INTERVIEW: John S. Tritak, FIDnet's defender
He tackles a unique security challenge
GCN:'Let's talk about the controversy surrounding the planned Federal Information Detection Network. The concept appears to be plagued by privacy concerns. Are those concerns warranted?
|This past summer, two weeks after becoming director of the Critical Infrastructure Assurance Office, John S. Tritak was called before a congressional committee to respond to lawmakers' concerns that the Clinton administration would use the proposed Federal Information Detection Network to monitor private-network traffic.|
Tritak told the lawmakers that would not be the case.
The incident illustrates the types of hurdles that Tritak said he faces almost daily as he formulates the administration's National Infrastructure Assurance Plan. Rumors about what the plan does or does not contain run rampant.
What the plan definitely will do is detail how the federal government and industry can work together to respond to threats to the nation's critical infrastructures'attacks on the country's electric grid or its financial markets, for example.
Before coming to work at the Commerce Department, Tritak practiced law at the Washington law firm of Verner, Liipfer, Bernhard, McPherson and Hand.
But CIAO is not his first foray into government service; he previously held senior adviser posts at the State Department.
Tritak has a bachelor's degree from State University of New York at Brockport, a master's in war studies from the University of London's Kings College and a law degree from Georgetown University.
GCN staff writer Christopher J. Dorobek interviewed Tritak at his office in Washington.
TRITAK: It is unfortunate that the FIDnet plan was leaked and then taken out of context. Certain inaccuracies were circulated, the first one being that somehow FIDnet was going to be some Big Brother system and wired into the private sector. That simply isn't the case.
FIDnet will be an intrusion detection system installed at various agencies for the purpose of detecting and warning other agencies of potentially malicious activities. In cases where sensors suggest potentially malicious activities, that data would be sent to a central analysis center at the General Services Administration for further analysis.
The purpose is to get a broad picture of what is going on with the civilian side of government, or non-Defense Department systems. Sometimes anomalous behavior is anomalous because the agency has not seen it. But a central center could determine whether the behavior is something to worry about. Alternatively, something may be anomalous and some other things may be going on at the same time that suggest a problem.
If activity rose to a level that suggested a potential criminal activity, GSA would send the data along to the National Infrastructure Protection Center's Analysis and Warning Center. The center, however, is still not a law enforcement agency.GCN:'But NIPC is part of the FBI, isn't it?
TRITAK: It is associated with the FBI, but it is not a law enforcer. It is an interagency center housed at the FBI. The point is that even for data to get to NIPC, it will already have gone through a filter at GSA, where people who are appropriately skilled would be looking at this stuff.
Today, irrespective of FIDnet, an agency that gets an alarm from a detection network can send that information to a law enforcement agency. In fact, agencies are obligated by law to do that.
So FIDnet does not confer any additional legal authority on the federal government than already exists. It will have to comply with all the privacy rules and laws.GCN:'What is FIDnet's relationship with the private sector?
TRITAK: This is where things really got confused. NIPC currently develops alerts about questionable activities. What the government has offered is that if private-sector organizations participate in the planned information sharing and analysis centers, NIPC would make the reports available to them. That is different from saying they are part of the ongoing monitoring by the network. They are not.GCN:'Are privacy groups involved in FIDnet's development?
TRITAK: There is an effort under way to begin to engage the privacy groups in the broader national plan, which would include FIDnet.
The government, however, also has privacy issues. The American public expects the government to protect certain information. Some of that information is about individuals, and the fact is that there are a lot of intrusion attempts.
It's not a trade-off between privacy and no privacy. It's a trade-off between staying consistent with privacy requirements but recognizing new obligations and responsibilities that flow from the realities of the information age. But at no time are we talking about undercutting privacy or undercutting civil liberties.GCN:'Can you explain the role of the Critical Infrastructure Assurance Office?
TRITAK: Our job is to implement Presidential Decision Directive 63. PDD 63 is about addressing the threats to the nation's critical infrastructures, both cyber- and physical threats. There is particular emphasis on the interdependencies that have developed as a result of the information age'interdependencies that have changed the nature of the threats.
PDD 63 has created a unique security challenge, a challenge the government cannot overcome alone. It is unique when you compare it to all other national security challenges, wherein the government has had the ability to direct the resources to address the threats'basically by building more bombers and building more missiles.
Here, you have a national security concern, but the government cannot directly control how the threatened infrastructures are protected because 95 percent of them are privately owned.
To craft the kind of requirements that will actually result in the robust protection of critical infrastructures requires the work of two cultures: a government culture and a private-sector culture. We're finding that one of the biggest hurdles we have to overcome is raising the level of awareness of what this new challenge means and persuading industry that this effort is in their business interest.
Following on that is the notion that if we are calling upon the owners of infrastructures to take prudent measures to deal with the potential negative implications, the government needs to serve as a model.
So many of the initiatives in the national plan will demonstrate the degree of seriousness the government is putting into this effort.GCN:'So what role does CIAO play in all this?
TRITAK: We are essentially a policy coordinating organization. We assist other federal agencies in pulling together their plans and integrating them into the national plan. We are also assisting in an analysis of the government's own dependencies on the nation's critical infrastructures.GCN:'One problem has been that companies are concerned about giving information to the government for fear of it becoming public knowledge.
TRITAK: That has been a concern, so we see this developing in different stages.
The first level is just encouraging industry organizations to come together voluntarily to share information among themselves. The view is that by sharing this information, the level of protection goes up.
At the second level, the government has said that if information sharing and analysis centers are formed, the government will provide information that may be of value in helping the private-sector organizations get a clearer picture of what their business environment looks like. That will help with risk management plans.
The final level would be the sharing of information between industry and government. The federal government, with its broader view, might be able to make better sense of what is going on and improve security overall.GCN:'There are still many agency executives who do not understand the importance of security, and they don't fully understand why they have to spend a large amount of money on it.
TRITAK: That's why we're putting together the plan under PDD 63. The initial six-month time frame for putting together the plan was probably overly optimistic.
' Age: 39
' Family: Wife, Kathie; daughter, '''Georgia
' Pets: Dog, Reilly
' Last book read:
Ender's Shadow by '''Orson Scott Card
There was consensus about what needed to be done. But the plan required getting a consensus across 22 agencies that have different levels of experience with these issues.
And let's face it: Security is always something that is difficult to fund over and above the agencies' primary missions.
When you have a tight budget and you need to fund those programs that are essential to the primary mission, there is always a conflict. To some extent, the conflict is similar to the ones faced by the private sector.