Reflections on the 1997 Commission on Critical Infrastructure Protection (

Reflections on the 1997 Commission on Critical Infrastructure Protection (PCCIP) Report
By Clark Staten, Senior Analyst
Emergency Response & Research Institute
10/23/97 - 16:30CST

One of the greatest challenges for the United States government in the coming decade is the effective protection of this country's critical infrastructure. Or, so says an assessment by a panel of experts convened by President Bill Clinton, to study this increasingly more crucial issue. Specifically, the committee studied the security of the nation's telecommunications systems, electrical power grids, transportation systems, gas/oil delivery and storage systems, water purification and delivery mechanisms, banking and finance centers, Fire/Police/EMS/Disaster systems and other government services.

The primary problem would seem to involve the fact that America continues to computerize and connect government, military, business, and personal computer systems together. Wait, you are probably saying, isn't that what we want to do in order to become more productive and innovative? As with most things in life, there is both "good news" and "bad news" in this story.

The good news is that computers have made major contributions to America's business success, productivity, creativity, and the nation's gross national product in the past decade. But, the bad news is that with all of these connections, advantages, and advances comes an increasing vulnerability to penetration and attacks on our computers by criminals, crackers, and computer terrorists.

In a classified report issued on Wednesday by the "President's Commission on Critical Infrastructure Protection," (PCCIP) it is believed that they officially acknowledged that some major vulnerabilities exist in today's modern systems. Further, experts say that it is increasing more likely that the United States could suffer something similar to an "Electronic Pearl Harbor," possibly with a far more devastating effect than even the attack on America's Pacific fleet at the onset of World War II, some time in the near future.

What the Experts Are Saying

"The PCCIP accomplished it job. It raised awareness, organized a wide spectrum of organizations, and started the mobilization process. Let's be realistic until 18 months ago there was no movement in this area. The time line is very appropriate. There is no immediately defined threat, no document history of information warfare attacks on the infrastructure today, but it will develop. The only question is time and what shape it takes. We should count this as a win as long as the preparation process continues," according to William Church, Editor of The Journal of Infrastructural Warfare.

Air Force Gen. Robert Marsh, chairman of the commission, noted that one of the most difficult tasks in attaining solutions to the security problems in America's infrastructure is for the commission, and the government in general, to develop an effective "information-sharing arrangement" between the public and private sectors. Quite frankly, however, many computer industry insiders and even commission members admit that the government and private industry have been at odds for some time in regard to the regulation of the computer products, security issues, and the use of encryption technologies.

Winn Schwartau, COO of The Security Experts, Inc. and noted cyberspace author and security consultant said; "I feel deeply honored by the President and the commission, that they followed up on the work begun so many years ago and am humble before Mr. Marsh's accolades. However, our work has just begun. It is my sincere hope that finally, a non-partisan, apolitical effort can emerge where industry and government join to really solve the problem, not just talk about it with rancor."

Barry C. Collin, Senior Research Fellow, The Institute for Security and Intelligence of Stanford, California, in an exclusive statement, told EmergencyNet News;

"The Infrastructure Protection Task Force (IPTF) faced virtually insurmountable challenge from the outset. First off, how do you build policy on the infrastructure, when the infrastructure itself is owned by the private sector? Regulation is no answer... and yet deregulation of utilities like communications, electricity, and natural gas have lead to increased vulnerabilities through exposure, poorly protected automation, and downsizing of critical staff. Further, who pays for such protection? Corporations are run by fiscal goals each quarter, with stockholder equity held above all else... a requirement for existence in our marketplace. What is the impetus to finance protection, when it is easier to hold our ears and pretend there is no threat?

The IPTF will announce step-by-step proposals on training, building a planning and response infrastructure, communications, and plans for further research and development. Who will effectively implement those actions items, remains a mystery. There aren't tax dollars, and no stockholder wants to see "preparing for theoretical disasters" on the income statement.

Some companies, like AT&T, are preparing extensively for disaster, both from physical attack, system cracking, and even electro-magnetic pulse and radio frequency weapons. And considering that 95% of the DoD's communications exist now on public switched systems, that research and preventative work is a damn good thing.

Why does AT&T pour millions of dollars into protecting their infrastructure? For one reason: competition. AT&T wants to make sure that no matter what disaster strikes, whether Act of God or man-made, they will be standing, while their competitors fall. AT&T wisely sees the dollar value, the potential stockholder equity, of being prepared for IW, CyberTerrorism, or the next flood.

While the IPTF report brings up some good ideas, and more importantly, some concrete facts, it may be good old competition for the dollar that keeps our infrastructure alive. And it will be the smart business leaders that will make the right call, for now, and for the future.

When I wrote of CyberTerrorism fifteen years ago, we lived in a regulated, lower-risk environment. Little did I dream that a decade and a half later, every node on the Internet would become a potential theatre for battle."

