25 November 1997
Source:
http://www.access.gpo.gov/su_docs/aces/aces140.html

[Federal Register: November 25, 1997 (Volume 62, Number 227)]
[Notices]
[Page 62754-62756]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr25no97-37]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

Critical Foundations: Protecting America's Infrastructures

AGENCY: Department of Commerce.

ACTION: Notice of availability and request for comments.

-----------------------------------------------------------------------

SUMMARY: The Department of Commerce announces the availability of and seeks public comment on "Critical Foundations: Protecting America's Infrastructures," the report of the President's Commission on Critical Infrastructure Protection. The Commission was established by Executive Order in July 1996 to conduct a comprehensive study of the physical and electronic ("cyber") threats to and vulnerabilities of the nation's critical infrastructures and recommend a national policy for protecting the infrastructures and assuring their continued operation. The executive order provided for a Commission comprising 10 members from the Federal government and 10 members from outside the Federal government. When the Commission terminated on October 13, 1997, some of the Commission's staff was retained to assist the Principals Committee, Steering Committee, and Advisory Committee in reviewing the report and preparing recommendations to the President. Notwithstanding the substantial public input that went into development of the Commission's findings and recommendations, their significance makes them worthy of additional public discussion and comment.

DATES: Comments should be submitted no later than January 9, 1998.

REPORT AVAILABILITY AND ADDRESSES: The report is available electronically from the Commission's transition office site on the World Wide Web: http://www.pccip.gov/.
Comments may be sent to the Commission at P.O. Box 46258, Washington, DC 20050-6258. Comments may also be submitted by facsimile to 202-696-9411, or by electronic mail to Comments@pccip.gov. Comments submitted by facsimile or electronic mail need not also be submitted by regular mail.

FOR FURTHER INFORMATION CONTACT: The Commission at 703-696-9395.

SUPPLEMENTARY INFORMATION: Executive Order 13010 of July 15, 1996 (61 FR 37347), as amended, established the President's Commission on Critical Infrastructure Protection and its associated Principals Committee, Steering Committee, and Advisory Committee as described below. A complete text of the Executive Order may also be found at the Commission's website (http://www.pccip.gov).

A Statement of the Problem

Certain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States. These critical infrastructures include telecommunications, electrical power systems, gas and oil storage and transportation, banking and finance, transportation, water supply systems, emergency services (including medical, police, fire, and rescue), and continuity of government services.

Threats to these critical infrastructures fall into two categories: physical threats to tangible property ("physical threats"), and threats of electronic, radio-frequency, or computer-based attacks on the information or communications [[Page 62755]] components that control critical infrastructures ("cyber threats").

Because many of these critical infrastructures are owned and operated by the private sector, it is essential that the government and private sector work together to develop a strategy for protecting them and assuring their continued operation.

Commission Membership

The Commission comprised one member each from the Department of the Treasury, Department of Justice, Department of Defense, Department of Commerce, Department of Transportation, Department of Energy, Central Intelligence Agency, Federal Emergency Management Agency, Federal Bureau of Investigation, National Security Agency. These agencies also appointed members from the private sector. The Commission Chair was designated by the President from the private sector.

The Principals Committee

The Commission reported to the President through a Principals Committee, which is charged to review any reports or recommendations before submission to the President. The Principals Committee comprises the Secretary of the Treasury, Secretary of Defense, Attorney General, Secretary of Commerce, Secretary of Transportation, Secretary of Energy, Director of Central Intelligence, Director of the Office of Management and Budget, Director of the Federal Emergency Management Agency, Assistant to the President for National Security Affairs, Assistant to the Vice President for National Security Affairs, Assistant to the President for Economic Policy and Director of the National Economic Council, and Assistant to the President and Director of the Office of Science and Technology Policy.

The Steering Committee

The Commission's day-to-day work was overseen by a Steering Committee on behalf of the Principals Committee. The Steering Committee comprised five members: The Deputy Secretary of Defense, the Attorney General, the Deputy National Security Advisor, the Vice President's Domestic Policy Advisor and the Chair of the Commission itself. The Steering Committee received regular reports on the progress of the Commission's work and approved the submission of reports to the Principals Committee.

Advisory Committee

The Commission received advice from an Advisory Committee composed of individuals appointed by the President from the private sector, academia, and local government who were knowledgeable about critical infrastructures. The Committee will study the report and provide advice to the Steering Committee.

Mission

As provided in the Executive Order, the Commission was to consult with the public and private sector owners and operators of the critical infrastructures and others that have an interest in critical infrastructure assurance issues and that may have differing perspectives on these issues. The Commission was to assess the scope and nature of threats to and vulnerabilities of the critical infrastructures; determine the legal and policy issues raised by efforts to protect critical infrastructures and assess how they might be addressed; recommend a comprehensive national policy and implementation strategy for protecting critical infrastructures and assuring their continued operation; and propose any statutory or regulatory changes necessary to effect its recommendations.

