UNCLASSIFIED

Commission Sensitive

MEMORANDUM FOR THE RECORD

Type of event: Interview of John A. McCarthy

Date: January 21,2004
Special Access Issues: NA
Prepared by: Mark Bittinger
Team Number: 8
Location: National Center for Technology & Law, George Mason University School of Law,
3301 Fairfax Drive, Arlington, VA 22201
Participants - Non-Commission: John A. McCarthy, Executive Director, Critical Infrastructure
Protection Proj ect
Participants - Commission: Mark Bittinger and Emily Walker

The purpose of this meeting with John McCarthy was to gain a better understanding of critical
infrastructure - what it is and how it is defined. McCarthy worked with Commissioner Gorelick,
when she was the Deputy Attorney General, on the Critical Infrastructure Working Group
(CIWG).

McCarthy's work involves the Critical Infrastructure Protection Project (CIP Project). The CIP
Project is a joint effort of George Mason University and James Madison University to develop a
nationally recognized program that fully integrates the disciplines of law, policy, and technology
for enhancing the security of cyber networks and economic processes supporting the nation's
critical infrastructures. The consideration of all three disciplines -law, policy, and technology-
is what makes the CIP Project unique. The CIP Project is funded by a grant from the National
Institute of Standards and Technology (NIST). One effort that McCarthy has worked on as part
of the CIP Project mapped the U.S. fiber optics system, roughly 850/0 of it. This mapping
revealed that it was possible to "balkanize" the U.S. by crippling one critical node in the fiber
optics system.

Great debate exists among government officials and academicians as to what critical
infrastructure should include and should not include. McCarthy draws a distinction between
"critical infrastructure" (which reside at a high-level, national environment) and "critical assets"
(which reside at a more local, company/ corporate environment).

The U.S. national infrastructure can be viewed as a continuum. Not everything in our national
infrastructure is or should be considered "critical infrastructure." McCarthy's concern is that the
U.S. Department of Homeland Security (DHS) may be taking on too much by trying to define
critical infrastructure too broadly. Too broad of a definition would setup the U.S. to defend our
entire national infrastructure instead of what is truly critical. A broad definition would also
violate one of the maxims of warfare, "He who wants do defend everything defends nothing."

Commission Sensitive
UNCLASSIFIED
 UNCLASSIFIED
Commission Sensitive

The National Infrastructure Continuum

(physical and cyber security)

Criticallnfrastru re
Protecti()n(CIP)
(truly·.key.proc~ssesand
business sectors; including thet3
'SAC's - Information. sharinQandllliIWl~~
AnalysisCeoters·'.'vVitgleacj
ag~nGi~sancjp~~tor
··.·,¢oo ret frlat<DF~)J( ./::"' ...:.".
21~ssified··.Gov~rn~entMat~ri
+
·····:·~usiness·
Proprietary'·nforrncHio· •••

Concern about our critical infrastructure can be traced back to the early 1990's. The first Gulf
War in 1990-91 required a greater logistical dependency on the U. S. private sector than ever
before for wartime supplies. Then with the implosion of the USSR in 1991-92 and the
Oklahoma City bombing of 1995, the focus of our security concerns started shifting inwardly.
The dot.com and e-commerce revolution demonstrated our reliance on the cyber infrastructure of
computers and the Internet.

The President's Commission on Critical Infrastructure Protection (PCCIP) reported out to

President Clinton in 1997 with an assessment of the threats and vulnerabilities of critical
infrastructures in the U. S. In order to address the many recommendations proposed by the report
of the PCCIP, the president issued Presidential Decision Directive 63 (PDD-63), an action
program which was based largely on the PCCIP report.

The Critical Infrastructure Assurance Office (CIAO) was initially created within the U.S.
Department of Commerce. In addition, the National Infrastructure Protection Center (NIPC) and
Information Sharing and Analysis Centers (ISACs) were created. With the creation of DRS,
many of the responsibilities of CIAO and NIPC moved to DRS.

Commission Sensitive 2
UNCLASSIFIED