Los Angeles - November 14, 1997
General Robert T. "Tom" Marsh, USAF (Ret.)
Chairman
President's Commission on Critical Infrastructure Protection
"Critical Infrastructure Protection"
Good morning, ladies and gentlemen. It is truly a pleasure to be here
to discuss the work of the Commission. Especially so to be among so many
old friends and men and women in blue.
And there is a bit of nostalgia to it, because I can remember a
number of times long past standing on this same platform and assuring
that there really was going to be an AMRAAM, an F-15E, a J-STARS, a GPS,
despite what the critics were saying or the pockets of Congressional
resistance. It seems some things never change.
But also, to be at a symposium devoted almost exclusively to our
future in space -- a topic close to my heart. Some of you may know when
I commanded the former AFSC, I proposed the formation of the Air Force
Space Command and carved out the elements of my command to form the core
of the new command. I am most pleased to see it flourish today.
My remarks today focus on the vulnerabilities of the
"Information Age," and the associated security and
information assurance challenges that need to be addressed by industry,
government, and military leaders. I want to offer the Commission's
perspective on these issues, and share our ideas and recommendations
with you.
To give you some perspective on the Commission's challenge, imagine,
if you will, that ... the power goes out in the northwest; the 911 is
disrupted in a major city because someone has flooded the phone lines
with repeat calls; two bridges across the Mississippi River are
destroyed -- bridges that not only carry trucks and trains, but also
telephone cables; and two Internet service providers in New York City
are out of service.
What do we do in such a situation? Who is in charge? Is it merely
coincidence? Or a concentrated attack?
These are the types of questions the Commission has been considering
-- questions to which there are no easy answers.
Questions, we hope, our recommendations will help lay the foundation
for answering.
This morning I will briefly discuss the Commission, the new
vulnerabilities and threats of the cyber age, our key findings, and then
summarize our recommendations.
I must admit right up front: our findings, conclusions, and
recommendations are very different from what we anticipated -- and
different from what our stakeholders anticipated. Many thought this was
a problem that government alone could resolve in a few easy steps. But
during the past year and a half, we concluded that
protecting our infrastructures is a public-private undertaking that
requires a new partnership and protecting our infrastructures will take
time -- and will require long-term efforts and a new way of thinking.
The Commission was established by Executive Order on July 15, 1996. A
joint government and private sector endeavor, it was charged to develop
a national policy and implementation strategy for protecting our
critical infrastructures from physical and cyber threats and assuring
their continued operation.
The President identified these eight infrastructures as our national
life support systems. These national infrastructures are vital in that
their incapacity or destruction would have a debilitating impact on the
defense and economic security of the United States.
Why Attack Infrastructures?
Critical infrastructures have long been lucrative targets for anyone
wanting to attack another country. Our nation relies on its
infrastructures for national security, public welfare, and its economic
strength.
Those who would attack the infrastructures would do so to:
- reduce our ability to act in our own interest
- erode public confidence in critical services, or
- reduce American economic competitiveness
In the Gulf War, as you well know, disabling Iraq's infrastructures
was one of the keys to our success -- a lesson noted with much interest
by many countries around the world.
The Commission was uniquely tailored for the task. Recognizing that
the critical infrastructures are largely owned and operated by the
private sector, the Commission structure was a joint public-private
undertaking.
The Commission was comprised of representatives from both
industry and government.
The Steering Committee of senior government officials
oversaw the work of the Commission and guided us through myriad
government concerns.
A Presidentially-appointed Advisory Committee of key
industry leaders provided the unique perspective of owners and operators
of the infrastructures.
The Infrastructure Protection Task Force was established at
the same time as the Commission to support infrastructure protection
until the Commission's recommendations are enacted.
Our approach recognized that most of the infrastructures operate
within an existing framework of government policy and regulation. But
they are also privately owned competitive enterprises; as such,
protection recommendations should not undermine a company's competitive
position. We recognized that any solution would have to be viable in the
marketplace as well as the public policy arena. (Incidentally, those of
us with long histories in government or the military really need to take
this to heart.) Thus, we adopted the following guiding principles:
First, we knew this could not be another Big Government effort.
Government must set the example, but it is the owners and operators who
are the key to success. They have a strong economic stake in protecting
their assets and maximizing customer satisfaction. They understand the
infrastructures and know best how to respond to disruptions.
