I'm pleased that Senators Feinstein and Kyl have reconvened this hearing, which originally had been scheduled for May 22 but, unfortunately, had to be postponed because of votes on the floor. It's extremely important that the Judiciary Committee conduct its oversight responsibilities, to examine the progress of the National Infrastructure Protection Center (NIPC) and review the extent to which the NIPC is fulfilling its charter as set forth in Presidential Decision Directive 63.
Cyber-security and critical infrastructure protection are among the most important national security issues facing our country today, and they will only become more challenging in the years to come. Recent attacks on our infrastructure components have taught us that security has been a relatively low priority in the development of computer software and Internet systems. These attacks not only have disrupted electronic commerce, but have also had a debilitating effect on public confidence in the Internet.
Consequently, the issue of public-private cooperation has become essential to the success of the safeguarding of our national infrastructure. We cannot count on the federal government alone to protect our critical infrastructure from cyber-terrorism, because the government doesn't own or operate the networks that carry most of our critical content. The extent to which there is inter-connectivity between the private sector and the government cannot be ignored. So, the private sector is not only needed, it is pivotal in this endeavor. Private industry owns 90 percent of the national infrastructure, yet our country's economic well-being, national defense, and vital functions depend on the reliable operation of these systems.
Recognizing this vital need to coordinate the protection of our critical systems, the NIPC was formed pursuant to the 1998 Presidential Decision Directive 63. We're here today to review the performance of the NIPC relevant to that charter. But frankly, there isn't much here for me to be optimistic about.
It's clear to me that the problems outlined in the GAO report are symptomatic of a poorly conceived mission. I wouldn't take issue with the position that many of the problems experienced by the NIPC can be attributed to a significant lack of definition within the PDD-63 charter. I'm also mindful of the fact that we're reviewing a program that has only been in existence for three years. But I also believe that the deficiencies noted in the GAO report can be attributed to a lack of operational capability. These problems are symptomatic of a much larger issue within the NIPC, and the FBI in particular - the pervasive "culture of arrogance" within the FBI. There has been much agreement on this issue as of late. In fact, I believe that this "arrogance" is the root cause of the many FBI blunders in these past years. One cannot underestimate the negative effect that this culture has had upon the ability of the NIPC to fulfill its mission.
One of the few positive evaluations of the NIPC in the GAO report is in the FBI's coordination of investigations of attacks on "computer crime." But I don't believe this assessment fully takes into account the cooperative spirit called for within the NIPC charter. Instead of being a focal point to coordinate the investigations of various federal law enforcement agencies, the NIPC has simply become a conduit for the FBI to fund its computer crime cases. The FBI's internal culture is just not built on a culture of sharing information with its fellow law enforcement agencies. Consequently, the NIPC shouldn't be held up as an example of success in the field of interagency cooperation. In fact, this is confirmed by the number of participating agencies that have withdrawn from this endeavor. That's because the incoming cases have all been taken by the FBI. The NIPC charter calls upon them to distribute cases according to expertise - but that's not being done.
By its very nature, the FBI does not share information; rather, it restricts information. Getting the criminal is the FBI's first priority, while warning the public is secondary. For example, the NIPC has been tasked by the Presidential Decision Directive to provide timely warning, mitigate attack, and monitor reconstitution efforts. But the mission doesn't stop there. It also includes providing the comprehensive analyses to determine if an attack is underway, the scope and origin of the attack, and the coordination of the government's response. In the real-time confusion of a cyber-attack, the NIPC will have to decide whether or not an incident is an attack which will impact national security, or a criminal act that will require a criminal investigation. These conflicting national responsibilities impede decisions and put the nation at risk. The FBI's methodology for investigating crimes is incompatible with the mission intended for the NIPC. And that's why we should not allow the FBI to further commandeer this program.
If history has proven that the FBI cannot maintain effective partnerships within the federal government or even within their own federal law enforcement community, how can we expect the FBI to establish effective partnerships with the private sector? Can we honestly expect that the widespread aversion within the private sector to entrust sensitive corporate information is any less assuaged by the FBI's stewardship of this program? For an answer, one needs to look no further than the inability of the NIPC to establish successful sharing agreements with all but one of the Information Sharing and Analysis Centers. This is simply not acceptable. We need full and free cooperation between the NIPC and the private sector to establish a true partnership and to foster successful sharing of critical and timely information. The FBI has been unable to accomplish this so far, and I fear may never be able to accomplish this.
The one initiative that does appear to have acquired a successful constituency within the private sector is the InfraGard Program, and I would encourage the continued expansion of this program.
I'd also like to comment on the latest news report that an e-mail worm has infected at least one computer in the NIPC. While I don't have all the details, I am concerned. The NIPC is supposed to be coordinating the effort to protect this nation from cyber attacks, and yet we are now hearing that it may be infecting others? The NIPC is supposed to be analyzing technological problems, yet it is itself creating cyber risks? I want some answers. It's ironic if the NIPC cannot control its own information systems and protect files that may contain sensitive information. We may have another alarm sounding in what has been an earsplitting year of FBI shortcomings.
In conclusion, I'd like to thank the General Accounting Office for their work on this report. But I want to be clear that I take issue with some of their conclusions regarding the PDD-63 framework. I'm aware that our critical infrastructure programs are currently under executive review, and I look forward to their evaluation.