Commissioner, President's Commission on Critical Infrastructure Protection
DoD Worldwide Antiterrorism Conference
August 21, 1997
It is a pleasure and an honor to be here with you this evening. The fact that you would invite a Department of Justice Attorney here to speak to you about infrastructure assurance is indicative, I think, of just how far the federal government has come on this issue in the past year or so. A year ago, someone from DOJ might not have had a whole lot of interesting things to say to many of you -- who, after all -- have been working these issues for years within DoD. I hope I can do a little better than that!
The creation of the President's Commission on Critical Infrastructure Protection signaled a change in the way our government is preparing to address infrastructure assurance. We are hoping that our Commission report will signal a change in the way our nation should prepare to address infrastructure assurance.
I'm going to try to present a near up-to-the-minute update on Commission activities -- which are, as of late -- heating up quite a bit. As some of you may know, we are currently scheduled to provide our report to the President in mid-October. The Commission is an even busier place than usual these days.
I'll talk a little about the formation of the Commission, our mission and focus, and about the people who make up the Commission. I also hope to touch on some points bearing on Commission methodology, and describe for you what the process looks like from now until we present our report. Finally, I'll give you an overview of some of the major issues that have been driving our Commission deliberations, and that are most likely to end up being the subject matter of some of the Commission's recommendations.
Now here's the disclaimer (after all, what kind of lawyer would I be without a lengthy disclaimer). Keep in mind that even though our October 13 date for reporting to the President is fast approaching, we are still working hard in deliberations to arrive at and refine our final recommendations. So take what I have to say here tonight as the observations of an enthusiastic participant in the process -- but not as necessarily indicative of the Commission's final recommendations.
With the signing of Executive Order 13010, the President brought together representatives across government and the private sector to address a set of issues that were, quite frankly, new to a number of us. What the President did when he signed the Order was, in retrospect, fairly extraordinary. He extracted the societal component of what was previously known as defensive information warfare -- something that had rarely been spoken of outside the Pentagon -- something that most private sector folks don't even want to think about much less talk about -- and opened it up to very public policy scrutiny.
The bringing together of representatives of 10 key agencies on the Commission was a loud and clear initiation of a cross-governmental response. The joining of this group with representatives of key portions of the private sector was a clear initiation of a cross-societal response.
The Advisory Committee
One of the ways the private sector has had direct, "top-down" input into the process is through the Commission's Advisory Committee. We are very fortunate to have an Advisory Committee of private sector CEOs to assist in our effort and oversee our progress.
Co-chairs of the Advisory Committee are former Senator Sam Nunn and former Deputy Attorney General Jamie Gorelick. They were powerful proponents of infrastructure assurance within government, and we are quite pleased that they have agreed to help us with our most significant challenge: achieving private sector buy-in of our recommendations. As you all know, most of the infrastructures are privately owned and operated. We recognized from the outset that any solution that does not include their input and support is not a viable solution. Our goal is a public-private partnership that works together to protect our future.
The lion's share of the Commission's work has been conducted by Commissioners representing the public and private sectors. Half are executives from the involved departments and agencies in Washington; half are executives from infrastructure companies and organizations who bring valued industry experience, expertise, and perspective.
Truth be told, we are quite a bunch. We range in age from the mid-thirties to the upper seventies, and our experiences run the gamut. We have engineers, IT specialists, physicists, lawyers, and even a physicist-lawyer! We bring with us to the table not only our personal experiences, but our own agencies' and companies' interests, equities and methodologies. However difficult our differences may make things at this stage, I think we all recognize it's for the best that we bring all of these perspectives to bear on our difficult challenges.
Allow me just a word or two on the task that we were given. I should have known something was going on early in our process -- during our first few outreach meetings with representatives of major industry trade associations. We would arrive politely enough, introduce ourselves, and begin to describe our mission. Often we would hand our hosts a copy of the executive order that set forth our mission. That's when the laughter started. We would hear questions like, "You have to do what?" "You have how much time?" Or my favorite, "Exactly how many of you are there?"
