This article sets out the constraints of the Posse Comitatus Act of 1878 (the “Act”), which generally prohibits active enforcement of civilian laws by the military, and describes the discretion of the military commander to assist civilian law enforcement in protecting America’s information infrastructure against computer-assisted attack. A primary purpose of this article is to help legal advisors to commanders and DoD civilian officials better understand the boundaries of command discretion so that commanders and officials can feel free to exercise proper command discretion to assist law enforcement according to military interests and their professional and personal ethics and ideals. Another primary purpose of the article is to appraise Congress of the Act, its prohibitions, and its application to assist in framing the policy debate about how to constrain or expand the discretion of commanders and other officials to most productively serve the American public.

The Cross-Industry Working Team (XIWT), with the support of Stanford University Consortium for Research on Information Security and Policy (CRISP), sponsored a symposium on cross-industry activities aimed at improving the reliability, dependability, and robustness of the information infrastructure. The purpose of this meeting was to identify the steps required to get to a reliable and dependable information infrastructure serving the needs of society. The emphasis in the meeting was on cross-industry and potentially cross-sector (government, industry, and academia) activities to accomplish that goal. The symposium dealt with the following generic topics: organizational activities to identify and pursue critical issues, issues in data transport and communications, issues in applications and services, and potential research and development activities.

The presentations and discussions of the meeting identified several potential cross-industry activities that could further the effort toward a more reliable and trustworthy information infrastructure. These activities fell into four general categories:

• Information Exchange Activities
  
• Consensus Activities
  
• Collaborative Operational Activities
  
• Collaborative R&D Activities
  

Two specific activities were discussed in some detail.

Government Sharing of Best Practices

It was observed that many of the government agencies have undertaken extensive efforts to improve the trustworthiness of their information systems, enabling them to withstand both failures and attacks. There is an opportunity for these agencies to be exemplars for the community— sharing what they have learned in the process of trying to make their systems more robust. This was felt to be an example of how the government and industry could work together to improve the trustworthiness of the overall information infrastructure.

Collaborative Experimental Environments

A potentially very productive collaborative R&D activity was discussed, involving industry, academia, and government. Universities and university consortia are investigating new techniques for building reliable systems of unreliable components, and for dealing with large complex systems. There is a need to evaluate, validate, and assimilate such research results into the industry environment. To that end, a collaborative, multi-industry experimental environment was discussed. This environment, distributed across multiple organizations, could provide such an evaluation, validation, and assimilation opportunity.

A number of other potential cross-industry activities were also mentioned throughout the meeting, and are discussed briefly in the proceedings.

Attendees agreed (based on a follow-up survey and informal comments) that the symposium was well worthwhile, and that continued dialogue is important to achieving the shared goal of a trustworthy information infrastructure. XIWT plans on helping foster such dialogue as well as collaborative activities toward that goal.

On December 7, 1998, a cross-industry group of professionals interested in information security met to discuss perspectives on information security and prospects for multilateral cooperative activity to advance information and infrastructure security. Participants reviewed the information-security activities of their respective organizations, identified areas of mutual concern, and generated ideas for future group efforts.

The third Stanford-Livermore workshop in the series examining the protection of critical national infrastructures against cyber attack was held at Lawrence Livermore National Laboratory on February 26-27, 1998. The first two workshops were intended to provide informed inputs to the work of the President's Commission on Critical Infrastructure Protection, and the third, which came soon after the publication of the Commission's report to the President (entitled Critical Foundations), was directed toward a critical review of that report and to developing suggestions for steps to implement its findings in four areas that are considered particularly important: criteria and priorities to guide near-term actions; creation of a public-private partnership; legal issues, with some emphasis on understanding impediments to cooperation; and facilitation of research and development planning, with a subtheme on the robustness of complex systems.

If high-performance computing (HPC) export control policy is to be effective, three basic premises must hold:

This study applies and extends the methodology established in Building on the Basics [1]. Its objective has been to study trends in HPC technologies and their application to problems of national security importance to answer two principal questions:

· Do the basic premises continue to be satisfied as the 20th century draws to a close?

· In what range of performance levels might an export-licensing threshold be set so that the basic premises are satisfied?

The study concludes that export controls on HPC hardware are still viable, although much weaker than in the past. In particular, while applications of national security interest abound, it is increasingly difficult to identify applications that strongly satisfy all three basic premises, i.e. are of extreme national security importance and would likely be effectively pursued by countries of national security concern and would be severely retarded without levels of computing performance that could be effectively controlled.

In July 1996, President Clinton established the Commission on Critical Infrastructure Protection (PCCIP), with a charter to designate critical infrastructures, to assess their vulnerabilities, to recommend a comprehensive national policy and implementation strategy for protecting those infrastructures from physical and cyber threats, and to propose statutory or regulatory actions to effect the recommended remedies. The charter gave examples of critical infrastructures (most notably telecommunications, electrical power, banking and finance, and transportation systems), and the types of cyber threats of concern (electronic, radio-frequency, or computer-based attacks on the information or communications components that control critical infrastructures).

