Order Code RL30153
CRS Report for Congress
Received through the CRS Web
Critical Infrastructures:
Background, Policy, and Implementation
Updated July 12, 2005
John D. Moteff
Specialist in Science and Technology Policy
Resources, Science, and Industry Division
Congressional Research Service, The Library of Congress

Summary
The nation’s health, wealth, and security rely on the production and distribution
of certain goods and services. The array of physical assets, processes and
organizations across which these goods and services move are called critical
infrastructures (e.g. electricity, the power plants that generate it, and the electric grid
upon which it is distributed).
The national security community has been concerned for some time about the
vulnerability of critical infrastructure to both physical and cyber attack. In May 1998,
President Clinton released Presidential Decision Directive No. 63. The Directive set
up groups within the federal government to develop and implement plans that would
protect government-operated infrastructures and called for a dialogue between
government and the private sector to develop a National Infrastructure Assurance
Plan that would protect all of the nation’s critical infrastructures by the year 2003.
While the Directive called for both physical and cyber protection from both man-made
and natural events, implementation focused on cyber protection against man-made
cyber events (i.e. computer hackers). However, given the physical damage
caused by the September 11 attacks, physical protection of critical infrastructures
is receiving increased attention.
Following the events of September 11, the Bush Administration released two
relevant Executive Orders (EOs). EO 13228, signed October 8, 2001, established the
Office of Homeland Security. Among its duties, the Office shall “coordinate efforts
to protect the United States and its critical infrastructure from the consequences of
terrorist attacks.” EO 13231, signed October 16, stated the Bush Administration’s
policy and objectives for protecting the nation’s information infrastructure and
established the President’s Critical Infrastructure Protection Board chaired by a
Special Advisor to the President for Cybersecurity (both of which were later
abolished by an amending executive order). More recently (December 17, 2003), the
Bush Administration released Homeland Security Presidential Directive 7, reiterating
and expanding upon infrastructure protection policy and responsibilities which
remain relatively unchanged through two Administrations.
Congress passed legislation in 2002 creating a Department of Homeland
Security, consolidating into a single department a number of offices and agencies
responsible for implementing various aspects of homeland security. Even so,
infrastructure protection activities remain spread out between various directorates and
agencies within the Department, including the Information Analysis and
Infrastructure Protection Directorate and the Transportation Security Administration.
Issues in critical infrastructure protection include how to integrate cyber and
physical protection; mechanisms for sharing information between the government,
the private sector, and the public; the need to set priorities; and, whether or not the
federal government will need to employ more direct incentives to achieve an
adequate level of protection by the private sector and states. This report will be
updated as warranted.

Contents
Latest Developments
Introduction
Federal Critical Infrastructure Protection Policy: In Brief
The President’s Commission on Critical Infrastructure Protection
Presidential Decision Directive No. 63
Restructuring by the Bush Administration
    Pre-September 11
    Post-September 11
Department of Homeland Security
Policy Implementation
    Lead Agencies and Selection of Sector Liaison Officials and Functional Coordinators
    Identifying and Selecting Sector Coordinators
    Appointment of the National Infrastructure Assurance Council
    Internal Agency Plans
    National Critical Infrastructure Plan
    Information Sharing and Analysis Center (ISAC)
    Establishing the Information Analysis and Infrastructure Protection Directorate
    Vulnerability Assessments, Risk Assessments, and Prioritizing Protective Measures
Issues
    Cyber vs. Physical Vulnerabilities and Protection
    What is Critical and Needs Protection and How Do We Decide?
    How Much Will It Cost and Who Pays?
    Information Sharing
    Privacy/Civil Liberties?
Appendix
    Federal Funding for Critical Infrastructure Protection
List of Tables
Table 1. Lead Agencies per PDD-63
Table 2. Current Lead Agency Assignments
Table 3. Identified Sector Coordinators
Table A.1. Critical Infrastructure Protection Funding by Department
Table A.2. Funding for the Information Analysis and Infrastructure Protection Directorate

Latest Developments
The Senate Appropriations Committee reported its version of the Homeland
Security appropriation bill (H.R. 2360) June 16, 2005. The Senate began debate on
the bill July 11, 2005. The House approved its version May 17, 2005. For a brief
overview of the funding recommendations for the Information Analysis and
Infrastructure Protection Directorate, see Table A.2.
Introduction
Certain socio-economic activities are vital to the day-to-day functioning and
security of the country; for example, transportation of goods and people,
communications, banking and finance, and the supply and distribution of electricity
and water. Domestic security and our ability to monitor, deter, and respond to
outside hostile acts also depend on some of these activities as well as other more
specialized activities like intelligence gathering and command and control of police
and military forces. A serious disruption in these activities and capabilities could
have a major impact on the country’s well-being.1
These activities and capabilities are supported by an array of physical assets,
processes, information, and organizations forming what has been called the nation’s
critical infrastructures. These infrastructures have grown complex and
interconnected, meaning that a disruption in one may lead to disruptions in others.2
Disruptions can be caused by any number of factors: poor design, operator error,
physical destruction due to natural causes (earthquakes, lightning strikes, etc.), or
physical destruction due to intentional human actions (theft, arson, terrorist attack,
etc.). Over the years, operators of these infrastructures have taken measures to guard
against, and to quickly respond to, many of these threats, primarily to improve
reliability and safety. However, the terrorist attacks of September 11, and the
subsequent anthrax attacks, demonstrated the need to reexamine protections in light
of the terrorist threat, as part of an overall critical infrastructure protection policy.3
1 As a reminder of how dependent society is on its infrastructure, in May 1998, PanAmSat’s
Galaxy IV satellite’s on-board controller malfunctioned, disrupting service to an estimated
80-90% of the nation’s pagers, causing problems for hospitals trying to reach doctors on
call, emergency workers, and people trying to use their credit cards at gas pumps, to name
but a few.
2 The electricity blackout in August 2003 in the United States and Canada also illustrated
the interdependencies between electricity, other elements of the energy market such as oil
refining and pipelines, communications, drinking water supplies, etc.
This report provides an historical background and tracks the evolution of such
an overall policy and its implementation. However, specific protections associated
with individual infrastructures are beyond the scope of this report. For CRS products
related to specific infrastructure protection efforts, the reader is encouraged to visit
the Homeland Security Current Legislative Issues webpage and look at the Critical
Infrastructure Security link.
Federal Critical Infrastructure Protection Policy: In Brief
As discussed below, a number of federal executive documents and federal
legislation (notably the Homeland Security Act, P.L. 107-269) lay out a basic policy
and strategy for protecting the nation’s critical infrastructure. To summarize, the
federal government will work with states, localities, and the owners and operators of
critical infrastructure (in both the private and public sector) to identify those specific
assets that are considered critical to the nation as a whole. Together, these entities
will assess those assets’ vulnerabilities to the threats facing the nation, determine the
level of risk associated with possible attacks on those assets, and develop a set of
prioritized protection measures that can be taken to reduce those risks. Primary
responsibility for protection, response, and recovery lies with the owners and
operators. However, the federal government holds open the possibility of intervening
in those areas where owners and operators are unable (or unwilling) to provide
adequate protection or response.
The reader who is not interested in the evolution of this policy and the
organizational structures that have evolved to implement it can proceed to the
Implementation and/or Issues sections of this report.
The President’s Commission on Critical Infrastructure Protection

This report takes as its starting point the establishment of the President’s
Commission on Critical Infrastructure Protection (PCCIP) in July 1996.4 Its tasks
were to: report to the President the scope and nature of the vulnerabilities and threats
to the nation’s critical infrastructures (focusing primarily on cyber threats);5
recommend a comprehensive national policy and implementation plan for protecting
critical infrastructures; determine legal and policy issues raised by proposals to
increase protections; and propose statutory and regulatory changes necessary to effect
recommendations.
3 Besides loss of life, the terrorist attacks of September 11 disrupted the services of a number
of critical infrastructures (including telecommunications, the internet, financial markets, and
air transportation). In some cases, protections already in place (like off-site storage of data,
mirror capacity, etc.) allowed for relatively quick reconstitution of services. In other cases,
service was disrupted for much longer periods of time.
4 Executive Order 13010. Critical Infrastructure Protection. Federal Register. Vol 61. No.
138. July 17, 1996. pp. 3747-3750. Concern about the security of the nation’s information
infrastructure and the nation’s dependence on it preceded the establishment of the
Commission.
The PCCIP released its report to President Clinton in October 1997.6
Examining both the physical and cyber vulnerabilities, the Commission found no
immediate crisis threatening the nation’s infrastructures. However, it did find reason
to take action, especially in the area of cyber security. The rapid growth of a
computer-literate population (implying a greater pool of potential hackers), the
inherent vulnerabilities of common protocols in computer networks, the easy
availability of hacker “tools” (available on many websites), and the fact that the basic
tools of the hacker (computer, modem, telephone line) are the same essential
technologies used by the general population indicated to the Commission that both
threat and vulnerability exist.
The Commission generally recommended that greater cooperation and
communication between the private sector and government was needed. The private
sector owns and operates much of the nation’s critical infrastructure. As seen by the
Commission, the government’s primary role (aside from protecting its own
infrastructures) is to collect and disseminate the latest information on intrusion
techniques, threat analysis, and ways to defend against hackers.
The Commission also proposed a strategy for action:
• facilitate greater cooperation and communication between the
  private sector and appropriate government agencies by: setting a top
  level policy-making office in the White House; establishing a
  council that includes corporate executives, state and local
  government officials, and cabinet secretaries; and setting up
  information clearinghouses;
• develop a real-time capability of attack warning;
• establish and promote a comprehensive awareness and education
  program;
• streamline and clarify elements of the legal structure to support
  assurance measures (including clearing jurisdictional barriers to
  pursuing hackers electronically); and,
• expand research and development in technologies and techniques,
  especially technologies that allow for greater detection of intrusions.
The Commission’s report underwent interagency review to determine how to
respond. That review led to a Presidential Decision Directive released in May 1998.
5 Given the growing dependence and interconnectedness of the nation’s infrastructure on
computer networks, there was concern that computers and computer networks presented a
new vulnerability and one that was not receiving adequate attention.
6 President’s Commission on Critical Infrastructure Protection, Critical Foundations:
Protecting America’s Infrastructures, October 1997.