You see, we had been charged with studying, in some degree of detail, eight infrastructures that had been deemed by the President as "critical" -- along with any others we happened to discover along the way. The President identified these as critical because their incapacity or destruction would have a debilitating impact on our defense and/or economic security. So what's the first thing you do when asked to look at eight critical infrastructures? Well, we're not crazy -- we condensed them down to five. They are:
- Energy -- including electric power; natural gas and petroleum production, distribution and storage;
- Physical distribution -- including railroads; highways; air traffic; maritime transportation; and pipelines;
- Banking and finance -- including banks; financial services; markets and payment systems such as SWIFT and CHIPS;
- Information and communications -- including telecommunications; computers; software; the Internet; satellite communications; and
- Vital human services, where we combined water; emergency services such as fire, police, and emergency medical services; and government services -- such as social security and welfare.
The challenges set forth in the Executive Order required that we employ an eclectic approach. Even several eclectic approaches all at once.
We were instructed to "identify and consult with: (i) elements of the public and private sectors that conduct, support, or contribute to infrastructure assurance; (ii) owners and operators of the critical infrastructures; and (iii) other elements of the public and private sectors, including the Congress, that have an interest in critical infrastructure assurance issues." We did that. To date we have met with more than 5,500 individuals, corporations, associations, and government agencies. We held public meetings in Los Angeles, Atlanta, Houston, Boston, and St. Louis. In each of these cities, we talked with hundreds of people from industry, labor, state and local government, academia, as well as private citizens.
Assess threats and vulnerabilities
We were charged with examining the threats to and vulnerabilities of each of the eight enumerated critical infrastructures. We divided ourselves into infrastructure sector teams -- and did just that. Much of this research was conducted through our extensive outreach program consulting with stakeholders around the country. As a result of these efforts, we expect that our report to the President will contain infrastructure-specific as well as cross-infrastructural findings and recommendations.
Identify legal issues
We were asked to determine what legal and policy issues are raised by efforts to protect the critical infrastructures; and to propose statutory and regulatory changes necessary to effect our recommendations.
Well, it did not take long to realize that all of the issues raised across all of the infrastructures could not easily be captured in a "report." Instead, we built a legal issues database -- a database of pertinent federal laws, regulations, executive orders, and even international agreements. We included in the database a sampling of relevant state legislation, and even included information on what appeared to be relevant private sector policies and practices. The result is a rich collection of legal authorities that one day may call to be carefully reexamined in light of the concerns raised by the Commission.
The database was originally intended to serve as an implementation tool for the recommendations of the Commission. In keeping with the concept of "infrastructure assurance" as a series of gradual cultural changes, however, we believe that the database might serve an equally important long-term role. We are exploring the possibility of making the database broadly available, to help raise awareness across the legal community and facilitate implementation of future assurance measures.
Issue assurance policy and implementation strategy
We were tasked to recommend a comprehensive policy and implementation strategy for protecting the critical infrastructures from both physical and cyber threats.
Here's where things got creative. We have met with experts from science, technology, the military, business, and government. We have conducted strategic simulations with Sandia National Labs, the Prosperity Institute, and Booz-Allen & Hamilton. We have compiled databases that are the most robust sources of information on these critical infrastructures in existence. We endeavored to leave no stone unturned as we identified dependencies, threats, and impediments to solutions.
These research efforts concluded earlier this summer, and we have since commenced the most important phase of our work: (1) identifying those fundamental issues that the Commission must address; (2) deliberating the options for how to answer those questions; and (3) writing our report and making our recommendations to the President.
Some Personal "Lessons Learned"
Before sharing with you some of the issues that the Commission is now considering, I hope you don't mind if I take a few minutes to share with you some personal reflections -- my own personal "lessons learned" about this thing that we at the Commission now quite casually refer to as "infrastructure assurance."
