8 January 2000
Source:
http://www.whitehouse.gov/library/Briefings.cgi?date=0&briefing=0
See Executive Summary of the National Plan for Information Systems Protection: http://cryptome.org/cybersec-plan.htm (109K); Zipped: http://cryptome.org/cybersec-plan.zip (32K)
January 7, 2000
PRESS BRIEFING BY CHIEF OF STAFF JOHN PODESTA, SECRETARY OF COMMERCE BILL DALEY, JAMES MADISON UNIVERSITY PRESIDENT LINWOOD ROSE AND NATIONAL COORDINATOR FOR SECURITY, INFRASTRUCTURE PROTECTION AND COUNTER-TERRORISM DICK CLARKE
THE WHITE HOUSE
Office of the Press Secretary
For Immediate Release January 7, 2000
10:25 A.M. EST
MR. LEAVY: Good morning, everybody. As you know, the President
announced his cyber-security plan this morning, and to answer your
questions and talk a little bit more about that with the Chief of Staff,
John Podesta, Secretary of Commerce, Bill Daley, President Linwood Rose of
James Madison University, and joining in the questions will be Dick Clarke,
the President's counterterrorism czar.
Mr. Podesta.
MR. PODESTA: This is the first time I've appeared with a czar, so
excuse me if I'm a little bit nervous. (Laughter.)
The President made his announcement this morning, but I would just
note at the outset that, again, this morning we had a continuing evidence
of a robust economy. This year, we had, in calendar year 1999, we're
looking at an unemployment for the year that's the lowest since 1969, the
lowest Hispanic and African American unemployment rates on record.
The economy continues to perform outstandingly. And part of the
reason for that is the fact that we have a new economy, an economy
that's built on information, technology information, infrastructure. It's
really beginning to move into all aspects of our economy and the way we
handle goods and services.
And just as in the 1950s when we were building an economy based on a
new transportation system, a new interstate highway system and we put
guardrails on that transportation system, we're here today to talk about
how we can better protect the information technology and infrastructure of
the information technology economy -- not only for the government, but for
the private sector, as well. And that's why I'm pleased to be joined by
Secretary Daley and President Linwood Rose from James Madison; and, as Dave
said, Dick Clarke will join us for questions.
The President made the announcement this morning. We have made
substantial boosts in the amount of money that the government is spending
on this effort to protect our critical infrastructure, and this year's
budget will be no exception. We are going to request a 17 percent increase
in funding over the FY 2000 budget, and the proposed spending will be
across the government. We will be seeking an increase of approximately $2
billion, from $1.7 billion, with increases in every agency and every
sector.
One of the greatest boosts, I think, will be -- and Secretary Daley
will speak about this -- will be in the area of research and development.
The R&D now represents 32 percent of our critical infrastructure
protection. It's really important that we do that, that we produce, in
partnership with the private sector and in partnership with the information
technology companies who are at the forefront of this revolution, on new
technologies that can be rapidly put into the information infrastructure to
begin to provide the kinds of protections that we're here to talk about.
So the overall increase in the R&D and R&E portion that we're going to
speak to as part of the President's overall commitment to increases in
research and development which, again, we'll lay out at a future point as we
talk about our budget.
But with that, let me turn it over to Secretary Daley to talk about
the report.
SECRETARY DALEY: Thank you very much, John. As you said, no
question, we have a new economy and we have an economy that is much more
dependent, as we enter this next century, on information technologies. So
our defending of this economy is most important to us, especially at a time
of great economic boom that we're experiencing.
One of the consequences of leading this e-world is that we, as I
mentioned, are more dependent on information technologies in our country,
and therefore we're more subject to new and different kinds of threats. It
is true for our services as governments, and it is also true for the
private sector, whether they are large companies or small companies. In
our opinion, businesses risk going out of business if their computer
networks are obviously disrupted for any great length of time.
This is the first time in American history that we in the federal
government, alone, cannot protect our infrastructure. We can't hire an
army or a police force that's large enough to protect all of America's cell
phones or pagers or computer networks -- not when 95 percent of these
infrastructures are owned and operated by the private sector.
