Elements of a National Policy
Ashton B. Carter, John M. Deutch
and Philip D. Zelikow
A Report of
Visions of Governance for the Twenty-First Century
A Project of the John F. Kennedy School of Government
1998 by the Board of Trustees of Leland Stanford Junior University and the Board of Trustees of Harvard University
This report was made possible in part by the Carnegie Corporation of New York, the John D. and Catherine T. MacArthur Foundation, and the Herbert S. Winokur Public Policy Fund at Harvard University. The statements made and views expressed are solely the responsibility of the authors.
Foreword: Preventive Defense
Catastrophic Terrorism: Elements of a National Policy
Imagining the Transforming Event
Organizing for Success
Intelligence and Warning
Prevention and Deterrence
Crisis and Consequence Management
About the Authors
About Visions of Governance for the Twenty-First Century
About the Stanford-Harvard Preventive Defense Project
Foreword: Preventive Defense
Through more than four decades of Cold War, American national security strategy was difficult to implement but easy to understand. America was set on a clear course to contain Soviet expansionism anywhere in the world, all the while building a formidable arsenal of nuclear weapons to deter the Soviet Union from using military force against it or its allies. Now, with the end of the Cold War, the underlying rationale for that strategy—the threat from the Soviet Union—has disappeared. What strategy should replace it? Much depends on finding the correct answer to this question.
The world survived three global wars this century. The first two resulted in tens of millions of deaths, but the third—the Cold War—would have been even more horrible than the others had deterrence failed. These three wars trace a path that leads to the strategy needed for the post-Cold War era.
At the end of the First World War, the victorious European allies sought revenge and reparations; what they got was a massive depression and another world war. The United States sought "normalcy" and isolation; what it got was total war and leadership in winning it. Because it failed to prevent and then to deter Germany’s aggression, America was forced to mobilize a second time to defeat it.
At the end of the Second World War, America initially chose a strategy based on prevention. Vowing not to repeat the mistakes made after World War I, the Truman administration created the Marshall Plan, which sought to assist the devastated nations of Europe, friends and foes alike, to rebuild. The Marshall Plan and other examples of the preventive defense strategy, aimed at preventing the conditions that would lead to a future world war, were an outstanding success in Western Europe and in Japan.
But the Soviet Union turned down the Marshall Plan and, instead, persisted in a program of expansion, trying to take advantage of the weakened condition of most of the countries of Europe. The resulting security problem was clearly articulated by George Kennan, who forecast that the wartime cooperation with the Soviet Union would be replaced with a struggle for the heart of Europe and that the United States should prepare for a protracted period of confrontation. Kennan’s analysis was accepted by the Truman administration, which then formulated a strategy that would get us through the Cold War: deterring another global war while containing the Soviet Union’s demonstrated expansionist ambitions. Deterrence supplanted prevention: there was no other choice.
Even deterrence was a departure from earlier American military strategy. The United States had twice previously risen to defeat aggression, but it had not maintained the peacetime military establishment or the engagement in the world to deter World Wars I or II. Marshall and other defense leaders around Truman created the peacetime posture and new security institutions required. In time, as George Kennan had forecast, the Soviet Union disintegrated because of the limitations of its political and economic systems. Deterrence worked.
The result is a world today seemingly without a major threat to the United States, and the U.S. is now enjoying a period of peace and influence as never before. But while this situation is to be savored by the public, foreign policy and defense leaders should not be complacent. This period of an absence of threat challenges these leaders to find the vision and foresight to act strategically, even when events and imminent threats do not compel them to do so.
To understand the dangers and opportunities that will define our nation’s strategy in the new era, we must see the post-Cold War world the way George Marshall looked upon Europe after World War II, and return to prevention. In essence, we now have another chance to realize Marshall’s vision: a world not of threats to be deterred, but a world united in peace, freedom, and prosperity. To realize this vision, we should return to Marshall’s strategy of preventive defense.
