FAS Intro: The following White Paper, prepared by the staff of the
Security Policy Board in December 1995, describes the government's attempt to come to grips with the potential threat to the U.S. information infrastructure. It was obtained by the
FAS Project on Government Secrecy.
WHITE PAPER ON INFORMATION INFRASTRUCTURE ASSURANCE
PURPOSE: To provide a national perspective on the security-related challenges presented by the
emergence of a National Information Infrastructure (NII), to assess the Federal Government's
current ability to address these challenges, and to offer ideas and options for meeting them.
The nation is at risk. On 16 July 1995 The Washington Post ran a major article on the
vulnerability of the NII: "The Pentagon's New Nightmare: An Electronic Pearl Harbor."
A few weeks later Time magazine's cover story on "CYBER WAR" was captioned: "The U.S.
rushes to turn computers into tomorrow's weapons of destruction. But how vulnerable is the
home front?" Both articles drew upon threat and vulnerability data from a wide variety of
Government and private reports, such as the 5 December 1994 National Communications System
report on "The Electronic Intrusion Threat to National Security and Emergency Preparedness."
That report found that electronic intruders are attacking data networks at increasing rates, and
have compromised elements of the telephone signaling network. A senior DISA official has
bluntly stated that "We are not prepared for an electronic version of Pearl Harbor" and that "Our
electronic infrastructure is not safe and secure." In 1999 DISA tested the security of DoD
information systems by attacking nearly 10,000 systems using widely available techniques.
They successfully penetrated 88 percent, of which only 4 percent were even detected. VADM
John M. McConnell, Director of the National Security Agency, emphasizing the asymmetry in
our national risk, has said that "We're more vulnerable than any other nation on earth." External
threats are real: intelligence data indicate that at least 30 countries are actively working on
information warfare programs.
Outside of DoD the situation is no different. The telephone system, the banking, credit, and
Federal Reserve systems, the stock exchanges, the power and fuels distribution systems, the air
traffic control and other intelligent transportation systems, the federal elections system, public
safety and law enforcement all depend heavily on networked information systems which are
potentially vulnerable to network-based attacks. Most observers agree that business losses are
notoriously under-reported, but one recent press estimate put U.S. losses within the past year
from computer crimes via the Internet alone at $5 billion.
The situation will probably get worse. The major trends contributing to increased risk
show no signs of abatement: (1) The explosive growth in inter-networking; some estimates put
the increase in new Internet terminals worldwide at 10,000 or more per day. (2) The
skyrocketing expansion in data handling capacities; PC hard disks of up to two gigabytes are
now widely available at low cost. At the network level, terabit per second switches are close on
the horizon, as well as photonic switches which will allow full use of the fiber optic
infrastructure's vast bandwidth. The nation, in short, will continue to place many more, and
valuable, eggs in the electronic basket, increasingly vulnerable to multiplying foreign and
domestic network-based threats.
This is a national problem. Business and private industry can be counted upon to meet their
risk management needs by protecting their information systems assets commensurate with their
perceptions of the commercial value of the asset, its vulnerability, and the threats to it - or they
may simply write off losses as a cost of doing business or obtain some form of indemnity
through insurance. It is extremely unlikely, however, that these measures to indemnify private
assets will be sufficient to address the broader public vulnerability and national level threats.
The genuine potential for large-scale disruption of major portions of the national infrastructure
via network-based attacks leads to the inescapable conclusion that this is a problem of national
dimensions. Under basic Constitutional responsibilities to "insure domestic Tranquility; provide
for the common defence; and promote the general Welfare..." an effective Federal Government
response before an information-based national catastrophe occurs becomes absolutely essential.
The national level and gravity of the problem are underlined by the Federal Government's
extremely high (and increasing) degree of dependence on the NII to carry out critical
governmental responsibilities, including national security, defense, law enforcement and public
safety functions. No one knows the exact degree of this governmental dependence on the
availability and integrity of the NII, but it is extremely high. Informed estimates suggest that 90
to 95 percent of the information needed to carry out essential Governmental functions must in
some way be processed by information systems in the privately owned and operated parts of the
The Federal Government is poorly organized and resourced to ensure adequate NII security in
terms of availability, integrity, and confidentiality. There are many different boards,
commissions, working groups, forums, committees, advisory councils, etc., scattered throughout
the Executive Branch, each of which has some aspect of information infrastructure assurance
within its sphere. A few of the more prominent include:
- Information Infrastructure Task Force (IITF), with its three committees on Information
Policy, Telecommunications Policy, and Applications and Technology, and other working
groups, such as the Reliability and Vulnerability Working Group.
