25 November 1997
Source: http://www.access.gpo.gov/su_docs/aces/aces140.html

[Federal Register: November 25, 1997 (Volume 62, Number 227)]
[Page 62754-62756]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]



Critical Foundations: Protecting America's Infrastructures

AGENCY: Department of Commerce.

ACTION: Notice of availability and request for comments.


SUMMARY: The Department of Commerce announces the availability of and 
seeks public comment on ``Critical Foundations: Protecting America's 
Infrastructures,'' the report of the President's Commission on Critical 
Infrastructure Protection. The Commission was established by Executive 
Order in July 1996 to conduct a comprehensive study of the physical and 
electronic (``cyber'') threats to and vulnerabilities of the nation's 
critical infrastructures and recommend a national policy for protecting 
the infrastructures and assuring their continued operation. The 
executive order provided for a Commission comprised 10 members from the 
Federal government and 10 members from outside the Federal government. 
When the Commission terminated on October 13, 1997, some of the 
Commission's staff was retained to assist the Principals Committee, 
Steering Committee, and Advisory Committee in reviewing the report and 
preparing recommendations to the President. Notwithstanding the 
substantial public input that went into development of the Commission's 
findings and recommendations, their significance makes them worthy of 
additional public discussion and comment.

DATES: Comments should be submitted no later than January 9, 1998.

electronically from the Commission's transition office site on the 
World Wide Web: http://www.pccip.gov/.
    Comments may be sent to the Commission at P.O. Box 46258, 
Washington, DC 20050-6258. Comments may also be submitted by facsimile 
to 202-696-9411, or by electronic mail to Comments@pccip.gov. Comments 
submitted by facsimile or electronic mail need not also be submitted by 
regular mail.

FOR FURTHER INFORMATION CONTACT: The Commission at 703-696-9395.

SUPPLEMENTARY INFORMATION: Executive Order 13010 of July 15, 1996 (61 
FR 37347), as amended, established the President's Commission on 
Critical Infrastructure Protection and its associated Principals 
Committee, Steering Committee, and Advisory Committee as described 
below. A complete text of the Executive Order may also be found at the 
Commission's website (http://www.pccip.gov).

A Statement of the Problem

    Certain national infrastructures are so vital that their incapacity 
or destruction would have a debilitating impact on the defense or 
economic security of the United States. These critical infrastructures 
include telecommunications, electrical power systems, gas and oil 
storage and transportation, banking and finance, transportation, water 
supply systems, emergency services (including medical, police, fire, 
and rescue), and continuity of government services. Threats to these 
critical infrastructures fall into two categories: physical threats to 
tangible property (``physical threats''), and threats of electronic, 
radio-frequency, or computer-based attacks on the information or 

[[Page 62755]]

components that control critical infrastructures (``cyber threats''). 
Because many of these critical infrastructures are owned and operated 
by the private sector, it is essential that the government and private 
sector work together to develop a strategy for protecting them and 
assuring their continued operation.

Commission Membership

    The Commission comprised one member each from the Department of the 
Treasury, Department of Justice, Department of Defense, Department of 
Commerce, Department of Transportation, Department of Energy, Central 
Intelligence Agency, Federal Emergency Management Agency, Federal 
Bureau of Investigation, National Security Agency. These agencies also 
appointed members from the private sector. The Commission Chair was 
designated by the President from the private sector.

The Principals Committee

    The Commission reported to the President through a Principals 
Committee, which is charged to review any reports or recommendations 
before submission to the President. The Principals Committee comprises 
the Secretary of the Treasury, Secretary of Defense, Attorney General, 
Secretary of Commerce, Secretary of Transportation, Secretary of 
Energy, Director of Central Intelligence, Director of the Office of 
Management and Budget, Director of the Federal Emergency Management 
Agency, Assistant to the President for National Security Affairs, 
Assistant to the Vice President for National Security Affairs, 
Assistant to the President for Economic Policy and Director of the 
National Economic Council, and Assistant to the President and Director 
of the Office of Science and Technology Policy.

The Steering Committee

    The Commission's day-to-day work was overseen by a Steering 
Committee on behalf of the Principals Committee. The Steering Committee 
comprised five members: The Deputy Secretary of Defense, the Attorney 
General, the Deputy National Security Advisor, the Vice President's 
Domestic Policy Advisor and the Chair of the Commission itself. The 
Steering Committee received regular reports on the progress of the 
Commission's work and approved the submission of reports to the 
Principals Committee.

Advisory Committee

    The Commission received advice from an Advisory Committee composed 
of individuals appointed by the President from the private sector, 
academia, and local government who were knowledgeable about critical 
infrastructures. The Committee will study the report and provide advice 
to the Steering Committee.


    As provided in the Executive Order, the Commission was to consult 
with the public and private sector owners and operators of the critical 
infrastructures and others that have an interest in critical 
infrastructure assurance issues and that may have differing 
perspectives on these issues. The Commission was to assess the scope 
and nature of threats to and vulnerabilities of the critical 
infrastructures; determine the legal and policy issues raised by 
efforts to protect critical infrastructures and assess how they might 
be addressed; recommend a comprehensive national policy and 
implementation strategy for protecting critical infrastructures and 
assuring their continued operation; and propose any statutory or 
regulatory changes necessary to effect its recommendations.

