Order Code RL30153
CRS Report for Congress
Received through the CRS Web
Critical Infrastructures: Background and Early Implementation of PDD-63
Updated February 27, 2001
John D. Moteff
Specialist in Science and Technology Policy
Resources, Science, and Industry Division
Congressional Research Service, The Library of Congress
Summary
The nation’s health, wealth, and security rely on the supply and distribution of
certain goods and services. The array of physical assets, processes and organizations
across which these goods and services move are called critical infrastructures (e.g.
electricity, the power plants that generate it, and the electric grid upon which it is
distributed or financial capital, the institutions that manage it, and the record-keeping
and communications that move it from one institution to another). Computers and
communications, themselves critical infrastructures, are increasingly tying these
infrastructures together. There is concern that this reliance on computers and
computer networks makes the nation’s critical infrastructures vulnerable to “cyber”
attacks. In May 1998, President Clinton released Presidential Decision Directive No.
63. The Directive sets up groups within the federal government to develop and
implement plans that would protect government-operated infrastructures and calls for
a dialogue between government and the private sector to develop a National
Infrastructure Assurance Plan that would protect the nation’s critical infrastructures
by the year 2003.
PDD-63 identified 12 areas critical to the functioning of the country: information
and communications; banking and finance; water supply; transportation; emergency
law enforcement; emergency fire service; emergency medicine; electric power, oil, and
gas supply and distribution; law enforcement and internal security; intelligence;
foreign affairs; and national defense. The Directive assigned a lead agency to each
sector to coordinate efforts at protecting the infrastructure upon which each of these
areas depends. Where private operators are involved, the lead agency is responsible
for identifying private sector coordinators with whom to work to develop a National
Plan (on January 7, 2000 the Clinton Administration released Version 1.0 of this
National Plan which pertains primarily to the government sector). The Directive
ultimately envisions a national early warning and response capability, where cyber
attacks can be detected, warnings issued, and responses coordinated (dubbed
FIDNET). It calls for the private sector to set up Information Sharing and Analysis
Centers that would allow them to participate in this national effort.
By the Clinton Administration’s own estimate, it requested $2.03 billion for
activities related to critical infrastructure protection in FY2001. While much of
this funding is buried within ongoing operating and equipment accounts, making it
difficult to track during the appropriations process, there were a few high visibility
initiatives. These include $25 million to set up a Federal Cyber Services Training and
Education program, $10 million to begin a pilot Federal Intrusion Detection Network,
and $50 million to establish an Institute for Information Infrastructure Protection.
Congress provided mixed support for these initiatives. PDD-63 and its implementation
raise a number of issues. Among them is the ability and willingness of the private
sector to cooperate with the federal government in sharing information. To what
extent will the federal government get involved in the monitoring of privately
operated infrastructures and what are the privacy implications? Costs are also
unknown. And, it is unclear at this time whether the Bush Administration will
reaffirm PDD-63 or pursue a different strategy.
Contents
Latest Developments ........ 1
Introduction ........ 1
The President’s Commission on Critical Infrastructure Protection ........ 2
Presidential Decision Directive No. 63 ........ 3
Implementing PDD-63: Status as of February 2001 ........ 6
    Selection of Sector Liaison Officials and Functional Coordinators ........ 6
    Identifying and Selecting Sector Coordinators ........ 6
    Appointment of the National Infrastructure Assurance Council ........ 8
    Selection of Agency CIAOs ........ 8
    Internal Agency Plans ........ 8
    National Critical Infrastructure Plan ........ 9
    Information Sharing and Analysis Center (ISAC) ........ 10
Issues ........ 12
    Administrative ........ 12
    Restructuring by the Bush Administration ........ 15
    Costs ........ 16
    Information Sharing ........ 18
    Privacy/Civil Liberties? ........ 19
Congressional Action ........ 19
Appendix ........ 21
    FY2001 Budget ........ 21

List of Tables
Table 1. Lead Agencies ........ 4
Table 2. Sector Coordinators ........ 7
Table 3. National Plan for Information Systems Protection, Version 1.0 ........ 10
Table A.1. Critical Infrastructure Protection Funding by Department ........ 23
Latest Developments
The Information Technology sector announced the formation of its Information
Sharing and Analysis Center (ISAC). ISAC members include major hardware,
software, and e-commerce firms including AT&T, IBM, Cisco, Intel, Microsoft, and
Oracle. For information on ISACs, see page 10.
Before leaving office, President Clinton announced his selection of nominees to
serve on the National Infrastructure Assurance Council (see pages 5 and 8).
The Bush Administration, as part of its overall review of White House offices
and responsibilities, is reviewing its options for overseeing and coordinating protection
of the nation’s critical infrastructures. Based on media reports, the Bush
Administration has received a number of recommendations to modify the
organizational structures established by the Clinton Administration (see Restructuring
by the Bush Administration on page 18).
Introduction
Certain socio-economic activities are vital to the day-to-day functioning and
security of the country; for example, transportation of goods and people,
communications, banking and finance, and the supply and distribution of electricity
and water. These activities and services have been referred to as components of the
nation’s critical infrastructure. Domestic security and our ability to monitor, deter,
and respond to outside hostile acts also depend on some of these activities as well as
other more specialized activities like intelligence gathering and command and control
of police and military forces. A serious disruption in these activities and capabilities
could have a major impact on the country’s well-being.1
These activities and capabilities are supported by an array of physical assets,
processes, information, and organizations forming what is being called the nation’s
critical infrastructures. The country’s critical infrastructures are growing increasingly
complex, relying on computers and, now, computer networks to operate efficiently
and reliably. The growing complexity and the interconnectedness resulting from
networking means that a disruption in one may lead to disruptions in others.
1 As a reminder of how dependent society is on its infrastructure, in May 1998, PanAmSat’s
Galaxy IV satellite’s on-board controller malfunctioned, disrupting service to an estimated
80-90% of the nation’s pagers, causing problems for hospitals trying to reach doctors on call,
emergency workers, and people trying to use their credit cards at gas pumps, to name but a
few.
Disruptions can be caused by any number of factors: poor design, operator error,
physical destruction due to natural causes (earthquakes, lightning strikes, etc.), or
physical destruction due to intentional human actions (theft, arson, sabotage, etc.).
Over the years, operators of these infrastructures have taken measures to guard
against and to quickly respond to many of these risks. However, the growing
dependency of these systems on information technologies and computer networks
introduces a new vector by which problems can be introduced.2
Of particular concern is the threat posed by “hackers” who can gain unauthorized
access to a system and who could destroy, corrupt, steal, or monitor information vital
to the operation of the system. Unlike arsonists or saboteurs, hackers can gain access
from remote locations. The ability to detect and deter their actions is still being
developed. While infrastructure operators are also taking measures to guard against
and respond to cyber attacks, there is concern that the number of “on-line” operations
is growing faster than security awareness and the use of sound security measures.
