IWS - The Information Warfare Site
News Watch Make a donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled
Google Ads




[ PCCIP Home | Main Menu | Report | New Items | Contact Us | Speaker's Bureau ]

Luncheon Remarks
Delivered by Robert T. Marsh

Chairman, President's Commission on Critical Infrastructure Protection

Information Warfare Working Group
National Defense University Foundation/Betac Corporation

Alexandria, VA
December 17, 1996

I appreciate the invitation to come speak to you, and I'm glad to be here.

Critical infrastructure protection is clearly one of the key issues we face as a nation. I know of your interest, so I welcome the opportunity to discuss it with you.

I want to share a few thoughts, then open it for discussion.

I am not here to overdose you with examples or anecdotes of infrastructure weaknesses and exploitation -- you've probably heard much of this already. Nor am I here to give you solutions to problems within the infrastructures. The Commission hasn't developed them yet.

But, I would like to tell you about:

  • Issues we face
  • Challenges before us

How you can participate in the process of developing strategies and recommendations to address critical infrastructure protection.

I know you've had people familiar with the Commission speak to you already, so you don't need a lot of introduction to what we're about. However, I will make just a few points about it.

The Commission was formed specifically to:

  • assess vulnerabilities and threats to the critical infrastructures
  • identify relevant legal and policy issues, and assess how they should be addressed
  • recommend a national policy and implementation strategy for protecting critical
  • infrastructures from both physical and cyber threats
  • propose any necessary statutory or regulatory changes
  • and produce reports and recommendations as appropriate during the course of our work.

Issues related to information warfare are part of the Commission's mandate. Because of its defense connotation, however, and the fact that the Commission's mandate goes well beyond the defense community, we generally do not cast infrastructure issues within the vernacular of information warfare per se. We use the term Infrastructure Assurance.

For the purposes of our discussion today, I would encourage you to consider IW within the Infrastructure Assurance context.

Issues

Briefly, why do we have a Commission, and why now?

Basically three reasons:

  • Physical terrorism continues, and we see increasing cyber intrusions of all types into our automated information systems, many by so-called "insiders".
  • Increased reliance on telecommunications creates vulnerabilities.
  • Tools to exploit these vulnerabilities are readily available (hacker sites on the Internet can tell you how to penetrate systems).

Let's take these one at a time:

Physical Terrorism and Cyber Penetrations:
America is no stranger to terrorism - the bombings of the World Trade Center and the Oklahoma City Federal building are but two examples.

Sadly, we must now prepare for terrorist acts by our own citizens who choose terrorism as a means to express their displeasure or distrust of their government.

Overseas, terrorists have focused on infrastructure. This was illustrated this summer in London, where the press reported that Scotland Yard had discovered an apparent IRA plan to bomb gas, water and electric power targets.

On the cover of the June issue of Foreign Affairs, I noticed the following quote: "The world may be moving inexorably toward one of those tragic moments that will lead historians to ask, why was nothing done?"

The Commission is clearly an effort to get something done.

Further, in my experience, it may be one of the few times when government is calling for action before a crisis occurs, rather than after-the-fact.

As for increased reliance on telecommunications, it has created vulnerabilities.

Telecommunications is clearly the tie that binds our infrastructures together.

Our critical infrastructures have become increasingly reliant on information technology and the telecommunications infrastructure that ties them together.

Telecommunications exposes infrastructures in new ways, and creates new vulnerabilities.

In the past, you put a guard at the door, and your assets were protected. Today, there is no door - or too many doors, depending on how you look at it. And you can never be sure who will drop in for a visit via the Internet.

And as for tools to exploit these vulnerabilities:

Even amateurs have access to the technological tools needed to penetrate systems and cause trouble.

Internet contains hacker sites with instructions on how to penetrate systems.

Result: infrastructures are constantly in danger from people intent on penetrating or disrupting them. And all they need is a personal computer and a modem.

Willie Sutton, the bank robber, was once asked why he robbed banks. He replied, "Because that's where the money is." Today, Willie may not even have to go to the bank. He can try robbing it from home using his PC.

