CongressLine - The National Plan for Information Systems Protection: Planning for the Pearl Harbor of Cyberspace
By Carol M. Morrissey, Published on February 15, 2000
On January 5, 2000, President Clinton announced his Administration's newest plan to safeguard the nation's computers from hackers, viruses and cyber-terrorist threats: the National Security Strategy for a New Century. This long overdue and much anticipated proposal is the culmination of a three-year effort by the Critical Infrastructure Assurance Office (CIAO). However, its roots can be traced back to the nascent Clinton Administration and Presidential Decision Directive (PDD) 39, which created a Cabinet-level committee to assess the vulnerability of our critical infrastructures and to recommend protective measures. Several years, agencies, committees and reports later, CIAO has issued what they are calling "Version 1.0" of the cyber-security plan. (The text of the report can be accessed at the White House site; the link may also be found at the Web site for CIAO, http://www.ciao.gov/.)
A Short History
A direct result of PDD 39 was the Critical Infrastructure Working Group (CWIG). The CWIG issued a report in January 1996 calling for a more permanent body to actually develop a national strategy for protecting our infrastructure and for a task force to lend some coherence to the government's existing infrastructure protection capabilities. In response to these recommendations the President's Commission on Critical Infrastructure Protection (PCCIP) and the Infrastructure Protection Task Force (IPTF) at the Department of Justice were born. (The PCCIP website can be accessed at: http://www.info-sec.com/pccip/web/index.html.)
Critical Foundations, Protecting America's Infrastructures, the Report of the President's Commission on Critical Infrastructure Protection, was issued in October 1997. (This report is available in PDF format at http://www.ciao.gov/press/WhiteHouseFact%20Sheet_Institute.html; please click on "President's Commission on Critical Infrastructure Protection.")
The Administration was very supportive of the PCCIP's findings. One of its major recommendations was to create a centralized system, organized under the Federal Bureau of Investigation (FBI), to provide advance warning of infrastructure attacks. In February of 1998 the FBI created a new division called the National Infrastructure Protection Center (NIPC) to coordinate government-wide programs, investigations and information on protecting our infrastructure. (Please go to http://www.fbi.gov/nipc/welcome.htm for information about the NIPC and its mission statement.)
The paper also identified the eight sectors of the economy critical to the national security and the essential functioning of the U.S. economy: telecommunications, transportation, water supply, oil and gas production, banking and finance, electrical generation, emergency services and essential government functions.
On May 22, 1998, President Clinton issued two national security directives, PDD 62 and PDD 63. The directives confirmed the Administration's dedication to combating cyber-terrorism, officially recognizing the role of the NIPC in protecting our infrastructure and also creating the Critical Infrastructure Assurance Office in the Department of Commerce. (For a fact sheet on each of the PDDs, please go to: http://www.ciao.gov/press/WhiteHouseFactSheet_PDD63.htm, Protecting America's Critical Infrastructure and http://www.ciao.gov/press/WhiteHouseFactSheet_PDD62.htm, Combating Terrorism.) (The text of the President's remarks on the initiatives can be accessed at http://www.info-sec.com//ciao/speech22may1998.html and a briefing held later that day with Jeffrey Hunker, Director of the CIAO, can be accessed at: http://www.info-sec.com/ciao/briefing22may1998.html.)
The Administration's actions were not well received in all quarters. An April 1998 General Accounting Office Report, Combating Terrorism: Threat and Risk Assessments Can Help Prioritize and Target Program Investments (Letter Report, 04/09/98, GAO/NSIAD-98-74) said that the government was spending more money than ever on terrorism, without "any assurance of whether it is focused on the right programs or in the right amounts." (For the text of the report, please go to http://www.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=gao&docid=f:ns98074.txt.) Industry was generally not pleased with the proposals, having been promised involvement in the process and then given none.
Jeffrey Hunker went before the House National Security committee, subcommittee on Military Procurement in June of 1998 to defend the proposal. His remarks provide an excellent explanation of the background of CIAO and of its mission at the time, which was to work towards creating a comprehensive national plan. (Hunker's testimony can be accessed at: http://www.info-sec.com/ciao/sbhunker11june1998.html.)
Keeping America Secure
In January of 1999 President Clinton announced in a speech before the National Academy of Science in Washington, D.C., a four-pronged initiative to fight cyber-terrorism. (The President's remarks on Keeping America Secure can be found at: http://www.pub.whitehouse.gov/uri-res/I2R?urn:pdi://oma.eop.gov.us/1999/1/25/5.text.1) The proposal included research in the area of detection, the creation of detection networks and private sector information centers where industry and government work together. He also requested $1.46 billion in funding for the protection of critical infrastructure, a 40% increase from previous years.
