-Caveat Lector- from alt.conspiracy ----- As always, Caveat Lector. Om K ----- <A HREF="aol://5863:126/alt.conspiracy:482328">REPORT - HOW THE INTERNET IS BEING CONTROLLED</A> --[2]-- CRITICAL INFRASTRUCTURE PROTECTION IMPACT AREAS & COUNTER- RECOMMENDATIONS The PCCIP Report contains a number of proposals that could, if implemented, adversely affect the freedom of American citizens. Many of the proposals affecting the ability of Americans to engage in scientific and other research, as well as political and social discourse, without being subjected to government security controls, are a direct outgrowth of similar proposals advanced by President Reagan's NSDD-145. Privacy The PCCIP Report complains that because private sector employers do not have access to criminal history, financial, and employment information and also may incur tort liability for releasing adverse employment information to other employers, the private sector should be granted limited exemptions from these restrictions. The Report recommends that federal and state laws be amended to "balance employers' needs against individual interests in privacy." Such a recommendation is frightening in light of reports that companies are increasingly monitoring the communications of their employees. The degree to which companies may be required or encouraged to hand over the contents of such communications to the FBI's National Infrastructure Threat Center also poses significant civil liberties concerns. Many companies currently possess and use monitoring capabilities. A MacWorld survey revealed that 22 per cent of large companies "engaged in searches of employee computer files, voice mail, electronic mail, or other networking communications." Only one-third of these companies informed employees that such surveillance was taking place. A 1997 survey by the American Management Association showed that more than 35 per cent of employers use surveillance tactics such as reviewing e- mail, inspecting computer files, or eavesdropping on phone conversations. The Report also recommends that state legislators amend their privacy laws to require mere implied "consent" as authority for employers to request sensitive background information on employees or prospective employees. In addition, there is a recommendation that Congress amend the Employee Polygraph Protection Act to include information security personnel in the category of professions which can be required to be subjected to polygraph tests. Freedom of Information, Open Government, and Censorship The PCCIP Report recommends that the Critical Infrastructure Assurance Office (CIAO) established by PDD-63 require appropriate protection for specified private sector information. It, therefore, proposes to require that the Freedom of Information Act (FOIA) exemptions of paragraph b (3) be broadened to include "sensitive information" from the private sector. At a partially-open meeting of the Advisory Committee to PCCIP held on December 3, 1997, Steve Mitchell from the Justice Department called for a "cultural change" to take place over the next 15 to 20 years in order to deal with the information warfare threat. He called for FOIA exemptions under both Federal and state law for companies passing on proprietary information to government agencies. He also said state FOIAs, in particular, should be amended because they are often more liberal than the Federal law on opening up government documents and files to the public. Mitchell also called for some form of Federal Advisory Committee Act (FACA) relief for joint government-private sector boards and committees. He said this would permit sensitive but unclassified meetings to be closed to the public. Another aspect of information warfare involves censorship and disinformation. According to a report written for the Pentagon by SAIC, "widespread dissemination by the U.S. media and its independence vastly complicate military operations. Any information warfare strategy must taken into account the press or at least address its potential impact." Former NSA director and CIA deputy director Studeman stated that there should be a "rapid media reaction force" charged with disseminating propaganda to various media channels and outlets for "positive purposes". Studeman is currently the Vice President and Deputy General Manager of TRW's Systems and Information Technology Group, another contractor with a vested interest in critical infrastructure protection. Studeman also serves on the Board of Directors of Thiokol Corporation, formerly headed by PCCIP Commission Chairman Marsh. Congress should ensure that the FOIA and FACA are not amended in any way that would inhibit the public's right to access unclassified information held by the government, regardless of the information's origin. New Security Classification Category The PCCIP Report recommends that the CIAO classify new categories of information such as "aggregated" unclassified information. It also recommends that the President use his Executive Order fiat authority to require federal agencies to identify purposes for publishing certain information and "ensure the information is published in a format that minimizes the likelihood it will be used in ways that are incompatible with infrastructure assurance." Creating new classification categories and restricting the dissemination of certain unclassified information to the public was a cornerstone of NSDD-145 and was rejected by the Congress. In March 1997, the Commission on Protection and Reduction of Government Secrecy, headed by Senator Patrick Moynihan, concluded that there is too much classified information held by the federal government. Instead of calling for an expansion in the ability of federal agencies to classify information, as called for by the Marsh Commission, the Moynihan Commission recommended legislation to establish principles on what information can be classified, determine what information should not be classified, specify how long information should remain classified, and create a national declassification center to provide annual reports on the progress in declassifying government records. In April 1997, after the issuance of the Moynihan Commission report, President Clinton stated, "I think there is too much secrecy in the government and I think too many people have too much unfettered discretion just to declare documents secret." The actions taken by President Clinton and the PCCIP to facilitate the establishment of new categories of "unclassified sensitive" and "aggregated sensitive" information are clearly at variance with the President's own public comments on limiting government secrecy. The administration should institute policies that are designed to limit the ability of agencies to classify documents, not extend such authority as called for in the PCCIP Report. Internet Monitoring and Surveillance In its Information Warfare (Defense) Report to the Undersecretary of Defense, the Defense Science Board (DSB) calls current technology to monitor the National Information Infrastructure (NII) inadequate. The report recommends that an "investment" be made in developing a distributed monitoring and surveillance strategy for large scale networks. Large scale intelligence agency and law enforcement monitoring of the Internet is also suggested in the DSB report. Specifically, the report states "The Internet provides potential for access to rich repositories of open source information." It further states that there are constitutional impediments to using the Internet for espionage: "IC (Intelligence Community) access to the Internet raises difficult questions and serious concerns about conflicts between law enforcement, intelligence activities, and constitutional guarantees." In the debate over the mandatory use of escrowed encryption, the balance between government access to decrypted data and privacy rights - something the Clinton administration calls "equities" - always