Legal propriety of protecting defense industrial base information infrastructure.
I. INTRODUCTION
II. DEFINITIONS
III. AUTHORITY FOR THE AIR FORCE TO PROTECT THE INFORMATION INFRASTRUCTURE OF THE DEFENSE INDUSTRIAL BASE
  A. Homeland Security Presidential Directive 7
  B. National Infrastructure Protection Plan
  C. Defense Industrial Base Critical Infrastructure and Key Resource Sector-Specific Plan
  D. Federal Statutory Provisions
  E. Critical Infrastructure Information Sharing Issues
  F. DOD Critical Infrastructure Challenges
  G. Recent Developments
  H. Summary of Authority
IV. WHAT RESPONSIBILITY DOES THE AIR FORCE INCUR, IF ANY, BY ASSISTING IN OR PROTECTING INFORMATION TECHNOLOGY OF SELECTED DEFENSE CONTRACTORS
  A. Unfair Competitive Advantage Based on Possession of Source Selection Information
  B. Organizational Conflicts of Interest
V. OPTIONS
VI. CONCLUSION
On 20 August 2009, in a joint announcement, the Secretary of the Air Force and the Chief of Staff of the Air Force announced how the Air Force would implement Department of Defense (DOD) cybersecurity efforts. (1) The announcement referred to an earlier decision by the Secretary of Defense to stand up a sub-unified command designated as the United States Cyber Command (USCYBERCOM). (2) In support of the DOD efforts, the Air Force has designated its Space Command as the lead Air Force major command to meet the cyberspace mission, and established the Twenty-Fourth Air Force (24 AF), recommending that it be the Air Force's service component to USCYBERCOM. (3) Among other things, the Air Force will give the commander of 24 AF authority over the Air Force network and will realign various new and existing commands under the purview of 24 AF. (4)
Regardless of how USCYBERCOM or the Air Force attempts to accomplish their missions, private industry will be involved. As with any other area in today's military, contractors and other private companies will likely be heavily involved in constructing the infrastructure the Air Force will use. The Air Force will likely use various vendors to provide computer and communications equipment it will use to accomplish its mission. In fact, the network connections between various components of the Air Force, and even more broadly, the U.S. government, are owned by private companies.
Obviously, the United States must protect the various parts of the information infrastructure used by its military. The more the military relies upon evolving information technologies, the more vulnerable it becomes to attacks on the supporting infrastructure. The Air Force is concerned about the number of onslaughts to these networks. (5) The main concern involves data manipulation, data loss, and espionage. (6) But, to what extent may the military, in general, and the Air Force in particular, become involved in protecting these networks, the data traveling on them, and the data residing on the various Air Force computer systems? Air Force Lieutenant General Charlie Croom, director of the Defense Information Systems Agency, and the commander of the Joint Task Force for Global Network Operations, asserted in a panel discussion at the Association of the United States Army conference that numerous laws and regulations constrain the activities of the DOD in this area. (7) The question is as follows: what may the Air Force do, within the framework of these laws, to protect the information technology (IT) infrastructure on which it so heavily depends?
In answering this question, several issues must be resolved. First, is it appropriate for the Air Force to become involved in the protection of IT infrastructure? Specifically, what gives the Air Force the authority to protect this infrastructure when the majority of it is the property of members of private industry?
Second, does protecting private industry's infrastructure create some responsibility for the Air Force to protect the IT infrastructure of either members of the defense industrial base (DIB) or to protect current defense industry members in future endeavors? Could a potential future private sector DIB member successfully claim that current DIB contractors have an unfair competitive advantage when it comes to future contract awards?
Finally, given the answers to the above issues, what options exist for the Air Force? How can or should the Air Force proceed with protecting the IT infrastructure on which it has become so dependent?
After a review of commonly-used terms with regard to protecting the DIB's critical IT infrastructure in Section II, this article discusses applicable legal authorities in Section III. Section IV discusses practical concerns likely to be encountered by any Air Force effort to protect the infrastructure, particularly with regard to complications in the area of contracting for IT services or products. Section V addresses possible solutions to these concerns, and Section VI is the conclusion.
Before discussing the issues above, this article must define a number of terms utilized throughout. Defining these terms is critical because, along with the laws and regulations which govern this area, these particular terms delineate the degree to which the DOD can protect privately owned critical IT infrastructure. Some of these terms have even reached term-of-art status and have moved away from their traditional, dictionary meanings.
Critical Component is, for purposes of Title 50:
such components, subsystems, systems, and related special tooling and test equipment essential to the production, repair, maintenance, or operation of weapon systems or other items of military equipment identified by the Secretary of Defense as being essential to the execution of the national security strategy of the United States. Components identified as critical by a National Security Assessment conducted pursuant to ... 10 U.S.C. [section] 113(i) ... or by a Presidential determination as a result of a petition filed under ... 19 U.S.C. [section] 1862 ... shall be designated as critical components ... unless the President determines that the designation is unwarranted. (8)
Critical Industry for National Security is "any industry (or industry sector) identified pursuant to ... 10 U.S.C. [section] 2503(6) ... and such other industries or industry sectors as may be designated by the President as essential to provide industrial resources required for the execution of the national security strategy of the United States." (9)
Critical Infrastructure is "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." (10) The definition applicable within Title 50 varies only slightly, but because some of the contractual requirements with regard to the Department of Defense (DOD) relate in some fashion to Title 50, its definition of Critical Infrastructure is also provided: "any systems and assets, whether physical or cyber-based, so vital to the United States that the degradation or destruction of such systems and assets would have a debilitating impact on national security and national public health or safety." (11)
Critical Infrastructure Information is
information not customarily in the public domain and related to the security of critical infrastructure or protected systems (A) actual, potential, or threatened interference with ... critical infrastructure or protected systems by either physical or computer-based attack ... that violates Federal, State, or local law, harms interstate commerce of the United States, ... or threatens public health or safety; (B) the ability of any critical infrastructure or protected system to resist such interference ... ; or, (C) any planned or past operational problem or solution regarding critical infrastructure or protected systems.... (12)
Critical Technology is "any technology that is included in 1 or more of the plans submitted pursuant to [42 U.S.C. [section] 6681 or 10 U.S.C. [section] 2508] (unless subsequently deleted), or such other emerging or dual use technology as may be designated by the President." (13)
Critical Technology Item is "materials directly employing, derived from, or utilizing a critical technology." (14)
Defense Contractor is "any person who enters into a contract with the United States (A) to furnish materials, industrial resources, or a critical technology for the national defense; or (B) to perform services for the national defense." (15)
Domestic Defense Industrial Base is "domestic sources which are providing, or which would be reasonably expected to provide, materials or services to meet national defense requirements during peacetime, graduated mobilization, national emergency, or war." (16) The DOD elaborates on this definition in its sector-specific plan. That plan defines the defense industrial base as the "DoD, the U.S. Government, and the private sector worldwide industrial complex with capabilities to perform research and development (R&D), design, produce, deliver, and maintain military weapon systems, subsystems, components, or parts to meet military requirements." (17)
Domestic Source is
a business concern (A) that performs in the United States or Canada substantially all of the research and development, engineering, manufacturing, and production activities required ... under a contract with the United States relating to a critical component or a critical technology item; and (B) that procures from business concerns described in subparagraph (A) substantially all of any components and assemblies required.... (18)
Essential Weapon System is "a major weapon system and other items of military equipment identified by the Secretary of Defense as being essential to the execution of the national security strategy of the United States." (19)
Federal Departments and Agencies include the following executive departments: Department of State, Department of the Treasury, DOD, Department of Justice, Department of the Interior, Department of Agriculture, Department of Commerce, Department of Labor, Department of Health and Human Services, Department of Housing and Urban Development, Department of Transportation, Department of Energy, Department of Education, Department of Veterans Affairs, and, Department of Homeland Security (DHS). (20) This definition also includes independent establishments as defined in 5 U.S.C. [section] 104(1), government corporations as defined in 5 U.S.C. 103(1), and the United States Postal Service. (21)
Foreign Source is "a business entity other than a 'domestic source.'" (22)
Full and Open Competition "means that all responsible sources are permitted to submit sealed bids or competitive proposals on the procurement." (23)
Industrial Resources are "materials, services, processes, or manufacturing equipment ... needed to establish or maintain an efficient and modern national defense industrial capacity." (24)
Key Resources are "publicly or privately controlled resources essential to the minimal operations of the economy and government." (25)
National Defense is defined in Title 50 as
programs for military and energy production or construction, military assistance to any foreign nation, stockpiling, space, and any directly related activity. Such term includes emergency preparedness activities conducted pursuant to title VI of The Robert T. Stafford Disaster Relief and Emergency Assistance Act and critical infrastructure protection and restoration. (26)
Organizational Conflict of Interest is when "because of other activities or relationships with other persons, a person is unable or potentially unable to render impartial assistance or advice to the Government, or the person's objectivity in performing the contract work is or might be otherwise impaired, or a person has an unfair competitive advantage." (27)
Sector-Specific Agency is a U.S. "department or agency responsible for infrastructure protection activities in a designated critical infrastructure sector or key resources category." (28)
Small Business Concern is "a business concern that meets the requirements of section 3(a) of the Small Business Act and the regulations promulgated pursuant to that section...." (29)
Small business concern owned and controlled by socially and economically disadvantaged individuals is
a small business concern (i) which is at least 51 per centum owned by one or more socially and economically disadvantaged individuals ... ; and (ii) whose management and daily business operations are controlled by one or more of such individuals. The contractor shall presume that socially and economically disadvantaged individuals include Black Americans, Hispanic Americans, Native Americans, Asian Pacific Americans, and other minorities, or any other individual found to be disadvantaged by the Administration pursuant to section 8(a) of the Small Business Act. (30)
Source Selection Information is
any of the following information that is prepared for use by an agency for the purpose of evaluating a bid or proposal to enter into an agency procurement contract, if that information has not been previously made available to the public or disclosed publicly: (1) Bid prices submitted in response to an agency invitation for bids, or lists of those bid prices before bid opening; (2) Proposed costs or prices submitted in response to an agency solicitation, or lists of those proposed costs or prices; (3) Source selection plans; (4) Technical evaluation plans; (5) Technical evaluations of proposals; (6) Cost or price evaluations of proposals; (7) Competitive range determinations that identify proposals that have a reasonable chance of being selected for award of a contract; (8) Rankings of bids, proposals, or competitors; (9) Reports and evaluations of source selection panels, boards, or advisory councils; or (10) Other information marked as "Source Selection Information".... (31)
Unfair Competitive Advantage is
where a contractor competing for award of any Federal contract possesses (1) Proprietary information that was obtained from a Government official without proper authorization; or (2) Source selection information that is relevant to the contract but is not available to all competitors, and such information would assist that contractor in obtaining the contract. (32)
These terms, and their specific meanings, significantly influence the degree of protection a government entity such as the DOD may provide to privately owned portions of the critical IT infrastructure. In some cases, the terms themselves may operate to constrain DOD activity to the same level as the laws and regulations discussed herein.
III. AUTHORITY FOR THE AIR FORCE TO PROTECT THE INFORMATION INFRASTRUCTURE OF THE DEFENSE INDUSTRIAL BASE
The United States Constitution established the authority for the federal government to, among other things, provide for the common defense. (33) Article I, Section 8 (the Commerce Clause), empowers Congress to regulate commerce with foreign nations and among the states. (34)
Congress has acted upon that authority with regard to the topic of protecting the IT infrastructure of the DIB. In 2002, it enacted the Homeland Security Act of 2002. (35) This act was codified as Title 6 of the United States Code.
