UNCLASSIFIED COMMISSION SENSITIVE
MEMORANDUM FOR THE RECORD

Type of event: Conference
Date: Jan 12-13, 2004
Special Access Issues: None
Prepared by: Emily Walker
Team Number: 8
Location: MCI Convention Center, Washington DC
Participants - Non-Commission: Private Sector, DHS, other Government employees
Participants - Commission: Emily Walker

The Department of Homeland Security held a two-day conference that brought together private sector participants to hear about DHS and how they can work together. The meeting was chaired by Gen. Libutti, Undersecretary of DHS for Critical Infrastructure, and his team, Asst. Sec. Liscouski and Al Martinez-Fonts, Private Sector Liaison for DHS.

The meeting was opened by Adm. Loy. His main comments were that DHS, along with other agencies, and the private sector needed a partnership to collectively raise the paradigm for security and improve security at privately owned facilities. He saw the need for a network of virtually invisible security partnerships that makes progress in all fields. He said that there is a challenge associated with the marketplace in terms of the absorption of costs associated with security, and this will be dealt with as constructively as possible. As in normal business, he assumes that the cost of security will be shared with consumers. The reality of 9-11, which is different from WWI and the cold war, is that this war is on our homeland, which is why every citizen, business, state and local government must find their own role. He was asked how he sees the government and the private sector coordinating with each other. He said it will be an integration of efforts and a funding stream from Fed/State/Local and private sector. He said it was the burden of DHS to pursue the outreach effort and communicate directions and allow understanding in both directions. He said that they will learn together.
He commented on DHS working with other agencies around the world and will work with the UN and other agencies to set standards that address terrorism (he used MTO activities as an example).

Al Martinez-Fonts spoke and said that engaging the private sector is a competitive strategy for DHS. He said we are working together in a new world. He said that his private sector office is trying to reach across America through partnerships with trade organizations, business roundtable and the like. He is charged with several tasks: 1) direct line of communication between DHS and private sector, independently and in conjunction with the IAIP directorate, to foster a strategic dialogue; 2) analyzing the impact of DHS programs on the private sector; 3) creating an advisory committee. He sees information sharing as a three-legged stool: 1) timely, accurate, and actionable; 2) guidelines and standards with carrot and stick; 3) DHS helping with training. He said that the private sector aims to share best practices through personnel and database, which he used last week when they lowered the threat level. He is also doing outreach for DHS to the private sector and state and local governments. He is working on the business case for homeland security. He sees the money spent as an investment, not an expenditure. It must be a give and return. He introduced the new privacy person at DHS.

Nuala O'Connor Kelly, the new Chief Privacy Officer for DHS, spoke. She said her responsibility is to ensure the responsible use of personal information and public trust and confidence in the department. The reality of the many new directorates at DHS is that they are very small, so they must leverage the private sector. She believes it is possible to preserve privacy at DHS, and that the necessary legal policies and protections need to be built in initially in any process. Her office will review privacy plans. There are ways to share information across the public and private sector responsibly.

General Libutti introduced his team: Matt Broderick, Ret. Marine General, who is Ops Center Director; Gen. Pat Hughes, Asst. Sec. Information Analysis; Bob Liscouski, Asst. Sec. Information Analysis.

Liscouski spoke and talked about how to partner with the private sector: 1) Identify critical assets. He said that the USG understands these but needs to normalize the understanding with the private sector. They are actively engaged with the business roundtable, the phones, ISAC and the Homeland Security Advisory Council. He said that DHS must understand the private sector world. 2) Collaboration in implementation, and 3) Communication.
He said that on the Government side, sharing information that enabled implementation of protective measures was key, as well as evaluation of metrics and measuring their effectiveness. He said the Government needs assistance in developing methodologies, tools and programs to enable the identification of terrorist threats and protection activities. He gave examples of the process moving from orange to yellow: he called people. He suggested that there were 5 tenets of the public-private sector relationship: 1. Understand threat; 2. ID critical assets; 3. ID vulnerabilities; 4. Programs to protect against threats; 5. Metrics (feedback loop).

Pat Hughes, the Director of the Ops Center, gave a General Threat Overview. He said that he needs input from the private sector, the guy on the street. He needs help and judgment on activities happening on the street. He needs the private sector to help them place things into context, an explanation from the private sector vantage point. He said that the "new normalcy" equates to threat and protection capabilities.

