Critical Information Infrastructure Protection and the Law: An Overview of Key Issues

1 INTRODUCTION AND CONTEXT

The information infrastructure is the combination of computer and communications systems that serve as the underlying infrastructure for organizations, industries, and the economy.[1] All critical infrastructures (e.g., transportation and electric power) are increasingly dependent on telecommunications—the public telephone network, the Internet, and terrestrial and satellite wireless networks—and associated computing assets for a variety of information management, communications, and control functions.[2] Private industry and other organizations, in turn, depend directly on their own information infrastructures and on various critical infrastructures. This dependence has a national security component, since information infrastructure undergirds and enables both economic vitality and military and civilian government operations. In particular, the government and military information infrastructures depend on commercial telecommunications providers for everything from logistics and transport to personnel and travel functions.[3] The importance of the telephone system during crises was recognized 40 years ago, when President Kennedy established the National Communications System (NCS) to provide better communications support to critical government functions during emergencies.[4] That provided an important basis for an expanding set of activities associated with national security and emergency preparedness (NS/EP) communications. The rise of the Internet has introduced new elements—systems, applications, and players—into the conceptualization of critical information infrastructure and policy options for its protection.

Issues in the protection of critical information infrastructure were the focus of an October 2001 symposium and subsequent discussions by the Committee on Critical Information Infrastructure Protection and the Law, which form the basis of this report. Twenty-four speakers presented topics ranging from information sharing to legal issues (see Appendix B for the agenda and speakers). The quotations (and attributed ideas) from participants in the symposium that are included in this report illustrate the wide range of perspectives and concerns that complicate policy making when it comes to critical information infrastructure protection (CIIP).

RISE OF CIP AS A POLICY ISSUE

The President’s Commission on Critical Infrastructure Protection (PCCIP) was created in 1996 to assess the physical and cyberthreats to the nation’s critical infrastructures and to develop a strategy to protect them.[5] Certain infrastructures—telecommunications, electric power, gas and oil storage and transportation, banking and finance, transportation, water supply, emergency services, and government services—were deemed so critical that their “incapacity or destruction would have a debilitating impact on the defense and economic security”[6] of the United States. Box 1.1 provides an overview of the key critical infrastructure protection (CIP) activities over the past several years.

BOX 1.1 Brief History of the Nation’s Critical Infrastructure Protection Activities

Pre-PCCIP

After communications problems between critical entities threatened to heighten the Cuban missile crisis, President Kennedy appointed a commission to investigate underlying problems and recommend a solution. The commission recommended a unified emergency communications capability, and President Kennedy formally established the National Communications System (NCS) by a presidential memorandum on August 21, 1963. NCS is an interagency organization whose mission is to ensure reliability and availability of national security and emergency preparedness communications. President Reagan and President Bush broadened the NCS’s national security and emergency preparedness (NS/EP) capabilities with Executive Order 12472 in 1984 and Executive Order 13231 in 2001.[B1] After recognizing that the private sector needed to be included in infrastructure protection efforts, President Reagan created the National Security Telecommunications Advisory Committee (NSTAC)[B2] by Executive Order 12382 in September 1982. Composed of up to 30 industry chief executives, NSTAC provides industry-based expertise to the President on issues related to implementing NS/EP communications policy. The National Coordinating Center (NCC) was established in 1984 as a result of an NSTAC recommendation to develop a joint government-industry national information-sharing mechanism for NS/EP communications. In January 2000, NSTAC expanded NCC’s responsibilities to include functioning as the Information Sharing and Analysis Center (ISAC) for the telecommunications sector.

Following the Morris Internet worm incident in November 1988, the federally funded CERT Coordination Center (CERT/CC)[B3] was established at the Software Engineering Institute (SEI) at Carnegie Mellon University to coordinate communication among experts during security emergencies and to help prevent future incidents. CERT/CC’s role has expanded to include handling computer security incidents and vulnerabilities, publishing security alerts, researching long-term changes in networked systems, and developing and publishing security practices to ensure the survivability of networked systems. Other focused CERTs have been established too.

President’s Commission on Critical Infrastructure Protection

In the wake of the Oklahoma City bombing in 1995, President Clinton established the President’s Commission on Critical Infrastructure Protection (PCCIP)[B4] in July 1996 by Presidential Executive Order 13010. PCCIP was the first comprehensive effort to address the vulnerabilities of national critical infrastructures. Divided into five sectors (Information and Communications; Physical Distribution; Energy; Banking and Finance; and Vital Human Services) to evaluate risks, threats, and vulnerabilities, the PCCIP formulated a national strategy for protecting critical infrastructures from physical and cyber threats. In its 1997 report Critical Foundations: Protecting America’s Infrastructures, PCCIP recommended several components to protect critical infrastructures: a top-level policy-making office in the White House, councils composed of industry executives and government leaders at all levels, education and awareness programs and federal research and development programs, industry information clearinghouses, public-private partnerships, a real-time attack warning capability, and a streamlining of the legal tenets that address infrastructure issues, updated to keep pace with technology advances. After submitting its report, the PCCIP was dissolved.

