[ISN] White House Critical Infrastructure Protection Paper (long)

From: mea culpa (jerichoat_private)
Date: Sat May 30 1998 - 10:27:09 PDT

  • Next message: mea culpa: "[ISN] Internal study at Department of Energy finds huge lapses"

    Forwarded From: Nicholas Charles Brawn <ncb05at_private>
    
    ---------- Forwarded message ----------
    Date: Thu, 28 May 1998 15:09:17 -0400
    From: Frans Mulschlegel <Mulschlegel_FJat_private>
    To: Blind.Copy.Receiverat_private
    Subject: 27May98 USA: THE WHITE HOUSE - WHITE PAPER.
    
    27May98 USA: THE WHITE HOUSE - WHITE PAPER.
    RDATE:220598
    
    The Clinton Administration's Policy on Critical Infrastructure Protection:
    Presidential Decision Directive 63 May 22, 1998
    This White Paper explains key elements of the Clinton Administration's
    policy on critical infrastructure protection. It is intended for
    dissemination to all interested parties in both the private and public
    sectors. It will also be used in U.S. Government professional education
    institutions, such as the National Defense University and the National
    Foreign Affairs Training Center, for coursework and exercises on
    interagency practices and procedures. Wide dissemination of this
    unclassified White Paper is encouraged by all agencies of the U.S.
    Government.
    I. A Growing Potential Vulnerability
    The United States possesses both the world's strongest military and its
    largest national economy. Those two aspects of our power are mutually
    reinforcing and dependent. They are also increasingly reliant upon certain
    critical infrastructures and upon cyber-based information systems.
    Critical infrastructures are those physical and cyber-based systems
    essential to the minimum operations of the economy and government. They
    include, but are not limited to, telecommunications, energy, banking and
    finance, transportation, water systems and emergency services, both
    governmental and private. Many of the nation's critical infrastructures
    have historically been physically and logically separate systems that had
    little interdependence. As a result of advances in information technology
    and the necessity of improved efficiency, however, these infrastructures
    have become increasingly automated and interlinked. These same advances
    have created new vulnerabilities to equipment failures, human error,
    weather and other natural causes, and physical and cyber attacks.
    Addressing these vulnerabilities will necessarily require flexible,
    evolutionary approaches that span both the public and private sectors, and
    protect both domestic and international security.
    Because of our military strength, future enemies, whether nations, groups
    or individuals, may seek to harm us in non-traditional ways including
    attacks within the United States. Our economy is increasingly reliant upon
    interdependent and cyber-supported infrastructures and non-traditional
    attacks on our infrastructure and information systems may be capable of
    significantly harming both our military power and our economy.
    II. President's Intent
    It has long been the policy of the United States to assure the continuity
    and viability of critical infrastructures. President Clinton intends that
    the United States will take all necessary measures to swiftly eliminate any
    significant vulnerability to both physical and cyber attacks on our
    critical infrastructures, including especially our cyber systems.
    III. A National Goal
    No later than the year 2000, the United States shall have achieved an
    initial operating capability and no later than five years from the day the
    President signed Presidential Decision Directive 63 the United States shall
    have achieved and shall maintain the ability to protect our nation's
    critical infrastructures from intentional acts that would significantly
    diminish the abilities of:
    the Federal Government to perform essential national security missions and
    to ensure the general public health and safety;
    state and local governments to maintain order and to deliver minimum
    essential public services;
    the private sector to ensure the orderly functioning of the economy and the
    delivery of essential telecommunications, energy, financial and
    transportation services.
    Any interruptions or manipulations of these critical functions must be
    brief, infrequent, manageable, geographically isolated and minimally
    detrimental to the welfare of the United States.
    IV. A Public-Private Partnership to Reduce Vulnerability
    Since the targets of attacks on our critical infrastructure would likely
    include both facilities in the economy and those in the government, the
    elimination of our potential vulnerability requires a closely coordinated
    effort of both the public and the private sector. To succeed, this
    partnership must be genuine, mutual and cooperative. In seeking to meet our
    national goal to eliminate the vulnerabilities of our critical
    infrastructure, therefore, the U.S. government should, to the extent
    feasible, seek to avoid outcomes that increase government regulation or
    expand unfunded government mandates to the private sector.
