Critical Infrastructure Assurance Office

Presenter: Mike Lombard

Globalization and Terrorism:Protecting the Digital Infrastructure

June 7, 2002

U.S. Government Security Issues

U.S. Government Security Issues

• What is the U.S. Government Perspective?– Answered from the perspective of CIAO

• What is the U.S. Government Doing?

• What are we doing with other countries?

What is the U.S. Government Perspective?

• Attacks on our homeland such as those of Sept 11 must never be allowed to occur again.

• Will require combined efforts of Federal, states and local government, private sector, and individual citizens working with common purpose.

Homeland Security vs. Critical Infrastructure Assurance

• Objective of homeland security is to safeguard all of America – its people, its property, and society – from terrorist threats foreign and domestic.

• Critical infrastructure assurance seeks to maintain the readiness, reliability, and continuity of infrastructure services– less vulnerable to disruptions,

– any impairment is of short duration and limited in scale,

– services are readily restored when disruptions occur.

Presidential Decision Directive 63

• PDD-63 called for a “public-private partnership to reduce vulnerability” that is “genuine, mutual and cooperative.”

• Designated Lead Agency for each major sector– Act as a liaison with the infrastructure owners and

operators.

• Created CIAO to focus on initiatives that cut across industry sectors and are not the existing responsibility of the Lead Agencies– Ensure a cohesive approach to achieving continuity in

delivering critical infrastructure services.

Executive Order 13231

• Established the President’s Critical Infrastructure Protection Board,

• Expanded role of CIAO.

EO13231Role of CIAO

• National Awareness and OutreachNational Awareness and Outreach

• Assist Federal Agencies to Identify Assist Federal Agencies to Identify Infrastructure DependenciesInfrastructure Dependencies

• National Strategy DevelopmentNational Strategy Development

• Education & Training CoordinationEducation & Training Coordination

• Address Legislative and Legal Obstacles; Address Legislative and Legal Obstacles; Potential Market FailuresPotential Market Failures

• NIAC SupportNIAC Support

CIAO Organizational Relationships

CIAO Director

Secretary of CommerceSecretary of Commerce

Bureau of Industry and Security

Bureau of Industry and Security

Special Advisor to the President for

Cyberpsace Security

Special Advisor to the President for

Cyberpsace Security

President’s CIP Board

President’s CIP Board• Direction

• Oversight• Funding

EO 13231

PolicyPolicyOutreachOutreach

Outreach Policy MATRIX

Eight Critical InfrastructuresGovernment OperationsGovernment Operations Gas & Oil Storage and

DeliveryGas & Oil Storage and

Delivery

Banking and FinanceBanking and Finance

TransportationTransportation

Electrical EnergyElectrical Energy

Emergency ServicesEmergency Services

Critical InfrastructuresCritical InfrastructuresInformation Systems &Telecommunications

Information Systems &Telecommunications

Water Supply SystemsWater Supply Systems

PDD-63

New Sectors Post 9/11

• Agriculture

• Food Delivery

• Chemical Manufacturing

• Others

Sectors areInterconnected and Interdependent

• Electric power generation fuel pipelines or rail transportation,

• Information and communications systems electricity, and

• All sectors “cyber” systems

Consequences of Interdependencies

• Disruptions in one sector affect others,

• Cascading consequences have effects well beyond the vicinity of the initial occurrence

• Regional and national disturbances

Infrastructure Ownership

• 85% - 90% of US critical infrastructures is owned and operated by the private sector or state and local government– Private sector is used to protecting critical infrastructures everyday

disruptions, but is not prepared to cope with terrorist threats

– The Federal government - no mandate or resources to protect critical infrastructure

– Cyber systems cannot be protected by police or soldiers

• National policy achieved by public-private partnership– Business and government at the Federal, state, and local levels.

Critical Infrastructure Assurance Office(CIAO)

• Mission - facilitate and coordinate the Federal government’s efforts to safeguard its own critical systems and to act as a liaison between the Federal government and the private sector, and state and local governments to increase awareness and encourage concerted action to secure our nation’s critical infrastructures in the face of new emerging threats and vulnerabilities.

• Goal - help ensure that any disruptions are brief in duration, limited in impact, and quickly corrected.

Outreach PartnershipsPrivate Sector

• With respected channels of communication and influence within business and state and local government to raise awareness and to develop implementable actions that become self-sustainable, and

• Cross-sector partnerships that identify and address common issues and interdependencies.

Corporate Senior Leadership

• Chief Executive Officers, Boards of Directors, Chief Operating Officers, Chief Financial Officers, and Chief Information Officers.– Key risk and business management communities were identified

and engaged in partnerships to develop, and then deliver, educational programs designed to incorporate the principles of security into corporate governance and business management practices.

