INTERVIEW: John S. Tritak, FIDnet's defender

This past summer, two weeks after becoming director of the Critical Infrastructure Assurance Office, John S. Tritak was called before a congressional committee to respond to lawmakers' concerns that the Clinton administration would use the proposed Federal Information Detection Network to monitor private-network traffic.

Tritak told the lawmakers that would not be the case.

The incident illustrates the types of hurdles that Tritak said he faces almost daily as he formulates the administration's National Infrastructure Assurance Plan. Rumors about what the plan does or does not contain run rampant.

What the plan definitely will do is detail how the federal government and industry can work together to respond to threats to the nation's critical infrastructures: attacks on the country's electric grid or its financial markets, for example.

Before coming to work at the Commerce Department, Tritak practiced law at the Washington law firm of Verner, Liipfert, Bernhard, McPherson and Hand.

But CIAO is not his first foray into government service; he previously held senior adviser posts at the State Department.

Tritak has a bachelor's degree from State University of New York at Brockport, a master's in war studies from the University of London's King's College and a law degree from Georgetown University.

GCN staff writer Christopher J. Dorobek interviewed Tritak at his office in Washington.

GCN: Let's talk about the controversy surrounding the planned Federal Information Detection Network. The concept appears to be plagued by privacy concerns. Are those concerns warranted?

TRITAK: It is unfortunate that the FIDnet plan was leaked and then taken out of context. Certain inaccuracies were circulated, the first one being that somehow FIDnet was going to be some Big Brother system and wired into the private sector. That simply isn't the case.

FIDnet will be an intrusion detection system installed at various agencies for the purpose of detecting and warning other agencies of potentially malicious activities. In cases where sensors suggest potentially malicious activities, that data would be sent to a central analysis center at the General Services Administration for further analysis.

The purpose is to get a broad picture of what is going on with the civilian side of government, or non-Defense Department systems. Sometimes anomalous behavior is anomalous because the agency has not seen it. But a central center could determine whether the behavior is something to worry about. Alternatively, something may be anomalous and some other things may be going on at the same time that suggest a problem.

If activity rose to a level that suggested a potential criminal activity, GSA would send the data along to the National Infrastructure Protection Center's Analysis and Warning Center. The center, however, is still not a law enforcement agency.

GCN: But NIPC is part of the FBI, isn't it?

TRITAK: It is associated with the FBI, but it is not a law enforcer. It is an interagency center housed at the FBI. The point is that even for data to get to NIPC, it will already have gone through a filter at GSA, where people who are appropriately skilled would be looking at this stuff.

Today, irrespective of FIDnet, an agency that gets an alarm from a detection network can send that information to a law enforcement agency. In fact, agencies are obligated by law to do that.

So FIDnet does not confer any additional legal authority on the federal government than already exists. It will have to comply with all the privacy rules and laws.

GCN: What is FIDnet's relationship with the private sector?

TRITAK: This is where things really got confused. NIPC currently develops alerts about questionable activities. What the government has offered is that if private-sector organizations participate in the planned information sharing and analysis centers, NIPC would make the reports available to them. That is different from saying they are part of the ongoing monitoring by the network. They are not.

GCN: Are privacy groups involved in FIDnet's development?

TRITAK: There is an effort under way to begin to engage the privacy groups in the broader national plan, which would include FIDnet.

The government, however, also has privacy issues. The American public expects the government to protect certain information. Some of that information is about individuals, and the fact is that there are a lot of intrusion attempts.

It's not a trade-off between privacy and no privacy. It's a trade-off between staying consistent with privacy requirements but recognizing new obligations and responsibilities that flow from the realities of the information age. But at no time are we talking about undercutting privacy or undercutting civil liberties.

GCN: Can you explain the role of the Critical Infrastructure Assurance Office?

TRITAK: Our job is to implement Presidential Decision Directive 63. PDD 63 is about addressing the threats to the nation's critical infrastructures, both cyber- and physical threats. There is particular emphasis on the interdependencies that have developed as a result of the information age, interdependencies that have changed the nature of the threats.

PDD 63 has created a unique security challenge, a challenge the government cannot overcome alone. It is unique when you compare it to all other national security challenges, wherein the government has had the ability to direct the resources to address the threats, basically by building more bombers and building more missiles.

Here, you have a national security concern, but the government cannot directly control how the threatened infrastructures are protected because 95 percent of them are privately owned.

To craft the kind of requirements that will actually result in the robust protection of critical infrastructures requires the work of two cultures: a government culture and a private-sector culture. We're finding that one of the biggest hurdles we have to overcome is raising the level of awareness of what this new challenge means and persuading industry that this effort is in their business interest.

Following on that is the notion that if we are calling upon the owners of infrastructures to take prudent measures to deal with the potential negative implications, the government needs to serve as a model. So many of the initiatives in the national plan will demonstrate the degree of seriousness the government is putting into this effort.

GCN: So what role does CIAO play in all this?

TRITAK: We are essentially a policy coordinating organization. We assist other federal agencies in pulling together their plans and integrating them into the national plan. We are also assisting in an analysis of the government's own dependencies on the nation's critical infrastructures.

GCN: One problem has been that companies are concerned about giving information to the government for fear of it becoming public knowledge.

TRITAK: That has been a concern, so we see this developing in different stages.

The first level is just encouraging industry organizations to come together voluntarily to share information among themselves. The view is that by sharing this information, the level of protection goes up.

At the second level, the government has said that if information sharing and analysis centers are formed, the government will provide information that may be of value in helping the private-sector organizations get a clearer picture of what their business environment looks like. That will help with risk management plans.

The final level would be the sharing of information between industry and government. The federal government, with its broader view, might be able to make better sense of what is going on and improve security overall.

GCN: There are still many agency executives who do not understand the importance of security, and they don't fully understand why they have to spend a large amount of money on it.

TRITAK: That's why we're putting together the plan under PDD 63. The initial six-month time frame for putting together the plan was probably overly optimistic.

There was consensus about what needed to be done. But the plan required getting a consensus across 22 agencies that have different levels of experience with these issues. And let's face it: Security is always something that is difficult to fund over and above the agencies' primary missions.

When you have a tight budget and you need to fund those programs that are essential to the primary mission, there is always a conflict. To some extent, the conflict is similar to the ones faced by the private sector.

WHAT'S MORE

• Age: 39
• Family: Wife, Kathie; daughter, Georgia
• Pets: Dog, Reilly
• Last book read: Ender's Shadow by Orson Scott Card