Index

Statement of the Honorable William A. Reinsch

Under Secretary of Commerce for Export Administration Before the
Subcommittee for Commerce, Justice, State, The Judiciary and Related
Agencies of the Senate Appropriations Committee

February 16, 2000

Mr. Chairman, I welcome this opportunity to appear before you to
discuss the Federal government's efforts to protect the nation's
critical infrastructures.

Inter-dependent computer networks are an integral part of doing
business in the Information Age. America is increasingly dependent
upon computer networks for essential services, such as banking and
finance, emergency services, delivery of water, electricity and gas,
transportation, and voice and data communications. New ways of doing
business in the 21st century are rapidly evolving. Business is
increasingly relying on E-commerce for its commercial transactions. At
the same time, recent hacking attempts at some of the most popular
commercial Web sites underscore that America's information
infrastructure is an attractive target for deliberate attack or
sabotage. These attacks can originate from a host of sources, such as
terrorists, criminals, hostile nations, or the equivalent of car thief
"joyriders." Regardless of the source, however, the potential for
cyber damage to our national security and economy is evident.

Protecting our critical infrastructures requires that we draw on
various assets of the government. When specific incidents or cyber
events occur, the government needs a capacity to issue warnings,
investigate the incident, and develop a case to punish the offenders.
The National Information Protection Center at the FBI is organized to
deal with such events as they occur.

Over the long term, the government also has a duty to be proactive to
ensure that our computer systems are protected from attack. Critical
infrastructure protection involves assets of both the government and
the private sector. A number of agencies have responsibilities with
respect

The Commerce Department, through its Critical Infrastructure Assurance
Office (CIAO), coordinated the development of the National Plan for
Information Systems Protection. President Clinton announced the
release of Version 1.0 of the Plan on January 7.

Another active area is the creation of the Partnership for Critical
Infrastructure Security. The Partnership is a collaborative effort
between industry and government. This undertaking brings
representatives of the infrastructure sectors together in a dialogue
with other stake holders, including the risk management and investment
communities, mainstream businesses, and state and local governments.
It complements the NIPC's focus on cyber-terrorism by encouraging
industry to collaborate on information security issues. Secretary
Daley and I met with senior members of Partnership companies in
December in New York. We will meet again next week in Washington,
D.C., with senior members of the Partnership companies in order to
encourage business leaders to adopt information security as an
important business practice.

CIAO also is assisting Federal agencies in conducting analyses of
their own dependencies on critical infrastructures. CIAO has just
finished an ambitious pilot program that identifies the critical
assets of the Commerce Department and maps out dependencies on
governmental and private sector infrastructures. This program will
provide important input to managers and security officials as they
seek to assure their critical assets against cyber attacks.

President Clinton has increased funding for critical infrastructure
substantially over the past three years, including a 15% increase in
his FY2001 budget to $2.01 billion. He has also developed and funded
new initiatives to defend the nation's systems from cyber attack.

The Clinton Administration has developed and provided full or pilot
funding for the following key initiatives designed to protect our
computer systems:

-- Establishing a permanent Expert Review Team (ERT) at NIST that will
help agencies conduct vulnerability analyses and develop critical
infrastructure protection plans. ($5 million).

-- Funding seven Public Key Infrastructure model pilot programs in
FY2001 at different Federal agencies. ($7 million).

-- Designing a Federal Intrusion Detection Network (FIDNET) to protect
vital systems in Federal civilian agencies, and in ensuring the rapid
implementation of system "patches" for known software defects. ($10
million).

-- Developing Federal R&D Efforts. R&D investments in computer
security will grow by 31% in the FY 2001 budget. ($606 million).

-- Establishing an Institute for Information Infrastructure
Protection. Building on a Science Advisory Panel recommendation, the
Institute is designed to fill gaps in both government and private
sector cyber-security R&D. ($50 million).

-- National Infrastructure Assurance Council (NIAC). The President
signed an Executive order creating this Advisory Council last year.
Its members are now being recruited from senior ranks of the
information technology industry, key sectors of the corporate economy,
and academia.

In addition, the President announced a number of new initiatives
designed to support efforts for enhancing computer security, including
a $9 million FY 2000 budget supplemental to jump-start key elements of
next year's budget. Among these was funding for NIST to create the
Institute for Information Infrastructure Protection (I3P).

Yesterday Secretary Daley met with the President and 25 senior
executives concerned about the recent disruptions to the Internet.
This meeting reinforced the need for further cooperation between
government and industry to help the private sector develop its action
agenda for cyber security. The incidents of the past week are not
cause for pushing the panic button, but they are a wake up call for
action. As the President said, "I think there is a way that we can
clearly promote security." The President has submitted a budget
proposal that funds a number of initiatives that address critical
information systems protection. If we are to reap the benefits of the
Information Age, we need to take action to maintain a secure business
environment in order to ensure both our national security and the
growth of our economy.