Summary and Conclusions
The module learning objective:
- To summarize and draw conclusions from the previous lessons.
Module 1 Summary - How Did We Get Here?
- The Internet was born from a DoD requirement for a survivable
communications system. As a result the Global Information Infrastructure
(GII) which utilizes the Internet protocol is evolving into a
robust information sphere where individuals are discovering a
political and social freedom never before available. There is
an evolving new indestructible cyberspace where individuals are
free from race, color, age, or sexual bias; only one's ideas matter.
Our planet is undergoing an information revolution. Module 1 illustrates
what many call the nuclear model. This reference suggest that
just as the threat of nuclear war forced America to develop new
national policy focused on defending America from a new threat,
so does the emergence of an Information Warfare threat establish
a need for an Information Civil Defense. Such an IW Civil Defense
would consolidate national policy to protect America's critical
infrastructures (communications, power, financial, transportation)
from attacks launched via the net.
- A comparison between now and then: The Internet concept (ARPANET)
was born from a Cold War requirement when the United States government
leveraged over 90% of all telecommunications research. As a result,
the Internet protocol (TCP/IP) was accepted by industry and academia.
Today, the Internet offers a viable market place rich for corporate
and public investment. With the end of the Cold War, the United
States government now contributes less than 10% of telecommunications
- Once capable of supporting an independent communications network,
the Department of Defense enjoyed the security of a dedicated
and redundant network. However, faced with diminishing defense
budgets and a rapidly expanding commercial telecommunications
infrastructure, DoD is now economically forced to rely on the
Public Switched Network, a network that has been demonstrated
to be vulnerable to information attack. For the first time in
history, DoD is critically dependent upon an infrastructure that
it does not control or influence. This begs the question, "Who
will be responsible for securing America's critical infrastructures?"
And for the first time, DoD and the intelligence community must
grapple with the concept of leading from behind, where contributions
to the national debate are to provide accurate, sound advice on
what constitutes the Threat, and which entities are positioning
themselves to take advantage of America's critical infrastructures.
Module 2 Summary - The Threat
- Why is Information Warfare a threat? IW levels the international
playing field (political, economic, and military), i.e., most
nations cannot challenge American policy using traditional force-on-force.
Information Warfare is very cost effective, and offers a non-attribution
capability that can be completely hidden during development and
deployment. Finally, the United States, whose policy is often
the target of attack by emerging or rogue states, is the most
vulnerable to IW.
- DoD analysis suggests that when 95% of government networks were
subjected to informational attacks, less then 5% were detected.
Further, of the 5% detected, very few are successful in closing
the hole to future attacks.
- The groups posing the threat to America's critical infrastructure
||Low lever threat (nuisance)
|Coordinated hacking (Instructor/tutor)
||Low/Med level of threat
|Funded, coordinated (focused, employed)
|State sponsored, focused (Intel provided, spec tasking)
A new management philosophy is needed.
- Old Business - New Focus (Spies of the 21st century). As security
products become available to the public and commercial sector
the focus of international espionage will be redirected from the
individual with access to desired information toward the network
system administrator. Just as any industry seeks the most bang
for the buck, so will foreign case officers seek to target the
system administrators of key computer systems. This threat transcends
the traditional focus and will expose virtually every aspect of
American society. In the past corporations needed only to enforce
strict security upon those facilities handling classified government
material. The spies of tomorrow will target institutions such
as banking (ATM, investment), transportation (Federal Express,
UPS, rail, trucking) and industry (chemical, power, computer,
- The new business of spying. As the world enters the information
age, international economic competition will become more fierce.
Nations will set as a national priority the goal of acquiring
America's customer base. Industrial espionage will escalate into
industrial sabotage. For example, a foreign power may recruit
a critical software or hardware engineer in an effort to implant
destructive code that can be remotely triggered. The focus of
such an attack may be as simple as to force a general product
recall, and the timing of the execution could coincide with a
critically weak period for the company. Thus a simple failure
that forces a product recall may precipitate a disastrous fall
of stock prices and takeover of the company. (Industry will need
to re-think its current security practices and be more aware of
the threat posed by grieving and/or disgruntled employees)
Module 3 Summary - DoD Roles and Missions
- America's military is in the process of aligning itself as the
Cold War threat diminishes. Tomorrow's military will continue
to stand ready to defend America if faced with the traditional
two major regional conflicts scenario; however, it will be forced
to do so with fewer resources. Economizing will be sought through
advanced Command and Control Warfare. Further, America's military
will be more likely to operate with a global reach utilizing new
strategic offensive information warfare. Tomorrow's military will
prepare the theater of conflict by seizing control of all critical
infrastructures utilized by the enemy. Tomorrow's enemy will only
be able to communicate, finance, or logistically relocate that
which our leadership allows. Our adversary will be blinded by
a complete cyberfog of war.