Hackers range from mischievous teenagers, to criminals, to spies, to foreign
military organizations. While the more commonly reported incidents involve
mischievous teenagers (or adults) or self-proclaimed “electronic anarchists”, the
primary concern is criminals, spies, and military personnel from around the world
who appear to be perfecting their hacking skills and who may pose a strategic threat
to the reliable operation of our critical infrastructures.3
The President’s Commission on Critical Infrastructure
Protection
In the FY1996 Department of Defense Authorization bill (P.L. 104-106)
Congress required the President to report to Congress a national policy on protecting
the nation’s information infrastructure from strategic attack. Partially in response to
that legislation and also to internal discussions on national security, President Clinton
established the President’s Commission on Critical Infrastructure Protection (PCCIP)
in July 1996. Its tasks were to: report to the President the scope and nature of the
vulnerabilities and threats to the nation’s critical infrastructures (focusing primarily
on cyber threats); recommend a comprehensive national policy and implementation
plan for protecting critical infrastructures; determine legal and policy issues raised by
proposals to increase protections; and propose statutory and regulatory changes
necessary to effect recommendations.
2 Efforts to merge the computer systems of Norfolk Southern and Conrail after their merger
in June 1999 caused a series of mishaps leaving trains misrouted, crews misscheduled, and
products lost. As of January 2000, problems still persisted. See, “Merged Railroads Still
Plagued by IT Snafus,” Computerworld, January 17, 2000, pp. 20-21.
3 The Director of the Central Intelligence Agency testified before the Senate Committee on
Governmental Affairs (June 24, 1998) that a number of countries are incorporating
information warfare into their military doctrine and training and developing operational
capability. It should be noted that the U.S. military is probably the leader in developing both
offensive and defensive computer warfare techniques and doctrine.
The PCCIP released its report to President Clinton in October 1997.4 While the
Commission found no immediate crisis threatening the nation’s infrastructures, it did
find reason to take action. The rapid growth of a computer-literate population
(implying a greater pool of potential hackers), the inherent vulnerabilities of common
protocols in computer networks, the easy availability of hacker “tools” (available on
many websites), and the fact that the basic tools of the hacker (computer, modem,
telephone line) are the same essential technologies used by the general population
indicated to the Commission that the threat and vulnerability exist.
The Commission’s general recommendation was that greater cooperation and
communication between the private sector and government was needed. Much of the
nation’s critical infrastructure is owned and operated by the private sector. As seen
by the Commission, the government’s primary role (aside from protecting its own
infrastructures) is to collect and disseminate the latest information on intrusion
techniques, threat analysis, and ways to defend against hackers.
The Commission also proposed a strategy for action:
• facilitate greater cooperation and communication between the private
sector and appropriate government agencies by: setting a top level policy-
making office in the White House; establishing a council that includes
corporate executives, state and local government officials, and cabinet
secretaries; and setting up information clearinghouses;
• develop a real-time capability of attack warning;
• establish and promote a comprehensive awareness and education program;
• streamline and clarify elements of the legal structure to support assurance
measures (including clearing jurisdictional barriers to pursuing hackers
electronically); and,
• expand research and development in technologies and techniques, especially
technologies that allow for greater detection of intrusions.
The Commission’s report underwent interagency review to determine how to
respond. That review led to a Presidential Decision Directive released in May 1998.
Presidential Decision Directive No. 63
Presidential Decision Directive No. 63 (PDD-63)5 set as a national goal the
ability to protect the nation’s critical infrastructure from intentional attacks (both
physical and cyber) by the year 2003. According to the PDD, any interruptions in the
ability of these infrastructures to provide their goods and services must be “brief,
infrequent, manageable, geographically isolated, and minimally detrimental to the
welfare of the United States.”6
4 President’s Commission on Critical Infrastructure Protection, Critical Foundations:
Protecting America’s Infrastructures, October 1997.
5 See, The Clinton Administration’s Policy on Critical Infrastructure Protection:
Presidential Decision Directive 63, White Paper, May 22, 1998, which can be found on
[http://www.ciao.ncr.gov/ciao_document_library/paper598.html].
PDD-63 identified the following activities whose critical infrastructures should
be protected: information and communications; banking and finance; water supply;
aviation, highways, mass transit, pipelines, rail, and waterborne commerce; emergency
and law enforcement services; emergency, fire, and continuity of government services;
public health services; electric power, oil and gas production, and storage. In
addition, the PDD identified four activities where the federal government controls the
critical infrastructure: internal security and federal law enforcement; foreign
intelligence; foreign affairs; and national defense.
A lead agency was assigned to each of these “sectors” (see Table 1). Each lead
agency was to appoint a Sector Liaison Official to interact with appropriate private
sector organizations. The private sector was encouraged to select a Sector
Coordinator to work with the agency’s sector liaison official. Together, the liaison
official, sector coordinator, and all affected parties will contribute to a sectoral
security plan which will be integrated into a National Infrastructure Assurance
Plan (see below). Each of the activities performed primarily by the federal
government is also assigned a lead agency, which will appoint a Functional
Coordinator to coordinate efforts similar to those made by the Sector Liaisons.
Table 1. Lead Agencies

Department/Agency                    Sector/Function
Commerce                             Information and Communications
Treasury                             Banking and Finance
EPA                                  Water
Transportation                       Transportation
Justice                              Emergency Law Enforcement
Federal Emergency Management Agency  Emergency Fire Service
Health and Human Services            Emergency Medicine
Energy                               Electric Power, Gas, and Oil
Justice                              Law Enforcement and International Security
Director of Central Intelligence     Intelligence
State                                Foreign Affairs
Defense                              National Defense
6Ibid.
The PDD created the position of National Coordinator for Security,
Infrastructure Protection, and Counter-terrorism, who reports to the President
through the Assistant to the President for National Security Affairs.7 Among his many
duties the National Coordinator chairs the Critical Infrastructure Coordination
Group. This Group is the primary interagency working group for developing and
implementing policy and for coordinating the federal government’s own internal
security measures. The Group includes high level representatives from the lead
agencies (including the Sector Liaisons), the National Economic Council, and all
other relevant agencies.
Each federal agency is responsible for securing its own critical infrastructure and
shall designate a Critical Infrastructure Assurance Officer (CIAO) to assume that
responsibility. The agency’s current Chief Information Officer (CIO) may double in
that capacity. In those cases where the CIO and the CIAO are different, the CIO is
responsible for assuring the agency’s information assets (databases, software,
computers), while the CIAO is responsible for any other assets that make up that
agency’s critical infrastructure. The lead agencies listed in the Directive and others
listed as primary agencies (Federal Bureau of Investigation, Central Intelligence
Agency, Veterans Affairs, and the National Security Agency) were given 180 days
from the signing of the Directive to develop their plans. Those plans are to be fully
implemented within 2 years and updated every 2 years.
The PDD set up a National Infrastructure Assurance Council. The Council
will be a panel that includes private operators of infrastructure assets and officials
from state and local governments and relevant federal agencies. The Council
will meet periodically and provide reports to the President as appropriate. The
National Coordinator will act as the Executive Director of the Council.
The PDD also called for a National Infrastructure Assurance Plan. The Plan
is to integrate the plans from each of the sectors mentioned above and should consider
the following: a vulnerability assessment, including the minimum essential capability
required of the sector’s infrastructure to meet its purpose; remedial plans to reduce
the sector’s vulnerability; warning requirements and procedures; response strategies;
reconstitution of services; education and awareness programs; research and
development needs; intelligence strategies; needs and opportunities for international
cooperation; and legislative and budgetary requirements.
