IWS - The Information Warfare Site


The Infrastructure of the Protection of the Critical Infrastructure

By Julie Ryan

http://www.julieryan.com

Fall 1998

 

In May 1998, the President issued Presidential Decision Directive 63, Critical Infrastructure Protection.  This paper describes that directive and its effects on the existing bureaucracy.

 

 


Table of Contents

Introduction

New Organizations and Roles

Federal Government

National Coordinator

Critical Infrastructure Coordination Group (CICG)

Principals Committee

Critical Infrastructure Assurance Office (CIAO) and Officers

National Infrastructure Protection Center (NIPC)

Lead Agencies for Critical Sectors

Lead Agencies for Special Functions

Who Is Excluded

Private Sector

Information Sharing and Analysis Center (ISAC)

The National Infrastructure Assurance Council (NIAC)

Organizational Relationships

Critical Infrastructure Elements and Lead Agencies

Infrastructure Segments

Information and Communications

Physical Distribution

Energy

Banking and Finance

Vital Human Services

Responsibilities and Ownership

National Infrastructure Assurance Plan

Sources

Personal Interviews

Electronically Published Documents

Conference and Meeting Attendance

Appendix 1 PCCIP

Appendix 2 CIAO



Introduction

In July 1996, President Clinton issued Executive Order 13010, which established the President’s Commission on Critical Infrastructure Protection (PCCIP). The PCCIP was created in order to examine the growing integrated dependencies of the US economy and way of life on critical aspects of the infrastructure. The PCCIP reported back to the President in November 1997, with a set of recommendations on what should be done. The President considered these recommendations and in May 1998, issued two Presidential Decision Directives (PDD) assigning responsibilities and actions associated with national level critical infrastructure protection. The two PDDs were PDD-62, Combating Terrorism, and PDD-63, Critical Infrastructure Protection.

Recognizing that the Federal Government has direct control over only a small percentage of what comprises the critical infrastructure, the framework chosen for national coordination of defensive and security activities focuses on leadership rather than management. PDD-63 specifies that each Department and Agency of the Federal Government will develop a plan for defending its part of the critical infrastructure. Initial plans were due to a National Coordinator 180 days after the PDD was issued, or on November 17, 1998. In two years, finalized plans are required. Those plans will be reconciled and organized into a national plan by the National Coordinator. Lead Agencies for Sector Liaison will develop relationships with industry and will encourage information sharing between government and private groups. The goal of the National Plan is to "present a model to the private sector on how to best protect critical infrastructure." {1} The following graphic presents the required actions and timetable for the Federal Government.

[Figure: required actions and timetable for the Federal Government] {2}

There are two areas that bear explanation in order to understand the probable future trajectory of growth and action. First, and most obvious, is the structure of the new organizations and their roles. The second is the manner in which the new elements will interact with already existing structures and organizations. This paper lays out the structures and intentions of the new organizations, highlighting areas where existing organizations have synergistic responsibilities. The information contained herein has been gleaned from multiple sources, including interviews with key personnel of the new organizations, but it must be pointed out that the organizations are just now being developed and staffed and therefore the information herein is subject to change as those organizations evolve and plans start to solidify.

New Organizations and Roles

PDD-63 explicitly creates these new organizations:

    • A National Coordinator;
    • The National Infrastructure Protection Center (NIPC);
    • An Information Sharing and Analysis Center (ISAC);
    • A National Infrastructure Assurance Council (NIAC);
    • The Critical Infrastructure Assurance Office (CIAO).

Not specifically created by PDD-63, but referred to in the directive, are other organizations integral to the infrastructure assurance efforts. These include the following:

    • The Critical Infrastructure Coordination Group (CICG);
    • The Principals Committee.

Additionally, PDD-63 specifies that certain departments and agencies act as sector liaison leads and special function leads.

The following sections describe the functions and responsibilities ascribed to each.

Federal Government

As a Presidential Directive, PDD-63 directs the activities of elements of the Federal Government. These activities include all of the above mentioned roles with the exception of the NIAC and the ISAC. The NIAC will be a quasi-governmental organization, comprised of individuals appointed by the President, but those members will be representatives of the private sector and of state and local governments.

National Coordinator

The full title of the office is "National Coordinator for Security, Infrastructure Protection and Counter-Terrorism." {3} The National Coordinator is the principal focal point within the Federal Government for infrastructure protection against all threats, ranging from foreign terrorism and domestic mass destruction to information warfare attacks. The National Coordinator oversees the execution of PDD-62 and PDD-63.

The National Coordinator is appointed by the Assistant to the President for National Security Affairs with the advice of the Assistant to the President for Economic Affairs.

"President Clinton appointed Richard Clarke as the first National Coordinator for Security, Infrastructure Protection, and Counter-terrorism in May 1998. As National Coordinator, he reports to the President through the National Security Advisor and, when the NSC Principals Committee meets on security issues, he serves as a full member of that Cabinet-level committee." {4}

The National Coordinator has the following responsibilities:

    • implement PDD-62 and PDD-63
    • chair the CICG
    • serve as Executive Director of the NIAC
    • ensure interagency coordination for policy development and implementation
    • review crisis activities concerning infrastructure elements with foreign involvement
    • provide advice regarding budgetary issues and critical infrastructure protection
    • consult with owners and operators of the critical infrastructure elements to strongly encourage their participation and cooperation
    • identify possible methods for providing federal assistance to the ISAC startup
    • commission studies on liability issues, legal issues, information classification issues, security issues, legislative issues, and foreign trade issues related to infrastructure protection
    • provide oversight of the public outreach processes
    • establish a program for infrastructure assurance simulations for public awareness purposes
    • coordinate a review of existing federal, state and local bodies that perform information assurance tasks resulting in recommendations on how these organizations can cooperate most effectively
    • propose ways to encourage the private sector to pay attention to security issues such as risk assessment. {5}

Critical Infrastructure Coordination Group (CICG)

The CICG is the mechanism through which the various offices of the Federal Government coordinate their activities and prioritize the agenda associated with infrastructure protection. The National Coordinator chairs the CICG. {6} The CICG is the driving force behind the execution of PDD-63 within the diverse elements of the Federal Government.

The National Coordinator, as chair of the CICG, reports "to the Deputies Committee (or at the call of its chair, the Principals Committee)." Each Department and Agency is required to appoint a senior official – Assistant Secretary level or higher – to regularly represent that organization at the CICG meetings. Sector Liaison Officials and Special Function Coordinators also attend CICG meetings. {7}

The CICG provides a forum for the Sector Liaison Officials and the Functional Coordinators of the Lead Agencies as well as senior representatives of other relevant federal agencies to coordinate the implementation of the required actions. The scope of action is quite large and in order to accomplish it, the CICG has established subcommittees to address specific issues. Following is a list of those subcommittees and the relevant lead organization:

    Subcommittee                      Lead organization (chair)
    National Plan Design              National Security Council
    R&D Priorities                    Office of Science and Technology Policy
    FY2000 Budget                     OMB/National Security Council
    Outreach & Sector Organization    National Security Council
    Response Plan                     FBI/Department of Defense
    US Government as Model            OMB/National Security Council
    Intelligence Collection           Director of Central Intelligence
    Creation of ISAC                  National Economic Council/FBI
    Education & Awareness             Department of Commerce
    International Cooperation         Department of State
    Legal Issues & Authorities        Department of Justice
    Personnel & Training              Department of Commerce
    Standards                         National Security Agency/Department of Commerce {8}

