With George W. Bush striding toward the White House, national security experts are preparing for what could be a major change in the way the government and the private sector organize to defend against cyberattacks.
Clinton administration officials and other national cybersecurity experts say Bush plans to appoint an IT “czar” by next summer to better manage the government’s IT investments. This move, say experts, will likely involve reorganizing the federal critical infrastructure protection effort and possibly changing the role of the FBI’s National Infrastructure Protection Center.
Changes to the NIPC could include asking Congress for new legislation to make it easier for the national security community to get access to investigative information, making NIPC subordinate to a federal IT czar or security officer, or starting from scratch with a different type of organization, according to sources.
Legal scholars say president-elect George W. Bush will likely have free rein to override Clinton-era directives and other executive orders pertaining to cybersecurity.
The current federal approach to critical infrastructure protection has its roots in Presidential Decision Directive-63 (PDD-63), signed by President Clinton in 1998. Besides setting a 2003 deadline for the government to establish a capability to defend against intentional cyberattacks aimed at critical infrastructure, PDD-63 established the FBI’s National Infrastructure Protection Center and encouraged private-sector participation through information sharing and analysis centers.
But despite popular belief, there are no significant legal barriers to Bush stepping back from PDD-63 and issuing his own set of directives and a new plan, said Harold J. Krent, professor and associate dean at the Chicago-Kent College of Law. “Legally, these directives and executive orders generally are not enforceable in court,” said Krent. “Rather, they are enforceable only to the extent that the president wants to enforce them.”
“In general, all can be amended or revised by later presidents, assuming nothing in them has been incorporated by statute,” said Tom Sargentich, a professor of constitutional law at American University’s Washington College of Law in Washington.
Tim Atkin, director of critical infrastructure protection at consulting firm SRA International, said that while it’s likely that PDD-63 will be replaced, he believes the critical-infrastructure protection effort will continue to build steam.
“There are other large drivers,” said Atkin, including legislation and Office of Management and Budget directives that will keep the effort on track.
The primary driver behind calls for such changes is the lack of a trip wire that would tip off intelligence and national security agencies to cyberattacks by a nation or terrorist group. Because of privacy restrictions, almost all cyberattacks are initially treated as law enforcement investigations, preventing national security agencies from gaining access to the data.
“NIPC has a fundamental inability to communicate with the rest of the national security community,” said a Clinton administration official. “This may not be the way you want to organize in the future.”
Established in 1998 and based at FBI headquarters in Washington, NIPC is intended to serve as the government’s focal point for investigating and responding to attacks against critical infrastructures such as the nation’s electric power grid. It shares intrusion, threat and warning data with the government and the private sector through a secure alert network called InfraGuard.
However, NIPC has repeatedly come under fire for its perceived unwillingness to share information on investigations and its failure to broadcast timely warnings during the “I Love You” virus outbreak in May (see story).
“We haven’t always done that well, but I think we’re getting much better at it,” said Les Wiser, a section chief and investigator at NIPC, who spoke last week at the Defending Cyberspace 2000 conference in Washington. “We oftentimes can’t tell if [an attack] is a criminal matter or a foreign intelligence matter.”
“Despite taking an incredible amount of flack, I think it’s becoming increasingly effective in its role,” said Robert Miller, deputy director of the Critical Infrastructure Assurance Office at the U.S. Department of Commerce. “If you don’t have them, you would have to reinvent them.”
Still, there are “some real issues” surrounding NIPC, he said. For example, “there is some confusion about NIPC’s role,” with some seeing it as a law enforcement agency and others as a national threat-and-warning center, he said.
U.S. Navy Capt. Robert West, deputy commander of the Pentagon’s Joint Task Force for Computer Network Defense, said that, by definition, all attacks are criminal first and acts of war second. “For us, it really does become cumbersome,” said West.
Aside from the privacy issues, creating a national security trip wire is difficult, said Richard Hunter, an analyst at Stamford, Conn.-based Gartner Group Inc. and a former National Security Agency analyst.
“It’s entirely possible for attacks to go undetected for weeks and months,” said Hunter. “Intent typically is something that you judge from what has been done. Even after an intrusion has been detected, it can take some time to determine what has been done.”
However, Ken Watson, co-chairman of the coordinating committee of the National Partnership for Critical Infrastructure Security (NPCIS), acknowledged that the entire effort needs a “more coordinated” approach.
The problem has been that the government has little or no ownership of the infrastructure, limited jurisdiction and limited intelligence capabilities, said Watson, who’s also manager of critical infrastructure protection at Cisco Systems Inc. in San Jose.
Although the critical-infrastructure protection effort will continue to move forward, “it will probably look different,” said Watson.
“I would not be surprised if the organizational structure changed,” said Tim Atkin, a member of an NPCIS working group and director of critical infrastructure protection at consulting firm SRA International Inc. in Fairfax, Va. “I hope that [the] new administration understands the concerns of industry that this issue [should] not be turned into solely a law enforcement issue or a defense issue. What has been important this past year is the understanding that industry is part of the solution and that national security equals economic security.”