Commissioners and commission staff have become fairly comfortable talking about whether some action or policy x or y enhances infrastructure assurance, or whether some law, for example, may operate in a way antithetical to infrastructure assurance. It has become a convenient shorthand for us. And we all know pretty much what others are talking about because we have been wrestling with these issues for over a year. I suspect, however, that it is just that, a shorthand for something that we have not characterized as completely as we should.
Sure, we have our "dictionary definition" of infrastructure assurance, and we hope some day to be sharing that with you in our report. Let me offer a different type of definition of "infrastructure assurance," one grounded in experience. One grounded in what we must do to enhance infrastructure assurance -- what we must begin to do today to be adequately prepared for tomorrow.
What I think of when I think about "infrastructure assurance," in its broadest sense, is the cultural change that we will have to undergo to preserve our national security, our nation's global competitiveness, and the overall public good in light of newly emerging and intensifying threats and vulnerabilities. This, I believe, is a cultural change, one that will occur gradually but pervasively. It is a change that will bring changes in the way that business does business, government does government, and individuals conduct their lives. It is a change that will see:
- Businesses responding by including emerging threats and vulnerabilities in their risk management methodology;
- Government responding by organizing itself in such a way as to detect and, in appropriate circumstances, respond to emerging threats and vulnerabilities;
- Private citizens, in their homes and offices, modifying the way that they practice computer and information security.
I believe this change will be quite natural, such as the change that took root in the 1960s and 70s, when people learned that they must lock their front doors and no longer leave the keys in the ignition overnight. Some people we have spoken to say this is a cultural change that will occur on its own over the next 20 years. I believe, however, that if we can do certain things to "jump start" this cultural change, and accelerate it by as little as 5 years, we will have done much to preserve this country's global competitiveness and perhaps even save American lives.
A Progress Report on Commission Issues
So where are we exactly in all of this? Well, we are just bringing to a close our deliberation process. We had originally identified some 130+ candidate issues for deliberation. Well eventually we managed to combine, massage, manipulate or just plain drop them until we arrived at a much more manageable number -- about 40. We assigned to individual Commissioners responsibility for drafting issues papers, and generating options to feed the deliberation process.
Actually, it has been fairly extraordinary. Every day we see connections between issues -- and between potential solution options -- that we had not previously seen. The issues are grouping themselves into some broader issues categories, several of which I will touch on now.
I'd like to preview five of our major issue areas, some in greater detail than others: Globalization, Education and Awareness, Research and Development, Legal and Regulatory issues; and what we are calling "National Structures" -- how we believe the government should realign itself to more adequately address assurance concerns.
Globalization, Deregulation and Restructuring
One of the things that makes proposing solutions so difficult is that we are aiming at a moving target -- several moving targets. Our economy is changing -- becoming more global. The infrastructures are changing -- they are becoming more deregulated, and companies are restructuring to respond to these and other changes. At the same time, technology is enabling new types of threats, and introducing new vulnerabilities. What are the combined effects of these trends? We are planning to chart some of them out in a high-level risk assessment.
Education and Awareness
This is going to sound trite, but it should be of no surprise that we found education and awareness to once again be a key to meaningful long-term solutions.
I don't need to highlight for any of you that there is a shortage of talented information technology and -- most particularly -- information security people around today. They're being bought up left and right -- so quickly that even the private sector is feeling the pinch. Despite this, very few American colleges and universities include computer and network security within their graduate school computer science and management curricula.
The obvious long-term solution is education. We're taking a broad view of education: We believe benefits can be derived from greater availability of professional degrees, from enhanced focus on security and risk management in engineering and business curricula, and even from enhanced ethics training at the K through 12 level. Is there a public-private sector "partnership" role here? In light of the potential for large economic losses, we suspect there might be.
Research and Development
The Commission is holding out high hopes for research and development. Right now, we simply do not have the technology to know when we are under cyber attack.
