A Research Project Funded by the Sixth Framework Research Programme of DG Research (European Commission)

This is an archive of the CHALLENGE website.
National Plan for Information Systems Protection: An Invitation to a Dialogue

Tuesday 3 January 2006, by White House


Executive Summary

Defending America’s Cyberspace

Introduction

The Federal Government and private sector cooperated during the millennial rollover event to provide a smooth transition into the Year 2000. The extensive preparations undertaken to avoid glitches and service disruptions to information systems paid off, and critical systems continued to operate without any major interruptions. That said, we must remember that we are in a very dynamic environment. The nature of cyberattacks and the needed preparations to protect information systems from future attacks are in constant flux. As new protective measures are developed and put into place, those who threaten us become more innovative. The Federal Government is currently assessing the Year 2000 experience to determine what aspects may have relevance for the future and for the continued protection against cyberattacks.

This document is the first attempt by any nation to develop a plan to defend its cyberspace. The President in Presidential Decision Directive 63 (PDD-63) directed its development. Designating it as "Version 1.0" acknowledges that the Plan is in the early stages of development and remains a work in progress.

The first version of the Plan largely focuses on the domestic efforts being undertaken by the Federal Government to protect the Nation's critical cyber-based infrastructures. Subsequent versions of the Plan will incorporate a broader range of concerns contemplated under PDD-63, including the specific role industry and state and local governments will play, on their own and in partnership with the Government, in protecting privately owned infrastructures; the need to protect physical, as well as cyber-based, infrastructures from deliberate attack; and the examination of the international aspects of critical infrastructure protection. Comments by industry, Congress, state and local governments, and the general public are sought for improvements that could be included in these subsequent versions.

What Are Critical Infrastructure Systems and Assets?

Critical infrastructures are those systems and assets, both physical and cyber, so vital to the Nation that their incapacity or destruction would have a debilitating impact on national security, national economic security, and/or national public health and safety.

While PDD-63 calls for this National Plan to prioritize critical infrastructure protection goals, principles, and long-term planning efforts, its initiatives are explicitly designed to complement and focus existing Federal Computer Security and IT requirements.

The Threat

Every day in America, thousands of unauthorized attempts are made to intrude into the computer systems that control key government and industry networks: defense facilities, power grids, banks, government agencies, telephone systems, and transportation systems.

Some of these attempts fail. Some succeed. Some gain "systems administrator status," download passwords, implant "sniffers" to copy transactions, or insert trap doors to permit an easy return. Some attacks are the equivalent of car thief "joy riders," committing a felony as a thrill. Others are committed for industrial espionage, theft, revenge-seeking vandalism, or extortion. Some may be committed for intelligence collection, reconnaissance, or creation of a future attack capability. The perpetrators range from juveniles to thieves, from organized crime groups to terrorists, potentially hostile militaries, and intelligence services. What has emerged in the last several years is an increase in the seriousness of the threat.

We know of foreign governments creating offensive attack capabilities against America’s cyber networks.

America is vulnerable to such attacks because it has quickly become dependent upon computer networks for many essential services. It has become dependent while paying little attention to protecting those networks. Water, electricity, gas, communications (voice and data), rail, aviation, and other critical functions are directed by computer controls over vast information systems networks.

The threat is that in a future crisis a criminal cartel, terrorist group, or hostile nation will seek to inflict economic damage, disruption and death, and degradation of our defense response by attacking those critical networks. Director of Central Intelligence George Tenet testified to Congress: "This threat is very real."

Protecting Privacy and Civil Liberties

Infrastructure assurance goals can be accomplished in a manner that is consistent with a full range of civil liberty interests. In fact, some infrastructure assurance programs may have a positive impact on personal privacy and other civil liberties by enhancing the level of security in data and communications in networked environments.

The Federal Government has a positive obligation to protect the private information of its citizens that resides on its computers. The Government was entrusted with this information because American citizens believe their critical, personal information will be held securely within these systems.

The Federal Government recognizes the risk that technologies designed to protect information and systems, if not carefully utilized, could inadvertently undermine civil liberties. Even with the best of intentions, technology that protects against intrusions, when cast too broadly, might profile innocent activity. Where individual rights are at issue, careful consideration of all related issues is essential.

The legal landscape does not always offer clear guidance in areas of jurisdiction, security standards, and consent issues. Cyber-intrusions often present complicated legal and jurisdictional issues. As a result, Government programs that protect infrastructures and civil liberties require careful planning, analysis, and input from all affected parties.

While all the proposals in the Plan have been developed in a manner fully consistent with existing law and constitutionally guaranteed expectations of privacy, portions of the Plan may give rise to concerns that personal privacy rights may be sacrificed in exchange for infrastructure assurance objectives.

Finding solutions to infrastructure assurance in a manner that is consistent with civil liberties is a dynamic process that must involve both Government and private sector communities. The process must recognize the complexity and importance of existing jurisprudence and work to structure new programs to prevent unintended consequences.

In that context, several key principles serve as a starting point for analyzing programs in the Plan: consulting with privacy communities to define acceptable solutions; conducting ongoing, rigorous, and thorough legal reviews of Plan programs; committing to comply with statutory and regulatory protections; government leading by example; reviewing applications of various legal privacy solutions; working with Congress; working with the National Academy of Sciences; focusing on education and awareness; and committing to the Principles of Privacy established by the Privacy Working Group of the Information Infrastructure Task Force.
