Commissioner, President's Commission on Critical Infrastructure Protection
Before the Annual Meeting and Utilities/Government Agency
Emergency Training Pilot Program
California Utilities Emergency Association
May 28, 1997
A New World of Risk
The Rome Laboratory in New York is the Air Force's premier command and control research facility which works on very sensitive projects such as artificial intelligence and radar guidance. In March and April 1994, a British hacker known as "Datastream Cowboy," and another hacker, called "Kuji," attacked Rome Lab's computer systems over 150 times.
The hackers stole sensitive air tasking order research data. These orders are the messages military commanders send during wartime to pilots to direct and integrate their attacks on a daily basis. The hackers also launched other attacks through the lab's computer systems, gaining access to systems at NASA's Goddard Space Flight Center in Greenbelt, Maryland, Wright-Patterson Air Force Base in Dayton, Ohio, and defense contractors around the country.
Datastream Cowboy was arrested in Great Britain by Scotland Yard, but Kuji was never caught. Therefore, no one knows what happened to the data stolen from the Rome Lab.
The Rome Lab's intrusion dramatically depicts the vulnerability of the computer age -- the most far-reaching technological development of all time. The intrusion lends credence to such movies as "War Games" where a teenage hacker breaks into a Defense computer and creates great mischief.
A true story on such intrusions is told by Cliff Stoll in The Cuckoo's Egg, a New York Times bestseller, which involved the tracking of a KGB spy ring in Hannover, Germany, from the Lawrence Berkeley Laboratory through the maze of computer espionage.
Every aspect of our society is becoming linked to computer networks -- from civilian government and the military, to public utilities, communications, transportation, and financial systems. These links are creating vast efficiencies in the delivery of goods and services and are giving people throughout the world greater access to information, ideas and each other. These links transcend national boundaries: Beijing and Baltimore are within a keystroke of each other.
However, as we have seen, the benign aspects of the Internet carry with them the deadly germs of vulnerability. The Government Accounting Office estimates that the Defense Department alone annually experiences over 250,000 attacks on its computers. COAST (Computer Operations, Audit, and Security Technology) at Purdue University reports that 99% of all major companies experience at least one computer incident a year, and that telecom and computer fraud and loss total almost $10 billion a year. Our computer information systems are vulnerable to electronic penetration, manipulation and damage by a range of adversaries such as teenage hackers, disgruntled employees, organized crime and hostile foreign governments.
The ground rules have changed, and the battlefield is now economic, ethnic, religious and nationalistic rather than ideological, but espionage in the 1990s springs directly from the ruins of the Cold War spy regimes. Newly configured, the secret operations of America's enemies threaten to hollow out the U.S. economy and siphon away the jobs and technologies we need to remain competitive in the 21st century.
In the past, armies had to march, navies had to sail and air forces had to fly for great damage to be done. Today, we live in an age where the ability to induce terror comes in miniature. We are now engaged in a war that will never end. As better defenses are built, new methods of attack will be devised in an effort to penetrate them.
Since biblical times, crimes have been deterred by the prospects of punishment. Yet, information crimes, under our existing legal and enforcement regime, may sometimes have the unique characteristic that apprehension is impossible.
Our critical infrastructures are threatened by terrorist bombings such as those that occurred at the New York World Trade Center in 1993 and Oklahoma City in 1995, and by natural disasters such as hurricanes, earthquakes, floods and tornadoes. The New York terrorists had even bigger plans for coordinating attacks against New York City's bridges and tunnels and the bombing of airlines over the Pacific Ocean, but fortunately these plans were thwarted by their arrest.
The President's Commission on Critical Infrastructure Protection
In view of those continuing threats, the President has established the
President's Commission on Critical Infrastructure Protection (PCCIP). The infrastructures include energy, financial, telecommunications, transportation and water systems, continuity of government, and emergency services such as medical, police, fire and rescue. These critical infrastructures are the life support systems of our society. They give us pure water, safe highways and airways, reliable energy, instant communications, and secure financial transactions.
The President defined these threats as: first, physical threats to tangible property; and, second, threats of electronic, radio-frequency or computer-based attacks on information or communications components that control critical infrastructures, known as "cyber threats."
The Commission is composed of twenty Commissioners. Its Chairman is Robert Marsh, a former 4-star Air Force General and the former Chairman of the Board of a Fortune 500 company. Commissioners were nominated by each of the following ten Federal agencies:
- Department of Commerce
- Department of Defense
- Department of Energy
- Department of Justice
- Department of Transportation
- Department of the Treasury
- Central Intelligence Agency
- Federal Bureau of Investigation
- Federal Emergency Management Agency
- National Security Agency
One commissioner from each of the agencies will be from outside the Federal Government to emphasize the need for cooperation between the government and private sectors. Also, the President is now in the process of establishing a fifteen-member Advisory Committee composed of representatives from the private sector. Building a partnership between the public and private sectors is the core of the Commission's work. As Henry Ford said: "Coming together is a beginning; keeping together is progress; working together is success."
The basic mission of the Commission is to advise and assist the President by recommending a national strategy for protecting and assuring critical infrastructures. The Commission will identify physical and cyber threats, consider vulnerabilities, and develop policy and legislative options necessary to effect the recommendations. The Commission will file its report with the President on October 13 of this year and then await his response.
The Commission and the California Utilities Emergency Association (CUEA) have a great deal in common in our efforts to enhance our critical infrastructures.
America's utilities are among our most critical infrastructures, and the work of CUEA is in the vanguard of efforts to assure their continued high performance. We hope that the work of CUEA will be duplicated in other states which have not yet established similar organizations. We urge that CUEA increase its focus on means to address the cyber threats of its members.
The members of your Association are the ones closest to the scene in responding to threats or damage to our critical infrastructures. How can their role be made more effective? How can we build more efficient means to share threat and vulnerability information with local officials and the private sector?
There are few jurisdictions in which the first responders feel adequately trained and equipped to meet chemical, biological and radiological incidents. They often do not have the sensors to identify their encounters with such agents. They often do not have adequate decontamination equipment or adequate protective gear to assure their own safety in dealing with such an incident.
How can Federal agencies provide increased training to assist local officials in responding to such incidents? Should specialized equipment be furnished to assist in detection, mitigation and recovery?
Much of the information that controls critical infrastructures such as energy and telecommunications is transmitted through computers, i.e., through the public telephone net, and increasingly, the Internet. Yet there are no uniform standards governing this service. Should standards be established? Who should establish them? What should the standards be, and how might they be enforced? Or, should they be voluntary like the seal of approval of the Underwriters' Laboratory?
We welcome and encourage your input. The toughest work of the Commission is still before it -- the actual crafting of strategy -- so we want to hear what you have to say as soon as possible. That's the only way we can devise solutions that work for everyone.
We must never forget that in this age, as in all ages, success is determined by the ability to cope with change. As Thomas Stearns Eliot observed:
Last season's fruit is eaten
And the full-fed beast shall kick the empty pail.
For last year's words belong to last year's language
And next year's words await another voice.
Working together, we can solve these pressing problems. It will take good minds, high dedication, and perseverance. There is no doubt, however, as to our ability to achieve the eventual triumph which will provide for ourselves and our descendants a better America.