Testimony of Ronald L. Dick, Director, National Infrastructure Protection Center, FBI
Before the Senate Committee on Governmental Affairs
May 8, 2002
"Critical Infrastructure Information Sharing"
Mr. Chairman,
Ranking Member Thompson, and members of the committee, thank
you for inviting me here today to testify on the topic, "Critical
Infrastructure Information Sharing." Holding this hearing
demonstrates your individual commitment to improving the security
of our Nation's critical infrastructures and this committee's
leadership on this issue in Congress. Our work here is vitally
important because the stakes involved are enormous. We have
seen how a terrorist attack can have immediate simultaneous
impact on several interdependent infrastructures. My testimony
today will address information sharing as it relates to our
mission at the National Infrastructure Protection Center.
Our combined mission supports information and physical security,
law enforcement, national security, and the military.
As set
forth in Presidential Decision Directive 63 (PDD-63), the
mission of the NIPC is to provide "a national focal point
for gathering information on threats to the infrastructures"
and to provide "the principal means of facilitating and
coordinating the Federal Government's response to an incident,
mitigating attacks, investigating threats and monitoring reconstitution
efforts." The Directive defines critical infrastructures
to include "those physical and cyber-based systems essential
to the minimum operations of the economy and government,"
to include, without limitation, "telecommunications,
energy, banking and finance, transportation, water systems
and emergency services, both governmental and private."
To accomplish this mission, we have had to build a coalition of trust,
one . . . amongst all government agencies,
two . . . between the government and the private sector,
three . . . amongst the different business interests within the private sector itself,
and four . . . in concert with the greater international community. Once trust has been earned, true
two-way information sharing can occur. The NIPC shares information
across the public and private sectors through several programs
and mechanisms, with a focus on cyber security.
SHARING INFORMATION WITH FEDERAL AGENCIES, STATE AND LOCAL LAW ENFORCEMENT AUTHORITIES, THE PRIVATE SECTOR, AND INTERNATIONALLY
OVERALL NIPC INFORMATION SHARING EFFORTS
The NIPC
routinely shares information with the public and private sectors
to help them better protect themselves. That does not mean
that information is broadcast across the news media in every
instance. While public statements are the best alternative
in some cases, in other cases the NIPC has approached victim
companies or government agencies privately. In many cases
a tiered approach is taken so that information with the appropriate
level of detail reaches the right audiences. If the NIPC finds
that despite issuing an advisory, a widespread problem persists
or grows, then an advisory may be reissued.
The NIPC
has a variety of information products to inform the private
sector and other domestic and foreign government agencies
of the threat, including: assessments, advisories and alerts;
a Daily Report; biweekly CyberNotes; monthly
Highlights; and topical electronic reports. These products
are designed for tiered distribution to both government and
private sector entities consistent with applicable law and
the need to protect intelligence sources and methods, and
law enforcement investigations. For example, Highlights
is a monthly publication for sharing analysis and information
on critical infrastructure issues. It provides analytical
insights into major trends and events affecting the nation's
critical infrastructures. It is usually published in an unclassified
format and reaches national security and civilian government
agency officials as well as infrastructure owners. CyberNotes
is another NIPC publication designed to provide security and
information system professionals with timely information on
cyber vulnerabilities, hacker exploit scripts, hacker trends,
virus information, and other critical infrastructure-related
best practices. It is published twice a month on the NIPC
website (www.nipc.gov) and disseminated via e-mail to government
and private sector recipients. Although the NIPC can and does
issue limited distribution products that are classified or
law enforcement sensitive (for example, because they reflect
non-public sources and methods), it attempts to issue most
reports at the unclassified level and to the widest audience
possible.
To better
share information, the NIPC has spearheaded an aggressive
outreach effort.
NIPC officials have met with business, government, and community
leaders across the United States and around the world to build
the trust required for information sharing. Protection of
business information and privacy interests are both stressed
in NIPC internal deliberations and with business, government
and community leaders. Most have been receptive to information
sharing and value the information received from the NIPC.
Others have expressed reservations due to a lack of understanding
or perhaps confidence in the strength of the disclosure exceptions
found in the Freedom of Information Act, concerns about whether
the Justice Department would pursue prosecutions at the expense
of private sector business interests, and simple reluctance
to disclose proprietary information to any entity beyond their
own control or beyond the direct control of the NIPC.