appeared to favor access over privacy rights. The DSB report seems to suggest that a similar "equity" situation exists with regard to espionage on the Internet. If past administration balances are considered, it would appear that intelligence and law enforcement espionage on the Internet outweighs the requirement to maintain constitutional guarantees. The Electronic Communications Privacy Act of 1986 should be strengthened to restrict massive government- led or government-inspired Internet surveillance in the name of "infrastructure assurance." Encryption The mandatory use of escrowed encryption/key recovery technology is an inherent part of the current critical infrastructure protection proposals. The PCCIP Report states that "establishment of trustworthy key management infrastructures (KMIs) is the only way to enable encryption on a large scale." Arguing for government access to encryption keys, the Report states, "key recovery is needed to provide business access to data when encryption keys are lost or maliciously misplaced, and court-authorized law enforcement access to the plain text of criminal-related communications and data lawfully seized." The Report also calls on the federal government to encourage efforts by commercial vendors to develop key recovery concepts and techniques. In a speech before several Fortune 500 company officials in late July 1998, Deputy Secretary of Defense John Hamre, a former member of the staff of Sam Nunn's Armed Services Committee, said, "I'd also ask American business not to make a campaign out of just trying to bust through export controls as though somehow there was a God-given, inherent right to send the strongest encryption to anybody in the world, no matter who they are . . . I don't agree with that. I will never agree with that." Linton Wells, Deputy Undersecretary of Defense for Policy Support, quoted Hamre as saying he would "use [the Pentagon's] purchasing power to leverage the use of key recovery cryptography" in the civil agency and private sectors. Wells reaffirmed this when he said that DOD was "putting its money where its mouth is by requiring private vendors to turn over to DOD the encryption key to software programs enabling access to companies' encryption codes in the event of an emergency." By using the DOD officials as the chief proponents for key recovery schemes, the administration seeks to bring the debate under such rubrics as "critical infrastructure protection" and "homeland defense." One sector of the infrastructure that the PCCIP spent time looking into is the emergency services sector (police, fire, emergency medical services). However, according to a U.S. Department of Commerce memorandum from William A. Reinsch, the Undersecretary of Commerce for Export Administration, because key escrow products have a significant performance flaw, police forces in the United States and abroad are reluctant to use such products. The Reinsch memo points out that "police forces are reluctant to use Îescrowed' encryption products (such as radios in patrol cars). They are more costly and less efficient than non-escrowed products. There can be long gaps in reception due to the escrow features - sometimes as long as a ten-second pause. Our own police do not use recoverable encryption products; they buy the same non-escrowable products used by their counterparts in Europe and Japan. Other government agencies may also reject key recovery -- for example, some U.S. exports were to support Allied government agencies with signals intelligence missions similar to NSA's." Consequently, according to Reinsch, the performance flaws caused by key escrow would place such technology in the category of a threat to the emergency services and intelligence warning sectors of the critical infrastructure and not as a safeguard. Therefore, the administration should reconsider the use of key escrow/recovery technology as a component of critical infrastructure protection. The Posse Comitatus Act Congress passed the Posse Comitatus Act of 1878 (20 Stat. 152 [18 USC 1385]) in order to curb the military's role in law enforcement in the South. The act, as amended, states: Whosoever, except in cases and under circumstances expressly authorized by the Constitution or Act of Congress, willfully uses any part of the Army or the Air Force as a posse comitatus or otherwise to execute the laws shall be fined not more than $10,000 or imprisoned not more than two years, or both. The DSB Report suggests that the Defense Department defend non- military computer systems. Such a suggestion runs afoul of both the Posse Comitatus Act and the Computer Security Act. The Report states: The SECDEF/DEPSECDEF should also task the General Counsel to propose legislation, regulation, or executive orders as may be needed to make clear the DOD role in defending non-DOD systems. This should specifically address the need for changes to the Computer Security Act, the capture of information on unidentified intruders (issue of intelligence collection on U.S. persons), the authority to conduct "hot pursuit" of intruders, and the ability to obtain reports from the operators of critical elements of the civil infrastructure. Congress should revisit the provisions of the Posse Comitatus Act and ensure that the U.S. military is not permitted to engage in unwarranted intrusions into the privacy of U.S. citizens, as it did during the 1970s in monitoring the lawful activities of anti- Vietnam War protesters. Senator Charles Grassley of Iowa, the chairman of Judiciary Subcommittee on Administrative Oversight and the Courts, should be supported in his efforts to enforce the provisions of Posse Comitatus. In early 1997, when Senator Grassley discovered U.S. Army Colonel John Ellis was serving as deputy chief of the FBI's Domestic Terrorism Planning Section, he said, "to the extent we allow a Colonel Ellis incident to succeed, it confirms the militarization of law enforcement." Grassley added, "there should be a clear line of demarcation between the military and law enforcement. And I'm incensed because the people at the FBI and Justice are too stupid to see that." Expanded Role for the FBI The FBI played a large role in critical infrastructure protection even before President Clinton signed PDD 62 and 63. It hosted two groups involved in infrastructure protection: the former CIITAC (Computer Investigation and Infrastructure Threat Assessment Center), and the interim Infrastructure Protection Task Force. Both were located at FBI headquarters. Of particular concern is the role the FBI has played in lobbying the legislative and judicial branches on its surveillance agenda. Such lobbying is reminiscent of that done by the NSA when it was trying to advance the agendas contained in NSDD-145 and stall the passage of the Computer Security Act. This resulted in a sharp rebuke from Representative Brooks who drew attention to the criminal provisions of Title 18, U.S.C. 1913. FBI Director Freeh's congressional lobbying efforts have been directed towards certain key members of the Senate, including Senators Phil Gramm, Orrin Hatch, Joseph Biden, Arlen Specter, and Patrick Leahy. During 1981, Freeh, while serving as an FBI special agent, helped Senator Sam Nunn's Permanent Subcommittee on Investigations. Not coincidentally, Nunn, both during his time as senator and as co-chair of the PCCIP Advisory Committee, became a strong proponent of the administration's critical infrastructure proposals. It is also reported that the FBI's Office of Public and Congressional Affairs has grown to 85 full-time positions, becoming "one of the most effective lobbying operations in Washington, public or private." Also troubling has been the FBI's lobbying directed at members of the federal judiciary. On July 15, 1998, Judge Royce Lamberth of the U.S. District Court for the District of Columbia and the chief judge of the secretive Foreign Intelligence Surveillance Court (FISC) -- the