Protecting Critical Infrastructures: A Threat to US Businesses and Individual Civil Liberties?
6/4/2001
Over the past 10 years, national and world infrastructures have been changed by the rapid development of digital technologies. Computer network companies built digital networks fast and furiously while the US government tried to play catch-up. Companies often worked independently of each other, grabbing the largest portions of networking traffic they could while weaving a wide web of networks with security problems and infrastructure issues.
From the moment the network race began, researchers saw security threats rising quickly on the horizon. The construction of a massive, decentralized networking system meant that the networks now contained numerous points of entry that could be vulnerable to attacks on the nation's critical infrastructure. Government demands for private network accessibility skyrocketed during the early 1990s as all federal departments upgraded their network capacities to prepare for the future. Soon, the national communication networks carried a substantial amount of government traffic. By 1997, more than 95 percent of the nation's critical infrastructures were owned and operated by non-government organizations.[1]
Creation of the new Internet backbone came at a large price: increasing vulnerability of the nation's infrastructure. Could the world's largest military and economic power fall to its knees by the act of an unknown cyber assailant? One report after another complained about the weaknesses of the critical infrastructures without any response from the White House. Finally, in 1996, the Clinton Administration realized the immense vulnerability of the nation's infrastructures. By the middle of the election year, Clinton knew it was the perfect time to unveil a plan to protect the US infrastructure from foreign and domestic threats.
II. Overview of PCCIP
In response to the cry of scholars and corporations alike over the poor security and condition of the nation's critical infrastructures, President Clinton created the President's Commission on Critical Infrastructure Protection (PCCIP). His signature on Executive Order 13010 on July 15, 1996, established a team of individuals that examined every part of the nation's critical infrastructure. The commission divided its concentration into five sectors: information and communications, banking and finance, energy, physical distribution, and vital human services. This report will only cover the commission's efforts within the information and communications sector; however, this sector links the other four sectors together.
The broad mandate of the President allowed the PCCIP to delve deeply into all areas of what they considered national security. "The Commission was chartered to conduct a comprehensive review and recommend a national policy for protecting critical infrastructures and assuring their continued operations," reads the commission's mission statement.[2] Delegates from federal departments normally associated with national infrastructures, including the Departments of Defense, Commerce, Energy, Transportation, and Treasury, sat on the President's Commission on Critical Infrastructure Protection.
This unusually large commission brought together some of the brightest and most influential persons in the technology and security fields. Retired Air Force General Robert T. Marsh chaired the commission, more than two-thirds of whose members came from the Armed Forces. Non-military figures included the secretaries of all the departments mentioned earlier, as well as the CIA, FBI, NSA, and a few members of the business community. Immediately, leaders of the telecommunications and computing industries vented their frustration that so few business leaders had been selected for the commission. Throughout the commission's life, very little formal interaction occurred between the PCCIP and the technology industry. A wall formed between the two parties early on, as some industry leaders took their gripes to the press. "There was never any formal commenting process for industry to voice its concerns," said Glenn Davidson, executive vice president of the Computer and Communications Industry Association. "It's not fair to say [the PCCIP] have had industry input."[3] Pitting the commission against the industry placed the PCCIP in a position of contention rather than one of cooperation, which, as we will see, manifested itself in the industry's grave concerns with the commission's recommendations.
After more than a year of hearings, investigations, simulations, and strategy sessions, the committee synthesized their work into five major findings.
• Increased dependence on critical infrastructures by both the government and businesses
• Greater vulnerability to the nation's most integral systems
• Wide spectrum of domestic and foreign threats
• General lack of awareness to the infrastructure's shortcomings by government
• Unfocused government attention to these problems
These findings came as little surprise to the industry. Industry analysts had known for years of the poor condition of the nation's infrastructures, especially since the industry had incurred major infrastructure failures during the 1990s. On September 17, 1991, miscommunication between AT&T's 1-800 switch center in New York City and local electricity officials brought telephone service to a halt in Manhattan for more than eight hours, affecting an estimated 8 million calls.[4] Five years later in 1996, more than 7.5 million electricity customers throughout the US Pacific Coast went without power for hours as a temporary glitch in the region's electrical grid forced surprise outages. The PCCIP marked these industry failures as warning signs for future infrastructure problems and used them to serve as a foundation for building an argument for large-scale government participation to avoid future calamities.
