Protecting Critical Infrastructures:  A Threat to US Businesses and Individual Civil Liberties?

 

Ryan W. Ozimek

6/4/2001

 

  1. Introduction
  2. Overiew of the PCCIP
  3. PCCIP‚s Findings
  4. PCCIP vs. Industry Recommendations
  5. Conclusion: Future Policy Direction

 

 

I.  Introduction

            Over the past 10 years, national and world infrastructures have been changed by the rapid development of digital technologies.  Computer network companies built digital networks fast and furiously while the US government tried to play catch-up.  Companies often worked independently of each other, grabbing the largest portions of networking traffic they could while weaving a wide web of networks with security problems and infrastructure issues.

 

Since the moment the network race began, researchers realized security threats quickly rising on the horizon.  The construction of a massive, decentralized networking system meant that the networks now contained numerous points of entry that could be vulnerable to attacks on the nation‚s critical infrastructure.  Government demands for private network accessibility skyrocketed during the early 1990‚s as all federal departments upgraded their network capacities to prepare for the future.  Soon, the national communication networks carried a substantial amount of government traffic.  By 1997, more than 95 percent of the nation‚s critical infrastructures were owned and operated by non-government organizations.[1]

 

Creation of the new Internet backbone came at a large price:  increasing vulnerability of the nation‚s infrastructure.  Could the world‚s largest military and economic power fall to its knees by the act of an unknown cyber assailant?  One report after another complained about the weaknesses of the critical infrastructures without any response from the White House.  Finally, in 1996, the Clinton Administration realized the immense vulnerability of the nation‚s infrastructures.  By the middle of the election year, Clinton knew it was the perfect time to unveil a plan to protect the US infrastructure from foreign and domestic threats.
II.  Overview of PCCIP

            In response to the cry of scholars and corporations alike over the poor security and condition of the nation‚s critical infrastructures, President Clinton created the President‚s Commission on Critical Infrastructure Protection (PCCIP).  His signature on Executive Order 13010 on July 15, 1996, established a team of individuals that examined every part of the nation‚s critical infrastructure.  The commission divided its concentration into five sectors:  information and communications, banking and finance, energy, physical distribution, and vital human services.  This report will only cover the commissions efforts within the information and communications sector, however, this sector links the other four sectors together.

 

            The broad mandate of the President allowed the PCCIP to delve deeply into all areas of what they considered national security.  „The Commission was chartered to conduct a comprehensive review and recommend a national policy for protecting critical infrastructures and assuring their continued operations,š reads the commission‚s mission statement.[2]  Delegates from federal departments normally associated with national infrastructures, including the Departments of Defense, Commerce, Energy, Transportation, and Treasury, sat on the President‚s Commission on Critical Infrastructure Protection.

 

            This unusually large commission brought together some of the brightest and most influential persons in the technology and security fields.  Retired Air Force General Robert T. Marsh chaired the commission, of which more than two-thirds of its members came from the Armed Forces.  Non-military figures included the secretaries of all the departments mentioned earlier, as well as the CIA, FBI, NSA, and a few members of the business community.  Immediately, leaders of the telecommunications and computing industries vented their frustration that so few business leaders had been selected on the commission.  Throughout the commission‚s life, very little formal interaction occurred between the PCCIP and the technology industry.  A wall formed between the two parties early on, as some industry leaders took their gripes to the press.  „There was never any formal commenting process for industry to voice its concerns,š said Glenn Davidson, executive vice president of the Computer and Communications Industry Association.  „It‚s not fair to say [the PCCIP] have had industry input.š[3]  Pitting the commission against the industry placed the PCCIP in a position of contention rather than one of cooperation, which as we will see manifested itself in the industry‚s grave concerns with the commission‚s recommendations.


III.  PCCIP‚s Findings

            After more than a year of hearings, investigations, simulations, and strategy sessions, the committee synthesized their work into five major findings.