Preventive Defense is a concept of defense strategy for the United States in the post-Cold War Era. It stresses the need to anticipate security dangers which, if mismanaged, have the potential to re-create Cold War-scale threats to U.S. interests and survival. The foci of Preventive Defense are: proliferation of weapons of mass destruction, catastrophic terrorism, "loose nukes" and other military technology from the former Soviet Union, Russia’s post-Cold War security identity, and the peaceful rise of China.
Preventive Defense is the most important mission of national security leaders and of the defense establishment. They must dedicate themselves to Preventive Defense while they deter lesser but existing threats—in Iraq and North Korea—and conduct peacekeeping and humanitarian missions—in Bosnia, Haiti, Rwanda, and so on—where aggression occurs but where American vital interests are not directly threatened.
This report is the sixth in a series of Preventive Defense Project reports on key applications of Preventive Defense. We are grateful to our colleagues in the Catastrophic Terrorism Study Group and the Visions of Governance for the Twenty-First Century for their collaboration
This report is a product of the Catastrophic Terrorism Study Group, a nine-month long collaboration of faculty from Harvard University, the Massachusetts Institute of Technology, Stanford University, and the University of Virginia. The Group involves experts on national security, terrorism, intelligence, law enforcement, constitutional law, technologies of Catastrophic Terrorism and defenses against them, and government organization and management. The Group is co-chaired by Ashton B. Carter and John M. Deutch, and the project director is Philip D. Zelikow. Organized by the Stanford-Harvard Preventive Defense Project, the work of the Study Group is part of the Kennedy School of Government’s "Visions of Governance for the Twenty-First Century" project, directed by Dean Joseph S. Nye, Jr. and Elaine Kamarck.
While the danger of Catastrophic Terrorism is new and grave, there is much that the United States can do to prevent it and to mitigate its consequences if it occurs. The objective of the Catastrophic Terrorism Study Group is to suggest program and policy changes that can be taken by the United States government in the near term, including the reallocation of agency responsibilities, to prepare the nation better for the emerging threat of Catastrophic Terrorism.
An article based on this report will be published in the journal Foreign Affairs in the November/December 1998 issue.
The authors would like to thank the members of the Catastrophic Terrorism Study Group:
Graham T. Allison, Jr.
Joseph S. Nye, Jr.
William J. Perry
J. Terry Scott
Though practically all of these group members are sympathetic to the conclusions in this report, and some enthusiastically endorse them, none is responsible either for particular opinions expressed here or for the way we have written this report and expressed those judgments.
We would also like to thank the staff who was responsible for organizing the Study Group in addition to assisting in the preparation of this report: Gretchen Bartlett, Lainie Dillon, Hilary Driscoll, Sarah Peterson, and Kristin Schneeman.
Finally, the Study Group is grateful for the support of the Carnegie Corporation of New York, the John D. and Catherine T. MacArthur Foundation, and the Herbert S. Winokur Public Policy Fund at Harvard University.
CATASTROPHIC TERRORISM: ELEMENTS OF A NATIONAL POLICY
Imagining the Transforming Event
We find terrorism when individuals or groups, rather than governments, seek to attain their objectives by means of the terror induced by violent attacks upon civilians. When governments openly attack others, we call it war, to be judged or dealt with according to the laws of war. When governments act in concert with private individuals or groups, the United States government may call it war, or state-sponsored terrorism, and retaliate against both the individuals and the governments. Whatever the label, terrorism is not a new phenomenon in national or international life, although terrorists may be animated by a greater variety of motives than ever before, from international cults like Aum Shinrikyo to the individual nihilism of the Unabomber.
What is certainly new is that terrorists may today gain access to weapons of mass destruction (WMD). These can come in a variety of forms: nuclear explosive devices, germ dispensers, poison gas weapons, or even the novel destructive power of computers turned against the societies that rely on them. What is also new is an unprecedented level of national and global interdependence on an invisible infrastructure of energy and information distribution.