court empowered to grant the NSA and FBI authority to conduct domestic wiretaps in cases involving national security -- revealed that Freeh had been lobbying the judicial branch of the government for an international mandatory key recovery scheme. Freeh's lobbying efforts were conducted through the auspices of the Judicial Conference, the policy-making body for the Administrative Office of the US Courts. In one case, Freeh gave Lamberth and the six other members of the FISC a demonstration of what occurs when the FBI intercepts encrypted communications. Lamberth said he was also convinced of the government's claims that it "takes trillions of years [for the government] to break encryption." According to Lamberth, Freeh was accompanied in his judicial lobbying visit by General John Gordon, representing CIA director George Tenet, and NSA director Lt. Gen. Kenneth Minihan. The blueprint for the FBI's expanding powers can be found in Vice President Gore's National Performance Review, issued on September 7, 1993. In it, Gore proposed:... to integrate drug enforcement efforts of the DEA [Drug Enforcement Administration] and FBI. This will create savings in administrative and support functions such as laboratories, legal services, training facilities, and administration. Most important, the federal government will get a much more powerful weapon in its fight against crime. When this has been successfully accomplished, we will move toward combining the enforcement functions of the Bureau of Alcohol, Tobacco and Firearms (BATF) into the FBI . . .. In granting the FBI widened powers to protect the critical infrastructure, particularly computers and networks, it is important to reflect on a comment by Representative Robert Barr of Georgia, himself a former U.S. attorney. He stated, "Federal law enforcement power far outweighs accountability." In 1997, the FBI was armed with new guidelines to investigate U.S. citizens suspected of supporting foreign groups deemed by the Secretary of State to be involved in terrorism. One result of this was the FBI's proposed "Bay Area Counterterrorism Task Force," which would combine the resources of the FBI, the Immigration and Naturalization Service, and the San Francisco Police Department to investigate Bay Area organizations, even if there were no grounds to suspect criminal activity. The FBI's political surveillance efforts also conflict with San Francisco Police Department policy, which requires a special review before it can investigate crimes linked to political activity. According to a San Francisco Police Department memo, similar FBI programs exist in Chicago, Los Angeles, Boston, and Washington, D.C. The anxieties expressed by Senator Grassley and Representative Barr, as well as other legislators, should be transformed into legislation restricting the FBI, other law enforcement agencies, and intelligence agencies from engaging in domestic fishing expeditions aimed against U.S. citizens exercising their First Amendment rights. Antitrust The PCCIP Report recommends that the Department of Justice provide antitrust relief to certain private companies to enable them to jointly share information with the government. On July 15, 1998, an official of the NSA told Commerce Undersecretary Reinsch that NSA was trying to engage Microsoft and Intel in its critical infrastructure "solution" but did not want to run afoul of anti- trust laws. Promoting anti-trust relief in the name of protecting against nebulous futuristic information warfare threats appears to be a case of overreaction. Additionally, such anti-trust relief in an era of several mega-mergers between telecommunications giants calls into question the propriety of extending anti-trust exemptions to such a select group of corporations. Congress should ensure that anti-trust legislation is not weakened to facilitate infrastructure protection or information warfare initiatives. Liability The PCCIP Report recommends that the government examine liability relief for private corporations that share sensitive information with the federal government. This could include giving corporations immunity from law suits arising from invasions of employee and customer privacy, workplace-related injuries and sickness, environmental pollution, and internal fraud. Congress should enact legislation prohibiting the federal government from granting liability relief to companies that share sensitive information, where that sharing results in adverse employment actions being taken against individuals engaged in legal activities. National Security and Foreign Corporations The PCCIP Report recommends that the NSC establish standards for sharing critical infrastructure information with foreign corporations and the U.S. subsidiaries of foreign corporations. This places American-owned companies in a strategically better position to compete in the international marketplace and may be in violation of international free trade treaties to which the United States is a party. State Government Liability and Disclosure The PCCIP Report bemoans the fact that the number of diverse state laws complicates the maximization of information sharing with the federal government. It recommends that a study group be formed to re-draft state legislation to permit such information sharing. Chief targets of the federal government are the state privacy and freedom of information laws as well as numerous sectoral laws dealing with particular disclosures of confidential information, such as criminal justice records; bank records; credit information; employment records; library records; medical records; privileged communications with psychologists, clergymen, speech pathologists and audiologists, attorneys, accountants, and pharmacists; school records; and tax records. Federal attempts to curtail state privacy laws should be resisted by federal legislation prohibiting the federal government from pre- empting state privacy laws. In addition, some state laws permit access to documents held by organizations not covered by the Federal FOIA. Federal attempts to limit disclosures at the state level will further erode a citizen's right to access public information. This should also be addressed in new federal legislation. Government Certification and Deputizing of Information Security Personnel The PCCIP report recommends that the federal government - namely NSA, NIST, and the Department of Education - work with private industry to develop a training program for information assurance specialists. The DOD's Linton Wells spoke of a Pentagon plan to create a GI-Bill type program to train computer security professionals. The DSB Report suggests loaning DOD personnel to the civil government and private sector to improve infrastructure protections. The DSB also recommends that a "closed community" of experts of information warfare experts be established, and that a warning center be set up that would have the authority to mandate the reporting of all suspected intrusions and computer incidents affecting "DOD systems and networks" (now defined as any which could have an impact on the critical infrastructure). The PCCIP Report suggests providing monetary reward and payment- for-information programs to encourage on-line users to provide information on suspected computer crimes. Considering the fact that there already exists a number of professional certification programs in the private sector encompassing such disciplines as information systems security, internal auditing, data processing, computer programming, and network and system administration, proposals to create a virtual "cyber Stasi" of informants and federal deputies is offensive and should be deleted from all federal budget line items. . Bibliography Association for Computing Machinery, Codes, Keys and Conflicts: Issues in U.S. Crypto Policy (New York: ACM, 1994). James Bamford, The Puzzle Palace: A Report on NSA, America's Most Secret Agency (New York: Houghton