    For each of the major sectors of our economy that are vulnerable to
    infrastructure attack, the Federal Government will appoint from a
    designated Lead Agency a senior officer of that agency as the Sector
    Liaison Official to work with the private sector. Sector Liaison Officials,
    after discussions and coordination with private sector entities of their
    infrastructure sector, will identify a private sector counterpart (Sector
    Coordinator) to represent their sector.
    Together these two individuals and the departments and corporations they
    represent shall contribute to a sectoral National Infrastructure Assurance
    Plan by:
    assessing the vulnerabilities of the sector to cyber or physical attacks;
    recommending a plan to eliminate significant vulnerabilities;
    proposing a system for identifying and preventing attempted major attacks;
    developing a plan for alerting, containing and rebuffing an attack in
    progress and then, in coordination with FEMA as appropriate, rapidly
    reconstituting minimum essential capabilities in the aftermath of an
    attack.
    During the preparation of the sectoral plans, the National Coordinator (see
    section VI), in conjunction with the Lead Agency Sector Liaison Officials
    and a representative from the National Economic Council, shall ensure their
    overall coordination and the integration of the various sectoral plans,
    with a particular focus on interdependencies.
    V. Guidelines
    In addressing this potential vulnerability and the means of eliminating it,
    President Clinton wants those involved to be mindful of the following
    general principles and concerns.
    We shall consult with, and seek input from, the Congress on approaches and
    programs to meet the objectives set forth in this directive.
    The protection of our critical infrastructures is necessarily a shared
    responsibility and partnership between owners, operators and the
    government. Furthermore, the Federal Government shall encourage
    international cooperation to help manage this increasingly global problem.
    Frequent assessments shall be made of our critical infrastructures'
    existing reliability, vulnerability and threat environment because, as
    technology and the nature of the threats to our critical infrastructures
    will continue to change rapidly, so must our protective measures and
    responses be robustly adaptive.
    The incentives that the market provides are the first choice for addressing
    the problem of critical infrastructure protection; regulation will be used
    only in the face of a material failure of the market to protect the health,
    safety or well-being of the American people. In such cases, agencies shall
    identify and assess available alternatives to direct regulation, including
    providing economic incentives to encourage the desired behavior, or
    providing information upon which choices can be made by the private sector.
    These incentives, along with other actions, shall be designed to help
    harness the latest technologies, bring about global solutions to
    international problems, and enable private sector owners and operators to
    achieve and maintain the maximum feasible security.
    The full authorities, capabilities and resources of the government,
    including law enforcement, regulation, foreign intelligence and defense
    preparedness shall be available, as appropriate, to ensure that critical
    infrastructure protection is achieved and maintained.
    Care must be taken to respect privacy rights. Consumers and operators must
    have confidence that information will be handled accurately, confidentially
    and reliably.
    The Federal Government shall, through its research, development and
    procurement, encourage the introduction of increasingly capable methods of
    infrastructure protection.
    The Federal Government shall serve as a model to the private sector on how
    infrastructure assurance is best achieved and shall, to the extent
    feasible, distribute the results of its endeavors.
    We must focus on preventative measures as well as threat and crisis
    management. To that end, private sector owners and operators should be
    encouraged to provide maximum feasible security for the infrastructures
    they control and to provide the government necessary information to assist
    them in that task. In order to engage the private sector fully, it is
    preferred that participation by owners and operators in a national
    infrastructure protection system be voluntary.
    Close cooperation and coordination with state and local governments and
    first responders is essential for a robust and flexible infrastructure
    protection program. All critical infrastructure protection plans and
    actions shall take into consideration the needs, activities and
    responsibilities of state and local governments and first responders.
    VI. Structure and Organization
    The Federal Government will be organized for the purposes of this endeavor
    around four components (elaborated in Annex A).