Second, while we may be undergoing an information revolution, we felt
that utilizing the best ideas and processes from current structures and
relationships was the proper way to proceed. This means building on
existing organizations and relationships as well as fostering voluntary
cooperation. Partnership between industry and government will be more
effective and efficient than legislation or regulation.
Finally, this is a long-term effort which requires continuous
improvement. We must take action in practical increments. There is no
"magic bullet" solution. We must aim not only to protect the
infrastructures, but also to enhance them.
Outreach was a cornerstone of our effort. In fact, our conclusions
and recommendations result directly from the conversations and meetings
we had with approximately 6,000 individuals from industry, academia,
science, technology, the military, and government.
We held five public meetings around the country, participated in
numerous conferences; hosted simulations, games and focus groups; and
sought to increase awareness of this effort through the media and our
website.
In the past, broad oceans and peaceable neighbors provided all the
infrastructure protection we needed.
That all changed during the Cold War. Technology made geography
irrelevant. While we feared attack by bombs or missiles, we knew who the
enemy was and where the attack would originate.
Computers and electrons change the picture entirely. Now the
capability is widely available at relatively little cost. This is the
"new geography" on which the Commission focused its efforts --
a borderless cyber geography whose major topographical features are
technology and change.
We have long understood physical threats and vulnerabilities, but not
so in cyber space. The fast pace of technology means we are always
running to catch up in the cyber dimension. Thus the Commission's work
and our report focus primarily on coping with the cyber threat -- coming
up with the street smarts for the cyber world.
Our foremost concern is the interdependencies presented by the
"system of systems" we rely on for the daily operation of our
critical infrastructures.
Furthermore, information that describes our vulnerabilities is
increasingly accessible. Most of it is unclassified, and much of it is
available on the Internet. We had to be careful in compiling this
information not to provide a handbook for those who would use it for
harmful purposes.
So, who is the threat? The "bad actors," as I like to call
'em, are those with the capability, technology, and intent to do harm.
While we have not found a "smoking keyboard" -- that is, we do
not know who has the intent to do harm -- we do know that the threat is
a function of capability and intent. We characterize capability as a
combination of skills and tools -- skills that even most teenagers have,
and tools that are readily available -- even on the Internet. In short,
the opportunity to do harm is expansive and growing.
The bad actors who use these tools range from the recreational hacker
-- who thrives on the thrill and challenge of breaking into another's
computer -- to the national security threat of information warriors
intent on achieving strategic advantage. Common to all threats is the
insider. In addition to harnessing technology to protect our
infrastructures, we must pay special attention to insiders -- their
trustworthiness and their access to critical control functions.
The new arsenal of "weapons of mass disruption" in the
cyber world include "Trojan horses," viruses, and e-mail
attacks used to alter, steal data, or deny service. These tools
recognize neither borders nor jurisdictions. They can be used anywhere,
anytime, by anyone with the capability, technology, and intent to do
harm. And they offer the advantage of anonymity.
We examined the respective roles of the private sector and the
federal government in light of this new threat and the potential bad
actors. We concluded that the private sector has a responsibility to
protect itself from the local threats, such as individual hackers and
criminals. And that the federal government has a larger responsibility
to protect our citizens from national security threats. In short, we
found that infrastructure protection is a shared responsibility.
The private sector must take prudent measures to protect itself from
commonplace hacker tools. If these tools are also used by the terrorist,
then the private sector will also be protecting against cyber terrorist
attack and will be playing a significant role in national security.
The federal government is responsible for collecting information
about the tools, the perpetrators, and their intent from all sources,
including the owners and operators of the infrastructures. The
government must share this information with the private sector so that
industry can take the necessary protective measures.
In some respects, our most important finding is that adapting to this
challenge requires thinking differently about infrastructure protection.
We must look through the lens of information technology as we approach
the third millennium.
Specifically, we found that:
- Information sharing is the most immediate need.
- Responsibility is shared among owners and operators and
government.
- The federal government has an important role in the new alliance.
- Infrastructure protection requires a focal point.
- We must develop an analysis and warning capability.
- The existing legal framework is imperfectly tuned to deal with
cyber threats.
- Research and development efforts are inadequate to support
infrastructure protection.
