TMCnet News

DHS: Remarks by Secretary Michael Chertoff at the Cyber Strategic Inquiry 2008
[December 29, 2008]

DHS: Remarks by Secretary Michael Chertoff at the Cyber Strategic Inquiry 2008


Dec 29, 2008 (DEPARTMENT OF HOMELAND SECURITY DOCUMENTS AND PUBLICATIONS/ContentWorks via COMTEX) --

Washington, D.C. Ronald Reagan Building and International Trade Center Cyber Strategic Inquiry 2008
Secretary Chertoff: General Boyd, thank you. You've done a magnificent job with this organization, which has been a real leader in promoting national security in the private sector. And I appreciate the opportunityto talk to you all here, and I'd like to express my gratitude to you all for attending because I think it's indicative of how seriously you all take this issue of cybersecurity.



One of the challenges with cybersecurity is that it is not by any means exclusively a federal or even a governmental responsibility. It is a shared responsibility. It's a responsibility which is held by the private sector, by people whorun critical infrastructure and manage our key resources. And as a consequence, the model for dealing with cybersecurity is to my view very different than the command and control way in which we deal with other kinds of security issues in the realworld.

So what I'd like to do is talk to you a little bit today about what we are doing both at the Department of Homeland Security and across the federal government as part of a new national cybersecurity initiative which was mandated by the president earlythis year. And I'd like to begin by talking about the fact that, quite remarkably, the president has had personal involvement in launching this initiative. He was briefed late last year about some of what was going on in the area ofcybersecurity threats and what we thought we could do in forging a partnership at the federal level between the national intelligence community, the defense community, and the homeland security community.


Many of you know that historically, there was a kind of a radical division between what went on in the intelligence world and the civilian world, and a reluctance on the part of the intelligence world and the national defense world to get too involvedin the civilian space for fear that it might trigger judicial requirements or other kinds of liability or legal obligations that would ultimately impede the ability of the national security elements to do their job.

But when we spoke to the president, we came at it with the spirit that we thought that we had a lot more we could do in partnership in a way that wouldn't compromise the security and the confidentiality of what's done in the national security world,but would allow us to leverage that capability in order to make the civilian domain much, much safer than it is both at a government level and at a private level. And the president immediately understood the importance of this, and has beenpersonally engaged in driving forward on this strategy. Even in the last week, we've had extensive briefing with him because he's very, very concerned about making sure this vulnerability is adequately reduced and protected in the same way thathe's been obviously concerned about making sure that he maintains our security in the physical world against the kinds of attacks that we've seen most recently in Mumbai.

Now, of course cyber threats, although they're different -- they don't necessarily come accompanied with explosions and dramatic fireworks -- we all know the damage that can ensue from a cyber attack can be comparable in scope to that of a devastatingphysical attack with respect to, potentially, loss of life and certainly economic impact. And we know that the challenges to our cybersecurity have grown in the last few years. In the last couple of years, we've seen Estonia the subject of avery significant attack by people who were sympathetic to what they saw as the Russian side of a dispute between Russia and Estonia. And when Georgia came into armed conflict with Russia, it was preceded by a cyber attack by people who, shall wesay, were sympathetic to the Russian side of that dispute. And you might say that the cyber attack was part of preparing the battlefield. I think increasingly we will see that accompanying traditional physical security threats in the nationalsecurity arena, there will be cybersecurity softening or follow-on designed to degrade command and control.

But the cybersecurity threat isn't only one that occurs at the level of traditional nation states and traditional conflicts. It occurs with respect to terrorism, where we know that a cyber terrorist attack could have a potentially very, veryserious impact on the safety and well-being of our citizens. And even common criminals have done an enormous amount of damage using the cyber system to exploit our vulnerabilities in order to make money.

Earlier this summer, I announced that the Secret Service had successfully concluded probably the largest investigation and prosecution of identity theft conducted with information captured over the internet in American history. The group thatwas brought down by this Secret Service-led investigation stole 40 million credit card numbers from retail companies by tapping into their wireless systems and essentially capturing the numbers, which could then be used in order to simply stealmoney. So it's indicative of the fact that the cyber threat is not only for those who want to attack us from a national security or terrorism standpoint, but also those who merely want to do what Willie Sutton did when he robbed banks, which is gowhere the money is.

