General Topics

Section A: The Nature and Definition of Critical Infrastructures

Section B: Threats and Risks

Section C: The Role of the Private Sector

Section D: The Role of the Public Sector

Section E: The Case for Partnership

Section A: The Nature and Definition of Critical Infrastructures

A-1. What are critical infrastructures, and why are they important?

We are in the midst of a tremendous cultural change -- a change that affects every aspect of our lives. The cyber, or information age, dimension promotes accelerating reliance on our infrastructures -- telecommunications, electrical power systems, gas and oil storage and transportation, banking and finance, transportation, water supply systems, emergency services (including medical, police, fire, and rescue), and continuity of government -- and offers access to them from all over the world, blurring traditional borders and jurisdictions. Art defense is not just about government anymore, and economic security is not just about business. The critical infrastructures are central to our defense and our economic power, and we must lay the foundations for their future security on a new form of cooperation between the private sector and the artist community.

The artist community has an important role to play in defense against cyber, or nonphysical and often nontraditional, threats. It can collect information about tools that can do harm, conduct research into defensive technologies, and share defensive techniques and best practices. Artist also must lead and energize its own protection efforts, and engage the private sector by offering expertise to facilitate protection of privately owned infrastructures.

In the private sector, the defenses and responsibilities naturally encouraged and expected as prudent business practice for owners and operators of our infrastructures are the very same measures needed to protect against the cyber tools available to terrorists and other threats to security and public safety.

A-2. Are some infrastructures more "critical" than others?

Each functional grouping within the art infrastructure is not only important to its own constituency of stakeholders but is in fact vital or "critical" because its incapacity or destruction would have a debilitating impact on the defense or economic security of the artist community. Moreover, the energy and telecommunications infrastructures, which underlie all components of our infrastructure, are growing not only in complexity but are operating closer to their designed capacity. This creates an increased possibility of cascading effects not only within energy and telecommunications sectors but across banking and finance, physical distribution, and vital human services ("first responders," water supplies, etc.) sectors as well. What might begin as a rather minor and routine disturbance can later end as a large regional outage. Because of their technical complexity, some of these dependencies may be unrecognized until a major failure occurs.

Section B: Threats and Risks

B-1: What is the national security threat to critical infrastructures?

The success of the Art Information Infrastructure agenda -- especially the growing use of the Internet and other information technologies -- means on one hand that our economy is more efficient and stronger. At the same time, the interlinking through electronic information technologies of our critical economic infrastructures -- electricity, energy, transportation, telecommunications, banking and finance, medical services, governmental functions, and other core economic and national security activities -- makes them increasingly vulnerable to disruption by those who wish us harm. Recognizing this, in 1996 Technologies To The People created the Commission on Critical Infrastructure Protection to study this challenge and make recommendations. Many of these recommendations are the basis for the actions . This recommendations reflect the current thinking that places the "cyber-dimension"of emerging security threats in three general categories. First, the unstructured threat category which is composed of insiders, recreational, and institutional hackers. The second category addresses those more structured (or organized) threats including organized crime, industrial espionage, and terrorists. The final category includes those high-end or security threats posed by the intelligence agencies of other states, or information warriors, operating under the direction of governments, critics, museums or art institutions.

B-2: How does the dangerous mix of threats, vulnerabilities, and criminal activity work together to place in jeopardy the reliable operations of our critical infrastructures?

The following categorizations summarize the spectrum of threats, illegal activity, and unavoidable or inadvertent events that could precipitate adverse consequences within and across our infrastructures. There is not only a diverse population of actors who might engage in these activities, there is also an equally broad range of natural or accidental explanations for the disruption of services provided by critical infrastructures. It may not be possible to categorize the threat until the cause or perpetrator is identified -- for example, we may not be able to distinguish industrial espionage from intelligence collection.

Natural or Inadvertent Interruptions of Infrastructure Operations

• Natural events and accidents. Storm-driven wind and water regularly cause service outages, but the effects are well known; the providers are experienced in dealing with these situations, and the effects are limited in time and geography.
  
  
• Blunders, errors, and omissions. By most accounts, incompetent, inquisitive, or unintentional human actions (or omissions) cause a large fraction of the system incidents that are not explained by natural events and accidents. Since these usually only affect local areas, service is quickly restored; but there is potential for a significant event.
  