Mifflin, 1982). George Brownell, The Origin and Development of the National Security Agency (Laguna Hills, CA: Aegean Park Press, 1981). David Burnham, The Rise of the Computer State (New York: Random Rouse, 1980). Commission on CIA Activities Within the United States, Report to the President (Washington, D.C.: U.S. Government Printing Office, June 1975). James Kirkatrick Davis, Spying on America: The FBI's Domestic Counter-Intelligence Program (New York: Praeger, 1992). Whitfield Diffie and Susan Landau, Privacy on the Line: The Politics of Wiretapping and Encryption, (Cambridge, Mass: MIT Press, 1998). Steve Dycus et al., National Security Law (New York: Little Brown and Company, 1990). EPIC, Open Government Archive [http://www.epic.org/open_gov/] EPIC, The 1994 Cryptography and Privacy Sourcebook (Washington, DC: EPIC 1994) EPIC, The 1995 Cryptography and Privacy Sourcebook (Washington, DC: EPIC 1995) EPIC, The 1996 Cryptography and Privacy Sourcebook (Washington, DC: EPIC 1996) EPIC, The 1997 Cryptography and Privacy Sourcebook (Washington, DC: EPIC 1997) EPIC, The 1998 Cryptography and Privacy Sourcebook (Washington, DC: EPIC 1998) Mike Frost and Michael Gratton, Spyworld: Inside the Canadian and American Intelligence Establishments (Toronto: Doubleday Canada, 1994). Lance J. Hoffman, ed., Security and Privacy in Computer Systems (Los Angeles: Melville Publishing, 1973). George F. Jelen, Information Security: An Elusive Goal (Cambridge, Mass: Harvard University Center for Information Policy Research, 1985). David Kahn, The Code-Breakers (New York, McMillan, 1967). Wayne Madsen, Handbook of Personal Data Protection (New York: MacMillan Publishers, 1992). National Research Council, Cryptography's Role in Securing the Information Society (Washington, D.C.: National Academy Press, 1996). National Research Council, Computers at Risk: Safe Computing in the Information Age (Washington, D.C.: National Academy Press, 1991). John M. Oseth, Regulating U.S. Intelligence Operations: A Study in Defining the National Interest (University of Kentucky Press, 1985). Harold Relyea, Evolution and Organization of Intelligence Activities in the United States (Laguna Hills, CA: Aegean Park Press). Jeffrey T. Richelson, The U.S. Intelligence Community, Cambridge, Mass: Ballinger, 1985). Marc Rotenberg, "Testimony on the Computer Security Act of 1987 and the Memorandum of Understanding Between the National Institute of Standards (NIST) and the National Security Agency ," Military and Civilian Control of Computer Security Issues (Washington, DC: Government Printing Office, 1989) Marc Rotenberg, "The Only Locksmith in Town: The NSA's Efforts to Control the Dissemination of Cryptography," Index on Censorship (January 1990) Bruce Schneier and David Banisar, The Electronic Privacy Papers (New York: John Wiley & Sons, 1997). Stansfield Turner, Secrecy and Democracy: The CIA in Transition (New York: Houghton Mifflin, 1985). Select Committee to Study Government Operations with Respect to Intelligence Activities, U.S. Senate. Final Reports and Hearings (Washington, D.C.:U.S. Government Printing Office, 1976). (Church Committee) Committee on Goverment Operations, U.S. House of Representatives, The Government's Classification of Private Ideas (Washington, D.C.: U.S. Goverment Printing Office, 1981). Committee on Goverment Operations, U.S. House of Representatives, Computer Security Act of 1987 (Washington, D.C.: U.S. Goverment Printing Office, 1987). Office of Technology Assessment, U.S. Cong., Defending Secrets, Sharing Data: New Locks and Keys for Electronic Information (Washington, D.C.: U.S. Government Printing Office, 1987). Office of Technology Assessment, U.S. Cong., Information Privacy and Security in Network Environments (Washington, D.C.: U.S. Government Printing Office, 1994). Appendix A: White Paper on PDD-63 WHITE PAPER The Clinton Administration's Policy on Critical Infrastructure Protection: Presidential Decision Directive 63 May 22, 1998 This White Paper explains key elements of the Clinton Administration's policy on critical infrastructure protection. It is intended for dissemination to all interested parties in both the private and public sectors. It will also be used in U.S. Government professional education institutions, such as the National Defense University and the National Foreign Affairs Training Center, for coursework and exercises on interagency practices and procedures. Wide dissemination of this unclassified White Paper is encouraged by all agencies of the U.S. Government. I. A Growing Potential Vulnerability The United States possesses both the world's strongest military and its largest national economy. Those two aspects of our power are mutually reinforcing and dependent. They are also increasingly reliant upon certain critical infrastructures and upon cyber-based information systems. Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government. They include, but are not limited to, telecommunications, energy, banking and finance, transportation, water systems and emergency services, both governmental and private. Many of the nation's critical infrastructures have historically been physically and logically separate systems that had little interdependence. As a result of advances in information technology and the necessity of improved efficiency, however, these infrastructures have become increasingly automated and interlinked. These same advances have created new vulnerabilities to equipment failures, human error, weather and other natural causes, and physical and cyber attacks. Addressing these vulnerabilities will necessarily require flexible, evolutionary approaches that span both the public and private sectors, and protect both domestic and international security. Because of our military strength, future enemies, whether nations, groups or individuals, may seek to harm us in non-traditional ways including attacks within the United States. Our economy is increasingly reliant upon interdependent and cyber-supported infrastructures and non-traditional attacks on our infrastructure and information systems may be capable of significantly harming both our military power and our economy. II. President's Intent It has long been the policy of the United States to assure the continuity and viability of critical infrastructures. President Clinton intends that the United States will take all necessary measures to swiftly eliminate any significant vulnerability to both physical and cyber attacks on our critical infrastructures, including especially our cyber systems. III. A National Goal No later than the year 2000, the United States shall have achieved an initial operating capability and no later than five years from the day the President signed Presidential Decision Directive 63 the United States shall have achieved and shall maintain the ability to protect our nation's critical infrastructures from intentional acts that would significantly diminish the abilities of: o the Federal Government to perform essential national security missions and to ensure the general public health and safety; o state and local governments to maintain order and to deliver minimum essential public services; o the private sector to ensure the orderly functioning of the economy and the delivery of essential telecommunications, energy, financial and transportation services. Any interruptions or manipulations of these critical functions must be brief, infrequent, manageable, geographically isolated and minimally detrimental to the welfare of the United States. IV. A Public-Private Partnership to Reduce Vulnerability Since the targets of attacks on our critical infrastructure would likely include both facilities in the economy and those in the government, the elimination of our potential vulnerability requires a closely coordinated effort of both the public and the private sector. To succeed, this partnership must be genuine, mutual and cooperative. In