President's Commission on Critical Infrastructure Protection
The President's Commission on Critical Infrastructure Protection has been tasked to bring together the combined forces of the government and private sector to develop a strategy for protecting and assuring the continued operation of this nation's
critical infrastructures. These include telecommunications, electrical power systems, gas and oil transportation, banking and finance, transportation, water supply systems, emergency services (including medical, police, fire, and rescue) and continuity of government.
This mission presents complex challenges -- challenges complicated by the national and global interdependence of these infrastructures, their strategic significance, and their vital role in the increasingly competitive marketplace. The emergence of new technologies and the resultant interdependencies among the infrastructures magnify their vulnerability.
The Commission will examine physical and cyber threats to the critical infrastructures, as well as the effects of natural disasters. The Commission will identify and leverage on-going initiatives at federal, state and local levels, in industry, and throughout society that address infrastructure vulnerabilities, threats, and related issues. It will then integrate these initiatives and results into the formulation of realistic national assurance strategies.
Absolute infrastructure protection and assurance is unrealistic and unaffordable; consequently, the Commission will prioritize its efforts. It will identify the critical elements of infrastructure, define probable threats, and assess the feasibility of protection and assurance options from a range of perspectives -- economic, social, legal, and international. Furthermore, it will strive to ensure that proposed solutions can keep pace with evolving threats in a rapidly changing technological environment.
Determining the best protection and assurance options requires working closely with all levels of government and the private sector. The Commission will draw on the interests and capabilities of corporate America, concerned trade groups, and private citizens. The Commission must create a sense of trust between the Commission and these elements -- trust based upon mutual concern for assuring infrastructure continuity, protecting the privacy of our citizens, enhancing the economic competitiveness of private enterprise, and ensuring that sensitive and proprietary information shared with the Commission will be protected from disclosure.
The Commission will emphasize collaboration, particularly the sharing of best practices and information throughout government and infrastructure sectors. It will seek to raise the level of security awareness and propose better solutions. In all cases, it will endeavor to minimize government intervention.
To accomplish its mission, the Commission will:
Determine and categorize the range of threats to critical infrastructures.
The Commission will identify and categorize potential threats to critical infrastructures. The range of threats -- including aggressor nations, terrorists, criminals, disgruntled employees and computer hackers -- will be considered. The Commission will seek information, advice, participation and support from the private sector. It will involve the nation's intelligence and law enforcement organizations, trade and commerce regulators, international agencies, other government agencies at all levels, and above all, the owners, operators, and supporters of the critical infrastructures; all will be invited to participate in evaluating threats, assessing vulnerabilities and developing solutions.
The Commission will concentrate on threats with the greatest potential to disrupt or disable critical infrastructures and information systems. The evolution of technology and diffusion of enabling knowledge and information will be considered in projecting future threats to critical infrastructures.
Identify vulnerabilities within and among critical infrastructures.
The infrastructures on which America depends are vulnerable to potentially debilitating natural disasters or physical attacks that threaten national security, economic viability or societal well being. Moreover, the dependence of the critical infrastructures on the flow of information -- within and among other infrastructures, and between infrastructure companies, customers, suppliers and government -- presents a host of vulnerabilities. The full range of vulnerabilities of infrastructure segments to physical and cyber attack has not been considered. Even when vulnerabilities are recognized, the absence of a demonstrated threat often leads to the conclusion that they need not be protected. Further, the interdependence and connectivity of infrastructures make each vulnerable to attack on others.
The Commission will outline these vulnerabilities, identify potential consequences, determine the level of knowledge and concern, and broaden understanding of how those vulnerabilities place the nation, its citizens and economy at risk.
Find and assess options for protecting infrastructures, assuring continuation and restoration of service.
Based on potential threats and identified vulnerabilities, the Commission will seek to identify options for protecting these critical infrastructures. Options will include conventional security measures of all sorts, as well as those offered by emerging technology and concepts from government, commercial and other private sources. In assessing the potential options, the Commission will consider technical feasibility, impact on industry and society (including privacy considerations), liability issues, affordability, international factors, and legal ramifications. It will identify policy and legislative initiatives required to enable the recommended protection and assurance measures.
Develop a strategy for protecting critical infrastructures.
Identifying options alone does not fulfill the Commission's charter. A strategy for protecting critical infrastructures and assuring their continuity and reconstitution is required. Toward this end, the Commission will develop and apply criteria for the prioritization of protection and assurance strategies, both infrastructure-unique and general. Additionally, priorities will be assigned to vital elements within critical infrastructures based on sensitivity, vulnerability and potential impact on the nation. The strategy will reflect the interdependent nature of the nation's infrastructures, and their reliance on technologies developed, operated and owned outside specific infrastructure segments.
The strategy development process will span all of the Commission's activities, knowledge gained from the Advisory Committee and elsewhere, and the results of the Commission's assessments of legislative, policy and other constraints on the protection and assurance process. Additionally, the strategy will seek to integrate, coordinate and disseminate intelligence, indications and warning gained through all available means from the intelligence community, law enforcement, and the private sector, sanitized as necessary to protect sensitive or proprietary information.
Recommend an implementation plan for protective and assurance measures, including the policy, legislative and other changes required.
Implementation of the Commission's recommended strategy is central to its mission. In this area, the Commission will bring to bear all of its analysis, research and policy development work. A clear and concise implementation plan will be built based on the previous work. Integral to developing the implementation plan will be the assessment and interpretation of the input and feedback received through outreach programs, from public and private meetings, hearings, and conferences conducted by the Commission and the
The Commission will pursue its charter with full consideration given to the following:
The vital nature of this mission and the growing risk of attack on critical infrastructures demand that the Commission share its work as soon as possible. Consequently, as useful information, ideas, plans and strategies are developed and verified -- including such matters as threat and vulnerability assessments -- the Commission will report its findings, conclusions and recommendations. The Commission will coordinate and communicate regularly with the
Infrastructure Protection Task Force to ensure that useful information, intelligence, and assessments can be acted upon immediately by appropriate agencies.
The Commission will undertake an extensive and comprehensive outreach program with industries within infrastructure segments; businesses and customers of infrastructures; the public; federal agencies and advisory committees; the Congress; state and local governments; public interest organizations; and a wide range of trade and professional associations. A broad range of organizations, companies and, in some cases, other governments, will be consulted as well. The Commission will solicit ideas, support and assistance from these groups and individuals. Additionally, recognizing the reluctance of some commercial organizations, businesses, and elements of government to share information with others -- especially when that information may reveal vulnerabilities or compromise competitive advantage -- the Commission will undertake a significant communications effort to explain its purpose, generate confidence and trust, and gain participation from the broad range of businesses, governments, other organizations and individuals on whom the Commission must depend, ultimately, for the success of its integrated effort.
The initial work schedule, based on early projections of Commission activities, is contained in the Commission work schedule chart. This represents an aggressive year-long effort culminating in a final report as required by Executive Order 13010. Inherent in the work schedule but not explicitly shown is extensive interaction with the public and private sector groups.