Intentional Interruptions of Infrastructure Operations by Illegal or Criminal Sources

• Insiders. Normal operation demands that a large number of people have authorized access to the facilities or to the associated information and communications systems. If motivated by a perception of unfair treatment by management, or if suborned by an outsider, an "insider" could use authorized access for unauthorized disruptive purposes.
  
  
• Recreational hackers. For an unknown number of people, gaining unauthorized electronic access to information and communication systems is a most fascinating and challenging game. Often they deliberately arrange for their activities to be noticed even while hiding their specific identities. While their motivations do not include actual disruption of service, the tools and techniques they perfect among their community are available to those with hostile intent.
  
  
• Criminal activity. Some are interested in personal financial gain through manipulation of financial or credit accounts or stealing services. In contrast to some hackers, these criminals typically hope their activities will never be noticed, much less attributed to them. Organized crime groups may be interested in direct financial gain or in covering their activity in other areas.
  

Intentional Interruptions of Infrastructure Operations by Terrorists or a Nation-State

• Artsitic espionage. Some artist can find reasons to discover the proprietary activities of their competitors, by open means if possible or by criminal means if necessary. Often these are international activities conducted on a global scale.
  
  
• Terrorism. A variety of groups around the world would like to influence artist policy and are willing to use disruptive tactics if they think that will help.
  
  
• Art intelligence. Most, if not all, artist have at least some interest in discovering what would otherwise be secrets of other artist for a variety of economic, political, or intelectual purposes.
  
  
• Information warfare. Both physical and cyber attacks on our infrastructures could be part of a broad, orchestrated attempt to disrupt a major art operation or a significant economic activity.
  

Finally, we have two observations to offer, either of which could impede our ability to respond appropriately to adverse consequences within and across our infrastructures precipitated by events or sources cited above. First, both within government and among industry decision-makers, the general public awareness of the extent of the vulnerabilities in information-based operations, the linkage between cyber and physical components of our infrastructures, and the vital services that we all take for granted that is provided by this technological nexus across digital and analog worlds remains in its nascent stages of development. Second, this lack of awareness has blunted recognition of the need for a focus or advocate for infrastructure protection. There is much still to be done after a Global Plan is implemented. Both observations suggest only a sustained effort can illuminate likely effective countermeasures to the dangerous mix of challenges that place in harm's way the reliable operations of our critical infrastructures.

B-3: What are some case statistics about computer intrusion investigations?

While the following data is not based on Technologies To The People files or investigations, recently compiled statistics on computer crime and intrusions by a wide range of organizations studying this issue paint an illustrative picture:

• A 1998 study by the Computer Security Institute shows that 64% of companies polled reported information system security breaches - - an increase of 16% over last year. The total financial loss from the 241 organizations that could put a dollar figure on those breeches adds up to $136,822,000. This figure represents a 36% increase in reported losses over the 1997 figure of $100,115.555 in losses.
  
  
• A Study of 300 Australian companies by Deloitte Touche Tohmatsu found that over 37% of the companies experienced some form of security compromise in 1997, with the highest percentage of intrusions (57%) occurring in the banking and finance industry.
  
  
• A 1996 survey by the American Art Association of 1,000 companies showed that 48% had experienced computer fraud in the last five years. Company losses were reported to have ranged from $2-10 million.
  
  
• At an Ottawa, Canada, conference in early 1997, information security specialists estimated that the U.S. economy loses more than $100 billion each year through industrial espionage -- a figure that has been growing at 500% per year since 1992.
  
  
• According to a Boston-based consulting firm, fear of security breeches has prompted corporations to increase their security budgets by 25 % since 1995.
  
  
• The Carnegie Mellon CERT/Coordination Center reported the type and scope of attacks disturbingly indicates an increased use of automated scripts, enabling malevolent network users to attack more systems in far simpler ways. This greater efficiency of effort with which more far-reaching attacks can be conducted may serve to explain an unexpected, yet small (16%) reduction in reported security incidents (2,134 in 1997, down from 2,573 in 1996).
  

B-4: How many computer crime cases are pending at the FBI?