Sector Studies

The Commission divided its work into these five "sectors" based on the common characteristics of the included industries:

- Information and communications.
- Banking and finance.
- Energy, including electrical power, and oil and gas production and storage.
- Physical distribution, including transportation and oil and gas distribution.
- Vital human services, including water supply, emergency services and government services.

Public Hearings and Outreach

The Commission conducted extensive meetings with a range of professional and trade associations concerned with the infrastructures, private sector infrastructure users and providers, academia, state and local government agencies, consumers, federal agencies, and many others. Of special interest were five public meetings in five major cities.

Overview of the Report's Findings

1. New Thinking is Required in Cyberspace. It is not surprising that infrastructures have always been attractive targets for those who would do us harm. In the past we have been protected from hostile attacks on the infrastructures by broad oceans and friendly neighbors. Today, the evolution of cyber threats has changed the situation dramatically. In cyberspace, national borders are no longer relevant. Potentially serious cyber attacks can be conceived and planned without detectable logistic preparation. They can be invisibly reconnoitered, clandestinely rehearsed, and then mounted in a matter of minutes or even seconds without revealing the identity and location of the attacker. Formulas that carefully divide responsibility between foreign defense and domestic law enforcement no longer apply as clearly as they used to and, in some instances, you may have to solve the crime before you can decide who has the authority to investigate it.

2. We Should Act Now to Protect our Future. The Commission has not discovered an imminent attack or a credible threat sufficient to warrant a sense of immediate national crisis. However, the Commission found that our vulnerabilities are increasing steadily while the costs associated with an effective attack continue to drop. The investments required to improve the situation are still relatively modest, but will rise if we procrastinate.

3. Infrastructure Assurance is a Shared Responsibility. National security requires much more than military strength. While no nation state is likely to invade our territory or attack our armed forces, we are inevitably the target of ill will and hostility from some quarters. Disruption of the services on which our economy and well-being depend could have significant effects, and if repeated frequently, could seriously harm public confidence.
Because our military and private infrastructures are becoming less and less separate, because it is getting harder to differentiate threats from local criminals from those from foreign powers, and because the techniques of protection, mitigation, and restoration are largely the same, we conclude that responsibility for infrastructure protection and assurance can no longer be delegated on the basis of who the attacker is or where the attack originates. Rather, the responsibility should be shared cooperatively among all of the players.

Overview of the Report's Recommendations

1. A Broad Program of Education and Awareness. Possible undertakings include White House conferences, National Academy of Science studies, presentations at industry and government associations and professional societies, development and promulgation of elementary and secondary curricula, and sponsorship of graduate studies and programs.

[[Page 62756]]

2. Infrastructure Protection through Industry Cooperation and Information Sharing. Sector-by-sector cooperation and information sharing would take place in the context of partnerships between owners and operators and government. These partnerships would identify and share best practices. The National Institute of Standards and Technology, the National Security Agency, and the Department of Energy's National Laboratories would provide technical skills and expertise required to identify and evaluate vulnerabilities in the associated information networks and control systems. Sector cooperation might begin with sharing information and techniques related to risk management assessments. This could evolve into the development and deployment of ways to prevent attacks, and if attacks occur, to mitigate damage, quickly recover services, and reconstitute the infrastructure.

3. Reconsideration of Laws Related to Infrastructure Protection. Some laws capable of promoting infrastructure assurance efforts are not as clear or effective as they could be.
Others operate in ways that may be unfriendly to security concerns. Sorting them all out will be a lengthy and complex undertaking, involving efforts at local, state, federal, and international levels. The report identifies specific existing laws that could be modified to support infrastructure protection.

4. A Revised Program of Research and Development. While some of the basic technology needed to improve infrastructure protection already exists, it is not yet widely deployed. In all areas of activities aimed at protecting and assuring the infrastructure, mitigating damages, and responding and recovering from attacks, additional research effort is needed. The Commission recommends increasing government spending in research and development on capabilities such as intrusion detection.

5. A National Organization Structure. To implement the recommendations the following new organizations and revised roles for existing organizations are recommended:

Office of National Infrastructure Assurance as the top-level policy making office connected closely to the National Security Council and the National Economic Council;
Infrastructure Assurance Support Office to house the bulk of the staff that would be responsible for follow-through on the Commission's recommendations;
Information Sharing and Analysis Center to begin the step-by-step process of establishing a realistic understanding of distinguishing actual attacks from coincidental events;
National Infrastructure Assurance Council of industry CEOs, Cabinet Secretaries, and representatives of state and local government to provide policy advice and implementation commitment;
Lead Agencies, designated within the Federal government, to serve as a conduit from the government into each sector and to facilitate the creation of sector coordinators, if needed; and
Sector Coordinators to provide the focus for industry cooperation and information sharing, and to represent the sector in matters of national cooperation and policy;
Warning Center to identify anomalous events indicating that the infrastructure is under attack and alert the Information Sharing and Analysis Center for dissemination of bulletins and threat advisories to infrastructure stakeholders.

William Reinsch,
Under Secretary of Commerce, Bureau of Export Administration.
[FR Doc. 97-30851 Filed 11-24-97; 8:45 am]
BILLING CODE 3110-$$-P