The Infrastructure of the Protection of the Critical Infrastructure
By Julie Ryan
http://www.julieryan.com
Fall 1998
In May 1998, the President issued
Presidential Decision Directive 63, Critical Infrastructure Protection.
This paper describes that directive and its effects on the existing bureaucracy.
Table of Contents
Introduction
New Organizations and Roles
Federal Government
National Coordinator
Critical Infrastructure Coordination Group (CICG)
Principals Committee
Critical Infrastructure Assurance Office (CIAO) and
Officers
National Infrastructure Protection Center (NIPC)
Lead Agencies for Critical Sectors
Lead Agencies for Special Functions
Who Is Excluded
Private Sector
Information Sharing and Analysis Center (ISAC)
The National Infrastructure Assurance Council (NIAC)
Organizational Relationships
Critical Infrastructure Elements and Lead Agencies
Infrastructure Segments
Information and Communications
Physical Distribution
Energy
Banking and Finance
Vital Human Services
Responsibilities and Ownership
National Infrastructure Assurance Plan
Sources
Personal Interviews
Electronically Published Documents
Conference and Meeting Attendance
Appendix 1 PCCIP
Appendix 2 CIAO
Introduction
In July 1996, President Clinton issued Executive Order 13010, which established
the President's Commission on Critical Infrastructure Protection
(PCCIP). The PCCIP was created in order to examine the growing integrated
dependencies of the US economy and way of life on critical aspects of
the infrastructure. The PCCIP reported back to the President in November
1997, with a set of recommendations on what should be done. The President
considered these recommendations and in May 1998, issued two Presidential
Decision Directives (PDD) assigning responsibilities and actions associated
with national level critical infrastructure protection. The two PDDs were
PDD-62, Combating Terrorism, and PDD-63, Critical Infrastructure
Protection.
Recognizing that the Federal Government has direct control over only
a small percentage of what comprises the critical infrastructure, the
framework chosen for national coordination of defensive and security activities
focuses on leadership rather than management. PDD-63 specifies that each
Department and Agency of the Federal Government will develop a plan for
defending its part of the critical infrastructure. Initial plans were
due to a National Coordinator 180 days after the PDD was issued, or on
November 17, 1998. In two years, finalized plans are required. Those plans
will be reconciled and organized into a national plan by the National
Coordinator. Lead Agencies for Sector Liaison will develop relationships
with industry and will encourage information sharing between government
and private groups. The goal of the National Plan is to "present
a model to the private sector on how to best protect critical infrastructure."
{1} The following graphic presents the required actions
and timetable for the Federal Government. {2}
There are two areas that bear explanation in order to understand the
probable future trajectory of growth and action. First, and most obvious,
is the structure of the new organizations and their roles. The second
is the manner in which the new elements will interact with already existing
structures and organizations. This paper lays out the structures and intentions
of the new organizations, highlighting areas where existing organizations
have synergistic responsibilities. The information contained herein has
been gleaned from multiple sources, including interviews with key personnel
of the new organizations, but it must be pointed out that the organizations
are just now being developed and staffed and therefore the information
herein is subject to change as those organizations evolve and plans start
to solidify.
New Organizations and Roles
PDD-63 explicitly creates these new organizations:
- A National Coordinator;
- The National Infrastructure Protection Center
(NIPC);
- An Information Sharing and Analysis Center
(ISAC);
- A National Infrastructure Assurance Council
(NIAC);
- The Critical Infrastructure Assurance Office
(CIAO).
Not specifically created by PDD-63, but referred to in the directive,
are other organizations integral to the infrastructure assurance efforts.
These include the following:
- The Critical Infrastructure Coordination Group
(CICG);
- The Principals Committee.
Additionally, PDD-63 specifies that certain departments and agencies
act as sector liaison leads and special function leads.
The following sections describe the functions and responsibilities ascribed
to each.
Federal Government
As a Presidential Directive, PDD-63 directs the activities of elements
of the Federal Government. These activities include all of the above mentioned
roles with the exception of the NIAC and the ISAC. The NIAC will be a
quasi-governmental organization, comprised of individuals appointed by
the President, but those members will be representatives of the private
sector and of state and local governments.
National Coordinator
The full title of the office is "National Coordinator for Security,
Infrastructure Protection and Counter-Terrorism." {3}
The National Coordinator is the principal focal point within the Federal
Government for infrastructure protection against all threats, ranging
from foreign terrorism and domestic mass destruction to information warfare
attacks. The National Coordinator oversees the execution of PDD-62 and
PDD-63.
The National Coordinator is appointed by the Assistant to the President
for National Security Affairs with the advice of the Assistant to the
President for Economic Affairs.
"President Clinton appointed Richard Clarke as the first National
Coordinator for Security, Infrastructure Protection, and Counter-terrorism
in May 1998. As National Coordinator, he reports to the President
through the National Security Advisor and, when the NSC Principals
Committee meets on security issues, he serves as a full member of
that Cabinet-level committee." {4}
The National Coordinator has the following responsibilities:
- implement PDD-62 and PDD-63
- chair the CICG
- serve as Executive Director of the NIAC
- ensure interagency coordination for policy development and implementation
- review crisis activities concerning infrastructure elements with
foreign involvement
- provide advice regarding budgetary issues and critical infrastructure
protection
- consult with owners and operators of the critical infrastructure
elements to strongly encourage their participation and cooperation
- identify possible methods for providing federal assistance to the
ISAC startup
- commission studies on liability issues, legal issues, information
classification issues, security issues, legislative issues, and foreign
trade issues related to infrastructure protection
- provide oversight of the public outreach processes
- establish a program for infrastructure assurance simulations for
public awareness purposes
- coordinate a review of existing federal, state and local bodies
that perform information assurance tasks resulting in recommendations
on how these organizations can cooperate most effectively
- propose ways to encourage the private sector to pay attention to
security issues such as risk assessment. {5}
Critical Infrastructure Coordination Group (CICG)
The CICG is the mechanism through which the various offices of the Federal
Government coordinate their activities and prioritize the agenda associated
with infrastructure protection. The National Coordinator chairs the CICG.
{6} The CICG is the driving force behind the execution
of PDD-63 within the diverse elements of the Federal Government.
The National Coordinator, as chair of the CICG, reports "to the
Deputies Committee (or at the call of its chair, the Principals Committee)."
Each Department and Agency is required to appoint a senior official
(Assistant Secretary level or higher) to regularly represent that
organization at the CICG meetings. Sector Liaison Officials and Special
Function Coordinators also attend CICG meetings. {7}
The CICG provides a forum for the Sector Liaison Officials and the Functional
Coordinators of the Lead Agencies as well as senior representatives of
other relevant federal agencies to coordinate the implementation of the
required actions. The scope of action is quite large and in order to accomplish
it, the CICG has established subcommittees to address specific issues.
Following is a list of those subcommittees and the relevant lead organization:
| Subcommittee | Lead organization |
| --- | --- |
| National Plan Design | chaired by the National Security Council |
| R&D Priorities | Office of Science and Technology Policy |
| FY2000 Budget | OMB/National Security Council |
| Outreach & Sector Organization | National Security Council |
| Response Plan | FBI/Department of Defense |
| US Government as Model | OMB/National Security Council |
| Intelligence Collection | Director of Central Intelligence |
| Creation of ISAC | National Economic Council/FBI |
| Education & Awareness | Department of Commerce |
| International Cooperation | Department of State |
| Legal Issues & Authorities | Department of Justice |
| Personnel & Training | Department of Commerce |
| Standards | National Security Agency/Department of Commerce {8} |
Principals Committee
The Principals Committee was originally created by Executive Order 13010,
the presidential order that created the PCCIP. {9} As
created, it served as the mechanism to which the PCCIP reported, reviewing
findings and recommendations before submitting them to the President.
The members of the Principals Committee include:
- Secretary of the Treasury;
- Secretary of Defense;
- Attorney General;
- Secretary of Commerce;
- Secretary of Transportation;
- Secretary of Energy;
- Director of Central Intelligence;
- Director of the Office of Management and Budget;
- Director of the Federal Emergency Management Agency;
- Assistant to the President for National Security Affairs;
- Assistant to the Vice President for National Security Affairs;
- Assistant to the President for Economic Policy and Director of the
National Economic Council; and
- Assistant to the President and Director of the Office of Science
and Technology Policy. {10}
PDD-63 extends the concept of the Principals Committee, directing that
the National Coordinator serve as a full member of the Principals
Committee or Deputies meetings. {11}
The comparison of the members of the Principals Committee and the designated
lead agencies for sector liaison and special functions (delineated in
a later part of this paper) reveals an almost complete overlap. Missing
from the Principals Committee are the
- Environmental Protection Agency,
- Department of Health and Human Services, and
- Department of State.
Critical Infrastructure Assurance Office (CIAO) and
Officers
One of the most confusing things about the new structures is the use
of the term CIAO. PDD-63 directs every Department and Agency to appoint
a Critical Infrastructure Assurance Officer, a CIAO. These CIAOs
are responsible for the protection of all aspects of the department or
agency's critical infrastructure with the exception of the information
infrastructure, for which the Chief Information Officer (CIO) is responsible.
It is possible for the CIAO and the CIO to be the same person, responsible
for both roles. {12}
PDD-63 also directs that a National Plan Coordination (NPC) staff be
constituted, with members being "contributed on a non-reimbursable
basis by the departments and agencies. The NPC staff will integrate
the various sector plans into a National Infrastructure Assurance Plan
and coordinate analyses of the U.S. Government's own dependencies
on critical infrastructures." {13} This mandated
NPC staff has been named the Critical Infrastructure Assurance Office
(CIAO) and resides in the Department of Commerce, Bureau of Export Controls.
{14}
The CIAO is essentially the staff that supports the National Coordinator
in his designated roles and responsibilities. It will have the task of
integrating the sector plans into a national level plan and will coordinate
a national education and awareness program to raise the private sector's
awareness of the implications and requirements of infrastructure protection.
{15} The first director of the CIAO is Dr. Jeffrey Hunker:
"Dr. Jeffrey A. Hunker is Director of the Critical Infrastructure
Assurance Office. As Director, Mr. Hunker will be responsible for
bringing together an integrated national plan for addressing physical
and cyber threats to the nation's communications and electronic systems,
transportation, energy, banking and financial, health and medical
services, water supply, and key government services. As Director,
he will also coordinate a national education and awareness program,
as well as develop legislative and public affairs initiatives."
{16}
National Infrastructure Protection Center (NIPC)
Prior to the issuance of the PDDs, the FBI hosted an interim Infrastructure
Protection Task Force and the Computer Investigation and Infrastructure
Threat Assessment Office. The FBI transformed that capability and experience
into an integrated capability to support infrastructure protection. Three
months prior to the issuance of PDD-62 and PDD-63, the NIPC was announced.
"Established in February 1998, the NIPC's mission is to serve as
the U.S. government's focal point for threat assessment, warning, investigation,
and response for threats or attacks against our critical infrastructures."
