THE PRESIDENT’S
NATIONAL SECURITY TELECOMMUNICATIONS
ADVISORY COMMITTEE

INFORMATION SHARING FOR CRITICAL INFRASTRUCTURE PROTECTION
TASK FORCE REPORT
JUNE 2001
EXECUTIVE SUMMARY
1.0 INTRODUCTION AND CHARGE
2.0 RESULTS
2.1 National Plan for Information Systems Protection
2.2 Freedom of Information Act
2.3 Sharing Information on Incidents Reported to Law Enforcement
2.4 Coordination with United States Space Command
APPENDIX A: TASK FORCE MEMBERS AND OTHER PARTICIPANTS
APPENDIX B: THE NSTAC’S RESPONSE TO THE NATIONAL PLAN
APPENDIX C: SHARING INFORMATION ON INCIDENTS REPORTED TO LAW ENFORCEMENT
An important facet of the Nation’s strategy to protect critical infrastructures from cyber attacks is the development of mechanisms to facilitate public and private sector information sharing about actual threats and vulnerabilities. To address this concern, the National Security Telecommunications Advisory Committee’s (NSTAC) Industry Executive Subcommittee (IES) formed the Information Sharing/Critical Infrastructure Protection Task Force (ISCIPTF) in September 1999 to focus on various information-sharing issues associated with critical infrastructure protection.
Following NSTAC XXIII, the ISCIPTF addressed three new charges from the NSTAC to the IES.
· Provide input to Version 2.0 of the National Plan for Information Systems Protection (National Plan)
· Address barriers to information sharing for critical infrastructure protection, to include the Freedom of Information Act (FOIA) and possible law enforcement restrictions
· Coordinate with United States Space Command (USSPACECOM) to further develop means for information sharing.
The NSTAC, as part of the ongoing industry/Government partnership, has been deeply involved in critical industry-based analysis and recommendations related to national security and emergency preparedness telecommunications and associated information systems.
The NSTAC developed a response to the National Plan, presenting an overview of its work in progress and a synthesis of relevant conclusions and recommendations for consideration as the Nation develops a strategy for critical infrastructure protection (CIP). The response is based on proven processes for industry/Government partnership at the technical, operational, and policy levels. The response maps NSTAC findings across these areas with the major CIP objectives outlined in Version 1.0 of the National Plan. The NSTAC concluded that bridging the gap in perspectives of industry and Government regarding the threat to critical infrastructures is key to future successful dialogue.
Regarding potential barriers to information sharing, the ISCIPTF addressed the need for legislation that would create a CIP exemption to FOIA. In conjunction with the NSTAC’s Legislative and Regulatory Working Group, the task force reviewed elements of what would be effective FOIA legislation and related policy considerations.
In addition, the task force examined possible law enforcement restrictions on industry sharing information on network intrusions with Information Sharing and Analysis Centers or similar information-sharing forums. In response to the ISCIPTF’s request, the NSTAC and Government Network Security and Information Exchanges (NSIE) investigated the issue. In working with the Department of Justice, the NSIEs found that although common practice discourages victims of such crimes from sharing information, no laws or policies prohibit victims from discussing crimes against them even after they have reported them to law enforcement. To address the situation, the Department of Justice, in cooperation with the NSIEs, will work with the law enforcement community to implement policies that encourage victims to share such information, and to educate victims on those policies.
Building on NSTAC’s relationship with USSPACECOM, the ISCIPTF continued to coordinate with USSPACECOM representatives on critical infrastructure protection matters. Representatives were invited to attend task force meetings, and ISCIPTF members visited USSPACECOM facilities in Colorado Springs, Colorado. The task force agreed to continue to work with USSPACECOM to develop additional ways to share information.
An important facet of the Nation’s strategy to protect critical infrastructures from cyber attacks is the development of mechanisms to facilitate public and private sector information sharing about actual threats and vulnerabilities. To address that concern, the National Security Telecommunications Advisory Committee’s (NSTAC) Industry Executive Subcommittee (IES) formed the Information Sharing/Critical Infrastructure Protection Task Force (ISCIPTF) in September 1999 to focus on various information-sharing issues associated with critical infrastructure protection.