 

Š        Increased dependence on critical infrastructures by both the government and businesses

Š        Greater vulnerability to the nation‚s most integral systems

Š        Wide spectrum of domestic and foreign threats

Š        General lack of awareness to the infrastructure‚s shortcomings by government

Š        Unfocused government attention to these problems

 

 

These findings did not hit the industry with much surprise.  Industry analysts had known for years the poor condition of the nation‚s infrastructures, especially since the industry had incurred major infrastructure failures during 1990‚s.  On September 17, 1991, miscommunication between AT&T‚s 1-800 switch center in New York City and local electricity officials brought telephone service to a halt in Manhattan for more than eight hours, affecting an estimated 8 million calls.[4]  Five years later in 1996, more than 7.5 million electricity customers throughout the US Pacific Coast went without power for hours as a temporary glitch in the region‚s electrical grid forced surprise outages.  The PCCIP marked these industry failures as warning signs for future infrastructure problems and used them to serve as a foundation for building an argument for large-scale government participation to avoid future calamities.

 

Throughout the hundreds of pages documenting potential areas of threats and vulnerabilities, the commission showcased every conceivable act that might harm the nation‚s critical infrastructures and potentially cost lives.  Simple statements in the report made attacking the nation‚s communications network seem like child‚s play.  In one example, the commission wrote that, „a personal computer and a simple telephone connection to an Internet Service Provider anywhere in the world are enough to cause a great deal of harm.š[5]  Many analysts in the technology industry, however, felt that these simplistic possibilities were outlandish and lent much to the reader‚s imagination.  They argued that no conclusive evidence could be shown to prove any of these attack theories as a true possibility in the near future.  Even the commission admitted that there was no evidence of an, „impending cyber attack which could have a debilitating effect on the nation‚s critical infrastructure.š[6]  Industry and social scientists believed that a greater threat came from within the organizations that controlled the critical infrastructures rather than from vague foreign and domestic „hackersš.   They believed that the psychology of those who created computer systems that ran the infrastructure needed to be looked at more closely.[7]  Wherever the threat might come from, it was clear that yet again the commission and the technology industry were at odds.


IV.  PCCIP vs. Industry Recommendations

            Leading the world into the information age is a role the US seems to boldly be taking alone.  While the potential profits gained by taking this leadership position in the communications market have made the journey well worthwhile, the PCCIP found that the US became increasingly dependent on its critical infrastructures.  This intensive pressure to maintain a safe communications network has now become a national security issue, as many government bodies have placed their trust in the worthiness of these networks.  To ramp-up protection, the commission offered five key policy recommendations to encourage both the business and government communities to work together in safeguarding our national interests.

 

Š        Education and awareness programs to spotlight infrastructure weaknesses

Š        Infrastructure protection through government-business cooperation

Š        Creation of innovative laws for unregulated areas of cyberspace

Š        Increased research and development on protecting critical infrastructures

Š        Building new government agencies and czars to oversee protection practices

 

After the President unveiled his Presidential Decision Directive 63 (PPD 63), the five recommendations of the PCCIP quickly became the official policy of the Clinton Administration.  The directive stated that by the year 2000, the United States would achieve initial operations for these policies and soon thereafter fully implement a national security system that could prevent the dangerous threats found by the commission.[8]  President Clinton understood the need for cooperation between the federal government and the technology industry.  Without this partnership, the administration would have great difficulty building a more powerful national security system.  Little did he know that the industry soon began its own campaign against the recommendations of the PCCIP that would greatly hinder the implementation process.

 

            We will study each recommendation carefully, detailing both the government and industry‚s viewpoints and highlight places where the government‚s failure to allow more input from technology companies during the investigation came back to haunt them.

 

Awareness and education

            The PCCIP quickly discovered that the government (in general) poorly understood the infrastructure problems affecting the nation.  While leaders in the industry lived with these problems on a day-to-day basis, government officials seemed oblivious to the infrastructure problem that one principle scientist at SRI International said, „simply stinks.š[9]  Education, the commission felt, was key to making sure that the government made this issue a priority.

