“Certain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States.”
Executive Order 13010
President William J. Clinton
July 15, 1996
The protection of our nation’s infrastructure, and in particular the components deemed as critical, continue to remain a top priority for both the public and the private sectors. Today marks 25 years since President Clinton signed Executive Order 13010, Critical Infrastructure Protection. A milestone in the history of CIP, the Order was spurred by concerns over threats to the country’s underlying information infrastructure amid increasing U.S. dependence on it.
The concept of protecting critical infrastructure from adversarial attacks was certainly not new in 1996. For thousands of years, infrastructure such as bridges, ports, water supplies, and communication systems have been targeted during war and conflict. Impacts of natural disasters such as wind, fire, floods, and earthquakes were also well understood.
What set 1996 apart? First, a pair of terrorist attacks on US soil – New York City’s World Trade Center towers in February 1993 and Oklahoma City’s Murrah Federal Building in April 1995 – shook the country’s belief that we were safe from physical harm inside our borders. Second, while the opening of the government-funded Internet in the early 1990s to widespread private use had launched a new era of connectivity, it also resulted in an alarming increase of foreign attacks arriving on US soil via computer networks. Attacks against US Air Force systems at Rome Labs in the spring of 1994 followed by Russian cyber bank robbers transferring over $10 million from Citibank to other banks around the world later that year led to a series of cybersecurity hearings in Congress and concern from the White House about a potential “Cyber Pearl Harbor”.
The Oklahoma City bombing was the catalyst for a full government response. Killing 168 citizens, including 19 children, and injuring hundreds more, the blast left a 30-foot-wide, 8-foot-deep crater in front of the building. A few hours after local responders, fire fighters, police force, and urban search and rescue teams arrived at the scene, the President ordered deployment of federal resources. This was the first time the President’s authority under the Stafford Act (section 501 (b)) was used, granting the Federal Emergency Management Agency (FEMA) primary federal responsibility for responding to a domestic disaster.
The deliberate destruction of the Oklahoma City office building, located far outside the “nerve centers” of Washington and New York City, had a profound impact on both government agencies and private companies across the country, due to the disruption of functions and data housed in the building. The Murrah Federal Building had been home to several regional federal agency offices such as the Drug Enforcement Administration, the Bureau of Alcohol, Tobacco, and Firearms, the U.S. Customs Service, the U.S. Secret Service, the U.S. Department of Housing and Urban Development, the Veterans Administration, and the Social Security Administration. Some of these regional offices were custodians of computer systems used to store federal records. Across the country, access to these files and networks were disrupted until other systems could be made available. By setting off a chain reaction impacting portions of society that would not normally be seen to be linked to the functions of a specific building in Oklahoma, the blast made clear that hidden interdependencies between infrastructures, their users, and their vulnerabilities was a major issue.
In June 1995, the CIA in conjunction with other intelligence gathering agencies, produced a classified report detailing their knowledge on the foreign information warfare threat. The intelligence focused on efforts to attack SCADA networks (also known as industrial control systems, the devices and networks used to manage power distribution, oil refineries and other complex systems). This publication was the first of its kind and helped organize the intelligence community’s involvement in the CIP area.
Also in June 1995, a classified directive (partially declassified in 1997 and fully declassified in 2008) resulting from the Oklahoma City bombing was published by the White House – Presidential Decision Directive 39 (PDD-39, U.S. Policy on Counterterrorism). It directed the Attorney General to lead a government-wide effort to re-examine the adequacy of available infrastructure protection. As a result, then Attorney General Janet Reno established the interagency Critical Infrastructure Working Group (CIWG) to examine the vulnerabilities of critical national infrastructures to terrorist attacks. The CIWG was chaired by Deputy Attorney General Jamie Gorelick.
Their review, which was completed in February 1996, highlighted the lack of attention that had been given to protecting the cyber infrastructure of critical information systems and computer networks. In addition to defining the most critical infrastructures, the CIWG recommended that further study by a presidential commission was needed. The recommendations led to Executive Order 13010, Critical Infrastructure Protection, which created the President’s Commission on Critical Infrastructure Protection (PCCIP) in 1996, also known as the Marsh Commission.
Against this background, cyber threats became linked to the topics of critical infrastructure protection and terrorism in the mid-1990s. President Clinton began the development of a national protection strategy with the PCCIP in 1996, and the issue has remained a high priority ever since.
Bearing in mind the centrality of these issues to the mission of the McCrary Institute, we asked our Senior Fellows (who possess a wealth of expertise on these matters) to reflect on the past 25 years since the Executive Order was signed. Here are some of their comments on the difference EO 13010 has made since it was issued, and thoughts on where we stand today.
