WORLD INFORMATION TECHNOLOGY AND SERVICES ALLIANCE

STATEMENT

Critical Information Protection (CIP):
A Framework for Government / Industry Dialogue

June, 1999

INTRODUCTION
Aggressors attack at the point of maximum leverage. For modern society, this means critical infrastructure: transportation, telecommunications, oil and gas distribution, emergency services, water, electric power, finance and government operations. Increasingly, a critical information infrastructure supports these vital delivery systems and itself becomes a target of opportunity for terrorists, adversary nations, criminal organizations, and non-state actors. This potential vulnerability raises numerous difficult questions for industry and for international, national, and local governments about how best to provide critical information protection.

Both government and industry have a major stake in protecting critical infrastructure and its underlying information resources from intentional attack or natural disaster. While the ends may be commonly shared, the policies that government and industry will develop in order to provide this protection are likely to be quite different. The approach taken in addressing issues of critical information infrastructure reliability and security must recognize that the policies necessary for the development of electronic commerce should be industry-led, market-driven, voluntary and self-regulatory.

WITSA
The World Information Technology and Services Alliance (WITSA) is a consortium of 38 information technology (IT) industry associations from economies around the world (list attached). As the global voice of the IT industry, WITSA is dedicated to:

  • advocating policies that advance the industry's growth and development;
  • facilitating international trade and investment in IT products and services;
  • strengthening WITSA's national industry associations through the sharing of knowledge, experience, and critical information;
  • providing members with a vast network of contacts in nearly every geographic region of the world; and
  • hosting the World Congress on IT, the only industry-sponsored global IT event.
Founded in 1978 and originally known as the World Computing Services Industry Association, WITSA has increasingly assumed an active advocacy role in international public policy issues affecting the creation of a robust global information infrastructure, including:
  • increasing competition through open markets and regulatory reform;
  • protecting intellectual property;
  • reducing tariff and non-tariff trade barriers to IT goods and services; and
  • safeguarding the viability and continued growth of the Internet and electronic commerce.

BACKGROUND
While in January of 1993 there were only about 50 sites on the World Wide Web, there are now between 100 and 140 million Internet users around the world. In the US alone, more than 50,000 people are logging on to the Internet for the first time every single day. More messages are now sent by e-mail than by regular mail. And what began as a specialized network for computer scientists has become a global nervous system for the entire world.

The Internet and the availability of affordable computing solutions have lowered many of the geographic boundaries that hindered the development of information and communications technologies (ICT). This is enabling the creation of a global market for technology products and services. The ICT industry is among the most significant drivers of the global economy accounting for U.S. $1.8 trillion in spending in 1997, approximately 6% of global gross domestic product (GDP). This is greater than the GDP of France and almost twice the size of the GDP of the state of California.

In this emerging digital marketplace nearly anyone with a good idea and a little software can set up a shop and then become a leading store with outreach to the entire planet. Internet services also include an extensive combination of business-to-business hardware, software and consulting, implementation, and network management that creates and extends seamless connectivity from the most remote desktops to the core of legacy systems. But with the advantages of an interconnected world also come greater risks. The explosive worldwide growth of open networks has raised a legitimate concern with respect to the adequacy of current security measures for information and communications systems and the data that is transmitted and stored on those systems.

Paul Higdon, head of the digital crimes department of the international police organization Interpol, has said critical information infrastructure protection and cyber crimes will be the challenge of the 21st century. In a worst-case scenario, Interpol believes cyber terrorists could paralyze an entire city. In the US, as many as 17 million people are thought to have enough computer knowledge to stop the distribution of electricity, drinking water and other critical items needed in a large city. Meanwhile, computer crime is on the rise worldwide, and critical information protection (CIP) in the international arena is generally marked by a lack of coordination. Japan, which experienced a 58 percent increase in cyber-crime from 1997 to 1998, does not yet criminalize hacking of computer systems. Other countries have disparate policies. The global nature of the Internet makes geography less important, as a malicious act against a computer system in any given country could very well be committed from virtually any location on earth.

The increased vulnerabilities of information systems have already led to a number of incidents, such as in February 1999, when the East Timorese domain (.tp) was subjected to a concerted attack by unknown hackers, resulting in its disappearance from the Internet. There has been an increase in media reports of attacks against security and military installations as well, although these are sometimes not substantiated. In one such unconfirmed incident, The Sunday Business newspaper on February 28, 1999 reported that hackers may have seized control of one of Britain's military communication satellites and issued blackmail threats. Whether true or not, the very thought that attacks of this magnitude are at all possible demonstrates the growing vulnerability of information infrastructures and systems.