 

            To increase awareness and encourage research, the PCCIP recommended that the government begin a wave of White House conferences, National Academy studies, presentations at industry associations, and sponsorship of graduate studies and programs in the arena of critical infrastructure technology.[10]  President Clinton‚s signature on PDD 63 delivered the money necessary to build government sponsored programs through National Science Foundation grants, while the White House began developing a campaign to spread the word to all sectors of the federal government.

 

            For the most part, corporations seemed happy with the administration‚s desire to educate the government and other industries on building stronger support structures.  Just as the PCCIP found it necessary to educate the government on its dependency on private infrastructures, corporations felt compelled to promote industry-wide practices that would avoid lawsuits and breakdowns in the communications structures. 

 

Criticism should be pointed at some of the commission‚s proposed tactics in raising awareness.  Primarily, the PCCIP took a strong stance on educating the public rather than focusing its efforts on the government sector.  For instance, the commission proposed an advertisement campaign that harkens back to the „Smokey the Bearš campaign against forest fires.  More than four of the six pages on education in the report focus on end-users, whom often have little to no knowledge of the nation‚s critical infrastructure.  Why spend money on educating the end-user when the government can focus a smaller campaign directly on those in charge of making sure the safety of the critical infrastructures remain a priority?  Additionally, the government must make sure its message does not appear like a witch-hunt for covert hackers.  Computer programmers create a tight knit community of workers that continue to be in high demand.  Casting a shadow of doubt on key workers could cause a significant decrease in morale and eventually lead up to the events we are trying to avoid.

 

Infrastructure protection through cooperation

Cooperation between the government and industry is the cornerstone of the commission‚s policy recommendations.  Without this relationship, the PCCIP knew that it would be impossible to create an adequate protection program.  One way the commission built this link was by asking that corporations share the costs of developing infrastructure protection with the government.  Simple translation into laymen‚s terms reads this as, „corporations should bear the burden of the costs.š  While the commission did recommend that the federal government increase spending for infrastructure protection up to $1B by the year 2004, that amount is only a fraction of that which the private industry will need to pay.[11]  Making it clear that corporations will have to foot most of the costs, the PCCIP report says that since the private market owns 95% of the critical infrastructure, „∑it is natural to assume that [corporations] will be expected to pick up the large majority of the costs for maintaining and assuring access to these infrastructures.š[12]

 

The report lists a wide variety of incentive tools, such as government grants, in-kind reimbursements, assurance of demand, tax credits, tax-exempt bonds, and loans, but fails to analyze the true market impacts of such investments.  Only eight of the over 300 pages of work detail any economic impact to the technology sector, and of those pages none contain a cost-benefit analysis.  The commission created a mandate for the private industry to follow, but failed to quantify the ramifications of its actions.

 

In addition to sharing responsibility for the costs of upgrades, the PCCIP recommended that the government create Key Management Infrastructures (KMI).  The commission believed that these systems would be, „the only way to enable encryption on a large scale,š by essentially allowing the government (more specifically the FBI and NSA) to have a „golden-keyš for every encryption system used by corporations that build and maintain the nation‚s infrastructure.[13]  Deputy Undersecretary of Defense for Policy Support Linton Wells once went as far as to say the Department of Defense would, „put its money where its mouth is by requiring private vendors to turn over to DOD the encryption key to software programs enabling access to companies‚ encryption codes in the event of an emergency.š[14]

 

There are two problems with the PCCIP‚s recommendation for a KMI.  First, nothing suggests that the security system used to hold the golden keys of our nation‚s companies would hold up any better under a cyber attack than the systems the companies themselves have installed.  In fact, a decentralized system often provides the best protection against encryption break-ins.[15]  Further risks in the deployment of such a storage facility include back-door access (yet another place to steal data), insider abuse, and an immensely large scale project that could potentially attract malicious hacking more than private corporation‚s databases.[16]  It is ironic that the committee, so worried about the security threats to our nation‚s critical infrastructures, would create yet another infrastructure that would have security risks of its own.