Although 25 years old, Executive Order 13010’s strategic framing of the problem as issues associated with protection of critical infrastructure from cyber and physical threats is remarkably enduring. The criticality of public-private partnership, the need for a unity of effort among a broad spectrum of federal departments and agencies, the enumeration of issues and advocacy for national policy – it’s all there. Reconsidering the executive order after this much time elicits both positive and negative reactions. On the plus side, those who defined the problem space 25 years ago got it right. Our ability to strategically perceive emerging domestic security threats and vulnerabilities, identify necessary stakeholders, and tee up priority actions is spot on. On the minus side, one cannot help but be struck by the sameness of the problem set. The critical infrastructure protection challenges from 25 years ago remain challenges today: the need for more public-private cooperation, more federal agency unity of effort, updated legal authorities, and cohesive national strategy. We have made incremental progress to be sure, with the creation of the Department of Homeland Security as a focal point for the domestic critical infrastructure protection mission, and the creation of the Office of the Director of National Intelligence as a more effective coordinator for Intelligence Community support for national security missions including homeland security. But the fundamental challenges remain, and threats and vulnerabilities have continued to grow. Will cybersecurity look the same for critical infrastructure 25 years from now? Or will we have made leap ahead progress?
Cheri Caddy
Senior Advisor, Cybersecurity Policy & Strategy
U.S. Department of Energy
Executive Order 13010 advanced our national security by defining the critical systems that are key to our way of life and by evolving the means to evaluate threats to those systems. Unquestionably, protecting America’s critical infrastructure is a monumental undertaking requiring the continuous collective efforts of our citizenry, public sector, and private sector.
EO 13010 and related directives and laws have, in fact, better prepared our Nation to defend our critical infrastructure. However, on this twenty-fifth anniversary of the EO, we can mark a commemorative milestone, but we cannot rejoice. Despite the significant strides made in advancing our Nation’s cybersecurity posture, our critical infrastructure remains under constant attack from a capable and unrelenting assortment of cunning cyber adversaries. Nation states as well as common criminals continue to take advantage of ever-increasing attack surfaces; American legal regimes that work in the favor of cyber antagonists; and public-private partnerships that are not operating at the required “speed of the mission,” let alone at the “need of mission.”
The existential threat to our critical infrastructure requires our executive and legislative branches to act – not merely talk – boldly and decisively to mitigate the impact of cyber-attacks, to include mandatory partnerships, attribution and then accountability.
Harry Coker
Senior Executive (Ret.)
Central Intelligence Agency
With the 25th anniversary of Executive Order 13010, we have a chance to look back on an important milestone in Federal infrastructure protection. The issuance of this EO marked the beginning of an important recognition that the United States needed a more definitive strategic plan for identifying and protecting key infrastructure assets. This awareness has never been more relevant than today with recent cyber attacks on our Nation’s energy sector, food delivery system and critical supply chains. The evolution of EO 13010 has also drawn important scrutiny to the interrelationship between cybersecurity and infrastructure security. As technology and innovation has continued to evolve, we can see more clearly that these two important disciplines are inextricably linked. The EO started a process by which the U.S. could continue to refine and improve its protections for those systemically important critical infrastructures on which we rely the most. Clearly more needs to be done, but we can look back over the last twenty-five years and see a measurable trail of progress that emanated from EO 13010.
Chris Cummiskey
CEO
Cummiskey Strategic Solutions, LLC
EO 13010 contained three significant elements that set the country on a path of greater preparedness and resilience. In particular, it: (1) sounded the alarm that we need to be better prepared to protect those sectors that are critical for our nation’s survival; (2) recognized that much of this critical infrastructure is owned and operated by the private sector and state and local governments and, therefore, required coordination by and with the federal government; and (3) identified that we need to defend against two types of threats–traditional physical threats and cyber threats.
In the intervening quarter-century, EO 13010 and its progeny identified clear national goals and guiding principles that provide a foundation for building a cooperative space where the federal, state, local, tribal, and territorial governments, the private sector, and the American people can identify and address their responsibilities. Further, this evolution has led to greater use of risk management processes to set priorities and allocate resources based on threat information.
This becomes especially important as the cyber risk eclipses the physical risk. The question becomes whether this construct of voluntary cooperation and coordination succeeds in adopting a national consensus minimum standard of information security. I hope so. If not, Congress must act.
Brian de Vallance
Former Assistant Secretary for Legislative Affairs
U.S. Department of Homeland Security
EO 13010 began the shift in our collective consciousness that is essential for today’s threats: the government cannot alone address national security threats; public and private sectors must face them together.
This fundamental awareness, and shift in approach that resulted, has proven to be the basis of defense in a new era. In the years since 13010, reliance on information and communications infrastructure has simply increased. The global internet took off. Our critical infrastructures moved on to the digital backbone. Digital currency emerged.
