Remarks Delivered by Robert T. Marsh
Chairman, President's Commission on Critical Infrastructure Protection
AFCEA Critical Infrastructure Protection Conference
National Defense University
January 28, 1997
I appreciate the opportunity to speak to you this morning. Glad to
see so many people interested in this subject here today.
I want to begin by congratulating AFCEA, AT&T and NDU for putting
on this symposium. Critical infrastructure protection is clearly
one of the key issues we face as a nation. Our infrastructures are
the life support systems of the nation, and therefore of great
importance to those of us here today. We at the Commission
appreciate all the efforts to make this happen.
I'm not here to overdose you with examples or anecdotes of
infrastructure weaknesses and exploitation - you've probably heard
and read much of that already.
Nor am I here to lay out recommended solutions to problems within
the infrastructures. They don't exist yet.
But, I would like to tell you about:
- The issues we face
- How the Commission is addressing them
- How you can become involved in the work of the Commission.
I'll then answer any questions you might have.
Many of you are already familiar with the Commission, so I will
only briefly review its mission. President Clinton established the
Commission last July. Its mission is to:
- assess vulnerabilities and threats to the critical infrastructures
- identify relevant legal and policy issues, and assess how they should be addressed
- recommend a national policy and implementation strategy for protecting critical infrastructures from both physical and cyber threats
- and propose any necessary statutory or regulatory changes
The eight critical infrastructures the Commission is studying are:
telecommunications, electric power systems, water supply systems,
banking and finance, transportation, oil and gas transportation,
emergency services such as medical, police, fire and rescue, and
continuity of government.
We have 10 Commissioners from the Federal government who have been
working hard from the start. Next week the first Commissioner will
join us from the private sector. She is Ms. Nancy Wong, manager of
the Department of Information Assets and Risk Management for
Pacific Gas and Electric in San Francisco.
Briefly, why do we have a Commission, and why now?
Basically three reasons:
- Physical terrorism continues, and we see increasing cyber intrusions of all types into our automated information systems, many by so-called "insiders."
- Increased reliance on telecommunications and information technologies in all infrastructures and the increased vulnerabilities that that brings.
- Tools to exploit these vulnerabilities are readily available (hacker sites on the Internet can tell you how to penetrate systems) and their use is increasing exponentially.
As for terrorism...
America is no stranger to terrorism - the bombings of the World
Trade Center and the Oklahoma City Federal building are but two
examples. But to this point, our critical infrastructures have not
been primary targets.
Sadly, we must now prepare for terrorist acts by our own citizens
who choose terrorism as a means to express their displeasure or
distrust of their government.
I've been asked how this Commission is different from other
government efforts in the past to address similar issues. I
believe the major difference is that there is a widespread
recognition that the nature and scope of the threat to critical
infrastructures has changed as the result of advances in
technology, particularly information technology and
telecommunications. The weight of anecdotal evidence is
sufficiently persuasive to warrant a serious collaborative effort
to address this serious problem.
As for increased reliance on telecommunications, it has created new
Our infrastructures have become increasingly reliant on information
technology and the telecommunications infrastructure that ties them
Telecommunications and automation expose infrastructures in new
ways, and create new vulnerabilities.
Many companies are already familiar with natural hazards, but we
now face a new set of manmade risks and hazards. Companies are
becoming increasingly vulnerable to vandalism, theft, malicious
hackers, criminals, and unscrupulous competitors.
Companies are also increasingly vulnerable to so-called "insiders,"
and risks are increasing, particularly in this age of mergers and
In addition, many companies now have public sites on the Internet
to enhance their market presence. And the trend is clearly toward
making greater use of the Internet. You may have seen last
Wednesday's Wall Street Journal report that retail sales via the
Internet are projected to increase 1,200% between now and the year
2000. On-line commerce is already a $500 million per year
industry, and the Internet adds more than half a million people a
month. But the Internet and other public networks are less secure
than dedicated networks. Along with the benefits of greater
public presence, the use of technology also creates more exposure
In the past, you put a guard at the door, and your assets were
protected. Today, there is no door - or too many doors, depending
on how you look at it. And you can never be sure who will drop in
for a visit via the Internet.
