President's Commission on Critical Infrastructure Protection

The President’s Commission on Critical Infrastructure Protection (PCCIP) was established in July 1996. Its tasks were to: report to the President the scope and nature of the vulnerabilities and threats to the nation’s critical infrastructures (focusing primarily on cyber threats); recommend a comprehensive national policy and implementation plan for protecting critical infrastructures; determine legal and policy issues raised by proposals to increase protections; and propose statutory and regulatory changes necessary to effect recommendations.

The PCCIP released its report to President Clinton in October 1997. Examining both the physical and cyber vulnerabilities, the Commission found no immediate crisis threatening the nation’s infrastructures. However, it did find reason to take action, especially in the area of cyber security. The rapid growth of a computer-literate population (implying a greater pool of potential hackers), the inherent vulnerabilities of common protocols in computer networks, the easy availability of hacker “tools” (available on many websites), and the fact that the basic tools of the hacker (computer, modem, telephone line) are the same essential technologies used by the general population indicated to the Commission that both threat and vulnerability exist.

The Commission generally recommended that greater cooperation and communication between the private sector and government was needed. The private sector owns and operates much of the nation’s critical infrastructure. As seen by the Commission, the government’s primary role (aside from protecting its own infrastructures) is to collect and disseminate the latest information on intrusion techniques, threat analysis, and ways to defend against hackers.

The Commission also proposed a strategy for action:
 * facilitate greater cooperation and communication between the private sector and appropriate government agencies by: setting a top level policy-making office in the White House; establishing a council that includes corporate executives, state and local government officials, and cabinet secretaries; and setting up information clearinghouses;
 * develop a real-time capability of attack warning;
 * establish and promote a comprehensive awareness and education program;
 * streamline and clarify elements of the legal structure to support assurance measures (including clearing jurisdictional barriers to pursuing hackers electronically); and,
 * expand research and development in technologies and techniques, especially technologies that allow for greater detection of intrusions.

The Commission’s report underwent interagency review to determine how to respond. That review led to a Presidential Decision Directive No. 63 released in May 1998.