News

USIS Washington 
File

04 November 1998

TRANSCRIPT: JEFFREY HUNKER ON CRITICAL INFRASTRUCTURE PROTECTION

(From USIA electronic journal "U.S. Foreign Policy Agenda") (3130)



("The full support of the private sector" is vital in protecting U.S.
critical infrastructures against cyber attack, says Dr. Jeffrey A.
Hunker, Director of the Critical Infrastructure Assurance Office
(CIAO). "The threat that we are facing is a threat that's growing over
time," he says. "And so we need to respond with a sense of urgency and
produce real results very quickly to combat it." The following
interview is included in the November issue of the USIA electronic
journal "U.S. Foreign Policy Agenda," which addresses the topic,
"Cyberthreat: Protecting U.S. Information Networks." Hunker was
interviewed by journal Contributing Editor Susan Ellis.)


QUESTION: As director of CIAO you are charged with bringing together
an integrated national plan for addressing physical and cyberthreats
to the nation's communications, transportation, energy, and other
vital infrastructures. What is the key challenge you face as you carry
out your new responsibilities under this initiative announced by
President Clinton last May?


HUNKER: The key challenge that the president has recognized is that we
now live in a new era where there are threats that we have not faced
before. Specifically, we live in an age now where -- because
telecommunications and the Internet are so interconnected with the
electrical power system, our basic transportation and
telecommunications systems -- there is a vulnerability to disruption
of these systems by what we call cyber attack, using computers, using
the Internet to hack into systems and disrupt them, take them down.
Such an attack not only could interfere with, for example, military
operations, it also could disrupt any vital services that the economy
depends on and that Americans depend on -- such as electric power, use
of telephones, basic transportation services.


It's a completely new challenge that has evolved because of the
technology, the interconnectedness of the American economy. The basic
challenge that we're facing is one of educating Americans about this
new threat and of working with the business sector, key industries, to
ensure that we have the protections in place against these types of
cyber attacks.


Q: It really is completely new, isn't it?



HUNKER: Yes. We have in the past 10 years successfully wired together
the economic sectors of the nation, and that has brought great
benefits in terms of economic growth and the sort of prosperity that
America has enjoyed. But with that new prosperity also has come a new
vulnerability and -- whether it be nations or terrorist groups or
criminal cartels that wish us ill -- this new vulnerability that comes
from our dependence on electronic systems and information-based
systems is a new way in which we can be attacked.


Q: What agencies of the government are involved in the effort to
counter this threat, and how does your office work with them to carry
out your mission?


HUNKER: There are 11 major agencies in the federal government that the
president has charged to work together. Key ones include the Defense
Department and associated agencies; the intelligence community; and
law enforcement -- the Federal Bureau of Investigation, the Secret
Service, and the Department of Justice. And I think also very
important are the Commerce Department, the Treasury Department, and
the Transportation Department. They have all been asked to work
together in creating a national plan.


But even more important, they have been asked to work together with
the private sector. Because almost all of the so-called critical
infrastructures that are vulnerable to attack, in fact, are owned by
the private sector. And if we don't have the cooperation and the full
support of the private sector in developing this capability to protect
ourselves, we're not going to get very far.


Q: How will you measure the success of your mission?



HUNKER: That's difficult, because it's a new challenge, and because,
in many ways, the types of attacks and threats the president has asked
us to protect the nation against are evolving, are really new. In some
cases they haven't happened yet, and measuring success here is going
to be difficult. I think that one major measure of success is going to
be the extent to which the private sector -- the owners and operators
of the electric power grid, and our transportation and our banking and
finance sectors -- comes together and, with the government, develops
an action plan. We'll be able to measure how that partnership has been
formed within the next six months to a year. That's really the first
major measure of success.


Q: What time frame are you trying to meet?



HUNKER: It's a tight time frame because the threat that the president
is concerned about -- coordinated, sophisticated electronic attacks
against the nation's critical infrastructures -- is one that is out
there right now. The president has called for a national plan with an
initial capability to protect against the new types of cyber attacks
by the year 2000. And he has called for, by the year 2003, a full
operating capability to protect the nation. The threat that we are
facing is a threat that's growing over time. And so we need to respond
with a sense of urgency and produce real results very quickly to
combat it.


Q: I understand that you plan to have something ready in November.



HUNKER: That's right. Actually one of the very first steps that the
president called for in his announcement in May was that within six
months, which is the middle of November, agencies of the federal
government will have made important progress toward developing their
own plans to protect their own critical infrastructures. This means
that, among others, the Treasury Department and the Department of
Defense will have a process for establishing defenses to protect
themselves against electronic attack. Secondly, the president called
for us to have laid out the milestones for a larger national plan that
will involve working very closely with the private sector, integrating
the work of a number of different agencies, and bringing in the
university and research communities and the like; so there are many
different elements. We won't have the national plan in place in
November, but we will have established important milestones in terms
of building that national plan.


