Federal critical infrastructure office reaches out to states

The Commerce Department's Critical Infrastructure Assurance Office (CIAO) will host a series of regional conferences in early 2002 to encourage owners of the nation's critical infrastructure to share the lessons they learned from the Sept. 11 terrorist attacks. Information gathered at the conferences, which are intended to facilitate federal outreach to state and local governments, as well as the private sector, will be used to help CIAO develop a compendium of best practices should the nation's critical infrastructure come under cyber attack.

"We want the owners and operators of critical infrastructure to have a dialogue on lessons learned," CIAO Director John Tritak said in an interview with National Journal's Technology Daily. CIAO has scheduled the first meeting for Austin, Texas, tentatively in February, with others to be held in the Northeast and Midwest.

Some of the lessons learned include the need for companies to exercise computer backup plans, which some had not done before Sept. 11. "Part of my job is to make that connect for businesses," Tritak said. It's important "that the level of computer security is connected to a company's bottom line."

As a member of the newly created Critical Infrastructure Assurance Board, CIAO was tapped to be the lead outreach to the board's staff. Tritak said it also supports an inter-agency committee on outreach led by Kenneth Juster, the undersecretary for Commerce's Bureau of Export Administration. Through that organization, CIAO works to ensure that the administration has a consistent message on cyber security throughout government agencies, he said.

CIAO also reaches out to the private sector through seven Information Sharing and Analysis Centers (ISACs), each of which represents a sector of critical infrastructure. They share and receive information on potential cyber attacks, as well as on ways to more effectively secure their businesses. Tritak said the ISACs' success has been a "mixed bag."
"The ISAC is an extraordinary experiment, where you are talking about competitors coming together and sharing with each other their vulnerabilities," Tritak said. Still, since the attacks, Tritak said he believes the ISACs are evolving and that some are more effective than others.

CIAO also is working on identifying regulation that might be needed to help with cyber security, such as the idea that firms would get certain exemptions from the Freedom of Information Act in an effort to keep their security vulnerabilities secret. Tritak said other potential issues include new regulations related to antitrust or liability concerns.

Tritak also said he wants to correct the belief on Capitol Hill that the private sector is doing nothing to protect the nation's critical infrastructure. "Often when I go to talk to staff on the Hill, they have the impression that we aren't doing anything," Tritak said. "If that were true, Wall Street wouldn't have been able to open the Monday after the attacks."