| Home | Information Sharing & Analysis | Prevention & Protection | Preparedness & Response | Research | Commerce & Trade | Travel Security & Procedures | Immigration |
| About the Department | Open for Business | Press Room |
The threat level in the airline sector is High or Orange. Read more.
Release Date: 02/17/03 00:00:00
U.S. Department of Homeland Security
Office of the Press Secretary
For Immediate Release
February 14, 2003
2:15 P.M. EST
MR. STEPHAN: -- the White House Office of Homeland Security Senior Director for Information Analysis and Infrastructure Protection. And, as of this week, I've transitioned to new duties, working for Secretary Ridge as his Special Assistant for Information Analysis and Infrastructure Protection.
MR. SCHMIDT: Hello, I'm Howard Schmidt. I'm the Acting Chair of the President's Critical Infrastructure Protection Board at the Office of Homeland Security, Office of Cyberspace Security at the White House. And that's S-c-h-m-i-d-t.
ADM. JOHNSON: Hi, I'm Admiral Harvey Johnson. I'm the Director of Operations Policy for the Coast Guard, and I'd be glad to answer any questions you have about the Coast Guard.
Q: -- explain a little bit about how the -- both in the private sector and in the public sector, that you will get the word out from Washington? And what specifically you're suggesting that they do, and how this kind of -- how the word filters from Washington down to, you know, the thousands of companies around the country.
MR. SCHMIDT: The whole process that we've gone through as far as spreading the word on cyber security has taken pretty much what you've said we've done. Home town meetings, town hall meetings around the country at various locations. We've had meetings with various corporations, trade associations. The directors of homeland securities and their staff that are putting together cyber security efforts.
So this has been an ongoing effort. In addition to that, we've been working with what we call the Cyber Security Alliance, and our web site www.staysafeonline.info, providing information down to home users and small to medium enterprises as well.
Q: What about the cyber security, just in general what private critical infrastructure, whether they be power plants or tourist attractions, how are they getting the word about what's being done, beyond the cyber issue just in general?
MR. SCHMIDT: Beyond the cyber, well, I'd relate to Bob for the physical --
Q: Before we go beyond the cyber issue, how much of the nation's critical infrastructure depends for its daily functioning on the Internet? Control of remote power stations, opening and closing water valves and whatever? And is part of your initiative to try to get industry to stop using the Internet and go to its own separate, secure systems?
MR. SCHMIDT: Yes, I think the concept is not so much in use of the Internet, it's use of the same sort of the technologies that we use on the Internet. And I think that's been a point of constant confusion, that the Internet somehow has a dramatically negative input on what we're doing, as opposed to those same technologies. For example, we saw the Slammer virus occur a few weeks ago. It was perpetuated through the Internet, but the back-end systems that were somehow affected were not necessarily related or connected directly to the Internet; they came through other mechanisms.
So, consequently, if somebody has a system set up unintentionally that gives them a gateway, that affects a back-end system that normally doesn't depend on the Internet to run.
Q: Well, what's the gateway, though? What is the point of infection, if you will, where the cross-contamination happens?
MR. SCHMIDT: Common router systems, common telecommunications systems that not only have their private networks running through them but also some of the public networks.
Q: Well, is there any way to make these kind of control systems that you're worried about that are subject to attack, is there any way to insulate them entirely? And is that something that you think industry is doing enough on?
MR. SCHMIDT: Well, there's two pieces to that. One, we've become dependent on this in a relatively short period of time. So trying to pull these pieces apart, I think, is not really efficient. What we need to do is make sure that when things hit those routers, for example, or the gateways, that they don't have the ability to knock them over. We have the ability to stop the things from occurring before they have an impact on the routing systems.
Q: Are you going to have exercises across the federal government of these cyber attacks for specific government agencies? And could you repeat your title, please? (Laughter.)
MR. SCHMIDT: The last question is very easy. I'm the Acting Chairman of the President's Critical Infrastructure Protection Board.
