"We know of foreign governments creating offensive attack capabilities against America’s cyber networks.

America is vulnerable to such attacks because it has quickly become dependent upon computer networks for many essential services. It has become dependent while paying little attention to protecting those networks. Water, electricity, gas, communications (voice and data), rail, aviation, and other critical functions are directed by computer controls over vast information systems networks.

The threat is that in a future crisis a criminal cartel, terrorist group, or hostile nation will seek to inflict economic damage, disruption and death, and degradation of our defense response by attacking those critical networks." [See, Plan, page 2 of Executive Summary, page 9 of PDF copy.]

The accompanying National Plan is the first attempt by any national government to design a way to protect its cyberspace.

In the next war, the target could be America’s infrastructure and the new weapon could be a computer-generated attack on our critical networks and systems. We know other governments are developing that capability.

We need, therefore, to redesign the architecture of our national information infrastructure. Over the last decade we built it quickly and without adequate concern for security, without thought that a sophisticated enemy might attack it. Now we must fix it, to protect, guard against, or reduce the existing vulnerabilities.

The President has directed that a Plan for defending our cyberspace be initially in effect by December 2000 and be fully operational by May 2003. To reach those deadlines, we must move quickly, for there is much to do.

The President has ordered that the Federal Government will be a model of computer system security. Today it is not. The Defense Department is well on its way to creating secure systems, but civilian Agencies are also critical and they are generally still insufficiently protected from computer system attack. This Plan proposes additional steps to be taken by DoD and by the rest of the Federal Government.

The private sector infrastructure is, however, at least as likely to be the target for computer system attack. Throughout the modern era, critical industries and utilities have been targets for destruction in conflicts. America’s strength rests on its privately owned and operated critical infrastructures and industries.

Already, privately owned computer networks are being surveyed, penetrated, and in some cases made the subject of vandalism, theft, espionage, and disruption. While the President and Congress can order Federal networks to be secured, they cannot and should not dictate solutions for private sector systems.

Thus, the Plan, at this stage, does not lay out in great detail what will be done to secure and defend private sector networks, but suggests a common framework for action. Already some private sector groups have decided to unite to defend their computer networks. As they commit to this activity, the Federal Government can and will help them, in the spirit of a true public-private partnership. The Government will not dictate solutions and will eschew regulation. Nor will the Government infringe on civil liberties, privacy rights, or proprietary information.

This is Version 1.0 of the Plan. We earnestly seek and solicit views about its improvement. As private sector entities make more decisions and plans to reduce their vulnerabilities and improve their protections, future versions of the Plan will reflect that progress.

As you will see in the text, the Plan will build a defense of our cyberspace relying on new security standards, multi-layered defensive technologies, new research, and trained people. Of all of these, the most urgently needed, the hardest to acquire, and the sine qua non for all else that we will do, is a cadre of trained computer science/information technology (IT) specialists.

When America quickly wired itself for electricity a century ago, it quickly trained electricians and electrical engineers for that new economy. So far, America is failing to train the IT specialists it needs to operate, improve, and secure its new IT-based economy. The Plan proposes steps to stimulate the higher education market to produce what America urgently needs in this area.

We will follow up our plan for cyber defense with a second plan focusing on how Government can work with the Nation’s infrastructure sectors to help assure the reliability and physical security of essential services from major disruptions. This forthcoming plan will rely heavily on input from the companies and organizations that comprise the complex networks that provide for economic well being, health, safety, and security of the American people.

This Plan is the result of the extensive work of many, throughout the Federal Government. In their name, we offer it to the American People and their elected representatives in the hope that together this country can improve upon the Plan, take the necessary steps, and defend America’s cyberspace and all of our strength and people who now depend upon it.

Richard A. Clarke
National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism