Panel urges greater spending to protect U.S. infrastructure

The federal government should invest $1 billion in information security research and development over the next seven years to shore up the defenses of the nation's critical infrastructures against cyberterrorists and hackers according to a presidential commission.

Potential vulnerabilities in information systems that run the nation's water power banking transportation and other core industries require the increased investment to secure stored and transmitted data to monitor and detect threats to information systems and to assess the vulnerability of these systems according to the preliminary recommendations of the President's Commission on Critical Infrastructure Protection which were released last week.

"What in 1945 required an invasion to do can now be done with a 486 and a modem " said Phil Lacombe staff director of the commission. "We believe there's a new arsenal to do harm. The warning capability for cyberattacks must be developed. The government must prepare to deal with the cyberdimension."

One of the federal government's potential weaknesses according to the commission members is the Federal Aviation Administration's planned modernized air traffic control and management system because of its open-systems architecture Internet connectivity shared operational and administrative systems and lack of a backup system. Commissioners recommended that FAA officials fund information technology security measures at 2 to 4 percent of the cost of subsystems develop countermeasures for electronic security breaches and develop security standards.

The panel recommended that the government double its R&D funding from $250 million in 1998 to $500 million in 1999 and increase funding by $100 million every year thereafter until it reaches $1 billion in 2004.

In addition to the increased research efforts commissioners also suggested that private industry work more closely with the government sharing data about previous electronic intrusions and potential vulnerabilities of the systems that underpin most of the nation's critical infrastructure. The commission specifically recommended that the government and the oil and gas industries form a joint center for sharing threat and vulnerability information and that these industries allow military and National Guard intervention during credible terrorist threats or times of war.

"Our government and our private sector have become increasingly dependent upon computers and networks " said Sam Nunn a former U.S. senator and co-chair of the advisory committee of the commission. "We're talking about the life blood of our economy and the lives of our citizens. The essence of our existence as a nation is increasingly vulnerable to a variety of bad actors. Totally separate government and private responses will not work."

However Nunn acknowledged that the group may be hampered from moving forward with a public/private partnership that shares vulnerability information because of the large amount of relevant information that the government has marked classified and because of the public's natural reluctance to volunteer information to the government. About 90 percent of the information collected so far by commission members has been unclassified he said.

The commission which was appointed by President Clinton in July 1996 to examine the vulnerabilities of the nation's core infrastructures will present its final recommendations to the president in October. The group has examined eight infrastructures: telecommunications electric power banking and finance transportation water supply gas and oil emergency services and continuity of government services.

In each category the commission found electronic attack vulnerabilities which have resulted mainly from the growth and advancement of IT Lacombe said. The proliferation of general-purpose hardware ubiquitous operating systems and open architectures - as opposed to customized proprietary systems - creates a simple environment for hackers or other criminals to uncover and exploit vulnerabilities. After intrusion mechanisms are uncovered they are instantly beamed around the world via the Internet Lacombe said.

The report found that the financial sector employed the most IT defenses of all the industries that were examined. However while the banking and financial services industries are well-prepared to confront crime and theft the exchange and payment/funds transfer systems are vulnerable to information warfare.Other weaknesses cited by the commission include lax information security policies employed by several government services agencies such as the National Weather Service the Social Security Administration the Centers for Disease Control and the Immigration and Naturalization Service.