    Lead Agencies for Sector Liaison: For each infrastructure sector that could
    be a target for significant cyber or physical attacks, there will be a
    single U.S. Government department which will serve as the lead agency for
    liaison. Each Lead Agency will designate one individual of Assistant
    Secretary rank or higher to be the Sector Liaison Official for that area
    and to cooperate with the private sector representatives (Sector
    Coordinators) in addressing problems related to critical infrastructure
    protection and, in particular, in recommending components of the National
    Infrastructure Assurance Plan. Together, the Lead Agency and the private
    sector counterparts will develop and implement a Vulnerability Awareness
    and Education Program for their sector.
    Lead Agencies for Special Functions: There are, in addition, certain
    functions related to critical infrastructure protection that must be
    chiefly performed by the Federal Government (national defense, foreign
    affairs, intelligence, law enforcement). For each of those special
    functions, there shall be a Lead Agency which will be responsible for
    coordinating all of the activities of the United States Government in that
    area. Each lead agency will appoint a senior officer of Assistant Secretary
    rank or higher to serve as the Functional Coordinator for that function for
    the Federal Government.
    Interagency Coordination: The Sector Liaison Officials and Functional
    Coordinators of the Lead Agencies, as well as representatives from other
    relevant departments and agencies, including the National Economic Council,
    will meet to coordinate the implementation of this directive under the
    auspices of a Critical Infrastructure Coordination Group (CICG), chaired by
    the National Coordinator for Security, Infrastructure Protection and
    Counter-Terrorism. The National Coordinator will be appointed by and report
    to the President through the Assistant to the President for National
    Security Affairs, who shall assure appropriate coordination with the
    Assistant to the President for Economic Affairs. Agency representatives to
    the CICG should be at a senior policy level (Assistant Secretary or
    higher). Where appropriate, the CICG will be assisted by extant policy
    structures, such as the Security Policy Board, Security Policy Forum and
    the National Security and Telecommunications and Information System
    Security Committee.
    National Infrastructure Assurance Council: On the recommendation of the
    Lead Agencies, the National Economic Council and the National Coordinator,
    the President will appoint a panel of major infrastructure providers and
    state and local government officials to serve as the National
    Infrastructure Assurance Council. The President will appoint the Chairman.
    The National Coordinator will serve as the Council's Executive Director.
    The National Infrastructure Assurance Council will meet periodically to
    enhance the partnership of the public and private sectors in protecting our
    critical infrastructures and will provide reports to the President as
    appropriate. Senior Federal Government officials will participate in the
    meetings of the National Infrastructure Assurance Council as appropriate.
    VII. Protecting Federal Government Critical Infrastructures
    Every department and agency of the Federal Government shall be responsible
    for protecting its own critical infrastructure, especially its cyber-based
    systems. Every department and agency Chief Information Officer (CIO) shall
    be responsible for information assurance. Every department and agency shall
    appoint a Chief Infrastructure Assurance Officer (CIAO) who shall be
    responsible for the protection of all of the other aspects of that
    department's critical infrastructure. The CIO may be double-hatted as the
    CIAO at the discretion of the individual department. These officials shall
    establish procedures for obtaining expedient and valid authorizations to
    allow vulnerability assessments to be performed on government computer and
    physical systems. The Department of Justice shall establish legal
    guidelines for providing for such authorizations.
    No later than 180 days from issuance of this directive, every department
    and agency shall develop a plan for protecting its own critical
    infrastructure, including but not limited to its cyber-based systems. The
    National Coordinator shall be responsible for coordinating analyses
    required by the departments and agencies of inter-governmental dependencies
    and the mitigation of those dependencies. The Critical Infrastructure
    Coordination Group (CICG) shall sponsor an expert review process for those
    plans. No later than two years from today, those plans shall have been
    implemented and shall be updated every two years. In meeting this schedule,
    the Federal Government shall present a model to the private sector on how
    best to protect critical infrastructure.
    VIII. Tasks
    Within 180 days, the Principals Committee should submit to the President a
    schedule for completion of a National Infrastructure Assurance Plan with
    milestones for accomplishing the following subordinate and related tasks.
