Critical Infrastructure Assurance Office Presenter: Mike Lombard Globalization and Terrorism: Protecting the Digital Infrastructure June 7, 2002 U.S. Government Security Issues

What is the U.S. Government Perspective? –Answered from the perspective of CIAO What is the U.S. Government Doing? What are we doing with other countries?

What is the U.S. Government Perspective? Attacks on our homeland such as those of Sept 11 must never be allowed to occur again. Will require combined efforts of Federal, states and local government, private sector, and individual citizens working with common purpose.

Homeland Security vs. Critical Infrastructure Assurance Objective of homeland security is to safeguard all of America – its people, its property, and society – from terrorist threats foreign and domestic. Critical infrastructure assurance seeks to maintain the readiness, reliability, and continuity of infrastructure services –less vulnerable to disruptions, –any impairment is of short duration and limited in scale, –services are readily restored when disruptions occur.

Presidential Decision Directive 63 PDD-63 called for a “public-private partnership to reduce vulnerability” that is “genuine, mutual and cooperative.” Designated Lead Agency for each major sector –Act as a liaison with the infrastructure owners and operators. Created CIAO to focus on initiatives that cut across industry sectors and are not the existing responsibility of the Lead Agencies –Ensure a cohesive approach to achieving continuity in delivering critical infrastructure services.

Executive Order Established the President’s Critical Infrastructure Protection Board, Expanded role of CIAO.

EO13231 Role of CIAO National Awareness and OutreachNational Awareness and Outreach Assist Federal Agencies to Identify Infrastructure DependenciesAssist Federal Agencies to Identify Infrastructure Dependencies National Strategy DevelopmentNational Strategy Development Education & Training CoordinationEducation & Training Coordination Address Legislative and Legal Obstacles; Potential Market FailuresAddress Legislative and Legal Obstacles; Potential Market Failures NIAC SupportNIAC Support

CIAO Organizational Relationships CIAO Director Secretary of Commerce Bureau of Industry and Security Special Advisor to the President for Cyberpsace Security President’s CIP Board Direction Oversight Funding EO Policy Outreach Policy MATRIX 

Eight Critical Infrastructures Government Operations Gas & Oil Storage and Delivery Banking and Finance Transportation Electrical Energy Emergency Services Critical Infrastructures Information Systems & Telecommunications Information Systems & Telecommunications Water Supply Systems PDD-63

New Sectors Post 9/11 Agriculture Food Delivery Chemical Manufacturing Others

Sectors are Interconnected and Interdependent Electric power generation  fuel  pipelines or rail transportation, Information and communications systems  electricity, and All sectors   “cyber” systems

Consequences of Interdependencies Disruptions in one sector affect others, Cascading consequences have effects well beyond the vicinity of the initial occurrence Regional and national disturbances

Infrastructure Ownership 85% - 90% of US critical infrastructures is owned and operated by the private sector or state and local government –Private sector is used to protecting critical infrastructures everyday disruptions, but is not prepared to cope with terrorist threats –The Federal government - no mandate or resources to protect critical infrastructure –Cyber systems cannot be protected by police or soldiers National policy achieved by public-private partnership –Business and government at the Federal, state, and local levels.

Critical Infrastructure Assurance Office (CIAO) Mission - facilitate and coordinate the Federal government’s efforts to safeguard its own critical systems and to act as a liaison between the Federal government and the private sector, and state and local governments to increase awareness and encourage concerted action to secure our nation’s critical infrastructures in the face of new emerging threats and vulnerabilities. Goal - help ensure that any disruptions are brief in duration, limited in impact, and quickly corrected.

Outreach Partnerships Private Sector With respected channels of communication and influence within business and state and local government to raise awareness and to develop implementable actions that become self-sustainable, and Cross-sector partnerships that identify and address common issues and interdependencies.

Corporate Senior Leadership Chief Executive Officers, Boards of Directors, Chief Operating Officers, Chief Financial Officers, and Chief Information Officers. –Key risk and business management communities were identified and engaged in partnerships to develop, and then deliver, educational programs designed to incorporate the principles of security into corporate governance and business management practices. –With communities such as the auditors, insurers and financial analysts, CIAO has worked to translate threats to critical infrastructure into business case models that corporate boards and senior management can understand.