The PDD also set up a National Plan Coordination Staff to support the plan’s
development. This function is performed by the Critical Infrastructure Assurance
Office (CIAO, not to be confused with the agencies’ Critical Infrastructure Assurance
Officers) and was placed in the Department of Commerce. CIAO supports the
National Coordinator’s efforts to integrate the sectoral plans into a National Plan,
supports individual agencies in developing their internal plans, helps coordinate
national education and awareness programs, and provides legislative and public affairs
support.
7President Clinton designated Richard Clarke, Special Assistant to the President for Global
Affairs, National Security Council, as National Coordinator.
In addition to the above activities, the PDD called for studies on specific topics.
These include issues of: liability that might arise from private firms participating in an
information sharing process; legal impediments to information sharing; classification
of information and granting of clearances (efforts to share threat and vulnerability
information with private sector CEOs has been hampered by the need to convey that
information in a classified manner); information sharing with foreign entities; and the
merits of mandating, subsidizing or otherwise assisting in the provision of insurance
for selected infrastructure providers.
Most of the Directive established policy-making and oversight bodies making use
of existing agency authorities and expertise. However, the PDD also addressed
operational concerns. The Directive called for a national capability to detect and
respond to attacks while they are in progress. Although not specifically identified in
the Directive, the Clinton Administration has proposed establishing a Federal
Intrusion Detection Network (FIDNET), that would, together with the Federal
Computer Intrusion Response Capability (FedCIRC) effort begun just prior to
PDD-63, meet this goal. Current proposals have the General Services Administration
managing both efforts, but both would be staffed by experts from across the
government. FIDNET would help agencies detect intrusions and FedCIRC would
help them respond. The Directive did explicitly give the Federal Bureau of
Investigation the authority to expand its existing computer crime capabilities into a
National Infrastructure Protection Center (NIPC). According to the Directive,
the NIPC is to be the focal point for federal threat assessment, vulnerability analysis,
early warning capability, law enforcement investigations, and response coordination.
All agencies are required to forward to the NIPC information about threats and actual
attacks on their infrastructure as well as attacks made on private sector infrastructures
of which they become aware. Presumably, FIDNET and FedCIRC would feed into the
NIPC. According to the Directive, the NIPC would be linked electronically to the
rest of the federal government and use warning and response expertise located
throughout the federal government. According to the Directive, the NIPC will also
be the conduit for information sharing with the private sector through equivalent
Information Sharing and Analysis Center(s) operated by the private sector.
While the FBI was given the lead, the NIPC also includes the Department of
Defense, the Intelligence Community, and a representative from all lead agencies.
Depending on the level of threat or the character of the intrusion, the NIPC may be
placed in direct support of either the Department of Defense or the Intelligence
Community.
Implementing PDD-63: Status as of February 2001
Selection of Sector Liaison Officials and Functional Coordinators.
All lead agencies and lead functional agencies have appointed their Sector Liaison
Officials and Functional Coordinators.
Identifying and Selecting Sector Coordinators. The identification of
sector coordinators is proceeding with mixed results. The table below shows those
individuals or groups that have agreed to act as Coordinators or have been
approached by the lead agency.
Different sectors present different challenges to identifying a coordinator. Some
sectors are more diverse than others (e.g. transportation includes rail, air, waterways,
and highways; information and communications include computers, software, wire
and wireless communications), which raises the issue of how to have all the relevant
players represented. Other sectors are fragmented, consisting of small or local entities.
Some sectors, such as banking, telecommunications, and energy, have more
experience than others in working with the federal government and/or working
collectively to assure the performance of their systems.
Besides such structural issues are ones related to competition. Inherent in the
exercise is asking competitors to cooperate. In some cases it is asking competing
industries to cooperate. This cooperation not only raises issues of trust among firms,
but also concerns regarding anti-trust rules. Also, having these groups in direct
communications with the federal government raises questions about their relationship
to the federal government as governed by the Federal Advisory Committee Act (5
USC Appendix) and how the Freedom of Information Act (5 USC 552) applies to
them and the information that may be exchanged.
For the most part, the sector coordinators selected to date have undertaken
awareness and education activities not only to acquaint their constituents with the
threats and risks of cyber attack on their systems (which in many cases is already
known) but also about the efforts and goals of PDD-63. Typically these activities
have been carried out through regular trade/professional association committee
meetings, conferences, etc.
Table 2. Sector Coordinators

Lead Agency                Identified Sector Coordinators
Commerce                   A consortium of 3 associations: Information Technology
                           Assn. of America; Telecommunications Industry Assn.;
                           U.S. Telephone Assn.
Treasury                   Steven Katz - Citigroup
EPA                        Assn. of Metropolitan Water Agencies
Energy                     North American Electric Reliability Council and
                           National Petroleum Council
Transportation             Association of American Railroads (under discussion)
Health and Human Services  (none yet identified)
FEMA                       (none yet identified)
Justice                    (none yet identified)
Of the largely privately-operated sectors, only the transportation sector has yet
to identify a Coordinator. The Department of Transportation has contacted the
Association of American Railroads to discuss its interest in acting as Coordinator
for the railroad industry after talks with the National Defense Transportation
Association (which includes rail and air) decided it was too small. FEMA, too, is still
trying to identify a group that could represent the country’s emergency/fire service
providers. FEMA has discussed cyber issues with state and local governments in the
context of the Y2K problem, but has not identified a central coordinator for handling
cyber attacks on state- or local-operated infrastructures.8 Nor has the Department of
Health and Human Services identified a central coordinator for the emergency
medical community. The Department of Justice also has not identified a single
coordinator for emergency law enforcement but is using existing outreach programs
at the FBI and the NIPC to promote awareness and education activities.
Appointment of the National Infrastructure Assurance Council. The
Administration released an Executive Order (13130) in July 1999, formally
establishing the council. Just prior to leaving office, President Clinton put forward
the names of 18 people for nomination.9
Selection of Agency CIAOs. All agencies have made permanent or acting
CIAO appointments.
Internal Agency Plans. All of the lead and primary agencies designated in
PDD-63 met the initial deadline for submitting their internal plans for protecting their
own critical infrastructures from attacks and for responding to intrusions. The Critical
Infrastructure Assurance Office assembled an expert team to review the plans. The
plans were assessed in 12 areas including schedule/milestone planning, resource
requirements, and knowledge of existing authorities and guidance. The assessment
team handed back the initial plans with comments. Agencies were given 90 days to
respond to these comments.
A second tier of agencies identified by the National Coordinator were also
required to submit plans. These were Agriculture, Education, Housing and Urban
Development, Labor, Interior, General Services Administration, National Aeronautics
and Space Administration, and the Nuclear Regulatory Commission. Their plans were
turned in by the end of February 1999. These, too, were reviewed by the team and
sent back with comments. Of the 22 agencies required to submit plans, 16
resubmitted plans in response to first round comments.