And in answer to your first question, yes, we've had a number of exercises across the Defense Department over time. We've done similar things in a small scale across the rest of the civilian government agencies, and we've also done them across the states. One of the more recent ones was an operation down in Texas called Dark Screen, where they had the critical infrastructure owners and operators, the city governments, the Air Force Information Warfare Center down there all come together and do a tabletop exercise to look at the impacts. And they were very successful in identifying that as well.
Q: Can Mr. Stephan answer the question about the critical infrastructure outside of cyberspace?
MR. STEPHAN: Sure, in terms of the information sharing piece?
Q: In other words, how are our major tourist attractions, power plants, other kinds of pieces of critical infrastructure getting the word from Washington to what they should be doing and what are they doing?
MR. STEPHAN: Right. Well, to begin with, we have multiple sources of information that we funnel in to a central location, transitioning from the structure that we have now to the Department of Homeland Security, and then we have an obligation to get that information back out through various sources and channels. Because I think if you can refer to the physical protection strategy document, in Chapter 2 in the Case for Action, we build or give you a representative sampling of the incredible amount of potential targets that are out there, target sets.
What we have to do is work together through our Homeland Security Advisory System. One avenue is getting the word out to the state homeland security advisors that have been designated by the governors of the 50 states and territories, that reach out and touch the law enforcement communities in their respective states and territories and local jurisdictions, is one method. The private sector has established information sharing and analysis centers across our critical infrastructure sectors that are again private sector consortiums designed to share security-related information amongst each other, as well as between themselves and the federal government. And we tap into that private sector information sharing network to the extent that we can do that in the sectors that have those established. And the ones that are not established, we depend on our federal department and agency sector leads to get the word out to their counterparts within industry across industry categories to make sure that we have multiple sources of the single message going forward and out to the field.
Q: Mr. Stephan, the report talks about the need for incentives for the private sector. It talks about how the Department of Homeland Security will work with the Department of Commerce and Treasury to set up these incentives. Now what, are these tax breaks? Can you talk a little bit about what sort of incentives are being considered?
MR. STEPHAN: Well, there's a range of activities to spur security investment that goes from the positive side of the house, which involve various forms of incentives. They could take the forms of grants, they could take the form of working with the insurance industry, for example, to cut folks breaks. For example, if you put an anti-theft system in your car, you get a rebate or you get a decreased premium. Working with the insurance industry perhaps might be one venue or avenue to pursue. All the way to the other end of the spectrum that, in certain critical infrastructure sectors where public health and safety consequences are pretty phenomenal if you could play them out to their worst case potential, regulation may be something that we would use.
Again, there isn't one size shoe that fits all of the possible solutions and all of the needs out there. We have to kind of do this on a case-by-case basis, by sector, and perhaps even by industry category within sectors as we go about formulating our protective scheme. But we do believe that market forces should be first and foremost taking care of this problem to the extent that they can. To the extent that they can, then we have a range of activities that we have to pursue or look into across -- across anything from incentivization in a positive sense to regulation.
Q: So it's kind of a carrot and a stick. On the one hand, you've got a reward and --
MR. STEPHAN: I wouldn't use that terminology. I would say that some solutions work in some areas; some solutions don't work in other areas. These critical infrastructure sectors are so diverse, even industries within a particular sector are so diverse that you can't simply apply one solution and take care of the problem.
Q: Would tax breaks be one incentive?
MR. STEPHAN: We have not gotten into the specific level of detail on any particular measure, other than to -- we want to form an exploratory option with our colleagues in Treasury and Commerce to see what kinds of things make sense for both the federal government, the state and local governments and the private sector as we go into this problem.
Q: I know you deal with critical infrastructure.
MR. STEPHAN: Yes.
Q: But maybe you could address this. In this instance, there was a threat against soft targets, the sorts of things that aren't included in this booklet. What method does the Department have to reach out to hotels, to shopping malls, to restaurants, to those people to inform them of the threat and what they might do? Can you address that?
MR. STEPHAN: Sure. Well, again, there's multiple mechanisms and we still don't have the perfect solution. We're working solutions in the 13 critical infrastructure sector categories that we have in the President's Homeland Security Strategy. That is an easier problem to fix, because they are more or less -- they are more well defined than the softer target sets. And the softer target sets are just diversified across the country.
