Infrastructure security needs feds' full attention
What can anyone do about infrastructure threats?
You come home at night and park a block from your house. Walking home, you are
vulnerable. Anything can happen. Robberies and worse can occur. What do you do to protect
yourself from potentially life-threatening situations?
This is the type of problem that the President's Commission on Critical Infrastructure
Protection considered at the national level in a study completed last year. The nation's
infrastructure--energy, banking, transportation, human services, telecommunications and
water supply--is vulnerable.
The report pointed out that the Internet and computer networks play an increasingly
important role in social, economic and industrial institutions.
Major disruptions to the Net and to infrastructure components that depend on it could
result from computer hackers, earthquakes, sabotage and terrorism. The consequences would
be widespread, significant and life-threatening, the report said.
What should we do? Risk analyses are always appropriate for security problems. Security
analysts can easily devise new protections. In recent years, such analyses led to the
closing of Pennsylvania Avenue in front of the White House and the construction of a
security fence around the Capitol.
But risk analyses do not assess political risks. Once the security folks dream up and
propose something new, they pass the political risk on to someone else. Anyone who doesn't
follow a security recommendation becomes the political insurer against the threat.
If the White House hadn't closed that block of Pennsylvania Avenue and something had
happened, the security people could have said it was the White House's fault for not
At the political level, the real costs and risks are largely irrelevant. It's a blame
game. The result is that security people tend to go overboard, especially when the
consequences of a breach would be highly visible.
The issues faced by the infrastructure commission were so vast and affected so many
essential parts of our economy that it wasn't possible to propose specific security
Instead, the commission discussed the issues in general terms and recommended a
dizzying array of procedural and institutional responses.
The recommendations begin with creating an office for national infrastructure assurance
at the National Security Council. Then, there would be an infrastructure assurance
council, an infrastructure assurance support office, federal lead agencies, sector
assurance coordinators, an information sharing and analysis center, and a warning center.
The commission was not organized according to the usual model of a membership of
high-ranking outsiders. Most members were representatives of law enforcement agencies.
So does anybody want to guess whether those agencies would have their roles enhanced by
their representatives' recommendations? Or whether the agencies managed to get the
commission to endorse ideas for programs and activities that they haven't been able to
The report includes recommendations for increased use of polygraphs, key recovery for
encryption, and a bigger role for the National Security Agency in government and
private-sector security activities.
These tangential matters--not directly related to infrastructure threats--were surely
added by the agencies that have been pushing them for years. The commission even
recommended that the FBI consider hiring part-time college students for regional computer
Still, I give the commission credit. It did a reasonable job of highlighting a
legitimate problem. There may be too many overlapping institutional recommendations, but
the basic point about paying more attention to vulnerabilities is reasonable. Some
improvements are possible without new invasions of civil liberties or massive
More attention, coordination, awareness and education are appropriate responses. To
complete the analogy, most of us walking from our cars to our houses at night won't carry
guns, hire guards or wear bulletproof vests. But we can pay attention to our surroundings
and make sure streetlights are working.
At the national level, we need to strike a balance among security, cost and paranoia.
Despite some shortcomings, the infrastructure commission's basic message--to pay
attention--is fair enough.
Robert Gellman, former chief counsel to the House Government Operations Subcommittee on
Information, Justice, Transportation and Agriculture, is a Washington privacy and
information policy consultant. His e-mail address is email@example.com.