Industry Executive Subcommittee Report to the President's NSTAC

Thank you, Mr. Chairman [Van B. Honeycutt] and good morning ladies and gentlemen. I am pleased to brief you on the work of your Industry Executive Subcommittee from this past NSTAC cycle. We have been busy this past year. Major key issue areas continued from previous cycles representing an important and significant work in progress level of effort. During this presentation, I’d like to present a high-level overview of our activities since the last NSTAC XXII meeting and highlight the recommendations to the President in the reports you recently approved. I will also note some of the issues and activities that continue to call for NSTAC attention and participation.

Before addressing these key issues and activities, I’d like to acknowledge the contributions of the IES members and their industry and government colleagues this past cycle. In addition to the IES members shown on this slide [slide not available], there are many other contributors to our work from both the public and private sectors. Each report to NSTAC XXIII contains a complete list of the members and participants who contributed to the work this cycle. We couldn’t have completed this work without their commitments and contributions.

Perhaps just as important to the success of your NSTAC, as are the formal reports, is the participation of your Industry Executive Subcommittee and other representatives in various forums NSTAC is addressing. The nature and extent of IES work has changed dramatically in the last few cycles. We have continued our longstanding partnerships with key organizations, including the National Coordinating Center for Telecommunications [NCC] and the Network Security Information Exchange[s] [NSIEs]. In addition, NSTAC member representatives have responded to an unprecedented number of Government requests to participate and share information with such important fora as the Partnership for Critical Infrastructure Security, a cross-sector coordinating effort for which Mr. Richard Clarke of the National Security Council and Mr. John Tritak of the Critical Infrastructure Assurance Office deserve credit. Also, the Critical Infrastructure Assurance Office itself. The President’s Council on Year 2000 convergence, the National Infrastructure Protection Center led by Mr. Mike Vatis, the Education and Awareness Committee so ably chaired by the Department of Commerce. The efforts of the three Information and Communication Sector Coordinators, the Information Technology Association of America [ITAA], the United States Telecom Association [USTA], and the Telecommunications Industry Association [TIA]. The Cyber-Citizen Partnership Initiative with the Department of Justice which has Attorney General Janet Reno’s personal attention started in NSTAC sponsored by Government and industry donations and managed now by the Information Technology Association of America. The partnership has early initiatives aimed at cyber ethics education for young people, an information security resources directory, and a Government-industry exchange program. The Security, Privacy and Infrastructure Committee of the Federal Chief Information Officer Council, co-chaired by Mr. Fernando Burbano of the Department of State, Mr. John Gilligan of the Department of Energy, and Mr. Roger Baker of the Department of Commerce, and numerous other industry and Government organized fora and initiatives such as the Federal Communications Commission’s Network Reliability and Interoperability Council and the Government Emergency Telecommunications Service User Council, and most recently, the United States Space Command.

In response to the dramatic changes expected of the IES, we held a facilitative brainstorming and team building session in Denver, Colorado in August of 1999. Mr. John Lofstedt, the IES representative from US WEST, volunteered to lead the team effort. Dr. Anthony Ypsaro of Meridian Associates in Denver ably met the challenge of facilitating our rather eclectic group.
At the off-site meeting we affirmed this vision and focused on prioritizing the work this cycle so we could continue to provide the President advice on National Security and Emergency Preparedness issues or NS/EP issues surrounding the telecommunications and related information systems marketplace today. After the off-site, Dr. Ypsaro, supported by the Office of the Manager of the National Communications System continued to help as our conscience and guide. I’d like to thank the companies and the representatives that made a special effort to contribute to improving the IES and prioritizing our focus.

Based on our off-site meeting and follow-on discussions, we focused on the following key issue areas this past cycle: Network security, the impact of network convergence on NS/EP, globalization and Information Sharing for critical infrastructure protection initiatives. A common thread ties each of these issues together. They each pose numerous challenges to industry and Government decision-makers as they adapt to rapid changes in networks, technologies, globalization and the role of e-commerce. The NSTAC reports address those challenges particularly as they pertain to NS/EP communications and related information systems.

