Remarks Prepared for Delivery
by Robert T. Marsh
Chairman, President's Commission on Critical Infrastructure Protection
White House Fellow Alumni Association
U.S. Chamber of Commerce
May 1, 1997
Securing the Bridge to the 21st Century
It's a pleasure and an honor to be with you this morning at your annual meeting. One look at your program tells me you're going to have a very interesting couple of days. And your theme of "Setting the Agenda for the 21st Century" is right on target for the times we live in and the challenges we face.
Moreover, "setting the agenda" is an especially appropriate theme for this group. White House Fellows past and present are, I believe, a national resource. You are a recognized group of select individuals with demonstrated talent and leadership ability. You're in the vanguard of your respective professions, helping to build the future of our country.
Today I'd like to briefly talk about what you're literally building upon -- the infrastructures that sustain the American way of life. My goal here today is to encourage you to participate in a national dialogue between the public and private sectors about how to protect those systems. I want to tell you why the Commission was formed now, what we're doing, and where we're going. I'll then be happy to take your questions.
Simply put, we want to safeguard the life support systems of the nation. The first line of the Executive Order that created the Commission says it all: "Certain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States."
The President identified eight areas for study: Telecommunications, electric power systems, oil and gas transportation, transportation, banking and finance, water supply systems, emergency services (such as medical, police, fire and rescue), and continuity of government services.
These systems are the nerves, muscles and skeleton of the country. They connect and support features of daily life that help give the United States a standard of living that is the envy of the world. We turn on lights, make phone calls, and drink tap water with an expectation of quality and reliability. But we cannot take these systems for granted. That's why the Commission was created.
Let me say a few words about our mission.
It is to:
- assess vulnerabilities and threats to the critical infrastructures
- identify relevant legal and policy issues, and assess how they should be addressed
- recommend to the President a national policy and implementation strategy for protecting critical infrastructures
- and propose any necessary statutory or regulatory changes
I'll say very little about the Commission's organization except that its members are from various Federal departments and agencies, as well as the private sector. In addition, two committees of mostly senior Cabinet officials oversee our work. We'll shortly announce our Advisory Committee of senior executives, mostly CEOs, from companies within the critical infrastructures, who will help focus the work of the Commission by providing insight, expertise, and perspective.
Since critical infrastructure is such a huge area, there are naturally -- and fortunately -- many people interested in our work. You may wonder -- with so many people involved, how we can get anything done. I'm reminded of something Kofi Annan, the new Secretary-General of the United Nations, said when he was asked why it's taking years to reform the U.N. when God only needed 6 days to create the world. God, he replied, "had the added advantage of working alone."
Briefly, why do we have a Commission, and why now?
Basically three reasons:
First, physical terrorism continues -- for example, the all-too-common car bomb.
Second, increased reliance on technology creates new vulnerabilities, especially to intrusions into automated systems -- the so-called "cyber" attacks.
Third, tools to exploit these vulnerabilities are readily available, and their use is increasing. In some cases, all it takes to penetrate automated systems is a PC, a phone, and skills that many 14-year-olds seem able to master.
I'm not going to recite examples of cyber intrusions -- all you have to do is pick up a newspaper. The Defense Department is a favorite target. So are the home pages of certain government agencies and departments. So are banks, although they rarely disclose intrusions because of the impact on their most important asset -- their reputation. In fact, the Commission is most concerned about intrusions we rarely hear about, and especially the ones we never hear about. The hallmark of a really good intruder these days is being able to get into a system and leave undetected by completely covering his tracks.
As for terrorism
While our critical infrastructures have not been primary targets per se, America, sadly, is not a stranger to terrorism. The bombings of the World Trade Center and the Oklahoma City Federal building are sobering reminders of the dangers of terrorism and physical attack.
As for increased reliance on telecommunications, it has created new vulnerabilities
America has pioneered tremendous advances in technology. But progress has its price. The irony of the Information Age is that every wonderful capability has a vulnerability. Infrastructures increasingly rely on information technology and the telecommunications that tie them together. This reliance exposes systems in new ways, and creates new vulnerabilities.
