Remarks Prepared for Delivery
By Robert T. Marsh
Chairman, President's Commission on Critical Infrastructure Protection
North American Electric Reliability Council Meeting
January 7, 1997
I appreciate the opportunity to speak to you this morning.
Critical infrastructures protection is clearly one of the
key issues we face as a nation. Our infrastructures are the
life support systems of the nation, and electric power
systems are clearly one of the most important.
From your standpoint, the vulnerabilities of the electric
power industry today have the potential to impact your
ability to deliver service, provide complete customer
satisfaction, and maintain a good level of profitability.
I would like to share a few thoughts with you this morning
about what the Commission is, and our planned interaction
with the electric power industry. I'll then answer any
questions you might have.
I'm not here to overdose you with examples or anecdotes of
infrastructure weaknesses and exploitation - you've probably
heard and read much of that already.
Nor am I here to lay out recommended solutions to problems
within the infrastructures. They don't exist yet.
But, I would like to tell you about:
- Issues we face
- How the Commission is addressing them
- How the electric power industry can participate in what
must be a joint effort between government and the private
sector to address the issues of protecting electric power
systems as one of the nation's critical infrastructures
Dave Jones, our Commissioner representing the Energy
Department, spoke to you in September about the Commission
and its mandate, so you don't need a lot of introduction to
what we're about.
The reason I'm here this morning is to personally provide you
with an update on our activities. What I would ask from you
today, and indeed throughout the life of the Commission, is
that you give us a fair hearing with an open mind. Let me
put that in the context of the Commission's mandate:
President Clinton established the Commission last July. Its
mission is to:
- assess vulnerabilities and threats to the critical
- identify relevant legal and policy issues, and assess how
they should be addressed
- recommend a national policy and implementation strategy
for protecting critical infrastructures from both physical
and cyber threats
- and propose any necessary statutory or regulatory changes
Electric power systems is one of the eight critical
infrastructures the Commission is studying. The other
infrastructures are telecommunications, water supply systems,
banking and finance, transportation, oil and gas
transportation, emergency services such as medical, police,
fire and rescue, and continuity of government.
I want to assure you that during the course of our work, the
voice of the electric power industry will be heard loud and
clear. In fact, the very first Commissioner joining us from
the private sector is from Pacific Gas and Electric. She is
Ms. Nancy Wong, manager of their Department of Information
Assets and Risk Management.
Briefly, why do we have a Commission, and why now?
Basically three reasons:
- 1) Physical terrorism continues, and we see increasing
cyber intrusions of all types into our automated information
systems, many by so-called "insiders."
- 2) Increased reliance on telecommunications and
information technologies in all infrastructures and the
increased vulnerabilities that that brings.
- 3) Tools to exploit these vulnerabilities are readily
available (hacker sites on the Internet can tell you how to
penetrate systems) and their use is increasing exponentially.
As for terrorism
The fact is that infrastructures -- including electric power
systems -- have become targets for terrorists. This summer in
London, for example, the press reported that Scotland Yard
had discovered an apparent IRA plan to bomb gas, water and
electric power targets.
America is no stranger to terrorism -- the bombings of the
World Trade Center and the Oklahoma City Federal building are
but two examples. But to this point, our critical
infrastructures have not been primary targets.
Finally, and sadly, we must now prepare for terrorist acts by
our own citizens who choose terrorism as a means to express
their displeasure or distrust of their government.
I've been asked how this Commission is different from other
government efforts in the past to address similar issues
within the electric power industry. I believe the major
difference is that there is a widespread recognition that the
nature and scope of the threat to electric power systems has
changed as the result of advances in technology, particularly
information technology and telecommunications. The weight of
anecdotal evidence is sufficiently persuasive to warrant a
serious collaborative effort to address this serious
As for increased reliance on telecommunications, it has
created new vulnerabilities.
Our infrastructures have become increasingly reliant on
information technology and the telecommunications
infrastructure that ties them together.
Telecommunications and automation expose infrastructures in
new ways, and create new vulnerabilities.
I know utility companies are very familiar with natural
hazards, but we are now facing a new set of manmade risks and
Technology has created an interconnected, interdependent
world. These connections enable global commerce through the
sharing of information. Business depends on those
connections, but each connection potentially creates exposure
and risk. Companies are becoming increasingly vulnerable to
vandalism, theft, malicious hackers, criminals, and
Companies are also increasingly vulnerable to so-called
"insiders", and risks are increasing, particularly in this
age of mergers and consolidation.
You have certainly felt the impact of technology on your
operations. Many of you are moving to highly automated
electronic meter reading systems.
In addition, many of you now have public sites on the
Internet to enhance your market presence. And the trend is
clearly toward making greater use of the Internet as seen in
a recent FERC (Federal Energy Regulatory Commission) order,
to do business transactions. But the Internet and other
public networks are less secure than dedicated networks.
Along with the benefits of greater public presence, the use
of technology also creates more exposure and risks.