Presidential Decision Directive 63

Presidential Decision Directive 63 (PDD-63),[B5] issued by President Clinton on May 22, 1998, created a national structure to accomplish the goals laid out in the PCCIP’s report. PDD-63 created the office of national coordinator at the National Security Council to serve as the top-level office in the White House to guide policy for federal agencies and advise nongovernmental entities on protective measures for the nation’s information infrastructure. The Critical Infrastructure Assurance Office (CIAO)[B6] was formed at the Department of Commerce to provide support to the national coordinator’s work with government agencies and the private sector in developing a national plan. CIAO serves a number of functions, including coordinating a national education and awareness program, administering legislative and public affairs, and assisting in developing long-term research. Project Matrix, a CIAO program, was designed to identify and characterize the assets and associated infrastructure dependencies and interdependencies among and between federal agencies and the private sector. To facilitate real-time warnings, PDD-63 established the National Infrastructure Protection Center (NIPC), an interagency unit at the FBI, to serve as the U.S. government’s focal point for threat assessment, warning, investigation, and response for threats or attacks against critical infrastructures.

NIPC created the InfraGard initiative to facilitate the sharing of information on cyber intrusions, exploited vulnerabilities, and infrastructure threats with private sector infrastructure owners and operators.[B7] Members have access to an Alert Network and a secure Web site to voluntarily report intrusions, disruptions, and vulnerabilities of information systems. The Federal Computer Incident Response Center (FedCIRC),[B8] the federal civilian agencies’ focal point for computer security incident reporting, provides assistance with incident prevention and response. The National Plan for Information Systems Protection Version 1.0,[B9] released in January 2000 by President Bill Clinton and Richard Clarke (then the National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism), focused on tightening cybersecurity in the federal government and promoting public-private partnerships. Version 1.0 of the National Plan addresses the complex interagency process for approaching critical infrastructure and cyberrelated issues in the federal government. Progress on Version 2.0 carried into the Bush administration but was superseded by new activities carried out in response to September 11 (see below). In response to encouragement from the government, private industry began forming sector-specific ISACs to facilitate sharing critical infrastructure information between companies in a given industry and between private industry and the government (for more on ISACs, see Chapter 2). Another private sector initiative, the Partnership for Critical Infrastructure Security (PCIS),[B10] was established in December 1999 as a public-private forum to address issues relating to infrastructure security. PCIS, incorporated as a nonprofit organization in February 2001, is operated by companies and private sector associations representing each of the critical infrastructure industries.

Since September 11

In response to the September 11 attacks, President Bush extended and amplified PDD-63 in Executive Order 13231, replacing the earlier Executive Order 13010. E.O. 13231 established the Critical Infrastructure Protection Board. The board recommends policies and coordinates programs for protecting information systems for critical infrastructure through outreach on critical infrastructure protection issues with private sector organizations; information sharing; the recruitment, retention, and training of executive branch security professionals; law enforcement coordination; research and development; international information infrastructure protection; and legislation. The board consults with affected executive branch departments and agencies and communicates with state and local governments and the private sector, as well as communities and representatives from academia and other relevant elements of society. The board coordinated with the Office of Homeland Security (OHS) on information infrastructure protection functions that had been assigned to the OHS by Executive Order 13228 of October 8, 2001. The board is chaired by the special advisor to the president for cyberspace security (often referred to as the cybersecurity czar). This office replaced the national coordinator. As cybersecurity czar, Richard Clarke now reports to both the assistant to the President for national security affairs and to the assistant to the President for homeland security.[B11] The director of CIAO was also appointed as a member of the board. In February 2003 the Directorate of Information Analysis and Infrastructure Protection in the Department of Homeland Security absorbed CIAO, NIPC, FedCIRC, and the National Communications System,[B12] but the InfraGard program remained in the FBI.

