"The full support of the private sector" is vital in protecting U.S. critical infrastructures against cyber attack, says Dr. Jeffrey A. Hunker, Director of the Critical Infrastructure Assurance Office (CIAO). "The threat that we are facing is a threat that's growing over time," he says. "And so we need to respond with a sense of urgency and produce real results very quickly to combat it." Hunker was interviewed by Contributing Editor Susan Ellis.
Question: As director of CIAO you are charged with bringing together an integrated national plan for addressing physical and cyberthreats to the nation's communications, transportation, energy, and other vital infrastructures. What is the key challenge you face as you carry out your new responsibilities under this initiative announced by President Clinton last May?
Hunker: The key challenge that the president has recognized is that we now live in a new era where there are threats that we have not faced before. Specifically, we live in an age now where -- because telecommunications and the Internet are so interconnected with the electrical power system, our basic transportation and telecommunications systems -- there is a vulnerability to disruption of these systems by what we call cyber attack, using computers, using the Internet to hack into systems and disrupt them, take them down. Such an attack not only could interfere with, for example, military operations, it also could disrupt any vital services that the economy depends on and that Americans depend on -- such as electric power, use of telephones, basic transportation services.
It's a completely new challenge that has evolved because of the technology, the interconnectedness of the American economy. The basic challenge that we're facing is one of educating Americans about this new threat and of working with the business sector, key industries, to ensure that we have the protections in place against these types of cyber attacks.
Q: It really is completely new, isn't it?
Hunker: Yes. We have in the past 10 years successfully wired together the economic sectors of the nation, and that has brought great benefits in terms of economic growth and the sort of prosperity that America has enjoyed. But with that new prosperity also has come a new vulnerability and -- whether it be nations or terrorist groups or criminal cartels that wish us ill -- this new vulnerability that comes from our dependence on electronic systems and information-based systems is a new way in which we can be attacked.
Q: What agencies of the government are involved in the effort to counter this threat, and how does your office work with them to carry out your mission?
Hunker: There are 11 major agencies in the federal government that the president has charged to work together. Key ones include the Defense Department and associated agencies; the intelligence community; and law enforcement -- the Federal Bureau of Investigation, the Secret Service, and the Department of Justice. And I think also very important are the Commerce Department, the Treasury Department, and the Transportation Department. They have all been asked to work together in creating a national plan.
But even more important, they have been asked to work together with the private sector. Because almost all of the so-called critical infrastructures that are vulnerable to attack, in fact, are owned by the private sector. And if we don't have the cooperation and the full support of the private sector in developing this capability to protect ourselves, we're not going to get very far.
Q: How will you measure the success of your mission?
Hunker: That's difficult, because it's a new challenge, and because, in many ways, the types of attacks and threats the president has asked us to protect the nation against are evolving, are really new. In some cases they haven't happened yet, and measuring success here is going to be difficult. I think that one major measure of success is going to be the extent to which the private sector -- the owners and operators of the electric power grid, and our transportation and our banking and finance sectors -- comes together and, with the government, develops an action plan. We'll be able to measure how that partnership has been formed within the next six months to a year. That's really the first major measure of success.
Q: What time frame are you trying to meet?
Hunker: It's a tight time frame because the threat that the president is concerned about -- coordinated, sophisticated electronic attacks against the nation's critical infrastructures -- is one that is out there right now. The president has called for a national plan with an initial capability to protect against the new types of cyber attacks by the year 2000. And he has called for, by the year 2003, a full operating capability to protect the nation. The threat that we are facing is a threat that's growing over time. And so we need to respond with a sense of urgency and produce real results very quickly to combat it.
Q: I understand that you plan to have something ready in November.
Hunker: That's right. Actually one of the very first steps that the president called for in his announcement in May was that within six months, which is the middle of November, agencies of the federal government will have made important progress toward developing their own plans to protect their own critical infrastructures. This means that, among others, the Treasury Department and the Department of Defense will have a process for establishing defenses to protect themselves against electronic attack. Secondly, the president called for us to have laid out the milestones for a larger national plan that will involve working very closely with the private sector, integrating the work of a number of different agencies, and bringing in the university and research communities and the like; so there are many different elements. We won't have the national plan in place in November, but we will have established important milestones in terms of building that national plan.
Q: How would you assess the nature and gravity of threats to U.S. critical infrastructures, and what sectors are most vulnerable?