Presidential Decision Directive No. 63
Presidential Decision Directive No. 63 (PDD-63)7 set as a national goal the
ability to protect the nation’s critical infrastructure from intentional attacks (both
physical and cyber) by the year 2003. According to the PDD, any interruptions in the
ability of these infrastructures to provide their goods and services must be “brief,
infrequent, manageable, geographically isolated, and minimally detrimental to the
welfare of the United States.”8
PDD-63 identified the following activities whose critical infrastructures should
be protected: information and communications; banking and finance; water supply;
aviation, highways, mass transit, pipelines, rail, and waterborne commerce;
emergency and law enforcement services; emergency, fire, and continuity of
government services; public health services; electric power, oil and gas production,
and storage. In addition, the PDD identified four activities where the federal
government controls the critical infrastructure: internal security and federal law
enforcement; foreign intelligence; foreign affairs; and national defense.
A lead agency was assigned to each of these “sectors” (see Table 1). Each lead
agency was directed to appoint a Sector Liaison Official to interact with appropriate
private sector organizations. The private sector was encouraged to select a Sector
Coordinator to work with the agency’s sector liaison official. Together, the liaison
official, sector coordinator, and all affected parties were to contribute to a sectoral
security plan which was to be integrated into a National Infrastructure Assurance
Plan. Each of the activities performed primarily by the federal government was also
assigned a lead agency, which was to appoint a Functional Coordinator to coordinate
efforts similar to those made by the Sector Liaisons.
The PDD also assigned duties to the National Coordinator for Security,
Infrastructure Protection, and Counter-terrorism.9 The National Coordinator reported
to the President through the Assistant to the President for National Security Affairs.10
Among his many duties outlined in PDD-63, the National Coordinator chaired the
Critical Infrastructure Coordination Group. This Group was the primary
interagency working group for developing and implementing policy and for
coordinating the federal government’s own internal security measures. The Group
included high level representatives from the lead agencies (including the Sector
Liaisons), the National Economic Council, and all other relevant agencies.
7 See The Clinton Administration’s Policy on Critical Infrastructure Protection:
Presidential Decision Directive 63, White Paper, May 22, 1998. Available at the Federation
of American Scientists website: [http://www.fas.org/irp/offdocs/pdd/pdd-63.htm].
8 Ibid.
9 The National Coordinator position was created by Presidential Decision Directive 62,
“Combating Terrorism.” PDD-62, which was classified, codified and clarified the roles and
missions of various agencies engaged in counter-terrorism activities. The Office of the
National Coordinator was established to integrate and coordinate these activities. The
White House released a fact sheet on PDD-62 on May 22, 1998.
10 President Clinton designated Richard Clarke (Special Assistant to the President for Global
Affairs, National Security Council) as National Coordinator.
Each federal agency was made responsible for securing its own critical
infrastructure and was to designate a Critical Infrastructure Assurance Officer
(CIAO) to assume that responsibility. The agency’s current Chief Information
Officer (CIO) could double in that capacity. In those cases where the CIO and the
CIAO were different, the CIO was responsible for assuring the agency’s information
assets (databases, software, computers), while the CIAO was responsible for any
other assets that make up that agency’s critical infrastructure. Agencies were given
180 days from the signing of the Directive to develop their plans. Those plans were
to be fully implemented within two years and updated every two years.
Table 1. Lead Agencies per PDD-63

Department/Agency                        Sector/Function
---------------------------------------  --------------------------------------
Commerce                                 Information and Communications
Treasury                                 Banking and Finance
EPA                                      Water
Transportation                           Transportation
Justice                                  Emergency Law Enforcement
Federal Emergency Management Agency      Emergency Fire Service
Health and Human Services                Emergency Medicine
Energy                                   Electric Power, Gas, and Oil
Justice                                  Law Enforcement and Internal Security
Director of Central Intelligence         Intelligence
State                                    Foreign Affairs
Defense                                  National Defense

The PDD set up a National Infrastructure Assurance Council. The Council
was to be a panel that included private operators of infrastructure assets and officials
from state and local governments and relevant federal agencies. The Council
was to meet periodically and provide reports to the President as appropriate. The
National Coordinator was to act as the Executive Director of the Council.
The PDD also called for a National Infrastructure Assurance Plan. The Plan
was to integrate the plans from each of the sectors mentioned above and should
consider the following: a vulnerability assessment, including the minimum essential
capability required of the sector’s infrastructure to meet its purpose; remedial plans
to reduce the sector’s vulnerability; warning requirements and procedures; response
strategies; reconstitution of services; education and awareness programs; research
and development needs; intelligence strategies; needs and opportunities for
international cooperation; and legislative and budgetary requirements.

The PDD also set up a National Plan Coordination Staff to support the plan’s
development. Subsequently, the Critical Infrastructure Assurance Office (CIAO,
not to be confused with the agencies’ Critical Infrastructure Assurance Officers) was
established to serve this function and was placed in the Department of Commerce’s
Export Administration. CIAO supported the National Coordinator’s efforts to
integrate the sectoral plans into a National Plan, supported individual agencies in
developing their internal plans, helped coordinate national education and awareness
programs, and provided legislative and public affairs support.
Most of the Directive established policy-making and oversight bodies making
use of existing agency authorities and expertise. However, the PDD also addressed
operational concerns. These dealt primarily with cyber security. The Directive called
for a national capability to detect and respond to cyber attacks while they are in
progress. Although not specifically identified in the Directive, the Clinton
Administration proposed establishing a Federal Intrusion Detection Network
(FIDNET) that would, together with the Federal Computer Intrusion Response
Capability (FedCIRC), established just prior to PDD-63, meet this goal.11 The
Directive explicitly gave the Federal Bureau of Investigation the authority to expand
its existing computer crime capabilities into a National Infrastructure Protection
Center (NIPC). The Directive called for the NIPC to be the focal point for federal
threat assessment, vulnerability analysis, early warning capability, law enforcement
investigations, and response coordination. All agencies were required to forward to
the NIPC information about threats and actual attacks on their infrastructure as well
as attacks made on private sector infrastructures of which they become aware.
Presumably, FIDNET12 and FedCIRC would feed into the NIPC. According to the
Directive, the NIPC would be linked electronically to the rest of the federal
government and use warning and response expertise located throughout the federal
government. The Directive also made the NIPC the conduit for information sharing
with the private sector through an equivalent Information Sharing and Analysis
Center(s) operated by the private sector, which PDD-63 encouraged the private
sector to establish.
While the FBI was given the lead, the NIPC also included the Department of
Defense, the Intelligence Community, and a representative from all lead agencies.
Depending on the level of threat or the character of the intrusion, the NIPC was to
have been placed in direct support of either the Department of Defense or the
Intelligence Community.
11 FedCIRC was renamed the Federal Computer Incident Response Center and has since
been absorbed into the Department of Homeland Security’s National Cyber Security
Division.
12 From the beginning FIDNET generated controversy both inside and outside the
government. Privacy concerns, cost and technical feasibility were at issue. By the end of
the Clinton Administration, FIDNET as a distributed intrusion detection system feeding into
a centralized analysis and warning capability was abandoned. Each agency, however, is
allowed and encouraged to use intrusion detection technology to monitor and secure their
own systems.

Quite independent of PDD-63 in its origin, but clearly complementary in its
purpose, the FBI offers a program called INFRAGARD to private sector firms. The
program includes an Alert Network. Participants in the program agree to supply the
FBI with two reports when they suspect an intrusion of their systems has occurred.
One report is “sanitized” of sensitive information and the other provides more
detailed description of the intrusion. The FBI will help the participant respond to the
intrusion. In addition, all participants are sent periodic updates on what is known
about recent intrusion techniques. The FBI has set up local INFRAGARD chapters
that can work with each other and regional FBI field offices. In January, 2001, the
FBI announced it had finished establishing INFRAGARD chapters in each of its 56
field offices. Rather than sector-oriented, INFRAGARD is geographically-oriented.
It should also be noted that the FBI had, since the 1980s, a program called the
Key Assets Initiative (KAI). The objective of the KAI was to develop a database
of information on “key assets” within the jurisdiction of each FBI field office,
establish lines of communications with asset owners and operators to improve
physical and cyber protection, and to coordinate with other federal, state, and local
authorities to ensure their involvement in the protection of those assets. The program
was initially begun to allow for contingency planning against physical terrorist
attacks. According to testimony by a former Director of the NIPC, the program was
“reinvigorated” by the NIPC and expanded to include the cyber dimension.13 The
Department of Homeland Security has taken over the effort to create a database of
critical assets.
Restructuring by the Bush Administration
Pre-September 11. As part of its overall redesign of White House
organization and assignment of responsibilities, the in-coming Bush Administration
spent the first eight months reviewing its options for coordinating and overseeing
critical infrastructure protection. During this time, the Bush Administration
continued to support the activities begun by the Clinton Administration.
The Bush Administration review was influenced by three parallel debates. First,
the National Security Council (NSC) underwent a major streamlining. All groups
within the Council established during previous Administrations were abolished.
Their responsibilities and functions were consolidated into 17 Policy Coordination
Committees (PCCs). The activities associated with critical infrastructure protection
were assumed by the Counter-Terrorism and National Preparedness PCC. At the
time, whether, or to what extent, the NSC should remain the focal point for
coordinating critical infrastructure protection (i.e. the National Coordinator came
from the NSC) was unclear. Richard Clarke, himself, wrote a memorandum to the
incoming Bush Administration that the function should be transferred directly to the
White House.14
13 Testimony by Michael Vatis before the Senate Judiciary Committee, Subcommittee on
Technology and Terrorism. Oct. 6, 1999. This effort was transferred to the Department of
Homeland Security.
14 Senior NSC Official Pitches Cyber-Security Czar Concept in Memo to Rice. Inside the
Pentagon. January 11, 2001. p 2-3.