 

When encryption and security systems failed to stop intruders on corporate networks, the PCCIP believed that companies should reveal that information with the rest of the industry through an information-sharing program.  While such a system could assist in the creation of better security technologies, it is laughable to think that competitive corporations would make public security threats to their infrastructures.  By detailing their security failures, companies would lose customer confidence as well as any competitive advantages they may have built over time against their competitors.  Without a strong market incentive or guaranteed privacy protection by the government, very few corporations will likely take part in such activities.

 

To combat these forces, the commission took dangerous steps towards changing federal laws that would hamper their efforts.  For instance, they recognized that the Freedom of Information Act (FOIA) would allow the public to view non-classified government paperwork on request.  Such requests could include such items as those collected through these security briefs by corporations.  The commission recommended that exemptions be made in the FOIA to keep these records confidential and hidden from the public.  Such an action could send us down a slippery slope, which could ultimately lead to the exact opposite of the spirit of the FOIA.  Furthermore, a recommendation was made that corporations whom did not follow the guidelines on security breaches should be held liable for their ignorance.  A demand such as this squarely butts against the First Amendment rights of the corporation, forcing speech without a court ordered subpoena.  These actions danger endanger our government by having it overstep its bounds and directly violating the freedoms secured by the stockholders and owners by the First Amendment.

 

A final area of contention within cooperation standards includes possible government monitoring of network connections.  In 1996, a Defense Science Board (under the Department of Defense) called the technology to monitor the National Information Infrastructure „inadequate.š[17]  Ramping up this monitoring system, the PCCIP report proposed the development of large-scale monitoring, including techniques that were used against hostile foreign countries during the Cold War.[18]  One possible way of completing such a daunting task would be by tracing the unique serial numbers on each Intel Pentium computer processor.  This would allow investigators to track not only which Internet Protocol (IP) address and signal is being sent from, but also the actual computer creating the message.

 

Privacy rights activists and consumer advocates immediately screamed foul.  These groups believed that an individual‚s civil liberties outweighed the government‚s interest in „early warning and response capabilities.š  Many experts point to the Electronic Communications Privacy Act (ECPA) of 1986 as a benchmark sent by the government to extend First Amendment rights into the online world.  If anything, laws such as the ECPA should be reinforced rather than crippled by future government actions.  A monitoring system such as that proposed by the PCCIP smacks right against the civil liberties of citizens and would only further encourage businesses to build stronger encryption systems to keep the government out of a message‚s content.

 

New cyberspace specific laws and regulations

            The general consensus of the PCCIP was that the law had failed to keep pace with the rapidly changing technologies.  The sheer volume of laws that would quickly become outdated or simply incapable of helping protect the nation‚s critical infrastructure astounded the commission as they researched statutes at the local, state, and federal levels.  One of the commission‚s main objectives was to help Congress and other legislative bodies create, „legislation to increase the effectiveness of federal infrastructure assurance and protection efforts.[19]  In looking at building new laws, the commission separated legislation ideas into physical and cyber categories.  Physical laws were focused mostly on systems of punishment and rewards.  For example, some members suggested that the US Sentencing Commission look further into increasing sentences for criminals who attacked the nation‚s infrastructure, especially those who caused serious „downstreamš effects.[20]  In the cyber realm, the commissioners proposed that the Department of Justice work with state and local governments to compile demographics of computer crime, and focus efforts with these agencies to better deter and respond to juvenile attacks.[21]  Additionally, since the US lead the world in these new technologies, the commission argued that it should also lead the world in creating an international criminal investigative body to assist in joining law enforcement bodies from across national borders in their fight against cyber-crimes.  Although no specific pieces of legislation were drafted, the PCCIP made it clear that the US needed to address the weakness of current laws in protecting the critical infrastructures from attacks both domestic and foreign.

