President's National Security Telecommunications

The President’s National Security Telecommunications Advisory Committee (NSTAC)

Issue Review

A Review of NSTAC Issues Addressed Through NSTAC XXVII

August 2004

XXVII_FrontMatter.indd 1 10/8/04, 4:31 PM XXVII_FrontMatter.indd 2 10/8/04, 4:31 PM Table of Contents 10/8/04, 4:31 PM 3 XXVII_FrontMatter.indd XXVII_FrontMatter.indd 4 10/8/04, 4:31 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Table of Contents

Executive Summary...... iii Introduction ...... vii Active Issues...... 1 Financial Services ...... 1 Satellite Security...... 5 Legislation and Regulation, 2000–2004 ...... 9 Research and Development...... 16 Network Security ...... 21 Previously Addressed Issues ...... 27 Wireless Services (including Priority Services) ...... 27 Wireless Security ...... 33 Physical Security of Telecommunications Resources...... 37 Information Sharing/Critical Infrastructure Protection...... 40 Last Mile Bandwidth Availability ...... 45 Network Convergence ...... 49 Response to September 11, 2001, Terrorist Attacks ...... 57 Information Assurance...... 60 Legislation and Regulation, 1994–1999 ...... 66 Industry/Government Information Sharing and Response...... 70 Globalization...... 75 National Information Infrastructure ...... 78 Common Channel Signaling ...... 81 Obtaining Critical Telecommunications Facility Protection During a Civil Disturbance...... 83 Energy...... 85 Enhanced Call Completion...... 90 Underground Storage Tanks...... 94 International National Security and Emergency Preparedness Telecommunications ...... 96 Telecommunications Systems Survivability...... 98 Telecommunications Service Priority ...... 100

XXVII_FrontMatter.indd 1 10/8/04, 4:31 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Table of Contents (concluded)

Telecommunications Service Priority Carrier Liability ...... 102 Physical Security of the Public Switched Network ...... 103 Intelligent Networks...... 104 National Research Council Report ...... 106 Commercial Satellite Survivability...... 108 Industry Information Security...... 111 National Telecommunications Management Structure...... 112 Telecommunications Industry Mobilization ...... 113 Commercial Network Survivability ...... 116 Funding of NSTAC Initiatives...... 118 Electromagnetic Pulse...... 119 International Diplomatic Telecommunications ...... 121 Automated Information Processing ...... 122 National Coordinating Mechanism...... 124 Appendices A. NSTAC Implementing and Governing Documentation...... A-1 Executive Order 12382, President’s National Security Telecommunications Advisory Committee...... A-1 Charter of the NSTAC ...... A-3 NSTAC Bylaws...... A-6 1983 Correspondence from the U.S. Department of Justice, Antitrust Division ...... A-10 B. NSTAC Membership...... B-1 C. NSTAC XXVII Executive Report to the President ...... C-1 D. Acronyms ...... D-1

XXVII_FrontMatter.indd 2 10/8/04, 4:31 PM Executive Summary 10/8/04, 4:31 PM 1 XXVII_FrontMatter.indd XXVII_FrontMatter.indd 2 10/8/04, 4:31 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Executive Summary

President Ronald Reagan issued Executive During the past 22 years, the NSTAC has Order (E.O.) 12382 on September 13, 1982, worked cooperatively with the National which established the President’s National Communications System (NCS), an inter- Security Telecommunications Advisory agency consortium of Federal departments Committee (NSTAC) to provide the President and agencies that serves as the focal point with a unique source of national security for NS/EP communications planning. and emergency preparedness (NS/EP) com- The NCS coordinates the planning of munications policy expertise. Impetus for NS/EP communications to support any the NSTAC’s establishment included the crisis or disaster. By virtue of its mandate divestiture of AT&T, increased Government to address NS/EP communications issues, reliance on commercial communications, the NSTAC’s partnership with the NCS is and the potential impact of new tech- unique in two ways: it facilitates industry nologies on communications supporting involvement with both the defense and NS/EP requirements. Appendix A includes civil agencies comprising the NCS; E.O. 12382, as well as additional NSTAC and it regularly sustains interaction implementing and governing documentation. between industry and the NCS member departments and agencies through the Since its inception, the NSTAC has advised National Coordinating Center for four Presidents on issues pertaining to Telecommunications (NCC), the the reliability and security of communi- Telecommunications Information Sharing cations and its impact on protecting the and Analysis Center (Telecom-ISAC), Nation’s critical infrastructures—issues and the Network Security Information that are vital to America’s security and Exchanges (NSIE) process. The NSTAC’s economic interests. Today, members of the perspective and its experiences with a wide communications and information technology range of Federal departments and agencies industries recognize the NSTAC as a model make the NSTAC a key strategic resource for industry/Government collaboration. for the President and his national security Its record of accomplishments includes sub- and homeland security teams in their stantive recommendations to the President, efforts to protect our Nation’s critical leading to enhancements of the Nation’s infrastructures in today’s dynamic and NS/EP communications, critical infra- evolving environment. structure policies, and related information systems security posture. Enhancements in The NCS was officially transferred the form of operational programs and policy from the Department of Defense to the solutions benefit both industry and the Department of Homeland Security (DHS) Government as the security requirements for on March 1, 2003. the communications infrastructure evolve.

iii

XXVII_FrontMatter.indd 3 10/8/04, 4:31 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Executive Summary (continued)

The NCS’ capabilities are being leveraged in  The Financial Services Task Force DHS’ Information Analysis and Infrastruc- examined vulnerabilities related ture Protection Directorate to enhance the to the financial services sector’s cross-Government and private/public efforts dependence on the telecommunica- to protect critical infrastructures, while tions infrastructure, analyzed issues ensuring national level NS/EP functions are regarding network resiliency that fully satisfied. Since June 6, 2002—when could impact the financial services President George W. Bush proposed creating sector, and provided advice to the DHS—the NCS and the NSTAC have worked President on methods to help ensure with the Bush Administration to ensure a resilient services. smooth transition of NCS capabilities and partnerships to DHS.  The Satellite Task Force examined the use of commercial satellites in The NSTAC is composed of up to 30 NS/EP missions, vulnerabilities, and Presidentially-appointed senior executives mitigation techniques. In addition, representing the communications, informa- the group proposed recommendations tion services, electronics, aerospace, and to the President for enhancing the banking industries. Collectively, this group security of the commercial satellite is known as the NSTAC Principals. infrastructure and the robustness of Appendix B provides a listing of current NS/EP communications. NSTAC members.  The Legislative and Regulatory The primary NSTAC working body is the Task Force examined national Industry Executive Subcommittee (IES), policies and regulatory issues that which consists of representatives appointed conflict with NS/EP missions. by each NSTAC Principal. The IES holds In addition, the group developed regular meetings to consider issues, recommendations to the President analyses, and/or recommendations for on barriers to information sharing presentation to the NSTAC Principals under the Critical Infrastructure (and in turn to the President), and forms Information Act of 2002. task forces and working groups to address specific issues requiring in-depth analyses.  The Research and Develop- During the NSTAC XXVII cycle, from May ment (R&D) Task Force developed 2003 to May 2004, the IES formed the a proceedings document following following task forces and working groups: the NSTAC’s fifth Research and Development Exchange (RDX) Workshop, held in March 2003, that identified major findings regarding the trustworthiness of NS/EP telecommunications and information systems.

XXVII_FrontMatter.indd 4 10/8/04, 4:31 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Executive Summary (concluded)

The NSTAC’s RDX Workshops TSP is the regulatory, administrative, and stimulate and facilitate a dialogue operational framework that authorizes among industry, the Government, priority provisioning and restoration of com- and academia on emerging munications services for Federal, State, and security technology R&D issues, local government users, as well as select and often result in programmatic non-governmental users. An NSTAC recom- enhancements to our Nation’s mendation also resulted in the establishment NS/EP capabilities. In addition, of separate NSTAC and Government NSIEs. the group produced papers on both The NSIEs meet regularly to address the an NS/EP definition and the threat of electronic intrusions and software possible development of a pilot vulnerabilities, as well as mitigation testbed for NS/EP research and strategies to protect the Nation’s critical development purposes. communications and information systems.

 The Operations, Administration, Appendix C contains the NSTAC XXVII Maintenance, and Provision- Executive Report to the President, which ing (OAM&P) Working Group includes summaries of the May 2004 NSTAC examined the standard on OAM&P Business and Executive Sessions, as well as baseline security requirements for task force recommendations made to the the management plane and provided President during the NSTAC XXVII Cycle recommendations to the President on (May 2003–May 2004). the adoption and use of the OAM&P Telecommunications Standard by Copies of NSTAC reports pertaining to the Federal Government and other the issues addressed in this document are critical infrastructures. available through:

Many NSTAC recommendations result in Office of the Manager operational activities that enhance NS/EP National Communications System communications and information systems. Customer Service Division For example, the NCC, an industry and Gov- P.O. Box 4502 ernment coordination center for day-to-day Arlington, Virginia 22204-4502 operational support to NS/EP communica- (703) 607-6211 tions, began as an NSTAC recommendation. www.ncs.gov/nstac/nstac.html The NCC’s mission evolved to include the [email protected] Telecom-ISAC in 2000. The Telecommuni- cations Service Priority (TSP) System, once an NSTAC issue, is also now an operational system.

XXVII_FrontMatter.indd 5 10/8/04, 4:31 PM XXVII_FrontMatter.indd 6 10/8/04, 4:31 PM Introduction 10/8/04, 4:31 PM 1 XXVII_FrontMatter.indd XXVII_FrontMatter.indd 2 10/8/04, 4:31 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Introduction

Purpose The Committee’s findings have provided the President and administration members This edition of the NSTAC Issue Review with industry-based expertise and advice on provides a comprehensive report of issues communications and information systems addressed by the President’s National plans and policies. The NSTAC Issue Review Security Telecommunications Advisory records the contributions that industry and Committee (NSTAC) from its first meeting Government representatives have made in December 1982 to its most recent meeting to ensure the security and the emergency on May 19, 2004. For each active and response capabilities of the Nation’s com- previous issue addressed by the NSTAC, munications and information infrastructure. the following information is provided A review of the issues previously addressed when applicable: names of the investigat- by the NSTAC provides background infor- ing groups, length of time required for the mation on several Government programs investigation, issue background, a synopsis and initiatives that have resulted from of NSTAC actions and recommendations, NSTAC recommendations. actions resulting from NSTAC recommendations, reports issued, and members of the current/active investigating groups. Active Issues

During the NSTAC XXVII cycle from May 2003 to May 2004, NSTAC task forces addressed issues in the following areas:

 Financial Services

 Satellite Security

 Legislation and Regulation

 Research and Development

 Network Security Previously Addressed Issues

Since its first meeting on December 14, 1982, the NSTAC has addressed a wide range of national security and emergency preparedness communications issues.

vii

XXVII_FrontMatter.indd 7 10/8/04, 4:31 PM XXVII_FrontMatter.indd 8 10/8/04, 4:31 PM Active Issues 10/8/04, 4:31 PM 1 XXVII_ActiveIssues.indd XXVII_ActiveIssues.indd 2 10/8/04, 4:31 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Active Issues

Financial Services The NSTAC, therefore, established the Financial Services Task Force (FSTF) Investigation Group to conduct the analysis during NSTAC Cycle XXVII. Financial Services Task Force (FSTF) History of NSTAC Actions Period of Activity and Recommendations

March 2003–April 2004 The FSTF emphasized that the concept of resiliency and its components of diversity, Issue Background redundancy, and recoverability are critical to In November 2002, the Federal Reserve understanding some of the national security Board (FRB) and BITS—a nonprofit and emergency preparedness (NS/EP) issues industry consortium of the 100 largest currently challenging the FS and telecom- financial institutions in the United States munications industries. The task force that focuses on issues related to security, acknowledged that it is imperative for the FS crisis management, e-commerce, payments, sector to maintain diversity as a component and emerging technologies—briefed the of resiliency. The primary challenges identi- Industry Executive Subcommittee (IES) of fied by the FSTF with respect to diversity the President’s National Security Telecom- were the failure of critical services resulting munications Advisory Committee (NSTAC) from loss of diversity; the ability to ensure on the significant dependence of the that diversity is predictable and continually financial services (FS) sector on the tele- maintained; and the potential for lack of communications infrastructure to support clear understanding of terms and conditions core payment, clearance, and settlement in telecommunications contracts or tariffs processes of financial institutions. (and the potential for resulting confusion Given that dependence, disruption of tele- when financial services institutions establish communications services could hamper business continuity plans). critical financial services processes, poten- The FSTF recognized that without a real- tially affecting the national economy. time process to guarantee that a circuit’s To minimize operational risks and ensure path or route is static and stable, an NS/EP the timely delivery of critical financial customer cannot be assured at all times that services, the FRB recommended that the the diversity component of the resiliency NSTAC analyze telecommunications infra- plan will retain its designed characteristics. structure issues pertaining to network However, the telecommunications infra- redundancy and diversity. structure was designed and engineered based on a business model directed at the general public.

XXVII_ActiveIssues.indd 1 10/8/04, 4:31 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

When necessary, networks have been Both sectors pledged to continue in their modified or developed to meet specific efforts to engage members of their com- needs at the customer level except where munities, as well as the public sector, in limited by the available technology or a constructive dialogue to foster mutual a customer’s willingness to purchase understanding of their operations and unique requirements. unique needs.

The FSTF emphasized that all interested Furthermore, the framework that the FSTF parties should support research and devel- developed to analyze the dependencies of opment activities for improving managed the FS sector on the telecommunications network solutions and alternative tech- industry could be adapted to conduct risk nologies as a potential means for achieving assessments of other critical infrastructures. high resiliency for the FS customer base. Targeted capital incentives should also be On the basis of the FSTF report, the NSTAC considered as a tool to encourage critical recommended that the President: infrastructure owners, including the FS  Support the Alliance for Telecommu- sector, to make the necessary investments nications Industry Solutions’ National to mitigate telecommunications resiliency Diversity Assurance Initiative and risks to their business operations. develop a process to: Appropriately structured capital recovery incentives for critical business operations – Examine diversity assurance could be used to accelerate immediate capabilities, requirements, and investments to mitigate vulnerabilities to best practices for critical NS/EP critical NS/EP operations. customers and, where needed

The FSTF also noted that when different – Promote research and devel- business continuity strategies cannot fully opment to increase resiliency, guarantee operational sustainability, spe- circuit diversity, and alternative cifically engineered and managed efforts transport mechanisms. might be required. The degree of assurance that a business operation deems adequate to  Support financial services sector achieve a high level of resiliency will dictate initiatives examining: the decisions and the appropriate approach – The development of a feasible to be pursued. To that end, the task force “circuit-by-circuit” solution to concluded that cross-sector assessments ensure telecommunications or customer-provider assessments would services resiliency remain useful tools to facilitate better understanding of the need for resiliency. – The benefits and complexities Indeed, FSTF members acknowledged of aggregating sector-wide the importance of promoting mutual NS/EP telecommunications understanding among the FS and telecom- requirements into a common munications sectors to effectively address framework to protect national NS/EP-related issues. economic security.

XXVII_ActiveIssues.indd 2 10/8/04, 4:31 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

 Coordinate and support relevant Financial Services cross-sector activities (e.g., standards Task Force Membership development, research and development, pilot initiatives, and exercises) Chair in accordance with guidance Mr. William Sweeney, provided in Homeland Security Electronic Data Systems Corporation Presidential Directive 7. Co-Vice Chair  Provide statutory protection to Mr. Roger Callahan, Bank of America, Inc. remove liability and antitrust Co-Vice Chair barriers to collaborative efforts Ms. Cristin Flynn, BellSouth Corporation when needed in the interest of national security. AT&T Mr. Harry Underhill  Continue to promote the Telecommunications Service The Boeing Company Priority program as a component Mr. Robert Steele of the business resumption plans of financial services institutions. Computer Sciences Corporation Mr. Guy Copeland  Promote research and development efforts to increase the resiliency Lucent Technologies and the reliability of alternative Mr. Karl Rauscher transport technologies. MCI, Inc.  Examine and develop capital Ms. Joan Grewe investment recovery incentives for critical infrastructure owners, Microsoft Corporation operators, and users that invest Mr. Joel Greenberg in resiliency mechanisms to Nortel Networks Limited support their most critical NS/EP Dr. Jack Edwards telecommunications functions. Northrop Grumman Corporation Report Issued Mr. William Gravell

 Financial Services Task Force Report, Qwest Communications April 2004. Mr. Thomas Snee

Raytheon Company Ms. Heather Kowalski

Science Applications International Corporation Mr. Hank Kluepfel

XXVII_ActiveIssues.indd 3 10/8/04, 4:31 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

SBC Communications, Inc. SBC Communications, inc. Ms. Rosemary Leffler Ms. Suzy Henderson

Sprint Corporation Securities Industries Mr. John Stogoski Automation Corporation Mr. Andrew Bach United States Telecom Association Mr. David Kanupke Sprint Corporation Mr. Todd Colvin VeriSign, Inc. Mr. Michael Aisenberg Sprint Corporation Ms. Laura Harper Verizon Communications Ms. Ernie Gormsen Verizon Communications Mr. Lowell Thomas Other Financial Services Task Force Industry Participants Financial Services Task Force Government Participants BellSouth Corporation Mr. David Barron U.S. Department of Homeland Security Mr. Darrell Mak BellSouth Corporation Mr. Shawn Cochran U.S. General Services Administration Mr. Tom Sellers BellSouth Corporation Mr. Doug Langley Federal Communications Commission Mr. Ken Moran BITS Mr. John Carlson Federal Reserve Board Mr. Ken Buckley BITS Ms. Heather Wyson Federal Reserve Board Mr. Chuck Madine Electronic Data Systems Corporation Ms. Liesyl Franz

The George Mason University Dr. Kevin McCrohan

The George Washington University Dr. Jack Oslund

Qwest Communications Mr. Jon Lofstedt

Raytheon Company Mr. James Craft

XXVII_ActiveIssues.indd 4 10/8/04, 4:31 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Satellite Security History of NSTAC Actions and Recommendations Investigation Group The STF study complements past NSTAC Satellite Task Force (STF) work in the area of commercial satellite survivability (CSS), such as the studies Period of Activity the NSTAC conducted in the 1980s on satellite vulnerabilities. (See the Commer- September 2003–March 2004 cial Satellite Survivability section in the Issue Background Previously Addressed Issues of this NSTAC Issue Review.) The NSTAC IES CSS Task The terrorist attacks on September 11, 2001, Force assisted the National Communica- caused unprecedented disruption to tions System (NCS) by reviewing proposed communications and marked a dramatic objectives and implementation initiatives of surge in the use of national security and the commercial SATCOM interconnectivity emergency preparedness (NS/EP) services. architecture. The STF was established to: The attacks also raised security concerns about the protection of the Nation’s vital  Review applicable documentation that telecommunications systems against threats. addresses the vulnerabilities of the Currently, a Federal program does not commercial satellite infrastructure exist to ensure NS/EP communications via  Define potential policy changes commercial satellite systems and services. that have to be made to bring the Previous security issues regarding NS/EP infrastructure into conformance satellite programs focused on providing an with a standard for mitigating alternative means of communications under the vulnerabilities nuclear attacks.  Consider Global Positioning In January 2003, the Director, National System timing capabilities during Security Space Architect, requested that the deliberations the President’s National Security Telecom- munications Advisory Committee (NSTAC)  Coordinate this response with consider embarking on a study of infrastruc- representatives from the National ture protection measures for commercial Communications System satellite communications (SATCOM) systems. In response, the NSTAC’s Industry Executive  Draft a task force report with findings Subcommittee (IES) formed the Satellite and Presidential recommendations. Task Force (STF) to analyze and assess commercial SATCOM systems’ vulnerabili- The STF engaged broad and active participa- ties and make policy recommendations to tion from representatives of NSTAC member the President on how the Federal Govern- companies, non-NSTAC commercial satellite ment should work with industry to mitigate owners and operators, commercial satellite vulnerabilities to the satellite infrastructure. trade associations, Government agencies, and technical experts.

XXVII_ActiveIssues.indd 5 10/8/04, 4:31 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

The task force examined all types of On the basis of its analysis and review of commercial SATCOM systems, which include related policy issues, the NSTAC offered the fixed satellite service, broadcast satellite following recommendations to the President: service, mobile satellite service, and satellite digital audio radio service. To understand  Direct the Assistant to the President the vulnerabilities of SATCOM systems, for National Security Affairs, the STF compared the severity of potential Assistant to the President for threats against the degree of susceptibility Homeland Security, and Director, of key elements in these services, including Office of Science and Technology the radio frequency links, ground segment, Policy, to develop a national policy cyber segment, and space segment. with respect to the provisioning and management of commercial The STF conducted two surveys to gain an SATCOM services integral to NS/EP understanding of how Federal agencies use communications, recognizing the commercial SATCOM systems and services vital and unique capabilities com- for NS/EP, as well as to document vulner- mercial satellites provide for global abilities of infrastructure. The STF surveyed military operations, diplomatic 14 Federal departments and agencies on missions, and homeland security their use of commercial satellites and contingency support; services, backup communications plans, and anticipated communications requirements.  Fund the Department of Homeland The Satellite Industry Association surveyed Security to implement a commer- its member satellite operators to provide cial SATCOM NS/EP improvement voluntary self-assessments of the industry’s program within the NCS to vulnerabilities and mitigation techniques procure and manage the non- currently used. Department of Defense satellite facilities and services necessary The Government survey revealed that to increase the robustness of agencies do not fully optimize or protect Government communications; the satellite infrastructure. Civil agencies have a shortage of in-house technical  Appoint several members to expertise that can integrate satellite commu- represent service providers and nications into their network architectures, associations from all sectors of the and agency procurement processes do not commercial satellite industry to the allow them to compete effectively for com- NSTAC to increase satellite industry mercial SATCOM capacity. The industry involvement in NS/EP. survey revealed that the satellite industry The STF concluded its activities upon NSTAC has already taken steps to ensure that the approval of its report. security of the infrastructure adequately protects its commercial business interests. Report Issued

The STF concluded its analysis of satellite Satellite Task Force Report, March 2004. security in January 2004 and presented its findings in the STF Report.

XXVII_ActiveIssues.indd 6 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Satellite Task Force Membership The George Washington University Dr. Jack Oslund Co-Chair Mr. Bob Britton, Hughes Network Systems, Inc. Lockheed Martin Corporation Mr. Amir Dehdasty

Co-Chair Inmarsat Limited Mr. William Reiner, The Boeing Company Mr. Jack Deasy

Vice Chair Inmarsat Limited Mr. Peter Hadinger, Mr. Robert Demers Northrop Grumman Corporation Intelsat BellSouth Corporation Mr. Joe Jankowski Mr. Shawn Cochran Intelsat MCI, Inc. Mr. Michael Kelley Ms. Joan Grewe Lockheed Martin Corporation Motorola, Inc. Mr. Steve Adelmann Mr. Ben LaPointe Lockheed Martin Corporation Qwest Communications Dr. Al Dayton Mr. Jon Lofstedt Loral Space & Communications Ltd. Raytheon Company Mr. Bob Berry Mr. Alan Goldey Loral Space & Communications Ltd. Rockwell Collins, Inc. Mr. D. D’Ambrosio Mr. Ken Kato Loral Space & Communications Ltd. Science Applications Mr. John Stern International Corporation The MITRE Corporation Mr. Hank Kluepfel Dr. Edward Jacques SBC Communications, Inc. Mobile Satellite Ventures Ms. Rosemary Leffler Mr. Carson Agnew Other Satellite Task Force Industry Mobile Satellite Ventures and Nongovernmental Participants Mr. Brian Deobald The Aerospace Corporation PanAmSat G2 Satellite Solutions Mr. Richard Buenneke Mr. Don Brown The Boeing Company Satellite Industry Association Mr. Robert Steele Mr. David Cavossa

XXVII_ActiveIssues.indd 7 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Satellite Industry Association Office of Science and Technology Policy Mr. Richard Dalbello Mr. Mark LeBlanc

SES Americom U.S. Strategic Command Ms. Leslie Blaker Major Robert Licciardi

Spacenet Inc. U.S. Strategic Command Mr. Pat Fagan Mr. Steven Shirley

Verestar, Inc. Satellite Task Force Briefers Ms. Kay Sears The Aerospace Corporation Satellite Task Force Mr. Michael Ware Government Participants The Electromagnetic Pulse Commission Defense Information Systems Agency Dr. Michael Frankel Mr. Richard Bourdon U.S. General Services Administration Defense Information Systems Agency Mr. David Jarrell Ms. Hillary Morgan Institute of Defense Analyses U.S. Department of Transportation Dr. Edward Conrad Ms. Hollace Twining National Intelligence Council Federal Communications Commission Mr. John Gass Ms. Linda Haller* National Security Agency U.S. General Services Administration Mr. Ronald Kidwell Ms. Sabrina Crane Office of the Undersecretary of the Air Force U.S. General Services Administration Lieutenant Colonel Timothy Deaver Mr. Thomas Sellers

National Communications System Mr. Dale Barr

National Communications System Mr. Tom Falvey

National Communications System Mr. Gabriel Martinez

National Security Space Architect Lieutenant Commander R. Bronson Armstrong

* Ms. Haller provided only technical expertise to the STF efforts.

XXVII_ActiveIssues.indd 8 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Legislation and Regulation, Furthermore, advances in network 2000–2004 technologies and the convergence of packet and circuit switched networks challenge Investigation Groups industry and the Government to maintain a secure, reliable network infrastructure in Legislative and Regulatory support of NS/EP activities; and the NSTAC Working Group (LRWG) seeks to ensure the regulatory environment supports this objective. Also, in conjunction Legislative and Regulatory with the establishment of the Department Task Force (LRTF) of Homeland Security (DHS) and the passage of the Critical Infrastructure Infor- Period of Activity mation Act of 2002 (CII Act), the NSTAC LRWG: September 23, 1999– examined homeland security policies February 14, 2001 relating to the protection of critical physical and cyber infrastructures that support LRTF: February 15, 2001–Present NS/EP communications.

Issue Background History of NSTAC Actions and Recommendations Within the evolving telecommunications marketplace and infrastructure, it is At NSTAC XXII, the Industry Executive important that legislative and regulatory Subcommittee (IES) reported its intent to policies progress to ensure continued fulfill- examine the following legislative and ment of national security and emergency regulatory issues: preparedness (NS/EP) requirements. Therefore, the President’s National Security  Options for eliminating barriers to Telecommunications Advisory Commit- information sharing for CIP tee (NSTAC) monitors the regulatory  Information sharing for critical environment and various legislative and infrastructure protection (IS/CIP) regulatory activities that could impact NS/EP legal and regulatory issues pending services, operations, and communications. before Congress For instance, barriers to information sharing among industry and the Government  The definition of foreign ownership within the critical infrastructure protec- within the telecommunications tion (CIP) arena are of primary concern. industry and how it affects Consequently, the NSTAC focused on NS/EP communications. analyzing Congressional activities aimed at removing information sharing barriers The IES also agreed to continue monitoring related to the Freedom of Information the regulatory environment surrounding Act (FOIA). network convergence for any impact on NS/EP communications.

XXVII_ActiveIssues.indd 9 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

During the NSTAC XXIII cycle, the Legislative The LRWG also examined foreign ownership and Regulatory Working Group (LRWG) regulations and their impact on NS/EP. addressed these issues and others at the The group examined domestic regulatory request of other NSTAC task forces. history and analyzed several mergers and acquisitions between domestic and foreign The LRWG examined impediments to telecommunications carriers. The group information exchange, especially critical found that the current regulatory structure infrastructure information sharing. satisfied the different interests of the The group undertook an in-depth analysis industry and Government parties involved. of FOIA, examining FOIA’s potential to The LRWG concluded that it was unclear hinder industry information sharing with whether further statutory or regulatory the Government. In accordance with FOIA, changes would effectively enhance the the public can request and gain access role of national security issues in foreign to records maintained by Government ownership situations at that time. The LRWG departments and agencies. Such potential documented its findings in a working group disclosure of data deters industry from paper and shared its analysis with the sharing information with the Government. NSTAC’s Globalization Task Force, which Although there are a number of exemptions addressed the issue in its May 2000 report to to FOIA’s requirements for disclosure of NSTAC XXIII. information, none of the exemptions clearly covers information pertaining to At its February 15, 2001, meeting, the IES critical infrastructure protection. The LRWG approved the transition of the LRWG to a met several times with Department of standing body, the Legislative and Regula- Justice (DOJ) officials to exchange views tory Task Force (LRTF). The LRTF agreed to on perceived problems and potential address the following tasks: legal solutions. As a result of their deliberations, the LRWG agreed with DOJ  Examine whether existing legal and representatives on the need for a nondisclo- regulatory authority is adequate to sure provision to protect “security-related” ensure NS/EP requirements will be information voluntarily shared with met in the converged and next gen- the Government. The LRWG shared its eration network (NGN) environment analysis with the NSTAC’s Information  Identify and address other legal and Sharing/Critical Infrastructure Protection regulatory issues related to conver- Task Force, which addressed the issue in its gence, as appropriate May 2000 report to NSTAC XXIII.  Analyze IS/CIP legal and regulatory In addition to analyzing FOIA, the LRWG issues pending before Congress worked with the DOJ to examine antitrust and the Administration and those, and liability issues as impediments to if any, to be recommended for information sharing between industry and NS/EP implications the Government.

XXVII_ActiveIssues.indd 10 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

 Consider the legal issues discussed at The LRTF also examined whether the NSTAC Research and Development current legal and regulatory environment Exchanges, including linked or third is adequate to ensure NS/EP services in party liability and new privacy legis- the converged and NGN environment and lation and regulations produced a report offering an analysis of the issue. The LRTF coordinated with  Address legal and regulatory issues participants in the Government’s Conver- affecting the other IES task forces at gence Task Force, who discussed the status their request. of the Government’s work in the area of network convergence and the assurance of During the NSTAC XXIV and XXV cycles, NS/EP communications services. The LRTF addressing barriers to information sharing concluded in its documentation that until such as FOIA, liability, and anti-trust con- the standards for packet-based services tinued to be an important topic. The LRTF are established and the Government’s monitored pending FOIA legislation from requirements in the evolving environment the 106th and 107th Congresses and heard are certain, new legislation or regulation from Congressional staff on the status and is premature. The task force also stated outlook of this legislation. The NSTAC that the legal issues underlying the also participated in correspondence with provisioning of NS/EP priority services the President concerning information to the Federal Government in an NGN sharing legislation. On August 7, 2000, the environment are extremely complex and NSTAC sent a letter to President Bill Clinton might require further study. The LRTF asking him to support legislation that shared its analysis with the NSTAC Network would protect critical infrastructure Security/Vulnerability Assessment Task protection information voluntarily shared Force (NS/VATF), which incorporated its with the Government from disclosure analysis into the NS/VATF’s March 2002 under FOIA and limit liability. After the report to NSTAC XXV. NSTAC XXIV Meeting in June 2001, the NSTAC acknowledged the continued During the NSTAC XXVI cycle, the LRTF importance of the topic and resubmitted examined existing legal penalties for the letter to President George W. Bush committing Internet attacks to determine asking him to support such legislation. whether those penalties should be On September 26, 2001, President Bush strengthened or whether additional replied by noting that he supported a penalties were needed. The LRTF drafted narrowly drafted exception to FOIA to a report, Penalties for Internet Attacks protect information about corporations’ and Cyber Crime, in which the NSTAC and other organizations’ vulnerabilities to concluded sufficient legal authority exists information warfare and malicious hacking. to penalize and deter those who commit In a December 17, 2001, letter to the cyber crimes. The LRTF also made President, the NSTAC Chair encouraged the additional recommendations for pursuing President to continue to support information a well-rounded and proactive approach sharing legislation. to combating cyber crime. The LRTF recommended the President:

XXVII_ActiveIssues.indd 11 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

 Increase prosecution of cyber crime The letter also states that the FCC and the at the State level and allot additional National Telecommunications and Infor- funds to the States to better train mation Administration should accelerate personnel to combat cyber crime ongoing efforts to improve interoperability among Federal, State, and local public  Encourage Congress to ratify the safety communications agencies. The letter Council of Europe’s Convention further encourages the Administration to on Cyber Crime and implement support full and adequate Federal funding legislation to reimburse communi- for wireless PAS. cations service providers for costs incurred in responding to data The LRTF continued to examine information preservation requests sharing in the NSTAC XXVI and NSTAC XXVII cycles. During these cycles, Congress  Encourage other nations to adopt passed the Critical Infrastructure Informa- policies and procedures to better tion Act of 2002 (CII Act), which provided mitigate and respond to cyber crimes additional FOIA and liability protections for companies that voluntarily share critical  Encourage companies to implement infrastructure information with DHS. cyber security best practices. After the CII Act was enacted, the LRTF In addition to addressing existing legal assessed whether additional informa- penalties for committing Internet attacks, tion sharing barriers remained and also the LRTF was tasked by the Wireless Task examined other legal and nonlegal barriers Force to assess the legal and regulatory for the purposes of homeland security. aspects of the Federal Communications During the NSTAC XXVII cycle, the LRTF Commission (FCC) Report & Order (R&O) drafted a report, Barriers to Information on Priority Access Service (PAS). The LRTF Sharing, in which it made a series of recom- reviewed the R&O and, after carefully mendations for improving the exchange of considering the merits of reopening the PAS CII between industry and the Government rule-making, it concluded that revisiting the and for protecting CII that is voluntarily rules would be a lengthy process and doing provided to the Government by critical infra- so could unintentionally slow the deploy- structure owners and operators. The LRTF ment of Wireless Priority Service (WPS). recommended the President direct the As a result of its conclusion, the NSTAC appropriate departments and agencies, in sent a letter to the President offering rec- coordination with industry, to: ommendations on how to facilitate the  Develop a process to resolve widespread deployment of wireless PAS. multi-jurisdictional (Federal, In the letter, the NSTAC commended the State, local) conflicts within the FCC for adopting a Second R&O for PAS, appropriate boundaries of federal- which indicates that carriers providing PAS ism and national, homeland, and shall have liability immunity from Section economic security. 202 of the Communications Act.

XXVII_ActiveIssues.indd 12 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

 Work with Congress to modify  Evaluate proposed policies and the CII Act so that DHS is the regulations to ensure that homeland clearinghouse and dispenser of security and NS/EP implications CII information. have been consolidated

 Encourage Congress to extend  Complete a review of existing protection of the CII Act to cover policies and regulations for potential departments and agencies other than cross-sector conflicts with homeland DHS; and, if other agencies should security and NS/EP priorities and be designated as such, the NSTAC work with DHS to promptly resolve recommends that they adopt the any identified conflicts same rules and procedures as DHS for handling CII.  Implement a framework to resolve multi-jurisdictional (Federal, State,  Work diligently with Congress and local) conflicts and, if necessary, to ensure the CII Act’s FOIA recommend an appropriate legisla- exemption and liability provisions tive resolution. remain intact. During the NSTAC XXVII cycle, the LRTF During the NSTAC XXVII cycle, the LRTF began to address concerns that terrorists or also reviewed the policy landscape for politically motivated adversaries could easily national policies and regulations that could access sensitive information, such as the potentially conflict with homeland security location of critical telecommunications facili- and NS/EP missions. More specifically, the ties, on the Internet and use this information LRTF examined telecommunications policy to plan an attack on the Nation’s telecommu- conflicts related to fuel storage, water sector nications infrastructure. During the NSTAC infrastructure, critical facilities markings, XXVIII cycle, the LRTF will continue to jurisdictional conflicts, and common evaluate the national and homeland security underground facilities. The LRTF deter- implications of critical infrastructure data mined that policy conflicts existed, and that that is openly accessible on the Web sites of they were mainly the result of overlapping Federal departments and agencies. It also and contradictory policies and regulations will continue to review Federal departments’ at the Federal, State, and local levels. and agencies’ policies and practices for On October 16, 2003, the NSTAC sent a posting critical infrastructure information to letter to President George W. Bush recom- the Internet. mending that he ask the Homeland Security Council, the National Security Council, On an ongoing basis, the LRTF continues to and Federal departments and executive track and monitor the legislative and regu- agencies, including independent agencies, latory activities that could impact NS/EP to do the following: services, operations, and communications.

XXVII_ActiveIssues.indd 13 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Actions Resulting from  Letter to President George W. Bush on NSTAC Recommendations Protection of Critical Infrastructure Information, June 2001 In the Barriers to Information Sharing report, the NSTAC advised the President  Penalties for Internet Attacks and that DHS should be the clearinghouse Cyber Crime, April 2003 and dispenser of CII information and that  Barriers to Information Sharing, CII Act protections should cover depart- September 2003 ments and agencies other than DHS. In a related action, on February 18, 2004, DHS  Letter to President George W. Bush on launched the Protected Critical Infrastruc- National Policies and Regulations that ture Information (PCII) Program, pursuant Conflict with Homeland Security and to the CII Act. The PCII Program Office (PO) NS/EP Missions, October 16, 2003 is located within the DHS Information Analysis and Infrastructure Protection Legislative and Regulatory Directorate and serves as the clearinghouse Task Force Membership and dispenser of CII. The PCII Program will be implemented in three phases. Chair In phase three, the PCII PO will be able to Ms. Louise Tucker, disseminate CII to other Federal, State, and Telcordia Technologies, Inc.* local Governments. However, each receiving Vice Chair entity must first obtain accreditation from Mr. Gerald Harvey, the PCII PO and comply with PCII PO Lockheed Martin Corporation requirements and objectives. AT&T Also, in an October 28, 2003, letter to the Mr. Harry Underhill NSTAC, the Assistant to the President for Homeland Security wrote that the staff of BellSouth Corporation the Executive Office of the President had Mr. David Barron been asked to convene a meeting with the other White House stakeholders to review The Boeing Company the recommendations in the NSTAC’s policy Mr. Robert Steele conflict letter and “analyze their impact to NS/EP communications.” Computer Sciences Corporation Mr. Guy Copeland Reports Issued MCI, Inc.  Letter to President Bill Clinton on Mr. Dennis Guard Protection of Critical Infrastructure Microsoft Corporation Information, August 7, 2000 Mr. Bill Guidera

* Telcordia Technologies, Inc. is a wholly owned subsidiary of SAIC, which is a member of the NSTAC.

