Order Code RL30153
Report for Congress
Received through the CRS Web
Critical Infrastructures:
Background, Policy,
and Implementation
Updated December 17, 2002
John D. Moteff
Specialist in Science and Technology Policy
Resources, Science, and Industry Division
Congressional Research Service ˜ The Library of Congress
Critical Infrastructures:
Background, Policy and Implementation
Summary
The nation’s health, wealth, and security rely on the production and distribution
of certain goods and services. The array of physical assets, processes and
organizations across which these goods and services move are called critical
infrastructures (e.g. electricity, the power plants that generate it, and the electric grid
upon which it is distributed). Computers and communications, themselves critical
infrastructures, are increasingly tying these infrastructures together. There has been
growing concern that this reliance on computers and computer networks raises the
vulnerability of the nation’s critical infrastructures to “cyber” attacks.
In May 1998, President Clinton released Presidential Decision Directive No. 63.
The Directive set up groups within the federal government to develop and implement
plans that would protect government-operated infrastructures and called for a
dialogue between government and the private sector to develop a National
Infrastructure Assurance Plan that would protect all of the nation’s critical
infrastructures by the year 2003. While the Directive called for both physical and
cyber protection from both man-made and natural events, implementation focused
on cyber protection against man-made cyber events (i.e. computer hackers).
However, given the physical damage caused by the September 11 attacks and the
subsequent impact on the communications, finance, and transportation services,
physical protections of critical infrastructures is receiving greater attention.
Following the events of September 11, the Bush Administration released two
relevant Executive Orders (EOs). EO 13228, signed October 8, 2001 established the
Office of Homeland Security. Among its duties, the Office shall “coordinate efforts
to protect the United States and its critical infrastructure from the consequences of
terrorist attacks.” EO 13231, signed October 16, stated the Bush Administration’s
policy and objectives for protecting the nation’s information infrastructure. These
are similar to those stated in PDD-63 and assumed continuation of many PDD-63
activities. E.O. 13231, however, focused entirely on information systems. E.O.
13231 also established the President’s Critical Infrastructure Protection Board. The
mission of the Board is to “recommend and coordinate programs for protecting
information systems for critical infrastructures.”
On November 22, 2002, Congress passed legislation creating a Department of
Homeland Security. The Department consolidates into a single department a number
of offices and agencies responsible for implementing various aspects of homeland
security. One of the directorates created by the legislation is responsible for
Information Analysis and Infrastructure Protection.
While the creation of a new department affects some consolidation, dispersed
and overlapping responsibilities in the area of critical infrastructure protection
remains an issue. Other issues include protections for information shared between
the government and the private sector, privacy versus protection, costs and the need
to set priorities, and whether or not the federal government will need to employ more
direct incentives to achieve an adequate level of protection by the private sector.
Contents
Latest Developments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
The President’s Commission on Critical Infrastructure Protection . . . . . . . . 3
Presidential Decision Directive No. 63 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Restructuring by the Bush Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Pre-September 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Post-September 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
National Strategy for Homeland Security . . . . . . . . . . . . . . . . . . . . . . 11
Department of Homeland Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Policy Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Lead Agencies and Selection of Sector Liaison Officials and
Functional Coordinators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Identifying and Selecting Sector Coordinators . . . . . . . . . . . . . . . . . . 15
Appointment of the National Infrastructure Assurance Council . . . . . 17
Internal Agency Plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
National Critical Infrastructure Plan . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Information Sharing and Analysis Center (ISAC) . . . . . . . . . . . . . . . . 20
Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Roles and Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Costs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Information Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Privacy/Civil Liberties? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Congressional Interest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
For Additional Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
List of Tables
Table 1. Lead Agencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Table 2. Lead Agencies as Proposed in the National Strategy for
Homeland Defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Table 3. Sector Coordinators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Critical Infrastructures: Background, Policy,
and Implementation
Latest Developments
The President’s Critical Infrastructure Protection Board released a draft
version of the National Strategy to Secure Cyberspace in September 2002 for public
comment. The Strategy could be considered Version 2.0 of an earlier National Plan
for Information Systems Protection released by the Clinton Administration in 2000.
The Bush Strategy reflects input from the private sector and state and local
governments and makes recommendations for actions that those sectors, as well as
all stakeholders, may wish to take to help secure their share of the nation’s
information infrastructure (see National Critical Infrastructure Plan).
Congress passed (November 22) and President Bush signed (November 25)
legislation (P.L. 107-269) to create a Department of Homeland Security. Among the
provisions of the Act is the creation of a Directorate for Information Analysis and
Infrastructure Protection. The Directorate will assume a number of offices and
agencies, and their duties, associated with critical infrastructure protection.
Introduction
Certain socio-economic activities are vital to the day-to-day functioning and
security of the country; for example, transportation of goods and people,
communications, banking and finance, and the supply and distribution of electricity
and water. Domestic security and our ability to monitor, deter, and respond to
outside hostile acts also depend on some of these activities as well as other more
specialized activities like intelligence gathering and command and control of police
and military forces. A serious disruption in these activities and capabilities could
have a major impact on the country’s well-being.1
These activities and capabilities are supported by an array of physical assets,
processes, information, and organizations forming what has been called the nation’s
critical infrastructures. The country’s critical infrastructures are growing increasingly
complex, relying on computers and, now, computer networks to operate efficiently
and reliably. The growing complexity, and the interconnectedness resulting from
networking, means that a disruption in one may lead to disruptions in others.
1 As a reminder of how dependent society is on its infrastructure, in May 1998, PanAmSat’s
Galaxy IV satellite’s on-board controller malfunctioned, disrupting service to an estimated
80-90% of the nation’s pagers, causing problems for hospitals trying to reach doctors on
call, emergency workers, and people trying to use their credit cards at gas pumps, to name
but a few.
CRS-2
Disruptions can be caused by any number of factors: poor design, operator error,
physical destruction due to natural causes, (earthquakes, lightening strikes, etc.) or
physical destruction due to intentional human actions (theft, arson, terrorist attack,
etc.). Over the years, operators of these infrastructures have taken measures to guard
against and to quickly respond to many of these risks.2 However, the growing
dependency of these systems on information technologies and computer networks
introduces a new vector by which problems can be introduced.3
Of particular concern is the threat posed by “hackers” who can gain
unauthorized access to a system and who could destroy, corrupt, steal, or monitor
information vital to the operation of the system. Unlike someone setting off a bomb,
hackers can gain access to a critical site from a remote location4. To date, the ability
to detect and deter their actions is limited. While infrastructure operators are also
taking measures to guard against and respond to cyber attacks, there is concern that
the number of “on-line” operations is growing faster than security awareness and the
use of sound security measures.
Hackers range from mischievous teenagers, to disgruntled employees, to
criminals, to spies, to foreign military organizations. While the more commonly
reported incidents involve mischievous teenagers (or adults), self-proclaimed
“electronic anarchists”, or disgruntled (former) employees, the primary concern are
criminals, spies, military personnel, or terrorists from around the world who appear
to be perfecting their hacking skills and who may pose a potential strategic threat to
the reliable operations of our critical infrastructures.5
Prior to September 11, critical infrastructure protection was synonymous with
cyber security to many people. Recent policies, and implementation of those
policies, also focused on cyber security. Consequently, much of this report discusses
cyber related activities and issues. However, the terrorist attacks of September 11,
and the subsequent anthrax attacks, demonstrated the need to reexamine physical
protections and to integrate physical protections into an overall critical infrastructure
2 Following September 11, these protections will undoubtedly be reexamined.
3 Efforts to integrate the computer systems of Norfolk Southern and Conrail after their
merger in June, 1999 caused a series of mishaps leaving trains misrouted, crews
misscheduled, and products lost. See, “Merged Railroads Still Plagued by IT Snafus,”
Computerworld, January 17, 2000,pp 20-21.
4 See, Cyber-Attacks by Al Qaeda Feared, Washington Post. Thursday June 27, 2002
ppA1,A10. Among the topics discussed in the article, is a man in Australia who was able
to remotely gain access to the digital control system of a sewage treatment plant to cause
raw sewage to leak into the surrounding environment.
5 The Director of the Central Intelligence Agency testified before the Senate Committee on
Governmental Affairs (June 24, 1998) that a number of countries are incorporating
information warfare into their military doctrine and training and developing operational
capability. It should be noted that the U.S. military is probably the leader in developing
both offensive and defensive computer warfare techniques and doctrine.
CRS-3
policy.6 To the extent this happens, this report will capture it. However, specific
protections, physical or cyber, associated with individual infrastructures is beyond
the scope of this report. For CRS products related to specific infrastructure
protection efforts, see For Additional Reading.
The President’s Commission on Critical Infrastructure
Protection
This report takes as its starting point the establishment of the President’s
Commission on Critical Infrastructure Protection (PCCIP) in July 1996.7 Its tasks
were to: report to the President the scope and nature of the vulnerabilities and threats
to the nation’s critical infrastructures (focusing primarily on cyber threats);
recommend a comprehensive national policy and implementation plan for protecting
critical infrastructures; determine legal and policy issues raised by proposals to
increase protections; and propose statutory and regulatory changes necessary to effect
recommendations.
The PCCIP released its report to President Clinton in October 1997.8
Examining both the physical and cyber vulnerabilities, the Commission found no
immediate crisis threatening the nation’s infrastructures. However, it did find reason
to take action, especially in the area of cyber security. The rapid growth of a
computer-literate population (implying a greater pool of potential hackers), the
inherent vulnerabilities of common protocols in computer networks, the easy
availability of hacker “tools” (available on many websites), and the fact that the basic
tools of the hacker (computer, modem, telephone line) are the same essential
technologies used by the general population indicated to the Commission that both
the threat and vulnerability exist.
