
UNCLASSIFIED

COMMISSION SENSITIVE

MEMORANDUM FOR THE RECORD

Type of event: Conference


Date: Jan 12-13, 2004
Special Access Issues: None
Prepared by: Emily Walker
Team Number: 8
Location: MCI Convention Center, Washington DC
Participants - Non-Commission: Private Sector, DHS, other Government employees
Participants - Commission: Emily Walker

The Department of Homeland Security held a two-day conference that brought together private sector participants to hear about DHS and how they can work together. The meeting was chaired by Gen. Libutti, Under Secretary of DHS for Critical Infrastructure, and his team, Asst. Sec. Liscouski and Al Martinez-Fonts, Private Sector Liaison for DHS.

The meeting was opened by Adm. Loy. His main comments were that DHS, other agencies, and the private sector need a partnership to collectively raise the paradigm for security and improve security at privately owned facilities. He saw the need for a network of virtually invisible security partnerships that makes progress in all fields. He said that there is a challenge associated with the marketplace in terms of absorbing the costs associated with security, and that this will be dealt with as constructively as possible. As in normal business, he assumes that the cost of security will be shared with consumers. The reality of 9-11, which is different from WWI and the Cold War, is that this war is on our homeland, which is why every citizen, business, state and local government must find their own role.

He was asked how he sees the government and the private sector coordinating with each other. He said it will be an integration of efforts and a funding stream from Fed/State/Local and the private sector. He said it is the burden of DHS to pursue the outreach effort, communicate directions and allow understanding in both directions. He said that they will learn together. He commented that DHS is working with other agencies around the world and will work with the UN and other agencies to set standards that address terrorism (he used MTO activities as an example).

Al Martinez-Fonts spoke and said that engaging the private sector is a competitive strategy for DHS. He said we are working together in a new world. He said that his private sector office is trying to reach across America through partnerships with trade organizations, the Business Roundtable and the like. He is charged with several tasks: 1) a direct line of communication between DHS and the private sector, independently and in conjunction with the IAIP directorate, to foster a strategic dialogue; 2) analyzing the impact of DHS programs on the private sector; 3) creating an advisory committee. He sees information sharing as a three-legged stool: 1) timely, accurate, and actionable information; 2) guidelines and standards with carrot and stick; 3) DHS helping with training. He said that the private sector aims to share best practices through personnel and a database, which he used last week when they lowered the threat level. He is also doing outreach for DHS to the private sector and state and local governments. He is working on the business case for homeland security. He sees the money spent as an investment, not an expenditure. It must be a give and return. He introduced the new privacy person at DHS.

Nuala O'Conner Kelly, the new Chief Privacy Officer for DHS, spoke. She said her responsibility is to ensure the responsible use of personal information and public trust and confidence in the department. The reality of the many new directorates at DHS is that they are very small, so they must leverage the private sector. She believes it is possible to preserve privacy at DHS, and that the necessary legal policies and protections need to be built in initially in any program. Her office will review privacy plans. There are ways to share information across the public and private sectors responsibly.

General Libutti introduced his team: Matt Broderick, retired Marine General, who is Ops Center Director; Gen. Pat Hughes, Asst. Sec. for Information Analysis; Bob Liscouski, Asst. Sec. for Infrastructure Protection. Liscouski spoke about how to partner with the private sector: 1) Identify critical assets. He said that the USG understands these but needs to normalize the understanding with the private sector. They are actively engaged with the Business Roundtable, the phones, ISACs and the Homeland Security Advisory Council. He said that DHS must understand the private sector world. 2) Collaboration in implementation. 3) Communication. He said that on the Government side, sharing information that enables implementation of protective measures is key, along with evaluation of metrics and measures of their effectiveness. He said the Government needs assistance in developing methodologies, tools and programs to enable the identification of terrorist threats and protection activities. He gave examples of the process of moving from orange to yellow: he called people. He suggested that there are 5 tenets of the public-private sector relationship: 1. Understand the threat; 2. ID critical assets; 3. ID vulnerabilities; 4. Programs to protect against threats; 5. Metrics (feedback loop).

Pat Hughes, Asst. Sec. for Information Analysis, gave a general threat overview. He said that he needs input from the private sector, the guy on the street. He needs help and judgment on activities happening on the street. He needs the private sector to help place things into context, with an explanation from the private sector vantage point. He said that the "new normalcy" equates to threat and protection capabilities.

