THE PRESIDENT’S

NATIONAL SECURITY TELECOMMUNICATIONS

ADVISORY COMMITTEE

 

 

 

 

 

 

 

 

 

 

 

 

 

The NSTAC’s Response to

the National Plan

 

 

 

 

 

APRIL 2001 

 

 

April 17, 2001

 

 

 

The President

The White House

1600 Pennsylvania Avenue, NW

Washington, DC  20500

 

Dear Mr. President:

 

At our May 16, 2000, National Security Telecommunications Advisory Committee (NSTAC) XXIII meeting,
Mr. Richard Clarke, National Coordinator for Security, Critical Infrastructure Protection, and Counter-Terrorism, National Security Council, requested industry advice and recommendations for revision of the National Plan for Information Systems Protection.  Enclosed is the Committee’s response.

 

The Committee’s response is based primarily on detailed research and analysis done over recent years in reply to requests from the Executive Office of the President relating to the nation’s information and communication infrastructure.  Our response was shared with the industry sector coordinators and the Commerce Department’s office responsible for the Information and Communications Sector.  The Committee continues to address the potential for widespread outages of our nation’s telecommunications and information services resulting from the convergence of the commercial telephony and Internet networks.

 

Our nation’s critical infrastructures are highly interdependent and heavily dependent on information and communications networks and services.  The next version of the National Plan should ensure that National Security and Emergency Preparedness (NS/EP) telecommunications and information systems requirements are identified and supported for the next generation of networks.  Additionally, the committee recommends the inclusion of a new broad objective to the National Plan — International Considerations — based on its study of globalization.

 

We look forward to continuing our advice to you and your Administration on critical cyber issues facing our nation’s economic security and our national security and emergency preparedness posture.  Our next meeting is June 6, 2001, at the White House, and we are looking forward to meeting with you and other senior members of your Administration.

 

Sincerely,

 

 

 

Daniel P. Burnham

NSTAC Chair

 

 

Enclosure:   NSTAC’s Response to Version 1.0 of the National Plan

 

Copy to:       National Security Advisor

                      White House Science Advisor

                      National Coordinator for Security, Infrastructure Protection,

                         and Counter-Terrorism

                      NSTAC Principals

                      Secretary of Commerce

                      Manager, National Communications System

                      Assistant Secretary of Defense for C3I


THE NSTAC’S RESPONSE TO

THE NATIONAL PLAN

 

The National Security Telecommunications Advisory Committee (NSTAC)[1] Information Sharing for Critical Infrastructure Protection Task Force developed this document, The NSTAC’s Response to the National Plan, to highlight the NSTAC’s work in several issue areas that are important to the main objectives of Version 1.0 of the National Plan for Information Systems Protection (National Plan).  The issue areas are discussed in the context of summaries of previous NSTAC reports presented in the Appendix: Summaries of Previous NSTAC Reports.  This document is organized around the three broad objectives listed in the National Plan, which are essential for critical infrastructure protection (CIP)—Prepare and Prevent, Detect and Respond, and Build Strong Foundations.  In addition, it is proposed that a new broad objective—International Considerations—be included in Version 2.0 of the National Plan.

 

The NSTAC’s studies of Information and Communications (I&C) Sector Interdependencies and Risk Management broadly relate to the first objective of the National Plan: Prepare and Prevent.  That objective addresses the National Plan goal of identifying critical infrastructure assets, shared interdependencies, vulnerabilities, and outreach programs to make Americans aware of the need for improved cyber-security.  The second objective of the National Plan, Detect and Respond, connects with the NSTAC issue areas of Network Technologies and Vulnerabilities, Response and Recovery, and Information Sharing.  Detect and Respond correlates to the National Plan objectives to detect attacks and unauthorized intrusions, share attack warnings and information in a timely manner, and create capabilities for responses, reconstruction, and recovery.  Finally, the NSTAC has examined a variety of issues concerning Research and Development (R&D) needs, I&C Sector Interdependencies, and Information Sharing, which align with Build Strong Foundations, the third objective listed in the National Plan.  Build Strong Foundations corresponds to the National Plan’s intent to enhance CIP R&D efforts, train and employ adequate numbers of information security specialists, and adopt legislation in support of CIP efforts.

 

This response presents an overview of the NSTAC’s “work in progress” and a synthesis of relevant conclusions and recommendations that have been presented to the President involving issues that could impact national security and emergency preparedness (NS/EP) in telecommunications and information services.  NSTAC reports from the mid-1990s forward are presented in the Appendix.  These reports relate to issues created by not only the evolving telecommunications and information infrastructure—from the public network (PN)[2] and the public switched network (PSN),[3] through the Internet to the next generation network (NGN)[4]—but also the changing nature of the threats from physical only to physical and cyber.  Because these recommendations remain valid and relevant, they should be included in the National Plan.  Above all, these findings have a more important, fundamental value because they have been generated by an exhaustive industry/Government information sharing process that has withstood the test of time. 

