Testimony of Larry Mefford, Assistant Director, Cyber Division, FBI
Before the House of Representatives Committee on Government Reform, Subcommittee on National Security, Veterans Affairs, and International Relations
June 11, 2002
"NIPC's Role in the New Dept of Homeland Security"
Mr. Chairman
and members of the subcommittee, thank you for inviting me
to submit this statement on the President's proposal for a
Department of Homeland Security. My statement will provide
an overview of the National Infrastructure Protection Center
(NIPC) in order to demonstrate how the federal government
can and has developed a threat review and response capability
using a multi-agency model. The NIPC emphasizes in its day-to-day
operations the always present need to develop trust and cooperation
not only among federal agencies, but among and between federal,
state and local entities, the American public, international
governments, and global industry. The NIPC will play an important
role in the new Department of Homeland Security.
National Infrastructure Protection Center (NIPC)
The current mission of the NIPC is to provide "a national
focal point for gathering information on threats to the infrastructures"
and to provide "the principal means of facilitating and
coordinating the Federal Government's response to an incident,
mitigating attacks, investigating threats and monitoring reconstitution
efforts." Current guidelines define critical infrastructures
to be "those physical and cyber-based systems essential
to the minimum operations of the economy and government,"
to include, without limitation, "telecommunications,
energy, banking and finance, transportation, water systems
and emergency services, both governmental and private."
The NIPC is the only organization in the federal government
with such a comprehensive national infrastructure protection
mission. The NIPC gathers together under one roof representatives
from, among others, the law enforcement, intelligence, and
defense communities, who collectively provide a unique investigative,
analytical, deterrence, and response perspective to threat
and incident information obtained from investigation, intelligence
collection, foreign liaison, and private sector cooperation.
This perspective ensures that no single "community"
addresses threats to critical infrastructures in a vacuum;
rather, all information is examined from a multi-discipline
perspective for potential impact as a security, defense, counterintelligence,
terrorism or law enforcement matter, and an appropriate response
(often multi-layered) is developed, coordinated, and implemented.
While developing our infrastructure protection capabilities,
the NIPC has held firm to two basic tenets that grew from
extensive study by the President's Commission on Critical
Infrastructure Protection. First, the government can only
respond effectively to threats by focusing on protecting assets
against attack while simultaneously identifying, investigating,
and responding to those who nonetheless would attempt or succeed
in launching those attacks. And second, the government can
only help protect this nation's most critical infrastructures
by building and promoting a coalition of trust, one . . .
amongst all government agencies, two . . . between the government
and the private sector, three . . . amongst the different
business interests within the private sector itself, and four
. . . in concert with the greater international community.
Therefore, the NIPC has focused on developing its capacity
to warn, investigate, respond to, and build partnerships,
all at the same time. As our techniques continue to mature
and our trusted partnerships gel, we continue to witness ever-better
results.
NIPC Watch Center and Multi-Agency Staffing
The NIPC's
Watch Center operates around the clock and communicates daily
with the DoD and its Joint Task Force for Computer Network
Operations (JTF-CNO). The Watch Center is also connected to
the watch centers of several of our close allies. The NIPC's
ability to fulfill the expectations and needs of its Department
of Defense component is achieved by the inter-agency structure
of the Center, which includes the NIPC's Deputy Director Rear
Admiral James Plehal, USNR, and the NIPC's Executive Director,
Steven Kaplan, a Supervisory Special Agent from the Air Force
Office of Special Investigations. The staffing of these positions
and others indicates the NIPC's commitment to broad, high-level,
multi-agency ownership of the NIPC and our partners' collective
commitment to achieve meaningful and effective coordination
across the law enforcement, intelligence, defense, and other
critical government operations communities.
Within
the Center, the NIPC has full-time representatives from a
dozen federal government agencies, led in number by the FBI
and the Department of Defense, as well as from foreign partners
(which have included the United Kingdom, Canada, and Australia).
We are partners with the General Services Administration's
Federal Computer Incident Response Capability (FedCIRC), in
order to further secure our government technology systems
and services. We also team up regularly with the CIA and NSA
to work on matters of common concern.
Cooperative Relationships Among Federal Agencies
The NIPC has established a number of effective information
sharing and cooperative investigative relationships across
the U.S. Government. For example, a written protocol was signed
with the Department of Transportation's (DOT) which reinforces
how information is shared between DOJ and NIPC and how that
information will be communicated. This protocol formalized
a long-standing process of information sharing between NIPC
and DOJ. Formal information sharing procedures have also been
completed with the National Coordinating Center for Telecommunications,
FEMA's U.S. Fire Administration, the Food Sector Information
Sharing and Analysis Center (ISAC), the Chemical Sector ISAC,
and the Information Technology Sector ISAC. Informal arrangements
have been established with the Federal Communications Commission,
National Response Center, DOT Office of Pipeline Safety, Department
of Energy's Office of Emergency Management, and others, which
allow the NIPC to receive detailed sector-specific incident
reports in a timely manner.