Matt Broderick reported about the Operations Center. He said that they collect intelligence and pull it together and pass it on, as well as act as a HUB in the event of a crisis. He said that there are 30 agencies in HSOC, and they collect information and then decide if there is a threat. He described the daily process where the Secretary of DHS speaks with the President at 6:00 am (with CIA, FBI) and at 06:30 law enforcement sends a piece out. In the case of incident management, the Ops Center sits at the top of the pyramid, bringing information from state and local as well as private sector back to DHS.
He coordinates the Interagency Incident Management Group (IIMG) with Sr. reps from agencies, where he provides situational awareness to different people depending on the event. The HSOC comprises 30 agencies. HSOC provides situational awareness to different people in the IIMG depending on the event. HSOC coordinates all Government actions in an incident. IIMG includes the private sector. The HSOC monitors conventions, soccer matches, etc. There is a Joint Field Office which coordinates all Govt. actions in any incident. They determine 1) what you need to know; 2) how long to get it all together; 3) what interaction is needed; 4) what assets you have.

Pat Hughes, Asst. Sec. for Information Analysis, spoke about the information analysis office. He said that this office provides information to take decisions. The question is how to get information, classified and unclassified, to the private sector. Tom Claus is liaison with other intelligence organizations and state and local governments and the private sector.

Jim Caverly, Director of the Infrastructure Coordination Division, spoke about the ISAC management team and how they get the advisory out to the private sector. The Information Sharing and Analysis Centers control the process of getting information to the private sector. In 1997 the ISACs were started. They were designed for information sharing. It was carried forward in HSPD-7. The difference is that information sharing has moved beyond cyber to all sectors. ISACs in all sectors are different. Some are complex and require all major players to come together. They need information to flow both ways, between the sectors and DHS and vice versa. Also, they need to do analysis of the information; they need a partnership with the private sector on the analytical process. DHS needs to understand the threat to the sector and what is meaningful. Also, ISACs are how DHS engages the private sector during an incident. Also, they want to share best practices and how to share common threats.

ISAC isn't the only way to communicate, but they are looking at ways to communicate directly as well. In terms of a local incident, DHS says that they are not in the picture. FEMA goes in and finds out what is needed. DHS is the focal point in DC. FEMA does incident management. DHS is situational awareness only. IIMG makes recommendations and courses of action for the President and Secretary of DHS. Libutti said they are working on a local web-based communication system with the private sector which is not ready yet but will be soon. He said they are looking at ways to communicate more efficiently. Some ISACs have developed their own communication mechanisms which DHS is trying to leverage across ISACs. A question came up about whether or not DHS is being fed information to deceive. The answer was given that it can happen, that it does happen criminally in business, and they are aware of this. A question came up on whether or not DHS is using the media enough to get its message out. DHS said that they don't push the media in any direction.
The National Communications System (NCS) was discussed by Brent Green, Director. He said that NCS is always in partnership with the communications sector. It is a protected and trusted relationship. The National Security Telecommunications Advisory Committee advises the President. There is a Network Security Information Exchange, which is an active forum that shares sensitive information on threats and turns it around into best practices. The main thrust of NCS is coordinating with industry and military to get telecom up and running. It gives priority access and prioritization of switches (cellular and land lines).

Jim McDonald runs the Infrastructure Protection Division. It assigns analysts to reach out to the sector, and it needs to turn it into something meaningful for the private sector. The same people who understand incidents talk to ops people to build situational awareness. It also maintains awareness of what's happening in infrastructure. They are concerned about events and the interruptions of goods and services and the disruption of the infrastructure.

Amit Yoran is in charge of the cyberspace directorate. This division is the national focal point for addressing cyber security issues in the U.S. His role is to identify, analyze, and reduce threats and vulnerabilities, disseminate threat warning information, coordinate incident preparedness, response and recovery, and serve as national focal point for the public and private sector regarding cyber security issues. He mentioned the blackout and the role critical infrastructure plays. A common thread is dependence on a robust, functioning and secure cyber infrastructure. He said that the same technology that gives us the power is the one that is a national weakness or risk unless we address it. Our job as owners and operators of critical infrastructure is to do it. Technology can be used against us. His mission is to ID and reduce threats and communicate them.

Products to help us do that are on the website to help tech and non-tech people to be alert on cyber security. The goals of his group are to lead the implementation of the US National Strategy to Secure Cyberspace, to continue to partner with the private sector, to engage the individual home user, and to create an international alert system on cyber security threats and incidents.

