Redistributed as a Service of the National Library for the Environment

RL30153: Critical Infrastructures:
| Department/Agency | Sector/Function |
|---|---|
| Commerce | Information and Communications |
| Treasury | Banking and Finance |
| EPA | Water |
| Transportation | Transportation |
| Justice | Emergency Law Enforcement |
| Federal Emergency Management Agency | Emergency Fire Service |
| Health and Human Services | Emergency Medicine |
| Energy | Electric Power, Gas, and Oil |
| Justice | Law Enforcement and International Security |
| Director of Central Intelligence | Intelligence |
| State | Foreign Affairs |
| Defense | National Defense |
The PDD creates the position of National Coordinator for Security, Infrastructure Protection, and Counter-terrorism, who reports to the President through the Assistant to the President for National Security Affairs. (7) Among his many duties, the National Coordinator will chair the Critical Infrastructure Coordination Group. This Group will be the primary interagency working group for developing and implementing policy and for coordinating the federal government's own internal security measures. The Group includes high-level representatives from the lead agencies (including the Sector Liaisons), the National Economic Council, and all other relevant agencies.
Each federal agency is responsible for securing its own critical infrastructure and shall designate a Critical Infrastructure Assurance Officer (CIAO) to assume that responsibility. The agency's current Chief Information Officer (CIO) may double in that capacity. In those cases where the CIO and the CIAO are different, the CIO is responsible for assuring the agency's information assets (databases, software, computers), while the CIAO is responsible for any other assets that make up that agency's critical infrastructure. The lead agencies listed in the Directive and others listed as primary agencies (Federal Bureau of Investigation, Central Intelligence Agency, Veterans Affairs, and the National Security Agency) were given 180 days from the signing of the Directive to develop their plans. Those plans are to be fully implemented within 2 years and updated every 2 years.
The PDD sets up a National Infrastructure Assurance Council. The Council will be a panel that includes private operators of infrastructure assets, officials from state and local governments, and officials from relevant federal agencies. The Council will meet periodically and provide reports to the President as appropriate. The National Coordinator will act as the Executive Director of the Council.
The PDD also calls for a National Infrastructure Assurance Plan. The Plan is to integrate the plans from each of the sectors mentioned above and should consider the following: a vulnerability assessment, including the minimum essential capability required of the sector's infrastructure to meet its purpose; remedial plans to reduce the sector's vulnerability; warning requirements and procedures; response strategies; reconstitution of services; education and awareness programs; research and development needs; intelligence strategies; needs and opportunities for international cooperation; and legislative and budgetary requirements.
The PDD also sets up a National Plan Coordination Staff to support the plan's development. This function will be performed by the Critical Infrastructure Assurance Office (CIAO, not to be confused with the agencies' Critical Infrastructure Assurance Officers) and has been placed in the Department of Commerce. CIAO will support the National Coordinator's efforts to integrate the sectoral plans into a National Plan, will support individual agencies in developing their internal plans, will help coordinate national education and awareness programs, and will provide legislative and public affairs support.
In addition to the above activities, the PDD called for studies on specific topics. These include issues of: liability that might arise from private firms participating in an information sharing process; legal impediments to information sharing; classification of information and granting of clearances (efforts to share threat and vulnerability information with private sector CEOs have been hampered by the need to convey that information in a classified manner); information sharing with foreign entities; and the merits of mandating, subsidizing or otherwise assisting in the provision of insurance for selected infrastructure providers.
Most of the Directive establishes policy-making and oversight bodies that make use of existing agency authorities and expertise. However, the PDD also addresses operational concerns. The Directive calls for a national capability to detect and respond to attacks while they are in progress. Although not specifically identified in the Directive, the Administration has proposed establishing a Federal Intrusion Detection Network (FIDNET) and a Federal Computer Intrusion Response Capability (FedCIRC) to meet this goal. Current proposals have the General Services Administration managing both efforts, but both would be staffed by experts from across the government. FIDNET would help agencies detect intrusions and FedCIRC would help them respond. The Directive does explicitly give the Federal Bureau of Investigation the authority to expand its existing computer crime capabilities into a National Infrastructure Protection Center (NIPC). According to the Directive, the NIPC is to be the focal point for federal threat assessment, vulnerability analysis, early warning capability, law enforcement investigations, and response coordination. All agencies will be required to forward to the NIPC information about threats and actual attacks on their infrastructure as well as attacks made on private sector infrastructures of which they become aware. Presumably, FIDNET and FedCIRC would feed into the NIPC. The Directive also provides that the NIPC will be linked electronically to the rest of the federal government and that it will be the conduit for information sharing with the private sector through equivalent Information Sharing and Analysis Center(s) operated by the private sector.
While the FBI is given the lead, the NIPC will also include the Department of Defense, the Intelligence Community, and a representative from all lead agencies. Depending on the level of threat or the character of the intrusion, the NIPC may be placed in direct support of either the Department of Defense or the Intelligence Community. The NIPC will utilize warning and response expertise located throughout the federal government.
Implementing PDD-63: Status as of February 2000
Selection of Sector Liaison Officials and Functional Coordinators. All lead agencies and lead functional agencies have appointed their Sector Liaison Officials and Functional Coordinators.
Identifying and Selecting Sector Coordinators. The identification of sector coordinators is proceeding with mixed results. The table below shows those individuals or groups that have agreed to act as Coordinators or have been approached by the lead agency.
Different sectors present different challenges to identifying a coordinator. Some sectors are more diverse than others (e.g. transportation includes rail, air, waterways, and highways; information and communications includes computers, software, and wire and wireless communications), which raises the issue of how to have all the relevant players represented. Other sectors are fragmented, consisting of small or local entities. Some sectors, such as banking, telecommunications, and energy, have more experience than others in working with the federal government and/or working collectively to assure the performance of their systems.
Besides such structural issues are ones related to competition. Inherent in the exercise is asking competitors to cooperate. In some cases it is asking competing industries to cooperate. This cooperation not only raises issues of trust among firms, but also concerns regarding anti-trust rules. Also, having these groups in direct communication with the federal government raises questions about their relationship to the federal government as governed by the Federal Advisory Committee Act (5 USC Appendix) and about how the Freedom of Information Act (5 USC 552) applies to them and to the information that may be exchanged.
For the most part, the sector coordinators selected to date have undertaken awareness and education activities not only to acquaint their constituents with the threats and risks of cyber attack on their systems (which in many cases is already known) but also about the efforts and goals of PDD-63. Typically these activities are carried out through regular trade/professional association committee meetings, conferences, etc.
| Lead Agency | Identified Sector Coordinators |
|---|---|
| Commerce | A consortium of 3 associations: Information Technology Assn. of America; Telecommunications Industry Assn.; U.S. Telephone Assn. |
| Treasury | Steven Katz - Citigroup |
| EPA | Assn. of Metropolitan Water Agencies |
| Energy | North American Electric Reliability Council and National Petroleum Council |
| Transportation | Association of American Railroads (under discussion) |
| Health and Human Services | |
| FEMA | |
| Justice | |
Of the largely privately-operated sectors, only the transportation sector has yet to identify a Coordinator. The Department of Transportation has contacted the Association of American Railroads to discuss its interest in acting as Coordinator for the railroad industry, after talks with the National Defense Transportation Association (which includes rail and air) concluded that it was too small. FEMA, too, is still trying to identify a group that could represent the country's emergency/fire service providers. FEMA has discussed cyber issues with state and local governments in the context of the Y2K problem, but has not identified a central coordinator for handling cyber attacks on state- or local-operated infrastructures. (8) Nor has the Department of Health and Human Services identified a central coordinator for the emergency medical community. The Department of Justice also has not identified a single coordinator for emergency law enforcement but is using existing outreach programs at the FBI and the NIPC to promote awareness and education activities.
Appointment of the National Infrastructure Assurance Council. The Administration released an Executive Order (13130) in July 1999, establishing such a council. Names of potential Council members have been forwarded to the White House.
Selection of Agency CIAOs. All agencies have made permanent or acting CIAO appointments.
Internal Agency Plans. All of the lead and primary agencies designated in PDD-63 met the initial deadline for submitting their internal plans for protecting their own critical infrastructures from attacks and for responding to intrusions. The Critical Infrastructure Assurance Office assembled an expert team to review the plans. The plans were assessed in 12 areas including schedule/milestone planning, resource requirements, and knowledge of existing authorities and guidance. The assessment team handed back the initial plans with comments. Agencies were given 90 days to respond to these comments.
A second tier of agencies identified by the National Coordinator was also required to submit plans. These were Agriculture, Education, Housing and Urban Development, Labor, Interior, General Services Administration, National Aeronautics and Space Administration and the Nuclear Regulatory Commission. Their plans were turned in by the end of February 1999. These, too, have been reviewed by the team and sent back with comments. Of the 22 agencies required to submit plans, 16 resubmitted plans in response to first round comments.
Initially the process of reviewing these agency plans was to continue until all concerns were addressed. Over the summer of 1999, however, review efforts slowed and subsequent reviews were put on hold as the efficacy of the reviews was debated. Some within the CIAO felt that the plans were too general and lacked a clear understanding of what constituted a "critical asset" and of the interdependencies of those assets. As a result of that internal debate, the CIAO has redirected its resources to institute a new program called Project Matrix. Project Matrix is a three-step process by which an agency can identify and assess its most critical assets, identify the dependencies of those assets on other systems (including those beyond the direct control of the agency), and prioritize them. CIAO has offered this analysis to 14 agencies, some not bound by PDD-63 (e.g. the Social Security Administration and the Securities and Exchange Commission). Participation by the agencies is voluntary. Responsibility for review of agency critical infrastructure plans has been given to the National Institute of Standards and Technology, the support for which appeared in the Administration's FY2001 budget request (see Appendix).
According to the National Plan released in January 2000 (see below), all primary and secondary agencies are to have completed preliminary vulnerability analyses and to have outlined proposed remedial actions. Again, according to the National Plan, those remedial actions were to be budgeted for and submitted as part of the agencies' FY2001 budget submissions to the Office of Management and Budget and every year thereafter. However, given the discussion above, the comprehensiveness of these plans at this time may be in question.
National Critical Infrastructure Plan. The Administration, after some delay, released Version 1.0 of its National Plan for Information Systems Protection in January 2000. The Plan focuses primarily on efforts within the federal government, dividing those between government-wide efforts and those unique to the national security community. A second component dealing with the private sector and state and local governments is in a formative stage. A plan for the physical protection of critical assets is also to be developed. The Plan (159 pages) will not be summarized here in any detail. The reader is referred to the CIAO website (http://www.ciao.gov) for either the executive summary or the full text of the Plan. Essentially, the Plan identifies 10 "programs" under three broad objectives (see Table 3, below).
Table 3. National Plan for Information Systems Protection Version 1.0

Goal: Achieve a critical information systems defense with an initial operating capability by December 2000, and a full operating capability by May 2003...that ensures any interruption or manipulation of these critical functions must be brief, infrequent, manageable, geographically isolated, and minimally detrimental to the welfare of the United States.

| Objectives | Programs |
|---|---|
| Prepare and Prevent | Identify critical infrastructures and interdependencies and address vulnerabilities |
| Detect and Respond | Detect attacks and unauthorized intrusions |
| | Develop robust intelligence and law enforcement capabilities consistent with the law |
| | Share attack warnings and information in a timely manner |
| | Create capabilities for response, reconstitution, and recovery |
| Build Strong Foundations | Enhance research and development in the above mentioned areas |
| | Train and employ adequate numbers of information security specialists |
| | Make Americans aware of the need for improved cyber-security |
| | Adopt legislation and appropriations in support of effort |

At every step of the process, ensure full protection of American citizens' civil liberties, rights to privacy, and rights to protection of proprietary information.
Each program contains some specific actions to be taken, capabilities to be established, and dates by which these shall be accomplished. Other activities, capabilities, and dates are more general (e.g. during FY2001).
Some notable specific milestones include:
The Plan includes a number of new initiatives identified by the Administration. These are identified in the appendix of this report. Of course, the ability to meet some of these milestones will depend on the willingness of Congress to appropriate funds to carry them out.
Information Sharing and Analysis Center (ISAC). PDD-63 envisaged an ISAC to be the private sector counterpart to the FBI's National Infrastructure Protection Center (NIPC), collecting and sharing incident and response information among its members and facilitating information exchange between government and the private sector. It is one of the critical recommendations made in the PCCIP and probably one of the hardest to realize. While the Directive conceived of a single center serving the entire private sector, the idea now is that each sector would have its own center. The Administration's FY2000 budget request included $8 million, $1 million for each of the primary liaison agencies, to support the establishment of ISACs for each sector.
The different sectors have different views regarding ISACs. Approximately 50 to 75 entities within the banking and finance sector (individual firms and subsidiaries within firms) have agreed to join together in a limited liability corporation to form an industry ISAC. An executive of Bank America chairs the CEO Council that acts as the corporation's board. The group has contracted with an internet service provider (9) (ISP) to design and operate the ISAC. Individual firms will feed raw computer network traffic data to the ISAC. The ISP will maintain a database, analyze it for suspicious behavior, and provide its customers with summary reports. If suspicious behavior is detected, the analysis may be forwarded to the federal government. Anonymity would be maintained between participants and outside the ISAC. The ISP will forward to its customers alerts and other information provided by the federal government. The ISAC became operational in October 1999.
The telecommunications industry has agreed to establish an ISAC through the National Coordinating Center (NCC). The NCC is a government-industry partnership that coordinates responses to disruptions in the National Communications System. Unlike the banking and finance ISAC, which will use a third party for centralized monitoring and analysis, each member firm of the NCC will monitor and analyze its own traffic data. If a firm suspects its network(s) have been breached, it will discuss the incident(s) within the NCC. The NCC members will decide whether the suspected behavior is serious enough to report to the appropriate federal authorities. Anonymity will be maintained outside the NCC. Any communication between federal authorities and member firms will take place through the NCC; this includes incident response and requests for additional information (10).
The electric power sector, too, has established a decentralized ISAC through its North American Electric Reliability Council (NAERC). Much like the NCC, NAERC already monitors and coordinates responses to supply disruptions. It is in this forum that information security issues and incidents will be shared. The National Petroleum Council is still considering setting up an ISAC with its members.
Other industries are less certain about the feasibility of establishing an ISAC in their sector. The Information Technology Association of America is shying away from taking the lead in establishing an ISAC for the Information Technology industry since it would be contracting with its own members to build one. Many members of the association view themselves more as infrastructure providers and not operators, although some members are internet service providers. The country's water authorities are leaning toward individual protections but no centralized analysis or reporting function. Individual water authorities have existing lines of communications with the FBI through which they could report suspicious behavior. The same could be true for the other local and state emergency services sectors.
In addition to these individual sectors setting up or contemplating ISACs, a number of sectors have formed a Partnership for Critical Infrastructure Security to share information and strategies and to identify interdependencies across industry lines. The Partnership is a private sector initiative. A preliminary meeting was held in December 1999 and five working groups were established (Interdependencies/Vulnerability Assessment, Cross-Sector Information Sharing, Legislation and Policy, Research and Development, and Organization). The working groups meet every other month. The federal government is not officially part of the Partnership, but the CIAO acts as a liaison and has provided administrative support for meetings. Sector Liaisons from lead agencies are considered ex officio members. Some entities not yet part of their own industry group (e.g. some hospitals and pharmaceutical firms) are interested in participating in the Partnership.
Also, besides the efforts of the lead agencies to assist their sectors in considering ISACs, the NIPC offers private sector firms from across all industries a program called INFRAGARD. The program includes an Alert Network. Participants in the program agree to supply the FBI with two reports when they suspect an intrusion of their systems has occurred. One report is "sanitized" of sensitive information and the other provides a more detailed description of the intrusion. The FBI will help the participant respond to the intrusion. In addition, all participants are sent periodic updates on what is known about recent intrusion techniques. The NIPC is working to set up local INFRAGARD chapters that can work with each other and with regional FBI field offices.
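The two-report model described above (a "sanitized" report that can be shared widely and a detailed one kept for the responder) is the same redaction problem the sector ISACs face when they promise anonymity among participants. The Python below is an added example, not code from the report, INFRAGARD, the NIPC or any ISAC. It assumes a report format, organization name, internal domain and keying secret of my own construction; the sample incident is likewise constructed. Internal addresses, internal hostnames and the organization name are replaced with keyed pseudonyms, so that a recipient can still tell when two reports concern the same host without learning which host it is, while external addresses, which are the information the recipient actually needs, are left intact.

```python
"""Build a detailed and a sanitized version of one incident report.

Added example (not from the CRS report or any ISAC). The report format,
organisation name, internal domain and key below are all constructed.
"""
import hashlib
import hmac
import ipaddress
import re
from copy import deepcopy

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Address ranges treated as "internal" for this example. The ipaddress
# module's is_private also covers the documentation ranges (203.0.113.0/24
# etc.), so the check is spelled out explicitly.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


class Sanitizer:
    """Replaces identifiers that tie a report to the reporting organisation."""

    def __init__(self, org_name: str, internal_domains, secret: bytes):
        self.org_name = org_name
        self.internal_domains = [d.lower() for d in internal_domains]
        self.secret = secret  # per-organisation key; never leaves the reporter

    def pseudonym(self, kind: str, value: str) -> str:
        """Stable, keyed token: same input gives the same token, but the token
        cannot be reversed or brute-forced without the organisation's key."""
        msg = f"{kind}:{value.lower()}".encode()
        tag = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:8]
        return f"<{kind}-{tag}>"

    def _redact_ip(self, match: re.Match) -> str:
        ip = match.group(0)
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return ip  # not a real address (e.g. a version string); leave it
        if any(addr in net for net in INTERNAL_NETS):
            return self.pseudonym("internal-ip", ip)
        return ip  # external addresses are what the recipient needs to correlate

    def _redact_hostnames(self, text: str) -> str:
        for dom in self.internal_domains:
            pattern = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\." + re.escape(dom) + r"\b", re.I)
            text = pattern.sub(lambda m: self.pseudonym("host", m.group(0)), text)
        return text

    def redact_text(self, text: str) -> str:
        """Apply all redactions to a free-text field."""
        text = IPV4_RE.sub(self._redact_ip, text)
        text = self._redact_hostnames(text)
        return re.sub(re.escape(self.org_name), self.pseudonym("org", self.org_name),
                      text, flags=re.I)

    def sanitize(self, report: dict) -> dict:
        """Return the shareable copy; the input (the detailed report) is untouched."""
        out = deepcopy(report)
        out["reporter"] = self.pseudonym("org", self.org_name)
        out["affected_hosts"] = [self.pseudonym("host", h) for h in report["affected_hosts"]]
        out["narrative"] = self.redact_text(report["narrative"])
        out.pop("contact", None)  # point of contact stays in the detailed report only
        return out


def two_tier(report: dict, sanitizer: Sanitizer) -> dict:
    """The two deliverables: the full report and its sanitized counterpart."""
    return {"detailed": report, "sanitized": sanitizer.sanitize(report)}


# Constructed sample incident; 203.0.113.7 is a documentation address.
SAMPLE_REPORT = {
    "reporter": "Acme Bank",
    "contact": "soc@acme-bank.example",
    "affected_hosts": ["payroll-db.corp.acme-bank.example"],
    "narrative": ("Acme Bank SOC saw 203.0.113.7 scan 10.20.30.40 "
                  "(payroll-db.corp.acme-bank.example) on port 445 and then "
                  "attempt repeated logins."),
}

if __name__ == "__main__":
    s = Sanitizer("Acme Bank", ["corp.acme-bank.example"], b"constructed-key")
    for tier, rep in two_tier(SAMPLE_REPORT, s).items():
        print(tier, rep)
```

Because the pseudonyms are keyed, the same reporter produces the same `<host-…>` token for the same machine in every report it sends, which is what lets an analysis center notice a recurring target; a different reporter, with a different key, produces unrelated tokens, so tokens cannot be matched across organizations.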
Administrative. While the Directive deals with infrastructure issues beyond just computer systems and also considers physical protections, the Directive is primarily concerned with "cyber" threats and vulnerabilities and, therefore, is an extension of the government's efforts in computer security. The Directive sought to use existing authorities and expertise as much as possible in assigning responsibilities. Nevertheless, the Directive does set up new entities that, at least at first glance, assume responsibilities previously assigned to others. One question is to what extent the Directive duplicates, supersedes, incorporates, or overturns existing computer security efforts.
For example, the Paperwork Reduction Act of 1995 (P.L. 104-13) placed the responsibility for establishing government-wide information resources management policy with the Director of the Office of Management and Budget. Those policies are outlined in OMB Circular A-130. Appendix III of the Circular incorporates responsibilities for computer security as laid out in the Computer Security Act of 1987. (11) The Computer Security Act requires all agencies to inventory their computer systems and to establish security plans commensurate with the sensitivity of information contained on them. The plans are to be independently reviewed by the National Institute of Standards and Technology and the National Security Agency before being implemented. Agencies are supposed to submit summaries of their security plans along with their strategic information resources management plan to the Office of Management and Budget (OMB). The agencies are to follow technical, managerial, and administrative guidelines laid out by OMB, the Department of Commerce, the General Services Administration, and the Office of Personnel Management, and the plans should include (as detailed in the OMB Circular) incident response plans, contingency plans, and awareness and training programs for personnel. The Director of OMB may comment on those plans.
Under PDD-63, agencies are to submit plans (not dissimilar in content to those called for in the Computer Security Act of 1987 and detailed in OMB Circular A-130 Appendix III) to the CIAO. The Critical Infrastructure Coordination Group assembled an expert review team to review these plans (an "ad hoc" team was set up at CIAO). What role does the Director of OMB now play in reviewing and commenting on agency plans? What role does the National Coordinator, housed within the National Security Council and to whom the CIAO reports, play in the review of and comment on an agency's security plan? (12) Who determines whether an agency's obligation to create an adequate plan has been met?
Among the responsibilities assigned to the Department of Commerce by OMB Circular A-130 Appendix III is the coordination of agency incident response activities to promote sharing of incident response information and related vulnerabilities. This function has now migrated over to the General Services Administration, which is in the process of establishing a Federal Computer Incident and Emergency Response Capability (FedCIRC). But PDD-63 states, and the National Plan reiterates, that the National Infrastructure Protection Center will provide the principal means of facilitating and coordinating the federal government's response to an incident, mitigating attacks, investigating threats, and monitoring reconstitution efforts. Are the lines of authority clearly established between the different organizations, many of which are tasked with doing things that sound similar? What authority or influence will the FBI, as manager of the NIPC, have over these organizations? Also, the NIPC is responsible for warning of, responding to, and investigating intrusions. Are these functions compatible? (13)
The National Plan provides an interesting case in point. The Plan includes a discussion of the Federal Aviation Agency's (FAA) effort in establishing its own Computer Security Incident Response Capability (CSIRC), as a number of other agencies (Department of Energy, National Aeronautics and Space Administration) have done already and which is being promoted by the Directive. The CSIRC is to serve a centralized reporting and monitoring function within FAA. It will carry out FAA-wide intrusion detection, intercepting all network activity that enters each FAA installation. It will support FAA offices by analyzing the intrusion detection data collected. There will be a Computer Incident Response Team (CIRT) trained in handling intrusions and incidents. The CIRT will also provide disaster recovery assistance to restore operations. When the CSIRC detects an intrusion, does it first inform GSA's FIDNET function or the NIPC? Does GSA's FedCIRC function begin helping FAA deal with the intrusion or does the NIPC? Can CSIRC deal with its situation first and then forward information later? Who decides how to balance FAA's need to respond to the intrusion (say kicking the perpetrators off the network) and the FBI's need to gather sufficient evidence to catch and prosecute the perpetrators?
The Computer Security Act of 1987 also established the Computer System Security and Privacy Advisory Board (CSSPAB). The Board reports to the Secretary of Commerce and is tasked with identifying emerging issues relative to computer security and privacy, advising the National Institute of Standards and Technology and the Commerce Secretary on such issues, and reporting to the Secretary of Commerce, the Director of OMB, the Director of the National Security Agency, and appropriate congressional committees. PDD-63 establishes the National Infrastructure Assurance Council. Its duties are to propose and develop ways to encourage private industry to perform periodic risk assessments of critical processes, including information and telecommunications systems, and to monitor the development of private sector ISACs. The Council will report to the President through the National Coordinator, and the Department of Commerce shall act as the President under the Federal Advisory Committee Act. In addition, the National Security Telecommunications Advisory Committee (NSTAC), established by Executive Order 12382 in September 1982, undertook a study beginning in May 1995 on the reliance of the transportation sector, the electric power sector, and the financial services sector on information networks and the risks to those sectors should those networks be compromised. Are these advisory committees/councils duplicating effort or do they offer complementary viewpoints?
There is another bureaucratic issue raised by PDD-63. Prior to the Computer Security Act of 1987, the Reagan Administration established the National Telecommunications and Information Systems Security Committee. (14) The Committee consists of 22 civilian and defense agencies. The National Security Agency was named National Manager. The Committee was tasked with setting operating policies governing the nation's telecommunications system, its classified information systems, and "other sensitive information." The Computer Security Act of 1987 was enacted in part out of congressional concern that the Committee might over-classify government-held information (15). Does PDD-63, by couching critical infrastructures in national security terms and combining DOD and NSA professionals with civilian professionals in operative functions, blur the distinction between classified and unclassified (or national security and civilian) systems, which was a primary focus of the Computer Security Act of 1987? (16)
Related to this issue is one raised by some Members of Congress who have questioned the decision to place CIAO within the Department of Commerce. To them, a threat to the nation's critical infrastructures is a national security risk and should be the responsibility of the Department of Defense. The Department of Defense did serve as the executive agent for the PCCIP's Transition Office which was to be the model for National Plan Coordinating Staff function. On the other hand, the Department of Commerce has on-going relationships with many of the private infrastructure operators with whom the Directive hopes to interact.
Costs. In January 2000 the Administration announced it had budgeted $2 billion on critical infrastructure protection for FY2001 (see Appendix). The Administration also announced its intention to ask for $9 million in FY2000 supplemental funding. Some of these funds, especially for new initiatives, are visible in agency line items. Much of it is buried in other information technology or administrative line items.
Many of the agencies' activities called for immediately by the Directive will be part of on-going administrative duties. These activities, if not previously done (which appears to be the case in many agencies), will require the reallocation of personnel time and effort, presumably at the expense of other activities. The resources required to meet PDD-63 requirements are supposed to be part of the agencies' internal plans. Some of the costs will not be known until after vulnerability assessments are done and remedial actions determined. Also, each agency must develop and implement education and awareness training programs. Agency costs may not be insignificant. According to OMB, the IRS alone estimated a vulnerability analysis of its systems will cost $58 million. (17) The Plan outlines efforts at the Department of Energy to improve its network security. Total costs are expected to be $80 million ($45 million for operational security measures). On top of this, the Administration is asking for new initiatives such as the intrusion detection network (FIDNET) and education and training programs (Federal Cyber Service).
Potential private sector costs are also unknown at this time. Some sectors are already at the forefront in computer security and are sufficiently protected or need only marginal investments. Others are not and will have to devote more resources. The ability of certain sectors to raise the necessary capital may be limited, such as metropolitan water authorities, which may be limited by regulation, or emergency fire services, which may function in a small community with limited resources. Even sectors made up of large, well capitalized firms are likely to make additional expenditures only if they can identify a net positive return on investment.
Affecting these business decisions will be issues of risk and liability. As part of its outreach efforts, the CIAO has helped the auditing, accounting, and corporate director communities identify and present to their memberships the responsibilities that boards of directors and corporate officers have, as part of their fiduciary duties, for managing the risk to their corporation's information assets. The Institute of Internal Auditors, the American Institute of Certified Public Accountants, the Information Systems Audit and Control Association and the National Association of Corporate Directors have formed a consortium and are holding "summits" around the country in an outreach effort. The main point of their discussion can best be summed up in a paper presented at these summits:
"The consensus opinion from our analysts is that all industries and companies should be equally concerned about information technology security issues because it is an issue that has an enormous potential to negatively impact the valuation of a company's stock...it must be the responsibility of corporate leaders to ensure these threats are actually being addressed on an ongoing basis. At the same time, the investment community must keep the issue front and center of management." (18)
Costs to the private sector may also depend on the extent to which the private sector is compelled to go along with PDD-63 versus their ability to set their own security standards. The current thinking is the private sector should voluntarily join the effort and PDD-63 recommends that no new regulations or oversight bodies be formed. But, what happens if a sector does not take actions the federal government feels are necessary?
Information Sharing. The information sharing called for in PDD-63 -- internal to the federal government, between the federal government and the private sector, and between private firms -- raises a number of issues.
PDD-63 calls for information to flow between agencies via FIDNET, FedCIRC and the NIPC. What kind of information will be flowing? Will reporting consist of raw network traffic data or just reports of incidents? Will content be monitored or just the packet headers? (19) Will reporting be in real-time or after-the-fact? How does this impact the privacy and confidentiality of the information provided? The Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. 552a) governs the exchange of records between government agencies. It is not yet clear how the goals of FIDNET and the NIPC will be impacted by the Act or how the goals of the Act may be impacted if modified to address the FIDNET and/or NIPC mission.
Since much of what is considered to be critical infrastructure is owned and operated by the private sector, implementing PDD-63 relies to a large extent on the ability of the private sector and the federal government to share information. However, it is unclear how open the private sector and the government will be in sharing information. The private sector primarily wants from the government information on potential threats which the government may want to protect in order not to compromise sources or investigations. In fact, much of the threat assessment done by the federal government is considered classified. For its part, the government wants specific information on intrusions which companies may hold as proprietary or which they may want to protect to prevent adverse publicity. Success will depend on the ability of each side to demonstrate it can hold in confidence the information exchanged.
This issue is made more complex by the question of how the information exchanged will be handled within the context of the Freedom of Information Act (FOIA). Proponents of PDD-63 would hope to exempt the information from public disclosure under the existing FOIA statute. Those more critical of the Directive are concerned that PDD-63 will expand the government's ability to hold more information as classified or sensitive. (20)
Another question has been raised about the FBI's INFRAGARD program. For example, are firms who volunteer to participate in the program given additional or better information than what is available through the FBI outside the program?
Finally, the information exchanged between private firms within the context of the Sector Coordinators and the ISACS raises antitrust concerns, as well as concerns about sharing information that might unduly benefit competitors.
Privacy/Civil Liberties. The PDD states that individual liberties and rights to privacy are to be preserved as the Directive is implemented. However, on-line monitoring, whether for system management reasons or for intrusion detection, has the potential to collect vast amounts of information on who is doing what on the network. Once an intrusion is detected, the federal government could get involved in real-time monitoring. What, if any, of that information should be treated as private and subject to privacy laws?
The National Plan states that it is the intent of the Administration to pass all critical infrastructure efforts through the lens of privacy issues. In addition to promised vigorous and thorough legal reviews of Plan programs, the Plan proposes an annual colloquium on Cyber Security, Civil Liberties, and Citizens' Rights between the representatives of the federal government and outside groups.
But members of the privacy and civil liberty communities remain concerned about proposals that have been made. For example, the PCCIP recommended that law enforcement officials should need to get only a single warrant to track hackers through cyberspace, rather than having to get a new warrant every time they trace a hacker to a computer in another jurisdiction. The PCCIP also recommended that employers be allowed to administer polygraph tests to their computer security personnel. There are also suggestions of requiring background checks for computer security personnel. The Administration has not taken a position on any of these recommendations yet. However, in a recent hearing by the House Judiciary's Subcommittee on Crime (February 29, 2000), the Administration did say that having a nationwide track and trace capability would be very helpful in identifying hackers.
Another issue is to what extent monitoring and responding to cyber attacks will permit the government to get involved in the day-to-day operations of private infrastructures. The PCCIP suggested possibly modifying the Defense Production Act (50 USC Appendix, 2061 et seq) to provide the federal government with the authority to direct private resources to help reconstitute critical infrastructures suffering from a cyber attack. This authority exists now regarding the supply and distribution of energy and critical materials in an emergency. Suppose that the computer networks managing the nation's railroads were to "go down" for unknown but suspicious reasons. What role would the federal government play in allocating resources and reconstituting service?
Possible Congressional Action. Congress's interest in protecting the nation's critical infrastructure spans its oversight, legislative, and appropriating responsibilities.
Congressional activity has focused to date on oversight. There were a number of hearings by different committees in 1999 related to computer security, virus attacks, critical infrastructures, the Department of Defense's information assurance efforts, etc. On February 1, 2000, the Senate Judiciary's Subcommittee on Technology, Terrorism and Government Information held a hearing on the National Plan. And, in the wake of a flurry of denial of service attacks on major internet commerce sites in February, a series of hearings (including a joint hearing on February 29 by the House Judiciary's Subcommittee on Crime and the Senate Judiciary's Subcommittee on Criminal Justice Oversight) were held to understand what is happening, what the federal government is doing about it, and whether the criminal statutes governing unauthorized intrusions and damage to computer systems and the contents therein are adequate. The Senate Judiciary Committee's Subcommittee on Technology, Terrorism, and Government Information held another hearing in March on roadblocks to investigating computer crimes and a field hearing in April on prevention and prosecution of cyber crime. Also in March, the Senate Committee on Small Business held a hearing on how small businesses can protect themselves from cyber crime. In May, the House Science Committee's Technology Subcommittee held a hearing on the Love Bug virus. In June, the House Government Reform Committee's Subcommittee on Government Management, Information, and Technology held a hearing on the Cyber Security Information Act of 2000 (H.R. 4246, see below). In September, this Subcommittee released a report card rating how well agencies were protecting their information assets.
While there is much activity administratively, on the part of the Administration, and in oversight by the Congress, legislation is moving more slowly. The Administration is still reviewing what further legislation may be needed. The PCCIP report, however, gives a glimpse of the types of legislative actions that might be requested to support infrastructure protection plans. Examples already mentioned include modifying the Defense Production Act; providing the ability to issue a single warrant that would allow investigators to track and identify intruders across numerous jurisdictions; and waivers to the Employee Polygraph Protection Act (29 USC 2001 et seq) to allow firms to investigate and monitor information security personnel, similar to waivers granted now to certain security personnel. Other areas of possible legislation include: using federal licensing of private computer investigators to require them to report to the federal government information on intruders; and clarifying the potential liabilities of contractors hired to hack into a client's computer system to test its security. Liability and insurance issues related to how firms secure their systems may also require legislation. Some in industry have expressed their concern that designating certain infrastructure as "critical" may impose upon them additional responsibilities and liabilities for assuring operations. Meanwhile, some companies in the security business have begun offering insurance against intrusions. However, there is very little actuarial data to support these offerings. Also, the Administration may request specific exemptions regarding information sharing in FOIA and anti-trust legislation. The Administration has said it was initiating a review of the criminal statutes related to computer intrusions.
In the 106th Congress a number of bills have been introduced that address one or another issue associated with PDD-63. A couple of bills are directly related to PDD-63. S. 2702 requires the President to report to Congress by July 2001 on the specific actions being taken by agencies to implement PDD-63. H.R. 4246 directly addresses FOIA and anti-trust concerns associated with ISACs by defining a "cyber security web site" and exempting those websites from FOIA access and anti-trust litigation as long as information contained on those sites is not used to impede free market functions. Also, the bill explicitly allows the federal government to set up working groups of federal officials to work with industry groups without such groups being considered federal advisory committees.
S. 1993 seeks to strengthen information security practices throughout the federal government. It would basically amend chapter 35 of title 44, U.S.C. (the Paperwork Reduction Act), by adding a separate subchapter specifically dedicated to information security. Among other things, the bill would require agencies to have an annual outside assessment of their security plans and practices and calls on the Comptroller General to report on those reviews. The bill was attached to the FY2001 Defense Authorization bill (S. 2549). The Senate's defense authorization bill also authorizes the Secretary of Defense to support scholarships in information security.
H.R. 5042 would rewrite the Paperwork Reduction Act, relieving the Director of OMB of many of his information technology-related responsibilities and transferring them to a new Office of Information Policy within the Executive Office of the President headed by a governmentwide Chief Information Officer. This bill would also require annual outside independent reviews of an agency's information security program.
H.R. 4210 would establish within the Executive Office of the President an Office of Terrorism Preparedness. The Office would oversee the development of a plan and a strategy for improving the nation's ability to respond to terrorist attacks, including cyber attacks, much as the National Coordinator for Security, Infrastructure Protection, and Counter-terrorism within the National Security Council is currently tasked.
H.R. 2413 would reinforce the role of the National Institute of Standards and Technology (NIST) in ensuring the security of federal non-classified computer systems. It puts into statute the authority given NIST by Circular A-130 Appendix III to coordinate federal responses to computer intrusions. It also provides $250,000 in FY2000 and $500,000 in FY2001 for NIST to support computer security fellowships at universities. (21)
A couple of bills (S. 2092 and S. 2448) have been introduced that would change the courts' authority to allow the installation and use of pen registers and trap and trace devices to track computer hackers. These bills, along with S. 2430 and S. 2451, would also change the penalties associated with computer crimes, lowering the damage threshold that can trigger indictment or allowing damage to be aggregated across a whole network to meet it, as well as increasing the maximum penalty for those crimes.
There have been and continue to be a number of other bills introduced (including H.R. 2413) that relate to privacy, encryption, public key policies, computer fraud, etc. These issues are tangentially related to PDD-63. (22)
The Administration estimates that it is asking for $2.0 billion in FY2001 to support various critical infrastructure protection efforts in 19 different departments and agencies (see Appendix). According to the Administration, Congress appropriated $1.8 billion for information security and critical infrastructure activities. Much of this is support for on-going computer security/computer crime efforts in those agencies. The National Security Agency, and its research and development efforts, receive the largest support. However, Congress has been more reluctant to support some of the new initiatives proposed by the Administration (e.g. funding for the Federal Intrusion Detection Network, a scholarship-for-service program in computer security, establishment of an expert review team capability at the National Institute of Standards and Technology). Last budget cycle, the Administration submitted an amended budget for some of these initiatives totaling $39 million. Coming late in the budget cycle, Congress did not act on any of these. A number of the proposals were carried over into this year's budget requests and in a $9 million supplemental request at the beginning of the year. Again, Congress, to date, has been reluctant to support these new initiatives.
On January 7, 2000, the Administration announced it was going to ask for $2.03 billion in FY2001 for protecting the nation's critical infrastructure against cyber attacks. In addition, it was planning to ask for another $9 million in supplemental FY2000 funding. The funding includes $621 million for research and development, up from the $461 million that Congress appropriated for FY2000. Among the highlights mentioned in the announcement were a number of initiatives listed below.
Federal Cyber Services Training and Education ($25 million)
This is a refinement of the initiative offered late last year by the Administration. The initiative would be jointly managed by the Office of Personnel Management (OPM) and the National Science Foundation (NSF). It consists of two programs. One would be a ROTC-like program where the federal government will pay for a 2-year undergraduate or graduate degree in information security in exchange for government service in information security, called the Scholarship for Service (SFS). The scholarship would be for two years at schools with accredited information technology programs. Students participating in the program would also do summer internships at government agencies and attend periodic conferences. The goal, as mentioned above, is to enroll the first 300 SFS students in the fall of 2000.
The second program is called the Federal Cyber Services education and training initiative. The FCS initiative is to improve and maintain the skills of current federal information technology workers in the area of security. This program would establish key competencies and a certification process to demonstrate that they have been met. The program would make use of Centers of Information Technology Excellence (CITE), identified by the NSA based on criteria provided by the National Security Telecommunications and Information Systems Security Committee. Currently 8 universities have been selected as CITEs.
Permanent Expert Review Team ($5 million over two years)
This would make permanent the review of agencies' internal security plans, vulnerability analyses, etc. The team would be supported through the National Institute of Standards and Technology.
Federal Intrusion Detection Network ($10 million)
FIDNET would be an intrusion detection network for civilian government agencies. It should be noted that the Department of Defense and the National Security Agency have each set up their own intrusion detection networks. These will all be linked together and with the National Infrastructure Protection Center at the FBI. Last year the Administration initially requested funding to study FIDNET through the Justice Department's appropriations, but later withdrew that request and requested funds through GSA.
Public Key Infrastructure Pilots ($7 million)
Public key infrastructure (PKI) allows two-way authentication of communications between computers and is critical for electronic commerce and for agencies to exchange information with contractors, constituents, etc. This initiative would support 7 pilot programs at different federal agencies.
Institute for Information Infrastructure Protection ($50 million)
This would be a research and development fund operated through the National Institute of Standards and Technology (NIST) to support research that might not otherwise be conducted by the private sector or defense agencies. Currently nearly all information security research and development funds go to defense agencies. While operated through NIST, the Institute would report to a Federal Coordinating Council consisting of the President's Science Advisor, the Deputy Director/Office of Management and Budget, the Director/National Security Agency, the Director/NIST, and the National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism. The Institute would consult with the National Infrastructure Advisory Council and the Sector Coordinators.
Partnership for Critical Infrastructure Security
The Administration also announced a new effort to open an on-going dialogue with the private sector and the public to discuss a wide variety of information security issues. An initial effort was made in December 1999, when the Secretary of Commerce met with officials from 90 Fortune 500 companies.
Table A.1. Critical Infrastructure Protection Funding by Department (millions $)

| Department | FY98 actual | FY99 actual | FY00 enacted | FY01 request |
|---|---|---|---|---|
| Agriculture | 2.70 | 3.22 | 3.88 | 14.03 |
| Commerce | 9.35 | 21.81 | 17.75 | 92.10 |
| Education | 3.59 | 4.45 | 5.23 | 2.51 |
| Energy | 1.50 | 3.60 | 21.98 | 45.30 |
| EOP | 0.05 | 0.58 | 0.48 | 0.56 |
| EPA | 0.12 | 0.24 | 0.08 | 2.30 |
| FEMA | 0.00 | 0.00 | 0.80 | 1.47 |
| GSA | 0.00 | 3.00 | 0.00 | 15.40 |
| HHS | 21.83 | 12.17 | 13.17 | 19.55 |
| Interior | 1.29 | 1.60 | 2.65 | 1.83 |
| Justice | 25.61 | 54.09 | 44.02 | 45.51 |
| NASA | 41.00 | 43.00 | 66.00 | 61.00 |
| NSF | 19.15 | 21.42 | 26.65 | 43.85 |
| National Security (incl. DOD) | 974.56 | 1,185.22 | 1,402.94 | 1,458.91 |
| Nuclear Regulatory Commission | 0.00 | 0.20 | 0.00 | 0.25 |
| OPM | 0.00 | 0.00 | 2.00 | 9.00 |
| Transportation | 20.33 | 24.88 | 50.68 | 92.34 |
| Treasury | 22.91 | 48.89 | 76.22 | 87.03 |
| Veterans Affairs | 0.00 | 0.00 | 17.33 | 17.39 |
| Grand Total | 1,143.98 | 1,428.35 | 1,751.86 | 2,010.33 |

Data from Office of Management and Budget.
1. As a reminder of how dependent society is on its infrastructure, in May 1998, PanAmSat's Galaxy IV satellite's on-board controller malfunctioned, disrupting service to an estimated 80-90% of the nation's pagers, causing problems for hospitals trying to reach doctors on call, emergency workers, and people trying to use their credit cards at gas pumps, to name but a few.
2. Efforts to merge the computer systems of Norfolk Southern and Conrail after their merger in June 1999 have caused a series of mishaps leaving trains misrouted, crews misscheduled, and products lost. As of January, problems still persisted. See "Merged Railroads Still Plagued by IT Snafus," Computerworld, January 17, 2000, pp. 20-21.
3. The Director of the Central Intelligence Agency testified before the Senate Committee on Governmental Affairs (June 24, 1998) that a number of countries are incorporating information warfare into their military doctrine and training and developing operational capability. It should be noted that the U.S. military is probably the leader in developing both offensive and defensive computer warfare techniques and doctrine.
4. President's Commission on Critical Infrastructure Protection, Critical Foundations: Protecting America's Infrastructures, October 1997.
5. See The Clinton Administration's Policy on Critical Infrastructure Protection: Presidential Decision Directive 63, White Paper, May 22, 1998, which can be found at http://www.ciao.ncr.gov/ciao_document_library/paper598.html.
7. The President designated Richard Clarke, Special Assistant to the President for Global Affairs, National Security Council, as National Coordinator.
8. The New Mexico Critical Infrastructure Assurance Council, an offshoot of the FBI's InfraGard efforts in the state, includes the state government and other state and local agencies. The Council is referenced in the National Plan for Information Systems Protection. See National Critical Infrastructure Plan, below.
9. The ISP is Global Integrity, a subsidiary of Science Applications International Corp. (SAIC).
10. Federal agencies sit on the NCC, including the NSA. One could assume that knowledge of incidents discussed in the NCC could find its way to federal investigatory authorities without formally being reported.
11. Appendix III does not apply to information technology that supports certain critical national security missions as defined in 44 USC 3502(9) and 10 USC 2315. Policy for these national security systems, i.e. telecommunications and information systems containing classified information or used by the intelligence or military community, has been assigned by national security directives to the Department of Defense.
12. It should be noted that the General Accounting Office has reported that the oversight of agency security measures to date has been inadequate. See U.S. General Accounting Office, Information Security: Serious Weaknesses Place Critical Federal Operations and Assets at Risk. GAO/AIMD-98-92. Sept. 1998.
13. This point is alluded to by Michael O'Neil, "Securing Our Critical Infrastructure: What Lurks Beyond Y2K," Legal Times, Week of Jan. 25, 1999.
14. National Security Decision Directive, NSDD-145. September 17, 1984.
15. House Report 100-153(I).
16. This point is made by the Electronic Privacy Information Center in its report, Critical Infrastructure Protection and the Endangerment of Civil Liberties (1998), which can be found on the Center's webpage at http://www.epic.org/security/infowar/epic-cip.html.
17. Conversation with OMB officials, 11 February, 1999.
18. From a paper entitled Information Security Impacting Securities Valuations, by A. Marshall Acuff, Jr., Salomon Smith Barney Inc.
19. Information travels through the system in packets containing the information itself (content) and a header which contains addresses and instructions on how to handle the information.
21. The National Plan calls for the Scholarships for Service program to be managed by the National Science Foundation.
22. For an overview of these issues, see Congressional Research Service, Internet: An Overview of Six Key Policy Issues Affecting Its Use and Growth, by Marcia Smith et al. CRS Report 98-67 STM. Updated April 9, 1999.