XXVII_ActiveIssues.indd 14 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Nortel Networks Limited Microsoft Corporation Mr. Ray Strassburger Mr. Scott Forbes

Northrop Grumman Corporation Qwest Communications Mr. Tim Nagle Mr. Tom Snee

Qwest Communications Science Applications Mr. Jon Lofstedt International Corporation Mr. Hank Kluepfel Rockwell Collins, Inc. Mr. Ken Kato Sprint Corporation Mr. John Stagowski SBC Communications, Inc. Ms. Rosemary Leffler United States Telecommunications Association Sprint Corporation Mr. David Kanupke Mr. Michael Fingerhut Verizon Communications VeriSign, Inc. Ms. Ernie Gormsen Mr. Michael Aisenberg Verizon Communications Verizon Communications Mr. Lowell Thomas Mr. James Bean Legislative and Regulatory Other Legislative and Regulatory Task Force Briefers Task Force Industry Participants BellSouth Corporation Bank of America, Inc. Mr. Doug Langley Mr. John Huffstutler Federal Communications Commission BellSouth Corporation Mr. Jim Dailey Ms. Cristin Flynn Legislative and Regulatory Task Force BellSouth Corporation Government Participants Mr. Lloyd Nault Defense Information Systems Agency Cellular Telecommunications Ms. Hillary Morgan & Internet Association Ms. Kathryn Condello U.S. Department of Energy Mr. John Greenhill The George Washington University Dr. Jack Oslund

Lockheed Martin Corporation Mr. Larry Duncan

XXVII_ActiveIssues.indd 15 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Research & Development (R&D) To ensure inclusion of all stakeholders in the R&D community, the NSTAC has tra- Investigation Groups ditionally invited representatives from a broad number of private sector companies,  Network Security Task Force (NSTF) academic institutions, and key Government agencies with NS/EP and/or R&D respon-  Network Security Group (NSG) sibilities, such as the Office of Science and  Network Group (NG), Intrusion Technology Policy (OSTP), the Defense Detection Subgroup (IDSG) Advanced Research Projects Administra- tion (DARPA), and the National Institute  Research and Development of Standards and Technology (NIST). Exchange Task Force (RDXTF) During the course of the Workshop, participants endeavor to frame key policy issues;  Research and Development Task identify and characterize barriers and Force (RDTF) impediments inhibiting R&D; discuss how stakeholders can cooperate and coordinate Period of Activity efforts as the communities of interest shift;  NSTF: February 21, 1990– and develop specific, clear, realistic, and August 26, 1992 actionable recommendations for actions by key stakeholders and decision makers.  NSG: December 1994–April 1997 The roots of the RDX Workshop date back to  NG, IDS: April 22, 1997– 1990, when the growing number of hacker September 23, 1999 incidents led to the formation of the NSTAC’s Network Security Task Force (NSTF).  RDXTF: July 18, 2000–July 29, 2003 The task force’s purpose was to assess the threats to, and vulnerabilities of, the public  RDTF: July 29, 2003–Present switched telephone network, and a key Issue Background component of the task force’s work included examining R&D issues related to security Periodically, the President’s National with a particular emphasis on improving Security Telecommunications Advisory Com- commercially applicable tools. mittee (NSTAC) conducts a Research and Development Exchange (RDX) Workshop. In mid-1991, the NSTF identified six areas The broad purpose of the Workshop is to in which R&D on commercially applicable stimulate and facilitate a dialogue among security tools was needed and asked the industry, the Government, and academia on Government to share information about its emerging security technology research and R&D efforts in those areas. development (R&D) activities that have the potential to affect the national security and emergency preparedness (NS/EP) posture of the Nation, whether positively or negatively.

XXVII_ActiveIssues.indd 16 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

The subsequent briefings provided by In 1997, in response to a number of stimuli, representatives of the National Security including the recommendations from the Agency and NIST to the NSTAC, which con- 1996 RDX Workshop, the Network Group’s stituted the NSTAC’s first RDX Workshop, (formerly the NSG) IDSG conducted a study demonstrated that the Government already of intrusion detection technology R&D had R&D efforts under way in all of and analyzed it in terms of meeting those areas. NS/EP requirements. The IDSG made four recommendations to the President, including NSTAC R&D activities gained momentum the need to increase R&D funding for in March 1996, when the NSTAC’s Industry control systems of critical infrastructures Executive Subcommittee (IES) determined and to encourage cooperative develop- that it would again be useful to address ment programs to maximize the use of network security R&D issues and charged existing R&D resources in industry, the the NSG with facilitating a seminar for Government, and academia. The task force’s industry and Government participants to recommendations reinforced previous discuss network security R&D activities NSTAC recommendations to examine the and issues. The purpose of the seminar need for, and feasibility of, collaborative was threefold: (1) encourage a common R&D approaches for security technology. understanding of network security Those recommendations also provided problems affecting NS/EP telecommunica- the basis for the concept of the third RDX tions; (2) identify R&D activities in Workshop, Enhancing Network Security progress to address those problems; and Technology: R&D Collaboration, held in (3) define additional network security R&D October 1998 at Purdue University’s Center activities needed. for Education and Research in Information Assurance (IA) and Security to examine The NSG specified four areas of interest collaborative approaches to security for further investigation—authentica- technology R&D. The participants, which tion, intrusion detection, integrity, and for the first time included members of the access control—and conducted the second academic community, also discussed the RDX Workshop on September 18, 1996. need for training more information tech- Because the objective was to facilitate nology (IT) security professionals, creating meaningful discussion among participants, large-scale testbeds to test security products participation at the Workshop was limited and solutions, and promoting the creation of to 50 people representing 15 companies and IA Centers of Excellence in academia. 11 Government organizations, including one federally funded R&D center. The NSTAC limited industry representation to NSTAC member companies.

XXVII_ActiveIssues.indd 17 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Deliberations at the RDX Workshop at Specifically, the event examined Purdue University resulted in several trustworthiness from four different per- findings and recommendations for future spectives: cyber and software security, industry, Government, and academia physical security, integration issues, and work, as well as three recommenda- human factors. From this event, the NSTAC tions for future NSTAC consideration, developed seven specific findings, including including the need to “conduct another the need to clearly define the term NS/EP R&D Exchange [Workshop] in the spring of in a post-September 11, 2001, world char- 2000 to continue the dialogue on the long- acterized by a rapidly changing technology term issues associated with infrastructure and threat environment and the need for assurance and network security,” such as a large-scale testbed that could be used as new threats and convergence. The third an environment to test NS/EP systems and NSTAC RDX Workshop also provided the critical infrastructures. model for all future workshops. To directly address the findings from the At the University of Tulsa in September 2003 RDX Workshop during the NSTAC 2000, participants at the NSTAC’s fourth XXVII cycle, the RDTF developed a “living” RDX Workshop examined issues of transpar- discussion paper providing the back- ent security in a converged and distributed ground for the policy components of the network environment and discussed the evolving definition of NS/EP. The RDTF also need to address the shortage of qualified examined several large-scale public and information security professionals, expand private testbeds, reviewing their capacity to the number of universities participating in test the telecommunications and information the IA Centers of Excellence program, and systems infrastructures for NS/EP purposes. promote best practices, standards, and pro- The task force formulated recommenda- tection profiles to enhance the security of tions for a joint industry, Government, and the next generation network. Findings and academia large-scale pilot testbed that recommendations from the Workshop could advance the current state of NS/EP included the establishment of NSTAC integration activities. task forces to address standards and best practices for network security. Currently, the RDTF is preparing for its next scheduled RDX Workshop in October The NSTAC’s fifth and most recent 2004 in Monterrey, California. The 2004 Workshop—held in March 2003 at the RDX Workshop will reconsider the issues Georgia Technology Information Security addressed at the fifth RDX Workshop in Center (GTISC) at the Georgia Institute of Atlanta, Georgia, examining progress made Technology in Atlanta, Georgia—explored in the areas identified. the full range of telecommunications and information systems trustworthiness issues as they pertained to NS/EP telecommunications systems.

XXVII_ActiveIssues.indd 18 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

History of NSTAC Actions  NS/EP Definition Discussion Paper, and Recommendations April 2004

Following the 2003 RDX Workshop in Research and Development Atlanta, Georgia, the NSTAC provided Task Force Membership the Director, OSTP with policy advice on specific areas of security technology R&D Chair that should be taken into account when Mr. Guy Copeland, providing input to the President’s fiscal Computer Sciences Corporation year 2004 budget request. In addition, the Co-Vice Chair RDTF provided its NS/EP Definition Discus- Dr. Jack Edwards, Nortel Networks Limited sion Paper to the Executive Office of the President to utilize in ongoing discussions Co-Vice Chair on NS/EP communications. Mr. Hank Kluepfel, Science Applications International Corporation Reports/Proceedings Issued The Boeing Company  Network Security Research and Mr. Robert Steele Development Exchange Proceedings, September 1996 Lockheed Martin Corporation Mr. Gerald Harvey  Report on the NS/EP Implications of Intrusion Detection Technology Lucent Technologies Research and Development, Mr. Frank Cantarelli December 1997 Motorola, Inc.  Research and Development Exchange Mr. Ben La Pointe Proceedings: Enhancing Network Security Technology R&D Collabora- Microsoft Corporation tion, October 20–21, 1998 Mr. Theodore Tanner

 Research and Development Exchange Qwest Communications Proceedings, Transparent Security Mr. Jon Loftstedt in a Converged and Distributed Raytheon Company Network Environment, Mr. Frank Newell September 28–29, 2000 SBC Communications, Inc.  Research and Development Exchange Ms. Rosemary Leffler Proceedings, R&D Issues to Ensure Trustworthiness in Telecommunica- VeriSign, Inc. tions and Information Systems that Mr. Mark Kosters Directly or Indirectly Impact National Security and Emergency Preparedness, Verizon Communications March 13–14, 2003 Mr. James Bean

XXVII_ActiveIssues.indd 19 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Other Research and Development Task Force Participants

U.S. Department of Homeland Security, Science and Technology Directorate Dr. Simon Szykman

Georgia Institute of Technology Dr. Seymour Goodman

XXVII_ActiveIssues.indd 20 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Network Security This initial list of security requirements was developed as a consensus document Investigation Groups and submitted as a contribution to the Alliance for Telecommunications Industry Internet Security/Architecture Solutions (ATIS) Committee T1—Tele- Task Force (ISATF) communications, Working Group T1M1.5 OAM&P Architecture, Interface and Operations, Administration, Maintenance, Protocols for consideration as a standard. and Provisioning (OAM&P) Standard Working Group Representatives from T1M1.5, the NSTAC NSIE, the Government NSIE, and T1M1 Periods of Activity liaison organizations further refined ISATF: April 2002–April 2003 the initial document and developed the standard, entitled Operations, Administra- OAM&P Working Group: February 2003– tion, Maintenance, and Provisioning Security August 2003 Requirements for the Public Telecommu- nications Network: A Baseline of Security Issue Background Requirements for the Management Plane. Committee T1 approved the standard During the NSTAC XXVI cycle (March (T1.276-2003) in July 2003. 2002–April 2003), the Industry Executive Subcommittee (IES) created the Internet During the NSTAC XXVII cycle (May Security/Architecture Task Force (ISATF) to 2003–May 2004), the IES created the Opera- study such issues as identifying pervasive tions, Administration, Maintenance, and software/protocols and defining the “edge” Provisioning (OAM&P) Standard Working elements of the Internet. Group to further examine the standard and develop conclusions and recommendations In 2002, the NSTAC’s Network Security for action. Information Exchange (NSIE) and the Government NSIE established the Security History of NSTAC Actions Requirements Working Group (SRWG) and Recommendations to examine the security requirements for controlling access to the public switched Following the NSTAC XXV Meeting on network, in particular with respect to the March 13, 2002, the IES turned to network emerging next generation network. and Internet security issues. At the meeting, Members of the SRWG, representing a the Special Advisor to the President for cross-section of telecommunications Cyberspace Security discussed the serious carriers and vendors, developed an initial threats posed by vulnerabilities within list of security requirements that would the Domain Name Servers and the Border allow vendors, Government departments Gateway Protocol. and agencies, and service providers to implement a secure telecommunications network management infrastructure.

XXVII_ActiveIssues.indd 21 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

In response to these concerns, the IES Finally, the task force observed that while created the ISATF to provide recommenda- many organizations are successfully cor- tions to the President on how to identify recting and remediating vulnerabilities, and remedy vulnerabilities in pervasive a streamlined method for disseminating software/protocols, define the “edge” expeditiously corrected information to the elements of the Internet, and determine telecommunications and Internet service ways that the NSTAC could integrate its provider (ISP) communities is not utilized. efforts to define and monitor significant critical infrastructures supporting the The ISATF recommended that the President Internet with other industry activities. direct the appropriate departments and agencies, in coordination with industry, to: In its First Steps in Identifying and Reme- diating Vulnerabilities in Pervasive • Consolidate Government-funded watch Software/Protocols report, the ISATF center operations of agencies and depart- analyzed five stages relevant to identifying ments dedicated to the detection and and remediating vulnerabilities in pervasive dissemination of information software and protocols: prevention, related to Internet vulnerabilities into detection, information sharing, analysis, one organization to create a more and correction. In the area of preven- efficient and effective collaborative tion, the task force advocated aggressive industry/Government information public-private research and development sharing partnership activities and cited the need to develop • Establish a lead organization within the adequate alerting and warning systems Department of Homeland Security to to continue to support the operations of coordinate with industry, a process for information sharing and analysis centers. warnings, notification, coordination, and The task force also identified barriers to the remediation of widespread problems in a effective detection of vulnerabilities, such national emergency as the myriad number of forums devoted • Recognize the need to involve all to detection and the lack of standardiza- aspects of the Internet in the process of tion in reporting procedures. Third, the identifying significant vulnerabilities, task force emphasized that significant including the Web hosting, network barriers to information sharing exist, such access provider (NAP), backbone, and as the Freedom of Information Act (FOIA) ISP communities and liability concerns, and advocated the creation of legislation that would ease the • Fund efforts related to identifying sharing of critical information. The ISATF and mitigating vulnerabilities in the also concluded that the analysis functions most critical protocols or software within industry that detect and publish vul- relied upon within key sectors of the nerabilities appear to be adequate, but the Nation’s infrastructure Government may find some benefit in better leveraging available synergies by consolidat- ing Government-funded analysis centers where appropriate.

XXVII_ActiveIssues.indd 22 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

• Promote and support legislation to The ISTAF recommended to the address FOIA, antitrust, and President that: liability concerns regarding information shared by industry for the • The Government should continue its purposes of critical infrastructure work to identify the critical NS/EP protection (CIP). missions and functions supporting those missions that rely on the Additionally, the ISATF made other recom- Internet and encourage the parties mendations focused on developing a process responsible for those missions to for the Internet community, both private ensure that they are adequately and public, to share information within the protected through redundancy and component communities, and within the alternative capabilities. larger telecommunications and Internet infrastructure context. • Industry, standards bodies, software vendors, equipment vendors, network During the NSTAC XXV Meeting, concern operators, and end users of all was also expressed over the ability to defend products and services that make the Internet by protecting the edges of the up the Internet should ensure that Internet against attack or exploitation. these products have built-in baseline In response to these concerns, the IES security features and that these capa- tasked the ISATF to provide guidance on bilities are appropriately configured how to define the edge of the Internet. and kept up-to-date.

Through detailed analysis, the ISATF • The Government should work determined that because the Internet is with Internet security experts not a single network but a network of and standards bodies to develop a interconnected networks, there is no single standard set of “key warnings and definition of the edge as the definition indicators” that all service providers depends on perspective. The ISATF also can use as a baseline to measure noted that there are many different ways security threats. to define the edge that include, but are not limited to the following: all systems that The NSTAC’s OAM&P Working Group rec- contain IP addresses that do not route IP ognized that Executive Orders, Presidential packets; the composition of information directives, and Presidential commissions systems; and zones of responsibility for have specified infrastructures as national network operators versus end users. assets that are critical to the defense and In addition, the group noted that emphasis economic security of the United States. should be placed not on defining the edge of Telecommunications is one of these the Internet but on defending the Internet as critical infrastructures. Security for the the adoption of a single definition of the edge network management functions controlling could prevent critical security precautions this infrastructure is essential. from being addressed in other areas.

XXVII_ActiveIssues.indd 23 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Many standards for network management T1.276-2003 addresses security for network security exist; however, compliance is low element, management system, and element and implementations are inconsistent across management system equipment only; the various telecommunications equipment it does not specifically address security and software providers. for other equipment, such as customer premises equipment. Separate and apart In addition, service providers are specifying from the T1.276-2003 requirements, the similar but different requirements for current standard assumes that effective products, which results in inconsistent hardware and software controls provided by vendor feature sets and potentially higher the operating system (OS) protect the data costs for vendors. Finally, as the telecommu- and resources being managed. nications industry transitions to a converged network environment, new security chal- In addition, the OAM&P Standard Working lenges are introduced, and threats in the Group recommended to the President that: public network now become threats in the management and control planes. • The National Institute of Standards and Technology (NIST) review the Previous NSIE security assessments of the T1.276-2003 standard. If a review public network have also documented the finds a conflict between the T1.276- management plane’s vulnerabilities and 2003 standard and existing Federal susceptibility to intruder attacks. Because an Information Processing Standards increasing number of networks are closely and NIST publications, NIST should tied to intranets, these networks are sus- make these conflicts known to the ceptible to hacker threats. Furthermore, the appropriate standards bodies. lack of standards to address this issue enables intruders to penetrate vulner- • Federal departments and agencies be abilities and further deteriorate the encouraged to use the T1.276-2003 telecommunications networks. Therefore, an standard in requests for proposals, urgent need exists for this baseline standard as appropriate. to provide much-needed security mecha- • Through the Department of nisms for telecommunications carriers and Homeland Security (DHS), vendors to implement. encourage other infrastructures to The OAM&P Standard Working Group consider the elements of the T1.276- reviewed T1.276-2003 and concluded that 2003 standard as a baseline for the current standard addresses only one security requirements and adapt aspect (i.e., the management plane) of an appropriate requirements for their overall end-to-end security solution. respective infrastructure.

XXVII_ActiveIssues.indd 24 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Actions Resulting from Operations, Administration, NSTAC Recommendations Maintenance, and Provisioning Standard Working Group Membership DHS created the Information Analysis and Infrastructure Protection Directorate to Chair identify and assess intelligence informa- Dr. Jack Edwards, Nortel Networks Limited tion concerning threats to the United States, issue warnings, and take preventative and Cellular Telecommunications protective action against those threats. & Internet Association The watch center capabilities of several Ms. Kathryn Condello Federal Government agencies were also Lucent Technologies consolidated within DHS. Ms. Anne Frantzen The Homeland Security Act of 2002 included Microsoft Corporation a provision (section 214) establishing the Mr. Philip Reitinger protection of voluntarily shared critical infrastructure information. The National Raytheon Company Cyber Security Partnership (NCSP) Task Mr. Vernon Joyner Force 4, Working Group 5 designated a liaison to work with T1M1 as they explore SBC Communications, Inc. technical standards and Common Criteria. Mr. Jonathan Boynton T1.276-2003 will be one of the many Science Applications standards that will be considered as the International Corporation NCSP works to secure cyberspace. Mr. Hank Kluepfel In addition, the International Telecommuni- cation Union is developing an international Other Operations, Administration, standard based on the requirements Maintenance, and Provisioning outlined in T1.276-2003. Standard Working Group Participants Reports Issued: Cellular Telecommunications • First Steps in Identifying and Reme- & Internet Association diating Vulnerabilities in Pervasive Mr. Rick Kemper Software/Protocols, April 2003. National Institute of Standards • Defining the Edge of the Internet, and Technology June 2003. Mr. Rick Kuhn

• Operations, Administration, Main- tenance, and Provisioning (OAM&P) Security Requirements for the Public Telecommunications Network: A Baseline of Security Requirements for the Management Plane, August 2003

XXVII_ActiveIssues.indd 25 10/8/04, 4:32 PM XXVII_ActiveIssues.indd 26 10/8/04, 4:32 PM Previously Addressed Issues 10/8/04, 4:32 PM 1 XXVII_PreviousIssues.indd XXVII_PreviousIssues.indd 2 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Previously Addressed Issues

Wireless Services The OMNCS recommended that the task (Including Priority Services) force’s charge be to: (1) define the scope of the issues regarding wireless services, Investigation Groups and (2) advise the Government on how to minimize any adverse effects of emerging Wireless/Low-Bit-Rate Digital Services digital mobile communications standards Task Force (W/LBRDSTF) and technologies on mobile national security and emergency preparedness (NS/EP) users. Wireless Services Task Force (WSTF) On October 3, 1991, in its final NSTAC XIII Legislative and Regulatory report, the W/LBRDSTF concluded that Task Force (LRTF) no Government organization existed for defining NS/EP requirements for wireless Wireless Task Force (WTF) digital communications. In addition, the task Periods of Activity force determined that compatibility problems existed between certain existing and W/LBRDSTF: March 1991–October 1991 developing voice/data devices (for example, secure telephone unit [STU]-III analog) and WSTF: December 1991–September 1995 the emerging digital wireless network. LRTF: February 2001–Present Based on the task force’s report, the NSTAC recommended that the Government WTF: April 2002–January 2003 determine the appropriate organization to address and monitor wireless digital Issue Background interface issues. Accordingly, the Government tasked the OMNCS Wireless At its March 15, 1991, meeting, the Services Program Office (WSPO) with President’s National Security Telecommu- the responsibility. nications Advisory Committee’s (NSTAC) Industry Executive Subcommittee (IES) In December 1991, following the estab- established the Wireless/Low-Bit-Rate lishment of the WSPO, the IES approved Digital Services Task Force (W/LBRDSTF) the establishment of a follow-on Wireless to address Office of the Manager, National Services Task Force (WSTF). The IES Communications System (OMNCS) concerns tasked the WSTF to provide an industry about the possible adverse effects of perspective to the WSPO and to assist in developments in the rapidly evolving developing a plan of action for address- wireless telecommunications sector that ing NS/EP wireless issues. This included would impact the public switched identifying Government requirements network’s ability to handle secure voice and developing a white paper to support and data communications. standards activities.

XXVII_PreviousIssues.indd 27 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

The IES also instructed the task force to Since then, the subgroup has assisted in continue its investigation into wireless developing CPAS forms and a manual for the services supporting NS/EP. To that end, the administration of CPAS. Additionally, the task force surveyed the evolving wireless subgroup monitored the development and services environment and identified and modifications of standards and regulatory assessed candidate solutions that would issues relevant to CPAS, which is now referred ensure interoperability and connectiv- to as Wireless Priority Service (WPS). ity among wireless services and between wireless and non-wireless systems. The NSTAC revisited WPS issues during the NSTAC XXVI cycle (March 2002– The WSTF, in conjunction with the OMNCS April 2003). After scoping current wireless WSPO and the Federal Wireless Users issues related to NS/EP users, the IES Forum, addressed methods for incorporating formed the Wireless Task Force (WTF) to priority access into wireless systems for study issues relating to the ubiquitous rollout NS/EP use. In addition, they determined of WPS at its April 18, 2002, meeting. the potential for emerging wireless In addition to analyzing the impediments technologies to complement existing to the ubiquitous rollout of WPS, the IES communications support in the Federal detailed the task force to study how WPS Response Plan (FRP) Emergency Support can be promoted publicly and explore non- Function (ESF) #2 (Communications). device specific and secure solutions for deploying WPS. The WSTF established the Cellular Priority Access Service (CPAS) subgroup in July History of NSTAC Actions 1994 to investigate technical, administra- and Recommendations tive, and regulatory issues associated with the deployment of a nationwide priority At the October 3, 1991, NSTAC XIII access capability for NS/EP cellular users. Meeting, the NSTAC approved the following W/LBRDSTF recommendations On March 2, 1995, the IES instructed to the President: the WSTF to determine the NS/EP implications of, and scope the future task force • The Government should establish involvement in, wireless technologies. a focal point, supported by the These technologies include land mobile National Security Agency (NSA) radio/specialized mobile radio, mobile and the National Institute of satellite services, personal communications Standards and Technology (NIST), services, and mobile wireless access to to address and monitor wireless data networks. digital interface issues

At its September 22, 1995, meeting, the • The Government should formulate IES placed the WSTF on standby status policies at a high level to ensure until needed by the Government. At that that all wireless digital service meeting, the IES also voted to place the acquisition activities take NS/EP CPAS subgroup under the direction of the needs into account. NS/EP group.

XXVII_PreviousIssues.indd 28 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

The NSTAC reconvened the task force At the NSTAC XXV Executive Breakfast on following the establishment of the WSPO. March 13, 2002, Senator Robert Bennett (R-UT) requested that the NSTAC revisit the At the March 4, 1994, NSTAC XVI Meeting, issue of WPS and further examine obstacles the NSTAC approved the WSTF report and to the ubiquitous rollout of WPS. In response forwarded recommendations to the to this charge, the NSTAC tasked the WTF Government on pursuing implementation with assessing the issues related to the of a single, nationwide priority access ubiquitous deployment of WPS. capability for NS/EP users and expanding the FRP ESF#2 planning process to make The WTF closely monitored the deployment more effective use of wireless technologies of WPS, noting that the ubiquitous and services. deployment of the program had not been achieved for a variety of operational, At the NSTAC XVII Meeting, held on technical, funding, and regulatory reasons. January 12, 1995, the task force reported on WTF members agreed that the ubiquitous, its activities in the areas of wireless interop- nationwide deployment of WPS would erability and cellular priority access. be achieved through the inclusion of all wireless technologies in the solution set, At the NSTAC XVIII Meeting, the WSTF satellite back-up capabilities, and the partici- presented its task force report and recom- pation of large and small wireless carriers. mendations on the NS/EP implications Members also cited inadequate Govern- of land mobile radio/specialized mobile ment funding, lack of liability protection for radio, mobile satellite services, personal carriers, and technological limitations as communications services, and wireless data additional impediments to the ubiquitous to the President. The report had several rollout of WPS. Lastly, the WTF determined recommendations related to the Govern- the need for an effective WPS outreach ment continuing to actively exploit campaign to State and local Governments, emerging technologies in support of NS/EP smaller wireless carriers, private sector activities by working at the international, critical infrastructure protection providers, Federal, State, and local levels in defining and the general public. Providing these wireless requirements. entities with timely and accurate informa- Additionally, the subgroup submitted the tion would dispel misconceptions regarding Cellular Priority Access Services Subgroup the WPS program and facilitate the inclusion Report, which recommended the Govern- of WPS in various NS/EP homeland security, ment continue to gain a consensus on CPAS contingency, and disaster recovery plans. regulatory, administrative, and technical As a result of this analysis, the NSTAC issues to finalize a comprehensive CPAS offered the following recommendations to implementation strategy. the President:

XXVII_PreviousIssues.indd 29 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

• Encourage the development of WPS – State and local Governments— solutions for all wireless technologies Emphasizing the role of WPS (e.g., cellular/personal communi- in homeland security and the cations service, third generation importance of expediting zoning networks, paging, and other wireless and siting requests from wireless data services) to maximize WPS carriers, including the use of coverage, increase ubiquity, and give Government sites and buildings, NS/EP users the flexibility to handle to increase WPS coverage a variety of emergencies and disasters and ubiquity

• Reaffirm that the Federal Com- – Smaller carriers—Educating munications Commission’s (FCC) them on WPS and encouraging Second Report and Order (R&O) their involvement in the program on Priority Access Service (PAS) does extend liability protection to – Private sector critical infrastruc- wireless priority solution providers ture providers—Facilitating equivalent to liability protection greater awareness of the WPS found in wireline priority communi- program and enabling improved cations programs contingency and disaster recovery programs • Encourage and support adequate funding for the development and – The general public— deployment of a multi-technology Detailing the benefits WPS and multi-carrier WPS program, provides for public safety and including a satellite backup capabil- homeland security ity to continue through WPS full • Direct the National Communications operational capability and later System (NCS), Government agencies generations and integration with the and departments, and organizations Government Emergency Telecommu- with NS/EP missions to implement nications Service (GETS) proactive policies regarding the implementation and use of the WPS • Direct the appropriate departments and agencies to conduct outreach program, including: and educational campaigns regard- – Stockpiling WPS-enabled phones ing WPS and its role in homeland for large-scale distribution to security, specifically targeting: NS/EP users during emergencies

– Monitoring WPS usage following distribution of WPS handsets to protect against fraud and abuse

XXVII_PreviousIssues.indd 30 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

– Developing a WPS directory In the letter, the NSTAC commended the assistance function, enabling FCC for adopting a Second R&O for PAS, NS/EP users to locate one which indicates that carriers providing another during emergencies. PAS shall have liability immunity from Section 202 of the Communications Act; • Direct the NCS and Government states that the FCC and the National agencies and departments involved Telecommunications and Information in WPS planning and program man- Administration (NTIA) should accelerate agement to address the technical ongoing efforts to improve interoperability limitations of wireless and other between Federal, State, and local public network technologies that may have safety communications agencies; and a negative impact on the assurance, encourages the Administration to support reliability, and availability of an full and adequate Federal funding for PAS. end-to-end WPS solution. These limitations include but are not limited to: Actions Resulting from NSTAC Recommendations – Insufficient commercial capacity available to support NS/EP users A Memorandum of Understanding established the WSPO as the Government focal – Technical infeasibility of point within the OMNCS Technology and offering wireless priority at the Standards Division (now the OMNCS network egress within the initial Technology and Programs Division), with operating capability time frame full-time participation from NSA and NIST. – Processing limitations of On October 19, 1995, the OMNCS, through Signaling System 7 (SS7) during the WSPO, submitted a CPAS Petition for periods of congestion Rulemaking to the FCC to authorize the – Security vulnerabilities resulting nationwide CPAS service. After two years from the convergence of voice of soliciting comments from industry on and data networks and the SS7 the CPAS Petition for Rulemaking, the FCC adopted the First R&O for PAS on – Challenges associated with the August 6, 1998. integration of GETS with WPS. The OMNCS worked on CPAS implemen- In addition, the WTF worked jointly with the tation through four parallel approaches: Legislative and Regulatory Task Force (LRTF) modifying cellular standards to incorpo- to assess the legal and regulatory concerns rate CPAS, encouraging the FCC to issue with WPS during the NSTAC XXVI cycle. CPAS rules, developing CPAS administra- Specifically, they addressed whether the tive processes, and stimulating competitive FCC should revise the Second R&O for PAS. interests of service providers to implement The NSTAC reviewed the R&O and, on the CPAS capability. January 22, 2003, sent a letter to the President offering recommendations on PAS.

XXVII_PreviousIssues.indd 31 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

On July 3, 2000, the FCC adopted the There are also plans to expand WPS to Second R&O for PAS, establishing the be offered on the Code Division Multiple regulatory, administrative, and operational Access (CDMA) platform in the future. framework enabling commercial mobile radio service providers to offer WPS to Reports Issued NS/EP personnel. The R&O also provided Wireless/Low-Bit-Rate Digital Services Task WPS priority levels and qualifying Force Final Report: Towards National Security criteria to be used as the basis for all and Emergency Preparedness Wireless/Low- WPS assignments. In their rule making, Bit-Rate Digital Services, September 1991. the FCC determined that (1) WPS was in the public interest; (2) WPS offering should Wireless Services Task Force, January 1994. be voluntary; (3) carriers should have limited liability if uniform operating pro- Emerging Wireless Services Report, cedures were followed; and (4) the NCS is September 1995. responsible for day-to-day administration of the program. Cellular Priority Access Services Subgroup Report, September 1995. After the terrorist attacks of September 11, 2001, the NS/EP Wireless Task Force Report: Wireless Priority community had a renewed interest in Service, August 2002. fully implementing WPS and White House personnel directed the NCS to establish an active program. A WPS-like solution was made available in Salt Lake City in time for the 2002 Olympic Winter Games and the NCS launched an immediate solution in May 2002 in the greater metropolitan areas of Washington, D.C., and New York City. As a result of the NCS integration into the Department of Homeland Security (DHS), WPS is now offered through the DHS Information Analysis and Infrastructure Protection (IAIP) Directorate. WPS is offered in most major metropolitan markets on the Global System for Mobile Communi- cations (GSM) platform. The initial carrier for WPS is T-Mobile, which will reach full operating capability in 2004. In addition, the WPS program expanded to additional GSM carriers in 2004, including AT&T Wireless, Cingular, and Nextel.

XXVII_PreviousIssues.indd 32 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Wireless Security At the President’s National Security Telecommunications Advisory Com- Investigation Group mittee (NSTAC) XXV Meeting held on March 13, 2002, participants discussed the Wireless Task Force (WTF) topic of security vulnerabilities in wireless communications devices and networks. Period of Activity Since subscribers use wireless technologies April 2002–January 2003 to transmit voice, data, and video in support of NS/EP operations, meeting participants Issue Background agreed that the NS/EP community needed to identify its security requirements and under- Numerous wireless technologies are being stand potential wireless vulnerabilities. used with greater regularity to transmit After an initial scoping of wireless security voice, data, and video in support of and other related wireless issues, the NSTAC national security and emergency prepared- Industry Executive Subcommittee (IES) ness (NS/EP) operations. However, there are formed the Wireless Task Force (WTF) at increasing concerns that wireless commu- its April 18, 2002, meeting. The IES tasked nications could expose NS/EP users to new the WTF to determine how the NS/EP user security threats and vulnerabilities. can operate in a secure environment and to As such, the NS/EP community needs to provide conclusions and recommendations understand its security requirements and to the President regarding wireless security. identify potential wireless vulnerabilities. History of NSTAC Actions Challenges exist at many levels, including and Recommendations product design, wireless standards, and wireless/Internet convergence. First, the To adequately discuss these subjects and wide use of commercial off-the-shelf formulate actionable recommendations products and legacy equipment by the designed to help offset wireless threats NS/EP community is an important and vulnerabilities, the WTF agreed to: consideration because these devices and (1) define the terms “wireless” and “wireless equipment were not designed with security;” (2) identify NS/EP wireless NS/EP security requirements in mind and users’ unique requirements; (3) compile a sometimes without security features at all. list of wireless vulnerabilities and threats; Second, interoperability issues arise from and (4) where known, identify mitigation the implementation of different security approaches to address wireless vulnerabili- models and standards—for instance, there ties and threats. The task force used the are several conflicting policies either estab- expertise of subject matter experts from lished or in development, designed to inhibit NSTAC member companies, as well as other or prohibit the use of particular wireless information technology companies, industry capabilities and connectivity to classi- associations, and Government participants, fied networks and computers. Third, the throughout its study of wireless security. extension of the Internet into the wireless domain adds new security challenges.

XXVII_PreviousIssues.indd 33 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

After defining NS/EP user requirements, • Direct Federal departments and the task force identified advantages to agencies to construct mitigation using wireless systems for NS/EP communi- and alleviation policies regarding cations, as well as vulnerabilities and wireless vulnerabilities and further threats that must be addressed before using consider the applicability of the wireless capabilities for mission-critical recent wireless security policies of NS/EP communications. The WTF’s findings the National Institute of Standards concurred with other prevalent studies, and Technology (NIST) and the which determined that any vulnerabili- Department of Defense to all Federal ties that exist in conventional wired and departments and agencies computer communications and networks are applicable to wireless technologies. • Direct Government chief information officers to immediately emphasize The WTF concluded that there is a range enterprise management controls, of wireless security, which varies from with respect to wireless devices, effective, practical security on the commer- to ensure that appropriate security cial wireless networks, to significantly less controls are implemented, given that security on the public wireless networks. the banning of wireless devices is As such, an NS/EP agency must ensure counterproductive and ignores the that its NS/EP communications are secured efficiency that such devices brings appropriately for its mission. The WTF also to users agreed that the extent to which these vulnerabilities have been or can be addressed • Direct Federal departments and would be a function of the degree to which agencies to work in concert with organizations with experience in security industry to develop security prin- issues manage the network. ciples and to resolve security-related deficiencies in wireless devices when The WTF concluded its analysis of employed by NS/EP users wireless security in January 2003 and presented its findings in its WTF Report • Direct Federal departments and on Wireless Security. The task force agencies using wireless communica- found that wireless security challenges tions to address wireless security exist at many levels, including product threats and vulnerabilities, and to design, wireless standards, and wireless/ consider the end-to-end security of Internet convergence. Based on its analysis of their respective communications and issues related to wireless security, the NSTAC information system capabilities offered the following recommendations • Direct Federal departments and to the President: agencies using wireless communications to purchase and implement fully tested and compliant secure wireless products and services

XXVII_PreviousIssues.indd 34 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

• Direct appropriate staff to advocate The task force agreed that it is a serious funding initiatives for replacing non- issue, which is not limited exclusively to secure analog with secure digital “wireless” or “third-generation” wireless NS/EP equipment and systems devices, because any device connected to the Internet can be attacked. The WTF • Direct Federal departments and concluded that although the tasking agencies using microwave communi- referenced wireless specifically, the cations facilities to address unpro- NSTAC has already studied the larger tected link security vulnerabilities. issue as it relates to the convergence In addition, advise State and local of telecommunications networks and Governments and other critical the Internet. The complete findings based infrastructure providers of the vul- on the task force’s initial scoping were nerability of unprotected microwave forwarded to NSTAC stakeholders for review. communications as part of the homeland security initiative The WTF concluded its activities upon NSTAC approval of its reports and final- • Establish policies regarding the ization of its findings on the security of public availability and dissemina- Internet-enabled wireless devices. tion of Federal critical infrastructure information (such as the policies Actions Resulting from on Internet availability of Federal NSTAC Recommendation Communications Commission and the Federal Aviation Administration NSTAC wireless security recommendations databases of tower locations). were formed after considerable collaboration with experts from industry and At a December 2, 2002, IES task force the Government. Thus the recommenda- briefing, the Chair of the President’s tions were provided to and well received by Critical Infrastructure Protection Board other technical and policy advisory groups. requested that the WTF consider examining For example, the Network Reliability and the security of Internet-enabled wireless Interoperability Council (NRIC) VI, which communications devices and the efficacy assures homeland security, optimal of installing anti-virus software for reliability, interoperability, and intercon- wireless telephones, since such devices are nectivity of, and accessibility to, the public becoming increasingly more integrated with telecommunications networks, maintained computing functions. In response to the close coordination with NSTAC efforts Administration’s request, the WTF scoped and recommendations. NRIC’s best prac- the issue. tices and recommendations complemented NSTAC findings regarding wireless security The WTF reported a number of observations principles and the resolution of security- on the security of Internet-enabled wireless related deficiencies in wireless devices. devices in its Wireless Task Force Findings: Security of Internet-Enabled Wireless Devices, January 2003.