Matt Broderick reported on the Homeland Security Operations Center (HSOC). He said that they collect intelligence, pull it together and pass it on, as well as acting as a hub in the event of a crisis. He said that there are 30 agencies in the HSOC, and they collect information and then decide if there is a threat. He described the daily process, where the Secretary of DHS speaks with the President at 6:00 am (with CIA, FBI) and at 06:30 law enforcement sends a piece out. In the case of incident management, the Ops Center sits at the top of the pyramid, bringing information from state and local governments as well as the private sector back to DHS.

He coordinates the Interagency Incident Management Group (IIMG), made up of senior reps from agencies, where the HSOC provides situational awareness to different people depending on the event. The HSOC coordinates all Government actions in an incident. The IIMG includes the private sector. The HSOC monitors conventions, soccer matches, etc. There is a Joint Field Office which coordinates all Govt. actions in any incident. They determine 1) what you need to know; 2) how long it takes to get it all together; 3) what interaction is needed; 4) what assets you have.

Pat Hughes, Asst. Sec. for Information Analysis, spoke about the Information Analysis office. He said that this office provides information on which to make decisions. The question is how to get information, classified and unclassified, to the private sector. Tom Claus is the liaison with other intelligence organizations, state and local governments and the private sector.

Jim Caverly, Director of the Infrastructure Coordination Division, spoke about the ISAC management team and how they get advisories out to the private sector. The Information Sharing and Analysis Center (ISAC) controls the process to the private sector. The ISACs were started in 1997. They were designed for information sharing, and this was carried forward in HSPD-7. The difference is that information sharing has moved beyond cyber to all sectors. The ISACs are all different; some are complex and require all major players to come together. Information needs to flow both ways, between the sectors and DHS and vice versa. They also need to analyze the information, and they need a partnership with the private sector on the analytical process. DHS needs to understand the threat to each sector and what is meaningful. ISACs are also how DHS engages the private sector during an incident. They also want to share best practices and common threats. ISACs aren't the only way to communicate; DHS is also looking at ways to communicate directly.

In terms of a local incident, DHS says that they are not in the picture. FEMA goes in and finds out what is needed. DHS is the focal point in DC. FEMA does incident management. DHS is situational awareness only. The IIMG makes recommendations and courses of action for the President and the Secretary of DHS.

Libutti said they are working on a local web-based communication system with the private sector which is not ready yet but will be soon. He said they are looking at ways to communicate more efficiently. Some ISACs have developed their own communication mechanisms, which DHS is trying to leverage across ISACs.

Question came up about whether or not DHS is being fed information to deceive. The answer given was that it can happen, that it does happen criminally in business, and that they are aware of this.

Question came up on whether or not DHS is using the media enough to get its message out. DHS said that they don't push the media in any direction.

The National Communications System (NCS) was discussed by Brent Green, Director. He said that NCS is always in partnership with the communications sector; it is a protected and trusted relationship. The National Security Telecommunications Advisory Committee advises the President. There is a Network Security Information Exchange, an active forum that shares sensitive information on threats and turns it into best practices. The main thrust of NCS is coordinating with industry and the military to get telecom up and running. It gives priority access and prioritization on switches (cellular and land lines).

Jim McDonald runs the Infrastructure Protection Division. It assigns analysts to reach out to the sectors, and it needs to turn information into something meaningful for the private sector. The same people who understand incidents talk to ops people to build situational awareness. The division also maintains awareness of what's happening in the infrastructure. They are concerned about events, interruptions of goods and services and disruption of the infrastructure.

Amit Yoran is in charge of the National Cyber Security Division (NCSD). This division is the national focal point for addressing cyber security issues in the U.S. His role is to identify, analyze, and reduce threats and vulnerabilities, disseminate threat warning information, coordinate incident preparedness, response and recovery, and serve as the national focal point for the public and private sectors regarding cyber security issues. He mentioned the blackout and the role critical infrastructure plays. A common thread is dependence on a robust, functioning and secure cyber infrastructure. He said that the same technology that gives us our power is also a national weakness and a risk unless we address it. Our job as owners and operators of critical infrastructure is to do so. Technology can be used against us. His mission is to identify and reduce threats and communicate them. Products to help us do that are on the website, to help both technical and non-technical people be alert to cyber security. The goals of his group are to lead the implementation of the U.S. National Strategy to Secure Cyberspace, to continue to partner with the private sector, to engage the individual home user, and to create an international alert system for cyber security threats and incidents.

