2K emergencies.
What We Expect Around Y2K and Beyond
This brings me to what we expect
to see in terms of malicious activity around Y2K. The Domestic
Terrorism Section of the FBI expects to see increased and
possibly violent activities among certain domestic groups
related to the millennium. For example, the coming of the
millennium requires Christian Identity adherents to prepare
for the Second Coming of Christ by taking violent action against
their enemies. The FBI's Domestic Terrorism Program is responsible
for, and has been planning for, any violent activity by such groups.
As for cyber activity, we do
not possess any concrete indications that any group or individual
is planning to engage in unlawful intrusions or virus propagation
specifically related to the millennium. But considering both
expected violent millennium activity and the broader trends
in the cyber world, it is possible that we could see an increase
in such activity. That possibility, combined with the difficulty
of determining what system failures are caused by the millennium
bug and which might be caused by intrusions or viruses, requires
that we be prepared for any contingencies. This is why we
are developing the contingency plans I talked about earlier.
There is one problem associated
with Y2K, however, that causes us concern, but which has received
little attention in the private sector. That is the prospect
that malicious actors, foreign or domestic, could use the
Y2K remediation process to install malicious code in the "remediated"
software. Thousands of companies across the United States
and around the world are busy having their source code reviewed
to ensure that they are "Y2K compliant." I am sure
many of you have received at least one letter from your bank
by now assuring you that it is Y2K compliant and that your
funds are safe. Those who are doing the Y2K remediation are
almost always contractors who are given the status of a trusted
insider with broad authority to review and make changes to
the source code that runs information systems. These contractors
could, undetected, do any of the following to compromise systems:
- Install Trap Doors: By installing
trap doors, intruders can later gain access to a system
through an opening that they have created and then exploit
or attack the system;
- Obtain "Root Access":
Given their level of access, remediation companies can gain
the same extensive privileges as the system administrator,
allowing them to steal or alter information or engage in
a "denial of service" attack on the system.
- Implant Malicious Code: By
implanting malicious code, someone could place a logic bomb
or a time-delayed virus in a system that will later disrupt
it. A malicious actor could also implant a program to compromise
passwords or other aspects of system security.
- Map Systems: By mapping systems
as a trusted insider, a contractor can gain valuable information
to sell to economic competitors or even foreign intelligence
agencies.
Systems can be compromised for
any number of purposes, including foreign intelligence activities,
information warfare purposes, industrial espionage, terrorism,
or organized crime.
Our concern on this issue is
particularly acute because a substantial part of the Y2K remediation
work is being done by foreign computer software companies.
The use of untested foreign sources for Y2K remediation has
created a unique opportunity for foreign countries and companies
to access, steal from, or disrupt sensitive national and proprietary
information systems.
The problem, of course, is checking
the remediation work to make sure that no malicious code was
implanted in a system. If reviewing the millions of lines
of code at issue were simple, there would not be a need for
Y2K contractors in the first place. Nevertheless, given the
vulnerabilities that could be implanted in critical systems,
it is imperative that the client companies do as much as possible
to check the background of the companies doing their remediation
work, oversee the remediation process closely, and review
new code as closely as possible and remove any extraneous
code. Further, companies should test for trap doors and other
known vulnerabilities to cracking. If possible, companies
can use "red teams" to try to crack the software
and further determine if trap doors exist. Finally, since
any vulnerabilities that are implanted will persist as long
as the software is in place, this is a problem that will last
well beyond January 1, 2000. Companies and government agencies
therefore need to determine how they will deal with this potential
"Post-Y2K problem" on their critical systems.
Reconstitution
We should be clear among ourselves
and with the private sector and general public about what
the Federal Government's role is with respect to reconstitution
when systems fail as a result of either malicious attacks
or Y2K problems. In either case, Federal agencies clearly
have a responsibility to repair problems that may occur in
their own systems. However, the Federal Government cannot
directly fix failures in private sector systems. Given the
lack of resources and expertise in the government to perform
such a potentially massive undertaking, this is a role that
must be played by the private sector itself. However, the
Federal government should be prepared to assist with reconstitution
where system failures threaten the national or economic security
of our nation. The key question is who is responsible for
this mission.
Once again, when dealing with
the consequences of malicious attacks and the need for reconstitution,
PDD 63 already establishes a framework. As part of their responsibilities,
the Sector Coordinators from the private sector and the federal
"Lead Agencies" for each infrastructure sector (e.g.,
the Department of Transportation for the Transportation Sector)
are responsible for "developing a plan for alerting,
containing and rebuffing an attack in progress and then, in
coordination with FEMA as appropriate, rapidly reconstituting
minimum essential capabilities in the aftermath of an attack."
(emphasis added) The NIPC, in turn, is responsible
for "monitoring reconstitution efforts" during and
after an attack. NIPC monitoring is important to ensure both
that reconstitution is actually being done for critical systems
and that reconstitution does not unnecessarily interfere with
the overall operational response (such as needlessly erasing
logs that contain evidence of who was responsible for an attack).
With regard to Y2K-induced system
failures, the reconstitution problem is potentially even larger,
or is at least likely to be concentrated around a few days.
Here, again, however, any necessary assistance for critical
private sector systems should come from the Lead Agencies
and Sector Coordinator for each infrastructure sector. See
Executive Order 13073, Sec. 5(C)(2). As I understand it, the
ICC's role in this process will be to maintain a situational
awareness in the critical period around the millennium, advise
the President of the situation, and coordinate with the relevant
Federal agencies in reconstitution processes where appropriate.
Ibid.
Learning from Y2K for Responding to Future Cyber Incidents
Y2K offers us a large challenge,
and Mr. Koskinen should be commended for a superb job in leading
the Federal Government's efforts to get our collective house
in order. But Y2K also offers us a valuable opportunity to
study how the delivery of vital services is affected by computer
system outages, how the private sector and government are
able to respond to such outages, and how we can distinguish
and respond to malicious acts that occur amidst a high volume
of "noise" caused by unintentional system failures.
All of these lessons will inform how the NIPC carries forward
our responsibility to coordinate the government's efforts
to gather information about, issue warnings of, and respond
to intentional cyber incidents that occur after Y2K. While
PDD 63 already establishes the necessary framework and entities
to address these issues, we will learn much from the actual
events around Y2K that will enable us to improve our ability
to do our job well into the next century.
Conclusion
Y2K and the preparations for
it reveal our tremendous dependence on cyber systems and our
national vulnerability to network outages. Our experience
at the NIPC demonstrates how much can be accomplished when
agencies work together, share information, and coordinate
their activities as much as legally permissible. We look forward
to continuing our work over the next five months with the
ICC; the President's Council on Year 2000 Conversion; the
National Coordinator for Security, Infrastructure Protection,
and Counter-Terrorism; the Critical Infrastructure Assurance
Office; the Department of Justice, Federal sector lead agencies;
and the private sector on Y2K. Our collective efforts on Y2K
should provide valuable "lessons learned" for the
continuing activities of the NIPC and the Federal Lead Agencies
in dealing with cyber incidents after Y2K. We also look forward
to working with this Committee and the Congress to make sure
that policy makers understand the threats to the critical
infrastructures that we see every day and what measures are
necessary to secure our Nation against them.
Thank you.
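Editor's note on the remediation-review advice in the testimony above (review new code closely, remove extraneous code, and test for trap doors): part of that review can be mechanised by diffing the pre- and post-remediation source and sorting every added line into "expected Y2K change", "unexplained", or "suspicious". The script below is an added example written for this page; it is not part of Mr. Vatis's testimony, nor an NIPC or FBI tool. The "before" and "after" C snippets are constructed for the example (a two-digit-year fix with a planted maintenance password), and the pattern lists are illustrative starting points that a real review would extend for its own language and code base.

```python
"""Audit a Y2K remediation diff: separate expected date fixes from extraneous code.

Added example for this page (not from the testimony). Inputs are constructed.
"""
import re
from difflib import SequenceMatcher

# Constructed "before" source: two-digit years and a plain password check.
BEFORE = """\
int is_leap(int yy) {
    return (yy % 4 == 0);
}
int expiry_ok(int yy) {
    return yy > 90;
}
int login(const char *user, const char *pw) {
    return check_password(user, pw);
}
"""

# Constructed "after" source: the contractor's windowed-year fix, plus a planted
# trap door dressed up as a Y2K maintenance feature.
AFTER = """\
int is_leap(int yy) {
    int year = (yy < 50) ? 2000 + yy : 1900 + yy;  /* pivot window */
    return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
}
int expiry_ok(int yy) {
    int year = (yy < 50) ? 2000 + yy : 1900 + yy;
    return year > 1990;
}
int login(const char *user, const char *pw) {
    if (strcmp(pw, "y2k-maint-1999") == 0) return 1;  /* maintenance access */
    return check_password(user, pw);
}
"""

# Tokens that characterise a legitimate date/century fix (illustrative list).
Y2K_RE = re.compile(r"\b(year|century|date|yy|yyyy|pivot|window|19\d\d|20\d\d)\b", re.I)

# Constructs that have no business in a date fix; checked BEFORE the Y2K test so
# a backdoor cannot launder itself by mentioning "1999" or "year".
SUSPICIOUS = {
    "magic-value bypass": re.compile(r'str(n?)cmp\s*\([^)]*"[^"]*"[^)]*\)\s*==\s*0'),
    "command execution": re.compile(r"\b(system|popen|execv?[lp]?e?)\s*\("),
    "network access": re.compile(r"\b(socket|connect|listen|accept|sendto|recvfrom)\s*\("),
    "privilege change": re.compile(r"\b(setuid|seteuid|setgid|chmod|chown)\s*\("),
    "hard-coded secret": re.compile(r'\b(pass(word|wd)?|secret|token|key)\w*\s*(=|==)\s*"[^"]+"', re.I),
}


def added_lines(before: str, after: str):
    """Yield (1-based line number in `after`, text) for every added line."""
    a, b = before.splitlines(), after.splitlines()
    for tag, _i1, _i2, j1, j2 in SequenceMatcher(None, a, b).get_opcodes():
        if tag in ("insert", "replace"):
            for j in range(j1, j2):
                yield j + 1, b[j]


def classify(line: str):
    """Return (verdict, reason); reason is None unless verdict is 'suspicious'."""
    # Strip comments first: the contractor writes them, so they are not evidence.
    code = re.sub(r"/\*.*?\*/", "", line).strip()
    if not code or code in "{}":
        return ("ignored", None)
    for reason, pattern in SUSPICIOUS.items():
        if pattern.search(code):
            return ("suspicious", reason)
    if Y2K_RE.search(code):
        return ("expected", None)
    return ("unexplained", None)  # extraneous: must be justified or removed


def audit(before: str, after: str) -> dict:
    """Bucket every added line; 'unexplained' and 'suspicious' need human review."""
    report = {"expected": [], "unexplained": [], "suspicious": []}
    for no, text in added_lines(before, after):
        verdict, reason = classify(text)
        if verdict == "ignored":
            continue
        entry = (no, text.strip()) if reason is None else (no, text.strip(), reason)
        report[verdict].append(entry)
    return report


if __name__ == "__main__":
    for bucket, entries in audit(BEFORE, AFTER).items():
        for entry in entries:
            print(f"{bucket:11} line {entry[0]:3}: {entry[1]}"
                  + (f"  [{entry[2]}]" if len(entry) == 3 else ""))
```

On the constructed input the four windowing lines land in "expected" and the `strcmp(pw, "y2k-maint-1999") == 0` line is flagged as a magic-value bypass even though it carries a Y2K-looking literal and a reassuring comment. The script is a triage aid only: it narrows what the reviewer must read by hand and cannot prove the absence of a trap door, which is why the testimony also calls for background checks, close oversight and red-team testing.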