Hunker: To understand the threat to, and the vulnerability of, U.S. critical infrastructures, we really have to start with an understanding of how the economy has developed. Over the past couple of years, with the growth of the Internet, which is doubling in its usage and size every 10 months, vital basic services that Americans depend on -- things like electric power, our banking system, our telecommunications system -- are all interconnected. Those systems are the basis for economic growth and for supporting vital national security missions, and they are all very vulnerable right now.
We had an instance early this year where, during the buildup in response to Iraqi actions, there were indications that hackers were breaking into sensitive Department of Defense computers. That concern occupied the highest levels of government for several weeks while people were examining the sources of this attack. Was it coming from Iraq or its allies? It turned out that it was two teenage hackers in the United States, supported by somebody in another country who was giving them advice. But that gives you an indication in terms of the sorts of vulnerabilities that we have.
A teenage hacker, again, in Massachusetts, took down a large portion of the Massachusetts telephone network and in so doing actually made a major airport electronically blind for a period of time, causing real threats to the safety of air travel. If single hackers can do that sort of damage, imagine what a sophisticated, organized attack that's designed to take down major portions of our electric system or our telecommunications system or break into sensitive computers could do. That's the nature of the threat that we're dealing with. And there are a lot of indications that suggest that people in other countries are aware of, and are developing, this sort of offensive capability to attack America electronically.
Q: As CIAO director, you are coordinating a national education and awareness program. What is your message and how are you relaying it to the citizens of the United States?
Hunker: It's very important that, as we talk about education and awareness, we consider two different messages. One is awareness. We are dealing with a new age, and this is a new type of threat that has only recently become the subject of a lot of concern. Therefore awareness is clearly part of the message. I have been very pleased, though, because -- in talking across the government at the Cabinet level and very senior level -- people understand the nature of the threat. And senior business leaders and senior university leaders already understand this.
Our second message is: What can we do about this? And that's why we are building the partnership between private industry and the different parts of the government to take real action in the coming months, and then obviously in the coming years, to respond to this.
Q: How would you describe the extent to which we have become dependent on computers, not only in our personal lives but for the basic functioning of our society?
Hunker: Look in your house, look in any office that you use. What you see is our dependence on electronic systems. We go to the bank and we use the automatic teller machine; that's an electronic system that's wired together nationally and internationally. Our electric power grid is all being managed increasingly, in fact, using the Internet. Air transport and railroads are all dependent on electronic systems. Even companies that you don't think of as being computer or software companies -- their operations and productivity depend on information systems that are wired together.
It's estimated that between one third and one half of the economic growth that this country has seen for the last couple of years, with hundreds of thousands of jobs being created, is coming from electronic commerce. This is the basis for our economic growth in the future; it's also the basis for supporting our national security mission, whether it be moving material and personnel around the world, or whether it be in terms of collecting vital information and intelligence on threats. This is all based at its core on these new electronic systems.
Q: How are you working with the private commercial and industrial sectors to enhance the protection of U.S. information and communications networks?
Hunker: Working very closely with the private sector is really core to the goal and the mission that the president has set out. It may be apocryphal, but it's pretty accurate that 90 to 95 percent of Defense Department communications systems are in fact privately owned and operated. It's vital. Unless we engage the private sector, we're not going to get very far.
I am now involved in a series of meetings with other senior government officials from different departments -- including the Treasury Department and the Transportation Department -- and with private sector leaders in the critical infrastructure industries of banking and transportation, for example, as part of the collaborative effort to build the partnership between government and the private sector.
In September I was in Charlotte, North Carolina, meeting with the mayor and other city and county officials, as well as with the senior executives from some of the major banks. Charlotte is the number two banking center in the nation. And the purpose of my visit was to make certain that the major banks in Charlotte are part of the partnership.
We have plans under way for a series of meetings later this fall that will involve the president, the vice president, and the national security adviser, together with the leaders of the electric power sector, banking and finance sector, transportation and other critical infrastructures to really further build this partnership.
It's a long process. Building partnerships, particularly in an area where we haven't been working together before, doesn't happen overnight. I have been very pleased, though, with the sort of response and awareness and real cooperation that I have seen from CEOs (chief executive officers), from chairmen, and from senior executives in all of the industries that I have been working with.
Q: Is CIAO involved with university communities and programs to help find improved ways to secure U.S. information and other critical infrastructures?