seeking to meet our national goal to eliminate the vulnerabilities of our critical infrastructure, therefore, the U.S. government should, to the extent feasible, seek to avoid outcomes that increase government regulation or expand unfunded government mandates to the private sector. For each of the major sectors of our economy that are vulnerable to infrastructure attack, the Federal Government will appoint from a designated Lead Agency a senior officer of that agency as the Sector Liaison Official to work with the private sector. Sector Liaison Officials, after discussions and coordination with private sector entities of their infrastructure sector, will identify a private sector counterpart (Sector Coordinator) to represent their sector. Together these two individuals and the departments and corporations they represent shall contribute to a sectoral National Infrastructure Assurance Plan by: o assessing the vulnerabilities of the sector to cyber or physical attacks; o recommending a plan to eliminate significant vulnerabilities; o proposing a system for identifying and preventing attempted major attacks; o developing a plan for alerting, containing and rebuffing an attack in progress and then, in coordination with FEMA as appropriate, rapidly reconstituting minimum essential capabilities in the aftermath of an attack. During the preparation of the sectoral plans, the National Coordinator (see section VI), in conjunction with the Lead Agency Sector Liaison Officials and a representative from the National Economic Council, shall ensure their overall coordination and the integration of the various sectoral plans, with a particular focus on interdependencies. V. Guidelines In addressing this potential vulnerability and the means of eliminating it, President Clinton wants those involved to be mindful of the following general principles and concerns. o We shall consult with, and seek input from, the Congress on approaches and programs to meet the objectives set forth in this directive. o The protection of our critical infrastructures is necessarily a shared responsibility and partnership between owners, operators and the government. Furthermore, the Federal Government shall encourage international cooperation to help manage this increasingly global problem. o Frequent assessments shall be made of our critical infrastructures' existing reliability, vulnerability and threat environment because, as technology and the nature of the threats to our critical infrastructures will continue to change rapidly, so must our protective measures and responses be robustly adaptive. o The incentives that the market provides are the first choice for addressing the problem of critical infrastructure protection; regulation will be used only in the face of a material failure of the market to protect the health, safety or well-being of the American people. In such cases, agencies shall identify and assess available alternatives to direct regulation, including providing economic incentives to encourage the desired behavior, or providing information upon which choices can be made by the private sector. These incentives, along with other actions, shall be designed to help harness the latest technologies, bring about global solutions to international problems, and enable private sector owners and operators to achieve and maintain the maximum feasible security. o The full authorities, capabilities and resources of the government, including law enforcement, regulation, foreign intelligence and defense preparedness shall be available, as appropriate, to ensure that critical infrastructure protection is achieved and maintained. o Care must be taken to respect privacy rights. Consumers and operators must have confidence that information will be handled accurately, confidentially and reliably. o The Federal Government shall, through its research, development and procurement, encourage the introduction of increasingly capable methods of infrastructure protection. o The Federal Government shall serve as a model to the private sector on how infrastructure assurance is best achieved and shall, to the extent feasible, distribute the results of its endeavors. o We must focus on preventative measures as well as threat and crisis management. To that end, private sector owners and operators should be encouraged to provide maximum feasible security for the infrastructures they control and to provide the government necessary information to assist them in that task. In order to engage the private sector fully, it is preferred that participation by owners and operators in a national infrastructure protection system be voluntary. o Close cooperation and coordination with state and local governments and first responders is essential for a robust and flexible infrastructure protection program. All critical infrastructure protection plans and actions shall take into consideration the needs, activities and responsibilities of state and local governments and first responders. VI. Structure and Organization The Federal Government will be organized for the purposes of this endeavor around four components (elaborated in Annex A). 1. Lead Agencies for Sector Liaison: For each infrastructure sector that could be a target for significant cyber or physical attacks, there will be a single U.S. Government department which will serve as the lead agency for liaison. Each Lead Agency will designate one individual of Assistant Secretary rank or higher to be the Sector Liaison Official for that area and to cooperate with the private sector representatives (Sector Coordinators) in addressing problems related to critical infrastructure protection and, in particular, in recommending components of the National Infrastructure Assurance Plan. Together, the Lead Agency and the private sector counterparts will develop and implement a Vulnerability Awareness and Education Program for their sector. 2. Lead Agencies for Special Functions: There are, in addition, certain functions related to critical infrastructure protection that must be chiefly performed by the Federal Government (national defense, foreign affairs, intelligence, law enforcement). For each of those special functions, there shall be a Lead Agency which will be responsible for coordinating all of the activities of the United States Government in that area. Each lead agency will appoint a senior officer of Assistant Secretary rank or higher to serve as the Functional Coordinator for that function for the Federal Government. 3. Interagency Coordination: The Sector Liaison Officials and Functional Coordinators of the Lead Agencies, as well as representatives from other relevant departments and agencies, including the National Economic Council, will meet to coordinate the implementation of this directive under the auspices of a Critical Infrastructure Coordination Group (CICG), chaired by the National Coordinator for Security, Infrastructure Protection and Counter-Terrorism. The National Coordinator will be appointed by and report to the President through the Assistant to the President for National Security Affairs, who shall assure appropriate coordination with the Assistant to the President for Economic Affairs. Agency representatives to the CICG should be at a senior policy level (Assistant Secretary or higher). Where appropriate, the CICG will be assisted by extant policy structures, such as the Security Policy Board, Security Policy Forum and the National Security and Telecommunications and Information System Security Committee. 