Remarks Prepared for Delivery by Robert T. Marsh
Chairman, President's Commission on Critical Infrastructure Protection
National Security Telecommunications and Information Systems Security Committee Offsite Conference
April 7, 1997
Thank you, Tom [Thomas Burke, Commissioner in GSA's Office of Information Security], and good afternoon, ladies and gentlemen. I appreciate the opportunity to speak with you today.
When I received the invitation to speak at this conference, I only had to glance at the title before deciding to accept -- and accept with great enthusiasm. The theme of "Information Assurance and Protecting Our National Infrastructure" reflects the fact that you have come here to consider one of the most important topics on our national agenda.
Critical infrastructure protection is one of the key issues facing America.
Our infrastructures are the life support systems of the nation, so every government department and agency clearly has a responsibility to them. Precisely what that responsibility is, and how it should be discharged, are questions that must be addressed as we move forward.
I'm not here to overdose you with examples or anecdotes of infrastructure weaknesses and unauthorized intrusions -- I consider this audience to be one of the better informed that I've addressed, and I know you've probably heard and read much of that already. Suffice it to say that real threats are evolving, and that serious harm can be rendered unless prudent protective measures are undertaken.
Nor am I here to lay out recommended solutions to problems within the infrastructures. We have not formulated any yet.
But I would like to share a few thoughts with you this morning about the Commission's mission, why we were created, and the status of our efforts. Some of you are already familiar with our purpose and rationale, but since our thinking on issues is constantly evolving, I believe you'll find the status update informative. In addition, I'd like to challenge you to think about what role your department or agency should play in defense of the nation's critical infrastructures.
Let me begin with a few thoughts about our mission.
President Clinton established the Commission last July. Its mission is to:
- assess vulnerabilities and threats to the critical infrastructures
- identify relevant legal and policy issues, and assess how they should be addressed
- recommend a national policy and implementation strategy for protecting critical infrastructures from both physical and cyber threats
- and propose any necessary statutory or regulatory changes.
The eight critical infrastructures the Commission is studying are: telecommunications, electric power, water supply, banking and finance, transportation, oil and gas transportation, emergency services such as medical, police, fire and rescue, and continuity of government services.
Our country has become so dependent on these infrastructures that, as
the Executive Order states, their incapacity or destruction would have a debilitating impact on our defense or economic security.
The Commission was scheduled to run for a year, but because of our delayed stand-up we expect that we will be extended an additional three months (until October).
The lion's share of our work is conducted by Commissioners from the public and private sectors. Half (ten) are senior officials from the involved departments and agencies (Treasury, Defense, Justice, Commerce, Transportation, Energy, CIA, FBI, NSA and FEMA). All of them have been on board since the start.
The other ten are from infrastructure companies and organizations, hired as government employees to bring industry experience, expertise and perspective to the Commission. Half of these have been appointed. I have been on board since last summer, and was officially designated as Chairman in December.
In addition, two committees oversee the Commission's work. The Principals Committee consisting of the heads of involved departments and agencies and the Steering Committee made up of the Commission Chairman (myself), Deputy Secretary of Defense (John White), and the National Security Advisor (Sandy Berger). We also have two other positions: Deputy Attorney General Jamie Gorelick just left the government and Attorney General Janet Reno has temporarily taken over the Steering Committee responsibilities. Another member, Greg Simon, just left his position as Chief Domestic Policy Advisor to the Vice President, and we expect to have his replacement from that office named shortly.
In addition, an Advisory Committee of senior executives, mostly CEOs, from companies within the critical infrastructures, will help focus the work of the Commission by providing insight, expertise, and perspective. The Advisory Committee is not yet appointed, but will be very shortly.
Since critical infrastructure is such a huge area, there are naturally -- and fortunately -- many people interested in our work. You may wonder -- with so many people involved, how we can get anything done. I'm reminded of something Kofi Annan, the new Secretary-General of the United Nations, said when he was asked why it's taking years to reform the U.N. when God only needed 6 days to create the world. He replied that God "had the added advantage of working alone."
Why do we have a Commission, and why now?
Basically three reasons:
- Physical terrorism continues, and we see increasing cyber intrusions of all types into our automated information systems, many by so-called "insiders."
- Increased reliance on telecommunications and information technologies in all infrastructures and the increased vulnerabilities that that brings.
- Tools to exploit these vulnerabilities are readily available (hacker sites on the Internet can tell you how to penetrate systems) and their use is increasing exponentially.
As for terrorism
America is no stranger to terrorism -- the bombings of the World Trade Center and the Oklahoma City Federal building are but two examples. But to this point for reasons I don't understand, and thankfully, our critical infrastructures have not been primary targets.
As for new vulnerabilities
Our infrastructures have become increasingly reliant on information technology and the telecommunications infrastructure that ties them together. That's not news to this audience, and neither is the fact that telecommunications and automation expose infrastructures in new ways, and create new vulnerabilities. Many companies are familiar with natural hazards, but we are now facing a new set of manmade risks and hazards.
