Mr. Chairman, members of the Committee, I am
honored to appear before you today to discuss the critical infrastructure
protection activities proposed for transfer to the new Department of Homeland
Security. I look forward to discussing with you the important role that the
Critical Infrastructure Assurance Office (CIAO) would play in this new
Department.
It is very clear in this current environment that
the country needs a single, unified homeland security structure that will
improve protection against today's threats and be flexible enough to help meet
the unknown threats of the future. The creation of the Department of Homeland
Security is the most sweeping reorganization of our national security
establishment in over 50 years. However, this decision was made on the basis of
careful study and experience gained since September 11. The Administration
considered a number of organizational approaches for the new Department proposed
by various commissions, think tanks, and Members of Congress. The Secretary of
Commerce, the Under Secretary and I - as well as all other senior management at
the Commerce Department - fully support the President's plan and stand ready
to undertake necessary efforts to facilitate the creation of the new Department
as soon as possible.
The new Department of Homeland Security would be
organized into four divisions: Border and Transportation Security; Emergency
Preparedness and Response; Chemical, Biological, Radiological and Nuclear
Countermeasures; and Information Analysis and Infrastructure Protection. The new
department will be comprised mainly of existing organizational elements located
in other Federal departments and agencies. For example, my office, the CIAO, now
located in the Department of Commerce's Bureau of Industry and Security, will
become part of the new Information Analysis and Infrastructure Protection
Division.
I would like to take this opportunity to provide
some background on the CIAO and to discuss briefly some of the specific
activities and initiatives we are currently undertaking on cyber security and
homeland security.
II. Background on the Critical Infrastructure Assurance Office
The CIAO is not a new arrival to the homeland
security effort: we have been working to realize the objective of critical
infrastructure assurance for four years. The CIAO was created in May 1998 by
Presidential Decision Directive 63 (PDD-63) to serve as an interagency office
located at the Department of Commerce to coordinate the Federal Government's
initiatives on critical infrastructure assurance.
On October 18, 2001, Executive Order 13231 (the Order), entitled
"Critical Infrastructure Protection in the Information Age," was issued, and the CIAO
began serving as a member of and an advisor to the newly created President's
Critical Infrastructure Protection Board (the Board). The Board was created to
coordinate Federal efforts and programs relating to the protection of
information systems and networks essential to the operation of the nation's
critical infrastructures. In carrying out its responsibilities, the Board fully
coordinates its efforts and programs with the Assistant to the President for
Homeland Security.
III. Major CIAO Activities and Initiatives
CIAO's responsibilities for developing and
coordinating national critical infrastructure policy focus on three key areas:
(A) promoting national outreach and awareness campaigns both in the private
sector and at the state and local government level; (B) assisting Federal
agencies to analyze their own risk exposure and critical infrastructure
dependencies; and (C) coordinating the preparation of an integrated national
strategy for critical infrastructure assurance.
A. Outreach and Awareness
The Federal government acting alone cannot hope
to secure our nation's critical infrastructures. The national policy of
infrastructure assurance can only be achieved by a voluntary public-private
partnership of unprecedented scope involving business and government at the
Federal, State, and local levels. Forging a broad-based partnership between
industry and government lies at the heart of the CIAO's mission.
Private Sector Partnerships:
CIAO has developed and implemented a nation-wide industry outreach program
targeting senior corporate leadership responsible for setting company policy and
allocating company resources. The challenge of such an effort is to present a
compelling business case for corporate action. The primary focus of the CIAO's
efforts continues to be on the critical infrastructure industries (i.e.,
information and communications, banking and finance, transportation, energy, and
water supply). The basic thrust of these efforts is to communicate the message
that critical infrastructure assurance is a matter of corporate governance and
risk management. Senior management is responsible for securing corporate assets
- including information and information systems. Corporate boards are
accountable, as part of their fiduciary duty, to provide effective oversight of
the development and implementation of appropriate infrastructure security
policies and best practices.
In addition to infrastructure owners and
operators, the CIAO's awareness and outreach efforts also target other
influential stakeholders in the economy. The risk management community -
including the audit and insurance professions - is particularly effective in
raising matters of corporate governance and accountability with boards and
senior management. In addition, the investment community is increasingly
interested in how information security practices affect shareholder value - a
concern of vital interest to corporate boards and management.
In partnership with these communities, the CIAO has worked to translate
potential threats to critical infrastructure into business case models that
corporate boards and senior management can understand. Corporate leaders are
beginning to understand that tools capable of disrupting their operations are
readily available not merely to terrorists and hostile nation states but to a
wide range of potential "bad actors." As a consequence, they are
beginning to grasp that the risks to their companies can and will affect
operational survivability, shareholder value, customer relations, and public
confidence.
The CIAO has also worked actively to facilitate greater communication among the
private infrastructure sectors themselves. As individual Federal lead agencies
under PDD-63 formed partnerships with their respective critical infrastructure
sectors, private industry representatives quickly identified a need for
cross-industry dialogue and sharing of experience to improve the effectiveness
and efficiency of individual sector assurance efforts. In response to that
expressed need, the CIAO assisted its private sector partners in establishing
the Partnership for Critical Infrastructure Security (PCIS). The PCIS provides a
unique forum for government and private sector owners and operators of critical
infrastructures to address issues of mutual interest and concern. It builds
upon, without duplicating, the public-private efforts already being undertaken
by the Federal Lead Agencies.
