IWS - The Information Warfare Site
News Watch Make a donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled
Google Ads




[ PCCIP Home | Main Menu | Report | New Items | Contact Us | Speaker's Bureau ]

Remarks Delivered by Robert T. Marsh

Chairman, President's Commission on Critical Infrastructure Protection

AFCEA Critical Infrastructure Protection Conference
National Defense University

Washington, DC
January 28, 1997

I appreciate the opportunity to speak to you this morning. Glad to see so many people interested in this subject here today.

I want to begin by congratulating AFCEA, AT&T and NDU for putting on this symposium. Critical infrastructure protection is clearly one of the key issues we face as a nation. Our infrastructures are the life support systems of the nation, and therefore of great importance to those of us here today. We at the Commission appreciate all the efforts to make this happen.

I'm not here to overdose you with examples or anecdotes of infrastructure weaknesses and exploitation - you've probably heard and read much of that already.

Nor am I here to lay out recommended solutions to problems within the infrastructures. They don't exist yet.

But, I would like to tell you about:

  • The issues we face

  • How the Commission is addressing them

  • How you can become involved in the work of the Commission.

I'll then answer any questions you might have.

Mission

Many of you are already familiar with the Commission, so I will only briefly review its mission. President Clinton established the Commission last July. Its mission is to:

  • assess vulnerabilities and threats to the critical infrastructures

  • identify relevant legal and policy issues, and assess how they should be addressed

  • recommend a national policy and implementation strategy for protecting critical infrastructures from both physical and cyber threats

  • and propose any necessary statutory or regulatory changes

The eight critical infrastructures the Commission is studying are: telecommunications, electric power systems, water supply systems, banking and finance, transportation, oil and gas transportation, emergency services such as medical, police, fire and rescue, and continuity of government.

Organization/Status

We have 10 Commissioners from the Federal government who have been working hard from the start. Next week the first Commissioner will join us from the private sector. She is Ms. Nancy Wong, manager of the Department of Information Assets and Risk Management for Pacific Gas and Electric in San Francisco.

Issues

Briefly, why do we have a Commission, and why now?

Basically three reasons:

  1. Physical terrorism continues, and we see increasing cyber intrusions of all types into our automated information systems, many by so-called "insiders."

  2. Increased reliance on telecommunications and information technologies in all infrastructures and the increased vulnerabilities that that brings.

  3. Tools to exploit these vulnerabilities are readily available (hacker sites on the Internet can tell you how to penetrate systems) and their use is increasing exponentially.

As for terrorism...

America is no stranger to terrorism - the bombings of the World Trade Center and the Oklahoma City Federal building are but two examples. But to this point, our critical infrastructures have not been primary targets.

Sadly, we must now prepare for terrorist acts by our own citizens who choose terrorism as a means to express their displeasure or distrust of their government.

I've been asked how this Commission is different from other government efforts in the past to address similar issues. I believe the major difference is that there is a widespread recognition that the nature and scope of the threat to critical infrastructures has changed as the result of advances in technology, particularly information technology and telecommunications. The weight of anecdotal evidence is sufficiently persuasive to warrant a serious collaborative effort to address this serious problem.

As for increased reliance on telecommunications, it has created new vulnerabilities.

Our infrastructures have become increasingly reliant on information technology and the telecommunications infrastructure that ties them together.

Telecommunications and automation expose infrastructures in new ways, and create new vulnerabilities.

Many companies are already familiar with natural hazards, but we now face a new set of manmade risks and hazards. Companies are becoming increasingly vulnerable to vandalism, theft, malicious hackers, criminals, and unscrupulous competitors.

Companies are also increasingly vulnerable to so-called "insiders," and risks are increasing, particularly in this age of mergers and consolidation.

In addition, many companies now have public sites on the Internet to enhance their market presence. And the trend is clearly toward making greater use of the Internet. You may have seen last Wednesday's Wall Street Journal report that retail sales via the Internet are projected to increase 1,200% between now and the year 2000. On-line commerce is already a $500 million per year industry, and the Internet adds more than half a million people a month. But the Internet and other public networks are less secure than dedicated networks. Along with the benefits of greater public presence, the use of technology also creates more exposure and risks.

In the past, you put a guard at the door, and your assets were protected. Today, there is no door - or too many doors, depending on how you look at it. And you can never be sure who will drop in for a visit via the Internet.