 

            For the most part, citizen groups and the technology industry agreed with the findings and recommendations of the PCCIP.  There were two areas, however, where industry felt that the government‚s response to possible cyber attacks strayed from the needs of the infrastructure.  First, the commission may have mistakenly believed that new regulation and laws would actually be able to keep up with the changing technology.  Government, especially the federal government, works at a snail‚s pace when it comes to drafting, passing, and implementing new legislation.  If slowness and lack of response by the government one of the primary reasons why we reached this critical point in the first place, who‚s to say that future legislation would be able to keep up with technology swings any better than past legislation?  The government should instead take from past pieces of legislation and simply increase their scope of coverage, or simply instruct the courts through legislations to more broadly interpret current laws to cover uncharted areas regarding the high tech infrastructure.

 

            Additionally, the industry and netizens had strong disagreements with the commission with respect to the size and strength of potential threats and attacks against the infrastructure.  For instance, the Pentagon told news agencies that during 1995, hackers had intruded its computer network on more than 250,000 occasions.[22]  Soon after this press release, technology experts discovered that the agency received on 500 reports from its own technicians, and that the figure had been inflated to more accurately account for the perceived number of total attacks.  Striking incidents of alarm hype worried industry leaders, whom felt that the government had began to make up „guesstimatesš to drive home industry support.  Rather than building coalitions with technology experts, the Department of Defense and other federal government agencies increased the gap between industry and support for national security legislation.

 

Research and development

          Many of the problems that led up to the current infrastructure protection crisis could have been avoided if the federal government had focused its energies into research and development.  As stated early, the commission recommended that the federal government increase research and development funding to $1B by the year 2000.  Most of the funding would be targeted towards the National Research Council to be used to learn new techniques in the areas of protection, risk management support, vulnerability assessing, intrusion monitoring, and information assurance.[23]  The commission strongly believed that these areas of research desperately needed funding if the government wanted to ramp up protection by the year 2000, the goal set by the President at the outset of his executive order.

 

            Corporations saw these recommendations in a positive light.  Any further research into this arena would help educate government officials in areas that the technology felt the government lacked full comprehension of the infrastructure‚s problems.  Again, however, the issue of network monitoring, especially the training of whole FBI departments, shocked the industry.  As argued earlier, corporations and netizen communities strongly opposed the idea of government monitoring, which they believed was essentially wiretapping without a court ordered warrant.  For the most part, however, corporations felt that increases in government research and development could only enlighten an unfocused government agency.

 

Building new government agencies and updating older ones

            Throughout their report, the PCCIP repeatedly directed the President in the direction of creating new infrastructure protection agencies that would provide focal points for cooperation among governmental departments.  Three new agencies formed out of the recommendations of the commission:  National Infrastructure Protection Center (NIPC), Information Sharing and Analysis Center (ISAC), and the Critical Infrastructure Assurance Office (ISAC).[24]  Each of these new offices would be dedicated to increasing communication between departments as well as between the government and industry.  In addition to these new agencies, PPD 63 gave new responsibilities to the Departments of Defense, Treasury, Commerce, Transportation, Justice (FBI), Energy, and State, as well as directives to the EPA, FEMA, and Health and Human Services.  Heavier responsibilities were given to those agencies more closely involved with national security protection, such as the CIA and FBI.  While the three original organizations focused  on warning and information systems for the federal government, the CIA and FBI took on more assertive roles into ongoing cyber threat investigations.

 

            One of the more controversial decisions of the PCCIP was the placement of the NIPC within the FBI.  In the past, the FBI‚s role was one of investigation of crimes against the government.  By placing the NIPC inside the FBI, the agency would now take on a new „protectiveš role, which industry leaders feared the FBI could abuse by using its investigative tactics under the guise of protection.[25]  The PCCIP wanted to use the NIPC as a means of gaining volunteer interaction by corporations with government interests in critical protection.  Would this mean that the FBI could now forcibly induce corporations to volunteer their information on weaknesses in the network infrastructure?  The Presidential Decision Directive left this area of ambiguity unclear, and still today corporations must carefully decide on their approach to the FBI‚s „voluntaryš inquiries.

