President's Commission on Critical Infrastructure Protection Warns of Vulnerabilities, Calls for Action

The President's Commission on Critical Infrastructure Protection (see Cipher EI#16, July 28, 1996), the unclassified version of its report in late October, generating considerable press coverage and discussion. The New York Times quoted the commission's chair, Gen. Robert (Tom) March, retired, of the Air Force, as calling attention to the need for the government's computer networks to be the benchmark by which the nation's digital security is measured. He also called attention to the threat from insiders: "You can have good firewalls, good password control, but if you have an insider who intends to do harm, he can bypass many of these good safeguards."

Some advocates of relaxing controls on the export of strong encryption were disappointed that the commission did not go further in recognizing the defensive uses of cryptography. Others responded that "the Commission properly spoke to cryptography in the context of its assigned task; namely, protecting the critical infrastructure. Equally properly, it did not -- and should not -- address cryptography as a national policy issue. The latter debate belongs elsewhere and it is elsewhere."

The report also called for the government and private sector to share responsibility for improving the resilience of the nation's infrastructures. This brought criticisms from some industry representatives that "shared responsibility is a code word for 'You are going to pay for it.'"

Cipher readers wishing to review the report for themselves can find it at: http://www.pccip.gov/.