4. National Infrastructure Assurance Council: On the recommendation of the Lead Agencies, the National Economic Council and the National Coordinator, the President will appoint a panel of major infrastructure providers and state and local government officials to serve as the National Infrastructure Assurance Council. The President will appoint the Chairman. The National Coordinator will serve as the Council's Executive Director. The National Infrastructure Assurance Council will meet periodically to enhance the partnership of the public and private sectors in protecting our critical infrastructures and will provide reports to the President as appropriate. Senior Federal Government officials will participate in the meetings of the National Infrastructure Assurance Council as appropriate. VII. Protecting Federal Government Critical Infrastructures Every department and agency of the Federal Government shall be responsible for protecting its own critical infrastructure, especially its cyber-based systems. Every department and agency Chief Information Officer (CIO) shall be responsible for information assurance. Every department and agency shall appoint a Chief Infrastructure Assurance Officer (CIAO) who shall be responsible for the protection of all of the other aspects of that department's critical infrastructure. The CIO may be double-hatted as the CIAO at the discretion of the individual department. These officials shall establish procedures for obtaining expedient and valid authorizations to allow vulnerability assessments to be performed on government computer and physical systems. The Department of Justice shall establish legal guidelines for providing for such authorizations. No later than 180 days from issuance of this directive, every department and agency shall develop a plan for protecting its own critical infrastructure, including but not limited to its cyber- based systems. The National Coordinator shall be responsible for coordinating analyses required by the departments and agencies of inter-governmental dependencies and the mitigation of those dependencies. The Critical Infrastructure Coordination Group (CICG) shall sponsor an expert review process for those plans. No later than two years from today, those plans shall have been implemented and shall be updated every two years. In meeting this schedule, the Federal Government shall present a model to the private sector on how best to protect critical infrastructure. VIII. Tasks Within 180 days, the Principals Committee should submit to the President a schedule for completion of a National Infrastructure Assurance Plan with milestones for accomplishing the following subordinate and related tasks. 1. Vulnerability Analyses: For each sector of the economy and each sector of the government that might be a target of infrastructure attack intended to significantly damage the United States, there shall be an initial vulnerability assessment, followed by periodic updates. As appropriate, these assessments shall also include the determination of the minimum essential infrastructure in each sector. 2. Remedial Plan: Based upon the vulnerability assessment, there shall be a recommended remedial plan. The plan shall identify timelines for implementation, responsibilities and funding. 3. Warning: A national center to warn of significant infrastructure attacks will be established immediately (see Annex A). As soon thereafter as possible, we will put in place an enhanced system for detecting and analyzing such attacks, with maximum possible participation of the private sector. 4. Response: A system for responding to a significant infrastructure attack while it is underway, with the goal of isolating and minimizing damage. 5. Reconstitution: For varying levels of successful infrastructure attacks, we shall have a system to reconstitute minimum required capabilities rapidly. 6. Education and Awareness: There shall be Vulnerability Awareness and Education Programs within both the government and the private sector to sensitize people regarding the importance of security and to train them in security standards, particularly regarding cyber systems. 7. Research and Development: Federally-sponsored research and development in support of infrastructure protection shall be coordinated, be subject to multi-year planning, take into account private sector research, and be adequately funded to minimize our vulnerabilities on a rapid but achievable timetable. 8. Intelligence: The Intelligence Community shall develop and implement a plan for enhancing collection and analysis of the foreign threat to our national infrastructure, to include but not be limited to the foreign cyber/information warfare threat. 9. International Cooperation: There shall be a plan to expand cooperation on critical infrastructure protection with like-minded and friendly nations, international organizations and multinational corporations. 10. Legislative and Budgetary Requirements: There shall be an evaluation of the executive branch's legislative authorities and budgetary priorities regarding critical infrastructure, and ameliorative recommendations shall be made to the President as necessary. The evaluations and recommendations, if any, shall be coordinated with the Director of OMB. The CICG shall also review and schedule the taskings listed in Annex B. IX. Implementation In addition to the 180-day report, the National Coordinator, working with the National Economic Council, shall provide an annual report on the implementation of this directive to the President and the heads of departments and agencies, through the Assistant to the President for National Security Affairs. The report should include an updated threat assessment, a status report on achieving the milestones identified for the National Plan and additional policy, legislative and budgetary recommendations. The evaluations and recommendations, if any, shall be coordinated with the Director of OMB. In addition, following the establishment of an initial operating capability in the year 2000, the National Coordinator shall conduct a zero-based review. Annex A: Structure and Organization Lead Agencies: Clear accountability within the U.S. Government must be designated for specific sectors and functions. The following assignments of responsibility will apply. Lead Agencies for Sector Liaison: Commerce -- Information and communications Treasury -- Banking and finance EPA -- Water supply Transportation -- Aviation, Highways (including trucking and intelligent transportation systems), Mass transit, Pipelines, Rail, Waterborne commerce Justice/FBI -- Emergency law enforcement services FEMA -- Emergency fire service Continuity of government services HHS -- Public health services, including prevention, surveillance, laboratory services and personal health services Energy -- Electric power, Oil and gas production and storage Lead Agencies for Special Functions: Justice/FBI -- Law enforcement and internal security CIA -- Foreign intelligence State -- Foreign affairs Defense -- National defense In addition, OSTP shall be responsible for coordinating research and development agendas and programs for the government through the National Science and Technology Council. Furthermore, while Commerce is the lead agency for information and communication, the Department of Defense will retain its Executive Agent responsibilities for the National Communications System and support of the President's National Security Telecommunications Advisory Committee. National Coordinator: The National Coordinator for Security, Infrastructure Protection and Counter-Terrorism shall be responsible for coordinating the implementation of this directive. The National Coordinator will report to the President through the Assistant to the President for National Security Affairs. The National Coordinator will also participate as a full member of Deputies or Principals Committee meetings when they meet to consider infrastructure issues. Although the National Coordinator will not direct Departments and Agencies, he or she will ensure interagency coordination for policy development and implementation, and will review crisis activities concerning infrastructure events with significant foreign involvement. The National Coordinator will provide advice, in the context of the established annual budget process, regarding agency