The No. 1 lesson taught in kindergarten is now being taught to government and industry leaders — share. They have been about as reluctant to comply as a 5-year-old with a favorite toy, but that may soon change.
President Bill Clinton is about to announce significant budget increases he would like to be given to facilitate a presidential directive issued last year.
Over 60 experts from private industry and federal agencies met at the White House Conference Center last week to find ways to share information to safe-guard the nation’s vital computer systems. Government and industry have not previously been eager to share each other’s secrets, but their survival may necessitate cooperation.
President Clinton signed Presidential Decision Directive 63 May 22, 1998. That document is so secret that it has not been made available to the public — in any form. The only information about it comes from a summary that was issued.
PDD 63 deals with protecting the nation’s critical infrastructures, particularly computer information systems that the government depends on. The visible effect of PDD 63 has been the creation of the Critical Infrastructure Assurance Office. That new agency is hard at work to prevent disruption of the nation’s critical computer services.
Interestingly, the government acronym for Critical Infrastructure Assurance Office is CIAO, pronounced “chow,” which is the Italian word for goodbye.
“Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government. They include, but are not limited to, telecommunications, energy, banking and finance, transportation, water systems and emergency services, both governmental and private,” states a report entitled “The Clinton Administration’s Policy on Critical Infrastructure Protection: Presidential Decision Directive 63.”
The report explains that many of the nation’s critical infrastructures previously have not been interdependent. Advances in information technology and the necessity of improved efficiency, have linked many public and private systems.
“These same advances have created new vulnerabilities to equipment failures, human error, weather and other natural causes, and physical and cyber attacks,” warns the PDD 63 report.
“Because of our military strength, future enemies, whether nations, groups, or individuals, may seek to harm us in non-traditional ways including attacks within the United States. Our economy is increasingly reliant upon interdependent and cyber-supported infrastructures and non-traditional attacks on our infrastructure and information systems may be capable of significantly harming both our military power and our economy,” the report claims.
The year 2000 is the deadline established by PDD 63 to achieve and maintain the ability to protect the nation’s critical infrastructures. Foreign terrorists, domestic terrorists, computer hackers, natural disasters, or the Y2K computer bug all pose a significant threat to industry and government.
The task of protecting the nation’s cyber systems does not fall only on CIAO. PDD 63 clearly requires every department and agency of the federal government to be responsible for its own critical infrastructure, with special emphasis on cyber based systems. Each department is under mandate to appoint an internal chief infrastructure assurance officer.
“These officials shall establish procedures for obtaining expedient and valid authorizations to allow vulnerability assessments to be performed on government computer and physical systems. The Department of Justice shall establish legal guidelines for providing for such authorizations,” the PDD 63 report states.
The meeting last week brought together private industry executives and government bureaucrats for the formation of another new bureaucracy, the Information Sharing and Assessment Center.
“This was very much a very important step in advancing what the president had signed and announced last May, PDD 63,” explained Jeffrey Hunker, director of CIAO, “which basically gave the message and the marching orders to the federal government, and more importantly as part of national policy that we take the threat of attacks, whether they’re coming from organized crime, terrorist groups, or from nations that are inimical to U.S. interests, attacks against computer systems and information systems more broadly.”
The nation’s computer systems were not generally designed with a built-in defense system to protect them from cyber attack. Most of the present systems are in the control of private industry, placing them just out of the reach of government control.
Hunker would not comment on specific terrorist threats, but he made it clear that computer systems are becoming increasingly vulnerable to intrusion and disruption. He says evidence shows that there are now many nations and terrorist groups that are preparing to use information attacks as the next theater of operations.
“With an increasingly information based economy you don’t need to have a car bomb to disrupt America’s economy and effect our ability to maintain our national security posture,” said Hunker in an exclusive interview with WorldNetDaily. He says modern terrorists are becoming far more sophisticated.
“I can tell you that the threat is real. It’s evolving. To a great extent it’s not the sort of activity that we have publicly seen so far,” he explained.
He pointed out the publicized case of computer hackers getting into Air Force computer systems. At first government officials thought it was only the Air Force computers, but later learned that all the armed services were attacked.
“The Air Force was the only service that had installed intrusion detection monitoring technologies on to their systems. The other systems didn’t know it because they didn’t have the technologies in place,” explained Hunker.
“We’re not talking about teen-age hackers here. We’re talking about organized, systematic attacks to achieve political or major economic objectives. There are people out there who are developing those capabilities. It’s an issue for the private sector, and it’s an issue for the government, but it’s predominantly an issue for the private sector because frankly the private sector is where most of these critical infrastructures can be found,” he said.
Getting private industry to share information that was previously kept secret is not an easy task. The primary concerns deal with the liability companies face if they share information which then results in economic harm to another company. It may also mean sharing information that would give a competitor an advantage.
“This may require legislation to provide guarantees to the private sector that if they’re going to be sharing information with the federal government about intrusions into, or threats to their information systems, that that information is going to be protected and the confidentiality of business proprietary information is going to be maintained,” explained Hunker.
Sharing is something that requires action from all parties. Hunker says he is working hard to get federal agencies to recognize the need to share government information with private industry.
“We’re going to have information about threats or intrusions that may be very relevant to the private sector. Our real goal was to say we need a mechanism for being able to provide information to the private sector about what the federal government knows through intelligence and law enforcement that may be relevant to industry. We don’t have a mechanism for doing that right now,” explained Hunker of the need for the ISAC.
“Over time we’d like to see a reciprocal flow of information. We understand very clearly, there is a tremendous resistance on the part of a large part of corporate America,” he acknowledged.
That resistance may be from a lack of trust in government, and particularly with the law enforcement arms of government. Law enforcement agencies have not placed much priority on cyber crimes, and they have not had officers who are trained to deal with such crimes and threats to business and government.
Hunker says he hopes both sides will learn to trust each other as the ISAC is implemented. The primary purpose for information sharing will be to detect patterns of attacks, which would go undetected if companies did not make them known.
The president’s budget, to be announced in the State of the Union
address, will have increased research and development money, a program
to increase the number of people who will be trained in information
systems security, and the development of intrusion detection monitoring
systems for the federal government.
David M. Bresnahan, a contributing editor for WorldNetDaily.com, is the author of “Cover Up: The Art and Science of Political Deception,” and offers a monthly newsletter “Talk USA Investigative Reports.”
He may be reached through email and also maintains a website.