INFORMATION SHARING FOR CRITICAL INFRASTRUCTURE PROTECTION TASK FORCE REPORT JUNE 2001 TABLE OF CONTENTS EXECUTIVE SUMMARY ES-1 1 0 INTRODUCTION AND CHARGE 1 2 0 RESULTS 2 2 1 2 2 2 3 2 4 National Plan for Information Systems Protection 2 Freedom of Information Act 3 Sharing Information on Incidents Reported to Law Enforcement 4 Coordination with United States Space Command 5 APPENDIX A TASK FORCE MEMBERS AND OTHER PARTICIPANTS APPENDIX B THE NSTAC’S RESPONSE TO THE NATIONAL PLAN APPENDIX C SHARING INFORMATION ON INCIDENTS REPORTED TO LAW ENFORCEMENT EXECUTIVE SUMMARY An important facet of the Nation’s strategy to protect critical infrastructures from cyber attacks is the development of mechanisms to facilitate public and private sector information sharing about actual threats and vulnerabilities To address this concern the National Security Telecommunications Advisory Committee’s NSTAC Industry Executive Subcommittee IES formed the Information Sharing Critical Infrastructure Protection Task Force ISCIPTF in September 1999 to focus on various information-sharing issues associated with critical infrastructure protection Following NSTAC XXIII the ISCIPTF addressed three new charges from the NSTAC to the IES • Provide input to Version 2 0 of the National Plan for Information Systems Protection National Plan • Address barriers to information sharing for critical infrastructure protection to include the Freedom of Information Act FOIA and possible law enforcement restrictions • Coordinate with United States Space Command USSPACECOM to further develop means for information sharing The NSTAC as part of the ongoing industry Government partnership has been deeply involved in critical industry-based analysis and recommendations related to national security and emergency preparedness telecommunications and associated information systems The NSTAC developed a response to the National Plan presenting an overview of its work in progress and a synthesis of relevant conclusions and recommendations for consideration as the Nation develops a strategy for critical infrastructure protection CIP The response is based on proven processes for industry Government partnership at the technical operational and policy levels The response maps NSTAC findings across these areas with the major CIP objectives outlined in Version 1 0 of the National Plan The NSTAC concluded that bridging the gap in perspectives of industry and Government regarding the threat to critical infrastructures is key to future successful dialogue Regarding potential barriers to information sharing the ISCIPTF addressed the need for legislation that would create a CIP exemption to FOIA In conjunction with the NSTAC’s Legislative and Regulatory Working Group the task force reviewed elements of what would be effective FOIA legislation and related policy considerations In addition the task force examined possible law enforcement restrictions on industry sharing information on network intrusions with Information Sharing and Analysis Centers or similar information-sharing forums In response to the ISCIPTF’s request the NSTAC and Government Network Security and Information Exchanges NSIE investigated the issue In working with the Department of Justice the NSIEs found that although common practice discourages victims of such crimes from sharing information no laws or policies prohibit victims from discussing crimes against them even after they have reported them to law enforcement To address the situation the Department of Justice in cooperation with the NSIEs will work with the law enforcement community to implement policies that encourage victims to share such information and to educate victims on those policies Building on NSTAC’s relationship with USSPACECOM the ISCIPTF continued to coordinate with USSPACECOM representatives on critical infrastructure protection matters Representatives were invited to attend task force meetings and ISCIPTF members visited USSPACECOM facilities in Colorado Springs Colorado The task force agreed to continue to work with USSPACECOM to develop additional ways to share information 1 0 INTRODUCTION AND CHARGE An important facet of the Nation’s strategy to protect critical infrastructures from cyber attacks is the development of mechanisms to facilitate public and private sector information sharing about actual threats and vulnerabilities To address that concern the National Security Telecommunications Advisory Committee’s NSTAC Industry Executive Subcommittee IES formed the Information Sharing Critical Infrastructure Protection Task Force ISCIPTF in September 1999 to focus on various information-sharing issues associated with critical infrastructure protection In preparation for the May 16 2000 NSTAC XXIII meeting the ISCIPTF examined mechanisms and processes for protected operational information sharing that would help achieve the goals of Presidential Decision Directive 63 PDD-63 1 1 and further the role of the National Coordinating Center for Telecommunications NCC as an Information Sharing and Analysis Center ISAC 2 2 In addition the task force continued through outreach NSTAC interaction with Government leaders responsible for PDD-63 implementation The ISCIPTF completed these taskings and forwarded its findings and recommendations to the NSTAC in May 2000 3 3 Following NSTAC XXIII the ISCIPTF addressed three new charges from the NSTAC to the IES 1 1 • Provide input to Version 2 0 of the National Plan for Information Systems Protection National Plan • Address barriers to information sharing for critical infrastructure protection to include the Freedom of Information Act FOIA and possible law enforcement restrictions • Coordinate with United States Space Command USSPACECOM to further develop means for information sharing White Paper “The Clinton Administration’s Policy on Critical Infrastructure Protection Presidential Decision Directive 63 ” May 22 1998 2 2 The NCC was established in 1984 as a result of an NSTAC recommendation to develop a joint industry Government national coordinating mechanism to respond to the Federal Government’s national security and emergency preparedness NS EP communications service requirements The NCC’s mission is to assist in the initiation coordination restoration and reconstitution of NS EP communications services or facilities The NSTAC was instrumental in expanding the NCC’s responsibilities to include functioning as an ISAC for the telecommunications infrastructure Established in January 2000 the NCC-ISAC was the second ISAC to be formed following the promulgation of PDD-63 and the first ISAC with both industry and Government membership The NCC-ISAC gathers information about vulnerabilities threats intrusions and anomalies from telecommunications industry Government and other sources and then analyzes the data with the goal of averting or mitigating effects on the communications infrastructure Results are sanitized and disseminated in accordance with sharing agreements established by the NCC-ISAC participants 3 3 See the Information Sharing Critical Infrastructure Protection Task Force Report May 2000 2 0 RESULTS 2 1 National Plan for Information Systems Protection Background PDD-63 envisions a comprehensive national strategy for critical infrastructure protection CIP The White House’s National Plan is intended as a first major element of the larger effort to protect the Nation’s information systems and critical assets Version 1 0 of the plan focuses mainly on Federal efforts being undertaken to protect the Nation’s critical cyber-based infrastructures Subsequent versions are to address a broader range of concerns including the specific role industry can play in protecting physical and cyber-based infrastructures from attack Input from industry—the owners and operators of most of the Nation’s infrastructures—is essential At the May 16 2000 NSTAC XXIII meeting the National Coordinator for Security Infrastructure Protection and Counter-terrorism National Security Council asked for NSTAC comments on Version 1 0 of the National Plan In response to this request the ISCIPTF drafted The NSTAC’s Response to the National Plan The report is attached as Appendix B and its findings are summarized below Findings By reviewing and synthesizing conclusions and recommendations from the NSTAC’s work in progress the task force isolated key points to be considered as the Nation develops a CIP strategy Specifically the task force documented NSTAC findings related to the three broad objectives of Version 1 0 of the National Plan—Prepare and Prevent Detect and Respond and Build Strong Foundations—that should be reflected in Version 2 0 of the plan In addition the task force proposed that a new broad objective—International Considerations—be included in the next iteration of the plan The task force concluded that the NSTAC’s cumulative work in the areas of critical infrastructure protection and information assurance can serve as a baseline for intensifying the dialogue between industry and Government regarding the best means for protecting the Nation’s critical infrastructures Key to this future discussion are the differing perspectives that industry and Government hold regarding the threat to critical national infrastructures From a business perspective industry in general believes it understands and is adequately mitigating the threat to its operations From a national security perspective the Government warns of an increased— albeit imprecisely defined—international threat to critical national infrastructures Bridging this gap in perspectives can provide a foundation for future collaboration 2 2 Freedom of Information Act In its NSTAC XXIII report the ISCIPTF addressed FOIA and recommended that the President support legislation similar to the Year 2000 Information and Readiness Disclosure Act to protect critical infrastructure protection information shared voluntarily with the Government from disclosure under FOIA Subsequently the NSTAC Chair sent a letter to the President emphasizing the importance of the FOIA issue FOIA is considered an important issue in the CIP context because it could serve as a barrier to information sharing Specifically companies may be reluctant to share CIP-related information with the Government if such potentially sensitive information could be unintentionally disclosed through FOIA This disclosure can occur because FOIA provides a mechanism for the public to access Government-maintained records Although a number of exemptions exist to prevent disclosure none clearly cover information pertaining to national security and emergency preparedness or CIP In light of these factors the ISCIPTF requested that the NSTAC’s Legislative and Regulatory Working Group investigate elements of what would be effective FOIA legislation and related policy considerations 2 3 Sharing Information on Incidents Reported to Law Enforcement Background At the May 16 2000 NSTAC XXIII meeting the NSTAC Principals discussed with senior Government officials how to improve information sharing between industry and Government regarding electronic intrusions into network systems and databases One issue discussed with the Director National Infrastructure Protection Center NIPC was whether victims of such crimes were prohibited by law enforcement from reporting the intrusions to ISACs or similar information-sharing forums Because the Principals and the Director NIPC had different views on this issue the NSTAC Chair suggested that the NSTAC document its concern After considering the matter the ISCIPTF requested that the NSTAC and Government Network Security Information Exchanges NSIE consider the issue because of the NSIEs’ experience in this area NSTAC NSIE representatives have noted that historically they do not discuss intrusions into their networks and systems with anyone else after reporting them to law enforcement because case agents told them that doing so might compromise their cases Because the companies and individuals wanted to cooperate with law enforcement and did not want to risk jeopardizing their cases they have honored these requests This reluctance however has hindered information sharing within the NSIEs The NSIEs report to the ISCIPTF in connection with this issue and its potential effect on industry’s participation in ISACs is attached as Appendix C Its findings are summarized below Findings In working with the Department of Justice DOJ the NSIEs found that although common practice discourages victims from sharing information no laws or policies prohibit victims from discussing crimes against them even after they have reported them to law enforcement This discrepancy reflects a lack of understanding on the part of victims case agents and prosecutors of the benefit of sharing some information in a disciplined manner in practice discussing a case too broadly can jeopardize its successful prosecution to prevent further crimes An example of disciplined information dissemination is sharing appropriate information in appropriately protected forums such as the NSIEs or ISACs In response to this issue the NSIEs will document their procedures for sharing and protecting information and work with DOJ to communicate these procedures to the law enforcement community This measure is intended to build law enforcement’s confidence that information shared for network security purposes will be properly guarded The NSIEs also found that it will be necessary for the private sector to ensure that its personnel who interact with law enforcement on such cases are aware that they are permitted and encouraged to share this information for network security purposes using appropriate mechanisms At the same time the Chief Computer Crime and Intellectual Property Section DOJ will work with the law enforcement community to develop and implement policies that encourage victims to share such information and to educate victims on those policies 2 4 Coordination with United States Space Command Background The May 2000 NSTAC XXIII meeting was co-hosted in Colorado Springs Colorado by USSPACECOM General Ralph Eberhart U S Air Force and Commander in Chief USSPACECOM addressed the NSTAC Principals and briefed them on USSPACECOM’s expanded mission USSPACECOM incorporated the Joint Task Force for Computer Network Defense into its mission when it recently assumed responsibility for protecting the Department of Defense’s computer networks Computer network defense is a key element to the successful incorporation of information security which requires layers of detection tools on computer systems more frequent vulnerability assessments increased training and certification for administrators education down to the end user stronger firewalls and the institution of a public key infrastructure General Eberhart attended the NSTAC XXIII meeting to facilitate communication between the NSTAC and USSPACECOM He explained that USSPACECOM had completed a concept of operations for computer network defense and is developing the concept of operations for computer network attack functions The efforts to date have focused on conducting real-world operations—from peacekeeping to computer virus control General Eberhart remarked that the key to successful information operations is working together to understand the associated difficult legal policy and doctrine issues He also explained that participation by industry the owners and operators of the infrastructure would be essential to the computer network defense mission Findings The ISCIPTF coordinated with USSPACECOM to develop additional means of sharing information The task force invited command representatives to attend all task force meetings Representatives from USSPACECOM attended task force meetings and ISCIPTF representatives visited USSPACECOM facilities in Colorado to discuss the evolving relationship between the NSTAC and USSPACECOM The task force also appointed Mr Jon Lofstedt Qwest as liaison between the task force and USSPACECOM in Colorado Subsequently representatives from the command attended and briefed at ISCIPTF meetings and IES Working Sessions The task force agreed that information sharing is a cornerstone of national infrastructure protection and concluded that efforts to share information between the NSTAC and USSPACECOM should continue on an ongoing basis APPENDIX A TASK FORCE MEMBERS AND OTHER PARTICIPANTS TASK FORCE MEMBERS Verizon Communications Mr Lowell Thomas Chair Unisys Dr Dan Wiener Vice-Chair AT T Bank of America Boeing CSC EDS ESET Hughes ITT Lockheed Martin Lucent Nortel Networks Northrop Grumman Raytheon Rockwell SAIC TRW USTA Qwest WorldCom Mr Harry Underhill Mr Roger Callahan Mr Bob Steele Mr Guy Copeland Mr Dale Fincke Mr James Klugh Ms Jennifer Smolker Mr Joe Gancie Mr Michael Collins Mr John McClurg Dr Jack Edwards Mr Scott Freber Mr Bob Tolhurst Mr Ken Kato Mr Hank Kluepfel Mr Bill Gravell Mr Paul Johnson Mr Jon Lofstedt Ms Joan Grewe OTHER PARTICIPANTS AT T GWU Lockheed Martin Raytheon SAIC SBC Verizon Communications Verizon Communications Idefense ITAA TIA TIA USTA Ms Ellen Brain Dr Jack Oslund Mr Ernie Wallace Mr Tom O’Connell Mr Bob Rankin Ms Rosemary Leffler Mr James Bean Ms Ernie Gormsen Mr Steve Trevino Mr Doug Sabo Mr Dan Bart Mr Gerry Rosenblatt Mr Paul Hart GOVERNMENT PARTICIPANTS NTIA NTIA OASD C3I OASD C3I OMNCS-N2 OMNCS-N3 USSPACECOM Mr Dan Hurley Ms Helen Shaw Mr Mark Centra Mr David Potter Mr John Todd Lt Col Frances Wentworth Col John Rader APPENDIX THE RESPONSE TO THE NATIONAL PLAN THE NSTAC’S RESPONSE TO THE NATIONAL PLAN The National Security Telecommunications Advisory Committee NSTAC 1 4 Information Sharing for Critical Infrastructure Protection Task Force developed The NSTAC’s Response to the National Plan to highlight the NSTAC’s work in several issue areas that are important to the main objectives of Version 1 0 of the National Plan for Information Systems Protection National Plan The issue areas are discussed in