Throughout the hundreds of pages documenting potential areas of threats and vulnerabilities, the commission showcased every conceivable act that might harm the nation's critical infrastructures and potentially cost lives. Simple statements in the report made attacking the nation's communications network seem like child's play. In one example, the commission wrote that "a personal computer and a simple telephone connection to an Internet Service Provider anywhere in the world are enough to cause a great deal of harm."[5] Many analysts in the technology industry, however, felt that these simplistic possibilities were outlandish and left much to the reader's imagination. They argued that no conclusive evidence could be shown to prove any of these attack theories as a true possibility in the near future. Even the commission admitted that there was no evidence of an "impending cyber attack which could have a debilitating effect on the nation's critical infrastructure."[6] Industry and social scientists believed that a greater threat came from within the organizations that controlled the critical infrastructures rather than from vague foreign and domestic "hackers". They believed that the psychology of those who created the computer systems that ran the infrastructure needed to be looked at more closely.[7] Wherever the threat might come from, it was clear that yet again the commission and the technology industry were at odds.
IV. PCCIP vs. Industry Recommendations
Leading the world into the information age is a role the US seems to be boldly taking alone. While the potential profits gained by taking this leadership position in the communications market have made the journey well worthwhile, the PCCIP found that the US became increasingly dependent on its critical infrastructures. This intensive pressure to maintain a safe communications network has now become a national security issue, as many government bodies have placed their trust in the worthiness of these networks. To ramp up protection, the commission offered five key policy recommendations to encourage both the business and government communities to work together in safeguarding our national interests.
• Education and awareness programs to spotlight infrastructure weaknesses
• Infrastructure protection through government-business cooperation
• Creation of innovative laws for unregulated areas of cyberspace
• Increased research and development on protecting critical infrastructures
• Building new government agencies and czars to oversee protection practices
After the President unveiled his Presidential Decision Directive 63 (PDD 63), the five recommendations of the PCCIP quickly became the official policy of the Clinton Administration. The directive stated that by the year 2000, the United States would achieve initial operations for these policies and soon thereafter fully implement a national security system that could prevent the dangerous threats found by the commission.[8] President Clinton understood the need for cooperation between the federal government and the technology industry. Without this partnership, the administration would have great difficulty building a more powerful national security system. Little did he know that the industry would soon begin its own campaign against the recommendations of the PCCIP, one that would greatly hinder the implementation process.
We will study each recommendation carefully, detailing both the government's and industry's viewpoints and highlighting places where the government's failure to allow more input from technology companies during the investigation came back to haunt it.
Awareness and education
The PCCIP quickly discovered that the government (in general) poorly understood the infrastructure problems affecting the nation. While leaders in the industry lived with these problems on a day-to-day basis, government officials seemed oblivious to an infrastructure problem that one principal scientist at SRI International said "simply stinks."[9] Education, the commission felt, was key to making sure that the government made this issue a priority.
To increase awareness and encourage research, the PCCIP recommended that the government begin a wave of White House conferences, National Academy studies, presentations at industry associations, and sponsorship of graduate studies and programs in the arena of critical infrastructure technology.[10] President Clinton's signature on PDD 63 delivered the money necessary to build government sponsored programs through National Science Foundation grants, while the White House began developing a campaign to spread the word to all sectors of the federal government.
For the most part, corporations seemed happy with the administration's desire to educate the government and other industries on building stronger support structures. Just as the PCCIP found it necessary to educate the government on its dependency on private infrastructures, corporations felt compelled to promote industry-wide practices that would avoid lawsuits and breakdowns in the communications structures.
Criticism should be pointed at some of the commission's proposed tactics in raising awareness. Primarily, the PCCIP took a strong stance on educating the public rather than focusing its efforts on the government sector. For instance, the commission proposed an advertisement campaign that harkens back to the "Smokey the Bear" campaign against forest fires. More than four of the six pages on education in the report focus on end-users, who often have little to no knowledge of the nation's critical infrastructure. Why spend money on educating the end-user when the government can focus a smaller campaign directly on those in charge of making sure the safety of the critical infrastructures remains a priority? Additionally, the government must make sure its message does not appear like a witch-hunt for covert hackers. Computer programmers form a tight-knit community of workers who continue to be in high demand. Casting a shadow of doubt on key workers could cause a significant decrease in morale and eventually lead to the very events we are trying to avoid.
