- Larry Mefford
- Assistant Director, Cyber Division, FBI
- Federal Bureau of Investigation
- Before the House of Representatives Committee on Government Reform, Subcommittee on National Security, Veterans Affairs, and International Relations
- Washington, DC
- June 11, 2002
Mr. Chairman and members of the subcommittee, thank you for inviting me to submit this statement on the President's proposal for a Department of Homeland Security. My statement will provide an overview of the National Infrastructure Protection Center (NIPC) in order to demonstrate how the federal government can develop, and has developed, a threat review and response capability using a multi-agency model. The NIPC emphasizes in its day-to-day operations the always present need to develop trust and cooperation not only among federal agencies, but among and between federal, state and local entities, the American public, international governments, and global industry. The NIPC will play an important role in the new Department of Homeland Security.
National Infrastructure Protection Center (NIPC)
The current mission of the NIPC is to provide "a national focal point for gathering information on threats to the infrastructures" and to provide "the principal means of facilitating and coordinating the Federal Government's response to an incident, mitigating attacks, investigating threats and monitoring reconstitution efforts." Current guidelines define critical infrastructures to be "those physical and cyber-based systems essential to the minimum operations of the economy and government," to include, without limitation, "telecommunications, energy, banking and finance, transportation, water systems and emergency services, both governmental and private." The NIPC is the only organization in the federal government with such a comprehensive national infrastructure protection mission. The NIPC gathers together under one roof representatives from, among others, the law enforcement, intelligence, and defense communities, who collectively provide a unique investigative, analytical, deterrence, and response perspective to threat and incident information obtained from investigation, intelligence collection, foreign liaison, and private sector cooperation. This perspective ensures that no single "community" addresses threats to critical infrastructures in a vacuum; rather, all information is examined from a multi-discipline perspective for potential impact as a security, defense, counterintelligence, terrorism or law enforcement matter, and an appropriate response (often multi-layered) is developed, coordinated, and implemented.
While developing our infrastructure protection capabilities, the NIPC has held firm to two basic tenets that grew from extensive study by the President's Commission on Critical Infrastructure Protection. First, the government can only respond effectively to threats by focusing on protecting assets against attack while simultaneously identifying, investigating, and responding to those who nonetheless would attempt or succeed in launching those attacks. And second, the government can only help protect this nation's most critical infrastructures by building and promoting a coalition of trust, one . . . amongst all government agencies, two . . . between the government and the private sector, three . . . amongst the different business interests within the private sector itself, and four . . . in concert with the greater international community. Therefore, the NIPC has focused on developing its capacity to warn, investigate, respond to, and build partnerships, all at the same time. As our techniques continue to mature and our trusted partnerships gel, we continue to witness ever-better results.
NIPC Watch Center and Multi-Agency Staffing
The NIPC's Watch Center operates around the clock and communicates daily with the DoD and its Joint Task Force for Computer Network Operations (JTF-CNO). The Watch Center is also connected to the watch centers of several of our close allies. The NIPC's ability to fulfill the expectations and needs of its Department of Defense component is achieved by the inter-agency structure of the Center, which includes the NIPC's Deputy Director Rear Admiral James Plehal, USNR, and the NIPC's Executive Director, Steven Kaplan, a Supervisory Special Agent from the Air Force Office of Special Investigations. The staffing of these positions and others indicates the NIPC's commitment to broad, high-level, multi-agency ownership of the NIPC and our partners' collective commitment to achieve meaningful and effective coordination across the law enforcement, intelligence, defense, and other critical government operations communities.
Within the Center, the NIPC has full-time representatives from a dozen federal government agencies, led in number by the FBI and the Department of Defense, as well as from foreign partners (which have included the United Kingdom, Canada, and Australia). We are partners with the General Services Administration's Federal Computer Incident Response Capability (FedCIRC), in order to further secure our government technology systems and services. We also team up regularly with the CIA and NSA to work on matters of common concern.
Cooperative Relationships Among Federal Agencies
The NIPC has established a number of effective information sharing and cooperative investigative relationships across the U.S. Government. For example, a written protocol was signed with the Department of Transportation (DOT), which reinforces how information is shared between DOJ and NIPC and how that information will be communicated. This protocol formalized a long-standing process of information sharing between NIPC and DOJ. Formal information sharing procedures have also been completed with the National Coordinating Center for Telecommunications, FEMA's U.S. Fire Administration, the Food Sector Information Sharing and Analysis Center (ISAC), the Chemical Sector ISAC, and the Information Technology Sector ISAC. Informal arrangements have been established with the Federal Communications Commission, National Response Center, DOT Office of Pipeline Safety, Department of Energy's Office of Emergency Management, and others, which allow the NIPC to receive detailed sector-specific incident reports in a timely manner.