We have been exploring the appropriate balance between private and public investment. The private sector is seeing to it that there is adequate "D" going into development of product-based solutions. But there is likely not enough "R" going into the discovery of new technologies. Is there a breakthrough on the horizon? Some say probably not. But our Chairman fondly recalls a time, in the early 50's, when the technology did not exist to detect a hostile missile launch. Experts said there would be no way to differentiate a launch from a volcano. Some well placed R&D changed that, and we believe the same may be true here.
We may never get to find out unless the government steps up to the plate to fund some of the long term research that may be a bit too speculative to prompt serious private sector investment. Even if major breakthroughs are not immediately forthcoming, a bit of "invigoration" by the government could help to reduce end user costs for advanced security technology.
Legal and Regulatory Issues
I touched earlier on our responsibilities with respect to legal authorities. You'll recall that one of the things that made the going tough was how pertinent legal authorities are located in a number of different places. There is no established body of law for "infrastructure assurance" -- and asking lawyers to look it up for you is likely to get them frustrated and angry. Fortunately, I have been graced with a most insightful staff, and have been able to acquire the research services of some very patient people. Together, we have been able to unearth some important legal issues relating to infrastructure assurance -- some that support other areas of Commission inquiry, and some that stand on their own.
Legal impediments to information sharing
We recognized early on the importance of a trusted environment for information sharing: Government should alert the private sector about threats, and the private sector should feel comfortable reporting problems to the government so government can better focus its efforts. But what kind of collaborative mechanism could possibly protect classified government intelligence information, confidential law enforcement information, and also protect confidential private sector information affecting reputation, consumer confidence, and liability? There are a host of practical and legal impediments. Interestingly, some of the legal problems may be easier to resolve than the practical ones.
Infrastructure owners and operators tended to raise two areas of predominant concern, one relating to the sharing of information with other private sector people (antitrust concerns), and another relating to the initial acquisition of potentially valuable employee background information (privacy concerns).
With respect to sharing threat and vulnerability information -- antitrust concerns are more appearance than reality. Even when shared exclusively between private sector entities, this type of information does not go to the heart of competition (as does, for example, "price fixing"), and so it is simply not a target for antitrust inquiries. Even if it were, there would be workarounds. Just having government around -- playing even a modest role in information sharing -- does wonders to prevent antitrust exposure. But me saying this doesn't help much. Even having a Presidential Commission saying this might not help much. What might be needed is more definitive guidance, from DOJ or the FTC, for example, to set rough parameters around information-sharing practices and make the private sector feel more at ease.
Privacy is trickier. Our outreach revealed a degree of frustration among infrastructure owners and operators, some of whom wanted to take greater employee security precautions than some laws might otherwise allow. But here, the employer's interest in security bumps up against the employee's interest in privacy. The privacy issues implicated by sharing of employee background information, for example, touch individuals in very personal ways.
The importance of individual privacy has made obtaining background information on a potential or current employee a fertile area for strong state laws. Though grounded in best intentions, this has resulted in unpredictable disparities of approaches across state lines. The bottom line: a critical infrastructure owner and operator may in some instances be discouraged if not prevented from asking many of the types of questions that could help identify and prevent a growing insider threat to our infrastructures. The federal government already conducts background investigations on employees going into sensitive positions. Should employers looking to fill certain key positions within the critical infrastructures be permitted to access some of the records or use some of the tools available to the federal government?
The Commission is currently looking at how best to facilitate inquiries into employee backgrounds for select positions within critical infrastructures. An astounding number of factors -- privacy, fair employment, post-conviction rehabilitation, collective bargaining, federalism -- come into play when attempting to strike the appropriate balance. It may be necessary to recommend follow-on studies to find ways to balance the equities across 51 different legal jurisdictions.