Infrastructure protection through cooperation
Cooperation between the government and industry is the cornerstone of the commission's policy recommendations. Without this relationship, the PCCIP knew that it would be impossible to create an adequate protection program. One way the commission built this link was by asking that corporations share the costs of developing infrastructure protection with the government. Translated into layman's terms, this reads, "corporations should bear the burden of the costs." While the commission did recommend that the federal government increase spending for infrastructure protection up to $1B by the year 2004, that amount is only a fraction of that which the private industry will need to pay.[11] Making it clear that corporations will have to foot most of the costs, the PCCIP report says that since the private market owns 95% of the critical infrastructure, "...it is natural to assume that [corporations] will be expected to pick up the large majority of the costs for maintaining and assuring access to these infrastructures."[12]
The report lists a wide variety of incentive tools, such as government grants, in-kind reimbursements, assurance of demand, tax credits, tax-exempt bonds, and loans, but fails to analyze the true market impacts of such investments. Only eight of the over 300 pages of work detail any economic impact to the technology sector, and of those pages none contain a cost-benefit analysis. The commission created a mandate for the private industry to follow, but failed to quantify the ramifications of its actions.
In addition to sharing responsibility for the costs of upgrades, the PCCIP recommended that the government create Key Management Infrastructures (KMI). The commission believed that these systems would be "the only way to enable encryption on a large scale," by essentially allowing the government (more specifically the FBI and NSA) to have a "golden-key" for every encryption system used by corporations that build and maintain the nation's infrastructure.[13] Deputy Undersecretary of Defense for Policy Support Linton Wells once went as far as to say the Department of Defense would "put its money where its mouth is by requiring private vendors to turn over to DOD the encryption key to software programs enabling access to companies' encryption codes in the event of an emergency."[14]
There are two problems with the PCCIP's recommendation for a KMI. First, nothing suggests that the security system used to hold the golden keys of our nation's companies would hold up any better under a cyber attack than the systems the companies themselves have installed. In fact, a decentralized system often provides the best protection against encryption break-ins.[15] Further risks in the deployment of such a storage facility include back-door access (yet another place to steal data), insider abuse, and an immensely large-scale project that could potentially attract malicious hacking more than private corporations' databases.[16] It is ironic that the committee, so worried about the security threats to our nation's critical infrastructures, would create yet another infrastructure that would have security risks of its own.
When encryption and security systems failed to stop intruders on corporate networks, the PCCIP believed that companies should share that information with the rest of the industry through an information-sharing program. While such a system could assist in the creation of better security technologies, it is laughable to think that competitive corporations would make public the security threats to their infrastructures. By detailing their security failures, companies would lose customer confidence as well as any competitive advantages they may have built over time against their competitors. Without a strong market incentive or guaranteed privacy protection by the government, very few corporations will likely take part in such activities.
To combat these forces, the commission took dangerous steps towards changing federal laws that would hamper their efforts. For instance, they recognized that the Freedom of Information Act (FOIA) would allow the public to view non-classified government paperwork on request. Such requests could include items such as those collected through these security briefs by corporations. The commission recommended that exemptions be made in the FOIA to keep these records confidential and hidden from the public. Such an action could send us down a slippery slope, which could ultimately lead to the exact opposite of the spirit of the FOIA. Furthermore, a recommendation was made that corporations who did not follow the guidelines on security breaches should be held liable for their ignorance. A demand such as this squarely butts against the First Amendment rights of the corporation, forcing speech without a court ordered subpoena. These actions endanger our government by having it overstep its bounds and directly violate the freedoms secured to stockholders and owners by the First Amendment.