In a March 5, 1999 joint US survey by the Computer Security Institute (CSI; http://www.gocsi.com/) and the San Francisco office of the Federal Bureau of Investigation (FBI), cyber attacks were reported to have risen significantly in 1998. In the "Computer Crime and Security Survey", as many as 32 percent of the more than 500 US information security professionals surveyed had reported serious incidents to law enforcement over the past year, almost one-third had had their computer systems penetrated by outsiders, and about half of the respondents had suffered more than US $123 million in financial losses due to computer break-ins.

At the same time, not all threats are man-made. As demonstrated by the 1995 Kobe earthquake in Japan and the 1994 Northridge earthquake in California, natural disasters pose substantial threats to critical information infrastructure and require a similar level of attention and concern. The Kobe earthquake, for instance, caused over 5,000 deaths, damaged or destroyed 180,000 buildings and left 300,000 people homeless. Total damages reached $147 billion.

In recent months, brief disruptions in the operations of leading electronic brokers such as E*Trade and Charles Schwab have demonstrated the sometimes extreme vulnerability of information infrastructure. In February 1999, E*Trade's 700,000 account holders were blocked from online trading during temporary outages over a three-day period, causing significant disruption in the stock market and leading to lawsuits. Charles Schwab, whose customers account for 39 percent of all online stock trades, has on several occasions experienced minor technological glitches forcing its Internet site to shut down, on one occasion for more than an hour, again causing significant disruptions in an increasingly vulnerable digital economy. Other Internet traders face similar problems amidst expert warnings that disruptions caused by technical glitches, mismanagement or criminal manipulation will become more common and more severe.

INDUSTRY CONCERNS
WITSA's national IT industry associations would be interested in government efforts to:

  • mandate standards to protect infrastructure elements from physical or cyber attack,
  • require systems to detect when attacks are imminent or underway,
  • develop processes to react to the attack, and
  • reestablish the critical service.
By definition, if the service has been deemed critical to a nation, then the national and local governments can be expected to have increased interest in the operation, management and protection of the private businesses and services which comprise the infrastructure elements. The manner in which this government concern is manifested can have a significant effect on private sector interests.

Similarly, industry can be expected to anticipate and meet infrastructure threats in appropriate ways, guided by sound business considerations. Individual companies will make defensive investments commensurate with the risk management principles in their industries. National or local government policies which impose protection standards more stringent than those inherent in private sector risk mitigation processes would have a preventative, and hence unacceptable, effect on industry's investment in new information infrastructure. Additionally, requirements for reporting incidents to government operations centers and responding to government-directed reconstitution plans may impose burdens that would add significant, unwarranted costs.

A coordinated, comprehensive attack on a critical information infrastructure is an event that will require coordinated and comprehensive team preparation and response by government and industry. The nature of that teamwork should be decided through national debate, substantive analysis and constructive dialogue. A well-prepared and informed private sector can work with government to find the proper balance between the government's role of protecting critical infrastructure and business' need to manage risks appropriately for the infrastructure developed by the private sector for private and commercial use.

In one recent example of industry-government teamwork on CIP, the Information Technology Association of America (ITAA), the US Telephone Association (USTA) and the Telecommunications Industry Association (TIA) were selected on February 25, 1999 to serve jointly as information and communications sector coordinators in a new Critical Infrastructure Protection Consortium established under the US President's Decision Directive 63 on critical information infrastructure protection. Industry is thus guaranteed a voice in the government program to establish adequate critical infrastructure protection by 2003.

CURRENT CIP-RELATED WORK IN THE INTERNATIONAL ARENA
Due to the global nature of the Internet and communications, failure to protect critical information systems and infrastructures at the national or local level can often have global implications. In a networked world, information security is no stronger than its weakest link. Countering hacking, allowing strong encryption software and protecting the privacy of Internet users are all priorities that need to be addressed globally. It is of critical importance that governments and international organizations concerned with CIP cooperate fully with industry.

In the international arena, industry has an important voice in the Business and Industry Advisory Committee to the OECD (BIAC). Industry participation in the area of CIP was further enhanced following the 1995 OECD Ministerial mandate to include non-governmental partners in activities relating to the global information infrastructure.

Through participation in the Committee for Information, Computer and Communications Policy (ICCP) of the OECD, industry contributed to what has become the most important international landmark for CIP: the 1992 OECD Guidelines for the Security of Information Systems. The Guidelines offer non-binding recommendations urging governments and industry to cooperate to create an international framework for the security of information systems, and encourage industry self-regulatory measures. They call for the joint private and public sector development of regional and national measures, practices and procedures that are simple and compatible with those of other parties that comply with the Guidelines, so as to avoid conflicts and obstacles.

The private sector also played an important role in the development of the 1997 OECD Guidelines for Cryptography Policy, which aim to promote cooperation between the public and private sectors in the development of national and international cryptography policies. The crypto guidelines acknowledge the importance of allowing cryptographic methods to be determined by the market in an open and competitive environment, and of utilizing strong encryption to prevent unauthorized access, alteration, and improper use of communications systems, networks and infrastructures.

