NSTAC XXIII Meeting - May 2000
Working Together to Obtain More Timely Infrastructure Protection Information
Remarks by Richard Clarke, National Coordinator for Security, Infrastructure Protection and Counter-Terrorism, before the President's National Security Telecommunications Advisory Committee (NSTAC) Business Session, Colorado Springs, Colorado, May 16, 2000.
Thank you, Van [Honeycutt, NSTAC Chairman]. Before I begin, let me just, on behalf of the President and the White House family in general, thank you, Van, for all your good service over the course of the last year in leading this group through a time of transition and a time of challenge. And let me just say how much we appreciate what you and the others have done over the course of the last year.
It gives me a great deal of pleasure to be here today because I'm actually a member of a persecuted minority that is unrecognized. And this minority very seldom dominates any agenda. But I look at the agenda today and I see that three of the four Government speakers are redheads, and I just want to say to [Lieutenant] General [David J.] Kelley [Manager, National Communications System] and to [Deputy Defense Secretary] Rudy [de Leon], "You're about my age, why is it still red?"
I know there's been a lot of questioning during the course of the morning and last night about what really is the role of NSTAC in the White House's view, and what is the role of NSTAC as differentiated from the new National Infrastructure Assurance Council (NIAC). So I thought before I talked substantively I would talk a little about how we see these two organizations, how the White House would like these two organizations to work to advise the President, the incumbent, and I assume whatever successor President.
The first thing is, they're both advisory panels to the President. And I think we in the Executive Office of the President, and by that I mean the NSC, OMB, the Science Advisor's Office, we in the Executive Office of the President have failed over the course of the last several years to provide the real-time linkage between the members of this advisory panel and the President.
You're important people, you've got a lot to do, your
time is precious, but you also have a wealth of experience and knowledge
and can tap into even broader bases of experience and knowledge.
We need, as was originally intended when NSTAC was created, to find
a way to tap on a regular basis into that experience and knowledge
in an organized way and in internet years, not in the old fashioned
annual pace that we've been doing.
We look to the NSTAC to give us advice about telecoms, but as your April report so eloquently proves, telecoms and the Internet have converged. The networks have converged, the technology has converged, so I think that in the future we need to say that we look to NSTAC for advice not only on telecoms but also on this new converged network.
We look to the National Infrastructure Assurance Council, the NIAC, which will meet for the first time in about a month, to provide us with advice on the other infrastructures: banking and finance, pipelines, railroad systems, the other things that are equally vulnerable to attacks on the internet, to attacks on the telecom base, but which have their own unique problems.
We would like the two groups to work in parallel and
coordinate their efforts. And so we are structuring the membership
of the two groups so that the NSTAC will continue to have its historical
focus on telecom, and now, the Internet. And the NIAC will have
the focus on the other infrastructures. But there will be key members
and key corporations that sit on both groups and provide the crosswalk
to do the coordination that is necessary.
How do we go back to the original intent of getting the NSTAC to provide advice to the President in a timely way? What I'd like to propose that you all think about is to change the way we do business. Change even your bylaws so that if we in the Government form a committee consisting of members of the Executive Office of the President, OMB, NSC, OSTP, also consisting of the Commerce Department, which has an increasingly important role in this entire infrastructure protection challenge, as well as your Defense Department colleagues, that committee on the Government's side could meet virtually through telecommunications, through teleconferencing, and as Rudy said, we can even do secure teleconferencing, on a more regular basis to tell the leadership of this organization what the challenges are that we face in the Government, what we are seeing. Not on an annual basis, but on a more frequent basis.
And then the advisory committee [NSTAC] could, under
its leadership, decide to create ad hoc task forces, not a regular
standing group with a bureaucracy, but rather ad hoc task forces
with the right people for the right study that could come back relatively
quickly with advice to the President, to the White House, to the
Defense Department. And then those task forces could go away. They
would have a sunset provision so that we don't create a big standing
bureaucracy. I'd be pleased to work with you on bringing more detail,
more granularity to that idea because I think we do need your advice
in a more regular, more frequent and more immediate way as we move
ahead.
Let me now suggest four areas where we need your advice in the relatively near future. The first, taking a page from your April report on convergence, is the vulnerability of our converged networks. I have Wired magazine with me and I was thumbing through it yesterday on the 9-hour flight from Washington and discovered it has a centerfold this month. No, it's not any of the CEOs. It's a map of our new fiber-optics network around the country -- 17.5 million miles of fiber-optic network around the country. Nobody, except perhaps Wired, knows where all of that is.