Second, there was a continuing debate about the merits of establishing a
government-wide Chief Information Officer (CIO), whose responsibilities would
include protection of all federal non-national security-related computer systems and
coordination with the private sector on the protection of privately owned computer
systems. Shortly after assuming office, the Bush Administration announced its desire
not to create a separate federal CIO position, but to recruit a Deputy Director of the
Office of Management and Budget that would assume an oversight role of agency
CIOs. One of the reasons cited for this was a desire to keep agencies responsible for
their own computer security.15
Third, there was the continuing debate about how best to defend the country
against terrorism, in general. Some include in the terrorist threat cyber attacks on
critical infrastructure. The U.S. Commission on National Security/21st Century (the
Hart-Rudman Commission) proposed a new National Homeland Security Agency.
The recommendation built upon the current Federal Emergency Management Agency
(FEMA) by adding to it the Coast Guard, the Border Patrol, Customs Service, and
other agencies. The Commission recommended that the new organization include
a directorate responsible for critical infrastructure protection. While both the Clinton
and Bush Administrations remained cool to this idea, bills were introduced in
Congress to establish such an agency. As discussed below, the Bush Administration
changed its position in June 2002, and proposed a new department along the lines of
that proposed by the Hart/Rudman Commission and Congress.
Post-September 11. Soon after the September 11 terrorist attacks, President
Bush signed two Executive Orders relevant to critical infrastructure protection.
These have since been amended to reflect changes brought about by the
establishment of the Department of Homeland Security (see below). The following
is a brief discussion of the original E.O.s and how they have changed.
E.O. 13228, signed October 8, 2001, established the Office of Homeland
Security, headed by the Assistant to the President for Homeland Security.16 Its
mission is to “develop and coordinate the implementation of a comprehensive
national strategy to secure the United States from terrorist threats and attacks.”
Among its functions is the coordination of efforts to protect the United States and its
critical infrastructure from the consequences of terrorist attacks. This includes
strengthening measures for protecting energy production, transmission, and
distribution; telecommunications; public and privately owned information systems;
transportation systems; and, the provision of food and water for human use. Another
function of the Office is to coordinate efforts to ensure rapid restoration of these
critical infrastructures after a disruption by a terrorist threat or attack.
15 For a discussion of the debate surrounding this issue at the time, see CRS Report
RL30914, Federal Chief Information Officer (CIO): Opportunities and Challenges, by
Jeffery Seifert.
16 President Bush selected Tom Ridge to head the new Office.

The EO also established the Homeland Security Council. The Council is made
up of the President, Vice-President, Secretaries of Treasury, Defense, Health and
Human Services, and Transportation, the Attorney General, the Directors of FEMA,
FBI, and CIA and the Assistant to the President for Homeland Security, and the
Secretary of Homeland Security. Other White House and departmental officials can
be invited to attend Council meetings.17 The Council advises and assists the President
with respect to all aspects of homeland security. The agenda for those meetings shall
be set by the Assistant to the President for Homeland Security, at the direction of the
President. The Assistant is also the official recorder of Council actions and
Presidential decisions.
In January and February 2003, this E.O. was amended (by Executive Orders
13284 and 13286, respectively). The Office of Homeland Security, the Assistant to
the President, and the Homeland Security Council were all retained. However, the
Secretary of Homeland Security was added to the Council. The duties of the
Assistant to the President for Homeland Security remain the same, recognizing the
statutory duties assigned to the Secretary of Homeland Security as a result of the
Homeland Security Act of 2002 (see below).
The second Executive Order (E.O. 13231) signed October 16, 2001, stated that
it is U.S. policy “to protect against the disruption of the operation of information
systems for critical infrastructure...and to ensure that any disruptions that occur are
infrequent, of minimal duration, and manageable, and cause the least damage
possible.”18 This Order also established the President’s Critical Infrastructure
Protection Board. The Board’s responsibility was to “recommend policies and
coordinate programs for protecting information systems for critical infrastructure...”
The Order also established a number of standing committees of the Board that
include Research and Development (chaired by a designee of the Director of the
Office of Science and Technology), Incident Response (chaired by the designees of
the Attorney General and the Secretary of Defense), and Physical Security (also
chaired by designees of the Attorney General and the Secretary of Defense). The
Board was directed to propose a National Plan on issues within its purview on a
periodic basis, and, in coordination with the Office of Homeland Security, review and
make recommendations on that part of agency budgets that fall within the purview
of the Board.
The Board was chaired by a Special Advisor to the President for Cyberspace
Security.19 The Special Advisor reported to both the Assistant to the President for
National Security and the Assistant to the President for Homeland Security. Besides
presiding over Board meetings, the Special Advisor, in consultation with the Board,
was to propose policies and programs to appropriate officials to ensure protection of
the nation’s information infrastructure and to coordinate with the Director of OMB
on issues relating to budgets and the security of computer networks.

17 For more information on the structure of the Homeland Security Council and the Office
of Homeland Security, see CRS Report RL31148. Homeland Security: The Presidential
Coordination Office, by Harold Relyea.
18 Executive Order 13231 — Critical Infrastructure Protection in the Information Age.
Federal Register. Vol. 86. No. 202. Oct. 18, 2001.
19 President Bush designated Richard Clarke.

The Order also established the National Infrastructure Advisory Council.
The Council is to provide advice to the President on the security of information
systems for critical infrastructure. The Council’s functions include enhancing
public-private partnerships, monitoring the development of ISACs, and encouraging
the private sector to perform periodic vulnerability assessments of critical
information and telecommunication systems.
Subsequent amendments to this E.O. (by E.O. 13286) abolished the President’s
Board and the position of Special Advisor. The Advisory Council was retained, but
now reports to the President through the Secretary of Homeland Security.
In July 2002, the Office of Homeland Security released a National Strategy for
Homeland Security. The Strategy covered all government efforts to protect the
nation against terrorist attacks of all kinds. It identified protecting the nation’s
critical infrastructures and key assets (a new term, different as implied above by the
FBI’s key asset program) as one of six critical mission areas. The Strategy expanded
upon the list of infrastructure considered to be critical to include the chemical
industry, postal and shipping services, and the defense industrial base. It also
introduced a new class of assets, called key assets, which are potential targets whose
destruction may not endanger vital systems, but could create local disaster or
profoundly affect national morale. Such assets could include schools, court houses,
individual bridges, or state and national monuments.
The Strategy reiterated many of the same policy-related activities as mentioned
above: working with the private sector and other non-federal entities, naming those
agencies that should act as liaison with the private sector, assessing vulnerabilities,
and developing a national plan to deal with those vulnerabilities. The Strategy did
not create any new organizations, but assumed that a Department of Homeland
Security would be established (see below).
On December 17, 2003, the Bush Administration released Homeland Security
Presidential Directive 7 (HSPD-7). HSPD-7 essentially updated the policy of the
United States and the roles and responsibilities of various agencies in regard to
critical infrastructure protection as outlined in previous documents, national
strategies, and the Homeland Security Act of 2002 (see below). For example, the
Directive reiterated the Secretary of Homeland Security’s role in coordinating the
overall national effort to protect critical infrastructure. It also reiterated the role of
Sector-Specific Agencies (i.e. Lead Agencies)20 to work with their sectors to identify,
prioritize, and coordinate protective measures. The Directive captured the expanded
set of critical infrastructures and key assets and Sector-Specific Agencies
assignments made in the National Strategy for Homeland Security. The Directive
also reiterated the relationship between the Department of Homeland Security and
other agencies in certain areas. For example, while the Department of Homeland
Security will maintain a cyber security unit, the Directive stated that the Director of
the Office of Management and Budget remains responsible for overseeing
government-wide information security programs and for ensuring the operation of a
federal cyber incident response center within the Department of Homeland Security.
Also, while the Department of Homeland Security is responsible for transportation
security, including airline security, the Department of Transportation remains
responsible for control of the national air space system.

20 This report will continue to use the term “Lead Agency” to refer to the agency assigned
to work with a specific sector.

The only structural change made by the Directive was its establishment of the
Critical Infrastructure Protection Policy Coordinating Committee which will
advise the Homeland Security Council on interagency policy related to physical and
cyber infrastructure security.
The Directive made a few other noticeable changes or additions. For example,
the Department of Homeland Security was assigned as Lead Agency for the chemical
and hazardous materials sector (it had been the Environmental Protection Agency).
The Directive also now requires Lead Agencies to report annually to the Secretary
of Homeland Security on their efforts in working with the private sector. The
Directive also reiterated that all federal agencies must develop plans to protect their
own critical infrastructure and submit those plans for approval to the Director of the
Office of Management and Budget by July 2004.
The Directive also required that the Secretary of Homeland Security collaborate
with other appropriate federal agencies to develop a program to geospatially map,
analyze, and sort critical infrastructure and key resources, and to work with other
federal, state, local, and private entities to develop a national indications and warning
architecture that can develop a baseline of infrastructure operations and detect
potential attacks.
While superseding PDD-63 in those areas where they differ, all together, the
Bush Administration policy and approach regarding critical infrastructure protection
represents a continuation of PDD-63. The fundamental policy statements are
essentially the same: the protection of infrastructures critical to the people, economy,
essential government services, and national security. National morale has been added
to that list. Also, the stated goal of the government’s efforts is to ensure that any
disruption of the services provided by these infrastructures be infrequent, of minimal
duration, and manageable. The infrastructures identified as critical were essentially
the same (although expanded and with an emphasis placed on targets that would
result in large numbers of casualties). Finally, the primary effort is directed at
working collaboratively and voluntarily with the private sector owners and operators
of critical infrastructure to identify critical assets and provide appropriate protection.