- Security Issues Forum (SIF), under the IITF
- U.S. Security Policy Board (SPB) and Security Policy Forum (SPF), with its full-time Staff
and five committees and numerous working groups
- Security Policy Advisory Board (personnel have been selected by the President; the SPAB
should be activated soon)
- IITF NII Advisory Council
- National Security Telecommunications Advisory Committee (NSTAC), and its Information
Assurance Task Force
- National Communications System (NCS) and its recently-created Office of Information Assurance
- Computer Systems Security and Privacy Advisory Board and its several committees
- National Security Telecommunications and Information Systems Security Committee (NSTISSC) and its committees, including an NII Task Force
- Federal Computer Systems Managers' Forum
- Several closely-related entities, primarily within the DoD, dealing with Defensive Information Warfare
- Security Infrastructure - Program Management Office, administered by GSA
Although there are many points at which these organizations intersect with each other, the big
picture is one of fragmentation, duplication, and inefficiency. This shows up in at least four
(1) There's no single entity with sufficient breadth of vision, responsibility and resources to
effectively manage the Executive Branch's efforts towards the goal of information
infrastructure assurance. This was recently highlighted by the Rand Corporation's gaming
exercise, "The Day After." It was clear to most participants of this exercise that a deadly
information attack on America was feasible, and that, because of the government/private and
nationally distributed nature of the "target," we had no one in charge, or even capable of pulling
the necessary defensive efforts together. As stated by the Defense Science Board in a recent
report: "There is no nationally coordinated capability to counter or even detect a structured
(2) The Executive Branch currently has no effective organization or entity to act as a "Fair
Court" in making security-related policy decisions which fairly balance - and are widely
perceived to fairly balance - the sometimes competing but legitimate interests of national security,
law enforcement, commerce, and personal privacy in the national interest. Current areas of
contention which require careful balance in the national interest include national encryption
policy, export controls, and information system standards. As digital networking comes to
dominate the information universe, however, there will be other complex policy and resource
issues which will have to be decided on the basis of what's best for the nation as a whole, instead
of which particular bureaucracy/constituency wins which particular policy battle. If the
Government is to have the capability to find the best, balanced, solutions to these future
challenges, it will need a technically competent, well-resourced and authoritative "Fair Court"
within the Executive Branch.
(3) The Executive Branch currently has four overlapping NII security-related
"movements" going on, and their inter-relationships and coordination are not clear. One
"movement" tends to fall under the banner of "Information Assurance" and is led by the
NCS/NSTAC. A second closely related "movement" is grouped around the diverse
DoD-centered "Defensive Information Warfare" efforts. Although there are aspects of Defensive
Information Warfare which fall outside the boundaries of information assurance/security
activities (principally up-front I&W, and the defense against hard/physical attacks on critical
network nodes) a great deal of "Defensive Information Warfare" is synonymous with traditional
Information Systems Security (INFOSEC) activities and countermeasures. These INFOSEC
activities and organizational elements constitute the third, and oldest, of the NII security-related
"movements" within the Executive Branch, and are most developed in the Departments of
Defense (particularly at NSA) and Commerce (particularly at NIST). The fourth and most recent
such "movement" is made up of the diverse activities, committees and working groups, largely
under the umbrella of the IITF, which are focused on "NII Protection and Privacy."