The annual
Computer Security Institute/FBI Computer Crime and Security
Survey, released in April, indicated that 90% of the respondents
detected computer security breaches in the last 12 months.
Only 34% reported the intrusions to law enforcement. On the
positive side, that 34% is more than double the 16% who reported
intrusions in 1996. The two primary reasons for not making
a report were negative publicity and the recognition that
competitors would use the information against them. Many respondents
were not aware that they could report intrusions to law enforcement.
We have moved aggressively to address these concerns and go
out of our way to reassure businesses that their voluntarily
provided information will remain secure, and that we are always
sensitive to protecting the interests of victims who report
crime.
WATCH AND WARNING
The NIPC
Watch maintains a round-the-clock presence in the FBI's Strategic
Information and Operations Center (SIOC). The Watch serves
as the main portal into and out of the NIPC. Our recent advisory
regarding the Klez.h worm was issued after the Watch received
a voluntary report from a major telecommunications company.
Following an analysis and consultations with our security
partners, the NIPC issued Alert 02-2002: "W32/Klez.h@mm
Worm and Variants." Through the Watch, the Center
produces and disseminates three levels of infrastructure warnings
which are developed and distributed consistent with the FBI's
National Threat Warning System. Collectively, these warning
products will be based on material that is significant, credible,
timely, and that addresses cyber and/or infrastructure dimensions
with possibly significant impact. If a particular warning
is based on classified material that includes dissemination
restrictions and contains information deemed valuable and
essential for critical infrastructure protection, the NIPC
will then seek to develop a sensitive "tear-line"
version for distribution, including to critical sector coordinators,
InfraGard members, and general law enforcement authorities.
The three specific categories of NIPC warning products are
as follows:
- "Assessments" address broad, general incident or issue awareness information and analysis that is both significant and current but does not necessarily suggest immediate action.
- "Advisories" address significant threat or incident information that suggests a change in readiness posture, protective options and/or response.
- "Alerts" address major threat or incident information addressing imminent or in-progress attacks targeting specific national networks or critical infrastructures.
The main
"audiences" that NIPC products can reach include:
DoD, Federal civil agencies, the Intelligence Community, the
Law Enforcement Community (including the state and local levels),
FBI field offices and international Legal Attache offices,
computer incident response centers, domestic and foreign cyber
watch centers, private sector Information Sharing and Analysis
Centers (ISACs), InfraGard members (see below for an explanation
of the InfraGard program), and the general public.
Since
its inception, the NIPC has issued over 100 warning products.
A number of warning products have preceded incidents or prevented
them entirely by alerting the user community to a new vulnerability
or hacker exploit before acts are committed or exploits are
used on a widespread basis. The Center has had particular
success in alerting the user community to the presence of
Denial of Service tools on the network and has in some cases
provided a means to discover the presence of tools on a network.
For example, in December 1999, as part of our Y2K efforts,
the NIPC released a warning message along with a tool to allow
users to find the presence of three specific denial of service
tools on their systems. This was something never before done
by the government for the user community and occurred over
a month before the Distributed Denial of Service Attacks of
February, 2000. The NIPC's work with private companies has
been so well received that the Systems Administrators and
Network Security Organization (SANS, a trade group) awarded
their yearly Security Technology Leadership Award to members
of the NIPC's Special Technologies Applications Unit.
The NIPC
is integrated into national level warning systems both through
structures established by the National Security Council and
by other agencies. Of particular note is the fact that the
NIPC has been fully engaged in the planning and implementation
of the interagency Cyber Warning Information Network (CWIN).
Also of note: the NIPC, under the authority of the FBI, is
the only locus where the widest range of law enforcement,
counterintelligence, foreign intelligence, and private sector
information may be lawfully collected, analyzed, and disseminated,
all under well-developed statutory protections and the oversight
of the Department of Justice. NIPC Advisory 01-003 and its
companion NIPC Advisory 00-060, issued on March 8, 2001 and
December 1, 2000, respectively, both on e-commerce vulnerabilities,
are examples of warnings which effectively combine law enforcement,
intelligence, and private sector information with the NIPC's
warning mission. These advisories, coupled with a press conference
on March 8, 2001, stopped over 1600 attempted exploitations
by hackers. The advisories reflect the balance of information
dissemination to the public with an ongoing law enforcement
investigation, achieving both goals in the public's interest.