Adequacy of criminal law and procedure
We have also looked at the adequacy of existing criminal laws governing cyber abuse. We have noted, as have others, that some aspects of the criminal law have not kept pace with technology. We have looked at procedural laws to make sure that they do not unduly hinder the conduct of investigations in electronic environments. The Commission's recommendations may highlight some perceived deficiencies. We are also likely to advocate that domestic law enforcement continue to work closely with the international law enforcement community to ensure that there will be a strong network of criminal laws addressing unauthorized intrusions across national boundaries, and procedural agreements to ensure speedy investigative response.
We are also looking at that body of "traditional" criminal law that protects the critical infrastructures against physical attack. While we are reassured that the federal law is capable of reaching a broad range of terrorist threats, we want to be similarly assured that criminal penalties reflect the true costs associated with these crimes, and the gravity of harm done to all of the victims.
We have also been asking tough questions about deterrence. There should be little doubt that a deterrent solution beats a reactive solution every time. After all, what is the value of a reactive solution against the likes of someone willing to take their own life in furtherance of a cause? We are taking a look at the deterrent policies of the country and the deterrent effects of criminal law and law enforcement to see whether they might require enhancement.
How do you go about enhancing the deterrent value of law enforcement? For one, you see that the laws themselves, the criminal prohibitions, the "do's and don'ts," keep pace with prevailing technology. You check to see that penalties adequately reflect the seriousness of the harm and cost to the victim in today's terms, taking into account any losses resulting from denial of service or the compromise of sensitive or proprietary information. You also see to it that adequate resources are available to investigate an adequate percentage of criminal incidents. Adequate and timely laws will not deter if enforcement is known to be sporadic.
In this regard, a key question that the Commission has begun to explore is whether a conventional law enforcement response can possibly keep pace with expected increases in the volume and severity of cyber-intrusion incidents. Is "staffing up" sufficient in and of itself? Chances are that the Commission will not be around long enough to take the measurements and evaluate the trends. But it may be the case that, at some point, new and novel approaches will be needed to really and truly deter unlawful behavior, rather than merely react to its consequences.
Our largest challenge involves redefining the role of government in light of all of the emerging trends we have noted. What is the proper role of government? Since most infrastructures are privately owned and operated, can and should we rely exclusively on market forces to assure delivery of vital services? The private sector must guard against commonplace intrusion, theft and fraud, but what about state-sponsored terrorism or hostile attack? What's the federal government's responsibility vis-à-vis the states and the private sector?
Well, being a public-private Commission, we went round and round on this one (The truth is we're still hammering out details). Some of it just depends on who you talk to. I personally think our disagreements relate more to methodology than substance. Interestingly, our search for a productive methodology led to something of a breakthrough. Here's my own, admittedly somewhat stylized version of what happened:
Infrastructure assurance "functions"
Our first reflex was to talk in terms of "entities" -- as in, "What is really needed is an entity for this, and an entity for that." And because it took us about 4 or 5 months to start bringing on board our private sector Commissioners, it was just the government side Commissioners who were participating at this point. So you know what that means: What we were really saying, in our own self-satisfied way, was "WHAT IS REALLY NEEDED IS A GOVERNMENTAL ENTITY FOR THIS AND A GOVERNMENTAL ENTITY FOR THAT." Well, our Chairman and some of the private sector commissioners -- thankfully, in retrospect -- pulled us back to earth.
We then entered into what can be called our "functionality" period. We tried consciously to wean ourselves away from the word "entity," since it had become something of a loaded term. Instead we forced ourselves to speak in terms of "follow on functions." That freed us up to play an extended game of "Wouldn't it be nice if." Wouldn't it be nice if there were some way for someone to perform function x, or function y. That was actually a very productive exercise, because it enabled us to focus on what was needed in light of new threats and vulnerabilities, without the need to jump immediately to the question of "who should be doing what."