- Just as these new weapons for peace are being developed, so
are the controlling mechanisms. Currently the Joint Chiefs of
Staff has both an offensive and defensive group addressing these
very issues. Mechanisms are currently in place and being honed
to ensure that each new strategic weapon is controlled within
the required authority for release.
- From the defensive perspective, DoD is currently inhibited as
its mandated authority prohibits involvement in securing the public
and corporate sector of America's critical infrastructure. This
offers the greatest challenge to future military leaders, as they
have little influence in securing a vulnerable America which is
open to an Information Pearl Harbor. Just as America pulled together
a nation threatened by a cold war, our nation's leaders must define
America's Information (infrastructure) Civil Defense.
Module 4 Summary - Information Assurance
To expand the DoD perspective of securing America from groups that
wish to influence U.S. policy throughout infrastructure attacks,
our nation's leadership, both political and industrial, must define
a process by which America can be secured. The National Information
Infrastructure will be used by tomorrow's enemies to gain access
and attempt to control or influence our nation's critical infrastructures.
Policy makers will be faced with the challenge of respecting and
balancing the basic rights of Americans. For example, a balance
between the right to privacy vs. law enforcement represents one
of many issues which will be hotly debated. However, there is one
positive aspect; the threat posed to America's infrastructure via
IW attacks is by its nature non-partisan. The threat is real and
is focused against all of America. As a result, our political leaders
will come to closure on this issue much more quickly. This contrasts
sharply with the health care debates of the early 90's which ended
with few positive results.
The key to Information Infrastructure security is clearly defined
by our forefathers:
We hold these truths to be self-evident, that all men are created
equal, that they are endowed by their Creator with certain unalienable
Rights, that among these are Life, Liberty, and the pursuit of
Happiness. That to secure these rights, Governments are instituted
among Men, deriving their just powers from the consent of the
governed. That whenever any Form of Government becomes destructive
of these ends, it is the Right of the People to alter or to abolish
it, and to institute new Government, laying its foundation on
such principles and organizing its powers in such form, as to
them shall seem most likely to effect their Safety and Happiness.
Our fore fathers believed that individual rights were granted by
God and secured by government. Our nation's leaders will be challenged
to find the right balance - this represents the heart of the debate
in securing America.
Module 5 Summary - The Political Quagmire
The focus for change must come from Congress. The issues associated
with defending America in the age of information can only be equitably
debated through this branch of government. This is not to suggest
that the President and the Judicial branch will not play a major
role; they will... Congress will have to take the lead in forging
new policy as our nation enters the 21st century.
Role of the President: Lead from behind by directing the
Executive branch departments and agencies to provide critical information
(data) for use by Congress, Industry, and the public in forming
the national debate. The Executive branch must provide a clear representation
of the Threat that IW poses to our nation's infrastructure. Further,
the President must ensure that any technical skills and associated
knowledge resident in the U.S. Government is available to industry
and Congress for their use in formulating national information policy.
Role of the Supreme Court: The Supreme Court will, as it
has in the past, ensure that legislated policy does not encroach
on the rights of Americans. Just as the Supreme Court played a major
role in interpreting legislation as America entered the Industrial
Revolution, it will do so for the Information Revolution. However,
history has shown that such interpretations are molded over time
as society's needs and perspectives change. For example, the balance
between economic rights and the needs of business.
Role of industry: Corporate America will be called upon
to provide a realistic view of industry's security needs. This view
is currently not possible as most of corporate America is either
fearful of disclosing the extent of the threat, or is unaware of
the intentions of its adversaries. To remedy this, the President
must commit America's intelligence community to directly providing
relevant indications and warnings to industry. Congress must engineer
a policy where industry is required to report the number and nature
of IW attacks against its infrastructures. Such disclosures by industry
must be protected to guard against erosion of the public confidence.