Initially the process of reviewing these agency plans was to continue until all
concerns were addressed. Over the summer of 1999, however, review efforts slowed
and subsequent reviews were put on hold as the efficacy of the reviews was debated.
Some within the CIAO felt that the plans were too general and lacked a clear
understanding of what constituted a “critical asset” and the interdependencies of those
assets. As a result of that internal debate, the CIAO has redirected its resources to
institute a new program called Project Matrix. Project Matrix is a three step process
by which an agency can identify and assess its most critical assets, identify the
dependencies of those assets on other systems, including those beyond the direct
control of the agency, and prioritize. CIAO has offered this analysis to 14 agencies,
some not bound to PDD-63 (e.g. Social Security Administration and the Securities
and Exchange Commission). Participation by the agencies is voluntary.
Responsibility for review of agency critical infrastructure plans has been given to the
National Institute of Standards and Technology, the support for which appeared in
the Clinton Administration’s FY2001 budget request (see Appendix).
8 The New Mexico Critical Infrastructure Assurance Council, an offshoot of the FBI’s
InfraGard efforts in the state, includes the state government and other state and local agencies.
The Council is referenced in the National Plan for Information Systems Protection. See,
National Critical Infrastructure Plan, below.
9 White House Press Release, dated January 18, 2000.
According to the National Plan released in January 2000 (see below), all primary
and secondary agencies are to have completed preliminary vulnerability analyses and
to have outlined proposed remedial actions. Again, according to the National Plan,
those remedial actions were to be budgeted for and submitted as part of the agencies’
FY2001 budgets submissions to the Office of Management and Budget and every year
thereafter. However, given the discussion above, the comprehensiveness of these
plans at this time may be in question.
National Critical Infrastructure Plan. The Administration, after some
delay, released Version 1.0 of its National Plan for Information Systems Protection
in January 2000. The Plan focuses primarily on efforts within the federal government,
dividing those between government-wide efforts and those unique to the national
security community. A second component dealing with the private sector and state
and local governments is in a formative stage. A plan for the physical protection of
critical assets is also to be developed. The Plan (159 pages) will not be
summarized here in any detail. The reader is referred to the CIAO website
([http://www.ciao.gov]) for either the executive summary or the full text of the Plan.
Essentially, the Plan identifies 10 “programs” under three broad objectives (see Table
3, below).
Each program contains some specific actions to be taken, capabilities to be
established, and dates by which these shall be accomplished. Other activities,
capabilities, and dates are more general (e.g. during FY2001).
The Plan includes a number of new initiatives identified by the Clinton
Administration. These are identified in the appendix of this report. Of course, the
ability to meet some of these milestones will depend on the willingness of Congress
to appropriate funds to carry them out.
Table 3. National Plan for Information Systems Protection, Version 1.0

Goal: Achieve a critical information systems defense with an initial operating
capability by December 2000, and a full operating capability by May 2003...that
ensures any interruption or manipulation of these critical functions must be brief,
infrequent, manageable, geographically isolated, and minimally detrimental to
the welfare of the United States.

Objectives                Programs
Prepare and Prevent       ID critical infrastructures and interdependencies and
                          address vulnerabilities
Detect and Respond        Detect attacks and unauthorized intrusions
                          Develop robust intelligence and law enforcement
                          capabilities consistent with the law
                          Share attack warnings and information in a timely manner
                          Create capabilities for response, reconstitution, and
                          recovery
Build Strong Foundations  Enhance research and development in the above
                          mentioned areas
                          Train and employ adequate numbers of information
                          security specialists
                          Make Americans aware of the need for improved
                          cyber-security
                          Adopt legislation and appropriations in support of effort
                          At every step of the process ensure full protection of
                          American citizens’ civil liberties, rights to privacy, and
                          rights to protection of proprietary information
Information Sharing and Analysis Center (ISAC). PDD-63 envisaged
an ISAC to be the private sector counterpart to the FBI’s National Infrastructure
Protection Center (NIPC), collecting and sharing incident and response information
among its members and facilitating information exchange between government and
the private sector. It is one of the critical recommendations made by the PCCIP and
probably one of the hardest to realize. While the Directive conceived of a single
center serving the entire private sector, the idea now is that each sector would have
its own center. The Clinton Administration’s FY2000 budget request included $8
million, $1 million for each of the primary liaison agencies, to support the
establishment of ISACs for each sector. Progress in forming sector ISACs has been
mixed.
Twenty-two of the nation’s largest banks, securities firms, insurance companies
and investment companies have joined together in a limited liability corporation to
form a banking and finance industry ISAC. An executive of Bank America chairs the
CEO Council that acts as the corporation’s board. The group has contracted with an
internet service provider (ISP)10 to design and operate the ISAC. Individual firms
feed raw computer network traffic data to the ISAC. The ISP maintains a database
and analyzes it for suspicious behavior and provides its customers with summary
reports. If suspicious behavior is detected, the analysis may be forwarded to the
federal government. Anonymity is maintained between participants and outside the
ISAC. The ISP will forward to its customers alerts and other information provided
by the federal government. The ISAC became operational in October, 1999.
The telecommunications industry has agreed to establish an ISAC through the
National Coordinating Center (NCC). The NCC is a government-industry partnership
that coordinates responses to disruptions in the National Communications System.
Unlike the banking and finance ISAC that uses a third party for centralized monitoring
and analysis, each member firm of the NCC will monitor and analyze its own
networks. If a firm suspects its network(s) have been breached, it will discuss the
incident(s) within the NCC. The NCC members will decide whether the suspected
behavior is serious enough to report to the appropriate federal authorities. Anonymity
will be maintained outside the NCC. Any communication between federal authorities
and member firms will take place through the NCC; this includes incident response
and requests for additional information.11
The electric power sector, too, has established a decentralized ISAC through its
North American Electricity Reliability Council (NAERC). Much like the NCC,
NAERC already monitors and coordinates responses to disruptions in the nation’s
supply of electricity. It is in this forum that information security issues and incidents
will be shared. The National Petroleum Council is still considering setting up an
ISAC with its members.
In January, 2001, the information technology industry announced its plans to
form an ISAC. Members include 19 major hardware, software, and e-commerce
firms, including AT&T, IBM, Cisco, Microsoft, Intel, and Oracle. The ISAC will be
overseen by a board made up of members and operated by Internet Security Systems.
The country’s water authorities are not leaning toward any centralized analysis
or reporting function. Individual water authorities have existing lines of
communications with the FBI through which they could report suspicious behavior.
The same could be true for the other local and state emergency services sectors.
In addition to these individual sectors setting up or contemplating ISACs, a
number of sectors have formed a Partnership for Critical Infrastructure Security
to share information and strategies and to identify interdependencies across sectoral
lines. The Partnership is a private sector initiative. A preliminary meeting was held
in December 1999 and five working groups were established
(Interdependencies/Vulnerability Assessment, Cross-Sector Information Sharing,
Legislation and Policy, Research and Development, and Organization). The working
groups meet every other month. The federal government is not officially part of the
Partnership, but the CIAO acts as a liaison and has provided administrative support
for meetings. Sector Liaisons from lead agencies are considered ex officio members.