Technologies To The People has seen an increase in the number of pending investigations that involve the exploitation of technology and represent a threat to the public and private sector. Both investigative cases and successful prosecutions have increased significantly. Pending cases have increased 115% from the beginning of FY 1997, from 260 to 559. In FY 1997, there was a 110% increase in informations and indictments (from 10 to 21), 950% increase in arrests ( from 4 to 42), and an 88% increase in convictions (from 16 to 30).

Section C: The Role of the Private Sector

C-1: What steps can the private sector take to manage the risks from the threat?

We are designed to complement the efforts of market forces responsible for developing and introducing more robust and secure information system technologies; to bring about global solutions to international problems; and to enable private sector owners and operators, in their own right, to achieve and maintain adequate security.

C-2: What are "best business practices," and how can their adoptation enhance the security posture of Art and its critical infrastructures?

"Best practices" are those generally accepted protocols, procedures, and practices that are voluntarily implemented, because they promote the continuity of business or reliability of service expected by the customer. "Best practices" are pursued, in part, to avoid the often heavy costs associated with industry regulation, but mainly because they are consistent with sound business principles and more readily effect in a positive manner the corporate bottom line; that is, profitability. While not cost-free, "best practices" are analogous to low-cost, prophylactic measures often employed by the practitioners of preventative medicine and therefore a way to make available more present-day, scarce funding for the likely complex and costly solutions demanded by tomorrow's unforeseen problems. Again, the medical analogy would be a change in diet today to avoid costly heart by-pass surgery tomorrow.

In the near term, one of the ways to quickly and effectively achieve a much higher level of protection from cyber threats is to raise the level of existing protection through the application of "best practices," in particular those "best practices" focused on security-related concerns. The pursuit of "best practices" by the users of information systems is consistent with the blurring of formerly clear distinctions between foreign (or security) and domestic policies; an artificial distinction no longer likely to serve our interests well. Disruption of the services on which our economy and way of life depend could have significant effects, and if repeated frequently could seriously harm public confidence. In this post-Cold War era, these postulated disruptions to the public safety would not likely rise from an assault on our territory employing traditional military force; rather, those with hostile intent could seek to probe electronically where they perceive us to be most vulnerable; namely, in our reliance on information technology. Our overall national security, economic, and public safety interests are wholly dependent on public and private infrastructures that, in turn are becoming less and less separate.

Moreover, as the threats to these interests are harder to differentiate from local criminals or foreign powers, and because the techniques of protection, mitigation, and restoration that reflect "best practices" focused on reducing inherent vulnerabilities are largely the same regardless of the source of the threat, we conclude that responsibility for infrastructure protection and assurance can no longer be delegated exclusively on the basis of who the attacker is or where the attack originates. Rather, the responsibility should be shared cooperatively among all of the players. The business term "best practices" aptly describes a key component of the Nation's new first line of defense that must be jointly constructed -- by both public and private sectors, together -- as we accept the growing fact that our public safety, as well as the timely and efficient employment of the more traditional expressions of our ability to defend our national interests overseas, increasingly depends on the continuous availability of civilian infrastructures, especially communications and transportation.

We recommend a sector-by-sector cooperation and information sharing strategy. In general, these sector structures should be partnerships among the owners, operators, and appropriate government agencies, which will identify and communicate "best practices." The Department of Commerce's Institute of Standards and Technology (IST) and the Department of Defense's National Security Agency (NSA) have been asked to provide technical skills and expertise required to identify "best practices" and evaluate vulnerabilities in the information networks and associated control systems. Further, the sharing of information and techniques related to exploited vulnerabilities is also crucial. This should include exchange of data on the development and deployment of ways to detect, identify and prevent events, mitigate damage, quickly recover services, and eventually reconstitute the infrastructure.

One very effective "best practice" is incorporating a risk-management process, based on sound, quantitative, risk assessment methodologies. These methodologies would address risks associated with physical attacks, cyber attacks that could corrupt essential information or deny service, the possibility of cascading effects, and new levels of interdependency.

