[IEEE-USA Position Statement]

Critical Infrastructure Protection
and Information Technology

(Approved by the IEEE-USA
Board of Directors, 20 June 2002)

The Institute of Electrical and Electronics Engineers-United States of America (IEEE-USA) notes the efforts of numerous organizations to address the need for critical infrastructure protection, so dramatically imposed by the attacks of 11 September 2001 on the U.S. homeland. Critical infrastructures are those systems that provide the resources upon which all functions of society depend. Examples are telecommunications, transportation, energy, water supply, health care, emergency services, manufacturing and financial services.

The goal of such protection must be to minimize, if not prevent, the disruption of these infrastructures by violent adversaries, natural disasters, accidents, or even economic influences, as well as to provide the methods and means for quickly recovering from such events. Prevention efforts ideally devise protection measures consistent with risk. This goal is so extensive that IEEE-USA addresses only a limited aspect of it in this Position Statement: the role of information technology in critical infrastructure protection.

IEEE-USA recommends that the measures for critical infrastructure protection being developed by the Congress, federal agencies, and the private sector focus on the following:

Safeguard information technology used to manage critical infrastructures to mitigate the consequences of intentional or unintentional disruptions; for example:

  • Deny unauthorized access to critical managerial and operational data,
  • Encrypt transactions and command-and-control messages to achieve secrecy, authentication, authorization and non-repudiation,
  • Provide redundant backup of data to facilitate disaster recovery,
  • Use multiple, diversely routed, packet-switched networks for path redundancy, mitigating the loss of any one network Point-of-Presence (PoP) or network provider, and
  • Support research to strengthen the information security of these management functions.

Use information technology to detect adversarial threats; for example:

  • Perform communications surveillance under judicial order and review,
  • Conduct information search and seizure subject to judicial order and review, and
  • Support research on faster decryption hardware and software.

Use information technology to protect critical infrastructures; for example:

  • Identify and authenticate personnel,
  • Provide physical security with sensors and alarms,
  • Gather background information on mission-critical employment candidates,
  • Share sensitive protection information among businesses and government, assuring confidentiality and exemption from antitrust liability and Freedom of Information Act disclosure, and
  • Support research on advanced information security measures.

Provide incentives for network owners and operators to implement security measures; for example:

  • Mandate that all critical infrastructure systems providers and associated marketplaces establish and maintain policies and programs to protect their computers and communications (information technology) systems. Such policies and programs should conform to industry best practices and be mandated by Federal and state regulators, self-regulating exchanges, and other oversight organizations within their relevant areas;
  • Publish best practices for withstanding cyber attacks, and conform to such industry best practices; and
  • Compensate owners who adopt such practices.

Take action to remove from the marketplace the direct, serious information security threat to all critical infrastructure posed by the so-called "self-help" provisions of the Uniform Computer Information Transactions Act (UCITA), and any such similar legislation.

  • The threat arises from inclusion in software of features or provisions supporting or enabling the exercise of "self-help" (remote intrusion and disablement), or preventing successful recovery from this form of denial-of-service attack. The threat is posed by the software features themselves and applies even if the particular contract under which the software is obtained does not allow the use of "self-help."

Preserve basic American civil liberties; for example:

  • Make sure that any abridgements of basic American civil liberties are necessary and commensurate with the existing risk to critical infrastructures, and are reviewed periodically to ascertain if they are still needed.

This statement was developed by the IEEE-USA's Committee on Communications Policy and represents the considered judgment of a group of U.S. IEEE members with expertise in the subject field. IEEE-USA is an organizational unit of the Institute of Electrical and Electronics Engineers, Inc., created in 1973 to promote the careers and public policy interests of the more than 235,000 electrical, electronics, computer and software engineers who are U.S. members of the IEEE.