{17} Subsequently, PDD-63 affirmed the expanded role
of the FBI in infrastructure protection: "As part of a national warning
and information sharing system, the President immediately authorizes the
FBI to expand its current organization to a full scale National Infrastructure
Protection Center." {18} The FBI also retains a
separate organization dedicated specifically to computer crime, the National
Computer Crime Squad, whose mission it is to investigate violations of
the Computer Fraud and Abuse Act of 1986. {19}
The purpose of the NIPC is to provide full spectrum protection support
to the infrastructure assurance efforts, including coordinating the Federal
Government's response to an incident, mitigating attacks, investigating
threats and monitoring reconstitution efforts. As such, the NIPC performs
both intelligence activities and operational activities. The intelligence
activities include monitoring threats, performing analysis of suspected
attack activities, and identifying critical vulnerabilities. The operational
activities include active protective mechanisms, with the priority activities
being coordination, prevention and defense. The differentiation between
the FBI role and FEMA's role is that the FBI is focused on crisis
management whereas FEMA is focused on consequence management. {20}
The principal focus of efforts at this point in time is countering the
cyberthreat. Later, as the organization matures and capabilities increase,
expanded infrastructure protection efforts will be undertaken. {21}
NIPC activities include the following:
- provide timely warning of intentional threats
- issue attack warnings and alerts
- provide guidance on increasing protective posture
- provide comprehensive analyses
- provide law enforcement investigation and response
- collect information about threats, attack warnings, and actual attacks
on critical government and private sector infrastructures
- perform computer investigations
- coordinate emergency response
- conduct training and outreach
- develop and apply technical tools {22}
- establish relationships with the private sector
- sanitize law enforcement and intelligence information for reports,
after coordinating with the intelligence community
- provide reports to relevant federal, state and local agencies
- provide reports to relevant owners and operators of critical infrastructures
- provide reports to any private sector ISAC
- act as a focal point for gathering information on threats to infrastructures
- be the primary facilitator and coordinator of Federal Government
response to attacks (including when the situation requires that the
NIPC be placed in a direct support role to the DoD or intelligence
community) {23}
The NIPC as an organization is already well underway. It is resident
at the FBI but is intended to incorporate representatives from the Department
of Defense (DoD), the Department of Treasury (specifically the US Secret
Service), the Department of Energy, the Department of Transportation,
and the Intelligence Community, as well as the private sector. Staffing
levels at this point in time are intended to be 85 full time personnel,
who perform both intelligence and operational duties. Since it is recognized
that a cyber-attack could occur very quickly and across multiple elements
of the national infrastructure, the activities associated with detection
and reaction and protection are integrated within the team structure to
speed response times and capabilities. {24}
"The mission of the NIPC is both a national security and law
enforcement effort to detect, deter, assess, warn of, respond to,
and investigate computer intrusions and unlawful acts, both physical
and "cyber," that threaten or target our critical infrastructures.
The NIPC's job is not simply to investigate and respond to attacks
after they occur, but to learn about them beforehand and prevent them."
{25}
Lead Agencies for Critical Sectors
The purpose for identifying lead agencies for critical sectors is to
have clearly identified focal points for liaison with the private sector
as well as to have accountability within the Federal Government for specific
sectors and roles. The responsible agencies and their areas of concern
are identified here:
| Sector | Lead agency |
| --- | --- |
| Information and Communications | Department of Commerce |
| Banking and Finance | Department of Treasury |
| Water Supply | Environmental Protection Agency |
| Aviation, Highways (including trucking and intelligent transportation systems), Mass transit, Pipelines, Rail, and Waterborne commerce | Department of Transportation |
| Emergency Law Enforcement Services | Department of Justice/FBI |
| Emergency Fire Services and Continuity of Government | Federal Emergency Management Agency |
| Public Health Services, including prevention, surveillance, laboratory services, and personal health services | Department of Health and Human Services |
| Electric Power, Oil and Gas Production and Storage | Department of Energy |
The responsibilities of these lead agencies include:
- designate one person of Assistant Secretary level or higher to
function as the Sector Liaison Official;
- provide recommendations on membership of the National Infrastructure
Assurance Council;
- cooperate with the private sector representatives in addressing
sector problems;
- cooperate with private sector representatives to develop and recommend
components to the National Infrastructure Assurance Plan; and
- cooperate with the private sector to develop and implement sector
specific Vulnerability Awareness and Education. {26}
Lead Agencies for Special Functions
PDD-63 identifies several special functions that have significant roles
in protecting the nation's infrastructure separate from the infrastructure
elements themselves. These special functions and their lead agencies are
as follows:
| Special function | Lead agency |
| --- | --- |
| Law Enforcement and Internal Security | Department of Justice/FBI |
| Foreign Intelligence | CIA |
| Foreign Affairs | Department of State |
| National Defense | Department of Defense |
| Research and Development Coordination through the National Science and Technology Council {27} | Office of Science and Technology Policy |
Who Is Excluded
With all this enumeration of memberships and roles, it is interesting
to examine as well the organizations that are not explicitly tasked, in
order to understand the context. The following list delineates some
of the myriad offices that are missing from direct tasking in PDD-63 (to
keep the list from being exhausting, organizations such as the National
Endowment for the Arts are not included in this list):
- Department of Agriculture (USDA)
- Department of Education
- Department of Housing and Urban Development (HUD)
- Department of the Interior (DOI)
- Department of Labor (DOL)
- Department of Veterans Affairs
INDEPENDENT AGENCIES
- Commodity Futures Trading Commission (CFTC)
- Consumer Product Safety Commission (CPSC)
- Export-Import Bank of the United States
- Federal Communications Commission (FCC)
- Federal Maritime Commission
- Federal Reserve System (FRS)
- National Aeronautics and Space Administration (NASA)
- National Archives and Records Administration (NARA)
- National Commission on Libraries and Information Science (NCLIS)
- National Railroad Passenger Corporation (AMTRAK)
- National Transportation Safety Board (NTSB)
- Nuclear Regulatory Commission (NRC)
- Securities and Exchange Commission (SEC)
- Social Security Administration (SSA)
- Tennessee Valley Authority (TVA)
- United States Postal Service (USPS)
Private Sector
The private sector is an important player in protecting the critical
infrastructure. It owns and operates a very large percentage of the critical
infrastructure and individually has insights into vulnerabilities and
threats on an enormous scale. PDD-63 invites the private sector to harness
that potential for the national good through two venues: first, a place
to cooperatively share information that collectively can be used to protect
the critical infrastructure elements; and second, a direct method to advise
the President on activities and policy concerning the critical infrastructure.
Information Sharing and Analysis Center (ISAC)
Recognizing both the reliance of the Federal Government on privately-owned
infrastructure elements and the inability to defend the infrastructure
as a whole without cooperation and coordination with the private sector,
PDD-63 calls for the establishment of a mechanism where threat and vulnerability
information could be shared without liability. Recognizing as well that
short of legislation it would be impossible to compel compliance with
that desire, PDD-63 specifically leaves the development of the design
and functions of the ISAC to the private sector. However, PDD-63 also
directs the National Coordinator, the Sector Coordinators, the Sector
Liaison Officials and the National Economic Council to "consult with
owners and operators of the critical infrastructures to strongly encourage
the creation of a private sector information sharing and analysis center."
Additionally, the PDD directs that, "[w]ithin 180 days of issuance
of this directive, the National Coordinator, with the assistance of the
CICG including the National Economic Council, shall identify possible
methods of providing federal assistance to facilitate the startup of an
ISAC." {28}
There are clearly substantial problems associated with the concept of
an ISAC. The ISAC is intended to become a focal point for sharing information
about vulnerabilities and threats associated with infrastructure protection.
The corporations that own and operate parts of the infrastructure have
significant reasons associated with liability, negligence, competitiveness,
and transnational operations not to disclose vulnerabilities or even threats.
The lesson from the Citibank hacking episode {29} illustrates
the reluctance and the penalties associated with divulging information
about problems and vulnerabilities.
Further, the postulated relationship with the NIPC, where the NIPC would
receive all information from the ISAC but only provide information to
the ISAC that the NIPC had declassified and/or deemed appropriate, could
strike some participants as being a trifle unfair. There has been some
discussion about passing legislation limiting liability related to disclosure
of vulnerabilities but to date no specific format has been agreed upon.
{30}
There are, however, some industry organizations that have expressed interest
in serving in ISAC-like roles, including the Information Technology Association
of America (ITAA) {31}, which is a trade organization
with over 9000 members associated with the information technology sector.
{32} Whether or not an industry organization can coerce
cooperation on sensitive business matters remains to be seen.
The National Infrastructure Assurance Council (NIAC)
The NIAC will be a council of advisors, composed of representatives from
infrastructure sector providers and state and local government, who will
be appointed by the President. The NIAC will provide input from the private
sector and state and local governments to the National Information Assurance
Plan. As of this point in time, the NIAC is not further defined. When
it is constituted, the President will appoint members from amongst major
infrastructure providers and state and local governments. Additionally,
the President will designate a Chairperson. The National Coordinator will
serve as the Executive Director for the NIAC and senior Federal Government
officials will participate in the meetings, as appropriate. {33}
A challenge associated with constituting a meaningful NIAC is formulating
it in such a way as to account for revolutionary technologies and the
rapid evolutionary growth of the information and communications infrastructure.
The World Wide Web emerged in the early 1990s as a new capability (albeit
built on an existing backbone of technologies and physical plant) and
since then has engendered a revolution in commerce and information sharing.
Corporations like Netscape and UUNet Technologies rose from oblivion to
dominance in a relative blink of an eye. Many of the emerging powerhouses
of the information age are too busy growing to pay much attention to politics;
picking the right membership for a relevant NIAC may well turn
out to be extremely tricky.
Another challenge associated with constituting a meaningful NIAC is the
present Administration's stance on encryption. Particularly in the
infrastructure area of information and communication, the subject of restricted
access to strong encryption is contentious. There are those who see the
entire critical infrastructure protection exercise as yet another attempt
to limit freedoms in the name of emerging threats, as noted in this extract
from a report by the Electronic Privacy Information Center (EPIC):
The PCCIP also continues the failed policies of the past, urging
the adoption of key escrow encryption scheme even after technical
experts have demonstrated its flaws and foreign governments have rejected
this approach. But in the key escrow recommendation, one is given
an important insight into the nature of the PCCIP effort. For even
proponents of key escrow have acknowledged that it poses a significant
risk to network security and creates new sources of vulnerability
that could otherwise be avoided.
The PCCIP, which was established to identify measures to protect
the Nation's critical infrastructure, seems quite prepared to
sacrifice this critical goal when the return is greater surveillance
capability. {34}
The Cato Institute agrees, having analyzed the issues associated with
key escrow in its November 1998 policy paper Encryption Policy For
The 21st Century: A Future without Government-Prescribed Key Recovery:
Government-prescribed key recovery and export controls are a grave
danger to the privacy of law-abiding citizens and businesses, not
only in the United States but around the world. And the development
of the key-recovery infrastructure might well be technically impossible
and would be prohibitively expensive.
... Recent calls for "balance" make enticing sound bites
(who would be opposed to "balance?") but compromise the
freedom to innovate and sacrifice vital civil liberties. {35}
It remains to be seen, therefore, whether or not a relevant NIAC can
be constituted and, if so, how long it can remain relevant.
Organizational Relationships
The following graphic shows how these organizations relate, with dashed
lines depicting advisory relationships:

Another view of the organizational relationship is presented in the following
graphic, which comes from a briefing by Jeffrey Hunker, Director of the
CIAO, and shows the delineation of the public-private partnership envisioned
by PDD-63: {36}
Critical Infrastructure Elements and Lead Agencies
By definition, the critical infrastructure efforts mandated by PDD-63
are limited to the Federal Government. As such, the two PDDs direct the
Departments and Agencies of the Federal Government to do certain things.
PDD-62, Combating Terrorism, directs activities related to countering
the threats of unconventional attacks against the US. PDD-63, Critical
Infrastructure Protection, directs activities relating to protecting
the critical elements of the national infrastructure.
Infrastructure Segments
A key point to note here is that the Federal Government owns very little
of what is considered to be the critical infrastructure. The following
sections describe the infrastructure elements as described in Appendix
A of the report of the PCCIP, Critical Foundations: Thinking Differently.
These definitions were used as the basis for developing the recommendations
that resulted in PDD-63. As delineated here, there are five critical elements
of the infrastructure. However, three later differentiated elements
(emergency services, water supply and government services) are all
covered here as "vital services." Additionally, here all energy
is considered together, whereas in the responsibilities allocated in PDD-63,
energy is divided between Electrical Power Systems and Gas And Oil Production,
Storage And Transport.
Because the PCCIP report summarized the infrastructure elements concisely
and appropriately, the descriptions are reproduced here. The report itself
contains very detailed commentary on existing problems and vulnerabilities
as well.
Information and Communications
"The Information and Communications (I&C) sector includes
the Public Telecommunications Network (PTN), the Internet, and the
many millions of computers for home, commercial, academic and government
use. The PTN includes the landline networks of the local and long
distance carriers, the cellular networks, and satellite service.
The system's two billion miles of fiber and copper cable remain
the backbone of the I&C sector, with the new cellular and satellite
wireless technologies largely serving mobile users as extended gateways
to the wireline network. The PTN provides both switched telephone
and data services and long term leased point-to-point services.
