Directive orders feds to safeguard systems

President Clinton last week announced a massive new national security program that would require federal agencies to inventory key information systems and work closely with the private sector to develop a plan for protecting against cyber and physical threats to the nation's critical infrastructures.

Speaking May 22 at the Naval Academy's commencement in Annapolis, Md., Clinton called on federal agencies and private companies that own and operate the nation's financial services, energy utilities, transportation concerns and other critical infrastructures to collaborate to shore up defenses against cyberattacks.

In a directive signed the same day, Clinton called for the creation by 2000 of an operational capability to protect the nation's critical infrastructures, especially the computer systems that support the infrastructures. The core of the program, according to a white paper that outlines the policy, is a public/private partnership to develop a National Infrastructure Assurance Plan.

"We will launch a comprehensive plan to detect, deter and defend against attacks on our critical infrastructures," Clinton told the graduating midshipmen. "Just 15 years ago, these infrastructures—some within government, some in the private sector—were separate and distinct. Now they are linked together over vast computer electronic networks, greatly increasing our productivity but also making us much more vulnerable to disruption."

Clinton said he plans to appoint a National Coordinator for Security, Infrastructure Protection and Counterterrorism to lead the government's efforts. Eight agencies have been assigned lead roles in working with the various private-sector owners and operators of the nation's critical infrastructures.

For example, Energy Department officials plan to identify resource requirements for the new policy and incorporate those into the department's budget, said David Jones, a member of the President's Commission for Critical Infrastructure Protection, on assignment from DOE's Office of Safeguards and Security. In addition to launching an extensive outreach program to the electrical power, oil and natural gas industries to develop an infrastructure protection plan, the department will use the supercomputers housed at its national laboratories to provide simulations of the effects of potential threats to these assets, he said.

However, all federal agencies will be affected by the initiative. Every agency will be required to develop a plan within the next six months to protect its own critical infrastructure assets. While each agency's chief information officer will be responsible for information assurance, all agencies will be required to appoint a critical infrastructure assurance officer who will be responsible for all other aspects of that department's critical infrastructure.

Irwin Pikus, a member of the president's commission, on assignment from the Commerce Department, said Commerce most likely will be tapped as the coordination and support office for the new program. "The coordination requirements—even throughout the government—are going to be enormous," Pikus said.

Following Clinton's announcement, Commerce Secretary William Daley named Deputy Assistant Secretary of Commerce Jeffrey Hunker to serve as director of the National Critical Infrastructure Assurance Office. The office will develop the integrated national plan to protect the nation's critical infrastructures, develop legislative initiatives and coordinate a national educational and awareness program.

Michael Vatis, director of the newly formed National Infrastructure Protection Center at the FBI, noted that public-/private-sector cooperation is vital in the Information Age because the nature of national security is changing. "There is no perimeter to guard anymore," Vatis said. "A frighteningly large number of people now possess the means to engage in cyberattacks. Our national defense can no longer depend only on our military services."

But Clinton's effort may encounter some resistance from the private sector. Corporations have traditionally been reluctant to reveal information about attacks on their computer systems to law enforcement agencies for fear that the information would be made public.

But perhaps the primary impediment to convincing the private sector to work with the government may be proving to industry that costly security upgrades to private-sector systems will benefit a company's bottom line.

John Lane, a senior vice president at NationsBank and former chief information officer at the Securities and Exchange Commission, said companies have few incentives to participate in a protection plan that is too vague to justify an investment.