President Bill Clinton created the President's Commission on Critical Infrastructure Protection in 1996 via an executive order. The next year, the panel issued "Critical Foundations," a report on the risks to the critical infrastructure as it was then defined.
The order, EO 13010, was not the very beginning of the recognition of critical infrastructure. The government has long understood that certain systems and resources are essential for the operation and perpetuation of a civilization. Prior actions, such as the Computer Security Act of 1987 and Executive Order 12656 in 1988, designated the Justice Department as responsible for assisting other agencies in protecting "essential resources and facilities."
In 1996, however, everything coalesced. After the end of the short Persian Gulf War in 1991, America settled into what felt like a peaceful, prosperous time. A larger-than-life Southern governor moved into the White House, while what remained of the Soviet Union struggled to find a new path forward. Gas was cheap — just a little over $1 a gallon in most places, equal to $1.64 in 2016 dollars — and a new economic boom based on technology and e-commerce was quietly being born.
Then, in 1995, an explosion destroyed a federal office building in Oklahoma City and snapped the nation out of its complacency. That act of domestic terrorism — more than anything else, according to some — led to the recognition that America's critical infrastructure was always going to be at risk.
Jamie Gorelick, now a partner at the Washington, D.C., law firm Wilmer, Cutler, Pickering & Hale, was deputy attorney general in 1995, and remembers the effect of the bombing on the Clinton administration's priorities.
"A bomb went off in Oklahoma City, and it was riveting to the nation to think that a domestic terrorist could wreak such havoc," she said. "The White House very much wanted to look comprehensively at our national security and our ability to protect our critical infrastructure and asked the Justice Department to head up that effort. …I think most people thought that in the aftermath of Oklahoma City, where after all a bomb had gone off in a federal building, that that effort would focus on physical security. But as we looked at this we became convinced that computer security, as we were then calling it, was as important if not more important."
The work began very shortly after the bombing, with a presidential decision directive that, among other things, tasked the Justice Department with reviewing the vulnerabilities of all government facilities. It also put Justice in charge of assembling an interagency cabinet-level group to study and assess infrastructure protection. That body, the Critical Infrastructure Working Group, identified the eight critical infrastructure sectors, and also recommended the creation of a presidential commission.
The group drew on expertise from the military and the National Security Agency among other sources. While the initial expectation, in light of the bombing, was a focus on physical security, the emerging world of information technology was soon revealed as a much more imminent worry.
"We were briefed on the nature of the threat, and one of the things we were briefed on was the readily available information that would show the vulnerability of our critical nodes," she said. "You could find available on the internet, available publicly, information on, in essence, how to destroy our communications infrastructure. How to destroy the [industrial control] systems that control our transportation and our energy pipelines, just as a couple of examples. This was terrifying to us. I wrote a memo that basically alerted the cabinet that we were broadening our scope."
The working group ultimately recommended the appointment of a presidential commission. "The reason that we made that recommendation was not simply to punt, which is often the reason that people recommend commissions. We recommended a commission because you had to have a broad consensus among cabinet agencies as to what needed to be done, what the problems were and what the solutions were, and a broad consensus with the private sector of what the threats were and what needed to be done," she said. "The only way to bring all of those people together and form a strong factual basis and recommendations as to what to do was with a presidential commission."
Initially nothing much came of the group's work, but soon Sen. Sam Nunn, D-Ga., who was then chairman of the Armed Services Committee, took up the cause. As Nunn arranged hearings during the summer of 1996, Gorelick suggested to White House officials that it might be prudent to act on the working group's recommendations before she was called to testify.
The groundwork
The PCCIP, created in 1996, delivered its final report to the president in October 1997. Its key area of concern was cyber threats. During the intervening months, the commission members and the officials overseeing the effort found the work they were doing to be highly important—but the urgency of the project was not widely recognized outside of a few circles.
Stevan Mitchell, who is now director of the Office of Intellectual Property Rights in the Commerce Department's International Trade Administration, was one of the commission members. At the time, Mitchell was a trial attorney at the Department of Justice's criminal division.
"The papers made clear, the call for the commission made clear, principals like Sen. Nunn and Deputy [Attorney General] Gorelick, all were asking for this commission to do very serious work, and to really dedicate ourselves to it," Mitchell said. "I would say the sense of urgency was common among the commissioners and among those who called for the commission to be formed. I don't think there was a sense of urgency in the public or even in [some] quarters of government. It was really our job, along with developing our report and our recommendations, to also do a certain amount of awareness raising."
"It was quite difficult to convince people to give it the priority that we felt urgently necessary. The reason was that people didn't see it in their everyday lives," said Gorelick. "They were just beginning to recognize how dependent they were on the internet, on their own computers, and the connectivity among the various systems was not apparent to people. When I testified about this, I gave lots of examples of crooks who were stealing things and shutting down systems; of cyber attacks that were being launched not just on our defense establishment but on the private sector enterprises on whose backs our national security rested."
Part of the genius of the commission was its transparency, Mitchell said, which contributed to public awareness.
"One of the real novelties of the commission was that we had taken what is today known as defensive information warfare, something that was being discussed at classified levels in the bowels of the Pentagon, and opened it up for public scrutiny. A public report, public deliberations, even public hearings. And the results I think really bear in the recommendations of the commission."