Some of the infrastructures are owned or controlled by the government, and hence the government can harden and restructure these systems and control access to achieve a greater degree of robustness. However, the President's Executive Order recognized that many of the critical infrastructures are developed, owned, operated, or used by the private sector and that government and private sector cooperation will be required to define acceptable measures for the protection and assurance of continued operation of these infrastructures.

To assist in planning for the implementation of the Commission's recommendations, this paper starts by revisiting some of the Commission's central premises, and suggests that while there is reason to believe that the Commission's concerns over the long term are valid, more work is needed on these issues to fully support the PCCIP recommendations. Next, the Commission's recommendations are examined from the standpoint of priority, in order try to provide a clear focus for early implementation efforts. Of the 72 recommendations, ten are identified as important first steps. Due to the private ownership of most infrastructure systems, the Commission proposes new partnership relationships between the public and private sectors to accomplish the goal of protection.

This paper questions and extends the Commission's thinking regarding the implementation of such arrangements. It concludes that the sharing of information between the public and the private sector will have to be carefully designed to protect the interests of all the parties involved. It also notes that while the nature of infrastructure systems makes them global in their operation, the Commission's Report treats the problem almost exclusively from a domestic viewpoint. This will work against organizing the international partners who will, of necessity, be an important part of the solution.

The July Workshop on Protecting and Assuring Critical National Infrastructure focused on three specific areas: international and legal issues relating to the control of network misuse and government roles for securing the infrastructure; economic factors, including market responses to the threat and to protection measures; and directions for future tools research in forensics, modeling, and simulation that will enhance understanding of system robustness, vulnerabilities, and security.

In addition to this agenda, the Workshop addressed the nature of public-private partnerships that could serve to coordinate the separate infrastructure protection efforts of each.

In July 1996, President Clinton established the Commission on Critical Infrastructure Protection, with a charter to designate critical infrastructures and assess their vulnerabilities, to recommend a comprehensive national policy and implementation strategy for protecting those infrastructures from physical and cyber threats, and to propose statutory or regulatory actions to effect the recommended remedies. The charter gives examples of critical infrastructures (telecommunications, electrical power systems, gas and oil storage and transportation, banking and finance, transportation, water supply systems, emergency services, and continuity of government), and also notes the types of cyber threats of concern (electronic, radio-frequency, or computer-based attacks on the information or communications components that control critical infrastructures).

Some of the critical infrastructures are owned or controlled by the government, and hence the government can, in principle, harden and restructure these systems and control access to achieve a greater degree of robustness. However, the President's executive order recognizes that many of the critical infrastructures are developed, owned, operated, or used by the private sector and that government and private sector cooperation will be required to define acceptable measures for the adequate protection and assurance of continued operation of these infrastructures.

The Stanford Center for International Security and Arms Control (CISAC), as part of its ongoing Program on Information Technology and National Security, and the Center for Global Security Research (CGSR) of the Lawrence Livermore National Laboratory (LLNL) are conducting workshops to examine many of the issues connected with the work of the Commission. In addition to the questions of vulnerabilities, threats, and possible remedies, we discuss the impact on the marketplace of possible protective actions, cost in terms of capital and functionality, legal constraints, and the probable need for international cooperation.

The first of these jointly sponsored workshops was held March 10-11, 1997, and included participation by members and staff of the Presidential Commission; the Stanford community; the information technology industry; and by security specialists at infrastructure organizations, research companies, and the national laboratories. The results of this two-day meeting are summarized in the following report.

The discussion begins with a conceptual framework for addressing the protection of infrastructure systems subject to attacks on their information subsystems. This includes treating the types of infrastructure systems, possible strategies for their protection, and the nature and scale of the attack. Three components of a protection strategy are identified: preventing attacks, limiting the damage in an attack, and ensuring rapid reconstitution of the target system following an attack. The paper concludes with a discussion of public and private responsibilities for infrastructure protection and the identification of a number of areas where public initiatives might be effective. These are ordered roughly in terms of the cost and difficulty of implementation. In addressing the subject, the analysis is from the perspective of minimizing government intervention in privately owned infrastructure systems.

The development of "information warfare" presents international legal issues that will complicate nations' efforts both to execute and to respond to certain information warfare attacks, specifically those using computers, telecommunications, or networks to attack adversary information systems. Some legal constraints will certainly apply to information warfare, either because the constraints explicitly regulate particular actions, or because more general principles of international law govern the effects of those actions. Nevertheless, the novelty of certain information warfare techniques may remove them from application of established legal categories. Furthermore, the ability of signals to travel across international networks, and affect systems in distant countries, conflicts with the long-standing principle of national, territorial sovereignty.