Infrastructure Protection Programmes in Other

Summary of other National Programmes

The elements of the critical infrastructure identified in this report are consistent with those identified in other national programmes researched. By their very nature cyber threats transcend national borders. Infrastructure elements operate beyond national borders, and so infrastructure protection must be considered on an international scale. It is important that New Zealand be aware of, and as far as reasonable participate in, the critical infrastructure protection initiatives of other Western nations.

United States of America

In July 1996 the President established the President's Commission on Critical Infrastructure Protection (PCCIP) [ Executive Order 13010, 15 July 1996, Critical Infrastructure Protection] to review and recommend a national policy for protecting critical infrastructures. The PCCIP Report [ Critical Foundations, Protecting America's Infrastructures, October 1997] eventually led to the promulgation in January 2000 of the "National Plan for Information Systems Protection".

There is considerable infrastructure protection activity underway in the United States, both at the federal and state levels. There is significant effort undertaken at federal level to complete vulnerability assessments of critical infrastructure elements with these assessments including 'red teaming' or penetration testing. At state level Hawaii is particularly active and recently hosted a three day seminar on the protection of the electric power infrastructure.

Arguably the most effective protective measure implemented by the US has been the establishment of the National Infrastructure Protection Center (NIPC). The NIPC, which is hosted by the FBI, has widely representative staffing from other national agencies. It serves as a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity. It provides timely warnings of international threats, comprehensive analysis and law enforcement investigation and response. The main mission of the NIPC is to detect, deter, assess, warn, respond, and investigate unlawful acts involving computer and information technologies and unlawful acts, both physical and cyber, that threaten or target US critical infrastructures.

United Kingdom

Extensive activity on Information Age Government (IAG) is ongoing in the United Kingdom. Protection of the UK Critical Information Infrastructure (CII) is within the portfolio of the Home Secretary. An advisory committee, the IAG Champions, has drafted a policy for the protection of critical infrastructure and this is currently with the Home Secretary for consideration. BS7799 (equivalent to AS/NZS 4444) [ Information Security Management in two Parts: Part 1 is the code of practice for information security management, Part 2 is the specification for information security management systems.] is being advocated as the standard for CII owners, and it is understood that the Cabinet Secretary has invited all departments to advise by 31 December 2000 their plans for adopting/satisfying this standard.

Robustness of service is a focal requirement of IAG, and the challenge is to accurately and quickly identify threats. Public attitudes to system failure will be unforgiving as was demonstrated by the recent passport problems where the inability of the systems to cope with requirements resulted in significant inconvenience (and cost) to many individuals. The 'Love Bug' demonstrated the fallibility of non-robust systems, and UK virus companies have now been tapped to provide immediate advice when they detect any security incidents.

The UK equivalent of New Zealand's Secure Electronic Environment (SEE) network extends throughout government, with most intra-government business now conducted over the network. Any potential for non-availability of this network is a real issue for government - it will become more so as IAG becomes a reality. There may be lessons here for the SEE project.

A close relationship has been developed with the private sector - both business and academic. For example, the Information Assurance Advisory Council established at Kings College London has a diverse membership and is an effective forum. Engagement of infrastructure owners is central to the CII programme with the approach being one of persuasion rather than regulation. The UK government views the establishment of Computer Emergency Response Teams (CERTs) as central to CII and would encourage the development of a CERT for each community of interest within the CII.

Australia

The Commonwealth government has recognised the need for infrastructure protection for several years. An inter-departmental committee was formed and led by the Attorney-General's Department. In December 1998 this produced a report recommending an ongoing effort to protect the National Information Infrastructure.

The committee recommended, among other things, that: a formal structure be established to coordinate infrastructure protection; AusCERT (Australian computer emergency response team) be funded; and that accreditation for IT security training be set up. In the 2000/01 commonwealth budget round information infrastructure received $2m. This figure was intended for coordination and central funds; actual protection activities are to be undertaken by the agencies and companies owning the infrastructure.

The interdepartmental committee has continued and has been raising awareness among infrastructure owners, partly through a consultative industry forum involving the private sector. Recently the Attorney-General's department has recommended to the commonwealth government that general IT security promotion (i.e. non-critical infrastructure protection) be passed to the National Office for the Information Economy, an agency concerned with e-commerce and e-government.

Canada

A Critical Infrastructure Protection Task Force (CIPTF) was established in 1 April 2000 within the Department of National Defence, but reporting operationally to the Privy Council Office. Its mandate is to review critical infrastructures in Canada and develop a framework for future action in terms of protecting them. The CIPTF expects to present its report to Cabinet in early-2001.

A five-part strategy is being proposed based around strong interaction both with the private sector and with other international critical infrastructure programmes. It is likely that a new organisation for CIP will be established to lead and coordinate the national response. As an interim measure a pilot Government of Canada Information Protection Coordination Centre (GIPCC) has been set up to provide better coordination and management of cyber incidents affecting government departments and agencies. Pending establishment of the new organisation, the GIPCC has been temporarily located with the RCMP.