So as we look at this threat, which is clearly only intensifying over time, the question has to arise: What is our systematic strategy for dealing with reducing, if not eliminating cybersecurity problems? And I'd begin by definingthe problem as falling into three categories.

First is the danger that someone is going to steal information from us, whether it's financial information, whether it's credit card numbers, whether it's information about what our diplomatic or business plans are, or of course, if you can penetrateinto classified networks, you can get very, very sensitive kinds of military information.

But there are two other kinds of cyber threats we have to be concerned about. One is the possibility of a threat that would degrade or destroy our ability to actually engage in activities over the internet, attacks that are denial of servicefocused, that flood a system or bring a system down. And if you imagine this kind of attack occurring with respect to our air traffic system or any other complex system that is managed through the internet, you understand the potential consequenceswe could face if that were successful.

And then the third kind of problem, which is a little similar to denial of service, is corruption of the process -- not an attack that necessarily destroys a system, but that simply corrupts it or changes it in a way that makes it unusable andundermines confidence and trust. And here, although it hasn't happened, to my knowledge, imagine a circumstance where a terrorist attacked our financial system and simply altered the data in a way that left people with a lack of confidence thatthey could get accurate information or access to their assets. We've seen what a crisis of confidence can do in our financial system over the last six months, and that was essentially an accounting problem and a problem with derivatives. Imagine if the actual information flow that is the underpinning of a financial system were to become compromised and drawn into question.

So when you consider these three major threat vectors, you understand how critical it is that we take a systematic and strategic approach to dealing with the issue of cyber threats.

Now, the way we've approached it sitting down with our partners in the federal government is to focus our cyber initiative, from a strategic standpoint, on three main pillars.

The first is establishing front lines of defense, which basically means reducing our current vulnerabilities and preventing intrusions. That's essentially parameter defense of the border, so to speak.

The second is recognizing that while the most publicized threats to our cyber networks are people hacking in over the internet, those are not the only threats. And we have to defend against the full spectrum of threats by having a serious lookat our counterintelligence approach -- in other words, how do we make sure that people aren't compromising our system from within -- and also by looking at the security of the supply chain because some of the threats that we're experiencing to theinternet don't come by people coming in over the network. They come by people corrupting the hardware and software that is of course that architecture through which the internet operates.

To give you an example, a couple months ago there was a story in the Wall Street Journal about financial information that was being exported from ATMs in Europe to locations in South Asia. This was not an example of people hacking in over theinternet to get into the system. It was a device that was placed in the chips that was actually put into the hardware of the ATM systems that acted like a beacon, and when it was turned on, periodically, let's say once a day, it sent informationback to its home port over the internet. But it had been placed in the hardware before it was installed. So the compromise of the supply chain becomes every bit as important as a potential threat as someone simply coming in over theinternet itself.

So having laid out these three pillars, let me give you a little bit of a sense of how we actually see the strategy moving forward in each of the pillars I've described.

First, how do we establish front lines of defense? Well, from the standpoint of the civilian domains in the government -- because the military domains take care of themselves; that's a separate responsibility -- we have to recognize thevulnerability that exists when you have multiple federal agencies with literally thousands of connections to the internet, varying degrees of capability in terms of watching and warning in their agency operations centers, and a lot of ways in whichsomeone might intrude into the network, the civilian network, through the weakest link, and then once inside, can move around and essentially attack from within.

It becomes clear when you think of that architectural problem that the right answer with respect to beginning to protect our government domains is to reduce the number of external points of access to the networks so we can patrol a limited number muchmore effectively, upgrading our U.S. capability so that we go from the ability to do forensics after an attack and determine that we had an attack and take remedial measures to a real-time capability to detect in order to warn in real-time, andultimately to the ability to detect and block in real-time, which is the ability essentially to shoot down the enemy before the enemy reaches its target.

As you consider what we face in the civilian domain, you realize that only if we take these steps can we begin to move out of our current system, where we are hostages to the weakest link in the network, into a system where we have a high confidencelevel that we can monitor what comes into federal domains and make sure we can stop a problem before it actually comes to fruition.

A big part of this is what we're currently doing with our system called Einstein. Einstein in its current form is what I describe as "CSI Miami in the internet." The crime has been committed. The intrusion has occurred. Webecome aware of it either because the victim becomes aware or because we've seen an anomaly after the fact. And we come in and we look to see what we can learn about what happened and how we can remediate.