Challenges

The central challenge of the Commission is to forge a partnership between the private sector and government at all levels, Federal, State and local. Partnership is the core of the Commission.

We are pursuing this partnership through an aggressive outreach program that includes public hearings, focus groups, gaming, and a non-stop effort to carry our message throughout each of the critical infrastructures, especially to CEOs.

The objectives of our initial outreach to the private sector are to build recognition of threats to and vulnerabilities of critical infrastructures. Later in our outreach effort, we will be seeking private sector buy-in of specific findings and recommendations.

Our underlying philosophy at the Commission is that the quality of our recommendations to the President can only be as good as the strength of our relationship with the private sector.

Our approach to the private sector is not "We're government and we're here to help."

Rather, we are vitally interested in what the private sector has to say because it owns and operates the critical infrastructures. Private sector involvement is absolutely essential to an informed process of developing a strategy.

We anticipate the solutions will fall within a range bounded by government and private sector responsibility for implementation. Some government problems will require only government solutions, while some private sector problems will require only private sector solutions. Others, however, may require solutions somewhere in-between - solutions jointly actioned by government and the private sector.

We are under no illusions that this Commission can solve every infrastructure problem. Instead, we see the strategy and recommendations as a point of departure for implementation. For that reason, we need the best thinking of the private sector up front.

Collaboration within government

Just as we need collaboration between government and the private sector, we need collaboration within government. Government agencies must share information and jointly address this problem. This is particularly important regarding indications and warning.

For instance, if there were a series of unusual infrastructure failures, how quickly would we become aware of them, and how would we interpret them?

Electric power or telecommunications failures on a metropolitan or regional basis might or might not be correctly diagnosed as accidental, criminal, or an attack. The process of determining the cause of an electrical power failure, can require days or weeks, as was the case earlier this year on the West Coast. Government agencies need to work together to find ways to quickly recognize what is happening, understand what it means, and determine an appropriate and timely response.

Public Policy Questions

A question I often hear from the private sector is, "How can we help?"

One of the most important contributions you can make is to consider the public policy questions inherent in the Commission effort. Information technology is a thread running through them all. For example:

Market forces

The role of market forces is central to the question of critical infrastructure strength. Many companies are content to write off losses due to vulnerabilities as a cost of doing business, but this does not diminish the importance of those losses, or the need to address the vulnerabilities that fostered them. Deregulation may increase market opportunities, but it also increases efficiency within a system, leaving fewer reserves to draw upon in case of emergency. This is evident today in the electric power industry.

Incentives

What are appropriate incentives for the private sector? What incentives will encourage companies to address vulnerabilities? How should they be structured? Are tax incentives appropriate? To what extent, if any, should government underwrite infrastructure protection? For example, should government establish a special trust fund to provide interest-free loans to infrastructure owners and operators who want to enhance their infrastructure protection?

Insurance

When the power grid goes down, who pays for the interruption of service? There is no law of physics that says you must lose electric power or telephone service during a storm. Similarly, there is no law indicating who pays for lost time, production, or business during a service interruption. Insurance companies may or may not fill the gap. What role can and should the insurance industry play? What are the liability implications of infrastructure vulnerabilities?

Standards

In this same vein, some infrastructures have no enforced standards for providing service to customers. Should standards be established? Who should establish them? What should the standards be, and how might they be enforced?

Regulation

How infrastructures are regulated may influence how companies address infrastructure vulnerabilities. For instance, rates of some utilities are tightly controlled by the government. But controlling rates may conflict with encouraging investment in infrastructure improvements. Therefore, in this context, what is the appropriate government role regarding rate-setting?

These are just some of the questions confronting the Commission. We are studiously seeking answers.

You know how to get in touch with us. I welcome and encourage your input. The toughest work of the Commission is still before it -- the actual crafting of strategy -- so we want to hear what you have to say as soon as possible. That's the only way we will achieve solutions that work for everyone.

Thanks for inviting me.

[ PCCIP Home | Main Menu | Report | New Items | Contact Us | Speaker's Bureau ]

IWS Mailing Lists






Mailing Lists Overview