Principals Committee

The Principals Committee was originally created by Executive Order 13010, the presidential order that created the PCCIP. {9} As created, it served as the mechanism to which the PCCIP reported, reviewing findings and recommendations before submitting them to the President. The members of the Principals Committee include:

    • Secretary of the Treasury;
    • Secretary of Defense;
    • Attorney General;
    • Secretary of Commerce;
    • Secretary of Transportation;
    • Secretary of Energy;
    • Director of Central Intelligence;
    • Director of the Office of Management and Budget;
    • Director of the Federal Emergency Management Agency;
    • Assistant to the President for National Security Affairs;
    • Assistant to the Vice President for National Security Affairs;
    • Assistant to the President for Economic Policy and Director of the National Economic Council; and
    • Assistant to the President and Director of the Office of Science and Technology Policy. {10}

PDD-63 extends the concept of the Principals Committee, directing that the National Coordinator serve as a full member of Principals Committee or Deputies meetings. {11}

The comparison of the members of the Principals Committee and the designated lead agencies for sector liaison and special functions (delineated in a later part of this paper) reveals an almost complete overlap. Missing from the Principals Committee are the

    • Environmental Protection Agency,
    • Department of Health and Human Services, and
    • Department of State.

Critical Infrastructure Assurance Office (CIAO) and Officers

One of the most confusing things about the new structures is the use of the term CIAO. PDD-63 directs every Department and Agency to appoint a Critical Infrastructure Assurance Officer – a CIAO. These CIAOs are responsible for the protection of all aspects of the department or agency’s critical infrastructure with the exception of the information infrastructure, for which the Chief Information Officer (CIO) is responsible. It is possible for the CIAO and the CIO to be the same person, responsible for both roles. {12}

PDD-63 also directs that a National Plan Coordination (NPC) staff be constituted, with members being "contributed on a non-reimbursable basis by the departments and agencies. … The NPC staff will integrate the various sector plans into a National Infrastructure Assurance Plan and coordinate analyses of the U.S. Government’s own dependencies on critical infrastructures." {13} This mandated NPC staff has been named the Critical Infrastructure Assurance Office (CIAO) and resides in the Department of Commerce, Bureau of Export Controls. {14}

The CIAO is essentially the staff that supports the National Coordinator in his designated roles and responsibilities. It will have the task of integrating the sector plans into a national level plan and will coordinate a national education and awareness program to raise the private sector’s awareness of the implications and requirements of infrastructure protection. {15} The first director of the CIAO is Dr. Jeffrey Hunker:

"Dr. Jeffrey A. Hunker is Director of the Critical Infrastructure Assurance Office. As Director, Mr. Hunker will be responsible for bringing together an integrated national plan for addressing physical and cyber threats to the nation's communications and electronic systems, transportation, energy, banking and financial, health and medical services, water supply, and key government services. As Director, he will also coordinate a national education and awareness program, as well as develop legislative and public affairs initiatives." {16}

National Infrastructure Protection Center (NIPC)

Prior to the issuance of the PDDs, the FBI hosted an interim Infrastructure Protection Task Force and the Computer Investigation and Infrastructure Threat Assessment Office. The FBI transformed that capability and experience into an integrated capability to support infrastructure protection. Three months prior to the issuance of PDD-62 and PDD-63, the NIPC was announced. "Established in February 1998, the NIPC's mission is to serve as the U.S. government's focal point for threat assessment, warning, investigation, and response for threats or attacks against our critical infrastructures." {17} Subsequently, PDD-63 affirmed the expanded role of the FBI in infrastructure protection: "As part of a national warning and information sharing system, the President immediately authorizes the FBI to expand its current organization to a full scale National Infrastructure Protection Center." {18} The FBI also retains a separate organization dedicated specifically to computer crime, the National Computer Crime Squad, whose mission it is to investigate violations of the Computer Fraud and Abuse Act of 1986. {19}

The purpose of the NIPC is to provide full spectrum protection support to the infrastructure assurance efforts, including coordinating the Federal Government's response to an incident, mitigating attacks, investigating threats and monitoring reconstitution efforts. As such, the NIPC performs both intelligence activities and operational activities. The intelligence activities include monitoring threats, performing analysis of suspected attack activities, and identifying critical vulnerabilities. The operational activities include active protective mechanisms, with the priority activities being coordination, prevention and defense. The differentiation between the FBI role and FEMA’s role is that the FBI is focused on crisis management whereas FEMA is focused on consequence management. {20} The principal focus of efforts at this point in time is countering the cyberthreat. Later, as the organization matures and capabilities increase, expanded infrastructure protection efforts will be undertaken. {21}

NIPC activities include the following:

    • provide timely warning of intentional threats
    • issue attack warnings and alerts
    • provide guidance on increasing protective posture
    • provide comprehensive analyses
    • provide law enforcement investigation and response
    • collect information about threats, attack warnings, and actual attacks on critical government and private sector infrastructures
    • perform computer investigations
    • coordinate emergency response
    • conduct training and outreach
    • develop and apply technical tools {22}
    • establish relationships with the private sector
    • sanitize law enforcement and intelligence information for reports, after coordinating with the intelligence community
    • provide reports to relevant federal, state and local agencies
    • provide reports to relevant owners and operators of critical infrastructures
    • provide reports to any private sector ISAC
    • act as a focal point for gathering information on threats to infrastructures
    • be the primary facilitator and coordinator of Federal Government response to attacks (including when the situation requires that the NIPC be placed in a direct support role to the DoD or intelligence community) {23}

The NIPC as an organization is already well underway. It is resident at the FBI but is intended to incorporate representatives from the Department of Defense (DoD), the Department of Treasury (specifically the US Secret Service), the Department of Energy, the Department of Transportation, and the Intelligence Community, as well as the private sector. Staffing levels at this point in time are intended to be 85 full time personnel, who perform both intelligence and operational duties. Since it is recognized that a cyber-attack could occur very quickly and across multiple elements of the national infrastructure, the activities associated with detection and reaction and protection are integrated within the team structure to speed response times and capabilities. {24}

"The mission of the NIPC is both a national security and law enforcement effort to detect, deter, assess, warn of, respond to, and investigate computer intrusions and unlawful acts, both physical and "cyber," that threaten or target our critical infrastructures. The NIPC's job is not simply to investigate and respond to attacks after they occur, but to learn about them beforehand and prevent them." {25}

Lead Agencies for Critical Sectors

The purpose for identifying lead agencies for critical sectors is to have clearly identified focal points for liaison with the private sector as well as to have accountability within the Federal Government for specific sectors and roles. The responsible agencies and their areas of concern are identified here:

    Sector                                                  Lead agency
    Information and Communications                          Department of Commerce
    Banking and Finance                                     Department of Treasury
    Water Supply                                            Environmental Protection Agency
    Aviation, Highways (including trucking and              Department of Transportation
      intelligent transportation systems), Mass transit,
      Pipelines, Rail, and Waterborne commerce
    Emergency Law Enforcement Services                      Department of Justice/FBI
    Emergency Fire Services and Continuity of Government    Federal Emergency Management Agency
    Public Health Services, including prevention,           Department of Health and Human Services
      surveillance, laboratory services, and personal
      health services
    Electric Power, Oil and Gas Production and Storage      Department of Energy