The NIPC
functions in a task force-like way, coordinating investigations,
analysis, and warning in a multitude of jurisdictions, both
domestically and internationally. This is essential due to
the transnational nature of cyber intrusions and other critical
infrastructure threats.
Interagency Coordination Cell
To instill
further cooperation and establish an essential process to
resolve conflicts among investigative agencies, the NIPC asserted
a leadership role by forming an Interagency Coordination Cell
(IACC) at the Center. The IACC meets on a monthly basis and
includes representation from U.S. Secret Service, NASA, U.S.
Postal Service, Department of Defense Criminal Investigative
Organizations, U.S. Customs, Departments of Energy, State
and Education, Social Security Administration, Treasury Inspector
General for Tax Administration and the CIA. The Cell works
to resolve conflicts regarding investigative and other operational
matters among agencies and assists agencies in combining resources
on matters of common interest. The NIPC anticipates that this
cell will expand to include all investigative agencies and
Inspectors General in the federal government having cyber
or other critical infrastructure responsibilities. The IACC
has led to the formation of several task forces and prevented
intrusions and compromises of U.S. Government systems. By
way of example, the IACC was instrumental in coordinating
the augmentation of the PENTTBOM investigation in the aftermath
of the September 11 attacks.
Warnings and Advisories
The NIPC
sends out infrastructure information to address cyber or infrastructure
events with possible significant impact. These are distributed
to partners in the private and public sectors. A number of
recent advisories sent out by the NIPC (available on our website
at www.nipc.gov) serve to demonstrate the continued collaboration
between the NIPC and its partners, including FedCIRC. The
NIPC serves as a member of FedCIRC's Senior Advisory Council
and has daily contact with that entity as well as a number
of others including NSA and DoD's Joint Task Force - Computer
Network Operations (JTF-CNO). On issues of national concern,
the recent incidents involving the Leaves, Code Red and Nimda
worms are good examples of the NIPC's success in working with
the National Security Council and our partner agencies to
disseminate information and coordinate strategic efforts in
a timely and effective manner.
InfraGard Initiative
The NIPC
also manages a number of initiatives which have increased
national capabilities to mitigate the terrorist threat and
to prepare our response to the events of September 11th. The
NIPC has developed the InfraGard initiative into the largest
government/private sector joint partnership for infrastructure
protection in the world. We have taken it from its humble
roots of a few dozen members in just two states to its current
membership of over 4,400 partners. It is the most extensive
government-private sector partnership for infrastructure protection
in the world. InfraGard (with the private sector infrastructure
owners and operators) shares information about cyber intrusions
and other critical infrastructure vulnerabilities. This service
is provided free of charge.
Key Asset Initiative
Since
1998, the NIPC has been developing the Key Asset Initiative,
in which over 5,700 entities vital to our national security,
including our economic well-being, have been identified. The
information is maintained to support the nation's broader
effort to protect the critical infrastructures against both
physical and cyber threats. This initiative benefits national
security planning efforts by providing a better understanding
of the location, importance, contact information, and crisis
management for critical infrastructure assets across the country.
The NIPC has worked with the DoD, EPA, and the Critical Infrastructure
Assurance Office (CIAO) in this regard. Following the September
11, 2001, events and at the request of the National Security
Council, the NIPC has leveraged the Key Asset Initiative to
undertake an all-agency effort to prepare a comprehensive,
centralized database of critical infrastructure assets in
the United States.
Information Sharing and Analysis Centers
Our multi-agency
team works with current and soon to be established ISACs,
which represent the critical infrastructures identified in
PDD-63, including those that represent the water, financial
services, electric power, telecommunications, and information
technology sectors. Since September 11, we have provided threat
assessments on an ongoing basis for ISAC representatives from
those sectors. The NIPC has also taken the lead in managing
federal law enforcement's liaison with the 18,000 police departments
and Sheriff's offices that bravely serve our nation daily
and in times of crisis. The NIPC and the Emergency Law Enforcement
Services Sector Forum led the way early last year by completing
the nation's first Emergency Law Enforcement Sector Plan together
with a "Guide for State and Local Law Enforcement Agencies."
This significant achievement represents the nation's first
and only completed sector plan and is being used as a model
by the other critical infrastructure sectors. Taken together,
the Plan and the Guide provide our emergency law enforcement
first responders with procedures that are immediately useful
to enhance the security of their data and communications systems.
Strategic Analysis
The NIPC
established four strategic directions for our capability growth
through 2005: prediction, prevention, detection, and mitigation.
None of these are new concepts, but the NIPC has renewed its
focus on each of them in order to strengthen our strategic
analysis capabilities. The NIPC has worked to further strengthen
its longstanding efforts in the early detection and mitigation
of cyber attacks. These strategic directions will be significantly
advanced by our intensified cooperation with federal agencies
and the private sector. Our most ambitious strategic direction,
integrating investigations with a strengthened "prediction
and prevention" capability, is intended to forestall
attacks before they occur. We are seeking ways to forecast
or predict hostile capabilities in much the same way that
the military forecasts weapons threats. The goal here is to
combine the expertise of investigators and analysts to forecast
these threats with sufficient warning to prevent them. A key
to success in these areas will be strengthened cooperation
with domestic and foreign intelligence collectors and the
application of sophisticated new analytic tools to better
learn from day-to-day trends. The strategy of prevention is
reminiscent of traditional community policing programs but
with our infrastructure partners and key system vendors.
