Remarks Prepared for Delivery
by Robert T. Marsh
Chairman, President's Commission on Critical Infrastructure Protection
Harvard University's John F. Kennedy School of Government
Washington, DC Regional Alumni Council
Lecture Series "The Role of Government in the 21st Century"
September 20, 1997
Thank you, Stan [Admiral Stanley Arthur], and good morning, ladies and gentlemen. It is indeed a pleasure to join you this morning and to be part of your ongoing discussions about the role of government in the 21st century. On behalf of the entire Commission, please accept my appreciation for giving up a beautiful Saturday to discuss this vitally important subject.
This morning you have already heard from some of those thinking about the future of national security, from the international dimension to economic realities. I'm going to add something new to the mix -- national security in the cyber dimension, particularly as it effects our national infrastructures -- which, as you know, are not only the lifeblood of our nation's economy but also the backbone of our military might.
Let me first give you a brief introduction to the Commission and our mission, a review of some of our preliminary recommendations, and then discuss those that relate directly to the role of the national security community.
President Clinton established the Commission last July and charged us to recommend a national policy for protecting and assuring the nation's critical national infrastructures. For just over a year now, we have been working to identify and assess vulnerabilities and threats -- and then to develop a national strategy and an implementation plan.
We have been studying and analyzing telecommunications, electric power, oil & gas delivery and storage, transportation, banking and finance, water, emergency services, and continuity of government services -- those
life support systems that the President identified as critical because their incapacity or destruction would have a debilitating effect on our defense and/or economic security.
I know I'm not telling you anything new in reminding you that critical infrastructures have long been lucrative targets for anyone wanting to do harm to another country.
- In ancient times, armies laying siege to fortified cities interdicted water supplies.
- During the Civil War both sides attacked each other's supporting infrastructures -- railroads and telegraph lines and even one privately-owned oil field.
- During the Cold War, Soviet and US nuclear weapons were targeted against each other's power grids, road and rail networks, energy industries, and telecommunications systems.
- In the Persian Gulf War, disabling Iraq's infrastructures was one of the keys to our success.
Clearly there is nothing new about infrastructures being targets. So why, then, was the President motivated to create this Commission at this time?
It was the realization that our society was becoming vitally dependent on these infrastructures for its very well-being, that the infrastructures themselves were becoming increasingly dependent upon each other for their functioning, and that they were becoming increasingly vulnerable to disruption by simple methods readily available to relatively unskilled persons intent on doing harm. And there was mounting evidence of such danger by the growing number of malicious cyber incidents throughout the nation with each passing day.
Let me give you a few examples that illustrate these points, particularly for the military:
- The General Accounting Office reported that DoD's computers were the target of approximately 250,000 intrusions last year. Even more troubling, only a small percentage of these are detected and even fewer are reported.
- The military relies on privately-owned telecommunications systems for over 95% of military communications.
- Langley Air Force Base -- and several other government sites, all of which prided themselves on their tight information security programs -- was recently the target of an e-mail flooding attack which rendered its e-mail system useless for several hours until the systems administrators could filter out the harmful traffic.
I don't mean to single defense organizations out as being more vulnerable than any other. But extrapolating these findings helps us to understand the threats to and the vulnerabilities of the nation's privately-owned critical infrastructures.
The Commission was uniquely tailored for its task. In recognition that the critical infrastructures are largely owned and operated by the private sector, the Commission is a joint public and private venture. Half
the Commissioners are full-time career government senior executives -- representing the sometimes competing interests of the defense, law enforcement, and intelligence communities -- and half are senior representatives from the private sector -- representing the infrastructures themselves -- who have agreed to serve a year as full-time government employees.
Again, recognizing the public-private nature of our work, the Commission has not just one but two oversight Committees. Our Steering Committee -- comprised of the Attorney General, Deputy Secretary of Defense, Deputy National Security Advisory, Chief Domestic Policy Advisory to the Vice President, and myself -- helps us weave our way through the myriad of government concerns. And a Presidentially-appointed Advisory Committee of key industry leaders provides the unique perspective of owners and operators of the infrastructures as they assist and advise us.
The Commission was also charged with consulting with "elements of the public and private sectors... and the owners and operators of the critical infrastructures." As part of our consultation efforts, we met with more than 5,500 individuals, corporations, associations, and government agencies around the country. We held five public meetings where we spoke with hundreds of people from industry, academia, science, technology, the military, and government.
Our goal all along has been to create a public-private partnership to protect our future. We know that government alone cannot solve the problem, especially since the majority of the nation's infrastructure is owned and operated by private enterprise. But we also know that government must play a key role in encouraging the private sector, as well as state and local governments, to address the challenge of protecting our nation's critical infrastructures. We have spent a year struggling with the challenge of defining the roles and responsibilities of government and industry in protecting our infrastructures.
Addressing this challenge is why we are here with you today. We seek your input. I invite your views on our preliminary recommendations.
I would like to start with a few of our core recommendations that cut across all the infrastructures, then follow with a few that may be of particular interest to you in the national security community.
