The President's Commission on Critical Infrastructure
Before the Subcommittee on Technology, Terrorism and Government Information
Committee on the Judiciary
United States Senate
November 5, 1997
Good afternoon, Mr. Chairman and members of the subcommittee. My name is Tom Marsh and I served as the Chairman of the President's Commission on Critical Infrastructure Protection. On behalf of my fellow Commissioners -- several of whom are with me today -- I am pleased to be here today to discuss with you the work of the Commission and outline its principal findings and recommendations reflected in our report, Critical Foundations.
Before my prepared remarks, I'd like to express my appreciation to you, Mr. Chairman. Your far-sighted vision for the nation's future needs and well-being was key to the establishment of the Commission, and also helped spur other government activities in this area, most notably by the FBI and the Defense Department, including the Eligible Receiver exercise you were just briefed on. I can confidently speak for my fellow Commissioners and the nation when I say that we all are deeply indebted for your selfless contribution.
To give you some perspective on the Commission's challenge, imagine, if you will, that...
- the power goes out in the Northwest;
- the 911 is disrupted in a major city because someone has flooded the phone lines with repeat calls;
- two bridges across the Mississippi River are destroyed -- bridges that not only carry trucks and trains, but also telephone cables; and
- two Internet service providers in New York City are out of service.
What do we do in such a situation? Who is in charge? Is it merely coincidence? Or a concentrated attack?
These are the types of questions the Commission has been considering -- questions to which there are no easy answers.
Questions, we hope, our recommendations will help lay the foundation for answering.
I appreciate the opportunity to talk about the Commission's work, discuss why protecting our infrastructures is important in light of the new vulnerabilities and threats of the cyber age, present our key findings, and then briefly summarize our recommendations.
I must say right up front: our findings, conclusions, and recommendations are very different from what we anticipated -- and different from what our stakeholders anticipated. Many thought this was a problem that government alone could resolve in a few easy steps. But during the past year and a half, we concluded that protecting our infrastructures is a public-private undertaking that requires a new partnership and protecting our infrastructures will take time -- and will require long-term efforts and a new way of thinking.
The Commission was established by Executive Order 13010 on July 15, 1996. A joint government and private sector endeavor, it was charged to develop a national policy and implementation strategy for protecting our critical infrastructures from physical and cyber threats and assuring their continued operation.
The President identified eight infrastructures as our national life support systems. These national infrastructures are vital in that their incapacity or destruction would have a debilitating impact on the defense and economic security of the United States. These are the infrastructures:
- electric power
- oil and gas delivery and storage
- emergency services, and
- government services.
Why Attack Infrastructures?
Critical infrastructures have long been lucrative targets for anyone wanting to attack another country. Our nation relies on its infrastructures for national security, public welfare, and its economic strength.
Those who would attack the infrastructures would do so to:
- reduce our ability to act in our own interest,
- erode public confidence in critical services, or
- reduce American economic competitiveness.
In the Gulf War, for example, disabling Iraq's infrastructures was one of the keys to our success -- a lesson noted with much interest by many countries around the world.
The Commission was uniquely tailored for the task. Recognizing that the critical infrastructures are largely owned and operated by the private sector, the Commission structure was a joint public-private undertaking.
The Commission was comprised of representatives from both industry and government.
The Steering Committee of senior government officials oversaw the work of the Commission and guided us through myriad government concerns.
A Presidentially-appointed Advisory Committee of key industry leaders provided the unique perspective of owners and operators of the infrastructures.
The Infrastructure Protection Task Force was established at the same time as the Commission to support infrastructure protection until the Commission's recommendations are enacted.
Our approach recognized that most of the infrastructures operate within an existing framework of government policy and regulation. But they are also privately owned competitive enterprises; as such, protection recommendations should not undermine a company's competitive position. We recognized that any solution would have to be viable in the marketplace as well as the public policy arena.
Thus, we adopted the following guiding principles:
First, we knew this could not be a Big Government effort. Government must set the example, but it is the owners and operators who are the key to success. They have a strong economic stake in protecting their assets and maximizing customer satisfaction. They understand the infrastructures and know best how to respond to disruptions.