The responsibilities of these lead agencies include:

    • designate one person of Assistant Secretary level or higher to function as the Sector Liaison Official;
    • provide recommendations on membership of the National Infrastructure Assurance Council;
    • cooperate with the private sector representatives in addressing sector problems;
    • cooperate with private sector representatives to develop and recommend components to the National Infrastructure Assurance Plan; and
    • cooperate with the private sector to develop and implement sector specific Vulnerability Awareness and Education. {26}

Lead Agencies for Special Functions

PDD-63 identifies several special functions that have significant roles in protecting the nation’s infrastructure separate from the infrastructure elements themselves. These special functions and their lead agencies are as follows:

    Special function                                  Lead agency
    Law Enforcement and Internal Security             Department of Justice/FBI
    Foreign Intelligence                              CIA
    Foreign Affairs                                   Department of State
    National Defense                                  Department of Defense
    Research and Development Coordination through     Office of Science and Technology Policy
      the National Science and Technology Council {27}

Who Is Excluded

With all this enumeration of memberships and roles, it is interesting to examine the organizations that are not explicitly tasked as well in order to understand the context. The following list delineates some of the myriad offices that are missing from direct tasking in PDD-63 (to keep the list from being exhausting, organizations such as the National Endowment for the Arts are not included in this list):

    • Department of Agriculture (USDA)
    • Department of Education
    • Department of Housing and Urban Development (HUD)
    • Department of the Interior (DOI)
    • Department of Labor (DOL)
    • Department of Veterans Affairs

INDEPENDENT AGENCIES

    • Commodity Futures Trading Commission (CFTC)
    • Consumer Product Safety Commission (CPSC)
    • Export-Import Bank of the United States
    • Federal Communications Commission (FCC)
    • Federal Maritime Commission
    • Federal Reserve System (FRS)
    • National Aeronautics and Space Administration (NASA)
    • National Archives and Records Administration (NARA)
    • National Commission on Libraries and Information Science (NCLIS)
    • National Railroad Passenger Corporation (AMTRAK)
    • National Transportation Safety Board (NTSB)
    • Nuclear Regulatory Commission (NRC)
    • Securities and Exchange Commission (SEC)
    • Social Security Administration (SSA)
    • Tennessee Valley Authority (TVA)
    • United States Postal Service (USPS)

Private Sector

The private sector is an important player in protecting the critical infrastructure. It owns and operates a very large percentage of the critical infrastructure and individually has insights into vulnerabilities and threats on an enormous scale. PDD-63 invites the private sector to harness that potential for the national good through two venues: first, a place to cooperatively share information that collectively can be used to protect the critical infrastructure elements; and second, a direct method to advise the President on activities and policy concerning the critical infrastructure.

Information Sharing and Analysis Center (ISAC)

Recognizing both the reliance of the Federal Government on privately-owned infrastructure elements and the inability to defend the infrastructure as a whole without cooperation and coordination with the private sector, PDD-63 calls for the establishment of a mechanism where threat and vulnerability information could be shared without liability. Recognizing as well that short of legislation it would be impossible to compel compliance with that desire, PDD-63 specifically leaves the development of the design and functions of the ISAC to the private sector. However, PDD-63 also directs the National Coordinator, the Sector Coordinators, the Sector Liaison Officials and the National Economic Council to "consult with owners and operators of the critical infrastructures to strongly encourage the creation of a private sector information sharing and analysis center." Additionally, the PDD directs that, "[w]ithin 180 days of issuance of this directive, the National Coordinator, with the assistance of the CICG including the National Economic Council, shall identify possible methods of providing federal assistance to facilitate the startup of an ISAC." {28}

There are clearly substantial problems associated with the concept of an ISAC. The ISAC is intended to become a focal point for sharing information about vulnerabilities and threats associated with infrastructure protection. The corporations that own and operate parts of the infrastructure have significant reasons associated with liability, negligence, competitiveness, and transnational operations not to disclose vulnerabilities or even threats. The lesson from the Citibank hacking episode {29} illustrates the reluctance and the penalties associated with divulging information about problems and vulnerabilities.

Further, the postulated relationship with the NIPC, where the NIPC would receive all information from the ISAC but only provide information to the ISAC that the NIPC had declassified and/or deemed appropriate, could strike some participants as being a trifle unfair. There has been some discussion about passing legislation limiting liability related to disclosure of vulnerabilities but to date no specific format has been agreed upon. {30}

There are, however, some industry organizations that have expressed interest in serving in ISAC-like roles, including the Information Technology Association of America (ITAA) {31}, which is a trade organization with over 9000 members associated with the information technology sector. {32} Whether or not an industry organization can coerce cooperation on sensitive business matters remains to be seen.

The National Infrastructure Assurance Council (NIAC)

The NIAC will be a council of advisors, composed of representatives from infrastructure sector providers and state and local government, who will be appointed by the President. The NIAC will provide input from the private sector and state and local governments to the National Information Assurance Plan. As of this point in time, the NIAC is not further defined. When it is constituted, the President will appoint members from amongst major infrastructure providers and state and local governments. Additionally, the President will designate a Chairperson. The National Coordinator will serve as the Executive Director for the NIAC and senior Federal Government officials will participate in the meetings, as appropriate. {33}

A challenge associated with constituting a meaningful NIAC is formulating it in such a way as to account for revolutionary technologies and the rapid evolutionary growth of the information and communications infrastructure. The World Wide Web emerged in the early 1990s as a new capability (albeit built on an existing backbone of technologies and physical plant) and since then has engendered a revolution in commerce and information sharing. Corporations like Netscape and UUNet Technologies rose from oblivion to dominance in a relative blink of an eye. Many of the emerging powerhouses of the information age are too busy growing to pay much attention to politics – picking the right membership for a relevant NIAC may well turn out to be extremely tricky.

Another challenge associated with constituting a meaningful NIAC is the present Administration’s stance on encryption. Particularly in the infrastructure area of information and communication, the subject of restricted access to strong encryption is contentious. There are those who see the entire critical infrastructure protection exercise as yet another attempt to limit freedoms in the name of emerging threats, as noted in this extract from a report by the Electronic Privacy Information Center (EPIC):

The PCCIP also continues the failed policies of the past, urging the adoption of key escrow encryption scheme even after technical experts have demonstrated its flaws and foreign governments have rejected this approach. But in the key escrow recommendation, one is given an important insight into the nature of the PCCIP effort. For even proponents of key escrow have acknowledged that it poses a significant risk to network security and creates new sources of vulnerability that could otherwise be avoided.

The PCCIP, which was established to identify measures to protect the Nation’s critical infrastructure, seems quite prepared to sacrifice this critical goal when the return is greater surveillance capability. {34}

The Cato Institute agrees, having analyzed the issues associated with key escrow in its November 1998 policy paper Encryption Policy For The 21st Century: A Future without Government-Prescribed Key Recovery:

Government-prescribed key recovery and export controls are a grave danger to the privacy of law-abiding citizens and businesses, not only in the United States but around the world. And the development of the key-recovery infrastructure might well be technically impossible and would be prohibitively expensive.

... Recent calls for "balance" make enticing sound bites (who would be opposed to "balance?") but compromise the freedom to innovate and sacrifice vital civil liberties. {35}

It remains to be seen, therefore, whether or not a relevant NIAC can be constituted and, if so, how long it can remain relevant.