Federal Government Should Lead the Way
The Commission will offer a series of recommendations aimed at improving the federal government's efforts to protect its own infrastructures. It must "get its own house in order" and show leadership before it can reach out to the private sector and other levels of government. The following specific recommendations are aimed at ensuring the federal government has the policies and tools required to conduct business in the cyber age:
- Encouraging the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) jointly to set standards and publish best practices for information security -- and then to share these best practices with federal, state, and local governments as well as with private industry.
- Directing federal agencies and departments to comply with these standards and to incorporate them into agency performance plans.
- Endorsing an encryption / key management pilot program in collaboration with the private sector.
- Stressing information security in system procurements.
Research and Development
We found that research and development efforts by the federal government are insufficient to deal with emerging cyber threats. Only about $150 million per year is being spent on federal R&D for information security, which represents about 60 percent of the overall federal expenditures on infrastructure-related R&D. We identified very little R&D effort on the types of real-time detection, identification, and response tools that the Commission believes are necessary, and we also found that the market demand is currently insufficient to spur development and testing. Consequently, we recommend a doubling of federal funding for R& D in this area to $500 million per year.
Education and Awareness
Key to the success of any of these initiatives is educating the general public about the emerging threats and vulnerabilities in the cyber dimension. The Commission's recommendations are aimed at all levels of education, from graduate programs to grammar school. The Commission will propose a three-pronged education initiative, which includes:
- Grants by the National Science Foundation aimed at educating a new generation of professionals in information security and infrastructure protection.
- A series of conferences sponsored by the White House designed to spur new curricula in computer ethics and intellectual property for elementary and secondary schools.
- Partnership between the Department of Education and industry to develop curricula and market demand for educated and ethical technicians and managers.
Let me talk briefly about a recent Joint Staff exercise with which some of you are probably familiar. This was just one in a series of no-notice exercise, but this one focused specifically on information warfare. Some of the issues raised were quite troubling -- including the fact that the Joint Staff ended up fighting this war, which was not only bad but illegal. They include many of the questions that the Commission has been grappling with for the past year:
- Who should take the lead in responding to a cyber attack on the United States?
- Should there be a Commander In Chief for information warfare?
- Where are the borders in the cyber age?
- What are the jurisdictions?
- Is this a law enforcement or a defense problem?
As you can see, our current government organization is not prepared to answer these questions or to respond to a significant cyber attack. We lack the necessary warning and analytic capabilities -- such as those we developed over the years to detect incoming missile attacks. We simply do not know if a cyber attack is happening, nor do we know how to respond.
As a result of this exercise, we know that the national security and law enforcement communities are responding. They are studying the ways they need to do business in the future to protect our nation against these kinds of threats. The Commission has also been addressing these concerns, and we have some specific recommendations in this regard.
Information Sharing / National Structures
One of our toughest problems -- across all infrastructures -- is the sharing of information. Managing the new risks inherent in an information-based society requires a different type of information exchange between government agencies and between industry and government. Furthermore, managing these new risks calls for partnership at many different levels, from policy-making aimed at preventing a crisis through responding if such a crisis occurs.
At the policy-making level, we will recommend a very high level council comprised of senior CEOs from throughout the critical infrastructures, meeting regularly with selected Cabinet Officers. This National Infrastructure Assurance Council would propose policies and create national awareness of infrastructure concerns. We also recommend creating an Office of National Infrastructure Assurance to assess vulnerabilities; formulate policy; coordinate federal programs in infrastructure assurance, cyber security, and R&D; and promote and facilitate the public-private partnership.
At the operational level, our recommendations focus on enhancing the information exchange capability, including
- Tasking Federal Lead Agencies to bring together the owners and operators of the infrastructures to create the means for sharing information that is acceptable to all. The objective is to achieve voluntary participation of all players within each infrastructure and to assemble and exchange information without fear of attribution to specific sources.
- Organizing Sector Information Assurance Coordinators -- most likely an existing association or industry group -- that best suit each infrastructure's information-sharing needs. In essence, each industry will designate a representative to identify and exchange information with the government.
- Creating an "information clearinghouse" staffed by up-and-comers from both government and industry. Their job will be to receive relevant information from all sources -- public and private, anonymous or attributable -- analyze this information to assess what is happening in the infrastructures, decide on the necessary protective measures to be taken, then disseminate needed information to both government and industry. Key to its success will be protecting the privileged information from both government and the private sector from unauthorized disclosure. This public-private organization must embody the trust essential for the partnership between government and the owners/operators for successful infrastructure assurance.
Clearly, we strongly endorse a policy of reliance on the private sector for problem-solving, solutions, and technology. But we also see a need for government to create a strong focal point for infrastructure protection. Again, we believe that only a strong public-private partnership can address the threats to our nation's infrastructures.
Well, that was a quick trip through some of our more complex issues. As you can see, we have been studying a great range of issues and that means we will have some fairly far-reaching and comprehensive conclusions. Hopefully this will set the stage for some interesting conversation this afternoon and for continued dialogue within the national security community.
Incidentally, this is the first time since I have been involved in government -- and I have a few years of military service under my belt -- that I remember the government actually getting ahead of a problem before it becomes a problem. We at the Commission know we are merely laying the foundation for efforts that will build upon our research and recommendations. But we know that we must act now to protect and assure our nation's critical infrastructures.
This is a challenge that requires a new way of thinking, a new culture. Point solutions are not the solution.
Again, thank you for inviting me to join you today.