Cross Sector Partnering Partnership for Critical Infrastructure Security (PCIS). –Satisfies a need for cross-industry dialogue and sharing of experience, beyond the scope of the Federal lead agencies’ efforts. –Organized by industry for industry, with CIAO acting as a catalyst and a participant. CIAO will be extending its cross-sector coordination activities through its support of the activities of the National Infrastructure Advisory Council (NIAC) –Thirty senior executives from private industry, academia, and state and local government who will advise the President on matters relating to the security of information systems.

Outreach Partnerships State and Local Government Similar to program for industry –Eg.: Emergency response planning and crisis management Develop and disseminate a “business case for action” with recommended actions to 87,000 communities across the country –Public Technology, Inc. (National League of Cities), –National Association of Counties, –International City/County Management Association. National Strategy for Cyberspace Security –National Governors Association (NGA), –National Association of State Chief Information Officers (NASCIO).

A New Type of Warfare The front lines of the new types of warfare, both physical and cyber, are clearly in our communities and in our individual institutions. State conferences –“Critical Infrastructures: Working Together in a New World”

Outreach Goals Create Information Sharing and Analysis Centers for intrusion monitoring networks Establish process to agree upon ‘Best or Recommended Practices’ for computer security in each sector Jointly develop an ‘Awareness and Education’ campaign

Infrastructure Security Analysis The Federal Government owns or operates a portion of the infrastructure –Typically those functions or services that the private sector can’t or won’t provide –Eg.: Weather forecasting, aviation control, and economic entitlements

Infrastructure Security Analysis Each Federal department and agency must identify: –Its essential functions and services and the critical assets responsible for their performance; –All associated dependencies on assets located in other departments and agencies that are necessary to performance or delivery; and –All associated dependencies on privately owned and operated critical infrastructures that also are essential to performance or delivery of services.

Project Matrix  Identify USG’s most critical assetsIdentify USG’s most critical assets Capture major nodes and networks upon which USG’s most critical assets dependCapture major nodes and networks upon which USG’s most critical assets depend Tie the most critical assets and their supporting nodes and networks to underlying infrastructuresTie the most critical assets and their supporting nodes and networks to underlying infrastructures “Provides a complete picture of asset dependencies and interdependencies ” Step 1: Step 2: Step 3:

Project Matrix  What is “Critical”? Responsibilities, assets, nodes and networks which if incapacitated or destroyed would: –Jeopardize the nation’s survival –Have a serious, deleterious effect on the nation at large –Adversely affect large portions of the American populace –Require near term, if not immediate, remediation (72 Hrs)

Project Matrix  Goals Function vs. consequences Develop a map of the Federal government’s critical national level interdependencies Recognize critical choke points Predict cascading effects

Federal Department and Agency Actions Complete the Step 2 & 3 analyses and send results to Project Matrix Develop and implement plans to manage the risks –Deter attacks –Protect from damage or destruction if attacks occur –Mitigate impact if protections fail –Restore & reconstitute Work with the owners and operators of privately owned and operated infrastructures – on mutually agreed upon terms – to ensure that adequate security measures are established and maintained.

Information Integration Program Office To improve the coordination of information sharing essential to combating terrorism nationwide Design and help implement an interagency information architecture that will support efforts to find, track, and respond to terrorist threats within the United States and around the world, in a way that improves both the time of response and the quality of decisions –create an essential information inventory; –determine horizontal and vertical sharing requirements; –define a target architecture for information sharing; and –determine the personnel, software, hardware, and technical resources needed to implement the architecture.

Integrated National Strategy for Critical Infrastructure Assurance Threats: –physical attacks against the “real property” components of the infrastructures; and –cyber attacks against the information or communications components that control these infrastructures. Office of Homeland Security (OHS) – “to develop and coordinate the implementation of a comprehensive national strategy to secure the United States from terrorist threats or attacks.” President’s Critical Infrastructure Protection Board - “ensur[ing] protection of information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems.” CIAO - coordinate and facilitate input from private industry, and state and local government to the national strategies

International Efforts Bilateral government-to-government and industry-to-industry visits both abroad and in the U.S. To share concerns, experiences, lessons learned, & methodologies Partnerships - Eg.: Watch and Warning Centers

International Partners Recent and on-going: –Canada, Great Britain, Australia, India, Italy, & Japan Near future: –Mexico, others…

Thank You Mike Lombard (202) Mike Lombard (202)