An Executive Order issued on February 28, 2003, abolished the President’s Critical Infrastructure Protection Board, but a special coordinating committee may be created to replace it.[B13]

Notes to Box 1.1

B1  More information on the NCS is available online at <http://www.ncs.gov/>.
B2  More information on the NSTAC is available online at <http://www.ncs.gov/nstac/nstac.htm>.
B3  More information on CERT is available online at <http://www.cert.org>.
B4  See <http://www.ciao.gov/resource/pccip/intro.pdf> and <http://www.info-sec.com/pccip/web/backgrd.html>.
B5  For more information on PDD-63, see <http://www.fas.org/irp/offdocs/pdd-63.htm>.
B6  More information on CIAO is available online at <http://www.ciao.gov>.
B7  More information on NIPC and InfraGard is available online at <http://www.nipc.gov> and <http://www.infragard.net/>.
B8  More information on FedCIRC is available online at <http://www.fedcirc.gov>.
B9  The National Plan is available at <http://www.ciao.gov/publicaffairs/np1final.pdf>.
B10  More information on PCIS is available online at <http://www.pcis-forum.org>.
B11  For more information, see <http://www.whitehouse.gov/news/releases/2001/10/2001101612.html>.
B12  Michael Fitzgerald. 2003. “Homeland Cybersecurity Efforts Doubled.” Security Focus. March 11.
B13  Diane Frank. 2003. “Filling the Cybersecurity Void.” Federal Computer Week. March 6.

(End of Box 1.1)

Early efforts were dominated by a focus on national security, emergency preparedness, and law enforcement, although from the beginning outreach to industry was attempted. Because of the private ownership of critical infrastructures and the prominence of private parties in the use of these infrastructures, forming public-private partnerships was thought to be one of the keys to CIP progress. The leadership role was assigned to the Critical Infrastructure Assurance Office (CIAO), although its placement within the Department of Commerce (with limited resources and authority) resulted in programs that focused on generating awareness in the private sector of critical infrastructure vulnerabilities and exhorting communication between industry and the government—and within industry—about infrastructure weaknesses and incidences of attacks and other failures.

Until September 11, 2001, the backdrop for these efforts was a steady rise in hacking incidents and computer crime.[7] Estimates from market researchers, publicized large-scale incidents (such as the distributed denial-of-service attacks of early 2001), growth in the sales of antivirus software and firewalls, and growth in prosecutions of computer crimes are among the indicators that the need to protect information infrastructure had begun to attract more attention by the beginning of this century—albeit less than security experts would have liked to see.

In 2002, development of the National Strategy to Secure Cyberspace[8] provided a focal point for Bush administration efforts in critical information infrastructure protection. Originally, the administration had planned to release the report in its final version in September 2002; however, ongoing negotiations between the administration and the other parties involved in the strategy’s formulation led to the draft version and a 60-day comment period in which input at all levels was solicited. The administration also convened a number of town-hall meetings across the country to gather additional input.

Early drafts included proposals to suspend wireless Internet service until security holes were addressed, require Internet service providers to include firewall software, recommend that government agencies use their power as a major purchaser of computer software to push software vendors to improve the security of their products, provide financial incentives for vendors to improve the security of their products, and impose legal liability for failing to meet basic security standards.[9] However, the final version, released February 14, 2003, scaled back on the government’s role and emphasized voluntary industry initiatives.[10] Consumer education, partnership between the private and public sector, and investment in research are among the proposals in the final cyberspace plan.

Events of September 11, 2001

The terrorist attacks of September 11, 2001, resulted in a massive destruction of property and loss of human life, but the attacks also demonstrated the vulnerability of America’s information infrastructure and its importance to crisis management.[11] In the wake of those events, experts noted that attacks on information infrastructure can amplify the effects of attacks on physical infrastructure and interfere with response activities, such as by overloading surviving communications networks.[12] Ronald Dick, then director of the National Infrastructure Protection Center (NIPC), noted at the symposium that September 11 had increased awareness of the interdependencies of critical infrastructures and heightened the sense of urgency surrounding information sharing on cyber and physical threats. For example, Mr. Dick commented that NIPC was holding multiple daily briefings with the electric power and financial services ISACs to provide threat and vulnerability assessments.

Legislative initiatives have been prominent among the responses to September 11. Although those responses have been framed as supporting “homeland security,” several policy measures were introduced that recognized the importance of critical infrastructures to national security. The USA PATRIOT Act,[13] enacted in October 2001, calls for actions necessary to protect critical infrastructures to be carried out by a public-private partnership. The Office of Homeland Security (OHS) was established by Executive Order 13228 and was tasked with coordinating efforts to protect critical infrastructures. Executive Order 13231 established the President’s Critical Infrastructure Protection Board on October 16, 2001 (it was abolished on February 28, 2003). A new position, the special advisor to the President on cyberspace security, was established to provide leadership in the protection of information infrastructure, and that function was integrated with the evolving activities of both the OHS and the National Security Council and coordinated with relevant activities associated with the Office of Science and Technology Policy. Executive Order 13231 also places more emphasis on cooperation with the private sector. This raises questions about the role of government, as well as that of industry, in achieving cooperation.

The new team of cybersecurity leaders began to develop a cybersecurity strategic plan, echoing earlier efforts to develop CIP strategic plans. Both early 2002 proposals for consolidating the functions associated with CIP into OHS and mid-2002 proposals for organizing a new Department of Homeland Security have created some confusion about who is in charge of CIP activities. A recent General Accounting Office (GAO) report[14] found that over 50 organizations (including five advisory committees; six organizations in the Executive Office of the President; 38 executive branch organizations associated with departments, agencies, or intelligence organizations; and three other organizations) are involved in CIP. Adding in state and local entities would greatly enlarge the total number.