In preparation for the May 16, 2000, NSTAC XXIII meeting, the ISCIPTF examined mechanisms and processes for protected, operational information sharing that would help achieve the goals of Presidential Decision Directive 63 (PDD-63)[1] and further the role of the National Coordinating Center for Telecommunications (NCC) as an Information Sharing and Analysis Center (ISAC).[2] In addition, the task force continued, through outreach, NSTAC interaction with Government leaders responsible for PDD-63 implementation. The ISCIPTF completed these taskings and forwarded its findings and recommendations to the NSTAC in May 2000.[3]
Following NSTAC XXIII, the ISCIPTF addressed three new charges from the NSTAC to the IES:
· Provide input to Version 2.0 of the National Plan for Information Systems Protection (National Plan)
· Address barriers to information sharing for critical infrastructure protection, to include the Freedom of Information Act (FOIA) and possible law enforcement restrictions
· Coordinate with United States Space Command (USSPACECOM) to further develop means for information sharing.
Background
PDD-63 envisions a comprehensive national strategy for critical infrastructure protection (CIP). The White House’s National Plan is intended as a first major element of the larger effort to protect the Nation’s information systems and critical assets. Version 1.0 of the plan focuses mainly on Federal efforts being undertaken to protect the Nation’s critical cyber-based infrastructures. Subsequent versions are to address a broader range of concerns, including the specific role industry can play in protecting physical and cyber-based infrastructures from attack. Input from industry—the owners and operators of most of the Nation’s infrastructures—is essential.
At the May 16, 2000, NSTAC XXIII meeting, the National Coordinator for Security, Infrastructure Protection, and Counter-terrorism, National Security Council, asked for NSTAC comments on Version 1.0 of the National Plan. In response to this request, the ISCIPTF drafted The NSTAC’s Response to the National Plan. The report is attached as Appendix B, and its findings are summarized below.
Findings
By reviewing and synthesizing conclusions and recommendations from the NSTAC’s work in progress, the task force isolated key points to be considered as the Nation develops a CIP strategy. Specifically, the task force documented NSTAC findings related to the three broad objectives of Version 1.0 of the National Plan—Prepare and Prevent, Detect and Respond, and Build Strong Foundations—that should be reflected in Version 2.0 of the plan. In addition, the task force proposed that a new broad objective—International Considerations—be included in the next iteration of the plan.
The task force concluded that the NSTAC’s cumulative work in the areas of critical infrastructure protection and information assurance can serve as a baseline for intensifying the dialogue between industry and Government regarding the best means for protecting the Nation’s critical infrastructures. Key to this future discussion are the differing perspectives that industry and Government hold regarding the threat to critical national infrastructures. From a business perspective, industry in general believes it understands and is adequately mitigating the threat to its operations. From a national security perspective, the Government warns of an increased—albeit imprecisely defined—international threat to critical national infrastructures. Bridging this gap in perspectives can provide a foundation for future collaboration.
In its NSTAC XXIII report, the ISCIPTF addressed FOIA and recommended that the President support legislation similar to the Year 2000 Information and Readiness Disclosure Act to protect critical infrastructure protection information shared voluntarily with the Government from disclosure under FOIA. Subsequently, the NSTAC Chair sent a letter to the President emphasizing the importance of the FOIA issue.
FOIA is considered an important issue in the CIP context because it could serve as a barrier to information sharing. Specifically, companies may be reluctant to share CIP-related information with the Government if such (potentially sensitive) information could be unintentionally disclosed through FOIA. This disclosure can occur because FOIA provides a mechanism for the public to access Government-maintained records. Although a number of exemptions exist to prevent disclosure, none clearly cover information pertaining to national security and emergency preparedness or CIP.
In light of these factors, the ISCIPTF requested that the NSTAC’s Legislative and Regulatory Working Group investigate elements of what would be effective FOIA legislation and related policy considerations.
Background
At the May 16, 2000, NSTAC XXIII meeting, the NSTAC Principals discussed with senior Government officials how to improve information sharing between industry and Government regarding electronic intrusions into network systems and databases. One issue discussed with the Director, National Infrastructure Protection Center (NIPC), was whether victims of such crimes were prohibited by law enforcement from reporting the intrusions to ISACs or similar information-sharing forums. Because the Principals and the Director, NIPC, had different views on this issue, the NSTAC Chair suggested that the NSTAC document its concern. After considering the matter, the ISCIPTF requested that the NSTAC and Government Network Security Information Exchanges (NSIE) consider the issue because of the NSIEs’ experience in this area.