XXVII_PreviousIssues.indd 35 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Reports Issued

Wireless Task Force Report: Wireless Security, January 2003.

Wireless Task Force Findings: Security of Internet-Enabled Wireless Devices, January 2003.

XXVII_PreviousIssues.indd 36 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Physical Security of The VTF also addressed the Government’s Telecommunications Resources concern that the telecommunications infrastructure may be especially vulnerable Investigation Group because trusted physical access is granted to individuals requiring entrance to sites Vulnerabilities Task Force (VTF) where critical telecommunications assets are concentrated. During its deliberations, Period of Activity the task force stressed how the nationwide web of telecommunications assets has May 2002–February 2003 become far too extensive to ensure Issue Background full access control to prevent tampering. While critical sites and equipment are Following the business and executive sessions secured to the extent possible with elec- of the President’s National Security Telecom- tronic locks, padlocks, fences, alarms, munications Advisory Committee (NSTAC) security cameras, and the like, access XXV Meeting, the NSTAC Industry Executive control remains an important issue because Subcommittee chartered the Vulnerabilities the loss of or damage to a site housing Task Force (VTF) to examine possible risks numerous critical telecommunications assets associated with the concentration of critical could have local or “last mile” impacts telecommunications assets in telecom hotels and adversely affect national security and and Internet peering points, as well as emergency preparedness (NS/EP) services. vulnerabilities involving equipment chain Primary factors influencing the efficacy of control and trusted access procedures of access control procedures include to telecommunications facilities. The VTF individuals with malicious intent, the concluded that, while the telecommunica- omnipresent insider threat, the lack of a tions infrastructure is inherently vulnerable standard personal identification and to physical attack, the existence of multiple background check capabilities, and a lack interconnection facilities, such as telecom of universally applied access control hotels, has helped to disperse telecommu- procedures and best practices. nications assets over numerous locations, thereby reducing service impacts caused by Furthermore, the VTF addressed issues the loss of any one facility. The task force regarding the security of products and acknowledged that the physical destruction services delivered to critical locations (i.e., of individual critical telecommunications chain of control). The task force concluded facilities could disrupt service at the local that, although security will remain a level and restrict access to the infrastructure. priority, no policy actions are deemed Therefore, site-by-site mission-critical risk necessary at this time. However, if networks analyses are the only way for organizations become reliant on commodity equipment, to identify possible vulnerabilities that this could become an issue for consideration. could affect critical functions supporting those missions.

XXVII_PreviousIssues.indd 37 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

History of NSTAC Actions • Adopt telecommunications services and Recommendations procurement security policy guidelines that provide incentives to In order to mitigate risks associated with companies that follow best practices concentration of assets, the NSTAC recom- established by the Network mended that the President, in accordance Reliability and Interoperability with responsibilities and existing mecha- Council, high levels of security nisms established by Executive Order standards, and other recognized 12472, Assignment of National Security and business contingency principles. Emergency Preparedness Telecommunications Functions, direct the appropriate depart- In order to mitigate risks associated with ments and agencies to fund and undertake trusted access issues, the NSTAC recom- the following: mended that the President, in accordance with responsibilities and existing mecha- • Work with risk assessment nisms established by Executive Order organizations and service providers, 12472, Assignment of National Security and to conduct site-by-site mission- Emergency Preparedness Telecommunications critical risk analyses to identify Functions, direct the appropriate depart- vulnerabilities that could affect ments and agencies to: NS/EP communications and operations; and provide adequate • Coordinate with industry and State funding and resources for depart- and local Governments to develop ments and agencies to identify, guidance for: mitigate, and remediate vulner- – creating national standards and abilities that could affect individual capabilities for national security critical mission functions background checks, screening, • Establish a mechanism to and National Crime Information coordinate infrastructure data Center reviews requests from Federal, State, and – identifying the criteria for local governments to the information inclusion in background checks and communications sector – identifying who should be subject • Work with industry to develop and to background checks. implement a cross-functional threat warning system that both carriers • Lead the research and development and the Government could adopt as and standards bodies efforts to make part of their internal threat warning available a standard “tamper-proof,” and response procedures; and certificate-based picture identi- coordinate with industry to develop fication technology to enable the a process for sanitizing threat positive identification of individuals information for distribution at critical sites

XXVII_PreviousIssues.indd 38 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

• Coordinate with industry to develop • Vulnerabilities Task Force Report: a national plan for controlling access Internet Peering Security, April 2003. at the perimeter of a disaster area, in coordination with State and local Governments. This plan should be incorporated in the Federal Response Plan

• Adopt telecommunications service procurement security policy guidelines that provide positive incentives to those companies that follow Network Reliability and Interoper- ability Council best practices for access control.

Actions Resulting from NSTAC Recommendations

Following the NSTAC XXVI Meeting held on April 30, 2003, the IES created the Trusted Access Task Force (TATF), as a follow-on to the work of the VTF, specifically itsTrusted Access Report. The TATF was charged to examine how industry and the Government can work together to address concerns associated with implementing a national security background check program for access to key facilities. Future editions of the NSTAC Issue Review will summarize the activities and deliberations of the TATF once the group completes its report with Presidential recommendations.

Reports Issued

• Vulnerabilities Task Force Report: Chain of Control, March 2003.

• Vulnerabilities Task Force Report: Telecom Hotels, March 2003.

• Vulnerabilities Task Force Report: Trusted Access, March 2003.

XXVII_PreviousIssues.indd 39 10/8/04, 4:32 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Information Sharing/Critical Specifically, the IES directed the task force Infrastructure Protection to, among other things, continue interaction with Government leaders responsible Investigation Groups for PDD-63 implementation, and examine mechanisms and processes for protected, Information Sharing/Critical Infrastructure operational information sharing that would Protection Task Force (IS/CIPTF) help achieve the goals of PDD-63.

National Plan to Defend Critical Infrastruc- At NSTAC XXIV, the National Coordinator tures Task Force (NPTF) for Security, Infrastructure Protection, and Counter-terrorism requested the Periods of Activity NSTAC’s assistance in developing the Administration’s National Plan for Critical IS/CIPTF: September 1999–March 2002 Infrastructure Protection. The NSTAC’s IES NPTF: June 20, 2001–September 20, 2001 established the NPTF to draft a response to the National Coordinator’s request. Issue Background Subsequently, NPTF leadership met with National Security Council and Critical In investigating Information Assurance Infrastructure Assurance Office (CIAO) staff issues, the NSTAC worked closely with the to discuss approaches for providing input President’s Commission on Critical Infra- to the national plan. The chosen approach structure Protection and other Federal focused on providing input on capabilities organizations concerned with examining for national information sharing, analysis, physical and cyber threats to the Nation’s and dissemination to counter cyber threats. critical infrastructures. Federal efforts in this arena culminated with the release of History of NSTAC Actions presidential policy guidance—Presidential and Recommendations Decision Directive (PDD) 63, Critical Infrastructure Protection, May 22, 1998. Building on outreach work conducted by the Subsequently, PDD-63 implementation NSTAC Information Infrastructure Group became a focal point for NSTAC activities. during the NSTAC XXII cycle (see the Infor- mation Assurance section in this NSTAC Following a reevaluation of NSTAC Issue Review), the IS/CIPTF continued to subgroups in September 1999, the Industry provide input to the Director, CIAO, on the Executive Subcommittee (IES) created the National Plan for Information Systems Pro- IS/CIPTF to address information sharing tection (Version 1.0). This plan was the first issues associated with critical infrastructure major element of a more comprehensive protection (CIP). effort by the Federal Government to protect and defend the Nation against cyber vulnerabilities and disruptions. The IS/CIPTF members shared industry concerns and developed a dialogue with the Government that helped to shape the plan.

XXVII_PreviousIssues.indd 40 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

In its May 2000 report to NSTAC XXIII, the Specifically, the task force examined the IS/CIPTF provided NSTAC-recommended NCC’s historical experiences to determine input to the plan regarding the National how and what information is shared and Coordinating Center for Telecommunica- the utility of information sharing for tions (NCC) as the Information Sharing industry and Government. As part of the and Analysis Center (ISAC) for the telecom- study, the IS/CIPTF examined the NCC’s munications industry. Year 2000 (Y2K) experiences for lessons learned that could benefit infrastructure In parallel with its work associated with the protection efforts. The task force also identi- National Plan for Information Systems Protec- fied benefits of information sharing to both tion (Version 1.0), and as part of continuous industry and Government. efforts to share NSTAC expertise with industry and Government, the IS/CIPTF The IS/CIPTF also requested that the monitored the development of the Partner- NSTAC’s Legislative and Regulatory ship for Critical Infrastructure Security. Working Group (LRWG) examine the The Partnership is an industry/Government Freedom of Information Act (FOIA) as a effort to raise awareness about critical infra- potential impediment to information structure security and facilitates industry sharing and report its findings to the participation in the national process to task force. The LRWG’s work provided the address CIP. Through individual NSTAC task force with the background necessary member company participation, the NSTAC to voice industry concerns about the need shared expertise, successes, lessons learned, for legal provisions to protect critical infra- and experiences to further facilitate the structure protection-related information development of the Partnership in support from disclosure. of PDD-63 objectives. The IS/CIPTF documented its findings in The IS/CIPTF also examined mechanisms its report to NSTAC XIII in May 2000. and processes for protected, operational The IS/CIPTF concluded that historical and information sharing that would help achieve Y2K experiences demonstrate information the goals of PDD-63 and further the role of sharing to be a worthwhile effort; however, the NCC as an ISAC for telecommunications. for widespread information sharing over an (See the Industry/Government Information extended period of time to take place, legal, Sharing and Response section in this operational, and perceived impediments NSTAC Issue Review for a discussion of how must be overcome. Based on the IS/CIPTF’s the NSTAC’s support for the evolving role report, the NSTAC recommended that of the NCC helped pave the way for the the President: establishment of the NCC as an ISAC for telecommunications.)

XXVII_PreviousIssues.indd 41 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

• Support legislation similar to the During the NSTAC XXIV cycle, the IS/CIPTF Y2K Information and Readiness also continued to address barriers to sharing Disclosure Act that would protect CIP CIP-related information, including possible information voluntarily shared with law enforcement restrictions on industry the appropriate departments and sharing network intrusion data with ISACs agencies from disclosure under FOIA or similar information sharing forums. and limit liability. The task force requested that the NSTAC and Government Network Security and Informa- At the May 16, 2000, NSTAC XXIII meeting, tion Exchanges (NSIE) assist in investigating a Government request was made for this issue. industry advice and recommendations for revision of the National Plan for Informa- The NSTAC NSIE representatives reported tion Systems Protection. During the NSTAC that, historically, they had not discussed XXIV cycle, the IS/CIPTF developed a intrusions into their networks and systems response based on the NSTAC’s experi- with anyone else after reporting them to ence with proven processes for industry law enforcement because case agents had and Government partnership at the told them that doing so might compromise technical, operational, and policy levels. the investigation of their cases. In working Specifically, the task force documented with the Department of Justice, the NSIEs NSTAC findings related to the three broad found that although common practice objectives of Version 1.0 of the national discourages victims of such crimes from plan—Prepare and Prevent, Detect and sharing information, no laws or policies Respond, and Build Strong Foundations— prohibit victims from discussing crimes that should be reflected in Version 2.0 of against them even after they have reported the plan. In addition, the task force them to law enforcement. To address the proposed that a new broad objective—Inter- situation, the Chief, Computer Crime and national Considerations—be included in the Intellectual Property Section, Depart- plan’s Version 2.0. The NSTAC approved the ment of Justice, agreed to work with the response, and forwarded it to the President. law enforcement community to implement This information was also shared with the policies that encourage victims to share Information and Communications (I&C) such information, and to educate victims Sector Coordinators: the U.S. Telecom on those policies. The NSIEs concluded that Association, the Telecommunications it would be necessary for the private sector Industry Association, and the Information to ensure that personnel interacting with Technology Association of America; and law enforcement on such cases are aware the I&C Sector Liaison, the U.S. National that they are permitted and encouraged to Telecommunications and Information share this information for network security Administration (NTIA). The informa- purposes using appropriate mechanisms. tion was subsequently included in the I&C Sector Report that NTIA forwarded it to the President in April 2001.

XXVII_PreviousIssues.indd 42 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

At the June 6, 2001, NSTAC XXIV meeting, Before a national capability can become the National Coordinator requested the fully operational, industry and Govern- NSTAC’s assistance in developing the Bush ment must address—individually and in Administration’s National Plan for Critical collaboration—numerous policy, legal, Infrastructure Assurance. At that meeting, financial, operational, and technical issues. Federal officials also briefed a new national Nevertheless, the NSTAC clearly determined initiative for information sharing and dis- that the ISACs should be leveraged by both semination, the Cyber Warning Information industry and Government in building such a Network (CWIN), to the NSTAC as part national capability and should serve as the of the discussion on national information Government’s primary means of interface sharing capabilities. The IES formed the with industry. In addition, the NSTAC NPTF to discuss the proposed CWIN and determined that industry and Government develop further input to the national plan. should develop communications mechanisms The NPTF held discussions with members to link the ISACs to each other as well as of the Government’s CWIN Working with Government. The NSTAC also found Group to gain a better understanding of that infrastructures should consider alter- the CWIN initiative. The NSTAC input to native means for communicating during the national plan—based on the NPTF emergencies as appropriate to the sector. work—included an industry-based assess- For example, the telecommunications ment of a national information sharing, industry developed an alerting and coor- analysis, and dissemination capability for dination mechanism, which connects key addressing “cyber crises”. The assessment elements of the sector and provides reliable considered CWIN as a part of that larger and survivable communications in the event national capability. other communications mechanisms are unavailable or requirements warrant its use. The NSTAC’s input focused on the need for The NSTAC forwarded its report containing a recognized, authoritative, national-level input on the national plan to the President in capability to disseminate warnings and facili- November 2001. tate response and mitigation efforts for cyber crises across the Nation’s infrastructures. Reports Issued The NSTAC also concluded that key elements of such a capability spanning • Information Sharing/Critical public and private sectors should include Infrastructure Protection Task Force information collection and sharing, informa- Report, May 2000. tion analysis, dissemination of alerts and • The NSTAC’s Response to the National warnings, and post-event analysis. Plan, April 2001. The NSTAC recognized that conceptu- • Information Sharing for Critical alizing the architecture for a national Infrastructure Protection Task Force capability for addressing cyber crises is a Report, June 2001. complex undertaking.

XXVII_PreviousIssues.indd 43 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

• The NSTAC’s Input to the National Plan: An Assessment of Industry’s Role in National Level Information Sharing, Analysis, and Dissemina- tion Capabilities for Addressing Cyber Crises, November 2001.

XXVII_PreviousIssues.indd 44 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Last Mile Bandwidth The task force included broad representation Availability of NSTAC member companies and NCS departments and agencies. During the Investigation Group remainder of the NSTAC XXIV cycle, the LMBATF gathered data from both industry Last Mile Bandwidth Availability organizations and the Federal Government Task Force (LMBATF) regarding their experiences with provisioning at the local level. The task force also Period of Activity solicited input from telecommunications service providers on the processes for pro- LMBATF: January 18, 2001–March 6, 2002 visioning at the local level and the factors Issue Background affecting provisioning periods. Based on the input, the LMBATF agreed that the scope of At the 23rd meeting of the President’s the study should apply to non-universally NSTAC on May 16, 2000, the Deputy available services throughout the United Secretary of Defense, and the Manager, States, including fiber optics, T1 and T3 National Communications System (NCS), lines, integrated services digital network and addressed the inability of the Nation’s digital subscriber line technologies. military and national security organizations to obtain the timely provisioning History of NSTAC Actions of high-bandwidth circuits at the local and Recommendations level, referred to as the “last mile.” The LMBATF concluded its analysis of the Subsequently, in an October 2000 letter to “last mile” provisions during the NSTAC the NSTAC Chair, the NCS Manager asked XXV cycle and presented its findings and the NSTAC to recommend what the Govern- recommendations in the March 2002 “Last ment could do to expedite the provisioning Mile” Bandwidth Availability Task Force of “last mile” bandwidth or mitigate the Report at NSTAC XXV. The task force found provisioning periods for such services. that the provisioning periods for high- After scoping the key issues in coordina- bandwidth services in the “last mile” are tion with Government, the NSTAC affected by a combination of complex Industry Executive Subcommittee formed factors, such as intricate legislative, the LMBATF at its January 18, 2001, regulatory, and economic environments; Working Session. The task force was to challenging site locations; and contracting examine the root causes of the provisioning policies and procedures. Furthermore, while periods, how the Government might work the Telecommunications Act of 1996 sought with industry to reduce provisioning times to encourage competition, many carriers, or otherwise mitigate their effects, and what both incumbent and competitive, are policy-based solutions could be applied to dissatisfied with the results. This, combined the provisioning of high-bandwidth circuits with a high level of marketplace uncertainty, for NS/EP services. has reduced infrastructure investment by incumbents and competitors alike.

XXVII_PreviousIssues.indd 45 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

The task force also concluded that current Overall project management is vital to Government contracting arrangements effective network deployment, systems inte- also create difficulties. In many instances, gration, and achievement of project goals. contracts are only vehicles for ordering Because telecommunications services are services and do not represent a firm provided by a multitude of companies, users commitment on the part of the Government must track service orders and manage the to purchase a service. Because such network from a centralized perspective. commitments are not in place, the carrier cannot be assured of recovering its infra- The task force also studied whether the structure investment. Furthermore, when Telecommunications Service Priority (TSP) the business case warrants such investment, System can be used to expedite “last mile” carriers are limited by contracts’ failure provisioning requests because TSP provi- to list the sites to be served or the types sioning assignments are used by the NS/EP and quantities of services to be provided. community to facilitate the expedited Problems also occur because Government installation of telecommunications circuits contracts legally bind the prime contractor that otherwise could not be installed within but make no explicit demands on subcontrac- the required time frame. Although TSP tors on which the prime contractor depends. seems to be an applicable solution for many NS/EP “last mile” bandwidth requests, The Government is adversely affected TSP provisioning assignments can only be by funding cycles that do not coincide applied to services originating from new with the time needed to obtain high- business requirements. Therefore, TSP bandwidth services. Funding is not allocated provisioning cannot be used to replace or until the user identifies an immediate need transfer existing services, such as those and obtains approval. However, the associated with the contract transition. deployment of high-bandwidth infrastruc- Finally, TSP cannot be used to make up for ture often requires years of planning and time lost because of inadequate planning coordination for allocating capital, obtaining or logistical difficulties. According to these rights-of-way authority, and installing parameters, many “last mile” provisioning service facilities. The imperfect intersection requests are not eligible for the TSP System, of these inherently mismatched processes even if the requested service could be used often results in lengthy provisioning periods. for executing an agency’s NS/EP mission. An alternative for meeting Government The negative consequences of the funding organizations’ service requirements may be process are often exacerbated by a frag- the implementation of alternative technolo- mented management structure. In many gies to fulfill bandwidth requirements on a cases, project managers are responsible temporary or permanent basis. for separate portions of the network, with no single entity responsible for planning or monitoring the provisioning of end-to- end service.

XXVII_PreviousIssues.indd 46 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Based on this analysis, the LMBATF report • Direct the Federal Government Chief recommended that the President, in accor- Information Officers Council to dance with responsibilities and existing propose, and assist in implementing, mechanisms established by Executive Order improved Government contract- 12472, Assignment of National Security and ing practices for communications Emergency Preparedness Telecommunications services that will enhance the avail- Functions and other existing authority: ability of broadband services for the “last mile.” • Direct the appropriate departments and agencies, in coordination with In support of the recommendations, industry, to reevaluate their com- NSTAC “Last Mile” Task Force Report also munications service contracting and suggested that both industry and Govern- purchasing procedures and practices ment encourage: and take action to— • Government contracting officers – Provide sufficient authority to engage all industry and Gov- and flexibility to meet their ernment representatives in joint needs, consistent with planning sessions current conditions • Industry representatives to work with – Allow long lead-time ordering Government contracting officers in and funding commitments based joint planning sessions on projected requirements • Use of a contract structure that – Allow infrastructure funding makes all carriers involved in the where necessary for anticipated delivery of the service parties to the future needs or to accelerate contract with direct accountability to installation so that customer the Government contracting entity requirements can be met • Contracting practices that require – Share or assume risk for new end users to identify requirements service capital investment to and to communicate future needs ensure timely delivery to network providers. End users and network providers should jointly – Allow and provide for per- identify complicating factors and formance incentives for all discuss alternatives. performing parties: industry and Government, organizational Finally, the NSTAC “Last Mile” Bandwidth and individual Availability Task Force Report encouraged Government to: – Require end-to-end project management of communications • Establish realistic service require- service ordering and delivery. ments and timelines and select the service options that meet its needs with acceptable risk.

XXVII_PreviousIssues.indd 47 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

• Convene a working group consisting of industry and Government stakeholders in the provisioning process to develop and recommend a streamlined approach to all aspects of the process, including planning, ordering, and tracking. The resulting proposal should be comprehensive, simplifying steps and organizations as much as possible; should share information appropriately at all points; and should support flexibility in meeting end user needs. The working group should give strong consideration to a single Government database to support the process and a single point of contact, such as a phone number or an e-mail address, to ensure accuracy of information and provide exception handling.

• Establish or contract for project managers who have all necessary management control tools at their disposal; access to pertinent information; and experience, responsibility, and authority for obtaining and overseeing delivery of the end-to-end service.

The LMBATF concluded its activities upon NSTAC approval of its report.

Report Issued

“Last Mile” Bandwidth Availability Task Force Report to NSTAC XXV, March 2002.

XXVII_PreviousIssues.indd 48 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Network Convergence History of NSTAC Actions and Recommendations Investigation Groups Following NSTAC XXII in June 1999, the Information Technology Progress Impact Industry Executive Subcommittee (IES) Task Force (ITPITF) created the ITPITF to examine the potential Convergence Task Force (CTF) implications of Internet Protocol (IP) network and public switched network (PSN) Network Security Vulnerability Assessments convergence on existing NS/EP services Task Force (NS/VATF) (e.g., Government Emergency Telecommuni- cations Service [GETS] and Telecommunica- Periods of Activity tions Service Priority [TSP]) and to prepare ITPITF: September 1999–June 2000 for a Research and Development (R&D) Exchange Symposium focusing on network CTF: June 2000–June 2001 convergence issues.

NS/VATF: June 2001–March 2002 The ITPITF analyzed issues related to GETS functionality in IP networks. The ITPITF Issue Background determined that because IP networks do not have network intelligence features analogous Telecommunications carriers are imple- to Signaling System 7 (SS7), IP networks menting cost-effective packet networks to may not support activation of GETS access remain competitive in the evolving telecom- and transport control and features. munications marketplace and to support Furthermore, without quality of service (QoS) wide-scale delivery of diverse, advanced features to enable priority handling and broadband services. However, because of transport of traffic in IP networks, GETS their large investments in circuit switched calls may encounter new blocking sources network infrastructure, carriers are initially and be subject to poor completion rates leveraging the best of both infrastructures, during overload conditions. resulting in a period of network conver- The ITPITF concluded that as the NGN gence during the transition to the next evolves, telecommunications carriers’ SS7 generation network (NGN). In this evolving networks will become less discrete and more network environment, the NSTAC recog- dependent on IP technology and interfaces. nizes that industry and Government must Therefore, it will be necessary to consider strive to identify and remedy associated the security, reliability, and availability network vulnerabilities to ensure sustained of the NGN control space related to the critical communications capabilities of the provision and maintenance of NS/EP NS/EP community. Accordingly, the NSTAC service capabilities. established task forces to analyze various infrastructure, security, and operational In addition, the ITPITF analyzed potential vulnerabilities stemming from network con- implications of convergence on TSP services. vergence and to provide recommendations to mitigate the vulnerabilities.

XXVII_PreviousIssues.indd 49 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

The ITPITF concurred with the oversight Additionally, the ITPITF recommended committee that TSP services remained that the NSTAC XXIV work plan include an relevant in converged networks, as TSP examination of the potential NS/EP impli- assignments could still be applied to identifi- cations related to possible security and able segments of the PSN. However, because reliability vulnerabilities of the control space TSP applies only to circuit switched in the NGN. networks, a new program may be needed to support priority restoration and provi- On September 28 and 29, 2000, the sioning in end-to-end packet networks. President’s NSTAC co-sponsored its fourth R&D Exchange. The event was co-sponsored The ITPITF also examined evolving network by the White House Office of Science and technologies and capabilities that could Technology Policy (OSTP) and conducted support NS/EP functional requirements in conjunction with the Telecommunica- in both converged networks and the NGN. tions and Information Security Workshop The ITPITF concluded that QoS and other 2000 held at the University of Tulsa in new NGN capabilities would require some Tulsa, Oklahoma. The purpose was to enhancement to best satisfy specific exchange ideas among representatives from NS/EP requirements. industry, Government, and academia on the challenges posed by network convergence. Based on the ITPITF’s May 2000 report to Discussions of convergence issues at the NSTAC XXIII, the NSTAC recommended that workshop and the R&D Exchange led to the the President, in accordance with responsi- following conclusions: bilities and existing mechanisms established by Executive Order 12472, Assignment of • There is a shortage of qualified infor- National Security and Emergency Prepared- mation technology (IT) professionals, ness Telecommunications Functions, direct particularly those with expertise the appropriate departments and agencies, in information assurance and/or in coordination with industry, to: computer security.

• Promptly determine precise func- • Developing a business case for tional NS/EP requirements for security poses difficult challenges in convergence and the NGN the commercial sector, and there is a need to offset the high costs and • Ensure that relevant NS/EP func- high risks associated with R&D in tional requirements are conveyed security technology. to standards bodies and service providers during NGN standards • Given the complexity and interde- development and implementation. pendence introduced to networks by convergence and the proliferation of network providers and vendors, best practices, standards, and protection profiles that help to ensure secure interoperable solutions must be evenly applied across the NGN.

XXVII_PreviousIssues.indd 50 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

• There is a need to enhance R&D • Invest in R&D programs that efforts to develop better testing encourage the development of best and evaluation programs to reduce practices in NGN security, such as the vulnerabilities introduced by improved testing and evaluation, malicious software. broadband protection profiles, and NGN security standards. From these conclusions, the participants at the R&D Exchange offered several To support the Government, the recommendations for consideration by the NSTAC should: Government and the NSTAC. These recommendations focus on improving • Consider the issues of best practices network security in a converged and and standards in its report to distributed environment. Specifically, the NSTAC XXIV Government should: • Consider the evolving standards of due care legal issues discussed at the • Establish and continue to fund Government programs to encourage R&D Exchange, including linked or increasing the number of graduate third party liability and new privacy and undergraduate students legislation and regulations such as pursuing study in computer the Health Insurance Portability and security disciplines Accountability Act of 1996

• Conduct another R&D Exchange • Increase the funding and support to the National Security Agency and in partnership with one or more other Government agencies to facili- of the IA Centers of Excellence to tate the certification of additional discuss the difficulties in and strate- Information Assurance (IA) Centers gies for both increasing the number of Excellence to train and educate of qualified IT security profession- the next generation of information als and enhancing the academic technology security professionals curricula to meet the security challenges of the NGN. • Develop tax credits and other financial incentives to encourage Beginning in September 2000, the Con- industry to invest more capital in vergence Task Force (CTF) analyzed issues the research and development of related to the potential security and reliabil- security technologies ity vulnerabilities of converged networks. Based on briefings received from industry • Expand partnerships on critical and Government representatives, the CTF infrastructure protection issues by concluded that the public switched telephone encouraging more representatives network (PSTN) is becomingly increasingly from academia and State and local vulnerable as a result of its convergence with Governments to participate packet networks.

XXVII_PreviousIssues.indd 51 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Of particular concern to the CTF was Through examination of related past NSTAC the interoperation of the intelligent reports and participation in a National network of the PSTN with IP networks Coordinating Center for Telecommunica- via existing gateways. The CTF noted tions single point of failure exercise, the CTF that malicious attacks on these gateways members determined that a scenario could could impact overall network availability not be envisioned, even in the converged and reliability. Members suggested that network environment, in which a single possible remedies for these vulnerabilities point of failure could cause widespread include signaling firewalls implemented at network disruption. Members found it more network gateways and embedded security likely that any single points of network capabilities defined through standards. failure would have only local or “last The CTF determined that additional analysis mile” impacts. However, the CTF concluded of these security vulnerabilities is required that unforeseen points of failure precluded to gain further understanding of the definitive assertions regarding the implau- possible consequences of the evolving NGN. sibility of a national level network failure. Such an analysis should include examina- The CTF also found that converged network tion of the convergence of wireless data vulnerabilities and possible points of failure networks with the PSTN. could impact service availability and reliability essential to NS/EP operations rather Furthermore, it was agreed that the NGN than creating network component failures. must offer the NS/EP community quality Members suggested sharing detailed of service, reliability, protection, and network data among industry, Government, restoration features analogous to those and academia was needed to further under- of the PSTN. To achieve this, the CTF stand converging networks and achieve suggested that Government foster strong more accurate network modeling and simu- working relationships with NGN carriers lation techniques to analyze vulnerabilities and work to specify security requirements and their impacts. in packet network procurements in an effort to attain network reliability commensurate The CTF also examined the ongoing with that of the PSTN. standards development efforts supporting NS/EP priority requirements in the In response to concerns expressed by converged network. Group members prominent Government officials, the CTF concluded that, as the NGN evolves to offer also examined issues of possible single more advanced broadband services, the points of failure in converged networks Government must remain actively involved and associated possibilities of widespread in the relevant standards bodies’ activities to network disruptions. help define and ensure the consideration of NS/EP requirements in the IP environment.

XXVII_PreviousIssues.indd 52 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

The CTF further encouraged the Government Additionally, the CTF recommended that to remain actively involved in working the NSTAC XXV work plan include the group activities related to NS/EP issues following tasks: including the Internet Engineering Task Force and the International Telecommunica- • Examine the NS/EP security and reli- tions Union. ability implications of the convergence of wireless data Based on the CTF’s June 2001 report to networks with the PSTN and NSTAC XXIV, the NSTAC recommended that traditional wireless networks the President direct the appropriate departments and agencies, in coordination with • Support the efforts of the Govern- industry, to: ment Subgroup on Convergence as requested by the Government in • Specify network security, service accordance with NSTAC’s charter level, and assurance requirements in contracts to help ensure reliability • Further examine converged network and availability of NS/EP communi- control space-related vulnerabili- cations during network convergence ties, including those of signaling and in the developing NGN and media gateways, and analyze possible NS/EP implications. • Ensure that standards bodies consider NS/EP communications Actions Resulting from functional requirements during their NSTAC Recommendations work addressing network conver- Based on NSTAC recommendations, the gence issues, including security of National Communications System (NCS) PSTN-IP network SS7 control traffic is actively participating in various standards and development of packet network bodies to ensure consideration of NS/EP priority services functional requirements during convergence and in the NGN. The NCS is contributing • Plan and participate in additional to activities of the European Telecommuni- exercises examining possible vul- cations Standards Institute, Telecommunica- nerabilities in the emerging public tions and Internet Protocol Harmonization network (PN) and subsequent NS/EP over Networks (ETSI TIPHON) group. implications on a national and inter- ETSI TIPHON is examining several security national basis issues related to convergence, including identification and authentication procedures • Utilize the Telecommunications for emergency calls, and issues related Information Sharing and Analysis to cyber attacks and malicious intrusion Center (Telecom-ISAC) to facili- into networks. tate the process of sharing network data and vulnerabilities to develop suitable mitigation strategies to reduce risks.

XXVII_PreviousIssues.indd 53 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

The NCS is also active in International • Network disruptions, particularly Telecommunication Union Standardization distributed denial of service Sector efforts regarding recommendation (DDoS) attacks E.106, Description of the International Emergency Preference Scheme (IEPS). • Security and vulnerability of the IEPS recognizes the requirement for converged network control space, priority communications among Govern- including wireless, network simu- ment, civil, and other essential users of lation and testing, standards, and public telecommunications services in consequence management issues crisis situations. IEPS, which is similar to • Needed countermeasures (e.g., func- GETS, would give authorized users priority tional requirements) to address the access to and transport of NS/EP-related issues above. calls on an international basis within The NS/VATF noted that the the PSTN and integrated services digital September 11, 2001, terrorist attacks on network infrastructures. the World Trade Center and the Pentagon Citing findings of the ITPITF, on have renewed concerns regarding physical March 9, 2001, the National Coordinator threats to the PN. While the telecommunica- for Security, Infrastructure Protection, and tions infrastructure had not been a direct Counter-terrorism established, in conjunc- target of terrorism, it could be in the future. tion with OSTP, an interagency Convergence Therefore, the NS/VATF concluded that subgroup under the Counter Terrorism Federal, State, and local Government assis- and National Preparedness Information tance related to preventing, mitigating, and Infrastructure Protection Assurance Group. responding to such an occurrence should The purpose of this Convergence Working be coordinated through the Telecom-ISAC. Group (CWG) was to address issues associ- In addition to the enduring physical threat ated with the convergence of the voice and to the Nation’s networks, the NS/VATF data networks and the implications of this concluded that cyber attacks present a convergence on NS/EP telecommunica- growing threat to the security of U.S. tions services. The associated policy, legal, information systems and, consequently, security, and technical issues were previ- to the critical communications of the ously identified in a Report of the CTF, NS/EP community. As cyber network attack dated December 29, 2000. The CWG issued techniques increase in sophistication and its final report on February 14, 2002. intruders continue using DDoS techniques to exploit vulnerabilities, cyber attacks will Recent and Planned Activities likely cause greater collateral impacts to NS/EP communications. Because of this Following NSTAC XXIV in May 2001, the IES threat environment, the NS/VATF concluded formed the Network Security/Vulnerability that industry and Government should Assessments Task Force (NS/VATF) and continue participating in ISACs to develop charged the group to address public network and implement unified and centralized policy and technical issues related to: capabilities to respond to attacks as they are occurring.

XXVII_PreviousIssues.indd 54 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

The NS/VATF also concluded that additional • Specifying security standards in steps are necessary to enhance the security contracts and purchase orders. of the control space of the evolving PN. This process would result in more As network convergence continues, commercial off-the-shelf products malicious attacks focusing on the network and services, which the Government control space are increasingly feasible; can then procure at reduced cost therefore, industry and Government coop- • Increasing stakeholder awareness of eration is necessary to address control cyber vulnerabilities and mitigation space vulnerabilities and implement strategies, including strong cyber remedial tools. The NS/VATF also encour- security and response plans. aged industry and Government support of the Network Security and Information The NS/VATF concluded that the PN and Exchanges’ (NSIE) efforts to develop a its services supporting NS/EP users would cross-industry security posture that could continue to be at risk from increasingly help provide a foundation for protecting the technologically sophisticated, well-coordi- control space of the emerging PN. nated threat sources. Therefore, industry and Government must continue to work The NS/VATF also expressed concern about together to devise countermeasures and security issues affecting NS/EP communi- strategies to help mitigate the impacts of cations transiting wireless networks and physical and cyber attacks on the PN and technologies, including the security of the other critical infrastructures. interoperation of wireless and wireline networks—and, more specifically, activities Based on the NS/VATF’s March 2002 report addressing the wireless access protocol. to NSTAC XXV, the NSTAC recommended The task force also concluded that Govern- that the President direct the appropriate ment should deploy wireless local area departments and agencies, in coordination networks with higher levels of security and with industry to: consider policies that would reduce the risks • Coordinate and prioritize through of using personal area network devices. the Telecom-ISAC, Government On the basis of its analysis, the NS/VATF assistance to industry to protect the stated that some of the best strategies for Nation’s critical communications countering vulnerabilities of the critical tele- assets and to mitigate the effects of communications infrastructure involved: an attack as it is occurring

• Encourage and adequately support • Increasing Government participation in standards bodies, and develop- the development and adoption of ing a coordinated Government-wide baseline standards and technologies approach to standards development including version 6, Internet Protocol Security, and the Emergency Telecommunications Service scheme, to help bolster core security and reliability of the NGN

XXVII_PreviousIssues.indd 55 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

• Support the NSIEs’ efforts to develop a cross-industry security posture that could help provide a foundation for containing the control space of the emerging public network

• Work with standards bodies to ensure consideration of NS/EP communications functional requirements while addressing the security of the interoperation of wireless and wireline networks, and more specifically, activities addressing wireless access protocol

• Ensure that all wireless local area networks used by the Gov- ernment meet the highest level of security standards available, with priority given to those supporting NS/EP missions

• Develop policies and procedures to support the use of personal area network devices while reducing their risk of compromise. Reports Issued:

• Information Technology Progress Impact Task Force Report on Convergence, May 2000.

• Research and Development Exchange Proceedings: Transparent Security in a Converged Network Environment, September 2000.