Technology has created an interconnected world. But each connection creates new exposure and risk. Companies are becoming increasingly vulnerable to vandalism, theft, malicious hackers, criminals, and unscrupulous competitors.
Companies are also increasingly vulnerable to so-called "insiders", and insider incidents are increasing, particularly in this age of mergers, consolidation and downsizing. And it goes without saying then, that the infrastructures are vulnerable to more sophisticated state-sponsored terrorism, transnational terrorism or hostile actions by nation states.
And as for tools to exploit these vulnerabilities
Even amateurs have access to the technological tools needed to penetrate systems and cause trouble. The Internet contains hacker sites with instructions on how to penetrate systems. So infrastructures are constantly in danger from people intent on penetrating or disrupting them. And all they need is a personal computer and a modem.
On the cover of the June issue of Foreign Affairs, I noticed the following quote: "The world may be moving inexorably toward one of those tragic moments that will lead historians to ask, why was nothing done?" The Commission is an effort to do something. I might add, in my experience, the Commission may be one of the few times when government is calling for action before a crisis occurs, rather than after-the-fact.
The central challenge of the Commission is to forge a partnership between the private sector and government at all levels, Federal, State and local. Partnership is the very core of the Commission's efforts. Our approach is not "We're government and we're here to help." We are vitally interested in what the private sector has to say because it owns and operates most of the critical infrastructures. Private sector involvement is absolutely essential to an informed process of strategy development.
We are pursuing this partnership not only through membership on the Commission and the Advisory Committee, but also through an aggressive outreach program that includes
public hearings, focus groups, gaming, and a non-stop effort to carry our message throughout each of the critical infrastructures. The objectives of our initial outreach are to build recognition of threats to and the vulnerabilities of critical infrastructures. Later in our outreach effort, we will be seeking private sector buy-in of specific findings and recommendations. Our underlying philosophy at the Commission is that the quality of our recommendations to the President can only be as good as the buy-in we achieve with the private sector.
At this point, I want to note that the invitation to speak here today asked me to discuss my "perspective on the implications of an exploding communications environment and what can be done to protect the National Information Infrastructure." As I said earlier, we have not formulated any solutions to infrastructure problems yet. However, we are doing our best to "think out of the box," and challenge concerned organizations to do the same. Let me give you just one example.
Last week I spoke to the Defense Science Board Summer Study Group on Transnational Threats. Among the issues I challenged them to think about was DOD's role regarding cyber attack. Clearly, cyber threats in many cases are transnational in nature. From the Commission perspective, though, I do not yet see transnational threats as posing unique requirements in the protection regime. There is no doubt though that they pose unique challenges in the formulation of deterrence and response strategies.
But it seems to me that cyber threats themselves pose much larger questions for the DOD -- specifically, what is the DOD's role and capability vis-à-vis a foreign state-sponsored all-out infrastructure attack by cyber and physical means, or cyber alone?
For context, consider the case of a direct aerial attack against the critical infrastructures of the United States. The responsibility to respond would clearly be DOD's. Fighters would be scrambled, SAMs would be deployed and an all out defense mounted. But what would the corresponding DOD role be in an all-out cyber attack against U.S. infrastructures?
From the perspective of the Commission, a carefully planned and targeted cyber attack could be as damaging as a physical attack. The answer to the question is complicated by our lack of technical means today to detect and characterize a cyber attack. Today we are not able to identify hostile intrusions, determine the source, the intent, assess damage, etc. We are essentially naked to this evolving threat. We are limited to after-the-fact investigation. Therefore, each incident must first be addressed as a possible law enforcement or intelligence matter and the DOD response, if required, is of necessity delayed pending clarification. But I envision a day not too far off when we will have the technical means to detect, identify, and characterize such attacks in near real time.
If there is an all-out attack against U.S. infrastructures, who should respond? If DOD, then what about doctrine development, resource allocation, planning, training, and equipping forces? And what should be the relationships between DOD, the private sector, and other agencies?
I raise this example not to prompt discussion about transnational threats, or provoke a debate about DoD's role per se, but rather to illustrate how traditional conceptions of roles and missions must be challenged and explored in every department and agency. The tapestry of technology we have woven throughout our infrastructures means that no organization -- either in the private sector or public sector -- can dismiss the implications for its mission, or ignore its responsibilities.
Having said that, let me briefly elaborate on some of the major issues we are focusing on.
One of the defining characteristics overall of critical infrastructures is their interdependency. Telecommunications and automation expose infrastructures in new ways, and create new vulnerabilities. In earlier times, infrastructure reliability and assurance was the more or less exclusive domain of the owner or operator in that industry sort of stove pipe like. Now there is critical interdependence. Loss of power can mean loss of telecommunications. Loss of telecommunications can result in disruption of financial transactions. Moreover, this interconnectivity greatly increases opportunities for aggressors to access, penetrate, alter, deny, disrupt, or destroy one or more critical infrastructures.