INTERAGENCY COORDINATION: FEDERAL GOVERNMENT
With
respect to sharing information within the government, PDD-63
mandates that government agencies will share information with
the NIPC. The NIPC has established effective information sharing
relationships across the U.S. Government. These arrangements
are not always codified in formal interagency agreements or
Memoranda of Understanding, but the important point is that
they are working. The NIPC has also formed an Interagency
Coordination Cell (IACC) at the Center which holds monthly
meetings regarding ongoing investigations. To date, the IACC's
growing membership has risen to approximately 35 government
agencies that meet on a monthly basis to include representation
from NASA, U.S. Postal Service, Air Force Office of Special
Investigations (AFOSI), U.S. Secret Service, U.S. Customs,
Departments of Energy, State and Education, and the Central
Intelligence Agency, to name a few.
The IACC's
accomplishments to date include the formation of several joint
investigative task forces with member agencies participating,
and over 30 separate instances of joint investigations of
member agencies being initiated as a direct result of IACC
meetings, information sharing and participation. In one case,
an IACC member agency provided timely sensitive source information
to the appropriate authorities, which prevented the planned
intrusion into and compromise of another government agency's computer
system and allowed the preservation of critical log data used for
the ensuing investigation.
The IACC's
members are currently working on the establishment and development
of a database which would serve as a source of computer intrusion
information compiled from member agency investigations to
facilitate other investigations. It is also working on the
establishment and administration of a dedicated virtual private
secure network for member agencies to communicate vital infrastructure
protection and computer intrusion information for immediate
emergency response situations, in addition to dissemination
of routine but sensitive information.
The Department
of Defense has the second largest (after FBI) interagency
contingent in the NIPC. The Deputy Director of the NIPC is
a two-star Navy Rear Admiral; the Executive Director is detailed
from the Air Force Office of Special Investigations; the Assistant
Section Chief for Training, Outreach and Strategy is detailed
from the Defense Criminal Investigative Service; the head
of the NIPC Watch is a Naval Reserve officer; and the head
of the Analysis and Information Sharing Unit is a National
Security Agency detailee. There are also liaison representatives
from the National Imagery and Mapping Agency and the Joint
Programs Office. A contingent of DoD reservists serves in
the Center to provide additional critical infrastructure expertise
and emergency surge capabilities. NIPC works particularly
closely with the DoD through liaison with the Joint Task Force-Computer
Network Operations (JTF-CNO). NIPC members stay in close contact
with their JTF-CNO counterparts, providing mutual assistance
on intrusion cases into DoD systems, as well as on other matters.
NIPC alerts, advisories, and assessments are routinely coordinated
with the JTF-CNO prior to release to solicit JTF input. On
several occasions, the NIPC and JTF-CNO have coordinated and
issued joint cyber warnings on the same matter. There is also
significant interaction with the military services, the Joint
Staff, the Office of the Secretary, and other major DoD agencies.
Interagency
managerial participation is by no means limited to DoD. For
example, the Section Chief for Analysis and Warning is detailed
from the Central Intelligence Agency, and the Assistant Section
Chief for Computer Investigations and Operations is detailed
from the U.S. Secret Service.
The NIPC
also has an excellent cooperative relationship with the Federal
Computer Incident Response Center (FedCIRC). The FedCIRC has
detailed a person to our Watch Center in the past, and the
NIPC's Director sits on FedCIRC's Senior Advisory Council.
FedCIRC is operated by the General Services Administration
as the central coordinating point on security vulnerabilities
and lower level security incident data. In addition, the NIPC
sends draft alerts, advisories, and assessments on a regular
basis to FedCIRC for input and commentary prior to their release.
NIPC and FedCIRC information exchange assists both centers
with their analytic products. The NIPC and FedCIRC are currently
discussing ways to improve the flow of information between
the two organizations and encourage federal agency reporting
of incident information. On several occasions, the two organizations
have coordinated and issued joint cyber warnings.
