Delivered by Robert T. Marsh
Chairman, President's Commission on Critical Infrastructure Protection
Information Warfare Working Group
National Defense University Foundation/Betac
December 17, 1996
I appreciate the invitation to come speak to you, and I'm glad to be
Critical infrastructure protection is clearly one of the key
issues we face as a nation. I know of your interest, so I
welcome the opportunity to discuss it with you.
I want to share a few thoughts, then open it for discussion.
I am not here to overdose you with examples or anecdotes of
infrastructure weaknesses and exploitation -- you've probably
heard much of this already. Nor am I here to give you solutions to problems within the
infrastructures. The Commission hasn't developed them yet.
But, I would like to tell you about:
- Issues we face
- Challenges before us
How you can participate in the process of developing strategies
and recommendations to address critical infrastructure
I know you've had people familiar with the Commission speak to
you already, so you don't need a lot of introduction to what
we're about. However, I will make just a few points about
The Commission was formed specifically to:
- assess vulnerabilities and threats to the critical
- identify relevant legal and policy issues, and assess how
they should be addressed
- recommend a national policy and implementation strategy for
- infrastructures from both physical and cyber threats
- propose any necessary statutory or regulatory changes
- and produce reports and recommendations as appropriate
during the course of our work.
Issues related to information warfare are part of the
Commission's mandate. Because of its defense connotation,
however, and the fact that the Commission's mandate goes well
beyond the defense community, we generally do not cast
infrastructure issues within the vernacular of information
warfare per se. We use the term Infrastructure Assurance.
For the purposes of our discussion today, I would encourage you
to consider IW within the Infrastructure Assurance context.
Briefly, why do we have a Commission, and why now?
Basically three reasons:
- Physical terrorism continues, and we see increasing cyber
intrusions of all types into our automated information systems,
many by so-called "insiders".
- Increased reliance on telecommunications creates
- Tools to exploit these vulnerabilities are readily
available (hacker sites on the Internet can tell you how to
Let's take these one at a time:
Physical Terrorism and Cyber Penetrations:
America is no stranger to terrorism - the bombings of the World
Trade Center and the Oklahoma City Federal building are but
Sadly, we must now prepare for terrorist acts by our own
citizens who choose terrorism as a means to express their
displeasure or distrust of their government.
Overseas, terrorists have focused on infrastructure. This was
illustrated this summer in London, where the press reported
that Scotland Yard had discovered an apparent IRA plan to bomb
gas, water and electric power targets.
On the cover of the June issue of Foreign Affairs, I noticed
the following quote: "The world may be moving inexorably
toward one of those tragic moments that will lead historians to
ask, why was nothing done?"
The Commission is clearly an effort to get something done.
Further, in my experience, it may be one of the few times when
government is calling for action before a crisis occurs, rather
As for increased reliance on telecommunications, it has created
Telecommunications is clearly the tie that binds our
Our critical infrastructures have become increasingly reliant
on information technology and the telecommunications
infrastructure that ties them together.
Telecommunications exposes infrastructures in new ways, and
creates new vulnerabilities.
In the past, you put a guard at the door, and your assets were
protected. Today, there is no door - or too many doors,
depending on how you look at it. And you can never be sure who
will drop in for a visit via the Internet.
And as for tools to exploit these vulnerabilities:
Even amateurs have access to the technological tools needed to
penetrate systems and cause trouble.
Internet contains hacker sites with instructions on how to
Result: infrastructures are constantly in danger from people
intent on penetrating or disrupting them. And all they need is
a personal computer and a modem.
Willie Sutton, the bank robber, was once asked why he robbed
banks. He replied, "Because that's where the money is."
Today, Willie may not even have to go to the bank. He can try
robbing it from home using his PC.
The central challenge of the Commission is to forge a
partnership between the private sector and government at all
levels, Federal, State and local. Partnership is the core of
We are pursuing this partnership through an aggressive outreach
program that includes public hearings, focus groups, gaming, and
a non-stop effort to carry our message throughout each of the
critical infrastructures, especially to CEOs.
The objectives of our initial outreach to the private sector
are to build recognition of threats to and vulnerabilities of
critical infrastructures. Later in our outreach effort, we will
be seeking private sector buy-in of specific findings and
Our underlying philosophy at the Commission is that the quality
of our recommendations to the President can only be as good as
the strength of our relationship with the private sector.
Our approach to the private sector is not "We're government and
we're here to help."
Rather, we are vitally interested in what the private sector
has to say because it owns and operates the critical
infrastructures. Private sector involvement is absolutely
essential to an informed process of developing a strategy.
We anticipate the solutions will fall within a range bounded by
government and private sector responsibility for
implementation. Some government problems will require only
government solutions, while some private sector problems will
require only private sector solutions. Others, however, may
require solutions somewhere in-between - solutions jointly
actioned by government and the private sector.
We are under no illusions that this Commission can solve every
infrastructure problem. Instead, we see the strategy and
recommendations as a point of departure for implementation.
For that reason, we need the best thinking of the private
sector up front.
Collaboration within government
Just as we need collaboration between government and the
private sector, we need collaboration within government.
Government agencies must share information and jointly
address this problem. This is particularly important
regarding indications and warning.
For instance, if there were a series of unusual infrastructure
failures, how quickly would we become aware of them, and how
would we interpret them?
Electric power or telecommunications failures on a metropolitan
or regional basis might or might not be correctly diagnosed as
accidental, criminal, or an attack. The process of
determining the cause of an electrical power failure, can
require days or weeks, as was the case earlier this year on the
West Coast. Government agencies need to work together to find
ways to quickly recognize what is happening, understand what it
means, and determine an appropriate and timely response.
Public Policy Questions
A question I often hear from the private sector is, "How can we
One of the most important contributions you can make is to
consider the public policy questions inherent in the Commission
effort. Information technology is a thread running through
them all. For example:
The role of market forces is central to the
question of critical infrastructure strength. Many companies
are content to write off losses due to vulnerabilities as a
cost of doing business, but this does not diminish the
importance of those losses, or the need to address the
vulnerabilities that fostered them. Deregulation may increase
market opportunities, but it also increases efficiency within a
system, leaving fewer reserves to draw upon in case of
emergency. This is evident today in the electric power
What are appropriate incentives for the private
sector? What incentives will encourage companies to address
vulnerabilities? How should they be structured? Are tax
incentives appropriate? To what extent, if any, should
government underwrite infrastructure protection? For example,
should government establish a special trust fund to provide
interest-free loans to infrastructure owners and operators who
want to enhance their infrastructure protection?
When the power grid goes down, who pays for the
interruption of service? There is no law of physics that says
you must lose electric power or telephone service during a
storm. Similarly, there is no law indicating who pays for
lost time, production, or business during a service
interruption. Insurance companies may or may not fill the
gap. What role can and should the insurance industry play?
What are the liability implications of infrastructure
In this same vein, some infrastructures have no
enforced standards for providing service to customers. Should
standards be established? Who should establish them? What
should the standards be, and how might they be enforced?
How infrastructures are regulated may influence
how companies address infrastructure vulnerabilities. For
instance, rates of some utilities are tightly controlled by the
government. But controlling rates may conflict with
encouraging investment in infrastructure improvements.
Therefore, in this context, what is the appropriate government
role regarding rate-setting?
These are just some of the questions confronting the
Commission. We are studiously seeking answers.
You know how to get in touch with us. I welcome and encourage
your input. The toughest work of the Commission is still
before it -- the actual crafting of strategy -- so we want to
hear what you have to say as soon as possible. That's
the only way we will achieve solutions that work for everyone.
Thanks for inviting me.