Download Locations

• U.S. Department of State

Summary

The nation's health, wealth, and security rely on the production and distribution of certain goods and services. The array of physical assets, processes and organizations across which these goods and services move are called critical infrastructures (e.g. electricity, the power plants that generate it, and the electric grid upon which it is distributed). Computers and communications, themselves critical infrastructures, are increasingly tying these infrastructures together. There is concern that this reliance on computers and computer networks raises the vulnerability of the nation's critical infrastructures to "cyber" attacks. In May 1998, President Clinton released Presidential Decision Directive No. 63. The Directive set up groups within the federal government to develop and implement plans that would protect government-operated infrastructures and called for a dialogue between government and the private sector to develop a National Infrastructure Assurance Plan that would protect all of the nation's critical infrastructures by the year 2003. While the Directive called for both physical and cyber protection from both man-made and natural events, implementation focused on cyber protection against man-made cyber events (i.e. computer hackers). Those advocating the need for greater cyber security felt that this was a new vulnerability not fully appreciated by system owners and operators in either the private or public sectors. However, given the impact of the September 11 attacks on the communications, finance, and transportation infrastructures, physical protections of critical infrastructures may receive more attention. PDD-63 was a Clinton Administration policy document. Following the events of September 11, the Bush Administration released two relevant Executive Orders (EOs). EO 13228, signed October 8, 2001 established the Office of Homeland Security. Among its duties, the Office shall "coordinate efforts to protect the United States and its critical infrastructure from the consequences of terrorist attacks." EO 13231, signed October 16, stated the Bush Administration's policy and objectives for critical infrastructure protection. These are similar to those stated in PDD-63 and assumes continuation of many PDD-63 activities. E.O. 13231, however, specifically focuses on information systems. E.O. 13231 also established the President's Critical Infrastructure Protection Board. The mission of the Board is to "recommend and coordinate programs for protecting information systems for critical infrastructures." Prior to September 11, Congressional interest in critical infrastructure protection also focused on cyber security. Legislation was passed in 2000 to improve agencies' account ability for securing their computer systems. This year, as part of the antiterrorism legislation, Congress expanded the ability of federal agents to track computer hackers. Bills have also been introduced to facilitate the sharing of information between government and industry. Congressional interest in the physical protection of critical infrastructures has increased as a result of September 11. Bills have been introduced to increase the physical protections at airports, nuclear plants, dams, ports, and water supplies. Increased cyber and physical security raises some privacy concerns. Other issues include cost-effectiveness and liability.

XML