Q: How would you assess the nature and gravity of threats to U.S.
critical infrastructures, and what sectors are most vulnerable?


HUNKER: To understand the threat to, and the vulnerability of, U.S.
critical infrastructures, we really have to start with an
understanding of how the economy has developed. Over the past couple
of years, with the growth of the Internet, which is doubling in its
usage and size every 10 months, vital basic services that Americans
depend on -- things like electric power, our banking system, our
telecommunications system -- are all interconnected. Those systems are
the basis for economic growth and for supporting vital national
security missions, and they are all very vulnerable right now.


We had an instance early this year where, during the buildup in
response to Iraqi actions, there were indications that hackers were
breaking into sensitive Department of Defense computers. That concern
occupied the highest levels of government for several weeks while
people were examining the sources of this attack. Was it coming from
Iraq or its allies? It turned out that it was two teenage hackers in
the United States, supported by somebody in another country who was
giving them advice. But that gives you an indication in terms of the
sorts of vulnerabilities that we have.


A teenage hacker, again, in Massachusetts, took down a large portion
of the Massachusetts telephone network and in so doing actually made a
major airport electronically blind for a period of time, causing real
threats to the safety of air travel. If single hackers can do that
sort of damage, imagine what a sophisticated, organized attack that's
designed to take down major portions of our electric system or our
telecommunications system or break into sensitive computers could do.
That's the nature of the threat that we're dealing with. And there are
a lot of indications that suggest that people in other countries are
aware of, and are developing, this sort of offensive capability to
attack America electronically.


Q: As CIAO director, you are coordinating a national education and
awareness program. What is your message and how are you relaying it to
the citizens of the United States?


HUNKER: It's very important that, as we talk about education and
awareness, we consider two different messages. One is awareness. We
are dealing with a new age, and this is a new type of threat that has
only recently become the subject of a lot of concern. Therefore
awareness is clearly part of the message. I have been very pleased,
though, because -- in talking across the government at the Cabinet
level and very senior level -- people understand the nature of the
threat. And senior business leaders and senior university leaders
already understand this.


Our second message is: What can we do about this? And that's why we
are building the partnership between private industry and the
different parts of the government to take real action in the coming
months, and then obviously in the coming years, to respond to this.


Q: How would you describe the extent to which we have become dependent
on computers, not only in our personal lives but for the basic
functioning of our society?


HUNKER: Look in your house, look in any office that you use. What you
see is our dependence on electronic systems. We go to the bank and we
use the automatic teller machine; that's an electronic system that's
wired together nationally and internationally. Our electric power grid
is all being managed increasingly, in fact, using the Internet. Air
transport and railroads are all dependent on electronic systems. Even
companies that you don't think of as being computer or software
companies -- their operations and productivity depend on information
systems that are wired together.


It's estimated that between one third and one half of the economic
growth that this country has seen for the last couple of years, with
hundreds of thousands of jobs being created, is coming from electronic
commerce. This is the basis for our economic growth in the future;
it's also the basis for supporting our national security mission,
whether it be moving material and personnel around the world, or
whether it be in terms of collecting vital information and
intelligence on threats. This is all based at its core on these new
electronic systems.


Q: How are you working with the private commercial and industrial
sectors to enhance the protection of U.S. information and
communications networks?


HUNKER: Working very closely with the private sector is really core to
the goal and the mission that the president has set out. It may be
apocryphal, but it's pretty accurate that 90 to 95 percent of Defense
Department communications systems are in fact privately owned and
operated. It's vital. Unless we engage the private sector, we're not
going to get very far.


I am now involved in a series of meetings with other senior government
officials from different departments -- including the Treasury
Department and the Transportation Department -- and with private
sector leaders in the critical infrastructure industries of banking
and transportation, for example, as part of the collaborative effort
to build the partnership between government and the private sector.


In September I was in Charlotte, North Carolina, meeting with the
mayor and other city and county officials, as well as with the senior
executives from some of the major banks. Charlotte is the number two
banking center in the nation. And the purpose of my visit was to make
certain that the major banks in Charlotte are part of the partnership.


We have plans under way for a series of meetings later this fall that
will involve the president, the vice president, and the national
security adviser, together with the leaders of the electric power
sector, banking and finance sector, transportation and other critical
infrastructures to really further build this partnership.


It's a long process. Building partnerships, particularly in an area
where we haven't been working together before, doesn't happen
overnight. I have been very pleased, though, with the sort of response
and awareness and real cooperation that I have seen from CEOs (chief
executive officers), from chairmen, and from senior executives in all
of the industries that I have been working with.


