Critical Information Infrastructure Protection and the Law
AN OVERVIEW OF KEY ISSUES
Stewart D. Personick and Cynthia A. Patterson, Editors
THE NATIONAL ACADEMIES PRESS
Washington, D.C. www.nap.edu
THE NATIONAL ACADEMIES PRESS
500 Fifth Street, N.W. Washington, DC 20001
NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.
Support for this project was provided by the National Academy of Engineering. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsor.
International Standard Book Number 0-309-08878-X (book)
International Standard Book Number 0-309-50637-9 (PDF)
Copies of this report are available from the National Academies Press, 500 Fifth Street, N.W., Lockbox 285, Washington, D.C. 20055, (800) 624-6242 or (202) 334-3313 in the Washington metropolitan area. Internet, http://www.nap.edu
Copyright 2003 by the National Academy of Sciences. All rights reserved.
Printed in the United States of America
THE NATIONAL ACADEMIES
Advisers to the Nation on Science, Engineering, and Medicine
The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Bruce M. Alberts is president of the National Academy of Sciences.
The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Wm. A. Wulf is president of the National Academy of Engineering.
The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Harvey V. Fineberg is president of the Institute of Medicine.
The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy’s purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Bruce M. Alberts and Dr. Wm. A. Wulf are chair and vice chair, respectively, of the National Research Council.
COMMITTEE ON CRITICAL INFORMATION INFRASTRUCTURE PROTECTION AND THE LAW
STEWART D. PERSONICK, Drexel University, Chair
MICHAEL COLLINS, Lockheed Martin
WILLIAM J. COOK, Freeborn & Peters
DEBORAH HURLEY, Harvard University
DANIEL SCHUTZER, Emerging Technologies, Citigroup
W. DAVID SINCOSKIE, Telcordia Technologies
RICHARD R. VERMA, Council on Foreign Relations
MARC J. ZWILLINGER, Sonnenschein Nath & Rosenthal
Staff
CYNTHIA A. PATTERSON, Study Director and Program Officer
MARJORY S. BLUMENTHAL, Director
D.C. DRAKE, Senior Project Assistant
COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD
DAVID D. CLARK, Massachusetts Institute of Technology, Chair
ERIC BENHAMOU, 3Com Corporation
DAVID BORTH, Motorola Labs
JOHN M. CIOFFI, Stanford University
ELAINE COHEN, University of Utah
W. BRUCE CROFT, University of Massachusetts at Amherst
THOMAS E. DARCIE, University of Victoria
JOSEPH FARRELL, University of California at Berkeley
JOAN FEIGENBAUM, Yale University
WENDY KELLOGG, IBM Thomas J. Watson Research Center
BUTLER W. LAMPSON, Microsoft Corporation
DAVID LIDDLE, U.S. Venture Partners
TOM M. MITCHELL, Carnegie Mellon University
HECTOR GARCIA MOLINA, Stanford University
DAVID A. PATTERSON, University of California at Berkeley
HENRY (HANK) PERRITT, Chicago-Kent College of Law
DANIEL PIKE, GCI Cable and Entertainment
ERIC SCHMIDT, Google, Inc.
FRED SCHNEIDER, Cornell University
BURTON SMITH, Cray Inc.
LEE SPROULL, New York University
WILLIAM STEAD, Vanderbilt University
JEANNETTE M. WING, Carnegie Mellon University
MARJORY S. BLUMENTHAL, Executive Director
KRISTEN BATCH, Research Associate
JENNIFER BISHOP, Senior Project Assistant
JANET BRISCOE, Administrative Officer
DAVID DRAKE, Senior Project Assistant
JON EISENBERG, Senior Program Officer
RENEE HAWKINS, Financial Associate
PHIL HILLIARD, Research Associate
MARGARET MARSH HUYNH, Senior Project Assistant
ALAN S. INOUYE, Senior Program Officer
HERBERT S. LIN, Senior Scientist
LYNETTE I. MILLETT, Program Officer
DAVID PADGHAM, Research Associate
CYNTHIA A. PATTERSON, Program Officer
JANICE SABUDA, Senior Project Assistant
BRANDYE WILLIAMS, Staff Assistant
STEVEN WOO, Dissemination Officer
For more information on CSTB, see its Web site at <http://www.cstb.org>; write to CSTB, National Research Council, 500 Fifth Street, N.W., Washington, DC 20418; call at (202) 334-2605; or e-mail the CSTB at cstb@nas.edu.