Organizational Relationships

The following graphic shows how these organizations relate, with dashed lines depicting advisory relationships:

[Figure: organizational relationships, with dashed lines depicting advisory relationships]

Another view of the organizational relationship is presented in the following graphic, which comes from a briefing by Jeffrey Hunker, Director of the CIAO, and shows the delineation of the public private partnership envisioned by PDD-63:

[Figure: public private partnership envisioned by PDD-63, from a briefing by Jeffrey Hunker] {36}

Critical Infrastructure Elements and Lead Agencies

By definition, the critical infrastructure efforts mandated by PDD-63 are limited to the Federal Government. As such, the two PDDs direct the Departments and Agencies of the Federal Government to do certain things. PDD-62, Combating Terrorism, directs activities related to countering the threats of unconventional attacks against the US. PDD-63, Critical Infrastructure Protection, directs activities relating to protecting the critical elements of the national infrastructure.

Infrastructure Segments

A key point to note here is that the Federal Government owns very little of what is considered to be the critical infrastructure. The following sections describe the infrastructure elements as described in Appendix A of the report of the PCCIP, Critical Foundations: Thinking Differently. These definitions were used as the basis for developing the recommendations that resulted in PDD-63. As delineated here, there are five critical elements of the infrastructure. However, three later differentiated elements – emergency services, water supply and government services – are all covered here as "vital services." Additionally, here all energy is considered together, whereas in the responsibilities allocated in PDD-63, energy is divided between Electrical Power Systems and Gas And Oil Production, Storage And Transport.

Because the PCCIP report summarized the infrastructure elements concisely and appropriately, the descriptions are reproduced here. The report itself contains very detailed commentary on existing problems and vulnerabilities as well.

Information and Communications

"The Information and Communications (I&C) sector includes the Public Telecommunications Network (PTN), the Internet, and the many millions of computers for home, commercial, academic and government use. The PTN includes the landline networks of the local and long distance carriers, the cellular networks, and satellite service. … The system’s two billion miles of fiber and copper cable remain the backbone of the I&C sector, with the new cellular and satellite wireless technologies largely serving mobile users as extended gateways to the wireline network. The PTN provides both switched telephone and data services and long term leased point-to-point services.

"The Internet is a global network of networks interconnected via routers which use a common set of protocols to provide communications among users. Internet communications are based on connectionless data transport. ….

"The Internet and the PTN are not mutually exclusive, since significant portions of the Internet, especially its backbone and user access links, rely on PTN facilities. Current trends suggest that the PTN and the Internet will merge in the years ahead; by 2010 many of today’s networks will likely be absorbed or replaced by a successor public telecommunications infrastructure capable of providing integrated voice, data, video, private line, and Internet-based services.

"The installed base of computers in the US has risen from 5,000 in 1960 to an estimated 180 million today, with over 95 percent of these being personal computers. The remainder includes the majority of the world’s supercomputers and roughly half of the world’s minicomputers and workstations. Networking of these machines through the circuits of the PTN and the Internet has grown exponentially over the past 15 years, creating an extended information and communications infrastructure that has changed the way we work and live. This infrastructure has swiftly become essential to every aspect of the nation’s business, including national and international commerce, civil government, and military operations." {37}

Physical Distribution

"The physical distribution infrastructure is critical to the national security, economic well being, global competitiveness, and quality of life in the US. The vast, interconnected network of highways, railroads, ports and inland waterways, pipelines, airports and airways facilitate the efficient movement of goods and people and provides this nation a distinct competitive advantage in the global economy.

"Transportation is a major component of the US economy, representing in 1995 approximately $777 billion, or 11 percent of the Gross Domestic Product (GDP). US commerce depends heavily on the export, import, and domestic movement of raw materials, manufactured goods, foodstuffs, and consumable supplies.

"The physical distribution infrastructure includes almost 4 million miles of public roads and highways and more than 360,000 interstate trucking companies, 20 million trucks used for business purposes, and 190 million personal vehicles. It includes more than a hundred thousand miles of track operated by the largest railroads, with 1.2 million operating freight cars and over 18,000 locomotives. It includes airlines that carry more than half a billion passengers a year through 400 airports. It includes almost 6,000 transit entities operating rapid transit rail and bus services. It includes 1,900 seaports and 1,700 inland river terminals on 11,000 miles of inland waterways carrying grain, chemicals, petroleum products, and import and export goods. The physical distribution infrastructure includes more than 1.4 million miles of oil and natural gas pipelines. And it includes delivery services, such as the US Postal Service and many other commercial providers that deliver goods and products on time not only to households, but to manufacturers whose very survival depends on just-in-time delivery of materials and supplies, and to business and even military activities who depend on the rapid delivery of repair parts to keep them in operation.

"Most of our nation’s transportation infrastructure is owned by the private sector—railroads and pipelines; the vehicles and equipment operating on our roads, on the water, and in the air; and by state and local governments—our roads, airports, mass transit systems, and ports. The federal government owns the National Airspace System (NAS) operated by the Federal Aviation Administration (FAA), and the locks and dams operated by the US Army Corps of Engineers. The private sector is largely responsible for assuring its own infrastructure and business practices." {38}

Energy

"The security, economic prosperity, and social well being of the US depend on a complex system of interdependent infrastructures. The lifeblood of these interdependent infrastructures is energy, the infrastructure composed of three distinct industries that produce and distribute electric power, oil, and natural gas. …

"In addition to being a key component of the other infrastructures, the energy infrastructure is critical to our economy, with estimated revenues from retail sales of electricity in the US exceeding $200 billion annually, and revenues from oil and gas almost $400 billion." {39}

Banking and Finance

"The US financial system is central not only to the functioning of domestic and global commerce, but to the daily lives of virtually all Americans. It represents bank holdings of about $4.5 trillion, a capital market of $7 trillion, investment bank underwriting of $1 trillion, almost $3 trillion in daily payment transactions, and about 10 million jobs.

"More than a billion credit cards in circulation in the United Stated account for $500 billion in annual expenditure, or roughly half of all consumer debt. Also, due to the rapid increase in individual retirement accounts of various kinds and the popularity of mutual funds, about half of all households in the United States are investors in the stock market.

"The banking and finance infrastructure was defined by the Commission as composed of five principal sectors: banks, financial service companies, payment systems, investment companies, and securities and commodities exchanges." {40}

Vital Human Services

"The Vital Human Services (VHS) sector includes three of the critical infrastructures named in Executive Order 13010: water supply, emergency services, and government services. At the out-set, the Commission considered expanding the scope of this sector to include food, health care and the nation’s work force as additional critical infrastructures. However, because of time and resource constraints, the Commission decided to bound the scope of its effort to the eight infra-structures named in the Executive Order, leaving additional infrastructures to be considered in any follow-on activity.

"The three VHS infrastructures differ from other named critical infrastructures in that they are focused largely at the local and state levels, are largely governmental responsibilities, and deal chiefly with human needs and safety. Because they are highly localized in character, they do not form a strongly interconnected national infrastructure. Failures in one community generally will be localized to that community. Nevertheless, they are critical national infrastructures and the problems and vulnerabilities faced in one community are similar to those faced in every community across the US." {41}

Water Supply

"There is no "typical" water supply system for the US, at least not to any significant degree of detail. But, at a general level, all systems share five common elements.