Second, while we may be undergoing an information revolution, we felt that utilizing the best ideas and processes from current structures and relationships was the proper way to proceed. This means building on existing organizations and relationships as well as fostering voluntary cooperation. Partnership between industry and government will be more effective and efficient than legislation or regulation.
Finally, this is a long-term effort which requires continuous improvement. We must take action in practical increments. There is no "magic bullet" solution. We must aim not only to protect the infrastructures, but also to enhance them.
Outreach was a cornerstone of our effort. In fact, our conclusions and recommendations result directly from the conversations and meetings we had with approximately 6,000 individuals from industry, academia, science, technology, the military, and government.
We held five public meetings around the country, participated in numerous conferences; hosted simulations, games and focus groups; and sought to increase awareness of this effort through the media and our Web site.
Evolution of Threat
In the past, broad oceans and peaceable neighbors provided all the infrastructure protection we needed.
That all changed during the Cold War. Technology became preeminent and geography became irrelevant. Soviet and U.S. nuclear weapons were targeted against each other's power grids, rail networks, and energy industries. But the cost remained high and the ability to carry out such an attack was available to only a few major powers.
Computers and electrons change the picture entirely. Now the capability is widely available at relatively little cost.
This is the "new geography" in which the Commission has focused its efforts -- a borderless cyber geography whose major topographical features are technology and change.
We have long understood physical threats and vulnerabilities, but not so in cyber space. The fast pace of technology means we are always running to catch up in the cyber dimension. Thus the Commission's work and our report focus primarily on coping with the cyber threat.
Our foremost concern is the interdependencies presented by the "system of systems" we rely on for the daily operation of our critical infrastructures.
Furthermore, information that describes our vulnerabilities is increasingly accessible. Most of it is unclassified, and much of it is available on the Internet. We had to be careful in compiling this information not to provide a handbook for those who would use it for harmful purposes.
So, who is the threat? We view the threat as anyone with the capability, technology, and intent to do harm.
While we have not found a "smoking keyboard" -- that is, we do not know who has the intent to do harm -- we do know that the threat is a function of capability and intent.
We characterize capability as a combination of skills and tools -- skills that even most teenagers have, and tools that are readily available.
In short, the opportunity to do harm is expansive and growing.
The bad actors who use these tools range from the recreational hacker -- who thrives on the thrill and challenge of breaking into another's computer -- to the national security threat of information warriors intent on achieving strategic advantage.
Common to all threats is the insider. We could spend millions on technology to protect our infrastructures, but a well-placed insider or disgruntled employee could render nearly all protection useless.
The New Arsenal
The new arsenal of "weapons of mass disruption" in the cyber world includes "Trojan horses," viruses, and e-mail attacks that can be used to alter or steal data. These tools recognize neither borders nor jurisdictions. They can be used anywhere, anytime, by anyone with the capability, technology, and intent to do harm. And they offer the advantage of anonymity.
We examined the respective roles of the private sector and the federal government in light of this new threat and the potential bad actors.
We concluded that the private sector has a responsibility to protect itself from the local threats, such as individual hackers and criminals. And that the federal government has a larger responsibility to protect our citizens from national security threats. In short, we found that infrastructure protection is a shared responsibility.
The private sector is responsible for taking prudent measures to protect itself from commonplace hacker tools. If these tools are also used by the terrorist, then the private sector will also be protecting against cyber terrorist attack and will be playing a significant role in national security.
The federal government is responsible for collecting information about the tools, the perpetrators, and their intent from all sources, including the owners and operators of the infrastructures. The government must share this information with the private sector so that industry can take the necessary protective measures.
In some respects, our most important finding is that adapting to this challenge requires thinking differently about infrastructure protection. We must look through the lens of information technology as we approach the third millennium.
Specifically, we found that:
- Information sharing is the most immediate need.
- Responsibility is shared among owners and operators and government.
- The federal government has an important role in the new alliance.
- Infrastructures protection requires a focal point.
- We must develop an analysis and warning capability.
- The existing legal framework is imperfectly tuned to deal with cyber threats.
- Research and development efforts are inadequate to support infrastructure protection.
