Findings of the President's Commission on Critical InfrastructureProtection
Frederick Struble
President's Commission on Critical Infrastructure Protection
Dr. Struble's summarized the findings of the PCCIP, which he hoped would be helpful as background information for the workshop's deliberations on the uses and applications of underground facilities (UGFs). The PCCIP report was submitted to the President on October 13, 1997, with the understanding that key federal agencies would be given the opportunity to review it and submit comments, which would also be presented to the President.
Dr. Struble observed that, even though the Cold War is over, the people and properties of the United States, both inside and outside our borders, remain at considerable risk from terrorists, both domestic and foreign, hostile nation states, and various malcontents. Recent events have made these threats abundantly clear; bombings of the World Trade Center in New York, the federal office building in Oklahoma City, the Olympic grounds in Atlanta, and the U.S. military base in Saudi Arabia. Weapons of mass destruction, including chemical and biological agents, pose comparable, if not more, lethal threats. Some nation states are probably working to develop small atomic bombs, and not all of the nuclear weapons that were part of the arsenal of the former Soviet Union have been accounted for. These weapons pose the most serious danger to our country in the immediate future.
The PCCIP focused, however, on another type of weapon, which has the potential to match, or even exceed, the damage and disruption caused by physical weapons. Cyber-tools and techniques that use sophisticated telecommunications systems can be used to disrupt or gain control of computer-based information and operating systems. These information technologies and systems have been credited with major scientific and technological advances, enhancing technical capabilities, and improving the efficiencies of almost every type of activity in our society. At the same time, our growing reliance on them has created serious vulnerabilities in our critical infrastructures and other vital functions of society that depend on them. As infrastructure sectors become more and more interdependent, a malfunction in the information and operating system of one sector can have cascading effects onto other sectors. For example, a failure of the power grid could disrupt many other infrastructure sectors.
Recent events have underscored the vulnerability of our information and control systems. Hackers, with apparently no more motivation than proving how smart they are, have on many occasions broken into the control centers or impaired the functioning of many systems, both governmental and private. An exercise carried out by the U.S. Department of Defense (DoD) last year, Operation Eligible Receiver, demonstrated the alarming potential of cyber-threats. The exercise showed that cyber-tools, used with other sophisticated
procedures and techniques that are well known to intelligence communities, could disrupt and impair the functioning of information, operational, and communications systems of defense agencies and other vital infrastructure sectors. The PCCIP concluded that the United States will be increasingly at risk from the use of cyber-weapons.
The PCCIP described the following scenario. A well-financed and knowledgeable adversary, not wishing to test the military might of the United States in conventional conflict, could seek to undermine our strength and security by using both cyber-weapons and physical weapons in a coordinated way to cause death, damage, and disruption. Part of the attack might involve sophisticated cyber-tools to invade and interrupt the electric grid system in the Northeast, for example. Given the worldwide Internet, this attack could be controlled from a foreign country. The disruptive effects of the attack could be enhanced by using the same cyber-tools and techniques to undermine DoD's ability to communicate over the Internet, which is used to transmit all but the most sensitive messages.
If physical weapons were also used, such as chemical sabotage of the water system of a midwestern city coupled with the bombing of public facilities on the West Coast or the introduction of lethal gas into the subway system of a major eastern city, the resulting death and destruction would cause a widespread loss of morale, if not panic. The tendency to panic would be even greater if our defense and law enforcement authorities were not able to respond effectively to such events.
This is not an unrealistic scenario. Given the clandestine nature of the attack, it might take some time to determine whether a foreign or domestic source was responsible or even to decide if all of the events were related. Thus, there could be considerable confusion as to which agencies, defense or law enforcement, should take the lead and organize a response. Also, if defense communications systems were disrupted, defense agencies would find it difficult to mobilize their forces and to organize an effective response. In addition, efforts by federal agencies to mitigate the effects of the attack and to help in the cleanup and reconstruction could be handicapped by the lack of enabling legislation. State and local authorities could also be hampered in their efforts because most of them lack the necessary training and equipment.
In short, the PCCIP concluded that if this scenario occurred it would present a serious challenge to our overall national security. The commission's strongest recommendation was that it is imperative for the United States to act now to protect itself. The commission recognized that this is not just a question for the federal government. Although the federal government has overarching responsibilities for defense, law enforcement, and intelligence, private firms and state and local governments that own the infrastructure systems also must act to protect themselves.
The infrastructure systems considered by the commission were limited to telecommunications, electric power, oil and gas, transportation, banking and finance, water distribution, emergency services, and government operations at
all levels. The principal owners of these infrastructures have the immediate responsibility of providing security for their employees and properties and for ensuring that they have the capability to serve their customers under adverse circumstances. Thus, joint actions by the government and the private sector will be required to address our national security needs; some actions should be undertaken in parallel by the federal government and the private sector, some in partnership, and some individually.
The PCCIP recommended that concerted efforts be made to heighten public awareness of the risks facing our country, particularly cyber-risks, which are not adequately appreciated, and to strengthen educational programs to deal with these risks. The need for education in this area is apparent. Dr. Strubble noted, for example, how often employees, both within and without the government, react to computer malfunctions by assuming that the machine or its programs are responsible rather than a hostile agent acting over an Internet connection. People must become conditioned to recognize and suspect the potential for outside threats. Information security consciousness by senior infrastructure management was observed to be uneven across firms and sectors. Training at all levels of our education system must be improved to raise security consciousness and to provide a cadre of people with security expertise. Finally, the commission found that young people, many of whom have better technical skills than judgment, need to be made to understand that the invasion of information systems, whether government or private, is a serious offense comparable to breaking into a business or home and that offenders will be subject to prosecution and punishment.