    1. A water source, either surface waters in impoundments such as lakes and reservoirs or flowing waters in rivers or ground water in aquifers.
    2. Treatment facilities in which particulates are filtered out and disinfectants are added.
    3. A system of aqueducts, tunnels, reservoirs, and/or pumping facilities to convey water from the source through the rest of the system and to provide storage and the means to balance flows.
    4. A distribution system carrying finished water to users through a system of water mains and subsidiary pipes.
    5. A waste water collection and treatment system.

"The major uses of the water supply infrastructure are for agriculture, industry (including various manufacturing processes, power generation and cooling), business, fire fighting and residential purposes. In many cases, the water supplies for agriculture and industry come from outside the public water supply system, being drawn by the users directly from surface or ground sources." {42}

Emergency Services

"This infrastructure includes firefighting, police, rescue, and emergency medical services. Its objectives are to contain and deal with emergencies in order to save lives and preserve property.

"Except for certain parts of the emergency medical services element, this infrastructure is mostly government owned and operated. It is focused at the local level; state and federal services play an important but supporting role. The infrastructure as defined by the Commission does not include investigative or law enforcement functions, nor does it include activities in the recovery phase.

"Local authorities faced with large scale incidents turn, where necessary, first to neighboring jurisdictions with whom they have mutual aid agreements for assistance and then, if necessary, to the state. As a general rule, with few exceptions, federal authorities must be invited before they can play a role." {43}

Government Services

"Executive Order 13010 designated "continuity of government" as a critical infrastructure. This term has traditionally applied to the survival of our Constitutional form of government in the face of a catastrophic crisis such as nuclear war. In January 1997, a memorandum to the Commission Chairman from the Acting Assistant to the President for National Security Affairs noted that this traditional concept is distinct from the continuation, in the face of physical and cyber threats to our infrastructures, of services provided by federal, state, and local government. The memorandum stated that it was the latter problem that the Commission was expected to address. Consequently, the Commission has considered government services as a critical infrastructure.

"Government serves several functions. At the federal level, the Constitution sets forth the responsibilities of government for establishing justice, ensuring domestic tranquillity, providing for the common defense, promoting the general welfare, and securing the blessings of liberty. The constitutions of the 50 sovereign states assign certain parallel responsibilities to the state and local levels. To fulfill these responsibilities, governments at all levels make use of organizations that develop policy, operate programs, regulate, exercise police powers, disburse funds to members of the public, collect taxes, etc." {44}

Responsibilities and Ownership

The following table identifies the critical infrastructure elements, the role the Federal Government plays in each element, and the role that other entities, such as private industry and State Government, play in each element (acronyms delineated at end of table). The appropriate FEMA emergency support functions are identified in the last column annotated with the lead agency for that function.

Columns: Critical Infrastructure Element (SLL = Sector Liaison Lead); Federal Government; State/Local; Industry; FEMA Emergency Support Function Overlay (LA = Lead Agency)

Information & Communications (SLL: Commerce)

    • Federal Government: Regulatory oversight via FCC; NIST: Standards; NCS; NSTAC; R&D of next generation (ex: Internet 2)
    • State/Local: limited
    • Industry: Owns & operates the vast majority of physical plant (fiber, switches, routers, etc); Provides the vast majority of information services; Owns software; Conducts R&D for proprietary and commercial products; Provides information and communications services to Government
    • FEMA Emergency Support Function Overlay: ESF 2: Communications (LA: NCS); ESF 5: Information and Planning (LA: FEMA)

Electrical Power (SLL: DOE)

    • Federal Government: Regulatory oversight in terms of safety, environmental compliance and competitiveness; Some limited generation capabilities for specific purposes
    • State/Local: Administers local electrical service providers
    • Industry: Owns & operates all of the physical infrastructure; Provides all of the normal electrical services; Increasingly provides competitive electrical services
    • FEMA Emergency Support Function Overlay: ESF 12: Energy (LA: DOE)

Gas & Oil Production, Storage & Transportation (SLL: DOE for production and storage; DOT for transport)

    • Federal Government: Regulatory oversight in terms of safety, environmental compliance and competitiveness; Administers national petroleum reserve
    • State/Local: Ensures compliance with laws
    • Industry: Owns & operates the vast majority of the production, storage and transportation elements; Owns & operates the associated information infrastructure
    • FEMA Emergency Support Function Overlay: ESF 1: Transportation (LA: DOT); ESF 7: Resource Support (LA: GSA); ESF 10: Hazardous Materials (LA: EPA); ESF 12: Energy (LA: DOE)

Banking & Finance (SLL: Treasury)

    • Federal Government: Regulatory oversight via the SEC and Central Bank
    • State/Local: Ensures compliance with laws
    • Industry: Owns & operates all of the banking and finance institutions

Transportation (SLL: DOT)

    • Federal Government: Builds, maintains and coordinates Interstate Highway system; Provides funding to states for highway construction; Subsidizes AMTRAK; Coordinates intermodal transportation studies; Licenses and regulates seaborne transportation
    • State/Local: Builds and maintains highways and roads; Administers local transportation authorities; Coordinates with neighboring localities on future plans
    • Industry: Owns and operates limited numbers of privately owned roads; Owns and operates the fleets of trucks, trains and ships; Owns and operates associated communications infrastructure
    • FEMA Emergency Support Function Overlay: ESF 1: Transportation (LA: DOT)

Water Supply Systems (SLL: EPA)

    • Federal Government: Enforces laws; Army Corps of Engineers has authority over engineering of elements of water supplies and navigable inland waterways
    • State/Local: Owns and operates most local water and sewer systems
    • Industry: Build to codes; Owns and operates some water and sewer
    • FEMA Emergency Support Function Overlay: ESF 3: Public Works & Engineering (LA: US Army Corps of Engineers)

Emergency Services (medical, fire, police, rescue) (SLL: FEMA for emergency fire services; HHS for public health services; DOJ/FBI for emergency law enforcement services)

    • Federal Government: Coordinates & allocates resources for national level emergency response; Owns and operates national level response infrastructure; Owns and operates military medical system & Centers for Disease Control
    • State/Local: Owns and operates local emergency response infrastructure (fire, police, rescue); Owns and operates state guard and emergency systems; Owns and operates some medical facilities
    • Industry: Owns and operates most of the medical facilities; Owns and operates most of the communications infrastructure used by emergency services
    • FEMA Emergency Support Function Overlay: ESF 4: Fire Fighting (LA: US Forest Service, Dept of Agriculture); ESF 6: Mass Care (LA: American Red Cross); ESF 8: Health & Medical Services (LA: HHS); ESF 9: Urban Search & Rescue (LA: FEMA)

Government Services (SLL: FEMA for continuity of government services; DOJ/FBI for law enforcement and internal security)

    • Federal Government: Federal Government services
    • State/Local: State and local government services
    • Industry: Owns and operates most of the communications infrastructure used by government services
    • FEMA Emergency Support Function Overlay: ESF 7: Resource Support (LA: GSA)

    • FEMA Emergency Support Function Overlay: ESF 11: Food (LA: Dept of Agriculture)

Acronym and Shortname List:

Commerce: Department of Commerce
DOE: Department of Energy
DOJ: Department of Justice
DOT: Department of Transportation
EPA: Environmental Protection Agency
FBI: Federal Bureau of Investigation
FCC: Federal Communications Commission
FEMA: Federal Emergency Management Agency
HHS: Department of Health and Human Services
NCS: National Communications System
NIST: National Institute of Standards and Technology
NSTAC: President’s National Security Telecommunications Advisory Committee

 

Description of FEMA Emergency Support Functions (ESFs):

ESF 1: Transportation. Providing civilian and military transportation.
Lead agency: Department of Transportation

ESF 2: Communications. Providing telecommunications support.
Lead agency: National Communications System

ESF 3: Public Works and Engineering. Restoring essential public services and facilities.
Lead agency: U.S. Army Corps of Engineers, Department of Defense

ESF 4: Fire Fighting. Detecting and suppressing wildland, rural and urban fires.
Lead agency: U.S. Forest Service, Department of Agriculture

ESF 5: Information and Planning. Collecting, analyzing and disseminating critical information to facilitate the overall federal response and recovery operations.
Lead agency: Federal Emergency Management Agency

ESF 6: Mass Care. Managing and coordinating food, shelter and first aid for victims; providing bulk distribution of relief supplies; operating a system to assist family reunification.
Lead agency: American Red Cross

ESF 7: Resource Support. Providing equipment, materials, supplies and personnel to federal entities during response operations.
Lead agency: General Services Administration

ESF 8: Health and Medical Services. Providing assistance for public health and medical care needs.
Lead agency: U.S. Public Health Service, Department of Health and Human Services

ESF 9: Urban Search and Rescue. Locating, extricating and providing initial medical treatment to victims trapped in collapsed structures.
Lead agency: Federal Emergency Management Agency

ESF 10: Hazardous Materials. Supporting federal response to actual or potential releases of oil and hazardous materials.
Lead agency: Environmental Protection Agency

ESF 11: Food. Identifying food needs; ensuring that food gets to areas affected by disaster.
Lead agency: Food and Nutrition Service, Department of Agriculture

ESF 12: Energy. Restoring power systems and fuel supplies.
Lead agency: Department of Energy {45}

 

National Infrastructure Assurance Plan

The critical infrastructure protection plans are going to be, when fully developed, enormously complex. As a management tool for dividing the work, the Lead Agencies for Sector Liaison develop the plans for their sectors. The individual plans are then aggregated by the National Coordinator and his staff into a coherent national level plan. This process is shown in the following graphic:

[Figure: natplan1.gif] {46}

Each plan will address all elements of the sector operations, including information systems. The Critical Infrastructure Segment called "Information and Communications" will not include the information systems that are organic to the other segments. The interfaces between segments and segment plans will be addressed when the plans are rationalized by the National Coordinator and staff. {47}

The Lead Agency for Sector Coordination is responsible for coordinating with non-Federal Government elements in each sector to develop specific plans and processes for inclusion in the National Plan.

[Figure: natplan2.gif] {48}

Initial operational capability (IOC) for the National Plan is targeted for the year 2000, with final operational capability achieved by the year 2003. Following IOC in 2000, the National Coordinator is required to conduct a zero-based review. {49}

Sources

The following were sources for the information contained in this report:

Personal Interviews

Frederick Tompkins

Unisys Corporation
Discussions through communications media throughout Fall 1998,
Interview in person on 27 October 1998, McLean, Virginia

Gordon Bendick, Colonel USAF (ret)

Deputy Chief, Critical Infrastructure Assurance Office
Interview in person on 28 October 1998, Rosslyn, Virginia

Michael Vatis

Director, National Infrastructure Protection Center
Interview in person on 1 September 1998, Washington D.C.

John O’Neill

Special Agent in Charge, New York City FBI Office
Interview in person on 19 November 1998, New York City

Electronically Published Documents

Critical Infrastructure Assurance Office (CIAO) web pages

Electronic Privacy Information Center (EPIC), Critical Infrastructure Protection and the Endangerment of Civil Liberties: An Assessment of the President's Commission on Critical Infrastructure Protection, October 1998

Executive Order 13010, 15 July 1996 (as amended)

Federal Bureau of Investigation (FBI) web pages

Federal Emergency Management Agency (FEMA) web pages

Hunker, Jeffrey.  Critical Infrastructure Protection: Overview and Agency Roles, 13 October 1998

Information Technology Association of America (ITAA) web pages

National Infrastructure Protection Center (NIPC) web pages

President's Commission on Critical Infrastructure Protection (PCCIP) web pages

Report of the PCCIP, "Critical Foundations: Thinking Differently," 13 October 1997

Singleton, Solveig.  Encryption Policy for the 21st Century: A Future Without Government-Prescribed Key Recovery. November 19, 1998.  Published by the Cato Institute.

White Paper on PDD-63, 22 May 1998.

Conference and Meeting Attendance

National Defense Industrial Association (NDIA) Information Assurance Study

Meetings held at TRW Fairlakes, Virginia 19 August, 23 September, 29 October 1998

National Information Systems Security Conference

Presentation by Commission Members, President’s Commission on Critical Infrastructure Protection, 6 October 1998

Presentations by:

Sue Simmons, Chief of Staff, Critical Infrastructure Assurance Office
Irwin Pikus, Commission Member from Department of Commerce
David Jones, Commission Member from Department of Energy
John Davis, Commission Member from National Security Agency and Director, National Computer Security Center, National Security Agency

Appendix 1 PCCIP

Learn more about the President's Commission on Critical Infrastructure Protection at http://www.pccip.gov/. The following information is taken from that site for ease of reference.

About the PCCIP

Why the PCCIP Was Formed

The PCCIP was formed to advise and assist the President of the United States by recommending a national strategy for protecting and assuring critical infrastructures from physical and cyber threats. [The critical sectors of the infrastructure are:]

    • Information and Communications
    • Electrical Power Systems
    • Gas and Oil Transportation and Storage
    • Banking and Finance
    • Transportation
    • Water Supply Systems
    • Emergency Services
    • Government Services {50}

PCCIP Fact Sheet

Electronic E-mail Bombs... Computer Hijacking... Logic Bombs... Data Service Attacks...

An unidentified person sending millions of e-mail messages causes unexplained outages in phone services and a shut-down in the 911 service of a major metropolitan city....

A computer hacker "hijacks" a password in the air traffic control system by waiting for someone manning a computer station to take a coffee break without exiting the program....

A program hidden within a computer and set to activate at some point in the future cleans out millions of bank accounts....

Could these possibilities and other forms of digitized assaults halt the operations of electric power grids, natural gas pipelines, air traffic control systems, railroad switching facilities or the stock exchange?

The President's Commission on Critical Infrastructure Protection was the first national effort to address the vulnerabilities created in the new information age. The Commission, established in July, 1996, by Presidential Executive Order 13010, was tasked to formulate a comprehensive national strategy for protecting the infrastructures we all depend on from physical and "cyber" threats.

Critical Infrastructures are systems whose incapacity or destruction would have a debilitating impact on the defense or economic security of the nation. They include telecommunications, electrical power systems, gas and oil, banking and finance, transportation, water supply systems, government services and emergency services.

The Commission, chaired by aerospace industry leader Robert "Tom" Marsh, included senior representatives from private industry, government and academia. An Advisory Committee consisting of industry leaders provided counsel to the Commission and a Steering Committee, made up of cabinet-level officials, reviewed the Commission's report before forwarding it to the President.