A final area of contention within cooperation standards includes possible government monitoring of network connections. In 1996, a Defense Science Board (under the Department of Defense) called the technology to monitor the National Information Infrastructure "inadequate."[17] Ramping up this monitoring system, the PCCIP report proposed the development of large-scale monitoring, including techniques that were used against hostile foreign countries during the Cold War.[18] One possible way of completing such a daunting task would be by tracing the unique serial numbers on each Intel Pentium computer processor. This would allow investigators to track not only which Internet Protocol (IP) address a signal is being sent from, but also the actual computer creating the message.
Privacy rights activists and consumer advocates immediately cried foul. These groups believed that an individual's civil liberties outweighed the government's interest in "early warning and response capabilities." Many experts point to the Electronic Communications Privacy Act (ECPA) of 1986 as a benchmark set by the government to extend First Amendment rights into the online world. If anything, laws such as the ECPA should be reinforced rather than crippled by future government actions. A monitoring system such as that proposed by the PCCIP smacks right against the civil liberties of citizens and would only further encourage businesses to build stronger encryption systems to keep the government out of a message's content.
New cyberspace specific laws and regulations
The general consensus of the PCCIP was that the law had failed to keep pace with the rapidly changing technologies. The sheer volume of laws that would quickly become outdated or simply incapable of helping protect the nation's critical infrastructure astounded the commission as they researched statutes at the local, state, and federal levels. One of the commission's main objectives was to help Congress and other legislative bodies create "legislation to increase the effectiveness of federal infrastructure assurance and protection efforts."[19] In looking at building new laws, the commission separated legislation ideas into physical and cyber categories. Physical laws were focused mostly on systems of punishment and rewards. For example, some members suggested that the US Sentencing Commission look further into increasing sentences for criminals who attacked the nation's infrastructure, especially those who caused serious "downstream" effects.[20] In the cyber realm, the commissioners proposed that the Department of Justice work with state and local governments to compile demographics of computer crime, and focus efforts with these agencies to better deter and respond to juvenile attacks.[21] Additionally, since the US led the world in these new technologies, the commission argued that it should also lead the world in creating an international criminal investigative body to assist in joining law enforcement bodies from across national borders in their fight against cyber-crimes. Although no specific pieces of legislation were drafted, the PCCIP made it clear that the US needed to address the weakness of current laws in protecting the critical infrastructures from attacks both domestic and foreign.
For the most part, citizen groups and the technology industry agreed with the findings and recommendations of the PCCIP. There were two areas, however, where industry felt that the government's response to possible cyber attacks strayed from the needs of the infrastructure. First, the commission may have mistakenly believed that new regulation and laws would actually be able to keep up with the changing technology. Government, especially the federal government, works at a snail's pace when it comes to drafting, passing, and implementing new legislation. If slowness and lack of response by the government was one of the primary reasons why we reached this critical point in the first place, who's to say that future legislation would be able to keep up with technology swings any better than past legislation? The government should instead take from past pieces of legislation and simply increase their scope of coverage, or simply instruct the courts through legislation to more broadly interpret current laws to cover uncharted areas regarding the high tech infrastructure.
Additionally, the industry and netizens had strong disagreements with the commission with respect to the size and strength of potential threats and attacks against the infrastructure. For instance, the Pentagon told news agencies that during 1995, hackers had intruded into its computer network on more than 250,000 occasions.[22] Soon after this press release, technology experts discovered that the agency had received only 500 reports from its own technicians, and that the figure had been inflated to more accurately account for the perceived number of total attacks. Striking incidents of alarm hype worried industry leaders, who felt that the government had begun to make up "guesstimates" to drive home industry support. Rather than building coalitions with technology experts, the Department of Defense and other federal government agencies increased the gap between industry and support for national security legislation.
Research and development
Many of the problems that led up to the current infrastructure protection crisis could have been avoided if the federal government had focused its energies on research and development. As stated earlier, the commission recommended that the federal government increase research and development funding to $1B by the year 2000. Most of the funding would be targeted towards the National Research Council to be used to learn new techniques in the areas of protection, risk management support, vulnerability assessment, intrusion monitoring, and information assurance.[23] The commission strongly believed that these areas of research desperately needed funding if the government wanted to ramp up protection by the year 2000, the goal set by the President at the outset of his executive order.
