The Critical Infrastructure Assurance Office (CIAO) was created by Presidential Decision Directive 63 (PDD-63) on May 22, 1998. This directive reflected many of the recommendations of the President's Commission on Critical Infrastructure Protection (PCCIP), which recognized and underscored the national security implications of critical infrastructure protection. One of the PCCIP's principal recommendations was the creation of a government office to coordinate the full range of public-private partnership issues related to critical infrastructure protection. The Commission recommended placing this office in the Commerce Department because of the importance of developing, together with industry, mechanisms to collect and share information about critical infrastructure issues. In response to this recommendation, the CIAO was created in the Department of Commerce Bureau of Export Administration on October 1, 1998.
The CIAO is the National Plan coordinating office defined by PDD-63, with the following missions: to coordinate and prepare the National Plan for Infrastructure Protection; to coordinate analyses of the U.S. Government's own dependencies on critical infrastructures; to coordinate national education and awareness programs, including outreach efforts to the private sector aimed at building a public-private partnership; and to conduct legislative and public affairs in support of the PDD-63 charter. During FY99, the CIAO was organized into an operational unit and began to carry out its PDD-63 missions, as described below.
A major effort of the CIAO during FY99 was the coordination of the National Plan for Information Systems Protection. Version 1.0 of the Plan is due out in the first quarter of FY00 and is the first attempt by any national government to design a comprehensive plan to protect its cyberspace. Even as dependencies on our cyber resources increase, the growing threat of highly organized, systematic cyberattack by hostile powers or terrorist organizations creates new risks for every segment of our Nation.
The Plan outlines steps to reduce these risks to a level acceptable to the American people. In PDD-63, the President established a national goal that the United States would achieve and maintain the ability to protect our Nation's critical infrastructures from intentional acts that would significantly diminish the abilities of:
The CIAO coordinated the Plan's development throughout FY99, working closely with the Federal agencies and departments responsible for writing and reviewing the Plan. Several drafts were circulated for comment, and changes were made to the Plan as needed to reflect the consensus of all reviewers.
While the initial version of the Plan addresses only cyber threats, the CIAO began, in August 1999, to address physical threats and it is currently coordinating the preparation of a physical protection plan. Future versions of the National Plan will address both cyber and physical threats.
PDD-63 provides that each department and agency shall develop a plan for protecting its own critical infrastructure by November 18, 1998, and that the Critical Infrastructure Coordination Group (CICG) shall sponsor an expert review process for each plan. This Expert Review Team (ERT) was housed in the CIAO and worked in conjunction with the NSC, OMB, and GSA.
The role of the ERT was to assist the departments and agencies in achieving initial operating capability by May 22, 2000, and in achieving and maintaining the ability to protect their critical infrastructures from attacks that would significantly diminish their ability to perform essential public services.
Plans were filed by the 13 agencies specifically addressed by the PDD, and accordingly classified as Phase One agencies. The ERT reviewed and commented on the plans filed by the Phase One agencies, and requested that the plans be revised in accord with the comments and re-filed within 90 days. This was done.
In order to expand the effort to protect critical infrastructures, the National Coordinator and the OMB Deputy Director, in a joint letter dated October 30, 1998, requested that eight additional agencies be classified as Phase Two agencies, and that they file their plans by February 1, 1999. Six of these agencies submitted plans. The ERT reviewed and commented on them and requested that the plans be revised in accordance with the comments and re-filed within 90 days.
Follow-up efforts continued through the end of FY99 with the Phase One and Two agencies. The ERT stands ready to provide consultation to these agencies, as they move from the planning stage to the implementation process, by assisting them in assembling technical support from other agencies and contractors.
The ERT also completed development of a primer on cyber security to provide guidance to federal agencies in the following areas:
During January 1999, the CIAO sponsored a conference to address issues associated with, and models for, Information Sharing and Analysis Centers (ISACs); it was attended by 70 representatives of government and industry. How issues such as antitrust, liability, freedom of information, privacy, and unwanted criminal investigations play out depends on the nature of the partnership and the methods used to share information. The CIAO included a discussion of these issues during the January 1999 conference.
The CIAO made every effort to assist federal lead agencies in their outreach to industry sectors. Following the January conference, the banking and finance industries established subgroups to examine the creation of a CEO council, vulnerability/risk assessments, Information Sharing and Analysis Centers (ISACs), and research and development. The first result of these efforts was the establishment of a privately sponsored laboratory to examine and endorse technology implementations for financial services. The second accomplishment of the group was the recently announced creation of a Financial Services ISAC (FS-ISAC), the first of the information-sharing entities that PDD-63 calls for. The CIAO continues to support the Department of the Treasury in responding to the needs of the sector's industries.
The Department of Energy was very active as the sector liaison with the electric power industries. The North American Electric Reliability Council (NERC) has held conferences and private discussions to consider developing a business case for action, determining what information can be shared to better secure critical services, and forming one or more ISACs. The CIAO continues to support these efforts and to assist the DOE in finding ways to involve the gas and petroleum segments of the energy sector.
During July 1999, the CIAO supported a Department of Justice workshop to identify the problems posed by Freedom of Information Act requests as they pertain to private-industry information that has been shared with the federal government. A government working group was formed that will develop possible remedies and coordinate with representatives from private industry.