Although I don’t believe that anyone knew the exact contours of today’s national security challenges in 1996, EO 13010 was nonetheless prescient. Our most effective tools for protecting America in an inherently digital environment lie in collaborations of the public and private sectors against shared threats.
Emily Frye
Director for Cyber Integration
The MITRE Corporation
The notable maturation of the evolving risk landscape has been the convergence of the two threat categories originally highlighted 25 years ago. The EO rightly points out the physical and electronic concerns, but we know today, that these threat landscapes have blended. Rarely do we see an attack with cyber-only impacts, or physical-only impacts. Critical systems touch all aspects of security and the business today. Additionally, we see growing federal government acknowledgement today that the private sector is the most critical partner in helping secure our infrastructure. They are the “doers” behind any early warnings, intelligence, or mitigation strategies.
Brian Harrell
Chief Security Officer
AVANGRID
Signed by President Clinton in 1996, Executive Order 13010 (EO 13010), “Critical Infrastructure Protection,” would not be the last presidential executive order to outline the goals of protecting the nation’s most important infrastructure, but it was the first. During the Cold War in defining new threats to national security, government officials began to theorize the concept of certain key infrastructure in America that was vital to U.S. national security but was vulnerable to attack even outside traditional war. By the 1990s the idea of “critical” infrastructure was a major concern of the government. In EO 13010, for the first time, the government used and defined the term “critical infrastructure” as a part of the national infrastructure that is vital and whose destruction or incapacity to function properly can seriously diminish the economy or defense of the nation. The EO identified eight critical infrastructure sectors, each containing those entities that were similar in form and function. These sectors would eventually be expanded to sixteen. The EO also established a national commission on critical infrastructure (the “Commission”) to assess the scope and nature of the vulnerabilities and threats to the nation’s critical infrastructures, focusing particularly on cyber threats, and recommend a national policy and implementation strategy for protecting these infrastructures. EO 13010 focused the U.S. government and the private sector on the priority of securing the nation’s most important infrastructures and set in motion a number of steps towards that end. Two years later, in 1998, based on the Commission’s report, President Clinton signed Presidential Decision Directive 63 (PDD 63), which set as a national goal the ability to protect the nation’s critical infrastructure from intentional attacks, both physical and cyber, and reorganized the government to that end. Each succeeding president would sign his own executive order on the protection of the nation’s critical infrastructure, expanding on the policies and approaches laid out in EO 13010 and PDD 63. The fundamental policy statements would remain the same as those from the original EO 13010 and PDD 63: the protection of infrastructures critical to the people, economy, essential government services, and national security of America. Importantly, EO 13010 raised awareness and sharpened America’s thinking about, and execution of, infrastructure protection as a truly national security issue.
Catherine Lotrionte
Professor
Georgetown University
The EO established the General Marsh Commission. Its key findings were:
- The need to think differently about infrastructure protection
- Information sharing is the most immediate need
- Responsibility is shared among owners and operators and the government
- Infrastructure protection requires a focal point
- We must adapt to a changing culture
Sadly, many of the findings are still true today.
Harvey Rishikof
Senior Counsel
ABA Standing Committee on Law and National Security
One of the recommendations from the President’s Commission on Critical Infrastructure Protection was the need for Information Sharing and Analysis Centers. I was part of the original team at SAIC (now Leidos) who worked to create the world’s first Information Sharing and Analysis Center (ISAC) for the financial services sector which went live on October 1, 1999. As of today, on this milestone, we now have 26 official critical infrastructure information sharing entities. I had the unique experience of building that first ISAC (including being a named co-inventor on the patent), and later spent 13 years as a member of the Financial Services ISAC helping protect some of the world’s largest financial institutions. As a practitioner, I saw first-hand the value of an ISAC, including improved situational awareness and learning effective defenses, controls and countermeasures. Think about how your local neighborhood watch program might work with neighbors looking out for each other. It is similar in an ISAC, where people come together to help each other out. It’s especially true with infosec professionals during an incident. The not-so-obvious benefits of an ISAC include things like drawing upon crowdsourced expertise and – most importantly – learning from others. Personally, I feel like I received exponentially more than what I put into my participation with an ISAC. I learned from my peers about everything from technical infosec issues to managing and leading teams – skills which helped me grow personally and succeed professionally. Where are we today? We still have areas for improvement, like leveraging automation to make us more effective and creating public policy that encourages more information sharing. Yet I know that we are on the right path, as there are countless examples when ISACs helped keep our critical infrastructure safe and secure, but that’s for another article. Find your ISAC here and get involved!