That's not the best way to deal with this. So we've gone to Einstein 2.0, which we are currently deploying at the Department of Homeland Security and look to be deploying in other places around the government in short order. What this doesis it detects in real-time, and it detects in real-time using certain capabilities to look at either the characteristics of the flow or some of what might be in the packets in order to see malicious code as it's coming into the network. Of course,that is the ability to give immediate warning. It's like putting radar up so we can tell someone, "Something's coming your way. You'd better take a look at it."

And what we're currently experimenting with and looking to deploy at least in test mode is Einstein 3.0. That equips the radar essentially with an anti-missile or an anti-malware defense that actually would enable us to stop it, which of courseis the desired end state if we're going to get the real level of control that we want.

Now let me move to the second pillar, which is defending against full-spectrum threats. I've alluded to the fact that many of the threats we face to our cyber systems come from within and require what I would call a counterintelligenceapproach. In other words, we have to teach the civilian agencies to be mindful about the security of the people inside their own agencies who have access to the internet.

Some of this involves, obviously, traditional counterintelligence, making sure people are properly cleared, and if they have access to sensitive networks, that we're checking to make sure they're not getting compromised. But some of it isbuilding an internal architecture that does things like make sure that people only have access to elements of the system that they should be entitled to have access to, or having audit trails, or having rules, and enforceable rules, with respect to thekinds of outside devices you can bring into the system and put into the system. Because only if agencies take that seriously can we prevent people from literally walking in the front door and stealing what we're trying to lock down as weprotect the system on the back door.

And likewise, on the global supply chain. In a world in which we increasingly see the ingredients of our software and our hardware generated from all over the globe, including in countries which are not necessarily synchronized with us in termsof world view, if I can put it that way, we've got to have a capability to determine whether the software and the hardware we are using in sensitive systems poses a threat. And that's going to be something which I know the private sector's workingon and we need to be able to encourage both in terms of standard-setting and research and perhaps, even to some degree within our own domain, mandates.

Finally, the third pillar is shaping the future environment, which involves helping to foster increased education and training in this field of security, which I think we need to build a cadre of smart young people who get into this field. Itmeans research and development, particularly for that kind of technology that would give us a leap ahead in terms of achieving the kinds of results I've talked about. And maybe, most important, and this is what I want to spend the balance of myremarks on, cooperation with the private sector, because I come back to that initial point of recognizing that we don't own most of the assets and we don't employ most of the people who are in the network. And therefore, we're going to have to workwith others in order to make this happen.

I want to begin by saying that I'm very sensitive to the fact that the culture of the internet, as well as the actual architecture, is one which does not lend itself to government regulation and mandates. I think it would be a very dangerousroad to go down to have a lot of effort to have the government lay a heavy hand on the internet. There are countries in the world that do that, and they do it for nefarious purposes.

I think our model here has to be different. It has to be a model where we invite cooperation. We facilitate cooperation. We are willing to provide capability to those who want us to provide that capability. But we don't makeyou do it. And if someone doesn't want to have the government involved and they want to live outside of any kind of government assistance or cooperation, I don't know that we would necessarily be wise to try to make them do it. Now, we mighthave certain requirements about people who deal with us and people who contract with us. But I think the sensitivity to the civil liberties point is most acute when you get into any question of how you deal with the internet.

So what are we doing? Well, the first thing we're doing is we're working with the private sector using some traditional pathways that we have already established, and are well-established, for dealing with infrastructure protection across theboard. As you know, we have sector coordinating councils and government coordinating councils, including in the area of IT and communications, but also financial services, power generation, a whole host of areas, nuclear power plants, where we havetraditional, accepted, and lawfully ratified ways to communicate with each other about things like best practices, establishing information flow, and a common operational picture about threats, capabilities that allow us to leverage private investments,and work with the private sector when there is a problem, whether it's a physical problem or a virtual problem, to help them solve that.

Using these existing pathways which are well recognized in the law and our national infrastructure protection plan, DHS is using, is employing the Cyber Initiative, we're executing the Cyber Initiative through the very same mechanisms, theseCoordinating Councils. We are using the Coordinating Councils to discuss and come to consensus on policy issues and we're using our information-sharing and analysis centers to share information from an operational standpoint when we haveevents going on that require sharing.