– With communities such as the auditors, insurers and financial analysts, CIAO has worked to translate threats to critical infrastructure into business case models that corporate boards and senior management can understand.

Cross Sector Partnering

• Partnership for Critical Infrastructure Security (PCIS).– Satisfies a need for cross-industry dialogue and sharing of

experience, beyond the scope of the Federal lead agencies’ efforts.

– Organized by industry for industry, with CIAO acting as a catalyst and a participant.

• CIAO will be extending its cross-sector coordination activities through its support of the activities of the National Infrastructure Advisory Council (NIAC) – Thirty senior executives from private industry, academia, and state

and local government who will advise the President on matters relating to the security of information systems.

Outreach PartnershipsState and Local Government

• Similar to program for industry– Eg.: Emergency response planning and crisis

management• Develop and disseminate a “business case for action” with

recommended actions to 87,000 communities across the country– Public Technology, Inc. (National League of Cities),– National Association of Counties,– International City/County Management Association.

• National Strategy for Cyberspace Security– National Governors Association (NGA),– National Association of State Chief Information Officers

(NASCIO).

A New Type of Warfare

• The front lines of the new types of warfare, both physical and cyber, are clearly in our communities and in our individual institutions.

• State conferences– “Critical Infrastructures: Working

Together in a New World”

Outreach Goals

• Create Information Sharing and Analysis Centers for intrusion monitoring networks

• Establish process to agree upon ‘Best or Recommended Practices’ for computer security in each sector

• Jointly develop an ‘Awareness and Education’ campaign

Infrastructure Security Analysis

• The Federal Government owns or operates a portion of the infrastructure– Typically those functions or services that

the private sector can’t or won’t provide

– Eg.: Weather forecasting, aviation control, and economic entitlements

Infrastructure Security Analysis

• Each Federal department and agency must identify:– Its essential functions and services and the critical

assets responsible for their performance;

– All associated dependencies on assets located in other departments and agencies that are necessary to performance or delivery; and

– All associated dependencies on privately owned and operated critical infrastructures that also are essential to performance or delivery of services.

Project Matrix

• Identify USG’s most critical assets Identify USG’s most critical assets

• Capture major nodes and networks Capture major nodes and networks upon which USG’s most critical assets upon which USG’s most critical assets dependdepend

• Tie the most critical assets and their Tie the most critical assets and their supporting nodes and networks to supporting nodes and networks to underlying infrastructuresunderlying infrastructures

“Provides a complete picture of asset dependencies and interdependencies ”

Step 1:

Step 2:

Step 3:

Project Matrix What is “Critical”?

• Responsibilities, assets, nodes and networks which if incapacitated or destroyed would: – Jeopardize the nation’s survival– Have a serious, deleterious effect on the nation

at large– Adversely affect large portions of the American

populace– Require near term, if not immediate,

remediation (72 Hrs)

Project Matrix Goals

• Function vs. consequences

• Develop a map of the Federal government’s critical national level interdependencies

• Recognize critical choke points

• Predict cascading effects

Federal Department and Agency Actions

• Complete the Step 2 & 3 analyses and send results to Project Matrix

• Develop and implement plans to manage the risks– Deter attacks – Protect from damage or destruction if attacks occur – Mitigate impact if protections fail – Restore & reconstitute

• Work with the owners and operators of privately owned and operated infrastructures – on mutually agreed upon terms – to ensure that adequate security measures are established and maintained.

Information Integration Program Office

• To improve the coordination of information sharing essential to combating terrorism nationwide

• Design and help implement an interagency information architecture that will support efforts to find, track, and respond to terrorist threats within the United States and around the world, in a way that improves both the time of response and the quality of decisions– create an essential information inventory; – determine horizontal and vertical sharing requirements; – define a target architecture for information sharing; and – determine the personnel, software, hardware, and technical

resources needed to implement the architecture.

Integrated National Strategy for Critical Infrastructure Assurance

• Threats: – physical attacks against the “real property” components of the

infrastructures; and– cyber attacks against the information or communications components

that control these infrastructures.

• Office of Homeland Security (OHS) – “to develop and coordinate the implementation of a comprehensive national strategy to secure the United States from terrorist threats or attacks.”

• President’s Critical Infrastructure Protection Board - “ensur[ing] protection of information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems.”

• CIAO - coordinate and facilitate input from private industry, and state and local government to the national strategies

International Efforts

• Bilateral government-to-government and industry-to-industry visits both abroad and in the U.S.

• To share concerns, experiences, lessons learned, & methodologies

• Partnerships - Eg.: Watch and Warning Centers

International Partners

• Recent and on-going:– Canada, Great Britain, Australia, India, Italy, &

Japan

• Near future:– Mexico, others…

Thank You

Mike Lombard(202) 482-7477

mike.lombard@ciao.gov

Mike Lombard(202) 482-7477

mike.lombard@ciao.gov