More
recently, in October of 2001, President Bush issued Executive
Order 13231, which establishes the President's Critical Infrastructure
Protection Board to "recommend policies and coordinate
programs for protecting information systems for critical infrastructure,
including emergency preparedness communications, and the physical
assets that support such systems." EO 13231 expressed
the current Administration's continued support of the NIPC's
mission under PDD 63 and distinguishes the interagency entity
from any particular Department by separately designating the
Director of the NIPC to serve as a member of the newly created
President's Board. The President also designated the Director
of the NIPC to serve on the Board's Coordination Committee,
and recognized the NIPC's significant roles in, among other
things, outreach to the private sector and state and local
governments, as well as in the area of information sharing.
Since
1998, the NIPC has been developing the FBI's Key Asset Initiative,
to identify those entities that are vital to our national
security, including our economic well-being. The information
is maintained to support the broader effort to protect the
critical infrastructures against both physical and cyber threats.
This initiative benefits national security planning efforts
by providing a better understanding of the location, importance,
contact information and crisis management for critical infrastructure
assets across the country. We have worked with the DoD and
the Critical Infrastructure Assurance Office (CIAO) in this
regard.
INTERAGENCY COORDINATION: FEDERAL, STATE AND LOCAL
Emergency Law Enforcement Services Sector
The NIPC
has been designated by the Department of Justice/FBI to fulfill
their responsibilities as the Sector Lead Agency with regard
to Emergency Law Enforcement Services (ELES). The NIPC's efforts
in this regard have served as a model for all other Sector
Lead Agencies. More than 18,000 federal, state and local agencies
comprise the ELES Sector. The NIPC serves as program manager
for this function at the request of the FBI. Last year the
NIPC completed the Emergency Law Enforcement Services Sector
Plan; this was the first completed sector report under PDD-63
and was delivered to the White House in March 2001. Working
with law enforcement agencies across the United States, the
NIPC conducted a sector survey and used the results of this
survey to draft a sector report. Responses from more than
1500 of these agencies to a sector-commissioned information
systems vulnerability survey revealed that these organizations
have become increasingly reliant on information and communications
systems to perform their critical missions. The NIPC has also
sponsored the formation of the Emergency Law Enforcement Services
Sector forum, which meets quarterly to discuss issues relevant
to sector security planning.
State Infrastructure Protection Center (SIPC) efforts
The NIPC,
with its extensive experience in the areas of multi-agency
and multi-disciplinary support to infrastructure protection
efforts, is actively engaged in supporting similar models
being created at the state and local level. The State of Texas
has demonstrated itself as a leader in this area, and the
NIPC, together with significant Department of Defense involvement,
is actively facilitating their efforts. Over time, the NIPC
expects to meet the challenge of serving as the US hub for
infrastructure protection efforts not only in terms of full
Federal government support, but also in terms of bringing
together State and Local governments for a fully coordinated
national response.
INTERAGENCY COORDINATION: FEDERAL GOVERNMENT AND THE PRIVATE SECTOR
InfraGard: The Most Extensive Network of Federal and Private Sector Partners in the World for Protecting the Infrastructure
The InfraGard
program is a nationwide initiative that grew out of a pilot
program started at the Cleveland FBI field office in 1996.
Today, all 56 FBI field offices have active InfraGard chapters.
Nationally, InfraGard has over 4000 members. It is the most
extensive government-private sector partnership for infrastructure
protection in the world, and is a service the FBI provides
to InfraGard members free of charge. It particularly benefits
small businesses which have nowhere else to turn for assistance.
InfraGard expands direct contacts with the private sector
infrastructure owners and operators and shares information
about cyber intrusions and vulnerabilities through the formation
of local InfraGard chapters within the jurisdiction of each
of the 56 FBI Field Offices. The InfraGard program received
the 2001 World Safe Internet Safety Award from the Safe America
Foundation for its efforts.
InfraGard
is an information sharing and analysis effort serving the
interests and combining the knowledge base of a wide range
of members. At its most basic level, InfraGard is a cooperative
undertaking between the U.S. Government (led by the FBI and
the NIPC) and an association of businesses, academic institutions,
state and local law enforcement agencies, and other participants
dedicated to increasing the security of United States critical
infrastructures. InfraGard provides a mechanism for the public
and private sectors to exchange information pertaining to
cyber intrusion matters, computer network vulnerabilities
and physical threats on infrastructures. All InfraGard participants
are committed to the proposition that the exchange of information
about threats on these critical infrastructures is an important
element for successful infrastructure protection efforts.