Americans were shocked by the tragic results of the August 1998 terrorist attacks against their embassies in Kenya and Tanzania. By comparison with the threat of catastrophic terrorism, we believe that the threat of ordinary terrorism of the kind we have known over the last generation is being taken seriously. The United States government’s commitment to address that danger is fundamentally sound. We are not as confident that the United States government is suitably prepared to address the new threat of catastrophic terrorism that utilizes weapons of mass destruction or intensive cyber-assault.
Long part of Hollywood’s and Tom Clancy’s repertory of nightmarish scenarios, catastrophic terrorism is a real possibility. In theory, the enemies of the United States have motive, means, and opportunity. The U.S. government has publicly announced that terrorist groups are attempting to manufacture chemical weapons and destroyed one such facility operating in the Sudan. As India and Pakistan build up their nuclear arsenals and Russia, storehouse for tens of thousands of weapons and the material to make tens of thousands more, descends toward a future none can foresee, it is not hard to imagine the possibilities. The combination of available technology and lethality has made biological weapons at least as deadly a danger as the better known chemical and nuclear threats. The bombings in East Africa killed hundreds. A successful attack with weapons of mass destruction could certainly kill thousands, or tens of thousands. If the device that exploded in 1993 under the World Trade Center had been nuclear, or the distribution of a deadly pathogen, the chaos and devastation would have gone far beyond our meager ability to describe it.1
Experts combining experience in every quadrant of the national security and law enforcement community all consider this catastrophic threat perfectly plausible today. Technology is more accessible, society is more vulnerable, and much more elaborate international networks have developed among organized criminals, drug traffickers, arms dealers, and money launderers: the necessary infrastructure for catastrophic terrorism. Practically unchallengeable American military superiority on the conventional battlefield pushes this country’s enemies toward the unconventional alternatives.2
Readers should imagine the possibilities for themselves, because the most serious constraint on current policy is lack of imagination. An act of catastrophic terrorism that killed thousands or tens of thousands of people and/or disrupted the necessities of life for hundreds of thousands, or even millions, would be a watershed event in America’s history. It could involve loss of life and property unprecedented for peacetime and undermine Americans’ fundamental sense of security within their own borders in a manner akin to the 1949 Soviet atomic bomb test, or perhaps even worse. Constitutional liberties would be challenged as the United States sought to protect itself from further attacks by pressing against allowable limits in surveillance of citizens, detention of suspects, and the use of deadly force. More violence would follow, either as other terrorists seek to imitate this great "success" or as the United States strikes out at those considered responsible. Like Pearl Harbor, such an event would divide our past and future into a "before" and "after." The effort and resources we devote to averting or containing this threat now, in the "before" period, will seem woeful, even pathetic, when compared to what will happen "after." Our leaders will be judged negligent for not addressing catastrophic terrorism more urgently.
Using imagination, we hope now to find some of the political will that we know would be there later, "after," because this nation prefers prevention to funereal reconstruction. When this threat becomes clear the President must be in a position to activate extraordinary capabilities. The danger of the use of a weapon of mass destruction against the United States or one of its allies is greater at this moment than it was during the Cold War, or at least since 1962. The threat of catastrophic terrorism is therefore a priority national security problem, as well as a major law enforcement concern. The threat thus deserves the kind of attention we now devote to threats of military nuclear attack or of regional aggression, as in the Defense Department’s major regional contingencies that drive our force planning and the resources we devote to defense.
The first enemy of imagination is resignation. Some who contemplate this threat find the prospects so dreadful and various that they despair of doing anything useful and switch off their troubling imagination. They are fatalistic, like someone contemplating the possibility of a solar supernova, and turn their eyes away from the threat. Some thinkers reacted the same way at the dawn of the nuclear age, expecting doom to strike at any hour and disavowing any further interest in the details of deterrence as a hopeless venture. But as in the case of nuclear deterrence, the good news is that more can be done.
