Use of Underground Facilities to Protect Critical Infrastructures: Summary of a Workshop
Panel 4: Factors Influencing the Decision-Making Process
Moderator: Paul Byron Pattak, PME, Ltd.
John Copenhaver
Federal Emergency Management Agency, Region IV
Drawing on his experience at IBM and Bell South, Mr. Copenhaver provided the workshop attendees with his views on how decisions are made in corporate America and on what factors influence the approval process for funding new initiatives. If he were to try promoting the use of UGFs to top management, he said, he would begin with an objective risk analysis. This would be used to project the impact to corporate managers of an attack against operations infrastructure. He then would estimate how frequently such an event might happen, followed by a request for phased funding to address the threat. He stressed the importance of not seeking all of the money needed up front.
His message was that executives want to see two things: first, they want their reasons for saying "no" eliminated; second, they want to be given reasons to say "yes." Executives typically do not gather such information themselves; rather, they depend on others to make a case with relevant information and to present it to them. Corporate executives encourage competition from those requesting a larger piece of the corporate budget. Arguments about "what if" scenarios can be anticipated by providing executives with information and statistics from which they can evaluate a range of informed choices based on realistic options. If presented with only one option, it becomes easier to say "no." Presenting a number of options for implementation, such as multiyear budgets as compared to significant up-front funding, is better. Asking for a large part of the project money in the beginning makes it easier for executives to say "no."
There is inherent competition within companies, particularly when someone requests funding for new initiatives or attempts to change procedures. This is partly because corporate shareholders are always looking for more revenue-generating activities. A protective feature like UGFs can be perceived as an unnecessary expense; therefore, the business case has to be very strong.
Mr. Copenhaver described the environment in the corporate world with respect to security and disaster recovery as inadequate. Few corporations have a genuine commitment to emergency preparedness. Instead, their emphasis is on stockholders and return on investment. That process is beginning to change, however. Talking to executives about their fiduciary obligations to protect and conserve corporate assets is a good strategy.
Derek Long
BT Syntegra
Mr. Long began by stating that the issue of UGFs must not be addressed in isolation. Global connections make infrastructure protection everybody's problem, and interdependence of systems is total. Throughout the world economic growth is reliant on a consistent and interdependent communications infrastructure, which in turn is dependent on electric power, natural gas, and many other systems. European countries have just begun investigating this issue in a collective sense. Mr. Long related how he had recently represented the European telecommunications industry at the first meeting of the European Union Commission, which is now beginning to study dependability and survivability, in which UGFs do come into play. The conclusion of the participants was that the interconnectivity of systems is now total.
Mr. Long described how the British telecommunications monopoly was broken up and forced to allow its competitors access to billings systems, traffic routing, and so forth—even those competitors owned by foreign concerns. Thus, a vision for increasing competition has led to unexpected vulnerabilities. He also spoke about the vulnerability of British telecommunications, which failed when a pile driver accidentally broke a main fiber optic cable, cutting power to 50 percent of all users. BT has a directive from the British government to protect its systems, and all BT staff must have security clearances. BT Syntegra has just finished a £300 million project to totally upgrade the Ministry of Defence's core network. Also, competing contractors are now precluded from working in large parts of the BT organization for security reasons.
From the decision-making point of view, Mr. Long and his colleagues in information warfare won approval for some of their programs by showing senior management that their company could be put out of business in less than two hours. This was a powerful incentive. He believes that one area in which UGFs might engender general interest in the commercial sector has to do with the year 2000 computer issue.
The British telecommunications experience is broader than simply studying UGFs for solutions. If facilities are going to be underground to guard against current threats, engineering must be conducted with possible future threats in mind. A good example was the former TEMPEST program for communications.
Mr. Long noted that there are advantages and disadvantages to UGFs. Fire is a potential weakness; one example is the fire in the English Channel Tunnel that destroyed fiber optics and power cables, putting it out of business for six months. Nonnuclear radio frequency attacks also are a concern and could potentially endanger lines of communication that lead into tunnels.
Carl Peterson
NADET Institute
Dr. Peterson described the National Advanced Drilling and Excavation Technologies (NADET) Institute and its work. He noted that the NADET Institute does not actually conduct research but rather facilitates it. He believes that neither individuals in various industries nor government agencies have the power to solve large problems when looking for long-range innovative solutions. The users and those with funds must come together and take advantage of their combined resources to achieve results.
NADET once surveyed various industries to develop a listing of barriers to major progress in the mining industry. Of the approximately 20 items on the list, not one was technical. One item named was the lack of leadership, and another was the lack of a road map for success.
Existing underground spaces do have limitations such as having been originally designed for military purposes with fairly large budgets or having represented mining space that was paid for out of mining company profits. Either way, cost was not a factor at the time of construction but is today. Even in Norway, for example, government policy is to build underground and the economics work out very well, but it required a regulatory policy to make it happen.