Given the growing significance of critical information protection over time, more initiatives will likely emerge in various international fora. In the event that proposals of this kind are introduced in any international organization or forum, WITSA would strongly urge governments to:

  • Establish and maintain channels of communication with private and public entities having an infrastructure assurance interest in the sector; and
  • Establish and operate an effective information-sharing program, including opportunities for anonymous information sharing.

GENERAL PRINCIPLES
In developing industry positions on national CIP issues, WITSA has established an initial list of general principles which reflect the opinion of its membership and which will guide the development of future policy.

Scope

  • The protection of the national information infrastructure must be based upon a minimum amount of government (national, provincial, and local) regulation.
  • The cost of protecting the national information infrastructure must be kept to the lowest level possible commensurate with the threat and the consequences of attack. Parties must be able to differentiate between potential vulnerabilities and specific threats.

Roles and Responsibilities

  • Industry builds and operates the Global Information Infrastructure and, as such, has primary responsibility for CIP requirements, design and implementation.
  • Industry and governments share an interest in the proliferation of a free and open Internet, electronic commerce, other value-added networks, and an efficient, effective information infrastructure generally.
  • In protecting these resources, the specific and immediate priorities of governments and industry may diverge. Specific and immediate priorities will need to be balanced against longer-term priorities.
  • Industry will be guided by business considerations to protect itself against physical and cyber attack as the threat to the information infrastructure evolves.
  • Where CIP action is required to protect the public good, governments must identify such instances and create appropriate public funding mechanisms to support the public good.

Globalization

  • The Internet and electronic commerce are inherently global in nature; therefore, critical information protection will require collaboration among international bodies.

Communication and Coordination

  • Positive interaction between governments and industry is essential. Among issues which will require on-going communication and assessment is the need to balance the right to privacy with national security concerns.
  • Industry must monitor the private sector portion of the national information infrastructure and cooperate both internally and with governments in reporting and exchanging information concerning threats, attacks, and protective measures. Coordination among principals must facilitate creation of early warning systems.

Legal Frameworks

  • In creating the information infrastructure, as well as attendant tools and technologies, industry must be provided safe harbor protections and its works viewed as incidental to losses caused by criminal or malicious misbehavior or natural disasters. National law should provide such protection regardless of an attack's origin.
  • Distinctions must be made among cyber-mischief, cyber-crime and cyber-war to clarify jurisdictional issues and determine appropriate responses. The adequacy of current laws to prevent these threats must be reviewed.
  • Existing laws must be adapted as necessary to allow appropriate levels of information-sharing among companies.
  • Government policy in areas such as research and experimentation tax credit and software encryption must be reviewed in light of common CIP goals and objectives.

Education

  • National law enforcement agencies must gain sufficient cyber-crime expertise to combat specific threats and to investigate specific criminal acts.
  • Emergency response organizations must gain sufficient disaster recovery expertise to minimize the effect of catastrophic events on the information infrastructure.

Follow Up Discussion
Implementing this diverse set of principles will require substantial work. At this nascent stage, many questions remain unanswered:

  • What international organizations are best suited for considering CIP on a global level?
  • What are the criteria for determining the critical elements of the information infrastructure, and who is involved in the determination?
  • What should be the process/mechanism by which the government and industry will provide threat indications and warning information to companies providing critical elements of the information infrastructure?
  • What threshold should be established for reporting anomalous activity, and what type of reporting will be required, given that industry will be motivated to monitor and protect itself against cyber-attack for business reasons, and how will reported information be protected?
  • What government restrictions must be modified or lifted so that private sector companies may implement active cyber-defense and/or counter-measures?
  • What type of organization(s) should plan and execute the strategy for critical information infrastructure defense?
  • What legal, judicial or policy determinations are required to distinguish between law enforcement and national security (warfare) jurisdictions as a result of attacks on critical information infrastructure elements?
  • How should industry organize itself to represent private sector views, to exchange relevant "lessons learned," and to participate in policy development?
  • How should the information technology private sector assess the implications of liability and insurance for critical services?
  • Is there a sufficient research and development effort underway to improve the ability of the private sector to monitor and protect its designated critical elements? Who should fund this effort? How should research and development information be distributed?
  • If information system security becomes a competitive market differentiator, how will the private sector accommodate the needs of the government for infrastructure protection while maintaining market competitiveness?

CONCLUSION
Both private industry and governments at all levels agree that there is a growing need to address the challenges of critical infrastructure protection. Views diverge, however, on what constitutes critical infrastructure and what measures, if any, might be taken to protect those elements of the economy. Beyond physical infrastructure systems, closer examination of the information technology (IT) components of those critical systems is crucial to ensuring comprehensive security. While security of IT infrastructures is essential to our physical and economic well being, government mandates of standards and requirements for the maintenance of the nation's IT security should be viewed with caution. Because a nation's IT infrastructure is designed, built, and operated by the private sector, and because this infrastructure is of growing importance in the conduct of business and for the economy as a whole, coordinated and comprehensive teamwork between government and industry is essential. More specifically, in meeting the security challenges with which we are faced, there must be greater input from and cooperation with the information technology industry.