NSTAC NSIE representatives have noted that, historically, they do not discuss intrusions into their networks and systems with anyone else after reporting them to law enforcement because case agents told them that doing so might compromise their cases. Because the companies and individuals wanted to cooperate with law enforcement and did not want to risk jeopardizing their cases, they have honored these requests. This reluctance, however, has hindered information sharing within the NSIEs. The NSIEs’ report to the ISCIPTF in connection with this issue and its potential effect on industry’s participation in ISACs is attached as Appendix C. Its findings are summarized below.
Findings
In working with the Department of Justice (DOJ), the NSIEs found that although common practice discourages victims from sharing information, no laws or policies prohibit victims from discussing crimes against them even after they have reported them to law enforcement. This discrepancy reflects a lack of understanding on the part of victims, case agents, and prosecutors of the benefit of sharing some information in a disciplined manner (in practice, discussing a case too broadly can jeopardize its successful prosecution) to prevent further crimes. An example of disciplined information dissemination is sharing appropriate information in appropriately protected forums such as the NSIEs or ISACs.
In response to this issue, the NSIEs will document their procedures for sharing and protecting information and work with DOJ to communicate these procedures to the law enforcement community. This measure is intended to build law enforcement’s confidence that information shared for network security purposes will be properly guarded. The NSIEs also found that it will be necessary for the private sector to ensure that its personnel who interact with law enforcement on such cases are aware that they are permitted and encouraged to share this information for network security purposes using appropriate mechanisms. At the same time, the Chief, Computer Crime and Intellectual Property Section, DOJ, will work with the law enforcement community to develop and implement policies that encourage victims to share such information, and to educate victims on those policies.
Background
The May 2000 NSTAC XXIII meeting was co-hosted in Colorado Springs, Colorado, by USSPACECOM. General Ralph Eberhart, U.S. Air Force, and Commander in Chief, USSPACECOM, addressed the NSTAC Principals and briefed them on USSPACECOM’s expanded mission. USSPACECOM incorporated the Joint Task Force for Computer Network Defense into its mission when it recently assumed responsibility for protecting the Department of Defense’s computer networks. Computer network defense is a key element to the successful incorporation of information security, which requires layers of detection tools on computer systems, more frequent vulnerability assessments, increased training and certification for administrators, education down to the end user, stronger firewalls, and the institution of a public key infrastructure.
General Eberhart attended the NSTAC XXIII meeting to facilitate communication between the NSTAC and USSPACECOM. He explained that USSPACECOM had completed a concept of operations for computer network defense and is developing the concept of operations for computer network attack functions. The efforts to date have focused on conducting real-world operations—from peacekeeping to computer virus control. General Eberhart remarked that the key to successful information operations is working together to understand the associated difficult legal, policy, and doctrine issues. He also explained that participation by industry, the owners and operators of the infrastructure, would be essential to the computer network defense mission.
Findings
The ISCIPTF coordinated with USSPACECOM to develop additional means of sharing information. The task force invited command representatives to attend all task force meetings. Representatives from USSPACECOM attended task force meetings, and ISCIPTF representatives visited USSPACECOM facilities in Colorado to discuss the evolving relationship between the NSTAC and USSPACECOM. The task force also appointed Mr. Jon Lofstedt, Qwest, as liaison between the task force and USSPACECOM in Colorado. Subsequently, representatives from the command attended and briefed at ISCIPTF meetings and IES Working Sessions.
The task force agreed that information sharing is a cornerstone of national infrastructure protection and concluded that efforts to share information between the NSTAC and USSPACECOM should continue on an ongoing basis.