The executive branch joined the legislative branch by becoming increasingly involved in attempting to protect critical IT infrastructure. In particular, as it relates to the protection of infrastructure following the September 11, 2001, terrorist attacks, the President issued numerous directives, executive orders, and national strategies addressing these issues.
From the very beginning, the Founding Fathers of this country recognized the need for providing for the common defense, and included that very provision within the first paragraph of the Constitution. (36) The Constitution clearly gives the government the authority to protect its own infrastructure. By way of extension, it gives components of the government, including the DOD, the authority to protect the infrastructure that it owns. No one doubts the Air Force's authority to defend its bases, aircraft, personnel, equipment, or even its technology infrastructure. In fact, in its doctrine, the DOD addresses the computer network defense of "unauthorized activity within DOD information systems and computer networks." (37) But, what about the Air Force's authority to protect resources that it does not own? Can the Air Force protect parts of the nation's IT infrastructure that it uses but does not own?
The Constitution, in creating the executive branch, empowered it to defend the nation. (38) It designated the President, as the embodiment of the executive branch, as the Commander in Chief of the military. (39) However, the list of powers granted to the President in carrying out his duties as Commander in Chief is devoid of any authority to defend private industry. (40) Thus, by extension, the Air Force cannot protect the infrastructure of the private sector unilaterally. (41) In fact, the executive branch has long recognized that private sector participation in the government's protection of its infrastructure is clearly voluntary. (42) This poses a problem because the private sector controls ninety percent of the nation's critical infrastructure. (43)
However, the Constitution authorizes Congress to regulate interstate and foreign commerce. (44) That authority has led, most recently, to the passage of the Homeland Security Act of 2002. By passing the Homeland Security Act, Congress empowered the DHS as the lead agent for, among other things, the protection of the nation's critical infrastructure. (45) In fact, one of the rationales for consolidating many different agencies into the DHS in 2002 was the desire to grant authority to one specific department that alone would have responsibility for securing critical infrastructure. (46)
In the Homeland Security Act, Congress authorized the President and the Secretary of Homeland Security to designate critical infrastructure protection programs. (47) Within that authority, the President issued a number of directives designating critical infrastructure protection programs and describing responsibilities therein.
The President designated the DHS to play the central role in implementing the National Strategy to Secure Cyberspace in May 2003. (48) The DHS also serves as the primary focal point-of-contact for state and local governments and the private sector on cyberspace security issues. (49) Additionally, in concert with the White House, the DHS coordinates and supports non-federal tasks recommended in the National Strategy to Secure Cyberspace. (50)
A. Homeland Security Presidential Directive 7
On 17 December 2003, the President issued Homeland Security Presidential Directive 7 (HSPD-7). This plan superseded Presidential Decision Directive/NSC-63 of 22 May 1998. (51) The purpose of the directive was to establish a national policy for federal departments and agencies to identify and prioritize critical infrastructure and key resources. (52) Interestingly, the directive specifically focused on protecting critical infrastructure and key resources "from terrorist attacks." (53) HSPD-7 specifically excludes non-terrorist attacks on critical infrastructure, leaving to all federal departments and agencies the reduction of "consequences of catastrophic failures not caused by terrorism." (54)
With regard to terrorist threats, HSPD-7 establishes, as policy, the enhancement of protecting critical infrastructure and key resources from acts that could
(1) cause catastrophic health effects or mass casualties comparable to those caused from use of a weapon of mass destruction; (2) impair Federal departments' and agencies' abilities to perform essential missions, or ensure the public's health and safety; (3) undermine State and local governments' capacities to maintain order and deliver minimum essential public services; (4) damage the private sector's ability to ensure the orderly functioning of the economy and deliver essential services; (5) have negative impact upon the economy; or, (6) undermine the public's morale and confidence in national economic and political institutions. (55)
The overall responsibility for the protection of the nation's critical infrastructure falls to the Secretary of Homeland Security. (56) Recognizing that certain other departments have special expertise within infrastructure sectors, however, HSPD-7 assigns a limited number of sector-specific agencies. (57)
Among the sector-specific agencies is the DOD, with responsibility for the DIB. (58) What are the DOD's responsibilities with regard to the DIB? With guidance provided by the Secretary for Homeland Security, the DOD shall: (1) collaborate with Federal, State, and local governments, departments, and agencies, and the private sector; (2) conduct or facilitate vulnerability assessments of the sector; and, (3) encourage risk management strategies to protect or mitigate effects of any attack on the DIB. (59)
Two things are of note with regard to these responsibilities. First, the guidance within this area comes from the Secretary for Homeland Security, not the Secretary of Defense. Second, the DOD is given only limited authority within the DIB sector. Specifically, while charged with collaborating within the sector, assessing vulnerabilities, and encouraging risk management strategies, the DOD is not authorized to "protect" the DIB. This does not appear to be an oversight, as HSPD-7 specifically defines the term "protect." As used within HSPD-7, "protect" and "secure" are defined as "reducing the vulnerability of critical infrastructure or key resources in order to deter, mitigate, or neutralize terrorist attacks." (60) Thus, the fact that the President could have, but did not, authorize the DOD to actually protect the DIB reflects an intentional limitation of DOD action. Also of note, HSPD-7 does not authorize the DHS to actually protect the DIB, either. HSPD-7 does grant the DHS the power to "coordinate protection activities" for an enumerated number of sectors, none of which include the DIB. (61) Thus, it appears that, between the Departments of Homeland Security and Defense, the extent of the federal government's involvement with regard to the DIB is purely an assistance role.
HSPD-7 does authorize the DHS to coordinate protection activities for the IT and telecommunications sectors. (62) Thus, one must explore the relationship between the IT and telecommunications sectors generally and with regard to those same sectors owned by the private sector. For example, the DOD owns certain IT and telecommunications resources and has the right to protect them. Others belong to other government and private sectors, which the DHS is authorized to protect. Some of these resources belong to private sector DIB partners for which the DOD is designated as the sector-specific agency. The question becomes what, if any, government agency is authorized to protect these infrastructures where these resources overlap?
Overlap exists in other areas within HSPD-7. For example, it tasks the Department of Commerce with improving cyber system technology which, at times, seems to also involve parts of the DIB. (63) The implementation of HSPD-7 directs the Secretary for Homeland Security to produce a comprehensive National Plan for Critical Infrastructure and Key Resources Protection. (64) It also directs all federal agencies to submit protection plans by July 2004. (65)
In response to this directive, in June 2006, the DHS published the National Infrastructure Protection Plan (NIPP). The NIPP purports to meet the requirements set forth in HSPD-7 and provide an overarching approach for integrating the many critical infrastructure and key resource protection initiatives into a single plan. (66) It also asserts that it "sets forth a comprehensive risk management framework" and "clearly define[s the] roles and responsibilities for the [DHS]," along with sector-specific agencies such as the DOD "and private partners implementing the NIPP." (67)
B. National Infrastructure Protection Plan
The NIPP recognizes, as delineated within HSPD-7, that certain departments have expertise within various infrastructure sectors. Thus, the NIPP intends to implement procedures recognizing the sector-specific nature of critical infrastructure and key resource protection. (68) Consistent with HSPD-7, the NIPP defines the roles and responsibilities of the sector-specific agencies established in HSPD-7. (69) As in HSPD-7, the responsibility for the DIB sector falls to the DOD. (70) Thus, the DOD is tasked with collaborating with the private sector and encouraging development of appropriate information-sharing and analysis mechanisms within the DIB. (71) Specifically, the DOD should establish coordinating mechanisms within the DIB to "facilitate sharing of information on physical and cyber threats, vulnerabilities, incidents, recommended protective measures, and security-related best practices." (72) In addition, the DOD should encourage "voluntary security-related information sharing, where possible, among private entities within the [DIB], as well as among public and private entities." (73) The DOD, working in collaboration with security partners within the DIB, is also responsible for developing and submitting a sector-specific plan and providing performance feedback, related to the DIB sector, to the DHS for assessment of any gaps between critical infrastructure and key resource sectors. (74) The DOD is required to provide an annual report to the Secretary of Homeland Security on its efforts to identify, prioritize, and coordinate critical infrastructure and key resource protection within the DIB, including an outline of protection requirements and budget projections as a component of its annual budget submission to the Office of Management and Budget. (75) It is worth noting again that guidance within this area comes from the Secretary for Homeland Security, not the Secretary of Defense.
Within the NIPP construct, the DOD operates merely in a supporting role to the DHS.
Finally, the NIPP lists a number of additional responsibilities for the DOD. Those include:
(1) identifying, prioritizing, and coordinating protection of DIB critical infrastructure and key resources, focusing particularly upon infrastructures and resources that could be exploited in such a way as to cause catastrophic health effects or mass casualties comparable to those produced by a weapon of mass destruction;
(2) managing the overall process for building security partnerships and leveraging critical infrastructure and key resource security expertise, relationships, and resources within the DIB, including sector-level oversight and support of the sector partnership model described in chapter 4 of the NIPP;
(3) coordinating, facilitating, and supporting comprehensive risk assessment and management programs for high-risk critical infrastructure and key resources, identifying protection priorities, and incorporating critical infrastructure and key resource protection activities as a key component of the all-hazards approach to domestic incident management within the DIB;
(4) facilitating the sharing of real-time incident notification, as well as critical infrastructure and key resource protection best practices and processes, and risk assessment methodologies and tools within the DIB;
(5) promoting critical infrastructure and key resource protection education, training, and awareness in coordination with State, local, tribal, and private sector partners within the DIB;
(6) informing the annual Federal budget process based on critical infrastructure and key resource risk and protection needs in coordination with security partners and allocating protection resources;
(7) monitoring performance measures for DIB critical infrastructure and key resource protection and NIPP implementation activities to enable continuous improvement, and reporting progress and gaps to DHS;
(8) contributing to the annual National Critical Infrastructure Protection Research and Development (NCIP R&D) Plan;
(9) identifying and recommending appropriate strategies to encourage private sector participation;
(10) supporting data calls initiated by the DHS to (a) populate the National Asset Database (NADB); (b) enable national-level risk assessment; and, (c) inform national-level resource allocation;
(11) supporting protocols for the Protected Critical Infrastructure Information (PCII) Program;
(12) working with the DHS to develop, evaluate, validate, or modify risk assessment tools related to the DIB;
(13) supporting sector-level dependency, interdependency, consequence, and other analysis as required;
(14) coordinating sector-level participation in the National Exercise Program, Homeland Security Exercise and Evaluation Program (HSEEP), and other activities within the DIB;
(15) assisting DIB security partners in their efforts to organize and conduct protection and continuity-of-operations planning, and elevate awareness and understanding of threats and vulnerabilities to their assets, systems, and networks; and, identify and promote effective critical infrastructure and key resource protection practices and methodologies specific to the DIB;
(16) identifying and implementing plans and processes for increases in protective measures that align to all-hazards warnings, specific threat vectors as appropriate, and each level of the Homeland Security Advisory System;
(17) understanding and mitigating cyber risk by developing or encouraging appropriate protective measures, information-sharing mechanisms, and emergency recovery plans for cyber assets, systems, and networks within the DIB and interdependent sectors; and,
(18) supporting efforts of the Departments of Homeland Security and State to integrate national critical infrastructure and key resource protection programs into the international and global markets, and address relevant dependency, interdependency, and cross-border issues. (76)
Again, "[p]rivate sector participation in executing the NIPP is voluntary." (77) In essence, then, according to the requirements set forth in the NIPP, the DOD simply stands ready to support and assist others in the protection of privately owned critical infrastructure. The DHS maintains an inventory of critical infrastructures and key resources. (78) Information included in that inventory related to the DIB comes from inventories conducted by the DOD or voluntarily submitted directly from DIB security partners. (79) Although the NIPP does not specifically address the various components that make up the inventory, it clearly places a great deal of importance upon the cyber dimension. (80) Those cyber systems include positioning, navigation, and timing services utilized heavily by the military and the DIB. (81)
C. Defense Industrial Base Critical Infrastructure and Key Resources Sector-Specific Plan
Consistent with the requirement set forth in the NIPP, the DOD published its sector-specific plan in May 2007. The plan--fully titled Defense Industrial Base Critical Infrastructure and Key Resources Sector-Specific Plan as Input to the National Infrastructure Protection Plan--resulted from extensive collaboration between the DOD, interagency partners, and representatives of the private sector, from the smallest proprietors to Fortune 500 corporations. (82) The plan recognizes that the DIB is an unmatched element of national power that differentiates the United States from potential opponents. (83) But, once again, the plan reminds us that private sector DIB participation in the critical infrastructure and key resource protection process is voluntary. (84)
The DIB plan claims to address the critical infrastructure protection efforts mandated by HSPD-7, which involves terrorism-related threats. (85) This contrasts with the Defense Critical Infrastructure Program (DCIP), dated 19 August 2005, which addresses DIB assets owned by the private sector and DOD-owned elements of the DIB. (86) Thus, the DIB plan purports to focus on the privately owned and operated efforts at DIB facilities rather than on the small fraction of DIB facilities owned by the DOD. (87) Likewise, the plan specifically excludes commercial infrastructures, such as power, communications, transportation, and other utilities that support DOD efforts. (88) These infrastructures are covered by other sector-specific agencies and departments, such as the Departments of Energy, Commerce, and Transportation. (89) Notwithstanding the plan's claim that it only addresses private-sector DIB critical infrastructure and key resource as directed by HSPD-7 (i.e., from an anti-terrorism perspective only), the plan does address threats from nation states, national and transnational criminal entities, accidents, and acts of nature within its risk assessment section. (90) This risk assessment strategy is more expansive than either HSPD-7 or the NIPP calls for and likely exceeds the scope of what the DIB plan was designed to accomplish.