Hunker: The university community is going to be another important part of the sort of partnership that we're dealing with. In fact, in September, I personally met with the chancellors and deans of several major universities -- the University of North Carolina, Purdue University, the Massachusetts Institute of Technology, the University of Virginia, just to name a few. And the reason is really twofold. Right now in this country we have a vital shortage of computer specialists and information technology specialists. And the threat of cyber attack is simply going to increase the shortage that we're facing. It's going to increase the demand for people who have training. And it's going to be the universities that are at the front line of training the sorts of people that we're going to need.
We're also going to need the sort of research and development that will develop new solutions, develop new technologies for protecting our information systems. And universities are going to be a key part of that.
Q: As CIAO director, you have the responsibility to develop legislative initiatives. How are you interacting with the U.S. Congress and how do you assess the congressional impact on policies and strategies related to CIAO objectives?
Hunker: Working with Congress is a very important part of this agenda. And I would say that congressional interest has been extremely high, and Congress has been extremely supportive of addressing this new form of terrorist or national security threat. I would anticipate that there are going to be several major issues on which we're going to continue to work with Congress, clearly in terms of resources.
As part of the work that we're doing, we're anticipating the president will include in his fiscal year 2000 budget a major initiative for protecting critical infrastructures. That will include resources for research and development; it will include resources for new initiatives to train information technology specialists, both for the federal government and for the private sector, and perhaps other initiatives. So support on the resources side is going to be very important.
Congress also will be looking at the existing set of laws that deal with computer security. A hacker often will go through a number of different computers before he ends up finally at the computer that he actually wants to break into. The way the law works right now, if you want to track where that hacker has been -- and he has been in different states -- you have to get different search orders from judges all across the country to be able to do that work. We're going to be working closely with the Congress to look at the sorts of legal procedures and protections that now exist.
Q: Do you see the need for greater international collaboration and cooperation in protecting key infrastructures, and if so, how can this be achieved?
Hunker: The international aspect is one that cuts through everything associated with the cyber world. We're talking about a threat that can come from overseas; it also can come domestically. But this sort of threat doesn't necessarily require people to be close to the institution or the infrastructure that they are attacking.
We had a situation in the past year where there was a hacker in Germany who was in fact an Indian citizen, hacking into a financial system in Miami in an attempt at extortion. So here we have two countries and the citizens of three countries essentially involved in an incident that was directly attacking a U.S. institution. It just gives you a small example in terms of the international aspect of all of this.
The President's Commission on Critical Infrastructure Protection issued its report last year after looking for two years at this issue. Its recommendations were key to the framework that the president announced in May. It recognized the international dimension as being a very important one.
The president has tasked the State Department to take the lead in our discussions with other countries in terms of information-sharing and in terms of the potential for new treaties or protocols for responding to the sorts of terrorist or other attacks that might happen. We've already had expressions of interest about this from a number of countries. I've met personally with representatives of the Canadian government and the Mexican government, and I know that discussions have taken place in the context of NATO and other international organizations about this issue.
So, there is a lot of interest, but we're at a very early stage in terms of how the international agenda is going to be developing.
Another important issue is the overlap between the work to protect against cyber attack -- whether it comes from organized crime or from terrorist groups or from other nations -- and what's called the year 2000 (Y2K) computer problem. Y2K is different because we know exactly when the problem is going to happen. And this is something that we did to ourselves, because, years ago, computer programmers didn't factor in that the year 2000 would have a different set of dates than the year 1900. (Many older computer systems use only the last two digits of a year to keep track of the date.)
But in many ways addressing the Y2K threat requires exactly the same set of actions as protecting against cyber attack. Institutions, companies, the federal government have to start by identifying what systems they have and how are they interconnected, and then decide which systems are the most important to protect and how to protect them.
Another aspect of the year 2000 problem that overlaps with the threat of cyber attack is the creation of a nationwide capability to respond and rebuild systems if something goes wrong in the year 2000. That's going to be the model for a nationwide capability to respond against cyber attack as well. It will involve key industries, state and local emergency responders, and the key parts of the federal government. And, in fact, my office works very closely with John Koskinen, the special adviser to the president for year 2000 issues, on various aspects of this overlapping agenda for Y2K and cyber issues.
U.S. Foreign Policy
USIA Electronic Journal, Vol. 3, No. 4, November 1998