(4) The limited Federal Government resources to achieve Information Infrastructure
Assurance appear to be inefficiently, ineffectively, and illogically scattered throughout the
Executive Branch. One of the widely shared criticisms of the Computer Security Act of 1987 is
that the law assigned substantial computer systems security responsibilities to the Department of
Commerce, but provided virtually no resources to execute these responsibilities. This is,
however, only one of the irrationalities which present themselves when the distribution of scarce
information security and assurance resources across the Executive Branch are considered from a
national perspective. Technical centers of excellence certainly exist, but it is doubtful that they
are effectively and efficiently applied to the highest priority problems. Similarly, the resources
being applied to Information Assurance Research and Development efforts do not appear to be
considered or managed from a national perspective, with resulting likelihood that there will be
research gaps, or unnecessary duplication. Emergency Response resources constitute another
critical area which certainly needs to be increased, but any such increase should be done from a
national perspective, based on carefully thought out national priorities. The immense increase in
information system inter-networking, the extraordinary growth in the value of our information
infrastructure and our Government's dependence upon it for performing critical functions, and
the increasingly obvious threats to and vulnerabilities of the NII, all point to the need for a
serious review and restructuring of these limited resources. The overall challenge of assuring the
health of our national information infrastructure has become too important for it to be addressed
by a hodge-podge of committees, councils and working groups, stitched together from the far
reaches of the Executive Branch.
Congress is demanding that the Executive Branch develop and implement a clear plan
for addressing the threats to, and vulnerabilities of, the NII. Although Congress has yet to
address its concerns with a single voice, individual senators, representatives, and committees
have increasingly asked, in effect, for the Executive Branch's plan to deal with NII security.
- The SSCI's report on the Intelligence Authorization Bill for FY96 (S.922) has specifically
called for the DCI and SECDEF to prepare "a comprehensive report which: (a) identifies the key
threats to U.S. computers and communications systems, including those of both the government
and the private sector (i.e., the Public Switched Network upon which the government heavily
depends); and, (b) provides a comprehensive plan for addressing the threats described in section
(a), to include any necessary legislative or programmatic recommendations required to protect
government or private U.S. information systems. The report shall be provided to the intelligence
and defense committees not later than March 1, 1996." In a thinly-veiled threat, the SSCI added:
"In the absence of such a plan, the Committee remains skeptical regarding the benefits that can
be achieved through increased funding for the Department of Defense Information Systems
- Senators Kyl and Leahy have sponsored S.982, the "NII Protection Act of 1995," and have
added an amendment to the Defense Authorization Bill (S.1026) "to require the President to
analyze all issues in developing a progressive, cohesive national policy toward protecting our
ability to communicate, our defense structure, and our information." In a letter to his senate
colleagues Sen. Kyl wrote: "We must begin now to elevate our efforts to protect the national
security interest of this country."
These two requests, together with closely-related comments, requests and legislative proposals
from other Congressional members and committees, amount to an overall demand for the
Executive Branch to articulate the NII's vulnerabilities and threats, and to deliver a real plan on
what to do about them. So far, no Executive Branch entity has emerged to answer the
Congressional mail on this overall issue, and to pull together a cohesive national policy and plan.
Given our current Executive Branch structures and resources, it appears unlikely that these
Congressional concerns will be satisfactorily resolved anytime soon.
THE SECURITY POLICY BOARD AND INFOSEC
Creation and Purpose: The U.S. Security Policy Board (SPB) and Security Policy Forum
(SPF) were created on 16 September 1994 by Presidential Decision Directive/NSC Number 29.
The SPB was established to be "the principal mechanism for reviewing and proposing to the
NSC legislative initiatives and executive orders pertaining to U.S. security policy, procedures
Committee Structure: Shortly after the Board and Forum were activated, six interagency
committees were proposed to operate under the auspices of the SPF, and to draft policies within
the major security disciplines. Five of these committees have been successfully established and
are currently addressing facilities protection, classification management, personnel security,
training and professional development, and policy integration. After more than a year, however,
the Board and Forum have been unable to stand up the sixth proposed committee - the
"Information Systems Security Committee."
Reasons for INFOSEC impasse: The reasons for the failure of the SPB to establish a
mechanism for dealing with INFOSEC are rooted in the bigger issues and broader national
challenge outlined in "The Situation" section of this paper. The central problem revolves around
the scope of the Board's charter and authority in the areas of information systems security and
assurance. Despite the broad interagency nature of the Board and Forum membership, the entire
PDD-29 structure is perceived by many outside the defense and intelligence communities to be
an arm of the national security community, and could therefore not operate as a
"Fair Court" for contentious information assurance issues. Critics point to the facts that: (1) the
Board reports to the President through his National Security Advisor; (2) the Board is co-chaired
by the DEPSECDEF and the DCI; and (3) the Board's full-time Staff is led by, and heavily
populated with, personnel from the defense and intelligence communities.