What is the Threat?

Anyone with the capability, technology, opportunity, and intent to do harm. Potential threats can be foreign or domestic, internal or external, state-sponsored or a single rogue element. Terrorists, insiders, disgruntled employees, and hackers are included in this profile.

National Security is a Shared Responsibility.

The fact that most of the nation's vital services are delivered by private companies creates a significant challenge in determining where the responsibility of protecting our critical infrastructures falls. This Commission addressed this challenge by bringing the private and public sectors together to assess infrastructure vulnerabilities and develop assurance strategies for the future. The Commission consulted with over 6,000 representatives from the private and public sectors including industry executives, security experts, government agencies and private citizens.

PCCIP Sector Teams.

The Commission was divided into five teams, representing the eight critical infrastructures.

Each team evaluated the growing risk, threats, and vulnerabilities within its sector. The sector teams and their industries include:

    • Information & Communications - telecommunications, computers & software, Internet, satellites, fiber optics
    • Physical Distribution - railroads, air traffic, maritime, intermodal, pipelines
    • Energy - electrical power, natural gas, petroleum, production, distribution & storage
    • Banking & Finance - financial transactions, stock & bond markets, federal reserve
    • Vital Human Services - water, emergency services, government services

The Commission submitted its report, Critical Foundations, to the White House in October, 1997. {51}

Our Nation's Critical Infrastructures: Some Working Definitions

Information and Communications: Computing and telecommunications equipment, software, processes, and people that support the processing, storage, and transmission of data and information; the processes and people that convert data into information and information into knowledge; and the data and information themselves.

Electrical Power Systems: The generation stations, transmission and distribution networks that create and supply electricity to end-users so that end-users achieve and maintain nominal functionality, including the transportation and storage of fuel essential to that system.

Gas and Oil Production, Storage and Transportation: The production and holding facilities for natural gas, crude and refined petroleum, and petroleum-derived fuels, the refining and processing facilities for these fuels and the pipelines, ships, trucks, and rail systems that transport these commodities from their source to systems that are dependent upon gas and oil in one of their useful forms.

Banking and Finance: The retail and commercial organizations, investment institutions, exchange boards, trading houses, and reserve systems, and associated operational organizations, government operations, and support entities, that are involved in all manner of monetary transactions, including its storage for saving purposes, its investment for income purposes, its exchange for payment purposes, and its disbursement in the form of loans and other financial instruments.

Transportation: The nation's physical distribution system critical to supporting the national security and economic well-being of this nation, including the national airspace system, airlines and aircraft, and airports; roads and highways, trucking and personal vehicles; ports and waterways and the vessels operating thereon; mass transit, both rail and bus; pipelines, including natural gas, petroleum, and other hazardous materials; freight and long haul passenger rail; and delivery services.

Water Supply Systems: The sources of water, reservoirs and holding facilities, aqueducts and other transport systems, the filtration, cleaning and treatment systems, the pipelines, the cooling systems and other delivery mechanisms that provide for domestic and industrial applications, including systems for dealing with water runoff, waste water, and firefighting.

Emergency Services: The medical, police, fire, and rescue systems and personnel that are called upon when an individual or community is responding to emergencies. These services are typically provided at the local level (county or metropolitan area). In addition, state and Federal response plans define emergency support functions to assist in response and recovery.

Government Services: Sufficient capabilities at the Federal, state and local levels of government are required to meet the needs for essential services to the public. {52}

Report Summary

This report summary is also available in a formatted Acrobat version (30k). The report itself is also available at this Web site. [http://www.pccip.gov/report_index.html]

Critical Foundations: Thinking Differently

"Our responsibility is to build the world of tomorrow by embarking on a period of construction -- one based on current realities but enduring American values and interests..."

President William J. Clinton, National Security Strategy

Introduction

The United States is in the midst of a tremendous cultural change -- a change that affects every aspect of our lives. The cyber dimension promotes accelerating reliance on our infrastructures and offers access to them from all over the world, blurring traditional boundaries and jurisdictions. National defense is not just about government anymore, and economic security is not just about business. The critical infrastructures are central to our national defense and our economic power, and we must lay the foundations for their future security on a new form of cooperation between the private sector and the federal government.

The federal government has an important role to play in defense against cyber threats -- collecting information about tools that can do harm, conducting research into defensive technologies, and sharing defensive techniques and best practices. Government also must lead and energize its own protection efforts, and engage the private sector by offering expertise to facilitate protection of privately owned infrastructures.

In the private sector, the defenses and responsibilities naturally encouraged and expected as prudent business practice for owners and operators of our infrastructures are the very same measures needed to protect against the cyber tools available to terrorists and other threats to national security.

Venues for Change

Terrorist bombings of US forces in Saudi Arabia, the World Trade Center in New York City, and the federal building in Oklahoma City remind us that the end of the Cold War has not eliminated threats of hostile action against the United States.

In recognition of comparable threats to our national infrastructures, President Clinton signed Executive Order 13010 on July 15, 1996, establishing the President's Commission on Critical Infrastructure Protection. The Commission was chartered to conduct a comprehensive review and recommend a national policy for protecting critical infrastructures and assuring their continued operation.

Our Process -- Who We Are and What We Did

Composition and Operation of the Commission

This was an unusually large commission with broad representation from federal departments and agencies and from the private sector. An Advisory Committee of industry leaders appointed by the President provided the perspective of the infrastructure owners and operators. A Steering Committee, composed of the Commission's Chairman and four top government officials, oversaw the Commission's work on behalf of the Principals Committee, which included Cabinet Officers, heads of agencies, and senior White House staff members.

The Commission generally operated by consensus. Every recommendation was discussed at length with the full Commission and most were revised several times before final approval. No Commissioner agreed completely with all of the recommendations. Nevertheless, each accepted the final report as a reasonable and balanced recommendation to the President.

Sector Studies

The Commission divided its work into five "sectors" based on the common characteristics of the included industries. The sectors are:

    1. Information and Communications
    2. Banking and Finance
    3. Energy, Including Electrical Power, Oil and Gas
    4. Physical Distribution
    5. Vital Human Services

The Commission characterized the sectors, studied their vulnerabilities, and looked for solutions.

We prepared comprehensive working papers for each of the five sectors providing specific recommendations. Other work contains the results of deliberations on issues that are not sector specific. Among them is a paper on Research and Development Recommendations, which outlines a comprehensive set of topics regarding the long term needs of infrastructure protection. The paper on National Structures contains our conclusions and recommendations about the functions and responsibilities for infrastructure assurance and the creation of new units in the federal government and the private sector, and some that are jointly staffed by government employees and representatives of the infrastructure owners and operators. The paper on Shared Infrastructures: Shared Threats is our collected analysis of the vulnerabilities and threats facing the critical infrastructures. We recognize the enormous significance of physical threats, but we have a significant amount of experience in dealing with them. It is the cyber threat that is new. Cyber issues dominate this analysis because networked information systems present fundamentally new security challenges.

Public Hearings and Outreach

We conducted extensive meetings with a range of professional and trade associations concerned with the infrastructures, private sector infrastructure users and providers, academia, different state and local government agencies, consumers, federal agencies, and numerous others. Of special interest were five public meetings in major cities.