Organizationally, there remains an interagency group for coordinating policy
across departments and for informing the White House. Certain agencies have been
assigned certain sectors with which to work. A Council made up of private sector
executives, academics, and State and local officials was established to advise the
President. Certain operational units (e.g. the Critical Infrastructure Assurance Office
(CIAO) and elements of the National Infrastructure Protection Center (at the FBI))
were left in place (though later moved to and restructured within the Department of
Homeland Security).

The primary difference, at least initially, was the segregation of cyber security
from the physical security mission of the Office of Homeland Security. Dissolution
of the President’s Critical Infrastructure Protection Board and the transfer of its
duties to the Department of Homeland Security reintegrated the two, albeit with a
greater emphasis on physical security than before. The relationship between physical
security and cyber security is discussed in more detail in the Issues section of this
report.
Department of Homeland Security
In November 2002, Congress passed the Homeland Security Act (P.L. 107-296),
establishing a Department of Homeland Security (DHS). The act assigned to the
new Department the mission of preventing terrorist attacks, reducing the vulnerability
of the nation to such attacks, and responding rapidly should such an attack occur.
The act essentially consolidated within one department a number of agencies that
have had, as part of their mission, homeland security-like functions (e.g. Border
Patrol, Customs, Transportation Security Administration). The full impact of the act
is beyond the scope of this report. The following discussion focuses on those
provisions relating to critical infrastructure protection.
In regard to critical infrastructure protection the act transferred the following
agencies and offices to the new department: the NIPC (except for the Computer
Investigations and Operations Section), CIAO, FedCIRC, the National Simulation
and Analysis Center (NISAC),21 other energy security and assurance activities
within DOE, and the National Communication System (NCS).22 These agencies
and offices were integrated within the Directorate of Information Analysis and
Infrastructure Protection (IA/IP) (one of four operational Directorates established
by the act).23 Notably, the Transportation Security Administration (TSA), which is
responsible for securing all modes of the nation’s transportation system, is not part
of this Directorate (it was placed within the Border and Transportation Security
Directorate); nor is the Coast Guard, which is responsible for port security. The
Directorates are headed by someone of Undersecretary rank. Furthermore, the act
designated that within the Directorate of Information Analysis and Infrastructure
Protection, there are to be both an Assistant Secretary for Information Analysis, and
an Assistant Secretary for Infrastructure Protection.

21 The NISAC was established in the USA PATRIOT Act (P.L. 107-56), Section 1062. The
Center builds upon expertise at Sandia National Laboratory and Los Alamos National
Laboratory in modeling and simulating infrastructures and the interdependencies between
them.
22 The NCS is not a single communication system but more a capability that ensures that
disparate government agencies can communicate with each other in times of emergencies.
To make sure this capability exists and to assure that it is available when needed, an
interagency group meets regularly to discuss issues and solve problems. The NCS was
initially established in 1963 by the Kennedy Administration to ensure communications
between military, diplomatic, intelligence, and civilian leaders, following the Cuban Missile
Crisis. Those activities were expanded by the Reagan Administration to include emergency
preparedness and response, including natural disaster response. The current interagency
group includes 23 departments and agencies. The private sector, which owns a significant
share of the assets needed to ensure the necessary connectivity, is involved through the
National Security Telecommunication Advisory Committee (NSTAC). The National
Coordinating Center, mentioned later in this report, and which serves as the
telecommunications ISAC, is an operational entity within the NCS.
23 The other operational directorates included Science and Technology, Border and
Transportation Security and Emergency Preparedness and Response.

Among the responsibilities assigned the IA/IP Directorate were:
• to access, receive, analyze, and integrate information from a variety
of sources in order to identify and assess the nature and scope of the
terrorist threat;
• to carry out comprehensive assessments of the vulnerabilities of
key resources and critical infrastructure of the United States,
including risk assessments to determine risks posed by particular
types of attacks;
• to integrate relevant information, analyses, and vulnerability
assessments in order to identify priorities for protective and
support measures;
• to develop a comprehensive national plan for securing key resources
and critical infrastructures;
• to administer the Homeland Security Advisory System;
• to work with the intelligence community to establish collection
priorities; and,
• to establish a secure communication system for receiving and
disseminating information.
In addition, the act provided a number of protections for certain information
(defined as critical infrastructure information) that non-federal entities, especially
private firms or ISACs formed by the private sector, voluntarily provide the
Department. Those protections included exempting it from the Freedom of
Information Act, precluding the information from being used in any civil action,
exempting it from any agency rules regarding ex parte communication, and
exempting it from requirements of the Federal Advisory Committee Act.
The act basically built upon existing policy and activities. Many of the policies,
objectives, missions, and responsibilities complement those already established (e.g.
vulnerability assessments, national planning, communication between government
and private sector, and improving protections).
Policy Implementation
There is an element of continuity in the policies and activities undertaken by the
Clinton and Bush Administrations. For example, the Bush Administration maintains
the effort to communicate with infrastructure operators through ISACs, although it
has also developed parallel mechanisms to communicate with them. The Bush
Administration also maintains certain lead agencies as the main liaison with certain
sectors. The following discusses the implementation of major elements of PDD-63
and the Bush Administration’s policy as policy and action continue to evolve.

Lead Agencies and Selection of Sector Liaison Officials and
Functional Coordinators. The National Strategy for Homeland Security, released
by the Bush Administration in July 2002, maintained the role of lead agencies as
outlined in PDD-63, with the then proposed Department of Homeland Security acting
as coordinator of their efforts. However, the Strategy did shift liaison responsibilities
for some sectors to the new Department. The liaison responsibilities outlined in the
National Strategy are noted in Table 2 below, with the former liaison agency noted
in parentheses. HSPD-7 modified the Strategy assignments slightly, giving the
chemical sector to the Department of Homeland Security instead of the
Environmental Protection Agency.
Table 2. Current Lead Agency Assignments

Department/Agency (PDD-63 liaison) | Sector/Function
----------------------------------- | ---------------
Agriculture | Agriculture
 | Food
Agriculture | Meat/Poultry
Health and Human Services | All other
Homeland Security (Commerce) | Information and Communications
Treasury | Banking and Finance
EPA | Water
Homeland Security (Transportation) | Transportation
Homeland Security (Federal Emergency Management Agency, Justice, Health and Human Services) | Emergency Services
Health and Human Services | Public Health
 | Government
Homeland Security | Continuity of Government
Individual departments and agencies | Continuity of Operations
 | Energy
Energy | Electric Power
Energy | Oil and Gas
Nuclear Regulatory Commission (per HSPD-7) | Nuclear (and nuclear materials)
Homeland Security-Transportation Security Administration | Pipelines
Department of Homeland Security (per HSPD-7) | Chemical Industry and Hazardous Materials
Defense | Defense Industrial Base
Homeland Security | Postal and Shipping
Interior | National Monuments and Icons

Identifying and Selecting Sector Coordinators. Different sectors
present different challenges to identifying a coordinator. Some sectors are more
diverse than others (e.g. transportation includes rail, air, waterways, and highways;
information and communications include computers, software, wire and wireless
communications) and raise the issue of how to have all the relevant players
represented. Other sectors are fragmented, consisting of small or local entities.
Some sectors, such as banking, telecommunications, and energy have more
experience than others in working with the federal government and/or working
collectively to assure the performance of their systems.
Besides such structural issues, there are ones related to competition. Inherent in the
exercise is asking competitors to cooperate. In some cases it is asking competing
industries to cooperate. This cooperation not only raises issues of trust among firms,
but also concerns regarding anti-trust rules.
Table 3. Identified Sector Coordinators

Sector | Identified Sector Coordinators
------ | ------------------------------
Information and Telecommunications | A consortium of 4 associations: Information Technology Assn. of America; Telecommunications Industry Assn.; U.S. Telephone Assn.; Cellular Telecom. & Internet Assn.
Banking and Finance | Donald Donahue - Depository Trust Corp.24
Water | Assn. of Metropolitan Water Agencies
Electricity | North American Electric Reliability Council
Oil/Gas | National Petroleum Council
Railroads | Association of American Railroads
Mass Transit | American Public Transportation Assn.
Airports | Airport Council International-North America
Emergency Fire Services | U.S. Fire Administration
Law Enforcement | Emergency Law Enforcement Services Forum

24 The financial services sector coordinator is selected by the Secretary of Treasury. Mr.
Donahue was selected in May 2004, taking over from Rhonda McLean from Bank America.
As sector coordinator, Mr. Donahue also chairs the Financial Services Sector Coordinating
Council, a private sector group that works closely with the Treasury Department in securing
the banking and financial sector.

Table 3 above shows those individuals or groups that CRS has been able to
determine have agreed to act as Coordinators. Sector coordinators have been
identified for most of the major privately operated sectors: banking and finance,
energy, information, and communications. In the public sector, EPA early on
identified the Association of Metropolitan Water Agencies as sector coordinator. In
the area of transportation, the Association of American Railroads has been identified
as the coordinator for the rail sector. More recently, the American Public
Transportation Association was selected to represent commuter transportation
systems. The U.S. Fire Administration, a component of FEMA, has an established
communication network with the nation’s fire associations, the 50 State Fire
Marshals, and other law enforcement groups. The Department of Justice, through the
NIPC, helped to create the Emergency Law Enforcement Services (ELES) Forum.
The Forum is a group of senior law enforcement executives from state, local, and
non-FBI federal agencies.
Other sectors have groups that have assumed the role of sector coordinator,
although they may not have been officially designated as such. For example, the
American Chemistry Council and the Food Marketing Institute communicate and
coordinate with the federal government and the members of their respective sectors.
In December 1999, a number of the sectors formed a Partnership for Critical
Infrastructure Security to share information and strategies and to identify
interdependencies across sectoral lines. The Partnership is a private sector initiative.
Five working groups were established (Interdependencies/Vulnerability Assessment,
Cross-Sector Information Sharing, Legislation and Policy, Research and
Development, and Organization). The federal government is not officially part of the
Partnership, but the Department of Homeland Security acts as a liaison and has
provided administrative support for meetings. Sector Liaisons from lead agencies are
considered ex officio members. The Partnership has helped coordinate its members’
input to a number of national strategies released to date.
Appointment of the National Infrastructure Assurance Council. The
Clinton Administration released an Executive Order (13130) in July, 1999, formally
establishing the council. Just prior to leaving office, President Clinton put forward
the names of 18 appointees.25 The Order was rescinded by the Bush Administration
before the Council could meet. In Executive Order 13231,26 President Bush
established a National Infrastructure Advisory Council (with the same acronym,
NIAC) whose functions are similar to those of the Clinton Council. On September
18, 2002, President Bush announced his appointment of 24 individuals to serve on
the Council.27 The E.O. amending 13231 makes some minor modifications to NIAC.
Primarily, the Council now reports to the President through the Secretary of
Homeland Security.