Many questions and issues remain unaddressed with regard to information security, and further discussions and collaboration between industry and all levels of government are necessary if information security at global and national levels is to be ensured. In the event that new CIP initiatives are launched in international fora, governments and industry must establish and maintain channels of communication and effective information sharing. Work must be undertaken by all parties to meet and manage tomorrow's security threats, especially in the realm of critical information protection.

The World Information Technology and Services Alliance (WITSA)

Argentina Cámara de Empresas de Software y Servicios Informáticos (CESSI) http://www.cessi.com.ar

Australia Australian Information Industry Association (AIIA) http://www.aiia.com.au/

Bangladesh Bangladesh Computer Samity (BCS)

Brazil Sociedade de Usuários de Informática e Telecomunicações - Sao Paulo (Sucesu-SP) http://www.sucesusp.com.br

Canada Information Technology Association of Canada (ITAC) http://www.itac.ca/

China, Taipei Information Service Industry Association of China, Taipei (CISA) http://www.cisanet.org.tw/english/index.html / http://www.worldcongress2000.org

Colombia Colombian Software Federation (Federación Colombiana de Software - FEDECOLSOFT) http://www.fedecolsoft.org.co

Czech Republic Association for Consulting to Business (Asociace Pro Poradenství v Podnikání - APP)

Egypt The Co-operative Society for Computers of Egypt (CSCE)

Finland Information Technology Services Association (Tietotekniikan Palveluliitto - TIPAL) http://www.tipal.fi/index.html

France Syntec Informatique http://www.syntec-informatique.fr/syntec/ow/home.cgi

Germany Bundesverband Informationstechnologien (BVITeV) http://www.bvit.de/home-eng.htm

Greece Federation of Hellenic Information Technology Enterprises (SEPE) http://www.hol.gr/sepe/sepe1en.htm

Hong Kong Hong Kong Information Technology Federation (HKITF) http://www.hkitf.org.hk/

India National Association of Software and Service Companies (NASSCOM) http://www.nasscom.org/index.html

Israel Israeli Association of Software Houses (IASH) http://www.iash.org.il/

Italy Associazione Nazionale Aziende Servizi Informatica e Telematica http://www.anasin.it/

Japan Japan Information Service Industry Association (JISA) http://www.jisa.or.jp/

Lithuania The Association of Lithuania's Information, technology, telecommunications and office equipment (INFOBALT) / www.infobalt.lt

Malaysia Association of the Computer Industry (PIKOM) http://www.pikom.org.my

Mexico Asociación Mexicana de la Industria de Tecnologías de Información (AMITI) http://www.amiti.org.mx/

Mongolia Mongolian National Information Technology Association

Morocco L'Association des Professionnels de L'Informatique de la Bureautique et de la Telematique (APEBI) / http://www.atlasnet.net.ma/forum-apebi/present.htm

Netherlands Federation of Dutch Branch Associations in Information Technology (Federatie Nederlandse IT - FENIT) / http://www.fenit.nl/

New Zealand Information Technology Association of New Zealand (ITANZ) http://www.itanz.org.nz/

Northern Ireland Software Industry Federation in Northern Ireland (SIF) http://www.sif.co.uk

Poland Polish Chamber of Information Technology and Telecommunications (Polska Izba Informatyki i Telekomunikacji - PIIiT) / http://www.piit.org.pl/index_e.htm

Portugal Associação Portugesa das Empresas de Tecnologias de Informação e Comunicações (APESI)

Republic of Korea Federation of Korean Information Industries (FKII) http://www.fkii.or.kr/english/index.html

Romania IT&C Association of Romania (ATIC) http://www.softnet.ro/atic/

Singapore Singapore Information Technology Federation (SITF) www.sitf.org.sg

South Africa IT Association of South Africa (ITA) http://www.ita.org.za

Spain Asociación Española de Empresas de Tecnologías de la Información (SEDISI) http://www.sedisi.es

Sweden Swedish IT-companies' Organisation AB (Svenska IT-Företagens Organisation AB) http://www.sito.se/

Thailand The Association of Thai Computer Industry (ATCI) http://www.bdg.co.th/atci/atcihome.htm

United Kingdom Computing Services & Software Association (CSSA) http://www.cssa.co.uk/cssa/

United States Information Technology Association of America (ITAA) http://www.itaa.org/index.htm

Zimbabwe Computer Suppliers' Association of Zimbabwe (COMSA)