DHS, in collaboration with a number of our partners, have established a cross-sector Cybersecurity Working Group. This group meets monthly and includes industry and government representatives from all of our 18 critical infrastructure and keyresource sectors. The idea here is to exchange information on vulnerabilities and strategies for mitigation, have briefings in both directions about what we are seeing and what we're concerned about, and also to participate in specificprojects, including projects to develop metrics, to see how we're doing in cybersecurity, an incentive study and some other pilots about information-sharing.

In particular, we're focused on chemical, IT and banking and finance sectors because we know those are sectors where there's a particular concern about the collateral consequences of a cyber attack.

Additionally, besides this process of using the Coordinating Councils, we have required from each of the sectors a comprehensive risk assessment under the National Infrastructure Protection Plan. What this will allow us to do is identify andassess our risks with a particular attention to the needs of each of these sectors of the economy which are very, very different.

The information technology sector has developed an IT Sector Risk Assessment Methodology which assesses risk to functions of the sector as a whole and they've nearly completed a baseline risk assessment which will help us more precisely targeton a tactical level our protective programs and our R&D.

We have a whole host of other working groups that are designed to make sure we are identifying vulnerabilities, we are focusing on areas where we might supply research and development if industry doesn't have the business case to do it on itsown, and at a classified level, we are working with the IT sector to have a Threat Intelligence Coordination Working Group that allows us to use classified, SVTC and conference calls to exchange information about what we are seeing.

Obviously, this is a work in progress, but it is one which builds upon a shared relationship of trust and experience which we have seen work in the physical realm and one of the reasons we have to work across the entire domain of our relationshipswith the private sector is because the needs of each sector differ in terms of what their concerns are from a cybersecurity standpoint.

The financial sector, for example, may be very concerned about the integrity of its data. They happen to be quite well advanced in terms of their own cybersecurity and so they may be very focused on issues, for example, on supply chain or how toprotect against network intrusions, but other sectors may be actually concerned about physical vulnerabilities to their servers or to their IT systems and so they may want to integrate cybersecurity with physical security.

One of the reasons I think it's so important to keep the Cyber Initiative within the same framework as our physical initiatives is because, quite frankly, I don't see the radical division between the two. I think the two are deeplyintegrated at every level and the tendency to stovepipe which is something we have fought traditionally certainly over the last eight years in dealing with threats, the danger of stovepiping is particularly acute if we have the people who are focused oncyber divorced from the people who are focused on physical security. More often than not, the two are going to go hand in hand.

Finally, let me say again I think it's going to be important as we move along in this process to continue to talk publicly about what we're doing to protect privacy. I know in terms of what we deploy in the government domain we arevery sensitive to making sure that our presence is consistent with all the requirements of the privacy laws and, of course, the Constitution.

As we engage with the private sector, we need to make sure that our enthusiasm for getting into that space does not put us in the position where we suddenly appear to be uninvited guests and that's why I'm really emphatic about the need tonot make this a mandatory system but rather a system where we create opportunities for people.

I actually think most people in the private sector will take those opportunities and will accept our invitation, but I also know if we try to make it something that we push on to people, the backlash we are going to see will dwarf some of thecontroversies that we've seen with respect to what we've done in the communications field over the last eight years. So here's an area where my own view is careful movement and attentiveness to sensitivities is very, veryimportant as we build and implement our strategy.

Let me conclude by saying we know we're entering a transition. I'm sure this is going to be a major area of focus of the new Administration and we obviously want to work with them to help them get the benefit of what we've doneand whatever advice they seek from us.

I do think that we have a partnership in place now with the Department of Defense and the intelligence community which is beginning to work very well in terms of how we manage cyber threats. It is what I would call a federated system. Forthose of you who work in the world of the Internet, the idea of a federated system and shared space makes a lot of sense. The culture of the Internet is a network culture. It is a culture of not command and control but collaboration andcooperation and the way we have set up the architecture of our current system with DoD maintaining its distinct responsibilities, the intelligence community maintaining its responsibilities and DHS and DOJ doing its piece in the civilian space, I thinkthat works well. I think it preserves existing authorities which have been separated over time, frankly, to protect our civil liberties and yet it allows us to exchange and work in a cooperative way that gets us the benefit of what DoD and theintelligence community does and yet does not make them responsible for what we do in the civilian space.

I emphasize this because sometimes there's an urge -- I get asked, well, who -- shouldn't there be one person in charge? Shouldn't there be one agency in charge of everything? And I must tell you that having been part ofdebates about national security not only over the last eight years but over the last 20 years, going back to when I was a U.S. Attorney, I think you ought to think -- people ought to think very carefully before they do that.