The NCS [National Communications System] has been trying, with the help of Booz-Allen [and Hamilton], and Mike McConnell, to develop a real-time database that shows where all of the telecom wires are -- the major backbone, the major trunk lines, the fiber-optic leads and the key nodes, the Internet nodes like "Mae East" and "Mae West," and the "telecom hotels." But we do not have it at the level of granularity that others have. This is an unclassified session, so let me just say in a general way that we have reason to believe others are also mapping our network, and it's not just Wired magazine. And they are looking for points of vulnerability.
Many of you have advertised for years that your SONET rings cannot go down, that no matter what the challenge, what the failure, you will provide telecommunications support. I know we all believe that, and NSA believed it and NRO believed it, and yet as Rudy pointed out, last January -- at the beginning of January -- NRO, the National Reconnaissance Office, was unable to provide imaging satellite support to the Defense Department and national leadership.
For several days we were blind because now we have
just one electro-optical imaging system. And even though everyone
was assured it was redundant and reliable, it wasn't. And at the
end of that same month, NSA had a failure in its system to provide
to the intelligence community, to DOD and to the national leadership,
signals intercept technology upon which everything we do is based.
When you do these continuity exercises you always
try to make it difficult and in the exercise you throw in assumptions
that make things even harder than normal. And NSA had one of those
days. When it had its failure it was in the middle of a blizzard.
A blizzard that made it impossible for people to fly in to fix the
failure and so the failure went on and on and on. And so in January,
the national leadership at various points, the Defense Department,
the White House, the CIA were deaf at one point and blind in another
point. I think that means we were dumb overall.
If NRO and NSA can fail from single points of vulnerability
that we didn't know were there, let me suggest that it is possible
that our converged networks, our 17.5 million miles of fiber optics
can fail as well. We don't know where the single points of failure
are yet, but being cocky and reassuring ourselves that it can't
happen is a recipe for disaster. I'd like to challenge the NSTAC
to take the database that the National Communications System and
Booz-Allen and Hamilton have developed and refine it and make it
real-time.
You all know that database should be changing every
day. The fiber-optic lines are running up the streets of every city
every day. The network is changing every day. You're trading broadband
every day. We need to know where the network really is and then
we need to develop a template for defining the types of failure
that can occur. Physical attacks and cyber attacks.
What if half a dozen key nodes were blown up? Do we
even know at this point over what bridge over the Mississippi or
the Colorado all these lines are going? In some cases I think we
do not know how critical certain tunnels are, certain bridges are,
certain "telecom hotels" are. And it's not crazy to think
of physical attacks.
As I've been going around the country talking about this, I keep referring to the book, The KGB Files; it's the story of Mr. Mitrokhin, the KGB librarian. Every day during the lunch hour he would copy out in handwriting the text of some interesting intelligence file. He knew if he used the copying machine that he'd be caught. He copied it out by hand and put it in his sock because he knew if he put it in his briefcase he'd be caught.
And over the course of several years he brought out trunk loads, steamer trunk loads, filled with interesting classified KGB documents, and we now know from looking at those documents that the Soviet Union had a plan, in case of a period of tension with the United States, to introduce covertly into the United States special forces that would have small satchel bombs and would go after key telecom vulnerabilities, and pipelines and bridges -- it wasn't just telecom.
But if the Soviet Union thought seriously in the '60s and '70s and into the '80s of physical attacks on our networks, why do we think that our future enemies, and we will have future enemies, whether they're nation-states or terrorist groups, why do we think that they won't do that as well? Our future enemies can combine a cyber attack on key points of failure, key vulnerabilities, with a physical attack. You need as a group to think about how you would do that if you were they. Because I suggest that you will find, whether it's in the signal switches, whether it's in routers, whether it's in the "telecom hotel," or a few key bridges, you will find, I suspect, that there is a combination of things that could be done that could be very fatal to our new converged networks.
The second thing I'd like to challenge you to think
about as a group and give us advice on is Information Sharing. We've
been able to establish an Information Sharing Center for the banking
industry. Thirteen banks representing almost 80 percent of the assets
of the United States formed a limited liability corporation and
formed a computer defense center, which SAIC is managing. We're
trying to get other sectors of the economy to do that as well. The
NCC has become, in effect, a telecom center, similar to the banking
and finance center.
We'd like the IT industry, separate and apart from
telecom, to form a similar center and many of you have been working
on that challenge for months. The President made clear in his February
meeting with many of you during the e-commerce attacks that he values
that as well. But we have to create these centers in every sector
of the economy -- railroads, pipelines.
And then we have to figure out how to exchange information
because although we have a few telecoms working with these bank
and finance centers, the information flow isn't working very well.
The Government isn't providing you, industry groups, with useful
information. Information flow is going well among the banks but
the government isn't providing information usefully to the banks.