We formed a Catastrophic Terrorism Study Group to move beyond a realization of the threat to consider just what can be done about it. This group began meeting in November 1997. We examined other studies that consider this problem. We received information and advice from some current government officials as well as from those who had considered the problem from the perspectives of governments in Great Britain, Israel, Germany, and Russia. We now advance practical proposals for consideration and debate. We avoid a grand solution, preferring to shape "bricks" that strengthen existing structures, consider the very different technical challenges presented by nuclear, biological, chemical, and cyber threats, and provide a foundation for future adaptation and future building.
Organizing for Success
The threat of catastrophic terrorism typifies the new sort of security problem the United States must confront in the post Cold War world. It is transnational, defying ready classification as foreign or domestic, either in origin, participants, or materials. As the World Trade Center incident demonstrated, one group can combine U.S. citizens with resident aliens and foreign nationals, operating in and out of American territory over long periods of time.
The greatest danger may arise if the threat falls into one of the crevasses in our government’s field of overlapping jurisdictions, such as the divide between terrorism that is "foreign" or "domestic;" or terrorism that has "state" or "non-state" sponsors; or terrorism that is classified as a problem for "law enforcement" or one of "national security." The law enforcement/national security divide is especially significant, carved deeply into the topography of American government.
The national security paradigm fosters aggressive, proactive intelligence gathering, presuming the threat before it arises, planning preventive action against suspected targets, and taking anticipatory action. The law enforcement paradigm fosters reactions to information voluntarily provided, post-facto arrests, trials governed by rules of evidence, and general protection for the rights of citizens.
We start with a concept for an overall end-to-end strategy. This has at least four elements: (1) intelligence and warning; (2) prevention and deterrence; (3) crisis and consequence management; and (4) a process for coordinated acquisition of needed materials, equipment, and technology. Throughout, there must be clear guidance about what our institutions should be able to do and definition of the roles and missions of involved agencies at all levels of government.
In an address at the U.S. Naval Academy, President Clinton announced on May 22, 1998, that we must approach the new terrorist challenges of the 21st century "with the same rigor and determination we applied to the toughest security challenges of this century." To that end he signed Presidential Decision Directive (PDD) 62 and appointed a National Coordinator for Security, Infrastructure Protection, and Counterterrorism to "bring the full force of all our resources to bear swiftly and effectively." The National Coordinator and PDD-62, like the predecessor PDD-39, look to "lead agencies" on one or another issue to "identify a program plan with goals and specific milestones." The National Coordinator will produce an annual "Security Preparedness Report," offer budget advice, and lead in the development of guidelines for crisis management.3
We welcome the presidential determination to address the danger of catastrophic terrorism and see no harm in the designation of a responsible White House aide. But we suggest a different emphasis when it comes to solving the difficult problems of shared powers and overlapping authorities.
We place no faith in czars. An unidentified, incautious administration official explained to reporters that "when money was going to the war on drugs, we created a drug czar. Now money is going to counterterrorism, and so we’ll have a czar for that, except this one will have real power."4 A national coordinator may be necessary, but is certainly not sufficient. For better or worse, however, "real power" resides in the executive departments and companies that actually have people, equipment, money, and the capacity to do things. This report thus focuses on building such capabilities, rather than dwelling on coordination at the apex.
"In form," Richard Neustadt explained long ago, "all Presidents are leaders nowadays. In fact this guarantees no more than that they will be clerks. Everybody now expects the man inside the White House to do something about everything. ... But such acceptance ... merely signifies that other men have found it practically impossible to do their jobs without assurance of initiatives from him. ... They find his actions useful in their business. ... A President, these days, is an invaluable clerk. His services are in demand all over Washington. His influence, however, is a very different matter."5
Well before the idea of a terrorism czar had been conceived, James Q. Wilson had noticed that "whenever a political crisis draws attention to the fact that authority in our government is widely shared, the cry is heard for a ‘czar’ to ‘knock heads together’ and ‘lead’ the assault on AIDS, drug abuse, pollution, or defense procurement abuses. Our form of government, to say nothing of our political culture, does not lend itself to czars...."6
Also, most of the expensive functional capabilities that must be brought together to cope with the danger of catastrophic terrorism are capabilities that are needed for other purposes, too, from reconnaissance satellites to National Guardsmen. Unifying these capabilities exclusively for one challenge will not work in practice. The people making decisions about using these capabilities against terrorists should be the same people who must consider the other missions and who can weigh and reconcile competing demands.