We just spent, as we all know, about $100 billion as a nation, private
sector and the public sector, in correcting the Y2K problem. If people had
thought about this 25 years ago, we may not have had the situation where we
would have had to spend so much. Y2K taught us many things. One is that we
must be prepared. So the President and the Vice President asked us to
develop a national plan to defend America's cyberspace. Twenty-two federal
agencies have worked on this. It is the first attempt by any nation to do
something like this.
Today we have our first version. As you can see, it is designated
version 1.0. (Laughter.) It focuses on what we in the federal government
can do to protect our federal assets. But for this to be a true national
plan, later versions must include, and will include, what the private
sector, and also the state and local governments, can do.
Last month, I met with industry leaders, and we are already in the
process of building a true partnership with them. Cooperation, rather than
new regulations, will bring more resources to the table, and we will
therefore have the opportunity to produce results faster. That is the
political reality, and in our opinion, one of the greatest challenges that
government faces in this century is, how do we deliver services more
effectively. In dealing with the private sector, we can learn a lot from
them. By partnering and sharing information, we can improve our own
efforts, and also work with them to make their systems, and ours, more
secure.
The end result is that we will all, therefore -- and our economy will
be better off. The American people can read this report on our website by
the end of today, on the White House's website, and also on the NSC
website. And if any of you would like a copy for your own files, we'd be
happy to supply them for you.
And it's my pleasure at this point -- there are a number of
universities who are looking and are forward-leaning. About eight
universities are developing curriculums in cybersecurity. One of them is
James Madison University, and it is a pleasure to introduce Lin Rose, the
President of James Madison.
MR. ROSE: Thank you. Good morning. As president of an institution
that, several years ago, recognized the need for information security
education, I'm particularly encouraged by today's news. As a nation, we do
face a critical need for information assurance experts. Our economic
growth has been fueled by our leadership in information technology, and we
have become more dependent upon computing and electronic networks than any
other country in the world.
That distinction also makes us more vulnerable than any other country
in the world. Our information systems, if not carefully protected, may be
accessed by those whose intentions are much more serious than just
mischief. Dependence upon electronic data systems is no longer unique to
computing and telecommunications alone. Power generation, banking and
finance, transportation, water supply and emergency services are all
dependent upon information systems and are susceptible to disruption by
hackers and criminals.
To protect these systems, we must have more information assurance
people -- people who have the talent and expertise to evaluate system
vulnerabilities, who understand encryption methodologies to protect
critical data, and who are able to design trusted systems and provide for
intruder monitoring and detection.
Higher education is the key to providing more of these professionals.
Universities have begun to address this work force need, but if we are to
accelerate the numbers of competent professionals at the rate that is
required, federal support for faculty development and student assistance is
essential.
The standard academic mechanisms and processes are too slow to satisfy
the current and projected demand in a reasonable amount of time. Without
external stimulus and support, we will simply fail to protect our country's
information infrastructure. Like most new professional programs, much of
the activity in information security has been focused at the graduate
level.
For example, with the support and encouragement of Virginia Senators
Warner and Robb, as well as Congressman Goodlatte, at James Madison
University we now offer a master's degree in information security. That
program, intended for working professionals, is the only degree program in
the country provided to students via the Internet. Approximately one-half
of the students are from government, while the remaining participants come
from business and industry. Programs such as this one must be expanded.
It is imperative, however, that we develop undergraduate programs that
will prepare information security specialists. The cyber-service model
advanced in the President's plan will provide incentives to attract
students in greater numbers. The cyber-service will also attract the
interest of colleges and universities who are wrestling with the numerous
curricular opportunities available to them in technology-related fields.
In short, this program, once fully implemented, will produce the
desired results. Eight institutions, designated by the National Security
Agency as centers of excellence in information security education, have
been working with the administration over the last 18 months to examine
methods for expanding information security education. With the
announcement of this plan, others will be certain to join in a national
effort to advance and address this critical work force shortage.
The consortium of these eight universities, along with the National
Colloquium for Information Systems Security Education, which includes
representatives from government, business and education, will continue to
build the necessary curriculum, promote awareness of security issues,
conduct research, establish competency standards and develop an information
clearinghouse, as well as generally promoting the profession. The support
provided through this plan will reinforce and enhance the effort.