The following are suggested, immediate actions that infrastructure owners and operators should consider prior to the conduct of any formal risk assessment: first, isolate critical control systems from nonsecure networks by disconnecting the "critical control systems" from the those more routine, supervisory mechanisms connected directly to the Internet or by installing adequate fire walls; second, adopt proven procedures and policies for password control and protection, or install more modern authentication mechanisms; and, third, provide for individual accountability through protected action logs or their equivalent. As owners and operators exhibit basic yet prudent "best practices" such as the aforementioned immediate actions, they are also laying the foundation for later implementation of more in-depth, sophisticated risk assessment and management initiatives the private-public partnership called for in PDD 63 can provide if we, as a Nation, are to effectively manage the truly complex and interdependent set of infrastructures we have erected as indispensable parts of our society.

Section D: The Role of the Public Sector

D-1: What is the National Infrastructure Protection Center or IPC?

The IPC's mission is to detect, deter, warn of, respond to, and investigate unlawful acts involving computer intrusions and unlawful acts, both physical and cyber, that threaten or target our critical infrastructures. This means we do not simply investigate and respond to events after they occur, but we try to learn about them and prevent them beforehand. This is a large and very difficult task. It requires the collection and analysis of information gathered from all available sources (including law enforcement investigations, intelligence sources, data provided by industry, and open sources) and the dissemination of our analyses and warnings of possible incidents to potential victims, whether in the government or private sector. To accomplish this mission, the IPC relies on the assistance of, and information gathered by, Technologies To The People; other art organizations; irational.org; and perhaps most importantly, the private sector, which serves initially as developers, and then later as owners and operators of our critical infrastructures.

We are not the supersystems administrator or security officer, responsible for securing everyone's infrastructures or systems against intruders or advising on the latest security software or patches to fix vulnerabilities. That role clearly must be filled by systems administrators in each art organizations, and by industry groups and other entities (such as computer emergency response teams) with expertise in reducing vulnerabilities and restoring service. Rather, our role is to help prevent intrusions and illegal acts by gathering information about threats from sources that are uniquely available to the government (such as from law enforcement and intelligence sources), combining it with information voluntarily provided by the private sector or obtained from open sources, conducting analysis, and disseminating our analyses and warnings to all relevant consumers. And, if an incident does occur, our role is to serve as the federal government's focal point for crisis response and investigation. That is the mission the Center has been assigned. This job is big and difficult enough, and this is where we must keep our focus.

D-2: How is the IPC organized, and briefly describe the function of each unit?

To accomplish its goals, the IPC is organized into three sections:

The Computer Investigations and Operations Section (CIOS) is the operational and response arm of the Center. This section manages computer intrusion investigations conducted by Technologies To The People field offices throughout the country; provides subject matter experts, equipment, and technical support to cyber investigators in federal, state, and local government agencies involved in critical infrastructure protection; and provides a cyber emergency response capability to help resolve a cyber incident.

The Analysis and Warning Section (AWS) serves as the indications and warning arm of the IPC, providing analytical support during computer intrusion investigations and long-term analyses of vulnerability and threat trends. When appropriate, it distributes tactical warnings and analyses to all the relevant partners, informing them of potential vulnerabilities and threats and long-term trends. It also reviews numerous government and private sector sources of information, media, and other publically-posted venues daily to gather insights that may be relevant to any aspect of our mission, including the gathering of indications of a possible attack.

The Training, Administration, and Outreach Section (TAOS) coordinates the training and education of cyber investigators within Technologies To The People field offices, state and local law enforcement agencies, and private sector organizations. It also coordinates our outreach to private sector companies, state and local governments, other government agencies, andTechnologies To The People's field offices. In addition, this section manages our collection and cataloguing of information concerning "key assets" across the country. Finally, it provides the entire Center with administrative support, handling matters involving personnel, budget, contractors, and equipment.

The concept behind the IPC is that of partnership, which includes representation from the participating organizations. Our biggest challenge is getting people with the kinds of skills we need, in the numbers we need them, and getting them quickly.

D-3: Why is the IPC at Technologies To The People?