"The Internet is a global network of networks interconnected
via routers which use a common set of protocols to provide communications
among users. Internet communications are based on connectionless data
transport.
.
"The Internet and the PTN are not mutually exclusive, since
significant portions of the Internet, especially its backbone and
user access links, rely on PTN facilities. Current trends suggest
that the PTN and the Internet will merge in the years ahead; by 2010
many of today's networks will likely be absorbed or replaced
by a successor public telecommunications infrastructure capable of
providing integrated voice, data, video, private line, and Internet-based
services.
"The installed base of computers in the US has risen from 5,000
in 1960 to an estimated 180 million today, with over 95 percent of
these being personal computers. The remainder includes the majority
of the world's supercomputers and roughly half of the world's
minicomputers and workstations. Networking of these machines through
the circuits of the PTN and the Internet has grown exponentially over
the past 15 years, creating an extended information and communications
infrastructure that has changed the way we work and live. This infrastructure
has swiftly become essential to every aspect of the nation's
business, including national and international commerce, civil government,
and military operations." {37}
Physical Distribution
"The physical distribution infrastructure is critical to the
national security, economic well being, global competitiveness, and
quality of life in the US. The vast, interconnected network of highways,
railroads, ports and inland waterways, pipelines, airports and airways
facilitates the efficient movement of goods and people and provides
this nation a distinct competitive advantage in the global economy.
"Transportation is a major component of the US economy, representing
in 1995 approximately $777 billion, or 11 percent of the Gross Domestic
Product (GDP). US commerce depends heavily on the export, import,
and domestic movement of raw materials, manufactured goods, foodstuffs,
and consumable supplies.
"The physical distribution infrastructure includes almost 4
million miles of public roads and highways and more than 360,000 interstate
trucking companies, 20 million trucks used for business purposes,
and 190 million personal vehicles. It includes more than a hundred
thousand miles of track operated by the largest railroads, with 1.2
million operating freight cars and over 18,000 locomotives. It includes
airlines that carry more than half a billion passengers a year through
400 airports. It includes almost 6,000 transit entities operating
rapid transit rail and bus services. It includes 1,900 seaports and
1,700 inland river terminals on 11,000 miles of inland waterways carrying
grain, chemicals, petroleum products, and import and export goods.
The physical distribution infrastructure includes more than 1.4 million
miles of oil and natural gas pipelines. And it includes delivery services,
such as the US Postal Service and many other commercial providers
that deliver goods and products on time not only to households, but
to manufacturers whose very survival depends on just-in-time delivery
of materials and supplies, and to business and even military activities
who depend on the rapid delivery of repair parts to keep them in operation.
"Most of our nation's transportation infrastructure is
owned by the private sector -- railroads and pipelines; the vehicles
and equipment operating on our roads, on the water, and in the air;
and by state and local governments -- our roads, airports, mass
transit systems, and ports. The federal government owns the National
Airspace System (NAS) operated by the Federal Aviation Administration
(FAA), and the locks and dams operated by the US Army Corps of Engineers.
The private sector is largely responsible for assuring its own infrastructure
and business practices." {38}
Energy
"The security, economic prosperity, and social well being of
the US depend on a complex system of interdependent infrastructures.
The lifeblood of these interdependent infrastructures is energy, the
infrastructure composed of three distinct industries that produce
and distribute electric power, oil, and natural gas.
"In addition to being a key component of the other infrastructures,
the energy infrastructure is critical to our economy, with estimated
revenues from retail sales of electricity in the US exceeding $200
billion annually, and revenues from oil and gas almost $400 billion."
{39}
Banking and Finance
"The US financial system is central not only to the functioning
of domestic and global commerce, but to the daily lives of virtually
all Americans. It represents bank holdings of about $4.5 trillion,
a capital market of $7 trillion, investment bank underwriting of $1
trillion, almost $3 trillion in daily payment transactions, and about
10 million jobs.
"More than a billion credit cards in circulation in the United
States account for $500 billion in annual expenditure, or roughly
half of all consumer debt. Also, due to the rapid increase in individual
retirement accounts of various kinds and the popularity of mutual
funds, about half of all households in the United States are investors
in the stock market.
"The banking and finance infrastructure was defined by the Commission
as composed of five principal sectors: banks, financial service companies,
payment systems, investment companies, and securities and commodities
exchanges." {40}
Vital Human Services
"The Vital Human Services (VHS) sector includes three of the
critical infrastructures named in Executive Order 13010: water supply,
emergency services, and government services. At the outset, the Commission
considered expanding the scope of this sector to include food, health
care and the nation's work force as additional critical infrastructures.
However, because of time and resource constraints, the Commission
decided to bound the scope of its effort to the eight infrastructures
named in the Executive Order, leaving additional infrastructures to
be considered in any follow-on activity.
"The three VHS infrastructures differ from other named critical
infrastructures in that they are focused largely at the local and
state levels, are largely governmental responsibilities, and deal
chiefly with human needs and safety. Because they are highly localized
in character, they do not form a strongly interconnected national
infrastructure. Failures in one community generally will be localized
to that community. Nevertheless, they are critical national infrastructures
and the problems and vulnerabilities faced in one community are similar
to those faced in every community across the US." {41}
Water Supply
"There is no "typical" water supply system for the
US, at least not to any significant degree of detail. But, at a general
level, all systems share five common elements.
- A water source, either surface waters in impoundments such as lakes
and reservoirs or flowing waters in rivers or ground water in aquifers.
- Treatment facilities in which particulates are filtered out and
disinfectants are added.
- A system of aqueducts, tunnels, reservoirs, and/or pumping facilities
to convey water from the source through the rest of the system and
to provide storage and the means to balance flows.
- A distribution system carrying finished water to users through a
system of water mains and subsidiary pipes.
- A waste water collection and treatment system.
"The major uses of the water supply infrastructure are for agriculture,
industry (including various manufacturing processes, power generation
and cooling), business, fire fighting and residential purposes. In
many cases, the water supplies for agriculture and industry come from
outside the public water supply system, being drawn by the users directly
from surface or ground sources." {42}
Emergency Services
"This infrastructure includes firefighting, police, rescue,
and emergency medical services. Its objectives are to contain and
deal with emergencies in order to save lives and preserve property.
"Except for certain parts of the emergency medical services
element, this infrastructure is mostly government owned and operated.
It is focused at the local level; state and federal services play
an important but supporting role. The infrastructure as defined by
the Commission does not include investigative or law enforcement functions,
nor does it include activities in the recovery phase.
"Local authorities faced with large scale incidents turn, where
necessary, first to neighboring jurisdictions with whom they have
mutual aid agreements for assistance and then, if necessary, to the
state. As a general rule, with few exceptions, federal authorities
must be invited before they can play a role." {43}
Government Services
"Executive Order 13010 designated "continuity of government"
as a critical infrastructure. This term has traditionally applied
to the survival of our Constitutional form of government in the face
of a catastrophic crisis such as nuclear war. In January 1997, a memorandum
to the Commission Chairman from the Acting Assistant to the President
for National Security Affairs noted that this traditional concept
is distinct from the continuation, in the face of physical and cyber
threats to our infrastructures, of services provided by federal, state,
and local government. The memorandum stated that it was the latter
problem that the Commission was expected to address. Consequently,
the Commission has considered government services as a critical infrastructure.
"Government serves several functions. At the federal level,
the Constitution sets forth the responsibilities of government for
establishing justice, ensuring domestic tranquillity, providing for
the common defense, promoting the general welfare, and securing the
blessings of liberty. The constitutions of the 50 sovereign states
assign certain parallel responsibilities to the state and local levels.
To fulfill these responsibilities, governments at all levels make
use of organizations that develop policy, operate programs, regulate,
exercise police powers, disburse funds to members of the public, collect
taxes, etc." {44}
Responsibilities and Ownership
The following table identifies the critical infrastructure elements,
the role the Federal Government plays in each element, and the role that
other entities, such as private industry and State Government, play in
each element (acronyms delineated at end of table). The appropriate FEMA
emergency support functions are identified in the last column annotated
with the lead agency for that function.
| Critical Infrastructure Element (SLL = Sector Liaison Lead) | Federal Government | State/Local | Industry | FEMA Emergency Support Function Overlay (LA = Lead Agency) |
|---|---|---|---|---|
| Information & Communications. SLL: Commerce | Regulatory oversight via FCC; NIST: Standards; NCS; NSTAC; R&D of next generation (ex: Internet 2) | limited | Owns & operates the vast majority of physical plant (fiber, switches, routers, etc); Provides the vast majority of information services; Owns software; Conducts R&D for proprietary and commercial products; Provides information and communications services to Government | ESF 2: Communications (LA: NCS); ESF 5: Information and Planning (LA: FEMA) |
| Electrical Power. SLL: DOE | Regulatory oversight in terms of safety, environmental compliance and competitiveness; Some limited generation capabilities for specific purposes | Administers local electrical service providers | Owns & operates all of the physical infrastructure; Provides all of the normal electrical services; Increasingly provides competitive electrical services | ESF 12: Energy (LA: DOE) |
| Gas & Oil Production, Storage & Transportation. SLL: DOE for production and storage; DOT for transport | Regulatory oversight in terms of safety, environmental compliance and competitiveness; Administers national petroleum reserve | Ensures compliance with laws | Owns & operates the vast majority of the production, storage and transportation elements; Owns & operates the associated information infrastructure | ESF 1: Transportation (LA: DOT); ESF 7: Resource Support (LA: GSA); ESF 10: Hazardous Materials (LA: EPA); ESF 12: Energy (LA: DOE) |
| Banking & Finance. SLL: Treasury | Regulatory oversight via the SEC and Central Bank | Ensures compliance with laws | Owns & operates all of the banking and finance institutions | |
| Transportation. SLL: DOT | Builds, maintains and coordinates Interstate Highway system; Provides funding to states for highway construction; Subsidizes AMTRAK; Coordinates intermodal transportation studies; Licenses and regulates seaborne transportation | Builds and maintains highways and roads; Administers local transportation authorities; Coordinates with neighboring localities on future plans | Owns and operates limited numbers of privately owned roads; Owns and operates the fleets of trucks, trains and ships; Owns and operates associated communications infrastructure | ESF 1: Transportation (LA: DOT) |
| Water Supply Systems. SLL: EPA | Enforces laws; Army Corps of Engineers has authority over engineering of elements of water supplies and navigable inland waterways | Owns and operates most local water and sewer systems | Build to codes; Owns and operates some water and sewer | ESF 3: Public Works & Engineering (LA: US Army Corps of Engineers) |
| Emergency Services (medical, fire, police, rescue). SLL: FEMA for emergency fire services; HHS for public health services; DOJ/FBI for emergency law enforcement services | Coordinates & allocates resources for national level emergency response; Owns and operates national level response infrastructure; Owns and operates military medical system & Centers for Disease Control | Owns and operates local emergency response infrastructure (fire, police, rescue); Owns and operates state guard and emergency systems; Owns and operates some medical facilities | Owns and operates most of the medical facilities; Owns and operates most of the communications infrastructure used by emergency services | ESF 4: Fire Fighting (LA: US Forest Service, Dept of Agriculture); ESF 6: Mass Care (LA: American Red Cross); ESF 8: Health & Medical Services (LA: HHS); ESF 9: Urban Search & Rescue (LA: FEMA) |
| Government Services. SLL: FEMA for continuity of government services; DOJ/FBI for law enforcement and internal security | Federal Government services | State and local government services | Owns and operates most of the communications infrastructure used by government services | ESF 7: Resource Support (LA: GSA) |
| | | | | ESF 11: Food (LA: Dept of Agriculture) |
Acronym and Shortname List:
| Commerce | Department of Commerce |
| DOE | Department of Energy |
| DOJ | Department of Justice |
| DOT | Department of Transportation |
| EPA | Environmental Protection Agency |
| FBI | Federal Bureau of Investigation |
| FCC | Federal Communications Commission |
| FEMA | Federal Emergency Management Agency |
| HHS | Department of Health and Human Services |
| NCS | National Communications System |
| NIST | National Institute of Standards and Technology |
| NSTAC | President's National Security Telecommunications Advisory Committee |
Description of FEMA Emergency Support Functions (ESFs):
ESF 1: Transportation. Providing civilian and military transportation.
