IWS - The Information Warfare Site
News Watch Make a donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

[ PCCIP Home | Main Menu | Report | New Items | Contact Us | Speaker's Bureau ]

Remarks Prepared for Delivery
By Robert T. Marsh

Chairman, President's Commission on Critical Infrastructure Protection

North American Electric Reliability Council Meeting
January 7, 1997

I appreciate the opportunity to speak to you this morning.

Critical infrastructures protection is clearly one of the key issues we face as a nation. Our infrastructures are the life support systems of the nation, and electric power systems are clearly one of the most important.

From your standpoint, the vulnerabilities of the electric power industry today have the potential to impact your ability to deliver service, provide complete customer satisfaction, and maintain a good level of profitability.

I would like to share a few thoughts with you this morning about what the Commission is, and our planned interaction with the electric power industry. I'll then answer any questions you might have.

I'm not here to overdose you with examples or anecdotes of infrastructure weaknesses and exploitation - you've probably heard and read much of that already.

Nor am I here to lay out recommended solutions to problems within the infrastructures. They don't exist yet.

But, I would like to tell you about:

  • Issues we face

  • How the Commission is addressing them

  • How the electric power industry can participate in what must be a joint effort between government and the private sector to address the issues of protecting electric power systems as one of the nation's critical infrastructures

Dave Jones, our Commissioner representing the Energy Department, spoke to you in September about the Commission and its mandate, so you don't need a lot of introduction to what we're about.

The reason I'm here this morning is to personally provide you with an update on our activities. What I would ask from you today, and indeed throughout the life of the Commission, is that you give us a fair hearing with an open mind. Let me put that in the context of the Commission's mandate:

President Clinton established the Commission last July. Its mission is to:

  • assess vulnerabilities and threats to the critical infrastructures

  • identify relevant legal and policy issues, and assess how they should be addressed

  • recommend a national policy and implementation strategy for protecting critical infrastructures from both physical and cyber threats

  • and propose any necessary statutory or regulatory changes

Electric power systems is one of the eight critical infrastructures the Commission is studying. The other infrastructures are telecommunications, water supply systems, banking and finance, transportation, oil and gas transportation, emergency services such as medical, police, fire and rescue, and continuity of government.

I want to assure you that during the course of our work, the voice of the electric power industry will be heard loud and clear. In fact, the very first Commissioner joining us from the private sector is from Pacific Gas and Electric. She is Ms. Nancy Wong, manager of their Department of Information Assets and Risk Management.

Issues

Briefly, why do we have a Commission, and why now?

Basically three reasons:

1) Physical terrorism continues, and we see increasing cyber intrusions of all types into our automated information systems, many by so-called "insiders."

2) Increased reliance on telecommunications and information technologies in all infrastructures and the increased vulnerabilities that that brings.

3) Tools to exploit these vulnerabilities are readily available (hacker sites on the Internet can tell you how to penetrate systems) and their use is increasing exponentially.

As for terrorism

The fact is that infrastructures -- including electric power systems -- have become targets for terrorists. This summer in London, for example, the press reported that Scotland Yard had discovered an apparent IRA plan to bomb gas, water and electric power targets.

America is no stranger to terrorism -- the bombings of the World Trade Center and the Oklahoma City Federal building are but two examples. But to this point, our critical infrastructures have not been primary targets.

Finally, and sadly, we must now prepare for terrorist acts by our own citizens who choose terrorism as a means to express their displeasure or distrust of their government.

I've been asked how this Commission is different from other government efforts in the past to address similar issues within the electric power industry. I believe the major difference is that there is a widespread recognition that the nature and scope of the threat to electric power systems has changed as the result of advances in technology, particularly information technology and telecommunications. The weight of anecdotal evidence is sufficiently persuasive to warrant a serious collaborative effort to address this serious problem.

As for increased reliance on telecommunications, it has created new vulnerabilities.

Our infrastructures have become increasingly reliant on information technology and the telecommunications infrastructure that ties them together.

Telecommunications and automation expose infrastructures in new ways, and create new vulnerabilities.

I know utility companies are very familiar with natural hazards, but we are now facing a new set of manmade risks and hazards.

Technology has created an interconnected, interdependent world. These connections enable global commerce through the sharing of information. Business depends on those connections, but each connection potentially creates exposure and risk. Companies are becoming increasingly vulnerable to vandalism, theft, malicious hackers, criminals, and unscrupulous competitors.

Companies are also increasingly vulnerable to so-called "insiders", and risks are increasing, particularly in this age of mergers and consolidation.

You have certainly felt the impact of technology on your operations. Many of you are moving to highly automated electronic meter reading systems.

In addition, many of you now have public sites on the Internet to enhance your market presence. And the trend is clearly toward making greater use of the Internet as seen in a recent FERC (Federal Energy Regulatory Commission) order, to do business transactions. But the Internet and other public networks are less secure than dedicated networks. Along with the benefits of greater public presence, the use of technology also creates more exposure and risks.