Some entities not yet part of their own industry group (e.g. some hospitals and
pharmaceutical firms) are interested in participating in the Partnership.
10 The ISP is Global Integrity, a subsidiary of Science Applications International Corp.
(SAIC).
11 Federal agencies sit on the NCC, including the NSA. One could assume that knowledge of
incidents discussed in the NCC could find its way to federal investigatory authorities without
formally being reported.
Also, besides the efforts of the lead agencies to assist their sectors in considering
ISACs, the NIPC offers private sector firms from across all industries a program
called INFRAGARD. The program includes an Alert Network. Participants in the
program agree to supply the FBI with two reports when they suspect an intrusion of
their systems has occurred. One report is “sanitized” of sensitive information and the
other provides more detailed description of the intrusion. The FBI will help the
participant respond to the intrusion. In addition, all participants are sent periodic
updates on what is known about recent intrusion techniques. The NIPC is working
to set up local INFRAGARD chapters that can work with each other and regional FBI
field offices. In January, 2001, the FBI announced it had finished establishing
INFRAGARD chapters in each of its 56 field offices.
Issues
Administrative. While the Directive deals with infrastructure issues beyond
just computer systems and also considers physical protections, the Directive primarily
is concerned with “cyber” threats and vulnerabilities and, therefore, is an extension of
the government’s efforts in computer security. The Directive sought to use existing
authorities and expertise as much as possible in assigning responsibilities.
Nevertheless, the Directive does set up new entities that, at least at first glance,
assume responsibilities previously assigned to others. One question is to what extent
the Directive duplicates, supersedes, incorporates, or overturns existing computer
security efforts.
For example, the Paperwork Reduction Act of 1995 (P.L. 104-13) placed the
responsibility for establishing government-wide information resources management
policy with the Director of the Office of Management and Budget. Those policies are
outlined in OMB Circular A-130. Appendix III of the Circular incorporates
responsibilities for computer security as laid out in the Computer Security Act of
1987.12 The Computer Security Act requires all agencies to inventory their computer
systems and to establish security plans commensurate with the sensitivity of
information contained on them. Agencies are supposed to submit summaries of their
security plans along with their strategic information resources management plan to the
Office of Management and Budget (OMB). The agencies are to follow technical,
managerial, and administrative guidelines laid out by OMB, the Department of
Commerce, the General Services Administration, and the Office of Personnel
Management and should include (as detailed in the OMB Circular) incident response
plans, contingency plans, and awareness and training programs for personnel. The
Director of OMB may comment on those plans.
12 Appendix III does not apply to information technology that supports certain critical national
security missions as defined in 44 USC 3502(9) and 10 USC 2315. Policy for these national
security systems, i.e. telecommunications and information systems containing classified
information or used by the intelligence or military community, has been assigned by national
security directives to the Department of Defense.
Under PDD-63, agencies submitted plans (not dissimilar in content to those
called for in the Computer Security Act of 1987 and detailed in OMB Circular A-130
Appendix III) to the CIAO. The Critical Infrastructure Coordination Group
assembled an expert review team to review these plans (an “ad hoc” team was set up
at CIAO). What role does the Director of OMB now play in reviewing and
commenting on agency plans? What role does the National Coordinator, housed
within the National Security Council and to whom the CIAO reports, play in the
review and comment of an agency’s security plan?13 Who determines whether an
agency’s obligation to create an adequate plan has been met?
Among the responsibilities assigned to the Department of Commerce by OMB
Circular A-130 Appendix III is the coordination of agency incident response activities
to promote sharing of incident response information and related vulnerabilities. This
function has now migrated over to the General Services Administration which is in the
process of establishing a Federal Computer Incident and Emergency Response
Capability (FedCIRC). But, PDD-63 states and the National Plan reiterates that the
National Infrastructure Protection Center will provide the principal means of
facilitating and coordinating the federal government’s response to an incident,
mitigating attacks, investigating threats, and monitoring reconstitution efforts. Are
the lines of authority clearly established between the different organizations, many of
which are tasked with doing things that sound similar? What authority or influence
will the FBI, as manager of the NIPC, have over these organizations? Also, the NIPC
is responsible for warning, responding to, and investigating intrusions. Are these
functions compatible?14
The National Plan provides an interesting case in point. The Plan includes a
discussion of the Federal Aviation Agency’s (FAA) effort in establishing its own
Computer Security Incident Response Capability (CSIRC), as a number of other
agencies (Department of Energy, National Aeronautics and Space Administration)
have done already and which is being promoted by the Directive. The CSIRC is to
serve a centralized reporting and monitoring function within FAA. It will carry out
FAA-wide intrusion detection, intercepting all network activity that enters each FAA
installation. It will support FAA offices by analyzing the intrusion detection data
collected. There will be a Computer Incident Response Team (CIRT) trained in
handling intrusions and incidents. The CIRT will also provide disaster recovery
assistance to restore operations. When the CSIRC detects an intrusion, does it first
inform GSA’s FIDNET function or the NIPC? Does GSA’s FedCIRC function begin
helping FAA deal with the intrusion or does the NIPC? Can CSIRC deal with its
situation first and then forward information later? Who decides how to balance
FAA’s need to respond to the intrusion (say kicking the perpetrators off the network)
and the FBI’s need to gather sufficient evidence to catch and prosecute the
perpetrators?
13 It should be noted that the General Accounting Office has reported that the oversight of
agency security measures to date has been inadequate. See, U.S. General Accounting Office,
Information Security. Serious Weaknesses Place Critical Federal Operations and Assets at
Risk. GAO/AIMD-98-92. Sept. 1998.
14 This point is alluded to by Michael O’Neil, “Securing Our Critical Infrastructure: What
Lurks Beyond Y2K,” Legal Times, Week of Jan. 25, 1999.
The Computer Security Act of 1987 also established the Computer System
Security and Privacy Advisory Board (CSSPAB). The Board reports to the Secretary
of Commerce and is tasked with identifying emerging issues relative to computer
security and privacy, advising the National Institute of Standards and Technology and
the Commerce Secretary on such issues, and reporting to the Secretary of Commerce,
the Director of OMB, the Director of the National Security Agency, and appropriate
congressional committees. PDD-63 establishes the National Infrastructure Assurance
Council. Its duties are to propose and develop ways to encourage private industry to
perform periodic risk assessments of critical processes including information and
telecommunications systems and monitoring the development of private sector ISACs.
The Council will report to the President through the National Coordinator and the
Department of Commerce shall act as the President under the Federal Advisory
Committee Act. In addition, the National Security Telecommunications Advisory
Committee (NSTAC), established by Executive Order 12382 in September 1982,
undertook a study back in May 1995 on the reliance of the transportation sector, the
electric power sector, and the financial services sector on information networks and
the risks to those sectors should those networks be compromised. Are these advisory
committees/councils duplicating effort or do they offer complementary viewpoints?