BACKGROUND

The Congress, federal agencies and private organizations are actively considering and developing measures for critical infrastructure protection after the terrorist attacks of September 11, 2001 on U.S. soil. A partial listing of these organizations follows:

  • Various committees of the Congress; for example: Senate Governmental Affairs, House Judiciary Committee, House Science Committee
  • Office of Homeland Security
  • President's Critical Infrastructure Protection Board (chaired by Richard Clarke)
  • U.S. Critical Infrastructure Assurance Office (CIAO)
  • U.S. Commission on National Security/21st Century (the Hart-Rudman Commission)
  • General Services Administration (GSA)
  • General Accounting Office
  • Federal Bureau of Investigation (FBI)
  • National Infrastructure Protection Center (NIPC)
  • Central Intelligence Agency (CIA)
  • National Security Telecommunications Advisory Committee (NSTAC)
  • Partnership for Critical Infrastructure Security (PCIS)

Information technology is a key element in the management, threat detection and protection of critical infrastructures. Consequently, the efforts of these organizations should include emphasis on the assurance, application and further development of cybersecurity.

The IEEE-USA Position Paper on Information Security in Electric Power, jointly developed by the Energy Policy Committee and the Committee on Communications Policy, and subsequently approved by the IEEE-USA Board of Directors on 16 November 2000, contains additional specific recommendations for the electric power industry. Several relevant items from the latter were incorporated into this Position Statement, which is meant to encompass all critical infrastructures.

By its very nature, the use of information technology for critical infrastructure protection will shift the boundary between national security and private interest. Examples of capabilities in use or under development are the FBI's DCS 1000 packet surveillance system, key loggers (computer keystroke monitors), computerized language translators, CIA Live! (an instant messaging system), Encase (a file recovery system), and GSA's GOVNET (a government network designed to provide protected services for critical government functions). An understanding of the capabilities and limitations of the information technologies involved is essential to making balanced decisions between combating risk and preserving traditional (even Constitutional) American values of freedom, privacy and due process.

The Uniform Computer Information Transactions Act (UCITA) includes numerous provisions that are harmful to information security and critical infrastructure protection. UCITA took effect 1 October 2000 in Maryland, and 1 July 2001 in Virginia, and has been considered by other states and the District of Columbia. It can be made effective everywhere through the operation of "choice of law" provisions, except in three states (Iowa, North Carolina, and West Virginia) where so-called "bomb shelter" legislation designed to protect citizens from UCITA-driven contracts has been passed. Opposition to UCITA has been building, with no other states having passed UCITA legislation in 2001, and none, other than the state of Washington, having legislation pending in 2002. The threat arises from inclusion in software of features or provisions supporting or enabling the exercise of "self-help" (remote intrusion and disablement), or preventing successful recovery from this form of denial-of-service attack. The threat is posed by the software features themselves and applies even if the particular contract under which the software is obtained does not allow the use of "self-help."

Examples of UCITA provisions that harm infrastructure protection include:

  • allowing large software publishers and on-line services to escape liability for security-related software defects, even if both the defect and its potential consequences are known by the publisher and are undisclosed to purchasers;
  • allowing software publishers to contractually enforce or place high legal barriers on non-negotiable prohibitions on licensees publicly criticizing the security performance of their software or exchanging information on such performance;
  • permitting software publishers to contractually enforce non-negotiable prohibitions on reverse engineering for any purpose, including security-related purposes explicitly permitted under Federal copyright law; and
  • creating incentives for software publishers to deliberately embed security faults in their software intended for use in unilaterally enforcing contract provisions by means of information security attack ("self-help"), and to incorporate features in their software preventing recovery from self-help attacks. 

UCITA also allows software publishers to escape liability to third parties harmed by inappropriate operation or malicious misuse (e.g., by intruders) of the self-help capabilities in their software. Any proprietary software having a license subject to the law of a state that has enacted UCITA should be treated as a potential source of serious security vulnerabilities, unless explicit actions are taken to exclude them. A security vulnerability in any part of an enterprise can become the entry point for malicious intrusion on other parts of the enterprise.



Last Updated: 28 June 2002
Staff Contact: Deborah Rudolph, d.rudolph@ieee.org

Copyright © 2002 The Institute of Electrical and Electronics Engineers, Inc.
Permission to copy granted for non-commercial uses with appropriate attribution.