The Commission’s general recommendation was that greater cooperation and
communication between the private sector and government was needed. Much of the
nation’s critical infrastructure is owned and operated by the private sector. As seen
by the Commission, the government’s primary role (aside from protecting its own
infrastructures) is to collect and disseminate the latest information on intrusion
techniques, threat analysis, and ways to defend against hackers.
The Commission also proposed a strategy for action:
6 Besides loss of life, the terrorist attacks of September 11 disrupted the services of a number
of critical infrastructures (including telecommunications, the internet, financial markets, and
air transportation). In some cases, protections already in place (like off-site storage of data,
mirror capacity, etc.) allowed for relatively quick reconstitution of services. In other cases,
service was disrupted for much longer periods of time.
7 Executive Order 13010.Critical Infrastructure Protection. Federal Register. Vol 61. No.
138. July 17, 1996. pp. 3747-3750.
8 President’s Commission on Critical Infrastructure Protection, Critical Foundations:
Protecting America’s Infrastructures, October 1997.
CRS-4
! facilitate greater cooperation and communication between the
private sector and appropriate government agencies by: setting a top
level policy-making office in the White House; establishing a
council that includes corporate executives, state and local
government officials, and cabinet secretaries; and setting up
information clearinghouses;
! develop a real-time capability of attack warning;
! establish and promote a comprehensive awareness and education
program;
! streamline and clarify elements of the legal structure to support
assurance measures (including clearing jurisdictional barriers to
pursuing hackers electronically); and,
! expand research and development in technologies and techniques,
especially technologies that allow for greater detection of intrusions.
The Commission’s report underwent interagency review to determine how to
respond. That review led to a Presidential Decision Directive released in May 1998.
Presidential Decision Directive No. 63
Presidential Decision Directive No. 63 (PDD-63)9 set as a national goal the
ability to protect the nation’s critical infrastructure from intentional attacks (both
physical and cyber) by the year 2003. According to the PDD, any interruptions in the
ability of these infrastructures to provide their goods and services must be “brief,
infrequent, manageable, geographically isolated, and minimally detrimental to the
welfare of the United States.”10
PDD-63 identified the following activities whose critical infrastructures should
be protected: information and communications; banking and finance; water supply;
aviation, highways, mass transit, pipelines, rail, and waterborne commerce;
emergency and law enforcement services; emergency, fire, and continuity of
government services; public health services; electric power, oil and gas production,
and storage.11 In addition, the PDD identified four activities where the federal
government controls the critical infrastructure: internal security and federal law
enforcement; foreign intelligence; foreign affairs; and national defense.
A lead agency was assigned to each of these “sectors” (see Table 1). Each lead
agency was directed to appoint a Sector Liaison Official to interact with appropriate
private sector organizations. The private sector was encouraged to select a Sector
Coordinator to work with the agency’s sector liaison official (see Table 3 below).
Together, the liaison official, sector coordinator, and all affected parties were to
9 See, The Clinton’s Administration’s Policy on Critical Infrastructure Protection:
Presidential Decision Directive 63, White Paper, May 22, 1998, which can be found on
[http://www.ciao.gov/ciao_document_library/paper598.html].
10 Ibid.
11 The National Strategy on Homeland Security has expanded the list of critical
infrastructures identified.
CRS-5
contribute to a sectoral security plan which will be integrated into a National
Infrastructure Assurance Plan. Each of the activities performed primarily by the
federal government also were assigned a lead agency who was to appoint a
Functional Coordinator to coordinate efforts similar to those made by the Sector
Liaisons.
Table 1. Lead Agencies
Department/Agency
Sector/Function
Commerce
Information and Communications
Treasury
Banking and Finance
EPA
Water
Transportation
Transportation
Justice
Emergency Law Enforcement
Federal Emergency Management
Emergency Fire Service
Agency
Health and Human Services
Emergency Medicine
Energy
Electric Power, Gas, and Oil
Justice
Law Enforcement and International
Security
Director of Central Intelligence
Intelligence
State
Foreign Affairs
Defense
National Defense
The PDD also assigned duties to the National Coordinator for Security,
Infrastructure Protection, and Counter-terrorism.12 The National Coordinator
reported to the President through the Assistant to the President for National Security
Affairs.13 Among his many duties outlined in PDD-63, the National Coordinator
chaired the Critical Infrastructure Coordination Group. This Group was the
primary interagency working group for developing and implementing policy and for
12 The National Coordinator position was created by Presidential Decision Directive 62,
“Combating Terrorism.” PDD-62, which is classified, codifies and clarifies the roles and
missions of various agencies engaged in counter-terrorism activities. The Office of the
National Coordinator was established to integrate and coordinate these activities. The
White House released a fact sheet on PDD-62 on May 22, 1998.
13 President Clinton designated Richard Clarke (Special Assistant to the President for Global
Affairs, National Security Council) as National Coordinator.
CRS-6
coordinating the federal government’s own internal security measures. The Group
included high level representatives from the lead agencies (including the Sector
Liaisons), the National Economic Council, and all other relevant agencies.
Each federal agency was made responsible for securing its own critical
infrastructure and was to designate a Critical Infrastructure Assurance Officer
(CIAO) to assume that responsibility. The agency’s current Chief Information
Officer (CIO) could double in that capacity. In those cases where the CIO and the
CIAO were different, the CIO was responsible for assuring the agency’s information
assets (databases, software, computers), while the CIAO was responsible for any
other assets that make up that agency’s critical infrastructure. Agencies were given
180 days from the signing of the Directive to develop their plans. Those plans were
to be fully implemented within 2 years and updated every 2 years.
The PDD set up a National Infrastructure Assurance Council. The Council
was to be a panel that included private operators of infrastructure assets and officials
from state and local government officials and relevant federal agencies. The Council
was to meet periodically and provide reports to the President as appropriate. The
National Coordinator was to act as the Executive Director of the Council.
The PDD also called for a National Infrastructure Assurance Plan. The Plan
is to integrate the plans from each of the sectors mentioned above and should
consider the following: a vulnerability assessment, including the minimum essential
capability required of the sector’s infrastructure to meet its purpose; remedial plans
to reduce the sector’s vulnerability; warning requirements and procedures; response
strategies; reconstitution of services; education and awareness programs; research
and development needs; intelligence strategies; needs and opportunities for
international cooperation; and legislative and budgetary requirements.
The PDD also set up a National Plan Coordination Staff to support the plan’s
development. Subsequently, the Critical Infrastructure Assurance Office (CIAO,
not to be confused with the agencies’ Critical Infrastructure Assurance Officers) was
established to serve this function and was placed in the Department of Commerce’s
Export Administration. CIAO supported the National Coordinator’s efforts to
integrate the sectoral plans into a National Plan, supported individual agencies in
developing their internal plans, helped coordinate a national education and awareness
programs, and provided legislative and public affairs support.
In addition to the above activities, the PDD called for studies on specific topics.
These included issues of: liability that might arise from private firms participating in
an information sharing process; legal impediments to information sharing;
classification of information and granting of clearances (efforts to share threat and
vulnerability information with private sector CEOs has been hampered by the need
to convey that information in a classified manner); information sharing with foreign
entities; and the merits of mandating, subsidizing or otherwise assisting in the
provision of insurance for selected infrastructure providers.
Most of the Directive established policy-making and oversight bodies making
use of existing agency authorities and expertise. However, the PDD also addressed
operational concerns. The Directive called for a national capability to detect and
CRS-7
respond to cyber attacks while they are in progress. Although not specifically
identified in the Directive, the Clinton Administration proposed establishing a
Federal Instruction Detection Network (FIDNET) that would, together with the
Federal Computer Intrusion Response Capability (FedCIRC) begun just prior
to PDD-63, meet this goal. The Directive explicitly gave the Federal Bureau of
Investigation the authority to expand its existing computer crime capabilities into a
National Infrastructure Protection Center (NIPC). The Directive called for the
NIPC to be the focal point for federal threat assessment, vulnerability analysis, early
warning capability, law enforcement investigations, and response coordination. All
agencies were required to forward to the NIPC information about threats and actual
attacks on their infrastructure as well as attacks made on private sector infrastructures
of which they become aware. Presumably, FIDNET14 and FedCIRC would feed into
the NIPC. According to the Directive, the NIPC would be linked electronically to the
rest of the federal government and use warning and response expertise located
throughout the federal government.. The Directive also made the NIPC the conduit
for information sharing with the private sector through an equivalent Information
Sharing and Analysis Center(s) operated by the private sector, which PDD-63
encouraged the private sector to establish.
While the FBI was given the lead, the NIPC also includes the Department of
Defense, the Intelligence Community, and a representative from all lead agencies.
Depending on the level of threat or the character of the intrusion, the NIPC may be
placed in direct support of either the Department of Defense or the Intelligence
Community.
Quite independent of PDD-63 in its origin, but clearly complimentary in its
purpose, the FBI offers a program called INFRAGARD to private sector firms. The
program includes an Alert Network. Participants in the program agree to supply the
FBI with two reports when they suspect an intrusion of their systems has occurred.
One report is “sanitized” of sensitive information and the other provides more
detailed description of the intrusion. The FBI will help the participant respond to the
intrusion. In addition, all participants are sent periodic updates on what is known
about recent intrusion techniques. The NIPC is working to set up local
INFRAGARD chapters that can work with each other and regional FBI field offices.
In January, 2001, the FBI announced it had finished establishing INFRAGARD
chapters in each of its 56 field offices. Rather than sector-oriented, INFRAGARD
is geographically-oriented.