Dr. Peterson maintained that in this country the cost of new underground construction is very limiting. In the United States, underground space is much more expensive than above-ground construction, and new technology and perhaps new contractual arrangements are, therefore, required. Policy controls the technical effort that is put forward, and the technical effort or, more likely, the lack of it controls the options available to policymakers. One problem with existing underground spaces is that a user has to find one that is in the right shape and in the right location for their needs. In light of this, refurbishing existing UGFs can be a good value.
Dr. Peterson described the current situation with respect to the utilization of UGFs as one of gridlock. The problem is not so much research as it is development. In times of tight budgets it is sometimes hard to gain support for projects clouded in secrecy, and a public works project might be easier to sell. To break the gridlock, government might have to take the lead for a broadly based program because industry will not do it alone. Those needing solutions outnumber those funding solutions, and those who want to do the research far outnumber those who want to fund it.
There is a need to improve underground technologies as a way of lowering the costs, such as a device called a universal tunneler, which reduces much of the risk and associated costs of civil projects. No one entity really has the incentive to fund this research, but there is a collective need, and there should be an organized effort to do so. Dr. Peterson closed by indicating that the most important thing to do is break through the barriers that are inhibiting progress and that events such as this workshop might act as a catalyst.
Irwin Pikus
President's Commission on Critical Infrastructure Protection
Dr. Pikus focused his remarks on the various threats to critical infrastructures. While individual organizations and some industries know where they are vulnerable, there is no national perspective on the potential range of threats. Infrastructures are vulnerable and attractive targets, and attacking them can affect enterprise profitability, national security, economic health, living standards, public confidence, and many other concerns. Physical attacks include destroying targets, altering them so they cannot function correctly, and contamination. Cyber-attacks include denial of access, corruption of information, destruction of data, and theft of information.
The overriding national need is to be able to deter, detect, deflect, respond to, and recover from an attack, and to mitigate or control its consequences. Dr. Pikus emphasized that we must raise public awareness of the problem, train people to deal with such situations, address the relevant security issues, and increase R&D to get the tools we are currently lacking.
A great advantage of UGFs is their controlled environment, which makes them ideal for certain uses. UGFs are isolated, and activities can be conducted in this environment without affecting neighboring installations. A range of facilities and amenities can be maintained underground, and key assets can be housed there. UGFs need to be evaluated in terms of best, intermediate, and worst choices for particular situations. Perhaps an ideal use for UGFs is as infrastructure protection R&D centers and as useful testbeds for promising approaches. Other potential good uses include training exercises for first responders in dealing with chemical or biological agents and suggested training exercises using simulated chemical or biological agents in these facilities. Dr. Pikus also noted that it is conceivable to use UGFs for assessing the vulnerabilities of systems (e.g., sub-scale modeling) which can be done out of the public view.
Dr. Pikus advised that before beginning such a program the costs and vulnerabilities associated with relocating key infrastructure elements underground must be understood. He closed by highlighting the importance of evaluating whether UGFs are the best choice for a particular situation or just one of many options. This must be taken into account with solid cost data, so that corporate executives can make sound business decisions.
Eugene Sevin
DoD Consultant
The focus of Dr. Sevin's remarks was that, to move forward seriously on UGFs as a viable solution to infrastructure protection problems, the government in general, and DoD in particular, must play key leadership roles. Security is DoD's principal but not its only concern. DoD's experience with UGFs and other hardened facilities has been to design them to resist a massive nuclear threat. DoD's historical perspective on UGFs partially accounts for the conservative design philosophy related to the scale of that threat. As a consequence, UGFs were often judged to be too costly in relationship to alternative solutions, such as mobile assets. Additionally, there were cultural obstacles to be overcome, and this history is discouraging.
Dr. Sevin noted that the primary threat to our infrastructures today seems to be cyber-attacks, which UGFs do not address directly because the principal use of UGFs over the years was for protection against nuclear (i.e., physical) threats. A National Research Council (NRC) study on design and building applications of hardening technologies ruled out the use of fortress-type structures and UGFs as protection from bomb threats and blast damage. Dr. Sevin noted that the NRC and its Board on Infrastructure and the Constructed Environment need to be involved in the protection of the constructed environment.
DoD has a mixed view of its responsibilities for protecting the civilian population as it contributes to national security. Dr. Sevin did not think that protecting the civilian population as part of national security is an accepted mission of DoD. This will have to be resolved if the agency is to provide leadership on this issue.