NATIONAL ACADEMY OF ENGINEERING PROGRAM COMMITTEE
PETER STAUDHAMMER, TRW Inc., Chair
RODICA A. BARANESCU, International Truck & Engine Corporation
CORALE L. BRIERLEY, Brierley Consultancy LLC
PALLAB K. CHATTERJEE, i2 Technologies
WOODIE C. FLOWERS, Massachusetts Institute of Technology
GORDON E. FORWARD, TXI
RENATO FUCHS, Transkaryotic Therapies, Inc.
MARTIN E. GLICKSMAN, Rensselaer Polytechnic Institute
THOMAS E. GRAEDEL, Yale University
BRUCE HAJEK, University of Illinois
GEORGE M. HORNBERGER, University of Virginia
KENNETH H. KELLER, University of Minnesota
MARGARET A. LEMONE, National Center for Atmospheric Research
RICHARD J. LIPTON, Georgia Institute of Technology
EUGENE MEIERAN, Intel Corporation
FREDERICK G. POHLAND, University of Pittsburgh
C. PAUL ROBINSON, Sandia National Laboratories
FRIEDER SEIBLE, University of California, San Diego
LAURENCE C. SEIFERT, AT&T Corporation
CHRIS G. WHIPPLE, Environ, Inc.
Ex Officio Members
GEORGE M.C. FISHER, Eastman Kodak Company, NAE Chair
SHEILA WIDNALL, Massachusetts Institute of Technology, NAE Vice President
WM. A. WULF, National Academy of Engineering, President
Staff
PROCTOR REID, National Academy of Engineering, Associate Director, Program Office
JACK FRITZ, National Academy of Engineering, Senior Program Officer, Program Office
PREFACE
Critical infrastructure protection emerged as a national concern in the late 1990s. The establishment in 1996 of the President’s Commission on Critical Infrastructure Protection (PCCIP), its 1997 report Critical Foundations: Protecting America’s Infrastructures, and the issuance in 1998 of Presidential Decision Directive 63 and the establishment of the Critical Infrastructure Assurance Office (CIAO) promoted awareness of critical infrastructure issues. Among the many forms of critical infrastructure—such as transportation, energy, and water—the information infrastructure, which combines computing and communications systems, stands out as important in its own right and as a crosscutting factor in all other infrastructures. Like power, information infrastructure is a critical infrastructure that all other critical infrastructures depend upon. The Bush administration’s review of critical infrastructure protection activities, the tragic events of September 11, and the new national focus on homeland security in general (and cyberterrorism in particular) signal a need for broader reflection, as well as action, on these issues. Progress, however, will require the development of a clear legal framework, in addition to focusing on the technology and current business practices in the public and private sectors.
The National Academy of Engineering asked the Computer Science and Telecommunications Board to organize a symposium to illuminate the range of legal issues and the range of perspectives on issues associated with protection of the critical information infrastructure. CSTB convened the Committee on Critical Information Infrastructure Protection and the Law (see Appendix A for committee biographies) to undertake the project, asking it to focus on information sharing and liability. While previous CSTB efforts addressed technical, procedural, and policy aspects of [information] security and crisis management, this project emphasizes the role of the law as a barrier to or a facilitator of progress.
The committee met in June 2001 to plan a 2-day symposium, which was held October 22-23, 2001 (the agenda is listed in Appendix B). The committee met again in December 2001 to plan the structure and format of this summary report, which evolved through the end of 2002.