It should also be noted that the FBI has had since the 1980s a program called the
Key Assets Initiative (KAI). The objective of the KAI is to develop a database of
information on “key assets” within the jurisdiction of each FBI field office, establish
lines of communications with asset owners and operators to improve physical and
14 From the beginning FIDNET generated controversy both inside and outside the
government. Privacy concerns, cost and technical feasibility were at issue. By the end of
the Clinton Administration, FIDNET as a distributed intrusion detection system feeding into
a centralized analysis and warning capability was abandoned. Each agency, however, is
allowed and encouraged to use intrusion detection technology to monitor and secure their
own systems.
CRS-8
cyber protection, and to coordinate with other federal, state, and local authorities to
ensure their involvement in the protection of those assets. The program was initially
begun to allow for contingency planning against physical terrorist attacks. According
to testimony by a former Director of the NIPC, the program was “reinvigorated” by
the NIPC and expanded to included the cyber dimension.15
Restructuring by the Bush Administration
Pre-September 11. As part of its overall redesign of White House
organization and assignment of responsibilities, the in-coming Bush Administration
spent the first 8 months reviewing its options for coordinating and overseeing critical
infrastructure protection. During this time, the Bush Administration continued to
support the activities begun by the Clinton Administration.
The Bush Administration review was influenced by three parallel debates. First,
the National Security Council (NSC) underwent a major streamlining. All groups
within the Council established during previous Administrations were abolished.
Their responsibilities and functions were consolidated into 17 Policy Coordination
Committees (PCCs). The activities associated with critical infrastructure protection
were assumed by the Counter-Terrorism and National Preparedness PCC. At the
time, whether, or to what extent, the NSC should remain the focal point for
coordinating critical infrastructure protection (i.e. the National Coordinator came
from the NSC) was unclear. Richard Clarke, himself, wrote a memorandum to the
incoming Bush Administration that the function should be transferred directly to the
White House.16
Second, there was a continuing debate about the merits of establishing a
government-wide Chief Information Officer (CIO), whose responsibilities would
include protection of all federal non-national security-related computer systems and
coordination with the private sector on the protection of privately owned computer
systems. The Bush Administration announced mid-year its desire not to create a
separate federal CIO position, but to recruit a Deputy Director of the Office of
Management and Budget that would assume an oversight role of agency CIOs. One
of the reason’s cited for this was a desire to keep agencies responsible for their own
computer security.17
Third, there was the continuing debate about how best to defend the country
against terrorism, in general. Some include in the terrorist threat cyber attacks on
15 Testimony by Michael Vatis before the Senate Judiciary Committee, Subcommittee on
Technology and Terrorism. Oct. 6, 1999. The above mentioned Washington Post article
(Cyber Acts by Al Qaeda Feared, Thursday June 27, 2002) quotes an spokesman for the
electric utility industry as suggesting that industry is reluctant to share that information out
of concern that it will not be kept confidential.
16 Senior NSC Official Pitches Cyber-Security Czar Concept in Memo to Rice. Inside the
Pentagon. January 11, 2001. p 2-3.
17 For a discussion of this and the status of federal CIO legislation, see CRS Report
RL30914, Federal Chief Information Officer (CIO): Opportunities and Challenges, by
Jeffery Siefert.
CRS-9
critical infrastructure. The U.S. Commission on National Security/21st Century (the
Hart-Rudman Commission) proposed a new National Homeland Security Agency.
The recommendation built upon the current Federal Emergency Management Agency
(FEMA) by adding to it the Coast Guard, the Border Patrol, Customs Service, and
other agencies. The Commission recommended that the new organization include
a directorate responsible for critical infrastructure protection. While both the Clinton
and Bush Administration remained cool to this idea, bills were introduced in
Congress to establish such an agency. As discussed below, the Bush Administration
changed its position in June 2002, and proposed a new department along the lines of
that proposed by the Hart/Rudman Commission and Congress.
Post-September 11. Following the September 11 terrorist attacks President
Bush signed two Executive Orders relevant to critical infrastructure protection. E.O.
13228, signed October 8, 2001 established the Office of Homeland Security, headed
by the Assistant to the President for Homeland Security.18 Its mission is to
“develop and coordinate the implementation of a comprehensive national strategy to
secure the United States from terrorist threats and attacks.” Among its functions is
the coordination of efforts to protect the United States and its critical infrastructure
from the consequences of terrorist attacks. This includes strengthening measures for
protecting energy production, transmission, and distribution; telecommunications;
public and privately owned information systems; transportation systems; and, the
provision of food and water for human use. Another function of the Office is to
coordinate efforts to ensure rapid restoration of these critical infrastructures after a
disruption by a terrorist threat or attack.
Finally, the EO also established the Homeland Security Council. The Council,
made up of the President, Vice-President, Secretaries of Treasury, Defense, Health
and Human Services, and Transportation, the Attorney General, the Directors of
FEMA, FBI, and CIA and the Assistant to the President for Homeland Security.
Other White House and departmental officials could be invited to attend Council
meetings.19 The Council advises and assists the President with respect to all aspects
of homeland security. The agenda for those meetings shall be set by the Assistant to
President for Homeland Security, at the direction of the President. The Assistant is
also the official recorder of Council actions and Presidential decisions.
The second Executive Order (E.O. 13231) signed October 16, 2001, stated that
it is U.S. policy “to protect against the disruption of the operation of information
systems for critical infrastructure...and to ensure that any disruptions that occur are
infrequent, of minimal duration, and manageable, and cause the least damage
possible.”20 This Order also established the President’s Critical Infrastructure
Protection Board. The Board’s responsibility is to “recommend policies and
18 President Bush selected Tom Ridge to head the new Office.
19 For more information on the structure of the Homeland Security Council and the Office
of Homeland Security, see CRS Report RL31148. Homeland Security: The Presidential
Coordination Office, by Harold Relyea.
20 Executive Order 13231—Critical Infrastructure Protection in the Information Age. Federal
Register. Vol. 86. No. 202. Oct. 18, 2001.
CRS-10
coordinate programs for protecting information systems for critical infrastructure...”
The Order also established a number of standing committees of the Board that
includes Research and Development (chaired by a designee of the Director of the
Office of Science and Technology), Incident Response (chaired by the designees of
the Attorney General and the Secretary of Defense), and Physical Security (also
chaired by designees of the Attorney General and the Secretary of Defense). The
Board is directed to propose a National Plan (i.e. the National Plan to Secure
Cyberspace, mentioned above) on issues within its purview on a periodic basis, and,
in coordination with the Office of Homeland Security, review and make
recommendations on that part of agency budgets that fall within the purview of the
Board.
The Board is to be chaired by a Special Advisor to the President for
Cyberspace Security.21 The Special Advisor reports to both the Assistant to the
President for National Security and the Assistant to the President for Homeland
Security. Besides presiding over Board meetings, the Special Advisor may, in
consultation with the Board, propose policies and programs to appropriate officials
to ensure protection of the nation’s information infrastructure and may coordinate
with the Director of OMB on issues relating to budgets and the security of computer
networks.
Finally, the Order also established the National Infrastructure Advisory
Council. The Council is to provide advice to the President on the security of
information systems for critical infrastructure. The Council’s functions include
enhancing public-private partnerships, monitoring the development of ISACs, and
encouraging the private sector to perform periodic vulnerability assessments of
critical information and telecommunication systems.
In many respects, the Bush Administration policy statements regarding critical
infrastructure protection represent a continuation of PDD-63. The fundamental
policy statements are the essentially the same: the protection of infrastructures critical
to the people, economy, essential government services, and national security. Also,
the goal of the government’s efforts are to ensure that any disruption of the services
provided by these infrastructures be infrequent, of minimal duration, and
manageable. The infrastructures identified as critical are essentially the same. There
is to be an interagency group (the Homeland Security Council and the President’s
Critical Infrastructure Protection Board in EO 13228 and 13231, respectively,
replaces the Critical Infrastructure Coordination Group of PDD-63) to develop
policies and coordinate activities. Functional areas of concern are similar (i.e.
research and development, response coordination, intelligence, etc.). The President
shall be advised by a Council made up of private sector executives, academics, and
State and local officials. The Critical Infrastructure Assurance Office (CIAO) and
the National Infrastructure Protection Center (at the FBI) are left in place, as are the
liaison efforts between lead agencies and the private sector and State and local
governments, and the structures set up for information sharing.
21 President Bush designated Richard Clarke.
CRS-11
There are two primary differences, however. First, the Office of Homeland
Security was given overall authority for coordinating critical infrastructure protection
against terrorist threats and attacks. Those responsibilities associated with
information systems of critical infrastructures are delegated to the President’s Critical
Infrastructure Protection Board. Furthermore the Board’s responsibilities for
protecting the physical assets of the nation’s information systems are to be defined
by the Assistant to President for National Security and the Assistant to the President
for Homeland Security. While PDD-63 focused primarily on cyber security, it gave
the National Coordinator responsibility to coordinate the physical and cyber security
for all critical infrastructures. It would appear from the proposed structure of the
Department of Homeland Security (see below) that this separation may continue.
Second, the “National Coordinator” is now a Special Advisor to the President
rather than a member of the National Security Council staff. However, the Special
Advisor still reports to Assistant to President for National Security in addition to the
Assistant to the President for Homeland Security. It is not clear what additional
authority or influence the new position grants the individual serving as Special
Advisor.
National Strategy for Homeland Security.
Earlier, in July 2002,
Office of Homeland Security released a National Strategy for Homeland Security.