We attended dozens of conferences and roundtables with a variety of groups, and we arranged two strategic simulations with participants drawn from across the infrastructures and from all levels of government. We encouraged questions and comments by anyone, and established a World Wide Web site to facilitate contact. Several meetings with Congressional Members and their staffs added a very useful perspective to our research.

Development of our Critical Issues

During the preparation of the sector papers we identified several dozen issues for which recommendations might be appropriate. Each issue was described, relevant observations, findings, and conclusions were collected, and several alternative recommendations were prepared. The Commission then deliberated each issue and selected one of the alternative recommendations.

We Found

Increasing Dependence on Critical Infrastructures

The development of the computer and its astonishingly rapid improvements have ushered in the Information Age that affects almost all aspects of American commerce and society. Our security, economy, way of life, and perhaps even survival, are now dependent on the interrelated trio of electrical energy, communications, and computers.

Increasing Vulnerabilities

Classical physical disruptions. A satchel of dynamite or a truckload of fertilizer and diesel fuel have been frequent terrorist tools. The explosion and the damage are so certain to draw attention that these kinds of attacks continue to be among the probable threats to our infrastructures.

New, cyber threats. Today, the right command sent over a network to a power generating station's control computer could be just as effective as a backpack full of explosives, and the perpetrator would be harder to identify and apprehend.

The rapid growth of a computer-literate population ensures that increasing millions of people possess the skills necessary to consider such an attack. The wide adoption of public protocols for system interconnection and the availability of "hacker tool" libraries make their task easier.

While the resources needed to conduct a physical attack have not changed much recently, the resources necessary to conduct a cyber attack are now commonplace. A personal computer and a simple telephone connection to an Internet Service Provider anywhere in the world are enough to cause a great deal of harm.

System complexities and interdependencies. The energy and communications infrastructures especially are growing in complexity and operating closer to their designed capacity. This creates an increased possibility of cascading effects that begin with a rather minor and routine disturbance and end only after a large regional outage. Because of their technical complexity, some of these dependencies may be unrecognized until a major failure occurs.

A Wide Spectrum of Threats

Of the many people with the necessary skills and resources, some may have the motivation to cause substantial disruption in services or destruction of the equipment used to provide the service.

This list of the kinds of threats we considered shows the scope of activity with potentially adverse consequences for the infrastructures, and the diversity of people who might engage in that activity. It may not be possible to categorize the threat until the perpetrator is identified -- for example, we may not be able to distinguish industrial espionage from national intelligence collection.

Natural events and accidents. Storm-driven wind and water regularly cause service outages, but the effects are well known, the providers are experienced in dealing with these situations, and the effects are limited in time and geography.

Accidental physical damage to facilities is known to cause a large fraction of system incidents. Common examples are fires and floods at central facilities and the ubiquitous backhoe that unintentionally severs pipes or cables.

Blunders, errors, and omissions. By most accounts, incompetent, inquisitive, or unintentional human actions (or omissions) cause a large fraction of the system incidents that are not explained by natural events and accidents. Since these usually only affect local areas, service is quickly restored; but there is potential for a nationally significant event.

Insiders. Normal operation demands that a large number of people have authorized access to the facilities or to the associated information and communications systems. If motivated by a perception of unfair treatment by management, or if suborned by an outsider, an "insider" could use authorized access for unauthorized disruptive purposes.

Recreational hackers. For an unknown number of people, gaining unauthorized electronic access to information and communication systems is a most fascinating and challenging game. Often they deliberately arrange for their activities to be noticed even while hiding their specific identities. While their motivations do not include actual disruption of service, the tools and techniques they perfect among their community are available to those with hostile intent.

Criminal activity. Some are interested in personal financial gain through manipulation of financial or credit accounts or stealing services. In contrast to some hackers, these criminals typically hope their activities will never be noticed, much less attributed to them. Organized crime groups may be interested in direct financial gain, or in covering their activity in other areas.

Industrial espionage. Some firms can find reasons to discover the proprietary activities of their competitors, by open means if possible or by criminal means if necessary. Often these are international activities conducted on a global scale.

Terrorism. A variety of groups around the world would like to influence US policy and are willing to use disruptive tactics if they think that will help.

National intelligence. Most, if not all, nations have at least some interest in discovering what would otherwise be secrets of other nations for a variety of economic, political, or military purposes.

Information warfare. Both physical and cyber attacks on our infrastructures could be part of a broad, orchestrated attempt to disrupt a major US military operation or a significant economic activity.

Lack of Awareness

We have observed that the general public seems unaware of the extent of the vulnerabilities in the services that we all take for granted, and that within government and among industry decision-makers, awareness is limited. Several have told us that there has not yet been a cause for concern sufficient to demand action.

We do acknowledge that this situation seems to be changing for the better. The public news media seem to be carrying relevant articles more frequently; attendance at conferences of security professionals is up; and vendors are actively introducing new security products.

The Commission believes that the actions recommended in this report will increase sensitivity to these problems and reduce our vulnerabilities at all levels.

No National Focus

Related to the lack of awareness is the need for a national focus or advocate for infrastructure protection. Following up on our report to the President, we need to build a framework of effective deterrence and prevention.

This is not simply the usual study group's lament that "no one is in charge." These infrastructures are so varied, and form such a large part of this nation's economic activity, that no one person or organization can be in charge. We do not need, and probably could not stand, the appointment of a Director of Infrastructures. We do need, and recommend, several more modest ways to create and maintain a national focus on the issues.

Protection of our infrastructures will not be accomplished by a big federal project. It will require continuous attention and incremental improvement for the foreseeable future.

We Concluded

Life on the information superhighway isn't much different from life on the streets; the good guys have to hustle to keep the bad guys from getting ahead.

Rules Change in Cyberspace -- New Thinking is Required

It is not surprising that infrastructures have always been attractive targets for those who would do us harm. In the past we have been protected from hostile attacks on the infrastructures by broad oceans and friendly neighbors. Today, the evolution of cyber threats has changed the situation dramatically. In cyberspace, national borders are no longer relevant. Electrons don't stop to show passports.

Potentially serious cyber attacks can be conceived and planned without detectable logistic preparation. They can be invisibly reconnoitered, clandestinely rehearsed, and then mounted in a matter of minutes or even seconds without revealing the identity and location of the attacker.

Formulas that carefully divide responsibility between foreign defense and domestic law enforcement no longer apply as clearly as they used to. "With the existing rules, you may have to solve the crime before you can decide who has the authority to investigate it." [Senator Sam Nunn, remarks to the PCCIP Advisory Committee. Washington, DC, September 7, 1997]

We Should Act Now to Protect our Future

The Commission has not discovered an imminent attack or a credible threat sufficient to warrant a sense of immediate national crisis. However, we are quite convinced that our vulnerabilities are increasing steadily while the costs associated with an effective attack continue to drop. What is more, the investments required to improve the situation are still relatively modest, but will rise if we procrastinate.

We should attend to our critical foundations before the storm arrives, not after: Waiting for disaster will prove as expensive as it is irresponsible.

Infrastructure Assurance is a Shared Responsibility

National security requires much more than military strength. Our world position, our ability to influence others, our standard of living, and our own self-image depend on economic prosperity and public confidence. Clear distinctions between foreign and domestic policy no longer serve our interests well.

At the same time, the effective operation of our military forces depends more and more on the continuous availability of infrastructures, especially communications and transportation, that are not dedicated to military use.

While no nation state is likely to attack our territory or our armed fo