By empowering higher education to be part of the solution to the
national information security problem, the President has set forth a plan
that will provide the nation and its citizens with the assurance that our
businesses, our government and our personal interests are secure and
protected. Thank you.
Q Mr. Podesta, would you mind going over those figures again, as to
what the President is asking for, and the increase that is, and what the
breakdown is?
MR. PODESTA: Dick, you want to join us?
Q Gene Randall didn't get that. (Laughter.)
MR. PODESTA: There is a 17 percent increase in funding in the
proposed FY 2001 budget. Proposed spending across the government will
increase to $2.0 billion, from -- the Congress appropriated last year $1.75
billion, based on a request from the administration of $1.77 billion. So
they actually did -- we were successful in achieving most of what we
requested in total dollar amounts. But we're asking now for a 17 percent
increase in that amount to a total of approximately 2.03, I think is the
accurate number.
Do you want to give a little bit more on the breakdown, Dick?
MR. CLARKE: Sure. We have these nice color charts to pass out; if
you haven't already received them, we'll get them to you. As John said,
it's a 17 percent increase that we're asking for in 2001 over the
appropriated money from 2000. There was a similar request, similar
increase last year. So the compounded effect of that over the last two
years is considerable.
The largest increase in the percentage basis is for research and
development. The President, as he said, is proposing an institute for
information infrastructure protection. This is a research organization that
will work closely with the private sector. It's not a building, it's not a
new bureaucracy, it's a funding mechanism so that the federal government
can match private sector funds and plug the holes in the R&D requirements.
R&D will rise under the President's plan from $461 million last year to $621
million in the year 2001.
Q Secretary Daley, this cyber-security version of the G.I. Bill
that the President talked about this morning, what would be the required
service, postgraduate, and in what agencies would these people find
employment?
SECRETARY DALEY: I don't think we've worked out the details as to the
length of service that would be required. We obviously want to work with
the institutions and work with the federal agencies as to what sort of
length of service they thought would be appropriate.
Q Are you talking about two years, three years, four years? It's
four years in the G.I. Bill, isn't it?
MR. CLARKE: Yes. The typical federal requirement is a year of
service for every year -- a year of service for every year of scholarship.
So if, for example, someone had a four-year undergraduate program at James
Madison or somewhere else, we would expect them to do four years of service
in the federal government, in any federal department that wanted them,
helping that federal department to protect its own computer systems. So
these are IT security managers that would help the federal government
improve security on federal computers.
Q Do you know what the job designation would be, in terms of
federal pay scale?
MR. CLARKE: Well, one of the things that the Office of Personnel
Management is looking at --
Q For example, will they make more money than Mr. Leavy or --
(laughter.)
MR. CLARKE: That's not hard. That's not hard.
One of the things that OPM, the Office of Personnel Management, is
looking at is whether or not we have to abandon the normal federal grades
-- GS7, GS8, GS9. For example, if you graduate now with a bachelor's of
science in computer information, typically you would become a GS7. Now,
that's going to earn somewhere in the area of $28,000 to $30,000. That
same person, with that same degree, can go out to the Dulles access road or
Silicon Valley, and earn $90,000 to $120,000. So we have to look
seriously, and OPM is going to look seriously, at adjusting the grade
structure. So we might not use the normal federal grade structure to pay
IT security workers.
Q What's the biggest threat that you're trying to guard against?
Is it hackers and vandalism? Is it criminals? Or is it domestic or
foreign terrorism?
MR. CLARKE: I think it's all of the above. There's a spectrum, from
the teenage hacker who sort of joy rides through cyberspace, up through
industrial espionage, up through fraud and theft. And up at the far end of
the spectrum, to another country using information warfare against our
infrastructure.
Q Mr. Podesta, or Secretary Daley, is the catalyst for this the
situation that happened with the White House computer last year, and
several infiltration situations with some of the federal government
computers last year, as well?
MR. PODESTA: Well, I wouldn't describe that as the catalyst for this.
I think we've been working on this for some time, and have -- as I think
Dick noted, this has been going on in a kind of serious formulation as a
policy for several years, and precedes the situation, which was resolved --
with the hacker at the White House -- with an arrest, that occurred last
year.