State and Local Government Partnerships:
The CIAO has developed an outreach and awareness program for state and local
governments to complement and support its outreach program to industry. State
and local governments provide critical services that make them a critical
infrastructure in themselves. They also play an important role as catalyst for
public-private partnerships at the community level, particularly for emergency
response planning and crisis management. The issue of securing the underlying
information networks that support their critical services was a relatively new
issue before September 11. State and local governments tend to be well organized
as a sector, with multiple common interest groups.
Similar to its program for industry, the CIAO has laid out a plan to implement
outreach partnerships with respected and credible channels within state and
local government. CIAO has also met with the National Governors Association and
the National Association of State Chief Information Officers to encourage input
into the National Strategy for Cyberspace Security.
The front lines for the new types of threats facing our country, both physical
and cyber, clearly are in our communities and in our individual institutions.
Smaller communities and stakeholders have far fewer resources to collect
information and analyze appropriate actions to take. Consequently, in February
of this year, the CIAO began a series of four state conferences on Critical
Infrastructures: Working Together in a New World, designed to collect lessons
learned and applied from the events of September 11 from New York, Arlington,
and communities across the United States. The intent of this conference series
is to deliver a compendium of community best practices at the end of the first
quarter of 2003. The first conference was held in Texas and the second in New
Jersey. The last two will be held in the latter part of 2002 and the first
quarter of 2003.
Homeland Security Information Integration Program:
The Administration is proposing in the President's Fiscal Year 2003 budget
request to establish an Information Integration Program Office (IIPO) within the
CIAO to improve the coordination of information sharing essential to combating
terrorism nationwide. The most important function of this office will be to
design and help implement an interagency information architecture that will
support efforts to find, track, and respond to terrorist threats within the
United States and around the world, in a way that improves both the time of
response and the quality of decisions. Together with the lead federal agencies,
and guided strategically by the Office of Homeland Security, the IIPO will: (a)
create an essential information inventory; (b) determine horizontal and vertical
sharing requirements; (c) define a target architecture for information sharing;
and (d) determine the personnel, software, hardware, and technical resources
needed to implement the architecture. The foundation projects will produce
roadmaps (migration strategies) that will be used by the agencies to move to the
desired state.
B. Federal Asset Dependency Analysis - Project Matrix
The CIAO also is responsible for
assisting civilian Federal departments and agencies in analyzing their
dependencies on critical infrastructures to assure that the Federal government
continues to be able to deliver services essential to the nation's security,
economy, or the health and safety of its citizens, notwithstanding deliberate
attempts by a variety of threats to disrupt such services through cyber or
physical attacks.
To carry out this mission, the CIAO developed
"Project Matrix," a program designed to identify and characterize
accurately the assets and associated infrastructure dependencies and
interdependencies that the U.S. Government requires to fulfill its most critical
responsibilities to the nation. These are deemed "critical" because
their incapacitation could jeopardize the nation's security, seriously disrupt
the functioning of the national economy, or adversely affect the health or
safety of large segments of the American public. Project Matrix involves a
three-step process in which each civilian Federal department and agency
identifies (i) its critical assets; (ii) other Federal government assets,
systems, and networks on which those critical assets depend to operate; and
(iii) all associated dependencies on privately owned and operated critical
infrastructures.
Early experience with the CIAO's Project Matrix process has demonstrated such
significant utility that the Office of Management and Budget has recently issued
a directive requiring all Federal civilian agencies under its authority to fund
and perform the analysis.
C. Integrated National Strategy for Critical Infrastructure Assurance
Finally, the CIAO also plays a major role with
respect to the development and drafting of the two national strategies relating
to critical infrastructure protection - the National Strategy for Cyber Space
Security and the National Strategy for Homeland Security. Specifically, the CIAO
coordinates and facilitates input from private industry, as well as state and
local government, to the national strategies. The Office of Homeland Security
has enlisted the CIAO to provide coordination and support for its efforts to
compile information and private sector input to its strategy to protect the
physical facilities of critical infrastructure systems. The CIAO, working with
its private sector partners, also has been instrumental in coordinating input
from the private sector to the cyber space security strategy.
The American economy is the most successful in
the world. However, in the information age, the same technological capabilities
that have enabled us to succeed can now also be turned against us. Powerful
computing systems can be hijacked and used to launch attacks that can disrupt
operations of critical services that support public safety and daily economic
processes.
As the President and Governor Ridge have noted,
today no Federal Agency has homeland security as its primary mission.
Responsibilities for homeland security are dispersed throughout the Federal
Government. The President's plan would combine key operating units that
support homeland security so that the operations and activities of these units
could be more closely directed and coordinated. This will serve to increase the
efficiency and effectiveness of the Federal Government's critical
infrastructure assurance and cyber security efforts.
The CIAO looks forward to continuing its role in
advancing critical infrastructure protection policy in the new Department of
Homeland Security. Thank you for the opportunity to appear before you today. I
welcome any questions that you may have.