We know our infrastructures have substantial vulnerabilities to domestic and international threats. Some have been exploited -- so far chiefly by insiders. Protecting our infrastructures into the 21st Century requires that we develop greater understanding of their vulnerabilities and act decisively to reduce them. In the last fifteen months, the Commission has thoroughly reviewed the vulnerabilities and threats facing our infrastructures, assessed the risks, consulted with thousands of experts, and deliberated at length as to how best to assure our nation's critical foundations in the decades to come. Our fundamental conclusion is as follows.
Waiting for disaster is a dangerous strategy. Now is the time to act to protect our future. And this action requires a new partnership to address the risks of protecting our nation's infrastructures.
The Commission's recommendations are the products of much research, discussion, and deliberation. They are founded on shared core principles and they are based on fact. They are aimed at improving coordination and establishing roles for infrastructure protection, fostering partnerships among all stakeholders, and coordinating diverse interests.
Every recommendation was discussed at length in a series of deliberations that addressed all feasible options and the pros and cons of each. All Commissioners accepted the final report as reasonable, balanced, and acceptable for submission to the President.
The Commission's recommendations fall generally into three categories:
- actions the federal government must take;
- actions the owners and operators of the infrastructures must take; and
- actions that require partnership between government and industry.
During our extensive outreach efforts, we heard time and again that the owners and operators of the infrastructures need more information about cyber threats. They also said that a trusted environment must be built so that they can freely exchange information with each other and with government without fear of regulation, loss of public confidence, incurred liability, or damaged reputation.
The Commission's recommendations lay the foundation for creating a new collaborative environment that includes a two-way exchange of information, not more burdensome regulation.
Our recommendations focus on protecting proprietary information and ensuring anonymity when necessary; reviewing legal impediments to information sharing, such as antitrust provisions and the Freedom of Information Act; and creating information sharing mechanisms both within industry and between industry and government.
As to actions the government should take, we recommend specific steps to ensure owners and operators and state and local governments are sufficiently informed and supported to accomplish their infrastructures protection roles, to include:
- Designated federal agencies continuing and expanding the availability of risk assessment services to the private sector, and
- Encouraging industry -- and assisting when necessary -- to develop risk methodologies.
- The US Security Policy Board should study and recommend how best to protect specific private sector information on threats and vulnerabilities to critical infrastructures.
- The funds appropriated under the Nunn-Lugar-Domenici domestic preparedness program should be doubled to expand and accelerate sharing of capabilities to mitigate the effects of weapons of mass destruction attacks.
Education and awareness
Key to the success of these initiatives is educating our citizens about the emerging threats and vulnerabilities in the cyber dimension. The culture has changed, and our way of thinking about technology and the resulting threats and vulnerabilities must also change.
The Commission's recommendations are aimed at all levels of education, from grammar to graduate school and beyond. They include:
- A series of White House conferences to spur new curricula in computer ethics and intellectual property for elementary and secondary schools.
- A nationwide public awareness campaign, simulations, and Round Table discussions to educate the general public as well as industry and government leaders.
- Grants by the National Science Foundation to promote graduate level research and teaching of network security.
- Partnership between the Department of Education and industry to develop curricula and market demand for properly-trained information security technicians and managers.
Leading by example
Infrastructure assurance is a joint responsibility, but the federal government has an unmistakable duty to lead the effort. Clearly, the federal government must lead by example as it exhorts the private sector and state and local governments to raise the level of security of their systems.
The federal government must pursue the tools, practices, and policies required to conduct business in the cyber age. This includes:
- Improving government information security through developing, implementing, and enforcing best practices and standards -- and then conducting certification and measures against those standards.
- Working with industry to expedite efforts for alternative information security and encryption key management pilot programs.
- Elevating and formalizing Information Assurance as a foreign intelligence priority.
- Recruiting and retaining adequate numbers of law enforcement personnel with cyber skills.
- Conducting a thorough risk assessment of the National Aerospace System and the planned sole reliance on the Global Positioning System.
We examined a full range of legal issues relating to protecting the critical infrastructures with three goals in mind:
- increasing the effectiveness of government's protection efforts;
- enhancing the private sector's ability to protect itself; and
- enabling effective public-private partnership where most needed.
We propose the further review of major federal legislation as it relates to the critical infrastructures and the cyber threat.
We have modest recommendations in the area of criminal law and procedure -- specifically the Federal Sentencing Guidelines -- to take into account the true harm done by attacks on the critical infrastructures.