In the past, you put a guard at the door, and your assets
were protected. Today, there is no door -- or too many doors,
depending on how you look at it. And you can never be sure
who will drop in for a visit via the Internet.
And as for tools to exploit these vulnerabilities:
Even amateurs have access to the technological tools needed
to penetrate systems and cause trouble.
The Internet contains hacker sites with instructions on how
to penetrate systems.
Result: infrastructures are constantly in danger from people
intent on penetrating or disrupting them. And all they need
is a personal computer and a modem.
The Willie Suttons of today may not even have to go to the
bank. They can try robbing it from home using a PC.
On the cover of the June issue of Foreign Affairs, I noticed
the following quote: "The world may be moving inexorably
toward one of those tragic moments that will lead historians
to ask, why was nothing done?"
The Commission is clearly an effort to get something done.
In terms of the electric power industry, this means we are
conducting an aggressive outreach to companies -- and
particularly industry leaders such as you -- to discuss our
goals and solicit your participation so we can build a
strategy and recommendations that are compatible with both
increased assurance and business' bottom line.
Further, in my experience, it may be one of the few times when
government is calling for action before a crisis occurs,
rather than after-the-fact.
Those are some of the issues the Commission is facing. Let
me tell you how we're approaching them.
What the Commission Is Doing in Infrastructure Issues
The central challenge of the Commission is to forge a
partnership between the private sector and government at all
levels, Federal, State and local. Partnership is the core of
We are pursuing this partnership through an aggressive
outreach program that includes public hearings, focus groups,
gaming, and a non-stop effort to carry our message throughout
each of the critical infrastructures, especially to industry
leaders such as you.
The objectives of our initial outreach to the private sector
are to build recognition of threats to and vulnerabilities of
critical infrastructures. Later in our outreach effort, we
will be seeking private sector buy-in of specific findings
Our underlying philosophy at the Commission is that the
quality of our recommendations to the President can only be
as good as the buy-in we foster with the private sector.
Our approach is not "We're government and we're here to help."
Rather, we are vitally interested in what the private sector
has to say because it owns and operates the critical
infrastructures. Private sector involvement is absolutely
essential to an informed process of developing a strategy.
We anticipate the solutions will fall within a range bounded
by government and private sector responsibility for
implementation. Some government problems will require only
government solutions, while some private sector problems will
require only private sector solutions. Others, however, may
require solutions somewhere in-between - solutions jointly
actioned by government and the private sector.
We are under no illusions that this Commission can solve
every infrastructure problem. Instead, we see the strategy
and recommendations as a point of departure for
implementation. For that reason, we need the best thinking
of the private sector up front.
Collaboration within government
Just as we need collaboration between government and the
private sector, we will also need collaboration within
government. Government agencies at all levels must share
information and jointly address this problem. This is
particularly important regarding threat assessment and
For instance, if there were a series of unusual
infrastructure failures, how quickly would we become aware of
them, and how would we interpret them?
Electric power failures on a metropolitan or regional basis
might or might not be correctly diagnosed as accidental,
criminal, or an attack. The process of precisely
determining the cause of an electrical power failure can
require days or weeks. Government agencies need to work
together, and with the private sector, to find ways to quickly
recognize what is happening, understand what it means, and
determine an appropriate and timely response. Because the
conditions and consequences of risk and threat have changed,
quickly finding the cause of a disruption is much more
important today than in the past.
HOW THE ELECTRIC POWER INDUSTRY CAN PARTICIPATE IN
THIS JOINT EFFORT BETWEEN GOVERNMENT AND THE PRIVATE SECTOR
A question I often hear is, "How can we help?"
In terms of the electric power industry, you've already begun
to help by affording me the opportunity to speak with you
As the Commission's work progresses, I would ask two things
First, the willingness to continue to give us a fair hearing
with an open mind, whether personally or through your staff.
We need your cooperation and help to enhance awareness and
understanding of the issues, and to encourage participation
in our efforts by other members of the electric power
industry. As the Commission progresses, this will mean
reviewing the proposed strategy and recommendations to ensure
they are compatible with enhanced delivery of customer
service and the bottom line of business.
Second, and more specifically, I had earlier mentioned that
gaming will be an element of our work. In March, we are
planning to conduct a game at the Prosperity Institute, which
is affiliated with Sandia National Lab. The purpose of the
game is to explore and validate potential strategies and
recommendations. The participation of the electric power
industry will be critical to the success of the game.
Clearly, we would not prevail upon all of you to consider
attending, but I would like to ask that when we issue
invitations to some of you within the next few weeks, that
you consider them favorably.
Finally, and on a more personal note, if I need to pick up
the phone and give you a call to ask for your support, I'd
like to be able to do that. Our thinking is still evolving,
so I'm not clear on exactly when that support will be needed,
or in what form. But I would like to be able to count on
You know how to get in touch with us. I welcome and
encourage your input. The toughest work of the Commission is
still before it -- the actual crafting of strategy -- so we
want to hear what you have to say as soon as possible.
That's the only way we will devise solutions that work for
Thanks for inviting me. I'll take any questions.