It was actually a very productive period. We were able to isolate, identify and describe some 31 separate infrastructure assurance follow-on functions, all grouped into five major function categories. The five categories isolated thus far (and some of their component parts) are:
- Policy formulation functions, including:
  - assessing national risk
  - proposing national objectives and developing strategies
  - proposing and promoting legislation
  - assessing and promoting regulations
  - influencing private sector investments
  - preparing, recommending, and advocating budget requests
  - managing and enforcing implementation
  - shaping the international environment
- Prevention and mitigation functions, including:
  - promoting education and awareness
  - monitoring assurance standards, certifications, and best practices
  - assessing risk of system components
  - proposing protection and mitigation objectives and strategy
  - developing concepts, promoting research, and funding R&D and acquisition
  - providing funding for protection and mitigation operations
  - transferring government information to private sector for better risk analysis
- Operational Warning functions, a necessary precursor to which is better information sharing:
  - need to disseminate strategic and tactical warning information
  - jurisdictional concerns (limitations of NSA / FBI / CIA)
- Counteraction and Incident Management:
  - plan for and manage counteraction to deter, halt, or minimize an attack
  - plan for and manage an integrated law enforcement, intelligence, and military response
- Response and Recovery:
  - plan for and manage response to consequence of an attack
  - plan for and manage restoration of disrupted infrastructures
After settling on a representative set of "functions," we entered into (and in some sense, are still in) our "post-functionality" period -- the most painful phase of all. We had identified 31 important functions that needed to be performed by someone, but we were at an impasse when it came to identifying who should be doing what. We were stuck, until we devised a way that we could continue to focus on each of the functions, but perhaps array them in such a way that we could then discern some patterns. If we were to be successful at grouping the functions, then maybe some structure would begin to suggest itself.
I suggested that we begin with a very simple two-by-two matrix, along two dimensions: Public-led versus private-led, and centralized versus decentralized authority. See Appendix A. The result -- our "assignment space," so to speak, was an interesting representation of the world today. Consider the four quadrants suggested by the matrix. The upper left hand corner -- Public-led on the horizontal axis and centralized on the vertical axis -- well, that's the federal government. Upper right hand corner -- private-led but centralized, that's the space reserved for trade and industry associations and alliances. The bottom left is public-led decentralized. That's space reserved for responsibilities of the often-overlooked but integrally important state and local governments. And the bottom right, private and decentralized, well that's the space that represents responsibilities of individual companies, entities and market forces.
In plotting functions against the matrix, we had in mind some high-level guidance. We knew (taking welfare reform as just one example) that Congress has been of late inclined to relinquish more and more previously centralized authority to state and local governments. We also knew, from Mr. Magaziner's Framework for Global Electronic Commerce, that the White House might be more amenable to private sector-led solutions in this area. So in placing the various functions on the matrix, we made a concerted effort to force them down and to the right, away from traditional, centralized, public-led initiatives and toward decentralized, private-led solutions.
We were also prepared for disagreement between the respective infrastructures. We were all ready for someone to argue that some function x was more adequately performed in one place for a given infrastructure, say, telecommunications, but that it was more adequately performed elsewhere for another. What happened was mildly shocking. We found ourselves -- public and private folks alike -- by and large agreeing to where certain functions fit on the matrix. Answers to the question of "Who should have responsibility for what" were taking shape -- effortlessly and in relatively short order.
Here are some broad conclusions from this "functional assignment" exercise:
The federal government
The most important role that American citizens look to the federal government to perform is national defense and security -- protecting the United States from "attack." But fulfilling these functions is no longer simply a matter of maintaining arsenals and defending borders. For one thing, it's hard to identify, let alone defend, borders in cyberspace. If borders are defined as potential entry points, well then, with respect to the critical infrastructures, the majority of these borders are clearly not subject to immediate federal government control and supervision. Nor should they be. The point is that the government's provision of a service previously taken for granted has been significantly disrupted.
