Executive Order 13231

Critical Infrastructure Protection in the Information Age

Legislation

By: George W. Bush

Date: October 18, 2001

Source: Executive Order 13231, as recorded in the Federal Register.

About the Author: Executive Orders are directives issued by the President of the United States. The intent of this type of order, which has been in place since the first presidency of George Washington is usually to dictate specific action by officials or agencies working with the President on a specific issue. In more extreme cases of national emergency or threat to national security, an Executive Order can be used to impact upon specific members of groups within the general population. One famous case of this type of use of the directive occurred during the course of World War II (1939–1941), when President Franklin Roosevelt issued an Executive Order to intern American citizens of Japanese ancestry. On October 16, 2001, President Bush issued Executive Order 13231.

INTRODUCTION

With the world's increasing reliance on technology in all aspects of daily life, the threat posed by terrorists to use technology to interrupt the flow of information around the globe has grown more serious. There are few aspects of life in Western societies that are not directly connected to the information superhighway, as this flow of information around the globe has become known. The three tenets that help populations operate safely; free traffic of business and commerce, a strong government, and a national defense, could all be potentially crippled if the technological infrastructure supporting those institutions was compromised.

In the wake of the attacks of September 11, 2001, the United States government began to reassess all aspects of its national security including the potential threat to the nation's informational infrastructure posed by cyberterrorism.

Attacks launched over communications wires and computer networks can become manifest in numerous forms and with a large array of possible outcomes. Most commonly, information terrorists aim to introduce viruses into computer systems enabling them either to steal critical information or to destabilize public systems.

Cyber virus attacks can range from relatively harmless, in terms of human cost—such as those involving informational or commercial Internet sites being compromised—to attacks that could result in a large degree of human casualties. Such attacks include a cyber terrorist being able to shut down an electrical grid for an extended period of time, infiltrate national defense systems, or even destabilize nuclear power plants.

In addition to the countless benefits that information technology has offered, it has presented terrorists with the ability to wage their battles a world away from the site they plan to attack. A further danger involves the ease with which terrorists can communicate with one another without being detected.

Responding to this new reality required a coordinated response by the government and on October 16, 2001, President Bush issued Executive Order 13231 to protect the United States in the modern age of communications and technological reliance.

PRIMARY SOURCE

By the authority vested in me as President by the Constitution and the laws of the United States of America, and in order to ensure protection of information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems, in the information age, it is hereby ordered as follows:

Section 1: Policy. (a) The information technology revolution has changed the way business is transacted, government operates, and national defense is conducted. Those three functions now depend on an interdependent network of critical information infrastructures. The protection program authorized by this order shall consist of continuous efforts to secure information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems. Protection of these systems is essential to the telecommunications, energy, financial services, manufacturing, water, transportation, health care, and emergency services sectors.

(b) It is the policy of the United States to protect against disruption of the operation of information systems for critical infrastructure and thereby help to protect the people, economy, essential human and government services, and national security of the United States, and to ensure that any disruptions that occur are infrequent, of minimal duration, and manageable, and cause the least damage possible. The implementation of this policy shall include a voluntary public-private partnership, involving corporate and nongovernmental organizations.

Section 2: Scope. To achieve this policy, there shall be a senior executive branch board to coordinate and have cognizance of Federal efforts and programs that relate to protection of information systems and involve:

1. cooperation with and protection of private sector critical infrastructure, State and local governments' critical infrastructure, and supporting programs in corporate and academic organizations;
2. protection of Federal departments' and agencies' critical infrastructure; and
3. related national security programs. ...

Section 4: Continuing Authorities. . . . (b) National Security Information Systems. The Secretary of Defense and the Director of Central Intelligence (DCI) shall have responsibility to oversee, develop, and ensure implementation of policies, principles, standards, and guidelines for the security of information systems that support the operations under their respective control. In consultation with the Assistant to the President for National Security Affairs and the affected departments and agencies, the Secretary of Defense and the DCI shall develop policies, principles, standards, and guidelines for the security of national security information systems that support the operations of other executive branch departments and agencies with national security information. . . .

(c) Additional Responsibilities: The Heads of Executive Branch Departments and Agencies. The heads of executive branch departments and agencies are responsible and accountable for providing and maintaining adequate levels of security for information systems, including emergency preparedness communications systems, for programs under their control. Heads of such departments and agencies shall ensure the development and, within available appropriations, funding of programs that adequately address these mission areas. Cost-effective security shall be built into and made an integral part of government information systems, especially those critical systems that support the national security and other essential government programs. Additionally, security should enable, and not unnecessarily impede, department and agency business operations.