As the establishment of the Department of Homeland Security in early 2003 underscores, the organizational structure of CIP—and within it, CIIP—may continue to evolve for quite some time, and the form it eventually takes will determine the extent to which infrastructure protection is singled out from or integrated within other elements of homeland, national, and economic security. The organizational approach may interact, in turn, with policy decisions about the role of law, technology, and procedure in addressing CIP/CIIP needs. Current trends suggest that law will play a growing role, inasmuch as the increasing focus on homeland security seems to have accelerated the formation and implementation of relevant laws.

THIS REPORT

This report examines legal issues[15] associated with information infrastructure protection, with an emphasis on information sharing and liability. It is not a general description of computer crime or cybercrime. Since the private sector owns the majority of the critical infrastructures, the laws examined are those that affect the willingness of industry to cooperate with the government to prevent, detect, and mitigate attacks.

A central issue is the framework for sharing information associated with information system vulnerabilities and their exploitation. Security experts would like to see more such sharing, but private parties and some government agencies have been reluctant to comply. Chapter 2 outlines the situation and comments on the two laws most frequently cited as discouraging information sharing: the Freedom of Information Act and the antitrust laws.

Although the intent of criminal law is to deter future crime and punish perpetrators, some experts suggest that it is not sufficient to prevent attacks on the nation’s critical information infrastructures. The ability to impose civil damages on infrastructure owners who are proven negligent could motivate them to invest the necessary resources to improve the security of the nation’s information infrastructures. Chapter 3 discusses where liability currently lies for producing, maintaining, or operating unsecured systems and networks, and how changing the assignment of liability could contribute to infrastructure protection.

The final chapter examines the larger business, social, and technical context. The report identifies issues and differences of opinion, providing an overview rather than an exhaustive analysis. The symposium noted that privacy and civil liberties could become casualties to more aggressive CIP/CIIP, depending on how legal mechanisms are designed and enforced. These concerns have grown since that time owing to new legislative and administrative developments, noted in Chapter 4. This report notes the tension between security and civil liberties but, given the limited resources of the project, does not address these concerns in detail.

NOTES

1  Computer Science and Telecommunications Board, National Research Council. 1999. Trust in Cyberspace. National Academy Press, Washington, D.C.
2  An information infrastructure includes not only the networks but also the network management systems, such as the Domain Name System.
3  Based on a presentation by Colonel Timothy Gibson, U.S. Army, at the symposium on October 22, 2001.
4  Information about the presidential memorandum signed on August 21, 1963, to establish the NCS is available online at <http://www.ncs.gov/ncs/html/NCSHistoryBkgrd.html>.
5  President’s Commission on Critical Infrastructure Protection. 1997. Critical Foundations. Washington, D.C.
6  Ibid., p. 19.
7  Computer crime, or cybercrime, can encompass a wide range of situations involving IT in the context of crime. The absence of a definition is problematic and often hampers cooperation and funding, not to mention legal cooperation and policy coordination. There are important differences (both in the challenges and the solutions) between protecting networks from attacks by hackers and protecting them from a resourceful, determined adversary. For an in-depth look at the use of information technology to protect against the threat of catastrophic terrorism, see Computer Science and Telecommunications Board, National Research Council. 2003. Information Technology for Counterterrorism: Immediate Actions and Future Possibilities. The National Academies Press, Washington, D.C.
8  Available online at <http://www.whitehouse.gov/pcipb>.
9  Jonathan Krim. 2003. “Cyber-Security Strategy Depends on Power of Suggestion.” Washington Post, February 15, p. E01.
10  Jennifer Lee. 2003. “White House Scales Back Cyberspace Plan.” New York Times, February 15, p. A12.
11  Computer Science and Telecommunications Board, National Research Council. 2002. Internet Under Crisis Conditions: Learning from September 11. National Academy Press, Washington, D.C.
12  National Research Council. 2002. Making the Nation Safer: The Role of Science and Technology in Countering Terrorism. National Academy Press, Washington, D.C.
13  PL 107-56.
14  U.S. General Accounting Office. Critical Infrastructure Protection: Significant Challenges Need to Be Addressed. GAO-02-961T. July 24, 2002.
15  The PCCIP issued a series of reports, known as the Legal Foundations reports, that identified many legal issues associated with information assurance, including the Freedom of Information Act (FOIA), antitrust, tort liability, the Defense Production Act, and the Stafford Act. These reports are available online at the CIAO Web site <http://www.ciao.gov/resource/pccip/pccip_documents.htm>.

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.