Interesting People mailing list archives

IP: President's Commission on Critical Infrastructure


From: David Farber <farber () cis upenn edu>
Date: Tue, 23 Sep 1997 19:03:16 -0400

From: Phil Agre <pagre () weber ucsd edu>


[These remarks by the chairman of the President's Commission on Critical
Infrastructure Protection include, among many other remarkable sentiments,
this: "We are going to recommend that the Administration and Congress study
ways to make some of the tools that the federal government uses to perform
background checks and issue security clearances more readily available to
employers within the critical infrastructures, at least in filling certain
sensitive positions within those infrastructures."  Langdon Winner once
argued that nuclear power is antithetical to a democratic society because
of the extensive security apparatus that was needed to protect it.  Maybe
that same argument applies to the Internet now.  Or maybe we just have a
vast bureaucracy that is looking for a reason to exist now that the Cold
War is over.  I've even heard serious suggestions that the US military is
going to start a fifth branch, on top of the Army, Navy, Air Force, and
Marines, to engage in Infrastructural Warfare.  Is your security clearance
up to date?]


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
This message was forwarded through the Red Rock Eater News Service (RRE).
Send any replies to the original author, listed in the From: field below.
You are welcome to send the message along to others but please do not use
the "redirect" command.  For information on RRE, including instructions
for (un)subscribing, send an empty message to  rre-help () weber ucsd edu
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


[http://www.pccip.gov/marsh_banker.html]


Remarks Prepared for Delivery
by Robert T. Marsh


    Chairman, President's Commission on Critical Infrastructure Protection

  MEETING OF THE BANKERS ROUNDTABLE

    Washington, DC
    September 11, 1997

   Thank you, Madame Attorney General, and good morning, ladies and
   gentlemen. It is indeed a pleasure to join you this morning. On behalf
   of the entire Commission, please accept my appreciation for your time
   and insights in discussing this matter of national importance.
   
   Let me first give you a brief introduction to the Commission and our
   mission, a review of some of our preliminary recommendations, and then
   several that relate directly to the banking and finance community.
   
   The Commission was charged by the President to consult "with elements
   of the public and private sectors... and the owners and operators of
   the critical infrastructures." In this vein, my goal is to run some of
   our ideas by you and invite your reactions.
   
Background

   President Clinton established the Commission last July and charged us
   to recommend a national policy for protecting and assuring the
   nation's critical national infrastructures. For just over a year now,
   we have been working to identify and assess vulnerabilities and
   threats -- and then to develop a national strategy and an
   implementation plan.
   
   Besides banking and finance, we have been studying and analyzing
   telecommunications, electric power, oil & gas delivery and storage,
   transportation, water, emergency services, and continuity of
   government services -- those infrastructures that the President
   identified as critical because their incapacity or destruction would
   have a debilitating effect on our defense and/or economic security.
   
   Critical infrastructures have long been lucrative targets for anyone
   wanting to do harm to another country. Even in ancient times, armies
   laying siege to fortified cities attempted to interdict their water
   supplies. US infrastructures have for most of our history been
   protected by the broad oceans separating us from our enemies, but
   during the Civil War both sides attacked each other's supporting
   infrastructures -- railroads and telegraph lines and even one
   privately-owned oil field. In more recent times, Soviet and US nuclear
   weapons were targeted against each other's power grids, road and rail
   networks, energy industries, and telecommunications systems. So there
   is nothing new about infrastructures being targets.
   
   So why was the President motivated to create this Commission at this
   time? It was the realization that our society was becoming vitally
   dependent on these infrastructures for its very well-being, that the
   infrastructures themselves were becoming increasingly dependent upon
   each other for their functioning, and that they were becoming
   increasingly vulnerable to disruption by simple methods readily
   available to relatively unskilled persons intent on doing harm. And
   there was mounting evidence of such danger by the growing number of
   malicious cyber incidents throughout the nation with each passing day.
   
The Partnership

   The Commission was uniquely tailored for this task. In recognition of
   the fact that the critical infrastructures are largely owned and
   operated by the private sector, the Commission is a joint public and
   private venture. Half the Commissioners are full-time career
   government senior executives, and half are senior representatives from
   the private sector who have agreed to serve a year as full-time
   government employees.
   