Lead agency: Department of Transportation
ESF 2: Communications. Providing telecommunications support.
Lead agency: National Communications System
ESF 3: Public Works and Engineering. Restoring essential public services
and facilities.
Lead agency: U.S. Army Corps of Engineers, Department of Defense
ESF 4: Fire Fighting. Detecting and suppressing wildland, rural and
urban fires.
Lead agency: U.S. Forest Service, Department of Agriculture
ESF 5: Information and Planning. Collecting, analyzing and disseminating
critical information to facilitate the overall federal response and
recovery operations.
Lead agency: Federal Emergency Management Agency
ESF 6: Mass Care. Managing and coordinating food, shelter and first
aid for victims; providing bulk distribution of relief supplies; operating
a system to assist family reunification.
Lead agency: American Red Cross
ESF 7: Resource Support. Providing equipment, materials, supplies
and personnel to federal entities during response operations.
Lead agency: General Services Administration
ESF 8: Health and Medical Services. Providing assistance for public
health and medical care needs.
Lead agency: U.S. Public Health Service, Department of Health and
Human Services
ESF 9: Urban Search and Rescue. Locating, extricating and providing
initial medical treatment to victims trapped in collapsed structures.
Lead agency: Federal Emergency Management Agency
ESF 10: Hazardous Materials. Supporting federal response to actual
or potential releases of oil and hazardous materials.
Lead agency: Environmental Protection Agency
ESF 11: Food. Identifying food needs; ensuring that food gets to
areas affected by disaster.
Lead agency: Food and Nutrition Service, Department of Agriculture
ESF 12: Energy. Restoring power systems and fuel supplies.
Lead agency: Department of Energy {45}
National Infrastructure Assurance Plan
When fully developed, the critical infrastructure protection plans will be
enormously complex. As a management tool for dividing the work,
the Lead Agencies for Sector Liaison develop the plans for their sectors.
The individual plans are then aggregated by the National Coordinator and
his staff into a coherent national level plan. This process is shown in
the following graphic: {46}
Each plan will address all elements of the sector operations, including
information systems. The Critical Infrastructure Segment called "Information
and Communications" will not include the information systems that
are organic to the other segments. The interfaces between segments and
segment plans will be addressed when the plans are rationalized by the
National Coordinator and staff. {47}
The Lead Agency for Sector Coordination is responsible for coordinating
with non-Federal Government elements in each sector to develop specific
plans and processes for inclusion in the National Plan. {48}
Initial operational capability (IOC) for the National Plan is targeted
for the year 2000, with final operational capability achieved by the year
2003. Following IOC in 2000, the National Coordinator is required to conduct
a zero-based review. {49}
Sources
The following were sources for the information contained in this report:
Personal Interviews
Frederick Tompkins
Unisys Corporation
Discussions through communications media throughout Fall 1998,
Interview in person on 27 October 1998, McLean, Virginia
Gordon Bendick, Colonel USAF (ret)
Deputy Chief, Critical Infrastructure Assurance Office
Interview in person on 28 October 1998, Rosslyn, Virginia
Michael Vatis
Director, National Infrastructure Protection Center
Interview in person on 1 September 1998, Washington D.C.
John O'Neill
Special Agent in Charge, New York City FBI Office
Interview in person on 19 November 1998, New York City
Electronically Published Documents
Critical Infrastructure Assurance Office
(CIAO) web pages
Electronic Privacy Information Center (EPIC), Critical
Infrastructure Protection and the Endangerment of Civil Liberties: An
Assessment of the President's Commission on Critical Infrastructure
Protection, October 1998
Executive Order 13010, 15 July
1996 (as amended)
Federal Bureau of Investigation (FBI)
web pages
Federal Emergency Management Agency
(FEMA) web pages
Hunker, Jeffrey. Critical
Infrastructure Protection: Overview and Agency Roles, 13 October
1998
Information Technology Association of
America (ITAA) web pages
National Infrastructure
Protection Center (NIPC) web pages
President's Commission on Critical
Infrastructure Protection (PCCIP) web pages
Report of the PCCIP, "Critical
Foundations: Thinking Differently," 13 October 1997
Singleton, Solveig. Encryption
Policy for the 21st Century: A Future Without Government-Prescribed
Key Recovery. November 19, 1998. Published by the Cato
Institute.
White Paper on PDD-63, 22 May
1998.
Conference and Meeting Attendance
National Defense Industrial Association (NDIA) Information Assurance
Study
Meetings held at TRW Fairlakes, Virginia 19 August, 23 September,
29 October 1998
National Information Systems Security Conference
Presentation by Commission Members, President's Commission on
Critical Infrastructure Protection, 6 October 1998
Presentations by:
Sue Simmons, Chief of Staff, Critical Infrastructure Assurance
Office
Irwin Pikus, Commission Member from Department of Commerce
David Jones, Commission Member from Department of Energy
John Davis, Commission Member from National Security Agency and Director,
National Computer Security Center, National Security Agency
Appendix 1 PCCIP
Learn more about the President's Commission
on Critical Infrastructure Protection at http://www.pccip.gov/.
The following information is taken from that site
for ease of reference.
About the PCCIP
Why the PCCIP Was Formed
The PCCIP was formed to advise and assist the President of the United
States by recommending a national strategy for protecting and assuring
critical infrastructures from physical and cyber threats. [The critical
sectors of the infrastructure are:]
- Information and Communications
- Electrical Power Systems
- Gas and Oil Transportation and Storage
- Banking and Finance
- Transportation
- Water Supply Systems
- Emergency Services
- Government Services {50}
PCCIP Fact Sheet
Electronic E-mail Bombs... Computer Hijacking... Logic Bombs... Data
Service Attacks...
An unidentified person sending millions of e-mail messages causes unexplained
outages in phone services and a shut-down in the 911 service of a major
metropolitan city....
A computer hacker "hijacks" a password in the air traffic control
system by waiting for someone manning a computer station to take a coffee
break without exiting the program....
A program hidden within a computer and set to activate at some point
in the future cleans out millions of bank accounts....
Could these possibilities and other forms of digitized assaults halt
the operations of electric power grids, natural gas pipelines, air traffic
control systems, railroad switching facilities or the stock exchange?
The President's Commission on Critical Infrastructure Protection was
the first national effort to address the vulnerabilities created in the
new information age. The Commission, established in July, 1996, by Presidential
Executive Order 13010, was tasked to formulate a comprehensive national
strategy for protecting the infrastructures we all depend on from physical
and "cyber" threats.
Critical Infrastructures are systems whose incapacity or destruction
would have a debilitating impact on the defense or economic security of
the nation. They include telecommunications, electrical power systems,
gas and oil, banking and finance, transportation, water supply systems,
government services and emergency services.
The Commission, chaired by aerospace industry leader Robert "Tom"
Marsh, included senior representatives from private industry, government
and academia. An Advisory Committee consisting of industry leaders provided
counsel to the Commission and a Steering Committee, made up of cabinet-level
officials, reviewed the Commission's report before forwarding it to the
President.
What is the Threat?
Anyone with the capability, technology, opportunity, and intent to do
harm. Potential threats can be foreign or domestic, internal or external,
state-sponsored or a single rogue element. Terrorists, insiders, disgruntled
employees, and hackers are included in this profile.
National Security is a Shared Responsibility.
The fact that most of the nation's vital services are delivered by private
companies creates a significant challenge in determining where the responsibility
of protecting our critical infrastructures falls. This Commission addressed
this challenge by bringing the private and public sectors together to
assess infrastructure vulnerabilities and develop assurance strategies
for the future. The Commission consulted with over 6,000 representatives
from the private and public sectors including industry executives, security
experts, government agencies and private citizens.
PCCIP Sector Teams.
The Commission was divided into five teams, representing the eight critical
infrastructures.
Each team evaluated the growing risk, threats, and vulnerabilities within
its sector. The sector teams and their industries include:
- Information & Communications - telecommunications, computers
& software, Internet, satellites, fiber optics
- Physical Distribution - railroads, air traffic, maritime, intermodal,
pipelines
- Energy - electrical power, natural gas, petroleum, production, distribution
& storage
- Banking & Finance - financial transactions, stock & bond
markets, federal reserve
- Vital Human Services - water, emergency services, government services
The Commission submitted its report, Critical Foundations, to the White
House in October, 1997. {51}
Our Nation's Critical Infrastructures: Some Working Definitions
Information and Communications: Computing and telecommunications equipment,
software, processes, and people that support the processing, storage,
and transmission of data and information; the processes and people that
convert data into information and information into knowledge; and the
data and information themselves.
Electrical Power Systems: The generation stations, transmission and distribution
networks that create and supply electricity to end-users so that end-users
achieve and maintain nominal functionality, including the transportation
and storage of fuel essential to that system.
Gas and Oil Production, Storage and Transportation: The production and
holding facilities for natural gas, crude and refined petroleum, and petroleum-derived
fuels, the refining and processing facilities for these fuels and the
pipelines, ships, trucks, and rail systems that transport these commodities
from their source to systems that are dependent upon gas and oil in one
of their useful forms.
Banking and Finance: The retail and commercial organizations, investment
institutions, exchange boards, trading houses, and reserve systems, and
associated operational organizations, government operations, and support
entities, that are involved in all manner of monetary transactions, including
its storage for saving purposes, its investment for income purposes, its
exchange for payment purposes, and its disbursement in the form of loans
and other financial instruments.
Transportation: The nation's physical distribution system critical to
supporting the national security and economic well-being of this nation,
including the national airspace system, airlines and aircraft, and airports;
roads and highways, trucking and personal vehicles; ports and waterways
and the vessels operating thereon; mass transit, both rail and bus; pipelines,
including natural gas, petroleum, and other hazardous materials; freight
and long haul passenger rail; and delivery services.
Water Supply Systems: The sources of water, reservoirs and holding facilities,
aqueducts and other transport systems, the filtration, cleaning and treatment
systems, the pipelines, the cooling systems and other delivery mechanisms
that provide for domestic and industrial applications, including systems
for dealing with water runoff, waste water, and firefighting.
Emergency Services: The medical, police, fire, and rescue systems and
personnel that are called upon when an individual or community is responding
to emergencies. These services are typically provided at the local level
(county or metropolitan area). In addition, state and Federal response
plans define emergency support functions to assist in response and recovery.
Government Services: Sufficient capabilities at the Federal, state and
local levels of government are required to meet the needs for essential
services to the public. {52}
Report Summary
This report summary is also available in a formatted Acrobat version
(30k). The report itself is also available at this Web site. [http://www.pccip.gov/report_index.html]
Critical Foundations: Thinking Differently
"Our responsibility is to build the world of tomorrow by embarking
on a period of construction -- one based on current realities but enduring
American values and interests..."
President William J. Clinton National Security Strategy
Introduction
The United States is in the midst of a tremendous cultural change --
a change that affects every aspect of our lives. The cyber dimension promotes
accelerating reliance on our infrastructures and offers access to them
from all over the world, blurring traditional boundaries and jurisdictions.
National defense is not just about government anymore, and economic security
is not just about business. The critical infrastructures are central to
our national defense and our economic power, and we must lay the foundations
for their future security on a new form of cooperation between the private
sector and the federal government.
The federal government has an important role to play in defense against
cyber threats -- collecting information about tools that can do harm,
conducting research into defensive technologies, and sharing defensive
techniques and best practices. Government also must lead and energize
its own protection efforts, and engage the private sector by offering
expertise to facilitate protection of privately owned infrastructures.
In the private sector, the defenses and responsibilities naturally encouraged
and expected as prudent business practice for owners and operators of
our infrastructures are the very same measures needed to protect against
the cyber tools available to terrorists and other threats to national
security.
Venues for Change
Terrorist bombings of US forces in Saudi Arabia, the World Trade Center
in New York City, and the federal building in Oklahoma City remind us
that the end of the Cold War has not eliminated threats of hostile action
against the United States.