But what we need to do and are doing is using in place law enforcement information sharing mechanisms, working with -- through the state homeland security advisors once again, to put the word out through the law enforcement community, to the security personnel that are in charge of security or have security responsibilities for shopping malls and entertainment centers and amusement parks and sports arenas, so on and so forth. And, as part of an initiative in the strategy document, is to explore more comprehensive ways to get information exchange going between us, state and local governments, and those softer, private sector targets that are just diverse across our country.
Q: Mr. Stephan, I'm assuming that the average nuclear power plant has better security than, say, the average domestic water plant. But, given that there are wide variations, where is the country in terms of beginning to develop better security for its infrastructure? Are we at the very beginning? Are we 10 percent to the goal? Are we 99 percent to the goal? What is your feeling about that?
MR. STEPHAN: I wish I could -- I would love to put a percentage on this, because my job would be quite a bit easier if I could do that. But, again, in some areas, we're actually fairly close. And in the nuclear power industry is a very good example. That industry has invested a lot of money, we've had a lot of cooperation between the industry and the Nuclear Regulatory Commission on the information sharing piece and trying to get to a threshold of security across that industry that is acceptable to the industry and the federal government, in terms of the public health and safety dimension. In other areas that have just been recognized formally through the President's Homeland Security Strategy, we are just beginning to move from a safety-focused mindset to a security-focused mindset in certain categories.
Q: What's some examples, please?
MR. STEPHAN: Well, for example, until the anthrax-in-the-mail episode last October, no one really regarded the postal and shipping sector as a critical infrastructure category. With the events of last October -- October before last, we realized that postal and shipping is a critical infrastructure sector and poses significant health and safety risks if it were -- were used as a terrorist means of attack.
So we are ramping up capabilities in the sectors, and I think there are five sectors that you will not see in PED 63 that are in the President's Homeland Security Strategy that are classified as new. And in those areas, we have a baseline capability that we are building upon to ensure more comprehensive protection.
Q: Mr. Stephan, to follow up on that question, it seems one of the common themes throughout this entire strategy is making assessments in all these different areas to what exactly damage can be done by terrorists. In a lot of these areas, are we at square one and just trying to make these basic assessments and trying to figure out what exactly could happen --
MR. STEPHAN: I would say that we are not at square one in any area, that every single sector of critical infrastructure as defined in the President's Homeland Security Strategy has taken measures to do vulnerability assessments, to do risk assessments, consequences assessments. The problem that we face at this point in time is there are great diversity in those efforts. And what we want to do as a department --
Q: What do you mean by diversity?
MR. STEPHAN: Well, for example, in some sectors, the vulnerability assessments are -- have been very well conducted, they're very thorough. They've used a uniform methodology across industries. And in other industries, for example, they are not using common methodologies, they're not using common practices. They're doing what they can but they don't know if they've done enough, so on and so forth.
One of the primary missions of the Department of Homeland Security and the Information Analysis and Infrastructure Protection Division of that unit is to make sure that we have common approaches to vulnerability assessments, to consequence assessments, to critical infrastructure and key asset identification, and that we do standardized risk assessments and then we red team those things. That's the great contribution -- one of the great contributions that this new organizational scheme will take. But there are tremendous differences from industry to industry and from sector to sector, and we need to get on a common sheet of music.
Q: Can you list a few of the sectors you just mentioned that are in this report but not in the PED --
MR. STEPHAN: Yes, for example, food and agriculture do not appear in the PED 63, which was the previous organizational framework presidential document that governed the infrastructure protection business. The postal and shipping piece, the national monuments and icons piece, the defense industrial base and the chemical business. Chemical business and hazardous materials. Is that five?
Q: And that's not to say that nothing's been done in those areas, though?
MR. STEPHAN: Oh, no, absolutely. I want to repeat myself that everybody has done something. The problem is, is we've got to get to a better level of standardization -- standardization across those entities than we have now. And our job is to do that.
Q: Mr. Stephan, are you in charge of information and analysis -- did I get that from your title? And, if so, what type of information were you able to gather? Who in the CIA or the FBI was able to share information to get to the orange alert last week? And are you in the flow of information there?
