Testimony Before The
House Select Committee on Homeland Security
Subcommittee on Cyber Security, Science and Research & Development and
Subcommittee on Infrastructure and Border Security
“The DHS Infrastructure Protection Division: Public-Private
Partnerships to Secure Critical Infrastructure”
by
Diane VanDe Hei
Vice Chair, ISAC Council and
Executive Director
Association of Metropolitan Water Agencies and WaterISAC
April 21, 2004
Introduction
Good afternoon, Chairman Thornberry, Chairman Camp, and distinguished
members of the subcommittees. It is an honor and a privilege to meet with you
today to discuss the private sector interaction with the Department of Homeland
Security (DHS).
I would like to thank both the Cyber Security, Science, Research & Development
Subcommittee and the Infrastructure and Border Security Subcommittee for
creating this important opportunity and inviting the ISAC Council to be here
today.
My name is Diane VanDe Hei. I serve as Vice Chair of the Information Sharing
and Analysis Center (ISAC) Council.
I am also Executive Director of the
Association of Metropolitan Water Agencies as well as the Water Information
Sharing and Analysis Center (WaterISAC).
Backround
ISACs originated when the Federal Government issued its policy on Critical
Infrastructure Protection, otherwise known as Presidential Decision Directive 63.
PDD-63 has been replaced with HSPD-7, to authorize and encourage national
critical infrastructures to develop and maintain ISACs between the private sector
in cooperation with federal government as a means of strengthening security and
protection against cyber and operations attacks.
The ISAC Council
Homeland security presents significant challenges for the ISAC community and
we look forward to working directly with you in the coming months. The work you
are doing is extremely important and you have the commitment of the ISAC
2
Council to do everything we can to assist in protecting the critical infrastructures
of the United States.
I am here today to briefly discuss the ISAC Council and its role in protecting
critical infrastructures.
Members of the subcommittees, the ISAC Council
voluntarily formed almost two years ago.
Our goals are to discuss
interdependencies and how we can develop better communications – among the
various sectors and across borders – as well as what information should be
shared on both physical and cyber issues within the sectors and with the
government.
The Council has grown from representing eight sectors to include 14 sectors. In
addition to the private sector membership, the ISAC Council also includes
government ISAC’s such as Emergency Management and Response who report
to DHS as well as the Multi-state ISAC.
Early on the ISAC Council saw the need to be a very inclusive group. Although
each of our sectors is unique in composition they are also intimately intertwined
with each other, and a catastrophe in one sector can impact many others. We
have seen this on a number of occasions. Take 9/11 for example, we had a
physical impact on the twin towers, which impacted telecommunications and
electric services, as well as closing Wall Street for four business days.
Additionally, the northeast power outage impacted several sectors including
drinking water, wastewater, transportation and small businesses alike.
To improve the ISACs and to help communicate with government, the ISAC
Council has developed eight white papers that reflect the collective analysis of
members of the ISAC Council and cover a broad set of issues and challenges.
The topics include:
• Government – Private Sector Relations
3
• HSPD-7 Issues and Metrics
• Information Sharing and Analysis
• Integration of ISACs into Exercises
• ISAC Analytical Efforts
• Policy Framework for the ISAC community
• Reach of the Major ISACs
• Vetting and Trust
These papers recognize the critical leadership role played by the private sector,
with respect both to the operational infrastructures established in ISACs for
analysis and information sharing and in the interaction of ISACs with the
Department of Homeland Security and other government agencies addressing
the challenges of critical infrastructure protection. We have shared these papers
with Hill staff, DHS and GSA.
We believe that these papers are only the beginning steps in tackling the serious
policy and process issues challenging the implementation of an effective private
sector and government information sharing and analysis partnership. The ISAC
Council is continuing to work on concrete actions to increase ISAC support to the
nation. To facilitate this effort, the ISAC Council members communicate on a
daily basis (conference calls or by email) on operations and on a as needed
basis for large new vulnerability announcements and/or incidents.
Government – Private Sector Partnerships
One of the primary challenges to government and the private sector is the
establishment of trusted partnerships. I believe we all agree that partnerships
between government and the private sector are essential and since 9/11, it has
become even more critical for these partnerships to mature in order to effectively
address homeland security issues.
4
As you all know, trusting partnerships cannot be legislated, regulated, or even
stipulated. Nor can partnerships be purchased, traded or incorporated.
Partnerships are built between people and organizations that recognize the value
in joint collaboration toward a common end. They are fragile entities that need
to be established and maintained by all participants and built upon a
foundation of trust.
We have learned that our ISAC’s need the full support and confidence of certain
key elements of the government to create and maintain a successful and
comprehensive security plan. Furthermore, we are also keenly aware that we,
the critical infrastructures, need to maintain a trusted relationship with our
government partners so that we can work with them and their staffs to maintain
the delicate balance between security and privacy.
Our relationship with DHS has had a few bumps in the road, but overall we have
progressed and, I believe, have a common goal and agree on the strong need to
partner in information sharing and analysis.
As with the maturation of DHS, so have each of our collective ISAC’s. I do
believe that the government assisting the private sector with baseline funding for
certain sectors is ideal. The WaterISAC, for example, has received funding from
Congress and the U.S. Environmental Protection Agency (EPA) while we
continue to build the private sector contribution to the ISAC.
Although the
information on the WaterISAC -- available to 54,000 community water systems
(90 percent publicly owned and 10 percent investor owned) and 15,000 publicly
owned treatment works -- is available to all subscribers, our fee for service to
these utilities is tiered based on population served. By doing so, we hope to
make the WaterISAC affordable to all drinking water and wastewater utilities. In
addition with the help of congressional funding, this year we will broaden the
reach of the WaterISAC by developing a push email system that will be capable
5
of reaching thousands of drinking water and wastewater utilities with federal
advisories and notices.
Other ISACs, as you might expect, are structured differently depending on the
composition of the sector and the breadth and scope of the services the sector
decides is needed. That being said, we must keep our ISAC models in tact,
meaning that the government should not attempt to dictate how the individual
ISACs are structured nor how information is provided, analyzed and reported to
government.
On a very positive note, DHS has agreed to pilot the HSIN network with the water
and electric sectors and has also provided funding to do tabletop exercises with
the Financial, Telecommunications, and Electric Sectors.
In addition, DHS IAIP regularly meets with the ISAC Council and listens to many
of our concerns regarding the need for their strong support of the ISACs and the
improvement of our information sharing capabilities.
Summary
The ISAC Council plays an important role in homeland security.
It brings
together diverse sectors, examines commonalties and most importantly cements
trusting partnerships that allows us to share information, learn the best from each
other and enhance communication among interdependent sectors.
If I could leave you with two recommendation it would be these: We need your
help to ensure that the private sector’s investment in their ISACs is built upon
and strengthened. Once lost, this type of voluntary commitment will be very
difficult if not impossible to rebuild. Secondly, we need your help to insist that the
private sector be included “up front” in the analysis of intellligence. Government
6
must learn to trust infrastructure owners/operators with real information that
allows us to apply our resources in a smart way to protect the infrastructure.
Thank you for the opportunity to testify today. I would be happy to answer any
questions.
7