There is another bureaucratic issue raised by PDD-63. Prior to the Computer
Security Act of 1987, the Reagan Administration established the National
Telecommunications and Information Systems Security Committee.15 The Committee
consists of 22 civilian and defense agencies. The National Security Agency was
named National Manager. The Committee was tasked with setting operating policies
governing the nation’s telecommunications system, its classified information systems,
and “other sensitive information.” The Computer Security Act of 1987 was enacted
in part out of congressional concern that the Committee might over-classify
government-held information16. Does PDD-63, by couching critical infrastructures in
national security terms and combining DOD and NSA professionals with civilian
professionals in operative functions, blur the distinction between classified and
unclassified (or national security and civilian) systems which was a primary focus of
the Computer Security Act of 1987?17
15National Security Decision Directive, NSDD-145. September 17, 1984.
16House Report 100-153(I).
17 This point is made by the Electronic Privacy Information Center in its report, Critical
Infrastructure Protection and the Endangerment of Civil Liberties (1998) and can be found
on the Center’s webpage at [http://www.epic.org/security/infowar/epic-cip.html].
Related to this issue is one raised by some Members of Congress who have
questioned the decision to place CIAO within the Department of Commerce. To
them, a threat to the nation’s critical infrastructures is a national security risk and
should be the responsibility of the Department of Defense. The Department of
Defense did serve as the executive agent for the PCCIP’s Transition Office which was
to be the model for the National Plan Coordinating Staff function. On the other hand, the
Department of Commerce has on-going relationships with many of the private
infrastructure operators with whom the Directive hopes to interact.
Restructuring by the Bush Administration. As part of its overall
redesign of White House organization and assignment of responsibilities, the new
Bush Administration is reviewing its options for coordinating and overseeing critical
infrastructure protection. There are two parallel efforts that impact this decision.
First, the National Security Council (NSC) is undergoing a major streamlining. All
groups within the Council have been abolished and must petition for reinstatement.
Whether, or to what extent, the NSC will remain the focal point for coordinating
critical infrastructure protection (i.e. serve as National Coordinator and chair the
Critical Infrastructure Coordination Group) is unclear. Second, there is continuing
debate about the merits of establishing a government-wide Chief Information Officer,
whose responsibilities would include protection of all federal non-national security-related
computer systems and coordination with the private sector on the protection of
privately owned computer systems.
There have been a number of proposals to modify the current organizational
structures and responsibilities laid out in PDD-63. Various proposals would place the
responsibility of overseeing and coordinating critical infrastructure directly in the
White House, either dedicated to critical infrastructure or as part of a broader
domestic terrorism function. Another option was put forth by the U.S. Commission
on National Security/21st Century (the Hart-Rudman Commission) which proposed
a new National Homeland Security Agency. The recommendation builds upon the
current Federal Emergency Management Agency (FEMA) by adding to it the Coast
Guard, the Border Patrol, Customs Service, and other agencies. It would include a
directorate responsible for critical infrastructure protection.
In the second session of the 106th Congress, legislation was introduced that
would have created a government-wide CIO and placed the function outside the
Office of Management and Budget (see Congressional Action below). Another
option being discussed is to keep the function within OMB.
In the balance lies the future of the Critical Infrastructure Assurance Office
(CIAO) which according to PDD-63 was supposed to sunset after FY2001. However,
the office received a place-holder in the out-going Clinton Administration’s baseline
budget. Also, it remains to be seen what role the NIPC will play within the Bush
Administration’s efforts. The NIPC as operated by the FBI has come under some
criticism for being too focused on investigations and prosecution, not equipped to
integrate and analyze intelligence from a variety of sources, and unwilling to share
information from its own sources.18 That there might be problems with the
functioning of the NIPC as envisioned by PDD-63 is suggested by the establishment
in the summer of 2000 of the Cyber Infrastructure Coordination Group within the
National Security Council. The Group consisted of two panels, the Cyber Incident
Working Group, and the Cyber Incident Steering Group. The NIPC chaired the
Working Group which included the Commander of the Joint Task Force-Computer
Network Defense (the NIPC’s counterpart in the Department of Defense), the chief
of information operations from the National Security Agency, the director of
FedCIRC, and the deputy assistant attorney general of the criminal division at the
Department of Justice. This group was to review any significant computer incidents
to determine the threat to U.S. economic and/or military security and to manage any
federal operational response. This sounds very much like the forum the NIPC was to
provide. The Group, like all others in the National Security Council, has been
abolished and it remains to be seen whether it will be reconstituted in some other form.
To what extent the Bush Administration commits to other critical infrastructure
protection initiatives of the Clinton Administration, such as the scholarship for service
program and other federal cyber service programs (see Appendix), FIDNET and
FedCIRC, and research and development, also remains to be seen.
Costs. In January, 2000 the Clinton Administration announced it had budgeted
$2 billion on critical infrastructure protection for FY2001 (see Appendix). This is an
estimate based on inputs to OMB from agencies asked to total and categorize dollars
budgeted for activities related to critical infrastructure protection (e.g. systems
protection, training). It is not clear, though, if agencies are consistent in what they
consider relevant. Also, it is difficult to identify some of these expenditures within the
agencies’ budget submissions and subsequent Congressional appropriations. Much of
the $2 billion is buried in other information technology or administrative line items.
Many of the agencies’ activities called for immediately by the Directive will be
part of on-going administrative duties. These activities, if not previously done (which
appears to be the case in many agencies), will require the reallocation of personnel
time and effort, presumably at the expense of other activities. The resources required
to meet PDD-63 requirements are supposed to be part of the agencies’ internal plans.
Some of the costs will not be known until after vulnerability assessments are done and
remedial actions determined. Also, each agency must develop and implement
education and awareness training programs. Agency costs may not be insignificant.
According to OMB, the IRS alone estimated a vulnerability analysis of its systems will
cost $58 million.19 The Plan outlines efforts at the Department of Energy to improve
its network security. Total costs are expected to be $80 million ($45 million for
operational security measures). On top of this, the Administration is asking for new
initiatives such as the intrusion detection network (FIDNET) and education and
training programs (Federal Cyber Service).
18 For example, see Bush Eyes Overhaul of E-Security. ComputerWorld. Vol. 34. No. 51. Dec.
18, 2000. pp. 1, 85.
19Conversation with OMB officials, 11 February, 1999.
Potential private sector costs are also unknown at this time. Some sectors are
already at the forefront in computer security and are sufficiently protected or need
only marginal investments. Others are not and will have to devote more resources.
The ability of certain sectors to raise the necessary capital may be limited, such as
metropolitan water authorities, which may be limited by regulation, or emergency fire
services, which may operate in a small community with limited resources. Even sectors
made up of large well capitalized firms are likely to make additional expenditures only
if they can identify a net positive return on investment.
Affecting these business decisions will be issues of risk and liability. As part of
its outreach efforts, the CIAO has helped the auditing, accounting, and corporate
directors communities identify and present to their memberships the responsibilities
governing board of directors and corporate officers have, as part of their fiduciary
responsibilities, in managing the risk to their corporation’s information assets. The
Institute of Internal Auditors, the American Institute of Certified Public Accountants,
the Information Systems Audit and Control Association and the National Association
of Corporate Directors have formed a consortium and held “summits” around the
country in an outreach effort. The main point of their discussion can best be summed
up by the following excerpt from a paper presented at these summits:
“The consensus opinion from our analysts is that all industries and companies
should be equally concerned about information technology security issues
because it is an issue that has an enormous potential to negatively impact the
valuation of a company’s stock...it must be the responsibility of corporate
leaders to ensure these threats are actually being addressed on an ongoing basis.
