Testimony of Michael A. Vatis, Deputy Director, National Infrastructure Protection Center, FBI
Before the Special Committee on the Year 2000 Technology Problem
July 29, 1999

"Year 2000 Technology Problem"

Mr. Chairman, Vice Chairman Dodd, and Members of the Special Committee: Thank you for inviting me here today to discuss the Year 2000 Problem and the National Infrastructure Protection Center.

Background

Back in 1995 and 1996, after the World Trade Center and Oklahoma City bombings, there was a growing concern about the vulnerabilities of our nation's critical infrastructures to terrorist attack. President Clinton, in Presidential Decision Directive (PDD) 39, directed the Attorney General to chair a Cabinet Committee to assess the vulnerability of those critical infrastructures and recommend measures to protect them. In response to this directive, the Attorney General created a working group to assess the problem. That group, the Critical Infrastructure Working Group (CIWG), determined that, with the advent of the Information Age, our infrastructures were vulnerable not just to traditional, physical terrorist attacks, but also to "cyber" attacks on the computer networks and communications systems that are embedded in, and connect, those infrastructures. As our society increasingly relies on information technologies in every aspect of business, government, and our personal lives, this same reliance creates new vulnerabilities to those who would do us harm. Given the newness of the cyber threat, the CIWG recommended the creation of a presidential commission to more fully assess this problem. This recommendation ultimately led to the creation of the President's Commission on Critical Infrastructure Protection (PCCIP), which issued its report in October 1997. That report, in turn, led to the issuance of Presidential Decision Directive (PDD) 63, regarding "Critical Infrastructure Protection," in May 1998. The PDD set forth the President's strategy for protecting our critical infrastructures, which the Directive defined as "those physical and cyber-based systems essential to the minimum operations of the economy and government," including "telecommunications, energy, banking and finance, transportation, water systems and emergency services, both government and private."

I mention this history because it is important to understand that our reliance on information systems for the performance of critical government and private sector functions, and our consequent vulnerability to significant disruption should those systems fail, is a problem that both predates the Y2K problem and will last well beyond the advent of the New Year. Thus, how we approach the Y2K problem should take into account the existing framework established by PDD 63 for dealing with cyber incidents. Moreover, we should utilize Y2K as an exercise from which to draw lessons for what further work we need to do to prepare ourselves for the more long-lasting challenges posed by critical infrastructure protection.

Role and Mission of the National Infrastructure Protection Center

The National Infrastructure Protection Center (NIPC) is an interagency Center located at the FBI, charged with gathering information on, issuing warnings of, and responding to cyber threats or attacks on the nation's critical infrastructures. The PDD directs that the NIPC "serve as a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity." It further states that the mission of the NIPC "will include providing timely warnings of intentional threats [and] comprehensive analyses." To this end, the PDD directs the NIPC to "sanitize law enforcement and intelligence information for inclusion into analyses and reports that it will provide, in appropriate form, to relevant federal, state, and local agencies; the relevant owners and operators of critical infrastructures; and to any private sector information sharing and analysis entity." In addition, "the NIPC will provide the principal means of facilitating and coordinating the Federal Government's response to an incident, mitigating attacks, investigating threats, and monitoring reconstitution efforts." The PDD further specifies that the NIPC should include "elements responsible for warning, analysis, computer investigation, coordinating emergency response, training, outreach, and development and application of technical tools."

Since its creation in February 1998, the NIPC has made significant progress in establishing a network of relationships with a wide range of entities in both the government and the private sector. First, as called for by the PDD, the Center includes representatives detailed from numerous federal agencies, including the Department of Defense (both the military services and other components), the Central Intelligence Agency, the National Security Agency, the Department of Energy, the National Aeronautics and Space Administration, the State Department, the U.S. Secret Service, and the U.S. Postal Service. We also rely extensively on private sector contractors and are planning to bring private sector representatives into the Center full-time. Second, pursuant to the PDD, the NIPC has established links to the rest of the government and to the private sector in order to facilitate the sharing of information and the timely issuance of warnings. Third, the PDD directs all executive departments and agencies to "share with the NIPC information about threats and warning of attacks and actual attacks on critical government and private sector infrastructures, to the extent permitted by law." This direction facilitates our ability to determine the present state of cyber incidents and threats, so that we can issue appropriate warnings and coordinate any necessary response measures.

By bringing other agencies directly into the Center and building direct communication linkages, the Center provides a means of coordinating the government's cyber expertise and ensuring full sharing of information, consistent with applicable laws and regulations. The NIPC at FBI Headquarters currently has 107 personnel (out of our target of 134), of which 79 are from the FBI and 28 from other government agencies.

In order to facilitate our ability to investigate and respond to cyber intrusions, the FBI has created a National Infrastructure Protection and Computer Intrusion (NIPCI) Program in the 56 FBI Field Offices across the country. Under this program, which is managed by the NIPC, full "NIPCI" squads or smaller teams have been created in each Field Office to conduct computer intrusion investigations, respond to threats, and engage in liaison and contingency planning with the owners and operators of the critical infrastructure components. There are currently 10 full NIPCI squads in Washington D.C., New York, San Francisco, Chicago, Dallas, Los Angeles, Atlanta, Charlotte, Boston, and Seattle. Further, every other Field Office includes a smaller NIPCI Team (though some with only one or two Special Agents). There are a total of 209 NIPCI agents and 46 professional support positions in the NIPCI Program in the Field Offices.

To accomplish its goals under the PDD, the NIPC is organized into three sections: the Computer Investigations and Operations Section, the Analysis and Warning Section, and the Training, Outreach and Strategy Section.

  • The Computer Investigations and Operations Section (CIOS) is the operational and response arm of the Center. It program manages and coordinates computer intrusion investigations conducted by FBI Field Offices throughout the country; provides subject matter experts, equipment, and technical support to cyber investigators in federal, state, and local government agencies involved in critical infrastructure protection; and provides a cyber emergency response capability to help resolve a cyber incident. The CIOS also coordinates investigative and intelligence activities with other government agencies and foreign law enforcement and intelligence agencies, as appropriate.
  • The Analysis and Warning Section (AWS) serves as the "indications and warning" arm of the NIPC. It collects information from all relevant sources, provides analytical support during computer intrusion investigations, performs analyses of infrastructure risks and threat trends, and produces current analytic products for the national security and law enforcement communities, the owners-operators of the critical infrastructures, and the computer network administrators who protect their systems. Through our Watch and Warning Unit, the AWS also distributes tactical warnings, alerts, and advisories to all the relevant partners in the government and private sector, informing them of exploited vulnerabilities, threats, and ongoing incidents. It also maintains real-time situational awareness of the cyber threat by reviewing numerous databases, media, and other sources daily to disseminate information that is relevant to any aspect of NIPC's mission. If we determine an intrusion or cyber incident is imminent or underway, the Watch formulates warnings, alerts, or advisories and quickly disseminates them to all appropriate parties in the government and private sector so that they can take immediate protective steps.
  • The Training, Outreach and Strategy Section (TOSS) coordinates the training and continuing education of cyber investigators within the FBI Field Offices and other federal, state and local law enforcement agencies. It also coordinates our liaison with other Federal agencies, private sector companies, state and local governments, and the FBI's Field Offices. In addition, this section manages our "Key Asset Initiative" (KAI), which is a program aimed at establishing liaison with the owners and operators of critical individual components within each infrastructure sector (such as specific power grids, telecommunications switch nodes, or financial systems) across the country, determining which "assets" are critical on a national, regional, or local basis, and establishing 24-hour points of contact at each. If future resources permit, the initiative will also include contingency planning with the assets to develop and test plans for responding to attacks. The TOSS also manages our InfraGard program, which is a pilot project aimed at sharing information, in a secure fashion, with private sector entities about cyber threats and incidents.

Our role in protecting infrastructures against cyber intrusions is not to advise the private sector on what hardware or software to use or to act as their systems administrator. Moreover, we are not responsible for responding to software glitches or unintentional system failures. Rather, our role is to provide information about intentional threats and incidents and exploited vulnerabilities so that government and private sector system administrators can take the appropriate protective measures. If an incident occurs, we are responsible for determining who is responsible and coordinating the response, in close cooperation with the Department of Justice and other agencies.

The NIPC's Role for Y2K and Its Relation to the Information Coordination Center

Given our overall mission under PDD 63, our role with regard to Y2K will be to maintain real-time awareness of intentional cyber threats or incidents that might take place around the transition to 2000, disseminate warnings to the appropriate government and private sector parties, and coordinate the government's response to such incidents. We are not responsible for dealing with Y2K-induced emergencies. Because of the possibility that there might be an increase in malicious activity around January 1, 2000, we are formulating contingency plans both for NIPC Headquarters and the FBI Field Offices. This will include augmenting our existing relationships and information-sharing mechanisms with relevant entities in the federal government, state and local governments, private industry, and the CERT/FIRST community.

In contrast to the NIPC's role for cyber intrusions and threats, under Executive Order 13073, the Information Coordination Center (ICC) is responsible for maintaining an awareness of, and coordinating the sharing of information concerning, "Y2K emergencies," in particular those "that could have an adverse effect on U.S. interests at home and abroad." In some instances, it may not be immediately apparent whether a service outage is the result of the "millennium bug" problem or a computer intrusion. It is therefore imperative that the ICC and NIPC coordinate closely to share information. Thus, any information that the ICC obtains concerning events that could possibly involve computer intrusions needs to be shared by the ICC with the NIPC. Conversely, the NIPC needs to keep the ICC informed of our activities and share any information we might obtain regarding Y2K. We have been in discussion with the ICC concerning our dual roles, and we expect to establish concrete information-sharing channels to facilitate the two-way flow, including sending an NIPC representative to the ICC for the days surrounding New Year's Day. We have also been assisting the ICC in designing its architecture for managing the flow of information about Y2K emergencies.

What We Expect Around Y2K and Beyond

This brings me to what we expect to see in terms of malicious activity around Y2K. The Domestic Terrorism Section of the FBI expects to see increased and possibly violent activities among certain domestic groups related to the millennium. For example, the coming of the millennium requires Christian Identity adherents to prepare for the Second Coming of Christ by taking violent action against their enemies. The FBI's Domestic Terrorism Program is responsible for, and has been planning for, any violent activity by such groups.

As for cyber activity, we do not possess any concrete indications that any group or individual is planning to engage in unlawful intrusions or virus propagation specifically related to the millennium. But considering both expected violent millennium activity and the broader trends in the cyber world, it is possible that we could see an increase in such activity. That possibility, combined with the difficulty of determining what system failures are caused by the millennium bug and which might be caused by intrusions or viruses, requires that we be prepared for any contingencies. This is why we are developing the contingency plans I talked about earlier.

There is one problem associated with Y2K, however, that causes us concern, but which has received little attention in the private sector. That is the prospect that malicious actors, foreign or domestic, could use the Y2K remediation process to install malicious code in the "remediated" software. Thousands of companies across the United States and around the world are busy having their source code reviewed to ensure that they are "Y2K compliant." I am sure many of you have received at least one letter from your bank by now assuring you that it is Y2K compliant and that your funds are safe. Those who are doing the Y2K remediation are almost always contractors who are given the status of a trusted insider with broad authority to review and make changes to the source code that runs information systems. These contractors could, undetected, do any of the following to compromise systems:

  • Install Trap Doors: By installing trap doors, intruders can later gain access to a system through an opening that they have created and then exploit or attack the system.
  • Obtain "Root Access": Given their level of access, remediation companies can gain the same extensive privileges as the system administrator, allowing them to steal or alter information or engage in a "denial of service" attack on the system.
  • Implant Malicious Code: By implanting malicious code, someone could place a logic bomb or a time-delayed virus in a system that will later disrupt it. A malicious actor could also implant a program to compromise passwords or other aspects of system security.
  • Map Systems: By mapping systems as a trusted insider, a contractor can gain valuable information to sell to economic competitors or even foreign intelligence agencies.

Systems can be compromised for any number of purposes, including foreign intelligence activities, information warfare purposes, industrial espionage, terrorism, or organized crime.

Our concern on this issue is particularly acute because a substantial part of the Y2K remediation work is being done by foreign computer software companies. The use of untested foreign sources for Y2K remediation has created a unique opportunity for foreign countries and companies to access, steal from, or disrupt sensitive national and proprietary information systems.

The problem, of course, is checking the remediation work to make sure that no malicious code was implanted in a system. If reviewing the millions of lines of code at issue were simple, there would not be a need for Y2K contractors in the first place. Nevertheless, given the vulnerabilities that could be implanted in critical systems, it is imperative that the client companies do as much as possible to check the background of the companies doing their remediation work, oversee the remediation process closely, and review new code as closely as possible and remove any extraneous code. Further, companies should test for trap doors and other known vulnerabilities to cracking. If possible, companies can use "red teams" to try to crack the software and further determine if trap doors exist. Finally, since any vulnerabilities that are implanted will persist as long as the software is in place, this is a problem that will last well beyond January 1, 2000. Companies and government agencies therefore need to determine how they will deal with this potential "Post-Y2K problem" on their critical systems.
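The review step described above (inspect the code that came back from remediation, remove anything extraneous, and look specifically for trap doors) can be partly mechanized by comparing a fingerprint of the source tree taken before the contractor was given access against the tree returned afterwards. The following is an added example, not part of the testimony and not a tool of the NIPC or any named agency; the file contents, paths and the list of "suspect" patterns are constructed for illustration, and a real review would tune the patterns to the language and code base at hand and still read every flagged line by hand.

```python
"""Added example: triage the changes a third party made to a source tree.

A client takes a hash-based fingerprint of its source before handing it to
a remediation contractor, then diffs the returned tree against it.  Every
added or changed file is listed, and each *added* line is screened for a few
patterns a reviewer would want to look at first (a comparison against a
string literal in authentication code, a new network listener, a call that
spawns a shell, a hard-coded credential).  All sample sources are constructed.
"""
import difflib
import hashlib
import re

# Constructed sample: the tree as it was before remediation (path -> contents).
BASELINE = {
    "billing/dates.c": (
        "int full_year(int yy) {\n"
        "    return 1900 + yy;\n"
        "}\n"
    ),
    "auth/login.c": (
        "int check_login(const char *user, const char *pw) {\n"
        "    return verify_hash(user, pw);\n"
        "}\n"
    ),
}

# Constructed sample: the tree as returned.  dates.c carries a legitimate
# two-digit-year windowing fix; login.c and remote.c carry additions the
# client never asked for and must be explained or removed.
REMEDIATED = {
    "billing/dates.c": (
        "int full_year(int yy) {\n"
        "    /* Y2K window: 00-49 -> 20xx, 50-99 -> 19xx */\n"
        "    return (yy < 50 ? 2000 : 1900) + yy;\n"
        "}\n"
    ),
    "auth/login.c": (
        "int check_login(const char *user, const char *pw) {\n"
        "    if (strcmp(pw, \"maint1999\") == 0) return 1; /* undocumented */\n"
        "    return verify_hash(user, pw);\n"
        "}\n"
    ),
    "util/remote.c": (
        "#include <sys/socket.h>\n"
        "int start_listener(int fd) {\n"
        "    return listen(fd, 5);\n"
        "}\n"
    ),
}

# Heuristics a reviewer applies to *added* lines only; each hit is a prompt
# to read the surrounding code, not a verdict.  Constructed for this sample.
SUSPECT_PATTERNS = [
    ("hard-coded credential",
     re.compile(r'(?i)\b(passw(or)?d|secret|token)\s*=\s*"[^"]+"')),
    ("comparison against string literal",
     re.compile(r'\bstrcmp\s*\(.*"[^"]+"')),
    ("shell/exec call",
     re.compile(r'\b(system|popen|exec[lv]p?)\s*\(')),
    ("network listener",
     re.compile(r'\b(listen|bind|accept)\s*\(')),
]


def fingerprint(tree):
    """SHA-256 per file; this is what the client records before handover."""
    return {p: hashlib.sha256(c.encode()).hexdigest() for p, c in tree.items()}


def added_lines(old, new):
    """Return (line_number, text) for every line present in new but not old."""
    a, b = old.splitlines(), new.splitlines()
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    out = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            out.extend((j + 1, b[j]) for j in range(j1, j2))
    return out


def review(baseline, remediated):
    """Compare the two trees and screen every added line."""
    before = fingerprint(baseline)
    report = {"added_files": [], "removed_files": [],
              "changed_files": [], "findings": []}
    for path in sorted(set(baseline) | set(remediated)):
        if path not in baseline:
            report["added_files"].append(path)
            new_lines = list(enumerate(remediated[path].splitlines(), 1))
        elif path not in remediated:
            report["removed_files"].append(path)
            continue
        elif before[path] == fingerprint(remediated)[path]:
            continue  # byte-identical: nothing to review
        else:
            report["changed_files"].append(path)
            new_lines = added_lines(baseline[path], remediated[path])
        for lineno, text in new_lines:
            for label, pattern in SUSPECT_PATTERNS:
                if pattern.search(text):
                    report["findings"].append((path, lineno, label, text.strip()))
    return report


if __name__ == "__main__":
    result = review(BASELINE, REMEDIATED)
    for key in ("added_files", "removed_files", "changed_files"):
        print(f"{key}: {result[key]}")
    for path, lineno, label, text in result["findings"]:
        print(f"{path}:{lineno}: {label}: {text}")
```

On the constructed sample the tool reports `billing/dates.c` as changed with no findings (the windowing fix is exactly the remediation that was contracted), flags the added literal comparison in `auth/login.c`, and flags the new file `util/remote.c` for opening a listener. The fingerprint must be taken and stored out of the contractor's reach before access is granted, and a clean report is only as good as the pattern list, which is why the testimony still calls for close oversight and testing rather than a single automated pass.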

Reconstitution

We should be clear among ourselves and with the private sector and general public about what the Federal Government's role is with respect to reconstitution when systems fail as a result of either malicious attacks or Y2K problems. In either case, Federal agencies clearly have a responsibility to repair problems that may occur in their own systems. However, the Federal Government cannot directly fix failures in private sector systems. Given the lack of resources and expertise in the government to perform such a potentially massive undertaking, this is a role that must be played by the private sector itself. However, the Federal government should be prepared to assist with reconstitution where system failures threaten the national or economic security of our nation. The key question is who is responsible for this mission.

Once again, when dealing with the consequences of malicious attacks and the need for reconstitution, PDD 63 already establishes a framework. As part of their responsibilities, the Sector Coordinators from the private sector and the federal "Lead Agencies" for each infrastructure sector (e.g., the Department of Transportation for the Transportation Sector) are responsible for "developing a plan for alerting, containing and rebuffing an attack in progress and then, in coordination with FEMA as appropriate, rapidly reconstituting minimum essential capabilities in the aftermath of an attack." (emphasis added) The NIPC, in turn, is responsible for "monitoring reconstitution efforts" during and after an attack. NIPC monitoring is important to ensure both that reconstitution is actually being done for critical systems and that reconstitution does not unnecessarily interfere with the overall operational response (such as needlessly erasing logs that contain evidence of who was responsible for an attack).

With regard to Y2K-induced system failures, the reconstitution problem is potentially even larger, or is at least likely to be concentrated around a few days. Here, again, however, any necessary assistance for critical private sector systems should come from the Lead Agencies and Sector Coordinator for each infrastructure sector. See Executive Order 13073, Sec. 5(C)(2). As I understand it, the ICC's role in this process will be to maintain a situational awareness in the critical period around the millennium, advise the President of the situation, and coordinate with the relevant Federal agencies in reconstitution processes where appropriate. Ibid.

Learning from Y2K for Responding to Future Cyber Incidents

Y2K offers us a large challenge, and Mr. Koskinen should be commended for a superb job in leading the Federal Government's efforts to get our collective house in order. But Y2K also offers us a valuable opportunity to study how the delivery of vital services is affected by computer system outages, how the private sector and government are able to respond to such outages, and how we can distinguish and respond to malicious acts that occur amidst a high volume of "noise" caused by unintentional system failures. All of these lessons will inform how the NIPC carries forward our responsibility to coordinate the government's efforts to gather information about, issue warnings of, and respond to intentional cyber incidents that occur after Y2K. While PDD 63 already establishes the necessary framework and entities to address these issues, we will learn much from the actual events around Y2K that will enable us to improve our ability to do our job well into the next century.

Conclusion

Y2K and the preparations for it reveal our tremendous dependence on cyber systems and our national vulnerability to network outages. Our experience at the NIPC demonstrates how much can be accomplished when agencies work together, share information, and coordinate their activities as much as legally permissible. We look forward to continuing our work over the next five months with the ICC; the President's Council on Year 2000 Conversion; the National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism; the Critical Infrastructure Assurance Office; the Department of Justice; Federal sector lead agencies; and the private sector on Y2K. Our collective efforts on Y2K should provide valuable "lessons learned" for the continuing activities of the NIPC and the Federal Lead Agencies in dealing with cyber incidents after Y2K. We also look forward to working with this Committee and the Congress to make sure that policy makers understand the threats to the critical infrastructures that we see every day and what measures are necessary to secure our Nation against them.

Thank you.