James McDonnell, Director of the Protective Security Division, spoke next. He said that this is a community-based program which can only be successful if it is implemented at the local level, with prevention programs that begin at the gate. He said that the focus was on the terrorist; better buffer zones are needed at all locations. They are working with the Brits and Israelis. His goals are to develop common criteria for target selection, create methodologies for vulnerability identification, develop community-based planning and prevention, and conduct threat/vulnerability mapping and protective action.

Jim Caverly, Director of Infrastructure Coordination, spoke. This group serves as the infrastructure knowledge and expertise for IAIP and the Department by sustaining core sector capabilities, maintaining operational awareness, and fostering strategic and working-level relationships with the owners and operators of the nation's critical infrastructure. They are setting up teams of analysts to cover industries. These industry experts are the main face-off against the industries for DHS, so that they know the issues faced by the industries and serve DHS with that knowledge.

The next discussion was a panel on "best practices". Suzanne Gorman from the Financial Services ISAC spoke. She said that this ISAC has been more fully developed since 9-11 and has reached down further into the sector. (I believe it was previously largely IT related and with few members.) Suzanne said that ISACs are member organizations. There are dues in three categories with associated benefits. Members can join for free and get minimal information. The other categories are $750 or $10,000, $25,000, $50,000. They meet twice a year and have bi-weekly conference calls. They need additional money to get the information out from the ISAC and recently received funding from the Treasury Department. They send alerts to members (paid and non-paid). They also recognize that these ISACs have further development needs.

Libutti said that as the private sector wants "one-stop" shopping from DHS, DHS wants to find a more efficient way to get information out and to engage in a decision-making process. He believes that the ISAC council is a leadership model, a way to carry things forward. The question is how far they need to spread the ISACs and develop them. ISACs currently exist in the most critical infrastructure sectors. But since small businesses are the growth areas for the country, we want to reach all of them and give them information as well. Information sharing must go both ways, he said. He said that IAIP is not investigatory, but they are looking to ask questions of critical infrastructure. He questioned what the balance between carrots and sticks was to get groups to discuss and perform. He said that one can have a relaxed discussion, but at the end of the day the story is about critical infrastructure protection and how well we did it. It's not about collaboration, not about taking the soft side. It's about how well we actually protected the critical infrastructure, how well we have reconstituted after an attack. He is developing a metrics dashboard to give a snapshot of how fast the alert went out and how it impacted the sector.

There was a discussion of privacy laws and, with those in place, how to keep information flowing back to DHS. The head of privacy at DHS said that privacy statements must be meaningful and in place in order to share information. It is important to train employees not to give out information publicly about location, operations etc.

In the spring of 2003, she said, they are going to work on making connections with other ISACs to improve relationships where there are interdependencies among the sectors. DHS said that they are looking to build a business case for the ISACs where the marketplace takes security seriously, with metrics to determine how well they are doing.

I attended a panel discussion in which many interesting points were discussed. Verizon asked that additional clarification be given on changes in alerts, particularly when it was implied, after the threat was lowered, that it was only lowered for some parts of the country. They also suggested that more specificity was needed as to whether the threat was physical or cyber. Northern Trust of Chicago said that they have a set process in their organization which, depending on the level of threat, has specific actions associated with each level. He also belongs to BITS, which has a set of best practices for each color code. He was concerned, however, that the change in color code did not mention sectors and was not specific on what people should do. American Electric said it costs them $160,000 a day to stay on orange. They also commented that when the threat was reduced, some entities stayed on high alert (as they did) because the threat reduction was not clear as to what it applied to. American Electric also said that some cities said they could not afford to be on orange and just did not change when the alert happened. DHS answered that terrorism is a local event and ultimately a local decision. DHS can't force them to make a certain decision. The private sector has to make its own decision.

PEPCO's director of IT said that they have a checklist for various alerts, with certain things they do depending on what information is given to them. They have a concept of "orange lite" if they don't feel the need to take full orange-level measures.

There was a discussion of small and medium-sized enterprises and how they can get into ISACs and receive information. Jerry Hauer (former OEM NYC) said that small businesses become links in the chain to big utilities and critical infrastructure, and there is this whole issue of getting further down the "food chain".