Today many nations desire U.S. military products, tomorrow they
will want American security products that protect critical infrastructure.
If our nation's policy makers pass legislation that encourages the
will of American industry, the "Made in America" label
will appear on security systems world wide.
Role of the individual: The Internet is growing exponentially.
Within it there are many references to the sanctuary of cyberspace.
There have been declarations of cyber-independence and calls for
a hands-off by governments. People of the world are experiencing
for the first time what Americans have taken for granted: Freedom
of Speech. The ability to publicly voice one's opinion is bringing
a passion to the Internet that is indescribable. Non-Americans are
naturally hesitant to embrace any government association with the
Internet. However it must be remembered that it was America, specifically
the U.S. Department of Defense, that made the Internet possible.
According to the Declaration of Independence, America's government
is formed by its people to protect the rights granted by the Creator.
This brings us to one of the most fundamental arguments of society
(State): when do the rights of the many outweigh the rights of the
few? This issue has been argued since the dawn of logical thought.
Our policy makers (Congress and the President) must receive a balanced
view from their constituents. Often our nation has applied the oil
only to the squeaky wheel. The Congress must initiate public community
debates to help bring the message to Washington. When called individuals
must educate themselves to the issues and voice their opinion.
Lessons from the Past
Look to our nation's transition during times of great change, e.g.,
the industrial revolution, the Great Depression, and the nuclear
threat (Cold War). During each period the concept of free enterprise
provided the technical means to a solution. Likewise, each transition,
required a new assessment of the balance of rights. Looking more
recently to the second half of the 20th century, it can again be
illustrated that free enterprise enabled America to become the global
leader in technology. The voices of our forefathers offer guidance;
if only we would listen.
Specific Lessons from History
- Legislative actions have historically supported economic and
- The mean trend of U.S. Courts has been to lean toward the rights
of the individual. The right to privacy has and will continue
to be at the center of such debates.
- The technical solutions to all of America's needs have come
from the industrial sector. History has shown that with the encouraging
government policy the pace of development can be greatly accelerated,
e.g., America's race for the moon in the 1960's.
- Look to the benefits of AT&T's divestiture. What other aspects
of America's critical infrastructure could benefit from similar
considerations, i.e., electric power distribution?
- Consider the recent cases involving free speech; for example
the Philadelphia Court striking down legislation on indecency.
What can be learned from this? Was Congress reactive or proactive?
Were legislators responding to impulse demands of a minority?
Congress must carefully consider the implications of oiling the
squeaky wheel, as this may lead to action without thoughtful representation.
Module 6 Summary - IW Weapons
Information Warfare Weapons fall into three categories: Strategic,
Theater, and Tactical. Each category has its own unique capabilities
and thus requires different safety mechanisms to prevent inadvertent
release. Consider nuclear weapons. They too can be employed to support
a tactical, theater and/or strategic objective. However, nuclear
weapons must ultimately be released for use by the President and
usually by recommendation of the National Security Council. IW weaponry
is very similar, but there are exceptions.
The Commander In Chief (CINC) will always implement the directions
of the President. In such a capacity certain IW weapons can be left
to the discretion of the CINC for implementation. Likewise, traditional
theater level Electronic Warfare (EW) or PSYOP that is enhanced
by IW capabilities fall under CINC authority.
Strategic IW weapons however, will most likely be reserved for
release by the highest level. For example, a computer virus that
would cripple a nation's monetary system or may seize control of
international satellites must be controlled by either the President
(SECDEF if authority has been delegated). Justification: a response
in-kind would have a direct impact on the American homeland, i.e.,
the loss of sanctuary.
So who pulls the trigger? In general the command to launch an IW
attack will at least be reviewed by the National Security Council,
possibly the President (weapon dependent), and ordered by the CINC.
One must remember that some strategic weapons will only be released
on authority of the President. Note: during the planning process
the CINC will be the single person responsible for the overall campaign
and will decide his or her weapons of choice, but just as in the
case of nuclear weapons, IW weaponry will require a higher lever
of coordination and authorization for release.
Module 7 Summary - Loss of Sanctuary
America has the strongest, most capable military in the world.