Protecting our infrastructures into the 21st Century requires greater
understanding of their vulnerabilities and decisive actions to reduce
them. After fifteen months of consultation, research, assessment, and
deliberation, the Commission's fundamental conclusion is that
Waiting for disaster is a dangerous strategy. Now is the time to
act to protect our future. And this action requires a new partnership to
address the risks of protecting our nation's infrastructures.
During our extensive outreach efforts, we heard time and again that
the owners and operators of the infrastructures need more information
about cyber threats. They also said that a trusted environment must be
built so that they can freely exchange information with each other and
with government without fear of regulation, loss of public confidence,
incurred liability, or damaged reputation.
The Commission's recommendations lay the foundation for creating a
new collaborative environment that includes a two-way exchange of
information, not more burdensome regulation.
Our recommendations focus on protecting proprietary information and
ensuring anonymity when necessary; reviewing legal impediments to
information sharing, such as antitrust provisions and the Freedom of
Information Act; and creating information sharing mechanisms both within
industry and between industry and government.
As to actions the government should take, we recommend specific steps
to ensure owners and operators and state and local governments are
sufficiently informed and supported to accomplish their infrastructure
protection roles, to include:
- Designated federal agencies continuing and expanding the
availability of risk assessment services to the private sector and
encouraging industry -- and assisting when necessary -- to develop
risk methodologies.
- The US Security Policy Board should study and recommend how best
to protect specific private sector information on threats and
vulnerabilities to critical infrastructures. And,
- The funding for the Nunn-Lugar-Domenici domestic preparedness
program should be doubled to expand and accelerate mitigating the
effects of weapons of mass destruction attacks.
Key to the success of these initiatives is educating our citizens
about the emerging threats and vulnerabilities in the cyber dimension.
The culture has changed, and our way of thinking about technology and
the resulting threats and vulnerabilities must also change.
The Commission's recommendations are aimed at all levels of
education, from grammar to graduate school and beyond. They include:
- A series of White House conferences to spur new curricula in
computer ethics and intellectual property for elementary and
secondary schools.
- A nationwide public awareness campaign, simulations, and Round
Table discussions to educate the general public as well as industry
and government leaders.
- Grants by the National Science Foundation to promote graduate
level research and teaching of network security.
- Partnership between the Department of Education and industry to
develop curricula and market demand for properly-trained information
security technicians and managers.
Infrastructure assurance is a joint responsibility, but the federal
government has an unmistakable duty to lead the effort. Clearly, the
federal government must lead by example as it exhorts the private sector
and state and local governments to raise the level of security of their
systems.
The federal government must pursue the tools, practices, and policies
required to conduct business in the cyber age. This includes:
- Improving government information security through developing,
implementing, and enforcing best practices and standards -- and then
conducting certification and measures against those standards.
- Working with industry to expedite efforts for alternative
information security and encryption key management pilot programs.
- Elevating and formalizing Information Assurance as a foreign
intelligence priority.
- Recruiting and retaining adequate numbers of law enforcement
personnel with cyber skills.
- Conducting a thorough risk assessment of the National Aerospace
System and the planned sole reliance on the Global Positioning
System.
We examined a full range of legal issues relating to protecting the
critical infrastructures with three goals in mind:
- increasing the effectiveness of government's protection efforts;
- enhancing the private sector's ability to protect itself; and
- enabling effective public-private partnership where most needed.
We propose revision of major federal legislation as it relates to the
critical infrastructures and the cyber threat. We have modest
recommendations in the area of criminal law and procedure --
specifically the Federal Sentencing Guidelines -- to take into account
the true harm done by attacks on the critical infrastructures.
We call for an expert study group -- representing labor, management,
government, and privacy interests -- to make recommendations for
long-term reform in the employer-employee relationship, while balancing
security and privacy. We recommend easing legal impediments to
information sharing such as antitrust provisions, federal and private
liability, and the Freedom of Information Act.
Federal research and development efforts are inadequate to meet the
challenge presented by emerging cyber threats. About $250 million is
spent each year on infrastructure assurance-related R&D, of which 60
percent -- $150 million -- is dedicated to information security. There
is very little research supporting a national cyber defense. The
Commission believes that real-time detection, identification, and
response tools are urgently needed, and we concluded that market forces
are insufficient to meet these needs.