Experience from World War II (such as that of the British Chiefs of Staff Committee or the U.S. Office of War Mobilization) through the Cold War to the present, including the current system of security policymaking the British have devised (after long trial and error) for Northern Ireland, instead counsels us toward a different approach.7 One or another executive agency may be in the lead, but the key is to give responsibility (and accountability) to the people who are in charge of the relevant people and machines; create unglamorous but effective systems for shared decision-making that combine civil, military, and intelligence judgments up and down the chain of command; fashion entities that integrate planning and operational activity at the working level; and focus on the tasks of building up the institutional capacities to do new things. There must be exercises of the entire system to highlight defensive needs, before an incident happens. We turn now to the first crucial task: intelligence and warning.
Intelligence and Warning
Since 1945 the United States has given intense attention to any potentially hostile entity that might deliver weapons of mass destruction against its territory or its allies. The intelligence objectives were straightforward: orientation toward governments and monitoring of weapons development, testing, and deployment. The intelligence task for catastrophic terrorism is complicated by non-state actors, concealed weapons development, and unconventional deployments. In cyber attacks, the delivery of weapons can be entirely electronic.
So the intelligence job is much harder. It is not impossible. The would-be terrorists have problems, too. If states are involved, the organizations tend either to be large and leaky, or small and feckless. If no state is involved, the group may be small, feckless, and pathological, too. These realities form the opportunities for intelligence successes. Even the most formidable Irish terrorist groups took years of experience to acquire their level of professionalism and, for all their skills and training, suffered frequent setbacks in their underground war against British intelligence. Perhaps the most serious recent attempt to carry out an act of catastrophic terrorism was an expertly planned effort to destroy, with a series of simultaneous bomb explosions, the entire electrical power supply for metropolitan London. The attempt was thwarted and British security forces arrested the terrorists.
The U.S. government should seek to have the legal authorities and the capability to monitor—physically and electronically—any group and their potential state sponsors that might justifiably be considered to have a motive and capability to use weapons of mass destruction. The U.S. government should be able to do all that can reasonably be done to detect any use or deployment of such weapons anywhere in the world, by utilizing remote sensing technology and by strengthening and evaluating worldwide sources of information. These would include clandestine collection, open sources such as foreign newspapers and journals or the Internet, and would include better-organized exchanges with key allies and other like-minded states.
Nearly a year before its attack on the Tokyo subway system, the Aum Shinrikyo group had already used the nerve gas, Sarin, in attacks on civilians. Although known to the Japanese news media, the U.S. government did not know. Not only did Washington not know what Japanese law enforcement agencies knew, it is likely that centralized Japanese law enforcement agencies did not know what other local organizations in Japan knew about this prior and well documented use of chemical weapons.
Today the U.S. intelligence community lacks a place to perform "all-source" planning for collecting information, where the possible yields from efforts in overhead reconnaissance, electronic surveillance, clandestine agents, law enforcement databases and informants, and reports from foreign governments, can be sifted and organized for maximum complementary effect. The national security agencies can be proactive. Domestic law enforcement officials understandably are not proactive about intelligence collection but focus their efforts from informants or other collection to investigate suspected criminal actions with the objective of criminal prosecution. Civil liberties properly discourage them from going out and looking for criminals before they have evidence of crime.
