CDT Cyber Security: Critical Infrastructure

Join With CDT in Making an Impact on Internet Policy!

Wiretap Overview

Overview Government Surveillance of Telephones and the Internet

Search & Seizure
The Dept. of Justice has written a manual on the rules for seizing evidence stored in computers. "Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations"

Carnivore
Carnivore is a computer program designed by the FBI to intercept Internet communications.

CDT's Carnivore Reference Page

CALEA
The Communications Assistance for Law Enforcement Act of 1994 (CALEA) was supposed to preserve law enforcement surveillance capabilities in the face of technological chage, but the FBI has been trying to use it to claim control over the design of the telephone network to enhance its surveillance powers.

CDT's CALEA Reference Page

Roving Wiretaps
A roving wiretap order allows the government to tap any phone lines that a suspect may use.

-Congress Passes "Roving Wiretaps," Expands Surveillance Authority
-E-RIGHTS Bill (S. 854) tightens standard for roving taps

Echelon
Echelon is a secretive international surveillance system that operates outside of the normal limitations of the Constitution.

International Monitoring by US government

FIDNet
FIDNet is a comprehensive monitoring system intended to protect government computers, but it raises serious privacy concerns.

CDT's FIDNet Reference Page

CESA
CESA was a bill proposed by the Clinton Administration that would allow the government to seize decryption keys without notice to the user.

CDT's CESA Reference Page

Articles

Jerry Berman and Lara Flint, Guiding Lights: Intelligence Oversight and Control for the Challenge of Terrorism Criminal Justice Ethics, Vol. 22, No. 1 (Winter/Spring, 2003)
Critical Infrastructure Protection: Threats to Privacy and Other Civil Liberties and Concerns with Government Mandates on Industry DePaul Business Law Journal (1999-2000)
Communications Privacy In The Digital Age: Revitalizing The Federal Wiretap Laws To Enhance Privacy Albany Law Journal of Science & Technology (1997)
CIO Cyberthreat Response and Reporting Guidelines Guidelines for responding to attacks on computer systems endorsed by the F.B.I. and the Secret Service, published in CIOmagazine, a trade publication, Feb 2002.

Critical Infrastructure Protection (CIP)

The computer networks upon which the country relies for power grids, banking, communications and other critical services are not secure from hacker attacks.

Executive Branch Initiatives

The security of these crucial systems must be improved, but the lead role must be taken by industry, not government and there must be a balance between that security and the rights of citizens. The government has proposed answers to the problem that will infringe on privacy rights while not providing adequate security.

On December 17, 2003, the White House issued Homeland Security Presidential Directive / HSPD-7, establishing a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks, and Homeland Security Presidential Directive / HSPD-8 on National Preparedness, establishing policies to strengthen the preparedness of the United States to prevent and respond to threatened or actual domestic terrorist attacks, major disasters, and other emergencies by requiring a national domestic all-hazards preparedness goal, establishing mechanisms for improved delivery of Federal preparedness assistance to State and local governments, and outlining actions to strengthen preparedness capabilities of Federal, State, and local entities.
Further critical infrastructure resources http://www.dhs.gov/dhspublic/display?theme=74
On Feb. 28, 2003, the White House issued a new executive order on critical infrastrucutre protection that, among other things, eliminated the President's Critical Infrastructure Protection Board -- a group that brought together top officials from every agency throughout government to address cybersecurity issues. Press reports indicate that officials are discussing creating a critical infrastructure committee on the President's Homeland Security Advisory Council, and the administration may also continue to have a cybersecurity adviser to the president.
- New E.O.on critical infrastructure protection, February 28, 2003
- E.O. 13231, October 16, 2001 (superceded)
In February 2003, the White House released the final version of The National Strategy to Secure Cyberspace. It is described as an implementing component of the National Strategy for Homeland Security and is complemented by a National Strategy for the Physical Protection of Critical Infrastructures and Key Assets. "The purpose of this document is to engage and empower Americans to secure the portions of cyberspace that they own, operate, control, or with which they interact."
Story by Brian Krebs, WashingtonPost.com
On September 18, 2002, the White House released the National Strategy to Secure Cyberspace. The document, labeled a draft, is open for ongoing comment. The document (in PDF) is online. It states "The interests of security and personal privacy need not be antithetical to one another."
- CDT's comments on draft cybersecurity strategy, Nov. 18, 2002
In March 2002, the President's Critical Infrastructure Protection Board issued a notice soliciting advice from the public on how national cybersecurity can be improved. One of the board's primary functions is to draft a national strategy to protect cyber space. It has put together a 53-question survey that offers a preview of what the national strategy will look like. The deadline for public comments was April 20, 2002.
On October 16, 2001, President Bush issued Executive Order 13231, Critical Infrastructure Protection in the Information Age. The order created a federal "critical infrastructure protection" board and charged it with recommending policies and coordinating programs for protecting information systems for critical infrastructure. The Board's wide ambit includes outreach to the private sector and state and local governments, information sharing, incident coordination and crisis response, recruitment of Executive Branch security professionals, coordination of research and development, law enforcement coordination, and international cooperation. The E.O. is online at http://www.whitehouse.gov/news/releases/2001/10/20011016-12.html and http://www.gsa.gov/Portal/content/policies_content.jsp?contentOID=117087&contentType=1006&P=1&S=1