James McDonnell, Director of the Protective Security Division, spoke next. He said that this is a community-based program which can only be successful if it is implemented at the local level: prevention programs that begin at the gate. He said that the focus was on the terrorist; better buffer zones are needed in place at all locations. They are working with the Brits and Israelis. His goals are to develop common criteria for target selection; create methodologies for vulnerability identification; develop community-based planning and prevention; and conduct threat/vulnerability mapping and protective action.

Jim Caverly, Director of Infrastructure Coordination, spoke. This group serves as the infrastructure knowledge and expertise for IAIP and the Department by sustaining core sector capabilities, maintaining operational awareness, and fostering strategic and working-level relationships with the owners and operators of the nation's critical infrastructure. They are setting up teams of analysts to cover industries. These industry experts are the main face-off against the industries for DHS, so that they know the issues faced by the industries and serve DHS with that knowledge.
The next discussion was a panel on "best practices". Suzanne Gorman from the Financial Services ISAC spoke. She said that this ISAC has been more fully developed since 9-11 and reached down further into the sector. (I believe it was previously largely IT related and with few members.) Suzanne said that ISACs are member organizations. There are dues in three categories with associated benefits. Members can join for free and get minimal information. The other categories are $750 or $10,000, $25,000, and $50,000. They meet twice a year and have bi-weekly conference calls. They need additional money to get the information out from the ISAC and recently received funding from the Treasury Dept. They send alerts to members (paid and non-paid). They also recognize that these ISACs have further development needs.

Libutti said that as the private sector wants "one-stop" shopping from DHS, DHS wants to find a more efficient way to get information out, to engage in a decision-making process. He believes that the ISAC council is a leadership model, a way to carry things forward. The question is how far they need to spread the ISACs and develop them. ISACs currently are in the most critical infrastructure sectors. But since small businesses are the growth areas for the country, we want to reach all folks and give them information as well. But information sharing must go both ways, he said. He said that IAIP is not investigatory, but they are looking to ask questions of critical infrastructure. He questioned what the balance was between carrots and sticks to get groups to discuss and perform. He said that one can have a relaxed discussion, but at the end of the day, the story is about critical infrastructure protection, how well we did it. It's not about collaboration, not about taking the soft side. It's about how well we actually protected the critical infrastructure, how well we have reconstituted after an attack.

He is developing a metrics dashboard to give a snapshot on how fast the alert went out and how it impacted the sector. There was a discussion of privacy laws and, with those in place, how to keep information flowing back to DHS. The head of privacy at DHS said that privacy statements must be meaningful and in place in order to share information. It is important to train employees not to give out information publicly about location, operations etc. In the spring of 2003, she said, they are going to work on making connections with other ISACs to improve relationships where there are interdependencies among the sectors. DHS said that they are looking to build a business case for the ISACs where the marketplace takes security seriously, with metrics to determine how well they are doing.

I attended a panel discussion in which many interesting points were discussed. Verizon asked that additional clarification be given on the change in alerts, particularly when it was implied after the threat was lowered that it was only lowered for some parts of the country. Also, they suggested that more specificity was needed as to whether the threat was physical or cyber. Northern Trust of Chicago said that they have a set process in their organization which, depending on the level of threat, has specific actions associated with each level. He also belongs to BITS, which has a set of best practices for each color code. He was concerned, however, that the change in color code did not mention sectors and was not specific on what people should do. American Electric said it cost them $160,000 a day to stay on orange. They also commented that when the threat was reduced, some of the entities stayed on high alert (as they did) because the threat reduction was not clear as to what it applied to. Also, American Electric said that some cities said they could not afford to be on orange and just did not change when the alert happened. DHS answered that terrorism is a local event and ultimately a local decision. DHS can't force them to make a certain decision. The private sector has to make their own decision. PEPCO's director of IT said that they have a checklist for various alerts with certain things they do depending on what information is given to them. They have a concept of "orange lite" if they don't feel the need to take full orange-level measures.