The Strategy covers all government effort to protect the nation against terrorist
attacks of all kinds. It identifies protecting the nation’s critical infrastructures and
key assets (a new term, different as implied above by the FBI’s key asset program)
as one of six critical mission areas. The Strategy expanded upon the list of
infrastructure considered to be critical to include the chemical industry, postal and
shipping services, and the defense industrial base. It also introduced a new class of
assets, called key assets, which are potential targets whose destruction may not
endanger vital systems, but could create local disaster or profoundly affect national
morale. Such assets could include schools, court houses, individual bridges, or state
and national monuments.
The Strategy reiterates many of the same policy-related activities as mentioned
above: working with the private sector and other non-federal entities, naming those
agencies that should act as liaison with the private sector, assessing vulnerabilities,
and developing a national plan to deal with those vulnerabilities. It does not create
any new organizations.
Department of Homeland Security
On November 22, Congress passed the Homeland Security Act (P.L. 107-269),
establishing a Department of Homeland Security. The Act assigns to the new
Department the mission of preventing terrorist attacks, reducing the vulnerability of
the nation to such attacks, and to respond rapidly should such and attack occur. The
Act essentially consolidates within one department a number of agencies that have
had, as part of their mission, homeland security-like functions (e.g. Border Patrol,
Customs, Transportation Security Agency). The full impact of the Act is beyond the
scope of this report. The following discussion focuses on those provisions relating
to critical infrastructure protection. For a full range of analyses regarding the Act,
CRS-12
see the Homeland Security topic listed on the CRS Homepage under Current
Legislative Issues.22
In regard to critical infrastructure protection the Act transfers the following
agencies and offices: the NIPC (except for the Computer Investigations and
Operations Section), CIAO, FedCIRC, the National Simulation and Analysis
Center (NISAC),23 other energy security and assurance activities within DOE, and
the National Communication System (NCS).24 These agencies and offices shall be
integrated within the Directorate of Information Analysis and Infrastructure
Protection (one of four Directorates established by the Act).25 Notably, the
Transportation Security Administration (TSA), who is responsible for securing all
modes of the nation’s transportation system, is not part of this Directorate (it has
been placed within the Border and Transportation Security). The Directorates shall
be headed by someone of Undersecretary rank. Furthermore, the Act designates that
within the Directorate of Information Analysis and Infrastructure Protection, there
shall be both an Assistant Secretary for Information Analysis, and an Assistant
Secretary for Infrastructure Protection.26
Among the responsibilities assigned the Directorate of Information Analysis and
Infrastructure Protection are:
22 [http://www.crs.gov/products/browse/is-homelandsecurity.shtml]
23 The NISAC was established in the USA PATRIOT Act (P.L. 107-56), Section 1062. The
Center builds upon expertise at Sandia National Laboratory and Los Alamos National
Laboratory in modeling and simulating infrastructures (namely energy infrastructures) and
the interdependencies between them.
24 The NCS is not a single communication system but more a capability that ensures that
disparate government agencies can communication with each other in times of emergencies.
To make sure this capability exists and to assure that it is available when needed, an
interagency group meets regularly to discuss issues and solve problems. The NCS was
initially established in 1963 by the Kennedy Administration to ensure communications
between military, diplomatic, intelligence, and civilian leaders, following the Cuban Missile
Crisis. Those activities were expanded by the Reagan Administration to include emergency
preparedness and response, including natural disaster response. The current interagency
group includes 22 departments and agencies. The private sector, who own a significant
share of the assets needed to ensure the necessary connectivity, is involved through the
National Security Telecommunication Advisory Committee (NSTAC). The National
Coordinating Center, mentioned earlier in this report, and which serves as the
telecommunications ISAC, is an operational entity within the NCS.
25 The other directorates included: Science and Technology, Border and Transportation
Security and Emergency Preparedness and Response.
26 In a more detailed discussion of the Administration’s original reorganization proposal
(The Department Of Homeland Security, June 2002), the Administration provided an
organization chart showing what it then called the Information Analysis and Infrastructure
Protection Division further divided into an Threat Analysis Section and an Infrastructure
Protection Section, with the latter being divided again into Physical Assets and
Telecommunications and Cybersecurity.
CRS-13
•
to access, receive, analyze, and integrate information from a variety
of sources in order to identify and assess the nature and scope of the
terrorist threat;
•
to carry out comprehensive assessments of the vulnerabilities of key
resources and critical infrastructure of the United States;
•
to integrate relevant information, analyses, and vulnerability
assessments in order to identify priorities for protective and support
measures;
•
to develop a comprehensive national plan for securing key resources
and critical infrastructures;
•
to administer the Homeland Security Advisory System;
•
to work with the intelligence community to establish collection
priorities; and,
•
to establish a secure communication system for receiving and
disseminating information
In addition, the Act provides a number of protections for certain information
(defined as critical infrastructure information) that non-federal entities, especially
private firms or ISACs formed by the private sector, voluntarily provide the
Department. Those protections include exempting it from the Freedom of
Information Act, precluding the information from being used in any civil action,
exempting it from any agency rules regarding ex parte communication, and
exempting it from requirements of the Federal Advisory Committee Act.
The Act basically builds upon existing policy and activities. Many of the
policies, objectives, missions, and responsibilities complement those already
established (e.g. vulnerability assessments, national planning, communication
between government and private sector, and improving protections). If anything, it
adds at least three new players to those responsible for developing, coordinating and
implementing policy and action, the Secretary of the Department of Homeland
Security and the Under-Secretary for Information Analysis and Infrastructure
Protection, and the Assistant Secretary of Infrastructure Protection. It does not
create, as yet, aside from the Department and Directorate themselves, any new
operational entities related to infrastructure protection.
The Act represents a major reorganization. Many entities, some with multiple
missions, are being transferred or are being split apart, raising issues of how these
functions will be reintegrated (including physical relocation), the integrity of
functions left behind, and how constituencies will react. However, the proposed
transfers associated with infrastructure protection perhaps are less disruptive as
others (e.g. Coast Guard, or U.S. Customs). CIAO, FedCIRC, and NIASC are all
relatively new organizations, with relatively narrow missions, and will be transferred
fully to the new organization. They will likely, initially at least, perform their
existing functions.
The disruption associated with transferring parts of NIPC is less clear. The
transfer leaves the Computer Investigations and Operations unit within NIPC at the
FBI, transferring the Analysis and Warning Section and the Training, Outreach, and
Strategy Section. The FBI has received some criticism for its management of NIPC.
According to a General Accounting Office (GAO) report, the FBI has had trouble
CRS-14
recruiting people from other agencies. In the press, the FBI has been accused of
being reluctant to share information with other agencies. The GAO report stated that
the Threat Analysis and Warning function had not been well-developed (although the
GAO noted that the analysis function is a difficult problem). The GAO report also
stated that NIPC, through its Investigations and Operations unit, had provided
valuable support to FBI filed investigations. In this reorganization, the NIPC
function most effective will stay at FBI. The function that has experienced some
difficulty will be transferred.
Also, it has not been readily transparent the extent to which NIPC has been
concerned with the physical protection of critical infrastructure assets. NIPC
supposedly has had a role in administering the FBI’s Key Asset Initiative. However,
the program was primarily implemented through the Field Offices with field staff.
The National Strategy discusses the protection of key assets as a function of critical
infrastructure protection. Key assets are defined as those individual targets whose
destruction would not endanger vital systems, but could create local disaster or
profoundly damage our nation’s morale or confidence. These would include assets
such as symbols or historical attractions or individual facilities that deserve special
protection because of their destructive potential or their value to the local community.
But it is not clear what role, if any, the FBI will continue to play.
The NCS is essentially an interagency organization and assuming that its
interagency character (and its close connection to the private sector through the
NSTAC) is maintained, the impact of changing Managers (which besides being a
Member was DOD’s role within NCS) is expected to be minimal. Whether a
physical relocation will be called for has not been addressed yet by the
Administration. DOD does feel that its other communications and computer
organizations with complementary functions benefit by being in close physical
proximity.
Policy Implementation
There is an element of continuity in the policies and activities undertaken by the
Clinton and Bush Administrations. For example, the Bush Administration maintains
the effort to communicate with infrastructure operators through ISACs, and although
makes some changes to accommodate the existence of the Department of Homeland
Security, maintains certain lead agencies as the main liaison with certain sectors. The
following discusses the implementation of major elements of PDD-63 still relevant
to current policy. It also goes beyond PDD-63 to discuss activities undertaken by the
Bush Administration as policy and action continue to evolve.
Lead Agencies and Selection of Sector Liaison Officials and
Functional Coordinators. The National Strategy for Homeland Security, released
by the Bush Administration in July 2002, maintained the role of lead agencies as
outlined in PDD-63, with the newly proposed Department of Homeland Security
acting as coordinator of their efforts. However, the Strategy does shift liaison
responsibilities for some sectors to the new Department, and there remains some
discussion about how many sectors for which the new Department would be the
CRS-15
primary liaison.27 The liaison responsibilities outlined in the National Strategy are
noted in Table 2 below.
Table 2. Lead Agencies as Proposed in the National Strategy for
Homeland Defense
Department/Agency (PDD-63 liaison)
Sector/Function
Agriculture
Agriculture
Food
Agriculture
Meat/Poultry
Health and Human Services
All other
Homeland Security (Commerce)
Information and Communications
Treasury
Banking and Finance
EPA
Water
Homeland Security (Transportation)
Transportation
Homeland Security (Federal Emergency
Emergency Services
Management Agency, Justice, Health and
Human Services)
Health and Human Services
Public Health
Government
Homeland Security
Continuity of Government
Individual departments and agencies
Continuity of Operations
Energy
Electric Power, Gas, and Oil
Environmental Protection Agency
Chemical Industry and Hazardous
Materials
Defense
Defense Industrial Base
Homeland Defense
Postal and Shipping
Interior
National Monuments and Icons
Identifying and Selecting Sector Coordinators. The identification of
sector coordinators has proceeded with mixed results. Table 3 below shows those
individuals or groups that have agreed to act as Coordinators.
