Commission urges cooperation between government, industry

In addition to quadrupling spending on current infrastructure-assurance research and development efforts a presidential commission will recommend that the private sector forge relationships with the federal government through partnerships such as a joint information warning and analysis center to shore up vulnerabilities in the nation's critical infrastructures.

These recommendations are expected to be included in a report of the president's Commission on Critical Infrastructure Protection which is due to the White House this week. The infrastructures examined by the panel include telecommunications electric power transport oil/gas delivery and storage water banking and finance emergency services and government services.

Speaking at the National Information Systems Security Conference in Baltimore earlier this month commission chairman Air Force Gen. Robert Marsh said the single most important recommendation of the panel is to "develop information-sharing arrangements" in the private sector and between government and industry in areas such as unauthorized intrusions. The biggest obstacle to implementing the group's recommendations is the "cultural change we have to bring about " he said. The panel would like to see its ideas implemented in the next three to five years.

"We're entering an era where national security becomes a shared responsibility between the public and the private sectors " he said. "To focus on [infrastructure] protection is a new challenge to us because these are in the main private-sector-owned and operated."

In addition to the new analysis center the commission will recommend the establishment of a National Infrastructure Assurance Council a high-level advisory council comprised of senior chief executive officers from throughout the critical-infrastructure sector which will meet regularly with selected cabinet members "to open the door of policy formation to include the private sector " Marsh said. It also calls for the establishment of an Office of National Infrastructure Assurance in the White House to coordinate federal government efforts.

As reported in FCW's Sept. 8 issue the panel also calls for quadrupling current infrastructure-assurance R&D spending to more than $1 billion by 2004 up from about $250 million this year. About $600 million of that billion-dollar total would be spent on information assurance and the remainder on other areas of infrastructure assurance such as physical hardening and monitoring as well as power-distribution network modeling and simulation.

Current R&D is "not sufficient to address the threat " Marsh said. "There is little research on real-time detection identification and response tools" for network attacks and market demand has been insufficient to spur development.

Leading government research in information assurance - an area embracing information technology and telecommunications and cutting across all eight infrastructures - would be the National Security Agency and the Defense Advanced Research Projects Agency (DARPA) along with the National Institute for Standards and Technology according to John Davis head of NSA's National Computer Security Center and the panel's R&D lead.

These agencies also would guide government research in information and communications R&D a category including computers and networks such as the Internet as well as telecom. The Defense Department and the National Science Foundation would address government research into the problem of infrastructure interdependencies.

NIST and NSA would jointly spearhead infosec standards development and would share best practices with government and industry Marsh said. Federal agencies would be required to follow these standards he said. In the context of the possible increase in NIST's infosec role it would not be unreasonable to increase that agency's security budget by a factor of 10 according to Davis.

Skepticism in the Industry

Nevertheless there is skepticism in industry about how well DOD's security concerns for extremely high-availability commercial communications channels for example will mesh with private-sector perspectives. It is possible that if there are serious concerns about the threat addressing them is not a business decision said Steve Kent chief scientist for security with BBN Technologies Cambridge Mass. It is possible for example that "we might see an [National Security Telecommunications Advisory Committee]-like organization for the Internet " he said. NSTAC is an example of government involvement to cause information sharing he said.A white paper published this month by the Information Technology Association of America said industry will be guided by business considerations in protecting itself against attacks as the threat to the information infrastructure evolves. The association said it would be concerned over any government efforts to mandate standards to protect infrastructure elements from attacks develop processes to react to the attack or to re-establish the service.

The commission also wants to update laws to "address cyber- concerns " Marsh said and to provide "antitrust protection" to allow for increased information sharing. He mentioned the Defense Production Act the War Powers Resolution and the Computer Security Act of 1987 among others. The hope is for "relatively minor modifications [in law] as a direct result of the commission effort " said Stevan Mitchell a commissioner on leave from the Justice Department.

The unclassified version of the commission's report is not expected to be made available until later this year.

-- Adams is a free-lance writer based in Alexandria Va.