Furthermore, the DIB plan is fairly general. It divides the DIB into segments, sub-segments, and commodities. (91) Those segments and sub-segments include, among other things, IT; command, control, computers and intelligence (C3I); information security; and various pieces of electronic equipment like optics, guidance systems, Global Positioning System (GPS) receivers, and software. (92) After identifying these various elements of the DIB, the plan falls somewhat short in identifying exactly what efforts the DOD will take to coordinate the protection of those assets with the private sector. The plan avoids any real effort to define its plan to coordinate the protection of these assets. Instead it basically restates the edicts of HSPD-7 and the NIPP and points out that the DOD will work with the DHS to identify overlaps and gaps in responsibility with other sector-specific agencies with regard to DIB assets that belong to other sectors. (93)
One area where the DIB plan appears to be particularly inadequate is its reference to cyber security risks. In fact, the plan clearly states that although "cyber security is an issue that could affect any facility, DoD does not perform network- or system-level assessments." (94) Instead, the plan points out that DIB assets are primarily owned by the private sector; and that (1) there are no regulatory requirements for conducting formal risk assessments, (2) large companies conduct their own risk assessments as part of prudent business practices, and (3) the DOD aims to ensure awareness and risk management best practices throughout the DIB. (95) This stance is far from visionary. What about smaller private-sector DIB members? How exactly does the DOD aim to ensure awareness across the sector? The plan does not address these questions.
The DIB plan also fails to fully comply with the HSPD-7 directive that the tasked departments share information about cyber threats. (96) The NIPP suggests a networked approach to information-sharing. (97) "NIPP implementation [relies] greatly on critical infrastructure information provided by the private sector." (98) In fact, Congress specifically enacted an information analysis and infrastructure protection program, created a Directorate for Information Analysis and Infrastructure Protection within the DHS, and established an Under Secretary of Homeland Security for Information Analysis and Infrastructure Protection, an Assistant Secretary for Information Analysis, and an Assistant Secretary for Infrastructure Protection, all to be appointed by the President. (99)
How does the DIB plan address information sharing? Rather than coming up with some innovative mechanism to coordinate information-sharing, the plan states that DOD "relies on private industry organizations to exchange information on DIB infrastructure." (100) The plan seems to relegate responsibility for these efforts back to the DHS. Again, rather than taking the issue head on, DOD seems to take on only a supporting role to the DHS in its efforts to address cyber incidents, conduct vulnerability assessments, develop risk management strategies, and facilitate information-sharing. (101) Even where it is specific about information collection activities, the DIB plan is superficial. The plan calls for such data collection efforts as questionnaires and Internet information sources. (102) Certainly, an adequate effort to collect critical infrastructure and key resource data cannot be successfully completed using Google or Yahoo search engines.
Notwithstanding the vital national security importance of information-sharing to a successful critical infrastructure and key resource protection effort, the simple fact that private sector participation is voluntary presents the most substantial hurdle within information-sharing efforts. (103) Because much of the information in the possession of the private sector is either sensitive business or security information that could cause serious damage to private industry, the economy, public safety, or public security, unauthorized disclosure or access to it is a critically important risk. (104) Accordingly, Congress imposed on the government a statutory responsibility to safeguard the information related to critical infrastructure and key resource activities. (105) This information assurance guarantee may be the incentive required to urge the DIB to share critical infrastructure and critical resource information. The next section explains why.
D. Federal Statutory Provisions
First, the Homeland Security Act of 2002 requires that any information collected pursuant to the DHS' information analysis and infrastructure protection efforts be "protected from unauthorized disclosure and handled and used only for the performance of official duties." (106) Further, the DHS must ensure that
any intelligence information [collected pursuant to this program] is shared, retained, and disseminated consistent with the authority of the Director of Central Intelligence to protect intelligence sources and methods under the National Security Act of 1947 (50 U.S.C. 401 et seq.) and related procedures and, as appropriate, similar authorities of the Attorney General concerning sensitive law enforcement information. (107)
Next, the DHS has established the Protected Critical Infrastructure Information (PCII) Program, which was authorized by the Critical Infrastructure Information Act of 2002 (CII Act). (108) The CII Act enables the DHS to "collaborate effectively to protect America's critical infrastructure, eighty-five percent of which is in the private sector's hands." (109) The CII Act gives the DHS the authority to accept, store, and maintain critical infrastructure and key resource information from various sources, including the public, owners and operators of critical infrastructure, and State, local, and tribal governments. The CII Act provides a major benefit to defense contractors and a significant incentive for submitting critical infrastructure information. It allows for information collection while limiting public disclosure of sensitive information under the Freedom of Information Act (FOIA), and other laws, rules, and processes. Specifically, critical infrastructure information, including the identity of the submitting person or entity, which is voluntarily provided to the DHS is:
(1) protected from disclosure under FOIA; (110)
(2) not subject to agency rules or judicial doctrine regarding ex parte communication with a decision-making official; (111)
(3) protected from being used directly by Federal, State, or local authorities, or any third party, in any civil action arising under Federal or State law if such information is submitted in good faith; (112)
(4) protected from use or disclosure by any officer or employee of the United States for any other purpose than (a) in furtherance of an investigation or prosecution of a criminal act, or (b) to Congress, or its representatives, or the Comptroller General, or its representatives, without written consent; (113)
(5) if provided to a state or local government, protected from disclosure under state or local laws requiring disclosure of information or records, to any party by the state or local government without written consent of the submitter; or, for any purpose other than protecting critical infrastructure or in furtherance of investigating or prosecuting a criminal act; (114) and,
(6) not to be considered a waiver of any applicable privilege or protection provided under the law, to include trade secret protection. (115)
Furthermore, federal officers or employees who disclose this information in an unauthorized manner subject themselves to imprisonment of up to one year and civil and criminal fines and must be removed from office or employment. (116)
PCII may be shared with authorized government agencies for purposes of securing critical infrastructure. (117) It should be used for analysis, warning, study, infrastructure, and recovery or reconstitution. (118) Other permissible uses include to generate advisories, alerts, and warnings to parties, including the private sector; however, these statements cannot contain sensitive information provided by the submitter. (119) The PCII Program Office is responsible for managing the PCII program, including developing methodologies for handling PCII, raising awareness of information-sharing, and assuring information is safeguarded. (120)
E. Critical Infrastructure Information Sharing Issues
Why is the sharing of critical infrastructure information so important? If the Air Force is going to become involved in protecting the critical IT infrastructure of the DIB, it will be primarily protecting information and its transmission, as opposed to facilities, equipment, etc. For example, the Air Force cannot possibly protect every network cable, telephone line, or microwave tower transmitting DIB-related data. Thus, the DIB security partners must focus on protecting and securing the data that travels along those routes. As it relates to equipment most vulnerable to attacks by hackers and the like, the means for protecting and securing that equipment will most likely involve information as to how the equipment is designed and operates. This information may be classified and is certain to contain trade secrets of one form or another. Thus, how the private sector DIB partners choose to pass that information along to the Air Force, and how the Air Force is able to assure that information remains safeguarded, is crucial.
From the perspective of the private sector, what information remains safeguarded and to what extent it is protected might be different than the U.S. government's point of view, and the DOD in particular. For example, assume a DIB partner provides information regarding the inner workings of a router, which it uses to support a DOD mission, to the DOD for purposes of protecting it and its associated critical infrastructure. Also assume that the information is of a sensitive, but unclassified, business nature--no other router manufacturer uses the same technology and it is extremely valuable. Obviously, it would be very important to the contractor that the DOD safeguard that information and prevent its disclosure to its competitors.
Then, assume a person or entity inquires into some area of DOD records, either under the auspices of FOIA or related to some civil lawsuit. The civil suit might even be a legitimate suit related to a contract awarded to the initial DIB partner. What prevents the disclosure of the information provided to the DOD? As discussed above, the CII Act clearly protects information provided to the DHS regarding the protection of critical infrastructure from terrorist attack. The same is not so clear with regard to information the DIB partner provides to its DOD counterpart, despite the fact that the DIB partner has a direct working relationship with the DOD. The DIB partner may have some level of protection in accordance with FOIA exemption number four if the information qualified as a trade secret, but not the expansive protection of the CII Act. (121) In the end, the lack of guarantees with regard to the release of information to the public or to other industry members creates a potential disincentive to information-sharing between the DIB and the DOD.
Furthermore, what gives the DOD the authority to provide threat and vulnerability information directly to its private-sector DIB counterparts? For a DIB partner providing IT and other computer-related support, protection of the DIB partner's IT infrastructure might involve information about the vulnerabilities of both DOD-owned and privately owned systems. This information may be classified or otherwise sensitive to military operations. In particular, the means by which the DOD came across these vulnerabilities might be more sensitive or classified. In fact, disclosure of the vulnerabilities might itself reveal classified or sensitive collection methods. How does the DOD go about sharing this information with its DIB counterparts? Criminal provisions certainly regulate improper disclosure of classified information. (122) But, how can the DOD and its DIB IT partners forge a successful working relationship if these two groups are unable to freely provide information to each other? Also, how can a critical infrastructure protection effort be successful without a free flow of the information related to that infrastructure? Clearly, within the IT arena, the most important issue with regard to the most vulnerable aspect of the DIB IT infrastructure is the protection and sharing of information.
What does the DOD propose with regard to sharing critical infrastructure information? Other than referencing the NIPP and the CII Act, it says very little. The DIB plan makes cursory mention of the fact that the DOD will "support and facilitate sharing of threat information through appropriate government and commercial channels." (123) The plan also calls for the DOD to share information related to criticality determinations with whatever organization is tasked with protecting that asset. (124) However, the plan is thin on specifics.