In recognition of comparable threats to our national infrastructures,
President Clinton signed Executive Order 13010 on July 15, 1996, establishing
the President's Commission on Critical Infrastructure Protection. The
Commission was chartered to conduct a comprehensive review and recommend
a national policy for protecting critical infrastructures and assuring
their continued operation.
Our Process -- Who We Are and What We Did
Composition and Operation of the Commission
This was an unusually large commission with broad representation from
federal departments and agencies and from the private sector. An Advisory
Committee of industry leaders appointed by the President provided the
perspective of the infrastructure owners and operators. A Steering Committee,
composed of the Commission's Chairman and four top government officials,
oversaw the Commission's work on behalf of the Principals Committee, which
included Cabinet Officers, heads of agencies, and senior White House staff
members.
The Commission generally operated by consensus. Every recommendation
was discussed at length with the full Commission and most were revised
several times before final approval. No Commissioner agreed completely
with all of the recommendations. Nevertheless, each accepted the final
report as a reasonable and balanced recommendation to the President.
Sector Studies
The Commission divided its work into five "sectors" based on
the common characteristics of the included industries. The sectors are:
1. Information and Communications
2. Banking and Finance
3. Energy, Including Electrical Power, Oil and Gas
4. Physical Distribution
5. Vital Human Services
The Commission characterized the sectors, studied their vulnerabilities,
and looked for solutions.
We prepared comprehensive working papers for each of the five sectors
providing specific recommendations. Other work contains the results of
deliberations on issues that are not sector specific. Among them is a
paper on Research and Development Recommendations, which outlines
a comprehensive set of topics regarding the long term needs of infrastructure
protection. The paper on National Structures contains our conclusions
and recommendations about the functions and responsibilities for infrastructure
assurance and the creation of new units in the federal government and
the private sector, and some that are jointly staffed by government employees
and representatives of the infrastructure owners and operators. The paper
on Shared Infrastructures: Shared Threats is our collected analysis
of the vulnerabilities and threats facing the critical infrastructures.
We recognize the enormous significance of physical threats, but we have
a significant amount of experience in dealing with them. It is the cyber
threat that is new. Cyber issues dominate this analysis because networked
information systems present fundamentally new security challenges.
Public Hearings and Outreach
We conducted extensive meetings with a range of professional and trade
associations concerned with the infrastructures, private sector infrastructure
users and providers, academia, different state and local government agencies,
consumers, federal agencies, and numerous others. Of special interest
were five public meetings in major cities.
We attended dozens of conferences and roundtables with a variety of groups,
and we arranged two strategic simulations with participants drawn from
across the infrastructures and from all levels of government. We encouraged
questions and comments by anyone, and established a World Wide Web site
to facilitate contact. Several meetings with Congressional Members and
their staffs added a very useful perspective to our research.
Development of our Critical Issues
During the preparation of the sector papers we identified several dozen
issues for which recommendations might be appropriate. Each issue was
described, relevant observations, findings, and conclusions were collected,
and several alternative recommendations were prepared. The Commission
then deliberated each issue and selected one of the alternative recommendations.
We Found
Increasing Dependence on Critical Infrastructures
The development of the computer and its astonishingly rapid improvements
have ushered in the Information Age that affects almost all aspects of
American commerce and society. Our security, economy, way of life, and
perhaps even survival, are now dependent on the interrelated trio of electrical
energy, communications, and computers.
Increasing Vulnerabilities
Classical physical disruptions. A satchel of dynamite or a truckload
of fertilizer and diesel fuel have been frequent terrorist tools. The
explosion and the damage are so certain to draw attention that these kinds
of attacks continue to be among the probable threats to our infrastructures.
New, cyber threats. Today, the right command sent over a network to a
power generating station's control computer could be just as effective
as a backpack full of explosives, and the perpetrator would be harder
to identify and apprehend.
The rapid growth of a computer-literate population ensures that increasing
millions of people possess the skills necessary to consider such an attack.
The wide adoption of public protocols for system interconnection and the
availability of "hacker tool" libraries make their task easier.
While the resources needed to conduct a physical attack have not changed
much recently, the resources necessary to conduct a cyber attack are now
commonplace. A personal computer and a simple telephone connection to
an Internet Service Provider anywhere in the world are enough to cause
a great deal of harm.
System complexities and interdependencies. The energy and communications
infrastructures especially are growing in complexity and operating closer
to their designed capacity. This creates an increased possibility of cascading
effects that begin with a rather minor and routine disturbance and end
only after a large regional outage. Because of their technical complexity,
some of these dependencies may be unrecognized until a major failure occurs.
A Wide Spectrum of Threats
Of the many people with the necessary skills and resources, some may
have the motivation to cause substantial disruption in services or destruction
of the equipment used to provide the service.
This list of the kinds of threats we considered shows the scope of activity
with potentially adverse consequences for the infrastructures, and the
diversity of people who might engage in that activity. It may not be possible
to categorize the threat until the perpetrator is identified -- for example,
we may not be able to distinguish industrial espionage from national intelligence
collection.
Natural events and accidents. Storm-driven wind and water regularly cause
service outages, but the effects are well known, the providers are experienced
in dealing with these situations, and the effects are limited in time
and geography.
Accidental physical damage to facilities is known to cause a large fraction
of system incidents. Common examples are fires and floods at central facilities
and the ubiquitous backhoe that unintentionally severs pipes or cables.
Blunders, errors, and omissions. By most accounts, incompetent, inquisitive,
or unintentional human actions (or omissions) cause a large fraction of
the system incidents that are not explained by natural events and accidents.
Since these usually only affect local areas, service is quickly restored;
but there is potential for a nationally significant event.
Insiders. Normal operation demands that a large number of people have
authorized access to the facilities or to the associated information and
communications systems. If motivated by a perception of unfair treatment
by management, or if suborned by an outsider, an "insider" could
use authorized access for unauthorized disruptive purposes.
Recreational hackers. For an unknown number of people, gaining unauthorized
electronic access to information and communication systems is a most fascinating
and challenging game. Often they deliberately arrange for their activities
to be noticed even while hiding their specific identities. While their
motivations do not include actual disruption of service, the tools and
techniques they perfect among their community are available to those with
hostile intent.
Criminal activity. Some are interested in personal financial gain through
manipulation of financial or credit accounts or stealing services. In
contrast to some hackers, these criminals typically hope their activities
will never be noticed, much less attributed to them. Organized crime groups
may be interested in direct financial gain, or in covering their activity
in other areas.
Industrial espionage. Some firms can find reasons to discover the proprietary
activities of their competitors, by open means if possible or by criminal
means if necessary. Often these are international activities conducted
on a global scale.
Terrorism. A variety of groups around the world would like to influence
US policy and are willing to use disruptive tactics if they think that
will help.
National intelligence. Most, if not all, nations have at least some interest
in discovering what would otherwise be secrets of other nations for a
variety of economic, political, or military purposes.
Information warfare. Both physical and cyber attacks on our infrastructures
could be part of a broad, orchestrated attempt to disrupt a major US military
operation or a significant economic activity.
Lack of Awareness
We have observed that the general public seems unaware of the extent
of the vulnerabilities in the services that we all take for granted, and
that within government and among industry decision-makers, awareness is
limited. Several have told us that there has not yet been a cause for
concern sufficient to demand action.
We do acknowledge that this situation seems to be changing for the better.
The public news media seem to be carrying relevant articles more frequently;
attendance at conferences of security professionals is up; and vendors
are actively introducing new security products.
The Commission believes that the actions recommended in this report will
increase sensitivity to these problems and reduce our vulnerabilities
at all levels.
No National Focus
Related to the lack of awareness is the need for a national focus or
advocate for infrastructure protection. Following up on our report to
the President, we need to build a framework of effective deterrence and
prevention.
This is not simply the usual study group's lament that "no one is
in charge." These infrastructures are so varied, and form such a
large part of this nation's economic activity, that no one person or organization
can be in charge. We do not need, and probably could not stand, the appointment
of a Director of Infrastructures. We do need, and recommend, several more
modest ways to create and maintain a national focus on the issues.
Protection of our infrastructures will not be accomplished by a big federal
project. It will require continuous attention and incremental improvement
for the foreseeable future.
We Concluded
Life on the information superhighway isn't much different from life on
the streets; the good guys have to hustle to keep the bad guys from getting
ahead.
Rules Change in Cyberspace -- New Thinking is Required
It is not surprising that infrastructures have always been attractive
targets for those who would do us harm. In the past we have been protected
from hostile attacks on the infrastructures by broad oceans and friendly
neighbors. Today, the evolution of cyber threats has changed the situation
dramatically. In cyberspace, national borders are no longer relevant.
Electrons don't stop to show passports.
Potentially serious cyber attacks can be conceived and planned without
detectable logistic preparation. They can be invisibly reconnoitered,
clandestinely rehearsed, and then mounted in a matter of minutes or even
seconds without revealing the identity and location of the attacker.
Formulas that carefully divide responsibility between foreign defense
and domestic law enforcement no longer apply as clearly as they used to.
"With the existing rules, you may have to solve the crime before
you can decide who has the authority to investigate it." [Senator
Sam Nunn, remarks to the PCCIP Advisory Committee. Washington, DC, September
7, 1997]
We Should Act Now to Protect our Future
The Commission has not discovered an imminent attack or a credible threat
sufficient to warrant a sense of immediate national crisis. However, we
are quite convinced that our vulnerabilities are increasing steadily while
the costs associated with an effective attack continue to drop. What is
more, the investments required to improve the situation are still relatively
modest, but will rise if we procrastinate.
We should attend to our critical foundations before the storm arrives,
not after: Waiting for disaster will prove as expensive as it is irresponsible.
Infrastructure Assurance is a Shared Responsibility
National security requires much more than military strength. Our world
position, our ability to influence others, our standard of living, and
our own self-image depend on economic prosperity and public confidence.
Clear distinctions between foreign and domestic policy no longer serve
our interests well.
At the same time, the effective operation of our military forces depends
more and more on the continuous availability of infrastructures, especially
communications and transportation, that are not dedicated to military
use.
While no nation state is likely to attack our territory or our armed
forces, we are inevitably the target of ill will and hostility from some
quarters. Disruption of the services on which our economy and well-being
depend could have significant effects, and if repeated frequently could
seriously harm public confidence. Because our military and private infrastructures
are becoming less and less separate, because the threats are harder to
differentiate as from local criminals or foreign powers, and because the
techniques of protection, mitigation, and restoration are largely the
same, we conclude that responsibility for infrastructure protection and
assurance can no longer be delegated on the basis of who the attacker
is or where the attack originates. Rather, the responsibility should be
shared cooperatively among all of the players.
We Recommend
A Broad Program of Awareness and Education
Because of our finding that the public in general and many industry and
government leaders are insufficiently aware of the vulnerabilities, we
have recommended a broad and continuous program of awareness and education
to cover all possible audiences. We include White House conferences, National
Academy studies, presentations at industry associations and professional
societies, development and promulgation of elementary and secondary curricula,
and sponsorship of graduate studies and programs.
Infrastructure Protection through Industry Cooperation and Information
Sharing
We believe the quickest and most effective way to achieve a much higher
level of protection from cyber threats is to raise the level of existing
protection through application of "best practices." We have
accordingly recommended a sector-by-sector cooperation and information
sharing strategy. In general, these sector structures should be partnerships
among the owners and operators, and appropriate government agencies, which
will identify and communicate best practices. We have especially asked
the National Institute of Standards and Technology (NIST) and the National
Security Agency (NSA) to provide technical skills and expertise required
to identify and evaluate vulnerabilities in the associated information
networks and control systems.
One very effective practice is a quantitative risk-management process,
addressing physical attacks, cyber attacks that could corrupt essential
information or deny service, the possibility of cascading effects, and
new levels of interdependency.
The first focus of sector cooperation should be to share information
and techniques related to risk management assessments. This should include
development and deployment of ways to prevent attacks, mitigate damage,
quickly recover services, and eventually reconstitute the infrastructure.
We suggest consideration of these immediate actions prior to the completion
of a formal risk assessment: (1) Isolate critical control systems from
insecure networks by disconnection or adequate firewalls; (2) Adopt best
practices for password control and protection, or install more modern
authentication mechanisms; (3) Provide for individual accountability through
protected action logs or the equivalent.