Thus we recommend doubling federal R&D funding for infrastructure
protection to $500 million the first year, with 20% increases each year
for the next five years. We recommend this funding target such topics as
risk management, simulation and modeling, decision support, and early
warning and response.
To formalize the public-private partnership necessary for
infrastructure protection, we recommend several arrangements for
information sharing and policy input.
At the policy-making level, we recommend:
- an Office of National Infrastructure Assurance -- located within
the White House -- to serve as the federal government's focal point
for infrastructure protection;
- a National Infrastructure Assurance Council comprised of selected
infrastructure CEOs and Cabinet officials to propose policy and
advise the President; and
- an Infrastructure Assurance Support Office to support both the
Council and the National Office.
At the operational level, we recommend:
- Sector Infrastructure Assurance Coordinators or clearinghouses as
focal points within each infrastructure to share information;
- federal Lead Agencies to promote and assist in establishing the
sector coordinators;
- an Information Sharing and Analysis Center staffed by both private
industry and government to receive and share information about
infrastructure intrusions to be located in the private sector; and
- a Warning Center designed to provide operational warning whenever
possible of an attack on the infrastructures, either physical or
cyber, located within the FBI.
Just as the risks are shared between the public and the private
sectors, so will the solutions be found. Our national and economic
security has become a shared responsibility -- one that will require a
new kind of partnership between government and industry -- one which
encourages information sharing and one which requires the government to
lead by example.
Well, to all of you, thank you for your time this morning. And thank
you for your interest in this issue of national importance. We know that
the Commission has only laid the foundation for what we hope will be an
ongoing dialogue about how to best protect our nation's life support
systems. Thank you.
Gen. Shaud: Tom, that was great. To have a threat
that is at once so obvious and on the other hand, we must ask "now
what do we do?" That is the sense of all the questions that I
received and I know we will ask you to be a little bit speculative with
your answers. First, your commission has become probably wiser about the
totality of this threat than anybody in the United States. Will your
commission survive and how does it phase into the next step?
Gen. Marsh: The commission terminated on October 13.
We rendered our report. It is now undergoing interagency review on its
way to the president and that interagency review process is very active
at the moment. We have formed up as the commission "Sunset" if
you will. We formed up a transition office to support that interagency
review and develop any alternatives, for example, that may be required.
That transition office is under the direction of Phil Lacombe who was
the staff director on the commission. He has with him all of the
resources that supported the commission and consequently will carry the
momentum and the ball until such time as some or all of the
recommendations are accepted.
Gen. Shaud: Perhaps this is too early, but how has
the commission report been received in government and industry? Who
would you say is on board to make something happen?
Gen. Marsh: I don't want to speculate on how the
cabinet and the president will finally deal with the report. I can only
say that so far we have seen a lot of affirmative head nodding and I've
encountered no show stoppers or major concerns about the nature of our
recommendations. Some of these having to do with the structure that we
recommended be put in place naturally will be debated and as you would
expect in any bureaucracy, there will be vested interests having
different views on how those ought to be implemented. So far, I have
been rather pleased with the acceptance of the report.
As to the private sector, we stay tuned to all of the Internet
traffic and the media reactions and so far I think they have been
generally affirmative. The encryption mafia, I might call it, has
attacked us for not taking a stronger stand on this current encryption
debate, but we've tried to avoid that as best we could.
Gen. Shaud: Some in this audience are involved with
a system you mentioned, GPS. Would you speak to how GPS becomes part of
infrastructure and its vulnerability?
Gen. Marsh: All of you and especially the Space and
Missile Center know this better than I. GPS's applications are
ubiquitous. Even the electric power industry and distribution system has
become increasingly dependent upon GPS. All of our transportation modes
are becoming increasingly dependent and on and on. There is no stronger
supporter of GPS than I. On the other hand, we have to be aware of the
vulnerabilities. I think most of you in this audience would readily
acknowledge that there is a very important vulnerability of GPS in terms
of the receivers. To cope with that vulnerability and to overcome that
is quite a challenging undertaking. As we looked at the National
Navigation Plan that says we will rely exclusively on GPS starting in
2005 or 2010, we are cautioning that such a plan doesn't make sense
unless one knows what he is going to do with this matter of
vulnerability. That is, we cannot in our judgement decommission the en
route traffic control radars, and terminal radars without having a very
firm technologically-based plan to deal with vulnerabilities.