And as for tools to exploit these vulnerabilities:
Even amateurs have access to the technological tools needed to
penetrate systems and cause trouble.
The Internet contains hacker sites with instructions on how to
Result: infrastructures are constantly in danger from people intent
on penetrating or disrupting them. And all they need is a personal
computer and a modem.
The Willie Suttons of today may not even have to go to the bank.
They can try robbing it from home using a PC.
In the face of these challenges, the Commission is conducting an
aggressive outreach to companies - and particularly CEOs - to
discuss our goals and solicit their participation so we can build a
strategy and recommendations that are compatible with both
increased assurance and business' bottom line.
Further, in my experience, it may be one of the few times when
government is calling for action before a crisis occurs, rather
than after-the-fact. This reminds me of something Wayne Gretsky
once said regarding success in hockey: "It's not about where the
puck is. It's about where the puck is going to be."
So we need to look to the future, consider the implications for
critical infrastructures, and address the problems in a substantive
Those are some of the issues the Commission is facing. Let me tell
you how we're approaching them.
What the Commission is Doing
The central challenge of the Commission is to forge a partnership
between the private sector and government at all levels, Federal,
State and local. Partnership is the core of the Commission.
To build that partnership, our outreach program includes public
hearings, focus groups, and a non-stop effort to carry our message
throughout each of the critical infrastructures, especially to
industry leaders. In addition, in March we're planning to conduct
a game at the Prosperity Institute, which is affiliated with Sandia
National Lab. The purpose of the game is to explore and validate
potential strategies and recommendations.
The objective of our initial outreach to the private sector is to
build awareness of threats to and vulnerabilities of critical
infrastructures. I should add that we need to educate not only the
owners and operators of the infrastructures, but the government and
nation at large. Furthermore, we want to build that understanding
without creating alarm.
Later in our outreach effort, we will be seeking private sector
buy-in of specific findings, recommendations, and strategies.
Our underlying philosophy at the Commission is that the quality of
our recommendations to the President can only be as good as the
buy-in from the private sector.
Our approach is not "We're government and we're here to help."
Rather, we are vitally interested in what the private sector has to
say because it owns and operates the critical infrastructures.
Private sector involvement is absolutely essential to an informed
process of developing a strategy.
In addition to awareness, we want to create an environment of trust
between industry and government. This will allow the sharing of
information to provide identification, warning and response to any
attack, be it domestic, transnational, criminal, corporate, or
Public Policy Questions
We also expect that collaboration between government and the
private sector will yield insights into questions of public
policy. For example:
How infrastructures are regulated may influence how
companies address infrastructure vulnerabilities. For instance,
rates charged by some utilities are tightly controlled by the
government. But controlling rates may conflict with encouraging
investment in infrastructure improvements. Therefore, what is the
appropriate government role regarding rate-setting?
When the power grid goes down, who pays for the
interruption of service? There is no law of physics that says you
need to lose electrical power or telephone service during a storm.
Similarly, there is no law indicating who pays for lost time,
production, or business during a service interruption. Insurance
companies may or may not fill the gap. What role can and should
the insurance industry play? What are the liability implications
of infrastructure vulnerabilities? What are the responsibilities
of the owners and operators of the infrastructures?
In this same vein, some infrastructures have no
enforced standards for providing service to customers. Should
standards be established? Would they help? Who should establish
them? What should the standards be, and how might they be
What are appropriate incentives for the private
sector? What incentives will encourage companies to address
vulnerabilities? How should they be structured? Are tax
incentives the right vehicle? To what extent, if any, should
government underwrite infrastructure protection? For example,
could government establish a special trust fund to provide
interest-free loans to infrastructure owners and operators who want
to enhance their infrastructure protection?
As you can see from the list of questions I just mentioned, the
issues surrounding critical infrastructure protection clearly move
beyond defense. For that reason, I encourage you to think outside
the box -- in fact, throw the box away and build a new one. I
encourage you to dedicate this forum to help find solutions to the
problems we face.
You know how to get in touch with us. I welcome and encourage your
input. The toughest work of the Commission is still before it --
the actual crafting of strategy -- so we want to hear what you have
to say as soon as possible. That's the only way we will devise
solutions that work for everyone.
Thanks for inviting me. I'll take any questions.