Critical intrastructure protection

Federal awareness of the importance of securing our nation’s cyber critical infrastructures, which underpin our society, economy, and national security, has been evolving since the mid-1990’s. Over the years, a variety of working groups have been formed, special reports written, federal policies issued, and organizations created to address the issues that have been raised. In June 1995, a Critical Infrastructure Working Group, led by the Attorney General, was formed to (1) identify critical infrastructures and assess the scope and nature of threats to them, (2) survey existing government mechanisms for addressing these threats, and (3) propose options for a full-time group to consider long-term government response to threats to critical infrastructures. The working group recommended creating a commission to further investigate the issues. In response to this recommendation, the President’s Commission on Critical Infrastructure Protection was established in July 1996 to study the nation’s vulnerabilities to both cyber and physical threats.

In October 1997, the President’s Commission issued its report, which described the potentially devastating implications of poor information security from a national perspective. The report recommended several measures to achieve a higher level of critical infrastructure protection, including infrastructure protection through industry cooperation and information sharing, a national organization structure, a revised program of research and development, a broad program of awareness and education, and reconsideration of laws related to infrastructure protection. The report stated that a comprehensive effort would need to “include a system of surveillance, assessment, early warning, and response mechanisms to mitigate the potential for cyberthreats.” It said that the Federal Bureau of Investigation (FBI) had already begun to develop warning and threat analysis capabilities and urged it to continue in these efforts. In addition, the report noted that the FBI could serve as the preliminary national warning center for infrastructure attacks and provide law enforcement, intelligence, and other information needed to ensure the highest quality analysis possible.

The President subsequently issued Presidential Decision Directive (PDD) 63, in 1998, which describes a strategy for cooperative efforts by government and the private sector to protect critical, computer-dependent operations. PDD 63 called for a range of actions intended to improve federal agency security programs, improve the nation’s ability to detect and respond to serious computer-based attacks, and establish a partnership between the government and the private sector. The directive called on the federal government to serve as a model of how infrastructure assurance is best achieved and designated lead agencies to work with private-sector and government organizations. Further, it established critical infrastructure protection as a national goal, and stated that, by the close of 2000, the United States was to have achieved an initial operating capability to protect the nation’s critical infrastructures from intentional destructive acts and, no later than 2003, an enhanced capability.

In response to PDD 63, in January 2000 the White House issued its “National Plan for Information Systems Protection.”6 The national plan provided a vision and framework for the federal government to prevent, detect, respond to, and protect the nation’s critical cyber-based infrastructure from attack and reduce existing vulnerabilities by complementing and focusing existing federal computer security and information technology requirements. Subsequent versions of the plan were expected to (1) define the roles of industry and state and local governments working in partnership with the federal government to protect privately owned physical and cyber-based infrastructures from deliberate attack and (2) examine the international aspects of CIP.

TIn October 2001, President Bush signed Executive Order 13231, which established the President’s Critical Infrastructure Protection Board to coordinate cyber- related federal efforts and programs associated with protecting our nation’s critical infrastructures. The Special Advisor to the President for Cyberspace Security chairs the board. Executive Order 13231 tasks the board with recommending policies and coordinating programs for protecting CIP-related information systems. The executive order also established 10 standing committees to support the board’s work on a wide range of critical information infrastructure efforts. The board is intended to coordinate with the Office of Homeland Security in activities relating to the protection of and recovery from attacks against information systems for critical infrastructure, including emergency preparedness communications that were assigned to the Office of Homeland Security by Executive Order 13228, dated October 8, 2001. The board recommends policies and coordinates programs for protecting information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems. In addition, the chair coordinates with the Assistant to the President for Economic Policy on issues relating to private-sector systems and economic effects and with the Director of OMB on issues relating to budgets and the security of federal computer systems.