The goal of InfraGard is to enable information flow so that
the owners and operators of infrastructure assets can better
protect themselves and so that the United States government
can better discharge its law enforcement and national security
responsibilities.
Private
sector members and an FBI field representative form local
area chapters. These chapters set up their own boards to govern
and share information within the membership. The chapter members
include representatives from the FBI, State and local law
enforcement agencies, other government entities, private industry
and academia. The National Infrastructure Protection Center
and the Federal Bureau of Investigation play the part of facilitator
by gathering information and distributing it to members, educating
the public and members on infrastructure protection, and disseminating
information through the InfraGard network.
InfraGard
is responsible for providing four basic services to its members:
secure and public WebSites, an alert and incident reporting
network, local chapter activities, and a help desk. Under
this program the FBI provides a secure electronic communications
capability to all InfraGard members so that the NIPC can provide
threat information to private industry owners and operators,
and encourage private industry coordination with law enforcement,
and each other, on cyber and related physical incidents. This
will be accomplished by expanding the established separate
WebSite and electronic mail system. The program anticipates
at least 100 members in each chapter with further expansion
as the program develops, with approximately 2,500 new members
expected in calendar year 2002. A number of the larger field
divisions anticipate starting several chapters in larger cities
located in their respective geographic area of responsibility.
The warnings that are provided to our InfraGard members improve
the relationship between private industry and the local FBI
offices due to the increased level of trust that is often
established. It should be noted that the InfraGard program
is not responsible for producing the alerts and warnings that
are disseminated from the NIPC.
Information Sharing and Analysis Centers (ISACs)
The NIPC
is continuing to reach out to the Information Sharing and
Analysis Centers (ISACs). The NIPC has recently initiated
the establishment of an ISAC Support and Development Unit,
whose mission is to enhance private sector cooperation and
trust, resulting in two-way sharing of information and increased
security for the nation's critical infrastructures. The NIPC
now has information sharing agreements with seven ISACs, including
those representing energy, telecommunications, information
technology, air transportation, water supply, food, and chemical
sectors. Several more agreements are in the final stages.
Just as important, the NIPC is receiving reports from member
companies of the ISACs. The NIPC has proven to these companies
that it can properly safeguard their information and can provide
them with useful information. It is because of such reporting
that the investigative caseload of the NIPC is burgeoning
and more analytical products are being issued each year.
One example
bears discussion. The North American Electric Reliability
Council (NERC) serves as the electric power ISAC. The NIPC
has developed a program with the NERC for an Indications and
Warning System for physical and cyber attacks. Under the program,
electric utility companies and other power entities transmit
incident reports to the NIPC. These reports are analyzed and
assessed to determine whether an NIPC alert, advisory, or
assessment is warranted to the electric utility community.
Electric power participants in the program have stated that
the information and analysis provided by the NIPC back to
the power companies make this program especially worthwhile.
NERC has recently decided to expand this initiative nationwide.
This initiative will serve as a good example of government
and industry working together to share information and the
Electrical Power Indications and Warning System will provide
a model for the other critical infrastructures. Additionally,
some information available to the NIPC may be classified or
law enforcement sensitive and, thus, unavailable to many in
the industry. A group of NERC officials have been granted
security clearances in order to access classified material
on a need-to-know basis. Once the NIPC has determined that
a warning should be issued, cleared electric power experts
will be available as needed to assist the NIPC in sanitizing
and finalizing warning notices so as to provide members of
the industry with unclassified, nonproprietary, timely and
actionable information to the maximum extent possible.
CERT/CC (a federally funded research and development corporation)
The NIPC
and the Computer Emergency Response Team/Coordination Center
(CERT/CC) at Carnegie Mellon University have formed a mutually
beneficial contractual relationship. The NIPC receives information
from the CERT (including advance Special Communications about
impending CERT advisories, which CERT seeks NIPC input on,
and weekly intrusion activity information) that it incorporates
into strategic and tactical analyses and utilizes as part
of its warning function. The NIPC's Watch and Analysis units
are routinely in telephonic contact with CERT/CC and the anti-virus
community for purposes of sharing vulnerability and threat
information on a real-time basis. CERT/CC input is often sought
when an NIPC warning is in production. The NIPC also provides
information to the CERT that it obtains through investigations
and other sources, using CERT as one method for distributing
information to security professionals in industry and to the
public. The Watch also provides the NIPC Daily Report to the
CERT/CC via Internet e-mail. On more than one occasion, the
NIPC provided CERT with the first information regarding a
new threat, and the two organizations have often collaborated
in disseminating information about incidents and threats.