• Convergence Task Force Report, June 2001.

• Network Security Vulnerability Assessments Task Force Report, March 2002.

XXVII_PreviousIssues.indd 56 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Response to September 11, 2001, History of NSTAC Actions Terrorist Attacks and Recommendations After identifying nearly 40 policy and Investigation Group operational lessons learned from the September 11 “Lessons Learned” September 11, 2001, response, the ad hoc Ad Hoc Group group narrowed its focus to the following issues: access procedures to disaster sites, Period of Activity communications procedures, and industry representation within the NCC. October 15, 2001–December 3, 2001 The major issue dealt with procedures for Issue Background access to disaster sites affected by the attacks. Specifically, inconsistent access control The terrorist attacks of September 11, 2001, procedures for moving telecommunications required industry and Government to equipment and personnel into and out of the marshal resources at the national, State, World Trade Center disaster area created and local levels to support response and confusion and presented obstacles for the recovery efforts. A critical part of those telecommunications companies engaged in efforts was the restoration of emergency the restoration of the infrastructure. telecommunications services and the pro- Procedures were revised each time a new visioning of communications to emergency authority took responsibility for managing response personnel. The National Com- access to the disaster area. Depending on munications System and the National the phase of the response, local respond- Coordinating Center for Telecommunica- ers, State authorities, or Federal personnel tions (NCC), in partnership with NSTAC were in control. The invocation of both crisis companies, played a major role in management, i.e. law enforcement officials ensuring a quick response and recovery treated the disaster area as on ongoing of telecommunications capabilities in the crime scene, and consequence management wake of the September 11, 2001, attacks. measures served to complicate the access Subsequently, in response to a request from control issue even further. the Special Advisor to the President for Cyberspace Security, the NSTAC formed Based on the ad hoc group’s analysis, the the September 11, 2001 “Lessons Learned” NSTAC recommended that the President Ad Hoc Group to provide an industry direct the appropriate departments and perspective on lessons learned in responding agencies to lead a national effort to examine to the September 11, 2001, tragic events. remedies to perimeter access control issues. The NSTAC Chair discussed the ad hoc The NSTAC determined that these remedies group’s analysis in its December 12, 2001, should consider overlapping jurisdic- letter to the President. tions and result in consistent processes and procedures for incorporation into the Federal Response Plan and State and local emergency response plans.

XXVII_PreviousIssues.indd 57 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

The objective was to ensure that any In the aftermath of the September 11, 2001, future national response efforts to attacks, the NS/EP community reaffirmed unanticipated attacks would be fully the critical role wireless communications planned and coordinated and consistently plays in response to national emergencies. carried out without delay. Similarly, Internet services were deemed to be increasingly important in disaster Additionally, the ad hoc group response and central to the mission- addressed communications procedures critical operations of business and during emergencies. The events of Government agencies. Accordingly, the September 11, 2001, demonstrated the ad hoc group examined the mix of industry need for standard procedures to improve representation in the NCC and found that communications among decision makers, NCC members represented (1) the majority operational personnel, and other stakehold- of the wireless carrier market share, ers during emergencies. Such procedures (2) more than half of the Internet backbone would have to take into account the provider market, and (3) a minority of the severity of the emergency, the classifica- Internet access provider market. The ad hoc tion of the communications, the location group concluded that augmenting Internet of the communicators, and the telecom- access provider membership in the NCC munications capabilities available, among could help the NCC better address potential other factors. The ad hoc group found that network security issues. Such issues the requisite operational procedures were included the threat of distributed denial already developed and in place at the NCC, of service attacks and software viruses including procedures related to the NCC’s launched by end users via dial-up connec- Telecommunications Information Sharing and tions to the network. Analysis Center (Telecom-ISAC) function. The NSTAC had consistently identified As part of its lessons learned analysis, the ISACs as the appropriate focal points for ad hoc group reviewed previous NSTAC coordinating communications among recommendations, recognizing that the industry players and between industry and NSTAC’s cumulative work could provide Government in the new threat environment. valuable information related to ensuring Consequently, the ad hoc group concluded reliable infrastructure services and securing that the telecommunications industry the Nation’s critical facilities. The group also should work through NCC representatives recognized that the sharing of such infor- to address communications requirements mation had gained new importance with during emergencies. the national focus on homeland security. Previous NSTAC studies selected for review The ad hoc group also analyzed NCC by the group were in the areas of cellular industry representation. The group priority access, energy service priority, acknowledged that the NCC must maintain protection of critical facilities, public proper industry representation to meet network convergence and vulnerabilities, operational challenges in the evolving threat and national information sharing, analysis, and technology environments. and warning.

XXVII_PreviousIssues.indd 58 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

The group concluded that such studies and associated recommendations could demonstrate best practices for use by other organizations concerned with the physical and cyber security of critical infrastructures supporting multiple sectors.

XXVII_PreviousIssues.indd 59 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Information Assurance To address the distinctive characteristics of those infrastructures, the IATF estab- Investigation Groups lished three risk assessment subgroups to examine each infrastructure’s dependence Information Assurance Task Force (IATF) on information technology and the associated IA risks to its information systems. Information Infrastructure Group (IIG) Following NSTAC XIX, the IES renamed Periods of Activity the IATF the IIG and gave it the mission to continue acting as the focal point for IATF: May 15, 1995–April 22, 1997 NSTAC IA and critical infrastructure protection (CIP) issues. IIG: April 22, 1997–September 23, 1999 In investigating IA/CIP issues, the IIG Issue Background worked closely with the President’s Com- mission on Critical Infrastructure Protection At NSTAC XVII, the Director of the National and other Federal organizations concerned Security Agency briefed the NSTAC Prin- with examining physical and cyber threats cipals on threats to U.S. infrastructures. to the Nation’s critical infrastructures. In the ensuing months, the NSTAC’s Issues Federal efforts in this arena culminated with Group sponsored a number of meetings with the release of presidential policy guidance— representatives from the national security Presidential Decision Directive (PDD) community, law enforcement, and civil 63, Critical Infrastructure Protection, departments and agencies to discuss infor- May 22, 1998. Subsequently, PDD-63 mation warfare (defensive) and information implementation became a focal point for assurance (IA) issues. At the May 15, 1995, the IIG’s activities. Industry Executive Subcommittee (IES) Working Session, the members approved History of NSTAC Actions establishing the IATF to serve as a focal and Recommendations point for IA issues. More specifically, the IES charged the IATF to cooperate with the The IATF’s Electric Power Risk Assessment U.S. Government to identify critical national Subgroup completed its IA risk assessment infrastructures and their importance to report in preparation for the March 1997 the national interest, schedule elements for NSTAC XIX meeting. In compiling infor- assessment, and propose IA policy recom- mation for this report, the Electric Power mendations to the President. Risk Assessment Subgroup met with representatives from eight electric utilities, two The IATF worked closely with industry and industry associations, an electric power pool, Government representatives to identify equipment manufacturers, and numerous critical national infrastructures and ulti- industry consultants. mately selected three for study: electric power, financial services, and transportation.

XXVII_PreviousIssues.indd 60 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Based on these interviews, the subgroup The subgroup found that industry assessed the extent to which the infrastruc- organizations treated security measures ture depends on information systems and as fundamental risk controls—that a how associated vulnerabilities placed the system of independent, mutually reinforc- electric power industry at increased risk to ing checks and balances within critical denial-of-service attacks. Based on the sub- systems and networks was unique to the group’s findings, the NSTAC recommended financial services industry, providing a high that the President: level of integrity. The subgroup concluded that at the national level the industry was • Assign the appropriate department sufficiently protected and prepared to or agency to develop and conduct address a range of threats. However, the an ongoing program within the subgroup identified security implications and electric power industry to increase potential vulnerabilities associated with the the awareness of vulnerabilities and industry’s dependence on the telecommu- available or emerging solutions nications infrastructure being subjected to deregulation, the integration of dissimilar • Establish an NSTAC-like advisory information systems and networks resulting committee to enhance industry/ from mergers and acquisitions, and the Government cooperation regarding introduction of Web-based financial services. regulatory changes affecting Based on the Financial Services Risk Assess- electric power ment Report, the NSTAC recommended that • Provide threat information and the President: consider providing incentives for • Assign to the appropriate department industry to work with Government or agency the mission of identifying to develop and deploy appropriate external threats and risk mitigation security features for the electric to the financial services infra- power industry. structure, facilitating the sharing The IIG’s Financial Services Risk Assess- of information between industry ment Subgroup submitted its final and Government recommendations in a report to NSTAC XX • Assign the appropriate department in December 1997. In compiling information or agency the task of working for this report, the Financial Services Risk with the private sector to develop Assessment Subgroup conducted confiden- a mutually agreeable solution for tial interviews with institutions representing effective background investigations money center banks, securities credit firms, for sensitive positions credit card associations, third-party proces- sors, industry utilities, industry associations, • Assign the appropriate department and Federal regulatory agencies responsible or agency the task of monitoring the for industry oversight. new/emerging areas of electronic money and commerce, including new payment services

XXVII_PreviousIssues.indd 61 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

• Ensure that the NSTAC continues to Workshop findings were categorized into have at least one member from the four areas: 1) threats and deterrents, financial services industry. 2) vulnerabilities, 3) protection measures, and 4) infrastructure-wide issues. Based on The IIG’s Transportation Risk Assessment the IIG’s final Transportation Risk Assess- Subgroup sponsored a workshop on ment Report, the NSTAC recommended that September 10, 1997, to discuss the the President: transportation information infrastructure. Topics included intermodal information • Continue support for the efforts of dependencies, industry/Government the Department of Transportation information sharing, transportation to promote outreach and awareness information infrastructure vulnerabilities, within the transportation infrastruc- and Government understanding of the ture as expressed in PDD-63, Critical transportation industry’s information infra- Infrastructure Protection. structure vulnerabilities. The workshop, held at Fort McPherson, Georgia, included As part of the above recommendation, the representatives from many major trans- NSTAC specifically recommended that the portation companies, including airlines, President and the Administration ensure multimodal carriers, rail, highway, mass support for the following activities: transit, and maritime. The subgroup • Timely dissemination of documented its findings in an Interim Government information on Transportation Information Risk Assessment physical and cyber threats to the Report to NSTAC XX in December 1997. transportation industry The IIG continued to investigate transpor- • Government research and devel- tation information infrastructure issues opment programs to design through the NSTAC XXII cycle. As part of infrastructure assurance tools and that effort, the IIG worked with Department techniques to counter emerging of Transportation representatives to conduct cyber threats to the transportation outreach meetings with transportation information infrastructure industry associations to better understand intermodal transportation trends. • Industry/Government efforts to The IIG also hosted another workshop on examine emerging industry-wide March 3 and 4, 1999, in Tampa, Florida, vulnerabilities such as those related which included representation from each to the Global Positioning System transportation sector. Participants discussed industry trends, including increased reliance • Future Department of Transpor- on information technology and the rapid tation conferences to simulate growth of intermodal transportation. intermodal and, where appropriate, inter-infrastructure information exchange on threats, vulnerabilities, and best practices.

XXVII_PreviousIssues.indd 62 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Following NSTAC XX, the IIG formed an • In accordance with responsibilities Electronic Commerce (EC)/Cyber Security and existing mechanisms established Subgroup to address two issues: the by Executive Order 12472, Assign- short-term, technical, and time-sensitive ment of National Security and issue relating to cyber security training Emergency Preparedness Telecommun- and forensics; and the long-term, policy ications Functions, designate a focal oriented, high-level issue of the NS/EP point for examining the NS/EP implications of EC. In addressing the short- issues related to widespread adoption term issue, the subgroup found that industry of EC within the Government and Government needed a stronger partnership to establish appropriate levels of trust • Direct Federal departments and and understanding and to foster cooperation agencies, in cooperation with an in addressing cyber security issues. At the established Federal focal point, to September 1998 NSTAC XXI meeting, the assess the effect of EC technologies NSTAC approved the subgroup’s study paper on their NS/EP operations. along with the IIG report and made the At the NSTAC XXI Executive Session, the following recommendation: U.S. Attorney General requested that the NSTAC and the Department of Justice (DOJ) • The President should direct the appropriate departments and work together to address cyber security agencies to continue working with and crime. The IES determined that the the NSTAC to develop policies, projects DOJ suggested should not be procedures, techniques, and tools to addressed by the NSTAC at large but facilitate industry/Government agreed that the NSTAC could help facilitate a cooperation on cyber security. partnership between the DOJ and individual corporations. This agreement To address the long-term issue, the IIG resulted in a meeting on March 5, 1999, continued to investigate the NS/EP between the NSTAC chair and the Attorney implications associated with the adoption General where they discussed the pos- of EC within industry and Government. sibilities for industry and Government The group focused its efforts on issues participation on mutually beneficial projects. associated with the changing business and These efforts ultimately resulted in DOJ’s security processes and policies necessary Cyber Citizen program. to implement EC. The IIG’s conclusions and recommendations were included in its Building on past NSTAC efforts in address- June 1999 report to NSTAC XXII. Based on ing IA and CIP issues, the IIG continued to that report, the NSTAC recommended that coordinate with Federal officials responsible the President: for PDD-63 implementation during the NSTAC XXII cycle.

XXVII_PreviousIssues.indd 63 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Specifically, in accordance with the PDD-63 Finally, PDD-63 emphasizes the importance emphasis on public-private partnerships, of relying on nonregulatory solutions to IIG members focused on sharing the lessons address infrastructure vulnerabilities. and successes of NSTAC and offering it as a In satisfying this objective, the Administra- possible model for other infrastructures. tion underscored the value of promoting industry standards and best practices to Actions Resulting from improve IA. That approach is consistent NSTAC Recommendations with and follows on the December 1997 NSTAC XX recommendation regarding the NSTAC advice to the President and the creation of a private sector Information Administration has had significant Systems Security Board. applicability to PDD-63 implementation. PDD-63 directs Federal lead agencies to Reports Issued identify infrastructure sector coordinators within industry to provide perspective • Information Assurance Task Force on CIP programs. At NSTAC XXI in Report, March 1997. September 1998, the NSTAC concluded that • Electric Power Information Assurance more than one entity or sector coordinator Risk Assessment Report, March 1997. would be required to represent the diverse information and communications sector. • Information Infrastructure Group In February 1999, following IES outreach Report, December 1997. to the Administration on the issue, the Department of Commerce acted in concert • Financial Services Risk Assessment with NSTAC advice and selected three Report, December 1997. industry associations to serve as sector coordinators for the information and • Interim Transportation Information communications sector. Risk Assessment Report, December 1997. PDD-63 also calls for the private sector to explore the feasibility of establishing one • Cyber Crime Point Paper, or multiple Information Sharing and December 1997. Analysis Centers (ISAC). On the basis of • Information Infrastructure Group the December 1997 NSTAC recommen- Report, September 1998. dation regarding a cross-infrastructure National Coordinating Mechanism, IES • Cyber Security Training and Forensics representatives engaged in a dialogue Issue Paper, September 1998. with senior Administration officials on the prospects of creating multiple infra- • Information Infrastructure Group structure-based ISACs. That dialogue Report, June 1999. was important to the eventual decision to Transportation Information Infra- establish the National Coordinating • structure Risk Assessment Report, Center for Telecommunications as an June 1999. ISAC for telecommunications.

XXVII_PreviousIssues.indd 64 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

• Report on NS/EP Implications of Electronic Commerce, June 1999.

XXVII_PreviousIssues.indd 65 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Legislation and Regulation, The IES established the LRWG as a 1994–1999 permanent working group, which received tasking from the IES when task forces require Investigation Group clarification or analysis on legislative or regulatory matters affecting a specific issue. Funding and Regulatory Working Group (FRWG) As the first major overhaul of telecommunications policy since 1934, the Tele- Legislative and Regulatory Group (LRG) communications Act of 1996 (Telecom Act) redefined competition and regulation in Periods of Activity virtually every sector of the communications industry. In response to passage of FRWG: December 1982–December 1994 the Telecom Act and the evolving telecom- LRG: December 1994–September 1999 munications environment, the IES charged the group to examine legislative, regulatory, Issue Background and judicial actions that potentially impact NS/EP telecommunications. At its inaugural meeting in December 1982, the NSTAC established the FRWG to In its charge to the LRG, the IES placed examine funding alternatives and regula- particular emphasis on monitoring tory issues for candidate enhancements to implementation of the Telecom Act. NS/EP telecommunications. In 1984, the In addressing this charge, the group FRWG formed the Funding of NSTAC Initia- established a framework for analysis, and tives Task Force to investigate approaches in January 1997, began working closely to NSTAC funding mechanisms. The FRWG with industry and Government to develop a reconvened in 1990 to review the NSTAC common understanding of the NS/EP funding methodology. The FRWG remained implications of the new law. active until 1994 addressing issues such as enhanced call completion, underground The group found the Telecom Act did not storage tanks, and telecommunications alter carrier responsibilities for the provision service priority carrier liability. The NSTAC of NS/EP services. However, the group Industry Executive Subcommittee (IES) later determined that continued change in the changed the name of the FRWG to the LRG regulatory and industry structure warranted per the December 1994 Industry Executive increased educational outreach efforts for Subcommittee Guidelines. The LRG did not new entrants and existing carriers regarding become active until January 1997 following their mandatory and voluntary obligations. the passage of the landmark Telecommuni- At NSTAC XIX in March 1997, the cations Act of 1996. The IES reconstituted Assistant to the President for Science the LRG as the Legislative and Regulatory and Technology asked the NSTAC to Working Group (LRWG) following the IES investigate the possibility of a widespread reorganization in September 1999. telecommunications outage.

XXVII_PreviousIssues.indd 66 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Subsequently, the LRG analyzed the legal The LRG agreed that a National Services and regulatory obstacles that would hinder planning process, as conceived by the service restoration during widespread, NRIC, could serve as an effective means major service outages, and presented for promoting NS/EP telecommunica- those findings in its December 1997 report tions requirements. Consequently, the to NSTAC XX. The LRG found the most LRG assessed what actions it should take significant legal and regulatory obstacle to ensure that industry and Government to be the apparent uncertainty about consider NS/EP requirements during the who could expeditiously address carriers’ planning process. In its report to NSTAC XX, concerns regarding their compliance the group presented its findings and recom- with relevant laws or regulations during mended that the IES continue to assess the emergency situations. development of the NRIC recommendations regarding National Services. In response to this finding, the IES charged the LRG to examine options for enhancing Following NSTAC XX, the LRG established communication on NS/EP matters among the National Services Subgroup to study industry, the Federal Communications the feasibility of defining NS/EP telecommu- Commission (FCC), and other relevant nications functions as National Services. Government organizations. To that end, The subgroup submitted a paper to the LRG investigated the role of the FCC NSTAC XXI in September 1998 geared to Defense Commissioner; investigated the facilitating public awareness of selected need for an NS/EP industry advisory body NS/EP-critical telecommunications functions to the FCC; and documented the intergov- and capabilities. The paper also promoted ernmental relationships between the FCC, the continued consideration of NS/EP the National Communications System, telecommunications service objectives by and the Office of Science and Technology industry and Government during the future Policy regarding NS/EP responsibilities. deployment of NS/EP National Services. Discussions with FCC officials prompted the LRG to work jointly with the Network In October 1997, the President’s Group’s Widespread Outage Subgroup to Commission on Critical Infrastructure develop procedural guidelines to help tele- Protection (PCCIP) released its final report communications carriers resolve issues with and recommendations on protecting the the FCC when critical emergency telecom- Nation’s critical infrastructures, including munications services needed to be restored the telecommunications infrastructure. in a timely manner. Following NSTAC XX, the IES charged the LRG to review the PCCIP’s recommendations In July 1997, the Network Reliability and for potential legislative and regulatory Interoperability Council (NRIC) provided implications for NS/EP telecommunications. the FCC with a series of recommendations Addressing this charge, the LRG also aimed at improving the planning process for conducted a preliminary analysis of National Services and deployable telecom- Presidential Decision Directive (PDD) 63, munications services intended or required Critical Infrastructure Protection, which built on a national or regional basis. on the PCCIP’s recommendations.

XXVII_PreviousIssues.indd 67 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

The President issued PDD-63 on Per request by the President’s Council May 22, 1998, and outlined a national on Y2K Conversion, the IES forwarded policy to eliminate vulnerabilities in the a summary of the LRG’s findings in Nation’s critical infrastructures. Given the February 1999. LRG’s findings, the IES decided to undertake a more detailed assessment of the planned The IES also charged the LRG to identify implementation of PDD-63. the barriers to the issuance of wireless telecommunications priority access rules by Following NSTAC XXI and in response to the FCC and to evaluate NSTAC’s level of information sharing policy outlined in continued support of the Cellular Priority PDD-63, the IES tasked the LRG with Access Service (CPAS), now referred to as identifying and assessing legal and regu- Wireless Priority Service. The LRG learned latory obstacles to sharing outage and that due to a number of factors, the NCS was intrusion information. To that end, the LRG addressing a new approach for providing determined that identification and discus- wireless priority access based on channel sion of existing and proposed NS/EP-related reservation rather than the technology origi- outage and intrusion information sharing nally proposed for CPAS. mechanisms could provide additional insights to assist the IES in assessing critical The LRG also reviewed convergence issues information sharing issues, particularly in light of legislative, regulatory, and judicial those associated with the implementation actions that might affect existing and future of PDD-63. To better understand the infor- public networks and potentially impact mation sharing environment and the entities NS/EP telecommunications. The LRG’s involved in the process, the LRG developed preliminary analysis of convergence a report illustrating the entities with whom revealed no significant implications for telecommunications companies shared NS/EP telecommunications. outage and intrusion information and Reports Issued reviewing potential legal barriers that could inhibit the information sharing process. • Legislative and Regulatory Group Report, December 1997. In addition to evaluating the landscape of outage and intrusion information sharing, • Legislative and Regulatory Group the IES tasked the LRG to examine relevant Report, September 1998. Year 2000 (Y2K) issues, particularly the success of the Year 2000 Readiness and • Procedure for Problem Resolution with Disclosure Act (Y2K Act) in being a catalyst the Federal Communications Commis- to information sharing within industry. sion and the National Coordinating The LRG sent a letter to the NSTAC’s IES Center for Telecommunications During representatives seeking their companies’ Emergency Telecommunications comments on the Y2K Act and any addi- Disruptions, September 1998. tional legislative or regulatory actions that National Services Subgroup White could facilitate Y2K-related information • Paper, September 1998. sharing and remediation.

XXVII_PreviousIssues.indd 68 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

• Legislative and Regulatory Group Report, June 1999.

• Telecommunications Outage and Intrusion Information Sharing Report, June 1999.

XXVII_PreviousIssues.indd 69 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Industry/Government In response, the NSTAC Industry Executive Information Sharing Subcommittee (IES) established the NCC Vision Task Force in October 1996 to and Response consider the implications of the new environment for the functions performed by Investigation Groups the NCC. The IES charged the task force to National Coordinating Center for determine whether the mission, organiza- Telecommunications (NCC) Vision tion, and capabilities of the NCC were still Task Force valid, considering the ongoing changes in technology, industry composition, threats, Operations Support Group (OSG) and requirements. Following the IES group reorganization in April 1997, the task force Information Sharing/Critical Infrastructure became the NCC Vision Subgroup and later Protection (IS/CIPTF) Task Force the NCC Vision-Operations Subgroup under the OSG. In 1997, the NSTAC also revisited Periods of Activity the original concept for an industry/Govern- NCC Vision Task Force: October 15, 1996– ment mechanism to coordinate planning, April 22, 1997 information sharing, and resources in response to NS/EP requirements. OSG: April 22, 1997–September 23, 1999 Unlike the original NCM plan that applied to the telecommunications infrastructure, IS/CIPTF: September 23, 1999– this revised NCM concept involved linking May 16, 2000 all the Nation’s critical infrastructures Issue Background (e.g., telecommunications, financial services, electric power, and transportation). The NSTAC formed the National Coor- In July 1997, the OSG created the NCM dinating Mechanism (NCM) Task Force Subgroup to explore the need for and feasi- in December 1982 to facilitate industry/ bility of an NCM across infrastructures. Government response to the Government’s In May 1998, the President released growing NS/EP telecommunications Presidential Decision Directive (PDD) 63, service requirements in the post- a critical infrastructure protection divestiture environment. The task force directive calling for, among other things, submitted its final report, the NCM industry participation in the Government’s Implementation Plan, to the NSTAC on efforts to ensure the security of the January 30, 1984. That report led to Nation’s infrastructures. As it continued to formation of the NCC, an emergency refine the NCM concept, the NCM Subgroup response coordination center that supports considered this Government initiative. the Government’s NS/EP telecommunications requirements. Since 1984, threats to the NS/EP telecommunications infrastructure changed significantly.

XXVII_PreviousIssues.indd 70 10/8/04, 4:33 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

In September 1998, the OSG formed the History of NSTAC Actions Year 2000 (Y2K) Subgroup to address and Recommendations several Y2K issues raised at the NSTAC XXI meeting, including the need for Y2K During 1997, the NCC Vision Subgroup outreach efforts, the need to emphasize con- worked closely with the National Communi- tingency planning and restoration scenarios, cations System (NCS) member organizations the potential for public overreaction to and NCC industry representatives to develop the Y2K problem, and the lack of a global a common framework for assessing the approach to handle Y2K problems that were NCC’s ongoing role. The subgroup validated international in scope. The effort was a the original ten NCC chartered functions continuation of earlier efforts by the NCC and updated the NCC Operating Guidelines Vision-Operations Subgroup, which began (both written in 1984) for the current a study of the NCC’s operational readiness operational environment. The subgroup and coordination capabilities for potential also determined that an electronic intrusion public network disruptions caused by the incident information processing function Y2K problem. could be integrated into the NCC’s activities. In August 1997, the subgroup held an Following NSTAC XXII the IES tasked the industry/Government tabletop exercise to OSG to examine potential lessons learned test the draft concept of operations for NCC from Y2K experiences that could be applied intrusion incident information processing. to critical infrastructure protection efforts. The OSG documented the subgroup’s The OSG focused on the experiences of activities and accomplishments in the OSG’s the NCC to determine how its operations report to the December 11, 1997, NSTAC XX during the Y2K rollover period translated meeting. The NSTAC approved the OSG’s into functions to be performed as Informa- NSTAC XX report and recommended that tion Sharing and Analysis Center (ISAC) the President: (in accordance with PDD-63). In addition the OSG continued to monitor enhancements • Establish a mechanism within the to the NCC that ensured an electronic Indi- Federal Government with which cations, Assessment, and Warnings (IAW) the NCC can coordinate intrusion capability to support the ISAC function. incident information issues and with which NSTAC groups can coordinate In September 1999 following a reevaluation the development of standardized of NSTAC working groups, the IES created reporting criteria. the IS/CIPTF to examine mechanisms and processes for protected, operational infor- The NSTAC also endorsed NCC implementa- mation sharing that would help achieve the tion of an initial intrusion incident informa- goals of PDD-63 and further the role of the tion processing pilot based on voluntary NCC as an ISAC for telecommunications. reporting by industry and Government. In addition, the IES directed the IS/CIPTF to In 1998, the NCC modified its standard continue, through outreach efforts, interac- operating procedures to accommodate an tion with Government leaders responsible electronic intrusion incident information for PDD-63 implementation. processing capability.

XXVII_PreviousIssues.indd 71 10/8/04, 4:34 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

With the OSG’s support and assistance, Throughout the NSTAC XXI cycle, the OSG the NCC began its intrusion incident infor- considered the infrastructure protection mation processing pilot on June 15, 1998. efforts of the Federal Government in con- The NCC Vision-Operations Subgroup junction with the enhanced role of the NCC. worked closely with the Office of the IES and NCM Subgroup members met with Manager, NCS (OMNCS) and the Manager, members of the National Infrastructure NCC, as the NCC implemented the intrusion Protection Center (NIPC) to address the incident processing pilot, which it completed role of industry in the Government’s new in October 1998. In addition, the NCC IA environment. The Government created Vision-Operations Subgroup developed a the NIPC in February 1998 as a national paper, the NCC Intrusion Incident Reporting critical infrastructure threat assessment, Criteria and Format Guidelines, to establish warning, vulnerability, law enforcement standardized reporting criteria and to outline investigation, and response entity. steps in NCC electronic intrusion report The NIPC’s mission is to detect, deter, collection, processing, and distribution. assess, warn of, respond to, and investigate The OSG report to NSTAC XXI includes computer intrusions and unlawful acts, the paper. Leading up to NSTAC XX, both physical and cyber, that threaten or the NCM Subgroup met jointly with the target the Nation’s critical infrastructures. Information Infrastructure Group’s Infor- As a result of these meetings, the NCC mation Assurance (IA) Policy Subgroup and NIPC began to develop processes to and produced a joint report. The report detail the flow of information between concluded that the revised NCM concept the two entities. provided the framework for the Federal Government and the private sector to At the end of the NSTAC XXI cycle, the address solutions to infrastructure OSG concluded that the NCC provided protection concerns. The OSG included the a model for all infrastructures by which joint report in its full NSTAC XX report, information could be gathered, analyzed, which the NSTAC approved. Specifically, the sanitized, and provided to the Government. NSTAC recommended that the President: In addition, regarding PDD-63 implementation, the OSG concluded that more than • Direct the appropriate departments one individual or entity would be needed to and agencies to work with the NCS serve as the sector coordinator to represent and NSTAC in further investigating the highly diverse information and commu- the NCM concept. nications sector. The NSTAC approved the OSG’s September 1998 report to NSTAC XXI Subsequently, IES representatives presented and recommended that the President direct the revised NCM concept to senior Govern- the lead departments and agencies as ment officials to aid the Administration’s designated in PDD-63 to: efforts to establish national policy on the protection of critical national infrastructures.

XXVII_PreviousIssues.indd 72 10/8/04, 4:34 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

• Consider adapting the NCC model At the end of the NSTAC XXII cycle, the OSG as appropriate for the various concluded that the NCC already performed critical infrastructures to provide the primary functions of an ISAC for the warning and information centers for telecommunications sector and that industry reporting and exchange of informa- and Government should establish it as such. tion with the NIPC through the The OSG’s Y2K Subgroup investigated NCM process domestic and international Y2K preparedness and contingency planning efforts for • Establish an industry/Government the telecommunications infrastructure. coordinating activity to advise in the selection of a sector coordinator The subgroup held a number of informational and provide continuing advice meetings with Government representatives to effectively represent each to address ongoing Y2K readiness and con- critical infrastructure. tingency planning efforts. To understand public concerns about the Y2K problem, Following NSTAC XXI, the OSG’s NCC the Y2K Subgroup also investigated the Vision-Operations Subgroup worked closely initiatives of grassroots Y2K community with the OMNCS and the Manager, NCC, as forums and those groups promulgating the NCC continued its electronic intrusion “doomsday” scenarios. The subgroup’s incident processing function. The subgroup findings are included in the OSG’s June 1999 continued to assist the NCC in evaluating NSTAC XXII report. Based on that report, any needed revisions to the IAW reporting the NSTAC recommended that the President: criteria and format guidelines. • Direct the President’s Council on Y2K The OSG’s NCC Vision-Operations Subgroup Conversion and the Federal Govern- also assessed whether the NCC requires ment continue providing timely, additional industry and Government meaningful, and accurate Y2K participation within the NCC to widen the readiness and contingency planning scope of expertise and operational personnel information related to the informa- available to fulfill the IAW mission. tion and communications critical During the NSTAC XXII cycle, the subgroup infrastructures to State and local developed a list of companies and Govern- governments, thereby enhancing the ment departments and agencies for the flow of information to the general Manager, NCS, to consider as candidates for public and community Y2K groups. participation in the NCC. Actions Resulting from PDD-63 established the concept of an NSTAC Recommendations ISAC that would be a private sector entity responsible for gathering, analyzing, sanitiz- The NSTAC’s support for the evolving role ing, and disseminating to industry private of the NCC helped pave the way for the sector information related to vulnerabilities, establishment of the NCC as an ISAC for threats, intrusions, and anomalies affecting telecommunications under the provisions the critical infrastructures. of PDD-63.

XXVII_PreviousIssues.indd 73 10/8/04, 4:34 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

During 1997, the NSTAC advocated and later endorsed the NCC’s implementation of an electronic intrusion incident reporting capability based on voluntary reporting by industry and Government. In January 2000, the National Security Council agreed with the NSTAC’s 1999 conclusion that the NCC was performing the primary functions of an ISAC. In March 2000, the NCC formally achieved initial operating capability as an ISAC for the telecommunications sector. Reports Issued

• Operations Support Group Report, December 1997.

• Information Assurance: A Joint Report of the IA Policy Subgroup of the Information Infrastructure Group and the NCM Subgroup of the Opera- tions Support Group, December 1997.

• Operations Support Group Report, September 1998.

• Operations Support Group Report, June 1999.

XXVII_PreviousIssues.indd 74 10/8/04, 4:34 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Globalization As a result, the NSTAC Industry Executive Subcommittee (IES) tasked the OSG in Investigation Groups April 1997 to monitor the U.S. information infrastructure’s global interfaces, National Information Infrastructure (NII) because of the potential for increased Task Force vulnerabilities adversely affecting the national interest. Specifically, the OSG Operations Support Group (OSG) gathered information on the International Information Infrastructure Group (IIG) Telecommunication Union’s Global Mobile Personal Communications by Satellite Memo- Globalization Task Force (GTF) randum of Understanding. In October 1998, the IES tasked the IIG to conduct a forward- Periods of Activity looking analysis of the GII and associated NS/EP opportunities and challenges. NII: August 2, 1993–March 18, 1997 During a reorganization of the IES and its OSG: April 22, 1997–September 23, 1999 working group structure in September IIG: April 22, 1997–September 23, 1999 1999, the IES formed the GTF to continue to address the GII issue. Specifically, the GTF: September 23, 1999–May 16, 2000 IES tasked the GTF with developing a “picture” of the GII in 2010, identifying Issue Background NS/EP issues. The GTF was also given two additional tasks that were global in In 1993, the NSTAC established an NII Task scope: assessing the security implications of Force and charged it with examining the foreign ownership of telecommunications implications of the evolving U.S. information networks and examining export policies infrastructure for NS/EP communications. dealing with the transfer of strong encryp- The NII Task Force observed that the NII’s tion products, satellite technology, and connectivity to the emerging Global Infor- high-performance computers. mation Infrastructure (GII) potentially presented both opportunities and risks for During the NSTAC XXII and XXIII cycles, NS/EP communications. In its March 1997 the IIG and GTF researched and gathered report to NSTAC XIX, the NII Task Force information from industry and Government concluded that the pervasive and rapidly experts on emerging space-, airborne, evolving nature of the GII necessitated a and land-based communications systems continuing effort by NSTAC task forces and services. These information gathering and working groups to track the GII’s activities provided the GTF with the implications for NS/EP communications. insights needed to characterize the GII in 2010 and draw conclusions about NS/EP telecommunications preparedness.

XXVII_PreviousIssues.indd 75 10/8/04, 4:34 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Drawing on these insights, the GTF was Through the case studies, the group found able to describe what physical network that the current regulatory structure elements, services, and protocols might satisfied the different interests of the be prominently featured in 2010, paying parties involved. The LRWG concluded that specific attention to the global homog- it was unclear whether further statutory enization of communications capabilities, or regulatory changes would effectively expected improvements to quality of enhance the role of national security issues service and network assurance, and the in foreign ownership situations at this time. ubiquity and availability of advanced com- The GTF May 2000 report to NSTAC XXIII munications technologies as pertaining includes the LRWG analysis of the issue. specifically to NS/EP users. The GTF documented its analysis in its May 2000 Based on the GTF’s report, the NSTAC report to NSTAC XXIII. Based on that recommended that the President: analysis, the NSTAC recommended that • Ensure that the review process for the President direct appropriate depart- commercial arrangements involving ments and agencies to: foreign ownership remains adequate to protect NS/EP concerns as the • Conduct exercises in those areas and environments in which NS/EP environment evolves and becomes operations can be expected to take more complex. place to ensure that the required Lastly, addressing technology export, the high-capacity, broadband access to GTF compiled some basic information on the GII is available the key technology export issue areas. Given that technology progresses faster • Ensure that NS/EP requirements, such as interoperability, security, than export policy can keep up with it, the and mobility, are identified and con- GTF recommended continued monitoring of sidered in standards and technical developing export policies and regulations. specifications as the GII evolves to The GTF also investigated guidelines to 2010 and identify any specialized assist companies in understanding Govern- services that must be developed ment approval of technology sales. The GTF to satisfy NS/EP requirements not completed its tasking to scope the issue of satisfied by commercial systems. technology export, concurring with the Government’s efforts to periodically In addition, the Legislative and Regulatory reevaluate the limits placed on the export Working Group (LRWG) assisted the GTF in of technologies. assessing the security implications of foreign ownership of telecommunications networks. Reports Issued The LRWG examined domestic regulatory • National Information Infrastructure history and conducted analyses of several Task Force Report, March 1997. mergers and acquisitions between domestic and foreign telecommunications carriers. • Operations Support Group Report, September 1998.

XXVII_PreviousIssues.indd 76 10/8/04, 4:34 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

• Information Infrastructure Group Report, June 1999.

• Globalization Task Force Report, May 2000.

• Global Infrastructure Report, May 2000.

• Paper on Foreign Ownership: Telecommunications and NS/EP Implications, May 2000.