On the other hand, domestic law enforcement has many techniques for gathering data, including lawful wiretaps and grand jury investigations. Much of the yield from these efforts is, in turn, closed off to the national security community by law or regulation, to safeguard constitutional rights.8
We believe the U.S. needs a new institution to gather intelligence on terrorism, with particular attention to the threat of catastrophic terrorism. We call this new institution a National Terrorism Intelligence Center. This Center would be responsible for collection management, analysis, dissemination of information, and warning of suspected catastrophic terrorist acts. The Center would need the statutory authority to:
� monitor and provide warning of terrorist threats to relevant agencies of the U.S. government, supporting defense or intelligence operations, as well as law enforcement;
� set integrated collection requirements for gathering information for all the intelligence agencies or bureaus of the U.S. government;
� receive and store all lawfully collected, relevant information from any government agency, including law enforcement wiretaps and grand jury information;
� analyze all forms of relevant information to produce integrated reports that could be disseminated to any agency that needed them, while restricting dissemination of underlying domestic wiretap and grand jury information;
� review planned collection and intelligence programs of all agencies directed toward terrorist targets to determine the adequacy and balance among these efforts in preparation of the President’s proposed budget;
� facilitate international cooperation in counterterrorism intelligence, including the bilateral efforts of individual agencies;
� not manage operational activities or take on the task of general intelligence about the proliferation of weapons of mass destruction (now coordinated in the Director of Central Intelligence Nonproliferation Center);
� be exempt from motions for pretrial discovery in the trials of indicted criminals.9
Since this Center would have constant access to considerable domestic law enforcement information, we believe it should not be located at the Central Intelligence Agency. The highly successful Director of Central Intelligence Counterterrorism Center established in the mid-1980s has a narrower mandate than the National Center that we propose and it would be incorporated into the new National Center. Instead we recommend the National Center be located in the FBI. However, the Center, in our conception, would be responsible to an operating committee, chaired by the Director of Central Intelligence and including the Director of the FBI, the Deputy Secretary of Defense, the Deputy Attorney General, the Deputy Secretary of State, and the Deputy National Security Adviser. The budget would be included within the National Foreign Intelligence Program, which already provides support for the FBI’s National Security Division. Unresolved disputes would go to the National Security Council. The director of the Center would come alternately from FBI and CIA. The major intelligence organizations would all be required to provide a specified number of professionals to the Center, and this number would be exempt from agency personnel ceilings.
The concept of this Center attempts to combine the proactive intelligence gathering approach of the national security agencies, which are not legally constrained in deciding when they may investigate a possible crime, with the investigative resources of law enforcement agencies. We must have an entity that can utilize our formidable but disparate national security and law enforcement resources to analyze transnational problems. This combination should be permitted, consistent with public trust, only in a National Center that has no powers of arrest and prosecution and that establishes a certain distance from the traditional defense and intelligence agencies. The Center would also be subject to oversight from existing institutions, like the federal judiciary, the President’s Foreign Intelligence Advisory Board and the select intelligence committees of the Congress.
There are precedents for creating novel interagency operating institutions that work—the National Reconnaissance Office and the reformed Counterintelligence Center offer relevant illustrations. We are not anxious to create new government institutions. But the problems in information sharing about terrorism are not just products of petty bureaucratic jealousy. They stem from a real question: how do we reconcile the practices of foreign intelligence work with the restrictions that properly limit domestic law enforcement? We believe our proposal offers a possible answer.
Prevention and Deterrence
There are several measures that we believe will contribute to prevention and deterrence of catastrophic terrorism. We suggest three measures here—an international legal initiative to make any development or possession of weapons of mass destruction a universal crime, a National Information Assurance Institute, and stronger federal support to strategic risk analysis of the catastrophic terrorism problem.
Outlawing Terror Weapons
Prevention is intertwined with the concept of deterrence. The U.S. has finally developed a sound, firm, and increasingly credible declaratory policy that criminalizes terrorist activity and supports sanctions, or even the use of force, to thwart an attack or respond. We also believe that the United States must work with other countries to extend the prohibitions against development or possession of weapons of mass destruction. Matthew Meselson and others have recently proposed a convention that would make any individual intentionally involved in biological weapons work liable as an international criminal, prosecutable anywhere, as is the case for pirates or airplane hijackers.10 Defensive work against biological warfare agents would of course be permitted.
