6 August 1999. Thanks to Dan Dupont.
Defense Information and Electronics Report, August 6, 1999
By Richard Lardner
Severe funding shortfalls in the Pentagon's critical infrastructure protection program have left the department "extremely susceptible" to debilitating electronic and physical attacks, a situation that could "have significant and disastrous operational consequences" for U.S. warfighters, according to internal DOD documents.
As a result, a senior-level DOD panel is debating whether to substantially increase the amount of long-term spending for defense critical infrastructure assurance efforts. One option is to pump as much as $149 million in additional funding into the future years defense plan for infrastructure assurance, the documents indicate.
Crafted by Office of the Secretary of Defense staff and obtained by sister publication Inside the Pentagon, the documents are being used by the Program Review Group. Chaired by the under secretary of defense for acquisition and technology, the PRG is now making decisions on the department's budget for fiscal year 2001 and beyond.
A DOD spokeswoman declined to comment on the status of the PRG's work, which she described as internal budget deliberations, or discuss any funding options the group may be discussing.
Ironically, the PRG's deliberations seem to contradict a May 1999 draft White House report that describes DOD's critical infrastructure program in glowing terms. According to the "National Plan for Information Systems Protection," DOD "has been among the first departments to respond to the challenge of protecting its own infrastructure." The military's CIP plan is the "most developed among the federal departments" and is "serving as the model for other departments and agencies," the plan adds.
But the CIP challenge for DOD appears to be more complex than the White House report suggests, particularly in the funding area. The goal of DOD's critical infrastructure protection plan is to meet the military's in-house requirements as well as satisfy the external demands prescribed in President Clinton's May 1998 presidential decision directive on U.S. infrastructure assurance. PDD 63 directed that agencies develop plans to protect their infrastructures and implement those blueprints by May 2000. Additionally, PDD 63 assigned the Pentagon as "lead agency for national defense," which makes the department responsible for coordinating all the government's critical infrastructure protection activities that are related to national defense.
However, the Pentagon's current plan, listed in the documents as alternative one, is to spend $77 million between FY-01 and FY-05 "for the analysis and assessment of DOD operational dependencies on the commercial telecommunications, transportation and power infrastructures." This effort, being handled by a Navy-led joint program office, is based on the ability of the United States to target enemy infrastructures and a subsequent belief "that we were similarly vulnerable."
The trouble, however, is that alternative one pays too little attention to DOD's own infrastructures, which include logistics, financial services, C3I, intelligence, surveillance and reconnaissance (ISR), personnel, health affairs, public works, transportation and emergency preparedness, according to the documents. These are support functions that are essential to the warfighter.
"Approximately 40 DOD installations are analyzed each year based on requests from the [warfighting commanders], services and agencies and prioritized by the Joint Staff according to war plan criticality," the document reads. "The assessments are then used by the component to mitigate the identified vulnerabilities. This may involve identifying the problem to the [infrastructure manager] for resolution, planning or contracting for alternative or back-up service, or changing operational procedures."
The current program does not address "vulnerabilities of DOD critical infrastructures and assets crucial to warfighter support because defense infrastructure vulnerabilities are a more recent concern arising from studies of the DOD Critical Infrastructure Protection Working Group," the document states.
"Failure to address critical DOD infrastructure could have significant and disastrous operational consequences for the warfighter," it continues. "Vulnerable DOD infrastructure systems are likely to become the target of choice, especially for adversaries who are otherwise severely limited militarily. The cost of such attacks is very low while the results can be militarily very significant."
The PRG documents list several options to alternative one. Alternative two, described as the "minimum essential CIP," adds $79 million to alternative one "for the minimum engineering, analysis and assessment of critical defense infrastructures and assets at (nominally) 40 DOD installations and 100 associated activities per year" that are considered pivotal to the execution of war plans and DOD operations, according to the documents.
Alternative two leverages the Navy's commercial infrastructure analysis program, "using a proven approach to analyze and assess the vulnerabilities of the defense infrastructures providing direct support to the warfighter and DOD operational missions, develop analytic tools and network models, and identify minimal essential infrastructures," the documents note.
The extra money also expands the current program of analyzing 40 DOD installations annually "to include 100 associated defense infrastructure activities," like the Defense Information Systems Agency's megacenters.
On the down side, alternative two "does not provide resources for the range and depth of analysis, particularly of infrastructure interdependencies, that may be required to identify certain significant vulnerabilities," the documents read. "It does not resource the secondary, but important, supporting intelligence, security countermeasures and research and development coordination." Further, option two does not include the funding needed to execute DOD's PDD 63 responsibilities as lead agency for national defense.
Alternative three, called the "robust CIP" option, provides an additional $141 million over the FYDP. This alternative "increases the depth and range of technical analysis of the critical infrastructures and their interdependencies, extends analysis to additional commercial infrastructures and increases interagency and national-level coordination and liaison," the documents state.
Alternative three is advertised as a substantial improvement over alternative two. Additional commercial infrastructures to be assessed include water supply, banking and finance. "Lead agency" requirements spelled out in PDD 63 also could be met. "This increased and expanded level of effort should provide a significant improvement in DOD's operational readiness," the document reads.
Alternative four, listed as "robust CIP with [Defense Intelligence Agency] support," boosts alternative three by $7.7 million -- for a total of $148.7 million over the FYDP -- "to provide DIA intelligence support for CIP and assurance support" for the ISR infrastructure.
Copyright Defense Information and Electronics Report.