A system where one agency sits over everything, military and civilian, is not usually one that has been regarded favorably by the American people and it is one that is fraught with peril by putting all your eggs in one basket. So I certainlywill urge those who are looking at what we are doing now to take a careful look and see how it works before suggesting major surgery.

This strategy has been a long time coming. It's been a long time coming because the Internet has been the hardest issue philosophically to grapple with from the security standpoint precisely because it is so widely distributed and itsculture is so antithetical to the traditional mandatory command and control way in which we deal with security issues, but the fact that it's a hard problem doesn't mean it's a problem we ought to avoid and that's why I'mpleased that the president mandated that we step up and get this job underway and I think we've done an awful lot in a relatively short period of time as, you know, government work goes and while there's much more to be done, I thinkwe've teed up so the next Administration has some momentum and I will encourage them in any way I can to continue to move it forward.

Thank you very much.
Secretary Chertoff: Yeah. I'd be willing to take a few questions, if you'd just tell me who you are.

Question: Chris Kelly from BoozAllen. Thanks for your remarks, Mr. Secretary. Today and yesterday, we saw the exercise of some of the partnerships that you talked about. Working together, working onproblems and things like that.

One of the things we did see, though, was the potential gap in the engagement with the American public. Could you talk a little bit about your views about, you know, where you think the engagement with the American public needs to be and how thedepartment fits in with that?

Secretary Chertoff: Well, I think you're absolutely right. We need to get the American public engaged in this, partly because, of course, they will have to decide themselves how much they want to participate inthis.

We have tried to talk about this a lot and I've done a lot of getting out on the road and talking about it, although I have to confess probably largely to industry groups or people who come to this process with a pre-existing interest, and partof what I confess I'm a little concerned about is we do find that a lot of this information is classified and it's hard to talk about. I think we need to take a hard look at whether we can declassify more of what we're talkingabout.

I am very acutely aware of the need to protect sources and methods, but I also think sometimes we become so overprotective that we don't recognize there's a cost involved in being too obscure because if we're too obscure, we appearto be mysterious and I think mystery is actually the opposite of what we need to do.

So I'd like to suggest one of the things that we do as we go forward is take a hard look at whether we can't talk more about what it is we're doing openly and also in a way that's more clearly explicable to the American publicand this is an area where the private sector, working through your network, can do an awful lot in order to carry that message forward because in the end, you know, -- and I've been through countless security measures where, you know, someone windsup mischaracterizing what happens and then we're behind the eight ball because we're explaining that we're really not big brother and a classic example before my time was a search engine, I think it was called Carnivore, which the FBIcame up with, and I think it made like a lot of sense, but the word "carnivore" was the absolute wrong thing to have in that program.

So getting out there ahead of the misinformation is going to be critical in terms of making this thing work.

Question: Just along in the same vein, one of the things we noticed yesterday and today participating in this game is there doesn't seem to be kind of a strategic communications crisis plan for a cyber attack or a cybercrisis.

Does the government have one of those, and what would you do today if you went back to your office and all of a sudden everything was falling apart?

Secretary Chertoff: Well, I think you're quite right. We need to have a plan tailored for a cyber crisis. Now, we do have crisis communications plans for the whole range of crises and obviously we would deploythat immediately.

The key would be to be able to tailor it specifically to the cyber environment and that would require us to do a couple things. We have to, first of all, have a clear awareness of exactly what the dimension of the threat was and therefore whatpeople needed to worry about and that's why developing that plan is critically dependent on having at a minimum a real-time intrusion detection and characterization capability, so you can talk intelligently about what it is, and we also need tofigure out again, and this goes back to the earlier point, how much we can talk about this without getting into an area that's classified.

So I think the short answer is we would probably take the existing plans and adapt them and some of the basic principles, I think, are applicable no matter what you do, which is have authoritative people speaking about something, have regularbriefings, make it simple and be able to explain it in terms that are meaningful to the American people. I do think that we have work to do in figuring out how to tailor something specific for cybersecurity in the same way that we've done itfor natural disasters or terrorist attacks or things of that sort.