25 White House Press Release, dated January 18, 2000.
26 Executive Order 13231—Critical Infrastructure Protection in the Information Age. Federal
Register. Vol. 66. No. 202. October 18, 2001. pp53063-53071. The NIAC is established on
page 53069.
27 See White House Press Release, September 18, 2002.

Internal Agency Plans. There had been some confusion about which
agencies were required to submit critical infrastructure plans. PDD-63 directed every
agency to develop and implement such a plan. A subsequent Informational Seminar
on PDD-63 held on October 13, 1998 identified two tiers of agencies. The first tier
included lead agencies and other “primary” agencies like the Central Intelligence
Agency and Veterans Affairs. These agencies were held to the Directive’s 180 day
deadline. A second tier of agencies were identified by the National Coordinator and
required to submit plans by the end of February, 1999. The “secondary” agencies
were Agriculture, Education, Housing and Urban Development, Labor, Interior,
General Services Administration, National Aeronautics and Space Administration
and the Nuclear Regulatory Commission. All of these “primary” and “secondary”
agencies met their initial deadlines for submitting their internal plans for protecting
their own critical infrastructures from attacks and for responding to intrusions. The
Critical Infrastructure Assurance Office assembled an expert team to review the
plans. The plans were assessed in 12 areas including schedule/milestone planning,
resource requirements, and knowledge of existing authorities and guidance. The
assessment team handed back the initial plans with comments. Agencies were given
90 days to respond to these comments. Of the 22 “primary” and “secondary”
agencies that submitted plans, 16 modified and resubmitted them in response to first
round comments.
Initially, the process of reviewing agency plans was to continue until all
concerns were addressed. Over the summer of 1999, however, review efforts slowed
and subsequent reviews were put on hold as the efficacy of the reviews was debated.
Some within the CIAO felt that the plans were too general and lacked a clear
understanding of what constituted a “critical asset” and the interdependencies of
those assets. As a result of that internal debate, the CIAO redirected its resources to
institute a new program called Project Matrix. Project Matrix is a three step process
by which an agency can identify and assess its most critical assets, identify the
dependencies of those assets on other systems, including those beyond the direct
control of the agency, and prioritize. CIAO offered this analysis to agencies,
including some not designated as “primary” or “secondary” agencies, such as the
Social Security Administration and the Securities and Exchange Commission.
Participation by the agencies has been voluntary. Project Matrix continues.
In the meantime, other agencies (i.e. those not designated as primary and
secondary) apparently did not develop critical infrastructure plans. In a much later
report by the President’s Council on Integrity and Efficiency (dated March 21, 2001),
the Council, which was charged with reviewing agencies’ implementation of PDD-
63, stated that there was a misunderstanding as to the applicability of PDD-63 to all
agencies. The Council asserted that all agencies were required to develop a critical
infrastructure plan and that many had not, because they felt they were not covered by
the Directive. Also, the Council found that of the agency plans that had been
submitted, many were incomplete, had not identified their mission-critical assets, and
that almost none had completed vulnerability assessments. Two years later, the
Government Accountability Office28 reported that four of the agencies they reviewed
for the House Committee on Energy and Commerce (HHS, Energy, Commerce, and
EPA) had still not yet identified their critical assets and operational dependencies, nor
had they set any deadlines for doing so.29
28 Note: The General Accounting Office has had its name changed legislatively to the
Government Accountability Office.
29 U.S. Government Accountability Office, Critical Infrastructure Protection: Challenges for
(continued...)

Interestingly, HSPD-7 reestablished a deadline for agencies to submit critical
infrastructure protection plans to the Director of OMB for approval by July 2004.
The Director of OMB provided guidance on how agencies should meet their
requirement (Memorandum M-04-15, June 17, 2004). The memorandum stated that
plans for the physical protection of assets would be reviewed by the Department of
Homeland Security and plans for the cyber protection of assets would be reviewed
as part of the requirements associated with the Federal Information Security
Management Act of 2002, included as Title III of the E-Government Act of 2002 (P.L.
107-347). These plans are to provide information to be included in the National
Infrastructure Protection Plan (see below).
National Critical Infrastructure Plan. PDD-63 called for a National
Infrastructure Protection Plan that would be informed by sector-level plans and
would include an assessment of minimal operating requirements, vulnerabilities,
remediation plans, reconstitution plans, warning requirements, etc. The National
Strategy for Homeland Security, and the Homeland Security Act each have called for
the development of a comprehensive national infrastructure protection plan, as well,
although without being as specific regarding what that plan should include. HSPD-7
called for a comprehensive National Plan for Critical Infrastructure and Key
Resources Protection by the end of 2004.
To date, three National Plans or Strategies have been released. In January 2000,
the Clinton Administration released Version 1.0 of a National Plan for Information
Systems Protection.30 The Plan focused primarily on cyber-related efforts within the
federal government. In September 2002, the Bush Administration, through the
President’s Critical Infrastructure Protection Board, released a draft of The National
Strategy to Secure Cyberspace. The latter was released in its final form in February
2003, and could be considered Version 2.0 of the Clinton-released Plan. It addressed
all stakeholders in the nation’s information infrastructure, from home users to the
international community, and included input from the private sector, the academic
community, and state and local governments. Also in February 2003, the Office of
Homeland Security released the National Strategy for the Physical Protection of
Critical Infrastructures and Key Assets.
While these continue to call for assessments of vulnerabilities, risks,
identification of critical assets, etc., the plans themselves do not include them. They
do include how the federal government is going about, or intends to go about, some
of these tasks.
Some sectors have established guidelines regarding vulnerability assessments,
incident reporting procedures, warning procedures, response agreements, etc. How
the federal government may assist in responding to and reconstituting from an attack
is covered by the National Response Plan.31 It is not clear if these national and
sectoral plans and guidelines adequately meet the original intent of PDD-63 or the
intent for planning by the Homeland Security Act of 2002.

29 (...continued)
Selected Agencies and Industry Sectors. Report to the Committee on Energy and Commerce,
House of Representatives. GAO-03-233. February 2003. pp4-5.
30 Defending America’s Cyberspace. National Plan for Information Systems Protection.
Version 1.0. An Invitation to a Dialogue. The White House. 2000.
31 For more information on the National Response Plan, see CRS Report RL32803, The
(continued...)

The Department of Homeland Security missed the December 2004 deadline for
releasing the National Infrastructure Protection Plan established in HSPD-7. It did
publish an Interim National Infrastructure Protection Plan in February. According
to media reports, some in the private sector have complained they were not
adequately consulted.32 According to a recent GAO report,33 the Department plans
to issue a more complete plan, incorporating stakeholder comments and sector
specific plans, in November 2005.
Information Sharing and Analysis Center (ISAC). PDD-63 envisaged
a single ISAC to be the private sector counterpart to the FBI’s National Infrastructure
Protection Center (NIPC), collecting and sharing incident and response information
among its members and facilitating information exchange between government and
the private sector. The idea of a single ISAC evolved into each sector having its own
center. Many were conceived originally as concentrating on cyber security issues,
and some still function with that emphasis. However, others have incorporated
physical security into their missions.
The sectors that have established ISACs to date34 have followed two primary
models. One model involves ISAC members incorporating in some way and
contracting out the ISAC development and operations to a security firm. The
banking, information, water, oil and gas, railroad, and mass transit sectors have
followed this approach.
The other model involves utilizing an existing industry or government-industry
coordinating group and adding critical infrastructure protection to the mission of that
group. The electric power sector (which uses the North American Electric Reliability
Council (NERC)) and the telecommunications sector (which uses the National
Coordinating Center (NCC)) follow this model. The emergency fire services sector
incorporated ISAC functions into the U.S. Fire Administration (within the Federal
Emergency Management Agency), which has interacted with local fire departments
for years.
31 (...continued)
National Preparedness System: Issue in the 109th Congress.
32 See, “Still Waiting: Plan to Protect Critical Infrastructure Overdue from DHS,”
Congressional Quarterly. Homeland Security-Transportation & Infrastructure Newsletter,,
Jan. 28, 2005. This Newsletter is electronic and available by subscription only. It can be
found at [http://homeland.cq.com/hs/news.do] in the new archives. The article was last
viewed on February 15, 2005.
33 Government Accountability Office, Critical Infrastructure Protection: Department of
Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities,
GAO-05-434, May 2005.
34 A list of ISACs, with links, can be found on the DHS website:
[http://www.dhs.gov/dhspublic/display?theme=73&content=1375]. Also, eleven ISACs
have formed an ISAC Council. See, [http://www.isaccouncil.org/about/]. Both of these
sites were last viewed on February 15, 2005.

