Remarks Prepared for Delivery
by Robert T. Marsh
Chairman, President's Commission on Critical Infrastructure Protection
Computer System Security and Privacy Advisory Board
National Institute of Standards and Technology
June 4, 1997
Thank you, Willis [Willis Ware, CSSPAB Chairman], and good morning, ladies and gentlemen.
When Willis invited me to speak here today, I thought it was a wonderful opportunity to speak to a distinguished audience about the Commission. This Board has a broad and challenging mandate, and as a result is well-informed on a number of the issues facing the Commission. So I'm delighted to be here.
What I'd like to do this morning is give you a progress report on the Commission's activities and talk about some of the key issues facing us. I know your focus is the Computer Security Act of 1987, and I think what I have to say about the Commission will help inform your discussions and broaden the context in which you consider the Act.
I also want to encourage you to participate in a national dialog between the public and private sectors about how to protect critical infrastructures. I want to tell you why the Commission was formed now, what we're doing, and where we're going. I'll then be happy to take your questions.
Simply put, we want to safeguard the life support systems of the nation. The first line of the Executive Order that created the Commission says it all: "Certain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States."
The President identified eight areas for study: Telecommunications, electric power systems, oil and gas transportation, transportation, banking and finance, water supply systems, emergency services (such as medical, police, fire and rescue), and continuity of government services.
These systems are the nerves, muscles and skeleton of the country. They connect and support features of daily life that help give the United States a standard of living that is the envy of the world. We turn on lights, make phone calls, and drink tap water without thinking about it.
But we cannot take these systems for granted. That's why the Commission was created.
Let me say a few words about our mission.
It is to:
- assess vulnerabilities and threats to the critical infrastructures,
- identify relevant legal and policy issues, and assess how they should be addressed,
- recommend to the President a national policy and implementation strategy for protecting critical infrastructures,
- and propose any necessary statutory or regulatory changes.
I'll say very little about the Commission's organization except that its members are from various Federal departments and agencies, as well as the private sector. In addition, two committees of mostly senior Cabinet officials oversee our work. We'll shortly announce our Advisory Committee of senior executives, mostly CEOs, from companies within the critical infrastructures. This Committee will help to sharpen our focus by providing insight, expertise, and perspective.
Since critical infrastructure is such a huge area, there are naturally -- and fortunately -- many people interested in our work. You may wonder -- with so many people involved, how we can get anything done. I'm reminded of something Kofi Annan, the new Secretary-General of the United Nations, said when he was asked why it's taking years to reform the U.N. when God only needed 6 days to create the world. "God," he replied, "had the added advantage of working alone."
Briefly, why do we have a Commission, and why now?
Basically three reasons:
First, physical terrorism continues -- for example, the all-too-common car bomb.
Second, increased reliance on technology creates new vulnerabilities, especially to intrusions into automated systems -- the so-called "cyber" attacks.
Third, tools to exploit these vulnerabilities are readily available, and their use is increasing. In some cases, all it takes to penetrate automated systems is a PC, a phone, and skills that many 14-year-olds seem able to master.
I'm not going to recite examples of cyber intrusions -- all you have to do is pick up a newspaper. The Defense Department is a favorite target. So are the home pages of certain government agencies and departments. So are banks, although they rarely disclose intrusions because of the impact on their most important asset -- their reputation. In fact, the Commission is most concerned about intrusions we rarely hear about, and especially the ones we never hear about.
As for terrorism:
While our critical infrastructures have not been primary targets per se, America, sadly, is not a stranger to terrorism. The bombings of the World Trade Center and the Oklahoma City Federal building are sobering reminders of the dangers of terrorism and physical attack.
As for increased reliance on telecommunications, it has created new vulnerabilities.
America has pioneered tremendous advances in technology. But progress has its price. The irony of the Information Age is that every wonderful capability has a vulnerability. Infrastructures increasingly rely on information technology and the telecommunications that tie them together. This reliance exposes systems in new ways, and creates new vulnerabilities.