    Vulnerability Analyses: For each sector of the economy and each sector of
    the government that might be a target of infrastructure attack intended to
    significantly damage the United States, there shall be an initial
    vulnerability assessment, followed by periodic updates. As appropriate,
    these assessments shall also include the determination of the minimum
    essential infrastructure in each sector.
    Remedial Plan: Based upon the vulnerability assessment, there shall be a
    recommended remedial plan. The plan shall identify timelines for
    implementation, responsibilities and funding.
    Warning: A national center to warn of significant infrastructure attacks
    will be established immediately (see Annex A). As soon thereafter as
    possible, we will put in place an enhanced system for detecting and
    analyzing such attacks, with maximum possible participation of the private
    sector.
    Response: A system for responding to a significant infrastructure attack
    while it is underway, with the goal of isolating and minimizing damage.
    Reconstitution: For varying levels of successful infrastructure attacks, we
    shall have a system to reconstitute minimum required capabilities rapidly.
    Education and Awareness: There shall be Vulnerability Awareness and
    Education Programs within both the government and the private sector to
    sensitize people regarding the importance of security and to train them in
    security standards, particularly regarding cyber systems.
    Research and Development: Federally-sponsored research and development in
    support of infrastructure protection shall be coordinated, be subject to
    multi-year planning, take into account private sector research, and be
    adequately funded to minimize our vulnerabilities on a rapid but achievable
    timetable.
    Intelligence: The Intelligence Community shall develop and implement a plan
    for enhancing collection and analysis of the foreign threat to our national
    infrastructure, to include but not be limited to the foreign
    cyber/information warfare threat.
    International Cooperation: There shall be a plan to expand cooperation on
    critical infrastructure protection with like-minded and friendly nations,
    international organizations and multinational corporations.
    Legislative and Budgetary Requirements: There shall be an evaluation of the
    executive branch's legislative authorities and budgetary priorities
    regarding critical infrastructure, and ameliorative recommendations shall
    be made to the President as necessary. The evaluations and recommendations,
    if any, shall be coordinated with the Director of OMB.
    The CICG shall also review and schedule the taskings listed in Annex B.
    IX. Implementation
    In addition to the 180-day report, the National Coordinator, working with
    the National Economic Council, shall provide an annual report on the
    implementation of this directive to the President and the heads of
    departments and agencies, through the Assistant to the President for
    National Security Affairs. The report should include an updated threat
    assessment, a status report on achieving the milestones identified for the
    National Plan and additional policy, legislative and budgetary
    recommendations. The evaluations and recommendations, if any, shall be
    coordinated with the Director of OMB. In addition, following the
    establishment of an initial operating capability in the year 2000, the
    National Coordinator shall conduct a zero-based review.
    Annex A: Structure and Organization
    Lead Agencies: Clear accountability within the U.S. Government must be
    designated for specific sectors and functions. The following assignments of
    responsibility will apply.
    Lead Agencies for Sector Liaison:
    Commerce Information and communications
    Treasury Banking and finance
    EPA Water supply
    Transportation Aviation Highways (including trucking and intelligent
    transportation systems) Mass transit Pipelines Rail Waterborne commerce
    Justice/FBI Emergency law enforcement services
    FEMA Emergency fire service Continuity of government services
    HHS Public health services, including prevention, surveillance, laboratory
    services and personal health services
    Energy Electric power Oil and gas production and storage
    Lead Agencies for Special Functions:
    Justice/FBI Law enforcement and internal security
    CIA Foreign intelligence
    State Foreign affairs
    Defense National defense
    In addition, OSTP shall be responsible for coordinating research and
    development agendas and programs for the government through the National
    Science and Technology Council. Furthermore, while Commerce is the lead
    agency for information and communication, the Department of Defense will
    retain its Executive Agent responsibilities for the National Communications
    System and support of the President's National Security Telecommunications
    Advisory Committee.
