Terrorism: Threat Assessment, Countermeasures and Policy
Terrorism: Threat Assessment, Countermeasures and Policy
Terrorism: Threat Assessment, Countermeasures and Policy
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Control And Data Acquisition (SCADA) systems are<br />
particularly vulnerable when they use the Internet to<br />
monitor <strong>and</strong> control processes at remote sites. Such a<br />
practice is employed in a wide variety of industries<br />
including chemical, petrochemical, oil <strong>and</strong> gas, food<br />
processing, pulp <strong>and</strong> paper, pharmaceuticals, water <strong>and</strong><br />
wastewater, transportation, energy management, <strong>and</strong><br />
other manufacturing applications.<br />
Financial losses of course will not be restricted to the<br />
theft of proprietary information, financial fraud <strong>and</strong><br />
other criminal offenses. As more commerce is<br />
conducted on-line, civil law suits will increase in which<br />
claimants seek downstream damages for network<br />
intrusions based on legal theories such as a lack of the<br />
“due diligence” owed to stockholders, customers,<br />
suppliers, <strong>and</strong> other innocent third party victims.<br />
China <strong>and</strong> Russia have publicly acknowledged the role<br />
cyber attacks will play in the “next wave of military<br />
operations.” Two Chinese military officers have<br />
published a book that called for the use of<br />
unconventional measures, including the propagation of<br />
computer viruses, to counterbalance the military power<br />
of the United States. Thus, information warfare has<br />
arrived as a new concept in military operations. The<br />
challenge now is to prevent this weapon from being<br />
turned against the United States.<br />
PCCIP<br />
management, <strong>and</strong> improved security planning, thereby<br />
presenting a model for industry to follow voluntarily.<br />
The PDD calls for the creation of a strong partnership<br />
with the business community <strong>and</strong> state <strong>and</strong> local<br />
governments to maximize the alliance for national<br />
security.<br />
The directive also provided for the establishment of the<br />
National Infrastructure Protection Center (NIPC) in<br />
1998 by the conversion of the Computer Investigation<br />
<strong>and</strong> Infrastructure <strong>Threat</strong> <strong>Assessment</strong> Center into the<br />
nucleus of NIPC. NIPC (http://www.nipc.gov) fuses<br />
representatives from the FBI, the Departments of<br />
Commerce, Defense, Energy, Transportation, the<br />
Intelligence Community, <strong>and</strong> other federal agencies,<br />
<strong>and</strong> the private sector into an unprecedented<br />
information sharing effort.<br />
NIPC's mission is to detect, warn of, respond to, <strong>and</strong><br />
investigate computer intrusions that threaten critical<br />
infrastructures. It not only provides a reactive response<br />
to an attack that has already occurred, but proactively<br />
seeks to discover planned attacks <strong>and</strong> issues warnings<br />
before they occur. This task requires the collection <strong>and</strong><br />
analysis of information gathered from all available<br />
sources (including law enforcement <strong>and</strong> intelligence<br />
sources, data voluntarily provided, <strong>and</strong> open sources)<br />
<strong>and</strong> dissemination of analysis <strong>and</strong> warnings of possible<br />
attacks to potential victims, whether in the government<br />
or the private sector.<br />
In response to these growing critical infrastructure<br />
vulnerabilities, President Clinton in 1996 established<br />
the President's Commission on Critical Infrastructure<br />
Protection (PCCIP) to study the critical infrastructures<br />
that constitute the life support systems of the United<br />
States, determine vulnerabilities <strong>and</strong> propose a strategy<br />
for protecting them. The commission in its 1997<br />
report, Critical Foundations: Protecting America's<br />
Infrastructures, pointed out that critical infrastructure<br />
assurance is a shared responsibility of the public <strong>and</strong><br />
private sectors.<br />
PDD 63<br />
The report, implemented in 1998 by Presidential<br />
Decision Directive (PDD) 63 on Critical Infrastructure<br />
Protection, declares that federal facilities should be<br />
among the first to adopt best practices, active risk<br />
15<br />
The National Infrastructure Protection <strong>and</strong> Computer<br />
Intrusion Program (NIPCIP) consists of FBI agents<br />
who are responsible for investigating computer<br />
intrusions, implementing the key asset initiative, <strong>and</strong><br />
maintaining liaison with the private sector. There are<br />
about 1,300 pending investigations in the field, ranging<br />
from criminal activity to national security intrusions.<br />
Many of these cases have a foreign component to them<br />
requiring close coordination with FBI legal attaches<br />
around the world.<br />
ISACS<br />
PDD 63 also launched a major vehicle for information<br />
sharing by encouraging the owners <strong>and</strong> operators of the<br />
critical infrastructures to establish private sector<br />
Information Sharing <strong>and</strong> Analysis Centers (ISACs) to<br />
gather, analyze, sanitize <strong>and</strong> disseminate private sector