Different federal financial support models have developed for ISACs, too. In
some cases, ISACs received start-up funding from their Lead Agency (e.g. drinking
water received funding from EPA). In some cases that support continues; in others
it has not (e.g. DOE support for its energy and mass transit
ISACs). Other ISACs have always been self-supporting.
While PDD-63 envisioned ISACs to be a primary conduit for exchanging
critical infrastructure information between the federal government and specific
sectors, the Department of Homeland Security has developed a number of other
information sharing systems and mechanisms.
Establishing the Information Analysis and Infrastructure Protection
Directorate. The first Undersecretary for Information Analysis and Infrastructure
Protection, Frank Libutti, was approved by the Senate in June 2003. The first
Assistant Secretary for Infrastructure Protection, Robert Liscouski, was approved in
March 2003. The Assistant Secretary for Information Analysis assumed his duties
on November 17, 2003. These appointments were relatively late when compared with
comparable positions elsewhere in the Department.
The organization within the Directorate also appears to be taking some time to
be settled and may yet experience changes. A survey by the DHS Office of Inspector
General (IG) of the IA/IP Directorate reported an organizational structure dated August
11, 2003, but noted that changes to that structure were under consideration at the
time.35 An organizational chart published by Carroll Publishing, dated
November/December 2003, indicated that some of those changes were made.
According to the chart, there were two divisions located under the Assistant Secretary
for Information Analysis: Risk Assessment; and Information Management and
Requirements. Three divisions were located under the Assistant Secretary for
Infrastructure Protection: Infrastructure Coordination; Protective Services; and
National Cyber Security. In addition, the Assistant Secretary for Infrastructure
Protection has the National Communication System and the Office of Outreach and
Partnership reporting to him. In the IG report, in addition to the standard support
staff, the Undersecretary for Information Analysis and Infrastructure Protection had
an Office of Competitiveness Analysis and Evaluation reporting to him. In addition,
the IA/IP Directorate has operational control of the Homeland Security Operations
Center. This seems to coincide with bits and pieces of information one can
accumulate from testimony, news articles, etc. Even as of April 2005, the IA/IP
Directorate does not have an organizational chart on the DHS webpage.
Recently, the Undersecretary for Information Analysis and Infrastructure
Protection, the Assistant Secretary of Infrastructure Protection and the Division Chief
of the National Cyber Security Division have resigned or announced their
resignations. The White House announced its intention to select Robert Stephan to
be the new Assistant Secretary of Infrastructure Protection and acting
Undersecretary.
35 Department of Homeland Security. Office of the Inspector General. Survey of the
Information Analysis and Infrastructure Protection Directorate. February, 2004.

In other organizational matters, there are efforts in Congress to pull
cybersecurity and the National Communication System from under the Assistant
Secretary of Infrastructure Protection and create a separate Assistant Secretary for
Cyber Security within the Directorate.36

Vulnerability Assessments, Risk Assessments, and Prioritizing
Protective Measures. Among the activities assigned to the Information Analysis
and Infrastructure Protection Directorate by the Homeland Security Act of 2002 are:
• access, receive, analyze, and integrate information from a variety of
sources in order to identify and assess the nature and scope of the
terrorist threat;
• carry out comprehensive assessments of the vulnerabilities of key
resources and critical infrastructure of the United States, including
risk assessments to determine risks posed by particular types of
attacks;
• integrate relevant information, analyses, and vulnerability
assessments in order to identify priorities for protective and support
measures.
Furthermore, according to the National Strategy for the Physical Protection of
Critical Infrastructures and Key Assets, the Department of Homeland Security will:
a) in collaboration with other key stakeholders, develop a uniform methodology for
identifying facilities, systems, and functions with national-level criticality to help
establish protection priorities; b) build a comprehensive database to catalog these
critical facilities, systems, and functions; and c) maintain a comprehensive,
up-to-date assessment of vulnerabilities and preparedness across critical sectors.
In his testimony before the House Appropriations Committee on April 1, 2004,
the Undersecretary for IA/IP stated that the Directorate had assembled a list of 28,000
critical infrastructure assets (that list has reportedly grown to 80,000) and that it
planned to conduct vulnerability assessments on 1700 of those judged to be of
highest priority. Based on further testimony, budget documents, and DHS’s recent
strategic plan,37 a priority asset is one that could be “catastrophically exploited.”
It is not clear from the testimony how the list of critical assets was developed.
States and certain urban areas have identified critical assets as part of their
applications for State Homeland Security Grants and the Urban Areas Security
Initiatives Grants. Also, firms in some sectors have been active in performing
vulnerability assessments and prioritizing corrective actions. Some are required by
law to do so (e.g. drinking water, ports). The Department has proposed regulations
governing the voluntary submission of these assessments as critical infrastructure
information (see, Information Sharing in the Issues section below). The Directorate,
too, has researched various sector-oriented databases.
36 See, H.R. 285, introduced in the 109th Congress.
37 Department of Homeland Security. Securing Our Homeland: U.S. Department of
Homeland Security Strategic Plan. 2004. See, objective 1.2, p. 11.

In his testimony to the House Appropriations Committee, the Undersecretary
stated that 377 chemical plants were included in the 1700 priority sites. The IA/IP
is also working with the Transportation Security Administration and the railroads to
assess vulnerabilities of the transportation of hazardous materials, and with the
Nuclear Regulatory Commission to assess the vulnerability of nuclear plants and the
transportation of nuclear materials. It is not clear from the testimony if critical rail
sites or nuclear plants are included in the 1700 priority sites. Nor is it clear how
many of the 1700 priority assets have had their vulnerability assessed. According to
the Senate Appropriations Committee’s report for its FY2005 DHS appropriation, the
vulnerabilities of 150 priority sites have been assessed so far. The report also stated
that the Committee expects another 400 to be assessed in FY2005.
After assessing the priority sites, the Protection Services Division works with
the stakeholders to develop protection plans. These plans focus on working with
state and local officials to provide security “outside” the fence, creating buffer zones.
Issues

Cyber vs. Physical Vulnerabilities and Protection. Both the President’s
Commission on Critical Infrastructure Protection and PDD-63 addressed both the
physical and cyber vulnerabilities of the nation’s critical infrastructures. However,
in the recommendations made, the organizational structures developed, and the early
planning required, emphasis was given to cyber vulnerabilities and protection. This
was because, at the time, there was a consensus that the cyber area was a new vector
of vulnerability and one that was not being adequately addressed. Many spoke of
critical infrastructure protection and cyber protection synonymously. While physical
threats and protections were not dismissed, it was stated that these were better
understood and that processes were already in place to address them. This changed after
September 11, 2001, when the threat of, and vulnerability to, physical attacks
was made apparent.
E.O. 13228 and E.O. 13231, both released in October 2001, split the
responsibilities for physical protection and cyber protection of the nation’s critical
infrastructure. The Office of Homeland Security, the Assistant to the President for
Homeland Security, and the Homeland Security Council were given responsibility
for physical protection. The President’s Board on Critical Infrastructure Protection
and the Assistant to the President for Cybersecurity were given cyber protection
(including the physical protection of information network assets). Each developed
a National Strategy to cover its area of responsibility.
When the Bush Administration decided to support the establishment of a
Department of Homeland Security, in June 2002, it retained this split organizationally
by proposing that the office responsible for Infrastructure Protection be divided with
someone responsible for Physical Assets and someone responsible for
Telecommunications and Cybersecurity. The National Strategy for Homeland
Security, released in July 2002, stated that “securing cyberspace poses unique
challenges...” and that “the Department of Homeland Security will place an
especially high priority on protecting our cyber infrastructure.”

However, in February 2003, while working to stand up the Department of
Homeland Security, the Bush Administration released E.O. 13286, which amended
E.O. 13231 and effectively abolished both the President’s Board on Critical
Infrastructure and the position of Assistant to the President for Cybersecurity. This
had some in the cyber security community concerned that cyber security would be
buried too deep within the organization and not receive the special attention they
think it requires.38 H.R. 285, introduced early in the 109th Congress, would elevate
cybersecurity within the Department of Homeland Security by creating an Assistant
Secretary for Cybersecurity who would report to the Undersecretary for Information
Analysis and Infrastructure Protection, on par with the existing two Assistant
Secretaries.39
The Department announced the formation of a National Cyber Security Division
(NCSD), reporting to the Assistant Secretary for Infrastructure Protection. The
Division integrates many of the resources and activities transferred over to the
Directorate from other agencies (i.e. CIAO, NIPC, FedCIRC, and NCS).
Administration officials take the position that one cannot fully dissociate cyber
security from physical security when assessing vulnerabilities and taking protective
actions. The Administration states that the Cyber Security Division works closely
with other Directorate activities that identify critical assets, assess their
vulnerabilities, and develop protection strategies.

Is cyber security a special case of infrastructure protection, or is it just one of a
number of threat vectors? Some have said that the extent to which computer
networks have penetrated other infrastructures makes it different. However, electricity
and energy can make similar claims, and there is a mutual interdependence among
all the infrastructures. Cyber attacks, however, are different from physical attacks
since they can be launched from anywhere in the world and be routed through
numerous intermediate computers. Cyber attacks require a different skill set to
counter.
While differences in the threat may point to the need for a separate focus on
cyber security, it also expands the threat envelope that the Department must monitor.
Cyber security, as it has been discussed nationally, goes beyond the threat posed by
terrorists and includes threats posed by criminals and hackers. These latter culprits
are already attacking the information infrastructure or using it to steal information
and extort money. Attacks by terrorist groups (or other politically motivated groups)
have been limited and fairly targeted and have not resulted in widespread damage
or inconvenience. Motivation and the desired impact are likely to be different
between terrorists and criminals or hackers. Including “regular” criminals and
hackers as intelligence targets for those focused on terrorists may require a different
allocation of, or perhaps result in competition for, intelligence resources.
38 Testimony of Michael Vatis before the Committee on Government Reform, Subcommittee
on Technology, Information Policy, Intergovernmental Relations and the Census. April 8,
2003. See page 4 of his testimony.
39 An identical bill was introduced in the 108th Congress. It was also attached to the House
version of the Intelligence Reform and Terrorism Prevention Act, but was dropped in
conference.

