Yet, despite mounting threats, the task of protecting the nation's information infrastructure has not been given the sense of urgency it merits. Sharing vulnerabilities and risks continues to be a major stumbling block to progress, especially on the part of private industry. Although statistics are readily available on how many businesses are disrupted because of fires or power outages, there are no exact figures as to how much time or money is lost due to crippled networks.
An even greater impediment is the price tag that may be necessary to set up safeguards. At this point there are no federal laws to protect our infrastructure. It's understandable that many CEOs are reluctant to invest in 'terrorism insurance' when they're not convinced it is necessary. But it is time for executives and Boards of Directors to wake up to the fact that your building doesn't have to burn down for your organization to have a disaster.
Furthermore, cyber terrorism is a sensitive issue. Which political party or politician wants to take an unpopular stand? The public's understanding of the issue is at varying levels, yet public buy-in is critical. Even if we reach a consensus for federal oversight, which agency would coordinate this effort: the Justice Department, the Department of Defense?
Under the guidance of the Federal government a lot of groundwork is being laid for cyber threat protection. Recognizing that cyber threats are not solely a public or private problem, President Clinton established a task force 15 months ago, consisting of 20 members from federal and state government and private industry, to identify threats and develop a national strategy and plan to protect the infrastructure. The President's Commission on Critical Infrastructure Protection (PCCIP), headed by Air Force General Robert 'Tom' Marsh, looked at areas where computer systems control vital elements of society including banking and finance, transportation, telecommunications, electrical power systems, water supply systems, gas and oil storage and transportation, emergency services and government services.
Although the PCCIP presented its findings to the President in October, the findings are currently classified and embargoed. In preliminary reports, however, the commission made the following recommendations:
- Create an office in the White House to coordinate the security roles of government.
- Introduce legislation to permit private companies to conduct criminal background checks, in states where they're currently barred, when hiring computer experts.
- Initiate a three-pronged education and awareness program in the form of grants by the National Science Foundation for professional education; conferences sponsored by the White House to encourage new curricula development in computer ethics and intellectual property for elementary and secondary schools; partnerships between the Department of Education and industry to develop curricula for ethical information workers.
- Develop standards on sound practices for information security.
- Increase research funds to $1 billion annually for cyber security. Currently, the federal government allocates $150 million annually to information security.
At a recent industry briefing, Senator Jon Kyl (R-Arizona), Chairman of the Senate Subcommittee on Technology, Terrorism and Government Information, said that although the commission's work is important, focus should be on continual education to raise the level of importance of cyber threats. Senator Kyl wants the nation to develop a central warning system, integrated into an accepted civil defense program. But he argues that before this can happen there has to be cooperation between the public and private sector.
Soon the United States Senate will be holding hearings on this issue. This is a positive first step, but money, commitment and understanding are vital, according to the Senator.
Meanwhile, other groups, such as the Leadership Coalition for Global Business Protection and the Public Private Business Initiative, have been working on raising awareness among CEOs and Boards of Directors, to help educate and develop strategies. The Information Protection Task Force (IPTF), also created by executive order, teamed with the Manhattan Cyber Project (MCP). The MCP, with the advantage of the collective expertise of various industries, focuses on education about information warfare.
Commissions and task forces can provide strategies and guidelines, but it will require proactive tactical plans on the part of individuals and organizations to deal with threats to our systems. Even without legislation, proper methods, applications and procedures to limit penetration should be implemented.
Corporations and agencies alike need to take note of the changing face of continuity planning. During last year's Security in Cyberspace hearings before the U.S. Senate, former Deputy Attorney General Jamie Gorelick discussed the urgency to form a public/private partnership to address the 'cyber threat' and likened the process to the historic Manhattan Project. Additionally, it may take some forcing event, such as disruption to business and utility services due to an El Niño-related disaster or a possible Year 2000 crisis, to make people take notice. Ultimately, all these problems, whether caused by natural disaster or introduced by man, will impact corporations' bottom lines and affect the quality of our lives.
Mike Braham is Director of CommGuard, Enterprise-Wide Continuity Services at Bell Atlantic Federal Systems. Braham serves on the National Board of Directors of the Association of Contingency Planners and is Sub-Committee Chair for the Leadership Coalition for Global Business Protection. Braham lives in Virginia and was a U.S. Marine pilot.