This fact challenges many nation's objectives which conflict with
American policy. No nation has the capability to challenge the United
States using traditional force-on-force. Further, the acquisition
of weapons of mass destruction by such nations is also considered
futile, as America's response would be direct and massive. This
leaves many developing nations with few options in countering America's
military force. That was until the introduction of Information Warfare.
Many nations in competition with the United States, either in the
political or economic realm, are actively developing IW capabilities.
They hope to use these capabilities to gain an industrial edge by
stealing U.S. industrial secrets, and when possible disrupt America's
America possesses many infrastructures: power, transportation,
economic. But there are others not normally considered. Our nation
possesses a knowledge infrastructure where critical scientific information
is freely shared between academia, government, and industry. This
infrastructure, like others, is open to attack by IW weapons.
America has typically enjoyed a protected sanctuary provided by
the two great oceans. Not until Pearl Harbor and the subsequent
nuclear threat did America become aware of it's loss of sanctuary.
With the fall of the Iron Curtain and the end of the Cold War, Americans
have returned to believing in a new protected sanctuary. This is
far from the truth. Daily, America's critical infrastructures are
being probed and investigated by foreign powers. Our nation's industries
currently lack the capability to adequately detect the implantation
of IW weapons into our infrastructure.
Many nations are looking for ways to attack our financial networks
to gain economic advantage. Likewise our industrial base is under
attack. Cyberspace has no geographic boundaries. Nations are contracting
the efforts of cyber-terrorists to maintain non-attribution. It
is possible that some nations we traditionally consider allies and
friendly are set on a path of economically and industrially conquering
America's sanctuary has been lost. Our nation is under a quiet,
sometimes organized attack by many forces whose goal is to topple
America's global position.
Module 8 Summary - The Military Perspective
The military perspective on the beta version of this tutorial was
composed from various unclassified briefings and presentations.
Each service has been distributed the beta version with the intent
of providing input into the final version due in October 1996. As
you explore the military perspective please remember that military
offensive aspects of IW cannot be discussed openly. Nonetheless
these efforts are ongoing!
Just as America's military transitioned into the industrial age
and adopted the concept of mechanized war, so will it adapt to warfare
in the information age. That said, the transition will not be easy.
Just as military leaders resisted accepting a mechanized calvary
and concept of an Air Force there will be great hesitation to adopt
IW. By its nature any military must adhere to tradition and order.
How else can a person be commanded into combat? But tradition typically
stalls advancement of new technologies. America's military will
become tomorrow's information warriors, and when future military
leaders look to this period they will again wonder why acceptance
of such an natural concept was hard to comprehend.
The Army has and will always command the ground aspect of warfare.
The information revolution will provide a battlefield (situational)
awareness unimaginable today. The fog of war will be greatly reduced
if not totally eliminated. Likewise, offensive IW will render our
nation's enemies dispersed and informationally isolated. The enemy's
fog will be extended to a complete blindness. All aspects of today's
Army will be enhanced by the information revolution.
The Navy and Marine Corps will continue to control the seas and
provide the heavy strategic reach capability America now enjoys.
Global sensory networks will ensure the Navy has the capability
to track any form of naval enemy on a global basis. New information
technologies will extend the track and reaction time of many naval
weaponry for both hard and soft kills.
The Air Force and its command of the skies will continue. Tomorrow's
air defense weaponry and electronic warfare will be unrecognizable
to today's military leaders. The ability to precisely strike a hostile
nation's command and control, air defense, or critical infrastructures
will be just a push-button away. If a hard kill is required, the
enhancement of IW will ensure the safety of our service personal
and reduce the amount of physical force necessary. Precision strike
will place munitions on a target in ways now considered impossible.
Module 9 Summary - Recommendations
The nation is ready to debate the issue of Information Warfare
and begin to decide that delicate balance between protecting the
individual rights and national security. For the past three years
we have come a long way. First the term Information Warfare was
discussed, i.e., what does it mean. Then groups began to discuss
organization structure and identify needed policy. Today, insiders
understand IW and its threat to America's infrastructure. It is
now time to mode the debate to the people and industry and answer
the question, how do we protect America's Critical Infrastructure
form Information Warfare.