MR. STEPHAN: Well, I want to say I'm not completely in the flow of information. And I'm not able to divulge the sources of that information, other than to basically repeat what Secretary Ridge said, that there were multiple sources of information that came together that -- that led us to the decision to raise the condition of the national level to orange.
Q: My question more specifically was, were you in a room or is the homeland security -- are the folks in the same room as the FBI and the CIA as they are looking through all the analysis? Or is it still bifurcated?
MR. STEPHAN: In terms of where the information analysis is generated, there are joint threat integration and analysis centers that have been established within -- within different aspects of government. But I can assure you that when the decision was made to elevate to condition orange, orange level alert, that that decision was made in a collective body that involved the intelligence community, federal departments of agencies of concern, the National Security Council, the Homeland Security Council. It was a very well thought out and, as you can imagine, an agonizing process.
Q: Mr. Stephan, the nuclear power industry is -- security is stepped up there, or at close levels, where you want it to be, because that's a very heavily regulated industry already. When you say you might need grants or other incentives for other industries, is that because you have a determination that those sectors don't understand the threat, or that they understand it and are irresponsible, or that they simply can't afford what they need to do? And how do you weigh that versus regulation?
MR. STEPHAN: Right. Again, I wish I could go to a table or matrix that says, this industry gets regulated, this industry we use positive incentives. It just depends on what the characteristics of the industry are, what the consequences are of the successful terrorist attack against one of those constituent industries within a sector.
Q: But you must be getting feedback from some industries at this point that they either can't or won't do what you all think is necessary. Therefore, you feel you're going to need to give the incentives.
MR. STEPHAN: I would say we -- we look out there across the critical infrastructure sectors and there is a lot of unevenness, and we need to iron out some of the unevenness and standardize some of the processes in terms of vulnerability assessments, consequence assessments and risk assessments to make sure that we're all playing from the same sheet of music. And once we have that baseline established, what is the appropriate mechanism or series of mechanisms that we need to use to make the security investments, the appropriate level of security investments happen across different categories of industry in different sectors.
Q: Just to follow up on that, though, as you said with the postal arena, no one would have suspected a year ago that they needed to do or have the kind of information that they do now. Where are the experts coming from and how are these vulnerability assessments even supposed to be done at industries that never thought about this before? Is the federal government providing them with experts? Are they supposed to go out to the private sector and find private experts? I mean, where are the people to do these kind of assessments?
MR. STEPHAN: Again, we have -- there are certain kinds of security-minded individuals that exist all over the place. You can find them in contracting corporations, you can find them in federal departments and agencies, you can find them in the law enforcement community.
And the answer to -- or the solution to the problem that you pose is that we're going to have to develop a team approach and probably go out, some teams under federal control, some teams under state and local control, some teams that may be under private sector control but the federal government audits -- we make some kind of mechanism to make sure that we're meeting a certain kind of standard. As you can imagine, if this were a completely federal government responsibility to inspect the security processes and procedures in place at every single plant of critical infrastructure across the country, we'd all be paying 100 percent in taxes every year and we'd all be in the National Guard, probably. (Laughter.)
Q: But do you expect to develop some standards --
MR. STEPHAN: Standards. Standard methodologies, standard approaches that need to be applied certainly across a sector and hopefully across multiple sectors where we can make templates fit.
Q: A question for Howard. Howard, on the cyber security strategy, there doesn't appear to be much in there that does anything more than suggest ways that industry can beef up its collective cyber security posture. Do you -- the question was put to Bob. You know, he mentioned disincentives, incentives, regulation. Are any of these things you guys are considering for cyber security?
MR. SCHMIDT: Yes, I think, Brian, we've been clear all along that this is a partnership with industry that represent about 80, 85 percent of the ownership of the critical infrastructure. So we've seen, particularly in the cyber and the IT industry, that we're new enough into that space that we have an opportunity to be able to do it in a true partnership area, looking at and realizing that it's in their best interests to do more security, to provide products that are more secure, to provide easier for the consumer as well as the enterprises.
