National Communications System
The NSTAC XXIV Focus: Network Convergence, The National Plan for Information System Protection, and Industry-Government Information Sharing
Remarks by Daniel P. Burnham, Chairman, President and Chief Executive Officer of Raytheon Company, as Chair of the President’s National Security Telecommunications Advisory Committee (NSTAC) during the NSTAC XXIV Business Session, Washington, D.C., June 6, 2001.
Thank you, Dick [Richard Clarke, National Security Council’s National Coordinator for Security, Infrastructure Protection and Counter-terrorism]. Let me now talk about what we've been doing in the last year in at least the current go-forward plan -- but, again, this go-forward plan is to be defined and refined as a result of our work today. The thrust of our work over the past year is really based on the discussions that we all had in Colorado Springs [Colorado during NSTAC XXIII] a year ago. In addition to that set of priorities, [Lt.] Gen. [Harry D.] Raduege [Manager, National Communications System] asked us to look into delays in the Government's ability to obtain the last mile bandwidth for National Security and Emergency Preparedness in more remote locations.
I'm going to focus now on three of the most important topics that we've examined over this last cycle of NSTAC -- network convergence, the National Plan For Information System Protection, and industry and Government information sharing. Our discussions today really are on these key topics that will lead us then to the next steps in these areas, and we can look forward to expanding our work in these or other important security arenas.
The first topic is convergence. It refers, I'm sure most of you know, to the network evolution during which traditional circuit switched networks and Internet Protocol, or IP, based data networks will co-exist and interoperate to enable end-to-end transmission of voice communications until packet-based networks subsume circuit-switched networks.
Eventually, the network infrastructure will consist of a packet-based next generation network that's broadband diverse and scalable. We -- really, with the tremendous help of the IES -- examined possible National Security and Emergency Preparedness implications of the evolving public network infrastructure. Specifically, the team analyzed converged network security vulnerabilities, the realistic possibility of widespread network outages, to Dick's point, and also a tremendous effort was to look at standards development efforts to support the whole NS/EP priority requirements in the converged network -- who gets to it first. Analysis of these topics addressed concerns expressed by lots of important Government officials -- Dick and [Dr.] Neal Lane, who was formerly Director of Office of Science and Technology Policy, regarding these issues. The study found that traditional public switched network is, indeed, becoming increasingly vulnerable -- and we'll hear some more about it -- as a result of convergence. The open environment packet networks provides, I think we all know, ample opportunities for hackers and adversaries to gain access to, and manipulate, and then steal sensitive information transmitted via the public switched network. The other option of the intelligent network -- of the public switched network with packet networks -- then presents additional vulnerabilities. Specifically, we [NSTAC] all said that we're concerned about the lack of security guidelines and security mechanisms within the industry for converged networks, and I think -- at least I believe -- those matters will warrant further NSTAC attention. NSTAC also participated in a recent National Coordinating Center for Telecommunications [NCC] exercise, which examined whether there was, indeed, a single point of failure in the converged network that would lead to a national level disruption of service. 
Now, based at least on that analysis, at the moment the belief is that such an event is unlikely -- not impossible, but unlikely. Participants found it more plausible that any potential single points of failure would have only local or maybe last mile impacts – [a] big deal if you're impacted, however. Preventative and remediation measures would require then end-user coordination with carriers to ensure that vital services can be acquired via alternative network paths. Based on the NSTAC studies then, NSTAC recommends again -- because it's been recommended before -- that the Government specify network security requirements in the contracts it lets to help ensure the reliability of NS/EP communications, and then work to ensure that standard bodies like NIST [National Institute of Standards and Technology] consider NS/EP communications requirements. In this past cycle, we supported the efforts of the NCS – [the] National Communication System -- to identify requirements then for priority communications in packet networks, and we encourage the Government to continue working with industry for implementing standards in this environment, how the standards and services will be deployed, and then how supporting service level agreements need to be developed. Additionally, we stated that we felt that both Government and industry should utilize the National Coordinating Center, or NCC, for [the] telecommunications Information Sharing and Analysis Center, called ISACs, to facilitate the sharing of network vulnerability data. Lastly, we recommended that the Government continue to plan and participate in exercises that examine vulnerabilities in the emerging public network, and their potential NS/EP implications both in the U.S. which is traditional, and now increasingly abroad as we become global.