The DIB plan claims that the DOD identified the venues and mechanisms for information-sharing with its Critical Infrastructure Protection communities of interest. (125) The plan identifies these communities as "domestic organizations (including industry); international private industry; international coalitions and allies; Federal, State, and local governments and agencies; and other DOD organizations to identify and coordinate protection of critical DIB assets." (126) The venues identified by the DIB plan include "DIB [Government Coordinating Council], [Sector Coordinating Council], and [Critical Infrastructure Partnership Advisory Council] meetings; [Defense Critical Infrastructure Program] Awareness Visits; Industry association meetings and expositions; Academic symposia and conferences; Electronic and traditional mail; and World Wide Web and restricted network portals." (127) The mechanisms for communicating roles, responsibilities, and concepts for effective DIB [Critical Information Protection] efforts include:
Published policy, directives, instructions, guidance, and methodology; Documented concept (sic) of operations; Presentations and speaking engagements at association, international, Federal, State, and local events, expositions, and conferences; Onsite awareness presentations at DIB sites; Participation in exercises and published lessons learned; and, Curricula at Defense and other schools. (128)
However, even discussing information sharing from the point of "roles, responsibilities, and concepts" misses the mark. What about the actual information related to the private sector's critical DIB infrastructure?
The DIB plan does not propose any new mechanism for sharing sensitive or classified DIB threat or vulnerability information directly with its security partners. Rather, it relies on the DHS's PCII program to accomplish the information-sharing effort. The DIB plan relies on the protections afforded by the CII Act, such as protection from FOIA disclosure, state and local disclosure laws, and use in civil litigation; but does not have any DIB-specific protections. (129) The DIB proposes to appoint a PCII Officer to oversee handling, use, and storage of PCII; ensure secure handling of that information; establish a self-inspection program focusing on compliance with PCII handling, use, and storage requirements; and ensure coordination with the PCII Program Manager regarding requests, challenges, or complaints regarding PCII regulation implementation. (130)
In addition, "DOD plans to develop an accreditation plan for obtaining and certifying PCII." (131) Some of this information requires security classification in accordance with previously established regulations. (132) The plan recognizes that it must encourage voluntary sharing of information and analysis. (133) It also admits that there has been, in fact, very little interaction between DOD and industry with regard to information-sharing. (134) The plan goes on to recognize that this situation must be remedied in order to achieve a successful collaborative effort to protect the DIB infrastructure. (135)
The real problem with the DIB plan's approach to information-sharing is its lack of specificity and innovation. The DIB plan lists information security and information assurance as two of its goals. (136) With regard to the information security goal, the plan contends that "[a]ll information that identifies or otherwise describes characteristics of a critical DIB asset that is created, held, and maintained by the government or the private sector will be protected from unauthorized disclosure according to established procedures appropriate to the particular level of information." (137) The plan does not, however, address the lack of statutory authority to protect information provided by the private sector directly to the DOD. Merely relying on "established procedures" does not give statutory teeth to the process, nor should it instill any particular level of confidence in members of the private sector that their proprietary information would remain secure.
As it relates to the information assurance goal, the plan states that "DIB asset owners/operators will have functional and adequate plans in place for exercising prudent information assurance methods to protect the DIB asset, to control processes over the production or provisioning of the product or service, and to protect the product or service delivery systems, including the supply chain." (138) Yet, the DIB plan does not specify how it proposes to accomplish this goal or to enforce the requirement.
F. DOD Critical Infrastructure Challenges
The Government Accountability Office (GAO) noted many of the shortfalls of DOD efforts to protect the DIB's critical infrastructure. The GAO analyzed the DCIP, recognizing that DOD relies so heavily on non-DOD infrastructure assets that their unavailability could critically hinder the DOD's ability to project, support, and sustain forces and operations worldwide. (139) As alluded to earlier, the DCIP (DODD 3020.40) is the DOD plan to protect DIB infrastructure regardless of where a threat originates. In conducting its analysis, the "GAO was asked to evaluate the extent to which DOD has (1) developed a comprehensive management plan to implement DCIP and (2) identified, prioritized, and assessed its critical infrastructure." (140) Again, the GAO evaluated the DOD's efforts with regard to the DCIP (published in August 2005) and not the DIB plan (published in May 2007--the same month the GAO released its report). Thus, the GAO evaluation strictly focused on DOD-owned critical infrastructures. Nevertheless, the GAO found several interesting things during the course of its first evaluation that related to non-DOD-owned infrastructures. First, the GAO learned that the DOD only identified an estimated twenty-five percent of the critical infrastructure that it owns. (141) Further, the GAO found that the DOD did not even expect to identify the remaining seventy-five percent of its critical infrastructure until the end of fiscal year 2009. (142) To make matters worse, the DOD identified significantly less of the infrastructure that it does not own and did not even have an estimated completion date for that effort. (143) Accordingly, the GAO conducted further analysis specifically related to non-DOD-owned DIB infrastructures. The size of this analysis would be extensive as an estimated 200 non-DOD-owned DIB assets are mission critical--approximately eighty-five percent of the entire DIB sector. (144)
In August 2007, the GAO released its follow-up report regarding non-DOD-owned DIB infrastructures. (145) The GAO found that the DIB is comprised of hundreds of thousands of industrial sites predominately owned by the private sector. (146) The GAO analyzed the protection of this infrastructure more broadly than called for by either HSPD-7 or the NIPP. Specifically, the GAO analysis covered threats not only from terrorist attacks but also from criminal activity, technological failure, natural disaster or a man-made catastrophe. (147) In this second report, the GAO analysis focused on two issues: (1) the status of DOD efforts to develop and implement a risk management approach to ensure the availability of DIB assets which support mission-essential tasks, and (2) challenges faced by the DOD in its approach to risk management within the DIB sector. (148)
The cornerstone of the NIPP, and by extension the DIB plan, is a risk-management framework that establishes priorities based on risk and calls for protection and continuity initiatives to mitigate those risks. (149) The DCIP, which again addresses more than just terrorist threats against DOD infrastructures, assigns lead agents for each of ten identified sectors--one of which is the DIB. (150) The Under Secretary for Acquisition, Technology, and Logistics is responsible for DOD efforts related to the DIB's critical infrastructure. (151) Due to its established working relationship with private sector DIB owners and operators, the lead agent for the DIB sector is the Defense Contract Management Agency (DCMA). (152) In analyzing the status of DOD efforts to develop and implement a risk management approach, the GAO examined DIB plans; DCMA efforts to identify, assess, and remediate critical DIB assets; criteria established by the DCMA to identify important and critical DIB assets; the DCMA's asset prioritization model used to rank critical assets; and vulnerability assessment standards, including their implementation by National Guard teams tasked with conducting those assessments. (153)
The DIB plan provides a coordinated strategy to (1) identify and prioritize a critical asset list, (2) perform vulnerability assessments on the high priority critical assets, and (3) encourage private sector contractors to address vulnerabilities found during these assessments. (154) In identifying DIB critical assets, the DCMA and supporting personnel, using a tiered process, compiled a list of approximately 900 important defense contractor assets from the hundreds of thousands of entities constituting the DIB, ultimately narrowing that list down to 203. (155) Then, the DCMA used an asset prioritization model it developed to determine a criticality score so that it could rank critical assets. (156) The DCMA collected the data used to develop this score from DCMA surveys, supplemented by commercial and government sources, including the Defense Logistics Agency, the military services, and the combatant commands. (157) Once identified, critical DIB assets should undergo a standardized mission assurance vulnerability assessment. (158) However, as of 1 June 2007, only eight of the some 203 critical assets had undergone a vulnerability assessment. (159) At the same time, DOD has developed a remediation planning guide to address the vulnerabilities identified through the assessments. (160) However, this guide was designed in a general way that does not suggest deadlines because of the voluntary nature of the DIB in the DCIP process. (161)
With regard to its analysis of the DOD's challenges in developing and implementing its approach, the GAO compared policies for identifying mission-essential tasks and related defense critical assets with the DCMA's approach of identifying a critical DIB asset list. The GAO also examined the development and use of the DCMA asset prioritization model. It reviewed DCIP efforts by the services related to protection of the DIB. Finally, the GAO reviewed private sector contractor challenges, including contractors' willingness to participate in the program. (162) The GAO found four separate challenges that the DOD must address to ensure its risk management approach is sound. (163)
The first challenge identified by the GAO is that the critical asset list used by the DCMA does not yet incorporate comprehensive, mission-essential task information from the military services. (164) Information from the 2006 list came primarily from the DCMA, Army, and Navy. (165) The Air Force provided no input to the 2006 list. (166) For the 2007 list, the Air Force merely reviewed and validated critical DIB assets identified and compiled by the DCMA; it made no independent submissions of DIB assets. (167) The services are still in the process of identifying mission-essential tasks and the defense critical assets that support them, including critical DIB assets. (168) To date, the DOD has not established a plan for identifying all service mission-essential tasks, or targets and time frames. (169)
Second, the critical asset prioritization model developed and used by the DCMA has yet to undergo an external review, and it lacks both contractor-specific data and comprehensive threat information. (170) One of the most controversial aspects of the model is the subjective decisions the DCMA interjects into the model. (171) The DCMA model relies heavily upon data from private sector contractors. However, the GAO review identified missing contractor-specific data for a number of critical assets. (172) The DCMA attempted to collect the needed information via two surveys but failed to do so, because collection of this information depends upon contractors' willingness to provide business information, which is sometimes of a sensitive nature. (173) To make matters worse, when missing needed information, the DCMA defaults to a high-risk score, the most conservative assumption. (174) Accordingly, within the prioritization list, it is not always apparent whether the DCMA identified some contractors as high risk because data was unavailable or because data actually justified the high risk rating. (175) In 2005, only thirty percent of surveyed DIB entities responded to DCMA surveys. (176) The DCMA did not even conduct a survey in 2006. (177) Further, the DOD lacks comprehensive threat information because intelligence sources provide information through ad hoc agreements rather than by formal arrangements. (178) Absence of this information likewise undermines the utility of the score used to prioritize DIB contractors. (179) Until the DCMA formulates a procedure for collecting the comprehensive threat data it needs, its asset prioritization model will remain unreliable. (180)
The third challenge facing DOD relates to the fact that the DCMA is not scheduling and conducting vulnerability assessments in accordance with its own rankings from its prioritization model. (181) Currently, the DCMA is scheduling and conducting vulnerability assessments based upon the accessibility of DIB contractors rather than in accordance with its own established procedures, which call for the highest priority assets to receive assessments first. (182) Coordinating vulnerability assessments can be complicated and sensitive. (183) Because the DCMA cannot inform uncleared contractors that they are on the classified critical asset list or discuss vulnerabilities found at their facilities, the lack of facility security clearances significantly complicates the DCMA's ability to get DIB contractors to participate in the risk management program. (184) Currently, "About 52 percent of the DIB facilities identified as critical lack security clearances for the facility or its personnel, and thus cannot receive vulnerability assessments or discuss needed remediation actions." (185) So, rather than scheduling assessments for DIB contractors with the highest priority first, the DOD provides the first assessments to contractors who can demonstrate they have the appropriate security clearances.