budgets for critical infrastructure protection. The National Coordinator will chair the Critical Infrastructure Coordination Group (CICG), reporting to the Deputies Committee (or, at the call of its chair, the Principals Committee). The Sector Liaison Officials and Special Function Coordinators shall attend the CICG's meetings. Departments and agencies shall each appoint to the CICG a senior official (Assistant Secretary level or higher) who will regularly attend its meetings. The National Security Advisor shall appoint a Senior Director for Infrastructure Protection on the NSC staff. A National Plan Coordination (NPC) staff will be contributed on a non-reimbursable basis by the departments and agencies, consistent with law. The NPC staff will integrate the various sector plans into a National Infrastructure Assurance Plan and coordinate analyses of the U.S. Government's own dependencies on critical infrastructures. The NPC staff will also help coordinate a national education and awareness program, and legislative and public affairs. The Defense Department shall continue to serve as Executive Agent for the Commission Transition Office, which will form the basis of the NPC, during the remainder of FY98. Beginning in FY99, the NPC shall be an office of the Commerce Department. The Office of Personnel Management shall provide the necessary assistance in facilitating the NPC's operations. The NPC will terminate at the end of FY01, unless extended by Presidential directive. Warning and Information Centers As part of a national warning and information sharing system, the President immediately authorizes the FBI to expand its current organization to a full scale National Infrastructure Protection Center (NIPC). This organization shall serve as a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity. During the initial period of six to twelve months, the President also directs the National Coordinator and the Sector Liaison Officials, working together with the Sector Coordinators, the Special Function Coordinators and representatives from the National Economic Council, as appropriate, to consult with owners and operators of the critical infrastructures to encourage the creation of a private sector sharing and analysis center, as described below. National Infrastructure Protection Center (NIPC): The NIPC will include FBI, USSS, and other investigators experienced in computer crimes and infrastructure protection, as well as representatives detailed from the Department of Defense, the Intelligence Community and Lead Agencies. It will be linked electronically to the rest of the Federal Government, including other warning and operations centers, as well as any private sector sharing and analysis centers. Its mission will include providing timely warnings of intentional threats, comprehensive analyses and law enforcement investigation and response. All executive departments and agencies shall cooperate with the NIPC and provide such assistance, information and advice that the NIPC may request, to the extent permitted by law. All executive departments shall also share with the NIPC information about threats and warning of attacks and about actual attacks on critical government and private sector infrastructures, to the extent permitted by law. The NIPC will include elements responsible for warning, analysis, computer investigation, coordinating emergency response, training, outreach and development and application of technical tools. In addition, it will establish its own relations directly with others in the private sector and with any information sharing and analysis entity that the private sector may create, such as the Information Sharing and Analysis Center described below. The NIPC, in conjunction with the information originating agency, will sanitize law enforcement and intelligence information for inclusion into analyses and reports that it will provide, in appropriate form, to relevant federal, state and local agencies; the relevant owners and operators of critical infrastructures; and to any private sector information sharing and analysis entity. Before disseminating national security or other information that originated from the intelligence community, the NIPC will coordinate fully with the intelligence community through existing procedures. Whether as sanitized or unsanitized reports, the NIPC will issue attack warnings or alerts to increases in threat condition to any private sector information sharing and analysis entity and to the owners and operators. These warnings may also include guidance regarding additional protection measures to be taken by owners and operators. Except in extreme emergencies, the NIPC shall coordinate with the National Coordinator before issuing public warnings of imminent attacks by international terrorists, foreign states or other malevolent foreign powers. The NIPC will provide a national focal point for gathering information on threats to the infrastructures. Additionally, the NIPC will provide the principal means of facilitating and coordinating the Federal Government's response to an incident, mitigating attacks, investigating threats and monitoring reconstitution efforts. Depending on the nature and level of a foreign threat/attack, protocols established between special function agencies (DOJ/DOD/CIA), and the ultimate decision of the President, the NIPC may be placed in a direct support role to either DOD or the Intelligence Community. Information Sharing and Analysis Center (ISAC): The National Coordinator, working with Sector Coordinators, Sector Liaison Officials and the National Economic Council, shall consult with owners and operators of the critical infrastructures to strongly encourage the creation of a private sector information sharing and analysis center. The actual design and functions of the center and its relation to the NIPC will be determined by the private sector, in consultation with and with assistance from the Federal Government. Within 180 days of this directive, the National Coordinator, with the assistance of the CICG including the National Economic Council, shall identify possible methods of providing federal assistance to facilitate the startup of an ISAC. Such a center could serve as the mechanism for gathering, analyzing, appropriately sanitizing and disseminating private sector information to both industry and the NIPC. The center could also gather, analyze and disseminate information from the NIPC for further distribution to the private sector. While crucial to a successful government-industry partnership, this mechanism for sharing important information about vulnerabilities, threats, intrusions and anomalies is not to interfere with direct information exchanges between companies and the government. As ultimately designed by private sector representatives, the ISAC may emulate particular aspects of such institutions as the Centers for Disease Control and Prevention that have proved highly effective, particularly its extensive interchanges with the private and non-federal sectors. Under such a model, the ISAC would possess a large degree of technical focus and expertise and non-regulatory and non-law enforcement missions. It would establish baseline statistics and patterns on the various infrastructures, become a clearinghouse for information within and among the various sectors, and provide a library for historical data to be used by the private sector and, as deemed appropriate by the ISAC, by the government. Critical to the success of such an institution would be its timeliness, accessibility, coordination, flexibility, utility and acceptability. Annex B: Additional Taskings Studies The National Coordinator shall commission studies on the following subjects: o Liability issues arising from participation by private sector companies in the information sharing process. o Existing legal impediments to information sharing, with an eye to proposals to remove these