The BITS chief of staff said that they have the 100 largest firms as members, but also reach out to the small firms. They have developed "Threat Assistance Advisory Guidelines", and ASIS has broadened this. BITS feels that having a sector coordinator and a council to which all associations belong is important, and the ISAC fits that bill. That is a way for even the smallest institutions to belong to associations. She was confused about the difference between sector coordinator, sector council and ISACs. She wanted to know who the managing partner in this relationship was.

Verizon said that information from DHS needs to come from a single source. He finds that they receive information in a variety of different ways and it is often confused and conflicting. It is also not clear that the information is sent to the appropriate people in the company who need to know it.

IAAM (International Association of Assembly Managers) spoke and discussed their view that the sector must organize itself and do what works for the sector. This is not a DHS decision, although DHS can assist and push if pushing is needed.

Another company spoke and said that there are significant costs associated with the color alert changes. He felt that everyone is at the conference because they are here to help. He asked how the private sector can work with DHS to develop the business case. If the private sector owns the critical infrastructure, if it must incur costs, and if it is in the interest of the private sector to maintain the system, then things must be done to provide incentives for business to do the right thing. He suggested tax reductions, liability reductions, and insurance incentives.

Jerry Hauer (who was chairing the session) said that security issues are falling off the main mind of CEOs and we need to make it attractive for the CEO to keep this at the forefront. He felt there is a great deal of work to be done, and that we must maintain the sustainability of these programs.

General Reimer, from the MIPT (Oklahoma), said that people are starting to get complacent. He said, however, that we can't measure deterrence. He also suggested that there needs to be more specificity in the color code. He felt the ISACs needed to be expanded. He views them as a vertical point that needs to be horizontally integrated with DHS. He said that the private sector is unwilling to share information due to privacy acts, and until we figure out truth and reality, we won't get anywhere. He also felt that we need to give the exact message to CNN and the media in order to get out what DHS wants to convey.

J. Hauer felt that complacency was a real issue. He feels that DHS is an evolving agency, and that there are still holes in the system and process in terms of better preparation and communication.

The BITS representative said that this is a private sector responsibility, that no one is competitive on this topic, and that the private sector needs very committed people working on this issue at a very senior management level in order to make it work.

Al Martinez-Fonts said that DHS also needed to reach out more to state and local
governments to have them reach the local private sector.

The key issues that were raised at this session were the following:
• Need for an improved information flow process from DHS
• Need for clarification of sector coordinator and ISACs
• Need for protections in place for private sector information sharing
• Challenge to reach mid- to small-sized companies
• Concern about complacency
• Need for a business case for ongoing attention to homeland security
• Need for incentives
• Need for a systematic approach to vulnerability assessments

Assistant Secretary Liscouski said that there is a liability issue. He feels that there is NOT a common understanding of where the responsibilities lie. There is no baseline of security by industry; that needs to occur. Then there can be incentives to reach the baseline, and DHS would give a seal of approval. Then, he believes, there would be a framework for where liability begins.

Richard Grano, head of UBS Paine Webber, spoke on the closure of the market. He said that the debate ran the gamut, with some wanting to get the markets open on Thursday regardless of the risk. But he and others felt that if the market was opened prematurely, it would have shattered the confidence of the market. He said the most heroic effort came from Verizon, which worked 24/7 to get things up and running. They ultimately decided to open the market on Monday and the bond markets on Thursday. AMEX moved to the NYSE. The market fell precipitously, 7.1%, with over 2.37 bn shares being traded in an all-time record, but there was a tremendous sigh of relief when it all worked. He said that the Fed put in $323 bn to help the brokerage units with liquidity issues. He said the closure of the market cost the industry $5 billion, but the loss of lives was incalculable.

In terms of Paine Webber's responsibilities, Grano said that they put their communications plan into action at the mid-town headquarters. They conducted trading in Stamford and IT in New Jersey. The big issue was finding employees. They had also never assumed they could not get back into their building. They relocated the branch office, identified who could not get home, and talked to families of the victims. They provided Cantor space and Lehman trading floors. It was the first time there was camaraderie in the industry. His war room was manned by senior people. All issues were 24/7. They gave $5 mn for relief but waited to see who needed it before they gave it out. As CEO, he felt he had to set the tone for the whole company. He held the first convention back in the city after 9-11.