Furthermore, some DIB contractors have expressed concerns about sharing proprietary business information with the government and about resulting increases in cost and liabilities related to correcting vulnerabilities identified as a result of sharing information pursuant to this program. (186) Of primary concern is the DOD's ability to protect information DIB contractors deem proprietary or potentially damaging if released or disclosed. (187) This is obviously a serious concern to a private industry whose success depends on the profit it generates, which is often directly tied to proprietary information and intellectual property. Additionally, "some significant DIB contractors are involved in classified, special access programs that could involve military mission-essential tasks and as a result may not be allowed or willing to share certain types of information." (188) Thus, DCIP efforts may not even include some significant critical DIB assets. (189) To overcome this problem, DCMA primarily resorted to having high-level DOD officials contact the contractors directly or developing memoranda of agreement specifying duties of the parties. (190) The DOD is also considering accreditation of a PCII Program effort to provide safeguards to concerned contractors. (191) However, the PCII Program was created to address terrorist-related threats and not the all-encompassing list of threats addressed by the DCIP, the NIPP, and the DIB plan. (192) It remains unclear whether using the PCII Program beyond the scope of the terrorist concern is even authorized.
The GAO report goes on to point out that nothing prevents private sector DIB entities or other sources from sharing information directly with the DOD. (193) However, the report does not address the issue that voluntary sharing of information does not come with protections from disclosure afforded by such statutes as the CII Act. Until the government can demonstrate the ability to provide adequate security for contractor-provided information, nonfederal entities will be reluctant to release sensitive information to the DOD because of the lack of certainty regarding full protection of information they provide. (194) In an effort to remedy this problem, the DCMA proposed new legislation and additional provisions in the Defense Federal Acquisition Regulation Supplement (DFARS) (195) to address information protection, thereby increasing private-sector DIB participation, but these proposals were never enacted. (196) Currently, no plans exist within the DOD to further pursue legislation regarding this issue. (197) Also, the DCMA recommended DFARS provisions which would mandate that contractors be responsible for physical protection and security of their own critical infrastructures, that they have comprehensive security plans relating to facility security, and that the government be permitted to conduct or facilitate vulnerability assessments under the DCIP. (198) But, these provisions were not submitted to the Defense Acquisition Regulation Council, which develops policy for approval by the Director of Defense Procurement. (199)
The fourth and final DOD challenge identified by the GAO is that it lacks a plan for identifying and addressing challenges in assessing vulnerabilities of critical foreign contractors. (200) This effort requires interagency cooperation, particularly with the Department of State. (201) But, to date, the DCMA has yet to conduct any assessments on foreign contractors. (202) This effort would obviously impact existing treaties and embassies and host governments and would require coordinated efforts. (203) A strategic action plan for foreign countries with DIB assets must also be developed. (204) The DOD must address all of these challenges in order to ensure successful protection of the DIB critical infrastructure by the DOD and its sector partners.
G. Recent Developments
Interestingly, in 2008, President Bush seemingly changed course on the issue of attacks on computer systems, at least as it relates to those systems owned by federal agencies. As previously mentioned, the federal government may clearly protect computer and other information management systems owned by any given federal agency. Nevertheless, President Bush, by means of a classified directive signed on 8 January 2008, authorized federal intelligence agencies, in particular the National Security Agency (NSA), to monitor the computer networks of all federal agencies, including those they had not previously monitored. (205) Pursuant to this directive, a task force headed by the Office of the Director of National Intelligence (ODNI) will coordinate efforts to identify the source of cyber-attacks against government computer systems. (206) The DHS and DOD will take ancillary roles in this effort--protecting systems and devising strategies for counterattacks. (207)
This joint directive--designated as the National Security Presidential Directive 54/Homeland Security Presidential Directive 23--followed a number of attacks on computer systems owned by the Departments of State, Commerce, Defense, and Homeland Security since mid-2006. (208) U.S. officials and cyber-security experts identified Chinese websites involved in the largest of these attacks in 2005. (209) These particular attacks included U.S. nuclear laboratories and large defense contractors. (210) The DHS observed 37,258 cyber-attacks on government and private networks in 2007, compared to 4095 in 2005. (211) Thus, President Bush requested an initial six billion dollars to begin building a thirty-billion-dollar system to protect these networks from attack. (212)
In coordinating the efforts of the DHS and the DOD, which has been involved in computer system and network protection for some time, the "NSA has particular expertise in monitoring a vast, complex array of communications systems--traditionally overseas." (213) Not surprisingly, there is some concern about using NSA's computer network monitoring capabilities in the domestic context. (214)
But, while this new intelligence-led effort addresses computer systems owned by the government, some have recognized the gap in coverage, discussed above, regarding private industry, in particular DIB-owned, networks. Alan Paller, research director for a cyber-security group assisting companies facing attacks, noted, "If you don't include industry in the mix, you're keeping one of your eyes closed because the hacking techniques are likely the same across government and commercial organizations." (215) It is within this private-sector gap that some analysts say 90 percent of the threat exists. (216) The previous Director of National Intelligence, Mike McConnell, claimed ninety-five percent of the problem lies within the private sector. According to media sources, this initiative will address private networks in some fashion.
A 2008 Wall Street Journal article reported that "[t]he program would first be used on government networks and then adapted to private networks." (217) The same article indicated that protection of "private computer systems would likely require the government to install sensors on private, company networks...." (218) These private networks would include such systems as those used by Wall Street. (219) Currently, however, there is no information that indicates what legal authority the government would have to install such sensors on, or otherwise protect, private computer networks.
Thus, while former Deputy Defense Secretary Gordon England has proclaimed that "[c]yber warfare is already here," he failed to address a specific, critical issue: his definition of "cyber warfare" seemingly included attacks on private computer systems. (220) Secretary England, noting President Bush's newly established task force on 3 March 2008, referred to efforts to safeguard computers in general, failing to differentiate between privately owned and government-owned IT infrastructure. (221) This failure appears to be pervasive. Former Director McConnell also addressed cyber warfare issues with regard to information systems involving the "money supply, electric power distribution, transportation and that sort of thing," notwithstanding the fact that private-sector entities own or operate the majority of these information systems. (222)
Security of IT infrastructure is obviously not only a domestic concern. The cyber attack on Estonia in 2007 stimulated international discussion of the defense of cyber networks. (223) But, like the United States, other countries seem reluctant to exclude privately owned information systems when discussing cyber security and protection of those systems by military assets. The attacks on Estonia were directed against such privately owned organizations as daily newspapers and banks. (224) Thus, the implication is that even NATO is comfortable with considering the use of the military to protect privately owned computer networks and data, notwithstanding potential legal impediments.
The Obama Administration certainly has cybersecurity on its radar screen. The extent to which this effort will cover private IT networks and which governmental agency, if any, will be responsible for this infrastructure is unclear at this early stage of President Barack Obama's first term. The Administration, noting that the strength and vitality of the U.S. economy, infrastructure, public safety, and national security were built on the foundation of cyberspace, insists that the U.S. global digital infrastructure, based largely upon the Internet, is not secure or resilient enough today or for future purposes. (225) The Obama Administration initially took the position that the government should partner with academia, the private sector, the civil liberties community, international partners, the Congress, and state and local governments to innovate and adopt cutting edge technology, while enhancing national security and the global economy. (226)
So, on 9 February 2009, President Obama directed a sixty-day review of the government's plans, programs and activities that address U.S. communications and information infrastructure. (227) The review's purpose was to develop a strategic framework to ensure that the government's initiatives in this area were integrated, resourced, and coordinated within the Executive Branch and with Congress and the private sector. (228) In April, the interagency group undertaking the review concluded its work and submitted its findings and recommendations for President Obama's review. (229) The inclusion of the private sector within this review may shed some light on the Administration's upcoming position on whether a government agency should be involved in the protection of private sector infrastructure, including the DIB, but no final decision has been articulated at this point.
In addition to the Obama Administration's cybersecurity efforts, Congress is in the process of addressing this issue as well. In August 2009, cybersecurity legislation previously introduced by Senate Commerce Chairman John (Jay) Rockefeller and Senator Olympia Snowe underwent major changes. (230) The senators sent the revised version of the bill to the Commerce and Intelligence committee aides for review following the August 2009 recess. (231) The bill addresses various cybersecurity issues. Prominent in the revised bill are provisions instructing the Commerce Secretary to work with the White House Office of Personnel Management to hire, train, and certify government cyber professionals. (232)
In the new version, the drafters ultimately curtailed a section of the prior legislation that would have allowed the president, during a cyber emergency, to limit or even shut down Internet traffic to and from any compromised government or U.S. critical infrastructure information system or network. (233) The new proposal directs the president to work with industry during a cyber emergency on a national response as well as the timely restoration of affected networks. (234) This alteration illuminates one of the primary issues surrounding any potential DOD or Air Force involvement in protecting DIB IT infrastructure: can the government legally impede a private network that it does not own, even if for a just purpose--protecting its networks?
The drafters also eliminated earlier language requiring an advisory panel to ensure national security would not be compromised before approving the renewal or modification of a contract between the U.S. government and the entity that oversees global Internet addresses. (235) Certainly, there are by necessity a number of issues in the contracting realm, especially with regard to sharing information between the government and private entities, as discussed in Section IV below.
The reworked draft includes a biennial cyber review beginning in 2013 to review the current posture of the country's IT infrastructure, including an unclassified summary of roles, missions, accomplishments, plans, and programs associated with securing that infrastructure. (236) The bill also sets up a cybersecurity advisory panel of representatives from industry, academia, nonprofit organizations, interest and advocacy groups, and state and local governments. (237) In addition, the legislation would create state and regional cybersecurity enhancement programs and a threat and vulnerability clearinghouse for the government and the private sector. (238) The initial bill specified that the Commerce Department would serve as home to the clearinghouse, but the latest version leaves its designation vague. (239) However, the inclusion of the Commerce Department in the discussion should not be overlooked. The connection between private industry and commerce regulations may be the conduit for initial government involvement in private sector cybersecurity efforts.
Other provisions would require a comprehensive analysis of the federal statutory and legal framework applicable to cyber-related activities in the United States and a joint intelligence threat assessment by the ODNI and the Commerce and Homeland Security secretaries. (240) Interestingly, the early press reports do not mention the military's possible involvement in these efforts. Whether that indicates a retreat from this earlier proposal or a failure of accurate reporting is unknown at this point. But, the 20 August 2009 Air Force memo about supporting the USCYBERCOM mission discussed earlier does not mention protection of privately owned critical IT infrastructure either. (241)
H. Summary of Authority
Thus, in regard to this issue, the DOD shares some responsibility with the DHS in protecting the nation's critical infrastructure. Particularly, the DOD takes a leading role in assisting in the protection of critical infrastructure with its partners in the DIB sector. Neither the DOD, nor any other governmental entity, has the authority to unilaterally protect infrastructure that it does not own, whether it is part of the DIB sector or not. This includes the IT infrastructure not owned by the DOD.
Based on current law and policy, participation in the protection of critical infrastructure by private-sector DIB members is completely voluntary. Based on those same laws, the federal government at least affords some protection to private-sector DIB members who provide information through the PCII Program. However, it appears the law does not call for the PCII Program to receive information not related to potential terrorism, nor do the CII Act's protections appear to extend to information provided directly to the DOD. Nevertheless, information provided to the DHS can then be used to coordinate protection of all IT critical infrastructure components, including members of the DIB. But, it is unclear as to what degree intelligence agencies such as the NSA--which, as of the early part of 2009, may be more involved than in the past--may share information they collect, either overseas or domestically, with the DHS, the DOD, and more importantly, the DIB.
So, given the limited ability for the DOD to assist in protecting the DIB IT critical infrastructure, how should the Air Force proceed with the current effort and should the Air Force push to expand its abilities in this area, and if so, how? Before answering those questions, one must analyze what, if any, contractual liabilities the Air Force may face by assisting in the protection of individual defense contractors' information infrastructure.