XXVII_PreviousIssues.indd 77 10/8/04, 4:34 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

National Information • Advise Government on technical Infrastructure and other considerations that will accelerate commercialization of Investigation Group a nationwide high speed network available to NS/EP users National Information Infrastructure (NII) Task Force • As a minimum, address architectural, policy, and regulatory issues, Period of Activity along with those research and development focus areas, pilot/ August 2, 1993–March 18, 1997 demonstration projects, and civil/ military telecommunications issues Issue Background identified by OSTP and the National At the August 2, 1993, Industry Executive Economic Council. Subcommittee (IES) meeting, the Plans The task force relied on The National Working Group (subsequently reestablished as Information Infrastructure: An Agenda for the Issues Group) recommended that a task Action, released by the administration on force be established to address NS/EP tele- September 15, 1993, as a guide for its work. communications issues related to the evolution This document called for the NSTAC to of the U.S. information infrastructure. continue to offer advice to the President The IES established an NII Task Force to on NS/EP telecommunications issues, provide a series of reports with recommen- work with the Federal Communications dations to the President. The task force’s Commission’s Network Reliability Council charge was to: (subsequently renamed the Network Reli- ability and Interoperability Council) and • Identify, in collaboration with Government, potential dual- complement the work of the U.S. Advisory use applications of the NII and Council on the NII. To better focus on its recommend Government actions charge and coordinate with the Information Infrastructure Task Force and its commit- • Identify potential NS/EP implica- tees, the NII Task Force established three tions of the NII and recommend subgroups: the Policy Subgroup, the Applica- Government actions tions Subgroup, and the Future Commercial Systems and Architecture Subgroup. • As a minimum, address items identified by the Director, Office of Science The Policy Subgroup’s final report, Approach and Technology Policy (OSTP) at to Security and Privacy on the NII, sum- NSTAC XV (for example, security, marized the findings of the subgroup in resiliency, interoperability, network security. It made preliminary standards, and spectrum) recommendations on ways to ensure that expansion and enhancement of the information infrastructure would be compatible with telecommunications security concerns.

XXVII_PreviousIssues.indd 78 10/8/04, 4:34 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

The Applications Subgroup assessed History of NSTAC Actions NII applications that the Government and Recommendations was developing. In doing so, the subgroup developed criteria to select applications The task force presented its interim report at for increased emphasis. The subgroup NSTAC XVI on March 2, 1994. made a number of recommendations related The report provides the background on to developing dual-use applications. the task force’s establishment, its activities Additionally, the subgroup established and future direction, and a summary that an Emergency Health Care Information includes a proposed statement for the NSTAC Focus Group to address health care-specific XVI Executive Report. The statement reiter- issues for the NII. The subgroup chose this ates the task force’s commitment to assisting application area as a model for examining the President in ensuring it satisfies NS/EP important information infrastructure requirements on the NII. The NSTAC application issues, such as interoperability, approved both the report and the proposed privacy, and security. statement for forwarding to the President. The task force presented an NII Task The final report of the Future Commer- Force Status Report at NSTAC XVII on cial Systems and Architecture Subgroup January 12, 1995. The report discussed the addressed the architectural principles and work of the task force’s three subgroups— trends and NS/EP performance issues of the Policy Subgroup, the Applications the current and future NII. It examined Subgroup, and the Future Commercial the NII from the perspective of three major Systems and Architecture Subgroup. components: the public switched network, The status report also addressed the 12 broadcast networks, and the Internet. recommendations culled from the individual subgroup reports. Additionally, the Issues Group addressed the information infrastructure issue, The task force presented its third report working with the OSTP to develop plans to NSTAC XVIII on February 28, 1996. for an NII Symposium at the Naval War The report included analysis and recommen- College (NWC), Newport, Rhode Island, dations regarding three NS/EP issues: October 17–19, 1994. The Issues Group 1) the need for an NII Security Center of planned the symposium with the OSTP in Excellence (SCOE), 2) the emerging Global response to an NWC invitation to the NSTAC Information Infrastructure (GII), and to participate in a communications-focused 3) Emergency Health Care Information. game designed to address the NII. The NWC The NSTAC approved forwarding recommen- produced a non-attribution report for distri- dations to the President regarding the latter bution to all participants, and it is available two issues. Following NSTAC XVIII, the IES to any interested parties upon request. charged the task force to further investigate the advisability of establishing a SCOE, henceforth referred to as the Information Systems Security Board (ISSB).

XXVII_PreviousIssues.indd 79 10/8/04, 4:34 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

The task force conceptualized the ISSB as The ISEC issued its report in January 1998 a private sector entity that would promote in which it recommended that, although it information systems security principles and supported the concept of the ISSB, studies standards to improve the reliability and revealed that establishment of such a board trustworthiness of information products would be duplicative of private endeavors. and services. The task force developed the ISSB Concept Paper, which outlined the At the same time, however, the ISSB functions and processes of the ISSB and concept has influenced the Clinton served as the centerpiece for an outreach Administration’s policy on implementing effort undertaken to ascertain the viability Presidential Decision Directive 63, Critical of the ISSB model. After contacting more Infrastructure Protection. Specifically, in than 100 major information technology an approach consistent with the NSTAC’s companies, industry associations, Govern- ISSB recommendation, the Administration’s ment agencies, and major information Critical Infrastructure Assurance Office technology users, the NII Task Force deter- underscored the value of promoting industry mined that there was broad support for the standards and best practices to improve ISSB concept and that industry should take infrastructure assurance. the lead in its formation. Reports Issued The task force presented its fourth and final • NII Task Force Interim Report, report at NSTAC XIX on March 18, 1997. February 1994. The report focused on the ISSB initiative and the NS/EP implications of the GII. • NII Task Force Report, January 1995. The NSTAC recommended the President endorse the private sector ISSB initiative. • NII Task Force Report, February 1996. Lastly, the NSTAC approved a recommenda- NII Task Force Report, March 1997. tion to sunset the NII Task Force. •

Actions Resulting from NSTAC Recommendations

The Information Technology Industry Council (ITIC) sponsored an effort to explore formation of the ISSB; the ITIC hosted the first meeting of this group on January 21, 1997. Following the meeting, the Information Security Exploratory Committee (ISEC), a consortium of interested stakeholders, met regularly to discuss the possibility of operationalizing the ISSB concept.

XXVII_PreviousIssues.indd 80 10/8/04, 4:34 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Common Channel Signaling • Present appropriate recommendations to NSTAC XVI. Investigation Groups The CCS Task Force received informational Common Channel Signaling (CCS) briefings on the CCS architecture and Task Force on CCS network security incidents and concerns, protocol changes, the role of the NS/EP Panel Network Security Information Exchange in evaluating and determining CCS failures, Periods of Activity and the Network Reliability Council’s CCS Task Force: April 28, 1993– Signaling Network System Focus Team. January 31, 1994 At NSTAC XVI, March 2, 1994, the IES deactivated the task force. NS/EP Panel: March 1994–March 1995 At the March 2, 1995, IES meeting, the Issue Background NS/EP Group Chair explained that during the preceding year, no significant outages At the April 28, 1993, Industry Executive had occurred during the group’s monitoring Subcommittee (IES) meeting, the Operations of the CCS network. (The panel’s name was Working Group NS/EP Panel recommended changed to the NS/EP Group in accordance that the IES establish a task force to with the December 1994 IES Guidelines.) investigate common channel signaling. The Chair concluded that if no significant The task force would determine whether outages occurred in the next quarter, the widespread, long- duration CCS outages group would discontinue monitoring the affecting multiple interconnected carriers CCS network. were a significant risk to the public switched network and NS/EP telecommunications. History of NSTAC Actions The IES established the CCS Task Force to: and Recommendations

• Determine if there were failure The task force reported its conclusions mechanisms that could potentially and recommendations to NSTAC XVI on lead to widespread, long-duration March 2, 1994. The task force concluded CCS outages among multiple inter- that the CCS architecture was inherently connected carriers reliable and that the probability of a large- scale, long-duration, multiple carrier CCS • Evaluate the risk to NS/EP outage resulting from a failure condition user telecommunications propagated to other CCS networks presented a low risk to NS/EP telecommunications. • If significant risk existed, examine The IES recommended to deactivate the task procedural or technological force and tasked the NS/EP Panel to monitor alternatives for mitigating it CCS reliability for a year before reactivating or disbanding the task force.

XXVII_PreviousIssues.indd 81 10/8/04, 4:34 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

After receiving this tasking, the NS/EP Panel developed plans for a February 1995 tabletop CCS restoration exercise.

In February 1995, the Network Operations Forum conducted the CCS restoration exercise, thus fulfilling the obligations of the CSS Task Force charge.

Report Issued

• Final Report of the Common Channel Signaling Task Force, January 31, 1994.

XXVII_PreviousIssues.indd 82 10/8/04, 4:34 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Obtaining Critical Department of Justice (DOJ) and Department Telecommunications of Defense representatives briefed the panel on the roles of the DOJ, the National Guard, Facility Protection During and active duty military personnel during a Civil Disturbance national emergencies.

Investigation Group As a result of the meeting, the National Coordinating Center for Telecommunica- NS/EP Panel tions (NCC), working closely with the NS/EP Panel, agreed to develop guidelines to assist Period of Activity emergency planners during their prepara- September 1993–April 1994 tions for and response to civil disturbances. The NS/EP Panel and the NCC developed the Issue Background document in close coordination with the Cali- fornia Office of Emergency Services and the The April 1992 civil disturbance in California Utilities Emergency Association. Los Angeles identified the need for standardized guidelines in requesting the protection In May 1994, the NCC and the NS/EP Panel of critical telecommunications facilities. issued Guidelines for Obtaining Protection of In response to the problems noted, the Critical Telecommunications Facilities During NS/EP Panel met with California State, Civil Disturbances. The document serves as Federal Government, and telecommu- a guide for telecommunications industry nications industry representatives in emergency planners when discussing their San Francisco. The meeting participants facility protection needs with local, State, generally agreed that emergency response and Federal authorities. personnel were not sufficiently prepared to respond to the crisis that overwhelmed local On October 4, 1995, the NS/EP Panel law enforcement and fire protection services. conducted an industry/Government Critical Telecommunications industry representa- Telecommunications Facilities Protection tives discussed their difficulties in exercise simultaneously at three separate obtaining protection for their facilities, locations using video teleconferencing while other participants acknowledged they linking sites in Arlington, Virginia; Oakland, had been confused about whom to contact California; and Los Angeles, California. and who had authority during the wide- The exercise provided an opportunity for spread civil unrest. Because the President key emergency response planners at the declared the crisis to be a Federal emer- local, State, and national levels to develop gency, points of contact and authorities working relationships, gain a better under- changed, causing some confusion. standing of the many planning factors Participants raised this issue at the required by each participant, and define the meeting and questioned how to obtain critical steps in the protection process. critical telecommunications facility protection during a Federal emergency.

XXVII_PreviousIssues.indd 83 10/8/04, 4:34 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Participants noted this exercise helped clarify the lines of communication when requesting protection from the city to county to State to national levels and helped clarify the various roles and responsibilities of the organizations involved. The activity also highlighted planning shortfalls that required correction to streamline the protection process. The NS/EP Panel identified two key issues for inclusion in the Guidelines for Obtaining Protection of Critical Telecommunications Facilities During Civil Disturbances document: (1) adding procedures for transitioning from Federal control back to State control and (2) discussing the legal aspects of federalized versus non-federalized troops.

In an October 1996 conference call, participants of the industry/Government exercise discussed options for clarifying the feder- alization issues. The NS/EP Panel added new language to the document, indicating that both federalized and non-federalized National Guard troops, each with different chains of command, may participate in restoring and maintaining law and order. In addition, the panel added a section authorizing the Secretary of Defense to determine when Federal military forces should withdraw from the disturbance area and when National Guard units would return to State control.

Reports Issued

• Guidelines for Obtaining Protection of Critical Telecommunications Facilities During Civil Disturbances, May 1994.

• Protection of Critical Facilities Exercise, After-Action Report, December 1995.

XXVII_PreviousIssues.indd 84 10/8/04, 4:34 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Energy The Department of Energy (DOE), National Communications System (NCS), and Investigation Groups the North American Electric Reliability Council (NERC) participated in the Energy Energy Task Force Task Force.

NS/EP Panel The NSTAC Industry Executive Subcom- mittee (IES) charged the first Energy Task Periods of Activity Force with developing recommendations to Energy Task Force: August 31, 1988– mitigate the effects of electric power outages March 29, 1990 on telecommunications. It examined interdependencies between electric power and Energy Task Force: October 3, 1991– telecommunications after a major earthquake. May 27, 1993 Further, at NSTAC X, the task force presented the following recommendations: NS/EP Panel: March 8, 1994– October 5, 1994 • Sponsor further research on the impact of a major earthquake on Issue Background electric power, telecommunications, and transportation systems In 1986, the Telecommunications Systems Survivability (TSS) Task Force initially • Establish a nationwide process for reviewed the vulnerability of telecom- restoring electric power and munications to the loss of commercial distributing energy supplies during electric power and presented the results of major emergencies. its review at the February 8, 1987, NSTAC VII meeting. The TSS Task Force concluded The NSTAC approved the Energy Task Force the telecommunications industry would be Final Report, which recommended that extremely vulnerable to an extended electric the Government: power outage. As a result, the NSTAC Develop a program for assigning recommended to the President that Govern- • electric power restoration priorities ment initiate a study to identify options for to NS/EP telecommunications users ensuring electric power survivability as it and providers to provide the soonest related to telecommunications. The NSTAC possible service restoration also offered its services to support the effort. Following the President’s reply, the NSTAC • Establish a program for assigning pri- formed the Energy Task Force and it became orities for the supply, transport, and the focal point of a joint electric power and delivery of fuels to NS/EP telecom- telecommunications industry effort to address munications users and providers the question of electric power survivability as it relates to telecommunications.

XXVII_PreviousIssues.indd 85 10/8/04, 4:34 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

• Grant a national security waiver The energy issue concluded when NSTAC from those applicable subparts of the XV charged the IES to deactivate the Energy Government’s underground storage Task Force. The NSTAC also tasked the IES tank regulation (40 Code of Federal to request progress reports from the Govern- Regulations Part 280) ment on the status of its recommendations.

• Ensure that NS/EP telecommuni- History of NSTAC Actions cations users who need electric and Recommendations power to operate their customer premises equipment have a backup As a result of an NSTAC VIII recom- power capability that can operate mendation, the IES formed the first through at least a seven-day electric Energy Task Force. The task force was power outage the focal point of an electric power/ telecommunications industry effort to • Fund studies to examine the feasibil- address the issue of electric power surviv- ity of the Government’s developing ability as it relates to telecommunications. and supplying long-lasting, cost- The DOE, NCS, and the NERC actively par- effective backup power sources for ticipated in the Energy Task Force. critical telecommunications facilities. On October 3, 1991, NSTAC XIII approved In October 1991, the NSTAC reactivated the the recommendation to establish a follow-on Energy Task Force to advise the NCS and Energy Task Force. The task force’s charge the DOE concerning the implementation of was to support the OMNCS in its efforts with energy priority initiatives for telecommuni- DOE to develop criteria and a process for cations facilities. The reactivated task force identifying critical industry NS/EP assisted in developing the DOE’s Telecom- telecommunications facilities that qualify munications Electric Service Priority (TESP) for electric power restoration and priority initiative in response to the original task fuel distribution. force’s first two recommendations. When fully implemented, the TESP initiative would At the May 27, 1993, NSTAC XV meeting, provide priority electric power restoration to members approved the Energy Task Force critical NS/EP telecommunications facilities. Final Report and the task force’s recommendations, and forwarded both to the After reviewing DOE’s National Energy President. The task force recommended that Strategy (NES) in December 1991, the the Government: IES also charged the Energy Task Force to review the NES from the perspective • Continue to support the operation, of benefits to NS/EP telecommunications administration, and management of enhancements and develop NS/EP telecom- DOE’s TESP initiative munications energy concerns/issues for incorporation into DOE’s next issue/update of the NES.

XXVII_PreviousIssues.indd 86 10/8/04, 4:34 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

• Assign Federal responsibility for the • Focus more R&D on alternative establishment of a program to ensure backup power technologies for the priority availability of fuel supplies telecommunications industry by for telecommunications companies encouraging cooperative R&D agree- during emergencies ments between the U.S. national laboratories and interested telecom- • Encourage the Nation’s electric munications companies. utilities to coordinate with telecommunications companies to provide On March 8, 1994, the NS/EP Panel dis- safe access to disaster areas requiring cussed power outages that occurred during Telecommunications Service Priority the recent winter storms on the East Coast provisioning or restoration and during the Northridge earthquake, and their effect on telecommunications. • Encourage State and local govern- The panel agreed that a call from the power ments to modify their emergency companies would have alerted carriers to plans to allow telecommunications, the impending rolling blackouts and the electric utility, and fuel supply need to switch to an emergency backup company’s access into areas experi- power source. Additionally, the panel agreed encing outages that the TESP initiative should be more responsive to industry’s requirements during • Modify the Federal Response Plan emergencies and disasters. As a consequence and the National Plan for Telecom- of this discussion, the panel scheduled munications Support in Nonwartime briefings from the NCS Office of Plans and Emergencies to include TESP and to Programs on the status of its discussions address emergency fuel resupply, with DOE on TESP, and then with DOE on access, and safety issues. the status of the TESP initiative. The Energy Task Force also recommended On October 13, 1994, as a result of indus- that, to address the improvement of electric try’s concerns about the initiative, the power survivability under disaster con- NSTAC invited the DOE to address the joint ditions, the President’s National Energy Operations Working Group (OWG) and Plans Strategy should: Working Group (PWG) meeting. • Increase research and develop- The former TESP initiative was intro- ment (R&D) and incentives to duced as the National Electric Service reduce transmission and distribu- Priority (ESP) Program in Support tion vulnerabilities of Telecommunications. ESP was defined as a program developed jointly between • Evaluate locating dispersed power DOE, the NCS, and the telecommunica- generation closer to customer loads tions industry. Under ESP, electric utilities as a possible means of further voluntarily add NS/EP telecommunications reducing transmission and facilities to their ESP programs. distribution vulnerabilities

XXVII_PreviousIssues.indd 87 10/8/04, 4:34 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

The ESP program emphasizes local Actions Resulting from coordination between electric utilities and NSTAC Recommendations telecommunications facilities. In response to the Energy Task Force In response to criticism that the DOE was recommendations at NSTAC X, the OWG not responsive to industry’s needs during NS/EP Panel discussed the status of NCS the 1994 winter storms, the DOE represen- and DOE activities. The panel expressed tative noted several problems contributed support for recent NCS and DOE initiatives to the insufficient generating capacity. and concluded that industry should continue Utilities had been asked to switch from nat- to advise the NCS and DOE on implementa- ural gas; barges were unable to get through tion of the energy initiatives. The IES and ice to deliver coal; northeastern electric NSTAC approved the recommendation to power companies were purchasing power establish a follow-on Energy Task Force. from California, Florida, and Oklahoma. Its charge was to support the OMNCS efforts However, the rising demand resulted in with DOE and NCS to develop criteria and a brownouts, followed by rolling blackouts. process for identifying critical industry NS/EP telecommunications facilities that In December 1994, the NCS provided an qualify for electric power restoration and updated list of critical telecommunications priority fuel distribution. facilities to DOE. The DOE collected electric utility points of contact information that On April 2, 1991, the NCS issued Directive the telecommunications industry supplied. 3-8, Provisioning of Emergency Power in DOE continues to work with all 50 States to Support of NS/EP Telecommunications. ensure nationwide ESP implementation. The DOE and the NCS worked together to identify critical telecommunications In regard to other telecommunications facilities that qualify for priority electric energy issues, DOE recommended industry power restoration. contact each State and that the State enroll in the fuel set-aside program. DOE further In December 1993, DOE began implement- stated that, as a result of Hurricane Andrew ing the TESP initiative and made plans that hit Florida, power companies and to update the critical facility list. As of telecommunications providers were working September 1993, 28 States indicated their more closely together. Finally, in response desire to voluntarily participate in the TESP to industry’s request to obtain access to a initiative; with additional States expected disaster site, DOE stressed that such access to follow. could be dangerous. Criminal elements can harm utility workers unless there is suffi- At the October 13, 1994, OWG-PWG cient law enforcement personnel available to meeting, DOE explained that it replaced ensure their protection. the TESP initiative with its ESP program in support of telecommunications.

XXVII_PreviousIssues.indd 88 10/8/04, 4:34 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

DOE had developed the ESP program in response to the National Security Advisor’s request that the Secretary of Energy develop and implement a priority process for electric power restoration. DOE is working with all 50 States in implementing ESP nationwide. DOE’s partnership with the NCS and the telecommunications industry is facilitating ESP implementation.

Reports Issued

• Report on Earthquake Hazards, June 8, 1989.

• Energy Task Force Final Report, February 1990.

• Energy Task Force Final Report: Telecommunications Electric Service Priority and National Energy Strategy Review, April 1993.

XXVII_PreviousIssues.indd 89 10/8/04, 4:34 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Enhanced Call Completion The FRWG prepared a study addressing the regulatory and technical components Investigation Groups of assured access. The study reported that at its initial meeting, the FRWG concluded Industry Executive Subcommittee (IES) that the Government required enhanced call Funding and Regulatory Working completion for NS/EP traffic. The FRWG Group (FRWG) members agreed, however, that they must further define the technical features of the Enhanced Call Completion (ECC) Task Force issue before identifying regulatory issues. ECC Ad Hoc Group On August 22, 1990, the FRWG recom- Periods of Activity mended that it establish an ECC Task Force to determine how existing and evolving IES FRWG (Assured access): June 7, 1990– technologies could best be exploited to September 1990 enhance the priority access, transport, and egress of NS/EP traffic. The FRWG’s study ECC Task Force: December 13, 1990– also stated that the proposed task force July 17, 1992 should evaluate the Intelligent Networks Task Force Final Report and recommendations, ECC Ad Hoc Group: July 17, 1992– and coordinate its efforts with those of the August 2, 1993 Office of the Manager, National Communica- IES FRWG (Regulatory aspect of tions System (OMNCS) to avoid duplication. call-by-call preferential treatment): Following the FRWG’s investigation of July–December 1993 issues affecting assured access to the PSN Issue Background by NS/EP callers and its subsequent recommendations, the NSTAC, at its Following its reactivation after NSTAC XI, December 13, 1990, meeting charged the the NSTAC IES tasked the FRWG to investi- IES to establish a task force to review the gate NS/EP issues affecting assured access issue of enhancing call completion for to the public switched network (PSN). NS/EP users during periods of congestion. During FRWG discussions with the Gov- Specifically, the IES directed the task force ernment, the group agreed that assured to identify technical approaches and to access was only one component of the recommend a plan of action for obtaining Government’s need for enhanced NS/EP enhanced call completion in both the near call completion. The group defined assured and long term. access as priority access to, transportation through, and egress from the PSN for The ECC Task Force studied existing and NS/EP users when portions of the PSN evolving technologies that would provide the were either physically isolated or too NS/EP user PSN access and call completion congested to permit unhindered access and without interruption, with minimum delay, call completion. and on a preferential basis during network damage or congestion.

XXVII_PreviousIssues.indd 90 10/8/04, 4:34 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

During its 18-month investigation, the It met with the Government Emergency task force identified 26 current or planned Telecommunications Service (GETS) integra- enhanced call completion features and tor and Government contractors to discuss defined their NS/EP application, availabil- demonstration plans and scenarios. ity, and acquisition procedures. The task force also determined the importance of the As part of its charge to inform the Gov- High Probability of Call Completion (HPC) ernment about ECC services affecting the standard in implementing an NS/EP call National Level NS/EP Telecommunications identifier to provide call-by-call preferential Program initiatives, the group assisted treatment and to enhance existing the Government in developing educa- PSN features. tional materials such as the ECC Services Cost/Benefit Analysis Report, and the 1993 At the July 17, 1992, NSTAC XIV meeting, National Communications System (NCS) members approved the ECC Task Force’s Member Agency Telecommunications report for forwarding to the President, the Enhancement Handbook. The group worked two proposed recommendations to the with the Government in addressing potential President, and the proposed NSTAC XIV regulatory impediments to implementing charges to the IES. In response to these enhanced call completion services. It framed charges, the IES deactivated the ECC Task and defined significant elements in the Force and established an ad hoc group to call-by-call preferential treatment issue work with the Government to: before forwarding the issue to the FRWG for its action. • Advocate and support approval of the HPC standard, investigate In July 1993, the FRWG responded to an potential ECC regulatory issues April 14, 1993, memorandum to the NCS with the FRWG and implement ECC Executive Agent directing the NCS to work network capabilities. with the FRWG to investigate potential regulatory issues arising from the imple- At the August 2, 1993, IES meeting, mentation of enhanced call completion members approved the deactivation of the attributes for NS/EP activities. The FRWG ECC Ad Hoc Group, which had completed explored whether the prohibition of undue its work. The group served as a forum preferences in Section 202(a) of the Com- for issues such as cellular priority access, munications Act of 1934, as amended, preferential access for North Atlantic required a specific Federal Communications Treaty Organization countries, and future Commission (FCC) regulation authorizing broadband services. It assisted the Govern- the provision of priority calling features to ment in its effort to obtain approval of the NS/EP users of the PSN. HPC standard—published as American National Standards Institute T1.631 in The FRWG determined FCC approval of August 1993. The group also worked closely preferential treatment would benefit both with the Government to develop ECC industry and Government. features demonstration scenarios.

XXVII_PreviousIssues.indd 91 10/8/04, 4:34 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Following IES approval, the OMNCS – Take advantage of existing and forwarded a letter to the FCC requesting emerging services, features, and that the Commission issue an opinion capabilities in the PSN regarding whether common carriers may provide call-by-call priority service – Continue to support the near- for connecting emergency calls over term adoption of the HPC the public switched network. The FCC standard by the Exchange responded by issuing a Public Notice on Carriers Standards Association January 7, 1994, which requested that T1 Committee public Comments be filed with the Commis- – Investigate the NS/EP advantages sion by February 15, 1994, and that Reply of a calling name delivery service Comments be filed by March 1, 1994. The OMNCS filed Reply Comments with the – Work with NSTAC’s FRWG FCC on March 1, 1994, requesting that the to investigate potential Commission issue a favorable opinion. regulatory issues

On August 30, 1995, the FCC responded – Sponsor industry ECC forums to to the OMNCS regarding the call-by-call further define ECC and resolve priority issue. In its letter, the FCC stated implementation issues. that the request for declaratory ruling filed on November 29, 1993, was moot • The Government should use the ECC because lawful tariffs implementing the Task Force report as a reference for federally managed GETS program had gone modifying or implementing current into effect. Call-by-call priority is a feature or future services and technologies. of the GETS program. Therefore, the FCC In response to NSTAC XIV charges, dismissed the petition for declaratory ruling the IES established the ECC Ad without prejudice. Hoc Group. On August 2, 1993, IES members deactivated the ECC Ad History of NSTAC Actions Hoc Group. and Recommendations Actions Resulting from On December 13, 1990, NSTAC XII charged NSTAC Recommendations the IES to establish the ECC Task Force as a result of the FRWG’s investigation of assured In response to an NSTAC XIV recommenda- access issues. On July 17, 1992, NSTAC tion from the ECC Task Force, the White members approved the ECC Task Force’s House issued a memorandum to the NCS report for forwarding two proposed recom- Executive Agent on April 14, 1993, directing mendations to the President: the NCS to work with the FRWG to investigate potential regulatory issues arising from • The Government should take the the implementation of ECC attributes for following steps to enhance call NS/EP activities. completion for NS/EP users:

XXVII_PreviousIssues.indd 92 10/8/04, 4:34 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

The FRWG sought to clarify whether prohibitions of undue preferences in the Communications Act of 1934 required a specific FCC regulation to authorize the provision of priority calling features to NS/EP users of the public switched network. The FCC resolved the issue on August 30, 1995, when the FCC informed the OMNCS of its decision regarding the call-by-call priority issue.

Reports Issued

• Assured Access Issue Paper, October 13, 1989.

• Report on the FRWG Review of Assured Access, November 7, 1990.

• Final Report of the Enhanced Call Completion (ECC) Task Force, July 1992

• Final Report of the Enhanced Call Completion (ECC) Ad Hoc Group, December 1993.

XXVII_PreviousIssues.indd 93 10/8/04, 4:34 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Underground Storage Tanks The FRWG received briefings from the EPA and support staff on EPA UST regulations. Investigation Group The FRWG also investigated UST regulations at the Federal, State, and local levels. Industry Executive Subcommittee Funding The group also surveyed several local and Regulatory Working Group (FRWG) exchange carriers and interexchange carriers to determine UST policies and procedures. Period of Activity The survey revealed that industry was April 12, 1990–March 1, 1991 reviewing the UST requirements as a result of the EPA regulations, and that companies Issue Background used several criteria when developing UST requirements. The FRWG developed a In 1988, the Energy Task Force voiced paper outlining the UST issue and recom- concerns that the Environmental Protection mended the following: Agency (EPA) regulations on underground fuel storage tanks would encourage telecom- • A waiver of EPA UST regulations munications carriers to reduce the amount should not be pursued. The waiver of fuel available for their backup generators. would not make a significant The EPA regulations (40 Code of Federal contribution to meeting Govern- Regulations Part 280), originally proposed ment backup power needs because in April 1987, included standards for main- companies were already pursuing taining the integrity of the tank, protecting their own UST programs, State and against spill and overfill, and detect- local regulations would be addressed ing leaks. The telecommunications industry regardless of any Federal waiver, modified or replaced several thousand and telecommunications companies underground storage tanks (UST) pursuant would probably not use Federal to these regulations and added detection waivers unless mandated by monitoring systems. the Government.

The Energy Task Force considered the impli- The FRWG supported the implementation of cations of the regulations and concluded that the other Energy Task Force recommendations. if the telecommunications industry complied Government should specify an with the new EPA regulations, the public • NS/EP backup fuel requirement in switched network might not have enough cooperation with industry. backup fuel storage capacity in all locations to operate through normal power outages. Actions Resulting from The Energy Task Force recommended NSTAC Recommendations that the Government grant a national security waiver from those parts of the • At the December 12, 1990, NSTAC regulations that affected NS/EP XII meeting, members agreed with telecommunications providers. the recommendation not to pursue a waiver of EPA UST regulations.

XXVII_PreviousIssues.indd 94 10/8/04, 4:34 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Report Issued

• Energy Task Force Final Report, February 1990.

XXVII_PreviousIssues.indd 95 10/8/04, 4:34 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

International National Security After considering a variety of potential and Emergency Preparedness problem areas, the ad hoc group concluded that although modern telecommunications Telecommunications technologies are increasingly capable of supporting NS/EP needs, inadequate planning Investigation Group for using such technologies might impede Ad Hoc Group of the Industry Executive the President’s ability to effectively react to Subcommittee (IES) Plans Working international events. Group (PWG) The ad hoc group recommended to the Period of Activity October 24, 1990, PWG meeting that it form a task force to: July 25, 1990–March 1, 1991 • Identify and assess the biggest Issue Background problem areas affecting future U.S. international NS/EP Effective worldwide communications telecommunications capabilities directly influences the Nation’s ability to promote its national security interests in • Develop recommendations for an the global arena and to meet its inter- U.S. international NS/EP telecom- national responsibilities. Changes in the munications plan of action using international environment will profoundly both Government and private affect the telecommunications capabilities sector telecommunications needed to support the U.S. NS/EP posture. resources and capabilities to meet Significant changes in the international tele- evolving U.S. international NS/EP communications industry–Eastern European telecommunications needs. modernization, U.S. carrier involvement in The PWG concluded that the ad hoc group other countries, and development of new needed to refocus the issue and directed it technologies and international standards– to review the international NS/EP telecom- will also affect the means for providing the munications issue again with a sharper focus requisite capabilities. of the original charge. The ad hoc group During the last few years, the industry/ met several times and presented a revised Government NS/EP telecommunications set of proposed task force charges at the planning community demonstrated March 6, 1991, PWG meeting. The PWG increasing interest in and concern concluded that an international task force about the international dimensions of was not warranted, but that the PWG Chair NS/EP telecommunications. should send a letter to the Deputy Manager, National Communications System (NCS), advising of the ad hoc group’s findings and gauging NSTAC’s willingness to address the international issue if requested by the Government.

XXVII_PreviousIssues.indd 96 10/8/04, 4:35 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

The Deputy Manager, NCS, forwarded a copy of the PWG Chair’s letter to NCS principals to convey the PWG’s willingness to assist the Government in its effort to enhance overseas NS/EP communications.

Report Issued

• Ad Hoc International Group of the IES Plans Working Group, International National Security and Emergency Pre- paredness Telecommunications Issue, October 1990.

XXVII_PreviousIssues.indd 97 10/8/04, 4:35 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Telecommunications The TSS Task Force completed reports on Systems Survivability Government actions taken in response to NSTAC recommendations from the CNS, Investigation Group CSS, and Electromagnetic Pulse Task Forces, and submitted them to the NSTAC Telecommunications Systems on November 6, 1987. The task force Survivability (TSS) Task Force submitted similar reports on automated information processing and the National Period of Activity Coordinating Mechanism to NSTAC IX on September 22, 1988. The NSTAC approved March 6, 1986–June 8, 1989 these reports and forwarded them to the Issue Background President on the respective dates. The TSS Task Force also completed an assessment of The NSTAC developed the TSS issue in the applicability of network management December 1982 to address all aspects technology to NS/EP telecommunications of the telecommunications survivabil- survivability, which the NSTAC forwarded ity question. The Commercial Satellite to the President on September 22, 1988. Survivability (CSS) and Commercial The TSS Task Force assisted the Office of Network Survivability (CNS) issues evolved the Manager, National Communications from the NSTAC’s initial focus on TSS. Systems (OMNCS) in developing the On March 6, 1986, the NSTAC Industry Federal Government’s policy on essential Executive Subcommittee (IES) established line service (ELS). the TSS Task Force and directed it to determine whether NSTAC recommendations On June 8, 1989, the NSTAC approved the had inconsistencies, whether the recommen- TSS Task Force’s final report and disbanded dations met the Government’s NS/EP the task force. The NSTAC also directed the telecommunications policy requirements, IES to proceed with the study of intelligent and whether the Government effectively networks and virtual networks useful- responded to the recommendations. In early ness for enhancing network survivability, 1987, the NSTAC charged the TSS Task which the TSS Task Force initiated, pending Force to assess the impact of new technolo- review of the issue by the IES Plans Working gies on telecommunications survivability. Group (PWG).

The TSS Task Force concluded that no History of NSTAC Actions serious inconsistencies or gaps existed and Recommendations among NSTAC recommendations and the The NSTAC approved the TSS Task Force’s recommendations sufficiently met the final report and disbanded the task force on Government’s NS/EP telecommunications June 8, 1989. policy objectives. The NSTAC forwarded to the President the TSS Task Force recommendation to initiate a study to identify options for ensuring survivable electric power.

XXVII_PreviousIssues.indd 98 10/8/04, 4:35 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Actions Resulting from Reports Issued NSTAC Recommendations • TSS: Industry Responses to The TSS Task Force’s electric power May 13, 1983 Questionnaire, recommendations led to the establishment September 1983. of the original Energy Task Force, and • TSS Task Force—Subgroup 1 Review, the intelligent networks study led to the September 1986. establishment of the Intelligent Networks Task Force. The IES, through the Opera- • TSS Task Force—Review of Power, tions Working Group (OWG) NS/EP Panel, September 1986. provides a continuing evaluation of the overall progress and direction of TSS. • TSS Task Force—Review of Security, The NS/EP Panel identifies any new September 1986. concerns relating to TSS, advises the OWG of areas requiring NSTAC or NCS actions or • TSS Network Management Report, study, monitors the status of general surviv- June 21, 1988. ability of telecommunications systems, and • TSS Review of Government Actions reports periodically on the status of TSS to in Response to NSTAC-Recommended the OWG. Initiatives, June 21, 1988. As part of the CNS program, the OMNCS • TSS Electric Power Survivability Office of Plans and Programs monitored Status Report, August 9, 1988. network management developments, including local exchange carrier network • TSS Task Force Final Report: management capabilities. In addition, Telecommunications System members assigned to the OMNCS Office of Survivability—Assessment and Technology and Standards Network Future Directions, May 2, 1989. Management and Technology Planning task assessed the effects of congestion on NS/EP telecommunications and how expert systems could improve network management for NS/EP telecommunications. The NCS continued to encourage compliance with NCS Notice 3-0-1, NS/EP ELS, which recommended that Federal departments and agencies having NS/EP telecommunications missions consider obtaining ELS to increase their probability of obtaining a timely dial tone. The Department of Energy was directed to implement several Energy Task Force recommendations.

XXVII_PreviousIssues.indd 99 10/8/04, 4:35 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Telecommunications The task force also assisted the TSP Program Service Priority Office in establishing the initial TSP System Oversight Committee charter. The National Investigation Group Communications System (NCS) Council of Representatives TSP Subcommittee and Telecommunications Service Priority (TSP) the TSP Task Force drafted and approved Task Force the charter in February 1990, and the Department of Defense (DoD) and the Period of Activity General Services Administration (GSA) approved the charter in November 1990. December 1984–December 1990 Subsequently, adoption of an amendment Issue Background occurred in April 1991.

In December 1984, the NSTAC identified The task force had a role in both the creation TSP as an urgent issue because of the need of the TSP Oversight Committee and the for a system that authorized both priority selection of Oversight Committee members. provisioning and restoration of NS/EP During the week of September 28 through services for Federal, State, and local govern- October 3, 1987, the TSP Task Force and ments and private users. The TSP System NCS Council of Representatives met and replaced the Restoration Priority (RP) discussed the operational framework for System, which covered only the restora- the TSP System, including the establish- tion of Federal Government, inter-city, ment of the TSP Oversight Committee. and private lines. The NSTAC Industry On March 29, 1990, the TSP Task Force rec- Executive Subcommittee (IES) established ommended that the Manager, NCS, appoint the TSP Task Force on February 21, 1985, to the following initial members to the TSP advise and assist the Office of the Manager, Oversight Committee: AT&T, Contel, McCaw National Communications System (OMNCS) Cellular, MCI, Bellcore, Sprint, GTE, State of in developing the TSP System, specifically California, State of South Carolina, Depart- regarding provisioning, restoration, mainte- ment of Transportation, Federal Emergency nance, legal, and regulatory issues. Management Agency, DoD, GSA, Depart- ment of Energy, Department of Commerce, History of NSTAC Actions National Telecommunications and Informa- and Recommendations tion Administration, and FCC. The NSTAC approved the membership list and delegated The task force worked closely with the future industry TSP Oversight Committee OMNCS in the development of the TSP membership nominating authority to the IES. System and provided assistance with its implementation. Specifically, the task Additionally, the task force assisted in devel- force had a significant advisory role in oping the documentation that made the TSP creating the Petition for Rulemaking and System operational. Proposed Federal Communications Commission (FCC) Rules for the TSP System.

