Remarks Prepared for Delivery by Robert T. Marsh
Chairman, President's Commission on Critical Infrastructure Protection
Infrastructure Protection Conference
Palo Alto, California
March 10, 1997
Assuring the Critical Infrastructure
A Public/Private Sector Challenge
Thank you, Bruce [Bruce Tarter, Director of Lawrence Livermore National Lab], and good morning, ladies and gentlemen. It is indeed a pleasure to be with you this morning. I want to thank you especially for assembling such a notable group to address this vitally important evolving problem facing our society -- that is, the protection of our critical infrastructures.
On behalf of myself and my fellow Commissioners, I want to thank our co-sponsors: the Center for International Security and Arms Control at Stanford, and the Center for Global Security Research at Lawrence Livermore National Laboratory. I'd like to particularly thank Secretary Bill Perry for being here, as well as recognize Mike May, Sy Goodman, and Ron Lehman for helping to make this event possible. Also, thanks for liberating us from the Beltway. Washington has been described as 63 square miles surrounded by reality, so we are delighted to be here with you this morning on this beautiful campus in the real world. And to each of the participants, we very much appreciate you devoting your time to this important workshop.
I could, of course, spend a lot of time this morning covering anecdote after anecdote demonstrating the weaknesses of our infrastructures. It might be interesting, but not very productive. I'm sure you are already persuaded that our infrastructures are vulnerable, and need little reinforcement of those beliefs. Our careful study of the past six months or so has produced a solid case of these vulnerabilities. So what we're here to deliberate are the issues that those vulnerabilities present for our society. But before I present some of these important issues, let me just briefly review our mandate:
President Clinton established the Commission last July. Its mission is to:
- assess vulnerabilities and threats to the critical infrastructures,
- identify relevant legal and policy issues, and assess how they should be addressed,
- recommend a national policy and implementation strategy for protecting critical infrastructures from both physical and cyber threats, and
- propose any necessary statutory or regulatory changes.
The eight critical infrastructures the Commission is studying are: telecommunications, electric power systems, water supply systems, banking and finance, transportation, oil and gas transportation, emergency services such as medical, police, fire and rescue, and continuity of government services. These, as you know, are clearly the life support systems of the nation. If even one of them failed, the quality of life you and I enjoy would be directly, and perhaps dramatically, affected.
Our country has become so dependent on these infrastructures that, as the Executive Order states, their incapacity or destruction would have a debilitating impact on our defense and/or economic security.
The Commission was scheduled to run for a year, although because of our delayed stand-up, there is a consensus that the effort should be extended an additional three months (until October). I expect that to be officially recognized shortly.
Let me say a few words about our organization.
The lion's share of our work is conducted by Commissioners from the public and private sectors. Half are senior officials from the involved departments and agencies (Treasury, Defense, Justice, Commerce, Transportation, Energy, CIA, FBI, NSA and FEMA). All of them have been on board since the start. The other half are from infrastructure companies and organizations, hired as government employees to bring industry experience, expertise and perspective to the Commission. Half of these have been appointed, and two are with us today: Dr. Bill Harris, distinguished professor of civil engineering and E.B. Snead professor of transportation engineering from Texas A&M University. We also have Ms. Nancy Wong, who comes to us from her position as manager of the Department of Information Assets and Risk Management for Pacific Gas and Electric Company.
There are also several Committees associated with our work: an Advisory Committee of senior executives, mostly CEOs, from companies within the critical infrastructures (I anticipate a public announcement of appointments to this Committee within the next several weeks); a Steering Committee; and a Principals Committee comprised of the heads of the departments and agencies represented on the Commission.
Since critical infrastructure is such a huge area, there are naturally and fortunately many people interested in our work. You may wonder how, with so many people involved, we can get anything done. I'm reminded of something Kofi Annan, the new Secretary-General of the United Nations, said when he was asked why it's taking years to reform the U.N. when God only needed 6 days to create the world. He replied that God "had the added advantage of working alone."
So why do we have a Commission, and why now?
Basically three reasons:
Physical terrorism continues, and we see increasing cyber intrusions of all types into our automated information systems, many by so-called "insiders."
Also, increased reliance on telecommunications and information technologies in all infrastructures, along with increased interdependence among infrastructures and the increased vulnerabilities that that brings.