Other centralized public functions include the assessment of national risk and issuance of national policy, preparation of threat advisories, and the coordination of research and development efforts. Each of these functions may be in danger of breaking down when decentralized or privatized out toward the far reaches of the functional assignment chart.
State and local government
Of the follow-on infrastructure assurance functions, several make the most sense when they are public and decentralized. These functions include what we have termed defensive counter-action, response management, and response planning. The states have in the past, and should continue in the future, to take the role of first responder in the event of emergencies that bring serious consequences to people and property. They are, and will continue to be, the first responders -- hours or even days before additional support can arrive. But while our public outreach has demonstrated that they are clearly ready to fulfill these responsibilities, state and local responders are all too often understaffed, undertrained, and underfunded. We hope that by highlighting their crucial role, we might encourage delivery of a degree of relief.
Trade and industry associations
Private industry is becoming ever-more adept at forming the partnerships, associations and alliances to respond to arising needs. These partnerships take many forms and perform many roles. Many of their traditional roles -- setting standards, certifications or best practices; sharing information; forming alliances to engage in research and development -- are necessary elements of a concerted national response to threats posed to, and vulnerabilities of the critical infrastructures.
Internal processes and market forces
Much of the burden of infrastructure assurance will fall on the individual infrastructure owners and operators. This is no different than similar burdens that come from the need to address the potential for damage from natural disasters, accidents, or other previously envisioned sources of threats. As they have done in the past, companies must continue to assess their risks and vulnerabilities, implement best practices, protect their systems, engage in research and development and share information. These are individual responsibilities that are necessary components of an effective national response.
"Borders and crosshairs"
As interesting as the functions that fit cleanly into quadrants are those that did not: Roughly fifty percent of the functions did not fit cleanly into one box or another. It is important to note that this did not result from indecision or lack of agreement. Rather, there appeared to be collective agreement that certain functions must be placed on the borders between boxes in order that they make sense.
I'm going to refer to "border" functions as those that are settled to one side or another along one axis, but not the other. Proposing a national strategy or national objectives of an infrastructure assurance program should be done from a centralized perspective, but with roughly equal input from the government and private sector. It therefore resides on a boundary. It is a centralized public-private activity. By contrast, the planning, management and delivery of law enforcement functions is a combination of centralized (federal) and decentralized (state) public-sector activity.
"Crosshair" functions is my term for those follow-on functions that appear squarely in the middle. The only way they can work is through mutual cooperation of the four other quadrants. They also appear to be, perhaps not coincidentally, the functions that are most vital to an effective infrastructure assurance effort. They include information sharing, education and awareness, and funding issues. These functions are the hub of our national efforts, signaling in a dramatic way the need for public-private and centralized-decentralized cooperation and partnership that is not often called for in policy initiatives of a lesser scope and complexity.
Organizing to perform new roles
The four quadrants of the matrix represent the way our societal and governmental structures are ordered today. Our laws and conventions divide the world into entities and organizations that are either public or private, and centralized or decentralized. But many of the most critical infrastructure assurance functions must be -- of necessity -- performed on the borders and crosshairs -- in places where existing entities do not reside. It was this dramatic realization that enabled many of us to finally articulate why new relationships, partnerships, and structures may well be needed to respond to emerging concerns. Our conclusion? That government and the private sector should enable structures that reside on the borders and crosshairs to accept and act upon these new and different responsibilities.
Our next step is to flesh out what these structures should look like -- and we're still hammering out the details.
In the coming weeks, we will be finalizing and polishing our recommendations for the President. I hope that I have given you a feeling for the process (blood, sweat and tears) that has driven those recommendations and an appreciation of how, when our final report lands on the President's desk, the Commission will have truly gone full circle -- beginning with an Executive Order calling for an unprecedented degree of partnership and coordination with the private sector, through some difficult struggles, to a final and well-founded conclusion that the real future of our national security, of our critical infrastructures, lies in successful collaboration across all levels of government and the private sector.
[Chart: Public and Private Roles in Assurance]