100

XXVII_PreviousIssues.indd 100 10/8/04, 4:35 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

The task force helped create the TSP Reports Issued Service Vendor Handbook, which provides operational details of the TSP System that • TSP Information Guide, service vendors will use as guidance for December 1989 (published for implementation and operation of TSP. the TSP Task Force by the U.S. The task force developed the TSP Informa- Telephone Association, now the tion Guide, a TSP primer for small telephone U.S. Telecom Association). companies, published by the United States • TSP Service Vendor Handbook Telephone Association in December 1989. (NCSH 3-1-2), July 1990. Furthermore, the task force had a significant advisory role in creating NCS issuances on • Final Report of the TSP Task Force, TSP procedures. Specifically, the task force September 1990. helped develop NCS Directive 3-1, which clarified the responsibilities of and procedures for all TSP System entities. The task force also assisted in the development of the TSP Service User Manual, which provided a set of guidelines for all users of the TSP System.

The task force presented its final report at NSTAC XII in December 1990, including a recommendation to the President, which stated that the Federal Government should continue to support and administer the TSP System, as defined in NCS Directive 3-1.

Actions Resulting from NSTAC Recommendations

TSP System implementation began on September 10, 1990. The implementation plan included a two-and-a-half-year period for transition from the RP to the TSP System. The TSP System became fully operational on March 9, 1993.

Today, the TSP Oversight Committee continues to meet on a biannual basis. Likewise, the OMNCS continues to provide the operational support for the TSP System.

101

XXVII_PreviousIssues.indd 101 10/8/04, 4:35 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Telecommunications Service • Carriers should develop internal Priority Carrier Liability policies for preempting non- NS/EP users. Investigation Group On March 15, 1991, the FRWG reported its Industry Executive Subcommittee (IES) findings to the IES. The IES concurred with Funding and Regulatory Working the FRWG’s findings. Group (FRWG)

Period of Activity

November 16, 1990–January 31, 1991

Issue Background

The Federal Communications Commission Telecommunications Service Priority (TSP) Report and Order authorizes telecommunications carriers to install or restore NS/EP telecommunications on a priority basis over services that do not serve NS/EP requirements. The FRWG reviewed this issue to further define the protection against liability offered by the TSP Report and Order. One area of concern identified by the working group was 911 service. The working group concurred that the TSP Report and Order offered adequate protection to carriers. The FRWG also observed that services provided under contract rather than through tariffs may not be protected by the TSP Report and Order language. The FRWG reached the following conclusions:

• The TSP Report and Order offered sufficient protection against liability charges arising from the disruption of non-NS/EP user tariffed services

• The TSP Report and Order had not fully defined the legal ramifications of preempting a contracted versus a tariffed service

102

XXVII_PreviousIssues.indd 102 10/8/04, 4:35 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Physical Security of the The PWG, in conjunction with the OMNCS Public Switched Network Office of the Joint Secretariat, prepared a physical security study that examined Investigation Group current industry/Government activities, including results from a questionnaire given Industry Executive Subcommittee (IES) to the National Coordinating Center for Plans Working Group (PWG) Telecommunications industry representatives on physical security policy, operational Period of Activity procedures, and methods.

December 1990–September 1991 The study also documented past NSTAC task force and OMNCS efforts regarding Issue Background physical security of NS/EP telecommu- On December 13, 1990, at NSTAC XII, nications facilities, sites, and assets and an NSTAC member questioned the relevant conclusions and recommendations physical security of the public switched of those past efforts. The study concluded network (PSN), because the issue resur- that current industry/Government activity faced in the National Research Council and past NSTAC and OMNCS documents report on the growing vulnerability of demonstrated industry and Government the PSN. Several task forces had previously made substantial progress in addressing addressed physical security. In March 1990, the physical security of telecommunications the NSTAC’s National Research Council facilities, sites, and assets. According to the Report Task Force Final Report addressed study, physical security was well planned the physical security issue and stated that and managed in general. industry agreed there were PSN vulner- After reviewing the information in this abilities, but disagreed that there was a study, the PWG concluded that it needed no growing trend. The NSTAC tasked the IES further NSTAC review at that time. The IES to work with the Office of the Manager, amended and approved the physical security National Communications System (OMNCS) study at the September 5, 1991, IES meeting. to address this issue. The IES subsequently assigned the PWG the task of assisting History of NSTAC Actions the OMNCS. The PWG examined the and Recommendations physical security issue to determine if the NSTAC should review further. At the October 3, 1991, NSTAC XIII meeting, members approved the PWG report conclusion that the physical security issue required no further study.

Report Issued

IES Plans Working Group, A Review of Physical Security, September 1991.

103

XXVII_PreviousIssues.indd 103 10/8/04, 4:35 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Intelligent Networks The IN Task Force presented its final report and recommendations at the November 1990 Investigation Group IES meeting. The IES referred the report to the IES OWG for evaluation. The OWG’s Intelligent Networks (IN) Task Force New Technology Panel developed an executive report on INs in response to the Period of Activity IES charge to evaluate and refine the con- August 1989–October 1991 clusions and recommendations of the IN Task Force Final Report. NSTAC XIII directed Issue Background the IES to disband the IN Task Force. In its Executive Report to the President, NSTAC The Telecommunications System Surviv- offered to provide additional support to ability Task Force selected IN as one of five assist the Government in meeting the chal- study topics focused on determining the lenges of intelligent networks. effect of new technologies on telecommunications systems survivability. In June 1989, History of NSTAC Actions the NSTAC charged the Industry Executive and Recommendations Subcommittee (IES) with continuing the intelligent network effort on an interim At NSTAC XIII, October 3, 1991, the NSTAC basis pending review by the IES Plans approved the following recommendation to Working Group (PWG.) Upon PWG recom- the President in the IES Executive Report on mendation that intelligent networks become Intelligent Networks: a full task force, the IES established the IN • The Government should establish an Task Force in August 1989. IN Program Office to ensure advan- NSTAC XI extended the activities of tages of evolving intelligent networks the IN Task Force until NSTAC XII, are incorporated into planning for December 13, 1990. To meet its charge, and procurement of Government the task force worked with the Office of NS/EP telecommunications. the Manager, National Communications Actions Resulting from System (OMNCS) to derive a set of desired NSTAC Recommendations NS/EP user features and compared them with intelligent network services. The task The OMNCS established an Advanced Intel- force determined the advantages and dis- ligent Networks (AIN) Program Office in its advantages of identified intelligent network Office of Plans and Programs. The primary services for NS/EP telecommunications, objectives of the AIN Program Office are to including interoperability considerations. The IES extended the IN Task Force until • Identify AIN service needs for NSTAC XIII to allow the Operations Working NS/EP telecommunications Group (OWG) to work with the task force and the OMNCS to refine the recommendations • Determine the current status in the task force final report. and planned capabilities of AIN technology

104

XXVII_PreviousIssues.indd 104 10/8/04, 4:35 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

• Demonstrate AIN capabilities supporting NS/EP requirements

• Assess the status of AIN standards activities

• Develop and implement a strategy for influencing the direction of AIN standards.

The AIN Program Office awarded a five-year AIN NS/EP contract to Bellcore to provide a mechanism for collecting IN and AIN data, analyzing new technology developments, and demonstrating AIN-based applications. By meeting those objectives and obtaining pertinent information from Bellcore, the OMNCS will help ensure NS/EP telecommunications users benefit from the evolving AIN technology.

Reports Issued

• The IN Task Force Final Report: The Impact of IN on NS/EP Telecom- munications, November 7, 1990.

• The Industry Executive Subcom- mittee: Executive Report on IN, October 3, 1991.

105

XXVII_PreviousIssues.indd 105 10/8/04, 4:35 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

National Research History of NSTAC Actions Council Report and Recommendations In March 1990, the NSTAC approved the Investigation Group findings of the NRC Report Task Force. National Research Council (NRC) Contrary to the NRC’s findings, the task Report Task Force force concluded the PSN was growing more survivable. This survivability stems Period of Activity: from the increased network diversity provided by the existence of three major August 18, 1989–March 29, 1990 interexchange carriers, the increased user demand for network service availability, the Issue Background deployment of robust network architectures, In June 1989, the NSTAC noted that the NRC and the incorporation of advanced transmis- report, Growing Vulnerability of the Public sion, switching, and signaling technologies. Switched Networks (PSN): Implications The task force also noted that current for National Security Emergency Prepared- technologies and competitive trends were ness, differed from Telecommunications enhancing network robustness. Systems Survivability Task Force findings. Actions Resulting from The NSTAC, therefore, charged the Industry Executive Subcommittee (IES) with NSTAC Recommendations examining those differences and reporting The NRC Report Task Force agreed with back in early 1990. In response, the IES some of the recommendations of the NRC formed the NRC Report Task Force and report and believed that the issue of growing issued the following charges: vulnerabilities of the PSN needed to be further addressed. Therefore, the IES estab- • If it agreed with the NRC report, address what actions should be lished the Network Security Task Force. taken by industry to assist the In 1991, the NRC report attracted consid- Government in implementing the erable attention in Congress and at the NRC’s recommendations Federal Communications Commission (FCC) due to recurring outages of the PSN. • If it did not agree, give the reasons why and the factors bearing on the The FCC established the Network Reliabil- differing perspectives of the IES ity Council on February 27, 1992, to make and the NRC recommendations to the FCC on improving network reliability. The Network Reliabil- • Comment on the report’s ity Council sponsored a symposium from implications for interoperability. June 10-11, 1993, in Washington, D.C., on industry’s best practices for avoiding and The task force issued its final report in minimizing the risk and impact of future March 1990. telephone network outages.

106

XXVII_PreviousIssues.indd 106 10/8/04, 4:35 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Report Issued

• NRC Report Task Force Final Report, March 1990.

107

XXVII_PreviousIssues.indd 107 10/8/04, 4:35 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Commercial Satellite In March 1990, the NSTAC approved the Survivability final report of the reactivated CSS Task Force, which concluded that the CSI Phase Investigation Group II Architecture approach was reasonable, and made several recommendations to Commercial Satellite Survivability (CSS) the Government. Task Force History of NSTAC Actions Periods of Activity and Recommendations

December 1982–April 1984 At its first formal meeting on December 14, 1982, the NSTAC established June 1988–March 1990 the CSS Task Force to review a set of specific satellite initiatives selected for implementa- Issue Background tion, develop an implementation concept, At its first formal meeting on and prepare a report of its actions and December 14, 1982, the NSTAC agreed to recommendations for the NSTAC. emphasize commercial satellite communica- In September 1988, the NSTAC concurred tions survivability initiatives. The NSTAC with the IES June 1988 reactivation of the directed the CSS Task Force Resource CSS Task Force to review the proposed Enhancements Working Group to assess the objectives and implementation initiatives vulnerability of the commercial satellite of the CSI Phase II Architecture and communications network and the enhance- offer recommendations. ments to the NS/EP telecommunications infrastructure that the use of commer- In March 1990, the NSTAC approved the final cial carrier satellites and Earth terminals report of the reactivated CSS Task Force. could provide. A separate CSS Task Force The report concluded that the CSI Phase II reviewed a set of specific satellite initiatives Architecture approach was reasonable and it selected for implementation, developed an recommended the Government: implementation concept, and prepared a report of its actions and recommendations • Include Ku-band assets in the CSI for the NSTAC. program to provide “access”

In June 1988, the NSTAC Industry Executive • Augment selected large Ku-band Subcommittee (IES) reactivated the CSS Task earth stations and control facilities to Force to review the proposed objectives and provide Ku-band interoperability implementation initiatives of the Commer- cial SATCOM Interconnectivity (CSI) Phase II Architecture and offer recommendations. The NSTAC concurred with this action in September 1988.

108

XXVII_PreviousIssues.indd 108 10/8/04, 4:35 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

• Use very small aperture terminal The first CSS Task Force’s investigations technology to restore selected trunk- resulted in the definition of 12 initiatives ing between interexchange carrier for improving the survivability and switches and local exchange carrier robustness of commercial satellite com- end offices, and selected users in the munications resources. The investigations United States to access the public also resulted in the incorporation of switched network (PSN) via direct the CSS Program Office, established in connection at an access tandem November 1984, as the CSI Program Office in 1987. In addition, the CSS Task Force • Pursue investigations, analyses, and approved the CSI as part of the National augmentations necessary to ensure Level NS/EP Telecommunications Program. NS/EP telecommunications service can be extended from the United The CSI Program Office reviewed the States to NS/EP users overseas. CSS Task Force Phase II recommendations. The CSI Program Office investigated The NSTAC also approved several specific satellite technologies, such as Ku-band, recommendations to the Government and enhanced capabilities, such as regarding the use and augmentation of connecting to local exchange carriers’ satellite assets to achieve various types switches and providing PSN remote access to of connectivity. NS/EP users, as part of the CSI architecture development effort. The projected CSI Phase During NSTAC Cycle XXVII (May 2003– II Architecture implementation date was in May 2004), the NSTAC revisited issues FY 96, but due to budget constraints, the CSI related to NS/EP dependence on commercial program was terminated in September 1994. satellites with a study focused on commercial satellite vulnerabilities. (See the Reports Issued Satellite Security section in the Active Issues section of this NSTAC Issue Review.) • Issue Papers for Commercial Communications Satellite Actions Resulting from Systems Survivability Initiatives, NSTAC Recommendations March 21, 1983.

The TSS Task Force reviewed the Govern- • Commercial Satellite Communications ment actions taken on the NSTAC’s CSS Task Survivability Report, prepared by the Force Phase I recommendations and found CSS Task Force Resource Enhance- that the CSI Program and the Industry Infor- ments Working Group, May 20, 1983. mation Security Task Force were pursuing most of the CSS initiatives. The TSS Task • Addendum to the Commercial Satellite Force recommended that three aspects Communications Survivability Report, of the CSS initiatives be studied further: May 20, 1983. Ku-band interoperability, up-link jamming • CSS Status Report, April 15, 1984. protection, and transportable terminals.

109

XXVII_PreviousIssues.indd 109 10/8/04, 4:35 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

• Final Report of the CSS Task Force, December 1989.

• Final Report of the CSS Task Force, Appendix A, Technical Subgroup Report, December 1989.

• Final Report of the CSS Task Force, Appendix B, Operational Subgroup Report, December 1989.

• Final Report of the CSS Task Force, Appendix C, International Subgroup Report, December 1989.

110

XXVII_PreviousIssues.indd 110 10/8/04, 4:35 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Industry Information Security Actions Resulting from NSTAC Recommendations Investigation Group The National Security Agency (NSA) Industry Information Security (IIS) continued and expanded the Protected Com- Task Force munication Zone program. NSA developed standardized encryption modules for Period of Activity terminal unit platforms and reendorsed the Data Encryption Standard algorithm. August 19, 1986–September 22, 1988 Federal agencies continued the information Issue Background security education program.

Based on widespread concern within the Reports Issued Government regarding the protection of • The IIS Task Force Report, Volume I, sensitive but unclassified information, November 1986. the President requested that the NSTAC identify initiatives that would facilitate • The IIS Task Force Report, Volume II, the protection of sensitive information Appendices, November 1986. processing systems. On August 19, 1986, the NSTAC Industry Executive Subcommit- • Status Report of the IIS Task Force, tee (IES) established the IIS Task Force to October 1987. develop industry’s perspective on the issue. The original IIS Task Force defined and • Final Report of the IIS Task Force— identified sensitive information categories, Industry Information Protection, the relationship between telecommunica- Volume I, June 1988. tions and automated information systems, • Final Report of the IIS Task Force— an analysis methodology, and areas for Industry Information Protection, further investigation. The IES then estab- Volume II, Appendices, June 1988. lished a follow-on IIS Task Force to improve information security in telecommunications • Final Report of the IIS Task Force and automated information systems. The IIS Industry Information Protection, Task Force submitted its final report to the Volume III, Annotated Bibliography, NSTAC on September 22, 1988. It contained June 1988. ten conclusions and eight recommendations. The NSTAC approved the report and forwarded it to the President.

History of NSTAC Actions and Recommendations

On September 22, 1988, the NSTAC approved the IIS Task Force final report and forwarded it to the President.

111

XXVII_PreviousIssues.indd 111 10/8/04, 4:35 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

National Telecommunications The NCS completed the NTMS program plan Management Structure in March 1989, and it is updated periodically. The NSTAC disbanded the NTMS Task Force Investigation Group on June 8, 1989.

National Telecommunications Management Actions Resulting from Structure (NTMS) Task Force NSTAC Recommendations

Period of Activity Through the NCC, industry provides advice and assistance in pursuit of NTMS August 19, 1986–June 8, 1989 operational capability.

Issue Background The NCS established the Council of Representatives NTMS Subcommittee to On May 22, 1986, the NSTAC concurred assist in achieving NTMS initial opera- with the Government that there was a need tional capability. The NTMS program for a survivable and endurable management became operational with the implementa- structure to support NS/EP telecommunication of the northeast region in October 1990. tions requirements, and agreed that industry In September 1991, the activation of the and Government should work jointly to southwest and northwest regions provided develop such a capability. As a result, the additional capability. The subcommittee also NSTAC established the NTMS Task Force in completed NTMS regional validations in August 1986 and charged it with assisting in Chicago, Illinois, during November 1992; in developing an NTMS implementation plan. Atlanta, Georgia, during February 1993; and in Denver, Colorado, during April 1993. History of NSTAC Actions and Recommendations Report Issued

On November 6, 1987, the NSTAC forwarded • NTMS Implementation Concept to the President its recommendation to (Final), November 1987. approve the NTMS Implementation Concept. The Executive Office of the President approved the concept on March 25, 1988. The Office of the Manager, National Com- munications System (NCS), opened the NTMS Program Office on June 17, 1988. During the week of July 12–15, 1988, the NCS conducted the NTMS trial exercise to determine the feasibility of the NTMS concept and funding requirements. The NCS successfully tested the National Telecom- munications Coordinating Network concept September 27–29, 1988.

112

XXVII_PreviousIssues.indd 112 10/8/04, 4:35 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Telecommunications • Dependence on other Industry Mobilization infrastructure systems • Industry and Government Investigation Group mobilization management structure Telecommunications Industry • Jurisdictional issues. Mobilization (TIM) Task Force The TIM Task Force recommended a Period of Activity industry and Government forum be established to assess the seven TIM subject areas. June 7, 1985–June 8, 1989 In December 1985, industry and Govern- Issue Background ment concurred with the formation of the Joint Industry/Government TIM Group, Recognizing the prominent role of the which began addressing TIM subjects on telecommunications industry in a national January 29, 1986. mobilization, the NSTAC formed the TIM Task Force and instructed it to develop an History of NSTAC Actions issue statement. Meanwhile, the Office of and Recommendations the Manager, National Communications System (OMNCS) developed the NS/EP The NSTAC approved and forwarded Telecommunications Plan of Action to to the President the Joint TIM Group’s implement relevant portions of Executive reports, Personnel Issues and Dependence on Order 12472 and National Security Decision Foreign Sources, on November 6, 1987, and Directives 47 and 97. The plan, approved by approved and forwarded to the President the National Communications System (NCS) the reports, Government and Industry Committee of Principals in 1985, included Mobilization Management Structure and an action to provide Government leadership Maintenance of Stockpiles and Inventories on in telecommunications industry mobilization September 22, 1988. planning activities. On June 8, 1989, the NSTAC approved and In September 1985, the TIM Task Force forwarded to the President the Joint TIM identified the following mobilization Group’s final reports onTelecommunications subjects as needing further study: Service Surge Requirements, Dependence on other Infrastructure Systems, and Juris- • Telecommunications service dictional Issues, a final report with overall surge requirements recommendations on telecommunications industry mobilization. The NSTAC then • Personnel issues disbanded the Joint TIM Group.

• Maintenance of stockpiles and inventories

• Dependence on foreign sources

113

XXVII_PreviousIssues.indd 113 10/8/04, 4:35 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Actions Resulting from The telecommunications industry had NSTAC Recommendations substantially implemented those recommendations and the report addressed them. The original Energy Task Force further The OMNCS believed that the agencies defined the TIM recommendations on assigned to implement the recommendations energy issues, including underground had responded favorably, and that the TIM storage tank regulations. program could be considered a success. The OMNCS also believed that further The National Security Council and the formal monitoring of the TIM program was Executive Office of the President initiated not necessary. a review of overall national security mobilization preparedness. The Federal Reports Issued Emergency Management Agency implemented several TIM recommendations • Volume I, TIM Issue Statement, as part of the Graduated Mobilization September 5, 1985. Response Plan. The OMNCS Office of the • Volume II, Background and Support- Joint Secretariat developed a plan of action, ing Material, September 5, 1985. involving all NCS member organizations, designed to track implementation of the • Personnel Issues, September 1987. TIM recommendations. The plan included identification of task responsibilities, a • Dependence on Foreign Sources, time-phased work plan, and a schedule of October 1987. status reports. The Baseline Mobilization program involved assigning “lead” • Government and Industry Mobi- organizations to follow up and take actions lization Management Structure, necessary to implement each TIM June 1988. recommendation during a three-year period, • Maintenance of Stockpiles and Inven- with 36 tasks distributed among the NCS tories, June 1988. member organizations. • Telecommunications Service Surge In September 1993, the OMNCS Office of Requirements, January 1989. the Joint Secretariat issued its Final Report on TIM Recommendations. The report • Dependence on Other Infrastructure presented the actions taken by various NCS Systems, April 1989. member agencies on 11 recommendations having a significant and immediate effect on • Assessment of TIM Capabilities (V. I), NS/EP telecommunications. The remaining April 1989. 25 recommendations, while of considerable TIM Subject Reports (V. II), importance, were of somewhat lesser signifi- • April 1989. cance relative to their immediate impact on NS/EP telecommunications. • Jurisdictional Issues, April 1989.

• Exercise Participation, April 1989.

114

XXVII_PreviousIssues.indd 114 10/8/04, 4:35 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

• Final Report on TIM Recommendations, September 1993.

115

XXVII_PreviousIssues.indd 115 10/8/04, 4:35 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Commercial Network • Specification of survivability Survivability requirements for NS/EP services • Development of NS/EP network Investigation Group architecture plans Commercial Network Survivability (CNS) • Development of plans and Task Force procedures for network Period of Activity emergency operations Acquisition and maintenance February 29, 1984–October 9, 1985 • of databases Issue Background • Government participation in In September 1983, the NSTAC Industry standards organizations. Executive Subcommittee (IES) reviewed The President endorsed those initiatives, and the issues associated with telecommunica- the Office of the Manager, National Com- tions systems survivability and decided munications System (OMNCS) undertook its scope was too broad for a single task a CNS program. On November 6, 1987, the force to address. The IES requested that NSTAC approved the Telecommunications the Resource Enhancements Working Systems Survivability (TSS) Task Force’s Group (REWG) and the Emergency Response findings and recommendations on CNS and Procedures Working Group (ERPWG) meet forwarded them to the President. to discuss and refine the issues. The REWG and ERPWG met on November 9, 1983. Actions Resulting from They suggested establishing the CNS Task NSTAC Recommendations Force to develop and prioritize initiatives to enhance the survivability of the terrestrial The TSS Task Force reviewed Govern- portion of commercial carrier networks. ment actions taken on the NSTAC’s The IES initiated the assessment of the CNS recommendations. The task force CNS issue on February 29, 1984. It formed found the Government’s actions focused the CNS Task Force and instructed it to on the highest threat level, but the Gov- improve the survivability of commercial ernment had taken no action on the CNS communications systems and facilities, and Task Force recommendation to form a joint identify initiatives to improve interactive industry and Government group to develop emergency response capabilities among the network architecture plans. The TSS Task commercial networks. Force recommended that the CNS program be expanded to include the entire threat History of NSTAC Actions spectrum and all NS/EP users. and Recommendations

On October 9, 1985, the NSTAC forwarded five CNS recommendations to the President regarding:

116

XXVII_PreviousIssues.indd 116 10/8/04, 4:35 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

The OMNCS established a CNS Program Reports Issued Office which engineered and implemented enhancements in the public switched • CNS Task Force (Interim) Report, network (PSN) for NS/EP disaster recovery December 6, 1984. communications use during regional • CNS Task Force Final Report, emergencies and national crises. The CNS August 1985. Program Office evaluated the effectiveness of those enhancements by modeling the anticipated effects of natural disasters and wartime scenarios using computer simulations and through proof-of-concept testing. The OMNCS used its computer modeling capabilities and extensive database containing detailed information on the structure of the PSN to assess the CNS enhancements. Enhancements included dedicated leased lines in the local exchange carrier networks to provide alternate, survivable routes for NS/EP communications. The program office expected future enhancements to use advanced technology service offerings from those same carriers and from cellular service providers and competitive access providers.

The Mobile Transportable Telecommuni- cations (MTT) program, an associated effort, demonstrated reconnecting isolated portions of the PSN using standard military radio equipment. The MTT program performed these demonstrations with National Guard equipment and participation. The CNS Program Office worked with other National Level NS/EP Telecommunications Program (NLP) elements to ensure interoperability of CNS network enhancements with other NLP component programs, such as Commercial Satellite Command Interconnectivity and the Government Emergency Telecommunications Service. In September 1994, the CNS program was terminated due to budget constraints.

117

XXVII_PreviousIssues.indd 117 10/8/04, 4:35 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Funding of NSTAC Initiatives The NSTAC instructed all NSTAC task forces and working groups to apply the FNI Investigation Group funding methodology to the recommendations they developed. The FRWG assists Funding of NSTAC Initiatives (FNI) all active and future NSTAC task forces, Task Force when necessary, in providing cost/benefit estimates and proposed funding mecha- Period of Activity nisms for all recommended initiatives using April 3, 1984–December 12, 1984 the guidelines from the funding report.

Issue Background Actions Resulting from NSTAC Recommendations On April 3, 1984, the NSTAC agreed to address the funding of NSTAC initiatives The FRWG (reconvened March 1990) issue to determine the costs and benefits reviewed the NSTAC funding methodology associated with its recommendations to and worked with the Enhanced Call the Government. The purpose of FNI was Completion Task Force to develop an to guide and prioritize NSTAC actions. order-of-magnitude cost model for use by In August 1984, the Funding and Regula- all task forces. The IES renamed the FRWG tory Working Group (FRWG) established the the Legislative and Regulatory Group FNI Task Force to investigate approaches to in accordance with the December 1994 NSTAC funding mechanisms. IES Guidelines.

History of NSTAC Actions Report Issued and Recommendations • NSTAC Funding Methodology, On December 12, 1984, the NSTAC October 25, 1984. approved the funding methodology developed by the FNI Task Force and instructed the Industry Executive Subcom- mittee (IES) to:

• Adopt the methodology developed by the FNI Task Force

• Issue the funding methodology as guidance to all existing and future task forces

• Direct all task forces to determine costs, benefits, and applicable funding mechanisms for each recommended initiative.

118

XXVII_PreviousIssues.indd 118 10/8/04, 4:36 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Electromagnetic Pulse On October 9, 1985, the NSTAC approved the EMP Final Task Force Report and Investigation Group forwarded a recommendation to the President, calling for a joint industry and Electromagnetic Pulse (EMP) Task Force Government program to reduce the costs of existing techniques for mitigating high- Period of Activity: altitude electromagnetic pulse-induced September 27, 1983–October 9, 1985 transients and to develop new techniques for limiting transient effects. Issue Background: Actions Resulting from The NSTAC Industry Executive Subcom- NSTAC Recommendations mittee initiated the EMP assessment on September 27, 1983, in response to a The Telecommunications Systems Government request for industry’s perspec- Survivability (TSS) Task Force reviewed tive on the options available to industry the Government actions taken on the and Government for improving the EMP NSTAC’s EMP recommendations. It found survivability of the Nation’s telecommunica- that the Government had implemented tions networks. The NSTAC approved the nine of the EMP initiatives or was imple- EMP study on April 3, 1984. menting them. The TSS Task Force made the following recommendations: History of NSTAC Actions and Recommendations • Industry and Government should continue to work together to On December 12, 1984, the NSTAC implement the EMP initiatives forwarded the following recommendations The Government should prepare an on EMP to the President: • unclassified EMP handbook • Designate an appropriate Federal Industry, consistent with cost, agency to serve as an industry point • should incorporate low-cost of contact for EMP mitigation efforts mitigation practices in its new/ and information distribution upgrade programs. • Support industry through its The NSTAC approved the TSS Task Force’s standards organizations in the findings and recommendations on EMP development of electromagnetic and forwarded them to the President on standards that take the EMP November 6, 1987. environment into account The Office of the Manager, National • Undertake a program to improve Communications System (OMNCS) the EMP endurability of the Nation’s designated its Office of Technology and commercial electrical power systems. Standards as the Federal office to serve as an industry and Government point of contact.

119

XXVII_PreviousIssues.indd 119 10/8/04, 4:36 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

It used the American National Standards Institute T1Y1 Committee as a forum for developing electromagnetic standards in support of industry and issued an unclassified EMP handbook EMP( Mitigation Program Approach, NCS-TIB 87-17). The OMNCS received results from a simulated EMP test on an AT&T public switched network (PSN) switch. The OMNCS assessed the EMP impact on the PSN based on test results of transmission, signaling, and switching facilities. EMP test analysis results showed little cause for concern regarding the physical EMP survivability of the PSN, but revealed an increasing PSN vulnerability to EMP- induced switch and signaling upset.

Reports Issued

• EMP Task Force Status Report, January 12, 1984.

• EMP Final Task Force Report, July 1985.

120

XXVII_PreviousIssues.indd 120 10/8/04, 4:36 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

International Diplomatic • Establish a DOS point of contact to Telecommunications serve the telecommunications needs of foreign missions operating in the Investigation Group United States.

International Diplomatic The NSTAC also instructed the IES to Telecommunications (IDT) Task Force assist the DOS in determining the feasibility of using telecommunications resources Period of Activity owned by U.S. industries to support diplomatic requirements during interna- September 27, 1983–December 12, 1984 tional emergencies.

Issue Background Reports Issued

National Security Decision Directive (NSDD) • IDT Task Force Interim Report to IES, No. 97 stipulates that U.S. Government January 16, 1984. missions and posts overseas must have the required telecommunications facilities • IDT Task Force Final Report, and services to satisfy the Nation’s needs March 15, 1984. during international emergencies. The National Communications System requested that the NSTAC advise the Department of State (DOS) on the vulnerability and risks inherent in overseas leased networks and offer remedial measures. On September 27, 1983, the NSTAC Industry Executive Subcommittee (IES) formed the IDT Task Force to study the issue and develop recommendations.

History of NSTAC Actions and Recommendations

In April 1984, the NSTAC forwarded the following recommendations on IDT to the President:

• Review vulnerabilities and risks at overseas diplomatic posts using the guidelines established by the IDT Task Force

121

XXVII_PreviousIssues.indd 121 10/8/04, 4:36 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Automated Information • Develop NS/EP AIP policy

Processing • Initiate efforts to enhance the survivability of NS/EP AIP in general Investigation Group • Provide the necessary funding and Automated Information Processing (AIP) develop incentives for AIP Task Force survivability enhancements.

Period of Activity The Telecommunications Systems Survivabil- ity (TSS) Task Force worked on the AIP issue. December 14, 1982–December 12, 1984 It reviewed the Government’s responses to Issue Background the NSTAC IV’s AIP recommendations. On September 22, 1988, the NSTAC The need to ensure a survivable AIP approved and forwarded the TSS Task Force capability to support NS/EP telecommunica- findings and recommendations on AIP to tions prompted the NSTAC to initiate a study the President. of the AIP issue on December 14, 1982. The AIP Task Force addressed the issue for Actions Resulting from nearly two years. NSTAC Recommendations

History of NSTAC Actions The TSS Task Force reviewed the and Recommendations Government’s responses to the NSTAC’s AIP recommendations. The task force found In July 1983, NSTAC II recommended that the Commercial Network Survivability the President direct the National Security program was addressing the recommenda- Council, in conjunction with industry, to tions regarding AIP embedded in telecom- identify essential NS/EP functions and munications, but the Government had not their dependence on AIP, and to rank those implemented the recommendations on functions in order of priority on a time- AIP for telecommunications operational phased basis. In April 1984, NSTAC III support and AIP required to support NS/EP recommended that the President establish an functions in general. The TSS Task Force AIP vulnerability awareness program within recommended the Government consider the Government. On December 12, 1984, the implications of all operational support NSTAC IV forwarded the following AIP rec- AIP, especially for network management, ommendations to the President: restoration, and reconstitution; and that the Government implement an NS/EP AIP Establish a full-time management • awareness program. The NSTAC approved entity to implement the telecommu- the TSS Task Force’s findings and recom- nications AIP survivability effort mendations on AIP and forwarded them to the President on September 22, 1988. • Conduct AIP vulnerability awareness programs in conjunction with the private sector

122

XXVII_PreviousIssues.indd 122 10/8/04, 4:36 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Reports Issued

• Working Group Proceedings on AIP Survivability, October 6, 1982.

• AIP Task Force Report, June 1983.

• Strategy and Recommendations for Achieving Enhanced NS/EP AIP Survivability, October 25, 1984.

• Final Report Addendum, May 1, 1985.

123

XXVII_PreviousIssues.indd 123 10/8/04, 4:36 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

National Coordinating Actions Resulting from Mechanism NSTAC Recommendations The Telecommunications System Investigating Group Survivability (TSS) Task Force reviewed National Coordinating Mechanism (NCM) Government actions taken on the NSTAC’s Task Force NCM recommendations and concluded that the NCM recommendations were carried Period of Activity out promptly and effectively. The task force recommended continuing National December 14, 1982–November 15, 1984 Communications System (NCS) member organizations’ representation in the NCC, Issue Background and continuing Government dissemination The NSTAC recognized the need to establish of NS/EP information. The NSTAC approved a mechanism for coordinating industry and the TSS Task Force’s findings and recommen- Government responses to the Government’s dations on the NCM and forwarded them to NS/EP telecommunication service require- the President on September 22, 1988. ments in the post-divestiture environment. The NCS member agencies’ representation As a result, NSTAC formed the NCM Task in the NCC continues, as does the Govern- Force in December 1982, and charged ment’s dissemination of NS/EP information. it to identify and establish the most The status of the NCC is reported at each cost-effective mechanism to coordinate Industry Executive Subcommittee meeting. industry-wide responses to NS/EP (See the Industry/Government Coordination telecommunications requests. and Response section in this NSTAC Issue History of NSTAC Actions Review for a fuller discussion of more recent and Recommendations NCC actions.)

The NSTAC forwarded a series of NCM Reports Issued recommendations to the President in 1983 • NCM Task Force Report, and 1984. May 16, 1983. The National Coordinating Center for • NCM Implementation Plan (Final Telecommunications (NCC) is the most Report), January 30, 1984. significant result of these recommendations. Established on January 3, 1984, the NCC is a joint industry/Government operations center that supports the Federal Government’s NS/EP telecommunication requirements.

124

XXVII_PreviousIssues.indd 124 10/8/04, 4:36 PM NSTAC Implementing and Governing Documentation 10/8/04, 4:36 PM 1 XXVII_AppendixA.indd XXVII_AppendixA.indd 2 10/8/04, 4:36 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Executive Order 12382 President’s National Security Telecommunications Advisory Committee

Source: Sec. 2 The provisions of Executive Order 12382 Functions. (a) The Committee shall provide of Sept. 13, 1982, appear at 47 FR 40531, to the President, among other things, infor- 3 CFR, 1982 Comp., p. 208, unless other- mation and advice from the perspective wise noted. of the telecommunications industry with respect to the implementation of Presidential By the authority vested in me as President Directive 53 (PD/NCS-53), National Security by the Constitution of the United States of Telecommunications Policy. America, and in order to establish, in accor- (b) The Committee shall provide infor- dance with the provisions of the Federal mation and advice to the President Advisory Committee Act, as amended regarding the feasibility of implementing (5 U.S.C. App. I), an advisory committee on specific measures to improve the tele- National Security Telecommunications, it is communications aspects of our national hereby ordered as follows: security posture. Section 1. (c) The Committee shall provide technical information and advice in the identifica- Establishment. (a) There is established the tion and solution of problems which the President’s National Security Telecommu- Committee considers will affect national nications Advisory Committee which shall security telecommunications capability. be composed of no more than 30 members. (d) In the performance of its advisory duties, These members shall have particular the Committee shall conduct reviews and knowledge and expertise in the field of assessments of the effectiveness of the telecommunications and represent elements implementation of PD/NCS-53, National of the Nation’s telecommunications industry. Security Telecommunications Policy. Members of the Committee shall be (e) The Committee shall periodically report appointed by the President. on matters in this Section to the President (b) The President shall annually designate a and to the Secretary of Defense in his Chairman and a Vice Chairman from among capacity as Executive Agent for the National the members of the Committee. Communications System. (c) To assist the Committee in carrying out its functions, the Committee may establish appropriate subcommittees or working groups composed, in whole or in part, of individuals who are not members of the Committee.

