Critical Infrastructure Protection
Last January, CRN reported on recommendations by the Presidential Commission on Critical Infrastructure Protection (PCCIP); the commission was charged with assessing the United States' ability to protect critical infrastructures from both physical and cyber attacks. Key among PCCIP's recommendations were establishing coordinated federal government mechanisms to detect, manage, and recover from such attacks, and directing $1 billion towards information assurance R&D by 2004. The report also endorsed the administration's key recovery and key management approach to encryption.
In May, President Clinton issued a Presidential Decision Directive (PDD) based on the Commission's report. And though the directive set into motion many structures called for by PCCIP, increased funding for information assurance R&D may not materialize until FY2000 at the earliest.
Announcement of the directive, "Critical Infrastructure Protection" (PDD-63), came during President Clinton's commencement speech at the U.S. Naval Academy. Referring to PCCIP's work, the President told graduates: "They [the Commission] returned with a pointed conclusion: our vulnerability, particularly to cyber attacks, is real and growing. And they made important recommendations that we will now implement to put us ahead of the danger curve."
But rounding that curve may call for skillful maneuvering. The issues surrounding infrastructure protection, says Peter G. Neumann, Principal Scientist, SRI, are "murky." "Most of the computer and communications systems we are dealing with are not adequate for what we need if we really want survivable systems." Further, he observes, "we're much too far away from where we need to be."
Getting to where the nation needs to be, or, perhaps, even making the case to do so, says Dr. Jeffrey Hunker, "is made more difficult because the sort of threat we are talking about hasn't happened yet to a great extent."
Hunker, a former Deputy Assistant to the Secretary of Commerce, heads up the new Critical Information Assurance Office (CIAO), one of the new entities established by PDD-63.
Emerging Federal Structure
Echoing many of PCCIP's basic recommendations regarding structure and organization, the directive calls for a complex mix of federal interagency relationships involving several interrelated infrastructure sectors: telecommunications, banking and finance, energy, transportation, and essential government services infrastructures. And like the PCCIP report, the directive attempts to foster an unprecedented degree of information-sharing between the public and private sectors. Among the new entities are:
The National Information Protection Center (NIPC), housed within the Federal Bureau of Investigation (FBI), with representatives from the Department of Defense (DoD) and National Security Agency (NSA). NIPC's duties include compiling and distributing threat and vulnerability information to both government and industry.
Critical Infrastructure Coordinating Group (CICG), chaired by the National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism (a new position created by a separate directive).
The Information Sharing Analysis Center (ISAC), which, according to the White House, "is encouraged to be set up by the private sector in cooperation with the federal government."
National Infrastructure Assurance Council (NIAC), to be comprised of Presidential appointees from private industry, as well as state and local government.
CIAO, which will soon be housed within the Department of Commerce, is tasked with coordinating the activities of the above entities, as well as working with federal department liaisons from each of the affected infrastructure sectors, and corresponding private industry liaisons. CIAO will also facilitate efforts to meet the President's 180-day deadline for developing a schedule for a National Infrastructure Assurance Plan.
Both the House and Senate have held hearings on these recent activities, with the Senate paying particular attention to the NIPC and also the upcoming plan. Says Michelle Van Cleave, Majority Counsel to the Senate Judiciary Subcommittee on Technology, Terrorism, and Government Information, "The PDD leaves a lot of questions open that the national plan is expected to answer." Van Cleave anticipates the subcommittee will again hold hearings following the plan's release.
Public interest groups such as the Electronic Privacy Information Center (EPIC) have also been keeping watch. According to Wayne Madsen, Senior Fellow with EPIC, "many of the new government structures combining the assets of the NSA, CIA, and DoD to conduct domestic monitoring and surveillance are at variance with the Posse Comitatus Act of 1878." The Act, he explains, prohibited the Army (and as amended later, the Air Force) from conducting domestic law enforcement activities, and "was aimed at curbing their enforcement role in reconstruction of the South. It has since been slowly whittled away to allow DoD to become involved in domestic anti-drug activities and border patrolling." Additionally, he notes, "NSA's intrusions into civil government are definitely in contravention of the Computer Security Act." Madsen is the author of EPIC's soon-to-be-released analysis of the PCCIP report.
Federal Funding
In its report, PCCIP proposed doubling the amount of federal funding now spent on information assurance R&D from $250 million to $500 million in FY1999. Ultimately, the Commission hoped for a total of $1 billion to be spent during the five-year period ending in 2004. The earliest funding cycle, however, would be FY2000. Though there's an agreement in principle that such funding is needed, says Hunker, "we don't want simply to throw money at the problem. We need to better understand what's taking place in federal government R&D, as well as private sector R&D."
CRN also asked Hunker about criticism that the PCCIP, in briefly designating six areas of research and development, had given the matter superficial treatment (the six areas were: information assurance; intrusion monitoring and detection; vulnerability assessment and systems analysis; risk management decision support; protection and mitigation; and incident response and recovery). "This is a new issue, a new area," replied Hunker. "It's a legitimate criticism to say the Commission 'scratched the surface' and we recognize that, which is why an R&D subgroup of the newly created CICG has been delving into that issue area." "I'm not saying we know all the answers; exactly the opposite. If people have input, we want to hear from them."
In this regard, Hunker urges the computing research community to contact his office directly, 202-696-9395, and/or participate in one of several upcoming outreach efforts planned for several cities. These efforts, he explains, are designed to educate local communities about critical infrastructure protection and to solicit input. News of upcoming visits and events can be found at the CIAO website, http://www.ciao.gov.
The PCCIP report also called on NSF to direct as much as $10 million annually over the next five years towards increasing the number of faculty knowledgeable in computer security (both in computer science departments as well as at business schools). Hunker agrees: "We profoundly need personnel who are trained in cyber security; we need to create the educational infrastructure" to achieve that objective.
Cryptography
The PCCIP's report, which endorses key recovery and key management, continues to draw criticism from groups like EPIC, the Center for Democracy and Technology (CDT), and leading computer security experts (a group of these experts recently updated their 1997 paper on this issue; see http://www.cdt.org/crypto/risks98).
Acknowledging that there are "strong views" on all sides of the issue, Hunker says, "our hope is that the encryption issue will be resolved to everyone's satisfaction." It's an important issue, he says, but it's only a small part of the challenges involved in protecting critical infrastructure.
Copyright © 1999 Computing Research Association. All Rights Reserved. Questions? E-mail: webmaster@cra.org.