Different sectors present different challenges to identifying a coordinator. Some
sectors are more diverse than others (e.g. transportation includes rail, air, waterways,
and highways; information and communications include computers, software, wire
and wireless communications) and raises the issue of how to have all the relevant
players represented. Other sectors are fragmented, consisting of small or local
entities. Some sectors, such as banking, telecommunications, and energy have more
27 See, Ridge Says EPA Should Lose Authority to Evaluate Vulnerability of Industrial
Facilities, Inside EPA, June 25, 2002.
CRS-16
experience than others in working with the federal government and/or working
collectively to assure the performance of their systems.
Besides such structural issues are ones related to competition. Inherent in the
exercise is asking competitors to cooperate. In some cases it is asking competing
industries to cooperate. This cooperation not only raises issues of trust among firms,
but also concerns regarding anti-trust rules. Also, having these groups in direct
communications with the federal government raises questions about their relationship
to the federal government as governed by the Federal Advisory Committee Act (5
USC Appendix) and how the Freedom of Information Act (5 USC 552) applies to
them and the information that may be exchanged.
Sector coordinators have been identified for most of the major privately
operated sectors: banking and finance, energy, information and communications. In
the public sector, EPA early on identified the Association of Metropolitan Water
Agency as sector coordinator. In the area of transportation, the Association of
American Railroads has been identified as the coordinator for the rail sector. The
Department of Transportation would like to also find coordinators for air and water
transportation. FEMA has not identified a single coordinator to represent the
country’s emergency fire service providers. However, through the U.S. Fire
Administration, a component of FEMA, they have an established communication
network with the nation’s fire associations, the 50 State Fire Marshals, and other law
enforcement groups. FEMA is also responsible for continuity of government.
Again, no single coordinator has been identified, but FEMA had discussed continuity
of government issues with state and local governments in the context of the Y2K.28
Nor has the Department of Health and Human Services identified a central
coordinator for the emergency medical community. The Department of Justice,
through the NIPC, has helped to create the Emergency Law Enforcement Services
(ELES) Forum. The Forum is a group of senior law enforcement executives from
state, local, and non-FBI federal agencies.
28 The New Mexico Critical Infrastructure Assurance Council, an offshoot of the FBI’s
InfraGard efforts in the state, include the state government and other state and local
agencies. The Council is referenced in the National Plan for Information Systems
Protection. See, National Critical Infrastructure Plan, below.
CRS-17
Table 3. Sector Coordinators
Lead Agency
Identified Sector Coordinators
Commerce
A consortium of 3 associations:
Information Technology Assn. of
America; Telecommunications
Industry Assn.; U.S. Telephone Assn.
Treasury
Rhonda McLane - BankAmerica
EPA
Assn. of Metropolitan Water Agencies
Energy
North American Electric Reliability
Council and National Petroleum
Council
Transportation
Association of American Railroads
International Airport Councils of
North America (inactive)
Health and Human Services
FEMA
U.S. Fire Administration
Justice
Emergency Law Enforcement
Services Forum
Appointment of the National Infrastructure Assurance Council. The
Clinton Administration released an Executive Order (13130) in July, 1999, formally
establishing the council. Just prior to leaving office, President Clinton put forward
the names of 18 appointees.29 The Order was rescinded by the Bush Administration
before the Council could meet. In Executive Order 13231,30 President Bush
established a National Infrastructure Advisory Council (with the same acronym,
NIAC) whose functions are similar to those of the Clinton Council. On September
18, 2002, President Bush announced his appointment of 24 individuals to serve on
Council.31
Internal Agency Plans. There had been some confusion about which
agencies were required to submit critical infrastructure plans. PDD-63 directed every
agency to develop and implement such a plan. A subsequent Informational Seminar
on PDD-63 held on October 13, 1998 identified two tiers of agencies. The first tier
included lead agencies and other “primary” agencies like the Central Intelligence
29 White House Press Release, dated January 18, 2000.
30 Executive Order 13231—Critical Infrastructure Protection in the Information Age. Federal
Register. Vol. 66. No. 202. October 18, 2001. pp53063-53071. The NIAC is established on
page 53069.
31 See White House Press Release, September 18, 2002.
CRS-18
Agency and Veteran’s Affairs. These agencies were held to the 180 day deadline.
A second tier of agencies were identified by the National Coordinator and required
to submit plans by the end of February, 1999. The “secondary” agencies were
Agriculture, Education, Housing and Urban Development, Labor, Interior, General
Services Administration, National Aeronautics and Space Administration and the
Nuclear Regulatory Commission. All of these “primary” and “secondary” agencies
met their initial deadlines for submitting their internal plans for protecting their own
critical infrastructures from attacks and for responding to intrusions. The Critical
Infrastructure Assurance Office assembled an expert team to review the plans. The
plans were assessed in 12 areas including schedule/milestone planning, resource
requirements, and knowledge of existing authorities and guidance. The assessment
team handed back the initial plans with comments. Agencies were given 90 days to
respond to these comments. Of the 22 “primary” and “secondary” agencies that
submitted plans, 16 modified and resubmitted them in response to first round
comments.
Initially the process of reviewing these agency plans was to continue until all
concerns were addressed. Over the summer of 1999, however, review efforts slowed
and subsequent reviews were put on hold as the efficacy of the reviews was debated.
Some within the CIAO felt that the plans were too general and lacked a clear
understanding of what constituted a “critical asset” and the interdependencies of
those assets. As a result of that internal debate, the CIAO redirected its resources to
institute a new program called Project Matrix. Project Matrix is a three step process
by which an agency can identify and assess its most critical assets, identify the
dependencies of those assets on other systems, including those beyond the direct
control of the agency, and prioritize. CIAO has offered this analysis to 14 agencies,
including some not designated as “primary” or “secondary” agencies, such as the
Social Security Administration and the Securities and Exchange Commission.
Participation by the agencies has been voluntary.
In the meantime, other agencies (i.e. those not designated as primary and
secondary) apparently did not develop critical infrastructure plans. In a much later
report by the President’s Council on Integrity and Efficiency (dated March 21, 2001),
the Council, which was charged with reviewing agencies’ implementation of PDD-
63, stated that there was a misunderstanding as to the applicability of PDD-63 to all
agencies. The Council asserted that all agencies were required to develop a critical
infrastructure plan and that many had not, because they felt they were no covered by
the Directive. Also, the Council found that of the agency plans that had been
submitted, many were incomplete, had not identified their mission-critical assets, and
that almost none had completed vulnerability assessments.
According to the National Plan released in January 2000 (see below), all “Phase
One” and “Phase Two” agencies (presumably this refers to the “primary” and
“secondary” agencies mentioned above) were to have completed preliminary
vulnerability analyses and to have outlined proposed remedial actions. Again,
according to the National Plan, those remedial actions were to be budgeted for and
submitted as part of the agencies’ FY2001 budgets submissions to the Office of
Management and Budget and every year thereafter. However, given the discussion
above, the comprehensiveness of these studies and plans are in question.
CRS-19
Neither of the Bush Administration executive orders, or subsequent strategies,
make reference to these critical infrastructure protection plans of the agencies.
However, CIAO is still offering Project Matrix to agencies.
National Critical Infrastructure Plan. The Clinton Administration released
Version 1.0 of a National Plan for Information Systems Protection in January 2000.32
The Plan focused primarily on cyber-related efforts within the federal government.
A note in the Executive Summary states that a parallel Critical Physical Infrastructure
Protection Plan was to be developed and possibly incorporated in Version 2.0, or
later versions.33 According to the Plan, Version 2.0 was to cover the private sector.
In September, 2002, the Bush Administration, through the President’s Critical
Infrastructure Protection Board (see Bush Restructuring: Post-September 11 later
in this report) released a National Strategy to Secure Cyberspace. This could be
considered Version 2.0 of the Clinton-released Plan. It addresses all stakeholders in
the nation’s information infrastructure, from home users to the international
community. The Strategy does include input from the private sector, the academic
community, and state and local governments. Similar to the Clinton Administration,
the Bush Administration views the Strategy as a living document that will change
over time.
In its draft form, the Strategy primarily offers sets of recommended actions that
each stakeholder may wish to consider taking in order to help protect their share of
the national information infrastructure.34 For example, it proposes that: internet
service providers and vendors may wish to consider a joint effort to make it easier for
home users to update and patch their operating systems and applications with the
latest protections; large firms may want to consider auditing their information system
security programs annually and the information security community may want to
establish an independent organizations that could set national standards for auditing
information system security; the academic community may want to form their own
Information Sharing and Analysis Center and to identify contacts at their internet
service providers or law enforcement agencies to whom they can report the abuse of
academic computers for use in hacks elsewhere on the internet. It also suggests that
internet service providers, security vendors, and other private sector entities may
want to establish a Cyberspace Network Operations Center that would contribute to
the strategic goal of being able to detect incidents early, to respond to them
efficiently, and to the extent possible, predict them ahead of time (i.e. the early
warning capability originally proposed by the President’s Commission). Such a
Center would presumably resemble similar Centers in the communications and
electric power sectors. The Strategy has received mixed reviews. Some have called
it a good first step, others have been more critical of the lack of government
32 Defending America’s Cyberspace. National Plan for Information Systems Protection.
Version 1.0. An Invitation to a Dialogue. The White House. 2000.