In addition to the concern about the Board's ability to act as a "Fair Court" in the greater
national interest, there is a closely-related, fundamental debate as to whether or not a single
entity - any entity, SPB or otherwise - can or should be empowered to make Government
INFOSEC policy applicable to information systems processing classified/national security
information and unclassified/sensitive information. There are many different arguments to this
debate, but they boil down to two opposing views:
- One group, primarily within the civil agencies, OMB, the information industry, and those
primarily focused on the personal freedom/libertarian dimensions of the Information Age,
believes that it is neither wise, desirable, nor legal (citing the Computer Security Act of 1987) to
combine policy making across the "classified" and "unclassified" communities. With respect to
protecting the NII, a sizeable portion of this group would hold that the Federal Government has
little or no direct role to play, but should lower/reduce certain export controls and "get out of the
- A second group, primarily within the defense, intelligence, national security and emergency
preparedness/public safety communities, believes that with the explosion of digital
inter-networking across both communities and all parts of the NII, it is anachronistic, unwise,
and unworkable to continue to address the NII security/assurance issues and policy making in a
fractured manner. This group also tends to focus more on national level threats to the NII, and
sees a significant role for the Federal Government to play in assuring its health and security.
To break the impasse and address the Information Infrastructure Assurance challenge, action
is needed at a higher level. Because of these fundamental problems, it does not appear that the
issue of the SPB's role in information systems security can be resolved within the existing
PDD-29 structure and environment. The much broader issues raised in "The Situation" section
of this paper likewise do not appear to be amenable to resolution in the existing environment.
Several ideas and options have been identified, however, which might open a pathway towards
solving these problems.
LONG TERM: There is a growing body of indications, if not hard evidence, which suggests that
the Federal Government may be headed - consciously or not - towards the creation of a
department or agency to deal more directly with the myriad issues presented by the emerging
NII. If a "Department of Information Resources," or "National Information Infrastructure
Agency," or "Federal Information Assurance Commission," or...whatever, along these lines...is in
our future, then it would probably be useful to keep such a possibility in mind as we attempt to
address current issues within the existing Executive Branch structure.
The "Third Wave." Some prominent "futurists" and observers of human civilization have
suggested that mankind has been through two transformational "waves" in its history - the
agrarian revolution and the industrial revolution - and that we are beginning to experience the
"Third Wave" of the digital information revolution. Alvin Toffler, and others, point to the
substantial impacts the "Information Age" has already had, but suggest that these are just the
beginning of a tidal wave of change which will dramatically transform nearly every aspect of
life, including warfare.
Executive History. The United States Government began with several basic Executive functions
and agencies: a Treasury, a State Department, a War Department, and a Department of Justice.
These remain today as bedrock executive functions within the Government. Over the years,
however, as certain aspects of life began to coalesce into matters of prominence, with strong
identities of their own, the Federal Government inevitably would respond to the pressures and
challenges these created by first setting up committees, commissions, or similar means to ensure
that the Government's interests and responsibilities were addressed. So, for example, the
Congressional Seed Distribution Program (1831), in response to the developing forces of
agricultural science and the Civil War era need for plentiful and safe food, became the
Department of Agriculture in 1862, and a cabinet department in 1898. Every other Executive
Branch department or agency was similarly created when a certain set of issues coalesced, took
on a strong identity, and demanded direct Government action or regulation. A more recent
example occurred when the Government, spurred into action by the 1957 launch of Sputnik,
transformed the National Advisory Committee for Aeronautics into the present-day NASA.
Government's response to the "Third Wave." One way to interpret recent events concerning
the NII is to see them as early responses to the rising barometric pressure in front of the "Third
Wave." The very creation and structuring of the IITF can be viewed as an early Executive
Branch response to the identification of some of the major issues the digital information age is
bringing our way. Senators Cohen and Levin, with support from Representative Clinger, have
introduced a bill, the short title of which is "The Information Technology Reform Act of 1995."