The sector cooperation and information sharing needed to improve risk
assessments and to protect against probable attacks may naturally develop
into sharing of information on current status. This would permit assessing
whether one of the infrastructures is under a coordinated attack -- physical,
cyber, or combined. As this process develops, the national center for
analysis of such information should be in place and ready to cooperate.
Reconsideration of Laws Related to Infrastructure Protection
Law has failed to keep pace with technology. Some laws capable of promoting
assurance are not as clear or effective as they could be. Still others
can operate in ways that may be unfriendly to security concerns. Sorting
them all out will be a lengthy and massive undertaking, involving efforts
at local, state, federal, and international levels. Recognizing the dynamic
nature of legal reform, we attempted to lay a foundation through various
studies, papers, and a legal authorities database that can aid eventual
implementation of our recommendations and assist owners, operators, and
government at all levels.
We also offered a number of preliminary legal recommendations intended
to jump-start this process of reform. We identified existing laws that
could help the government take the lead and serve as a model of standards
and practices for the private sector. We identified other areas of law
which, with careful attention, can enable infrastructure owners and operators
to take precautions proportionate to the threat. We identified still other
areas of law that should be molded to enable a greater degree of government-industry
partnership in areas such as information sharing.
A Revised Program of Research and Development
The Commission believes that some of the basic technology needed to improve
infrastructure protection already exists, but needs to be widely deployed.
In other areas, additional research effort is needed.
At the same time the Commission recognizes that we are not now able to
deploy several capabilities that we need. We have, therefore, recommended
a program of research and development focused on those future capabilities.
Among them are new capabilities for detection and identification of intrusion
and improved simulation and modeling capability to understand the effects
of interconnected and fully interdependent infrastructures.
A National Organization Structure
In order to be effective, recommendations must discuss not only what
is to be done, but how it will get done and who will do it. We have recommended
the following partnering organizations be established to be responsible
for specific parts of our vision:
- Sector Coordinators to provide the focus for industry cooperation
and information sharing, and to represent the sector in matters of
national cooperation and policy;
- Lead Agencies, designated within the federal government, to serve
as a conduit from the government into each sector and to facilitate
the creation of sector coordinators, if needed;
- National Infrastructure Assurance Council of industry CEOs, Cabinet
Secretaries, and representatives of state and local government to
provide policy advice and implementation commitment;
- Information Sharing and Analysis Center to begin the step-by-step
process of establishing a realistic understanding of what is going
on in our infrastructures -- of distinguishing actual attack from
coincidental events;
- Infrastructure Assurance Support Office to house the bulk of the
national staff which is responsible for continuous management and
follow-through of our recommendations; and
- Office of National Infrastructure Assurance as the top-level policy
making office connected closely to the National Security Council and
the National Economic Council.
Conclusion
It is clear to us that infrastructure assurance must be a high priority
for the nation in the Information Age. With escalating dependence on information
and telecommunications, our infrastructures no longer enjoy the protection
of oceans and military forces. They are vulnerable in new ways. We must
protect them in new ways. And that is what we recommend in this report.
The public and private sectors share responsibility for infrastructure
protection. Our recommendations seek to provide structures for the partnership
needed to assure our future security. Further, they seek to define new
ways for approaching infrastructure assurance -- ways that recognize the
new thinking required in the Information Age, the new international security
environment emerging from our victory in the Cold War and both the promise
and danger of technology moving at breakneck speed.
We do not so much offer solutions as directions -- compass headings that
will help navigate through a new geography and ensure the continuity of
the infrastructures that underpin America's economic, military, and social
strength." {53}
Appendix 2 CIAO
For ease of reference, high-level information
about the CIAO is reproduced here. This information was downloaded from
the CIAO web page, which can be found at http://www.ciao.gov/.
Critical infrastructure assurance is a new capability that resides right
at the point where our national security and economic security merge.
The Critical Infrastructure Assurance Office (CIAO), announced by President
Clinton in May 1998, will facilitate the creation of a national plan to
protect the services that we depend on daily: telecommunications, banking
and finance, electric power, transportation, gas and oil, emergency services
and government services. This initiative will require a new level of commitment
to partnership between the public and private sectors, specifically in
the areas of policy formation and information sharing. {54}
Introduction to the CIAO
In a statement before the House of Representatives in June 1998, Dr.
Jeffrey Hunker, CIAO's director, made the following remarks about the
Critical Infrastructure Assurance Office.
"PDD-63 calls for a national plan coordination office, which we
have named the Critical Infrastructure Assurance Office. PDD-63 charges
this Office with integrating the various sector plans into a National
Infrastructure Assurance Plan and coordinating analyses of the U.S. Government's
own dependencies on critical infrastructures. The Office will also assist
in coordinating a national education and awareness program as well as
associated legislative and public affairs.
"To put it succinctly, I see the Critical Infrastructure Assurance
Office as the engine that will help drive the train of the development
of the national plan. We have been fortunate to be able to take advantage
of the unique expertise and talent of the former commissioners and staff
of the President's Commission on Critical Infrastructure Protection. We
hope to assist the National Coordinator to achieve the creation of a successful
national plan to protect the nation's critical infrastructures from intentional,
debilitating attacks." {55}
White Paper on PDD-63
The Clinton Administration's Policy on Critical Infrastructure Protection:
Presidential Decision Directive 63 May 1998
This White Paper explains key elements of the Clinton Administration's
policy on critical infrastructure protection. It is intended for dissemination
to all interested parties in both the private and public sectors. It will
also be used in U.S. Government professional education institutions, such
as the National Defense University and the National Foreign Affairs Training
Center, for coursework and exercises on interagency practices and procedures.
Wide dissemination of this unclassified White Paper is encouraged by all
agencies of the U.S. Government.
I. A Growing Potential Vulnerability
The United States possesses both the world's strongest military and its
largest national economy. Those two aspects of our power are mutually
reinforcing and dependent. They are also increasingly reliant upon certain
critical infrastructures and upon cyber-based information systems.
Critical infrastructures are those physical and cyber-based systems essential
to the minimum operations of the economy and government. They include,
but are not limited to, telecommunications, energy, banking and finance,
transportation, water systems and emergency services, both governmental
and private. Many of the nation's critical infrastructures have historically
been physically and logically separate systems that had little interdependence.
As a result of advances in information technology and the necessity of
improved efficiency, however, these infrastructures have become increasingly
automated and interlinked.
These same advances have created new vulnerabilities to equipment failures,
human error, weather and other natural causes, and physical and cyber
attacks. Addressing these vulnerabilities will necessarily require flexible,
evolutionary approaches that span both the public and private sectors,
and protect both domestic and international security.
Because of our military strength, future enemies, whether nations, groups
or individuals, may seek to harm us in non-traditional ways including
attacks within the United States. Our economy is increasingly reliant
upon interdependent and cyber-supported infrastructures and non-traditional
attacks on our infrastructure and information systems may be capable of
significantly harming both our military power and our economy.
II. President's Intent
It has long been the policy of the United States to assure the continuity
and viability of critical infrastructures. President Clinton intends that
the United States will take all necessary measures to swiftly eliminate
any significant vulnerability to both physical and cyber attacks on our
critical infrastructures, including especially our cyber systems.
III. A National Goal
No later than the year 2000, the United States shall have achieved an
initial operating capability and no later than five years from the day
the President signed Presidential Decision Directive 63 the United States
shall have achieved and shall maintain the ability to protect our nation's
critical infrastructures from intentional acts that would significantly
diminish the abilities of: the Federal Government to perform essential
national security missions and to ensure the general public health and
safety; state and local governments to maintain order and to deliver minimum
essential public services; the private sector to ensure the orderly functioning
of the economy and the delivery of essential telecommunications, energy,
financial and transportation services.
Any interruptions or manipulations of these critical functions must be
brief, infrequent, manageable, geographically isolated and minimally detrimental
to the welfare of the United States.
IV. A Public-Private Partnership to Reduce Vulnerability
Since the targets of attacks on our critical infrastructure would likely
include both facilities in the economy and those in the government, the
elimination of our potential vulnerability requires a closely coordinated
effort of both the public and the private sector. To succeed, this partnership
must be genuine, mutual and cooperative. In seeking to meet our national
goal to eliminate the vulnerabilities of our critical infrastructure,
therefore, the U.S. government should, to the extent feasible, seek to
avoid outcomes that increase government regulation or expand unfunded
government mandates to the private sector.
For each of the major sectors of our economy that are vulnerable to infrastructure
attack, the Federal Government will appoint from a designated Lead Agency
a senior officer of that agency as the Sector Liaison Official to work
with the private sector. Sector Liaison Officials, after discussions and
coordination with private sector entities of their infrastructure sector,
will identify a private sector counterpart (Sector Coordinator) to represent
their sector.
Together these two individuals and the departments and corporations they
represent shall contribute to a sectoral National Infrastructure Assurance
Plan by: assessing the vulnerabilities of the sector to cyber or physical
attacks; recommending a plan to eliminate significant vulnerabilities;
proposing a system for identifying and preventing attempted major attacks;
developing a plan for alerting, containing and rebuffing an attack in
progress and then, in coordination with FEMA as appropriate, rapidly reconstituting
minimum essential capabilities in the aftermath of an attack.
During the preparation of the sectoral plans, the National Coordinator
(see section VI), in conjunction with the Lead Agency Sector Liaison Officials
and a representative from the National Economic Council, shall ensure
their overall coordination and the integration of the various sectoral
plans, with a particular focus on interdependencies.
V. Guidelines
In addressing this potential vulnerability and the means of eliminating
it, President Clinton wants those involved to be mindful of the following
general principles and concerns.
- We shall consult with, and seek input from, the Congress on approaches
and programs to meet the objectives set forth in this directive.
- The protection of our critical infrastructures is necessarily a shared
responsibility and partnership between owners, operators and the
government. Furthermore, the Federal Government shall encourage
international cooperation to help manage this increasingly global
problem.
- Frequent assessments shall be made of our critical infrastructures'
existing reliability, vulnerability and threat environment because, as
technology and the nature of the threats to our critical infrastructures
will continue to change rapidly, so must our protective measures and
responses be robustly adaptive.
- The incentives that the market provides are the first choice for
addressing the problem of critical infrastructure protection; regulation
will be used only in the face of a material failure of the market to
protect the health, safety or well-being of the American people. In such
cases, agencies shall identify and assess available alternatives to
direct regulation, including providing economic incentives to encourage
the desired behavior, or providing information upon which choices can
be made by the private sector. These incentives, along with other
actions, shall be designed to help harness the latest technologies,
bring about global solutions to international problems, and enable
private sector owners and operators to achieve and maintain the maximum
feasible security.
- The full authorities, capabilities and resources of the government,
including law enforcement, regulation, foreign intelligence and defense
preparedness shall be available, as appropriate, to ensure that critical
infrastructure protection is achieved and maintained.
- Care must be taken to respect privacy rights. Consumers and operators
must have confidence that information will be handled accurately,
confidentially and reliably.
- The Federal Government shall, through its research, development and
procurement, encourage the introduction of increasingly capable methods
of infrastructure protection.
- The Federal Government shall serve as a model to the private sector on
how infrastructure assurance is best achieved and shall, to the extent
feasible, distribute the results of its endeavors.
- We must focus on preventative measures as well as threat and crisis
management. To that end, private sector owners and operators should be
encouraged to provide maximum feasible security for the infrastructures
they control and to provide the government necessary information to
assist them in that task. In order to engage the private sector fully,
it is preferred that participation by owners and operators in a national
infrastructure protection system be voluntary.
- Close cooperation and coordination with state and local governments and
first responders is essential for a robust and flexible infrastructure
protection program. All critical infrastructure protection plans and
actions shall take into consideration the needs, activities and
responsibilities of state and local governments and first responders.
VI. Structure and Organization
The Federal Government will be organized for the purposes of this endeavor
around four components (elaborated in Annex A).