    National Coordinator: The National Coordinator for Security, Infrastructure
    Protection and Counter-Terrorism shall be responsible for coordinating the
    implementation of this directive. The National Coordinator will report to
    the President through the Assistant to the President for National Security
    Affairs. The National Coordinator will also participate as a full member of
    Deputies or Principals Committee meetings when they meet to consider
    infrastructure issues. Although the National Coordinator will not direct
    Departments and Agencies, he or she will ensure interagency coordination
    for policy development and implementation, and will review crisis
    activities concerning infrastructure events with significant foreign
    involvement. The National Coordinator will provide advice, in the context
    of the established annual budget process, regarding agency budgets for
    critical infrastructure protection. The National Coordinator will chair the
    Critical Infrastructure Coordination Group (CICG), reporting to the
    Deputies Committee (or, at the call of its chair, the Principals
    Committee). The Sector Liaison Officials and Special Function Coordinators
    shall attend the CICG's meetings. Departments and agencies shall each
    appoint to the CICG a senior official (Assistant Secretary level or higher)
    who will regularly attend its meetings. The National Security Advisor shall
    appoint a Senior Director for Infrastructure Protection on the NSC staff.
    A National Plan Coordination (NPC) staff will be contributed on a
    non-reimbursable basis by the departments and agencies, consistent with
    law. The NPC staff will integrate the various sector plans into a National
    Infrastructure Assurance Plan and coordinate analyses of the U.S.
    Government's own dependencies on critical infrastructures. The NPC staff
    will also help coordinate a national education and awareness program, and
    legislative and public affairs.
    The Defense Department shall continue to serve as Executive Agent for the
    Commission Transition Office, which will form the basis of the NPC, during
    the remainder of FY98. Beginning in FY99, the NPC shall be an office of the
    Commerce Department. The Office of Personnel Management shall provide the
    necessary assistance in facilitating the NPC's operations. The NPC will
    terminate at the end of FY01, unless extended by Presidential directive.
    Warning and Information Centers
    As part of a national warning and information sharing system, the President
    immediately authorizes the FBI to expand its current organization to a full
    scale National Infrastructure Protection Center (NIPC). This organization
    shall serve as a national critical infrastructure threat assessment,
    warning, vulnerability, and law enforcement investigation and response
    entity. During the initial period of six to twelve months, the President
    also directs the National Coordinator and the Sector Liaison Officials,
    working together with the Sector Coordinators, the Special Function
    Coordinators and representatives from the National Economic Council, as
    appropriate, to consult with owners and operators of the critical
    infrastructures to encourage the creation of a private sector sharing and
    analysis center, as described below.
    National Infrastructure Protection Center (NIPC): The NIPC will include
    FBI, USSS, and other investigators experienced in computer crimes and
    infrastructure protection, as well as representatives detailed from the
    Department of Defense, the Intelligence Community and Lead Agencies. It
    will be linked electronically to the rest of the Federal Government,
    including other warning and operations centers, as well as any private
    sector sharing and analysis centers. Its mission will include providing
    timely warnings of intentional threats, comprehensive analyses and law
    enforcement investigation and response.
    All executive departments and agencies shall cooperate with the NIPC and
    provide such assistance, information and advice that the NIPC may request,
    to the extent permitted by law. All executive departments shall also share
    with the NIPC information about threats and warning of attacks and about
    actual attacks on critical government and private sector infrastructures,
    to the extent permitted by law. The NIPC will include elements responsible
    for warning, analysis, computer investigation, coordinating emergency
    response, training, outreach and development and application of technical
    tools. In addition, it will establish its own relations directly with
    others in the private sector and with any information sharing and analysis
    entity that the private sector may create, such as the Information Sharing
    and Analysis Center described below.
    The NIPC, in conjunction with the information originating agency, will
    sanitize law enforcement and intelligence information for inclusion into
    analyses and reports that it will provide, in appropriate form, to relevant
    federal, state and local agencies; the relevant owners and operators of
    critical infrastructures; and to any private sector information sharing and
    analysis entity. Before disseminating national security or other
    information that originated from the intelligence community, the NIPC will
    coordinate fully with the intelligence community through existing
    procedures. Whether as sanitized or unsanitized reports, the NIPC will
    issue attack warnings or alerts to increases in threat condition to any
    private sector information sharing and analysis entity and to the owners
    and operators. These warnings may also include guidance regarding
    additional protection measures to be taken by owners and operators. Except
    in extreme emergencies, the NIPC shall coordinate with the National
    Coordinator before issuing public warnings of imminent attacks by
    international terrorists, foreign states or other malevolent foreign
    powers.