But I think that, obviously, every agency, every department of
government, but every private sector institution that's relying on the
information infrastructure. It's not just computers; it's the electric
power grid, it's the other things that we learned so much about during our
run-up to Y2K. The banking, financial industry -- increasingly every
single sector of the economy is tied in, linked through e-commerce, through
the use of computer technology, to this kind of critical infrastructure
which has developed over the course of the '70s, '80s and '90s.
And so I think that it's a high national security priority, to begin
to protect all of the infrastructure, not just the federal government
infrastructure. And that's why we're excited about having a partnership
with the university community and the private sector.
SECRETARY DALEY: Let me just add, what the White House experienced, I
would imagine every agency in the government, we have experienced, from
harmless, seemingly harmless invasions, to others that gave us great
concern. So what happened here was replicated, I would assume, in every
department.
Q A follow-up: how vulnerable are the systems right now?
SECRETARY DALEY: Well, we believe they're much better. I speak for
our agency, and obviously this program that we've put out with the 22
agencies, believe that our federal program right now in protecting our
systems and our assets, is much better than obviously we were before we
went through this process.
Q Secretary Daley, just to follow up on some of the questions here,
can you give us -- what are some credible scenarios for the type of thing
that you're trying to prevent here? We all know about the teenage hacker,
or the cyber-vandal. But can you give us some scenarios for the more
elaborate types of problems --
SECRETARY DALEY: Well, remember when there was that -- when was that
lightning strike in Florida that hit the system, that basically knocked out
--
MR. CLARKE: Two years ago.
SECRETARY DALEY: Two years ago -- knocked out most of the East Coast,
much of the grid along the East Coast. That was obviously an act of
nature. No one, at that point, understood how everything was connected
along the East Coast, and would be so affected for a couple of hours. And
that, I think, woke up not only some of us in government, but surely
affected the private sector's attitude about a better understanding of the
interconnection and our involvement in trying to address this. It will not
be solved, though, without partnership.
Q Okay, you mentioned foreign governments. And to what extent do
foreign governments have the capability to engage in this kind of
disruption? And are you looking at disruptions on the part of foreign
governments to private sector operations, or just the government?
MR. CLARKE: We are aware, now, over the course of the last two years,
that several other nations have developed offensive information warfare
units, organizations, tactics, doctrine and capability. Now, that doesn't
mean they're going to use them. But it means that they're developing them,
they're getting better all the time.
And in a crisis, historically, nations have attacked each other's
infrastructure. Nations have gone after, in warfare situations or crisis
situations, electric power grids, telecommunications, transportation
networks. So it's not inconceivable to have a scenario in the future in
which a future opponent might think that they could attack our civilian,
privately-owned infrastructure through computer attack.
Q Can you say which countries those are?
Q And do we have such an offensive capability ourselves?
MR. CLARKE: You'd have to ask the Defense Department about that.
And, no, we're not going to name names of other countries.
Q Why not? I mean, what's the big secret?
Q Why shouldn't you tell us?
Q The President kicked off this initiative almost two years ago.
And I know that you had a May '99 deadline, or a self-set May '99 deadline
for putting out this report. What's taking so long? And why isn't the
physical protection included in this, because as you have just said, you
can just as easily take down critical infrastructures with physical
attacks.
MR. CLARKE: We had a May 1999 self-imposed deadline. We decided not
to meet that deadline; but, rather, to take the time to get it right; to
take the time to do the sort of consultation that we have done with the
Congress, and with the private sector. Secretary Daley mentioned that last
month he met with 94 companies in New York as part of that consultative
process. As John Podesta said, this is version 1.0. There are going to be
other versions as the dialogue continues with the Congress and with the
private sector.
Q It's my understanding as well that the NIAC hasn't stood up yet?
You don't have a lead for that? Is that true?
MR. CLARKE: The President has signed an executive order to create a
National Infrastructure Advisory Committee, and we are in the process now
of doing the personnel selection for that advisory committee.
Q Gentlemen, there is a real revolution in the way computers are
being used now. Fifteen years ago, it was mainly a business application.