the context of summaries of previous NSTAC reports presented in Annex A Summaries of Previous NSTAC Reports This document is organized around the three broad objectives listed in the National Plan which are essential for critical infrastructure protection CIP —Prepare and Prevent Detect and Respond and Build Strong Foundations In addition it is proposed that a new broad objective—International Considerations—be included in Version 2 0 of the National Plan The NSTAC’s studies of Information and Communications I C Sector Interdependencies and Risk Management broadly relate to the first objective of the National Plan Prepare and Prevent That objective addresses the National Plan goal of identifying critical infrastructure assets shared interdependencies vulnerabilities and outreach programs to make Americans aware of the need for improved cyber-security The second objective of the National Plan Detect and Respond connects with the NSTAC issue areas of Network Technologies and Vulnerabilities Response and Recovery and Information Sharing Detect and Respond correlates to the National Plan objectives to detect attacks and unauthorized intrusions share attack warnings and information in a timely manner and create capabilities for responses reconstruction and recovery Finally the NSTAC has examined a variety of issues concerning Research and Development R D needs I C Sector Interdependencies and Information Sharing which align with Build Strong Foundations the third objective listed in the National Plan Build Strong Foundations corresponds to the National Plan’s intent to enhance CIP R D efforts train and employ adequate numbers of information security specialists and adopt legislation in support of CIP efforts This response presents an overview of the NSTAC’s work in progress and a synthesis of relevant conclusions and recommendations that have been presented to the President involving issues that could affect national security and emergency preparedness NS EP in telecommunications and information services NSTAC reports from the mid-1990s forward are presented in Annex A These reports relate to issues created not only by the evolving telecommunications and information infrastructure—from the public network PN 2 5 and the public-switched network PSN 3 6 through the Internet to the next-generation network NGN 4 7 —but also by the 1 4 The NSTAC established by Executive Order 12382 on September 13 1982 comprises chief executive officers CEO who participate on a pro bono basis The NSTAC has established the Industry Executive Subcommittee IES to support its activities The IES in turn has established ad hoc task forces and working groups to address issues The NSTAC also collaborates with Government through regular participation in the National Coordinating Center for Telecommunications NCC the NCC Information Sharing and Analysis Center ISAC and the Network Security Information Exchanges NSIE See p 4 and Annex A p B-16 for a discussion of the NCC NCC-ISAC and NSIEs 2 5 The PN is defined as any switching system or voice data or video transmission system that is used to provide communications services to the public e g public switched networks public data networks private line services wireless systems and signaling networks 3 6 The PSN is defined as any common carrier network that provides circuit switching among public users changing nature of the threats from physical only to physical and cyber Because these recommendations remain valid and relevant they should be included in the National Plan Above all these findings have a more important fundamental value because they have been generated by an exhaustive industry and Government information-sharing process that has withstood the test of time The NSTAC has been involved in depth with the CIP issue since its inception and continues its work in this area but the NSTAC is aware that the Nation is only on the threshold of the issue The NSTAC uses a fairly formal process to determine work plans which it will develop in conjunction with the upcoming NSTAC XXIV meeting however the NSTAC could address future issues The NSTAC could augment prepare prevent and respond with an examination of consequence management policy and with this an expansion of the roles of the National Coordinating Center for Telecommunications NCC and the Network Security Information Exchanges NSIE to include relationships with other CIP components Although these are just examples they emphasize the idea that The NSTAC’s Response to the National Plan will continue to be a work in progress responsive to National needs This information has been shared with the I C sector through meetings with NSTAC member companies and through joint meetings with the I C sector coordinators’ representatives from the Information Technology Association of America the Telecommunications Industry Association and the United States Telecom Association SHARED CHALLENGES At the outset it is recognized that the dialogue to develop a National Plan stems from the shared challenges that Government and the telecommunications and information-related industries face albeit from different perspectives 4 7 • National security in today’s global environment is being defined and measured in terms of economic and military strength Thus the Nation’s well-being is highly dependent on the protection of the interdependent critical infrastructures as emphasized in Presidential Decision Directive 63 PDD-63 • The Government is increasingly relying on the private sector to provide telecommunications and information services This reliance necessitates a continuing dialogue to promote mutual understanding of industry and Government interests and concerns as the public and private sectors strive to meet the objectives of protecting the critical infrastructures through nonregulatory solutions as anticipated by PDD-63 • While Government is focusing on protecting national security preventing future attacks and identifying and punishing attackers private owners of infrastructures are more concerned with common business imperatives As a result of this dichotomy any The NGN is a public broadband diverse and scalable packet-based network evolving from the PSN the advanced intelligent network AIN and the Internet The NGN is characterized by a core fabric enabling network connectivity and transport with periphery-based service intelligence solution to or recommendations for the protection of critical infrastructures require the participation of private industry in concert with Government • The Telecommunications Act of 1996 is opening the telecommunications industry to increased competition and interconnection industry consolidation and integration and foreign ownership at the same time that new service providers are gaining access to network facilities Security measures are consequently becoming even more complicated and difficult to implement • The evolution to the NGN is enabling and requiring telecommunications providers to transition from proprietary protocols to open-system protocols to manage their networks Concurrently traditional circuit-switched services are migrating to the Internet’s packet-switched networks As this migration continues and new Internet services are introduced the PN may become more susceptible to well-known Internet vulnerabilities especially in light of the more integrated and increasing dependence on commercial offthe-shelf technology • The assurance and full protection of American citizens’ civil liberties their rights to privacy and their rights to the protection of proprietary data should be affirmatively addressed in CIP planning ADDRESSING THE BROAD OBJECTIVES OF THE NATIONAL PLAN In this response which focuses on efforts that the Federal Government is undertaking to protect the Nation’s critical infrastructures it should be noted that NSTAC recommendations have already been made to the President concerning many of the programs upon which the Plan’s three broad objectives are based—Prepare and Prevent Detect and Respond and Build Strong Foundations This timeliness exists because many of the issues associated with the National Plan’s programs have been—or are being—addressed in the NSTAC process 5 8 either in response to an Administration request as is the case with the assessment of the potential for a widespread outage due to network convergence 6 9 or in anticipation by member companies of an issue or development that could affect NS EP telecommunications services These issues are discussed under different headings in Annex A NATIONAL PLAN OBJECTIVES PREPARE AND PREVENT A long-standing goal of the NSTAC has been to take steps to minimize the possibility of a significant and successful attack on the Nation’s critical telecommunications and information infrastructure and to build an infrastructure that remains effective in the face of such an attack Indeed the NSTAC in 1984 recommended that the NCC be established as a national coordinating mechanism to respond to the Federal Government’s NS EP communications 5 8 The NSTAC’s work is based on a process that enables the formation of interdisciplinary task forces to focus on issues that require timely operational technical policy and regulatory analysis and recommendations 6 9 Convergence indicates a process over a 3- to 5-year period of NGN evolution during which traditional circuit-switched networks including AIN and Internet protocol IP -based data networks will coexist and interoperate to enable end-to-end transmission of voice communications until IP-based networks subsume circuit-switched networks service The NSTAC also initiated the development of the NSIE process in 1991 to provide a forum in which industry and Government could share information with the goal of reducing the vulnerability of the Nation’s telecommunications systems to electronic intrusion 7 10 Industry in general is recommending that physical security be included in Version 2 0 it was not included in Version 1 0 However the primary focus of the NCC in the 1980s was on physical threats—an emphasis that was consistent with the Government’s overall focus at the time on the security of important physical structures such as dams bridges tunnels and power plants 8 11 As demonstrated in the following text the focus consequently has broadened from assessments of physical threats leading to service outages to the inclusion of assessments of the threats or risks of unauthorized intrusions of the PN and vulnerabilities associated with network convergence Concurrently methodologies for conducting these assessments have been developed and refined to accommodate technological change PN Assessments Assessments were conducted in 1995 9 12 and 1999 10 13 with respect to unauthorized penetration or manipulation of the evolving PN software and databases affecting NS EP telecommunications services • Both assessments found that Government and corporate networks had become more interconnected as these organizations have increasingly relied on the PN to transmit critical business and operations information thereby increasing the perceived and substantive rewards for gaining illicit access • The most recent assessment concluded that absent a valid baseline to establish quantitative measures of the risk to the PN from electronic intrusion it was difficult to definitively state how risk had changed over the past few years Indeed little evidence suggests that the risk has diminished and numerous factors suggest that it is growing Internet Assessments In 1999 the Government’s use of the Internet 11 14 was assessed in parallel with its increasing reliance on the Internet for conducting electronic commerce ecommerce 12 15 Many of the significant findings in those assessments were similar • 7 10 8 11 9 12 Agencies with NS EP responsibilities are using the public Internet mostly for outreach information sharing and e-mail Direct dependence on the public Internet for mission-critical operations and e-commerce is currently modest although the NS EP community’s dependence on the Internet is likely to grow over the next several years See Annex A p B-16 for a discussion of the development of the NCC and the NSIEs National Plan Version 1 0 Executive Summary p xviii See Annex A p B-23 for summary of Government and NSTAC NSIE An Assessment of the Risk to the Security of Public Networks 10 13 See Annex A p B-23 for summary of Government and NSTAC NSIE An Assessment of the Risk to the Security of the Public Network 11 14 See Annex A p B-25 for summary of An Examination of the NS EP Implications of Internet Technologies 12 15 See Annex A p B-27 for summary of NS EP Implications of Electronic Commerce Report Government will more likely depend on dedicated intranets for mission-critical operations • The informal and distributed management of Internet functions the Domain Name System Internet software and procedural errors and unintentional actions invite potential vulnerabilities Because of the interconnected nature of the public Internet a disruption or degradation of Internet operations could also hamper the operations of dedicated intranets • The reliability and security of the public Internet are generally considered inadequate for NS EP mission-critical functions and sensitive e-commerce transactions So far no Internet technologies or applications facilitate the same type of end-to-end NS EP-related services available in the PN Nor are there economical incentives for Internet service providers ISP to develop and offer NS EP service enhancements over their networks A number of factors e g lack of NS EP demand and market factors preclude the availability of NS EP services over the Internet for the foreseeable future Accordingly the following recommendations were made to the President • Direct the establishment of a permanent program to address NS EP issues related to the Internet The program should work with the NS EP community to increase the understanding of evolving Internet dependencies and with key Internet organizations and standards bodies to increase awareness of NS EP requirements • Designate a focal point for examining the NS EP issues related to widespread adoption of e-commerce within the Government and direct the Federal departments and agencies in cooperation with this Federal focal point to assess the effect of e-commerce technologies on their NS EP operations Convergence Assessments The implications of the PSN-Internet technical convergence and of the transfer of traffic from the PSN to the NGN on the Government’s voice priority NS EP services are under continuing examination Specific attention is being paid to potential impacts on the Government Emergency Telecommunications Service GETS 13 16 and Telecommunications Service Priority TSP 14 17 programs A mid-2000 assessment reached a number of conclusions including— 15 18 • 13 16 As the PN changes from separate switched-voice and packet-data networks to an interconnected network and then to a unified NGN over the next several years the capabilities in the PN around which GETS has been designed such as ubiquity and interoperability access to NS EP functional features and high levels of network reliability and security will no longer be available To maintain GETS-type functions GETS provides NS EP users priority access to and specialized processing for NS EP calls in local and long distance networks 14 17 The TSP Program is the regulatory administrative and operational framework for the priority provisioning and restoration of any qualified NS EP telecommunications service 15 18 See Annex A p B-28 for summary of Information Technology Progress Impact Task Force Report on Convergence new quality-of-service schemes and functional requirements will have to be developed to provide services commensurate with NS EP needs and security safeguards • TSP as originally conceived remains relevant during convergence because restoration assignments can still be applied to identifiable segments of the PSN But as discussed by the program’s Oversight Committee the program is inapplicable to ISPs offering voice services it should not have a role in the NGN And if the NS EP community requires similar types of priority services for packet networks a new program will have to be established to support them • Although specific NGN standards have not yet been developed to support NS EP requirements the NGN technology can support them Nonetheless these requirements are unlikely to be incorporated by industry unless the features needed to meet them are standardized by industry perhaps with prompting from the Government It has been recommended that the appropriate departments and agencies in coordination with industry be directed by the President to promptly determine precise functional NS EP requirements for convergence and the NGN and to ensure that relevant NS EP functional requirements are conveyed to standards bodies and service providers during standards development and implementation Widespread Network Outage Assessments The Administration continues to request assessments regarding the possibility of a widespread service outage in the PN particularly in light of increasing convergence In April 1997 the Assistant to the President for Science and Technology requested an assessment of the possibility of a widespread service outage in the public telephone network 16 19 An initial response in December 1997 17 20 and a follow-up response 9 months later— 18 21 16 19 • Defined widespread outage as “a sustained interruption of telecommunications service that would have strategic significance to government industry and the general public Such an outage would likely affect the telecommunications service in at least one region of the country including at least one major metropolitan area It would involve multiple carriers affecting both long-distance and local service and significantly degrade the ability of other essential infrastructures to function Such an outage would