   A Presidentially-appointed Advisory Committee of key industry leaders
   provides the unique perspective of owners and operators of the
   infrastructures as they assist and advise us. I have consulted
   individually with each member of this group, and they met last Friday
   for a full-day session that included briefings on the Commission's
   work and a lengthy discussion of our tentative recommendations.
   
   As part of our consultation efforts, we met with more than 5,500
   individuals, corporations, associations, and government agencies
   around the country. We held public meetings in Los Angeles, Atlanta,
   Houston, Boston, and St. Louis. We talked with hundreds of people
   from industry, academia, science, technology, the military, and
   government.
   
   Our goal all along has been to create a public-private partnership to
   protect our future. Government alone cannot solve the problem.
   
   Addressing this challenge is why we are here with you today. We seek
   your input. I invite your views on our preliminary recommendations.
   
"Core" recommendations

   I would like to start with a few of our core recommendations that cut
   across all the infrastructures, then follow with a few that may be of
   particular interest to you in the banking sector. I think you will be
   pleasantly surprised not to hear recommendations that call for more
   regulation or tighter laws.
   
  INFORMATION SHARING / NATIONAL STRUCTURES

   One of our toughest problems -- across all infrastructures -- is the
   sharing of information. There is already a heavy volume of information
   passed by industry -- especially banks, as you well know -- to
   government as part of the regulatory process and through law
   enforcement.
   
   Managing the new risks inherent in an information-based society
   requires a different type of information exchange within the industry
   and between industry and government. Furthermore, managing these new
   risks calls for partnership at many different levels, from
   policy-making aimed at preventing a crisis to responding if such a
   crisis occurs. The Commission has some specific proposals in this
   regard:
     * We will recommend the establishment of an Information Sharing,
       Analysis, and Warning "Organization" -- a public-private
       organization that embodies the trust essential for the partnership
       between government and the owners/operators for successful
       infrastructure assurance. We envision an "information
       clearinghouse" staffed by up-and-comers from both government and
       industry who will receive relevant information from all sources --
       public and private, anonymous or attributable -- analyze this
       information to assess what is happening in the infrastructures,
       decide on the necessary protective measures to be taken, then
       disseminate needed information to both government and the private
       sector. Key to its success will be protecting the privileged
       information from both government and the private sector from
       unauthorized disclosure.
       Would you be willing to take turns providing a talented young
       banker from your company to represent the banking and finance
       sector inside such an organization?
     * Enhance industry's information sharing capability by creating
       Sector Information Assurance Coordinators that best suit each
       infrastructure's information-sharing needs -- either through an
       existing association or by creating a new entity. In essence, we
       are proposing that each industry designate a representative to be
       the channel for exchanging information with the government. Your
       reaction?
       
     * Create a National Infrastructure Assurance Council -- a very high
       level council comprised of senior CEOs from throughout the
       critical infrastructures, meeting regularly with selected Cabinet
       Officers. The Council would propose policies and create national
       awareness of infrastructure concerns.
   These recommendations lay the foundation for the "trusted environment"
   to achieving the public-private partnership essential for protection
   into the next century.
   
   We strongly endorse a policy of reliance on the private sector for
   problem-solving, solutions, and technology, but we also see a need for
   government to create a strong focal point for infrastructure
   protection. Thus we will recommend:
     * Tasking Federal Lead Agencies to bring together the owners and
       operators of the infrastructures to create the means for sharing
       information that is acceptable to all. The objective is to achieve
       voluntary participation of all players within each infrastructure
       and to assemble and exchange information without fear of
       attribution to specific sources.
       
     * Creating an Office of National Infrastructure Assurance to
       formulate policy and oversee government activities in
       infrastructure assurance and cyber security. This small Office and
       its support staff will promote and facilitate the public-private
       partnership, coordinate federal programs, integrate the
       government-wide infrastructure assurance R&D effort, assess
       vulnerabilities, and support the National Infrastructure Assurance
       Council.
   The sum of these efforts is to create channels for information to flow
   between decentralized private industry and centralized government
   organizations. For example, the federal lead agencies are the "adapter
   plug" from government to industry -- they facilitate the flow of
   government information to the private sector. The Sector
   Infrastructure Assurance Coordinator is the "adapter plug" in the
   opposite direction -- they facilitate the flow of private sector
   information to the government.
   