What is Critical and Needs Protection and How Do We Decide? The
term critical infrastructure has been broadly defined in most of the official documents
mentioned in this report. The definition has changed somewhat over time.40 The
USA PATRIOT Act provided the following definition:
The term “critical infrastructure” means systems and assets, whether
physical or virtual, so vital to the United States that the incapacity or destruction
of such systems and assets would have a debilitating impact on security, national
economic security, national public health and safety, or any combination of those
matters.
In addition, the National Strategy for Homeland Security raised the issues of key
assets and national morale. Key assets are those “whose destruction would not
endanger vital systems, but could create local disaster or profoundly damage our
Nation’s morale.” These could include prominent national, state, or local
monuments and icons. These could also include nuclear power plants or other
“localized” facilities that deserve protection because of their destructive potential or
their value to the local community.
The National Strategy for Homeland Security also commits the federal
government to work closely with state and local governments to develop and apply
compatible approaches to ensure protection for critical assets at all levels of society.
For example, schools, courthouses, and bridges may all be considered critical to the
communities they serve.
However, it is not practical to try to protect all of these assets to the same
degree. So how will priorities be set and protective measures allocated? According
to the National Strategy for Homeland Security, a consistent methodology will be
developed and applied to focus the federal government’s efforts. The National
Strategy for the Physical Protection of Critical Infrastructures and Key Assets makes
mention of developing a uniform methodology for identifying facilities, systems and
functions with national-level criticality to help establish federal, state, local, and
private sector protection priorities. Such a methodology has not yet been articulated.
Nor has a methodology been described for setting priorities.
The 9/11 Commission’s report reiterated the need to set priorities and to use risk
assessment and risk management techniques to set those priorities and to allocate
resources. It also specifically mentioned the need to do so, both within the
transportation sector where, the Commission noted, 90% of the federal resources
directed at transportation security is going to commercial aviation, and in federal
assistance to states and localities, where some funds are currently being allocated
based on a mathematical distribution of funds per state (and not based on any
systematic risk assessment).
Typically, risk is considered a function of threat, vulnerability, and impact.
How the Directorate plans to assess this raises many questions. How will threat be
characterized? Will specific modes of attack be considered? Will more than one
threat scenario be considered? Will these differ depending on sector or asset? How
will intent, capability, and target value to the attacker be integrated into the analysis?
How will vulnerability be characterized? How will impact be characterized? How
will loss of life be valued and compared with economic impact or national morale?
How iterative will the analysis be (recognizing that taking protective action in one
area may change the target value and vulnerability of other assets)? How will
uncertainty be handled in the analysis? How will the Directorate reconcile any
differences in criticality and priorities based on a national-level analysis with those
based on more parochial analyses by the private sector or states and localities?
40 For a discussion of how the definition has evolved over time, see CRS Report RL32631,
Critical Infrastructures and Key Assets: Definition and Identification.

How Much Will It Cost and Who Pays? An estimate of the amount of
money the Federal government spends on Critical Infrastructure Protection is now
included as a crosscutting analysis in the President’s Budget.41 (See Table A.1 in the
Appendix.)
It is not known how much money states and localities are spending on what they
consider to be critical infrastructure protection. According to the National Strategy
on Homeland Security, the National Governors Association estimated that states had
spent $6 billion between September 11, 2001 and the end of 2002 on all homeland
security-related activities. According to GAO, improving security in the 22 largest
mass transit systems would cost over $700 million.42 In testimony before the House
Transportation and Infrastructure Committee’s Subcommittee on Water Resources and the
Environment (November 3, 2003), the Executive Vice President of the American
Association of Port Authorities stated that federal security requirements at the nation’s ports
will cost over $5 billion over the next 10 years.43 While some transit systems and
ports are privately owned and operated, many are owned and operated by local or
regional government or quasi-government entities.
States have made it clear that their budgets, especially in the current economic
environment, make these expenditures difficult. The National Strategy for Homeland
Security and the National Strategy for the Physical Protection of Critical
Infrastructures and Key Assets recognize that while the federal government must
focus on protecting assets that have a national importance, states may need help in
protecting their assets as well. Much of the federal assistance to states so far has
been for preparedness activities focused mostly on first responders and dealing with
weapons of mass destruction. The USA PATRIOT Act established a federal grant
program specifically for this purpose. The grant program, called the State Homeland
Security Grant Program, is managed by the Office for State and Local Government
Coordination and Preparedness (OSLGCP).44 The grant will support, among many
other items, the purchase of equipment, including equipment used for enhancing the
physical protection of critical infrastructure. For more information on this and other
grant programs related to homeland security, see CRS Report RL32348, Selected
Homeland Security Assistance Programs: A Summary.
41 Before these data appeared in the President’s Budget, OMB was required to submit similar data in
an Annual Report to Congress on Combating Terrorism. These older
reports and the current figures cannot be compared, however, as OMB has refined the
criteria by which agencies determine their figures. Also, as mentioned earlier, prior to
September 11, the emphasis was on cybersecurity.
42 Government Accountability Office, Mass Transit, GAO-03-263. December 2002.
43 This testimony did reveal how that figure was determined.

Potential private sector costs are unknown at this time.45 Some sectors are
already at the forefront in both physical and computer security and are sufficiently
protected or need only marginal investments. Others are not and will have to devote
more resources. The ability of certain sectors to raise the necessary capital may be
limited, such as metropolitan water authorities which may be limited by regulation,
or emergency fire which may function in a small community with limited resources.
Even sectors made up of large, well-capitalized firms are likely to make additional
expenditures only if they can identify a net positive return on investment.
Issues of liability may also determine private sector costs. The airline industry
was protected after September 11. It is not clear if this would continue in any future
attacks. In the case of computer security, there is also the potential for downstream
liability, or third party liability. In the denial-of-service attacks that occurred in early
2000, the attacks were launched from “zombie” computers (i.e. third-party
computers upon which had been placed malicious code that was subsequently
activated to send thousands of messages to overwhelm the targets’ servers). What
responsibility do the owners of those “zombie” computers have to protect their
systems from being used to launch attacks elsewhere? What responsibility do service
providers have to protect their customers? According to some, it is only a matter of
time before the courts will hear cases on these questions.46
Costs to the private sector may also depend on the extent to which elements
within the private sector are compelled to protect their critical infrastructure versus
their ability to set their own security standards. The current thinking is the private
sector should voluntarily join the effort. However, given the events of September 11,
the private sector may be compelled politically, if not legally, to increase physical
protections. But, what happens if a firm, or sector, does not take actions the federal
government feels are necessary? The National Strategy for Homeland Security stated
that private firms will still bear the primary responsibility for addressing public safety
risks posed by their industries. The Strategy goes on to state that in some cases, the
federal government may have to offer incentives for the private sector to adopt
security measures. In other cases, the federal government may need to rely on
regulation.
44 This grant program was initially managed by the Office of Domestic Preparedness, which
was transferred from the Department of Justice to DHS. The ODP is now merged with the
Office of State and Local Government Coordination to form the Office of State and Local
Government Coordination and Preparedness (OSLGCP). The OSLGCP now manages the
State Homeland Security Grants, the Urban Areas Security Grants, and the Port Security
Grants, formerly managed by the Transportation Security Administration.
45 The cyber security market alone is estimated at $10 billion in products and services (see
“Picking the Locks on the Internet Security Market.” Redherring.com. July 24, 2001). This
probably includes, however, some government expenditures. It does not include physical
security measures.
46 See, “IT Security Destined for the Courtroom.” Computer World. May 21, 2001. Vol 35.
No. 21.

Information Sharing. The information sharing—internal to the federal
government, between the federal government and the private sector, and between
private firms—considered necessary for critical infrastructure protection raises a
number of issues.
In the past, information flow between agencies has been restrained for at least
three reasons: a natural bureaucratic reluctance to share, technological difficulties
associated with compatibility, and legal restraints to prevent the misuse of
information for unintended purposes. However, in the wake of September 11, given
the apparent lack of information sharing that was exposed in reviewing events
leading up to that day, many of these restraints are being reexamined and there
appears to be a general consensus to change them. Some changes have resulted from
the USA PATRIOT Act (including easing the restrictions limiting the sharing of
information between national law enforcement agencies and those agencies tasked
with gaining intelligence of foreign agents). The legislation establishing the
Department of Homeland Security also authorizes efforts to improve the ability of
agencies within the federal government to share information.
Since much of what is considered to be critical infrastructure is owned and
operated by the private sector, critical infrastructure protection relies to a large extent
on the ability of the private sector and the federal government to share information.
However, it is unclear how open the private sector and the government will be in
sharing information. The private sector primarily wants from the government
information on specific threats which the government may want to protect in order
not to compromise sources or investigations. In fact, much of the threat assessment
done by the federal government is considered classified. For its part, the government
wants specific information on vulnerabilities and incidents which companies may
want to protect to prevent adverse publicity or to keep confidential company
practices. Success will depend on the ability of each side to demonstrate it can hold
in confidence the information exchanged.
This issue is made more complex by the question of how the information
exchanged will be handled within the context of the Freedom of Information Act
(FOIA). The private sector is reluctant to share the kind of information the
government wants without its being exempt from public disclosure under the existing
FOIA statute.
The Homeland Security Act not only protects from FOIA information, defined as critical
infrastructure information, that is voluntarily provided to the Department of Homeland
Security, but also prohibits that information from being used in any civil action
against the provider, exempts it from any agency rules regarding ex parte
communications, and exempts it from falling under the requirements of the Federal
Advisory Committee Act. It can be shared with other entities only in fulfillment of
their responsibilities in homeland security, and any unauthorized disclosure by a
federal government official can lead to imprisonment. Also, these disclosure rules
take precedence over any State rules.