In the past, you put a guard at the door, and your assets were protected. Today, there is no door -- or too many doors, depending on how you look at it. And you can never be sure who will drop in for a visit via the Internet.

And as for tools to exploit these vulnerabilities:

Even amateurs have access to the technological tools needed to penetrate systems and cause trouble.

The Internet contains hacker sites with instructions on how to penetrate systems.

Result: infrastructures are constantly in danger from people intent on penetrating or disrupting them. And all they need is a personal computer and a modem.

The Willie Suttons of today may not even have to go to the bank. They can try robbing it from home using a PC.

On the cover of the June issue of Foreign Affairs, I noticed the following quote: "The world may be moving inexorably toward one of those tragic moments that will lead historians to ask, why was nothing done?"

The Commission is clearly an effort to get something done. In terms of the electric power industry, this means we are conducting an aggressive outreach to companies -- and particularly industry leaders such as you -- to discuss our goals and solicit your participation so we can build a strategy and recommendations that are compatible with both increased assurance and business' bottom line.

Further, in my experience, it may be one of the few times when government is calling for action before a crisis occurs, rather than after-the-fact.

Those are some of the issues the Commission is facing. Let me tell you how we're approaching them.

What the Commission Is Doing in Infrastructure Issues

The central challenge of the Commission is to forge a partnership between the private sector and government at all levels, Federal, State and local. Partnership is the core of the Commission.

We are pursuing this partnership through an aggressive outreach program that includes public hearings, focus groups, gaming, and a non-stop effort to carry our message throughout each of the critical infrastructures, especially to industry leaders such as you.

The objectives of our initial outreach to the private sector are to build recognition of threats to and vulnerabilities of critical infrastructures. Later in our outreach effort, we will be seeking private sector buy-in of specific findings and recommendations.

Our underlying philosophy at the Commission is that the quality of our recommendations to the President can only be as good as the buy-in we foster with the private sector.

Our approach is not "We're government and we're here to help."

Rather, we are vitally interested in what the private sector has to say because it owns and operates the critical infrastructures. Private sector involvement is absolutely essential to an informed process of developing a strategy.

We anticipate the solutions will fall within a range bounded by government and private sector responsibility for implementation. Some government problems will require only government solutions, while some private sector problems will require only private sector solutions. Others, however, may require solutions somewhere in-between - solutions jointly actioned by government and the private sector.

We are under no illusions that this Commission can solve every infrastructure problem. Instead, we see the strategy and recommendations as a point of departure for implementation. For that reason, we need the best thinking of the private sector up front.

Collaboration within government

Just as we need collaboration between government and the private sector, we will also need collaboration within government. Government agencies at all levels must share information and jointly address this problem. This is particularly important regarding threat assessment and warning.

For instance, if there were a series of unusual infrastructure failures, how quickly would we become aware of them, and how would we interpret them?

Electric power failures on a metropolitan or regional basis might or might not be correctly diagnosed as accidental, criminal, or an attack. The process of precisely determining the cause of an electrical power failure can require days or weeks. Government agencies need to work together, and with the private sector, to find ways to quickly recognize what is happening, understand what it means, and determine an appropriate and timely response. Because the conditions and consequences of risk and threat have changed, quickly finding the cause of a disruption is much more important today than in the past.

HOW THE ELECTRIC POWER INDUSTRY CAN PARTICIPATE IN THIS JOINT EFFORT BETWEEN GOVERNMENT AND THE PRIVATE SECTOR

A question I often hear is, "How can we help?"

In terms of the electric power industry, you've already begun to help by affording me the opportunity to speak with you today.

As the Commission's work progresses, I would ask two things of you:

First, the willingness to continue to give us a fair hearing with an open mind, whether personally or through your staff. We need your cooperation and help to enhance awareness and understanding of the issues, and to encourage participation in our efforts by other members of the electric power industry. As the Commission progresses, this will mean reviewing the proposed strategy and recommendations to ensure they are compatible with enhanced delivery of customer service and the bottom line of business.

Second, and more specifically, I had earlier mentioned that gaming will be an element of our work. In March, we are planning to conduct a game at the Prosperity Institute, which is affiliated with Sandia National Lab. The purpose of the game is to explore and validate potential strategies and recommendations. The participation of the electric power industry will be critical to the success of the game. Clearly, we would not prevail upon all of you to consider attending, but I would like to ask that when we issue invitations to some of you within the next few weeks, that you consider them favorably.

Finally, and on a more personal note, if I need to pick up the phone and give you a call to ask for your support, I'd like to be able to do that. Our thinking is still evolving, so I'm not clear on exactly when that support will be needed, or in what form. But I would like to be able to count on it.

You know how to get in touch with us. I welcome and encourage your input. The toughest work of the Commission is still before it -- the actual crafting of strategy -- so we want to hear what you have to say as soon as possible. That's the only way we will devise solutions that work for everyone.

Thanks for inviting me. I'll take any questions.

[ PCCIP Home | Main Menu | Report | New Items | Contact Us | Speaker's Bureau ]