  R&D

   The Commission surveyed the federal government's research and
   development activities, and many of the private sector's, to identify
   programs developing the tools required to accomplish the
   infrastructure protection mission. We also solicited the views of many
   experts in information and infrastructure assurance regarding R&D
   needs. Our research revealed a range of technology needs for
   infrastructure assurance and a number of R&D efforts that should be
   accelerated. We identified that about $150 million per year is being
   spent on federal R&D for information assurance, which represents about
   60 percent of the overall expenditures on infrastructure related R&D.
   We identified very little R&D effort on the types of real-time
   detection, identification and response tools that the Commission
   believes are going to be required. Consequently, we recommend a
   doubling of federal funding for R&D in this area to $500 million per
   year.
   
Banking and Finance findings and recommendations

   Beyond those already mentioned, we have a number of recommendations
   ranging through the areas of law enforcement, education and awareness,
   and assisting state and local governments. But in the interest of
   time, I will focus briefly on those of specific interest to banking
   and finance.
   
   At the outset, I want to acknowledge that we found that due to both
   effective regulation and industry diligence, individual institutions
   within the U.S. banking and financial system are more advanced than
   those in other sectors in their uses of sophisticated tools and
   procedures to safeguard their operations from theft, fraud, and cyber
   crime. We applaud your vigilance in these areas.
   
   But, as you well know, major trends of change -- globalization,
   deregulation, Internet banking, and cyber cash -- combine to create
   new risks. This is true within the financial services industry as well
   as the telecommunications and electric power industries upon which
   financial services heavily depend. These trends will result in new
   kinds of interdependencies, and hence new kinds of system-wide risks.
   These must be assessed carefully as you move forward.
   
   There are some potential SYSTEMIC vulnerabilities now due to the
   geographic concentration of the major exchanges and payment systems
   operations centers. We are also concerned about the growing dependence
   on arterial telecommunication networks which are in the process of
   deregulation and are becoming transnational in their architecture and
   ownership.
   
   The range of cyber threats for exploiting these vulnerabilities begins
   with the most likely but least consequential activities of hackers,
   and extends to the currently least likely but highest potential impact
   attack by a nation state or terrorist group. Current defenses against
   common hackers and criminals are quite good. However, it is the
   vulnerability to a possible coordinated strategic attack on physical
   operations centers, or on the complex "system of systems" which
   enables this industry to function world-wide, that is of rising
   concern.
   
   Some examples of specific actions to reduce these existing
   vulnerabilities include:
     * Establishing contingency trading sites for the major exchanges.
     * Geographically dispersing key industry utilities as funds transfer
       and depositories.
     * Establishing an emergency satellite-based communication system
       linking major money center banks with funds transfer and clearance
       centers.
     * Installing better physical security, especially at exchanges.
     * Establishing a contingency data center for key industry messaging
       and data storage systems.
       
  INCENTIVES

   We have examined several options for influencing market forces within
   the private sector, including using insurance, loan guarantees, and
   tax incentives as levers to encourage the private sector to increase
   investment in infrastructure protection. We are still deliberating
   this issue.
   
  PRIVACY ISSUES IN THE EMPLOYER-EMPLOYEE RELATIONSHIP

   Throughout its year-long effort, the Commission has struggled to
   address the competing interests of security and privacy and the
   trade-offs between these two interests. The Commission has
   specifically studied the nexus of security and privacy in the
   employer-employee relationship. We are going to recommend that the
   Administration and Congress study ways to make some of the tools that
   the federal government uses to perform background checks and issue
   security clearances more readily available to employers within the
   critical infrastructures, at least in filling certain sensitive
   positions within those infrastructures. These efforts may afford you,
   for example, a greater ability to inquire into and make use of
   criminal history information, employment histories, and credit history
   information. Amendments should also be made to federal polygraph law
   to include within the scope of current exemptions those who are in the
   business of providing information security services. These amendments
   could not make it incumbent upon covered employers to polygraph
   employees, but merely allow them to do so to the extent permitted
   under applicable state law.
   