IV. WHAT RESPONSIBILITY DOES THE AIR FORCE INCUR, IF ANY, BY ASSISTING IN OR PROTECTING INFORMATION TECHNOLOGY OF SELECTED DEFENSE CONTRACTORS?
In 1984, Congress passed the Competition in Contracting Act (CICA). (242) The provisions of CICA that apply to the DOD are codified at 10 U.S.C. §§ 2304-2305. A few additional competition provisions applicable to all federal agencies are found in Title 41, United States Code. (243) "[I]t is a fundamental principle of government procurement that competition must be conducted on an equal basis, that is, offerors must be treated equally and be provided with a common basis for the preparation of their proposals." (244) Could a potential defense contractor successfully claim that an incumbent contractor possesses an unfair competitive advantage if the DOD protected the existing contractor's IT infrastructure or provided that contractor with information that allows the contractor to protect its own infrastructure? With respect to this issue, a contractor would have an unfair competitive advantage if a contractor possessed "source selection information" relevant to the contract not available to all competitors and that information would assist in obtaining the contract. (245) The presence of an "organizational conflict of interest" may also lead to a claim of unfair competitive advantage. (246)
A. Unfair Competitive Advantage Based on Possession of Source Selection Information
As referred to in the definitions section above, the term "unfair competitive advantage" is a term of art defined within the FAR. Generally, a contractor competing for the award of a federal contract may have an unfair competitive advantage if that contractor possesses proprietary information that it obtained from the government in an unauthorized manner, or it possesses "source selection information" relevant to the contract that was not available to all competitors and that information would assist that contractor in winning the contract award. (247) Obviously, the unauthorized possession of proprietary information by a contractor would be problematic. However, with regard to potential protests by contractors who object to current contractors having their IT infrastructure protected by the government, this type of unfair competitive advantage is irrelevant.
Is there, then, any relevance to the second type of unfair competitive advantage claim--one where source selection information is at issue? At first glance, one might say yes. However, the real answer lies within the definition of "source selection information." Source selection information is also a term of art defined by the FAR. (248) This category of information includes information primarily related to an agency's evaluation of a bid or proposal to enter into a government contract. (249) This type of information includes such information submitted by a potential contractor as bid prices, costs, technical evaluation plans, ranking of bids by competitors, the list of competitors making bids, evaluations of bids, and the like. (250) It does not, however, include the type of information that is relevant to the issue at hand.
For example, refer back to the previous discussion of a DIB partner exchanging information with the Air Force for purposes of protecting that DIB partner's critical IT infrastructure. In order to adequately protect IT infrastructure of the DIB, there must be a meaningful exchange of information between the DOD and private sector DIB partners. This information would include, among other things, information about how different IT systems work and vulnerabilities that exist on them. The result would be that certain defense contractors would possess threat and vulnerability information to protect their IT infrastructure that other private sector companies would not have. This information would provide a significant benefit to defense contractors and could place them in an advantageous position with respect to the DOD's confidence that the DIB partner's IT infrastructure was as secure as possible.
Now fast forward--what about a future procurement? If the security of the bidding contractors' IT infrastructure is a factor in selecting the eventual award winner, would not existing DIB contractors, who have received threat and vulnerability information from DOD sources, be in the best position to prove that their IT systems are secure and thus they are the right company for the job? By extension, would private companies who are not defense contractors be at a disadvantage in the bidding process? The initial response to those questions is likely yes. But is that particular question relevant to having an unfair competitive advantage, as that term is defined in the FAR? It does not appear likely.
First, the type of threat and vulnerability information in the possession of private DIB companies does not meet the FAR definition of "source selection information." Threat and vulnerability information is not related to the bids being placed by companies vying for a contract, nor does it reveal any sort of evaluation of companies, their capabilities, or resources that would allow a certain company to know what its competitors are contending they can provide to the government if they are selected for the contract. It is this type of insider information that the FAR seeks to prevent from getting into the hands of one company, thus giving it an unfair competitive advantage over the others, not the threat and vulnerability information that some company has received through its previous relationship with the DOD.
Second, it will likely be no surprise to any competitor for this type of DOD contract that the security of its IT infrastructure would be at issue. The request for proposals disseminated by the DOD will probably list this as one of the requirements for winning the contract. That same proposal will likely discuss what the DOD-contractor relationship will be once the contract is awarded, with regard to the winner's infrastructure security. While the competitors will probably not know the details of each other's IT vulnerabilities, it is equally likely that all competitors will know that some vulnerabilities must exist. Thus, the question becomes: if this threat and vulnerability information is not the kind of source selection information that the FAR seeks to prohibit a contractor from possessing, could a competitor successfully claim that information nonetheless gives that contractor an improper advantage in some future procurement process because the previous relationship that the contractor had with the DOD creates a conflict of interest?
B. Organizational Conflict of Interest
An organizational conflict of interest (OCI) may be a more fertile area for complaints with regard to efforts by the Air Force to protect DIB critical IT infrastructure. Increasingly, OCIs have appeared in federal procurements. (251) There are several reasons for this phenomenon. First, "the consolidation within the industries serving the U.S. Government, particularly in the information technology and defense industries" has increased the number of OCI problems. (252) This is a result of fewer contractors that produce a particular good or service, so each ends up producing a wider range of goods or services. (253) Second, the government is utilizing contractors more frequently for various services that require some level of judgment by those contractors. (254) For example, rather than hiring a private contractor to provide computer repair services, the government might contract with a firm that advises the government on which computer hardware or software to purchase. (255) The third reason for the increasing occurrence of OCIs in government procurements is the use of marketing-encouraging contracts. (256) These "umbrella" contracts involve multiple companies covering multiple federal agencies, and because they provide low minimum dollar guarantees, a contractor's profit is increasingly dependent upon its ability to market to federal agencies. (257) A recent example of this situation occurred in connection with a Department of Interior contractor providing IT services under a General Services Administration (GSA) Federal Supply Schedule program that allowed the contractor to provide IT services to numerous agencies. (258)
The following elements must be established to prove an OCI exists. First, there must be a conflicted party. (259) The definition of a conflicted party is more expansive than one might imagine. For example, the definition might be triggered when an individual in a firm's research and development office helps a government agency draft specifications for a new weapon system and the management office of the same firm competes for the contract to build that same weapon system for the government. (260)
Second, there must be some interest or benefit in the conflicted party's involvement. (261) Third, the conflicted party must have some responsibility to a third party, which is usually the government. (262) The most frequent example is when the third party (for example, the DOD) is attempting to obtain an unbiased opinion (for example, on how to structure a military IT network) from a conflicted party (for example, a defense contractor). (263) An OCI's definition also includes a provision for a situation when a conflicted party has an "unfair competitive advantage." (264)
There are three major categories of OCIs. (265) The first is the "biased ground rules" group. (266) This describes a situation "where a company sets the ground rules for a future competition by, for example, writing the specifications that competitors for a contract must meet." (267) The second category deals with "impaired objectivity." (268) This situation refers to a company being asked to perform some task that requires objectivity, but some other role within the company calls into question the company's ability to be unbiased. (269)
The third category, and the one most relevant to issues of the DOD's involvement in protecting private-sector DIB IT infrastructure, is the "unequal access to information" situation. (270) This situation occurs when a company has access to nonpublic information, often because it has previously been involved with a government contract of the same or similar nature, which gives it an upper hand in competing for a later contract. (271) With regard to "unequal access to information" OCI challenges, courts have examined the following issues more broadly: (1) whether a particular offeror had access to nonpublic information that was unavailable to a protestor, (2) whether that information was competitively useful in responding to a solicitation, (3) whether the awardee was afforded an unfair advantage by having unequal access to that information, and (4) whether having unequal access to that information prejudiced the protestor. (272)
The means by which to challenge a procurement alleged to involve an OCI is a bid protest. (273) A contractor may protest a bid with the contracting agency, the GAO, or the United States Court of Federal Claims (COFC). (274) A dissatisfied entity may protest either the propriety of the solicitation (i.e., before the contract is awarded) or the actual awarding of a contract. (275) When a protestor alleges that OCI tainted a contract award, resolution of that protest will generally hinge on the existence of the claimed "taint." (276) Generally, involvement by the winner of a contract award in the evaluation and selection process will establish taint. (277) If that taint is proven to have existed, then the follow-on issue is whether any harm was actually done in regards to the OCI. (278)
A second type of OCI can occur in situations where performance of a contract, rather than the awarding of it, can lead to a future OCI if a particular company is awarded the contract. (279) This situation generally arises when a contractor is hired to perform some service, and then that same contractor, or more frequently a related company or subcontractor, is responsible for evaluating the quality of the general contractor's services. (280)
In either of these situations, the associated contractor has a duty to identify and evaluate potential OCIs as early in the acquisitions process as possible. (281) The contracting officer must avoid, neutralize, or mitigate significant OCIs before contract award. (282) There is also a provision for waiving rules regarding OCIs when doing so is deemed to be in the government's interest. (283) But when protests have been upheld on OCI grounds, the situation usually involves an agency failing to recognize an OCI, or if it did recognize the OCI, it failed to adequately deal with it. (284) In these situations, the GAO and the COFC appear to show little deference to the government's position. (285) Obviously, in "unequal access to information" OCI cases, the government could alleviate or mitigate the problem by sharing information with all competing offerors, if they are cleared to have access to that information. (286) Fortunately, if the DOD takes steps to aggressively address potential OCI situations by avoiding, neutralizing, or mitigating them, the GAO and COFC appear ready to deny protests concerning them. (287) Also, when a contracting officer identifies a contractor that might create an OCI and excludes it from a competition, the GAO and COFC appear to be reluctant to uphold a protest from the excluded contractor. (288)
Thus, in the context of the DOD taking a role in protecting the critical IT infrastructure of the DIB, the ultimate concern in awarding future contracts will probably be those situations where a particular company has unequal access to information. In this case, one might question whether threat and vulnerability information related to a contractor's, and even the DOD's, IT infrastructure may give that contractor an unequal access to information that places it in such an advantageous position that it becomes the favorite for the awarding of contracts. Again, the threat and vulnerability information a current contractor possesses places that contractor in a better position to argue that its IT infrastructure is secure. It further allows that contractor to claim that not only is its infrastructure secure, but it has already been certified, to some degree, by the DOD. Certainly, this provides the contractor with some advantage in future procurement projects. But, does it create a true OCI?
Using the analysis above, one must first analyze whether there is a "conflicted party." One could imagine a situation that would involve a conflicted party in the context of information sharing. For example, assume a current defense contractor (Contractor A) continually undergoes meaningful dialogue with the DOD about threats and vulnerabilities regarding its IT infrastructure. Also, assume these discussions result in Contractor A obtaining various software patches or other means by which to make its IT infrastructure secure to a level satisfactory to the DOD.
Further, assume that Contractor A and DOD together routinely test the known vulnerabilities and search for new ones. Contractor A gives significant input into searching for vulnerabilities and providing solutions regarding its IT infrastructure and the DOD's infrastructure, to include best methods for the two to interface, to the extent that the infrastructures almost become one. Then, at some point the DOD decides it needs some other contractual support for another one of its missions. Next, the DOD determines that the mission requires an IT infrastructure that possesses a certain level of security. Assuming Contractor A attempts to obtain the contract, Contractor A might then be a conflicted party based on the fact that it had access to information about the existing IT infrastructure that no other competitor for that contract would be authorized to have. At that point, Contractor A would likely be considered a "conflicted party."
Assuming that Contractor A is a conflicted party, then the next question is fairly simple to answer. Does Contractor A have some interest in its involvement in this process? Given the fact that Contractor A is now bidding for a new contract with the government, it is clear that Contractor A has a financial interest in obtaining the contract.