INTERAGENCY COORDINATION: FEDERAL GOVERNMENT AND INTERNATIONAL PARTNERS
The ability
of the United States to assure homeland security clearly relies
on the full participation and support of its international
partners. It is with this in mind that the NIPC has promoted
a wide array of international initiatives.
On the
information infrastructure side of the equation, a typical
cyber investigation can involve victim sites in multiple states
and often many countries, and can require tracing an evidentiary
trail that crosses numerous state and international boundaries.
Even intrusions into U.S. systems by a perpetrator operating
within the U.S. often require international investigative
activity because the attack is routed through Internet Service
Providers and computer networks located outside the United
States. When evidence is located within the United States,
the NIPC coordinates law enforcement efforts, which might include:
subpoenas for records by FBI agents, electronic surveillance,
execution of search warrants, and seizure and examination of evidence.
We cannot do those things ourselves to solve a U.S. criminal
case overseas. Instead, we must depend on the local authorities
to assist us. This means that effective international cooperation
is essential to our ability to investigate cyber crime. The
FBI's Legal Attaches (LEGATs) provide the means to accomplish
our law enforcement coordination abroad, and are often the
first officials contacted by foreign law enforcement should
an incident occur overseas that requires U.S. assistance.
NIPC personnel are in almost daily contact with LEGATs around
the world to assist in coordinating requests for information.
International
investigations pose special problems. First, while the situation
has improved markedly in recent years, many countries lack
substantive laws that specifically criminalize computer crimes.
This means that those countries often lack the authority not
only to investigate or prosecute computer crimes that occur
within their borders, but also to assist us when evidence
might be located in those countries. Moreover, the quickly
evolving technological aspects of these investigations can
exceed the capabilities of local police forces in some countries.
Finally, even when countries have the requisite laws and have
developed the technical expertise necessary to conduct cyber
investigations, successful investigation in this arena requires
a more expeditious response than has traditionally been the
case in international matters, because electronic evidence
is fleeting and, if not secured quickly, can be lost forever.
The NIPC
is working with its international partners on several fronts.
The first area consists of outreach activities designed to
raise awareness about the cyber threat, encourage countries
to address the threat through substantive legislation, and
provide advice on how to organize to deal with the threat
most effectively. The Center often hosts foreign delegations
to discuss topics ranging from current cases to the establishment
of NIPC-like entities in other nations. Since the NIPC was
founded, Australia, Japan, Israel, the United Kingdom, Canada,
Germany, South Korea and Sweden have all formed interagency
entities like the NIPC. The Center has established watch connectivity
with similar centers in Australia, Canada, the United Kingdom,
Sweden, and New Zealand; additionally, Canada and the
United Kingdom have each detailed a person full-time to the
NIPC, and Australia detailed a person for 6 months in 2001.
Currently, the Center is working jointly with the Department
of State to develop and implement an international strategy
for information sharing in the critical infrastructure protection
arena. Finally, over the past year, the NIPC has briefed visitors
from the United Kingdom, Australia, Canada, Germany, France,
Georgia, Norway, New Zealand, Singapore, Bulgaria, Estonia,
Latvia, Japan, Denmark, Sweden, South Korea, Israel, Italy,
India, and other nations regarding critical infrastructure
protection issues. These nations have all looked to the NIPC
in order to create Critical Infrastructure Protection Centers
of their own and to promote liaison on a bi-lateral basis
between themselves and the United States, as well as with
one another.
At the
NIPC we continue to seek partnerships which promote two-way
information sharing. As Director Mueller stated in a speech
on April 19th, "Our top priority is still prevention."
We can only prevent attacks on our critical infrastructures
by building an intelligence base, analyzing that information,
and providing timely, actionable threat-related products to
our public and private sector partners. We welcome the efforts
of your Committee in improving information sharing, and I
look forward to addressing any questions you might have.