Now, the potential vulnerabilities of the network convergence on NS/EP services was the topic of discussion at the Fourth R&D [Research and Development] Exchange in September of 2000, which we co-sponsored with the White House. In particular, the discussion at the R&D Exchange focused on how do you fund -- Craig's [Craig Mundie, Microsoft Corporation representative to NSTAC] point -- Government programs to encourage study in computer security, the need to increase funding to facilitate the certification of Information Assurance Centers of Excellence, the development of tax credits and financial incentives to encourage R&D in security technologies, how to encourage State and local Government participation in critical information protection partnerships, and then the need to invest in R&D programs that encourage development of best practices in next generation network security. Next, I want to address two important topics that Dick raised with us and we'll continue to discuss throughout the day -- information sharing between industry and Government to further our nation's critical infrastructure protection initiatives, and then the development of a national plan for information systems protection. As many of you know, the Presidential Decision Directive, PDD 63, envisions a comprehensive national strategy for critical information protection, which is outlined in the National Plan for Information Systems Protection. As I was saying in my opening comments, we can expect a lot more effort on that in light of the President and Vice President's comments this morning. Our principal activity was providing NSTAC input to the second version of the National Plan, which we submitted in April and you would have all seen. NSTAC recommended strategies for the sharing of critical infrastructure protection information. 
Specifically, we assert that NSTAC's work can serve as a baseline for intensifying the dialogue between industry and Government on the threats to the Nation's infrastructure and how best to protect it. Specifically, we know that threats to the Nation's infrastructure transcend national boundaries; therefore, we're now recommending that the National Plan incorporate a global focus. At the NSTAC XXIII meeting in Colorado last year, we discussed industry concerns that sensitive and proprietary data voluntarily shared by industry for critical infrastructure protection purposes could potentially be disclosed under FOIA -- Freedom of Information Act. So, last August, we sent a letter to the President to recommend that legislation exempting such information from disclosure under FOIA be supported. That still needs to be done. FOIA is just one barrier to information sharing, though. NSTAC has expressed concerns in the past about the disclosure of information regarding vulnerabilities or intrusion incidents [that] may potentially provide the grounds for the wonderful plaintiffs' bar for liability claims, even if a company's customer wasn't even harmed by those vulnerabilities. These concerns, we think, must be jointly addressed by industry and Government, and might get a little more support with this administration [Bush Administration]. NSTAC examined some possible law enforcement restrictions to information sharing and, during the Executive Session discussions last year, the Principals noted that in many cases victims of network intrusion were discouraged by law enforcement officials from sharing information about their cases so as not to jeopardize the prosecution of any such offenses, but senior DOJ [Department of Justice] officials reported that no law at least prohibits victims from sharing intrusion information, and stated that they would work within the community, law enforcement community, to encourage the sharing of such data via the appropriate forums.
Now, based on our work this past cycle, I think we can anticipate undertaking several initiatives … to build on this work but, again, it's up to us all to decide on it. This would include exploring network convergence with a focus on NS/EP, especially with the convergence of wireless data networks. To conduct further R&D exchanges maybe with more emphasis and more oomph, i.e., more money, which will focus on strategies for increasing the number of qualified information technology security professionals. I don't know about you, but we don’t have enough to meet this next generation of security challenges. Then complete the study that we were asked to do by the White House and the NCS on examining the provisioning of bandwidth for the last mile, and then I would say to reaffirm the requirement for standards … with industry and, among others, NIST working together to see that this gets done. And we're also going to consider our discussions from today's meetings in developing the work plan for the coming cycle.
Let me now acknowledge again what I think is really outstanding work of the Industry Executive Subcommittee [IES], which has supported our activities over the last year. They really are our representatives for giving advice to the President, and let me lead a round of applause from the Principals to the members of the IES. Thank you very much. And my thanks to each of you for participating in today's meeting and for what I know will be a free and unbridled exchange.
Reviewed December 07, 2006