Sector Studies

    The Commission divided its work into these five ``sectors'' based 
on the common characteristics of the included industries:
    <bullet> Information and communications.
    <bullet> Banking and finance.
    <bullet> Energy, including electrical power, and oil and gas 
production and storage.
    <bullet> Physical distribution, including transportation and oil 
and gas distribution.
    <bullet> Vital human services, including water supply, emergency 
services and government services.

Public Hearings and Outreach

    The Commission conducted extensive meetings with a range of 
professional and trade associations concerned with the infrastructures, 
private sector infrastructure users and providers, academia, state and 
local government agencies, consumers, federal agencies, and many 
others. Of special interest were five public meetings in five major 

Overview of the Report's Findings

    1. New Thinking is Required in Cyberspace. It is not surprising 
that infrastructures have always been attractive targets for those who 
would do us harm. In the past we have been protected from hostile 
attacks on the infrastructures by broad oceans and friendly neighbors. 
Today, the evolution of cyber threats has changed the situation 
dramatically. In cyberspace, national borders are no longer relevant.
    Potentially serious cyber attacks can be conceived and planned 
without detectable logistic preparation. They can be invisibly 
reconnoitered, clandestinely rehearsed, and then mounted in a matter of 
minutes or even seconds without revealing the identity and location of 
the attacker.
    Formulas that carefully divide responsibility between foreign 
defense and domestic law enforcement no longer apply as clearly as they 
used to and, in some instances, you may have to solve the crime before 
you can decide who has the authority to investigate it.
    2. We Should Act Now to Protect our Future. The Commission has not 
discovered an imminent attack or a credible threat sufficient to 
warrant a sense of immediate national crisis. However, the Commission 
found that our vulnerabilities are increasing steadily while the costs 
associated with an effective attack continue to drop. The investments 
required to improve the situation are still relatively modest, but will 
rise if we procrastinate.
    3. Infrastructure Assurance is a Shared Responsibility. National 
security requires much more than military strength. While no nation 
state is likely to invade our territory or attack our armed forces, we 
are inevitably the target of ill will and hostility from some quarters. 
Disruption of the services on which our economy and well-being depend 
could have significant effects, and if repeated frequently, could 
seriously harm public confidence. Because our military and private 
infrastructures are becoming less and less separate, because it is 
getting harder to differentiate threats from local criminals from those 
from foreign powers, and because the techniques of protection, 
mitigation, and restoration are largely the same, we conclude that 
responsibility for infrastructure protection and assurance can no 
longer be delegated on the basis of who the attacker is or where the 
attack originates. Rather, the responsibility should be shared 
cooperatively among all of the players.

Overview of the Report's Recommendations

    1. A Broad Program of Education and Awareness. Possible 
undertakings include White House conferences, National Academy of 
Science studies, presentations at industry and government associations 
and professional societies, development and promulgation of elementary 
and secondary curricula, and sponsorship of graduate studies and 

[[Page 62756]]

    2. Infrastructure Protection through Industry Cooperation and 
Information Sharing. Sector-by-sector cooperation and information 
sharing would take place in the context of partnerships between owners 
and operators and government. These partnerships would identify and 
share best practices. The National Institute of Standards and 
Technology, the National Security Agency, and the Department of 
Energy's National Laboratories would provide technical skills and 
expertise required to identify and evaluate vulnerabilities in the 
associated information networks and control systems. Sector cooperation 
might begin with sharing information and techniques related to risk 
management assessments. This could evolve into the development and 
deployment of ways to prevent attacks, and if attacks occur, to 
mitigate damage, quickly recover services, and reconstitute the 
    3. Reconsideration of Laws Related to Infrastructure Protection. 
Some laws capable of promoting infrastructure assurance efforts are not 
as clear or effective as they could be. Others operate in ways that may 
be unfriendly to security concerns. Sorting them all out will be a 
lengthy and complex undertaking, involving efforts at local, state, 
federal, and international levels. The report identifies specific 
existing laws that could be modified to support infrastructure 
    4. A Revised Program of Research and Development. While some of the 
basic technology needed to improve infrastructure protection already 
exists, it is not yet widely deployed. In all areas of activities aimed 
at protecting and assuring the infrastructure, mitigating damages, and 
responding and recovering from attacks, additional research effort is 
needed. The Commission recommends increasing government spending in 
research and development on capabilities such as intrusion detection.
    5. A National Organization Structure. To implement the 
recommendations the following new organizations and revised roles for 
existing organizations are recommended:
    Office of National Infrastructure Assurance as the top-level policy 
making office connected closely to the National Security Council and 
the National Economic Council;
    Infrastructure Assurance Support Office to house the bulk of the 
staff that would be responsible for follow-through on the Commission's 
    Information Sharing and Analysis Center to begin the step-by-step 
process of establishing a realistic understanding of distinguishing 
actual attacks from coincidental events;
    National Infrastructure Assurance Council of industry CEOs, Cabinet 
Secretaries, and representatives of state and local government to 
provide policy advice and implementation commitment;
    Lead Agencies, designated within the Federal government, to serve 
as a conduit from the government into each sector and to facilitate the 
creation of sector coordinators, if needed; and
    Sector Coordinators to provide the focus for industry cooperation 
and information sharing, and to represent the sector in matters of 
national cooperation and policy;
    Warning Center to identify anomalous events indicating that the 
infrastructure is under attack and alert the Information Sharing and 
Analysis Center for dissemination of bulletins and threat advisories to 
infrastructure stakeholders.

William Reinsch,
Under Secretary of Commerce, Bureau of Export Administration.

[FR Doc. 97-30851 Filed 11-24-97; 8:45 am]