For example, many companies, such as utilities, are very familiar with natural hazards. But today we are facing a new set of manmade risks. Every new connection in our interconnected world makes companies more vulnerable to vandalism, theft, unscrupulous competitors, malicious hackers, and criminals.
Surveys show that the most common intruders today are "insiders" -- people with legitimate access to the company's systems. Insider "cyber attacks" are increasing, particularly in this age of mergers, consolidation and downsizing.
Furthermore, interconnected systems are usually interdependent systems. A failure in one area can have a cascading negative impact on several others. Loss of power can mean loss of telecommunications. Loss of telecommunications can result in disruption of financial transactions. And without money, business grinds to a stop.
And with interdependence comes complexity. The sheer sophistication of automated systems multiplies the number of potential errors or disruptions, and the potential magnitude of their impact.
The unprecedented speed and precision that technology brings to us also reduces the margin for error. Anyone who has ever accidentally sent a very personal e-mail message to the wrong person knows that all too well.
In the past, you put a guard at the door, and your assets were protected. Today, there is no door -- or too many doors, depending on how you look at it. And you can never be sure who will drop in for a visit via the Internet.
Having said this much about the impact on business, I don't want to ignore implications for national security. Research at the Commission, for example, shows that both Russia and China are pursuing information warfare strategies in their militaries. This begs the question: are we seeing the beginnings of a new arms race? You may recall that John Deutch once called the electron "the ultimate precision guided weapon." It is clearly in our best interest to watch how other nations employ it.
It is also clear that terrorists are receptive to new ways of furthering their efforts. On May 2nd, the Financial Times reported that the IRA is waging economic terrorism on an unprecedented scale. One British trucking association conservatively estimated losses of nearly $50 million due to delays caused by bomb scares and small explosions in April. It's easy to imagine what could happen should a terrorist group aggressively pursue cyber attacks, even with the intent of only inflicting economic damage instead of taking lives.
And as for tools to exploit these vulnerabilities:
Even amateurs have access to the technological tools needed to penetrate systems and cause trouble. Because of the availability of Internet hacker sites, infrastructures may be endangered by bad actors intent on penetrating or disrupting their operations. Unlike Willie Sutton, who had to go to the bank to rob it, today's hacker can try to rob it from home using a PC. And he doesn't even have to be in the same city -- or country.
WHAT WE'RE DOING
So that's why the Commission was created, and why it was created now. The tapestry of technology we have woven throughout our infrastructures means that no organization -- either in the private sector or public sector -- can dismiss the implications for its mission or ignore its responsibilities.
I've been asked how this Commission is different from past efforts to address similar issues. The major difference is that there is a widespread recognition that the nature and scope of the threat have changed as the result of technology. We have thousands of intrusions almost every day into automated systems. The weight of anecdotal evidence is sufficiently persuasive to warrant a serious collaborative effort to address this problem.
I want to make special note of the fact that, in my experience, the Commission may be one of the few times when government is calling for action before a crisis occurs, rather than after-the-fact. Most of us encounter very few opportunities to get in on the ground floor of an historic national effort. This is one, and its most important days -- and decisions -- lie ahead.
On the cover of last June's issue of Foreign Affairs, I noticed the following quote: "The world may be moving inexorably toward one of those tragic moments that will lead historians to ask, why was nothing done?" The Commission is an effort to do something.
That's why we are engaged in an aggressive outreach to both the public and private sector -- the national dialog I spoke of earlier. We must build awareness and understanding of the problem. The central challenge of the Commission is to forge a partnership between the private sector and government at all levels, Federal, State and local. Private sector involvement is absolutely essential to an informed process of strategy development.
We are pursuing this partnership not only through Commission membership and the Advisory Committee, but also through public meetings, focus groups, gaming, and a non-stop corporate outreach effort. We've been from Silicon Valley to Wall Street talking with CEOs, CIOs, COOs, and just about every other "O" we can find! We've also met with nearly every variety of elected official, ranging from senators and governors to supervisors and city council members. We've contacted hundreds of companies and associations, and met with hundreds of others. And we're not done yet.