affect the availability and integrity of telecommunications service for at least a significant portion of a business day ” • Concluded that given the limited precedent for telecommunications outages of this magnitude and member companies’ prior experiences with smaller-scale outages there is a low probability of a widespread sustained outage of public telephone service however the potential societal impacts of such an outage are high enough to warrant consideration April 24 1997 letter from Dr John Gibbons Assistant to the President for Science and Technology to Mr Charles Lee NSTAC Chair concerning the possibility of a widespread outage affecting the public telephone network 17 20 See Annex A p B-33 for summary of Widespread Outage Subgroup Report 1997 18 21 See Annex A p B-33 for summary of Widespread Outage Subgroup Report 1998 • Offered recommendations to the President intended to decrease the overall probability of a widespread outage including improving intercarrier coordination for widespread outage recovery clarifying who has the authority to resolve legal and regulatory impediments to the rapid and orderly restoration of service during such outages These recommendations also encourage the Federal Communications Commission FCC to a ensure that local number portability LNP national standards and requirements including NS EP are agreed upon and adhered to before implementing LNP on a widespread basis b allow sufficient time to complete reliability interoperability and security testing of new services and products before implementing regulatory mandates and c urge established entities and newer entrants to adhere to and help develop industry standards and best practices A fresh look is now being taken at the possibility of a widespread outage in the converging network environment in response to an October 2000 request by the Assistant to the President for Science and Technology 19 22 Among the questions to be answered are 1 How should existing NSTAC National Communications System NCS NCC and other private and Government organizations evolve with the networks to ensure a quick organized and technically competent response in the case of a widespread outage 2 What reasonable steps could the Government take to help the NSTAC and industry in general better prepare to react to a widespread outage in these networks The preliminary analysis of NS EP telecommunications in a converged network environment focused on its relative immaturity when compared with the legacy PSN According to this analysis NS EP communications should utilize the converged network but until complete confidence is established the community should not rely exclusively on services based on converged networks A formal interim report will be presented at the NSTAC XXIV meeting in June 2001 Cross-Sectoral Assessments An initial cross-sectoral assessment was undertaken in 1993 when an NSTAC Energy Task Force addressed the telecommunications electric service priority and national energy strategy review 20 23 In January 1995 the Director of the National Security Agency briefed the NSTAC on threats to U S information systems and the need to improve the security of critical national infrastructures In March the NSTAC advised the President that “ the integrity of the Nation’s information systems both government and public are increasingly at risk to intrusion and attack other national infrastructures such as finance air traffic control power etc also depend on reliable and secure information systems and could be at risk ” 21 24 Four months later President Clinton “welcomed” the Advisory Committee’s continuing efforts to work with the Administration in this area and asked for “input from the full range of national information infrastructure users” to assess the NS EP requirements for the Nation’s rapidly evolving information infrastructure 22 25 Shortly thereafter Presidential 19 22 October 24 2000 letter from Dr Neal Lane Assistant to the President for Science and Technology to Mr Daniel Burnham NSTAC Chair concerning the possibility of a widespread outage of the converged network and NGN 20 23 Energy Task Force Report NSTAC XV May 1993 More recently the Network Reliability and Interoperability Council has adopted the telecommunications electric service priority recommendation as part of its best practices 21 24 March 20 1995 letter from Mr William Esrey NSTAC Chair to President Clinton regarding the security of the national information infrastructure NII 22 25 July 7 1995 letter from President Clinton to Mr William Esrey NSTAC Chair regarding the security of the NII Decision Directive 39 was released It directed the Attorney General to lead a governmentwide effort to reexamine the adequacy of the Nation’s infrastructure protection 23 26 Building on the methodology developed by the Government and the NSTAC in the earlier risk assessments to the PN information assurance IA risk assessments were conducted for the electric power infrastructure in March 1997 24 27 financial services in December 1997 25 28 and transportation in June 1999 26 29 Extensive outreach was conducted with each of the sectors and each infrastructure’s dependency on information technology and the associated IA risks to its information systems were examined Follow-up recommendations were sent to the President many of which remain valid and some of which appear applicable to other critical infrastructures It is recommended that these assessments be referenced in the National Plan as models for developing sector-specific assessments NATIONAL PLAN OBJECTIVES DETECT AND RESPOND Identifying and assessing an attack in time and then containing the attack quickly recovering from it and affecting reconstitution requirements—the stated purpose of this objective—are functions presently being carried out by the NCC The NCC Information Sharing and Analysis Center ISAC Established in 1984 to assist in the initiation coordination restoration and reconstitution of NS EP communications facilities and services this coordinating mechanism’s functions have since evolved in response to changes in technology and in the nature of threats to the telecommunications and information infrastructures As previously discussed the NCC’s initial focus was on physical threats In response to a request from the Manager NCS in 1997 the NCC developed an indications assessment and warning response capability and began performing an electronic-intrusion incident-information processing function During 1999 the NSTAC determined that the NCC was performing the primary functions of an ISAC for the telecommunications sector and recommended that industry and Government establish it as such In January 2000 the National Security Council recognized the NCC as an ISAC 27 30 and in March 2000 the NCC began initial operations as an ISAC for the telecommunications sector 28 31 In this new role the NCC-ISAC gathers information about vulnerabilities threats intrusions and anomalies from the telecommunications industry Government and other sources and then analyzes the data with the goal of averting or mitigating effects on the communications and information infrastructures Results are sanitized and disseminated in accordance with information-sharing agreements established by the NCC-ISAC participants Cross-sector information sharing is also being explored 23 26 U S Policy on Counterterrorism PDD-39 July 21 1995 See Annex A p B-20 for summary of Electric Power Information Assurance Risk Assessment 25 28 See Annex A p B-21 for summary of Financial Services Risk Assessment Report 26 29 See Annex A p B-22 for summaries of Interim Transportation Information Risk Assessment Report and Transportation Information Assurance Risk Assessment Report 27 30 January 18 2000 letter from Mr Richard Clarke National Coordinator for Security Infrastructure Protection and Counterterrorism to Mr Art Money Assistant Secretary of Defense for Command Control Communications and Intelligence regarding the designation of the NCC as an ISAC 28 31 See Annex A p B-39 Attachment A National Coordinating Center for Telecommunications 24 27 In a dry run as an ISAC the NCC served as the telecommunications sector’s focal point for the Nation’s Year 2000 Y2K activities The findings and recommendations and lessons learned should prove helpful to other infrastructures as they develop their own ISACs 29 32 The NSIE Forum The previously referenced NSIE process provides yet another capability for industry and Government sharing of sensitive information to further help reduce the vulnerability of the Nation’s telecommunications systems to electronic intrusion However whereas the NCC focuses on near real-time operational response to all-hazards the NSIEs’ focus on post-event analysis of threats to and vulnerabilities of networks NATIONAL PLAN OBJECTIVE BUILD STRONG FOUNDATIONS This objective identifies “things we must do as a Nation to create and nourish the people organizations laws and traditions which will make us better able” to address the other two broad objectives—Prepare and Prevent and Detect and Respond—to attacks on the critical information and communications sector Enhancement of R D The NSTAC has a long-standing interest in enhancing CIP-related R D Through its own studies and through public R D exchanges among industry Government and academia topics requiring study and funding have been affirmed and reaffirmed The R D Exchanges held in 1991 1996 1998 and 2000 are illustrative of the NSTAC’s outreach activities to improve cyber-security More are likely to be held in the future The NSTAC voiced numerous concerns that have yet to be resolved 30 33 particularly— • The lack of an overarching national technology policy that articulates a vision with respect to Federal intrusion detection R D • The need for R D focus on the network and infrastructure levels and on the establishment of testbeds and laboratories to develop standards metrics and testing procedures • The need to educate and train employees on recognizing intrusion and heightening their awareness of the risks posed by electronic intrusion This need complements the National Plan’s Outreach Program to Make Americans Aware of the Need for Improved Cyber-Security The need exists to offset the high costs and high risks associated with R D in security technology i e tax credits and other financial incentives might allow companies to minimize their risks and encourage commercial enterprises to increase the funding of security technology R D During the two most recent R D Exchanges representatives from the academic sector played major roles Their contributions are reflected in many of the recommended areas for R D 31 34 29 32 30 33 31 34 See Annex A p B-35 Information Sharing Critical Infrastructure Protection Task Force Report See Annex A p B-41 for summary of NSTAC R D Exchange Proceedings See Annex A p B-41 for summary of NSTAC R D Exchange Proceedings Two of the recommendations complement the Federal National Plan’s program to Train and Employ Adequate Numbers of Information Security Specialists • IA Centers of Excellence in academia should be supported and new ones established • Programs to create financial incentives for students to pursue computer security disciplines at the graduate and undergraduate levels need to be implemented such as the Scholarship for Services Program under the Federal Cyber Service initiative Current programs rather than remaining concentrated on “respond and react” technologies should consider the full range of risk management needs A third recommendation suggests that in seeking to build security solutions it is vital to conduct research activities in other areas such as operations legal and public policy and human factors Legislative Initiatives Even though the NCC-ISAC is functioning participants continue to express concerns about the legal and regulatory barriers to voluntary information sharing which is a linchpin of CIP Foremost among the legal impediments is the Freedom of Information Act FOIA recognized from the outset as a barrier to voluntary information sharing In preparation for the Y2K rollover the NSTAC recommended to the President that the then-pending Y2K Information and Readiness Disclosure Act be supported 32 35 The legislation which was enacted into law Public Law 105-271 included a provision that information voluntarily shared with the Government is to be treated as part of a “special data gathering” and is therefore exempt from disclosure under FOIA During the last session of Congress the NSTAC wrote to the President and recommended support of FOIA legislation similar to that in the Y2K legislation relative to information voluntarily shared for CIP 33 36 However some member companies believe that many issues still need to be addressed and or clarified in any new FOIA proposal Nevertheless eliminating this barrier is just one of many issues that need resolution in particular antitrust liability the treatment of classified information and national security concerns State government liability disclosure and protection of trade secrets and proprietary information Industry Government dialogue in this area is needed Impediments to Information Sharing Other barriers to information sharing should be addressed in the National Plan The Government should review information sharing that is taking place in addition to that in the ISACs Industry is presently being asked to share information much of it the same with Government through several other channels Some companies may be reluctant to share information lest it be used to gain competitive advantage individual participants may be reluctant as well The voluntary information-sharing processes of the NCC and the NSTAC NSIE have proven successful on a company disclosure basis In other cases remedies may include developing pertinent nondisclosure agreements among the 32 35 September 18 1998 letter from Mr Van B Honeycutt NSTAC Chair and CEO Computer Sciences Corporation to the President that recommending the President support the Y2K Information and Readiness Disclosure Act 33 36 August 7 2000 letter from Mr Van B Honeycutt NSTAC Chair and CEO Computer Sciences Corporation to the President recommending that the President support legislation similar to the Y2K Information and Readiness Disclosure Act participants Anonymity-based processes are starting to prove successful for larger groups These factors should be taken into account in the development of ISACs PROPOSED NEW BROAD OBJECTIVE INTERNATIONAL CONSIDERATIONS Soon after the release of An Agenda for Action in the early 1990s 34 37 the Government started focusing on developing and expanding the global information infrastructure GII Most recently the NSTAC examined globalization 35 38 The wide range of issues addressed included the current and future nature of the GII and the impact of the GII on NS EP communications in 2010 the foreign ownership of NS EP critical communications services systems and technology export policies Although no international issues were raised in Version 1 0 it is proposed that a new broad objective—International Considerations—be included in Version 2 0 as well as the following conclusions 34 37 35 38 • Global Broadband Capabilities NS EP telecommunications capabilities in 2010 should be facilitated by a GII featuring new technologies and improved network features and by increased global availability of broadband communications with satellite communications and wireless technologies bringing the GII and NS EP communications to less accessible geographic regions However there is no guarantee that all essential communications capabilities will be ubiquitously available It has been recommended to the President that prudent NS EP communications contingency planning consider end-to-end systems using a broad range of wireless satellite and terrestrial capabilities including operational tests New technical and operational issues including use of foreign Internet protocol-based networks and NGN will likely need to be considered • Foreign Ownership Increased foreign ownership and or control of critical U S telecommunications facilities through which NS EP services are provided is a significant development However the current regulatory structure including the regulatory review process established by the FCC appears to be effectively accommodating the increasing levels and types of foreign ownership of U S facilities while allowing the Government to retain the authority to prevent any such ownership from compromising national security interests A Cabinet-level interagency committee—the Committee on Foreign Investments in the United States—provides additional oversight in proposed mergers acquisitions or joint ventures involving a foreign entity On the foregoing basis it has been recommended to the President that this review process remain adequate to protect NS EP concerns • Export Controls Technology export policies dealing with the transfer of strong encryption products satellite technology and high-performance computers are critical issues But given that technology progresses faster than policy industry and Government should continually evaluate the limits placed on technology exports An Agenda for Action September 15 1993 See Annex A p B-44 for summary of Globalization Task Force Report CONCLUSIONS No technology has been more responsible for the dramatic changes to the Nation’s infrastructures than the technologies associated with the I C sector As the Nation and the Government become even more dependent on the telecommunications and information infrastructure the role of NSTAC as an advisory body is taking on new dimensions The cited reports upon which this submission is based can serve as a baseline for intensifying the dialogue as well as illustrating the type of analytic support the NSTAC’s task force oriented process can provide Specifically we encourage the I C sector individual companies and Government