To achieve these objectives, the PCCIP recommended that the White House sponsor a series of conferences for leaders in the business and academic communities and state and local governments. In addition, the commission recommended that the National Science Foundation provide research grants for university faculties and scholarships for students to promote research on ways to protect the security of our information systems.
A second set of recommendations focused on the federal government's management of the security of its own information systems. From reports by the Inspector General and other sources, it is clear that many of our government agencies have not taken appropriate measures to secure their information systems. Thus, the PCCIP recommended that the federal government take decisive steps to get its house in order and lead by example. To that end, the commission called for the National Institute of Standards and Technology and the National Security Agency to establish standards and best practices for safeguarding the government's information systems. In addition, the commission recommended that clear and unequivocal specifications for complying with these standards and practices be built into the planning processes for federal agencies. The planning goals should be stated in a way that makes it easy to ascertain whether or not they have been met.
Third, the PCCIP report called for a major increase in federal R&D funding. Although both private industry and federal agencies have increased
their spending considerably in recent years, the commission concluded that much more remains to be done to promote security. Specifically, the PCCIP called for an immediate doubling, to more than $500 million, of federal spending on R&D in the coming year, and for a further increase of 20 percent per annum in the following five years. Expanded R&D for technologies and procedures is expected to pay direct dividends for the government as well as the private sector. Federally funded R&D will also be a catalyst to encourage private efforts.
Fourth, after reviewing the existing legal framework, the PCCIP recommended that key laws be changed so that cyber-threats can be addressed and potential attacks managed more effectively. A few of the recommendations the commission made in this area are that (1) owners of infrastructures should be authorized to screen potential employees being considered for sensitive security positions more thoroughly; (2) our law enforcement agencies should be authorized to investigate suspected criminal activities that cross the jurisdictional lines of federal district courts by obtaining an order from only one federal court rather than from each court involved; (3) computer crimes should be deterred by making sentencing parameters stricter; and (4) the federal government should provide greater financial and other assistance to municipal, state, and local firefighters and police to prepare them to deal with the effects of natural disasters and other destructive forces.
Fifth, the commission recommended that actions be taken to promote information sharing within each infrastructure sector, across infrastructure sectors, and among all sectors and relevant government agencies. Shared information should include reports of all attempts to intrude into information systems. Government efforts to stop these intrusions would be more effective if the techniques used and the number of occurrences were known. Many entities have been reluctant to report such intrusions, even to law enforcement agencies, because they are concerned that disclosure might be embarrassing, attract further attacks, or expose their operations to disruptive criminal investigations. Information must flow in both directions, with government agencies informing private firms of plans by potentially hostile parties, as well as making information available about technologies that can be used to make information systems more secure.
Finally, the PCCIP recommended that organizational structures be established to facilitate the sharing of information and to promote cooperation between government agencies and private firms. The commission attempted to avoid, as much as possible, recommendations for the establishment of an extensive new bureaucracy or added regulations. The commission's recommendations include the following:
-
An Office of National Infrastructure Assurance, to be located in the White House as part of the National Security Council and staffed by a small number of people drawn from relevant government agencies, would serve as a focal point for efforts to protect critical infrastructures.
-
An Infrastructure Assurance Council, composed of prominent corporate leaders, representatives of states and local governments, and cabinet officers, would address infrastructure policy issues and advise the President.
-
An infrastructure assurance support office, composed of staff from both government and the private sector, would provide functional support to the Office of National Infrastructure Assurance and to the National Security Council and would carry out other activities for promoting the security of our information systems.
The PCCIP also recommended that several other entities help organize and facilitate the sharing and analysis of information and general cooperation between federal agencies, private firms, and state and local governments. First, the commission recommended that each infrastructure sector organize itself in the way best suited to facilitate information sharing and be authorized to designate its own infrastructure assurance coordinator. Second, federal agencies with supervisory and oversight responsibilities for each sector were directed to assist them. Third, the PCCIP recommended the establishment of an information and analysis center in the private sector to receive information from each infrastructure sector and use it to analyze the progress of each sector and to disseminate the results of their analyses to both government and private users. Finally, the PCCIP recommended the establishment of an early warning center within the government that would be responsible for analyzing information and assessing threats from all sources. This center would provide warnings as quickly as possible of a concerted attack on our country. The Federal Bureau of Investigation is already working to establish such a center.
Since these recommendations were submitted to the administration in October 1997, national defense and law enforcement agencies and other key government departments have had them under review. The review has been supplemented with advice from a presidentially appointed committee of industry leaders. Former Senator Sam Nunn and Jamie Gorlick, past assistant attorney general are cochairs. The committee was established to advise the commission as it formulated its recommendations. Many aspects of the recommendations have complicated implications, and some create, at least at the margin, jurisdictional problems for various agencies. As expected, the deliberation process will take some time, but the essentials of the recommendations, if not every detail, will probably be endorsed by the departments and agencies now reviewing them.
Dr. Struble concluded by reemphasizing the threats facing our nation today and in the future. He cited the need to improve the security of critical infrastructures as we move into the twenty-first century, and UGFs would seem to help achieve that end in many situations. Not only are UGFs suitable for this purpose, some are also available now. Dr. Struble challenged the workshop participants to identify the advantages of existing UGFs, determine how they could be modified to be of most benefit, and make them known to infrastructure owners. In short, he said the workshop should focus on stimulating demand to match the existing supply.