APPENDIX A
TASK FORCE MEMBERS AND OTHER PARTICIPANTS
TASK FORCE MEMBERS
| Verizon Communications | Mr. Lowell Thomas, Chair |
| Unisys | Dr. Dan Wiener, Vice-Chair |
| AT&T | Mr. Harry Underhill |
| Bank of America | Mr. Roger Callahan |
| Boeing | Mr. Bob Steele |
| CSC | Mr. Guy Copeland |
| EDS | Mr. Dale Fincke |
| ESET | Mr. James Klugh |
| Hughes | Ms. Jennifer Smolker |
| ITT | Mr. Joe Gancie |
| Lockheed Martin | Mr. Michael Collins |
| Lucent | Mr. John McClurg |
| Nortel Networks | Dr. Jack Edwards |
| Northrop Grumman | Mr. Scott Freber |
| Raytheon | Mr. Bob Tolhurst |
| Rockwell | Mr. Ken Kato |
| SAIC | Mr. Hank Kluepfel |
| TRW | Mr. Bill Gravell |
| USTA | Mr. Paul Johnson |
| Qwest | Mr. Jon Lofstedt |
| WorldCom | Ms. Joan Grewe |
OTHER PARTICIPANTS
| AT&T | Ms. Ellen Brain |
| GWU | Dr. Jack Oslund |
| Lockheed Martin | Mr. Ernie Wallace |
| Raytheon | Mr. Tom O’Connell |
| SAIC | Mr. Bob Rankin |
| SBC | Ms. Rosemary Leffler |
| Verizon Communications | Mr. James Bean |
| Verizon Communications | Ms. Ernie Gormsen |
| Idefense | Mr. Steve Trevino |
| ITAA | Mr. Doug Sabo |
| TIA | Mr. Dan Bart |
| TIA | Mr. Gerry Rosenblatt |
| USTA | Mr. Paul Hart |
GOVERNMENT PARTICIPANTS
| NTIA | Mr. Dan Hurley |
| NTIA | Ms. Helen Shaw |
| OASD/C3I | Mr. Mark Centra |
| OASD/C3I | Mr. David Potter |
| OMNCS-N2 | Mr. John Todd |
| OMNCS-N3 | Lt Col Frances Wentworth |
| USSPACECOM | Col John Rader |
APPENDIX B
THE NSTAC’S RESPONSE TO THE NATIONAL PLAN
The National Security Telecommunications Advisory Committee (NSTAC)[4] Information Sharing for Critical Infrastructure Protection Task Force developed The NSTAC’s Response to the National Plan to highlight the NSTAC’s work in several issue areas that are important to the main objectives of Version 1.0 of the National Plan for Information Systems Protection (National Plan). The issue areas are discussed in the context of summaries of previous NSTAC reports presented in Annex A: Summaries of Previous NSTAC Reports. This document is organized around the three broad objectives listed in the National Plan, which are essential for critical infrastructure protection (CIP)—Prepare and Prevent, Detect and Respond, and Build Strong Foundations. In addition, it is proposed that a new broad objective—International Considerations—be included in Version 2.0 of the National Plan.
The NSTAC’s studies of Information and Communications (I&C) Sector Interdependencies and Risk Management broadly relate to the first objective of the National Plan: Prepare and Prevent. That objective addresses the National Plan goal of identifying critical infrastructure assets, shared interdependencies, vulnerabilities, and outreach programs to make Americans aware of the need for improved cyber-security. The second objective of the National Plan, Detect and Respond, connects with the NSTAC issue areas of Network Technologies and Vulnerabilities, Response and Recovery, and Information Sharing. Detect and Respond correlates to the National Plan objectives to detect attacks and unauthorized intrusions, share attack warnings and information in a timely manner, and create capabilities for responses, reconstruction, and recovery. Finally, the NSTAC has examined a variety of issues concerning Research and Development (R&D) needs, I&C Sector Interdependencies, and Information Sharing, which align with Build Strong Foundations, the third objective listed in the National Plan. Build Strong Foundations corresponds to the National Plan’s intent to enhance CIP R&D efforts, train and employ adequate numbers of information security specialists, and adopt legislation in support of CIP efforts.