to continue to work together to— • • Protect the Nation’s critical infrastructures Further the dialogue establishing a National Plan This dialogue should include discussion of one of the previously stated “Shared Challenges” see p B-2 that involves the different perspectives that industry and Government have regarding the threat to critical infrastructures On the whole industry believes it understands and is adequately mitigating the threat to its operations At the same time the Government has referred to an increased hostile international threat to the critical national infrastructures However this threat is unclear Without a clear and present danger it is difficult for industry to justify spending additional dollars for augmenting protection of its systems Thus beginning immediately and at a minimum the new Administration must continue the dialogue with industry and engage the NSTAC to cooperate on NS EP issues critical to the Nation Attendance by the President and members of his new Administration at NSTAC XXIV in June 2001 is key to resolving future issues This meeting will provide an opportunity for the President to frame and present his agenda for the ongoing issues of the NSTAC ANNEX A SUMMARIES OF PREVIOUS NSTAC REPORTS ANNEX A SUMMARIES OF PREVIOUS NSTAC REPORTS INTRODUCTION Purpose of This Document This Annex supplies supplemental information from previous reports of the President’s National Security Telecommunications Advisory Committee NSTAC 1 39 to The NSTAC’s Response to the National Plan As a whole this document provides a guide to what the NSTAC believes are important points for consideration as the Nation develops a strategy for critical infrastructure protection CIP Because the environment has changed since many of the summarized studies were completed the document’s value should be understood in terms of the relevancy of the NSTAC’s cumulative thinking and collective lessons learned to ongoing efforts No new recommendations are offered As an informational document it is intended to demonstrate how the NSTAC process has worked to yield insights that can provide the basis for future actions Overview of the NSTAC The President created the NSTAC by Executive Order 12382 in September 1982 to provide a unique source of national security and emergency preparedness NS EP communications policy expertise For more than 18 years the NSTAC has advised the President on issues pertaining to the reliability and security of telecommunications and the information infrastructure—issues that are critical to America’s security and commercial interests Today the NSTAC is recognized as a model for industry and Government collaboration Its record of accomplishments includes substantive recommendations to the President leading to enhancements of the Nation’s NS EP telecommunications and related information systems posture Enhancements in the form of operational programs and policy solutions benefit both industry and Government as the Nation’s security requirements and information infrastructure evolve The principal NSTAC working body is the Industry Executive Subcommittee IES The IES meets regularly to identify issues undertake analyses and consider recommendations for presentation to the NSTAC The IES forms ad hoc task forces to address specific policy operational or technical issues that require further substantive examination This flexible working structure allows the NSTAC to proactively investigate issues as changes occur in the broader policy technological regulatory business and threat environments The NSTAC also collaborates with the Government through regular participation in the National Coordinating Center for Telecommunications NCC including its Information Sharing and Analysis Center ISAC component and the Network Security Information Exchange NSIE process 1 39 Copies of reports can be obtained via the World Wide Web at www ncs gov or from the Office of the Manager National Communications System Customer Service Division The NCC was established in 1984 as a result of an NSTAC recommendation to develop a joint industry and Government national coordinating mechanism to respond to the Federal Government’s NS EP communications service requirements The NCC’s mission is to assist in the initiation coordination restoration and reconstitution of NS EP communications services or facilities Currently 15 NSTAC member companies are represented in the NCC The NSTAC was instrumental in formalizing the NCC’s responsibilities to include functioning as an ISAC for the telecommunications infrastructure Designated as an ISAC in January 2000 the NCC-ISAC was the second ISAC to be formed following the promulgation of Presidential Decision Directive 63 PDD-63 and the only ISAC with industry and Government membership The NCC-ISAC gathers information about vulnerabilities threats intrusions and anomalies from the telecommunications industry Government and other sources The NCC-ISAC then analyzes the data with the goal of averting or mitigating effects on the communications infrastructure Results are sanitized and disseminated in accordance with sharing agreements established by the NCC-ISAC participants In 1991 the NSTAC working with the National Communications System recommended establishing an industry and Government partnership to reduce the vulnerability of the Nation’s telecommunications systems to electronic intrusion To that end the NSIE process was established as a forum in which industry and Government could share information in a trusted and confidential environment The NSIE process continues to function today demonstrating that industry and Government will share sensitive security information if they find value in doing so In 1998 PDD-63 called for the establishment of similar information-exchange forums to reduce vulnerabilities in all critical infrastructures Background on NSTAC Activities As They Relate to Critical Infrastructure Protection and Information Assurance The NSTAC has directly addressed information assurance IA and CIP issues since 1995 At the January 16 1995 NSTAC XVII meeting the Director of the National Security Agency briefed the NSTAC Principals on threats to U S infrastructures In the ensuing months the NSTAC sponsored several meetings with representatives from the national security community law enforcement and civil departments and agencies to discuss information warfare defensive and IA issues At the May 15 1995 NSTAC IES working session the members established the Information Assurance Task Force IATF to serve as a focal point for IA issues More specifically the IES charged the IATF to work with the U S Government to identify critical national infrastructures and their importance to the national interest schedule elements for assessment and propose IA policy recommendations to the President The IATF worked closely with industry and Government representatives to identify critical national infrastructures and ultimately selected three for study—electric power financial services and transportation To address the distinctive characteristics of those infrastructures the IATF established three risk assessment subgroups to examine each infrastructure’s dependence on information technology and the associated IA risks to its information systems Following NSTAC XIX March 18 1997 the IES renamed the IATF the Information Infrastructure Group IIG and gave it the mission to continue acting as the focal point for NSTAC IA and infrastructure protection issues The IIG worked closely with the President’s Commission on Critical Infrastructure Protection and other Federal organizations concerned with examining physical and cyber threats to the Nation’s critical infrastructures Federal efforts to examine IA CIP issues culminated with the release of presidential policy guidance—PDD-63 Recognizing that those infrastructures are predominantly owned and operated by the private sector PDD-63 envisions the creation of a public-private partnership that is “genuine mutual and cooperative” to facilitate the elimination of vulnerabilities in the Nation’s critical infrastructures Subsequently PDD-63 implementation became a focal point for the IIG’s activities Applying its years of experience in joint industry and Government planning the NSTAC initiated a dialogue with senior Administration officials on issues related to IA CIP policy and the implementation of PDD-63 A key element was the need for public-private partnerships to address infrastructure vulnerabilities Specifically the NSTAC offered lessons learned in building joint mechanisms like the NCC and the Government and NSTAC NSIE The IES NCC and NSIE provide the mechanisms and procedures for industry to address NS EP telecommunications and information technology issues at the policy operational and technical levels respectively The NSTAC also presented to the President its recommendations having applicability to PDD-63 including recommendations regarding an Information Systems Security Board ISSB 2 40 and the National Coordinating Mechanism NCM 3 41 concept NSTAC advice to the President and collaboration with the Administration have had significant applicability to PDD-63 implementation PDD-63 directs Federal lead agencies to identify infrastructure sector coordinators within industry to provide perspective on CIP programs At NSTAC XXI in September 1998 the NSTAC concluded that more than one entity or sector coordinator would be required to represent the diverse Information and Communications I C sector In February 1999 following IES outreach to the Administration on the issue the Department of Commerce acted in concert with NSTAC advice and selected three industry associations—the Information Technology Association of America the Telecommunications Industry Association and the United States Telecom Association—to serve as sector coordinators for the I C sector 2 40 In 1997 the NSTAC finalized the concept and model for an ISSB—a private sector entity intended to improve the common understanding of the nature and purpose of information systems security The ISSB would promote information systems security principles and standards to improve the reliability and trustworthiness of commercial information products and services 3 41 In 1997 the NSTAC revisited its earlier concept for an industry Government mechanism to coordinate planning information sharing and resources in response to NS EP requirements Unlike the original NCM plan that applied to the telecommunications infrastructure and which led directly to the establishment of the NCC in 1984 the revised NCM concept involved linking all of the Nation’s critical infrastructures e g telecommunications financial services electric power transportation PDD-63 also calls for the private sector to explore the feasibility of establishing one or more ISACs On the basis of the December 1997 NSTAC XX recommendation regarding a cross-infrastructure NCM IES representatives engaged in a dialogue with senior Administration officials on the prospects of creating multiple infrastructure-based ISACs That dialogue was important to the eventual decision to recognize the NCC as an ISAC for telecommunications Subsequently several sector-specific ISACs were created Finally PDD-63 emphasizes the importance of relying on nonregulatory solutions to address infrastructure vulnerabilities In satisfying this objective the Administration has underscored the value of promoting industry standards and best practices to improve IA That approach is consistent with and follows on the December 1997 NSTAC XX recommendation regarding the creation of an ISSB—a private sector entity intended to promote information systems security principles and standards to improve the reliability and trustworthiness of information products and services At the June 9 1999 NSTAC XXII meeting the National Coordinator for Infrastructure Protection Security and Counter-terrorism asked the NSTAC to provide comments on the draft version of the National Plan for Information Systems Protection National Plan The IES reviewed the draft plan and provided general comments for the Administration’s consideration The comments were based on the NSTAC’s long history of partnership with the Government and reflected input informally provided to the Director of the Critical Infrastructure Assurance Office earlier in 1999 Specifically members recommended that several principles for partnership identified by the NSTAC be considered for inclusion in the National Plan Some of these principles were incorporated into Version 1 0 of the National Plan which the White House released on January 7 2000 Reflecting the NSTAC’s ongoing contributions to the development of CIP policy the Department of Defense Infrastructure Assurance Plan—incorporated as part of the National Plan—specifically mentions the NSTAC as an industry Government partnership model for exchanging information The NSTAC is also further cited as an example of “industry commitment to the public good ” and of how industry can partner with Government to improve information security The NSTAC formed the Information Sharing for Critical Infrastructure Protection Task Force ISCIPTF in September 1999 to focus on information-sharing issues associated with CIP Specifically the task force among other things continued interaction with Government leaders responsible for PDD-63 implementation and examined mechanisms and processes for protected operational information sharing that would help achieve the goals of PDD-63 Following a request by the National Coordinator for Infrastructure Protection Security and Counter- terrorism at the May 16 2000 NSTAC XXIII meeting for additional NSTAC comments on Version 1 0 of the National Plan the ISCIPTF drafted The NSTAC’s Response to Version 1 0 of the National Plan including this annex INFORMATION AND COMMUNICATIONS I C SECTOR INTERDEPENDENCIES Profound changes in the Nation’s infrastructures involving interdependency deregulation and reliance on technology are creating new challenges to the assurance of infrastructure services A few particular infrastructures are so vital that their incapacity or destruction would significantly compromise the defense and economic security of the United States No technology has been more responsible for this dramatic change and had a more profound effect on the other infrastructures than the technologies associated with the I C infrastructure The national critical infrastructure systems incorporate a mix of public and private ownership entities that bring to the table varying perspectives concerning security protection and economic competitiveness Private owners faced with loss of revenue and loss of confidence by their customers regulators investors and insurers seek to restore revenue and customer confidence satisfy regulators document losses and avoid liability Governments focus on protecting national security preventing future attacks and identifying and punishing attackers As a result of the dichotomy of interests any solution to or recommendation for the protection of critical infrastructures requires the participation of private industry in concert with Government In January 1995 the Director of the National Security Agency briefed the National Security Telecommunications Advisory Committee NSTAC on threats to U S information systems and the need to improve the security of critical national infrastructures Reflecting on that information the NSTAC Principals discussed emerging threats to information systems and subsequently forwarded a correspondence on the matter to President Clinton in March 1995 It stated that “ the integrity of the Nation’s information systems both government and public are increasingly at risk to intrusion and attack other national infrastructures such as finance air traffic control power etc also depend on reliable and secure information systems and could be at risk ” President Clinton replied to the NSTAC in July 1995 stating that he would “welcome NSTAC’s continuing efforts to work with the Administration to counter threats to our Nation’s information and telecommunications systems ” The President further asked the NSTAC with “input from the full range of national information infrastructure users ” to assess the national security and emergency preparedness requirements for the Nation’s rapidly evolving information infrastructure Through dialogue with Government the NSTAC identified three priority critical infrastructures for assessment The NSTAC built on the methodology developed by the Government and the NSTAC Network Security Information Exchanges to assess the security risks to public networks Using that methodology the NSTAC began to study the electric power financial services and transportation infrastructures Specifically the NSTAC examined each infrastructure’s dependency on information technology and the associated information assurance risks to its information systems The NSTAC completed the risk assessments of the electric power financial services and transportation infrastructures in March 1997 December 1997 and June 1999 respectively In each assessment follow-up recommendations were sent to the President many of which remain valid and some of which appear applicable to other critical infrastructures Information Assurance Task Force IATF Electric Power Information Assurance Risk Assessment March 1997 In March 1997 the NSTAC issued a report to the President that assessed the security of the electric power control networks and electric power grid The NSTAC determined that the electric power industry was undergoing significant change fueled by marketplace forces and Federal legislative and regulatory activities The NSTAC found that this change was stimulated by new players entering the power generation and delivery market and by existing utilities being required to offer open access to their transmission systems The previously tightly integrated functions of power generation transmission and