    The NIPC will provide a national focal point for gathering information on
    threats to the infrastructures. Additionally, the NIPC will provide the
    principal means of facilitating and coordinating the Federal Government's
    response to an incident, mitigating attacks, investigating threats and
    monitoring reconstitution efforts. Depending on the nature and level of a
    foreign threat/attack, protocols established between special function
    agencies (DOJ/DOD/CIA), and the ultimate decision of the President, the
    NIPC may be placed in a direct support role to either DOD or the
    Intelligence Community.
    Information Sharing and Analysis Center (ISAC): The National Coordinator,
    working with Sector Coordinators, Sector Liaison Officials and the National
    Economic Council, shall consult with owners and operators of the critical
    infrastructures to strongly encourage the creation of a private sector
    information sharing and analysis center. The actual design and functions of
    the center and its relation to the NIPC will be determined by the private
    sector, in consultation with and with assistance from the Federal
    Government. Within 180 days of this directive, the National Coordinator,
    with the assistance of the CICG including the National Economic Council,
    shall identify possible methods of providing federal assistance to
    facilitate the startup of an ISAC.
    Such a center could serve as the mechanism for gathering, analyzing,
    appropriately sanitizing and disseminating private sector information to
    both industry and the NIPC. The center could also gather, analyze and
    disseminate information from the NIPC for further distribution to the
    private sector. While crucial to a successful government-industry
    partnership, this mechanism for sharing important information about
    vulnerabilities, threats, intrusions and anomalies is not to interfere with
    direct information exchanges between companies and the government.
    As ultimately designed by private sector representatives, the ISAC may
    emulate particular aspects of such institutions as the Centers for Disease
    Control and Prevention that have proved highly effective, particularly its
    extensive interchanges with the private and non-federal sectors. Under such
    a model, the ISAC would possess a large degree of technical focus and
    expertise and non-regulatory and non-law enforcement missions. It would
    establish baseline statistics and patterns on the various infrastructures,
    become a clearinghouse for information within and among the various
    sectors, and provide a library for historical data to be used by the
    private sector and, as deemed appropriate by the ISAC, by the government.
    Critical to the success of such an institution would be its timeliness,
    accessibility, coordination, flexibility, utility and acceptability.
    Annex B: Additional Taskings
    Studies
    The National Coordinator shall commission studies on the following
    subjects:
    Liability issues arising from participation by private sector companies in
    the information sharing process.
    Existing legal impediments to information sharing, with an eye to proposals
    to remove these impediments, including through the drafting of model codes
    in cooperation with the American Legal Institute.
    The necessity of document and information classification and the impact of
    such classification on useful dissemination, as well as the methods and
    information systems by which threat and vulnerability information can be
    shared securely while avoiding disclosure or unacceptable risk of
    disclosure to those who will misuse it.
    The improved protection, including secure dissemination and information
    handling systems, of industry trade secrets and other confidential business
    data, law enforcement information and evidentiary material, classified
    national security information, unclassified material disclosing
    vulnerabilities of privately owned infrastructures and apparently innocuous
    information that, in the aggregate, it is unwise to disclose.
    The implications of sharing information with foreign entities where such
    sharing is deemed necessary to the security of United States
    infrastructures.
    The potential benefit to security standards of mandating, subsidizing, or
    otherwise assisting in the provision of insurance for selected critical
    infrastructure providers and requiring insurance tie-ins for foreign
    critical infrastructure providers hoping to do business with the United
    States.