As we
work on these strategic directions, we will have many opportunities
to stretch our capabilities. With respect to all of these,
the NIPC is committed to continuous improvement. The NIPC
also remains committed to achieving all of its objectives
while upholding the fundamental Constitutional rights of our
citizens, including those with respect to the collection of
information, the retention of information, and the use of
information, as further controlled by statute, regulation,
Attorney General Guidelines, and FBI protocols.
The NIPC
is also enhancing its strategic analysis capability through
a "data warehousing and data mining" project. This
will allow the NIPC to retrieve incident data originating
from multiple sources. Data warehousing includes the ability
to conduct real-time all-source analysis and report generation.
Improving Information Sharing
The NIPC
actively exchanges information with private sector companies,
the ISACs, members of the InfraGard Initiative, and the public
at large as part of the NIPC's outreach and information sharing
activities. Through NIPC's affirmative outreach efforts, we
receive incident reports from the private sector. The NIPC
has proven that it can properly safeguard their information
and disseminate warning messages and useful information in
return. Private sector reporting of infrastructure incidents
is partially responsible for the issuance of more warnings
each year.
Each
NIPC program is treated with a special focus on the unique
concerns and objectives of our partners. When it comes to
infrastructure protection, we have learned that there is no
single solution. For example, over the past two years the
NIPC and the North American Electric Reliability Council (NERC), the
ISAC for the electric power sector, have established an
indications, analysis and warning (IAW) program, which
makes possible the timely exchange of information valued by
both the NIPC and the electric power sector. This relationship
is possible because of a commitment both on the part of NERC
and the NIPC to build cooperative relations. Following the
September 11 attacks, NIPC and NERC held daily conference
calls. The close NERC-NIPC relationship is no accident, but
the result of two interrelated sets of actions. First, as
Eugene Gorzelnik, Director of Communications for the NERC,
stated in his prepared statement at the May 22, 2001 hearing
before the Senate Judiciary Committee's Subcommittee on Technology
and Terrorism:
The NERC
Board of Trustees in the late 1980s resolved that each electric
utility should develop a close working relationship with its
local Federal Bureau of Investigation (FBI) office, if it
did not already have such a relationship. The Board also said
the NERC staff should establish and maintain a working relationship
with the FBI at the national level.
Second,
the NIPC and NERC worked for over two years on building the
successful partnership that now exists. It took dedicated
individuals in both organizations to make it happen. The same
type of relationship is now building with the Water Resources
Sector and the Association of Metropolitan Water Agencies
(AMWA), among others. It is this success and dedication to
achieving results that the NIPC is working to emulate with
the other ISACs.
The NIPC
also continues to meet regularly with current and prospective
ISACs from other sectors, particularly the financial services
(FS-ISAC), water supply, and telecommunications (NCC-ISAC)
sectors, to develop and implement more formal information
sharing arrangements, drawing largely on the model developed
with the electric power sector. In the past, information exchanges
with these ISACs have consisted of a one-way flow of NIPC
warning messages and products being provided to the ISACs.
However, the NIPC has received greater participation from
sector companies as they become increasingly aware that reporting
to the NIPC enhances the value and timeliness of NIPC warning
products disseminated to their sector and can lead to stopping
the threat. Productive discussions with ISACs should significantly
advance a two-way information exchange with the financial
services industry. The NIPC is currently working to develop
and test secure communication mechanisms, which will facilitate
the sharing of high-threshold, near real-time incident information.
These programs proved praiseworthy as early as March 2001,
when the NIPC was commended by the FS-ISAC for its advisory
on e-commerce vulnerabilities (NIPC Advisory 01-003). According
to the FS-ISAC, that advisory, coupled with the NIPC press
conference on March 8, 2001, stopped over 1600 attempted exploitations
by hackers on the first day alone immediately following the
press conference.
Training
Over
the past four years, NIPC has provided training for approximately
3,000 participants from federal, state, local and foreign
law enforcement and security agencies. The NIPC's training
program complements training offered by the FBI's Training
Division as well as training offered by the DoD and the National
Cyber Crime Training Partnership. Trained investigators are
essential to our successfully combating computer intrusions.
Conclusion:
The NIPC
provides a national focal point for gathering information
on threats to the infrastructures, and the principal means
of facilitating and coordinating the Federal Government's
response to an incident. The NIPC has been staffed with personnel
from across a broad spectrum of federal agencies in order
to break down traditional problems associated with separating
the government's investigations, analysis, warning, and response
functions. The NIPC has undertaken several initiatives to
include the private sector as a principal partner in infrastructure
protection. As part of the new Department of Homeland Security,
as proposed by the President, we look forward to working to
continually improve in the coming years in order to master
the perpetually evolving challenges of infrastructure protection
and information assurance.