At the same time, the investment community must keep the issue front and
center of management.”20
Costs to the private sector may also depend on the extent to which the private
sector is compelled to go along with PDD-63 versus their ability to set their own
security standards. The current thinking is the private sector should voluntarily join
the effort and PDD-63 recommends that no new regulations or oversight bodies be
formed. But, what happens if a sector does not take actions the federal government
feels are necessary?
In an unrelated matter, but one that intersects with the efforts of critical
infrastructure protection, the financial services industry and the health care industry
are being required to follow new guidelines issued by their regulatory agencies aimed
at protecting the privacy of their customer data bases. Pursuant to the Gramm-Leach-Bliley
Act of 1999, federal regulators released in February, 2001, guidelines that the
industry must follow. Likewise, the Bush Administration is supposed to release by this
summer security rules that the health care industry must follow to comply with the
1996 Health Insurance Portability and Accountability Act (HIPAA). The guidelines
issued for the financial services industry are general (assess risks, have written policies
and procedures to control the risk, implement and test those policies, and update them
as necessary). The costs that are associated with these efforts might be a guide for
what it would cost if further rules were issued related to protecting information
systems upon which the nation’s critical infrastructures depend.
20 From a paper entitled Information Security Impacting Securities Valuations, by A.
Marshall Acuff, Jr., Salomon Smith Barney Inc.
Information Sharing. The information sharing called for in PDD-63 (internal
to the federal government, between the federal government and the private
sector, and between private firms) raises a number of issues.
PDD-63 calls for information to flow between agencies via FIDNET, FedCIRC
and the NIPC. What kind of information will be flowing? Will reporting consist of
raw network traffic data or just reports of incidents? Will content be monitored or
just the packet headers?21 Will reporting be in real-time or after-the-fact? How does
this impact the privacy and confidentiality of the information provided? The
Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. 552a) governs the
exchange of records between government agencies. It is not yet clear how the goals
of FIDNET and the NIPC will be impacted by the Act or how the goals of the Act
may be impacted if modified to address the FIDNET and/or NIPC mission.
Since much of what is considered to be critical infrastructure is owned and
operated by the private sector, implementing PDD-63 relies to a large extent on the
ability of the private sector and the federal government to share information.
However, it is unclear how open the private sector and the government will be in
sharing information. The private sector primarily wants from the government
information on potential threats which the government may want to protect in order
not to compromise sources or investigations. In fact, much of the threat assessment
done by the federal government is considered classified.22 For its part, the
government wants specific information on intrusions which companies may hold as
proprietary or which they may want to protect to prevent adverse publicity. Success
will depend on the ability of each side to demonstrate it can hold in confidence the
information exchanged.
This issue is made more complex by the question of how the information
exchanged will be handled within the context of the Freedom of Information Act
(FOIA). Proponents of PDD-63 would hope to exempt the information from public
disclosure under the existing FOIA statute. Those more critical of the Directive are
concerned that PDD-63 will expand the government’s ability to hold more
information as classified or sensitive.23
Another question has been raised about the FBI’s INFRAGARD program. For
example, are firms who volunteer to participate in the program given additional or
better information than what is available through the FBI outside the program?
21 Information travels through the system in packets containing the information itself (content)
and a header which contains addresses and instructions on how to handle the information.
22There are precedents for sharing classified information with private infrastructure operators,
and it has been mentioned that these situations might be a model for sharing such information
with ISACs and their members, if proper controls are in place. This, however, may involve
additional expense and procedural issues for those industries or firms not familiar with
handling such information.
23Op. cit. EPIC
Finally, the information exchanged between private firms within the context of
the Sector Coordinators and the ISACs raises antitrust concerns, as well as concerns
about sharing information that might unduly benefit competitors.
Privacy/Civil Liberties. The PDD states that individual liberties and rights
to privacy are to be preserved as the Directive is implemented. However, on-line
monitoring, either for system management reasons or for intrusion detection, has the
potential to collect vast amounts of information on who is doing what on the network.
Once an intrusion is detected, the federal government could get involved in real-time
monitoring. What, if any, of that information should be treated as private and subject
to privacy laws?
The National Plan states that it is the intent of the Clinton Administration to pass
all critical infrastructure efforts through the lens of privacy issues. In addition to
promised vigorous and thorough legal reviews of Plan programs, the Plan proposes
an annual colloquium on Cyber Security, Civil Liberties, and Citizens’ Rights between
the representatives of the federal government and outside groups.
But members of the privacy and civil liberty communities remain concerned
about proposals that have been made. For example, the PCCIP recommended that
law enforcement officials should need to get only a single warrant to track hackers
through cyberspace, rather than having to get a new warrant every time they trace a
hacker to a computer in another jurisdiction. The PCCIP also recommended that
employers be allowed to administer polygraph tests to their computer security
personnel. There are also suggestions of requiring background checks for computer
security personnel. The Clinton Administration did not take a position on any of
these recommendations. However, in a hearing before the House Judiciary’s
Subcommittee on Crime (February 29, 2000), the Clinton Administration did say that
having a nationwide track and trace capability would be very helpful in identifying
hackers.
Another issue is to what extent monitoring and responding to cyber attacks will
permit the government to get involved in the day-to-day operations of private
infrastructures. The PCCIP suggested possibly modifying the Defense Production
Act (50 USC Appendix, 2061 et seq) to provide the federal government with the
authority to direct private resources to help reconstitute critical infrastructures
suffering from a cyber attack. This authority exists now regarding the supply and
distribution of energy and critical materials in an emergency. Suppose that the
computer networks managing the nation’s railroads were to “go down” for unknown
but suspicious reasons. What role would the federal government play in allocating
resources and reconstituting service?
Congressional Action
Congress’s interest in protecting the nation’s critical infrastructure spans its
oversight, legislative, and appropriating responsibilities. Most Congressional activity
regarding critical infrastructure protection has focused to date on oversight. A
number of committees have held hearings on various aspects of the issue. These
include the Senate Judiciary’s Subcommittee on Technology, Terrorism and
Government Information and its Subcommittee on Criminal Justice Oversight; the
House Judiciary’s Subcommittee on Crime; the Senate Committee on Small Business;
the House Science Committee’s Technology Subcommittee; and the House Government
Reform Committee’s Subcommittee on Government Management, Information, and
Technology, which in September 2000 released a report card rating how well
agencies were protecting their information assets.
While there was much activity administratively, on the part of the Clinton
Administration, and in oversight by the Congress, legislation has moved more slowly.
In the 106th Congress a number of bills were introduced that addressed one or
another issue associated with PDD-63. A couple of bills were directly related to
PDD-63. S. 2702 required the President to report to Congress on the specific actions
being taken by agencies to implement PDD-63. This requirement was later added as an
amendment to the FY2001 Department of Defense Authorization Act (P.L. 106-398).