The following Executive Order was issues by President Clinton on
July 15, 1996. It focuses the necessary ingredients for the national
WASHINGTON, July 15, 1996
Certain national infrastructures are so vital that their incapacity or
destruction would have a debilitating impact on the defense or economic
security of the United States.
These critical infrastructures include
electrical power systems,
gas and oil storage and transportation,
banking and finance,
water supply systems,
emergency services (including medical, police, fire, and rescue), and
continuity of government.
Threats to these critical infrastructures fall into two categories:
1. physical threats to tangible property ("physical threats"),
2. and threats of electronic, radio-frequency, or computer-based attacks
on the information or communications components that control critical
infrastructures ("cyber threats").
Because many of these critical infrastructures are owned and operated by
the private sector, it is essential that the government and private
sector work together to develop a strategy for protecting them and
assuring their continued operation.
NOW, THEREFORE, by the authority vested in me as President by the
Constitution and the laws of the United States of America, it is hereby
ordered as follows:
Section 1. Establishment. There is hereby established the President's
Commission on Critical Infrastructure Protection ("Commission").
(a) Chair. A qualified individual from outside the Federal
Government shall be appointed by the President to serve as Chair of the
Commission. The Commission Chair shall be employed on a full-time basis.
(b) Members. The head of each of the following executive branch
departments and agencies shall nominate not more than two full-time
members of the Commission:
(i) Department of the Treasury;
(ii) Department of Justice;
(iii) Department of Defense;
(iv) Department of Commerce;
(v) Department of Transportation;
(vi) Department of Energy;
(vii) Central Intelligence Agency;
(viii) Federal Emergency Management Agency;
(ix) Federal Bureau of Investigation;
(x) National Security Agency.
One of the nominees of each agency may be an individual from outside the
Federal Government who shall be employed by the agency on a full-time
basis. Each nominee must be approved by the Steering Committee.
Sec. 2. The Principals Committee. The Commission shall report to the
President through a Principals Committee ("Principals Committee"), which
shall review any reports or recommendations before submission to the
President. The Principals Committee shall comprise the:
(i) Secretary of the Treasury;
(ii) Secretary of Defense;
(iii) Attorney General;
(iv) Secretary of Commerce;
(v) Secretary of Transportation;
(vi) Secretary of Energy;
(vii) Director of Central Intelligence;
(viii) Director of the Office of Management and Budget;
(ix) Director of the Federal Emergency Management
(x) Assistant to the President for National
(xi) Assistant to the Vice President for National
Sec. 3. The Steering Committee of the President's Commission on
Critical Infrastructure Protection. A Steering Committee ("Steering
Committee") shall oversee the work of the Commission on behalf of the
Principals Committee. The Steering Committee shall comprise four
members appointed by the President. One of the members shall be the
Chair of the Commission and one shall be an employee of the Executive
Office of the President. The Steering Committee will receive regular
reports on the progress of the Commission's work and approve the
submission of reports to the Principals Committee.
Sec. 4. Mission. The Commission shall:
(a) within 30 days of this order, produce a statement of its
mission objectives, which will elaborate the general objectives set
forth in this order, and a detailed schedule for addressing each mission
objective, for approval by the Steering Committee;
(b) identify and consult with: (i) elements of the public and
private sectors that conduct, support, or contribute to infrastructure
assurance; (ii) owners and operators of the critical infrastructures;
and (iii) other elements of the public and private sectors, including
the Congress, that have an interest in critical infrastructure assurance
issues and that may have differing perspectives on these issues;
(c) assess the scope and nature of the vulnerabilities of, and
threats to, critical infrastructures;
(d) determine what legal and policy issues are raised by efforts
to protect critical infrastructures and assess how these issues should
(e) recommend a comprehensive national policy and implementation
strategy for protecting critical infrastructures from physical and cyber
threats and assuring their continued operation;
(f) propose any statutory or regulatory changes necessary to
effect its recommendations; and
(g) produce reports and recommendations to the Steering
Committee as they become available; it shall not limit itself to
producing one final report.
Sec. 5. Advisory Committee to the President's Commission on Critical
(a) The Commission shall receive advice from an advisory
committee ("Advisory Committee") composed of no more than ten
individuals appointed by the President from the private sector who are
knowledgeable about critical infrastructures. The Advisory Committee
shall advise the Commission on the subjects of the Commission's mission
in whatever manner the Advisory Committee, the Commission Chair, and the
Steering Committee deem appropriate.