Now, they're in all parts of the home, and the talk is, within a few years
we're going to have IP appliances in people's homes. Shouldn't you be
focusing more effort not just on the private sector but, in fact, on the
general public? And why does part of this report still suggest that much
of this information will be precluded from reaching the general public?
MR. CLARKE: I don't think the report at all suggests that information
is going to be denied to the general public. What we're looking at in
terms of prioritizing our activities are the things which would have the
greatest effect on the greatest number of people. And so, if there were a
computer attack on a power grid, that would have a great effect on millions
of people. It's certainly true that individual computers, your PC at home
could be hacked, but chances are no one is going to do that. The real
threat is to the larger infrastructures and not to an individual home.
Q John, if I could ask you another unrelated question.
Republicans yesterday apparently proposed a package of smaller targeted tax
cuts, including the marriage penalty. Is this the kind of tax cut the
administration could work with the Republicans on, and do you guys have a
position on the marriage penalty tax?
MR. PODESTA: Well, I'd like to think that the Republican leadership
spent some of the time since the break in November listening to their
constituents, and have gotten on a program more similar to the President's
which is to address the critical needs of the country -- Social Security,
Medicare, education, and the other priorities, and come up with a tax cut
that fits within an overall framework of fiscal discipline. They put out
some numbers yesterday that were obviously much more consistent with what
the President was talking about over the course of the last year than the
risky tax scheme they put forward and was rejected by the President, vetoed
by the President, and rejected by the American people.
But I think we need to see the whole plan, and to try to -- hopefully
we can find some consensus, work together, to do those critical priorities
-- to address Social Security, to address Medicare, to make the important
investments that we've talked about. And, as we have said, we think
there's room within the overall context of the surplus to find some
targeted tax cuts that will be aimed at the middle class, that will not be
loaded up in favor of the wealthiest Americans, but that are spread and
aimed at addressing critical priorities.
With respect to the marriage penalty, I think we've said that within
the context of tax relief, that we're open to discussions about tax relief
in that area. But it's got to be part of an overall program that's
fiscally disciplined, and that aims at our key priorities. And, obviously,
we want to aim our tax cuts at the middle class, and the President's
budget, which he will put forward in the next month or so, will aim to do
that.
Q Dick, for those of us who still sort of cling to the old
technology because it never gives you a fatal exception error, how much
distance is it in bridging security between hacking a website and actually
getting into the infrastructure and turning things off?
MR. CLARKE: The same techniques that people use to find
vulnerabilities or back-doors into websites can be used to hack your way
into computer-controlled networks. Things like the power grid and
railroads and whatnot, telecommunications, are computer-controlled
networks. And many of the same principles of finding vulnerabilities and
hacking your way into a website are applied in hacking your way into a
computer-controlled network.
Q How much extra distance is there?
MR. CLARKE: Not much.
MR. LEAVY: I'm sorry, last question.
Q Oh, a question about the Fidnet portion that was very
controversial with civil liberties groups. And how big is the Fidnet to
this whole plan? Is it a central part, or a small piece?
MR. CLARKE: We think the federal government has a positive obligation
to protect the privacy information, and other information on federal
government computer systems. Just as your files, the files about you in
the IRS or elsewhere in the government, are in a file drawer with a lock on
it, and there's a burglar alarm protecting that office in physical space,
so we think there should be a burglar alarm and a lock on files the federal
government has in cyberspace. The federal intrusion detection network that
we propose is just that. It's a burglar alarm for federal files in
cyberspace. It, in no way, will intrude onto private computer systems --
private sector computer systems. It's only a government protection system
for government sites. It's designed to protect privacy and enhance
privacy.
END 10:50 A.M. EST
January 7, 2000
FACT SHEET
THE WHITE HOUSE
Office of the Press Secretary
_______________________________________________________________________
For Immediate Release January 7, 2000
Federal Cyber Services Training and Education Initiative
The President announced today a $25 million funding proposal for the
Federal Cyber Services (FCS) Training and Education initiative led by OPM.