One of our biggest efforts is a series of public meetings around the country. Our first was in Los Angeles. Last month we were in Atlanta -- former Senator Sam Nunn and Mayor Bill Campbell co-hosted that meeting. There the Commissioners and I met with everyone from Delta Airlines and CNN to the Southern Company and BellSouth. Each has a profound interest in our activities, and particularly the development of our recommendations and strategy. We were in Houston 3 weeks ago, and are going to Boston this week. We'll be in St. Louis later this month. Any and all of you are invited to join us and share your thoughts.
The Commission's philosophy is that the quality of our recommendations to the President can only be as good as the degree of consultation with the private sector. Our approach is not "We're government and we're here to help." Rather, we are vitally interested in what the private sector has to say -- its involvement is absolutely essential to an informed process of developing a comprehensive national policy and implementation strategy.
WHERE WE'RE GOING
The tough intellectual work of the Commission lies before us -- the crafting of the recommendations and strategy. Let me highlight a few issues we're focusing on:
Technology: Technology is a bigger part of the problem -- and the solution -- than we originally thought. The main problem is a lack of tools with which to detect, identify, characterize and defend against attack, especially cyber attack. Personally, I'd like to see Caller ID for cyber intrusions by hackers, criminals, or terrorists. This will demand special emphasis in our R&D programs, and consideration of the respective roles and responsibilities of the public and private sectors for such R&D.
Trusted Environment for Information Sharing: There is a compelling need to create a trusted environment for information-sharing. Government needs to tell the private sector about threats, and the private sector needs to report problems to the government so government can better focus its efforts.
At our public meeting in Atlanta, Senator Nunn noted that at hearings he called last year on this subject, a number of private sector witnesses canceled out at the last minute because they did not want to reveal what they considered to be their own vulnerabilities. "This," he said, "reflects the huge problem we have in trying to build a degree of trust." So what kind of collaborative mechanism could be created that would serve both purposes -- protecting classified government intelligence information and protecting private sector information affecting reputation, consumer confidence, and liability?
Role of Government: What is the proper role of government? Since most infrastructures are privately owned and operated, can and should we rely exclusively on market forces to assure delivery of vital services? The private sector must guard against commonplace intrusion, theft and fraud, but what about state-sponsored terrorism or hostile attack? What's the federal government's responsibility?
Incentives: What are appropriate incentives for the private sector to invest to address vulnerabilities? Are tax incentives the right vehicle? Should government underwrite infrastructure protection?
Liability: When the power grid goes down, who pays for lost time, production, or business? Today, unfortunately, it's the consumer. But there's no law of physics that says you need to lose electrical power or phone service during a storm. What are the liability implications? What role can and should the insurance industry play?
Standards: In this same vein, some infrastructures have no enforced standards for providing service. Should standards be established? Would they help? And, one I want to tread carefully on, should government mandate assurance standards?
Regulation: How infrastructures are regulated may influence how companies address vulnerabilities. For instance, rates charged by some utilities are tightly controlled by the government. But controlling rates appears to conflict with encouraging investment in infrastructure improvements. Therefore, what is the appropriate government role regarding rate-setting? What will be the impact of deregulation?
These are just some of the issues we are addressing. They are by no means all. I haven't mentioned how the government is organized to deal with this threat, or the legal framework for dealing with cyber threats, or many others. We are under no illusions that this Commission can solve every problem. Instead, we see the strategy and recommendations as a point of departure for corrective action.
On that point, I want to close with something President Clinton said in this year's State of the Union address. He said, "The enemy of our time is inaction." I firmly believe that inaction today will inevitably cost us dearly in the future. When it comes to technology, the lessons of history regarding its use and exploitation are clear: if it can be used to advantage, it will. Those of you here today understand those lessons, I know.
Finally, please feel free to write, call, or visit us on the World-Wide Web at www.pccip.gov. I encourage you to participate with us in this national dialog. We would greatly appreciate any contributions you might make to our efforts -- and the sooner the better.
Again, thanks for the opportunity to speak with you this morning. I'll be happy to take any questions.