So at this juncture, we're still looking at helping them with some of their research and development pieces, but clearly leaving it with industry to let the market forces change it.
Q: What about incentives?
MR. SCHMIDT: And incentives, once again, I mentioned the research and development piece. We had the -- the Information Security Research and Development Act passed, about $900 million was allocated for that over a five-year period to do research and development to help bootstrap some of the cyber security initiatives.
Q: Howard, two questions. Can you comment, one, on how the overall national cyber alert level or posture dovetails with the overall homeland security alert system, if at all? If you're considering establishing some sort of cyber alert version of that? And, two, how long do you wait before you determine that market forces will not work? Do we have to wait until something catastrophic occurs before you realize that regulation is the only way to go?
MR. SCHMIDT: On the first piece, for example, as you're probably aware, the Defense Department has an INFOCON status they look at relative to the different levels of cyber security, and that's one of the things we're in constant discussion on, is how can we marry that up without causing confusion, without causing undue concern for folks that may or may not be affected by that.
On the second piece of that, when we look at the market forces, many of us don't feel that we've got to worry about it not taking place. It's just how quickly can it take place. For example, we've had commitments from all the major CEOs of all the IT companies, hardware, software, the telecom industry saying, security is job number one. But it's going to be a phase-in approach, it's not going to turn a switch overnight and things are going to change.
Which is in the meantime why we have, as part of the strategy, looking at vulnerability reduction at the same time we're looking at a better response system for cyber.
Q: Mr. Schmidt, how much, though -- what is the vulnerability in the cyber area? Is it just inconvenience, or is there any -- I mean, easy to understand how an attack on, you know, the food supply or something hazardous through the mails would endanger lives. But is it just a matter of people not being able to use their ATMs for a few days, or is there any real vulnerability attached to the cyber security?
MR. SCHMIDT: Well, it is a broad spectrum, and that's one of the issues we're looking at now. Exactly what are the interdependencies that we have? As the cyber environment, including the Internet component of it, has been built up, we have had dependencies that have now changed dramatically from what it used to be, about not just being able to do online banking or anything else. So we are looking at this now and trying to find out fundamentally what it gets down to.
I think the bigger issue we've got to worry about is what we call the swarming attack, where we have a physical event that takes place, be it a natural disaster or an intentional criminal act, that occurs at the same time we have a degradation or an impact on our telecommunications services. That's where we have that interdependency we clearly worry about the most.
Q: A question. You have one of your recommendations about certifying the independence of service providers. Independence from whom? Is this sort of corporate independence from forces that might be opposed to the United States?
MR. SCHMIDT: I'm not sure which recommendation you're referring to. When we talk about the certification piece, we talk about certification, those that would be performing security services. And that's the whole issue. Because once again, in many cases, the IT environment provides a mechanism to have every key resource within a company or resource within a government agency at the disposal of those that maintain that system. So we want to make sure we have a good, thorough vetting process to make sure we have the highest caliber of people, as well as people that are trustworthy for the nation's needs.
Q: Are cyber -- critical cyber infrastructures included in any actions that are required nationwide when the alert level, the overall Homeland Security alert level, is raised? Are there physical protections that are put in place in critical facilities, such as those serving Wall Street and various others?
MR. SCHMIDT: Yes, that's a good point, because it goes to the thing that Bob and I have been working very closely with our respective staffs of the inextricable connection between physical and cyber. You know, we oftentimes see them as two separate areas but, in reality, if you have a backhoe cut a telecommunications line that disrupts services, or a virus, the end fact still remains, we have a disruption of services. So we have to work very closely to make sure that those facilities that provide those links are taken care of in the physical as well as the cyber.
Q: So you are working in terms of with the Homeland Security Department and their intelligence fusion and analysis to determine whether or not there is a specific threat that could impact a cyber -- a piece of the cyber infrastructure?
MR. SCHMIDT: That's correct, yes.
Q: Mr. Stephan, in the postal area you talk about a need to better correlate individuals with packages being sent. In the transportation area you talk about being better able to trace shipments that go across the country. As you progress with this strategy, are Americans going to have to get used to the idea that the government, by necessity, is going to have to keep closer track of how they go about their business?