 

V.  Conclusions:  Future Policy Direction

            The PCCIP accomplished its main tenets by creating a blueprint for the federal government to follow.  In many places, the technology industry has vigorously voiced its disapproval.  From Internet monitoring to restrictions on civil liberties, corporations fear that the government may overstep its bounds in the name of national security.  While both sides may toss unsubstantiated arguments back and forth, it‚s important that the federal government produce a cost-benefit analysis of the projects proposed by the PCCIP.  The commission emphasized the need for corporations to become heavily involved in their recommendations, but very rarely in their report did they assess the fiscal impact of their projects on the private industry.

 

            Future policies for critical infrastructure protection must guarantee corporate buy-in without heavy regulations.  Though the government‚s networks are practically all owned by corporations, the government assumes only a small percentage of the overall customer use on these networks.  The PCCIP failed to recognize this paradox, and used the weight of the government to bully corporations into following its outline.  This however, could spark a government induced market failure.  If the federal government continues to overstep its bounds, we might very likely find the large corporations that power our infrastructure in economic turmoil.

 

            In addition to avoiding fiscal woes for industry, future policies should take further into account individual civil liberties.  Often in this report, the PCCIP walked over the rights of citizens with utter disregard.  From advocating Internet monitoring to holding golden-keys of encryption systems, the government walks down a perilous path.  National security cannot come at the cost of civil liberties.  Policies should be open to discussion with the public.  Rather than meeting behind closed doors, the government should allow citizens and interest groups to voice their concerns over proposed infrastructure policies.

 

            The PCCIP made immense progress in solving our nation‚s critical infrastructure problems, but left much of the policy story to be told by future analysts.  These new analysts must be careful in weighing the public‚s rights and national security.  We‚ve made it through the first five years of the digital revolution with only a few bumps and bruises.  Now it‚s important to make sure the next five years make our nation even safer without threatening the vitality of our economy.

 


Bibliography

 

Angelica, A. (1999, February 8).  Identity Crisis, Tech Week.

Berman, J. (1998, March 17).  CDT Letter Urges KYL Subcommittee to Examine Constitutional Impact of PCCIP Proposals, Center for Democracy and Technology.

Center for Democracy and Technology (1997, November 5).  Presidential Commission on Critical Infrastructure Endorses Key Recovery.

Chapman, G. (1997, September 22).  Is the Internet a Matter of National Security? Los Angeles Times.

Dorobek, C. (1998, November 28).  Report:  White House‚s Cyberdefense too Close for Comfort, Government Computing Network.

Dorobek, C. (1998, October 9).  More Agencies Prepare Cyberprotection Plans, Government Computing Network.

Electronic Privacy Information Center (1998).  Critical Infrastructure Protection and the Endangerment of Civil Liberties: An Assessment of the PCCIP.

Glave, J. (1997, October 28).  US Computer Security Called a Critical Mess, Wired News.

Leopold, G. (1998, May 21).  Critics Blast US Cyber Plan, EE Times.

O‚Neil, Dempsey, (1999).  Critical Infrastructure Protection:  Threats to Privacy and Other Civil Liberties and Concerns with Government Mandates on Industry, Depaul Business Law Journal.

Ozier, W. (1999, January).  Assessing a Nation‚s Risk, Integrated Risk Management Group, Inc..

Rotenberg, M. (2000).  Testimony and Statement for the Hearing on CyberAttack: The National Protection Plan and its Privacy Implications, Electronic Privacy Information Center.

Shaw, Ruby, and Post (1996).  The Insider Threat to Information, Political Psychology Associates, pgs. 67-87.