Gen. Shaud: Let me get to the military side of this.
We have with us Whit Peters, formerly general counsel of OSD, and you
raise some interesting questions about the law. What is the difference
between a cyber attack and an attack of war and what do we do about
that?
Gen. Marsh: That is a profound question and I don't
have the answer. We think much has to be done and Defense has to play a
big role in this. Let me start by saying that today we have great
difficulty determining the nature of a cyber attack. We all know that.
We don't know it is happening. We know it happened yesterday, but we
don't know it is happening in real time. We don't know from whence it is
coming. We don't know what the intent is and so on. That is the
fundamental underpinning of our research and development program. We
cannot tolerate being in a position forever not knowing the nature of
this threat. I used the analogue of the early years of the ballistic
missile nuclear weapons threat when we didn't know where they were
located within the Soviet Union, we couldn't see them coming, we didn't
know what they were up to or where they were coming from.
So we mounted a major national program of technical means. We got the
overflight capabilities. We finally put the DSP-like capability into
orbit. We erected the radars and erected the early warning system. We
finally came to grips with the fact that such a threat isn't
unthinkable. There are ways of dealing with it.
There are no laws of physics that we've been able to uncover that say
you cannot deal with this cyber threat. You can. We simply must mount a
very extensive research and development program to provide the tools to
deal with it. Until such time as we have that, defining the threshold or
identifying we are actually under attack by a foreign power is extremely
difficult to deal with. I believe General Ryan alluded to the fact that
a recent JCS exercise simply confounded the participants in that regard.
It was weeks into the exercise before you could assimilate enough
information to finally conclude that we were in fact under an attack.
That is what I tried to portray in that opening slide. We don't have the
answers. But this nation cannot tolerate living with not having the
answers. We must develop the tools so that we can have the answers.
Gen. Shaud: As a follow-on to that question, what is
your assessment of how the services are doing in developing our
information operations doctrine so that they can confront the threat
that you raised? Are we doing the right thing? Are we a little slow?
What is happening?
Gen. Marsh: I second General Ryan's comment. I think
the Air Force is in the lead in this area. That is my observation. They
have the best firewalls in place. However, they are confronted with
periodic problems notwithstanding those firewalls. Generally there is
no question about it, the Department of Defense is in fair shape in this
area, but I must say, I believe the Department of Defense has a
challenge to ask itself what role does it have to play in the defense of
these privately owned and operated critical infrastructures that have
become the life support systems of our nation. There is no question if
Pacific Gas and Electric Company should come under aerial attack, we'd
do the very best we could. We'd flush whatever fighters we have. We'd
try to muster some SAMs and we would without question consider it our
fundamental responsibility to protect that infrastructure against
physical attack. We haven't addressed the question, what is the
Department of Defense's responsibility or for that matter the services
or the CINCs or a CINC for defense of the privately owned critical
infrastructures against foreign attack. That is a vexing question and
one that we are recommending that the Department of Defense come to
grips with.
Gen. Shaud: As you investigated cyber attack, who
represented industry to your commission?
Gen. Marsh: The commission was comprised of 20
commissioners, half of whom were to be senior career executives from all
the affected agencies and departments of government and half of whom
were to be recruited from the private sector to come into government,
full-time employees for one year and then return to their industries. We
were quite successful. We got representatives from Pacific Gas and
Electric, AT&T, IBM, National Railroad Association and the Federal
Reserve.
We had good representation from the private sector on the commission
and they served a very useful purpose in keeping us oriented to the fact
that you are trying to deal with the problem here where the
infrastructures themselves are owned and operated by the private sector
and have profit as their motive obviously.
Gen. Shaud: Let me ask a final question: How do we
get a copy of your report?
Gen. Marsh: Our report, as submitted to the
president, is a classified report as you would well expect, not only
because it was classified because we compiled so much specific
vulnerability information, that in and of itself is a reason, but in
addition, we had reference to the national intelligence estimate and so
on. We did publish an unclassified version of that report less the
detailed vulnerability as appendices. That is available now. You can
also get it on our web site and download it. It is http://www.pccip.gov.