The act defines critical infrastructure information to include:
• actual, potential, or threatened interference with, attack on,
compromise of, or incapacitation of critical infrastructure by either
physical or computer-based attack that violates federal or state law,
harms interstate commerce, or threatens public health and safety;
• the ability of critical infrastructures to resist such attacks;
• any planned or past operational problem or solution regarding
critical infrastructure including repair, recovery, reconstruction,
insurance, or continuity to the extent it relates to such interference,
compromise, or incapacitation.
The submittal is considered voluntary if it was done in the absence of an
agency’s exercise of legal authority to compel access to or submission of such
information.
The FOIA exemption is not without its critics. The non-government
organizations that actively oppose government secrecy are reluctant to expand the
government’s ability to hold more information as classified or sensitive. These
critics feel that the language agreed upon in the final legislation is too broad (covers too
much material and offers too many protections) and is unnecessary given current
restrictions on the disclosure of information contained in the FOIA statute and case
law. More recently, the environmental community has become concerned that the
language could allow firms to shield from disclosure information they would
otherwise be obliged to disclose to the public, or worse, be able to prevent the
information from being used in any legal proceedings, by claiming it to be related to
critical infrastructure protection. This has become a particular issue within the
right-to-know community concerned with risks associated with toxic releases from plants
using or producing toxic chemicals, which are now being considered as a critical
infrastructure.47 It is not clear if this is the case, since the act also states that other
agencies or third parties may receive similar information by other lawful means and
may use it in any appropriate legal manner.
On April 15, 2003, the Department of Homeland Security released draft
procedures for receiving, marking, and handling of critical infrastructure
information,48 implementing the provisions stated above. The proposed rule49 states
that the Secretary of Homeland Security shall name the Undersecretary of
Information Analysis and Infrastructure Protection (IA/IP) as the senior official
responsible for directing and administering a Critical Infrastructure Information (CII)
Program. The Undersecretary is to appoint a CII Program Manager. Only the CII
Program Manager may acknowledge the receipt of, validate, and mark information
received as CII. Such information may be submitted directly to CII Program
Manager or it may be forwarded to the CII Program Manager by other agencies.
47 For more discussion of these issues, see CRS Report RL31547, Critical Infrastructure
Information Disclosure and Homeland Security, by John D. Moteff and Gina Stevens.
48 Procedures for Handling Critical Infrastructure Information. Federal Register. Vol. 68.
No. 72. pp. 18524-18529. A final ruling has not yet been released.
49 As of April 2005, a final rule has not yet been published.

While the submitter of the information may designate it as CII, it is up to the CII
Program Manager to validate it as such. The information, however, shall be
protected until the Manager has had a chance to rule. The Manager has 30 days to
inform the submitter that the information does not meet the standards for CII. These
standards, however, are not defined beyond the relatively broad definition of CII
provided in the act. Furthermore, if the CII Program Manager finds that the
information was submitted in bad faith, the Manager is not required to notify the
submitter that the information does not qualify.
The draft procedures state that these procedures do not apply to or affect any
requirement pertaining to information that must be submitted to a federal agency or
pertaining to the obligation of any federal agency to disclose such information under
the Freedom of Information Act. The procedures go on to state that information
required to be submitted to satisfy a provision of law may not be marked as CII by
the submitter, the Department of Homeland Security, or any other federal agency.
Also, while the act specifies penalties associated with unauthorized disclosure
of this information by federal employees, the draft procedures specify
“whistle-blowing” disclosures that are exempt from these penalties.
The draft provisions address some of the concerns expressed by those who
opposed this provision of the act, but raise other questions. For example, while the
procedures allow entities to submit information they think is CII to the CII Program
Manager indirectly through other officials or agencies, the information is not
validated as CII until the Manager designates it as such. However, as pointed out by
critics,50 the presumption is that the information shall be protected until the Manager
makes such a ruling. There is no time frame for the Manager to receive the
information or to make a ruling. However, once the ruling is made, the Manager has
30 days to inform the submitter that the information does not qualify as CII. Will the
Manager have the time and resources to validate the amount of information coming
in?
The information exchanged between private firms within the context of the
Sector Coordinators and the ISACs also raises some antitrust concerns, as well as
concerns about sharing information that might unduly benefit competitors.
There is also a technical dimension to all of this information sharing that is
supposed to occur. Once collected, the information is stored in different databases,
utilizing different technologies. Integrating these databases while controlling access
will not be a trivial technical and managerial task.
Privacy/Civil Liberties? The PCCIP made a number of recommendations
that raised concerns within the privacy and civil liberty communities. These included
allowing employers to administer polygraph tests to their computer security
personnel, and requiring background checks for computer security personnel. The
PCCIP also recommended allowing investigators to get a single trap and trace court
order to expedite the tracking of hacker communications across jurisdictions, if
possible. Another area of concern is the monitoring of network traffic in order to
detect intrusions. Traffic monitoring has the potential to collect vast amounts of
information on who is doing what on the network. What, if any, of that information
should be treated as private and subject to privacy laws? While recognizing a need
for some of these actions, the privacy and civil liberty communities have questioned
whether proper oversight mechanisms can be instituted to insure against abuse.
50 See, DHS Broadens CII in Proposed Rule. OMB Watch, published April 21, 2003.
[http://www.ombwatch.org/article/articleprint/1475]. This site was last viewed Jan. 6, 2003.

The USA Patriot Act (i.e. the anti-terrorism bill passed October 26, 2001 as P.L.
107-56), passed in the wake of the September 11 attacks, contained a number of
expansions in government surveillance, investigatory, and prosecutorial authority
about which the privacy and civil liberties communities have had concern. Most of
these issues are beyond the scope of this report.51 However, some of the provisions
impact directly the ability to track, in real time or after the fact, computer hackers.
This includes provisions giving investigators the authority to seek a single court order
to authorize the installation and use of a pen register or a trap and trace device
anywhere in the country in order to “record or decode electronic or other impulses
to the dialing, routing, addressing, or signaling information used in the processing or
transmitting of wire or electronic communications....”52 The law also defines a
“computer trespasser” as one who accesses a “protected computer” without
authorization and, thus, has no reasonable expectation of privacy of communications
to, through, or from the protected computer.53 The law goes on to stipulate the
conditions under which someone under the “color of law” may intercept such
communications.
The issue of allowing firms to conduct background checks, polygraph tests, and
monitor personnel who have access to critical infrastructure facilities or systems lay
dormant during the Clinton Administration. The National Strategy for Homeland
Security resurrected it. The Strategy tasked the Attorney General to convene a panel
with appropriate representatives from federal, state, and local government, in
consultation with the private sector, to examine whether employer liability statutes
and privacy concerns hinder necessary precautions. It is not clear if the
Administration meant to include in the private sector representation labor and civil
liberty groups. The National Strategy for the Physical Protection of Critical
Infrastructures and Key Assets also mentioned exploring the possibility of
establishing national standards by which to check the backgrounds of personnel with
access to critical infrastructures. And, the Transportation Security Administration
is planning to develop a certification program for all transportation workers with
access to critical infrastructure.
Another issue is the extent to which monitoring and responding to cyber attacks
(or any kind of attack against critical assets) will permit the government to get
involved in the day-to-day operations of private infrastructures. The PCCIP suggested
possibly modifying the Defense Production Act (50 USC Appendix, 2061 et seq) to
provide the federal government with the authority to direct private resources to help
reconstitute critical infrastructures suffering from a cyber attack. This authority
exists now under the Defense Production Act under certain conditions in selected
areas, namely the supply and distribution of energy and critical materials in an
emergency. Suppose that the computer networks managing the nation’s railroads
were to “go down” for unknown but suspicious reasons. What role would the federal
government play in allocating resources and reconstituting rail service?
51 See CRS Report RS21051, Terrorism Legislation: Uniting and Strengthening America
by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA
PATRIOT) Act of 2001, by Charles Doyle.
52 See Section 216 of P.L. 107-56.
53 See Section 217 of P.L. 107-56.

Appendix
Federal Funding for Critical Infrastructure Protection
Table A.1. Critical Infrastructure Protection Funding by Department
($ in millions)
Department            FY2004        FY2004    FY2005    FY2006
                     enacted  supplemental   enacted   request
Agriculture             36.9                   150.7     129.3
Defense               6543.8                  7916.9    8700.8
Energy                1256.4                  1456.1    1481.0
HHS                    162.8                   168.3     170.3
Homeland Security     2128.3                  2585.9    2820.0
Justice                409.2           2.5     455.8     566.1
Transportation         180.1                   137.0     141.2
Veterans Affairs       239.2                   242.9     262.3
NASA                   207.0                   218.0     205.0
NSF                    313.0                   315.2     317.2
Postal Service                                 503.0
Social Security        142.1                   155.0     172.6
Other Agencies         660.4                   634.6     666.3
Grand Total          12279.1                 14939.4   15632.2
Source: OMB, Budget of the U.S. Government, FY2006. Analytical Perspectives. Chapter 3.
Homeland Security Funding Analysis. p. 43.

Table A.2. Funding for the Information Analysis and Infrastructure Protection Directorate
($ in millions)
Account (program)                           FY2005      FY2006      FY2006      FY2006      FY2006
                                           enacted     request   House (as  Senate (as       Conf.
                                                                 reported)   reported)
Management and administration                132.0       204.0       198.2       168.8
Office of the under secretary                  5.8         6.9         6.9         6.9
Other salaries and expenses                  126.2       197.1       191.3       161.9
Assessments and evaluations                  761.7       669.2       663.2       701.8
Critical infrastructure
  identification and evaluation               77.9        72.2        77.2        59.9
National infrastructure simulation
  and analysis center                         20.0        16.0        16.0        21.0
Biosurveillance                               11.0        11.1        10.1        18.1
Protective actions                           191.6        91.4        91.4        91.4
Critical infrastructure outreach
  and partnerships                           106.6        67.2        62.2       126.6
Cyber security                                67.4        73.3        73.3        73.3
National security/emergency
  preparedness telecommunications            140.8       142.6       142.6       142.6
Threat determination and assessment           21.9        19.9        19.9        19.9
Infrastructure vulnerability and
  risk assessment                             71.1        74.3        74.3        74.3
Competitive analysis and evaluation            4.0
Evaluations and studies                       14.4        34.5        34.5        34.5
Homeland Security Operations Center           35.0        61.1        56.1        40.0
Information sharing and collaboration                      5.5         5.5           0
Total IAIP                                   893.7       873.2       663.1       870.6
Source: FY2005 and the requested FY2006 figures are taken from IA/IP Directorate FY2006
Budget Justification. House Appropriations figures come from H.Rept. 109-79.