Finally, does Contractor A have some responsibility to the third party in this scenario, the DOD? It appears so, maybe on two levels. First, Contractor A already has a significant working relationship with the DOD. In fact, not only is Contractor A privy to information about its and the DOD's IT infrastructure, it has been actively involved in testing vulnerabilities and modifying the infrastructure to the extent that Contractor A's infrastructure and the DOD's nearly merged into one. The situation now exists that, based on its access to certain information, only Contractor A, or others using its interfacing methodologies, can interface with the DOD IT infrastructure. Secondly, Contractor A may be involved in establishing the criteria by which the body that selects the winner of the new contract measures the security level of each competitor's IT infrastructure. In other words, Contractor A becomes, in essence, the evaluator of each competitor's compliance with the established security requirement for the new contractor's IT infrastructure. Either of these situations would lead one to believe that Contractor A has some significant responsibility with respect to DOD concerns.
At this point, all three elements exist for a potential competitor to protest either the solicitation for the award, or the actual awarding of the contract to Contractor A. Does that necessarily mean that Contractor A may not be allowed to bid for or win the contract? First, any OCI could be eliminated by the DOD providing all competitors with whatever information they need to secure their IT infrastructure and to interface with the DOD systems. Then Contractor A would not have any advantage based on its prior dealings with the DOD. Second, even if the competitors did not receive the threat and vulnerability information, if the contracting officer becomes aware of the potential OCI, he or she needs only to neutralize or mitigate the conflict. This could be done in any number of ways, but sharing the information with the competitors seems to be the optimal solution. Finally, the head of the agency, in this case the DOD, may waive conflict rules, upon a written request and a determination by the agency head that it is in the government's interest to do so. (289)
V. OPTIONS
Given the foregoing potential contractual liabilities, what are the Air Force's options relative to the mandate that the DOD assist in protecting critical DIB infrastructure? There are some graduated solutions to this issue. First, at the most minimal level, the Air Force can negotiate memoranda of agreement (MOAs) with defense contractors currently operating under contract with the Air Force. This is obviously a reactive response to the problem and requires cooperation from the private sector businesses. The government cannot impose mandatory information-sharing on the private sector under current law, and the Air Force and its DIB partners would have to reach some consensual agreement. But, it would seem to be in the best interest of all parties to enter into such agreements, in light of the capabilities that both parties possess. Any such MOA should include provisions for safeguarding information, with the understanding that there may be some legal issues as to enforcement of these safeguard provisions if the private sector passes information directly to the Air Force. There appears to be no statutory guarantee to protect information passed in this manner from disclosure. One adjustment to this option is to have contractors submit information directly to the DHS through its PCII Program, but this appears to be an inefficient way to conduct business, and the DHS may not be able to fully protect information passed for purposes other than protecting critical infrastructure from terrorist attack.
A second option is to require protection in all future contracts with DIB partners. This option targets future DIB partners and current partners on future endeavors. Within this option there are additional choices on how to approach information-sharing. First, future contract solicitations could mandate that all competitors prove their IT infrastructures meet some level of security. The solicitations could describe the required level of security and offer DOD resources to evaluate security compliance. Once the competitor's IT infrastructure is deemed adequate, the contract could mandate that the DIB partner pass on all information related to its IT infrastructure to the Air Force and also allow for routine Air Force inspections of systems to ensure continuing compliance with these requirements. Again, there may be some information safeguarding issues with this approach, and efforts must be made through the procurement process to ensure that no one competitor obtains an unfair advantage over its other competitors.
A less desirable sub-option in the contract arena might be for the Air Force to instead offer the same level of protection for potential contractors who are not already part of the DIB as that received by current DIB contractors. This is an unappealing resolution for a number of reasons. First, it really does not improve the situation over its current status. In essence, it only formalizes information included in the MOAs suggested above into the contract process. Second, this option relies much too heavily upon voluntary cooperation with DIB contractors. However, this option does avoid the opportunity for any competitor to argue that it has not received the same treatment as existing DIB partners.
The most aggressive and comprehensive approach to overcome this obstacle is the passage of new legislation or, at a minimum, amendments to current regulations such as the FAR. A new federal statute could mandate IT security for all DIB members and could include information-sharing, compliance assessments, and information safeguard provisions. The statute could mirror those applicable to the DHS within the Homeland Security and CII Acts. In addition, the existing DHS structure, including the PCII Program, could probably be simply modified. For example, the DOD could act as the conduit for throughput of information into the PCII Program from DIB members. This would avoid the potential issue that currently exists regarding a DIB member's ability to deal directly with DOD rather than having to volunteer information to the DHS only. The legislation should include non-terror protection issues such as attacks by state actors, criminals, and natural disasters, as well.
The new legislation approach would likely meet a great deal of resistance. No doubt business lobbies would object to mandates of this type. Also, the effort required to meet these statutory mandates would be extensive and expensive. In 2003, there were an estimated 250,000 firms in 215 distinct industries within the DIB. (290) Thus, any statutory requirement to protect these assets would be daunting. But does that mean an effort to create new legislation is impossible? Probably not; in fact, a model for the DOD may already exist.
The Department of Energy (DOE) is tasked as the sector-specific agency for critical infrastructure in the energy sector. (291) This sector encompasses 2,800 power plants and 300,000 oil and gas producing sites. (292) The DOE is responsible for protecting nearly every energy asset with the exception of commercial nuclear power facilities. (293) To assist the DOE in its efforts, Congress enacted the Electricity Modernization Act of 2005. (294) This act requires the owners and operators of the nation's electric power grid to, among other things, ensure reliability of the grid. (295) The act also establishes the Electric Reliability Organization to ensure that all energy sector partners comply with the reliability mandates of the act. (296) Given the similarity in size and importance of the DIB and energy sectors, could not a similar statute mandate some form of DOD protection of the DIB infrastructure? Could not the Air Force be designated as the compliance evaluator for critical DIB IT infrastructure, just as the Electric Reliability Organization does for the energy sector? These situations are not entirely analogous, but the similarities give rise to some thought that this is a potential framework for a solution to the DIB IT protection issue.
Current law mandates that the DOD assist in the protection of private-sector DIB critical infrastructure from terrorist attacks. This infrastructure includes, among other things, information technology infrastructures within the DIB. The Air Force's creation of 24 AF provides a unique opportunity for the Air Force to use its capabilities to assist in this effort. While the other services are certainly tasked with protection of the critical infrastructures of the DIB, the Air Force could possess the organizational capabilities to address the IT portion of the infrastructure.
Several obstacles to these efforts exist, however. Current law, in the form of federal statutes, directives, and national plans and strategies, does not allow the Air Force to thoroughly accomplish this mission. Currently, participation by the private-sector DIB partners is almost entirely voluntary. The voluntary nature of these partners' participation extends to sharing of critical infrastructure information. While the information-sharing aspect of critical IT infrastructure protection is critically important, private-sector DIB members are reluctant to provide the information because they lack the assurance that this information, which can be classified or trade secret information, will be completely safeguarded. There may not be an appropriate mechanism that contains adequate statutory safeguards for DIB members to provide such information directly to DOD components. Plus, the mechanisms currently in place, which do appear to have adequate safeguards for this type of information, call for private companies to provide information to the DHS rather than the DOD, and only for terrorist-related protection of critical infrastructure rather than all-encompassing threats.
Even if private DIB members provide information to the DOD, potential contractual liabilities exist with relation to the protection of those members by DOD components. Many of these contractual obligations may eventually disappear if the correct avenue to handle DIB critical infrastructure is chosen. However, in the meantime, DOD components should be aware that protection of, or assistance with protecting, private-sector critical DIB IT infrastructure may result in litigation. Contracting officers within organizations such as 24 AF should understand how to vigilantly detect and avoid, or at least mitigate, any potential conflicts.
Nevertheless, options exist for addressing all of these issues. Current defense contractors should be approached regarding entering into MOAs establishing requirements to protect this infrastructure. All future contracts should require defense contractors to protect their IT infrastructure and to allow DOD evaluation assessments of the compliance in this area. But, given the importance of the defense industry to the success of DOD missions, a more permanent solution is needed. The natural permanent solution is new legislation or amendments to current regulations. Congress should enact a national defense-oriented statute that mirrors DHS statutes related to homeland security. The statute should address not only terrorist threats but should be flexible enough to also address threats by state actors, criminals, and natural disasters, among others. Legislation should also address information safeguarding issues. The approach used with regard to the energy sector may also be a model for future DOD-related legislation.
The hurdle presented by this mandate is not insurmountable, and it is imperative that the DIB critical infrastructure be protected. Cheap, shortcut methods to address this issue will be insufficient to achieve the ultimate goal. Congress, at the urging of the DOD, should make this effort one of its highest priorities before an attack on these infrastructures proves how important they really are.
(1) Memorandum from the Secretary of the Air Force & the Chief of Staff, U.S. Air Force, to all Airmen, subject: Air Force Cyberspace Mission Alignment (Aug. 20, 2009), [hereinafter Cyberspace Memo] available at https://newafpims.afnews.af.mil/shared/media/document/AFD-090821-046.pdf.
(5) Jen DiMascio, Cyber Experts See Need for Government Cooperation, Policy Changes, DEFENSE DAILY, Oct. 25, 2007, http://www.defensedaily.com/publications/c4i/1051.html (last visited Sep. 13, 2009).
(8) 50 U.S.C. app. § 2152(1) (2006).
(9) Id. § 2152(2).
(10) 42 U.S.C. § 5195c(e) (2006). This definition is also adopted by the Homeland Security Act of 2002, as codified in Title 6, United States Code, 6 U.S.C. § 101(4), and the Directive on Critical Infrastructure Identification, Prioritization, and Protection, 39 WEEKLY COMP. PRES. DOC. 1816 (Dec. 22, 2003) para. 6(e) [hereinafter HSPD-7].
(11) 50 U.S.C. app. § 2152(3) (2006).
(12) 6 U.S.C. § 131(3) (2006).
(13) 50 U.S.C. app. § 2152(4) (2006).
(14) Id. § 2152(5).
(15) Id. § 2152(6).
(16) Id. § 2152(7).
(17) U.S. DEP'T OF DEF., DEFENSE INDUSTRIAL BASE: CRITICAL INFRASTRUCTURE AND KEY RESOURCES SECTOR-SPECIFIC PLAN AS INPUT TO THE NATIONAL INFRASTRUCTURE PROTECTION PLAN 4 (2007) [hereinafter DIB SSP], available at http://www.dtic.mil/cgibin/GetTRDoc?AD=ADA469334&Location=U2&doc=GetTRDoc.pdf.
(18) 50 U.S.C. app. § 2152(8) (2006).
(19) Id. § 2152(9).
(20) 5 U.S.C. § 101 (2006).
(21) HSPD-7, supra note 10, para. 6(d).
(22) 50 U.S.C. app. § 2152(11) (2006).
(23) 41 U.S.C. § 403(6) (2006).
(24) 50 U.S.C. app. § 2152(12) (2006).
(25) 6 U.S.C. § 101(9) (2006). This definition is also adopted by HSPD-7, supra note 10.
(26) 50 U.S.C. app. § 2152(14) (2006).
(27) GEN. SERVS. ADMIN. ET AL, FEDERAL ACQUISITION REG. pt. 2.101 (Jul. 2007) [hereinafter FAR]; see also id. at subpart 9.5.
(28) HSPD-7, supra note 10, para. 6(g). According to HSPD-7, Sector-Specific Agencies conduct their activities with guidance provided by the Secretary of Homeland Security.
(29) 50 U.S.C. app. § 2152(17) (2006).