Finally, tools to exploit these vulnerabilities are readily available (hacker sites on the Internet can tell you how to penetrate systems) and their use is increasing exponentially.
As for terrorism:
America is no stranger to terrorism -- the bombings of the World Trade Center and the Oklahoma City Federal building are but two examples. But thankfully, and for reasons I don't understand, our critical infrastructures have not been primary targets.
As for new vulnerabilities:
Our infrastructures have become increasingly reliant on information technology and the telecommunications infrastructure that ties them together. And the infrastructures are becoming increasingly dependent upon each other. And, telecommunications and automation expose infrastructures in new ways, and create new vulnerabilities. Many companies are familiar with natural hazards, but we are now facing a new set of manmade risks and hazards.
Technology has created a wonderful interconnected world. But each connection creates new exposure and risk. Companies are becoming increasingly vulnerable to new types of vandalism, theft, malicious hackers, criminals, and unscrupulous competitors. Companies are also increasingly vulnerable to so-called "insiders", and insider incidents are increasing, particularly in this age of mergers, consolidation and downsizing. And so it goes without saying then, that the infrastructures are also vulnerable to more sophisticated state-sponsored terrorism, transnational terrorism or hostile actions by nation states.
And as for tools to exploit these vulnerabilities:
Even amateurs have access to the technological tools needed to penetrate systems and cause trouble. The Internet contains hacker sites with instructions on how to penetrate systems. So infrastructures are constantly in danger from people intent on penetrating or disrupting them. And all they need is a personal computer and a modem.
And so with its life support systems so clearly vulnerable, and with such readily available means to disrupt them today, and more serious threats sure to evolve, our society faces a major challenge. That is what the Commission is all about.
I might add, in my experience, the Commission may be one of the few times when government is calling for action before a crisis occurs, rather than after-the-fact.
Having said that, let me briefly elaborate on some areas I believe are worthy of your consideration during the conference.
One of the defining characteristics overall of critical infrastructures is their interdependency. Telecommunications and automation expose infrastructures in new ways and create new vulnerabilities. In earlier times, infrastructure reliability and assurance was the more or less exclusive domain of the owner or operator in that industry. Now there is critical interdependence. Loss of power can mean loss of telecommunications. Loss of telecommunications can result in disruption of financial transactions. Moreover, this interconnectivity greatly increases opportunities for aggressors to access, penetrate, alter, deny, disrupt, or destroy one or more critical infrastructures.
Obviously, with interdependence comes growing complexity. Complexity demands new risk models for infrastructures. We need to develop and understand these new models because the old ones no longer apply. Information technology and telecommunications have rendered them obsolete. Every innovation which creates opportunities or solves problems also creates others -- usually unexpected. A question for this group then is: Can the marketplace adequately anticipate and manage these new reliability risks, especially those involving interdependencies on other infrastructures, or will some form of government action be required?
One of the more important lessons of the Commission's work over the past months is that technology is a bigger part of the problem -- and the solution -- than we originally thought. We are a victim of our own success -- our world leadership in technology that makes possible instantaneous global transactions and just-in-time inventories also creates vulnerabilities. Today, there is a serious lack of tools with which to detect, identify, characterize and defend against infrastructure attack, especially cyber attack. We need to harness technology for infrastructure protection. It requires special emphasis in our R&D programs, product design, and product development.
An important question is the respective roles and responsibilities of the public and private sectors for such R&D. Clearly the private sector must address protection against commonplace intrusion, theft and fraud, but what about state-sponsored terrorism or hostile attack? What is the federal government's responsibility?
Information-Sharing in a Trusted Environment
There is a compelling need to create a trusted environment for information-sharing between the public and private sectors. Government needs to tell the private sector about the nature of the threats, and the private sector needs to share its problems with the government so government can better focus its efforts. I realize there is a great sensitivity to sharing information of this kind, but I would argue that there is a greater danger in not sharing it. We need to share information to provide identification, warning and response to any attack, be it domestic, criminal, corporate, terrorist, or state-sponsored attack. So what kind of mechanism could be created that would serve both purposes -- protection of classified government intelligence information and protection of private sector information affecting reputation, consumer confidence, and liability?
