Washingtonpost.com: Live Online

Paul Kurtz is the Senior Director for National Security on the President's Critical Infrastructure Protection Board. He also serves as a staff member on the National Security Council (NSC). His responsibilities include working with U.S. government agencies and the private sector to develop, coordinate, and implement measures to protect critical computer and information systems. He also coordinates the U.S. government's international outreach efforts on information security.

Kurtz joined the NSC in December 1999 as Director for Transnational Threats, responsible for Counter Terrorism. Prior to joining the NSC, Paul served at the State Department specializing in weapons nonproliferation and strategic arms control. Paul has traveled extensively, including to Iraq and North Korea.

Submit Your Questions and Comments: Kurtz will be online at 1 p.m. EDT Thursday for a discussion moderated by washingtonpost.com reporter Cindy Webb.

Editor's Note: Washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions.

To read the most recent responses, click "Get New Text"
or select "Automatically Update Page."

Cynthia L. Webb: Welcome! Thanks everyone for joining us today to talk with Paul Kurtz, who is a White House cybersecurity expert. We already have a number of great questions that have been submitted. Thanks and please continue to keep your questions coming.

Cynthia L. Webb: Good afternoon, Paul. Thanks again for taking the time to talk with us today. Could you start out today by explaining what the President's Critical Infrastructure Protection Board does and what your responsibilities are within the organization?

Paul B. Kurtz: The President's Critical Infrastructure Protection Board (PCIPB), which was established on October 16, 2001 by President Bush, is responsible for coordinating information infrastructure assurance issues across Federal agencies. It works closely with Governor Ridge's offices and in partnership with the private sector through a variety of means, including the Critical Infrastructure Assurance Office (CIAO), the National Communications System (NCS), and the National Infrastructure Protection Center (NIPC). The Chairman of the Board is Richard Clarke, who also serves as Special Advisor to the President for Cyberspace Security. As senior director for national security, I work closely with several agencies to coordinating our international outreach strategy.

Alexandria, Va: Several administration deptartments that are responsible for warning the public and industry about cyber threats have taken heat for failing to coordinate threat alerts and disseminate them in a timely manner. What is the administration's plan to reorganize the various executive branch arms charged with sharing information on cyber threats into the homeland security department going to address this problem?

Paul B. Kurtz: The National Infrastructure Protection Center (NIPC) is responsible for cyber threat warning and notification. For example, last night they sent out an urgent notification on the Apache vulnerability. However, we are working to strengthen our coordination mechanisms, by linking the major government network operations centers with those in the private sector so we can share critical technical information on a more expeditious basis.

Los Angeles, CA: What type of educational background is required for the position you hold now, and do you have any suggestions for people starting out in the technology/security sector?

Paul B. Kurtz: We draw individuals from a variety of fields: national security, public policy, IT, IT security. Government agencies and the private sector are in need of individuals with solid IT Security credentials. We are trying to increase the number of IT security professionals available to the goverment through such programs as Cybercorps, a scholarship for government service program. More info is available on this pragram from OPM and NSF.

Arlington, Va: How is the administration's plan to reorganize agencies into the proposed Homeland Security Department affecting the board's work on its "national strategy" to protect the nation's critical infrastructures?

Paul B. Kurtz: We are continuing with our plan to develop a strategy for cyberspace security in concert with Governor Ridge's Office of Homeland Security. We will proceed with the strategy concurrent with efforts to establish the Department of Homeland Security. The cyber strategy should be released in September.

Cynthia L. Webb: Paul, we have a number of questions about what experience you need to be a "cybersecurity expert." How do you, and does your staff, stay atop the changing field of infromation security?

Paul B. Kurtz: We subcribe to several technical magazines, and follow the news as reported in major papers. We also receive briefings from the best in the field.

If you are considering this field, we strongly encourage you to looking into information assurance traning programs. More info on such program is available through such organizations as SANS (SANS.org).

Washington, DC: How do you see the board interacting with the proposed omeland Security Department, particularly with the potential consolidation (into one information infrastructure area) of the CIAO, FedCIRC, NIPC, NCS, and others?