This cycle, the IES began the study of the focus of Government efforts to enhance the security of the Nation’s telecommunications and information technology systems that support NS/EP activities. The IES reviewed how resources are currently allocated among four basic components of network security -- prevention, detection, response and mitigation. The question that we sought to answer was, "Could shifting the focus among the four components increase the overall level of network security, and if so, what would the optimal focus be?" The research showed that the amount and focus of network security resources varies significantly by organization, both in Government and industry, and are dictated by the unique circumstances of each network.
Subsequently, we concluded it is essential that each organization develop its own optimal focus of network security efforts based on its mission and the criticality of each network within the organization. Toward that end, it is crucial that network security be considered an integral part of the enterprise architecture and in all stages of the system’s life cycle. In addition, the report emphasizes the importance of formal training as a critical component of network security. The lack of trained professionals significantly impedes an organization’s security policy and renders it vulnerable in the security planning and implementation process. And finally, while security policy is not one of the four components, it clearly emerged from our research as a critical factor in how organizations focused their network security efforts. Each entity we interacted with indicated that security policies were not generally flexible enough to cope with changing architectural definitions of security, the dependence on commercial off-the-shelf products, and growing threat profiles.

At NSTAC XXII, then Deputy Secretary of Defense, the Honorable John Hamre, discussed the need for open dialog between industry and government in the current era of dynamic, technological change. Dr. Hamre requested the NSTAC’s assistance to tackle the much deeper and more complicated problem, which is how to embed security in depth in the infrastructure. We subsequently began to scope this issue to determine how to respond to Dr. Hamre’s request. The scoping effort concluded that NSTAC can help in two distinct ways. First, promote the Federal Government’s efforts to work with industry to accomplish their mission of incorporating electronic commerce into their operations and individual support and participate in existing, successful industry and government fora such as the Information Assurance Technical Framework Forum.
Also, in the area of network convergence as a follow-on to the NSTAC 22 Internet Report, we reviewed the implications of network convergence on existing NS/EP priority services and examined the evolving capabilities in the Next Generation Network. For the purposes of this report, we defined "network convergence" as the process currently underway during which traditional circuit-switched networks and Internet protocol or IP-based data networks co-exist and inter-operate. This process is expected to continue until IP-based networks subsume circuit-switched networks. In particular, we found that network convergence will have a significant impact on NS/EP and NS/EP services such as the Telecommunications Service Priority or TSP program and the Government Emergency Telecommunications Service or GETS. To adequately plan for network convergence the report recommends that the President direct the appropriate Departments and Agencies in coordination with industry, to determine as soon as practicable, precise functional NS/EP requirements for convergence and the Next Generation Network and ensure that relevant NS/EP functional requirements are conveyed to standard bodies and service providers during quality of service standards development and implementation.

Because of the impact of the changing telecommunications environment on NS/EP communications the IES devoted a significant amount of resources to issues surrounding globalization. Since the last NSTAC meeting, we concentrated our globalization efforts on NS/EP issues related to foreign ownership of critical communications systems, technology export policies, and the Global Information Infrastructure or GII in 2010. We examined the implications of foreign ownership of critical U.S. public communications facilities on NS/EP services. We concluded that the current regulatory structure effectively accommodates increasing levels of foreign ownership of U.S. telecommunications facilities and the provisioning of services by foreign companies while allowing the federal government to retain the authority to prevent any compromise of national security interests.

We also reviewed technology export policies dealing with transfer of strong encryption products, satellite technology and high performance computers. We compiled information about key technology export issue areas and tracked the implementation of new export policies and regulations. Additionally, we investigated the development of guidelines to assist companies in understanding government approval of technology sales. We concluded that because technology progresses faster than policy can keep up with it, government and industry should continue to reevaluate the limits placed on the export of technologies.