For example, many companies, such as utilities, are very familiar with natural hazards. But today we are facing a new set of manmade risks. Every new connection in our interconnected world makes companies more vulnerable to vandalism, theft, unscrupulous competitors, malicious hackers, and criminals.
Surveys show that the most common intruders today are "insiders" -- people with legitimate access to the company's systems. Insider "cyber attacks" are increasing, particularly in this age of mergers, consolidation and downsizing.
Furthermore, interconnected systems are usually interdependent systems. A failure in one area can have a cascading negative impact on several others. Loss of power can mean loss of telecommunications. Loss of telecommunications can result in disruption of financial transactions. And without money, business grinds to a stop.
And with interdependence comes complexity. The sheer sophistication of automated systems multiplies the number of potential errors or disruptions, and the potential magnitude of their impact.
The unprecedented speed and precision that technology brings to us also reduces the margin for error. Anyone who has ever accidentally sent a very personal e-mail message to the wrong person knows that all too well.
In the past, you put a guard at the door, and your assets were protected. Today, there is no door -- or too many doors, depending on how you look at it. And you can never be sure who will drop in for a visit via the Internet.
Having said this much about the impact on business, I don't want to ignore implications for national security. Both Russia and China are actively pursuing information warfare strategies in their militaries. This begs the question: Are we, in a sense, witnessing the beginnings of a new arms race? You may recall that John Deutch once called the electron "the ultimate precision guided weapon." It is clearly in our best interest to watch how other nations employ it.
And as for tools to exploit these vulnerabilities
Even amateurs have access to the technological tools needed to penetrate systems and cause trouble. Because of the availability of Internet hacker sites, infrastructures may be endangered by bad actors intent on penetrating or disrupting their operations.
Unlike Willie Sutton, who had to go to the bank to rob it, today's hacker can try to rob it from home using a PC. And he doesn't even have to be in the same city -- or country.
WHAT WE'RE DOING
So that's why the Commission was created, and why it was created now. The tapestry of technology we have woven throughout our infrastructures means that no organization -- either in the private sector or public sector -- can dismiss the implications for its mission or ignore its responsibilities.
I've been asked how this Commission is different from past efforts to address similar issues. The major difference is that there is a widespread recognition that the nature and scope of the threat have changed as the result of technology. We have thousands of intrusions almost every day into automated systems. The weight of anecdotal evidence is sufficiently persuasive to warrant a serious collaborative effort to address this problem.
I want to make special note of the fact that, in my experience, the Commission may be one of the few times when government is calling for action before a crisis occurs, rather than after-the-fact. Most of us encounter very few opportunities to get in on the ground floor of an historic national effort. This is one, and its most important days -- and decisions -- lie ahead.
On the cover of last June's issue of Foreign Affairs, I noticed the following quote: "The world may be moving inexorably toward one of those tragic moments that will lead historians to ask, why was nothing done?" The Commission is an effort to do something.
That's why we are engaged in an aggressive outreach to both the public and private sector -- the national dialogue I spoke of earlier. We must build awareness and understanding of the problem. The central challenge of the Commission is to forge a partnership between the private sector and government at all levels, Federal, State and local. Private sector involvement is absolutely essential to an informed process of strategy development.
We are pursuing this partnership not only through Commission membership and the Advisory Committee, but also through public meetings, focus groups, gaming, and a non-stop corporate outreach effort. We've been from Silicon Valley to Wall Street to Miami Beach talking with CEOs, CIOs, COOs, and just about every other corporate "O" we can find. We've also met with every variety of elected official, ranging from senators and governors to supervisors and city council members. We've contacted hundreds of companies and associations, and met with hundreds of others. And we're not done yet.
One of our biggest efforts is a series of public meetings around the country. Our first was in Los Angeles. Two weeks ago we were in Atlanta -- former Senator Sam Nunn and Mayor Bill Campbell co-hosted that meeting. There the Commissioners and I met with everyone from Delta Airlines and CNN to the Southern Company and BellSouth. Each has a profound interest in our activities, and particularly the development of our recommendations and strategy. We'll be in Houston on May 13th, Boston later this month, and St. Louis in June. Any and all of you are invited to join us and share your thoughts.