marketing were being separated within utilities and some were even spinning off into new companies Utilities were also rapidly expanding their use of information systems and interconnecting previously isolated networks because of competition aging proprietary systems and reductions in staff and operating margins The NSTAC recognized that although physical destruction was still the greatest threat facing the electric power infrastructure electronic intrusion of the utilities’ information systems and networks represented an emerging threat The NSTAC concluded that the probability of a nationwide disruption of electric power through electronic intrusion short of a major coordinated attack was extremely low but the potential for short-term disruptions at the regional level was increasing The NSTAC found that the industry considered the primary threat to information systems to be from insiders Downsizing increased competition and the shift to standard protocols would add to the potential sources of attacks whether from inside or outside a utility The NSTAC also examined recent legislation that had increased the jurisdiction of Federal State and local law enforcement authorities over attacks on electric power control systems It found that the lack of effective reporting mechanisms inconsistent use of logins passwords and warning banners and a low probability of being detected caught and prosecuted hindered effective deterrence of potential attackers The NSTAC determined that the substations presented the most significant information security vulnerability in the power grid The NSTAC also found that many of the automated devices used to monitor and control equipment within transmission and distribution centers and corporate data networks widespread use of dial-up modems and use of public networks were other sources of vulnerabilities in the electric power grid The NSTAC recognized that utilities used a variety of mechanisms to protect the electric power grid from disruption including contingency analysis redundant control centers dial-back modems and firewalls However few utilities had an information security function for their operational systems and the lack of convincing evidence of a threat tended to lead senior managers to minimize information security investments Although the NSTAC’s study found no evidence of a disruption of electric power caused by an electronic intrusion it concluded that three trends would increase the exposure of the electric power control network to attack • • • The shift from proprietary mainframe control systems to open systems and standard protocols Increasing use of automation outside contractors and external connections to reduce staff and operating costs The requirement to provide open access to transmission system information dictated under Federal Energy Regulatory Commission orders 888 and 889 The NSTAC included in its recommendation to the President that he consider assigning to the appropriate department or agency the mission to develop and conduct an ongoing program with the electric power industry to identify the threat and increase the awareness of vulnerabilities and available or emerging solutions IATF Financial Services Risk Assessment Report December 1997 The NSTAC delivered a financial services Information Assurance IA risk assessment report to the President in December 1997 The study reflected that the financial services infrastructure was sufficiently protected and prepared at the national level to address a broad range of current threats from natural disasters to electronic intrusions However the NSTAC found that there were security implications and potential vulnerabilities associated with the financial service sector’s dependence on a telecommunications infrastructure being subjected to deregulation the integration of dissimilar information systems and networks resulting from mergers and acquisitions and the introduction of Web-based banking services The study focused on three objectives • • • Assess the security and robustness of the financial services infrastructure at the national level relative to the identified threats to its networks and information systems Determine the risks to the industry that derive from its dependence on the telecommunications infrastructure Examine the implications of trends regarding the industry’s use of information systems and networks The NSTAC found that the financial services industry approached the protection of its networks and information systems as an integral element of an overall program of risk-management accountable to the most senior levels of an institution This approach is long established in the industry and affects every investment decision The approach also incorporates security measures as fundamental risk controls The NSTAC concluded that trends in banking securities and new technologies indicated that information systems and networks would continue to be the primary vehicles for innovation and competition enabling money value and related commerce to move with increasing velocity It was further determined that although the industry had suffered for its reluctance to discuss security issues in open forums through perceptions fostered by the media that the situation was far worse than it was the financial institutions were very aware of the threats facing them The financial institutions were also committed to any necessary investments in protection measures and had extensive experience addressing natural and man-made disasters and infrastructure outages These measures taken by the industry put successful cyber attacks beyond the scope of all but a concerted nation-state effort Physical attack remained the larger concern Information Infrastructure Group IIG Interim Transportation Information Risk Assessment Report December 1997 IIG Transportation Information Assurance Risk Assessment Report June 1999 The NSTAC initiated its transportation IA risk assessment in December 1996 The findings were included in an interim report to the President in December 1997 The report concluded that the transportation industry lacked a uniform understanding of information system risks and vulnerabilities and the industry lacked consistent methods for assessing vulnerabilities or gauging information system security The report also concluded that the transportation industry was generally skeptical that meaningful industry and Government information sharing about system threats and vulnerabilities could be achieved The NSTAC came to the following six conclusions about risks to the transportation infrastructure • • • • • • The transportation industry is increasingly reliant on information technology IT and public networks Although a nationwide disruption of the transportation infrastructure is unlikely even a local or regional disruption could have a significant impact Business pressures and widespread utilization of IT make large-scale multimodal disruptions more likely in the future A need exists for a broad-based infrastructure assurance awareness program to assist all modes of transportation The transportation industry could leverage ongoing research and development initiatives to improve the security of the transportation information infrastructure A need exists for closer coordination between the transportation industry and other critical infrastructures The NSTAC recommended that the President continue support for the efforts of the Department of Transportation DOT to promote outreach and awareness within the transportation infrastructure as expressed in Presidential Decision Directive 63 These recommendations included the timely dissemination of Government information on physical and cyber threats support for research and development programs to develop methods to counter emerging cyber threats joint industry and Government efforts to examine emerging industrywide vulnerabilities and future DOT conferences to stimulate information exchange on threats vulnerabilities and best practices NETWORK TECHNOLOGY AND VULNERABILITIES Since early 1990 the U S Government and the President’s National Security Telecommunications Advisory Committee NSTAC have been working together to address network security issues Central to this process are separate but closely coordinated Government and NSTAC Network Security Information Exchanges NSIE The activities of the NSIE focus on issues of unauthorized penetration or manipulation of the public network PN software and databases affecting national security and emergency preparedness NS EP telecommunications services The NSIE conducted risk assessments of the PN in 1995 and 1999 More recently the NSTAC undertook focused investigations of the vulnerabilities associated with the use of the Internet and electronic commerce technologies as they are increasingly being used to support NS EP telecommunications functions In addition the NSTAC examined evolving network technologies and architectures the implications for existing NS EP priority services and the potential for satisfying NS EP functional requirements in the Next Generation Network NGN environment Government and NSTAC NSIE An Assessment of the Risk to the Security of Public Networks December 1995 Government and NSTAC NSIEs An Assessment of the Risk to the Security of the Public Network April 1999 The most recent NSIE assessment of the risk to the PN determined that its earlier findings regarding the overall vulnerability of the PN remain valid Old vulnerabilities are still being exploited even though fixes are readily available for most of those discovered Vulnerabilities in many of the PN’s diverse technologies e g Signaling System 7 SS7 and Synchronous Optical Network remain The following factors summarized from the recent NSIE risk assessments significantly heighten risk to the PN • The Telecommunications Act of 1996 The Telecommunications Act of 1996 opened the telecommunications industry to increased competition and interconnection As more providers gain access to network facilities security measures become more complicated and difficult to implement • The Business Environment The telecommunications industry is a highly dynamic fast-paced global industry Telecommunications organizations are increasingly adopting aggressive business practices to streamline operations and reduce costs These business practices have increased the complexity of the PN further increasing the difficulty of implementing network security measures In addition the changing business environment and rapid integration of newer technologies have increased the vulnerabilities of the PN The operations administration maintenance and provisioning systems and network operations centers are highly integrated and are increasingly dependent on commercial off-the-shelf technology Potential intruders have ready access to information about these technologies and their vulnerabilities This information is widely known and rapidly disseminated throughout the intruder community • The threat to the PN continues to grow as the PN becomes a more valuable target and the intruder community develops more sophisticated capabilities to launch attacks against it Lately the intelligence community has increased its efforts to focus on defining the electronic intrusion threat to the PN Intruder tools continue to improve and have become widely available as has information on vulnerabilities The denial of service attacks in February 2000 provided additional evidence of malicious capabilities • Technology Telecommunications providers are transitioning from proprietary protocols to open-system protocols to manage their networks In addition traditional circuitswitched services are migrating to packet-switched networks As this migration continues and new services such as Internet Protocol IP telephony proliferate the PN may become more susceptible to well-known Internet vulnerabilities • Public Switched Network PSN Internet Connectivity The Internet is rapidly converging with the PSN increasing the opportunity for intruders to attack the PSN through the Internet • Tools and Techniques Security tools and techniques have evolved significantly in the last few years and the telecommunications industry is taking advantage of this evolution to improve the security of its networks Similarly network intrusion tools and techniques have also improved substantially and the intruder community is using these tools and techniques to attack the PN The NSIE risk assessments found that as the PN has continued to expand it has become an increasingly important part of the National Information Infrastructure Government and corporate networks are more interconnected than ever before as these organizations increasingly rely on the PN to transmit critical business and operations information Therefore the perceived and substantive rewards for gaining illicit access to the PN are increasing which makes protecting the PN more important than ever before • Critical Infrastructure Protection Concern grows within Government and the private sector over critical infrastructure protection As Government and the owners of critical infrastructures work to ensure the reliability and availability of their own systems these efforts could improve the security of the PN • Legislation Federal and State legislatures are addressing computer crime and imposing more severe penalties on electronic criminals reflecting an increased awareness of the growing importance of the PN and the value of the information transported over its networks • Government and industry organizations have worked diligently to improve protection measures Technology and awareness are clearly improving and service providers and vendors are becoming more knowledgeable and skillful in implementing protection measures At the same time several factors limit the effectiveness of protection measures Service providers’ knowledge of the entire network and more important ability to control the full extent of network connections are diminishing Although technology protection measures such as intrusion detection tools have improved dramatically their effectiveness is still inconsistent Further the individuals with the technical skills required to effectively evaluate and implement these tools are in short supply • Continuing trends in law enforcement have increased the ability of Government and corporate organizations to deter the intrusion threat The U S law enforcement community has developed a firm position on electronic intrusion Intruders face more diligent prosecution efforts and can expect longer sentences if convicted In addition victims are gradually becoming more willing to report intrusions and cooperate with law enforcement The most recent NSIE risk assessment concluded that absent a valid baseline to establish quantitative measures of the risk to the PN from electronic intrusion it is difficult to definitively state how risk has changed over the past few years Rapid advances in technology and environmental factors have changed the vulnerabilities and threats facing the PN making it difficult to protect against intrusions At the same time the importance of the PN and the value of information flowing over its networks are increasing making the PN a more valuable target Overall according to the NSIE report there is little evidence to suggest that the risk has diminished and many factors to suggest that it is growing Network Group Internet Report An Examination of the NS EP Implications of Internet Technologies June 1999 As the Government expands its Internet use to more critical applications such as supporting NS EP functions concerns arise about how a severe disruption of Internet service might affect NS EP operations The NSTAC released the “Internet Report” in June 1999 to examine how a severe disruption of the Internet could affect NS EP operations over the next 3 years to identify vulnerabilities of network control elements associated with the Internet and their ability to cause a severe disruption of Internet service and to examine how Internet reliability availability and service priority issues apply to NS EP operations The report concluded that agencies with NS EP responsibilities are using the public Internet mostly for outreach information sharing and e-mail while direct dependence on the public Internet for mission-critical operations is currently modest The NS EP community is more likely to depend on dedicated Transmission Control Protocol Internet Protocol TCP IP networks intranets for mission-critical NS EP operations at present However NS EP dependence on the Internet is likely to grow over the next several years because the public Internet offers a cost-effective efficient means of communications the Government is rapidly adopting electronic commerce e-commerce and Federal policies are promoting use of the Internet Currently critical infrastructures such as medical services banking and finance gas and electric industries and telecommunications are increasingly using the public Internet for various processes including exchange of business administrative and research information The NSTAC also concluded that the informal and distributed management of Internet functions the Domain Name System Internet software including Berkeley Internet Name Domain and procedural errors and unintentional actions invite potential vulnerabilities that could contribute to a disruption of Internet service Because of the interconnected nature of the public Internet a disruption or degradation of Internet operations could also affect the operations of dedicated TCP IP networks intranets However with the Internet’s highly diverse architecture and complex interconnection arrangements consisting of thousands of Internet service providers ISP it is unlikely that the failure of any single node or transmission facility would cause a major Internet service disruption see page A-19 for follow-on efforts Presently the reliability and security of the