The demand for information technologists and information security
specialists has grown faster than the supply. In both the public and the
private sector, there is a dearth of qualified new professionals in
information security. The National Plan for National Information
Infrastructure, which details the FCS initiative, calls for the following
five programs to address this challenge. Vigorous implementation of these
programs will help address the current shortages of information security
personnel.
* A study by the Office of Personnel Management to identify and develop
competencies for federal information technology (IT) security positions,
and the associated training and certification requirements.
* The development of Centers of IT Excellence to establish competencies
and certify current Federal IT workers and maintain their information
security skill levels throughout their careers.
* The creation of a Scholarship for Service (SFS) program to recruit and
educate the next generation of Federal IT managers by awarding scholarships
for the study of information security, in return for a commitment to work
for a specified time for the federal government. This program will also
support the development of information security faculty.
* The development of a high school recruitment and training initiative
to identify promising high school students for participation in summer work
and internship programs that would lead to certification to Federal IT
workforce standards and possible future employment.
* The development and implementation of a Federal INFOSEC awareness
curriculum aimed at ensuring computer security literacy throughout the
entire Federal workforce.
# # #
January 7, 2000
FACT SHEET
THE WHITE HOUSE
Office of the Press Secretary
________________________________________________________
For Immediate Release January 7, 2000
Institute for Information Infrastructure Protection
The President proposed today the creation of the Institute for Information
Infrastructure Protection to identify and fund research and technology
development to protect America's cyberspace from attack or other failures.
The Institute will fill research and other key technical gaps that neither
the private sector nor the government's national security community would
otherwise address, but that are necessary to ensure the robust, reliable
operation of the national information infrastructure.
The President announced he would propose initial funding of over $50
million for the Institute in his budget to be submitted next month. Funding
would be provided through the Commerce Department's National Institute of
Standards and Technology (NIST).
The Institute was first proposed by the scientists and corporate officials
who served on the President's Committee of Advisors on Science and
Technology, and then supported by leading corporate Chief Technology
Officers (CTOs).
The Institute will work directly with private sector information technology
suppliers and consumers to define research priorities and engage the
country's finest technical experts to address the priorities identified.
Research work will be performed at existing institutions including private
corporations, universities, and non-profit research institutes. The
Institute will also make provisions for private sector funding for some
research activities.
# # #
From: "Alexander, Brad" <Brad.Alexander@mail.house.gov>
To: "Alexander, Brad" <Brad.Alexander@mail.house.gov>
Subject: Barr Letter to Clinton on Cyberterrorism
Date: Fri, 7 Jan 2000 14:14:03 -0500
January 7, 2000
The Honorable William J. Clinton
President of the United States
The White House
1600 Pennsylvania Avenue NW
Washington, D.C. 20500-0003
IN RE: Electronic Infrastructure Protection
Dear Mr. President:
I read with interest reports your 2001 budget proposal will contain a
request for $2 billion in funding to combat possible "cyber-terrorism." I
share your concern about the need to protect American lives and property
from terrorist attack. However, I cannot support such a large funding
request without guarantees that it is truly necessary and will not result in
a system that threatens the privacy of American citizens.
Our nation faces numerous threats from foreign nations, terrorist groups,
and weapons of mass destruction. While the specter of "cyber-terrorism"
makes for interesting news articles and novels, I am dubious the real threat
posed by malicious hackers is as high as that posed by conventional,
biological, chemical, and nuclear weapons. I do think we should take steps
to protect our nation's computer infrastructure, but I hope the novelty and
media interest surrounding electronic terrorism will not spur us to neglect
other threats. For this reason, I encourage you to submit information to
Congress accurately assessing the electronic threat we face, and comparing
it to other threats.
Also, based on the significant privacy threats created by last year's
Federal Intrusion Detection Network (FIDNet) proposal, I hope you will make
protecting the privacy of American computer users a foundational part of any
future proposals, including this one. Under no circumstances will I support
the creation of a nationwide computer security system that functions by
monitoring and profiling the online activities of millions of Americans.
I, and other members, will not support a $2 billion blank check without
detailed information on the threat we face and statutory safeguards
protecting the privacy of American citizens. I urge you to provide this
information and work with us to create such safeguards.
With kind regards, I am,
very truly yours,
BOB BARR
Member of Congress
BB:ba