A-1

XXVII_AppendixA.indd 1 10/8/04, 4:36 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Sec. 3 Administration. (a) The heads of Executive agencies shall, to the extent permitted by law, provide the Committee such information with respect to national security telecommunications matters as it may require for the purpose of carrying out its functions. Information supplied to the Committee, shall not, to the extent permitted by law, be available for public inspection. (b) Members of the Committee shall serve without any compensation for their work on the Committee. However, to the extent permitted by law, they shall be entitled to travel expenses, including per diem in lieu of subsistence. (c) Any expenses of the Committee shall, to the extent permitted by law, be paid from funds available to the Secretary of Defense. Sec. 4 General. (a) Notwithstanding any other Executive Order, the functions of the President under the Federal Advisory Committee Act, as amended (5 U.S.C. App. I), except that of reporting annually to the Congress, which are applicable to the Committee, shall be performed by the Secretary of Defense, in accord with guidelines and procedures established by the Administrator of General Services. (b) In accordance with the Federal Advisory Committee Act, as amended, the Committee shall terminate on December 31, 1982, unless sooner extended.

Ronald Reagan The White House, September 13, 1982.

[Filed with the Office of the Federal Register, 4:39 p.m., September 13, 1982.]

A-2

XXVII_AppendixA.indd 2 10/8/04, 4:36 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Charter of the President’s National Security Telecommunications Advisory Committee

I. Official Designation. Under Executive D. The Chairman of the Federal Order 12382, dated September 13, 1982, Communications Commission will and Executive Order 13225, dated be invited to participate in the September 30, 2001, this Committee activities of the Committee and is officially designated the President’s its subcommittees. Agencies and National Security Telecommunications officials of the Executive Branch may Advisory Committee (“the Committee”). also be invited to participate.

II. Membership and Organization. III. Objective, Scope of Activity, and Duties.

A. Membership and organization A. The Committee will function will be in accordance with in accordance with Section 2 of Executive Order 12382, dated Executive Order 12382, dated September 13, 1982. September 13, 1982. The Committee will provide information and B. There will be an Executive Secretary advice to the President on all who will be the Manager, National telecommunications aspects Communications System, under affecting national security and section 10(e) of the Federal Advisory emergency preparedness. Key policy Committee Act as amended statements include, but are not (5 U.S.C. App. I). limited to, Executive Order 12472, “Assignment of National Security C. The Committee will provide and Emergency Preparedness such guidance and direction as Telecommunications Functions” and is necessary and appropriate to National Security Decision Directive ensure the effective functioning of Number 97 (NSDD-97), “National any subcommittee so established. Security Telecommunications Policy.” Except where a special rule applicable to such subcommittees B. The Committee’s officers will have appears in an amendment to this the following responsibilities: Charter, the provisions of this Charter shall apply mutatis mutandis (1) The Chair will convene, to the subcommittees. preside at, and adjourn all meetings at his discretion, with the advance approval of the Executive Secretary.

A-3

XXVII_AppendixA.indd 3 10/8/04, 4:36 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

However, the Chair will also be The Executive Secretary will also obliged to adjourn any meeting maintain copies of all reports, the Executive Secretary advises which the Committee receives, him to adjourn when the issues, or approves. Executive Secretary determines an adjournment to be in the C. The Committee may consult public interest. with interested parties, agencies, interagency committees, or groups (2) The Vice Chair will act as Chair of the United States Government and in the absence of the Chair. with private groups and individuals as the Committee decides is (3) The Executive Secretary, who necessary or desirable. will be the Manager, National Communications System, IV. Official to Whom the will attend all meetings Committee Reports. and will advise the Chair to adjourn, or will adjourn, any A. The Committee will report in writing meeting when the Executive to the President of the United Secretary determines it is in the States, through the Assistant to public interest. The Executive the President for National Security Secretary will invite agencies Affairs, and to the Secretary and officials from the Executive of Defense, in his capacity as Branch to attend the meetings, Executive Agent for the National as he deems appropriate. Communications System. The Executive Secretary will B. The Committee, and any prepare the minutes of each subcommittees established by the meeting, the accuracy of which Committee, will work with the the Chair will certify and which Office of the Manager, National will at a minimum contain: Communications System, and a record of the membership appropriate representatives from present and the members of National Communications System the public who participate member organizations. in the meeting including the interests and affiliations they C. Any subcommittee established represent; a description of by the Committee will report to matters and materials discussed the Committee. and the conclusions, if any, reached; and the rationale for V. Estimated Costs and Staff Support. any recommendations made by A. Members of the Committee will serve members of the Committee. on it without any compensation for their work and in accordance with Section 3 of Executive Order 12382, dated September 13, 1982.

A-4

XXVII_AppendixA.indd 4 10/8/04, 4:36 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

B. The estimated annual cost of operating the Committee and its subcommittees is $2.4 million, including travel expenses, per diem, contractor support, and staff support.

C. The Secretary of Defense, in his capacity as Executive Agent for the National Communications System, will supply staff and support functions for the Committee. The estimated annual personnel staffing of such functions is 11.5 staff years, excluding contract support.

VI. Meetings and Termination.

A. The Committee will meet approximately every 9 months at the call of the Chair. Subcommittees will meet as necessary for their assigned responsibilities.

B. Under Executive Order 13225, dated September 30, 2001, the Committee will terminate on September 30, 2003, unless formally determined to be in the public interest to continue it for an additional period. A continuing need for the advice offered by this Committee is anticipated.

VII. Filing. This charter will be considered approved as of this date; copies will be filed with the Administrator of General Services and the Library of Congress under the provisions of the Federal Advisory Committee Act as amended (5 U.S.C., App. I).

A-5

XXVII_AppendixA.indd 5 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

National Security Telecommunications Advisory Committee Bylaws

Adopted: July 20, 1983 The IES is authorized to Amended: June 8, 1989 form subordinate Groups, Amended: January 12, 1995 titled Working Groups, Task Amended: April 7, 2003 Forces, or other appropriate title, necessary to carry out Article I: Organization and Operation the direction provided by the NSTAC and to develop Section 1: The National Security and recommendations for the Telecommunications Advisory NSTAC in accord with the Committee (NSTAC) shall NSTAC Charter and the be organized and operate in IES’s mission. The purpose accordance with the Federal of the IES is to advise Advisory Committee Act, as the NSTAC on matters amended (5 U.S.C. App. 2), concerning procedures, Executive Order 12382, plans, and policies for 13 September 1982, the the telecommunications Charter of the NSTAC, and and information systems these Bylaws. that support national security and emergency Section 2: The provisions of the Federal preparedness. The IES Advisory Committee Act, as shall meet approximately amended (5 U.S.C. App. 2), one month before and Executive Order No. 12382, one month after an 13 September 1982, and NSTAC meeting. At additional the Charter of the NSTAC Working Sessions of the shall govern in the event Subcommittee of the whole, of any conflict between the IES shall carry out its the provisions thereof and role as the NSTAC’S principal these Bylaws. working body.

Section 3: The NSTAC shall be supported by an Industry Executive Subcommittee (IES).

A-6

XXVII_AppendixA.indd 6 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

The IES performs the Section 3: Only NSTAC entities may be following functions: represented on the IES or identifies, plans, and defines subordinate Groups. NSTAC issues; strengthens industry and Government Section 4: Members of the NSTAC may coordination; examines not designate alternates. legislative and regulatory Members of the IES or any issues; oversees network subordinate Group may security activities; provides designate an alternate. feedback on the status of Such designation must be NSTAC recommendations; in writing with a copy and directs and oversees the provided to the Office of work of subordinate Groups. the Manager, National The IES shall report to the Communications NSTAC and the subordinate System (OMNCS). Groups shall report to the IES. An alternate shall have the privileges of a member. Article II: Membership Section 5: Consistent with any Section 1: The members of the NSTAC applicable security clearance shall be appointed by the requirements, any member President in accordance of the IES or his or her duly with the provisions of designated alternate may be Section 1(a) of Executive accompanied at any meeting Order No. 12382, dated by advisors. Any member or 13 September 1982. alternate may authorize an adviser to speak on behalf of Section 2: Each member of the NSTAC the member or alternate. shall have the authority to appoint one member of Article III: Chair and Voting the IES. The same individual may represent an industry Section 1: The Chair and Vice Chair entity on the IES and on one of the NSTAC shall be or more subordinate Groups. appointed by the President Except as provided in in accordance with the Article III, Section 5, provisions of Section the membership of the 1(b) of the Executive subordinate Groups shall Order No. 12382, dated consist of IES members 13 September 1982. elected by the IES for a term of two NSTAC cycles.

A-7

XXVII_AppendixA.indd 7 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Section 2: The Chair of the IES shall be With or without a quorum at the Deputy Manager of the a meeting, the Chair of the National Communications IES or subordinate Group System and not number in may conduct a recorded vote the count for a quorum nor by mail at any time absent vote on issues before the IES. objections of any member. At an IES Working Session, In the case of a mail vote, the IES member from the a quorum is constituted by NSTAC Chair’s company shall receipt of votes from more chair the Working Session. than half of the membership. The Chairs of subordinate A non-response from an Groups formed by the IES IES or subordinate Group will be appointed by the IES member will be considered a Working Session Chair. vote in the affirmative.

Section 3: A quorum of the Committee, Article IV: Minutes and Reports the IES or subordinate Group is required to vote on issues Section 1: Committee records will be being addressed. Except as maintained as set forth in the set forth in Section 5, a Federal Advisory Committee quorum is constituted by Act, 5 U.S.C. App. 2. the presence of more than Section 2: A written summary will half of the membership be prepared for each IES of the Committee, IES or meeting and meeting of subordinate Group. the IES Working Session. Section 4: Only members of the NSTAC, Summaries of the meetings the IES, or subordinate will be prepared by the Group may vote. All issues OMNCS and forwarded to will be decided, and members of the meeting recommendations or body and other participating decisions made, by a majority entities to review for accuracy vote of those members and completeness. present at any NSTAC, IES, or Section 3: A consolidated annual subordinate Group meeting. report of results of all Section 5: Absent a request for a NSTAC activities shall be recorded and/or secret ballot prepared and distributed vote, all votes shall be by to all members, and to any either a show of hands or by Federal Government entity voice vote. Any member may upon request. Other reports request a recorded and/or shall be prepared as directed secret ballot vote at any time. by the NSTAC.

A-8

XXVII_AppendixA.indd 8 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Section 4: All reports except minority Section 3: Studies, analyses, reports shall be prepared by recommendations, or the OMNCS and forwarded options developed by any to the members for review subordinate Group shall and comment at least 15 days be submitted to the IES, prior to final distribution. by report or briefing, for consideration prior to Section 5: Minority reports may be presentation or submission prepared by any industry to the NSTAC. member(s) and forwarded to the OMNCS. The OMNCS Article VI: Amendment of the Bylaws will attach the minority report to the majority report. Section 1: Amendment of the Bylaws may be proposed by any Article V: Issue Development member of the NSTAC at any time. Such amendments Section 1: Issues for consideration by may be adopted or dismissed the NSTAC may be suggested only by majority vote of by any Government or the NSTAC. industry entity, or any other person. The OMNCS Section 2: An amendment to the Bylaws will prepare suggested shall become effective issues into issue papers for immediately following consideration by the IES. its adoption.

Section 2: The IES will review all issue papers and recommend to the NSTAC their approval or disapproval for further consideration, or recommend such other action as is deemed necessary. For issues sent to a subordinate Group for study, analysis and/ or the development of recommendations or options, the IES will provide guidance and direction as necessary.

A-9

XXVII_AppendixA.indd 9 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Antitrust Division

Office of the Assistant Attorney General Washington, D.C. 20530

June 1, 1983

Lt. Gen. William J. Hilsman Manger, National Communications System Washington, D.C. 20305

Dear General Hilsman:

In response to your May 2, 1983, letter to Ronald G. Carr, the Antitrust Division has reviewed the April 18, 1983, draft report of the NSTAC Emergency Response Procedures Working Group on the establishment of a National Coordinating Mechanism. In particular, the Division focused on the proposed functions of the National Coordinating Mechanism (NCM) as set out in Section 6, “Conclusions,” of the draft report and Annex B.

The views expressed in this letter are preliminary and respond to your suggestion that we provide general guidance to the Funding and Regulatory Working Group prior its June 2, 1983 meeting.

In summary, we believe the functions of a National Coordinating Mechanism, if carried out along the lines suggested in Chapter 6 and Annex B, pose no significant competitive problems that would rise to the level of a possible Antitrust violation if such activities were carried out in a manner designed to minimize any anticompetitive potential and if the appropriate government agencies retain the responsibility for necessary procurement and regulatory decisionmaking.

As we understand it, the NCM would have four organizational components. Overall policy would be set by a General Forum, “an industry-wide organization with widespread membership” which would meet semi-annually to provide the opportunity for members of the communications industry to discuss National Security-Emergency Preparedness (NS/EP) needs. Subordinate to the General Forum would be two standing committees: (1) the Technical Planning Committee, which would focus on matters involving technical interoperability, (2) the Operations Planning and Policies Committee, which would focus on those involving operating methods and procedures relating to NS/EP. A National Coordinating Center (NCC) would be responsible for day to day planning activities and for responding to NS/EP requirements as they occur. The NCC would consist of an operations center located at a government facility and be staffed with representatives of the National Communications System, and “selected representatives of the industry.” Carriers not physically present would remain in electronic contact with the NCC. Lastly, a Secretariat would be responsible for administrative coordination and support.

According to Appendix B, the NCM would appear to have four types of functions. The first, would be to provide a coordination point for dealing with communications emergencies, including service disruptions. This activity includes development of the “watch center”

A-10

XXVII_AppendixA.indd 10 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

operations of the NCC, technical analysis/damage assessments of service disruptions, and coordination or direction of prompt restoration of telecommunication services. (Items 1, 2, 4, 7.) The second basic function would be to coordinate and assist in the provision of time sensitive NS/EP service requests. (Items 8, 11.) The third category is a broader planning function in which the NCM would assist in the development of technical standards and network planning to meet NS/EP needs and to assist the overall development of each carrier’s network so as to insure that NS/EP needs are taken into consideration. (Items 3, 9, 10.) Finally, the NCM would provide a mechanism to supply the government and, potentially, other carriers with critical information about resources available to meet NS/EP needs or emergency requirements. (Items 5, 6.)

The following discussion of these functions, including the issue of the appropriate scope industry membership in the NCM and its component activities, is based on the descriptions set out in the draft report.

From the description, it would appear that the NCM, although sponsored and supported by the government, would largely function as a joint activity among potentially competing members of the telecommunications industry. The antitrust laws do not prohibit collective activity between competing members of an industry simply because they are competitors. Instead, the question asked by the antitrust laws is whether or not the collective activity at issue has the probable effect of lessening competition in the markets at issue. In the case of the NCM, the proposed essential elements recommended by the Working Group do not appear to do so. Rather, they would enable the industry to provide collectively that which each member of the industry could not provide individually, i.e., a nationwide, interoperable system of independent carrier networks in which the resources of all are available to meet this Nation’s NS/EP needs. Consequently, the key focus of any antitrust and competitive analysis is on the methods and procedures by which the essential objectives are implemented.

1. Membership. Under the Sherman Act, if joint facilities established by competing firms become essential to participating effectively in markets served by venture’s participants, participation in the activity on reasonable terms by all competing enterprises may be mandated. To the extent that participation in the NCM would confer a competitive advantage therefore, exclusion by industry members of competing firms might be of concern. As we understand the proposal, however, the scope of the NCM and its components would be established by the Government to meet public NS/EP needs, not private interests. In such a circumstance, the decision to limit membership in a particular activity should be made by responsible government agencies, rather than by industry participants, themselves, limiting possible antitrust concerns. In turn, the criteria utilized by the sponsoring government agencies should be designed to promote as broad as possible participation in the group, with membership in any activity restricted only to the minimum extent necessary to achieve the objectives of such an activity, e.g., limiting physical presence at an NCC to numbers that prevent the NCC from becoming an operationally unmanageable undertaking. In this regard, we note that the government, as “the purchaser” of NS/EP services should have every incentive to maximize industry participation, and limit participation, if at all, only to ensure that the benefits of the NCM are maximized.

A-11

XXVII_AppendixA.indd 11 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

2. Coordination of Service Disruptions and Similar Emergencies. As we understand it, the goal of this function is to ensure that existing communications requirements can be maintained in the face of disruption of the network of one or more carriers as a result of, e.g., equipment failure, natural disasters, sabotage or war. The goal of the NCM in this activity would not be to process service orders to meet added requirements, but to assure that services already ordered by government agencies and the private sector can be provided in the face of adversity. On the facts as set out above, there would appear to be few, if any, competitive or antitrust issues at stake in this type of activity, to the extent the actual restoration and back-up processes do not have the effect of disadvantaging any particular carrier. Consequently, the procedures involved should minimize any possibility that the services of any carrier will be unreasonably excluded from the backup and restoration process.

3. Coordination of Additional NS/EP Requirements. Under this function, the NCM would assist the government in obtaining a quick, coordinated industry response to time-sensitive NS/EP requirements, such as the provision of additional circuits and equipment to areas hit by a disaster, or for Presidential travel or military mobilization requirements. As we understand it, this activity is different from that just described because it would result in new government orders for additional services or equipment. Here, the competitive and antitrust risks are greater in that, if appropriate safeguards are not adopted, the NCM could theoretically serve as a mechanism for allocating government orders among competing firms to the detriment of the government’s interest. Such an allocation could result, if, for example, firms represented at the NCC decided among themselves who would bid for a particular circuit order when several of them could do so, or if failure to have a representative at the NCC would mean that a particular firm, as a result of procedures agreed on by the carriers present at the NCC, would not have the opportunity to bid on the circuit request.

These theoretically possible competitive problems could be minimized to the extent that the relevant government agencies make the procurement decisions and establish the appropriate bidding processes for emergency telecommunications, with the NCM merely supporting those processes and providing a mechanism coordinating an end-to-end response once the government’s procurement decisions were made. What should be avoided, therefore, is the adoption by participating carriers, themselves, of practices that would undercut the ability of government procurement officers to obtain such benefits of competition as procurement regulations envisioned in the circumstances at issue. So long as the NCM merely facilitates actions desired by government agencies in their capacity as a purchaser of communications services, antitrust concerns would be minimized.

4. Industry Standard-Setting and Planning. Standard setting to promote interoperability is widespread across a broad spectrum of American commercial activity, including the communications industry. Under the antitrust laws, such standard-setting processes pose few problems if access to the standard setting bodies are available to competing industry members whose products and services are affected by the standard-setting process and to the extent that reasonable procedures are utilized to assure that the competing firms will have the opportunity to

A-12

XXVII_AppendixA.indd 12 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

present their views before such standards are collectively adopted.

Nevertheless, both competitive and antitrust issues may be raised to the extent that such standard setting becomes a vehicle to place the products or services of a firm at a competitive disadvantage. Where such actions are taken, it can be alleged that the participants in the standard setting process undertook collective action to eliminate a competitor from the market. Such actions should not give rise to antitrust liability to the extent that the actions in question represented reasoned and reasonable choices and were not undertaken for an exclusionary purpose. In some cases, however, the adoption of standards by collective industry action, e.g., for interoperability or interconnection, may result in a choice that will confer relatively greater competitive benefits on one firm or technology. Consequently, competitive risks would be minimized to the extent that the standards adopted responded to specific NS/EP objectives in a manner that maximized carrier flexibility to meet those standards.

5. Information Sharing. Finally, the proposed NCM envisions that a limited amount of carrier information concerning available NS/EP resources will be provided to the NCC. It is also envisioned that a mechanism will be adopted by which individual carrier actions, such as the introduction of new services or the planning of facility routes, may be scrutinized so that the NS/EP consequences of these carrier activities can be reviewed to enhance NS/EP benefits. The fundamental competitive and antitrust concerns regarding such information plans are to ensure that proprietary carrier information is not involuntarily disclosed to competitors, and that voluntary sharing arrangements do not have the effect of reducing competition among carriers in the introduction of new services and the construction of new facilities. Thus, procedures should be adopted to foreclose potentially anticompetitive information disclosures.

For example, it would appear preferable for each carrier to maintain its own inventory of spare circuits, etc., rather than to create a centralized data base of such information, unless access to such a data base was strictly controlled and limited to the carrier concerned or to government employees. Of course, these concerns are minimized with respect to information that relates not to the overall commercial capabilities of each carrier, but to purely emergency resources, e.g., mobile facilities or the status of equipment dedicated to NS/EP requirements. In this regard, the operating environment of the NCC should be designed to minimize opportunities for informal and unauthorized access by employees of one carrier to the proprietary information of other carriers.

In the same fashion, the opportunities for disclosure of proprietary information to competing carriers in the process of planning new facilities should also be minimized. For example, it would appear prudent for carriers to obtain information from government employees as to appropriate routings for facilities and to base their actions independently upon such recommendations, rather than for competing carriers to agree on facility routings, particularly where the effect would be to require advance disclosure of construction plans to competitors.

In sum, we believe that the proposals outlined in the draft Working Group report can form an appropriate basis for a National Coordinating Mechanism that will meet government NS/EP requirements while minimizing competitive antitrust risks. The Antitrust Division will continue

A-13

XXVII_AppendixA.indd 13 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

to work closely with your staff, the NSTAC, and other federal agencies to assure that the NCM is implemented in a manner consistent with both our agencies’ legal and policy concerns.

Sincerely,

William F. Baxter Assistant Attorney General Antitrust Division

A-14

XXVII_AppendixA.indd 14 10/8/04, 4:37 PM NSTAC Membership 10/8/04, 4:37 PM 1 XXVII_AppendixB.indd XXVII_AppendixB.indd 2 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

The President’s National Security Telecommunications Advisory Committee (NSTAC) Membership (as of May 19, 2004)

Dr. Vance D. Coffman, NSTAC Chair ...... Chairman and CEO Lockheed Martin Corporation

Mr. F. Duane Ackerman, NSTAC Vice Chair...... Chairman, President, and CEO BellSouth Corporation

Mr. James F. Albaugh ...... President and CEO Integrated Defense Systems The Boeing Company

Dr. J. Robert Beyster ...... Chairman and CEO Science Applications International Corporation (SAIC)

Mr. Gregory Brown*...... President and CEO Commercial, Government, and Industrial Solutions Sector Motorola, Inc.

Mr. Gary D. Forsee ...... Chairman and CEO, Sprint Corporation

Mr. Van B. Honeycutt ...... Chairman and CEO Computer Sciences Corporation (CSC)

Mr. Clayton M. Jones ...... President and CEO, Rockwell Collins, Inc.

Mr. Craig O. McCaw...... Chairman, Teledesic Corporation

Mr. Craig J. Mundie ...... Senior Vice President, Microsoft Corporation

Mr. Richard C. Notebaert ...... Chairman and CEO, Qwest Communications

* Membership pending White House approval (as of May 19, 2004).

B-1

XXVII_AppendixB.indd 1 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Mr. Donald J. Obert ...... Group Executive, Network Computing Group Bank of America, Inc.

Mr. G. William Ruhl ...... CEO, D&E Telephone Company United States Telecom Association (USTA)

Dr. Hector de J. Ruiz ...... President and CEO Advanced Micro Devices, Inc. (AMD)

Ms. Patricia F. Russo...... Chairman and CEO, Lucent Technologies

Mr. Stratton Sclavos...... Chairman and CEO, VeriSign, Inc.

Mr. Stanley Sigman* ...... President and CEO, Cingular Wireless Cellular Telecommunications & Internet Association (CTIA)

Ms. Susan Spradley...... President, Wireline Networks Nortel Networks Limited

Mr. William H. Swanson ...... Chairman and CEO, Raytheon Company

Mr. Lawrence A. Weinbach...... Chairman and CEO, Unisys Corporation

Mr. Edward E. Whitacre, Jr...... Chairman and CEO SBC Communications, Inc.

Position Vacant...... AT&T

Position Vacant...... Electronic Data Systems Corporation (EDS)

Position Vacant...... MCI, Inc.

Position Vacant...... Northrop Grumman Corporation

Position Vacant...... Verizon Communications

* Membership pending White House approval (as of May 19, 2004).

B-2

XXVII_AppendixB.indd 2 10/8/04, 4:37 PM NSTAC XXVII Executive Report to the President 10/8/04, 4:37 PM 1 XXVII_AppendixC.indd XXVII_AppendixC.indd 2 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Executive Report on the 27th Meeting of the President’s National Security Telecommunications Advisory Committee (NSTAC XXVII) May 19, 2004

The President’s National Security This Executive Report summarizes Telecommunications Advisory those presentations and deliberations. Committee (NSTAC) held its 27th Also attached are the recommendations to meeting (NSTAC XXVII) on May 19, 2004, the President from NSTAC XXVII (Attach- at the U.S. Chamber of Commerce in ment 1) and an attendance list of NSTAC Washington, D.C. The meeting, which Principals (Attachment 2). centered around the theme “Advising the President on Critical Telecommunica- NSTAC XXVII Business Session tions: Partnership in a New Era,” focused Opening Remarks. on issues surrounding national security and emergency preparedness (NS/EP) Dr. Vance Coffman, Chairman and Chief communications in this time of height- Executive Officer (CEO), Lockheed Martin ened security within industry and the and NSTAC Chair, called to order the 27th Government, specifically, the Depart- NSTAC Business Session on May 19, 2004, at ment of Homeland Security (DHS), the 8:15 a.m. at the U.S. Chamber of Commerce Department of State (DOS), the Federal in Washington, D.C. Dr. Coffman noted that Communications Commission (FCC), and the day would serve as his last meeting as the executive and legislative branches. the NSTAC Chair, and that at the end of the The NSTAC Principals met with former day’s proceedings, Mr. F. Duane Ackerman, Virginia Governor James S. Gilmore III BellSouth, the current NSTAC Vice Chair, during the Executive Breakfast; reviewed would be assuming the Chairmanship. NSTAC activities over the past cycle, Introduction of Key Government received several briefings, and met with Officials and NSTAC Principals. Secretary of State Colin Powell and other Dr. Coffman then recognized the senior senior Administration officials during the Government officials participating in Business Session; engaged in discussion the meeting: with Representative Joseph Barton (R-TX) and a number of senior Administration  Mr. Robert Liscouski, Assistant officials during the Executive Session; met Secretary for Infrastructure Pro- with Chairman Michael Powell, FCC, during tection, Information Analysis and the Executive Luncheon; and met with Infrastructure Protection (IAIP) President George W. Bush and other senior Directorate, DHS; Administration leaders.

C-1

XXVII_AppendixC.indd 1 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

 Dr. John Marburger, Director of the This review included an overview of the President’s Office of Science and Financial Services Task Force (FSTF), the Technology Policy (OSTP); Satellite Task Force (STF), the Operations, Administration, Maintenance, and Provision-  Dr. Charles McQueary, ing (OAM&P) Working Group, the Trusted Under Secretary for Science Access Task Force (TATF), the Legisla- and Technology, DHS; tive and Regulatory Task Force (LRTF), the NSTAC Outreach Task Force (NOTF),  Lieutenant General Patrick Hughes, the Research and Development Task U.S. Army (Ret.), Assistant for Force (RDTF), and the Cyber Scoping Homeland Security for Information Group (CSG). Analysis; and Dr. Coffman opened his presentation with  Secretary of State Colin Powell, DOS. an overview of the work and accomplish- Dr. Coffman then recognized the following ments of the FSTF. Continuing its tasking NSTAC Principals recently appointed by from NSTAC Cycle XXVI, the FSTF explored President George W. Bush: Mr. Gary Forsee, the physical aspects of the financial Sprint, and Mr. William Swanson, Raytheon. services sector concerns for resiliency and redundancy capabilities of the telecommu- Dr. Coffman additionally recognized nications infrastructure. The FSTF issued a two individuals who have been recently report to the President that provided seven nominated to serve on the NSTAC and key recommendations and a strong assess- are awaiting final approval by the ment of the additional measures needed President: Mr. Greg Brown, Motorola, to ensure the resiliency and reliability of and Mr. Stanley Sigman, Cellular Telecom- critical NS/EP circuits. munications and Internet Association. Dr. Coffman then presented the work of the Dr. Coffman then reviewed the agenda for STF during the past cycle. He noted the STF the day, outlining the presentations that examined the use of commercial satellites would be given by Government stakeholders. in national NS/EP missions, vulnerabilities, Before delivering his “Cycle in Review,” and mitigation techniques. The STF coor- Dr. Coffman thanked all NSTAC Principals dinated with many non-NSTAC companies who served as Champions for key NSTAC and Government agencies, and proposed issues over the past year, as well as those recommendations to the President for who volunteered to lead the development of enhancing the security of the commercial key NSTAC issues through the next cycle. satellite infrastructure and the robustness NSTAC XXVII Cycle in Review. of NS/EP communications. The STF report identified 22 findings, and highlighted the Dr. Coffman presented the “Cycle in need for the Government to improve the Review,” which outlined the activities of the management of its commercial satellite NSTAC during the XXVII cycle. communications (SATCOM).

C-2

XXVII_AppendixC.indd 2 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

The report also provided three Dr. Coffman noted that the participants recommendations to the President would hear more on this issue during regarding the need for a national policy the Executive Session from on the provisioning and management of Mr. Richard Notebaert, Qwest. commercial SATCOM services, funding to support the implementation of commer- Dr. Coffman then addressed the work of cial SATCOM NS/EP, and the appointment the LRTF. This task force has continued to of commercial satellite service providers advise the President on national policies and associations to represent the SATCOM and regulatory issues that conflict with industry on the NSTAC. NS/EP missions. The LRTF drafted, and the NSTAC submitted, a letter to the President, Dr. Coffman then discussed the work of which included recommendations on the OAM&P Working Group. This working this issue. In addition, the LRTF drafted, group was established as a follow-on to and the NSTAC submitted, a report to the the spring 2003 Network Security President, which included recommendations Information Exchange. In the report on barriers to information sharing under submitted to the President, the group the Critical Infrastructure Information Act recommended the adoption and use of of 2002. The group is currently examining the OAM&P Telecommunications Standard issues regarding open-source critical infra- by the Federal Government and other structure data. Dr. Coffman encouraged critical infrastructures. The group also the member companies to conduct internal developed policy guidance related to the reviews of the information posted to their standard on OAM&P Baseline Security respective Web sites. He noted that the LRTF Requirements for the Management Plane to would continue its activities through the promote awareness and implementation of next NSTAC cycle. the standard. Next, Dr. Coffman discussed the NOTF The TATF was the next subject addressed and its work to solicit feedback and input by Dr. Coffman. He stated that the TATF is on NSTAC products and outreach examining ways to implement a national initiatives, and promote the adoption of security background check program. NSTAC recommendations. To accomplish The TATF is also examining various these goals, the task force arranged Government and private sector background meetings with key Government stakehold- check processes and credentialing to better ers from the OSTP, the Homeland Security capture concerns with the current system. Council (HSC), the Office of Management The group is expected to submit its report and Budget (OMB), and the National to the President during NSTAC Cycle Security Council (NSC). The task force also XXVIII, and will continue to address the developed and delivered an NSTAC orien- development of a national plan for control- tation briefing to members of the Industry ling access at the perimeter of a disaster Executive Subcommittee (IES) and is area and the adoption of telecommu- currently planning an IES off-site meeting nications service procurement security scheduled for September 15–17, 2004, at the policy guidelines. Kingsmill resort in Williamsburg, Virginia.

C-3

XXVII_AppendixC.indd 3 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Dr. Coffman continued his briefing with An NSTAC ad hoc group convened and an overview of the RDTF. This task force produced a report suggesting that the NIAC developed an official proceedings document report also consider separately examining as a follow-up to the 2003 Research and each sector with regard to its own cir- Development Exchange (RDX) and formed cumstances and that a higher degree of actionable plans to address the findings. interdependency in a sector may both The task force also developed a paper necessitate and lead to a higher degree addressing the definition of NS/EP and of coordination. examined the development of a pilot testbed for NS/EP research and develop- In conclusion, Dr. Coffman acknowledged ment purposes. Dr. Coffman then discussed and thanked the IES members for their the scheduling of the 2004 NSTAC RDX for hard work and also thanked the attendees October/November on the West Coast and for their participation in the NSTAC noted that the task force will continue its XXVII Meeting. activities through the next NSTAC cycle. IAIP Six-Month Outlook.

Dr. Coffman then reviewed the activities Dr. Coffman introduced Assistant Secretary of the most recently established group, Liscouski, who thanked the NSTAC Princi- the Cyber Scoping Group (CSG). pals and IES members for the opportunity The CSG examined and prioritized issues to speak with them and for their hard work. associated with cyber-related infrastruc- Mr. Liscouski recognized the NSTAC as ture interdependencies. Specifically, the a richly talented body from which DHS group examined Voice over Internet welcomes input and looks forward to Protocol (VoIP) and network conver- continued partnership. In the past 14 gence issues, software quality, and cyber months, DHS has worked diligently to attack vulnerabilities. Dr. Coffman noted address the tactical and strategic challenges that the group would hear more on those arising from building the new Depart- issues during the Executive Session from ment and the work laid out in The National Mr. Craig Mundie, Microsoft. Strategy for Homeland Security, The National Strategy to Secure Cyberspace, and The Lastly, Dr. Coffman discussed opportunities National Strategy for the Physical Protection pursued by the NSTAC to collaborate with of the Critical Infrastructure and Key Assets. the National Infrastructure Advisory Mr. Liscouski recognized the critical impor- Council (NIAC). The NSTAC provided tance of input from the private sector to input to the NIAC’s draft “Report on identify and protect the Nation’s critical Cross Sector Interdependencies and Risk infrastructures—80 percent of which is Assessment Guidance.” owned by the private sector—and noted that DHS is diligently pursuing that goal.

Looking ahead, Mr. Liscouski described the IAIP Directorate’s priorities for critical infrastructure protection over the next six months.

C-4

XXVII_AppendixC.indd 4 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Mr. Liscouski characterized that period as Dr. Coffman asked Mr. Liscouski where posing increased risk of potential terrorist he believes the NSTAC can provide addi- activity, noting high-profile events such tional input. Mr. Liscouski replied that the as the political conventions, the summer NSTAC’s current issues (trusted access, vul- Olympics, and the Presidential election. nerabilities, etc.) are the appropriate ones He said that IAIP is working on a plan to to examine. He added that the NSTAC can identify and validate potential targets, and help DHS identify areas where immediate noted that DHS formed an interagency action can be effective and can also help working group to examine security priori- distribute the appropriate homeland security ties for the upcoming events. Mr. Liscouski message, turning awareness to action. said the bombings in Madrid, Spain, on When asked what role DHS is playing in March 11, 2004, highlighted remaining security measures for the summer Olympics vulnerabilities and the terrorists’ enduring in Athens, Greece, Mr. Liscouski said the desire to cause mass casualties, disrupt the Secret Service and the Coast Guard are sup- democratic political process, and erode the porting and advising the Greek Government. public’s confidence in the Government. The White House and Research DHS is actively working to develop a tactical and Development. plan, due in December 2004, to fulfill Dr. Marburger summarized the key roles the responsibilities laid out in Homeland and responsibilities of OSTP to ensure the Security Presidential Directive 7 (HSPD-7); delivery of NS/EP telecommunications however, DHS recognizes that it cannot wait during times of national crisis. He stated until December to begin protecting critical that, in contrast to the six-month outlook infrastructure and has therefore begun provided by Mr. Liscouski, the OSTP has a implementing key programs. Mr. Liscouski longer term role in providing interagency noted the importance of industry working coordination of research and develop- with State and local governments to ensure ment (R&D) programs and science and that critical infrastructures are secure, technology policy. He suggested that emphasizing that effective public and private swift advances in information technology sector coordination is a critical component present both opportunities and challenges of planning and preparedness. Mr. Liscouski with respect to NS/EP telecommunications. noted that one major effort under way at Dr. Marburger recognized the increased DHS is to raise the Nation’s current base importance of coordination and coop- level of security by elevating the security eration among agencies in this rapidly expectations and activities for the “yellow” changing environment. He said the unique security baseline. The goal is to build the insights of the President’s NSTAC are par- capability to sustain an elevated state of ticularly valuable, noting that committee alert in the absence of a specific threat recommendations are explicitly incorpo- without overburdening State and local rated in OSTP plans, including annual governments and the private sector. budgetary documents.

C-5

XXVII_AppendixC.indd 5 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Dr. Marburger also described his Dr. McQueary commented on the growth of participation in the NSTAC’s 2003 RDX, the S&T Directorate, which began with only noting the important role this event plays in 6 employees and now has a staff of 250. helping to determine national R&D priorities. He noted that he has been impressed with Colonel (Select) Greg Rattray, NSC, added the quality of the people it attracts and that the draft NS/EP definition paper, with the passion the employees have for developed by the RDTF, has proven their important mission. He emphasized extremely helpful in the development of a the progress made in the areas of standards report being produced within the Executive and interoperability for first responders and Office of the President (EOP) addressing the discussed the work that S&T is conducting evolving definition of the term. to counter biological and chemical attacks. Dr. McQueary highlighted the blue mod- DHS and Research and Development. eling capabilities being used to enhance Dr. Coffman introduced Dr. McQueary, detection and response efforts in mass who thanked the NSTAC Principals for the transit facilities and the BioWatch program, opportunity to speak with them. He also which is designed to monitor the air for acknowledged the work of the Commission biological agents. Closing his remarks, led by Governor Gilmore, noting that the Dr. McQueary stated that effective working principles of the Gilmore Commission report partnerships among industry, academia, were used to help define the role of the new Federal and national laboratories, and the Science and Technology (S&T) Directorate Government are critical in protecting the within DHS. Nation from terrorist attacks.

Dr. McQueary outlined the mission of the When asked whether the BioWatch program S&T Directorate: to conduct, stimulate, and has the capability to detect sarin gas, enable research, development, testing, and the gas recently found in a shell in Iraq, evaluation; and to ensure the timely transi- Dr. McQueary replied that for security tion of technologies and capabilities to first considerations, he could not publicly divulge responders and others at Federal, State, the program’s capabilities because it may and local levels. While initially focused on draw attention to what they cannot detect. technology, the directorate has recently In response to a question regarding how the become engaged in systems application, NSTAC can support the directorate’s initia- driving and determining capabilities, tives, Dr. McQueary replied that modeling investments, and improvements. To that will play a very important role in future end, the organization has a $1 billion S&T activities; and he will rely heavily on budget, with 60 percent set aside for opera- the private sector, including NSTAC member tional needs, and the remainder dedicated to companies, for simulation capabilities. private sector, academia, and national and Federal laboratories. Dr. McQueary recognized private industry’s important role in translating capabilities into products.

