In July 1996, President Clinton established the Commission on Critical Infrastructure Protection (PCCIP), with a charter to designate critical infrastructures, to assess their vulnerabilities, to recommend a comprehensive national policy and implementation strategy for protecting those infrastructures from physical and cyber threats, and to propose statutory or regulatory actions to effect the recommended remedies. The charter gave examples of critical infrastructures (most notably telecommunications, electrical power, banking and finance, and transportation systems), and the types of cyber threats of concern (electronic, radio-frequency, or computer-based attacks on the information or communications components that control critical infrastructures).
Some of the infrastructures are owned or controlled by the government, and hence the government can harden and restructure these systems and control access to achieve a greater degree of robustness. However, the President's Executive Order recognized that many of the critical infrastructures are developed, owned, operated, or used by the private sector and that government and private sector cooperation will be required to define acceptable measures for the protection and assurance of continued operation of these infrastructures.
To assist in planning for the implementation of the Commission's recommendations, this paper starts by revisiting some of the Commission's central premises, and suggests that while there is reason to believe that the Commission's concerns over the long term are valid, more work is needed on these issues to fully support the PCCIP recommendations. Next, the Commission's recommendations are examined from the standpoint of priority, in order to provide a clear focus for early implementation efforts. Of the 72 recommendations, ten are identified as important first steps. Due to the private ownership of most infrastructure systems, the Commission proposes new partnership relationships between the public and private sectors to accomplish the goal of protection.
This paper questions and extends the Commission's thinking regarding the implementation of such arrangements. It concludes that the sharing of information between the public and the private sector will have to be carefully designed to protect the interests of all the parties involved. It also notes that while the nature of infrastructure systems makes them global in their operation, the Commission's Report treats the problem almost exclusively from a domestic viewpoint. This will work against organizing the international partners who will, of necessity, be an important part of the solution.