impediments, including through the drafting of model codes in cooperation with the American Legal Institute. o The necessity of document and information classification and the impact of such classification on useful dissemination, as well as the methods and information systems by which threat and vulnerability information can be shared securely while avoiding disclosure or unacceptable risk of disclosure to those who will misuse it. o The improved protection, including secure dissemination and information handling systems, of industry trade secrets and other confidential business data, law enforcement information and evidentiary material, classified national security information, unclassified material disclosing vulnerabilities of privately owned infrastructures and apparently innocuous information that, in the aggregate, it is unwise to disclose. o The implications of sharing information with foreign entities where such sharing is deemed necessary to the security of United States infrastructures. o The potential benefit to security standards of mandating, subsidizing, or otherwise assisting in the provision of insurance for selected critical infrastructure providers and requiring insurance tie-ins for foreign critical infrastructure providers hoping to do business with the United States. Public Outreach In order to foster a climate of enhanced public sensitivity to the problem of infrastructure protection, the following actions shall be taken: o The White House, under the oversight of the National Coordinator, together with the relevant Cabinet agencies shall consider a series of conferences: (1) that will bring together national leaders in the public and private sectors to propose programs to increase the commitment to information security; (2) that convoke academic leaders from engineering, computer science, business and law schools to review the status of education in information security and will identify changes in the curricula and resources necessary to meet the national demand for professionals in this field; (3) on the issues around computer ethics as these relate to the K through 12 and general university populations. o The National Academy of Sciences and the National Academy of Engineering shall consider a round table bringing together federal, state and local officials with industry and academic leaders to develop national strategies for enhancing infrastructure security. o The intelligence community and law enforcement shall expand existing programs for briefing infrastructure owners and operators and senior government officials. o The National Coordinator shall (1) establish a program for infrastructure assurance simulations involving senior public and private officials, the reports of which might be distributed as part of an awareness campaign; and (2) in coordination with the private sector, launch a continuing national awareness campaign, emphasizing improving infrastructure security. Internal Federal Government Actions In order for the Federal Government to improve its infrastructure security, these immediate steps shall be taken: o The Department of Commerce, the General Services Administration, and the Department of Defense shall assist federal agencies in the implementation of best practices for information assurance within their individual agencies. o The National Coordinator shall coordinate a review of existing federal, state and local bodies charged with information assurance tasks, and provide recommendations on how these institutions can cooperate most effectively. o All federal agencies shall make clear designations regarding who may authorize access to their computer systems. o The Intelligence Community shall elevate and formalize the priority for enhanced collection and analysis of information on the foreign cyber/information warfare threat to our critical infrastructure. o The Federal Bureau of Investigation, the Secret Service and other appropriate agencies shall: (1) vigorously recruit undergraduate and graduate students with the relevant computer- related technical skills for full-time employment as well as for part-time work with regional computer crime squads; and (2) facilitate the hiring and retention of qualified personnel for technical analysis and investigation involving cyber attacks. o The Department of Transportation, in consultation with the Department of Defense, shall undertake a thorough evaluation of the vulnerability of the national transportation infrastructure that relies on the Global Positioning System. This evaluation shall include sponsoring an independent, integrated assessment of risks to civilian users of GPS-based systems, with a view to basing decisions on the ultimate architecture of the modernized NAS on these evaluations. o The Federal Aviation Administration shall develop and implement a comprehensive National Airspace System Security Program to protect the modernized NAS from information-based and other disruptions and attacks. o GSA shall identify large procurements (such as the new Federal Telecommunications System, FTS 2000) related to infrastructure assurance, study whether the procurement process reflects the importance of infrastructure protection and propose, if necessary, revisions to the overall procurement process to do so. o OMB shall direct federal agencies to include assigned infrastructure assurance functions within their Government Performance and Results Act strategic planning and performance measurement framework. o The NSA, in accordance with its National Manager responsibilities in NSD-42, shall provide assessments encompassing examinations of U.S. Government systems to interception and exploitation; disseminate threat and vulnerability information; establish standards; conduct research and development; and conduct issue security product evaluations. Assisting the Private Sector In order to assist the private sector in achieving and maintaining infrastructure security: o The National Coordinator and the National Infrastructure Assurance Council shall propose and develop ways to encourage private industry to perform periodic risk assessments of critical processes, including information and telecommunications systems. o The Department of Commerce and the Department of Defense shall work together, in coordination with the private sector, to offer their expertise to private owners and operators of critical infrastructure to develop security-related best practice standards. o The Department of Justice and Department of the Treasury shall sponsor a comprehensive study compiling demographics of computer crime, comparing state approaches to computer crime and developing ways of deterring and responding to computer crime by juveniles. --[cont]-- Aloha, He'Ping, Om, Shalom, Salaam. Em Hotep, Peace Be, Omnia Bona Bonis, All My Relations. Adieu, Adios, Aloha. Amen. Roads End Kris DECLARATION & DISCLAIMER ========== CTRL is a discussion and informational exchange list. Proselyzting propagandic screeds are not allowed. Substance—not soapboxing! These are sordid matters and 'conspiracy theory', with its many half-truths, misdirections and outright frauds is used politically by different groups with major and minor effects spread throughout the spectrum of time and thought. That being said, CTRL gives no endorsement to the validity of posts, and always suggests to readers; be wary of what you read. CTRL gives no credeence to Holocaust denial and nazi's need not apply. Let us please be civil and as always, Caveat Lector. ======================================================================== Archives Available at: http://home.ease.lsoft.com/archives/CTRL.html http:[EMAIL PROTECTED]/ ======================================================================== To subscribe to Conspiracy Theory Research List[CTRL] send email: SUBSCRIBE CTRL [to:] [EMAIL PROTECTED] To UNsubscribe to Conspiracy Theory Research List[CTRL] send email: SIGNOFF CTRL [to:] [EMAIL PROTECTED] Om