public Internet is generally considered inadequate for NS EP mission-critical functions There are no Internet technologies or applications that facilitate the same type of end-to-end NS EP-related services available in the PSN Although certain ISPs currently offer in-network quality of service QoS standards no end-to-end QoS offerings are available via the public Internet No economical incentives exist for ISPs to develop and offer NS EP service enhancements over their networks Many factors e g lack of NS EP demand and market characteristics preclude the availability of NS EP services over the Internet for the foreseeable future The NSTAC recommended that the President direct the establishment of a permanent program to address NS EP issues related to the Internet The program should have the following objectives • • • • Work with the NS EP community to increase understanding of evolving Internet dependencies Work with key Internet organizations and standards bodies to increase awareness of NS EP requirements Interact with the appropriate Internet organizations and initiatives to investigate develop and employ NS EP-specific Internet priority services such as priority access end-to-end routing and transport Examine the potential impact of IP network-PSN Convergence on PSN-specific NS EP priority services e g Government Emergency Telecommunications Service and Telecommunications Service Priority The NSTAC also recommended that the President direct the appropriate Government departments and agencies to leverage existing industry and Government partnership mechanisms to increase awareness of NS EP requirements within key Internet organizations and standards bodies Information Infrastructure Group IIG NS EP Implications of Electronic Commerce Report June 1999 The public sector is in the midst of adopting systemwide changes that will incorporate e-commerce into Government operations In June 1999 NSTAC issued a report to discuss implications of incorporating e-commerce into business operations within the NS EP community To investigate this topic the NSTAC surveyed e-commerce literature and received briefings from diverse Government industry and academic sources The committee also interviewed public and private sector officials responsible for implementing e-commerce policies and procedures The NSTAC found that e-commerce use among NS EP organizations has been limited to support nonmission critical activities but as these organizations increase their reliance on e-commerce operations for NS EP functions the security of these e-commerce transactions will become more critical As the NS EP community transitions the NSTAC concluded that it should be alerted to several issues that could affect how e-commerce is implemented • • • • • NS EP dependence on e-commerce although modest at present is likely to grow steadily over the next decade The NS EP community must be aware of the vulnerabilities that arise from utilizing e-commerce hardware and software and make informed decisions regarding its implementation to achieve an acceptable level of risk The NS EP departments and agencies must thoroughly assess current and future dependence on e-commerce application and architectures the associated security implications and the effect e-commerce will have on overall business operations In the new electronic environment created by e-commerce the NS EP community will depend on commercial products and an information infrastructure that it neither owns nor operates Therefore the Federal Government and its partners in the private sector will share the NS EP risks involved with e-commerce A unified and specific focus on NS EP needs is lacking among organizations responsible for managing and administering oversight for e-commerce within the Federal Government This lack of focus could lead to a lack of formal guidance policy procedures and accountability addressing NS EP issues related to the adoption of e-commerce The NSTAC concluded that what is needed is a focal point within the Federal Government to work with the various public and private organizations to increase their awareness of NS EP issues related to e-commerce The NSTAC recommended that the President designate this focal point for examining the NS EP issues related to widespread adoption of e-commerce within the Government The committee also recommended that the President direct the Federal departments and agencies in cooperation with an established Federal focal point to assess the effect of e-commerce technologies on their NS EP operations The NSTAC also saw a need to increase the NS EP community’s awareness of the potential vulnerabilities related to e-commerce Departments and agencies should work with the focal point to assess their current and future e-commerce dependence and the vulnerabilities caused by e-commerce and its implementation Information Technology Progress Impact Task Force ITPITF Report on Convergence May 2000 The NS EP community depends heavily on priority treatment of voice calls within the PSN to support NS EP operations which is provided under the Telecommunications Service Priority TSP 4 42 and the Government Emergency Telecommunications Service GETS 5 43 program Telecommunications service providers plan to transition traffic onto the NGN The NSTAC examined the implications of the evolving public network architecture for priority treatment of NS EP voice and traffic data and specifically the potential impact of IP network-PSN convergence on PSN-specific NS EP priority services The NSTAC’s report outlined the implications of convergence for existing NS EP priority services and examined evolving network technologies and capabilities that could assist in satisfying existing NS EP functional requirements in an NGN environment The NSTAC reached the following conclusions • • • • • • • • • • 4 42 The NS EP community depends heavily on priority treatment of voice calls within the PSN to support NS EP operations and will remain dependent for the immediate future The public network will change from separate switched-voice and packet-data networks to an interconnected network and then to a unified NGN over the next several years The potential implications of convergence and the NGN for GETS services include new blocking sources lack of ubiquity and interoperability lack of access to GETS features disparate congestion handling and a lack of commensurate network reliability and security NS EP requirements are unlikely to be incorporated by industry unless the features needed to meet these requirements are standardized by industry perhaps with prompting from the Government NS EP traffic requires newly designed and standardized features to overcome new problems associated with packet networks To provide GETS-type services during convergence and in the NGN QoS schemes must be expanded to provide services commensurate with NS EP needs The current level of security safeguards incorporated into GETS is inadequate to maintain NS EP functional requirements during convergence and in the NGN TSP as originally conceived remains relevant during convergence because restoration assignments can still be applied to identifiable segments of the PSN A potential implication for the TSP Program during convergence and in the NGN as discussed by the TSP Oversight Committee OC is the inapplicability of the program to ISPs offering voice services The OC stated that TSP as currently defined did not and should not have a role in the NGN and if the NS EP community required similar types of priority services for packet networks a new program would have to be established to support such services The TSP Program is the regulatory administrative and operational framework for the priority provisioning and restoration of any qualified NS EP telecommunications service 5 43 Developed in response to a White House tasking GETS provides NS EP users priority access to and specialized processing for NS EP calls in local and long-distance networks • • • • • TSP-type services in the NGN will provide for the priority provisioning and restoration of network services rather than circuit-based services Although specific NGN standards have not yet been developed to support NS EP requirements the NGN technology is capable of supporting these requirements Standards bodies are examining QoS and other new NGN capabilities that may be useful in satisfying certain NS EP functional requirements in the NGN and the appropriate departments and agencies should continue active participation in these groups QoS and other new NGN capabilities will require some enhancement to best satisfy specific NS EP requirements Therefore the NS EP community should determine as soon as practicable precise functional NS EP requirements for the NGN The appropriate departments and agencies should continue to participate in standards bodies activities related to NGN technologies to ensure that NS EP requirements are considered during development and implementation phases As the NGN evolves telecommunications carriers’ SS7 networks will become less discrete and more reliant on IP technology and interfaces Therefore it is necessary to consider the security reliability and availability of the NGN control space as it relates to the provision and maintenance of NS EP service capabilities The NSTAC recommended that the President direct the appropriate departments and agencies in coordination with industry to promptly determine precise functional NS EP requirements for Convergence and the NGN and ensure that relevant NS EP functional requirements are conveyed to standards bodies and service providers during standards development and implementation RISK MANAGEMENT Presidential Decision Directive 63 emphasizes the importance of relying on nonregulatory solutions to address infrastructure vulnerabilities In satisfying this objective the Critical Infrastructure Assurance Office has underscored the value of promoting industry standards and best practices to improve infrastructure assurance That approach is entirely consistent with an NSTAC study initiated in 1995 and the resulting recommendation related to the creation of a private sector Information Systems Security Board ISSB The NSTAC developed the ISSB concept as a potential means for providing consistent standardized guidelines for the protection of commercial information systems and networks National Information Infrastructure NII Task Force Report February 28 1996 National Information Infrastructure NII Task Force Report March 1997 During 1995 the NSTAC explored the concept of establishing an industry-operated security center of excellence as a potential focal point for enhancing the security component of the NII The NSTAC identified several security functions considered important to improving NII security and appropriate for the private sector to perform After scoping potential organizational models for an ISSB the NSTAC concluded that several business issues should be considered to determine such an organization’s viability In its in-depth follow-up study of the ISSB which was completed in 1997 the NSTAC refined the concept and developed a model for an ISSB that could work with recognized testing laboratories and commercial security consulting services to strengthen the overall security of the information infrastructure The NSTAC designed the model to promote information systems security principles and standards to improve the reliability and trustworthiness of commercial information products and services To gain feedback from the broad community an Information Security Systems Board Concept Paper was written to outline the functions and processes of the ISSB and serve as the centerpiece for the outreach effort Attached to the concept paper was a questionnaire designed to stimulate discussion and elicit comments regarding the proposed ISSB concept the need for an ISSB an appropriate role for the Federal Government and membership issues The NSTAC’s outreach effort revealed broad and general support for the ISSB concept among diverse industry groups It also surfaced various questions and issues related to ISSB implementation such as the appropriate role of the Federal Government the relationship of the ISSB to ongoing information security activities and the international implications of the ISSB The NSTAC concluded that the private sector was capable of establishing and operating the ISSB Further both the private sector and Government expressed support for private sector leadership of the ISSB without Government oversight or control In response to additional NSTAC outreach the private sector initiated an exploratory effort about establishing an ISSB and the NSTAC continued to track its acceptance and progression within the community RESPONSE AND RECOVERY On the basis of a National Security Telecommunications Advisory Committee NSTAC recommendation the National Communications System NCS established the National Coordinating Center for Telecommunications NCC in 1984 as a joint industry and Government mechanism to assist in the initiation coordination restoration and reconstitution of national security and emergency preparedness NS EP telecommunications services and facilities under all circumstances Since 1984 threats to the NS EP telecommunications infrastructure have changed significantly In response the NSTAC undertook a series of studies to consider the implications of the new environment for the functions performed by the NCC At the same time the NSTAC revisited an earlier NSTAC concept—the National Coordinating Mechanism NCM —that could serve as a framework for responding to incidents across national infrastructures e g electric power financial services and transportation Separately the NSTAC examined the possibility of a widespread outage in the public telecommunications network resulting from rapid changes in industry structure regulation and technology as well as threat More recently in October 2000 the Assistant to the President for Science and Technology asked the NSTAC to take a fresh look at the possibility of a widespread outage in the converged Next Generation Network environment Citing previous NSTAC work the May 2000 NSTAC Information Technology Progress Impact Task Force Report on Convergence the request noted that convergence of voice and largely unregulated data networks will not only change the physical nature of the communications network but may also introduce many new technical operational and security concerns Further the Assistant to the President for Science and Technology stated that these challenges may require Government to develop new policies plans programs and perhaps protections under law or other mandates to help ensure the availability of NS EP communications Among the questions to be answered are 1 How should existing NSTAC NCS NCC and other private and Government organizations evolve with the networks to ensure a quick organized and technically competent response in the case of a widespread outage 2 What reasonable steps could the Government take to help the NSTAC and the industry in general better prepare to react to a widespread outage in these networks In November 2000 the NSTAC undertook a study to determine whether a widespread outage of the converged and next-generation networks is a realistic possibility and the associated risk factors that the Government and industry need to consider The preliminary analysis of NS EP telecommunications in a converged network environment focused on its relative immaturity when compared with the legacy PSN According to this analysis NS EP communications should utilize the converged network but until complete confidence is established the community should not rely exclusively on services based upon converged networks The Convergence Task Force will explore the issue further The NSTAC will provide an interim report to the Administration at the NSTAC XXIV meeting in June 2001 Operations Support Group OSG Reports of December 1997 September 1998 and June 1999 In 1996 the NSTAC began to examine whether the mission organization and capabilities of the NCC were still valid considering the ongoing changes in technology industry composition threats and requirements Throughout 1997 the OSG worked closely with the NCS member organizations and NCC industry representatives to develop a common framework for assessing the NCC’s ongoing role The OSG validated the original 10 NCC chartered functions and updated the NCC Operating Guide both written in 1984 for the current operational environment Also in response to a request for assistance from the Manager NCS to develop an indications assessment and warning IAW response capability in the NCC the group determined that an electronic intrusion incident information processing function could be integrated into the NCC’s activities In August 1997 the group held an industry and Government tabletop exercise to test the draft concept of operations for the NCC intrusion incident information processing In December 1997 the NSTAC approved the OSG report which documents these activities and endorsed the NCC’s implementation of an initial intrusion incident information processing pilot program to develop the IAW function During 1998 the OSG worked closely with the Office of the Manager NCS as the NCC implemented the IAW pilot which was completed in October 1998 In addition the OSG developed a document NCC Intrusion Incident Reporting Criteria and Format Guidelines to establish standardized reporting criteria and to outline steps in NCC electronic intrusion report collection processing and distribution On the basis of the experience of the pilot and the work of the NSTAC’s OSG the NCC decided to fully incorporate the IAW function into its operations In its September 1998 report the OSG concluded that the NCC provided a model for all infrastructures by which information could be gathered analyzed sanitized and provided to the Government On the basis of that