Smith, G. (1998 Fall). An Electronic Pearl Harbor? Not Likely. Issues in Science and Technology.

Staten, C. (1997, October 23).  Reflections on the 1997 Commission on Critical Infrastructure Protection (PCCIP) Report, Emergency Response & Research Institute.

Surkan, M. (1997, November 24).  Defending the Net, ZD Net.

US Critical Infrastructure Assurance Office (1998).  PCCIP Biographical Sketches of the Commissioners.

US Critical Infrastructure Assurance Office (1998).  PCCIP Fact Sheet.

US Department of Justice (1998, May 22).  Presidential Decision Directive 63 White Paper:  The Clinton Administration‚s Policy on Critical Infrastructure Protection.

US Executive Office of the President (1996, July 17).  Executive Order 13010 Ų Critical Infrastructure Protection, Federal Register.

US President‚s Commission on Critical Infrastructure Protection (1997).  Incentives to Encourage Infrastructure Assurance Investments.

US President‚s Commission on Critical Infrastructure Protection (1997).  Critical Infrastructure Protection Strategic Simulation Report.

US President‚s Commission on Critical Infrastructure Protection (1997).  Economic Impacts of Infrastructure Failures.

US President‚s Commission on Critical Infrastructure Protection (1997).  Toward Deterrence in the Cyber Dimension.

US President‚s Commission on Critical Infrastructure Protection (1997).  Sector Reports:  Telecommunications Industry.

US President‚s Commission on Critical Infrastructure Protection (1997).  PCCIP Report.

US President‚s Commission on Critical Infrastructure Protection (1997).  Regulating the Internet.



[1] PCCIP, Critical Foundations: Protecting America‚s Infrastructures (October 1997) (hereinafter „PCCIP Reportš).

[2] PCCIP, Summary Report, pg. 2.

[3] Leopold, George, EE Times, „Critics Blast U.S. Cyber Plan,š (May 1998).

[4] PCCIP, Economic Impacts of Infrastructure Failures, pg. 80.

[5] PCCIP, Summary Report, pg. 3.

[6] PCCIP, PCCIP Report, pg. 20.

[7] Shaw, Ruby, and Post, „The Insider Threat to Information Systems,š Political Psychology Assc., (1996) pg. 67.

[8] United States, White Paper for the Presidential Decision Directive 63 (May 1998), pg. 2.

[9] Neumann, Peter, at a conference in San Jose, CA called „Network Security and Firewalls 97š (October 1997).

[10] PCCIP, Summary Report, pg. 7.

[11] Chapman, Gary, „Is the Internet a Matter of National Security?š Los Angeles Times (September 1997).

[12] PCCIP, Incentives to Encourage Infrastructure Assurance Investments, pg. 2.

[13] PCCIP, PCCIP Report, pg. 61.

[14] Electronic Privacy Information Center (EPIC), „An Assessment of the PCCIP,š (1998) pg. 18.

[15] Center for Democracy and Technology, „Presidential Commission on Critical Infrastructure Endorses Key Recovery, (November 1997).

[16] Ibid.

[17] EPIC, „An Assessment of the PCCIP,š (1998) pg. 17.

[18] PCCIP, PCCIP Report, pg. 61.

[19] PCCIP, PCCIP Report, pg. 79.

[20] PCCIP, PCCIP Report, pg. 83.

[21] PCCIP, PCCIP Report, pg. 84.

[22] Smith, George, „An Electronic Pearl Harbor?  Not Likely,š Issues in Science and Technology (Fall 1998).

[23] PCCIP, PCCIP Report, pgs. 89-91.

[24] United States, Presidential Decision Directive 63, pgs. 8-9.

[25] O‚Neil, Michael and Dempsey, James, „Critical Infrastructure Protection: Threats to Privacy and Other Civil Liberties and Concerns with Government Mandates on Industry,š Depaul Business Law Journal, (1999/2000) pg. 3.