Corporations saw these recommendations in a positive light. Any further research into this arena would help educate government officials in areas where the technology industry felt the government lacked full comprehension of the infrastructure's problems. Again, however, the issue of network monitoring, especially the training of whole FBI departments, shocked the industry. As argued earlier, corporations and netizen communities strongly opposed the idea of government monitoring, which they believed was essentially wiretapping without a court ordered warrant. For the most part, however, corporations felt that increases in government research and development could only enlighten an unfocused government agency.
Building new government agencies and updating older ones
Throughout their report, the PCCIP repeatedly pointed the President towards creating new infrastructure protection agencies that would provide focal points for cooperation among governmental departments. Three new agencies formed out of the recommendations of the commission: National Infrastructure Protection Center (NIPC), Information Sharing and Analysis Center (ISAC), and the Critical Infrastructure Assurance Office (CIAO).[24] Each of these new offices would be dedicated to increasing communication between departments as well as between the government and industry. In addition to these new agencies, PDD 63 gave new responsibilities to the Departments of Defense, Treasury, Commerce, Transportation, Justice (FBI), Energy, and State, as well as directives to the EPA, FEMA, and Health and Human Services. Heavier responsibilities were given to those agencies more closely involved with national security protection, such as the CIA and FBI. While the three original organizations focused on warning and information systems for the federal government, the CIA and FBI took on more assertive roles in ongoing cyber threat investigations.
One of the more controversial decisions of the PCCIP was the placement of the NIPC within the FBI. In the past, the FBI's role was one of investigation of crimes against the government. By placing the NIPC inside the FBI, the agency would now take on a new "protective" role, which industry leaders feared the FBI could abuse by using its investigative tactics under the guise of protection.[25] The PCCIP wanted to use the NIPC as a means of gaining volunteer interaction by corporations with government interests in critical protection. Would this mean that the FBI could now forcibly induce corporations to volunteer their information on weaknesses in the network infrastructure? The Presidential Decision Directive left this area unclear, and still today corporations must carefully decide on their approach to the FBI's "voluntary" inquiries.
V. Conclusions: Future Policy Direction
[1] PCCIP, Critical Foundations: Protecting America's Infrastructures (October 1997) (hereinafter "PCCIP Report").
[2] PCCIP, Summary Report, pg. 2.
[3] Leopold, George, EE Times, "Critics Blast U.S. Cyber Plan," (May 1998).
[4] PCCIP, Economic Impacts of Infrastructure Failures, pg. 80.
[5] PCCIP, Summary Report, pg. 3.
[6] PCCIP, PCCIP Report, pg. 20.
[7] Shaw, Ruby, and Post, "The Insider Threat to Information Systems," Political Psychology Assc., (1996) pg. 67.
[8] United States, White Paper for the Presidential Decision Directive 63 (May 1998), pg. 2.
[9] Neumann, Peter, at a conference in San Jose, CA called "Network Security and Firewalls 97" (October 1997).
[10] PCCIP, Summary Report, pg. 7.
[11] Chapman, Gary, "Is the Internet a Matter of National Security?" Los Angeles Times (September 1997).
[12] PCCIP, Incentives to Encourage Infrastructure Assurance Investments, pg. 2.
[13] PCCIP, PCCIP Report, pg. 61.
[14] Electronic Privacy Information Center (EPIC), "An Assessment of the PCCIP," (1998) pg. 18.
[15] Center for Democracy and Technology, "Presidential Commission on Critical Infrastructure Endorses Key Recovery," (November 1997).
[17] EPIC, "An Assessment of the PCCIP," (1998) pg. 17.
[18] PCCIP, PCCIP Report, pg. 61.
[19] PCCIP, PCCIP Report, pg. 79.
[20] PCCIP, PCCIP Report, pg. 83.
[21] PCCIP, PCCIP Report, pg. 84.
[22] Smith, George, "An Electronic Pearl Harbor? Not Likely," Issues in Science and Technology (Fall 1998).
[23] PCCIP, PCCIP Report, pgs. 89-91.
[24] United States, Presidential Decision Directive 63, pgs. 8-9.
[25] O'Neil, Michael and Dempsey, James, "Critical Infrastructure Protection: Threats to Privacy and Other Civil Liberties and Concerns with Government Mandates on Industry," DePaul Business Law Journal, (1999/2000) pg. 3.