Q: Is CIAO involved with university communities and programs to help
find improved ways to secure U.S. information and other critical
infrastructures?


HUNKER: The university community is going to be another important part
of the sort of partnership that we're dealing with. In fact, in
September, I personally met with the chancellors and deans of several
major universities -- the University of North Carolina, Purdue
University, the Massachusetts Institute of Technology, the University
of Virginia, just to name a few. And the reason is really twofold.
Right now in this country we have a vital shortage of computer
specialists and information technology specialists. And the threat of
cyber attack is simply going to increase the shortage that we're
facing. It's going to increase the demand for people who have
training. And it's going to be the universities that are at the front
line of training the sorts of people that we're going to need.


We're also going to need the sort of research and development that
will develop new solutions, develop new technologies for protecting
our information systems. And universities are going to be a key part
of that.


Q: As CIAO director, you have the responsibility to develop
legislative initiatives. How are you interacting with the U.S.
Congress and how do you assess the congressional impact on policies
and strategies related to CIAO objectives?


HUNKER: Working with Congress is a very important part of this agenda.
And I would say that congressional interest has been extremely high,
and Congress has been extremely supportive of addressing this new form
of terrorist or national security threat. I would anticipate that
there are going to be several major issues on which we're going to
continue to work with Congress, clearly in terms of resources.


As part of the work that we're doing, we're anticipating the president
will include in his fiscal year 2000 budget a major initiative for
protecting critical infrastructures. That will include resources for
research and development; it will include resources for new
initiatives to train information technology specialists, both for the
federal government and for the private sector, and perhaps other
initiatives. So support on the resources side is going to be very
important.


Congress also will be looking at the existing set of laws that deal
with computer security. A hacker often will go through a number of
different computers before he ends up finally at the computer that he
actually wants to break into. The way the law works right now, if you
want to track where that hacker has been -- and he has been in
different states -- you have to get different search orders from
judges all across the country to be able to do that work. We're going
to be working closely with the Congress to look at the sorts of legal
procedures and protections that now exist.


Q: Do you see the need for greater international collaboration and
cooperation in protecting key infrastructures, and if so, how can this
be achieved?


HUNKER: The international aspect is one that cuts through everything
associated with the cyber world. We're talking about a threat that can
come from overseas; it also can come domestically. But this sort of
threat doesn't necessarily require people to be close to the
institution or the infrastructure that they are attacking.


We had a situation in the past year where there was a hacker in
Germany who was in fact an Indian citizen, hacking into a financial
system in Miami in an attempt at extortion. So here we have two
countries and the citizens of three countries essentially involved in
an incident that was directly attacking a U.S. institution. It just
gives you a small example in terms of the international aspect of all
of this.


The President's Commission on Critical Infrastructure Protection
issued its report last year after looking for two years at this issue.
Its recommendations were key to the framework that the president
announced in May. It recognized the international dimension as being a
very important one.


The president has tasked the State Department to take the lead in our
discussions with other countries in terms of information-sharing and
in terms of the potential for new treaties or protocols for responding
to the sorts of terrorist or other attacks that might happen. We've
already had expressions of interest about this from a number of
countries. I've met personally with representatives of the Canadian
government and the Mexican government, and I know that discussions
have taken place in the context of NATO and other international
organizations about this issue.


So, there is a lot of interest, but we're at a very early stage in
terms of how the international agenda is going to be developing.


Another important issue is the overlap between the work to protect
against cyber attack -- whether it comes from organized crime or from
terrorist groups or from other nations -- and what's called the year
2000 (Y2K) computer problem. Y2K is different because we know exactly
when the problem is going to happen. And this is something that we did
to ourselves, because, years ago, computer programmers didn't factor
in that the year 2000 would have a different set of dates than the
year 1900. (Many older computer systems use only the last two digits
of a year to keep track of the date.)


But in many ways addressing the Y2K threat requires exactly the same
set of actions as protecting against cyber attack. Institutions,
companies, the federal government have to start by identifying what
systems they have and how are they interconnected, and then decide
which systems are the most important to protect and how to protect
them.


Another aspect of the year 2000 problem that overlaps with the threat
of cyber attack is the creation of a nationwide capability to respond
and rebuild systems if something goes wrong in the year 2000. That's
going to be the model for a nationwide capability to respond against
cyber attack as well. It will involve key industries, state and local
emergency responders, and the key parts of the federal government.
And, in fact, my office works very closely with John Koskinen, the
special adviser to the president for year 2000 issues, on various
aspects of this overlapping agenda for Y2K and cyber issues.