Download Locations

• National Council for Science and the Environment

Summary

The nation's health, wealth, and security rely on the supply and distribution of certain goods and services. The array of physical assets, processes and organizations across which these goods and services move are called critical infrastructures (e.g. electricity, the power plants that generate it, and the electric grid upon which it is distributed or financial capital, the institutions that manage it, and the record- keeping and communications that move it from one institution to another). Computers and communications, themselves critical infrastructures, are increasingly tying these infrastructures together. There is concern that this reliance on computers and computer networks makes the nation's critical infrastructures vulnerable to ''cyber'' attacks. In May 1998, the President released Presidential Decision Directive No. 63. The Directive sets up groups within the federal government to develop and implement plans that would protect government-operated infrastructures and calls for a dialogue between government and the private sector to develop a National Infrastructure Assurance Plan that would protect the nation's critical infrastructures by the year 2003. PDD-63 identified 12 areas critical to the functioning of the country: information and communications; banking and finance; water supply; transportation; emergency law enforcement; emergency fire service; emergency medicine; electric power, oil, and gas supply and distribution; law enforcement and internal security; intelligence; foreign affairs; and national defense. The Directive assigned a lead agency to each sector to coordinate efforts at protecting the infrastructure upon which each of these areas depend. Where private operators are involved, the lead agency is responsible for identifying private sector coordinators with whom to work to develop a National Plan. The Directive ultimately envisions a national early warning and response capability, where cyber attacks can be detected, warnings issued, and responses coordinated (dubbed FIDNET). It calls for the private sector to set up Information Sharing and Analysis Centers that would allow them to participate in this national effort. The Directive also requires a number of key federal agencies to submit their own internal assurance plans. On January 7, 2000 the Administration released Version 1.0 of its National Plan. It also announced its FY2001 budget proposals related to critical infrastructure. Total spending requested for critical infrastructure protection would be $2.03 billion. This includes: $25 million to set up a Federal Cyber Services Training and Education program; $5 million to establish a permanent expert review team within NIST to review agencies's internal plans; $10 million to begin designing a Federal Intrusion Detection Network; and $621 million for research and development plus $50 million to establish an Institute for Information Infrastructure Protection. PDD-63 and its implementation raise a number of issues. Among them is the ability and willingness of the private sector to cooperate with the federal government in sharing information. To what extent will the federal government get involved in the monitoring of privately operated infrastructures and what are the privacy implications? There are also legal issues associated with information sharing between agencies and between firms. Costs are also unknown at this time.

XML