In its first version the bill created the position of a senate-confirmed Chief Information Officer
(CIO), reporting to the Director, OMB. This CIO, and his Chief Information Office, would have
had broad authorities over information technology acquisition and information policy,
specifically including INFOSEC. Although subsequent versions of the bill have removed the
CIO, the language still contains provisions for a Council of CIO's, chaired by the Deputy
Director, OMB. These and other actions within all three branches of the Federal Government
suggest that the Government is beginning to respond to the forces of change flowing from the
digital information revolution. As these forces take on more strength, the Government may find
itself with no choice but to create a significant Executive Branch entity to deal more directly with
SHORT TERM: The SPB Staff has identified several options which might be implemented on a
reasonably short term basis. They are not mutually exclusive, and simply represent some basic
approaches which, if desired, can be further developed.
Stand up an Information Assurance Committee (IAC) under the PDD-29 SPB/SPF structure.
Such a committee would be responsible for information assurance policy for those Government
systems processing classified and national security information. It would be responsible for
policy coordination of all Executive Branch national security efforts dealing with Information
Assurance. It would propose policy, regulation and legislation applicable to the Executive
Branch, and be responsible for influencing private and non-Government entities which are
significant to the national security. Membership would be drawn from current SPF agencies,
with chairmanship TBD. This option has several pluses and minuses associated with it.
+ It breaks the long-standing SPB logjam, and partially fills the "missing hole" in a critical
+ Depending on the definitions and boundaries used for "national security," "policy," and
"information assurance," this would not be seen as a radical move, and is probably politically
+ It would be in conformance with the language in the draft revision to OMB Circular A-130
restricting the SPB's INFOSEC purview to systems processing national security information.
+ At the SPB level it would give Information Assurance a higher visibility and profile, with
more senior membership, than in the current NSTISSC. "Information Assurance" is a broader
term than INFOSEC, and such a committee name gets away from the sometimes negative
baggage associated with "security," "INFOSEC," "defensive," and "warfare."
+ If appropriate, it could be modified or expanded later to address all information assurance, not
only for national security systems.
- It would closely parallel the existing NSTISSC, which would presumably be absorbed into the
IAC's structure. This would require a change or replacement for NSD-42. This would impact the
NSD-42's "National Manager" structure, and issuance systems.
- It would require more staff support than the SPB Staff currently has. It would require at least
the level of staff support provided by the NSTISSC Secretariat.
- It would probably impact the future SPB issuance system, to ensure that it is backward
compatible with the significant body of NSTISSC, and predecessor organizations, issuances.
- Despite its circumscription to "national security systems," it still may meet with political
- It would tend to tacitly endorse or approve the view that the "classified" and "unclassified"
communities can and should be treated separately for the purposes of information systems
security policy. It would simply avoid that basic issue.
Broaden the NSTAC's charter. The President's National Security Telecommunications
Advisory Committee (NSTAC), created in 1982, has been one of the most successful entities to
address security and robustness for what are now parts of the NII. It would probably be useful to
broaden its charter, and modify its membership, to reflect the full scale of NII issues beyond
telecommunications, security, and national security. It could become, for example, a National
Information Assurance Advisory Council, and perhaps draw some of its membership from
current representatives on the IITF's NII Advisory Council. (Note: This idea independently
emerged at the 20 NOV 95 meeting of Sally Katzen's Security Issues Forum, and was generally
Establish an Information Assurance focus within the National Security Council. Under
this option, the President would establish a "Special Assistant to the President and Senior
Director" within the National Security Council for Information Assurance. This office should be
initially staffed with two or three Directors, a Technical Director, and a secretary. The Directors'
responsibilities could be split several ways, but at least initially, they could be focused on
policies and activities for
(1) the national security community,
(2) the civil government community, and
(3) the private sector.
Establish a new Agency in the Executive Office of the President to address Information
Assurance. This would require an Executive Order to initially activate the new agency. It would
have responsibility for:
- Coordinating and consolidating all Executive Branch Information Assurance activities
- Issuing national policies and directives pertaining to Information Assurance
- Proposing and reviewing legislation dealing with or touching upon Information Assurance
- Reviewing Information Assurance budgets, including R&D, throughout the Executive Branch;
closely coordinating with OMB and OSTP.
- Preparing and maintaining a Master Plan for Information Assurance activity within the
- Acting as the central point of contact (POC) for the Executive Branch concerning Information
Assurance matters; and specifically as the POC for the other branches of the Federal