C-6

XXVII_AppendixC.indd 6 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Industry and Homeland Security. In response to the terrorist attacks, UBS and PaineWebber implemented their com- Mr. Joseph Grano, Jr., Chairman, UBS munication plans and provided support for Financial Services Inc. and Chairman, Home- employees as well as clients and competitors land Security Advisory Council (HSAC), in need of assistance. Operations/technical briefed on the impact of the war on staff and senior management immediately terrorism on the financial industry. launched to crisis management mode. Mr. Grano reviewed the chain of events Mr. Grano highlighted several lessons on the morning of September 11, 2001, learned to better prepare companies for specifically, the financial market’s reactions another disaster. He emphasized the need to the events. On September 11, 2001, the for companies to differentiate between New York Stock Exchange (NYSE) delayed disaster recovery and business continuity its 9:30 a.m. opening and then announced planning, and recognize the importance of at 9:58 a.m. that it would remain closed for both cyber and physical security, public and the day. Later that afternoon, the NYSE, private partnerships, and communications the American Stock Exchange, and the and preparedness. UBS and PaineWebber National Association of Securities Dealers realized the importance of employee Automated Quotation (NASDAQ) announced emergency contact information as well as they would also be closed the following day. the need to understand the psychographics Due to severe damage to Verizon’s central of their employees. switching facility located near the World Trade Center, the connectivity of firms Mr. Grano then described numerous terrorist to customers and the markets was attacks from 1979 to the present as a severely disabled. reminder of the magnitude of terrorism the United States faces today, but emphasized Mr. Grano noted that on September 12, 2001, that the United States is safer today than on members from the financial sector and September 10, 2001, because the country utility companies met with Government is more aware of its vulnerabilities and has leaders to discuss the reopening of the taken steps to mitigate those weaknesses. markets the next day. As a result of the He continued by stating the importance of meeting, the decision was made to delay remembering the war on terror is “not about the opening of the equities markets until giving up liberty but about securing liberty.” September 17, 2001, to avoid the risk of prematurely opening the market, causing Mr. Grano discussed the critical infrastruc- the stock market to crash, and diminishing ture landscape of the northeastern United the global population’s faith in the market. States, illustrating the vast numbers of The terrorist attacks caused tremendous airports, chemical facilities, power stations, harm to the financial industry. The industry pipelines, rail lines, police departments, and suffered a significant loss of life, collateral hospitals, and the importance of the public damage, loss of electrical power, communi- and private sectors to collaborate. cations, and transportation, as well as the closure of stock and bond markets, which greatly affected industry profits.

C-7

XXVII_AppendixC.indd 7 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

The National Strategy for the Physical Intelligence suggests that these terrorist Protection of Critical Infrastructure and groups are planning to conduct an attack Key Assets has three strategic objectives: greater than the September 11, 2001, (1) prevent terror attacks within the United attacks by possibly employing a weapon States; (2) reduce the Nation’s vulnerability of mass effect (e.g., biological or chemical to terrorism; and (3) minimize damage and weapons), and targeting large gatherings recover from an attack quickly. He noted or critical infrastructures. To prevent these DHS is striving to meet the challenges of attacks, DHS is focusing on upcoming these objectives by creating directorates events, including the dedication of the related to the six critical mission areas World War II Memorial, the G-8 Summit, and initiatives defined in the National the Democratic and Republican national Strategy, which are intelligence and conventions, and the Presidential election warning, protecting critical infrastructure, and inauguration. LTG Hughes summarized defending against catastrophic terrorism, his briefing by saying that the terrorists emergency preparedness and response, are still out there, and it is the job of DHS domestic counterterrorism, and border and to prevent attacks, and if not prevented, transportation security. then minimize their effects and respond to the consequences. Mr. Grano concluded by emphasizing the importance of protecting the Nation’s critical LTG Hughes then responded to a question infrastructure and the need for the private expressing concern about the economic sector’s involvement, as 80 percent of the impact of another terrorist attack, spe- critical infrastructure is privately owned. cifically, if a terrorist attacked a common gathering place, such as a fast food restau- DHS Intelligence Overview. rant or shopping mall. He emphasized the Dr. Coffman introduced Lieutenant importance of citizens reporting suspicious General (LTG) Patrick Hughes, U.S. Army activities, such as surveillance on “soft (Ret.), Assistant Secretary of Homeland targets” of this nature. A Principal asked Security for Information Analysis, who what more the NSTAC or information began his briefing by stating that DHS has sharing and analysis centers (ISAC) can quickly become a member of the overall U.S. do for DHS to prevent future attacks. intelligence community, working daily with LTG Hughes responded that DHS needs the Federal Bureau of Investigation, Central to establish secure communications links Intelligence Agency, National Security at the secret level with the ISACs and Agency, and Department of Defense. increase training and awareness with State LTG Hughes then discussed the current and local governments and the private situation of terrorist activity around the sector, making people more aware of the world and in the United States. He noted ways in which they can help to secure the that the United States is “currently being infrastructures vital to the United States. probed by terrorist groups attempting to Participants expressed the need to keep enter the United States, most likely with a the lines of communications open on plan to strike us.” receiving intelligence.

C-8

XXVII_AppendixC.indd 8 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

LTG Hughes stated that when DHS verifies In addition, he encouraged feedback from intelligence on specific threats, it contacts industry on resolutions in the United companies or ISACs to share the information. Nations and other international organiza- A Principal expressed concerns about tions necessary to help industry do its job, cultural diversity and viewpoints at DHS. especially in the area of security and inter- LTG Hughes responded by noting that DHS national concerns. A Principal asked how has employees representing diverse opinions national security communications relates to and perspectives from numerous cultures. next generation networks (e.g., electronic He concluded his briefing by saying that messaging for emergency communications). DHS needs the NSTAC for its “information, Secretary Powell said in recent years, the intelligence, advice, assistance, knowledge, Department has begun to use secure video and wisdom.” teleconferencing; and he would like to see the installation of secure video conferencing International Views. capabilities with select foreign ministers. Dr. Coffman introduced Secretary Powell, Concluding his remarks, Secretary Powell who thanked the NSTAC Principals for said that while the Internet and new tech- the opportunity to speak with them again nologies are changing how DOS personnel this year. Secretary Powell described the conduct business, the telephone will remain DOS efforts in implementing secure com- an important communications vehicle. munications and broadband for all of Adjournment. its employees. He commented that the Internet has changed how the Department Dr. Coffman thanked the NSTAC does business. For example, consulate Principals and the senior Government officers send bulletins with pictures via officials for their participation in the telegraph regularly. In addition, visa appli- Business Session. He indicated that there cations including pictures and application would be additional opportunities for status can be accessed remotely from further discussion during the Executive anywhere in the world. He added, however, Session and Executive Luncheon. that the ease in access comes at a price. Dr. Coffman also took the opportunity to Secretary Powell stressed the importance thank DHS staff, as well as IES members, for groups, such as the NSTAC, to address for their hard work and support throughout the issues related to network security, the past year. Dr. Coffman adjourned the privacy, and cyber crime by building in the Business Session at 10:25 a.m. necessary safeguards when infrastructures are developed. He said the exporting of necessary tools—technology and legislative principles—to allies is necessary, as is ensuring that intelligence officers track the activities of terrorists.

C-9

XXVII_AppendixC.indd 9 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

NSTAC XXVII Executive Session To prepare for these incidents, DHS is planning to re-baseline the yellow Opening Remarks. threat level. DHS recognizes that the efforts Dr. Coffman called to order the 27th NSTAC implemented during times of increased Executive Session in the U.S. Chamber threat posture (orange or red level) are not of Commerce in Washington, DC, on sustainable and therefore are executed only May 19, 2004, at 10:35 a.m. Dr. Coffman during elevated threat levels. However, to explained that the NSTAC Executive Session ensure that the Nation is best prepared for a provides the NSTAC Principals, along with terrorist incident during the yellow security the senior Government officials in atten- posture, DHS is working to raise the level of dance, the opportunity to discuss the chal- sustainable security efforts. lenges before the NSTAC with the highest In response to Mr. Liscouski’s warning, the levels of industry and the Government. NSTAC Principals asked what DHS expects Prior to the actual Executive Session from the NSTAC companies in the upcoming discussion, Dr. Coffman invited period of increased risk. Mr. Liscouski Ms. Janet Jefferson, Industry Operations emphasized the threats are of national Branch Chief, Office of the Manager, importance, and for this reason, industry National Communications System (NCS), must engage not only with the Federal Gov- to the dais to be recognized for her many ernment but also with the appropriate State years of service to the Government and and local agencies. Furthermore, he noted specifically, the NSTAC. As Ms. Jefferson that in the event of an attack, DHS would planned to retire from Government service need input from industry to rebuild the shortly after the NSTAC XXVII Meeting, infrastructures in the aftermath. A Principal Dr. Coffman presented her with a plaque informed Mr. Liscouski that industry is best of appreciation. able to respond when information regarding IAIP Six-Month Outlook. an imminent threat is provided, and it is Dr. Coffman reintroduced Mr. Liscouski, essential that industry be kept abreast of who wished to expand upon his presen- threat information. A participant suggested tation on “Security Planning for Period that the NSTAC examine both industry of Increased Risk” during the Business preparedness for the NSSEs and industry Session. He informed the NSTAC Princi- response in the event of an attack. pals that during the upcoming six to eight Mr. Liscouski endorsed this suggestion. months, the Nation was to enter a period of Congressional Views increased risk of potential terrorist activity. on Homeland Security. Specific upcoming high-profile National Special Security Events (NSSE) that concern Dr. Coffman introduced Representative (Rep.) DHS as potential terrorist targets include Barton, the recently elected Chairman of the the national World War II Memorial Dedica- House Committee on Energy and Commerce. tion, the Democratic National Convention, On behalf of the legislative branch, the Republican National Convention, and Rep. Barton welcomed the out-of-town the Presidential Inauguration. NSTAC Principals to Washington, D.C.

C-10

XXVII_AppendixC.indd 10 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

He stated that the NSTAC serves an A Principal asked how the committee is important function in its unique public/ looking to balance Internet privacy and private partnership role. Rep. Barton terrorist actions. Rep. Barton discussed discussed his role as chairman of the House the USA PATRIOT Act and explained that Committee on Energy and Commerce. it is now mandatory to secure a writ from This committee has jurisdiction on tele- a Federal magistrate to obtain wiretap- communications policy and also oversees ping capabilities. There are formal processes Internet privacy and security issues. that check the Government’s powers. Rep. Barton said the committee has made When asked about monitoring Internet progress in identifying and developing traffic, Rep. Barton stated that his commit- policies on pressing issues. A few weeks ago, tee did not have jurisdiction specifically the committee held a hearing on spyware on that issue because it is more of an entitled, “Spyware: What You Don’t Know intelligence matter. Can Hurt You,” and discussed the necessity Discussion of Future NSTAC Issues. to increase penalties for Internet abusers. It is expected that the bill (H.R. 2929, The Dr. Coffman invited Dr. Brian Dailey, Safeguard Against Privacy Invasions Act) will Lockheed Martin and Industry Executive be marked up shortly. Rep. Barton predicted Subcommittee (IES) Working Session Chair, that the U.S. Congress would likely approve to facilitate the discussion of future NSTAC the “spyware bill” later this year. issues for consideration. Dr. Dailey in turn invited the NSTAC Principal/Champion for Dr. Coffman asked about the committee’s each issue to briefly discuss the issue and work in balancing the freedoms and rights any relevant NSTAC history on the topic. of citizens while also maintaining protection Next Generation Networks Challenges. of information. Rep. Barton explained that historically, legislation having to do with Mr. Craig Mundie, Microsoft, reminded the private sector is reactive, not proactive. the NSTAC Principals that the convergence The legislative branch is currently trying to of the public switched telephone network catch up with the private sector. Rep. Barton and Internet protocol networks into the affirmed that every citizen has a “guaran- global next generation network (NGN) teed right to privacy,” and the computer is is changing how the Government and not necessarily an open window to informa- critical infrastructures meet their needs tion; laws are still in effect. There needs to for national security and emergency be a balance between the need for infor- preparedness (NS/EP) communications. mation gathering and privacy. While the To address this issue, on the March 4, 2004, legislative branch does not necessarily have NSTAC Principals’ Conference Call, the the answer, it is entertaining a privacy Principals established the Cyber Scoping protection bill. Rep. Barton also noted Group to examine issues associated with that he; Rep. Edward Markey (D-MA); NGN convergence and cyber security. Senator Richard Shelby (R-AL); and Senator Christopher Dodd (D-CT) lead a Congressional privacy caucus.

C-11

XXVII_AppendixC.indd 11 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

The work of the group culminated in a Mr. Notebaert explained that during the conference call with several NSTAC course of the previous NSTAC cycle, task Principals held on May 14, 2004, during force members quickly acted to develop which a proposal was made to establish guidance for creating national standards and a task force to: (1) agree on a high-level capabilities for national security background description of the expected network envi- checks, screening, and National Crime ronment or ecosystem of the NGN, and Information Center reviews; identifying the its interdependencies, on which NS/EP criteria for inclusion in background checks; applications will rely; (2) identify NS/EP and identifying who should be subject to user requirements for the NGN, outline how background checks. To gather data, the task these requirements will be met, describe force distributed a questionnaire to several how end-to-end services will be provi- NSTAC member companies and Government sioned, and explain how the interfaces agencies requesting input on their current and accountability among network partici- background check processes. The task force pants and network layers will work; and also interviewed representatives from the (3) examine relevant user scenarios and General Services Administration’s Federal expected cyber threats, and recommend Identity Credentialing Committee, the Trans- optimal strategies and actions to address portation Security Administration (TSA), cyber threats to meeting NS/EP user the Nuclear Regulatory Commission, the requirements and delivery of services. Department of Defense, the Federal Bureau There was wide agreement that a task force of Investigation, and DHS. Mr. Notebaert should be established. stated that the task force has the preliminary research for the tasking completed but Trusted Access. will continue its work into the next cycle to Mr. Richard Notebaert, Qwest, provided analyze the data gathered during the afore- an overview of the activities of the Trusted mentioned task and apply it to the concept of Access Task Force (TATF) during the a national background check process. NSTAC XXVII cycle. He reminded the Principals that the task force was created Mr. Notebaert further stated that while the as a result of discussions held at the NSTAC task force members have not yet completed XXVI Meeting and was tasked to address an extensive analysis of the data, they several recommendations from the Vulner- determined that the airport environment, abilities Task Force’s (VTF) March 2003 with its variety of people, such as passen- report, entitled “Trusted Access to Tele- gers, pilots, maintenance workers, and food communications Facilities.” He noted that vendors with access to important facility trusted access to telecommunications locations, is very similar to conditions expe- facilities and NSSEs remains of the utmost rienced at a telecommunications facility. importance both for prevention of an attack Consequently, the task force is interested in as well as mitigation and restoration activi- learning more from the TSA to determine if ties should an attack occur. physical security lessons learned and/or best practices from the airport community may be applied to background check processes for the telecommunications industry.

C-12

XXVII_AppendixC.indd 12 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

He pointed out that the task force will Colonel (Select) Greg Rattray, National have to determine how regimented the Security Council, further added that the background check process should be and State Department may need to be involved then decide on specific criteria that should to establish international agreements on be applied to the application process. the issue. The NSTAC Principals agreed He confirmed that work had not yet begun that the IES should more clearly define the on tasks 3 and 4 and encouraged Govern- parameters of the issue and determine if the ment counterparts to become more actively issue should be included in the work of the engaged in the task force activities moving NGN group or if a separate task force should forward, especially with regard to issues be established to address it. related to the physical security of NSSEs Adjournment. over the next six to eight months. Dr. Coffman expressed his appreciation to International Concerns. the NSTAC Principals and the senior Govern- Mr. Stratton Sclavos, VeriSign, briefed the ment officials for their active participation NSTAC Principals on the need to examine in both the Business and Executive Sessions. the threats to the Nation’s cyber infrastruc- He also recognized the important work of ture from abroad. Recently, attacks to the the IES and how it provided the framework cyber network have been increasing daily; for a successful NSTAC meeting. Dr. Coffman and as a result, U.S. companies have been adjourned the NSTAC XXVII Executive experiencing negative economic and Session at 12:05 p.m. productivity impacts. Mr. Sclavos explained the majority of these attacks either origi- nated or were sustained outside of the United States, and the attacks suggest that the security of our economic and cyber infrastructure could be threatened by the global nature of the Internet. Since there is currently no international Internet regulation, Mr. Sclavos recommended that the NSTAC examine the development of an international security framework for the Internet as either an extension of the NGN convergence issue or as a separate issue altogether.

Dr. Coffman commented that the issue of international threats to the Internet is worthy of examination by the NSTAC; however, he noted that the issue is complex and needs to be more clearly defined.

C-13

XXVII_AppendixC.indd 13 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

NSTAC XXVII General Gordon presented each NSTAC Executive Luncheon Principal with a certificate recognizing and honoring his/her participation on Opening Remarks. the NSTAC. He then introduced FCC Dr. Coffman called the Executive Luncheon Chairman Michael Powell and invited him to order at 12:15 p.m. in the Herman Lay to come forward to share with the Princi- room at the U.S. Chamber of Commerce, pals his views of the telecommunications Washington, D.C. He introduced General environment and the FCC’s recent activities John Gordon, Assistant to the President related to national and homeland security. for Homeland Security, and asked him to Remarks, FCC Chairman administer the oath of office to those NSTAC Michael Powell. Principals who were recently appointed to Chairman Powell thanked the NSTAC the Committee by President George W. Bush. for inviting him to participate in its NSTAC Oath of Office. annual meeting. He noted that the FCC and General Gordon welcomed the NSTAC the NSTAC share the same desire and com- Principals to the Luncheon and congratu- mitment to provide the American public lated them on their appointments to one with the most secure, competitive, and of the Nation’s most successful public– technologically advanced telecommunica- private partnerships. He noted that the tions system possible. He commented that NSTAC has the honor of being the when the NSTAC was created over 20 years Presidential advisory committee with the ago, the Federal Government was concerned most recommendations acted upon by with the divestiture of AT&T and the long- the President. General Gordon then called lasting effects the break-up would have the following NSTAC Principals forward for on national security. Since that time, the the oath of office: Nation’s telecommunications network has evolved into one of the most innovative  Mr. Gary Forsee, and advanced networks in the world and Sprint Corporation; offers unprecedented choices for consumers. However, with new services and capabili-  Mr. Richard Notebaert, ties, interdependencies within and across Qwest Communications; the telecommunications network and other critical infrastructures continue to deepen,  Ms. Patricia Russo, causing increased security risks. Over the Lucent Technologies; last several years, the FCC has embraced  Mr. Stratton Sclavos, and encouraged a new economic environ- VeriSign, Inc.; and ment, which led to increased competition; however, it must also continue to focus on  Mr. William Swanson, enhancing security across the network. Raytheon Company.

C-14

XXVII_AppendixC.indd 14 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Chairman Powell stated that two issues— In 2002, the FCC re-chartered its the converging telecommunications network Network Reliability and Interoperability and the complexity of the threat to the Council (NRIC) to address new threats to Nation—make securing the network ever the homeland by significantly broadening more challenging. While the Cold War both the focus and membership of the pitted the U.S. Federal Government against group to gain a more holistic view of a definable enemy with a specific threat, the network security. Membership in the war on terrorism is far more diffuse, frag- group now includes representatives from mented, and elusive, making the constantly the Internet service provider, wireless, morphing threat much harder to neutralize. and satellite communities. In early 2004, Chairman Powell noted that the FCC has NRIC expanded its focus from primarily taken several steps to mitigate threats to wireline issues to include wireless topics and the telecommunications infrastructure by appointed Mr. Timothy Donahue, President striving to deeply integrate a homeland and Chief Executive Officer (CEO), Nextel, security focus into its daily operations as the Chair of NRIC VII—the first time a and actively encouraging industry to CEO from the wireless sector has assumed do the same. Recently, the FCC revised that position. The NRIC VII goal of driving its Strategic Plan, making homeland rapid growth of alternative communications security (HLS) one of the six pillars of issues directly reflects emerging trends in its operations. As such, each FCC bureau/ the industry. In addition to re-chartering office must integrate an HLS focus into the NRIC, the FCC created the Media its work with the goal of evaluating and Security and Reliability Council (MSRC) strengthening the communications infra- to better utilize and secure the Nation’s structure and facilitating new thinking media assets. As a result of the terrorist to assist in rapid restoration following attacks on September 11, 2001, 22 of an attack. In addition, the FCC created the New York City’s broadcasters lost broadcast HLS Policy Council, composed of senior facilities, which severely degraded service managers from each of the bureaus, to raise to the largest broadcasting market in the HLS issues the FCC must address, and the United States. The FCC will use the MSRC Office of Homeland Security to act as a to study, develop, and report on best single conduit for other Government depart- practices to ensure the reliability and ments and agencies in their interactions security of multi-channel video facilities with the FCC on HLS related topics. such as cable television.

Chairman Powell also outlined several Chairman Powell also noted several areas in initiatives the FCC has undertaken to keep which the FCC is working with other Federal pace with the changing technological and partners to enhance Government-wide com- market environment. munications capabilities. Specifically, the FCC works with the National Communica- tions System to make enhancements to the Wireless Priority Access System and the Telecommunications Service Priority System.

C-15

XXVII_AppendixC.indd 15 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

In addition, the FCC is also interacting He encouraged all NSTAC member with State regulatory agencies to set up companies to embrace the evolving network a forum for examining interdependencies realities and work to secure the networks as between the water, energy, and telecom- they continue to emerge. munications sectors. Adjournment. Moving forward, Chairman Powell Dr. Coffman thanked Chairman Powell and commented that the Nation is turning the the NSTAC Principals for their participation corner on digital migration, and very soon, in the Executive Luncheon and welcomed emerging technologies such as wireless the new members to the Committee. fidelity, broadband over power lines, He reminded the Principals that they would cable to the home, and new applications be traveling to the White House imminently such as voice over Internet protocol and to meet with the President. Dr. Coffman streaming media will be commonplace. adjourned the Luncheon at 1:10 p.m. Currently, two percent of U.S. firms use Internet protocol (IP) telephony; however, by 2007, IP telephony usage is expected to reach 19 percent. According to a Yankee Group survey, 73 percent of wireline service providers and 31 percent of wireless service providers are either implementing or testing packet telephony technology. While these innovations will continue to bring enhancements and benefits to the American consumer, they will also increase the complexity of securing the infrastructure. As the Nation’s telecommunications regulatory body, the FCC is embracing the realities of IP technology and must create a regulatory environment in which companies will flourish.

In closing, Chairman Powell stated that as the telecommunications networks continue to expand, so must the Nation’s focus on security measures to protect them. Unlike the situation with circuit switched technology, the telecommunications industry has the opportunity to employ security mechanisms in the emerging technologies at the front end of implementation.

C-16

XXVII_AppendixC.indd 16 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Attachment 1 Report Recommendations to the President from the 27th Meeting of the President’s National Security Telecommunications Advisory Committee (NSTAC XXVII) May 19, 2004

The President’s National Security  Fund the Department of Homeland Telecommunications Advisory Commit- Security to implement a commercial tee (NSTAC) Satellite Task Force (STF) SATCOM NS/EP improvement examined potential national security and program within the National emergency preparedness (NS/EP) issues Communications System (NCS) to related to satellites. Based on STF analysis procure and manage the non- and review of related policy issues, the Department of Defense satellite NSTAC recommends, in accordance with facilities and services necessary responsibilities and existing mechanisms to increase the robustness of established by Executive Order 12472, Government communications. Assignment of National Security and Emergency Preparedness Telecommunications  Appoint several members to Functions, and other existing authority, that represent service providers and the President— associations from all sectors of the commercial satellite industry to the  Direct the Assistant to the President NSTAC to increase satellite industry for National Security Affairs, involvement in NS/EP. Assistant to the President for Homeland Security, and Director, To guide rapid implementation of these Office of Science Technology Policy, recommendations with specific steps to to develop a national policy with secure the commercial SATCOM infrastruc- respect to the provisioning and ture for NS/EP, the task force provided the management of commercial satellite framework of an action plan for Federal communications (SATCOM) departments and agencies. services integral to NS/EP communications, recognizing the vital and unique capabilities commercial satellites provide for global military operations, diplomatic missions, and homeland security contingency support.

C-17

XXVII_AppendixC.indd 17 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

To improve NS/EP policy, the task force The Financial Services Task Force (FSTF) suggested the establishment of a steering of the NSTAC recommends that the committee to examine how commercial President, in accordance with responsibili- SATCOM can best be used in an operational ties and existing mechanisms established support role to the National Response Plan, by Executive Order 12472, Assignment study satellite technology export controls of National Security and Emergency Pre- and their impact on the economic stability paredness Telecommunications Functions, of the domestic satellite industry, and direct the appropriate departments and reevaluate domestic and foreign policies on agencies to— the use of commercial SATCOM in support of NS/EP missions.  Support the Alliance for Telecommu- nications Industry Solutions’ National To increase the robustness of Government Diversity Assurance Initiative and communications through better use of com- develop a process to: mercial SATCOM, the task force suggests the following actions: (1) maintain awareness – Examine diversity assurance of commercial SATCOM usage within the capabilities, requirements, and Federal Government, enabling decision best practices for critical NS/EP makers to rapidly prioritize commercial customers and, where needed, satellite services required to support NS/EP – Promote research and devel- needs; (2) extend the purview of the Tele- opment to increase resiliency, communications Service Priority to all fixed circuit diversity, and alternative satellite service operators and extend the transport mechanisms. Wireless Priority Service model to mobile satellite operators; and (3) develop, in  Support financial services sector coordination with the commercial satellite initiatives examining: industry, a strong and proactive information assurance policy to further reduce the vul- – The development of a feasible nerability of command and control links. “circuit by circuit” solution to ensure telecommunications Furthermore, the task force suggests services resiliency, and actions to mitigate vulnerabilities in the SATCOM infrastructure. These suggestions – The benefits and complexities include conducting studies on physical of aggregating sector-wide vulnerabilities, identifying a system-wide NS/EP telecommunications hierarchy of physical and cyber requirements into a common vulnerabilities to terrorist attack, framework to protect national developing a plan and process to rapidly economic security. mitigate interference, and developing security requirements commensurate with NS/EP communications needs.

C-18

XXVII_AppendixC.indd 18 10/8/04, 4:37 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

 Coordinate and support relevant  Develop a process to resolve cross-sector activities (e.g., standards multi-jurisdictional (Federal, State, development, research and develop- and local) conflicts within the ment, pilot initiatives, and exercises) appropriate boundaries of federal- in accordance with guidance provided ism and national, homeland, and in Homeland Security Presidential economic security. Directive 7.  Work with Congress to modify  Provide statutory protection to remove the Critical Infrastructure Informa- liability and antitrust barriers to col- tion Act of 2002 (CII Act) so that laborative efforts when needed in the the Department of Homeland interest of national security. Security (DHS) is the clearinghouse and dispenser of CII information.  Continue to promote the Telecommu- nications Service Priority program as a  Encourage Congress to extend the component of the business resumption protections of the CII Act to cover plans of financial services institutions. departments and agencies other than the DHS and, if other agencies  Promote research and development should be designated as such, the efforts to increase the resiliency NSTAC recommends that they adopt and the reliability of alternative the same rules and procedures as transport technologies. DHS for handling CII.

 Examine and develop capital investment  Work diligently with Congress to recovery incentives for critical infra- ensure the CII Act’s Freedom of Infor- structure owners, operators, and users mation Act exemption and liability that invest in resiliency mechanisms to provisions remain intact. support their most critical NS/EP telecommunications functions. The NSTAC’s Operation, Administration, Maintenance, and Provisioning (OAM&P) The Legislative and Regulatory Task Force (LRTF) Standards Working Group was formed to of the NSTAC recommends that the President, further examine the standard and develop in accordance with responsibilities and existing conclusions and recommendations for mechanisms established by Executive Order further action. The OAM&P Standards 12472, Assignment of National Security and Working Group made the following Emergency Preparedness Telecommunications recommendations to the President: Functions, and other existing authority, direct the appropriate departments and agencies, in coordination with industry, to:

C-19

XXVII_AppendixC.indd 19 10/8/04, 4:38 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

 Direct the National Institute of Standards and Technology (NIST) to review the T1.276-2003 standard. If a review finds a conflict between the T1.276-2003 standard and existing Federal Information Processing Standards (FIPS) and NIST publications, NIST should make these conflicts known to the appropriate standards bodies.

 Encourage Federal departments and agencies to use the T1.276-2003 standard in requests for proposals, as appropriate.

 Encourage other infrastructures through the Department of Homeland Security to consider the elements of the T1.276-2003 standard as a baseline for security requirements and adapt appropriate requirements for their respective infrastructure.

C-20

XXVII_AppendixC.indd 20 10/8/04, 4:38 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Attachment 2 Attendance of Members at the 27th Meeting of the President’s National Security Telecommunications Advisory Committee (NSTAC XXVII) May 19, 2004

Dr. Vance D. Coffman, Chair ...... Lockheed Martin Corporation

Mr. F. Duane Ackerman, Vice Chair...... BellSouth Corporation

Dr. J. Robert Beyster ...... Science Applications International Corporation

Mr. Gregory Brown*...... Motorola, Inc.

Mr. Gary Forsee...... Sprint Corporation

Mr. Van B. Honeycutt ...... Computer Sciences Corporation

Mr. Clayton M. Jones ...... Rockwell Collins, Inc.

Mr. Craig O. McCaw...... Teledesic Corporation

Mr. Craig Mundie...... Microsoft Corporation

Mr. Richard C. Notebaert ...... Qwest Communications

Mr. Donald J. Obert ...... Bank of America, Inc.

Mr. G. William Ruhl ...... U.S. Telecom Association

Dr. Hector de J. Ruiz ...... Advanced Micro Devices, Inc.

Ms. Patricia F. Russo...... Lucent Technologies

* Membership pending White House approval (as of May 19, 2004).

C-21

XXVII_AppendixC.indd 21 10/8/04, 4:38 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Mr. Stratton Sclavos...... VeriSign, Inc.

Mr. Stanley Sigman* ...... Cellular Telecommunications & Internet Association

Mr. William Swanson ...... Raytheon Company

Mr. Lawrence A. Weinbach...... Unisys

* Membership pending White House approval (as of May 19, 2004).

C-22

XXVII_AppendixC.indd 22 10/8/04, 4:38 PM Acronyms 10/8/04, 4:38 PM 1 XXVII_AppendixD.indd XXVII_AppendixD.indd 2 10/8/04, 4:38 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

Acronyms

AIN ...... Advanced Intelligent DDoS...... Distributed Denial Networks of Service

AIP ...... Automated Information DHS ...... Department of Processing Homeland Security

ATIS ...... Alliance for DoD...... Department of Defense Telecommunications DOE ...... Department of Energy Industry Solutions DOJ...... Department of Justice CCS...... Common Channel Signaling DOS ...... Department of State CIAO ...... Critical Infrastructure Assurance Office EC ...... Electronic Commerce

CII Act...... Critical Infrastructure ECC...... Enhanced Call Completion Information Act of 2002 EISISG...... Embedded Interoperable CIP ...... Critical Infrastructure Security Issue Protection Scoping Group

CNS...... Commercial Network ELS...... Essential Line Service Survivability EMP ...... Electromagnetic Pulse COP...... Committee of Principals E.O...... Executive Order COR ...... Council of Representatives EPA ...... Environmental CPAS ...... Cellular Priority Protection Agency Access Service ERPWG ...... Emergency Response CSI ...... Commercial SATCOM Procedures Working Group Interconnectivity ESF ...... Emergency Support CSS ...... Commercial Satellite Function Survivability ESP ...... National Electric CTF ...... Convergence Task Force Service Priority Program in Support of CWG ...... Convergence Telecommunications Working Group ETSI ...... European CWIN ...... Cyber Warning Telecommunications Information Network Standards Institute DARPA ...... Defense Advanced Research FCC ...... Federal Communications Projects Administration Commission

D-1

XXVII_AppendixD.indd 1 10/8/04, 4:38 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

FNI...... Funding of IDSG ...... Intrusion Detection NSTAC Initiatives Subgroup

FOIA ...... Freedom of Information Act IDT...... International Diplomatic Telecommunications FRB ...... Federal Reserve Board IEPS ...... International Emergency FRP ...... Federal Response Plan Preference Scheme FRWG ...... Funding and Regulatory IES ...... Industry Executive Working Group Subcommittee FS...... Financial Services IIG...... Information FSTF...... Financial Services Infrastructure Group Task Force IIS ...... Industry Information GETS...... Government Emergency Security Telecommunications IP ...... Internet Protocol Service ISAC...... Information Sharing and GII...... Global Information Analysis Center Infrastructure ISATF ...... Internet Security GNSS...... Government Network Architecture Task Force Security Subgroup IS/CIP ...... Information Sharing for GSA...... General Services Critical Infrastructure Administration Protection GTISC...... Georgia Technology IS/CIPTF ...... Information Sharing Critical Information Security Center Infrastructure Protection GTF ...... Globalization Task Force Task Force

HPC...... High Probability of ISEC ...... Information Security Call Completion Exploratory Committee

IA ...... Information Assurance ISP ...... Internet Service Provider

IAIP...... Information Analysis and ISSB ...... Information Systems Infrastructure Protection Security Board

IATF ...... Information Assurance IT ...... Information Technology Task Force ITIC...... Information Technology IAW...... Indicators, Assessment, Industry Council and Warnings ITPITF...... Information Technology I&C...... Information and Progress Impact Task Force Communications

D-2

XXVII_AppendixD.indd 2 10/8/04, 4:38 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

LMBATF ...... Last Mile Bandwidth NOAHG...... NSTAC Outreach Availability Task Force Ad Hoc Group

LRG...... Legislative and NOTF ...... NSTAC Outreach Task Force Regulatory Group NPTF...... National Plan to Defend LRTF ...... Legislative and Regulatory Critical Infrastructures Task Force Task Force

LRWG...... Legislative and Regulatory NRC ...... National Research Council Working Group NRIC ...... Network Reliability and MTT ...... Mobile Transportable Interoperability Council Telecommunications NSA...... National Security Agency NAP...... Network Access Provider NSDD...... National Security NCC ...... National Coordinating Decision Directive Center for NS/EP ...... National Security and Telecommunications Emergency Preparedness NCM...... National Coordinating NSG ...... Network Security Group Mechanism NSIE...... Network Security NCS...... National Communications Information Exchange System NSSC...... Network Security NCSP...... National Cyber Steering Committee Security Partnership NSSOG...... Network Security Standards NERC ...... North American Electric Oversight Group Reliability Council NSTAC...... The President’s NES...... National Energy Strategy National Security NG ...... Network Group Telecommunications Advisory Committee NGN...... Next Generation Network NSTF...... Network Security Task Force NII...... National Information Infrastructure NS/VATF ...... Network Security/ Vulnerability Assessment NIPC ...... National Infrastructure Task Force Protection Center NTIA ...... National NIST...... National Institute of Telecommunications and Standards and Technology Information Administration NLP ...... National Level NS/EP NTMS...... National Telecommunications Telecommunications Program Management Structure

D-3

XXVII_AppendixD.indd 3 10/8/04, 4:38 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

NWC ...... Naval War College RDTF...... Research and Development Task Force OAM&P...... Operations, Administration, Maintenance, and RDX...... Research and Development Provisioning Exchange

OCS...... Office of Cyberspace RDXTF ...... Research and Development Security Exchange Task Force

OMNCS...... Office of the Manager, REWG ...... Resource Enhancements National Communications Working Group System R&O ...... Report and Order OS...... Operating System RP ...... Restoration Priority OSG ...... Operations Support Group SATCOM ...... Satellite Communications OSTP...... Office of Science and SCOE...... Security Center Technology Policy of Excellence OWG ...... Operations Working Group SRWG...... Security Requirements PAS...... Priority Access Service Working Group

PCCIP...... President’s Commission on SS7...... Signaling System 7 Critical Infrastructure STF ...... Satellite Task Force Protection STU...... Secure Telephone Unit PCII...... Protected Critical Infrastructure Information Telecom-...... Telecommunications

PDD...... Presidential Decision ISAC...... Information Sharing and Directive Analysis Center

PN...... Public Network TESP ...... Telecommunications Electric Service Priority PO...... Program Office TIM ...... Telecommunications PSN...... Public Switched Network Industry Mobilization PSTN...... Public Switched TIPHON ...... Telecommunications and Telephone Network Internet Protocol PSTF ...... Protecting Systems Harmonization Over Task Force Networks

PWG...... Plans Working Group TSP ...... Telecommunications Service Priority QoS...... Quality of Service TSS ...... Telecommunications R&D ...... Research and Development Systems Survivability

D-4

XXVII_AppendixD.indd 4 10/8/04, 4:38 PM The President’s National Security Telecommunications Advisory Committee NSTAC XXVII Issue Review

UST...... Underground Storage Tank

USTA...... United States Telecom Association

VTF ...... Vulnerabilities Task Force

W/LBRDSTF ..... Wireless/Low-Bit-Rate Digital Services Task Force

WOS...... Widespread Outage Subgroup

WPS ...... Wireless Priority Service

WSPO...... Wireless Services Program Office

WSTF ...... Wireless Services Task Force

WTF ...... Wireless Task Force

Y2K ...... Year 2000

D-5

XXVII_AppendixD.indd 5 10/8/04, 4:38 PM XXVII_AppendixD.indd 6 10/8/04, 4:38 PM