In June of 1999, a draft document proposing the creation of a Federal Intrusion Detection Network (Fidnet) was made public. Fidnet would monitor data flowing over government and national computer networks, with the information gathered being housed at the NIPC. Administration officials argued that the system would not be electronic eavesdropping, just collecting data in search of patterns. The system was to be fully operational by 2003.
This proposal was literally pounced on by civil libertarians and Congressional Republicans, decrying the "big brother" tactics of the Clinton Administration. (For the Center for Democracy and Technology's remarks on the plan, please go to: http://www.cdt.org/policy/terrorism/fidnet/.)
By September of 1999, the Administration had revised the original Fidnet proposal, limiting the scope of data collection to suspicious activity on government computers and naming the General Services Administration (GSA) as the agency in charge.
In testimony before the Senate Judiciary committee subcommittee on Technology and Terrorism in October of 1999, John Tritak (the Director of CIAO) sought to allay fears by stating that Fidnet would operate "within legal requirements and government policy concerning privacy." (Mr. Tritak's testimony can be accessed at: http://www.senate.gov/~judiciary/10699jst.htm.) A GAO report on the security threats facing our critical computer systems, with a special focus on federal agency performance in addressing computer security issues, was also presented at the hearing. The report found that, according to recent GAO and Inspector General audits, our government was not adequately protecting critical federal operations and assets from computer-based attacks. (Please see Critical Infrastructure Protection: Fundamental Improvements Needed to Assure Security of Federal Operations, GAO/T-AIMD-00-7, October 7, 1999 at: http://www.senate.gov/~judiciary/10699jlb.htm.)
National Security Strategy for the Next Century
The Administration's newest proposal sets out an ambitious 10-point agenda concerning our critical infrastructures, focusing on education, research and development, and detection, hewing to much of what the Administration has been supporting over the years on this issue. The White House released a series of Fact Sheets on the plan to explain some of its salient points. (The Fact Sheets can be accessed at: http://www.ciao.gov/press/WhiteHouseFact%20Sheet_FederalTraining.html, http://www.ciao.gov/press/WhiteHouseFact%20Sheet_institute.html and http://www.ciao.gov/press/WhiteHouseFactSheet_Cyber%20Security.html.) The budget request for the cyber-security proposal is $91 million, in addition to almost $2 billion in the 2000 budget.
Called on the Carpet
The Senate committee on the Judiciary subcommittee on Technology, Terrorism and Government Information held a hearing on the new proposal on Feb. 1, 2000. John Tritak's statement before the subcommittee provides a detailed overview of the proposal and of the difficulties posed by the plan. He is aware of the scrutiny he is currently under and that privacy advocates have not forgotten Fidnet and its role in the current proposal. (His testimony is at: http://www.senate.gov/~judiciary/2100jst.htm.)
Senators at the hearing criticized the proposal, saying that increased security should not come at the expense of our civil liberties. They also questioned why the plan was not finalized a year ago as per its schedule and found fault with certain aspects of the cyber-security funding request. The GAO released a report at the hearing entitled, Critical Infrastructure Protection, Comments on the National Plan for Information Systems Protection, GAO/T-AIMD-00-72, Feb. 1, 2000. The GAO hailed the proposal as an excellent beginning on the dialogue of cyber-security. However, they feel that its heavy focus on intrusion detection is misplaced and that agencies should be given more support to implement their own management controls to assure computer security.
The committee plans to hold a series of hearings in order to thoroughly address the plan. (To access the testimony of all of the witnesses, please go to: http://www.senate.gov/~judiciary/wl212000.htm.) (The Center for Democracy and Technology has an analysis of the proposal which can be accessed at: http://www.cdt.org/policy/terrorism/oneildempseymemo.html#one.)
The present cyber-security proposal was nearly five years in the making and, as indicated by its creators, is essentially a work in progress. For those who believe that information warfare (using software to overload phone lines, scramble software used by major banking institutions, disrupt air traffic and shipping operations, and the like) is the next Pearl Harbor, we are barely prepared. Others grumble about the government's approach and the massive amounts of money being thrown about. The dilemma is similar to that presented by our intense preparations for Y2K - the Year 2000 arrived and all systems were go. Will we be able to say the same in the event of a cyber-terrorist attack?