(30) 15 U.S.C. § 637(d)(3)(C) (2006). This definition is used in Title 50 U.S.C. 50 U.S.C. app. § 2152(18) (2006).
(31) FAR, supra note 27, at 2.101.
(32) Id. at 9.505(b).
(33) U.S. CONST. pmbl.
(34) U.S. CONST. art. I, § 8.
(35) Homeland Security Act of 2002, Pub. L. No. 107-296, §§ 202, 221, 116 Stat. 2135 (2002).
(36) U.S. CONST. pmbl.
(37) JOINT CHIEFS OF STAFF, JOINT PUB. 3-13, INFORMATION OPERATIONS, at II-5 (13 Feb. 2006).
(38) U.S. CONST. art. III, § 2, cl. 1.
(41) See Colonel Allen F. Woodhouse, Information Assurance: A National Policy Struggling with Implementation 4 (Apr. 10, 2001) (unpublished U.S. Army War College Strategy Research Project), available at http://www.dtic.mil/cgi-bin/GetTRDoc?AD_ ADA390580&Location_US&doc_GetTRDoc.pdf.
(42) Michael J. O'Neil & James X. Dempsey, Critical Infrastructure Protection: Threats to Privacy and Other Civil Liberties and Concerns with Government Mandates on Industry, 12 DEPAUL BUS. L.J. 97, 101 (2000); DIB SSP, supra note 17, at 4.
(43) Joe D. Whitley et al., Homeland Security, Law, and Policy through the Lens of Critical Infrastructure and Key Asset Protection, 47 JURIMETRICS J. 259, 262 n.15 (2007).
(44) U.S. CONST. art. I, § 8, cl. 3.
(45) 6 U.S.C. §§ 111, 112, 131, 132 (2006).
(46) 148 CONG. REC. H5633 (daily ed. Jul. 25, 2002) (statement of Rep. Thornberry).
(47) 6 U.S.C. § 132 (2006).
(48) THE WHITE HOUSE, THE NATIONAL STRATEGY TO SECURE CYBERSPACE 54 (2003), available at http://www.dhs.gov/xlibrary/assets/National Cyberspace_StrategY.pdf.
(51) HSPD-7, supra note 10, at para. 37.
(52) Id. para. I.
(54) Id. para. (22)(i).
(55) Id. para. 7.
(56) Id. paras. 12-17.
(57) Id. para. 18.
(58) Id. para. 18(g).
(59) Id. para. 19 (emphasis added).
(60) Id. para. 6(h).
(61) Id. para. 15.
(62) Id. para. 15.
(63) Id. para. 22(c).
(64) Id. para. 27.
(65) Id. para. 34.
(66) U.S. DEP'T OF HOMELAND SEC., NATIONAL INFRASTRUCTURE PROTECTION PLAN (2009) [hereinafter NIPP], available at http://www.fas.org/irp/agency/dhs/nipp.pdf.
(67) Id. at i-ii.
(68) Id. at 11-12.
(69) Id. at 18-21.
(70) Id. at 19.
(71) Id. at 18.
(73) Id. (emphasis added).
(74) Id. at 17-18.
(75) Id. at 18.
(76) Id. at 18-20.
(77) DIB SSP, supra note 17, at 4.
(78) NIPP, supra note 66, at 29-30.
(79) Id. at 30-31.
(80) Id. at 32.
(82) DIB SSP, supra note 17, at i.
(84) Id. at i, 4.
(85) Id. at 3.
(87) Id. at 5.
(89) Id.; HSPD-7, supra note 10, paras. 18(d), 22(c), 22(h).
(90) DIB SSP, supra note 17, at 17-20.
(91) Id. at 5-6.
(93) Id. at 13.
(94) Id. at 17.
(96) HSPD-7, supra note 10, para. 25(b).
(97) NIPP, supra note 66, at 56.
(98) Id. at 66.
(99) 6 U.S.C. § 121 (2006).
(100) DIB SSP, supra note 17, at 7.
(101) Id. at 8.
(102) Id. at 14.
(103) NIPP, supra note 66, at 58.
(104) Id. at 66.
(105) 6 U.S.C. § 121(d)(12) (2006).
(106) Id. § 121(d)(12)(A).
(107) Id. § 121(d)(12)(B).
(108) Id. §§ 131-134.
(109) Procedures for Handling Critical Infrastructure Information, 71 Fed. Reg. 52,262 (Sept. 1, 2006) (to be codified at 6 C.F.R. pt. 29).
(110) Id. § 133(a)(1)(A).
(111) Id. § 133(a)(1)(B).
(112) Id. § 133(a)(1)(C).
(113) Id. § 133(a)(1)(D).
(114) Id. § 133(a)(1)(E).
(115) Id. § 133(a)(1)(F).
(116) Id. § 133(F).
(117) Id. §§ 133(a)(1), 143, 145.
(118) Id. § 133(a)(1).
(119) Id. § 133(e).
(120) 6 C.F.R. § 29.4 (2009).
(121) 5 U.S.C. § 552(b)(4) (2006); FED. R. CIV. P. 26-37.
(122) 18 U.S.C. § 798 (2006).
(123) DIB SSP, supra note 17, at 24 (emphasis added).
(124) Id. at 25.
(125) Id. at 44.
(128) Id. (emphasis added).
(129) Id. at 45.
(136) Id. at II.
(137) Id. (emphasis added).
(139) U.S. GOVERNMENT ACCOUNTABILITY OFFICE, DEFENSE INFRASTRUCTURE: ACTIONS NEEDED TO GUIDE DOD'S EFFORTS TO IDENTIFY, PRIORITIZE, AND ASSESS ITS CRITICAL INFRASTRUCTURE 1 (2007) [hereinafter GAO-07-461], available at http://www.gao.gov/new.items/d07461.pdf.
(140) Id. at 4.
(141) Id. at 25.
(143) Id. at 25-26.
(145) U.S. GOVERNMENT ACCOUNTABILITY OFFICE, DEFENSE INFRASTRUCTURE: MANAGEMENT ACTIONS NEEDED TO ENSURE EFFECTIVENESS OF DoD's RISK MANAGEMENT APPROACH FOR THE DEFENSE INDUSTRIAL BASE (2007) [hereinafter GAO-07-1077], available at http://www.gao.gov/new.items/d071077.pdf.
(146) Id. at 1.
(148) Id. at 4.
(149) Id. at 2.
(151) U.S. DEP'T OF DEF., DIR. 3020.40, DEFENSE CRITICAL INFRASTRUCTURE PROGRAM (DCIP) para. 5.3 (19 Aug. 2005).
(152) DIB SSP, supra note 17, at 7.
(153) GAO-07-1077, supra note 147, at 11-17.
(154) Id. at 11.
(155) Id. at 11-12.
(156) Id. at 11.
(157) Id. at 14.
(158) Id. at 11.
(159) Id. at 11-12.
(160) Id. at 17.
(161) Id. at 18.
(162) Id. at 18-26.
(164) Id. at 18.
(168) Id. at 19.
(170) Id. at 19-21.
(171) Id. at 19.
(172) Id. at 20.
(174) Id. at 14, 20.
(175) Id. at 20.
(177) Id. at 21.
(181) Id. at 21-24.
(182) Id. at 21.
(183) Id. at 22.
(188) Id. at 22-23.
(189) Id. at 23.
(191) DIB SSP, supra note 17, at 44-45.
(192) 6 C.F.R. § 29.1(a) (2009).
(193) GAO-07-1077, supra note 147, at 24.
(195) U.S. DEP'T OF DEF., DEFENSE FEDERAL ACQUISITION REG. SUPP. (July 1, 2009).
(196) Id. at 24.
(197) Id. at 25.
(200) Id. at 25-26.
(201) Id. at 25.
(203) Id. at 25-26.
(204) Id. at 26.
(205) Ellen Nakashima, Bush Order Expands Network Monitoring, WASH. POST, Jan. 26, 2008, at A3.
(211) Siobhan Gorman, Bush Looks to Beef Up Protection Against Cyberattacks, WALL ST. J., Jan. 28, 2008, at A8.
(213) Nakashima, supra note 205.
(217) Gorman, supra note 211.
(220) John J. Kruzel, Cyber Warfare a Major Challenge, Deputy Secretary Says, AMERICAN FORCES PRESS SERVICE, Mar. 3, 2008, available at www.af.mil/news/story.asp?storyID-123088782.
(225) The White House, Homeland Security and Counterterrorism, http://www.whitehouse.gov/issues/homeland_security (last visited Sept. 1, 2009).
(227) Press Release, Office of the White House Press Secretary, Statement by the Press Secretary on Conclusion of the Cyberspace Review (Apr. 17, 2009), available at http://www.whitehouse.gov/the_press_office/Statement-by-the-Press-Secretary-onConclusion-of-the-Cyberspace-Review/.
(230) Andrew Noyes, Cybersecurity Draft Significantly Altered, NEXTGOV, Aug. 25, 2009, http://www.nextgov.com/nextgov/ng_20090825_4908.php?oref=search (last visited Sept. 21, 2009).
(241) Cyberspace Memo, supra note 1.
(242) Competition in Contracting Act of 1984, Pub. L. No. 98-369, 98 Stat. 1175 (codified in scattered sections of 10 U.S.C. and 41 U.S.C.).
(243) 41 U.S.C. §§ 401-424 (2006).
(244) Bath Iron Works Corp., B-290470, B-290470.2, 2002 U.S. Comp. Gen. LEXIS 122 (Aug. 19, 2002).
(245) FAR, supra note 27, at 9.505(b)(2).
(246) Id. at 2.101, 9.505(a).
(247) Id. at 9.505(b).
(248) Id. at 2.101.
(251) Daniel I. Gordon, Organizational Conflicts of Interest: A Growing Integrity Challenge, 35 PUB. CONT. L.J. 25, 26 (2005).
(252) Id. at 26.
(253) Id. at 27.
(259) Id. at 29.
(262) Id. at 30.
(264) FAR, supra note 27, at 2.101.
(265) Gordon, supra note 251, at 32.
(272) Masai Technologies Corp. v. United States, 77 Fed. Cl. 433, 448 (2007) (citing ARINC Eng'g Servs., L.L.C. v. United States, 77 Fed. Cl. 196, 202 (2007)).
(273) Gordon, supra note 251, at 32.
(274) Id. (citing 31 U.S.C. §§ 3551-56, and 28 U.S.C. § 1941(b)(4)).
(275) FAR, supra note 27, at 33.103(e).
(276) Gordon, supra note 251, at 34.
(278) Id. at 35.
(279) Id. at 36.
(280) Id. at 36-37.
(281) FAR, supra note 27, at 9.504(a)(1).
(282) Id. at 9.504(a)(2).
(283) Id. at 9.503.
(284) Gordon, supra note 251, at 38.
(287) Id. at 39.
(288) Id. at 40.
(289) FAR, supra note 27, at 9.503.
(290) TED G. LEWIS, CRITICAL INFRASTRUCTURE PROTECTION IN HOMELAND SECURITY: DEFENDING A NETWORKED NATION 50 (2006).
(291) NIPP, supra note 66, at 3.
(292) LEWIS, supra note 290, at 50.
(293) NIPP, supra note 66, at 3.
(294) Pub. L. No. 109-58, 119 Stat. 594 (2005).
(295) 16 U.S.C. § 824o (2006).
(296) Id. § 824o(a)(2), (c) (2006).
Lieutenant Colonel Todd A. Brown (B.S., Birmingham-Southern College (1989); J.D., University of Alabama (1997), M.S., Air War College (2008)) serves as the Staff Judge Advocate, 187th Fighter Wing, Montgomery, Alabama. He is a member of the Alabama Bar.