1. Lead Agencies for Sector Liaison: For each infrastructure sector that
could be a target for significant cyber or physical attacks, there will
be a single U.S. Government department which will serve as the lead agency
for liaison. Each Lead Agency will designate one individual of Assistant
Secretary rank or higher to be the Sector Liaison Official for that area
and to cooperate with the private sector representatives (Sector Coordinators)
in addressing problems related to critical infrastructure protection and,
in particular, in recommending components of the National Infrastructure
Assurance Plan. Together, the Lead Agency and the private sector counterparts
will develop and implement a Vulnerability Awareness and Education Program
for their sector.
2. Lead Agencies for Special Functions: There are, in addition, certain
functions related to critical infrastructure protection that must be chiefly
performed by the Federal Government (national defense, foreign affairs,
intelligence, law enforcement). For each of those special functions, there
shall be a Lead Agency which will be responsible for coordinating all
of the activities of the United States Government in that area. Each lead
agency will appoint a senior officer of Assistant Secretary rank or higher
to serve as the Functional Coordinator for that function for the Federal
Government.
3. Interagency Coordination: The Sector Liaison Officials and Functional
Coordinators of the Lead Agencies, as well as representatives from other
relevant departments and agencies, including the National Economic Council,
will meet to coordinate the implementation of this directive under the
auspices of a Critical Infrastructure Coordination Group (CICG), chaired
by the National Coordinator for Security, Infrastructure Protection and
Counter-Terrorism. The National Coordinator will be appointed by and report
to the President through the Assistant to the President for National Security
Affairs, who shall assure appropriate coordination with the Assistant
to the President for Economic Affairs. Agency representatives to the CICG
should be at a senior policy level (Assistant Secretary or higher). Where
appropriate, the CICG will be assisted by extant policy structures, such
as the Security Policy Board, Security Policy Forum and the National Security
and Telecommunications and Information System Security Committee.
4. National Infrastructure Assurance Council: On the recommendation of
the Lead Agencies, the National Economic Council and the National Coordinator,
the President will appoint a panel of major infrastructure providers and
state and local government officials to serve as the National Infrastructure
Assurance Council. The President will appoint the Chairman. The National
Coordinator will serve as the Council's Executive Director. The National
Infrastructure Assurance Council will meet periodically to enhance the
partnership of the public and private sectors in protecting our critical
infrastructures and will provide reports to the President as appropriate.
Senior Federal Government officials will participate in the meetings of
the National Infrastructure Assurance Council as appropriate.
VII. Protecting Federal Government Critical Infrastructures
Every department and agency of the Federal Government shall be responsible
for protecting its own critical infrastructure, especially its cyber-based
systems. Every department and agency Chief Information Officer (CIO) shall
be responsible for information assurance. Every department and agency
shall appoint a Chief Infrastructure Assurance Officer (CIAO) who shall
be responsible for the protection of all of the other aspects of that
department's critical infrastructure. The CIO may be double-hatted as
the CIAO at the discretion of the individual department. These officials
shall establish procedures for obtaining expedient and valid authorizations
to allow vulnerability assessments to be performed on government computer
and physical systems. The Department of Justice shall establish legal
guidelines for providing for such authorizations.
No later than 180 days from issuance of this directive, every department
and agency shall develop a plan for protecting its own critical infrastructure,
including but not limited to its cyber-based systems. The National Coordinator
shall be responsible for coordinating analyses required by the departments
and agencies of inter-governmental dependencies and the mitigation of
those dependencies. The Critical Infrastructure Coordination Group (CICG)
shall sponsor an expert review process for those plans. No later than
two years from today, those plans shall have been implemented and shall
be updated every two years. In meeting this schedule, the Federal Government
shall present a model to the private sector on how best to protect critical
infrastructure.
VIII. Tasks
Within 180 days, the Principals Committee should submit to the President
a schedule for completion of a National Infrastructure Assurance Plan
with milestones for accomplishing the following subordinate and related
tasks.
1. Vulnerability Analyses: For each sector of the economy and each sector
of the government that might be a target of infrastructure attack intended
to significantly damage the United States, there shall be an initial vulnerability
assessment, followed by periodic updates. As appropriate, these assessments
shall also include the determination of the minimum essential infrastructure
in each sector.
2. Remedial Plan: Based upon the vulnerability assessment, there shall
be a recommended remedial plan. The plan shall identify timelines for
implementation, responsibilities and funding.
3. Warning: A national center to warn of significant infrastructure attacks
will be established immediately (see Annex A). As soon thereafter as possible,
we will put in place an enhanced system for detecting and analyzing such
attacks, with maximum possible participation of the private sector.
4. Response: A system shall develop a system for responding to a significant
infrastructure attack while it is underway, with the goal of isolating
and minimizing damage.
5. Reconstitution: For varying levels of successful infrastructure attacks,
we shall have a system to reconstitute minimum required capabilities rapidly.
6. Education and Awareness: There shall be Vulnerability Awareness and
Education Programs within both the government and the private sector to
sensitize people regarding the importance of security and to train them
in security standards, particularly regarding cyber systems.
7. Research and Development: Federally-sponsored research and development
in support of infrastructure protection shall be coordinated, be subject
to multi-year planning, take into account private sector research, and
be adequately funded to minimize our vulnerabilities on a rapid but achievable
timetable.
8. Intelligence: The Intelligence Community shall develop and implement
a plan for enhancing collection and analysis of the foreign threat to
our national infrastructure, to include but not be limited to the foreign
cyber/information warfare threat.
9. International Cooperation: There shall be a plan to expand cooperation
on critical infrastructure protection with like-minded and friendly nations,
international organizations and multinational corporations.
10. Legislative and Budgetary Requirements: There shall be an evaluation
of the executive branch's legislative authorities and budgetary priorities
regarding critical infrastructure, and ameliorative recommendations shall
be made to the President as necessary. The evaluations and recommendations,
if any, shall be coordinated with the Director of OMB.
The CICG shall also review and schedule the taskings listed in Annex
B.
IX. Implementation
In addition to the 180-day report, the National Coordinator, working
with the National Economic Council, shall provide an annual report on
the implementation of this directive to the President and the heads of
departments and agencies, through the Assistant to the President for National
Security Affairs. The report should include an updated threat assessment,
a status report on achieving the milestones identified for the National
Plan and additional policy, legislative and budgetary recommendations.
The evaluations and recommendations, if any, shall be coordinated with
the Director of OMB. In addition, following the establishment of an initial
operating capability in the year 2000, the National Coordinator shall
conduct a zero-based review.
Annex A: Structure and Organization
Lead Agencies: Clear accountability within the U.S. Government must be
designated for specific sectors and functions. The following assignments
of responsibility will apply.
Lead Agencies for Sector Liaison
| Commerce | Information and communications |
| Treasury | Banking and finance |
| EPA | Water supply |
| Transportation | Aviation, Highways (including trucking and intelligent transportation systems), Mass transit, Pipelines, Rail, Waterborne commerce |
| Justice/FBI | Emergency law enforcement services |
| FEMA | Emergency fire service, Continuity of government services |
| HHS | Public health services, including prevention, surveillance, laboratory services and personal health services |
| Energy | Electric power, Oil and gas production and storage |
Lead Agencies for Special Functions
| Justice/FBI | Law enforcement and internal security |
| CIA | Foreign intelligence |
| State | Foreign affairs |
| Defense | National defense |
In addition, OSTP shall be responsible for coordinating research and
development agendas and programs for the government through the National
Science and Technology Council. Furthermore, while Commerce is the lead
agency for information and communication, the Department of Defense will
retain its Executive Agent responsibilities for the National Communications
System and support of the President's National Security Telecommunications
Advisory Committee.
National Coordinator
The National Coordinator for Security, Infrastructure Protection and
Counter-Terrorism shall be responsible for coordinating the implementation
of this directive. The National Coordinator will report to the President
through the Assistant to the President for National Security Affairs.
The National Coordinator will also participate as a full member of Deputies
or Principals Committee meetings when they meet to consider infrastructure
issues. Although the National Coordinator will not direct Departments
and Agencies, he or she will ensure interagency coordination for policy
development and implementation, and will review crisis activities concerning
infrastructure events with significant foreign involvement. The National
Coordinator will provide advice, in the context of the established annual
budget process, regarding agency budgets for critical infrastructure protection.
The National Coordinator will chair the Critical Infrastructure Coordination
Group (CICG), reporting to the Deputies Committee (or, at the call of
its chair, the Principals Committee). The Sector Liaison Officials and
Special Function Coordinators shall attend the CICG's meetings. Departments
and agencies shall each appoint to the CICG a senior official (Assistant
Secretary level or higher) who will regularly attend its meetings. The
National Security Advisor shall appoint a Senior Director for Infrastructure
Protection on the NSC staff.
A National Plan Coordination (NPC) staff will be contributed on a non-reimbursable
basis by the departments and agencies, consistent with law. The NPC staff
will integrate the various sector plans into a National Infrastructure
Assurance Plan and coordinate analyses of the U.S. Government's own dependencies
on critical infrastructures. The NPC staff will also help coordinate a
national education and awareness program, and legislative and public affairs.
The Defense Department shall continue to serve as Executive Agent for
the Commission Transition Office, which will form the basis of the NPC,
during the remainder of FY98. Beginning in FY99, the NPC shall be an office
of the Commerce Department. The Office of Personnel Management shall provide
the necessary assistance in facilitating the NPC's operations.
The NPC will terminate at the end of FY01, unless extended by Presidential
directive.
Warning and Information Centers
As part of a national warning and information sharing system, the President
immediately authorizes the FBI to expand its current organization to a
full scale National Infrastructure Protection Center (NIPC). This organization
shall serve as a national critical infrastructure threat assessment, warning,
vulnerability, and law enforcement investigation and response entity.
During the initial period of six to twelve months, the President also
directs the National Coordinator and the Sector Liaison Officials, working
together with the Sector Coordinators, the Special Function Coordinators
and representatives from the National Economic Council, as appropriate,
to consult with owners and operators of the critical infrastructures to
encourage the creation of a private sector sharing and analysis center,
as described below.
National Infrastructure Protection Center (NIPC)
The NIPC will include FBI, USSS, and other investigators experienced
in computer crimes and infrastructure protection, as well as representatives
detailed from the Department of Defense, the Intelligence Community and
Lead Agencies. It will be linked electronically to the rest of the Federal
Government, including other warning and operations centers, as well as
any private sector sharing and analysis centers. Its mission will include
providing timely warnings of intentional threats, comprehensive analyses
and law enforcement investigation and response.
All executive departments and agencies shall cooperate with the NIPC
and provide such assistance, information and advice that the NIPC may
request, to the extent permitted by law. All executive departments shall
also share with the NIPC information about threats and warning of attacks
and about actual attacks on critical government and private sector infrastructures,
to the extent permitted by law. The NIPC will include elements responsible
for warning, analysis, computer investigation, coordinating emergency
response, training, outreach and development and application of technical
tools. In addition, it will establish its own relations directly with
others in the private sector and with any information sharing and analysis
entity that the private sector may create, such as the Information Sharing
and Analysis Center described below.
The NIPC, in conjunction with the information originating agency, will
sanitize law enforcement and intelligence information for inclusion into
analyses and reports that it will provide, in appropriate form, to relevant
federal, state and local agencies; the relevant owners and operators of
critical infrastructures; and to any private sector information sharing
and analysis entity.
Before disseminating national security or other information that originated
from the intelligence community, the NIPC will coordinate fully with the
intelligence community through existing procedures. Whether as sanitized
or unsanitized reports, the NIPC will issue attack warnings or alerts
to increases in threat condition to any private sector information sharing
and analysis entity and to the owners and operators. These warnings may
also include guidance regarding additional protection measures to be taken
by owners and operators. Except in extreme emergencies, the NIPC shall
coordinate with the National Coordinator before issuing public warnings
of imminent attacks by international terrorists, foreign states or other
malevolent foreign powers.
The NIPC will provide a national focal point for gathering information
on threats to the infrastructures. Additionally, the NIPC will provide
the principal means of facilitating and coordinating the Federal Government's
response to an incident, mitigating attacks, investigating threats and
monitoring reconstitution efforts. Depending on the nature and level of
a foreign threat/attack, protocols established between special function
agencies (DOJ/DOD/CIA), and the ultimate decision of the President, the
NIPC may be placed in a direct support role to either DOD or the Intelligence
Community.