Anticipated Threats

In an unclassified news release issued to the general press yesterday, the commission identified a "wide spectrum of threats" to America's overall infrastructure. Identified among them were naturally occurring events, including earthquakes, floods, fires, and wind/water incidents. Of major interest to the commission were also those events that are man-made, including "blunders, errors, and commissions," "insider attacks/crimes," and "accidents involving physical damage to facilities."

Physical attacks, such as those using conventional explosives on any number of targets, including the World Trade Center (commerce and banking), the Oklahoma Federal Building (government services) and a number of IRS offices and court houses (government services) in the Western part of the United States demonstrate some of the typical examples of terroristic actions that can be expected in the future. The commission expressed its concern that "these kinds of attacks continue to be among the [most] probable threats to our infrastructure."

Additionally, the commission addressed in depth, the issue of the use of computers to attack the United States and her national assets. "Recreational hackers," cyber-terrorism, criminal manipulation," industrial espionage, virus dissemination, and large scale information warfare campaigns were all cited by the report as being part of an evolving threat to America and her allies. The commission noted that all it takes is "a personal computer and a simple telephone connection to an internet service provider, anyplace in the world...to cause a great deal of harm."

Public/Corporate Awareness

According to the unclassified media release, closer examination of the overall infrastructure protection problem also indicates that there is a major lack of awareness on the public's part in regard to the vulnerabilities of these critical systems and that many technologies that are generally reliable are often taken for granted by both business leaders and the public in general. People flip a switch or pick up a phone and just expect it all to work. Unless our infrastructure is protected, that may not be the case some day in the future, the report warns.

Further, and also related to a lack of awareness is the need for a national focus and advocacy campaign for infrastructure protection. While some in government are advocating the creation of "Information/Infrastructure Czar" and a new bureaucracy to monitor and regulate the burgeoning issues surrounding these vulnerabilities, others point out that much of this most valuable infrastructure is privately owned and that creating more more government and more regulations is an expensive, ineffective, and unacceptable way to address the problem.

Both commission members and the computer industry seemingly agree that our nation's infrastructure is becoming increasing more interconnected, complex, interdependent, and mutually vulnerable to attack. For example, various reports estimate that as much as 70% of non-essential/non-secured" government and military internet traffic travels over commercial backbones that are potentially subject to outside threats. The costs associated with an effective computer attack are decreasing each year, with increasingly more effective "cracker tools" being made available through a variety of sources.

PCCIP Conclusions

The PCCIP concludes that the public and private investments required to provide for future infrastructure protection needs are currently "modest," but that they will undoubtedly increase with time. Further, these measures will not prove nearly as expensive as the damage that could be caused by a relatively unsophisticated attack on any number of vital parts of our nation's infrastructure. A commission conclusion was reached that, "we should attend to our critical foundations before the storm arrives, not after; waiting for disaster will prove as expensive as is irresponsible."

As the information technologies of military, government and corporate structures become "less and less separate" and more intertwined, the commission concludes, "a shared responsibility for protection, mitigation, and restoration..." becomes even more important. The report advocates a strategy of cooperative "information sharing" in a "quantitative risk-assessment process" that will help to secure all of the nation's information assets and protect against the "cascading effects" of interconnected and interdependent resources. It should be noted, however, that there are few, if any, demonstrable public/private programs that have proven both voluntary and effective.

ERRI Conclusions

Now that the issues of threats to our national infrastructure have been studied and a framework for further protection efforts laid out by the Presidential Commission, will our society be any safer from attacks on our vital foundations? Maybe, or maybe not; depending on what actions are taken, what funding is provided, and what level of communication and cooperation actually develops between the public and private sectors.

Our analysts and many other experts, in and out of government, seem to agree on three things.

1> Americans, from all sectors of society, can expect to be dramatically affected by both the promise and the potential disasters associated with the rapidly progressing computerization of our society.

2> Protection of our essential infrastructure services should be among the highest of our future priorities. Although often taken for granted, these assets comprise much of what we value and and have come to expect of America.

3> Were we to collectively lose a number of these critical services in a short period of time, our current society could be expected to sink into something resembling "chaos" in a very short period of time. We have grown far too accustomed to the luxury of all of our current systems.

Therefore, it would appear incumbent on us all, in both the public and private sectors, to begin to work together to plan, prevent, and protect our critical infrastructures. We must develop a system of "electronic civil defense," before it is too late. If we don't do so, the quality of our lives and America's prosperity are at stake. Let's do it now...BEFORE the first "info-disaster" happens.

(c) Copyright-EmergencyNet News Service, 1997. All rights reserved, but may be redistributed with expressed permission of EmergencyNet News.

Emergency Response & Research Institute
6348 N. Milwaukee Ave., #312
Chicago, IL. 60646
(773) 631-3774 - Voice
(773) 631-4703 - Fax
(773) 631-3467 - Modem/Emergency BBS On-Line
http://www.emergency.com - Website
emergencynet@emergency.com - E-mail

Return to the EmergencyNet News page

Return to the Technical Operations/Management Page