There are already international treaties in which governments promise to restrain their weapons developments—the nuclear Non-Proliferation Treaty, the Biological Weapons Convention, and the Chemical Weapons Convention are the most notable examples. Governments breaking such a treaty violate international law. We are pressing a different idea. Prohibited weapon development would become a universal crime, opening the way to prosecution and extradition of individual offenders wherever they may be found, around the world. This idea utilizes the power of national criminal law against people, not the power of international law against governments. It builds on analogous developments in the law of piracy, treaties declaring the criminality of airplane hijacking, crimes of maritime navigation, theft of nuclear materials, and crimes against diplomats.
We are concerned about the actions of governments, too. Over time, we hope the burden of proof in demonstrating compliance with international conventions must also shift away from those alleging noncompliance to those states or groups whose compliance is in doubt. International norms should adapt so that such states are obliged to reassure those who are worried and to take reasonable measures to prove they are not secretly developing weapons of mass destruction. Failure to supply such proof, or prosecute the criminals living in their borders, should entitle worried nations to take all necessary actions for their self-defense.
National Information Assurance Institute
Cyber-terrorism is a special problem, where private sector cooperation is vital, but elusive. The President’s Commission on Critical Infrastructure Protection (often called the Marsh Commission) stressed that industry was reluctant to deal with these problems on its own because the solutions cost money, the risk is unclear, and they fear heavy-handed government action. On the other hand, although the FBI has created a National Infrastructure Protection Center, which can help identify sites that need help, we do not think FBI, with all its operational duties, is the place to build a bridge with the private sector or harness the significant resources and expertise found on the cyber problem within the Department of Defense. So we propose a National Information Assurance Institute, based within the private, nonprofit sector, that could serve as a kind of industry laboratory with a central focus on cyber protection. Placed in the private sector, the institute would not itself own the infrastructure or be part of the government, but it could deal with both sides. It implements the Marsh Commission’s recommendation, seeking a way for industry to organize itself better to deal with this problem as part of a public-private partnership.
For industry, this institute could become:
� a clearinghouse for sharing information assurance techniques and technology;
� a developer of common techniques and technology for information assurance;
� a trusted repository of proprietary information that poses no competitive threat;
� a single point of contact with the law enforcement, national security, and other agencies of the federal government;
� a resource for training and familiarization of industry personnel with technical best practice and government concerns, policies, and regulations.
For government, this institute could become:
� a channel for sharing sensitive intelligence about threats to information infrastructure;
� a center of technical excellence for developing and improving technology and techniques for protecting critical infrastructure;
� a unified government-industry forum for coordinating federal policy, regulation, and other actions affecting infrastructure providers.
We envision that the institute would be established as a not-for-profit research organization by a group of concerned private companies, universities, and existing not-for-profit laboratories. The institute would be governed by a board of directors drawn from the private sector and academia.
The institute staff could be supplemented by detailees drawn from both industry and government. Industry affiliates would not only include the manufacturers and maintainers of information systems, but also service vendors, their trade associations, and the major companies and trade associations from the power, telecommunications, banking, transportation, oil and gas, water and sewer, and emergency service sectors (including multinational companies, with appropriate protection for circulation of U.S.-only classified information).
This new institute could perform information assurance assessments for industry on a confidential basis. Industry representatives would be educated and trained on technical best practice, threats, and government policies. The institute would receive contracts from government. The institute could sponsor and conduct research on security assessment tools, intrusion detection, recovery, and restoration. As it identifies and develops industry standard best practices, and evaluates the vulnerability of commercial products, we prefer to rely where possible on informal private sector enforcement of these ideas in the marketplace (through insurance rating, for example), rather than formal government regulation. The institute could also perform incident evaluations, create a monitoring center for information assurance, provide on-call assistance, and help industry develop contingency plans for failure.