MR. STEPHAN: Closer track of how they go about their business? I think the government -- they have to get used to the fact that the government is certainly having to pay more attention to security, and security means different things to different sectors. So I kind of would like to leave with that statement.
But I also want to get the point across that in the five new infrastructure sectors that have kind of been stood up as critical sectors since -- since September 11th, every lead federal department and agency that's a sector responsibility authority for security within that sector has been doing a phenomenal effort to ramp up and get up to speed and seek out best practices and accept best practices that we've been able to push from other sectors in federal lead departments and agencies that have been more mature -- reached maturity before September 11th.
Q: But correct me if I'm wrong. It sounds as if that -- that people are going to have to sacrifice some individual liberties in order for the government to carry out this mission, especially keeping track of shipments and packages and --
MR. STEPHAN: Well, certainly, I don't know how you want to define individual liberties, but when I go through the airport at this point in time, I certainly don't get through there in a very timely matter in many, many instances. And I think if we're talking those kinds of individual freedoms and liberties, I would consider to be more inconveniences than anything else, I would say, yes, the public and industry will have to get used to adopting these type of security measures and practices and things in their lifestyles at this point. Because I don't think that we're going back to the pre-September 11th scenario at this point.
Q: Mr. Stephan, how much resistance are you finding from the private sector, when companies maybe do a threat analysis and they said, on a cost/benefit ratio, it's not worth us pumping millions of dollars into it. Are you finding that at all in some of these sectors?
MR. STEPHAN: (Technical difficulties with recording.) What they are more concerned about is, are they doing enough? What is the end state? What is the sustainability? (Technical difficulties with recording.) -- enterprises, if necessary, within sectors. But I'm not getting any feedback from any sector that investing in security is wrong. They want specific help from the federal government to determine if what they have done is, in fact, correct and what additional measures they need to take. And if the additional measures are going to be so costly that it's going to put them out of business or really, really impact profits, they want to see what other alternatives may be out there. And we -- we certainly need to work with them to get the answers to those questions.
Q: How do you deal with the smaller businesses? I mean, while the big corporations probably have budgets and personnel and departments for this, at what level do -- you know, the majority of businesses in this country are small businesses. How do you deal with them in terms of what they have to do and who pays for it and who tells them what the best thing to do is?
MR. STEPHAN: I think the major forum that we use in dealing across the industries to include the medium size and smaller size firms are through the industry associations and the information sharing and analysis centers that have been set up within the specific sectors that don't discriminate between -- on the basis of size of company, and trying to use the mechanisms that industry itself has set up, sharing best --
Q: With respect to an industry say like the chemical industry, where an attack or even an accident -- but an attack could harm thousands, hundreds of thousands, even millions of people, you say that the federal government, the administration now is just beginning to look at maybe incentives or maybe regulation, but just beginning to think about that. Congress has been talking for some time now about regulating the chemical industry for one. I mean, can we afford to wait while the administration studies whether it should be regulation or whether it should be incentive with an industry such as that, where the potential is enormous?
MR. STEPHAN: Well, we're not waiting much longer. We are moving out aggressively in that area, and we are moving out aggressively and working in partnership actually with Commerce on the chemical piece even as we speak.
Q: What's the administration's position on it right now?
MR. STEPHAN: The administration's position on this?
Q: On regulation for that industry --
MR. STEPHAN: I don't want to speak to the administration's position in terms of regulation as a whole. What we're looking at doing is what is the proper mechanism to make sure that the most hazardous chemical sites that could produce the most significant consequences in terms of public health and safety are carrying out aggressive vulnerability and risk assessments and taking the protective measures that correspond to those risk assessments -- and some aspects of that may need to be regulated.
MR. SCHMIDT: Just for both aspects, the physical as well as a cyber critical infrastructure relative to security, I'd just ask you to keep in mind that the phrase that security experts use all the time: Security is not a destination, it's a journey. So as we move through this, we have to constantly update and work on these things. Thank you.
12:52 P.M. EST
END
This page was last modified on 02/17/03 00:00:00