33 Ibid. Executive Summary. p. 13.
34 These recommendations are segregated into 5 groups according to the level of aggregated
effort required (the Strategy calls them levels)—individual home users and small businesses,
large corporate enterprises, sectors (including private, federal, statel/local, academic),
national, and global.
CRS-20
inducements (either through regulation or financial support) to spur the action of non-
governmental stakeholders.
It should be noted that both the Clinton Plan and the Bush Strategy mentioned
above deal primarily with protections against cyber attacks.35 Both refer to a
complementary national plan for providing physical protections for the nation’s
critical infrastructure, which has yet to be developed. Also, the National Strategy for
Homeland Security and the Homeland Security Act call for a comprehensive national
plan that deal with both cyber and physical security.
Information Sharing and Analysis Center (ISAC). PDD-63 envisaged
an ISAC to be the private sector counterpart to the FBI’s National Infrastructure
Protection Center (NIPC), collecting and sharing incident and response information
among its members and facilitating information exchange between government and
the private sector. While the Directive conceived of a single center serving the entire
private sector, the idea now is that each sector would have its own center. Progress
in forming sector ISACs has been mixed.
A number of the nation’s largest banks, securities firms, insurance companies
and investment companies have joined together in a limited liability corporation to
form a banking and finance industry ISAC. The group has contracted with an
internet service provider36 (ISP) to design and operate the ISAC. Individual firms
feed raw computer network traffic data to the ISAC. The ISP maintains a database
of network traffic and analyzes it for suspicious behavior and provides its customers
with summary reports. If suspicious behavior is detected, the analysis may be
forwarded to the federal government. Anonymity is maintained between participants
and outside the ISAC. The ISP will forward to its customers alerts and other
information provided by the federal government. The ISAC became operational in
October, 1999.
The telecommunications industry has agreed to establish an ISAC through the
National Coordinating Center (NCC). The NCC is a government-industry
partnership that coordinates responses to disruptions in the National Communications
System. Unlike the banking and finance ISAC that uses a third party for centralized
monitoring and analysis, each member firm of the NCC will monitor and analyze its
own networks. If a firm suspects its network(s) have been breached, it will discuss
the incident(s) within the NCC’s normal forum. The NCC members will decide
whether the suspected behavior is serious enough to report to the appropriate federal
authorities. Anonymity will be maintained outside the NCC. Any communication
between federal authorities and member firms will take place through the NCC, this
includes incident response and requests for additional information.37
35 The Bush Strategy does make a couple recommendations regarding contingency planning
against large-physical damage to information facilities and restricting access to critical
network facilities.
36 The ISP is Global Integrity, a subsidiary of Science Applications International Corp.
(SAIC).
37 Federal agencies sit on the NCC, including the NSA. One could assume that knowledge
(continued...)
CRS-21
The electric power sector, too, has established a decentralized ISAC through its
North American Electricity Reliability Council (NAERC). Much like the NCC,
NAERC already monitors and coordinates responses to disruptions in the nation’s
supply of electricity. It is in this forum that information security issues and incidents
will be shared. The National Petroleum Council is still considering setting up an
ISAC with its members.
In January, 2001, the information technology industry announced its plans to
form an ISAC. Members include 19 major hardware, software, and e-commerce
firms, including AT&T, IBM, Cisco, Microsoft, Intel, and Oracle. The ISAC will be
overseen by a board made up of members and operated by Internet Security Systems.
The country’s water authorities intend to develop an appropriate ISAC model
for their sector.
Much like the communications and the electric power sectors, the emergency
fire services sector ISAC will be integrated into the responsibilities of an existing
organizational body; FEMA’s U.S. Fire Administration, headquartered in
Emmitsburg, MD. The ISAC will staffed by leading fire experts who will assess
NIPC threat intelligence and help prepare warnings for distribution to the nation’s
fire fighting community. In turn, local fire departments, as first responders in many
instances, can provide information through the U.S. Fire Administration that may be
helpful to NIPC in its intelligence analysis function.
As well as those mentioned above, a number of other sectors, not originally
included in PDD-63, but subsequently mentioned by the Bush Administration as
infrastructures in need of protection to counter-terrorism, have formed ISACs. These
include the food and chemical industries.
In addition to these individual sectors setting up or contemplating ISACs, the
private sector has formed a Partnership for Critical Infrastructure Security to
share information and strategies and to identify interdependencies across sectoral
lines. The Partnership is a private sector initiative and has filed as a 501(c)(6)
organization. A preliminary meeting was held in December 1999 and five working
groups were established (Interdependencies/Vulnerability Assessment, Cross-Sector
Information Sharing, Legislation and Policy, Research and Development, and
Organization). The working groups meet every other month. The federal
government is not officially part of the Partnership, but the CIAO acts as a liaison
and has provided administrative support for meetings. Sector Liaison from lead
agencies are considered ex officio members. Some entities not yet part of their own
industry group (e.g. some hospitals and pharmaceutical firms) or not specifically
designated as belonging to a critical infrastructure (the chemical industry) are
participating in the Partnership. The Partnership helped coordinate the private
sector’s input to the National Strategy to Secure Cyberspace.
37 (...continued)
of incidents discussed in the NCC could find its way to federal investigatory authorities
without formally being reported.
CRS-22
Issues
Roles and Responsibilities. A re-occurring issue as policy and
organizational structures have evolved is whether authorities have been duplicated,
superseded, or overturned.
Although PDD-63 dealt with infrastructures issues beyond just computer
systems and also considered physical protections, its implementation focused on
cyber threats and vulnerabilities. In this respect, it was an extension of the
government’s existing efforts to protect their own computer systems. The Directive
sought to use existing authorities and expertise as much as possible in assigning
responsibilities. Nevertheless, the Directive did set up new entities that, at least at
first glance, assumed responsibilities previously assigned to others.
The Paperwork Reduction Act of 1995 (P.L. 104-13) placed the responsibility
for establishing government-wide information resources management policy with the
Director of the Office of Management and Budget. Those policies are outlined in
OMB Circular A-130. Appendix III of the Circular incorporates responsibilities for
computer security as laid out in the Computer Security Act of 1987.38 The Computer
Security Act requires all agencies to inventory their computer systems and to
establish security plans commensurate with the sensitivity of information contained
on them. Agencies are suppose to submit summaries of their security plans along
with their strategic information resources management plan to the Office of
Management and Budget (OMB). The agencies are to follow technical, managerial,
and administrative guidelines laid out by OMB, the Department of Commerce, the
General Services Administration, and the Office of Personnel Management and
should include (as detailed in the OMB Circular) incidence response plans,
contingencies plans, and awareness and training programs for personnel. The
Director of OMB was given the authority, by the Computer Security Act, to comment
on those plans.
Under PDD-63, agencies submitted plans (not dissimilar in content to those
called for in the Computer Security Act of 1987 and detailed in OMB Circular A-130
Appendix III) to the CIAO. The Critical Infrastructure Coordination Group
assembled an expert review team to review these plans (an “ad hoc” team was set up
at CIAO). It was not readily apparent who had the primary authority to review,
38 Appendix III does not apply to information technology that supports certain critical
national security missions as defined in 44 USC 3502(9) and 10 USC 2315. Policy for these
national security systems, i.e. telecommunications and information systems containing
classified information or used by the intelligence or military community, has been assigned
by national security directives to the Department of Defense.
CRS-23
comment on, and approve an agency’s security plan.39 Who determined whether an
agency’s obligation to creating an adequate plan have been met?
E.O. 13231 would appear to resolve this issue. The E.O. specifically reaffirms
OMB’s role in developing and overseeing the implementation of government-wide
information security policy (and the roles of the Secretary of Defense and the
Director of Central Intelligence in the case of national security-related systems). The
E.O. goes on to reiterate the responsibility of the Director of OMB (or the Assistant
to the President for National Security in the case of national security-related systems)
to report to the President and the agency head any deficiencies in security practices.
The Critical Infrastructure Protection Board is instructed to assist the Director of
OMB in this function. While the E.O. also explicitly allows the Board’s Chair (i.e.
the Special Advisor to the President), and the Board, to propose policies and
programs to ensure the protection of information systems of critical infrastructures,
those proposals are to be made to the “appropriate” officials.
Incident response is another area where roles and responsibilities are not defined
clearly. Among the responsibilities assigned to the Department of Commerce by
OMB Circular A-130 Appendix III is the coordination of agency computer incident
response activities to promote sharing of incident response information and related
vulnerabilities. This function has now migrated over to the General Services
Administration which has established a Federal Computer Incident and Emergency
Response Capability (FedCIRC). Consistent with OMB Circular A-130, the
Government Information Security Reform Act, passed as Title X, Subtitle G in the
FY2001 Defense Authorization Act40 ( P.L. 106-398) requires agencies to report
incidents to appropriate officials at GSA. But, PDD-63 stated, and the National Plan,
Version 1.0 reiterated, that the National Infrastructure Protection Center (NIPC) will
provide the principal means of facilitating and coordinating the federal government’s
response to an incident, mitigating attacks, investigating threats, and monitoring
reconstitution efforts. Were the lines of authority clearly established between the
different organizations many of which are tasked with doing things that sound
similar?41 E.O. 13231 reiterates the NIPC’s involvement in incident coordination and
39 It should be noted that the General Accounting Office has reported that the oversight of
agency computer security measures to date has been inadequate. See, U.S. General
Accounting Office, Information Security. Weaknesses Continue to Place Critical Federal
Operations and Assets at Risk. GAO-01-600T. April 5, 2001.Testimony before the
Oversight and Investigations Subcommittee, Committee on Energy and Commerce. House
of Representatives.