Information Sharing and Analysis Center (ISAC)
The National Coordinator, working with Sector Coordinators, Sector Liaison
Officials and the National Economic Council, shall consult with owners
and operators of the critical infrastructures to strongly encourage the
creation of a private sector information sharing and analysis center.
The actual design and functions of the center and its relation to the
NIPC will be determined by the private sector, in consultation with and
with assistance from the Federal Government. Within 180 days of this directive,
the National Coordinator, with the assistance of the CICG including the
National Economic Council, shall identify possible methods of providing
federal assistance to facilitate the startup of an ISAC.
Such a center could serve as the mechanism for gathering, analyzing,
appropriately sanitizing and disseminating private sector information
to both industry and the NIPC. The center could also gather, analyze and
disseminate information from the NIPC for further distribution to the
private sector. While crucial to a successful government-industry partnership,
this mechanism for sharing important information about vulnerabilities,
threats, intrusions and anomalies is not to interfere with direct information
exchanges between companies and the government.
As ultimately designed by private sector representatives, the ISAC may
emulate particular aspects of such institutions as the Centers for Disease
Control and Prevention that have proved highly effective, particularly
its extensive interchanges with the private and non-federal sectors. Under
such a model, the ISAC would possess a large degree of technical focus
and expertise and non-regulatory and non-law enforcement missions. It
would establish baseline statistics and patterns on the various infrastructures,
become a clearinghouse for information within and among the various sectors,
and provide a library for historical data to be used by the private sector
and, as deemed appropriate by the ISAC, by the government. Critical to
the success of such an institution would be its timeliness, accessibility,
coordination, flexibility, utility and acceptability.
Annex B: Additional Taskings
Studies
The National Coordinator shall commission studies on the following subjects:
- Liability issues arising from participation by private sector companies
in the information sharing process.
- Existing legal impediments to information sharing, with an eye to
proposals to remove these impediments, including through the drafting
of model codes in cooperation with the American Legal Institute.
- The necessity of document and information classification and the
impact of such classification on useful dissemination, as well as
the methods and information systems by which threat and vulnerability
information can be shared securely while avoiding disclosure or unacceptable
risk of disclosure to those who will misuse it.
- The improved protection, including secure dissemination and information
handling systems, of industry trade secrets and other confidential
business data, law enforcement information and evidentiary material,
classified national security information, unclassified material disclosing
vulnerabilities of privately owned infrastructures and apparently
innocuous information that, in the aggregate, it is unwise to disclose.
- The implications of sharing information with foreign entities where
such sharing is deemed necessary to the security of United States
infrastructures.
- The potential benefit to security standards of mandating, subsidizing,
or otherwise assisting in the provision of insurance for selected
critical infrastructure providers and requiring insurance tie-ins
for foreign critical infrastructure providers hoping to do business
with the United States.
Public Outreach
In order to foster a climate of enhanced public sensitivity to the problem
of infrastructure protection, the following actions shall be taken:
The White House, under the oversight of the National Coordinator, together
with the relevant Cabinet agencies shall consider a series of conferences:
(1) that will bring together national leaders in the public and private
sectors to propose programs to increase the commitment to information
security; (2) that convoke academic leaders from engineering, computer
science, business and law schools to review the status of education in
information security and will identify changes in the curricula and resources
necessary to meet the national demand for professionals in this field;
(3) on the issues around computer ethics as these relate to the K through
12 and general university populations.
The National Academy of Sciences and the National Academy of Engineering
shall consider a round table bringing together federal, state and local
officials with industry and academic leaders to develop national strategies
for enhancing infrastructure security. The intelligence community and
law enforcement shall expand existing programs for briefing infrastructure
owners and operators and senior government officials. The National Coordinator
shall (1) establish a program for infrastructure assurance simulations
involving senior public and private officials, the reports of which might
be distributed as part of an awareness campaign; and (2) in coordination
with the private sector, launch a continuing national awareness campaign,
emphasizing improving infrastructure security.
Internal Federal Government Actions
In order for the Federal Government to improve its infrastructure security,
these immediate steps shall be taken:
The Department of Commerce, the General Services Administration, and
the Department of Defense shall assist federal agencies in the implementation
of best practices for information assurance within their individual agencies.
The National Coordinator shall coordinate a review of existing federal,
state and local bodies charged with information assurance tasks, and provide
recommendations on how these institutions can cooperate most effectively.
All federal agencies shall make clear designations regarding who may
authorize access to their computer systems.
The Intelligence Community shall elevate and formalize the priority for
enhanced collection and analysis of information on the foreign cyber/information
warfare threat to our critical infrastructure.
The Federal Bureau of Investigation, the Secret Service and other appropriate
agencies shall: (1) vigorously recruit undergraduate and graduate students
with the relevant computer-related technical skills for full-time employment
as well as for part-time work with regional computer crime squads; and
(2) facilitate the hiring and retention of qualified personnel for technical
analysis and investigation involving cyber attacks.
The Department of Transportation, in consultation with the Department
of Defense, shall undertake a thorough evaluation of the vulnerability
of the national transportation infrastructure that relies on the Global
Positioning System. This evaluation shall include sponsoring an independent,
integrated assessment of risks to civilian users of GPS-based systems,
with a view to basing decisions on the ultimate architecture of the modernized
NAS on these evaluations.
The Federal Aviation Administration shall develop and implement a comprehensive
National Airspace System Security Program to protect the modernized NAS
from information-based and other disruptions and attacks.
GSA shall identify large procurements (such as the new Federal Telecommunications
System, FTS 2000) related to infrastructure assurance, study whether the
procurement process reflects the importance of infrastructure protection
and propose, if necessary, revisions to the overall procurement process
to do so.
OMB shall direct federal agencies to include assigned infrastructure
assurance functions within their Government Performance and Results Act
strategic planning and performance measurement framework.
The NSA, in accordance with its National Manager responsibilities in
NSD-42, shall provide assessments encompassing examinations of U.S. Government
systems to interception and exploitation; disseminate threat and vulnerability
information; establish standards; conduct research and development; and
conduct issue security product evaluations.
Assisting the Private Sector
In order to assist the private sector in achieving and maintaining infrastructure
security:
The National Coordinator and the National Infrastructure Assurance Council
shall propose and develop ways to encourage private industry to perform
periodic risk assessments of critical processes, including information
and telecommunications systems.
The Department of Commerce and the Department of Defense shall work together,
in coordination with the private sector, to offer their expertise to private
owners and operators of critical infrastructure to develop security-related
best practice standards.
The Department of Justice and Department of the Treasury shall sponsor
a comprehensive study compiling demographics of computer crime, comparing
state approaches to computer crime and developing ways of deterring and
responding to computer crime by juveniles. {56}
1 http://www.ciao.gov/paper598.html, 4 December, 1998
2 Presentation by John Davis, 6 October 1998, National Information Systems Security Conference, Alexandria, Virginia
3 White Paper on PDD-63, 22 May 1998
4 http://www.ciao.gov/bioclarke.html, 7 December, 1998
5 White Paper on PDD-63, 22 May 1998
6 White Paper on PDD-63, 22 May 1998
7 White Paper on PDD-63, 22 May 1998
8 http://www.ciao.gov/sbrodgers27081998.html, 7 December, 1998
9 E.O. 13010, 15 July 1996, as amended, http://www.pccip.gov/eo13010.html, 10 December, 1998
10 E.O. 13010, 15 July 1996, as amended, http://www.pccip.gov/eo13010.html, 10 December, 1998
11 White Paper on PDD-63, 22 May 1998
12 White Paper on PDD-63, 22 May 1998
13 White Paper on PDD-63, 22 May 1998
14 Dr. Irwin Pikus, Presentation to the National Information Systems Security Conference, 6 October 1998, Alexandria, Virginia
15 http://www.ciao.gov/63factsheet.html, 4 December, 1998
16 http://www.ciao.gov/biohunker.html, 7 December, 1998
17 http://www.fbi.gov/nipc/nipc.htm, 7 December, 1998
18 White Paper on PDD-63, 22 May 1998
19 "The FBI's National Computer Crime Squad (NCCS) investigates violations of the Federal Computer Fraud and Abuse Act of 1986. These crimes cross multiple state or international boundaries. Violations of the Computer Fraud and Abuse Act include intrusions into government, financial, most medical, and Federal interest computers. Federal interest computers are defined by law as two or more computers involved in the criminal offense, which are located in different states. Therefore, a commercial computer which is the victim of an intrusion coming from another state is a "Federal interest" computer." http://www.fbi.gov/programs/compcrim.htm, 10 December, 1998
20 Michael Vatis, Interview, 1 September 1998
21 Michael Vatis, Interview, 1 September 1998 and John O'Neill, Interview, 19 November 1998
22 although Michael Vatis stated in the 1 September 1998 interview that the NIPC would not perform R & D
23 White Paper on PDD-63, 22 May 1998
24 Interview with Michael Vatis, 1 September 1998
25 http://www.fbi.gov/nipc/nipc.htm, 7 December, 1998
26 White Paper on PDD-63, 22 May 1998
27 White Paper on PDD-63, 22 May 1998
28 White Paper on PDD-63, 22 May 1998
29 In 1994, Citibank in New York City had over $1 million stolen by a hacker in St. Petersburg, Russia. Most of the money was recovered, but Citibank suffered from the publicity and exposure.
30 Discussion during presentation by PCCIP members, National Information Systems Security Conference, 6 October 1998, Alexandria, Virginia
31 Interview with Fred Tompkins, 27 October 1998
32 http://www.itaa.org/about/, 10 December, 1998
33 White Paper on PDD-63, 22 May 1998
34 Electronic Privacy Information Center, Critical Infrastructure Protection and the Endangerment of Civil Liberties: An Assessment of the President's Commission on Critical Infrastructure Protection, October 1998, available electronically at http://www.epic.org/
35 Solveig Singleton, Encryption Policy For The 21st Century: A Future without Government-Prescribed Key Recovery, November 19, 1998, http://www.cato.org/pubs/pas/pa-325es.html, 10 December 1998
36 Jeffrey Hunker, presentation: Critical Infrastructure Protection: Overview and Agency Roles, 13 October 1998, http://www.ciao.gov/seminar19981013.html, 10 December 1998
37 Report of the PCCIP, "Critical Foundations: Thinking Differently," Appendix A, page A-2
38 Report of the PCCIP, "Critical Foundations: Thinking Differently," Appendix A, page A-11
39 Report of the PCCIP, "Critical Foundations: Thinking Differently," Appendix A, page A-24
40 Report of the PCCIP, "Critical Foundations: Thinking Differently," Appendix A, page A-37
41 Report of the PCCIP, "Critical Foundations: Thinking Differently," Appendix A, page A-44
42 Report of the PCCIP, "Critical Foundations: Thinking Differently," Appendix A, pages A-44 - 45
43 Report of the PCCIP, "Critical Foundations: Thinking Differently," Appendix A, page A-47
44 Report of the PCCIP, "Critical Foundations: Thinking Differently," Appendix A, pages A-50 - 51
45 http://www.fema.gov/about/esf.htm, 10 December 1998
46 Presentation by PCCIP members, 6 October, 1998, National Information Systems Security Conference, Alexandria, Virginia
47 Dr. Irwin Pikus, answer to audience question, 6 October, 1998, National Information Systems Security Conference, Alexandria, Virginia
48 Jeffrey Hunker, presentation: Critical Infrastructure Protection: Overview and Agency Roles, 13 October 1998, http://www.ciao.gov/seminar19981013.html, 10 December 1998
49 White Paper on PDD-63, 22 May 1998
50 http://www.pccip.gov/, 12 November, 1998
51 http://www.pccip.gov/backgrd.html, 12 November, 1998
52 http://www.pccip.gov/glossary.html, 12 November, 1998
53 http://www.pccip.gov/summary.html, 12 November, 1998
54 http://www.ciao.gov/, 12 November, 1998
55 http://www.ciao.gov/about.html, 12 November, 1998
56 http://www.ciao.gov/paper598.html, 12 November, 1998