This response presents an overview of the NSTAC’s work in progress and a synthesis of relevant conclusions and recommendations that have been presented to the President involving issues that could affect national security and emergency preparedness (NS/EP) in telecommunications and information services. NSTAC reports from the mid-1990s forward are presented in Annex A. These reports relate to issues created not only by the evolving telecommunications and information infrastructure—from the public network (PN)[5] and the public-switched network (PSN),[6] through the Internet to the next-generation network (NGN)[7]—but also by the changing nature of the threats from physical only to physical and cyber. Because these recommendations remain valid and relevant, they should be included in the National Plan. Above all, these findings have a more important, fundamental value because they have been generated by an exhaustive industry and Government information-sharing process that has withstood the test of time.
The NSTAC has been involved in depth with the CIP issue since its inception and continues its work in this area, but the NSTAC is aware that the Nation is only on the threshold of the issue. The NSTAC uses a fairly formal process to determine work plans, which it will develop in conjunction with the upcoming NSTAC XXIV meeting; however, the NSTAC could address future issues. The NSTAC could augment prepare, prevent, and respond with an examination of consequence management policy and, with this, an expansion of the roles of the National Coordinating Center for Telecommunications (NCC) and the Network Security Information Exchanges (NSIE), to include relationships with other CIP components. Although these are just examples, they emphasize the idea that The NSTAC’s Response to the National Plan will continue to be a work in progress responsive to National needs.
This information has been shared with the I&C sector through meetings with NSTAC member companies and through joint meetings with the I&C sector coordinators’ representatives from the Information Technology Association of America, the Telecommunications Industry Association, and the United States Telecom Association.
Shared Challenges
At the outset, it is recognized that the dialogue to develop a National Plan stems from the shared challenges that Government and the telecommunications and information-related industries face, albeit from different perspectives:
· National security in today’s global environment is being defined and measured in terms of economic and military strength. Thus, the Nation’s well-being is highly dependent on the protection of the interdependent critical infrastructures as emphasized in Presidential Decision Directive 63 (PDD‑63).
· The Government is increasingly relying on the private sector to provide telecommunications and information services. This reliance necessitates a continuing dialogue to promote mutual understanding of industry and Government interests and concerns as the public and private sectors strive to meet the objectives of protecting the critical infrastructures through nonregulatory solutions as anticipated by PDD‑63.
· While Government is focusing on protecting national security, preventing future attacks, and identifying and punishing attackers, private owners of infrastructures are more concerned with common business imperatives. As a result of this dichotomy, any solution to, or recommendations for, the protection of critical infrastructures require the participation of private industry in concert with Government.
· The Telecommunications Act of 1996 is opening the telecommunications industry to increased competition and interconnection, industry consolidation and integration, and foreign ownership at the same time that new service providers are gaining access to network facilities. Security measures are consequently becoming even more complicated and difficult to implement.
· The evolution to the NGN is enabling and requiring telecommunications providers to transition from proprietary protocols to open-system protocols to manage their networks. Concurrently, traditional circuit-switched services are migrating to the Internet’s packet‑switched networks. As this migration continues and new Internet services are introduced, the PN may become more susceptible to well-known Internet vulnerabilities, especially in light of the more integrated and increasing dependence on commercial off-the-shelf technology.
· The assurance and full protection of American citizens’ civil liberties, their rights to privacy, and their rights to the protection of proprietary data should be affirmatively addressed in CIP planning.
Addressing the Broad Objectives of the National Plan
In this response, which focuses on efforts that the Federal Government is undertaking to protect the Nation’s critical infrastructures, it should be noted that NSTAC recommendations have already been made to the President concerning many of the programs upon which the Plan’s three broad objectives are based—Prepare and Prevent, Detect and Respond, and Build Strong Foundations. This timeliness exists because many of the issues associated with the National Plan’s programs have been—or are being—addressed in the NSTAC process,[8] either in response to an Administration request, as is the case with the assessment of the potential for a widespread outage due to network convergence,[9] or in anticipation by member companies of an issue or development that could affect NS/EP telecommunications services. These issues are discussed under different headings in Annex A.