40 It should be noted that this Act expired September 31, 2002. The Federal Information
Security Management Act of 2002, introduced as H.R. 3844, and added to the Department
of Homeland Security Act (H.R. 5710, Title X) would reestablish the above mentioned
authorities with further modifications.
41 In recent testimony to Congress, the General Accounting Office noted that the mission of
the NIPC has not been fully defined, leading to differing interpretations by different
agencies. Also, the manpower support from and information sharing with other agencies
has not materialized as envisioned. See, General Accounting Office, Critical Infrastructure
Protection: Significant Challenges in Developing Analysis, Warning, and Response
(continued...)
CRS-24
crisis response, in coordination with the Board, but makes no specific mention of
FedCIRC. Does moving NIPC and FedCIRC into the same department help resolve
this issue?
Also, it is not clear what role the NIPC was to have played in coordinating any
response to physical attacks on critical infrastructures. E.O. 13228 granted the Office
of Homeland Security the leading role in responding to physical attacks on critical
infrastructures other than the physical assets of information systems. E.O. 13228
raised its own issues regarding the relationships between the Office of Homeland
Security, FEMA, and the National Security Council.42 Moving NIPC into the new
Department of Homeland Security doesn’t really resolve this issue, because the
overlap will then be between the Office of Homeland Security and the Department
of Homeland Security.
Another area of overlap is in the development of national plans or strategies for
protecting critical infrastructure. The Office of Homeland Security is responsible for
developing (and has released) an overall National Strategy for Homeland Security
which includes infrastructure protection. The President’s Critical Infrastructure
Board is also responsible for developing national plans or strategies as it deems
necessary (it has released a strategy for protecting the nation’s information
infrastructure), and, now, the Undersecretary for Information Analysis and
Infrastructure Protection is responsible for developing a comprehensive national plan
to protect the nation’s key assets and critical infrastructure.
Another potential area of overlap is staff functions. The CIAO acted as the staff
for the National Coordinator under PDD-63. E.O. 13231 makes reference to the
continued role of the CIAO in information infrastructure protection, especially in the
area of outreach to the private sector and coordination with information sharing
centers. It also is directed to provide administrative support to the new NIAC.
However, E.O. 13231 also allows the Special Advisor to create yet a different staff
within the White House. Furthermore, the E. O. authorizes a staff for the President’s
Critical Infrastructure Protection Board. CIAO now will report to the Undersecretary
of Information Analysis and Infrastructure Protection, but will supposedly continue
doing what it has done to date.
The legislation creating the Department of Homeland Security also raises some
question about overlapping authorities. While the legislation creates an
Undersecretary responsible for infrastructure protection, transportation security is
located under a different Undersecretary.
Costs. An estimate of the amount of money the Federal government spends
on critical infrastructure protection is included in the President’s Annual Report to
41 (...continued)
Capabilities. GAO-01-769, Testimony before the Subcommittee on Technology, Terrorism,
and Government Information, Senate Judiciary Committee. May 22, 2001.
42 See CRS Report RL31148. Homeland Security. Op. Cit .pp 7-8.
CRS-25
Congress on Combating Terrorism.43 Funding for Critical Infrastructure Protection
was estimated at $3.2 billion for FY2002 and the Administration request for FY2003
was $3.9 billion. However, there report makes a distinction between critical
infrastructure protection and other infrastructure-related protection that may be
confusing.
The Report aggregates funds for three different programs—Combating
Terrorism, Critical Infrastructure Protection, and Continuity of Operations. The
Combating Terrorism program includes activities in 5 categories/mission areas, two
of which are physical security of government facilities and workers, and physical
protection of the national populace and national infrastructure. OMB does not
consider the activities supported in these latter two categories as critical infrastructure
protection, although the description of the activities might imply that it should. For
example, included in the physical protection of the national populace and
infrastructure category are activities taken to help protect banking and finance, water,
telecommunications, transportation, and energy production and distribution. Much
of what is spent on new airport security is aggregated in this category. So, too,
according to the report, are activities by the Department of Energy to protect the
supply and transmission of all forms of energy. The distinction between these
activities and critical infrastructure protection is that to be considered as a critical
infrastructure protection activity, the asset being protected must be critical at the
national level (i.e. incapacitation would require restoration within 72 hours,
disruption would have serious consequences on critical government operations and/
or society’s quality of life, or outage would interrupt information flows or service
provision essential to government operations or the public at large). A public
telephone switch or the electric power grid would be considered critical.44 An
inventory control system would not. The provision of fences or surveillance cameras
at tunnels or bridges, or at nuclear power plants, would apparently fall within the
physical protection category of Combating Terrorism. According to the FY2002
report, funding for the Combating Terrorism activities related to the physical
protection of the government and national populace totaled $9.6 billion in FY2002
and the request for FY2003 was $14. 6 billion.
Potential private sector costs are unknown at this time.45 Some sectors are
already at the forefront in both physical and computer security and are sufficiently
43 OMB aggregates these numbers based on input from relevant agencies. In most cases,
activities associated with critical infrastructure protection are funded as part of larger
accounts and are not readily visible in either agency budgets or in congressional
appropriations.
44 The report mentions that the government’s Critical Infrastructure Program (CIP) focuses
on information infrastructure and the physical assets that support it. The implication is that
the CIP activities counted in the report also focus on the protection of the information
infrastructure. However, an OMB official has clarified (per phone conversation, November
7, 2002) that the CIP also includes the protection of assets other than information assets.
45 The cyber security market is estimated at $10 billion in products and services (see
“Picking the Locks on the Internet Security Market.” Redherring.com. July 24, 2001). This
probably includes, however, some government expenditures. It also does not include
physical security measures.
CRS-26
protected or need only marginal investments. Others are not and will have to devote
more resources. The ability of certain sectors to raise the necessary capital may be
limited, such as metropolitan water authorities which may be limited by regulation,
or emergency fire which may function in a small community with a limited resources.
Even sectors made up of large well capitalized firms are likely to make additional
expenditures only if they can identify a net positive return on investment. Affecting
these business decisions will be issues of risk and liability.
As part of its outreach efforts, the CIAO has helped the auditing, accounting,
and corporate directors communities identify and present to their memberships the
responsibilities governing board of directors and corporate officers have, as part of
their fiduciary responsibilities, to manage the risk to their corporation’s information
assets. The Institute of Internal Auditors, the American Institute of Certified Public
Accountants, the Information Systems Audit and Control Association and the
National Association of Corporate Directors have formed a consortium and held
“summits” around the country in an outreach effort. The main point of their
discussion can best be summed up by the following expert from a paper presented at
these summits:
“The consensus opinion from our analysts is that all industries and companies
should be equally concerned about information technology security issues
because it is an issue that has an enormous potential to negatively impact the
valuation of a company’s stock...it must be the responsibility of corporate leaders
to ensure these threats are actually being addressed on an ongoing basis. At the
same time, the investment community must keep the issue front and center of
management.”46
There is also the question of downstream liability, or third party liability. In the
denial-of-service attacks that occurred in early 2000, the attacks were launched from
“zombie” computers; computers upon which had been placed malicious code that
was subsequently activated. What responsibility do the owners of those “zombie”
computers have to protect their systems from being used to launch attacks elsewhere?
What responsibility do service providers have to protect their customers? According
to some, it is only a matter of time before the courts will hear cases on these
questions.47
Costs to the private sector may also depend on the extent to which the private
sector is compelled to protect their critical infrastructure versus their ability to set
their own security standards. The current thinking is the private sector should
voluntarily join the effort. However, given the events of September 11, the private
sector may be compelled politically, if not legally, to increase physical protections.
But, what happens if a sector does not take actions the federal government feels are
necessary? The National Strategy for Homeland Security stated that private firms
will still bear the primary responsibility for addressing public safety risks posed by
46 From an paper entitled Information Security Impacting Securities Valuations, by A.
Marshall Acuff, Jr., Salomon Smith Barney Inc.
47 See, “IT Security Destined for the Courtroom.” Computer World.. May 21,2001. Vol 35.
No. 21.
CRS-27
their industries. The Strategy goes on to state that in some cases, the federal
government may have to offer incentives for the private sector to adopt security
measures. In other cases, the federal government may need to rely on regulation.
Information Sharing. The information sharing—internal to the federal
government, between the federal government and the private sector, and between
private firms—considered necessary for critical infrastructure protection raises a
number of issues.
In the past, information flow between agencies has been restrained at least three
reasons: a natural bureaucratic reluctance to share, technological difficulties
associated with compatibility, and legal restraints to prevent the misuse of
information for unintended purposes. However, in the wake of September 11, given
the apparent lack of information sharing that was exposed in reviewing events
leading up to that day, many of these restraints are being reexamined and there
appears to be a general consensus to change them. Some changes have been as a
result of the USA PATRIOT Act (including easing the restrictions limiting the
sharing of information between national law enforcement agencies and those
agencies tasked with gaining intelligence of foreign agents. The legislation
establishing the Department of Homeland Security also authorizes efforts to improve
the ability for agencies within the federal government to share information.
Since much of what is considered to be critical infrastructure is owned and
operated by the private sector, critical infrastructure protection relies to a large extent
on the ability of the private sector and the federal government to share information.
However, it is unclear how open the private sector and the government will be in
sharing information. The private sector primarily wants from the government
information on specific threats which the government may want to protect in order
not to compromise sources or investigations. In fact, much of the threat assessment
done by the federal government is considered classified. For its part, the government
wants specific information on vulnerabilities and incidents which companies may
want to protect to prevent adverse publicity or revealing company practices. Success
will depend on the ability of each side to demonstrate it can hold in confidence the
information exchanged. According to the GAO testimony cited earlier, there is little
or no formalized flow of information yet from the private sector to the federal
government, in general, or the NIPC specifically.48
This issue is made more complex by the question of how the information
exchanged will be handled within the context of the Freedom of Information Act
(FOIA). The private sector is reluctant to share the kind of information the
government wants without an exempting it from public disclosure under the existing
FOIA statute.