And finally, we postulated the nature of the GII in 2010 and assessed the implications for NS/EP communications. Our effort focused on the emerging wireline, wireless, and satellite-based technologies expected in 2010. We concluded that in 2010 NS/EP communications will be facilitated by new technologies and improved network features. The GII will provide increased global availability of broadband communications with satellite communications and wireless technologies bringing NS/EP communications to less accessible geographic regions. However, despite the technology forecast for 2010 there is no guarantee that all central communications capabilities will be ubiquitously available. Therefore, the report recommends that the President:
And finally, the IES focused on the role of Information Sharing for Critical Infrastructure Protection. As the telecommunications and related information systems environment continues to evolve at a rapid pace, Information Sharing between effective parties will be the key component that will help to ensure that NS/EP requirements are understood and accommodated in new types of networks and that assets are protected adequately. This is especially true for critical infrastructure protection efforts. Information Sharing is a critical component of the evolving partnership between industry and government to protect our nation's most critical assets and is embodied in Presidential Decision Directive 63. PDD 63 charges Government and recommends industry address the significant challenges posed by threats to our nation's most critical infrastructures. The NSTAC and its member companies acting individually, but informed by NSTAC activities, have played integral roles in this partnership and other outreach efforts such as the federal government CIO council and the President's Partnership for Critical Infrastructure Security. Throughout the NSTAC XXIII cycle we regularly met government leaders responsible for PDD 63 implementation to provide industry analyses and offer feedback from the planning process and the early drafts of the National Information Systems Protection Plan. PDD 63 suggested industry establish its own Information Sharing capabilities known as Information Sharing and Analysis Centers or ISACs. Last year NSTAC endorsed the National Coordinating Center for Telecommunications or NCC as an ISAC for the telecommunications sector. The NCC, which was established in 1984 as a result of an NSTAC recommendation, operates as an industry-Government coordinating facility for NS/EP communications under all circumstances. 
In our work with officials responsible for PDD 63 implementation, we shared lessons learned from the NCC's 16 years of experience and offer it as a unique model of industry and Government partnership. As of March 1st, 2000 the NCC formally incorporated the ISAC function into its operating capability and is recognized as one of the first two functioning ISACs. We also assisted in the establishment of operational Information Sharing efforts between industry and Government and, in particular, preparations for the transition to the Year 2000.

We found that significant operational and legal impediments exist that threaten to impede the Information Sharing process. Most notably, industry must be assured that sensitive and proprietary information voluntarily shared with government is protected from disclosure under the Freedom of Information Act. Additional concerns relate to liability, antitrust, security, regulation and privacy issues. Each of these concerns may require legislation to protect industry similar to the limited protection passed to limit liability for Y2K Information Sharing activities. Therefore, the report recommends that the President support the development of legislation that would protect critical infrastructure protection information voluntarily shared by industry. In particular, from disclosure under the Freedom of Information Act and consideration of other pertinent barriers to sharing to limit liability for such sharing.

Based on our work this cycle, the following issues were identified for consideration in our work plan for next cycle. These include:
We look forward to incorporating additional items for consideration based on your discussions at this afternoon's Executive Session.

In a successful partnership as embodied in the NSTAC, there are more outstanding contributors than can be acknowledged here today. However, I would be remiss if I did not repeat that the extent of IES involvement with other organizations has increased tremendously in the last few cycles. More organizations are engaging us in exchanges of value to industry and government. Our ability to support this increased demand is dependent first and foremost on the willingness of the NSTAC principals to commit the necessary resources. It is equally dependent on the willingness of many Government organizations to provide professional participation. Lieutenant General [David J.] Kelley [Manager, NCS] can be proud of the support his organization has provided. His new Deputy Manager, Diane McCoy, her excellent professional staff and the contract support provided to them by Booz-Allen and Hamilton to perform outstandingly in a variety of ways. Without their assistance we could not have the successful partnership that NSTAC represents.

Before I conclude, I would like to thank each of the Chairs and Vice Chairs who led our task force and group efforts. I would now like to return the microphone to the Chairman who will moderate any questions the NSTAC principals may have for us. Thank you.

Published for internal information use by the National Communications System. Parenthetical entries are speaker/author notes; bracketed entries are editorial notes. This material is in the public domain and may be reprinted without permission.
Reviewed December 07, 2006