[15 July 1996]
Executive Order 13010 of July 15, 1996
Critical Infrastructure Protection

"Certain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States. These critical infrastructures include telecommunications, electrical power systems, gas and oil storage and transportation, banking and finance, transportation, water supply systems, emergency services (including medical, police, fire, and rescue), and continuity of government. Threats to these critical infrastructures fall into two categories: physical threats to tangible property (``physical threats''), and threats of electronic, radio-frequency, or computer-based attacks on the information or communications components that control critical infrastructures (``cyber threats''). Because many of these critical infrastructures are owned and operated by the private sector, it is essential that the government and private sector work together to develop a strategy for protecting them and assuring their continued operation." -- from the Order.

E.O. 13010 goes on to establish a Commission on Critical Infrastructure Protection, including both government and private sector representatives, that will establish its objectives within 30 days, will identify and consult with relevant parties concerned with "critical infrastructure assurance issues", and will:

• assess the scope and nature of the vulnerabilities of, and threats to, critical infrastructures;
• determine what legal and policy issues are raised by efforts to protect critical infrastructures and assess how these issues should be addressed;
• recommend a comprehensive national policy and implementation strategy for protecting critical infrastructures from physical and cyber threats and assuring their continued operation;
• propose any statutory or regulatory changes necessary to effect its recommendations; and
• produce reports and recommendations to the Steering Committee as they become available; it shall not limit itself to producing one final report.

The Commission is to be assisted by an Advisory Committee and will report to the President through a Principals Committee. A Steering Committee will approve the Commission's objectives and approve its reports. The Order charters the Commission for twelve months.

The Order also establishes an Infrastructure Protection Task Force (IPTF) within the Department of Justice, chaired by the FBI, to "increase coordination of existing infrastructure protection efforts in order to better address, and prevent, crises that would have a debilitating regional or national impact" while the commission conducts its analysis and before the administration can act on its recommendations. The IPTF is to include at least one full-time member each from the FBI, the Department of Defense, and the National Security Agency, and its function is to identify and coordinate existing expertise, inside and outside of the Federal Government to:

• provide, or facilitate and coordinate the provision of, expert guidance to critical infrastructures to detect, prevent, halt, or confine an attack and to recover and restore service;
• issue threat and warning notices in the event advance information is obtained about a threat;
• provide training and education on methods of reducing vulnerabilities and responding to attacks on critical infrastructures;
• conduct after-action analysis to determine possible future threats, targets, or methods of attack; and
• coordinate with the pertinent law enforcement authorities during or after an attack to facilitate any resulting criminal investigation.

Cipher readers may recall a report in EI#14 that suggested that the Justice Department was pressing for a "Cyberspace Defense policy task force" that would recommend policy within 12 months and a cyberspace defense "entity". E.O. 13010 appears to cast its net wider, in that it addresses water and energy supply and distribution systems, transportation, emergency services, and continuity of government as well as telecommunications, banking, and finance. The IPTF established by the order could, perhaps, fill the role suggested in the earlier report.

The full text of E.O. 13010 is available from the U.S. Government Printing Office at http://www.gpo.gov/su_docs/aces/aces140.html; search for the string "Executive Order 13010".