Most Americans have no idea how vulnerable the nation's infrastructure is to cyberterrorism, and government and industry leaders don't know much more than the average citizen, says the executive summary of a report released by the President's Commission on Critical Infrastructure Protection.
As a consequence, the commission is recommending that the government commit US$500 million for security research next year, and $1 billion over the next seven years. Those figures aren't included in the summary, but were released last week by Robert Marsh, chairman of the commission. The full report remains classified.
The commission, which conducted public meetings and collected information for more than a year, looked at information and communications; banking and finance; energy, including electrical power, oil and gas; physical distribution; and vital human services. It considered how all of those might be vulnerable to attack and what can be done to thwart cyberterrorists.
The executive summary, and presumably the full report, focuses on the need to share information, and at least one international security consultant finds that ironic.
"I don't agree that if you're going to give a classified report that no one can read it's a good way of information sharing," says Winn Schwartau. "This is not a good omen for an open relationship by classifying step one."
Although he has been an outspoken critic of the summary, whose contents have been talked about for months, Schwartau says the commission's work will have one important function because "it brings potentially to the national front what many of us have been screaming about for years" and comes with the president's stamp of approval, which pushes it into the foreground.
"Today, the right command sent over a network to a power generating station's control computer could be just as effective as a backpack full of explosives, and the perpetrator would be harder to identify and apprehend," the summary says. "The rapid growth of a computer-literate population ensures that increasing millions of people possess the skills necessary to consider such an attack."
To counter that threat, the commission makes five broad recommendations in the summary:
-- An awareness and education program, including White House conferences, studies, presentations at industry and professional gatherings, school curricula focused on the importance of information security and sponsorship of graduate programs in that area.
-- Cooperation and information sharing using partnerships among infrastructure owners and operators and government agencies. The National Institute of Standards and Technology and the National Security Agency have been asked to give technical guidance.
-- New and updated laws. The summary says that the commission has tried to "jump start this process" by identifying existing laws that can be used as models for standards and practices for the private sector, as well as laws that can help owners and operators take precautions. Other laws were identified that need to be strengthened.
-- Better deployment of research and development and, in some cases, more research.
-- A national organisation structure with six types of partnerships. The structure includes: an Information Sharing and Analysis Center; a National Infrastructure Assurance Council composed of industry CEOs, cabinet secretaries and state and local government representatives; an Infrastructure Assurance Support Office to house the national staff charged with managing and following up on recommendations, and the Office of National Infrastructure Assurance, a "top-level policy making office."
"They want to create a bureaucracy," Schwartau says of the proposed structure.
He also questions what he views as omissions from the report.
"There's nothing about vision. Nothing about leadership," he says. The summary doesn't address new security models, nor jurisdictional issues that could be important because cyberterrorists can strike from any nation. Nor does it address concepts of electronic civil defense, he says.
"They avoided cryptography by political edict because that's a hot potato right now," he says. "And how are we going to balance privacy issues against all of the security we need?"
A text of the summary can be found on the Internet at http://www.pccip.gov/summary.html/. Winn Schwartau is president of The Security Experts, based in Seminole, Florida, and his Internet address is http://www.infowar.com/.