We need your advice about how we can provide that
information in a trusted way, in a real-time way. To whom do we
provide it? What type of information? And we need, in doing all
of this, to ensure that your information is protected. Information
Sharing Centers are not designed for the Government to get information
from industry. Let me say that again because a lot of people don't
believe me. Our proposal for Information Sharing Centers is not
designed for industry groups to give information to the Government.
It's designed for the other way around, for information to flow
from the government to the industry groups.
The third thing we need your advice and assistance on is, and Rudy's already alluded to this, the training and scholarship problem. We have a variety of different numbers about where the shortfall is in trained personnel. ITAA [Information Technology Association of America] and Harris Miller is here. ITAA has just issued a very good study on the shortfall in IT personnel; it's enormous, and so the H-1B visa issue is up again. And we may be forced again to solve our national problem by going to India and Pakistan and other countries.
But we can't do that with security. The shortfall in IT personnel is even more acute with IT security personnel. The President proposed last year and has proposed again this year the creation of an ROTC-like program where students would go to graduate school or even undergraduate school and get degrees specializing in IT security, and the Government would pay for that education in exchange for an obligation to work for the Government for a limited period of time, after which you will hire them. That's one of the ways we can compete with you, if we offer that scholarship program.
But that scholarship program did not get approved
by the Congress last year. It has not yet been approved by the Congress
this year. And if that plan is not going to fly, if that's not going
to stimulate the marketplace of higher education to do more in the
way of teaching IT security, then we need to hear another idea.
If the industry groups, if the colleges are not going to support
this idea with enough momentum to get it passed through the Congress
then you all have to come up with something better because it is
not sufficient for us as a nation to say that we're just going to
wait and somehow IT security personnel will fall from the sky to
fill the tens of thousands of vacancies. So we need your support
and we need your ideas about how to address that acute problem.
And finally, the President did issue a National Plan
to defend American cyber space in January. John Tritak from the
Critical Infrastructure Assurance Office, the CIAO office, led the
development of that plan and he and I and others are now going across
the country distributing it and having hearings and open discussions
about it. We called it Version 1.0. We did that intentionally. The
subtitle of the national plan is "An Invitation to a Dialogue."
It is a very good plan, I think, for a first draft for protecting Government systems. It is a very poor first draft for protecting private systems in the economy, and therefore we need advice about how to rewrite it to make it reflect reality about how we can seriously defend privately-owned and operated infrastructure. We would like to issue Version 2.0 before this Administration leaves office, but to do that we need input from the private sector on how to improve that part of the plan which so badly needs improvement, the discussion of the private sector.
So far, our attempts in the private sector have been to avoid regulation and instead to jawbone, to try to persuade each sector of the economy one by one to do the right thing. But unlike Y2K, what the right thing is isn't entirely obvious. With Y2K we could tell you what you have to do -- change 2 digits to 4. Very simple. With cyber security, it's not obvious. And so we've been asking various groups to develop "best practices" so that "defense in depth" doesn't just mean "the firewall," but it means a detailed series of things that have to be done and updated on a regular basis -- best practices and standards.
Now in addition to jawboning in the marketplace, we've
tried to stimulate the marketplace. Maybe this is a little dirty
pool but we have gone, I will tell you with all frankness, to the
internal auditors and we've gone to the insurance companies and
we're saying to the insurance companies and internal auditors, you
all need to develop standards. The corporate board members.
We have a program now where we're having regional meetings in five regions throughout the country to meet with members of the National Association of Corporate Directors. We explain to them their personal interest and perhaps their personal liability as a result of cyber security. And with the insurance companies, we're explaining to them what their corporate board member insurance policies cover and what they don't. What continuity of operations covers and what it doesn't. And there are now insurance companies that are beginning to provide policies for continuity of operations, for information security, but contingent upon a set of standards, a set of "best practices." The internal auditors are now attempting to develop that same set of standards and best practices so that when they audit for an annual report they will be auditing against a standard of cyber security. It's not Government regulation, but it may be more effective.
We need your ideas. So let me in summary talk about the four things that, speaking from the White House, we would like the NSTAC's help on. One, having a real up-to-date vision of where the networks are, where the nodes are, and where the vulnerabilities are. Two, finding a way to share information with the various Computer Defense Centers in the various sectors of the economy. Three, either promoting the President's plan for a Cyber Corps Scholarship Program to begin to stimulate the higher education marketplace to train IT security personnel, or coming up with a better plan. And four, comments on the National Plan to Defend American Cyber Space, focusing in particular on the private sector part of that plan. That's a lot of work to do.
If you want to know what we think is relevant,
what we would value, what the President would value, that's our
agenda. I hope it becomes your agenda.
Published for internal information use by the National Communications System. Parenthetical entries are speaker/author notes; bracketed entries are editorial notes. This material is in the public domain and may be reprinted without permission.