Section 5: Board Responsibilities. Consistent with the responsibilities noted in section 4 of this order, the Board shall recommend policies and coordinate programs for protecting information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems. Among its activities to implement these responsibilities, the Board shall:

(a) Outreach to the Private Sector and State and Local Governments. In consultation with affected executive branch departments and agencies, coordinate outreach to and consultation with the private sector, including corporations that own, operate, develop, and equip information, telecommunications, transportation, energy, water, health care, and financial services, on protection of information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems; and coordinate outreach to State and local governments, as well as communities and representatives from academia and other relevant elements of society....

(ii) Consult with potentially affected communities, including the legal, auditing, financial, and insurance communities, to the extent permitted by law, to determine areas of mutual concern; and

(iii) Coordinate the activities of senior liaison officers appointed by the Attorney General, the Secretaries of Energy, Commerce, Transportation, the Treasury, and Health and Human Services, and the Director of the Federal Emergency Management Agency for outreach on critical infrastructure protection issues with private sector organizations within the areas of concern to these departments and agencies. In these and other related functions, the Board shall work in coordination with the Critical Infrastructure Assurance Office (CIAO) and the National Institute of Standards and Technology of the Department of Commerce, the National Infrastructure Protection Center (NIPC), and the National Communications System (NCS).

(b) Information Sharing. Work with industry, State and local governments, and nongovernmental organizations to ensure that systems are created and well managed to share threat warning, analysis, and recovery information among government network operation centers, information sharing and analysis centers established on a voluntary basis by industry, and other related operations centers. In this and other related functions, the Board shall work in coordination with the NCS, the Federal Computer Incident Response Center, the NIPC, and other departments and agencies, as appropriate.

(c) Incident Coordination and Crisis Response. Coordinate programs and policies for responding to information systems security incidents that threaten information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems. In this function, the Department of Justice, through the NIPC and the Manager of the NCS and other departments and agencies, as appropriate, shall work in coordination with the Board. . . .

(e) Research and Development. Coordinate with the Director of the Office of Science and Technology Policy (OSTP) on a program of Federal Government research and development for protection of information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems, and ensure coordination of government activities in this field with corporations, universities, Federally funded research centers, and national laboratories. In this function, the Board shall work in coordination with the National Science Foundation, the Defense Advanced Research Projects Agency, and with other departments and agencies, as appropriate.

(f) Law Enforcement Coordination with National Security Components. Promote programs against cyber crime and assist Federal law enforcement agencies in gaining necessary cooperation from executive branch departments and agencies. Support Federal law enforcement agencies' investigation of illegal activities involving information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems, and support coordination by these agencies with other departments and agencies with responsibilities to defend the Nation's security, the Board shall work in coordination with the Department of Justice, through the NIPC, and the Department of the Treasury, through the Secret Service, and with other departments and agencies, as appropriate.

(g) International Information Infrastructure Protection. Support the Department of State's coordination of United States Government programs for international cooperation covering international information infrastructure protection issues. . . .

(i) Coordination with Office of Homeland Security. Carry out those functions relating to protection of and recovery from attacks against information systems for critical infrastructure, including emergency preparedness communications, that were assigned to the Office of Homeland Security by Executive Order 13228 of October 8, 2001. The Assistant to the President for Homeland Security, in coordination with the Assistant to the President for National Security Affairs, shall be responsible for defining the responsibilities of the Board in coordinating efforts to protect physical assets that support information systems.

SIGNIFICANCE

In the wake of September 2001, the government of the United States was forced to reconsider all possible threats that could be posed to the nation. This executive order outlines the commitment of the government in exposing the potential for further harm to be exacted against the United States. While this order by no means introduced the notion of the vulnerability of the nation's infrastructure in light of its reliance on technology, it used the attacks as a reason to strengthen defenses already in place.

In presenting this order, the government recognizes that terrorists are committed to discovering new ways of attacking their enemies, and recognizes that terrorist organizations have dedicated themselves towards enhancing their ability to bring down the information infrastructure of the United States.

The information age has made it extremely difficult, or even impossible, to create any physical barriers between the government and the outside world. Whereas in the past, secret documents were locked behind sealed and guarded doors, the nature of today's reliance on technology means that with enough motivation and the proper knowledge, criminals and terrorists can sometimes gain access to information at the highest levels of government and the defense community.

The primary action taken in light of this order was the creation of the President's Critical Infrastructure Protection Board, whose job it is to offer the recommendations for policies to protect the nation's critical systems from attack, and to provide an emergency plan for responding to such an attack. The board was created to work as a partner with the Office of Homeland Security.

FURTHER RESOURCES

Books

Ball, Kirstie and Webster, Frank. The Intensification Of Surveillance: Crime, Terrorism and Warfare in the Information Age . London: Pluto Press, 2003.

Web sites

Rand.com. "The Networking of Terror in the Information Age." <http://www.rand.org/publications/MR/MR1382/MR1382.ch2.pdf> (accessed July 4, 2005).

The Office of Homeland Security. "Research and Technology: Information and Infrastructure." <http://www.dhs.gov/dhspublic/display?theme=26> (accessed July 4, 2005).