 

The NSTAC has been involved in depth with the CIP issue since its inception and continues its work in this area, but the NSTAC is aware that the Nation is only on the threshold of the issue.  The NSTAC utilizes a fairly formal process to determine work plans, which it will develop in conjunction with the upcoming NSTAC XXIV meeting; however, the NSTAC could address future issues.  The NSTAC could augment prepare, prevent, and respond with an examination of consequence management policy and with this, an expansion of the roles of the National Coordinating Center for Telecommunications (NCC) and the Network Security Information Exchanges (NSIE), to include relationships with other CIP components.  Although these are just examples, they emphasize the idea that The NSTAC’s Response to the National Plan will continue to be a work in progress responsive to National needs.

 

This information has been shared with the I&C sector through meetings with NSTAC member companies and through joint meetings with the I&C sector coordinators’ representatives from the Information Technology Association of America, the Telecommunications Industry Association, and the United States Telecom Association.

 

Shared Challenges

 

At the outset, it is recognized that the dialogue to develop a National Plan stems from the shared challenges that Government and the telecommunications and information-related industries face, albeit from different perspectives:

 

·        National security in today’s global environment is being defined and measured in terms of economic and military strength.  Thus, the Nation’s wellbeing is highly dependent on the protection of the interdependent critical infrastructures as emphasized in Presidential Decision Directive 63 (PDD‑63).

·        The Government is increasingly relying on the private sector to provide telecommunications and information services.  This necessitates a continuing dialogue to promote mutual understanding of industry and Government interests and concerns as the public and private sectors strive to meet the objectives of protecting the critical infrastructures through nonregulatory solutions as anticipated by PDD‑63.

 

·        While Government is focusing on protecting national security, preventing future attacks, and identifying and punishing attackers, private owners of infrastructures are more concerned with common business imperatives.  As a result of this dichotomy, any solution to, or recommendations for, the protection of critical infrastructures require the participation of private industry in concert with Government. 

 

·        The Telecommunications Act of 1996 is opening the telecommunications industry to increased competition and interconnection, industry consolidation and integration, and foreign ownership at the same time that new service providers are gaining access to network facilities.  Security measures are consequently becoming even more complicated and difficult to implement.

 

·        The evolution to the NGN is enabling and requiring telecommunications providers to transition from proprietary protocols to open system protocols to manage their networks. Concurrently, traditional circuit switched services are migrating to the Internet’s packet‑switched networks.  As this migration continues and new Internet services are introduced, the PN may become more susceptible to well-known Internet vulnerabilities, especially in light of the more integrated and increasing dependence on commercial-off-the-shelf technology. 

 

·        The assurance and full protection of American citizens’ civil liberties, their rights to privacy, and their rights to the protection of proprietary data should be affirmatively addressed in CIP planning. 

 

Addressing the Broad Objectives of the National Plan

 

In this response, which focuses on efforts that the Federal Government is undertaking to protect the Nation’s critical infrastructures, it should be noted that NSTAC recommendations have already been made to the President concerning many of the programs upon which the Plan’s three broad objectives are based—Prepare and Prevent, Detect and Respond, and Build Strong Foundations.  This timeliness exists because many of the issues associated with the National Plan’s programs have been—or are being—addressed in the NSTAC process,[5] either in response to an Administration request, as is the case with the assessment of the potential for a widespread outage due to network convergence,[6] or in anticipation by member companies of an issue or development that could impact NS/EP telecommunications services.  These issues are discussed under different headings in the Appendix.

 

National Plan Objectives:  Prepare and Prevent

 

A long-standing goal of the NSTAC has been to take steps to minimize the possibility of a significant and successful attack on the Nation’s critical telecommunications and information infrastructure and to build an infrastructure that remains effective in the face of such an attack.  Indeed, the NSTAC in 1984 recommended that the NCC be established as a national coordinating mechanism to respond to the Federal Government’s NS/EP communications service.  The NSTAC also initiated the development of the NSIE process in 1991 to provide a forum in which industry and Government could share information with the goal of reducing the vulnerability of the Nation’s telecommunications systems to electronic intrusion.[7]

 

Industry in general is recommending that physical security be included in Version 2.0; it was not included in Version 1.0.  However, it is interesting to note that the primary focus of the NCC in the 1980s was on physical threats—an emphasis that was consistent with the Government’s overall focus, at the time, on the security of important physical structures, such as dams, bridges, tunnels, and power plants.[8]

                       

As demonstrated in the following text, the focus consequently has broadened from assessments of physical threats leading to service outages to the inclusion of assessments of the threats or risks of unauthorized intrusions of the PN and vulnerabilities associated with network convergence.  Concurrently, methodologies for conducting these assessments have been developed and refined to accommodate technological change.

                       

PN Assessments.  Assessments were conducted in 1995[9] and 1999[10] with respect to unauthorized penetration or manipulation of the evolving PN software and databases affecting NS/EP telecommunications services.

 

·        Both assessments found that Government and corporate networks had become more interconnected as these organizations have increasingly relied on the PN to transmit critical business and operations information, thereby increasing the perceived and substantive rewards for gaining illicit access.

·        The most recent assessment concluded that absent a valid baseline to establish quantitative measures of the risk to the PN from electronic intrusion, it was difficult to definitively state how risk had changed over the past few years.  Indeed, little evidence suggests that the risk has diminished; and a number of factors suggest that it is growing.

 

Internet Assessments.  In 1999 the Government’s use of the Internet