And as for tools to exploit these vulnerabilities:

Even amateurs have access to the technological tools needed to penetrate systems and cause trouble.

The Internet contains hacker sites with instructions on how to penetrate systems.

Result: infrastructures are constantly in danger from people intent on penetrating or disrupting them. And all they need is a personal computer and a modem.

The Willie Suttons of today may not even have to go to the bank. They can try robbing it from home using a PC.

In the face of these challenges, the Commission is conducting an aggressive outreach to companies - and particularly CEOs - to discuss our goals and solicit their participation so we can build a strategy and recommendations that are compatible with both increased assurance and business' bottom line.

Further, in my experience, it may be one of the few times when government is calling for action before a crisis occurs, rather than after-the-fact. This reminds me of something Wayne Gretsky once said regarding success in hockey: "It's not about where the puck is. It's about where the puck is going to be."

So we need to look to the future, consider the implications for critical infrastructures, and address the problems in a substantive manner.

Those are some of the issues the Commission is facing. Let me tell you how we're approaching them.

What the Commission is Doing

Partnership

The central challenge of the Commission is to forge a partnership between the private sector and government at all levels, Federal, State and local. Partnership is the core of the Commission.

To build that partnership, our outreach program includes public hearings, focus groups, and a non-stop effort to carry our message throughout each of the critical infrastructures, especially to industry leaders. In addition, in March we're planning to conduct a game at the Prosperity Institute, which is affiliated with Sandia National Lab. The purpose of the game is to explore and validate potential strategies and recommendations.

Awareness

The objective of our initial outreach to the private sector is to build awareness of threats to and vulnerabilities of critical infrastructures. I should add that we need to educate not only the owners and operators of the infrastructures, but the government and nation at large. Furthermore, we want to build that understanding without creating alarm.

Later in our outreach effort, we will be seeking private sector buy-in of specific findings, recommendations, and strategies.

Our underlying philosophy at the Commission is that the quality of our recommendations to the President can only be as good as the buy-in from the private sector.

Our approach is not "We're government and we're here to help."

Rather, we are vitally interested in what the private sector has to say because it owns and operates the critical infrastructures. Private sector involvement is absolutely essential to an informed process of developing a strategy.

Trusted Environment

In addition to awareness, we want to create an environment of trust between industry and government. This will allow the sharing of information to provide identification, warning and response to any attack, be it domestic, transnational, criminal, corporate, or terrorist.

Public Policy Questions

We also expect that collaboration between government and the private sector will yield insights into questions of public policy. For example:

Regulation

How infrastructures are regulated may influence how companies address infrastructure vulnerabilities. For instance, rates charged by some utilities are tightly controlled by the government. But controlling rates may conflict with encouraging investment in infrastructure improvements. Therefore, what is the appropriate government role regarding rate-setting?

Insurance

When the power grid goes down, who pays for the interruption of service? There is no law of physics that says you need to lose electrical power or telephone service during a storm. Similarly, there is no law indicating who pays for lost time, production, or business during a service interruption. Insurance companies may or may not fill the gap. What role can and should the insurance industry play? What are the liability implications of infrastructure vulnerabilities? What are the responsibilities of the owners and operators of the infrastructures?

Standards

In this same vein, some infrastructures have no enforced standards for providing service to customers. Should standards be established? Would they help? Who should establish them? What should the standards be, and how might they be enforced?

Incentives

What are appropriate incentives for the private sector? What incentives will encourage companies to address vulnerabilities? How should they be structured? Are tax incentives the right vehicle? To what extent, if any, should government underwrite infrastructure protection? For example, could government establish a special trust fund to provide interest-free loans to infrastructure owners and operators who want to enhance their infrastructure protection?

New Thinking

As you can see from the list of questions I just mentioned, the issues surrounding critical infrastructure protection clearly move beyond defense. For that reason, I encourage you to think outside the box -- in fact, throw the box away and build a new one. I encourage you to dedicate this forum to help find solutions to the problems we face.

You know how to get in touch with us. I welcome and encourage your input. The toughest work of the Commission is still before it -- the actual crafting of strategy -- so we want to hear what you have to say as soon as possible. That's the only way we will devise solutions that work for everyone.

Thanks for inviting me. I'll take any questions.

[ PCCIP Home | Main Menu | Report | New Items | Contact Us | Speaker's Bureau ]

IWS Mailing Lists






Mailing Lists Overview