We call for an expert study group -- representing labor, management, government, and privacy interests -- to make recommendations for long-term reform in the employer-employee relationship, yet balances security and privacy.
We recommend easing legal impediments to information sharing such as antitrust provisions, federal and private liability, and the Freedom of Information Act.
Research and Development (R&D)
Federal research and development efforts are inadequate to meet the challenge presented by emerging cyber threats. About $250 million is spent each year on infrastructure assurance-related R&D, of which 60 percent -- $150 million -- is dedicated to information security. There is very little research supporting a national cyber defense. The Commission believes that real-time detection, identification, and response tools are urgently needed, and we concluded that market forces are currently insufficient to meet these needs.
Thus we recommend doubling federal R&D funding for infrastructure protection to $500 million the first year, with 20% increases each year for the next five years. We recommend this funding target:
- Risk management, simulation and modeling, and decision support;
- Contingency planning, incident response, and recovery;
- Information assurance, vulnerability assessment, and system analysis; and
- Early warning and response, monitoring, and threat detection.
Building the Partnership
I need to talk a little about how the federal government and industry can work together to address infrastructure protection concerns. It might be easiest if I first explain a little about our methodology before jumping right into our partnering recommendations.
First, the Commission identified five general functions that are the foundation of infrastructure protection and assurance efforts:
- policy formulation
- prevention and mitigation
- operational warning
- incident management
- consequence management
Next, we fleshed them out to include all the tasks that must be performed to assure our infrastructures.
We knew that a great many people and organizations needed to accomplish these tasks, but we were not sure who or where.
We devised a framework or matrix to help determine who should be responsible for each task.
Along the top of this matrix, roles range from the purely public to the purely private. Along the side, roles range from decentralized to centralized. The top left quadrant, for example, is the role of the federal government -- centralized and public. The bottom right quadrant is the place for individual companies -- decentralized and private.
Using this framework, we plotted the specific tasks of infrastructure assurance where we thought they should be performed.
The result is a high concentration in the four distinct quadrants, but also a high concentration along the borders. It was the concentrations along the borders that gave us pause, for these are the functions that require a new awareness, a new way of doing business, and a new partnership.
We next looked at how infrastructure assurance is being performed today. There are many players in this game, including the privately-owned infrastructures as well as federal, state, and local governments. There are also a great many existing relationships -- such as regulating or enforcing laws -- but there are no specific relationships for infrastructure protection and assurance. We focused on bridging this gap.
And this is how we propose to facilitate the public-private partnership -- how to bridge the gap -- to best protect our infrastructures.
At the policy-making level, we recommend:
- an Office of National Infrastructure Assurance -- located within the White House -- to serve as the federal government's focal point for infrastructure protection;
- a National Infrastructure Assurance Council comprised of selected infrastructure CEOs and Cabinet officials to propose policy and advise the President; and
- an Infrastructure Assurance Support Office to support both the Council and the National Office.
At the operational level, we recommend:
- Sector Infrastructure Assurance Coordinators or clearinghouses as focal points within each infrastructure to share information;
- federal Lead Agencies to promote and assist in establishing the sector coordinators;
- an Information Sharing and Analysis Center staffed by both private industry and government to receive and share information about infrastructure intrusions to be located in the private sector; and
- a Warning Center designed to provide operational warning whenever possible of an attack on the infrastructures, either physical or cyber, located within the FBI.
Just as the risks are shared between the public and the private sectors, so will the solutions be found. Our national and economic security has become a shared responsibility -- one that will require a new kind of partnership between government and industry -- one which encourages information sharing and one which requires the government to lead by example.
I believe the findings and conclusions of the Commission are based on accurate and reasonable information and analyses. Our recommendations, if implemented, will create the partnerships and structures essential to reducing vulnerabilities in our infrastructures. They will provide the impetus for research and development efforts to increase information security and provide a cyber defense system. They will increase the nation's ability to prepare, protect, and respond to any threats, strategic or otherwise, directed against our infrastructures, thereby ensuring their continued, effective operation in support of our defense, economic growth, and general well being.
This completes my statement, Mr. Chairman. I will be pleased to answer any questions you or your colleagues may have.