There was a discussion of small and medium-sized enterprises and how they can get into ISACs and receive information. Jerry Hauer (former OEM NYC) said that small businesses become links in the chain to big utilities and critical infrastructure, and there is this whole issue of getting down further into the "food chain". The BITS chief of staff said that they have the 100 largest firms as members, but also reach out to the small firms. They have developed "Threat Assistance Advisory Guidelines" and ASIS has broadened this. BITS feels that having a sector coordinator and a council to which all associations belong is important, and ISAC fits that bill. That is a way even the smallest institutions belong to associations. She was confused on the difference between sector coordinator, sector council and ISACs. She wanted to know who the managing partner in this relationship was. Verizon said that information from DHS needs to come from a single source. He finds that they receive information in a variety of different ways and it is often confused and conflicting.

It also is not clear that the information is sent to the appropriate people in the company who need to know the information. IAAM (Int'l Association of Assembly Managers) spoke and discussed their view that the sector must organize itself and do what works for the sector. This is not DHS's decision, although DHS can assist and push if pushing is needed. Another company spoke and said that there are significant costs associated with the color alert changes. He felt that everyone is at the conference because they are here to help. He asked how the private sector can work with DHS to develop the business case. If the private sector owns the critical infrastructure, if it must incur costs, and if it is in the interest of the private sector to maintain the system, then things must be done to provide incentives for business to do the right thing. He suggested tax reductions, liability reductions, and insurance incentives.
Jerry Hauer (who was chairing the session) said that the security issues are falling off the main mind of CEOs and we need to make it attractive for the CEO to keep this on the forefront. He felt there is a great deal of work to be done, that we must maintain the sustainability of these programs.

General Reimer, from the MIPT (Oklahoma), said that people are starting to get complacent. He said, however, that we can't measure deterrence. He also suggested that there needs to be more specificity on the color code. He felt the ISACs needed to be expanded. He views them as a vertical point that needed to be horizontally integrated with DHS. He said that the private sector is unwilling to share information due to privacy acts, and until we figure out truth and reality, we won't get anywhere. He also felt that we need to give the exact message to CNN and media in order to get out what DHS wants to convey.

J. Hauer felt that complacency was a real issue. He feels that DHS is an evolving agency, that there are still holes in the system and process in terms of better preparation and communication. The BITS representative said that this is a private sector responsibility, that no one is competitive on this topic, and that the private sector needed very committed people working on this issue at a very senior management level in order to make it work. Al Martinez-Fonts said that DHS also needed to reach out more to state and local governments to have them reach the local private sector.

The key issues that were raised at this session were the following:
• Need for improved information flow process from DHS
• Need for clarification of sector coordinator and ISACs
• Need for protections in place for private sector information sharing
• Challenge to meet mid- to small-sized companies
• Concern about complacency
• Need for business case for ongoing attention to homeland security
• Need for incentives
• Need for systematic approach to vulnerability assessments

Assistant Secretary Liscouski said that there is a liability issue. He feels that there is NOT a common understanding of where the responsibilities are. There is not a baseline of security by industry. That needs to occur. Then there can be incentives to reach the baseline, and DHS would give a seal of approval. Then he believes there would be a framework for where liability begins.

Richard Grano, head of UBS Paine Webber, spoke on the closure of the market. He said that the debate ran the gamut, with some wanting to get the markets open on Thursday regardless of the risk. But he and others felt that if the market was opened prematurely, it would have shattered the confidence of the market. He said the most heroic effort came from Verizon, which worked 24/7 to get things up and running. They ultimately decided to open the market on Monday and bond markets on Thursday. AMEX moved to NYSE. The market fell precipitously 7.1%, with over 2.37 bn shares being traded in an all-time record, but there was a tremendous sigh of relief when it all worked. He said that the Fed put in $323 bn to help the brokerage units with liquidity issues. He said the closure of the market cost the industry $5 billion, but the loss of lives was incalculable.

In terms of Paine Webber's responsibilities, Grano said that they put their communications plan into action at the mid-town headquarters. They conducted trading in Stamford and IT in New Jersey. The big issue was finding employees. They also had never assumed they could not get back into their building. They relocated the branch office, identified who could not get home, and talked to families of the victims. They provided Cantor space and Lehman trading floors. It was the first time there was camaraderie in the industry. His war room was manned by senior people. All issues were 24/7. They gave $5 mn for relief but waited to see who needed it before they gave it out. As CEO, he felt he had to set the tone for the whole company. He had the first convention back in the city after 9-11.