Question: Thank you. Frank Plant at the University of Pennsylvania. Can you take what you've said today and think a little bit broadly, globally? How -- the Internet is part of the global commons now, andwhat are the special challenges of cooperation you face globally, and who are going to be our partners in engineering a security regime, a cybersecurity regime that's global and not just domestic?

Secretary Chertoff: Well, that's a great question. We -- I want to answer it at two levels.
One is that we traditionally dealt with this in a law enforcement way. You know, we discovered that -- when I was at the Criminal Division, one of my sections, one of my units was the Computer Crime Section and so we had to work with othercountries when there were cyber attacks to see that they took steps against the people who were perpetrating the attacks elsewhere.

Now, of course, there's always the characterization issue. You have to know where the attack's coming from and, as you know, with botnets and other kinds of tools, it's possible to very effectively mask where things are comingfrom, but even if we know what that is, we need to get the other country to agree and have the capability to take legal steps and that's been challenging.

I know there's a UN convention on this that we tried to sign up people to and we had, if I recall correctly, kind of a network of 24/7 watch and warning standards that would allow us to work around the world.

But there's a larger issue looming out there which is a doctrinal issue, which is what do we do if we actually have not just criminals attacking but we actually have terrorists or a nation state attacking us? Is this an act of war? And what does that mean in terms of our doctrine to how we respond to an attack?

We know that if someone flies -- you know, shoots missiles at us, they're going to get a certain kind of response. What happens if it comes over the Internet, if it's a terrorist group, if it's a terrorist group sitting in asafe haven, if it's a nation state enabling the terrorist group, if it's a nation state itself, and what is the level of proof we're going to need, and what are the steps we're going to take to respond? That is the kind ofdoctrinal strategy that we haven't put together yet.

One of the things that has been talked about in the Comprehensive Cybersecurity Strategy is to sit down and put together some deep thought about the doctrine with respect to cyber attacks in the same way that we developed doctrine 50 years ago when wewere entering the nuclear age and we had to suddenly conceive of a new way of thinking of attacks.

This opens up interesting legal questions in the international domain about what the responsibility of a country is to make sure it doesn't become a launching paid for cyber attacks against another country. Do we have to move beyondvoluntary cajoling people to join a convention into something a little bit more coercive from the international community?

So I think that because we're entering a world which in some ways parallels the physical world but in many ways is different, we just haven't done the thinking and partly, you know, honestly, it's because it's hard because whenyou start to think about how do I deal with the cyber attack from another country, what do I have to prove, what do I have to show, who do I have to prove it to, what am I prepared to do, it gets pretty uncomfortable, and my take-away from eight years ofdoing this stuff or more is the fact that a problem is hard doesn't mean it shouldn't be addressed, it just means we have to kind of bear down and address it with more energy and maybe more speed than we've done up to now.

So that's my -- it may be long-winded. That's my view of what we need to do, taking note of the global character of the challenge that we face over the Internet.

Moderator: We have time for one more, just one more.
Question: Hi. Craig Piper with the Washington Internet Daily. I was wondering if you had maybe an estimate of when Einstein 3.0 might go live. I know you're just implementing Einstein2.0. And also how you think the organization may change going forward in the next Administration, especially the role of the Assistant Secretary for Cybersecurity and Communications and some of the other groups.

Secretary Chertoff: Well, in terms of the -- what was the first question? I got the second one.
Oh, you know, we're going to begin a live exercise of Einstein 3.0, I think, within the next six months, probably sooner rather than later.

I can't speak organizationally for what the next Secretary's going to do or the next Administration's going to do.

As I said, my belief is that, although -- and I know Congressman Langevin is here. I know that the CIS Report suggests that some kind of White House oversight -- I think there's value to that. By the way, we have that now, I shouldmake it clear. The White House has played a policy-make role.

I would be hesitant to see a White House get into operational activity over the Internet. My own view is that's, for a variety of reasons, some of them legal, some of them historical, that might not be prudent, but I'm going to leavethe decision, as I have to, to the next people and if they ask for my advice, you know, they have my phone number once I leave and other than that, I will continue to urge that whatever the precise way in which the boxes are arrayed, that this get thekind of high-level attention that the president has put into it in this Administration and that my senior-level counterparts have put into it in this Administration, and I have every reason to believe that the next Administration will continue to give itthat intense level of focus.

Moderator: Thank you, Mr. Secretary.
Secretary Chertoff: Thank you very much.
###

[ Back To TMCnet.com's Homepage ]