    Public Outreach
    In order to foster a climate of enhanced public sensitivity to the problem
    of infrastructure protection, the following actions shall be taken:
    The White House, under the oversight of the National Coordinator, together
    with the relevant Cabinet agencies shall consider a series of conferences:
    (1) that will bring together national leaders in the public and private
    sectors to propose programs to increase the commitment to information
    security; (2) that convoke academic leaders from engineering, computer
    science, business and law schools to review the status of education in
    information security and will identify changes in the curricula and
    resources necessary to meet the national demand for professionals in this
    field; (3) on the issues around computer ethics as these relate to the K
    through 12 and general university populations.
    The National Academy of Sciences and the National Academy of Engineering
    shall consider a round table bringing together federal, state and local
    officials with industry and academic leaders to develop national strategies
    for enhancing infrastructure security.
    The intelligence community and law enforcement shall expand existing
    programs for briefing infrastructure owners and operators and senior
    government officials.
    The National Coordinator shall (1) establish a program for infrastructure
    assurance simulations involving senior public and private officials, the
    reports of which might be distributed as part of an awareness campaign; and
    (2) in coordination with the private sector, launch a continuing national
    awareness campaign, emphasizing improving infrastructure security.
    Internal Federal Government Actions
    In order for the Federal Government to improve its infrastructure security,
    these immediate steps shall be taken:
    The Department of Commerce, the General Services Administration, and the
    Department of Defense shall assist federal agencies in the implementation
    of best practices for information assurance within their individual
    agencies.
    The National Coordinator shall coordinate a review of existing federal,
    state and local bodies charged with information assurance tasks, and
    provide recommendations on how these institutions can cooperate most
    effectively.
    All federal agencies shall make clear designations regarding who may
    authorize access to their computer systems.
    The Intelligence Community shall elevate and formalize the priority for
    enhanced collection and analysis of information on the foreign
    cyber/information warfare threat to our critical infrastructure.
    The Federal Bureau of Investigation, the Secret Service and other
    appropriate agencies shall: (1) vigorously recruit undergraduate and
    graduate students with the relevant computer-related technical skills for
    full-time employment as well as for part-time work with regional computer
    crime squads; and (2) facilitate the hiring and retention of qualified
    personnel for technical analysis and investigation involving cyber attacks.
    The Department of Transportation, in consultation with the Department of
    Defense, shall undertake a thorough evaluation of the vulnerability of the
    national transportation infrastructure that relies on the Global
    Positioning System. This evaluation shall include sponsoring an
    independent, integrated assessment of risks to civilian users of GPS-based
    systems, with a view to basing decisions on the ultimate architecture of
    the modernized NAS on these evaluations.
    The Federal Aviation Administration shall develop and implement a
    comprehensive National Airspace System Security Program to protect the
    modernized NAS from information-based and other disruptions and attacks.
    GSA shall identify large procurements (such as the new Federal
    Telecommunications System, FTS 2000) related to infrastructure assurance,
    study whether the procurement process reflects the importance of
    infrastructure protection and propose, if necessary, revisions to the
    overall procurement process to do so.
    OMB shall direct federal agencies to include assigned infrastructure
    assurance functions within their Government Performance and Results Act
    strategic planning and performance measurement framework.
    The NSA, in accordance with its National Manager responsibilities in
    NSD-42, shall provide assessments encompassing examinations of U.S.
    Government systems to interception and exploitation; disseminate threat and
    vulnerability information; establish standards; conduct research and
    development; and conduct issue security product evaluations.
    Assisting the Private Sector
    In order to assist the private sector in achieving and maintaining
    infrastructure security:
    The National Coordinator and the National Infrastructure Assurance Council
    shall propose and develop ways to encourage private industry to perform
    periodic risk assessments of critical processes, including information and
    telecommunications systems.
    The Department of Commerce and the Department of Defense shall work
    together, in coordination with the private sector, to offer their expertise
    to private owners and operators of critical infrastructure to develop
    security-related best practice standards.
    The Department of Justice and Department of the Treasury shall sponsor a
    comprehensive study compiling demographics of computer crime, comparing
    state approaches to computer crime and developing ways of deterring and
    responding to computer crime by juveniles.
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:54:46 PDT