The NIPC functions in a task force-like way, coordinating investigations, analysis, and warning in a multitude of jurisdictions, both domestically and internationally. This is essential due to the transnational nature of cyber intrusions and other critical infrastructure threats.
Interagency Coordination Cell
To instill further cooperation and establish an essential process to resolve conflicts among investigative agencies, the NIPC asserted a leadership role by forming an Interagency Coordination Cell (IACC) at the Center. The IACC meets on a monthly basis and includes representation from U.S. Secret Service, NASA, U.S. Postal Service, Department of Defense Criminal Investigative Organizations, U.S. Customs, Departments of Energy, State and Education, Social Security Administration, Treasury Inspector General for Tax Administration and the CIA. The Cell works to resolve conflicts regarding investigative and other operational matters among agencies and assists agencies in combining resources on matters of common interest. The NIPC anticipates that this cell will expand to include all investigative agencies and Inspectors General in the federal government having cyber or other critical infrastructure responsibilities. The IACC has led to the formation of several task forces and prevented intrusions and compromises of U.S. Government systems. By way of example, the IACC was instrumental in coordinating the augmentation of the PENTTBOM investigation in the aftermath of the September 11 attacks.
Warnings and Advisories
The NIPC sends out infrastructure information to address cyber or infrastructure events with possible significant impact. These are distributed to partners in the private and public sectors. A number of recent advisories sent out by the NIPC (available on our website at www.nipc.gov) serve to demonstrate the continued collaboration between the NIPC and its partners, including FedCIRC. The NIPC serves as a member of FedCIRC's Senior Advisory Council and has daily contact with that entity as well as a number of others including NSA and DoD's Joint Task Force - Computer Network Operations (JTF-CNO). On issues of national concern, the recent incidents involving the Leaves, Code Red and Nimda worms are good examples of the NIPC's success in working with the National Security Council and our partner agencies to disseminate information and coordinate strategic efforts in a timely and effective manner.
The NIPC also manages a number of initiatives which have increased national capabilities to mitigate the terrorist threat and to prepare our response to the events of September 11th. The NIPC has developed the InfraGard initiative into the largest government/private sector joint partnership for infrastructure protection in the world. We have taken it from its humble roots of a few dozen members in just two states to its current membership of over 4,400 partners. It is the most extensive government-private sector partnership for infrastructure protection in the world. InfraGard (with the private sector infrastructure owners and operators) shares information about cyber intrusions and other critical infrastructure vulnerabilities. This service is provided free of charge.
Key Asset Initiative
Since 1998, the NIPC has been developing the Key Asset Initiative, in which over 5,700 entities vital to our national security, including our economic well-being, have been identified. The information is maintained to support the nation's broader effort to protect the critical infrastructures against both physical and cyber threats. This initiative benefits national security planning efforts by providing a better understanding of the location, importance, contact information, and crisis management for critical infrastructure assets across the country. The NIPC has worked with the DoD, EPA, and the Critical Infrastructure Assurance Office (CIAO) in this regard. Following the September 11, 2001, events and at the request of the National Security Council, the NIPC has leveraged the Key Asset Initiative to undertake an all-agency effort to prepare a comprehensive, centralized database of critical infrastructure assets in the United States.
Information Sharing and Analysis Centers
Our multi-agency team works with current and soon to be established ISACs, which represent the critical infrastructures identified in PDD-63, including those that represent the water, financial services, electric power, telecommunications, and information technology sectors. Since September 11, we have provided threat assessments on an ongoing basis for ISAC representatives from those sectors. The NIPC has also taken the lead in managing federal law enforcement's liaison with the 18,000 police departments and Sheriff's offices that bravely serve our nation daily and in times of crisis. The NIPC and the Emergency Law Enforcement Services Sector Forum led the way early last year by completing the nation's first Emergency Law Enforcement Sector Plan together with a "Guide for State and Local Law Enforcement Agencies." This significant achievement represents the nation's first and only completed sector plan and is being used as a model by the other critical infrastructure sectors. Taken together, the Plan and the Guide provide our emergency law enforcement first responders with procedures that are immediately useful to enhance the security of their data and communications systems.
The NIPC established four strategic directions for our capability growth through 2005: prediction, prevention, detection, and mitigation. None of these are new concepts, but the NIPC has renewed its focus on each of them in order to strengthen our strategic analysis capabilities. The NIPC has worked to further strengthen its longstanding efforts in the early detection and mitigation of cyber attacks. These strategic directions will be significantly advanced by our intensified cooperation with federal agencies and the private sector. Our most ambitious strategic direction, integrating investigations with a strengthened "prediction and prevention" capability, is intended to forestall attacks before they occur. We are seeking ways to forecast or predict hostile capabilities in much the same way that the military forecasts weapons threats. The goal here is to combine the expertise of investigators and analysts to forecast these threats with sufficient warning to prevent them. A key to success in these areas will be strengthened cooperation with domestic and foreign intelligence collectors and the application of sophisticated new analytic tools to better learn from day-to-day trends. The strategy of prevention is reminiscent of traditional community policing programs but with our infrastructure partners and key system vendors.