(b) A Chair shall be designated by the President from among the
members of the Advisory Committee.
(c) The Advisory Committee shall be established in compliance
with the Federal Advisory Committee Act, as amended (5 U.S.C. App.).
The Department of Defense shall perform the functions of the President
under the Federal Advisory Committee Act for the Advisory Committee,
except that of reporting to the Congress, in accordance with the
guidelines and procedures established by the Administrator of General
Sec. 6. Administration.
(a) All executive departments and agencies shall cooperate with
the Commission and provide such assistance, information, and advice to
the Commission as it may request, to the extent permitted by law.
(b) The Commission and the Advisory Committee may hold open and
closed hearings, conduct inquiries, and establish subcommittees, as
(c) Members of the Advisory Committee shall serve without
compensation for their work on the Advisory Committee. While engaged in
the work of the Advisory Committee, members may be allowed travel
expenses, including per diem in lieu of subsistence, as authorized by law
for persons serving intermittently in the government service.
(d) To the extent permitted by law, and subject to the
availability of appropriations, the Department of Defense shall provide
the Commission and the Advisory Committee with administrative services,
staff, other support services, and such funds as may be necessary for
the performance of its functions and shall reimburse the executive
branch components that provide representatives to the Commission for the
compensation of those representatives.
(e) In order to augment the expertise of the Commission, the
Department of Defense may, at the Commission's request, contract for the
services of nongovernmental consultants who may prepare analyses,
reports, background papers, and other materials for consideration by the
Commission. In addition, at the Commission's request, executive
departments and agencies shall request that existing Federal advisory
committees consider and provide advice on issues of critical
infrastructure protection, to the extent permitted by law.
(f) The Commission, the Principals Committee, the Steering
Committee, and the Advisory Committee shall terminate 1 year from the
date of this order, unless extended by the President prior to that date.
Sec. 7. Interim Coordinating Mission.
(a) While the Commission is conducting its analysis and until
the President has an opportunity to consider and act on its
recommendations, there is a need to increase coordination of existing
infrastructure protection efforts in order to better address, and
prevent, crises that would have a debilitating regional or national
impact. There is hereby established an Infrastructure Protection Task
Force ("IPTF") within the Department of Justice, chaired by the Federal
Bureau of Investigation, to undertake this interim coordinating mission.
(b) The IPTF will not supplant any existing programs or
(c) The Steering Committee shall oversee the work of the IPTF.
(d) The IPTF shall include at least one full-time member each
from the Federal Bureau of Investigation, the Department of Defense, and
the National Security Agency. It shall also receive part-time
assistance from other executive branch departments and agencies. Members
shall be designated by their departments or agencies on the basis of
their expertise in the protection of critical infrastructures. IPTF
members' compensation shall be paid by their parent agency or
(e) The IPTF's function is to identify and coordinate existing
expertise, inside and outside of the Federal Government, to:
(i) provide, or facilitate and coordinate the provision
of, expert guidance to critical infrastructures to detect, prevent,
halt, or confine an attack and to recover and restore service;
(ii) issue threat and warning notices in the event
advance information is obtained about a threat;
(iii) provide training and education on methods of
reducing vulnerabilities and responding to attacks on critical
(iv) conduct after-action analysis to determine possible
future threats, targets, or methods of attack; and
(v) coordinate with the pertinent law enforcement
authorities during or after an attack to facilitate any resulting
(f) All executive departments and agencies shall cooperate with
the IPTF and provide such assistance, information, and advice as the
IPTF may request, to the extent permitted by law.
(g) All executive departments and agencies shall share with the
IPTF information about threats and warning of attacks, and about actual
attacks on critical infrastructures, to the extent permitted by law.
(h) The IPTF shall terminate no later than 180 days after the
termination of the Commission, unless extended by the President prior to
Sec. 8. General.
(a) This order is not intended to change any existing statutes
or Executive orders.
(b) This order is not intended to create any right, benefit,
trust, or responsibility, substantive or procedural, enforceable at law
or equity by a party against the United States, its agencies, its
officers, or any person.
WILLIAM J. CLINTON THE WHITE HOUSE, July 15, 1996.