In January 2000, the White House issued a National Plan for Information Systems Protection. "Defending America's Cyberspace: National Plan for Information Systems Protection, Version 1.0, An Invitiation to a Dialogue." Executive Summary [pdf]. January 2000.

A presidential commission in October 1997 highlighted the topic of critical infrastructures and made a series of recommendations for their protection. In May 1998, the President approved a directive [.pdf ] establishing a national critical infrastructure protection policy. The directive created a National Infrastructure Protection Center (NIPC) located within the FBI and a Critical Infrastructure Assurance Office (CIAO) in the Department of Commerce. In January 2000, the White House issued a "National Plan for Information Systems Protection." A number of the proposals advanced in the name of critical infrastructure protection raise serious privacy concerns.

Defending America's Cyberspace: The National Plan for Information System Protection Version 1.0" CIAO web site (pdf of final report [990kb])
Analysis of privacy and civil liberties issues raised by January 7, 2000 National Plan, by CDT senior staff counsel Jim Dempsey and Washington lawyer Mike O'Neil. (Feb. 2000)
Article: Critical Infrastructure Protection: Threats To Privacy And Other Civil Liberties And Concerns With Government Mandates On Industry DePaul Business Law Journal (1999-2000).
Congressional Research Service, "Critical Infrastructures: What Makes an Infrastructure Critical?" [pdf] by John Moteff, Claudia Copeland, and John Fischer, August 30, 2002

Legislative Proposals

Legislation has been proposed that would keep from the public information submitted to the government about cyber vulnerabilities.

CDT analysis of Davis-Moran Cyber Security Information Act - HR 4246, May 4, 2000
Coalition letter opposing Bennett-Kyl legislation (S. 1456) creating FOIA exemption for information on critical infrastructure security, May 7, 2002
Hearing before the Senate Governmental Affairs Committee, on a legislative proposal to create a new exemption to the Freedom of Information Act for certain "critical infrastructure information," May 8, 2002

Addressing the security defects in government computer systems has proven to be a daunting task, hampered by lack of centralized leadership and accountability. For more information, see the prepared statements, including testimony of CDT, presented at a hearing before the House Committee on Government Reform on H.R. 3844, the Federal Information Security Management Act, May 2, 2002

Industry Best Practices

The SANS Institute and the FBI's National Infrastructure Protection Center (NIPC) has identified the Twenty Most Critical Internet Security Vulnerabilities. The list is valuable because the majority of successful attacks on computer systems via the Internet can be traced to exploitation of security flaws on this list. The list should serve as a guide to all operators of computer networks for what steps they need to take to improve the security of their systems. See http://66.129.1.101/top20.htm for details.

Resources

"Computer Security: A Summary of Selected Federal Laws, Executive Orders, and Presidential Directives" by John Moteff, April 16, 2004
Congressional Research Service, "Computer Attack and Cyber Terrorism: Vulnerabilities and Policy Issues for Congress" [pdf] (October 17, 2003)
General Accounting Office (GAO) Testimony, "Information Security: Progress Made, But Challenges Remain to Protect Federal Systems and the Nation's Critical Infrastructures," GAO-03-564T, April 8, 2003
Computer Science and Telecommunications Board, National Academies of Science, Critical Information Infrastructure Protection and the Law: An Overview of Key Issues (March 2003)
"The Myth of Cyberterrorism," Washington Monthly, Nov. 2002
Congressional Research Service, "Critical Infrastructure: Control Systems and the Terrorist Threat," [pdf] updated October 1, 2002

Our Mission / Get Involved / Staff / Publications / Links / Search CDT / Jobs / Action!
Previous Headlines | Legislative Tracking | CDT's Privacy Policy

The Center For Democracy & Technology
1634 Eye Street NW, Suite 1100
Washington, DC 20006
(v) 202.637.9800
(f) 202.637.0968
Contact CDT

Copyright © 2005 by Center for Democracy and Technology.
The content throughout this Web site that originates with CDT can be freely copied and used as long as you make no substantive changes and clearly give us credit. Details.