As we work on these strategic directions, we will have many opportunities to stretch our capabilities. With respect to all of these, the NIPC is committed to continuous improvement. The NIPC also remains committed to achieving all of its objectives while upholding the fundamental Constitutional rights of our citizens, including those with respect to the collection of information, the retention of information, and the use of information, as further controlled by statute, regulation, Attorney General Guidelines, and FBI protocols.
The NIPC is also enhancing its strategic analysis capability through a "data warehousing and data mining" project. This will allow the NIPC to retrieve incident data originating from multiple sources. Data warehousing includes the ability to conduct real-time all-source analysis and report generation.
Improving Information Sharing
The NIPC actively exchanges information with private sector companies, the ISACs, members of the InfraGard Initiative, and the public at large as part of the NIPC's outreach and information sharing activities. Through NIPC's affirmative outreach efforts, we receive incident reports from the private sector. The NIPC has proven that it can properly safeguard their information and disseminate warning messages and useful information in return. Private sector reporting of infrastructure incidents is partially responsible for the issuance of more warnings each year.
Each NIPC program is treated with a special focus on the unique concerns and objectives of our partners. When it comes to infrastructure protection, we have learned that there is no single solution. For example, over the past two years the NIPC and the North American Electric Reliability Council (NERC)—the ISAC for the electric power sector—have established an indications, analysis and warning (IAW) program, which makes possible the timely exchange of information valued by both the NIPC and the electric power sector. This relationship is possible because of a commitment both on the part of NERC and the NIPC to build cooperative relations. Following the September 11 attacks, NIPC and NERC held daily conference calls. The close NERC-NIPC relationship is no accident, but the result of two interrelated sets of actions. First, as Eugene Gorzelnik, Director of Communications for the NERC, stated in his prepared statement at the May 22, 2001 hearing before the Senate Judiciary Committee's Subcommittee on Technology and Terrorism:
The NERC Board of Trustees in the late 1980s resolved that each electric utility should develop a close working relationship with its local Federal Bureau of Investigation (FBI) office, if it did not already have such a relationship. The Board also said the NERC staff should establish and maintain a working relationship with the FBI at the national level.
Second, the NIPC and NERC worked for over two years on building the successful partnership that now exists. It took dedicated individuals in both organizations to make it happen. The same type of relationship is now building with the Water Resources Sector and the Association of Metropolitan Water Agencies (AMWA), among others. It is this success and dedication to achieving results that the NIPC is working to emulate with the other ISACs.
The NIPC also continues to meet regularly with current and prospective ISACs from other sectors, particularly the financial services (FS-ISAC), water supply, and telecommunications (NCC-ISAC) sectors, to develop and implement more formal information sharing arrangements, drawing largely on the model developed with the electric power sector. In the past, information exchanges with these ISACs have consisted of a one-way flow of NIPC warning messages and products being provided to the ISACs. However, the NIPC has received greater participation from sector companies as they become increasingly aware that reporting to the NIPC enhances the value and timeliness of NIPC warning products disseminated to their sector and can lead to stopping the threat. Productive discussions with ISACs should significantly advance a two-way information exchange with the financial services industry. The NIPC is currently working to develop and test secure communication mechanisms, which will facilitate the sharing of high-threshold, near real-time incident information. These programs proved praiseworthy as early as March 2001, when the NIPC was commended by the FS-ISAC for its advisory on e-commerce vulnerabilities (NIPC Advisory 01-003). According to the FS-ISAC, that advisory, coupled with the NIPC press conference on March 8, 2001, stopped over 1600 attempted exploitations by hackers on the first day alone immediately following the press conference.
Over the past four years, NIPC has provided training for approximately 3,000 participants from federal, state, local and foreign law enforcement and security agencies. The NIPC's training program complements training offered by the FBI's Training Division as well as training offered by the DoD and the National Cyber Crime Training Partnership. Trained investigators are essential to our successfully combating computer intrusions.
The NIPC provides a national focal point for gathering information on threats to the infrastructures, and the principal means of facilitating and coordinating the Federal Government's response to an incident. The NIPC has been staffed with personnel from across a broad spectrum of federal agencies in order to break down traditional problems associated with separating the government's investigations, analysis, warning, and response functions. The NIPC has undertaken several initiatives to include the private sector as a principal partner in infrastructure protection. As part of the new Department of Homeland Security, as proposed by the President, we look forward to working to continually improve in the coming years in order to master the perpetually evolving challenges of infrastructure protection and information assurance.