finding the NSTAC recommended that lead departments and agencies as designated in Presidential Decision Directive 63 PDD-63 consider adopting the NCC model as appropriate for the various infrastructures to provide warning and information in response to cyber incidents Furthermore the NSTAC recommended that such activities take place in the context of the NCM concept developed by the OSG The OSG refashioned the original NCM concept developed by the NSTAC to coordinate planning information sharing and resources in response to NS EP requirements Unlike the original NCM plan that applied to the telecommunications infrastructure and which led directly to the establishment of the NCC in 1984 the revised NCM concept involved linking all of the Nation’s critical infrastructures The OSG continued to assist the NCS and the NCC as the NCC implemented its pilot electronic intrusion incident processing function The group also assessed whether the NCC required additional industry and Government participation within the NCC to widen the scope of expertise and operational personnel available to fulfill the IAW mission Specifically the group developed a list of companies and Government departments and agencies for the Manager NCS to consider as candidates for NCC participation After further efforts during 1999 the NSTAC agreed with the OSG determination that the NCC was performing the primary functions of an Information Sharing and Analysis Center ISAC for the telecommunications sector and concluded that industry and Government should establish it as such PDD-63 proposed the concept of an ISAC as a private sector entity responsible for gathering analyzing sanitizing and disseminating to industry private sector information related to vulnerabilities threats intrusions and anomalies affecting the critical infrastructures In January 2000 the National Security Council agreed with the NSTAC’s 1999 conclusion that the NCC was serving as an ISAC Following this the NCC formally announced its operation as an ISAC for the telecommunications sector Throughout the period from 1997 to 1999 the OSG also investigated the NCC’s operational readiness and coordination capabilities for potential public network disruptions caused by the Year 2000 Y2K problem Among other things it examined the need for Y2K outreach efforts the need to emphasize contingency planning and restoration scenarios the potential for public overreaction to the Y2K problem and the lack of a global approach to handle Y2K issues that were international in scope The findings and recommendations related to these efforts are included in the OSG’s final reports Lessons learned from the NCC Y2K experience that could advance operational information sharing were examined by the NSTAC’s Information Sharing Critical Infrastructure Protection Task Force and are discussed in the task force’s May 2000 report Network Group Widespread Outage Subgroup WOS Report December 1997 and Network Group Report September 1998 In April 1997 Dr John Gibbons Assistant to the President for Science and Technology requested that Mr Charles Lee then Chairman of the President’s NSTAC provide the NSTAC’s forward-looking views on the possibility of a widespread service outage in the public telephone network The NSTAC defined widespread outage as a sustained interruption of telecommunications service that would have strategic significance to Government industry and the general public Such an outage would likely affect the telecommunications service in at least one region of the country including at least one major metropolitan area It would involve multiple carriers affecting both long-distance and local service and significantly degrade the ability of other essential infrastructures to function Such an outage would impact the availability and integrity of telecommunications service for at least a significant portion of a business day The NSTAC found that U S telecommunications service providers have historically offered robustness availability and quality unparalleled by other public services Although the public network PN track record is superlative members determined that natural and technological threats could adversely affect telecommunications service These threats could also disrupt other critical infrastructures such as electric power on which the PN is highly dependent for sustained operation The NSTAC found that while the PN’s supporting technologies provide an expanding array of services and features and facilitate robustness these same supporting technologies can introduce exploitable vulnerabilities with adverse effects on service availability and reliability Considering these threats and vulnerabilities the NSTAC agreed that the potential concern for a widespread network outage is reasonable Given the limited precedent for telecommunications outages of this magnitude NSTAC members’ prior experiences with smaller-scale outages led them to conclude that there is a low probability of a widespread sustained outage of public telephone service However the potential societal impacts of such an outage are high enough to warrant consideration The NSTAC offered recommendations for the President to decrease the overall probability of a widespread outage including— • • • Improve intercarrier coordination for widespread outage recovery Remove legal and regulatory obstacles to widespread outage recovery Foster education and awareness Subsequently in a 1998 follow-up study of the issue the NSTAC reached the following conclusions • • The greatest opportunity for ensuring the continued reliability of the PN will ensue as both established entities and newer entrants adhere to and help develop industry standards and best practices The focal point for industry and Government coordination for operational matters has been and should remain at the NCC The NCC has initiated an effort to expand the National Telecommunications Coordinating Network to improve communications capabilities with critical entities during network outage conditions INFORMATION SHARING The Information and Communications I C sector has numerous forums for sharing policy operational and technical information The President’s National Security Telecommunications Advisory Committee NSTAC and associated industry and Government entities have served as models for information sharing for many years Other new forums are being developed specifically in response to Presidential Decision Directive 63 PDD-63 Critical Infrastructure Protection By developing national security and emergency preparedness NS EP telecommunications recommendations for the President the NSTAC has provided since 1982 a forum for developing and sharing policy information The National Coordinating Center for Telecommunications NCC provides a forum for sharing operational telecommunications information among the industry and Government agencies participating in the NCC The industry and Government Network Security Information Exchanges NSIE were established in 1991 for exchanging lessons learned and technical information related to network security Recently the NSTAC has been investigating information-sharing issues as they relate to critical infrastructure protection and network security As one of the results of these ongoing studies the NSTAC recommended and the NCC has been designated as an Information Sharing and Analysis Center ISAC within the framework of PDD-63 see Attachment A NCC ISAC at the end of this section In addition Congress the Department of Justice and others are actively considering legislation designed to encourage industry NS EP disclosures by exempting that information from release under the Freedom of Information Act FOIA The NSTAC has written to the President asking him to support such legislation particularly legislation like the FOIA exemption in the Year 2000 Y2K Information and Readiness Disclosure Act In addition an initial outline has been developed discussing the types of provisions that FOIA legislation should include and that might best encourage industry sharing of NS EP information Information Sharing Critical Infrastructure Protection IS CIP Task Force Report May 2000 A focal point of the NSTAC’s report to the President was an examination of historical lessons learned that would advance operational information sharing in the context of critical infrastructure protection Benefits of Information Sharing The NSTAC recognized that historically information sharing and the resulting benefits have been a function of trust Information exchange in a trusted environment which may be achieved only gradually helps both industry and Government participants build on lessons learned by others As trust builds participants in informationsharing forums may make more detailed information available With such information industry and Government can strengthen security and prevent or mitigate the damage caused by future incidents or attacks The process may also facilitate information sharing across critical infrastructures The NSTAC determined that specific benefits could accrue to both industry and Government Government will be better able to determine the type of threat facing the Nation’s critical infrastructures today and in the future through joint industry and Government informationsharing initiatives By combining private sector information about the type of incidents and attacks that are experienced with information obtained through intelligence and law enforcement sources Government participants may develop warnings and advisories that can also assist other departments and agencies in the Federal State and local governments the critical infrastructures and security organizations in protecting their own systems and responding to incidents Partnering with Government may allow industry to obtain more detailed threat information As Government provides the private sector with indications and warnings and information on specific threats facing the Nation companies may develop a better understanding of the threats facing their particular infrastructure and may be willing and able to take further action to protect the sector Access to Government threat-related information through information-sharing initiatives may increase the opportunity for the private sector to determine where it will get the “most bang for its security buck ” Impediments to Information Sharing The NSTAC investigated several impediments to information sharing including legal perceived and operational Legal Impediments Foremost among the legal impediments examined by the task force was the FOIA In 1997 the President’s Commission on Critical Infrastructure Protection PCCIP recognized the need for voluntary information sharing and identified the FOIA as a barrier to the information-sharing process The rationale was that FOIA makes information sharing in the possession of the Federal Government available to the public upon request As a result and as noted by the PCCIP potential participants in an information-sharing mechanism may require assurances that their sensitive information will remain confidential if shared with the Federal Government More recently Congress at the urging of industry and Government recognized that FOIA might be a barrier to voluntary information sharing in preparation for and during the Y2K rollover On the basis of its finding that protection of voluntarily shared information must be provided the NSTAC recommended to the President that the then-pending Y2K Information and Readiness Disclosure Act be supported The legislation which was enacted into law Public Law 105-271 contained a provision to protect information that is voluntarily shared with the Government That information is to be treated as part of a “special data gathering” from disclosure under FOIA Both the Y2K experience and PDD-63 have raised awareness about the sensitivities of information-sharing processes However in the context of PDD-63 critical infrastructures are being asked to share information for a longer duration and under less defined conditions than previously experienced during Y2K Consequently the NSTAC concluded that for PDD-63 information-sharing initiatives to be fully implemented protection of voluntarily shared information from disclosure under FOIA must be provided As a result the NSTAC recommended that the President support legislation similar to the Y2K Information and Readiness Disclosure Act for the purposes of information sharing for critical infrastructure protection Perceived impediments Perceived impediments generally relate to the difference in perspectives between industry and Government regarding the threat to critical infrastructures On the whole industry believes it understands and is adequately mitigating the threat to its operations At the same time the Government has referred to an increased hostile international threat to the critical national infrastructures However this threat is unclear The NSTAC found that without a clear and present danger it is difficult for industry to justify spending additional dollars to protect systems that may never be attacked The NSTAC also found that an additional perceived impediment was the view that information shared between competing companies may be used to gain business advantage over the company willing to share information on operational difficulties Operational Impediments Industry shares information using several channels Providing the same information to multiple entities places demands on corporate resources By designating one forum as a repository for information related to a particular industry sector the demands placed on a company for information sharing should be reduced As an ISAC for telecommunications the NCC is positioned to serve as that forum through which industry and Government can share telecommunications indications assessment and warning information The NCC as a coordinating entity could then forward information in an agreed-on form to other appropriate bodies e g other ISACs the National Infrastructure Protection Center and the Computer Emergency Response Team Coordination Center as permitted under informationsharing agreements Legislative and Regulatory Group LRG Report June 1999 Following NSTAC XXI and in response to information-sharing policy outlined in PDD-63 the NSTAC set out to identify and assess legal and regulatory obstacles to sharing outage and intrusion information To that end the NSTAC determined that identification and discussion of existing and proposed NS EP-related outage and intrusion information-sharing mechanisms could provide additional insights in assessing critical infrastructure protection issues To better understand the information-sharing environment and the entities involved in the process the NSTAC developed a document titled Telecommunications Outage and Intrusion Information Sharing Report and included in the LRG’s 1999 report to the President illustrating the entities with which telecommunications companies shared outage and intrusion information The LRG also reviewed potential legal barriers that could inhibit the information-sharing process The major barriers studied by the group included those associated with FOIA liability and antitrust The NSTAC also examined several other potential barriers initially identified by the PCCIP including those associated with classified information and national security State government liability disclosure confidential information and trade secrets and proprietary information The NSTAC drew general conclusions in the following areas • • • • • • • Information sharing occurs in a number of forums Legal barriers may affect information sharing Information sharing is mostly voluntary Voluntary information sharing depends on receiving a benefit Information sharing is based on trusted relationships Information sharing may depend on the company and individual participant Information sharing is content-focused RESEARCH AND DEVELOPMENT R D NEEDS Over the years the President’s National Security Telecommunication Advisory Committee NSTAC has investigated several R D issues as they relate to the national security and emergency preparedness NS EP telecommunications infrastructure Recent issues focused on R D for intrusion detection technologies and technologies that address telecommunications infrastructure vulnerabilities The NSTAC has also sponsored several R D Exchanges to surface issues and needs related to the security of the telecommunications infrastructure Network Group Intrusion Detection Subgroup IDSG Report December 1997 In 1997 the NSTAC conducted a study of intrusion detection technology R D that included an examination of existing and planned intrusion detection technology R D initiatives and provided analysis in terms of meeting NS EP requirements The NSTAC determined that there was no overarching national technology policy that articulated a vision concerning Federal intrusion detection R D The NSTAC concluded that R D in this area should focus on the network and infrastructure levels and establishing testbeds and laboratories to develop standards metrics and testing procedures The study showed that a need existed for Federal investment in educating and training employees to recognize intrusion and to heighten their awareness of the risks electronic intrusion involves NSTAC R D Exchanges The first R D Exchange sponsored in 1991 was intended to provide a forum for industry and Government officials to discuss six technology areas identified by the NSTAC and to exchange information about ongoing R D projects The theme for the two-part event was intrusion detection The NSTAC held the second R D Exchange in September 1996 to facilitate a common understanding of network security problems affecting NS EP telecommunications to identify R D programs in progress to address those problems and to identify future security technology R D needs Participants focused on the issue of academic excellence in information assurance