Errol Weiss
Chief Security Officer
Health-ISAC
In the shadow of the COVID-19 pandemic, society recognizes more than ever the importance of critical infrastructure. The nation and the world experienced the consequences of infrastructure being overwhelmed by demand and being hampered by compromised interdependencies and diminished supply chains. We experienced the outcomes when the infrastructure services that we depend upon to provide for safety, security, and prosperity are at risk. Threats from COVID-19, while significant, are only a thin slice of the litany of persistent and emerging threats infrastructure endures – earthquakes, wildfires, flooding, extreme heat and cold, and hurricanes; ransomware and denial of service attacks; accidents; criminal malfeasance – to name a few more. Executive Order 13010 highlighted the importance of infrastructure to national security and began the hard work of defining what is critical and why; establishing networks and mechanisms to proactively mitigate threats and respond when threatened; building capacities across sectors to build resilient infrastructure; and maturing governance of critical infrastructure globally. Despite this progress, work to protect critical infrastructure remains. Technological and economic innovation simultaneously create new capabilities for infrastructure resilience and vulnerabilities to be compromised while new insights emerge about systemic risks across our economy and novel governance approaches to managing them.
Henry Willis
Director; Strategy, Policy, and Operations Program
Acting Director; Personnel and Resources Program Homeland Security Operational Analysis Center
RAND Corporation
EO 13010’s primary purpose was to create a Presidential Commission to study the vulnerabilities of our nation’s critical infrastructure and to recommend a comprehensive national policy and implementation strategy for protecting critical infrastructures from physical and cyber threats, and assuring their continued operation. The Commission’s report recognized that the protection of critical infrastructure in America was originally designed to respond to the industrial revolution, then was adjusted for the Civil War, the Great Depression, World War II, and the Cold War’s nuclear stand-off. Published in 1997, it was oriented on information technology and the potential for cyber-centric warfare to be the next major influencer. It did not predict the impact of widespread terrorism acts such as what happened four years later on September 11, 2001. However, it did recommend the creation of several new organizations focused on information sharing and analysis that were in place and fully functional during the terrorist attacks.
Following the PCCIP’s recommendations, President Clinton signed Presidential Decision Directive 63 (PDD-63) in May 1998. The Directive designated eight specific infrastructure sectors with corresponding lead agencies, and lead agencies for special functions such as law enforcement and foreign intelligence. It also directed the creation of two warning and information centers.
The first was the National Infrastructure Protection Center (NIPC), hosted by the FBI and staffed by investigators from the Bureau, the US Secret Service, and other agencies. Its purpose was to serve as a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity. The NIPC was the focal point for coordinating federal responses to various cyber incidents like Solar Sunrise and Moonlight Maze, and of course to the 9/11 terrorist attacks. The NIPC was merged into the Department of Homeland Security in 2003.
The second organization was a single Information Sharing and Analysis Center (ISAC) to be created and staffed by the private sector. Ultimately several ISACs were established, the first serving the Financial Services sector as the FS-ISAC. Other initial ISACs were formed for the Communications sector, the Electricity sub-sector, and the Information Technology sector. Several additional sector ISACs were established over the next two decades. The newest – the Elections Infrastructure ISAC – launched in 2018.
Since DHS opened its doors in 2003 the lead for national critical infrastructure coordination has been through one of its subordinate organizations. Beginning with the Information Analysis and Infrastructure Protection Directorate, responsibility transferred to the National Protection and Programs Directorate in 2007, then to the Cybersecurity and Infrastructure Security Agency in 2018. Today there are 16 recognized critical infrastructure sectors, each with corresponding Sector Coordinating Councils (SCCs), Government Coordinating Councils (GCCs), and sector ISACs.
We are in a much better place today with respect to critical infrastructure security than we were 25 years ago. Our understanding of cyber and physical threats is deeper, and we can better prepare for, and respond to, attacks on our infrastructure. New cyber threat actor techniques like ransomware and supply chain attacks; emerging technologies such as artificial intelligence, machine learning, autonomous systems, blockchain, and quantum computing; and changing social norms empowered by social media platforms will continue to challenge the way we think about protecting our critical assets. Just like the transformation from an industrial era to a nuclear era to an information era, we need to continue to look beyond the horizon and anticipate the next transition, the next types of vulnerabilities, and the next types of threats.
###
Contributors include the McCrary Institute Senior Fellows quoted above, as well as the McCrary Institute’s Director Frank Cilluffo, Deputy Director for Policy Sharon Cardash, and Operations Coordinator Matthew Edwards.
Marcus Sachs is the McCrary Institute’s Deputy Director for Research. He is a retired US Army officer and served on the staff of the National Security Council from February 2002 to May 2003. He was named as the first Cyber Program Director at the Department of Homeland Security in 2003. In the private sector he has served as Verizon’s Vice President for National Security Policy and as the North American Electric Reliability Corporation’s Chief Security Officer.
The opinions expressed here are those of the author alone.