Conclusion

   I simply cannot conclude without asking if we have recommended
   anything that you perceive as onerous. The Commission is very
   concerned about economic competitiveness in this increasingly global
   economy, and we want to ensure that we are not proposing any
   recommendation that might detract from your ability to compete on the
   world stage.
   
   We on the Commission are relying on these types of open and honest
   discussions to help us focus our recommendations properly, so they
   will have the greatest chance for success. We need your feedback.
   
   Frank [Frank Wobst, Chair of Banking Industry Technology Secretariat],
   what do you think? What have you all been doing in the area of
   infrastructure protection? How do our recommendations fit in that
   scheme? Have we recommended anything that would cause hardship to you
   or your company?
   
Questions for discussion

   Are we on target with your sense of the scope of the problem and the
   general direction we are going?
   
  LAW ENFORCEMENT

   I know that I am about to tread on some delicate ground, but I would
   be remiss if I did not raise a question or two about your willingness
   to share information about cyber intrusions with law enforcement
   officials.
     * Do you feel that you have any discretion in reporting these types
       of intrusions? Or are you required to report every electronic
       penetration?
       
     * If you do have any discretion, what are the factors you take into
       account in deciding whether or not to call in law enforcement or
       deal with the situation in another way?
   We have often heard that there is no such thing as an unaccounted-for
   dollar. Are there any creative accounting entries used to make this
   statement true?
   
   What are the requirements for reporting losses? Is there a specific
   dollar threshold that requires a report to law enforcement? Is it
   established nationally by regulation or locally by the workload
   capacity of the nearest FBI field office?
   
   Do you share information among yourselves concerning the security of
   the infrastructure as a whole? Overall, we found banking and finance
   to have the least vulnerability to the cyber threat. Do you share
   "Best Practices?" What is the role of the federal and/or state
   regulatory agencies in establishing security standards?
   
   Although the banking and finance industry maintains that there are no
   issues associated with computer intrusions into databases, we have
   been advised that banks are actively hiring personnel with substantial
   backgrounds in computer security. What types of issues are being
   addressed by these individuals?
   
   As the Suspicious Activity Report contains all instances of suspected
   criminal activity, are you reporting electronic intrusions into your
   systems that do not result in the loss of funds, since that type of
   intrusion is a violation of the Computer Fraud and Abuse Act?
   
  PUBLIC CONFIDENCE

   Both the financial service industry and government require strong
   public confidence -- the industry in order to derive growth, and the
   government in order to derive political viability. Each is central to
   the daily lives of virtually every American, and the degree of trust
   the public is willing to place in them depends directly on the
   reliability of the services provided. Infrastructure, as the carrier
   of the communications and transactions which deliver those services,
   is, therefore, critical to the performance of both. With the retention
   of public confidence as a common bond, how might the industry and
   government better cooperate to assure that critical financial services
   are secured in the information age?
   
  INFORMATION SHARING

   What legal and cultural barriers exist to creating a mechanism for the
   mutual sharing of new information relating specifically to system-wide
   threats and vulnerabilities so that the risks they present might be
   better managed?
   
  ELECTRONIC COMMERCE

   The attractiveness of the Internet and the entire global information
   infrastructure as a means of commercial growth raises significant
   technological, security, and public policy issues. What are the
   principal barriers to the development of electronic commerce, how
   might they be overcome, and what is your estimate of the pace at which
   electronic commerce -- and electronic banking specifically -- will
   grow?
   
--
Stanton McCandlish                                           mech () eff org
Electronic Frontier Foundation                           Program Director
http://www.eff.org/~mech    +1 415 436 9333 x105 (v), +1 415 436 9333 (f)
Are YOU an EFF member?                            http://www.eff.org/join
************************************************************************
"They that can give up essential liberty to obtain a little temporary
 safety deserve neither liberty nor safety."       - Ben Franklin, ~1784
************************************************************************