H.R. 4246 directly addressed FOIA and anti-trust concerns associated with ISACs by
defining a “cyber security web site” and exempting those websites from FOIA access
and anti-trust litigation as long as the information contained on those sites is not
used to impede free market functions. The bill also explicitly allowed the federal
government to set up working groups of federal officials to work with industry groups
without such groups being considered federal advisory committees.
Other bills dealt more with computer security in general. S. 1993 amended
chapter 35 of title 44, United States Code (the Paperwork Reduction Act), to
strengthen information security practices throughout the federal government by adding
a separate subchapter specifically dedicated to information security. Among other
things, the bill requires agencies to have an annual independent assessment of their
computer security plans and practices and calls on the Comptroller General to report
on those reviews. The bill was attached to the FY2001 Defense Authorization Act
(Title X, Subtitle G, referred to as the Government Information Security Reform Act
in P.L. 106-398). H.R. 5024 would have transferred many of the computer security
responsibilities given to the Director of OMB by the Paperwork Reduction Act of 1995
to a Government-wide Chief Information Officer located outside OMB.
A number of other bills were introduced that addressed issues such as applying
trap and trace procedures to tracking hackers across jurisdictions, modifying
thresholds and penalties in computer crime statutes, and organizational changes meant
to deal better with computer crime and cyber-terrorism. There also have been, and
continue to be, a number of other bills introduced that relate to privacy, encryption,
public key policies, computer fraud, etc. These issues are tangentially related to
PDD-63.[24]
The 107th Congress will undoubtedly continue its oversight of the efforts to
protect the nation’s critical infrastructure. Also, there may be legislation introduced
associated with restructuring the responsibilities for overseeing and coordinating
Administration efforts and/or legislation reexamining the criminal statutes and those
relating to criminal investigations.

[24] For an overview of these issues, see Congressional Research Service. Internet: An
Overview of Six Key Policy Issues Affecting Its Use and Growth, by Marcia Smith et al.
CRS Report 98-67 STM. Updated April 9, 1999.
Appendix
FY2001 Budget
On January 7, 2000, the Clinton Administration announced it was going to ask
for $2.03 billion in FY2001 for protecting the nation’s critical infrastructure against
cyber attacks. This was an estimate by OMB, based on canvassing individual agencies
to identify activities that constitute protection of their critical infrastructure or support
the protection of infrastructure in the private sector. Included in the tally was $621
million for research and development, up from the $461 million that Congress
appropriated for FY2000. Among the highlights mentioned in the announcement
were the initiatives listed below.
Federal Cyber Services Training and Education ($25 million )
This initiative is an effort to improve the recruitment and retention of a highly
skilled government information technology workforce, including increasing the pool
of skilled information security specialists. The initiative consists of a number of
different activities.
One activity, called the Scholarship for Service (SFS), would be a ROTC-like
program in which the federal government, through the National Science Foundation
(NSF), pays for a 2-year undergraduate or graduate degree in information security in
exchange for government service in information security. The scholarship would
cover two years at schools with accredited information technology programs.
Students participating in the program would also do summer internships at
government agencies and attend periodic conferences.
A second activity is called the Center for Information Technology Excellence
(CITE). CITE would provide continuing training for existing federal systems
administrators and information systems security officers. CITE would be managed and
run by the Office of Personnel Management. Training would be offered by selected
sites both inside and outside the federal government. Curricula would be based on key
competencies, and a certification process would verify that those competencies have
been attained. It should be noted that the National Security Agency runs a similar
program geared toward the national security community; NSA has identified 8
universities as centers of information technology excellence. The CITE program
described here would draw on the experience of the NSA program to establish a
similar capability for the entire federal government.
A third activity would be a high school and secondary school outreach program
to educate high school students and teachers and the general public about information
security. The fourth activity would be to promote information security awareness
within the federal workforce.
Permanent Expert Review Team ($5 million over two years)
This would make permanent the review of agencies’ internal security plans,
vulnerability analyses, etc. The team would be supported through the National
Institute of Standards and Technology.
Federal Intrusion Detection Network ($10 million)
FIDNET would be an intrusion detection network for civilian government
agencies managed by the General Services Administration. It should be noted that the
Department of Defense and the National Security Agency have each set up their own
intrusion detection networks. These will all be linked together and with the National
Infrastructure Protection Center at the FBI.
Public Key Infrastructure Pilots ($7 million)
Public key infrastructure (PKI) allows two-way (mutual) authentication of
communications between computers and is critical for electronic commerce and for
agencies to exchange information with contractors, constituents, etc. This initiative
would support 7 pilot programs at different federal agencies.
Institute for Information Infrastructure Protection ($50 million)
This would be a research and development fund operated through the National
Institute of Standards and Technology (NIST) to support research that might not
otherwise be conducted by the private sector or defense agencies. Currently, nearly
all federal information security research and development funds go to defense
agencies. While operated through NIST, the Institute would report to a Federal
Coordinating Council consisting of the President’s Science Advisor, the Deputy
Director/Office of Management and Budget, the Director/National Security Agency,
the Director/NIST, and the National Coordinator for Security, Infrastructure
Protection, and Counter-Terrorism. The Institute would consult with the National
Infrastructure Advisory Council and the Sector Coordinators.
Since much of the estimated $2.0 billion budgeted for critical infrastructure
protection falls within ongoing administrative accounts, it is difficult to track the
extent to which these activities are supported by appropriations until (or unless) OMB
releases a FY2002 budget identifying how expenditures were allocated in FY2001.
However, a couple of initiatives were more highly visible and Congress provided
mixed support for them. For example, the NSF scholarship for service program
received its $11.2 million appropriation. NIST did not receive the $50 million
appropriation for the Institute for Information Infrastructure Protection, but did
receive $3 million of the $5 million requested for the Expert Review Team. GSA
received $8 million of the $15 million it requested for FIDNET and FedCIRC. How
much of that goes toward FIDNET is not clear.
Table A.1. Critical Infrastructure Protection Funding by Department
(millions $)

Department                          FY98       FY99       FY00       FY01
                                    actual     actual     enacted    request
Agriculture                           2.70       3.22       3.88      14.03
Commerce                              9.35      21.81      17.75      92.10
Education                             3.59       4.45       5.23       2.51
Energy                                1.50       3.60      21.98      45.30
EOP                                   0.05       0.58       0.48       0.56
EPA                                   0.12       0.24       0.08       2.30
FEMA                                  0.00       0.00       0.80       1.47
GSA                                   0.00       3.00       0.00      15.40
HHS                                  21.83      12.17      13.17      19.55
Interior                              1.29       1.60       2.65       1.83
Justice                              25.61      54.09      44.02      45.51
NASA                                 41.00      43.00      66.00      61.00
NSF                                  19.15      21.42      26.65      43.85
National Security (incl. DOD)       974.56   1,185.22   1,402.94   1,458.91
Nuclear Regulatory Commission         0.00       0.20       0.00       0.25
OPM                                   0.00       0.00       2.00       9.00
Transportation                       20.33      24.88      50.68      92.34
Treasury                             22.91      48.89      76.22      87.03
Veterans Affairs                      0.00       0.00      17.33      17.39
Grand Total                       1,143.98   1,428.35   1,751.86   2,010.33

Source: data from the Office of Management and Budget.