Paul B. Kurtz: The Board, and the Cyberspace Security Advisor, will work closely with the new Department. While several members of the Board will be included in the new department as detailed under the proposed legislation, others will not. (Defense, State, Treasury,....) Therefore, the need for a mechanism to coordinate among key government agencies will continue.

Cynthia L. Webb: And can you describe the other components of the proposed department that would involve information security and cybersecuity?

Paul B. Kurtz: The proposed legislation brings in several organizations that are currently focused on cyber security, including the National Communications System (DOD), the National Infrastructure Protection Center's outreach program, GSA's FedCIRC, the National Institute of Standards and Technology's (NIST) Information Assurance Division, as well as a new program known as the National Infrastructure Simulation and Analysis Center. The net effect will be a force multiplier, a more efficient and robust operation.

Bethesda, MD: As a pre-requisite for cyberspace security, don't we need to get our government agencies on compatible, updated, reliable, and secure systems? And doesn't that require the type of inter-agency coordination that has been sorely lacking of late? Who will take the lead in the federal government to make that happen?

Paul B. Kurtz: The Office of Management and Budget is working to strengthen the security of Federal systems through such means as the Government Information Systems and Reform Act. Under GISRA, if an agency does not adequately budget for security, OMB will return the the budget request for modification.

Cynthia L. Webb: We are half-way through our discussion with Paul. Thanks for your insightful questions. We still have time to take new questions, so keep them coming.

Presque Isle, Maine: With such a decentralized structure, it is difficult to deal a death blow to the Internet itself. However, if the worst were to happen and most or all of the Internet were disabled, how much of a disaster would this be for our "other" critical infrastructure, i.e. - water, sewage, rail, etc.? Thanks.

Paul B. Kurtz: Defending the internet has challenged traditional thinking on defense. Now, the government cannot soley provide for the defense of the internet, we need the partnership and assistance of the private sector. We must work consistently with the private sector to identify and fix vulnerabilities that could cause significant damage to our information infrastructure.

DC Metro Area: Greetings. I know of people who are deeply involved with information technology matters (such as technology lawyers, security specialists, etc.) who have expressed interest in doing their part in the war on terror. Is your office expanding, and if so, are you looking to the private sector for expertise? I know of at least one highly qualified person who has received offers to join two federal agencies -- he remains interested in a NSC or Homeland Security position, but has been told that politics continues to play a major role in determining who fills those positions. What would you suggest for private sector people interested in answering the call to public service to help fight the good fight?

Paul B. Kurtz: We receive a large number of resumes from highly qualified people ready to join the White House to help with Homeland Security and Cyber security. We review each of these resumes. Currently, we are fully staffed on the PCIPB. I encourage those interested to investigate other government agencies for employment opportunities in this area. Every agency has a role.

Bethesda MD: Initially I was in favor of a Homeland Security Department, but the more I think of it, the more I wonder whether we're not just creating confusion. From the private sector, one can draw a parallel with major mergers and acquisitions -- in retrospect, they are frequently considered to be failures -- the whole being, actually, LESS than the sum of the parts. I wonder whether we wouldn't be better off simply combining the agencies with overlapping responsibilities and putting them under the department that made the most sense (for example, combine INS, Coast Guard, and Customs). In your case, one could combine the various IT infrastructure protection agencies and centers, without putting them under the auspicies of a behomoth new department. Your thoughts?

Paul B. Kurtz: Over a hundred government agencies are involved in Homeland Security issues. It becomes very difficult to coordinate among so many agencies. The new Department will consolidate a number of agencies, greatly reducing the number of organizations, increasing efficency. A good parallel is the National Security Council, the NSC works with a handfule of agencies to coordination our national seucrity policies. The President's reorganization plan will creat a similar structure for Homeland Security.

New York, NY: Does your board have any role to play in the inverse security issue of using the Internet infrastructure to spy on terrorist suspects in this country or overseas, or is that handled elsewhere?