The Homeland Security Act protects information, defined as critical
infrastructure information, voluntarily provided the Department of Homeland
Security not only from FOIA, but also prohibits from being used in any civil action
against the provider, exempts from any agency rules regarding ex parte
48 Op. Cit. General Accounting Office, Critical Infrastructure Protection.
CRS-28
communications, and exempts it from following under the requirements of the
Federal Advisory Committee Act. It only can be shared with other entities in
fulfillment of their responsibilities in homeland security, and any unauthorized
disclosure by a federal government official can lead to imprisonment. Also, these
disclosure rules take precedent over any State rules.
The Act defines critical infrastructure information to include:
•
actual, potential, or threatened interference with, attack on, compromise of, or
incapacitation of critical infrastructure by either physical or computer-based
attack that violates federal or state law, harms interstate commerce, or threatens
public health and safety;
•
the ability of critical infrastructures to resist such attacks;
•
any planned or past operational problem or solution regarding critical
infrastructure including repair, recovery, reconstruction, insurance, or continuity
to the extent it relates to such interference, compromise, or incapacitation.
The submittal is considered voluntary if it was done in the absence of an
agency’s exercise of legal authority to compel access to or submission of such
information.
The FOIA exemption is not without its critics. The non-government-
organizations that actively oppose government secrecy are reluctant to expand the
government’s ability to to hold more information as classified or sensitive.49 These
critics feel that language agreed upon in the final legislation is too broad (covers too
much material and offers too many protections) and is unnecessary given current
restrictions on the disclosure of information contained in the FOIA statute and case
law. More recently, the environmental community has become concerned that the
language could allow firms to shield from disclosure information they would
otherwise be obliged to disclose to the public, or worse, be able to prevent the
information from being used in any legal proceedings, by claiming it to be related to
critical infrastructure protection. This has become a particular issue within the right-
to-know community concerned with risks associated with toxic releases from plants
using or producing toxic chemicals, which are now being considered as a critical
infrastructure.50 It is not clear if this is the case, since the Act also states that other
agencies or third parties may receive similar information by other lawful means and
may use it any appropriate legal manner.
The information exchanged between private firms within the context of the
Sector Coordinators and the ISACS also raises some antitrust concerns, as well as
concerns about sharing information that might unduly benefit competitors.
There is also a technical dimension to all of this information sharing that is
suppose to occur. Once collected, the information is stored in different databases,
49 Op. cit. EPIC
50 For more discussion of these issues, see CRS Report, RL31547, Critical Infrastructure
Information Disclosure and Homeland Security, by John D. Moteff and Gina Stevens.
CRS-29
utilizing different technologies. Integrating these databases while controlling access
will not be a trivial technical and managerial task.
Privacy/Civil Liberties? The PPCIP made a number of recommendations
that raised concerns within the privacy and civil liberty communities. These included
allowing employers to administer polygraph tests to their computer security
personnel, and requiring background checks for computer security personnel. The
PPCIP also recommended allowing investigators to get a single trap and trace court
order to expedite the tracking of hacker communications across jurisdictions, if
possible. Another area of concern is the monitoring network traffic in order to detect
intrusions. Traffic monitoring has the potential to collect vast amount of information
on who is doing what on the network. What, if any, of that information should be
treated as private and subject to privacy laws? While recognizing a need for some
of these actions, the privacy and civil liberty communities have questioned whether
proper oversight mechanisms can be instituted to insure against abuse.
The USA Patriot Act (i.e. the anti-terrorism bill passed October 26, 2001 as P.L.
107-56), passed in the wake of the September 11 attacks, contained a number of
expansions in government surveillance, investigatory, and prosecutorial authority
about which the privacy and civil liberties communities have had concern. Most of
these issue are beyond the scope of this report.51 However, some of the provisions
impact directly the ability to track, in real time or after the fact, computer hackers.
This includes provisions giving investigators the authority to seek a single court order
to authorize the installation and use of a pen register or a trap and trace device
anywhere in the country in order to “record or decode electronic or other impulses
to the dialing, routing, addressing, or signaling information used in the processing or
transmitting of wire or electronic communications...”52 The law also defines a
“computer trespasser” as one who accesses a “protected computer” without
authorization and, thus, has no reasonable expectation to privacy of communications
to, through, or from the protected computer.53 The law goes on to stipulate the
conditions under which someone under the color of law may intercept such
communications.
The issue of allowing firms to conduct background checks, polygraph tests, and
monitor personnel who have access to critical infrastructure facilities or systems lay
dormant during the Clinton Administration. The National Strategy for Homeland
Security resurrects it. The Strategy tasks the Attorney General to convene a panel
with appropriate representatives from federal, state, and local government, in
consultation with the private sector, to examine whether employer liability statutes
and privacy concerns hinder necessary precautions. It is not clear if the
Administration meant to include in the private sector representation labor and civil
liberty groups.
51 See CRS Report RS21051. Terrorism Legislation: Uniting and Strengthening America
by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA
PATRIOT) Act of 2001,by Charles Doyle and Terrorism and Civil Liberties, by Charles
Doyle in the Legal Issues/Law Enforcement section of the CRS Terrorism Briefing Book.
52 See Section 216 of P.L. 107-56.
53 See Section 217 of P.L. 107-56.
CRS-30
Another issue is to what extent will monitoring and responding to cyber attacks
permit the government to get involved in the day-to-day operations of private
infrastructures? The PCCIP suggested possibly modifying the Defense Production
Act (50 USC Appendix, 2061 et seq) to provide the federal government with the
authority to direct private resources to help reconstitute critical infrastructures
suffering from a cyber attack. This authority exists now regarding the supply and
distribution of energy and critical materials in an emergency. Suppose that the
computer networks managing the nation’s railroads were to “go down” for unknown
but suspicious reasons. What role would the federal government play in allocating
resources and reconstituting rail service?
In a related matter, the National Strategy for Homeland Security also mentions
that the Department of Homeland Security will undertake a study to evaluate
mechanisms through which suspicious purchases of dual-use equipment and
materials can reported and analyzed. Examples of dual-use equipment and materials
included fermenters, aerosol generators, and protective gear. To some extent, this
type of monitoring has been going in the area of explosives, fertilizer purchases, etc.
The government also maintains a list of equipment that requires export licenses that
include some of these same articles. This study would imply the possibility of
expanding the monitoring of these transactions.
Congressional Interest
Congress’ interest in protecting the nation’s critical infrastructure spans its
oversight, legislative, and appropriating responsibilities. Because the scope of
critical infrastructure protection extends across many committee jurisdictions, many
hearings, bills, and appropriations dealt with only certain elements of the issue.
Since much of the nation’s infrastructure is owned or operated by the private sector,
much of its activity has focused on oversight of the governments efforts to coordinate
with the private sector. After September 11, Congress passed legislation that touched
upon some elements of critical infrastructure. For example, it clarified the monetary
threshold that triggers prosecution for computer crimes and increases penalties for
those crimes. Congress also gave more flexibility to investigators to track computer
hackers, and in those cases where the federal government has some authority,
provided for increased protections (e.g. drinking water, nuclear power plants, ports).
Also, because much of the infrastructure is owned and operated by the private sector,
Congress has not had to appropriate large amounts of resources to infrastructure
protection to date. For the most part appropriations are directed at protecting critical
federal assets. There have also been appropriations directed at improving the
nation’s expertise in computer security. At some point Congress may have to
consider whether the private sector, or other non-federal entities, require more than
market incentives to affect an appropriate level of protection.
More immediately, the next Congress will quickly have to oversee the
establishment of the new Department of Homeland Security. The Office of the
Secretary of Homeland Security is to open January 24, 2003. Appointments of the
Undersecretaries is to begin at that time. The transfer of those agencies associated
with critical infrastructure is to begin March 1, 2003. It will also face the challenge
of how to organize itself to legislate and appropriate for the new Department.
CRS-31
For Additional Reading
CRS Report RS21026, Terrorism and Security: Issue Facing the Water
Infrastructure Sector, by Claudia Copeland and Betsy Cody.
CRS Report RS21050, Hazardous Materials Transportation: Vulnerability to
Terrorists, Federal Activities and Options to Reduce Risks, by Paul Rothberg.
CRS Report RS20272, FEMA’s Mission: Policy Directives for the Federal
Emergency Management Agency, by Keith Bea.
CRS Report RL30735, Cyberwarfare, by Steven Hildreth.
CRS Report RL30861, Capitol Hill Security: Capabilities and Planning, by Paul
Dwyer and Stephen Stathis.
CRS Report RL31148, Homeland Security: The Presidential Coordination Office,
by Harold Relyea.
CRS Report RL31150, Selected Aviation Security Legislation in the Aftermath of the
September 11 Attack, by Robert Kirk.
CRS Report RL31151, Aviation Security Technology and Procedures: Screening
Passengers and Baggage, by Daniel Morgan.
CRS Report RL31202, Federal Research and Development for Counter Terrorism:
Organization, Funding, and Options, by Genevieve J. Knezo.
CRS Report RL31465, Protecting Critical Infrastructure from Terrorist Attack: A
Catalog of Selected Federal Assistance Programs, coordinated by John Moteff.
CRS Report RL31513, Homeland Security: Side-by-Side Comparison of H.R. 5005
and S. 2452, 107th Congress, coordinated by Sharon Gressle.