The attacks of September 11, 2001, had a major impact on this project. The tragic events forced some expected participants to cancel their travel, while other initially reluctant parties became willing to participate. The subject matter of the symposium became even more relevant to participants who were not speakers, and the tone and subject matter of presentations and discussions were tailored to and colored by the attacks. As a result, the symposium was larger than anticipated. The discussions were less abstract or hypothetical and more rooted in various realities. Concerns that were expressed at the symposium about issues such as privacy rights and the legal and business risks of sharing information appeared to some committee members to be surprisingly muted. Law enforcement representatives at the symposium expressed a surprising willingness to share information in ways that might impair their ability to prosecute suspected criminals and terrorists, in exchange for improving the ability of the broader community to prevent attacks. The committee does not know if this is a short-lived, politically correct retrenchment or a permanent shift to a new balance of the trade-offs associated with these complex issues.
Meanwhile, responses to September 11 continued to unfold throughout the period in which this report was drafted, greatly complicating the task of describing contemporary conditions and prospects. The dynamism of the situation would make any report with concrete recommendations obsolete before it was published. Against this backdrop, the committee chose to highlight enduring observations, focusing on two issues that could potentially facilitate critical information infrastructure protection efforts—information sharing and the liability of unsecured systems and networks. The committee sought to summarize the debate surrounding use of the Freedom of Information Act (FOIA), antitrust, and liability laws that lie at the heart of critical information infrastructure protection, attempting to maintain that focus in the face of substantial blurring between those issues and the larger set of homeland security issues facing the country. The content of this report reflects the issues identified at the symposium and during subsequent deliberations by the committee. The value of the report lies in its integration of a very diverse set of perspectives to provide a roadmap and stimulus for future more focused and in-depth inquiries.
The committee is particularly grateful to Wm. A. Wulf, whose commitment to addressing the problems posed by critical infrastructure protection (CIP) and whose recognition that the law presents challenges and opportunities in that arena helped to shape this project. His engagement with members of the National Academy of Engineering (NAE), among them John Harris, and with its program committee provided most of the project’s funding.
The committee thanks the symposium participants (see Appendix B for a list of speakers) as well as the many people who responded to its requests for briefings and discussions. Lee Zeichner and Timothy Nagle provided informed discussion on how to frame the project. The committee appreciates the thoughtful comments received from the reviewers of this report. These comments were instrumental in helping the committee to sharpen and improve the report.
The chairman and the entire committee wish to express their deep appreciation for the herculean efforts of the study director, Cynthia Patterson, and the project assistant, David Drake, who performed the lion’s share of the work required to organize and run the symposium, to create this report, and to shepherd it through the necessary review and revision processes. We would also like to express our deep appreciation for the guidance, leadership, encouragement, and advice provided to us by Marjory Blumenthal, the director of the Computer Science and Telecommunications Board of the NRC.
Stewart D. Personick, Chair
Committee on Critical Information Infrastructure Protection and the Law
ACKNOWLEDGMENT OF REVIEWERS
This report was reviewed by individuals chosen for their diverse perspectives and technical expertise, in accordance with procedures approved by the National Research Council’s (NRC’s) Report Review Committee. The purpose of this independent review is to provide candid and critical comments that will assist the authors and the NRC in making the published report as sound as possible and to ensure that the report meets institutional standards for objectivity, evidence, and responsiveness to the study charge. The contents of the review comments and draft manuscript remain confidential to protect the integrity of the deliberative process. We wish to thank the following individuals for their participation in the review of this report:
Kent Alexander, Emory University;
David A. Balto, White & Case LLP;
Stanley M. Besen, Charles River Associates;
Nicholas M. Donofrio, IBM Corporation;
Marc D. Goodman, Decision Strategies;
John C. Klensin, AT&T Labs;
David J. Loundy, DePaul University College of Commerce;
Alan B. Morrison, Stanford Law School;
Robert Murphy, Congressional Budget Office;
Debra Pearlstein, Weil, Gotshal & Manges LLP;
Abraham D. Sofaer, Stanford University; and
Suzanne Spaulding, American Bar Association’s Standing Committee on Law and National Security.
Although the reviewers listed above provided many constructive comments and suggestions, they were not asked to endorse the conclusions or recommendations, nor did they see the final draft of the report before its release. The review of this report was overseen by Chris Sprigman of King & Spalding LLP. Appointed by the National Research Council, he was responsible for making certain that an independent examination of this report was carried out in accordance with institutional procedures and that all review comments were carefully considered. Responsibility for the final content of this report rests entirely with the authoring committee and the institution.