The Commission's philosophy is that the quality of our recommendations to the President can only be as good as the degree of consultation with the private sector. Our approach is not "We're government and we're here to help."
Rather, we are vitally interested in what the private sector has to say -- its involvement is absolutely essential to an informed process of developing a comprehensive national policy and implementation strategy.
WHERE WE'RE GOING
The tough intellectual work of the Commission lies before us -- the crafting of the recommendations and strategy. That's where we need your help. Let me highlight a few issues we're focusing on:
Technology: Technology is a bigger part of the problem -- and the solution -- than we originally thought. The main problem is a lack of tools with which to detect, identify, characterize and defend against attack, especially cyber attack. Personally, I'd like to see Caller ID for cyber intrusions by hackers, criminals, or terrorists. This will demand special emphasis in our R&D programs, and consideration of the respective roles and responsibilities of the public and private sectors for such R&D.
Trusted Environment for Information Sharing: There is a compelling need to create a trusted environment for information-sharing. Government needs to tell the private sector about threats, and the private sector needs to report problems to the government so government can better focus its efforts.
At our public meeting in Atlanta, Senator Nunn noted that at hearings he called last year on this subject, a number of private sector witnesses canceled out at the last minute because they did not want to reveal what they considered to be their own vulnerabilities. "This," he said, "reflects the huge problem we have in trying to build a degree of trust." So what kind of collaborative mechanism could be created that would serve both purposes -- protecting classified government intelligence information and protecting private sector information affecting reputation, consumer confidence, and liability?
Role of Government: What is the proper role of government? Since most infrastructures are privately owned and operated, can and should we rely exclusively on market forces to assure delivery of vital services? The private sector must guard against commonplace intrusion, theft and fraud, but what about state-sponsored terrorism or hostile attack? What's the federal government's responsibility?
Incentives: What are appropriate incentives for the private sector to invest to address vulnerabilities? Are tax incentives the right vehicle? Should government underwrite infrastructure protection?
Liability: When the power grid goes down, who pays for lost time, production, or business? Today, unfortunately, it's the consumer. But there's no law of physics that says you need to lose electrical power or phone service during a storm. What are the liability implications? What role can and should the insurance industry play?
Standards: In this same vein, some infrastructures have no enforced standards for providing service. Should standards be established? Would they help? And, one I want to tread carefully on, should government mandate assurance standards?
Regulation: How infrastructures are regulated may influence how companies address vulnerabilities. For instance, rates charged by some utilities are tightly controlled by the government. But controlling rates appears to conflict with encouraging investment in infrastructure improvements. Therefore, what is the appropriate government role regarding rate-setting? What will be the impact of deregulation?
These are just some of the issues we are addressing. They are by no means all. I haven't mentioned how the government is organized to deal with this threat, or the legal framework for dealing with cyber threats, or many others. We are under no illusions that this Commission can solve every problem. Instead, we see the strategy and recommendations as a point of departure for corrective action.
I realize I've thrown a lot at you this morning before your second or third cup of coffee, but my experience with White House Fellows is that they are uniquely qualified to drink from a fire hose of new information. Furthermore, I want to encourage you to join us in our efforts to secure America's bridge to the 21st century. Whether you're in the public or private sector, we need you to share your experience and insights with us.
On that point, I want to close with something President Clinton said in this year's State of the Union address. He stated, "The enemy of our time is inaction." I firmly believe that inaction today will inevitably cost us dearly in the future. When it comes to technology, the lessons of history regarding its use and exploitation are clear: if it can be used to advantage, it will. Those of you here today understand those lessons, I know.
Finally, no one in this audience needs to be told how to find a Presidential Commission, so I'll just say please feel free to write, call, or visit us on the world wide web. I encourage to participate with us in this national dialogue. We need your best thinking, and we need it now.
Again, thanks for the opportunity to speak with you this morning. I'll be happy to take any questions.