Lessons learned: Disaster recovery and business continuity are totally different. Don't assume CEOs understand that risk/reward analysis is economic in scope. You need to articulate the cost/benefit (what will it cost me? What are my liabilities?). He said to express the importance of cyber and physical. He said emergency contact information is important, and the biggest shortfall was people did NOT know where to go. Now they have back-ups. Everyone needs to know where they are on the food chain ... where do they go. He used the blackout as another example. He said to expect the unexpected. He gave the example of the CEO of Lehman who only had one copy of the business disruption insurance policy and he could not get back in his building. Today he feels there is some sense that the worst is over. There is a level of normalcy. But he said, "We are at war". This is not a one-time event. Up until 9-11, when we heard about an event, we tried to prosecute. But now we are dealing with ideology. They are a religion divided by nations. They have a purpose. They are relentless. We cannot view the world through our sense of values, fairness, and compromise. They do not believe this. He asked how we now connect the dots.

He believes that the Homeland Security Advisory Council provides advice on developing and coordinating the importance of a comprehensive national strategy. He is looking at something like the Baldrige award. It can't be a national strategy unless you protect critical infrastructure. You can't harmonize corporations unless you do this within the same industry first. Once you coalesce an industry, you move outside. He said that companies must appreciate event risk, test their plans, collaborate with peers, take a lead and assign a person to the task across lines within your authority. He believes it will take all efforts.

Attachments: Slides from meeting
Critical Infrastructure Protection: Private Sector/DHS Partnership
Bob Liscouski, Assistant Secretary for Infrastructure Protection
Homeland Security, Information Analysis and Infrastructure Protection
The majority of the critical infrastructure is owned by the private sector and a strong private-public partnership is essential to drive protection activities.

Private Sector Responsibilities
• Sharing of information relevant to the protection of critical assets
• Collaboration in the implementation of protective measures in times of high threat to the critical infrastructure
• Communication with the government to report changes in threat environment, success of protection programs, and gaps in protective activities.

Government Responsibilities
• Enabling the implementation (and providing) protective
• Evaluation of metrics and measures of their effectiveness
• Assistance in developing methodologies, tools, and programs to enable identification and protection activities
• Advocacy of effective measures undertaken by the private sector
Diagram (only the labels are recoverable): Critical Assets, Programs, Metrics
Homeland Security Operations Center (HSOC) Missions

Daily Responsibilities
• Collect information from LE/intelligence sources to help in deterring, detecting, and preventing terrorist incidents
• Maintain & share daily domestic situational awareness

Incident Management Responsibilities
• Act as the primary National level hub for operational communications & information sharing pertaining to domestic incident management
• Act as a primary conduit for Domestic Situational Awareness for the White House Situation Room

HSOC Intelligence Mission
On a daily basis, attempt to identify the terrorist threat to the US
- Who or what is approaching or crossing the borders, residing within the borders, that could bring harm to the US
- Daily, collect and fuse information from internal and external intelligence and law enforcement agencies
- Within 24 hours, decide whether it is or is not a threat
- If a threat, pass the data on to DHS's IAIP for deeper analysis & share to other F/S/L LE & intelligence agencies
Information Sharing and Analysis Centers (ISACs)
Provide the mechanism to facilitate the sharing of infrastructure-related information, including threats and vulnerabilities, incidents and events, potential protective measures, and best practices.
NCSD Mission
The National Cyber Security Division (NCSD) is the National focal point for addressing cyber security issues in the United States. Mission components include:
• Identifying, analyzing and reducing threats and vulnerabilities
• Disseminating threat warning information
• Coordinating incident preparedness, response and recovery
• Serving as national focal point for the public and private sector regarding cyber security issues
...Implement the National Strategy...
Goals
• Lead the implementation of the U.S. National Strategy to secure cyber space
• Continue to partner with the private sector
• Engage the individual home user
• Established channels of communications for cyber security awareness and protection
• Create international alert system on cyber security threats & incidents
Protect the nation's critical infrastructure for all levels of business
Diagram (only the label is recoverable): Identify Assets

PSD Leadership Team
Director: Jim McDonnell
Deputy Director: John Weidner
Operations Directorate:
  Deputy for Operations: Alex DeAlvarez
  Planning and Mission Analysis: Mark Milicich
  Exercise Program: Mike Smith
Section Chiefs:
  Control Systems: Mike Lombard
  Physical Targets: Jon Maclaren
  Protective Measures: Dave DeAngelis
  Risk Analysis: Sam Speedie
  Field Operations: Cornelius Tate
  Vulnerability Identification: Bill Flynn