When new applications are added to computer networks and machines, one of the first questions is, "How big is the footprint?" - meaning, how much space, processing power, or overhead will the new applications demand?
Last week, the President's Commission on Critical Infrastructure Protection - charged with recommending a national policy and implementation strategy for protecting the nation's telecommunications, energy, finance and banking, and transportation infrastructures from physical threats and "cyber threats" - released the executive summary of its report. Industry and independent observers are now looking for the footprint, and trying to figure out who's going to be the cobbler.
So far, criticism of the commission has come from different directions, some citing a woefully weak grip on crucial security issues and a lack of innovative ideas - especially its omissions in the critical area of encryption. But though he thinks encryption is an undeniable missing element of the report, Marc Rotenberg, director of the Electronic Privacy Information Center, is ready to give the commission the benefit of the doubt at this early stage, and cautions against caricatures of its efforts.
One of the more specific recommendations made public in the report is the organization of "infrastructure assurance clearinghouses." The idea is to establish a sort of catalog of case studies, where the security breaches of one company might serve to bolster the future security of the rest of its industry.
Commission spokeswoman Carla Sims realizes the inherent obstacles in such a design, for it requires companies to be less jealous in sharing their experiences. "Sharing information is going to be our greatest challenge," she says. But "once companies understand the risks involved ... they'll see the value of information sharing." By sharing the details of their experience through a clearinghouse, she maintains, companies begin to learn from each other. "It definitely offers an advantage to the industry."
Sims cites last week's power outage in San Francisco as an example of the urgent need for a comprehensive approach to preventing such disruption of service. "It looks like sabotage or an insider job," she says. Such internal breaches are one of the kinds of threats the commission is out to target. "It's a new age that fosters new threats, and it's going to require new ways of thinking," Sims says.
But as they consider the prospects of a government more actively seeking to secure the flow of information around the country's infrastructures in the name of national security, some observers are skeptical of possible long-term consequences of the commission's efforts.
"Like Clipper, there's undoubtedly a subtext here," says Karen Coyle, board member of Computer Professionals for Social Responsibility. "When [the Clipper chip] happened, the administration said this is just a telecom issue for the federal government - we support using encryption anyway."
Coyle worries that infrastructure security could evolve in a similar fashion - starting as a fairly neutral initiative, but eventually offering a justification for such things as wire-tapping laws and a ban on strong encryption. "I would look at this as what future actions this is laying the groundwork for."
Sims invokes the objectives of education and awareness in defining the panel's mission. Security is already addressed by current technologies and company policies throughout the land, she says, "but just because the tools exist doesn't mean we all employ them. We want to make sure we all are practicing strong security measures." She is emphatic, however, that there was no effort by the government to dictate to any private entity how it should control or monitor the flow of information.
"This is not Big Brother coming in," Sims maintains. She says the important decisions on security and national policy will be made by those that will ultimately shape the country's policy - the actual industry and government bodies involved - not a centralized government agency.
"The cyber dimension changes things," Sims argues. "Currently our laws and our policies don't always consider the cyber dimension. We need to really change our way of thinking - and that may involve some trade-off. It will be a cultural shift."
Sims is eager to mollify concerns that the commission represents government intrusion into the private exchange of information: "If there's anything we want people to feel [in reaction to the report], it's, 'I'm glad they're looking at this before it becomes a crisis.' 'I'm glad they're developing a strategy.' They should be concerned and should understand they all have a part to play in securing some of our systems."
National Security Council staff will conduct an interagency review of the report and prepare final recommendations for President Clinton, the White House says.