Paul B. Kurtz: The Board's responsiblity is coordinating defensive measures. It does not have operational authority. Those institutions which are charged under law with intelligence related matters--CIA, NSA, and FBI--are responsible for the activities you describe.

Cynthia L. Webb: How has President Bush's recent proposal to form a Homeland Security Department changed your job? How will the Critical Infrastructure Protection Board be a part of the new entity?

Paul B. Kurtz: The Critical Infrastructure Board was established by the President as a means for the White House to coordinate overall critical information infrastructure protection activities. With the new Department, the Board and its Chairman, will continue to work with the Homeland Security Advisor at the White House to coordinate policies and programs.

Cynthia L. Webb: Paul, it seems part of the board's job is working with U.S. government agencies and the private sector to develop and implement measures to protect our nation's critical computer systems. Can you talk about how this mandate has evolved since the Sept. 11 terrorist attacks? And has the board become more involved with private industry?

Paul B. Kurtz: Cynthia, as you've said, the Board is responsible for coordinating policies across government agencies. But the Executive Order that established tha Board also calls for us to work in partnership with the private sector. We have reached out to the private sector in a variety of ways and we rely upon their input. For example, the private sector is preparing a large part of the national strategy to secure cyber space. As a case study, take for example the finance and banking industry. We believe they are in the best position to present what should be done for their industry. Other sectors are doing the same.

We are also traveling to metropolitan areas across the United States to interact with sharpen our strategy. So far Mr. Clarke and Mr Schmidt have visited Atlanta, Denver, Chicago, and Portland. More trips are planned for later this year.

Alexandria, VA: The Clinton Administration heeded the tech industry's requests to ease the export license process for "strong" encryption. Will the Bush Administration reverse the liberalization process as a way of trying to prevent terrorists/hackers from sending out strongly encrypted foreign e-mails? Could such a tightening of the rules make any difference in a world of easily available strong encryption software in other countries?

Paul B. Kurtz: The Bush administration is very concerned about terrorists using the internet to communicate and plan operations. We understand that they are using encryption as a means to protect their communications.

However, we also understand and support the need for the vast majority of the population to communicate securely regarding legitimate business transactions. There are no plans to reverse current encryption policies.

Alexandria, Va.: What is Mark Forman's role in protecting critical IT infrastructure? I'm somewhat confused about how his role differs from your team's role.

Paul B. Kurtz: We work very closely with Mr. Forman and his staff in the Office of Management and Budget. He is responsible for E-Gov initiatives and overseeing the security of computer systems operated by Federal civilian agencies. He serves as a member of the President's Critical Infrastructure Protection Board.

Cynthia L. Webb: We have time for Paul to answer one more question. Thanks to all of you who have participated today.

Pittsburg, CA: Mr. Kurtz, most security technologies today appear to be reactive in nature. What technologies are in place that proactively prevent network attacks, worms and viruses? In particular, to pre-emptively defend against the unknown?

Paul B. Kurtz: Well over 90 percent of attacks against systems could be prevented if individuals and system adminstrators would download and apply patches for existing vulnerabilities. The best defense is closely tracking notices of such vulnerabilities and working quickly to apply the appropriate patches.

We are also working with hardware and software vendors to encourage them to develop hardened, less vulnerable systems. Many firms are doing just that, understanding that releasing flawed or insecure systems will likely have negative effect on their "bottom line."

Cynthia L. Webb: Paul, this has been great. Thanks for covering so many issues in our chat today. We hope that you will join us again for a future discussion.

Paul B. Kurtz: Cynthia. Thank you very much and to all those who sent in questions today. It has been a pleasure.

Cynthia L. Webb: Unfortunately, our hour is up. Thanks to everyone who participated by asking questions. And Paul, thanks for taking the time to talk to us today. This has been a very informative discussion.

Cynthia L. Webb: Have a great day everyone! And thanks again for a great discussion.

| |



	<img SRC="washingtonpost.com/wp-srv/liveonline/redesign/adv_discusssion.htm" width=125 height=110 border=0>