Obviously, with interdependence comes growing complexity. Complexity demands new risk models for infrastructures. We need to develop and understand these new models because the old stove pipe ones no longer apply. Information technology and telecommunications have rendered them obsolete.
Every innovation which creates opportunities or solves problems also creates others -- usually unexpected. A question then is: Can the marketplace adequately anticipate and manage these new assurance risks, especially those involving interdependencies among infrastructures, or will some form of government initiative be required?
One of the more important lessons of the Commission's work over the past months is that technology is a bigger part of the problem -- and the solution -- than we originally thought. We are a victim of our own success -- our world leadership in technology that makes possible instantaneous global transactions and just-in-time inventories also creates vulnerabilities. But today, there is a serious lack of tools with which to detect, identify, characterize and defend against infrastructure attack, especially cyber attack. We need to harness technology for infrastructure protection. It requires special emphasis in our R&D programs, product design, and product development.
An important question is the respective roles and responsibilities of the public and private sectors for such R&D.
Trusted Environment for Information Sharing
There is a compelling need to create a trusted environment for information-sharing between the public and private sectors. Government needs to tell the private sector about the nature of threats and warn of such threats, and the private sector needs to report happenings and problems to the government so government can better focus its efforts. I realize there is a great sensitivity to sharing information of this kind, but I would argue that there is a greater danger in not sharing it. We need to share information to provide identification, warning and response to any attack, be it domestic, criminal, corporate, terrorist, or state-sponsored attack. So what kind of collaborative mechanism could be created that would serve both purposes -- protection of classified government intelligence information and protection of private sector information affecting reputation, consumer confidence, and liability.
Role of Government
Another concern regards the proper role of government with respect to critical infrastructure protection. They have become essential supporting structures to our very way of life. But most are owned and operated by the private sector. Can and should we rely exclusively on market forces to assure delivery of their vital services? Clearly, government has a role with respect to some private sector activities. Companies cannot negotiate a NAFTA agreement, or establish a World Trade Organization, or reach agreement on a telecommunications pact as was signed in Geneva recently. Clearly the private sector must address protection against commonplace intrusion, theft and fraud, but what about state-sponsored terrorism or hostile attack? What is the federal government's responsibility?
Incentives are another key element. What are appropriate incentives for the private sector to invest to address vulnerabilities in infrastructure protection? How should they be structured? Are tax incentives the right vehicle? To what extent, if any, should government underwrite infrastructure protection? For example, could government establish a special trust fund to provide interest-free loans to infrastructure owners and operators for infrastructure protection? Again, what are the responsibilities of the owners and operators of the infrastructures?
When the power grid goes down, who pays for the interruption of service? Who pays for lost time, production, or business during a service interruption? Today, unfortunately, in most cases the consumer pays. However, I'd point out that there is no law of physics that says you need to lose electrical power or telephone service during a storm. What are the liability implications of infrastructure vulnerabilities, and how are they changing with deregulation? What role can and should the insurance industry play?
In this same vein, some infrastructures have no enforced standards for providing service to customers. Should standards be established? Would they help? Who should establish them? What should the standards be, and how might they be enforced? And, one I want to tread carefully on, should government mandate assurance standards? And again, would standards provide an opening for a larger insurance role?
How infrastructures are regulated may influence how companies address infrastructure vulnerabilities. For instance, rates charged by some utilities are tightly controlled by the government. But controlling rates appears to conflict with encouraging investment in infrastructure improvements. Therefore, what is the appropriate government role regarding rate-setting? How is it likely to change and how should it change as deregulation proceeds?
I should note that regulation is again getting national attention. Following in the steps of the airline and telecommunications industries, the electric power industry -- a $200 billion-a-year industry that is the nation's longest-running monopoly -- is beginning the process of deregulation. Given the obvious interdependence between electric power and other infrastructures, we are looking at this process closely.
These are just some of the issues we are addressing. They are by no means all. I haven't mentioned how the government is organized to deal with this threat, or the legal framework for dealing with cyber threats, or many others. We are under no illusions that this Commission can solve every infrastructure problem. Instead, we see the strategy and recommendations as a point of departure for corrective action.
Solutions will fall within a range bounded by government and private sector responsibility. Some problems will require only government solutions, while some will require only private sector solutions. Others, however, will require solutions somewhere in-between -- solutions jointly actioned by government and the private sector.
I realize that the issues and challenges I have described are as enormous in complexity as they are in magnitude. But on this, the first day of your four-day conference, I think it is important for you to consider infrastructure protection within the context I have just described. It's a tremendous challenge, and it needs our best thinking to address it.
To that end, I want to mention that the panel that follows me includes two of the top thinkers on the Commission -- Stevan Mitchell from the Department of Justice, and Nancy Wong from Pacific Gas and Electric Company. They're ready and able to answer any questions you might have about the Commission.
Finally, I'd appreciate any thoughts you might have on the issues I've mentioned. We welcome your assistance. You can talk to Stevan or Nancy, call or write us, or reach us on our web site at <http://www.pccip.gov/>.
Thanks for the opportunity to speak to you today. Good luck with your conference.