Questions and Answers
During the question-and-answer period, Mr. Pattak mentioned his experiences talking about infrastructure assurance to federal agencies, and how they advised the PCCIP to get executive guidance signed by the President to establish the policy. Otherwise, agencies will be reluctant to act. He emphasized the political implications of many issues and that, ultimately, decisions rest on the cost of a facility and who pays that cost. Political implications at this level also affect the relationships between individuals. While the use of UGFs for infrastructure protection appears to be a good idea, this alone is not enough to effect change. People must be convinced of the advantages in order to make progress.
Mr. Pattak also noted that the panel represents a cross-section of government, industry, and academic professionals and that each has had a distinguished career in two out of those three areas. He pointed out that from his PCCIP service he learned that, although the problems presented in the area of UGFs are technical, the solutions are cultural, social, and political. Developing sound policy recommendations to complement technical solutions is absolutely essential for success.
Dr. Sevin stated that he thought the Federal Facilities Council of the NRC should take an active role in protection issues and encouraged the National Academy of Sciences to take a longer view as well. To this Mr. Eastler expressed the concern that information technology and information warfare are still the top priorities and that UGFs and physical protection are not considered critical. Dr. Sevin commented that UGFs, if properly designed, have one large attribute: at whatever depth of burial, they enforce the standoff of a threat.
Dr. Schroeder asked whether the $500 million the PCCIP recommended for R&D would go solely to the cyber-threat, as opposed to physical threats. Dr. Pikus answered that, while it was stated to address infrastructure assurance across the board, the bulk of the additional R&D will be spent on information security. Derek Long encouraged additional research on tools for detection analysis to identify an attacker and determine whether it is a real attack or a deception. The draft Presidential Decision Directive (PDD) will assign to the Office of Science and Technology Policy the responsibilities for conducting an interagency working group on R&D. While UGFs have not been mentioned there, that might be a forum in which they could be discussed.
Mr. Scanlan asked the panel participants if presidential requirements are currently at a very broad level or if they had become departmental requirements and policies within the U.S. Department of Commerce and DoD. Dr. Pikus said that during the PCCIP's deliberations it was thought that there was not adequate work being done within the departments and agencies; therefore, the commission recommended additional effort on their part. He expects the draft PDD will state that agencies and departments will be responsible for conducting serious vulnerability assessments, primarily but not exclusively on information systems. Mr. Pattak added that when the PCCIP went out to the various agencies it was underscored that presidential guidance is absolutely necessary if funding priorities and spending allocations are to be changed. A PDD states unequivocally that this is the President's view.
Dr. Nelson of the National Science Foundation (NSF) reviewed the initiatives that organization has taken to deal with infrastructure investment and planning. NSF has established an institute for civil infrastructure systems to support the decision-making process and identify research needs. Mr. Copenhaver noted that business impact analysis methodology is now being used in the private sector to investigate the consequences of the interruption of critical functions.
Mr. Minehart had reservations about suggestions that the government cooperate more with industry on indications and warning as well as on tools to detect infrastructure attacks. Industry may not want to be forthcoming with a disclosure that it has been attacked, as this becomes a customer confidence issue. In response, Mr. Long noted that in Britain industry will not accept mandated standards. What it wants from the government as taxpayers is advice as to what standards it should be applying. He noted that in the United Kingdom there is a defense science advisory council similar to the U.S. Defense Science Board that studies the civil infrastructure and its impact on the Ministry of Defence's ability to carry out its mission. Britain also has a unified reporting system. It was found that various infrastructure sectors felt free to talk to the council; what they will not talk about is passing this information into the government system. They concluded that a way around the problem was to approach the insurance industry to obtain alternative reduced premiums if, in fact, an industry is meeting a particular standard and thus reducing its risk. Mr. Long strongly recommended the use of this commercial route for those infrastructure sectors that are not supplying information directly to the government. When the government procures services, these standards can be applied to their contractual activities and can be more easily mandated.
SUMMARY
Dr. Baker concluded the session by thanking the keynote speakers and clarifying the important potential value of UGFs in the cyber-arena. He made the point that cyber-warfare or information warfare, as defined by the military components in the United States and NATO, includes both electronic and physical attacks. While UGFs do not improve infrastructure survivability against electronic attacks, they do protect against physical attacks on information systems. Even in the case of electronic attacks, UGFs can be used to provide safe havens for network nodes and the storage of backup media and systems. Thus, UGFs can greatly further the ability to reconstitute information systems and networks following an electronic or physical cyber-attack.
Dr. Baker then recapped several important calls for action from workshop panelists. Mr. Woodard called for the establishment of an academic center for underground studies. Mr. Rodgers advocated a designated clearinghouse organization to hold and distribute information and serve in a "matchmaker" role for interested users in search of suitable underground sites. Dr. Sevin stated that DoD will need to take the lead in moving forward seriously with underground applications. Mr. Brandenburg indicated that, although DoD is one of the biggest infrastructure customers, its procurements lack requirements for protecting against threats other than cyber-threats.