In addition to supporting Federal lead agency efforts to establish partnerships with industry, the CIAO worked with self-regulating bodies such as the Securities and Exchange Commission (SEC). The SEC implemented methods to address Year 2000 readiness and is examining ways to extend them to "operational capabilities." Private industry indicated that the latter proposal was too vague, but has offered to assist the SEC in refining the concept and in examining whether further regulation is needed.
During February 1999, the CIAO developed an action plan for outreach to the audit community. The practices of this community extend across the industry sectors identified by the PCCIP and adopted in PDD-63. The internal auditing community has the responsibility to examine industry practices and make recommendations to corporate boards and CEOs to ensure business survivability. During the last three quarters of FY99, the CIAO was invited to give presentations at audit community conferences and in private discussions with various audit associations. The response of these communities has been very positive. The CIAO is currently supporting an industry project to raise awareness within the risk management community, develop a business case for action, and begin the process of examining best practices and standards. A parallel outreach effort has been initiated with the federal government's Offices of Inspector General, with similar interest from that community.
In addition to private sector outreach, CIAO also contacted state and local governments. Initial interaction with New Mexico's Critical Infrastructure Assurance Council (NMCIAC) and with Virginia's new Secretary of Technology demonstrated the need to recognize the involvement of state and local governments in the overall CIP effort.
Similarly, CIAO interacted with the National League of Cities' Public Safety and Crime Prevention Committee (PSCP) to coordinate how best to approach municipal governments on CIP issues, and to determine the issues of highest priority at the municipal level. Given that local governments are most likely to be the "first responders" to any terrorist or infrastructure event, municipal representatives placed their highest priority on initiatives that aid their cities' and towns' responses to terrorism (cyber-, bio- or chem-) or to other public safety events.
The CIAO played a key role in efforts to systematically establish research requirements and priorities needed to implement the National Plan, ensure their funding, and create a system to ensure that our information security technology stays abreast of changes in the threat and in overall information systems.
The interagency Critical Infrastructure Coordination Group (CICG) created a process to identify technology requirements in support of the Plan. CIAO is represented on the Research and Development Sub-Group, chaired by the Office of Science and Technology Policy (OSTP), that worked with government agencies and the private sector to:
Another major effort of a technical nature undertaken in FY99 is the Federal Intrusion Detection Network (FIDNet). CIAO worked closely with the National Infrastructure Protection Center (NIPC) and the General Services Administration (GSA) to develop the original design concept for FIDNet. This included an Initial Concept of Operations document prepared in May 1999 by a contractor to NIPC.
The CIAO coordinated an interagency legal review of issues raised by the FIDNet concept to ensure that FIDNet's design and implementation, as well as the overall FIDNet concept, protect the privacy rights of American citizens and are consistent with the Electronic Communications Privacy Act (ECPA) and other law. A preliminary legal review by the Department of Justice found that the FIDNet concept complied with the stringent privacy provisions of ECPA. The interagency legal review, which includes the Office of Management and Budget and other federal agencies, is ongoing.
As a key member of the Detection & Warning Interagency Working Group, CIAO, with GSA, NIPC and others, studied a variety of responses to the problem of computer intrusions. This joint group began exploration of possible intrusion detection schemes that would be most effective at the Federal level while minimizing both their financial cost and their operational intrusiveness into the internal computer networks of departments and agencies. This Interagency Working Group also formed the nucleus of a program office for FIDNet. As a member of the IWG, CIAO supported the establishment of this program office, housed within GSA's Office of Information Security.
CIAO also assessed the vulnerabilities of the Public Switched Network to attack, in close coordination with the National Communications System and its National Coordinating Center. CIAO used this input to better assess alternative communications systems -- those not directly connected to the Public Switched Network, such as new satellite communications systems -- which are or may be available to the federal government to assure its communications connectivity during and after an attack on infrastructures or other catastrophic events.
In furtherance of public-private partnerships, CIAO began dialogues with key vendors in the Internet economy. CIAO explored the viability of biometric solution sets as components of the CIP agenda. These solutions reduce, if not remove, the vulnerabilities associated with lost or compromised computer passwords by authenticating users with a physical characteristic, e.g., by reading fingerprints or, in those cases requiring even higher levels of security, by conducting retinal scans.
CIAO also began dialogues with the Department of Energy's Sandia National Laboratory to assess the vulnerabilities of the telemetry systems common in the energy sector -- supervisory control and data acquisition (SCADA) systems. Participation in the DARPA-sponsored Counter CyberTerrorism Conference led to detailed discussions of software engineering techniques and solutions that will better protect CIP systems.
The CIAO grew out of the PCCIP, which was administratively housed in DOD; planning for the CIAO began in the summer of 1998 under DOD. This required the CIAO to coordinate and establish organization and staffing plans and actions; implement Cooperation Of Operations Plan activities; coordinate a staffing process for new employees and use temporary contracting procedures where appropriate to meet shorter-term personnel needs; acquire key new staff to facilitate CIAO program operations; and coordinate budget-related activities. The CIAO commenced operations on October 1, 1998 as a Commerce Department organization.
In April 2002 the Bureau of Export Administration (BXA) changed its name to the Bureau of Industry and Security (BIS). For historical purposes, we have not changed the references to BXA in the legacy documents found in the Archived Press and Public Information.