Lessons learned: Disaster recovery and business continuity are totally different. Don't assume CEOs understand that risk/reward analysis is economic in scope. You need to articulate the cost/benefit (what will it cost me? what are my liabilities?). He said to express the importance of both cyber and physical. He said emergency contact information is important, and the biggest shortfall was that people did NOT know where to go. Now they have back-ups. Everyone needs to know where they are on the food chain ... where do they go. He used the blackout as another example. He said to expect the unexpected. He gave the example of the CEO of Lehman, who had only one copy of the business disruption insurance policy and could not get back into his building.

Today he feels that some sense that the worst is over. There is a level of normalcy. But, he said, "We are at war". This is not a one-time event. Up until 9-11, when we heard about an event, we tried to prosecute. But now we are dealing with ideology. They are a religion divided by nations. They have a purpose. They are relentless. We cannot view the world through our sense of values, fairness, and compromise. They do not believe this.

He asked how we now connect the dots. He believes that the Homeland Security Advisory Council provides advice on developing and coordinating a comprehensive national strategy. He is looking at something like the Baldridge award. It can't be a national strategy unless you protect critical infrastructure. You can't harmonize corporations unless you do this within the same industry first. Once you coalesce an industry, you move outside it. He said that companies must appreciate event risk, test their plans, collaborate with peers, take a lead and assign a person to the task across lines within your authority. He believes it will take all efforts.

Attachments:
Slides from meeting

Critical Infrastructure Protection: Private Sector/DHS Partnership
Bob Liscouski, Assistant Secretary for Infrastructure Protection
(Slide footer on each slide: Homeland Security, Information Analysis and Infrastructure Protection)

The majority of the critical infrastructure is owned by the private sector and a strong private-public partnership is essential to drive protection activities.

Private Sector Responsibilities:
• Sharing of information relevant to the protection of critical assets
• Collaboration in the implementation of protective measures in times of high threat to the critical infrastructure
• Communication with the government to report changes in the threat environment, success of protection programs, and gaps in protective activities

Government Responsibilities:
• Enabling the implementation (and providing) of protective measures
• Evaluation of metrics and measures of their effectiveness
• Assistance in developing methodologies, tools, and programs to enable identification and protection activities
• Advocacy of effective measures undertaken by the private sector

(Slide diagram: cycle of Critical Assets, Programs, Metrics)
Homeland Security Operations Center (HSOC) Missions

Daily Responsibilities
• Collect information from LE/intelligence sources to help in deterring, detecting, and preventing terrorist incidents
• Maintain & share daily domestic situational awareness

Incident Management Responsibilities
• Act as the primary National level hub for operational communications & information sharing pertaining to domestic incident management
• Act as a primary conduit for Domestic Situational Awareness for the White House Situation Room

HSOC Intelligence Mission
On a daily basis, attempt to identify the terrorist threat to the US:
- Who or what is approaching or crossing the borders, or residing within the borders, that could bring harm to the US
- Daily, collect and fuse information from internal and external intelligence and law enforcement agencies
- Within 24 hours, decide whether it is or is not a threat
- If a threat, pass the data on to DHS's IAIP for deeper analysis & share with other F/S/L LE & intelligence agencies

Information Sharing and Analysis Centers (ISACs)
Provide the mechanism to facilitate the sharing of infrastructure-related information, including threats and vulnerabilities, incidents and events, potential protective measures, and best practices.

NCSD Mission
The National Cyber Security Division (NCSD) is the National focal point for addressing cyber security issues in the United States.

Mission components include:
- Identifying, analyzing and reducing threats and vulnerabilities
- Disseminating threat warning information
- Coordinating incident preparedness, response and recovery
- Serving as national focal point for the public and private sector regarding cyber security issues
... Implement the National Strategy ...

Goals
• Lead the implementation of the U.S. National Strategy to secure cyber space
• Continue to partner with the private sector
  - Protect the nation's critical infrastructure for all levels of business
• Engage the individual home user
  - Established channels of communications for cyber security awareness and protection
• Create international alert system on cyber security threats & incidents

(Slide diagram: Identify Assets)

PSD Leadership Team
Director: Jim McDonnell
Deputy Director: John Weidner

Operations Directorate:
- Deputy for Operations: Alex DeAlvarez
- Planning and Mission Analysis: Mark Milicich
- Field Operations: Cornelius Tate
- Exercise Program: Mike Smith

Section Chiefs:
- Control Systems: Mike Lombard
- Physical Targets: Jon Maclaren
- Protective Measures: Dave DeAngelis
- Risk Analysis: Sam Speedie
- Vulnerability Identification: Bill Flynn