IA Then in October 1998 the NSTAC co-sponsored the third R D Exchange to examine collaborative approaches to security technology R D The participants also discussed the need for training more IT security professionals creating large-scale test beds to test security products and solutions and promoting the creation of IA Centers of Excellence in academia NSTAC R D Exchange Proceedings 2000 In September 2000 the NSTAC sponsored its fourth R D Exchange with the Telecommunications and Information Security Workshop TISW 2000 at the University of Tulsa The theme for the 2-day event was “Transparent Security in a Converged and Distributed Network Environment A Dream or a Nightmare ” The purpose was to stimulate an exchange of ideas among representatives from industry Government and academia on the challenges posed by the convergence of the traditional public-switched network and the Internet into a Next Generation Network NGN The general conclusion of the R D Exchange was that the challenges to securing networks in a converged and distributed environment grow more difficult Further those challenges require a greater deal of cooperation among network providers vendors and users More specifically the participants concluded that— • The shortage of qualified IT professionals particularly those with expertise in IA and or computer security remains a major impediment to strengthening the security of the NGN The participants believed programs such as the Scholarship for Services program under the Federal Cyber Service initiative and others designed to create financial incentives for students to pursue computer security disciplines at the graduate and undergraduate levels need to be implemented • The IA Centers of Excellence program is an excellent initiative to address the growing demand for computer security professionals but needs to be expanded beyond the current 14 schools Moreover a need exists to make information about the IA Centers of Excellence and other IA curricula and certifications available to other schools such as community colleges and technology trade schools In addition participants encouraged cyber ethics training at the K to 12 level • The Partnership for Critical Infrastructure Security represents an important step in enhancing the relationship between the private sector and the Government but wider participation by academia and officials in State and local governments is needed • Developing a business case for security poses difficult challenges in the commercial sector and there is a need to offset the high costs and high risks associated with R D in security technology Tax credits and other financial incentives might enable companies to minimize their risks and encourage commercial enterprises to increase the funding of security technology R D • Given the complexity introduced to networks by convergence and the proliferation of network providers and vendors best practices standards and protection profiles that ensure security must be evenly applied across the NGN • R D efforts need to be enhanced to develop better testing and evaluation programs to reduce the vulnerabilities introduced by malicious software Although securing the transmission of voice and data remains an important concern identifying security vulnerabilities in the network control space is equally important • New types of threats such as distributed denial-of-service attacks challenge corporations to develop security policies to protect themselves from liability claims For example new legal precedents case law and Federal legislation such as the Health Insurance Portability and Accountability Act of 1996 are forcing organizations to take new security measures to protect the confidentiality and integrity of information or risk civil litigation • Although technology remains an important component in building security solutions it is vital to conduct research activities in other areas such as operations legal and public policy and human factors The efficacy of technological solutions often depends on the ability of human operators to properly implement administer and manage the technology consistent with company policy and the legal constraints • There is a need to sponsor joint events like TISW 2000 and the R D Exchange that facilitate a dialogue among representatives from industry Government and academia All three communities play a crucial role in the R D of security technologies and applications and participants described how holding events at universities with IA programs offered unique benefits Most notably such events allow security practitioners from industry Government and academia to share views and opinions on R D issues in an informal research-oriented setting INTERNATIONAL CONSIDERATIONS In the early 1990s the Government recognized the growing importance and criticality of the information infrastructure With the release of An Agenda for Action the Administration promoted a national strategy to develop a robust accessible and reliable information infrastructure that would satisfy the national and economic security interests of the United States Since that time growing competition and technological innovation have resulted in a national and global interconnected open-information infrastructure that offers commercial efficiencies and societal benefits Soon after the release of An Agenda for Action the Government focused on the ongoing development and expansion of the global information infrastructure GII Although the expansion of the GII and the globalization of communications and IT generate obvious economic and societal benefits they pose new risks for critical infrastructures and services Mitigating these risks is necessary for protecting our Nation’s and our allies’ critical infrastructures The President’s National Security Telecommunications Advisory Committee NSTAC has studied the current and future nature of the GII and investigated the impact of the GII on national security and emergency preparedness NS EP communications Although international considerations were not a part of Version 1 of the National Plan NSTAC would like to include a discussion of them to help further the dialogue between industry and Government concerning critical infrastructure protection issues Globalization Task Force GTF Report May 2000 The NSTAC studied several international issues in its May 2000 report to the President These included NS EP issues related to the GII in 2010 foreign ownership of NS EP critical communications systems and technology export policies The NSTAC concluded that in 2010 NS EP communications would be facilitated by a GII featuring new technologies and improved network features The GII in 2010 would also provide increased global availability of broadband communications with satellite communications and wireless technologies bringing the GII and NS EP communications to less accessible geographic regions However despite the plethora of technological capabilities forecasted for 2010 there is no guarantee that all essential communications capabilities will be ubiquitously available Given the global reach and communications needs of some U S NS EP missions prudent NS EP communications contingency planning should consider end-to-end systems using a broad range of wireless satellite and terrestrial capabilities The NSTAC also concluded that in addition to planning for the global availability of the GII in 2010 the Government must consider the richness of service envisioned in the future network architecture and decide whether NS EP communications will require QoS features beyond commercially available capabilities Any and perhaps all of the potential protocols of 2010 could be considered candidates for hosting NS EP requirements Thus the Government must continue being proactive in its attempts to cooperate in developing industry standards and technical specifications for next-generation and IP-based networks The NSTAC also examined the implications of foreign ownership of critical U S telecommunications facilities on NS EP services The NSTAC developed a scoping paper on the issue and concluded that the current regulatory structure effectively accommodated increasing levels of foreign ownership of U S telecommunications facilities while allowing the Federal Government to retain the authority to prevent any such foreign ownership that might compromise national security interests In addition the NSTAC examined technology export policies dealing with the transfer of strong encryption products satellite technology and high-performance computers The NSTAC compiled basic information about key technology export issue areas and monitored the implementation of new export policies and regulations The NSTAC also investigated the development of guidelines to assist companies in understanding Government approval of technology sales The NSTAC concluded that because technology progresses faster than policy industry and Government should continue to reevaluate the limits placed on the export of technologies ATTACHMENT A NCC-ISAC Excerpted from the NSTAC’s IS CIP Task Force Report May 2000 Appendix D NSTAC Recommended Input to the National Plan The following text is recommended for inclusion in subsequent versions of the National Plan The text addresses the designation and implementation of the National Coordinating Center for Telecommunications as an Information Sharing and Analysis Center for telecommunications National Coordinating Center for Telecommunications In response to a National Security Telecommunications Advisory Committee NSTAC recommendation the National Coordinating Center for Telecommunications NCC was established and began operations on January 1 1984 as a joint industry Government National Coordinating Center capable of assisting in the initiation coordination restoration and reconstitution of national security and emergency preparedness NS EP telecommunications services and facilities under all conditions of crisis or emergency Subsequent to beginning operations the NCC was formalized on April 3 1984 when President Reagan signed Executive Order 12472 Assignment of NS EP Telecommunications Functions This joint industry Government center facilitates information sharing between industry and Government through the following functions as identified in the industry Government approved Charter • promptly provide technical analysis and damage assessment of service disruptions and identify necessary restoration actions • coordinate direct prompt restoration of telecommunications services in support of NS EP needs • develop and exercise comprehensive service restoration plans • develop watch center type functions to work through cooperating industry operation centers to effectively monitor the status of essential telecommunications facilities • maintain access to an accurate inventory of the minimum essential equipment personnel and other resources that are available for restoration operations including the location and capabilities of all industry’s network operations centers • identify liaison points in each company • maintain ability to rapidly transfer operations from normal to emergency operations • coordinate direct and expedite the initiation of NS EP telecommunications services • contribute to the development of technical standards and national network planning and ensure application of those standards and dissemination of those plans to facilities serving NS EP needs and • coordinate direct network reconfiguration plans in support of NS EP needs The NCC’s role in fulfilling its charter functions began to evolve in the changing environment following the end of the Cold War and as the Administration determined that national security includes economic security In 1996 the NCC began to develop an indications assessment and warning IAW capability The NSTAC concluded that the IAW capability was within the scope of the NCC Charter and in 1998 directed the NCC conduct an IAW pilot project Lessons learned from the pilot project were incorporated into the NCC’s ongoing operations Following the issuance of Presidential Decision Directive PDD 63 Protecting America’s Critical Infrastructures in May 1998 the NSTAC concluded that the NCC performs the primary functions of an Information Sharing and Analysis Center ISAC in the context of PDD-63 The National Coordinator for Security Infrastructure Protection and Counter-Terrorism agreed in a memorandum dated January 18 2000 The NCC is unique as an ISAC It is a joint industry Government organization located in the Office of the Manager National Communications System and staffed by both industry and Government Information sharing between industry and Government has been taking place in a trusted environment over the past 16 years in the NCC A phased implementation plan developed by both industry and Government will address expanded participation NCC activities and external coordination to achieve full operating capability APPENDIX SHARING INFORMATION ON IN CIDEN TS REPORTED TO LAW ENFORCEMENT SHARING INFORMATION ON INCIDENTS REPORTED TO LAW ENFORCEMENT At the May 2000 meeting of the President’s National Security Telecommunications Advisory Committee NSTAC XXIII the NSTAC Principals discussed with senior Government officials how to improve the sharing of information between Government and industry regarding electronic intrusions into network systems and databases One issue discussed with Mr Michael Vatis Director of the National Infrastructure Protection Center NIPC was whether victims of such crimes were prohibited by law enforcement from reporting the intrusions to Information Sharing and Analysis Centers ISAC or similar information sharing forums Because the Principals and the Director NIPC had different views on this issue Mr Van Honeycutt NSTAC Chair suggested that NSTAC document its concern INDUSTRY’S EXPERIENCE Throughout the 10-year history of the Government and NSTAC Network Security Information Exchanges NSIE NSTAC NSIE representatives have noted that they could not discuss intrusions into their networks and systems with anyone else after reporting them to law enforcement because case agents told them that doing so might compromise their cases Because the companies and individuals wanted to cooperate with law enforcement and did not want to risk jeopardizing their cases they have honored these requests This restriction has hindered information sharing within the NSIE and more recently threatens to have the same effect on industry’s participation in ISACs THE LAW Ms Martha Stansell-Gamm Chief Computer Crime and Intellectual Property Section Department of Justice DOJ confirmed that there are no laws or policies prohibiting victims from discussing crimes against them even after they have reported them to law enforcement Victims can share their own experiences with the incidents with anyone this information includes any testimony victims provide to a grand jury The law clearly places no restrictions on victims discussing intrusions within the NSIEs or sharing such information with an ISAC As a practical matter however Ms Stansell-Gamm noted that discussing a pending case too broadly can jeopardize its successful prosecution The key is to discipline the dissemination of information Some examples include sharing appropriate information in appropriately protected forums such as the NSIEs or an ISAC or using other mechanisms that meet information-sharing needs and that also protect sensitive information CONCLUSION Current law technically allows victims to share information on cases they have reported to law enforcement However industry’s experience indicates that common practice discourages victims from sharing such information with anyone This reflects a lack of understanding on the part of victims case agents and prosecutors on the benefit of sharing some information with some people to prevent further crimes Ms Stansell-Gamm acknowledged that the section’s and the NIPC’s policy to encourage this disciplined information sharing may not be reflected in common practices within the law enforcement community In response to industry’s concern Ms Stansell-Gamm offered to— • • • • Work with other components of DOJ and the Federal Bureau of Investigation to develop policies that encourage victims to share information on electronic crimes in protected forums or using other appropriate means to strengthen network security Ensure that Federal law enforcement personnel understand and implement those policies Educate victims on those policies Encourage other law enforcement agencies State and local as well as international to take these same actions As noted victims mistakenly assume that they are legally prohibited from sharing information after reporting a case to law enforcement The private sector must ensure that its personnel who interact with law enforcement on such cases are aware that they not only are allowed but also are encouraged to share this information through appropriate mechanisms for network security purposes The NSIEs and the ISACs are examples of such mechanisms The NSIEs have put procedures in place to protect the sensitive details and have a 10-year record of sharing acting on and successfully protecting sensitive information Ms Stansell-Gamm suggested that the NSIEs could assist in building law enforcement’s confidence that information shared for network security will be properly disciplined She asked the NSIEs to clarify their procedures for sharing and protecting information and to assist her in communicating them to law enforcement NSTAC’s NEXT STEPS On the basis of Ms Stansell-Gamm’s response to industry’s concerns the Government and NSTAC NSIEs believe that no further NSTAC action is necessary The Government and NSTAC NSIE will document their procedures for sharing and protecting information and will continue to work with DOJ to communicate these procedures to the law enforcement community
OCR of the Document
View the Document >>