Professional Documents
Culture Documents
MFR Nara - t8 - Cipp - Mccarthy John A - 1-21-04 - 00706
MFR Nara - t8 - Cipp - Mccarthy John A - 1-21-04 - 00706
Commission Sensitive
The purpose of this meeting with John McCarthy was to gain a better understanding of critical
infrastructure - what it is and how it is defined. McCarthy worked with Commissioner Gorelick,
when she was the Deputy Attorney General, on the Critical Infrastructure Working Group
(CIWG).
McCarthy's work involves the Critical Infrastructure Protection Project (CIP Project). The CIP
Project is a joint effort of George Mason University and James Madison University to develop a
nationally recognized program that fully integrates the disciplines of law, policy, and technology
for enhancing the security of cyber networks and economic processes supporting the nation's
critical infrastructures. The consideration of all three disciplines -law, policy, and technology-
is what makes the CIP Project unique. The CIP Project is funded by a grant from the National
Institute of Standards and Technology (NIST). One effort that McCarthy has worked on as part
of the CIP Project mapped the U.S. fiber optics system, roughly 850/0 of it. This mapping
revealed that it was possible to "balkanize" the U.S. by crippling one critical node in the fiber
optics system.
Great debate exists among government officials and academicians as to what critical
infrastructure should include and should not include. McCarthy draws a distinction between
"critical infrastructure" (which reside at a high-level, national environment) and "critical assets"
(which reside at a more local, company/ corporate environment).
The U.S. national infrastructure can be viewed as a continuum. Not everything in our national
infrastructure is or should be considered "critical infrastructure." McCarthy's concern is that the
U.S. Department of Homeland Security (DHS) may be taking on too much by trying to define
critical infrastructure too broadly. Too broad of a definition would setup the U.S. to defend our
entire national infrastructure instead of what is truly critical. A broad definition would also
violate one of the maxims of warfare, "He who wants do defend everything defends nothing."
Commission Sensitive
UNCLASSIFIED
UNCLASSIFIED
Commission Sensitive
Criticallnfrastru re
Protecti()n(CIP)
(truly·.key.proc~ssesand
business sectors; including thet3
'SAC's - Information. sharinQandllliIWl~~
AnalysisCeoters·'.'vVitgleacj
ag~nGi~sancjp~~tor
··.·,¢oo ret frlat<DF~)J( ./::"' ...:.".
21~ssified··.Gov~rn~entMat~ri
+
·····:·~usiness·
Proprietary'·nforrncHio· •••
Concern about our critical infrastructure can be traced back to the early 1990's. The first Gulf
War in 1990-91 required a greater logistical dependency on the U. S. private sector than ever
before for wartime supplies. Then with the implosion of the USSR in 1991-92 and the
Oklahoma City bombing of 1995, the focus of our security concerns started shifting inwardly.
The dot.com and e-commerce revolution demonstrated our reliance on the cyber infrastructure of
computers and the Internet.
The Critical Infrastructure Assurance Office (CIAO) was initially created within the U.S.
Department of Commerce. In addition, the National Infrastructure Protection Center (NIPC) and
Information Sharing and Analysis Centers (ISACs) were created. With the creation of DRS,
many of the responsibilities of CIAO and NIPC moved to DRS.
Commission Sensitive 2
UNCLASSIFIED