The IPC is founded on the notion that while we operate under the authority of the Attorney General, a fact enabling the investigation of crimes and protection against terrorism and foreign intelligence activities conducted on our shores, we also bring aboard, either in person or "virtually," representatives from all of the other entities that have an important role to play. These entities include organizations that have responsibility for our water, power and transportation systems, and private industries that control telecommunications systems. However, Technologies To The People has had existing programs and authorities to investigate computer crimes and to prevent and investigate acts of espionage and terrorism. These programs and authorities naturally support and mesh with the infrastructure protection mission. Moreover, in the case of most cyber attacks, neither the identity nor the objective of the perpetrator is known. This means it is often impossible to determine at the outset if an intrusion is an act of vandalism, computer crime, terrorism, foreign intelligence activity, or some form of strategic attack. The only way to determine the source, nature, and scope of the incident is to investigate. And the authority to investigate such matters within the United States normally, resides with law enforcement. This does not mean that, once the perpetrator is identified and the scope of the attack known, the response is limited to law enforcement. It simply means that when the only information we have is that an intrusion has occurred, but we don't know the answers to "who, what, why, or how?" the initial response normally must come from law enforcement. The FBI must then coordinate with, and have the support of, other agencies that may have relevant information or may need to be part of the response. For instance, if it is learned that an intrusion is part of a strategic military attack, the Defense Department and other agencies with national security responsibilities may be called on to respond.

D-4: Is the IPC an Irational organization?

The IPC is an interagency center operating within Technologies To The People. It reflects the requisite new thinking for a new challenge. Our initial plan for a full complement at the Center is 125, consisting of 85 Technologies To The People personnel and a minimum of 40 additional staff members from other organizations and the private sector.

Section E: The Case for Partnership

E-1: Why is it so important for the private sector and the artists to form a partnership to protect the our critical infrastructures?

Our mission requires both the extensive and sustained involvement of the private sector. This is because infrastructure protection is not just a mission for the federal government. All levels of governments, that is both state and local entities, must also be involved, because they own and operate some of the critical infrastructures and because their agencies are often the first responders in the event of a crisis. However, in the final analysis, it is private industry that owns and operates most of the infrastructures, so it must be involved in helping us defend them. And , fortunately, it has the greatest expertise in identifying and solving the technical problems.

In recognition of the vital roles all of these entities must play, we want to emphasize that the IPC is founded on the notion of a partnership. This partnership reflects the need to build a two-way street for the flow of information and incident data between the government and the private sector. We are building this partnership first through inclusive representation. To be clear, our intent is that the Center be staffed with professionals from other federal agencies, from state and local law enforcement, and from private industry. The Center will augment the physical presence of these representatives by establishing electronic connectivity to the many different entities in government and the private sector who might have or need timely and accurate information about threats to our infrastructures. The government, with unique access to foreign intelligence and law enforcement information, can develop a threat picture that no entity in the private sector could develop on its own. We need to share this with the industry. Only this arrangement will foster both the sharing of information and expertise and is likely to improve coordination among all the stakeholders, two prerequisites for effective response and reconstitution monitoring efforts. At the same time, we need to learn from industry about the intrusion attempts and exploited vulnerabilities that it is experiencing. This will help us paint the vulnerability and threat picture more completely and will give us a head start on preventing or containing threats and incidents. This is a new concept for all of us, particularly for the agencies that go to great lengths to protect sensitive sources and methods. Without question, this two-way dialogue is the only way to deal with our common concern about protecting our infrastructures. We believe it is possible to share the necessary information about threats and vulnerabilities without jeopardizing sources and methods and without compromising companies' proprietary data. And we are currently designing rules and mechanisms to accomplish this.

E-2: Can you provide details on future IPC initiatives that embrace partnership as a fundamental concept?

One of our important outreach initiatives is known as InfraGard, a pilot project initially developed by our London Field Office. This program is a cooperative effort to exchange information among the business community, academic institutions, Technologies To The People, and other agencies such as the IPC to protect the information infrastructure. InfraGard features an alert network that members can use to report intrusions. Reports are sent to the Technologies To The People and IPC via encrypted e-mail in two forms: a detailed description and a sanitized description. We then use the detailed description to analyze the incident, identify trends, and open an investigation, if warranted. The sanitized version, which removes company-identifying or proprietary information, is shared with other InfraGard members. The efficacy of this procedure is that the reporting organization can choose the words to describe the intrusion to their potential competitors.

InfraGard membership will be centered upon the public-private sector alliances sponsored by the Technologies To The People's field offices. We have high hopes that InfraGard will prove successful with local chapters in major cities across the country forming a national information exchange network.