National Plan Objectives: Prepare and Prevent
A long-standing goal of the NSTAC has been to take steps to minimize the possibility of a significant and successful attack on the Nation’s critical telecommunications and information infrastructure and to build an infrastructure that remains effective in the face of such an attack. Indeed, the NSTAC in 1984 recommended that the NCC be established as a national coordinating mechanism to respond to the Federal Government’s NS/EP communications service. The NSTAC also initiated the development of the NSIE process in 1991 to provide a forum in which industry and Government could share information with the goal of reducing the vulnerability of the Nation’s telecommunications systems to electronic intrusion.[10]
Industry in general is recommending that physical security be included in Version 2.0; it was not included in Version 1.0. However, the primary focus of the NCC in the 1980s was on physical threats—an emphasis that was consistent with the Government’s overall focus, at the time, on the security of important physical structures, such as dams, bridges, tunnels, and power plants.[11]
As demonstrated in the following text, the focus consequently has broadened from assessments of physical threats leading to service outages to the inclusion of assessments of the threats or risks of unauthorized intrusions of the PN and vulnerabilities associated with network convergence. Concurrently, methodologies for conducting these assessments have been developed and refined to accommodate technological change.
PN Assessments. Assessments were conducted in 1995[12] and 1999[13] with respect to unauthorized penetration or manipulation of the evolving PN software and databases affecting NS/EP telecommunications services.
· Both assessments found that Government and corporate networks had become more interconnected as these organizations have increasingly relied on the PN to transmit critical business and operations information, thereby increasing the perceived and substantive rewards for gaining illicit access.
· The most recent assessment concluded that absent a valid baseline to establish quantitative measures of the risk to the PN from electronic intrusion, it was difficult to definitively state how risk had changed over the past few years. Indeed, little evidence suggests that the risk has diminished, and numerous factors suggest that it is growing.
Internet Assessments. In 1999, the Government’s use of the Internet[14] was assessed in parallel with its increasing reliance on the Internet for conducting electronic commerce (e-commerce).[15] Many of the significant findings in those assessments were similar:
· Agencies with NS/EP responsibilities are using the public Internet mostly for outreach, information sharing, and e-mail. Direct dependence on the public Internet for mission‑critical operations and e-commerce is currently modest, although the NS/EP community’s dependence on the Internet is likely to grow over the next several years. Government will more likely depend on dedicated intranets for mission-critical operations.
· The informal and distributed management of Internet functions, the Domain Name System, Internet software, and procedural errors and unintentional actions invite potential vulnerabilities. Because of the interconnected nature of the public Internet, a disruption or degradation of Internet operations could also hamper the operations of dedicated intranets.
· The reliability and security of the public Internet are generally considered inadequate for NS/EP mission-critical functions and sensitive e-commerce transactions. So far, no Internet technologies or applications facilitate the same type of end-to-end NS/EP-related services available in the PN. Nor are there economical incentives for Internet service providers (ISP) to develop and offer NS/EP service enhancements over their networks. A number of factors (e.g., lack of NS/EP demand and market factors) preclude the availability of NS/EP services over the Internet for the foreseeable future.
Accordingly, the following recommendations were made to the President:
· Direct the establishment of a permanent program to address NS/EP issues related to the Internet. The program should work with the NS/EP community to increase the understanding of evolving Internet dependencies and with key Internet organizations and standards bodies to increase awareness of NS/EP requirements.
· Designate a focal point for examining the NS/EP issues related to widespread adoption of e-commerce within the Government, and direct the Federal departments and agencies, in cooperation with this Federal focal point, to assess the effect of e-commerce technologies on their NS/EP operations.
Convergence Assessments. The implications of the PSN-Internet technical convergence and of the transfer of traffic from the PSN to the NGN on the Government’s voice priority NS/EP services are under continuing examination. Specific attention is being paid to potential impacts on the Government Emergency Telecommunications Service (GETS)[16] and Telecommunications Service Priority (TSP)[17] programs. A mid-2000 assessment reached a number of conclusions, including—[18]
· As the PN changes from separate switched-voice and packet-data networks to an interconnected network and then to a unified NGN over the next several years, the capabilities in the PN around which GETS has been designed, such as ubiquity and interoperability, access to NS/EP functional features, and high levels of network reliability and security, will no longer be available. To maintain GETS-type functions, new quality-of-service schemes and functional requirements will have to be developed to provide services commensurate with NS/EP needs and security safeguards.
· TSP, as originally conceived, remains relevant during convergence because restoration assignments can still be applied to identifiable segments of the PSN. But, as discussed by the program’s Oversight Committee, t