Role of Government
Another concern regards the proper role of government with respect to critical infrastructure protection. They have become essential supporting structures to our very way of life. But most are owned and operated by the private sector. Can and should we rely on market forces to assure delivery of their vital services? Clearly, government has a role with respect to some private sector activities. Companies cannot negotiate a NAFTA agreement, or establish a World Trade Organization, or reach agreement on a telecommunications pact as was signed in Geneva two weeks ago. But what is the role with respect to critical infrastructure protection?
What are appropriate incentives for the private sector to invest to address vulnerabilities in infrastructure protection? How should they be structured? Are tax incentives the right vehicle? To what extent, if any, should government underwrite infrastructure protection? For example, could government establish a special trust fund to provide interest-free loans to infrastructure owners and operators who want to enhance their infrastructure protection? Again, what are the responsibilities of the owners and operators of the infrastructures?
When the power grid goes down, who pays for the interruption of service? Who pays for lost time, production, or business during a service interruption? Today, unfortunately, in most cases the consumer pays. However, I'd point out that there is no law of physics that says you need to lose electrical power or telephone service during a storm. What are the liability implications of infrastructure vulnerabilities, and how are they changing with deregulation? What role can and should the insurance industry play?
In this same vein, some infrastructures have no enforced standards for providing service to customers. Should standards be established? Would they help? Who should establish them? What should the standards be, and how might they be enforced? And, one I want to tread carefully on, should government mandate assurance standards? And again, would standards provide an opening for a larger insurance role?
How infrastructures are regulated may influence how companies address infrastructure vulnerabilities. For instance, rates charged by some utilities are tightly controlled by the government. But controlling rates appears to conflict with encouraging investment in infrastructure improvements. Therefore, what is the appropriate government role regarding rate-setting? How is it likely to change and how should it change as deregulation proceeds?
I should note that regulation is again getting national attention. Following in the steps of the airline and telecommunications industries, the electric power industry -- an approximately $200 billion-a-year industry -- is beginning the process of deregulation. Given the obvious interdependence between electric power and other infrastructures, we are looking at this process closely.
Well, these are just some of the issues we are addressing. They are by no means all. I haven't mentioned how the government is organized to deal with this threat, the legal framework for dealing with cyber threats, or the international interactions of our infrastructures with foreign ones, or many others. We are under no illusions that this Commission can solve every infrastructure problem. Instead, we see the strategy and recommendations as a point of departure for corrective action.
Solutions will fall within a range bounded by government and private sector responsibility. Some problems will require only government solutions, while some will require only private sector solutions. Others, however, will require solutions somewhere in-between -- solutions jointly actioned by government and the private sector.
Partnership with the Private Sector
The central challenge of the Commission is to forge a partnership between the private sector and government at all levels: federal, state and local. Partnership is the very core of the Commission's efforts.
The private sector is the principal owner and operator of the critical infrastructures. Therefore, private sector involvement is absolutely essential to an informed process of developing a strategy. Our first imperative is to raise the awareness of key industry leaders to this looming problem. Joint acknowledgment of the problem is an essential first step.
We are pursuing this partnership not only through membership on the commission and the advisory committee, but also through an aggressive outreach program that includes public hearings, focus groups, gaming, and a non-stop effort to carry our message throughout each of the critical infrastructures. As I stated, the objectives of our initial outreach are to build recognition of threats to and the vulnerabilities of critical infrastructures. Later in our outreach effort, we will be seeking private sector buy-in of specific findings and recommendations.
We are especially interested in discussing our work with industry, academia, interest groups, news media, government at the local, state, and federal levels, and Congress. We believe this conference is a step in that direction. But there are clearly many other people and organizations we should work with, and we welcome your input. Please feel free to address this with me or any of the Commissioners. Our underlying philosophy at the Commission is that the quality of our recommendations to the President can only be as good as the buy-in we achieve with the private sector.
As you can see, there are more than enough issues to fill our time here today and tomorrow. We look forward to exploring these issues and searching for ideas. While we are still in the process of coming to terms with the issues, we are sharpening our focus. We anticipate that you will help us sharpen it even more.
Again, we very much appreciate you being here, and look forward to the program. Thank you.