The views expressed in this paper are those of the
author and do not necessarily reflect the views of the
Department of Defense or any of its agencies. This
document may not be released for open publication until
it has been cleared by the appropriate military service or
government agency.
STRATEGY
RESEARCH
PROJECT
CRITICAL INFRASTRUCTURE PROTECTION
MR. JOHN S. TOMKO, JR.
Department of the Army
DISTRIBUTION STATEMENT A:
Approved for Public Release.
Distribution is Unlimited.
USAWC CLASS OF 2002
★ ★★
U.S. ARMY WAR COLLEGE, CARLISLE BARRACKS, PA 17013-5050
20020502 040
USAWC STRATEGY RESEARCH PROJECT
CRITICAL INFRASTRUCTURE PROTECTION
by
Mr. John S. Tomko, Jr.
Department of the Army Civilian
COL Frank Hancock
Project Advisor
The views expressed in this academic research paper are those of the
author and do not necessarily reflect the official policy or position of the
U.S. Government, the Department of Defense, or any of its agencies.
U.S. Army War College
CARLISLE BARRACKS. PENNSYLVANIA 17013
DISTRIBUTION STATEMENT A:
Approved for public release.
Distribution is unlimited.
ABSTRACT
AUTHOR: Mr. John S. Tomko, Jr.
TITLE: Critical Infrastructure Protection
FORMAT: Strategy Research Project
DATE: 09 April 2002 PAGES: 49 CLASSIFICATION: Unclassified
The infrastructures addressed in this paper represent a framework of inter-dependent networks
and systems comprising industries, institutions, functions, and distribution capabilities. They
provide a continual flow of goods and services essential to the economic well-being and security
of the United States, as well as to its defense. On the National and commercial side, the
infrastructure is defined by nine areas or sectors. These are: Banking and Finance;
Transportation; Electric and Gas (Power); Information and Communications
(Telecommunications); Law Enforcement; Government Services; Fire; Emergency Health
Services; and the Water Supply. On the Defense side they are: Financial Services;
Transportation; Public Works; Defense Information Infrastructure and Command, Control, and
Communications; Intelligence, Surveillance and Reconnaissance; Health Affairs; Personnel;
Logistics; and Space. And while the commercial side doesn’t necessarily depend on the
Defense side for its survival, with the exception of Public Works, the same cannot be said for
the Department of Defense.
The reader should gain a sense that, in general, critical infrastructure protection is not
insurmountable. In fact, protecting the infrastructure is something we do daily, especially in the
Department of Defense for those infrastructures that we own and operate. And the reader
should take away the knowledge that there is considerable thought and debate going into the
subject.
Ill
TABLE OF CONTENTS
ABSTRACT.Ill
PREFACE.VII
LIST OF TABLES.IX
CRITICAL INFRASTRUCTURE PROTECTION.1
BACKGROUND.4
ARMY INFRASTRUCTURE ASSURANCE. 5
STRATEGIC PLANNING ENVIRONMENT. 5
PRINCIPLES AND RELATIONSHIPS.5
ENVIRONMENT.6
CAPABILITIES AND CONSTRAINTS.7
STRATEGIC PLANNING DYNAMCS.9
PLANNING ACTIVITIES (TACTICAL AND OPERATIONAL).10
PLANNING ACTIVITIES (STRATEGIC).10
FUSION ACTIVITIES.11
MISSION ANALYSIS METHODOLOGY.11
BACKGROUND.12
Problem.13
MISSION ANALYSIS METHODOLOGY.13
FUSION ACTIVITY.17
PROBLEM.18
FACTS BEARING ON THE PROBLEM.19
CONCEPT.19
Risk Management. 19
V
FUSION ACTIVITY MISSION.20
FUSION ACTIVITY REQUIREMENTS.20
FUSION ACTIVITY CONCLUSIONS. 25
CONCLUSION. 25
ENDNOTES. ....27
GLOSSARY. 29
BIBLIOGRAPHY. 33
VI
PREFACE
In the opening months of the Third Millennium, the United States enjoys an economic,
military, and political preeminent position globally. Despite a lagging economy, the “war on
terrorism,” and other factors, the United States finds itself in an enviable position vis a vis the
other nations of the world. This position was achieved during the 20th Century as the United
States established markets, took advantage of technology, and established or strengthened its
infrastructures both at home and abroad. This latter area has become not only a boon but also
a burden. A boon because the infrastructures facilitate unprecedented growth. A burden
because the infrastructures are increasingly dependent upon one another not only for local
operations but also for survival within the global community.
The infrastructures addressed in this paper represent a framework of inter-dependent
networks and systems comprising identifiable industries, institutions, functions, and distribution
capabilities. They provide a continual flow of goods and services essential to the economic
well-being, security, and defense of the United States. On the National and commercial side,
the infrastructure is defined by nine areas or sectors. These sectors are Banking and Finance,
Transportation, Electric and Gas (Power), Information and Communications
(Telecommunications), Law Enforcement, Government Services, Fire, Emergency Health
Services, and the Water Supply. On the Defense side these infrastructures are Financial
Services: Transportation: Public Works: Defense Information Infrastructure and Command,
Control, and Communications: Intelligence, Surveillance, and Reconnaissance: Health Affairs:
Personnel: Logistics: and Space. And while the commercial side doesn’t necessarily depend
upon the Defense side for its survival, with the exception of Public Works, the same cannot be
said for the Department of Defense.
Therein lies the problem for the policy makers not only at the National-level but also
within the Department of Defense. For the Department of Defense the issue is one of
dependency and reliance upon the commercial sector to deliver goods and services when and
where needed. As Defense drew down forces, closed installations, and contracted more of its
operations, it created a greater dependency upon the private sector. The private sector itself
went through similar changes: the most important of which were the consolidation of operations,
increased foreign ownership of once U.S stalwarts, the closing of plants in the Continental
United States, and the movement of operations to foreign countries. Thus, the United States
and the Department of Defense are also dependent upon the infrastructures of foreign
countries. This, of course is a significant issue when developing military campaign plans.
VII
The reader should gain the sense that, in general, critical infrastructure protection is not
insurmountable. In fact, protecting the infrastructure is something we do daily, especially in the
Department of Defense for those infrastructures that we own and operate. What the reader
should take away is the knowledge that there is considerable thought and debate going into the
subject. Additionally, there are those who have provided approaches and solutions that
capitalize on existing programs as a means of reducing redundancy and cost. The difficulty,
however, is the lack of a clear way ahead not only at the National level but also within the
Department of Defense. This becomes more important as we define not only the meaning the
meaning of Homeland Security but also the functions, systems and assets associated with that
mission.
The author is grateful to Colonel Frank R. Hancock for his excellent insights on
improving the content of this paper and Dot Overcash for her editing suggestions. Don Bennett
deserves mention for his patience and perseverance while I developed and refined the Army
Infrastructure Assurance Program. Additionally, Thomas Burrell and Doug Gaskell of Booz-
Allen and Hamilton note mention for their tireless effort and assistance as we set out to discover
what critical infrastructure protection meant not only for the Army but also for the Department of
Defense. Also Carol Corbin (USACW Class of 2001) who continued the work back in the
Pentagon while I struggled with the Strategy Research Paper. Finally, a tip of the hat to all of
the Department of Defense and Inter-agency personnel involved in the critical infrastructure
protection journey.
If you browse through the bibliography you will note that I have referenced a number of
excellent books, articles, and papers. I am grateful to the authors who have contributed to my
learning and I thank them for their scholarship. I must also inform the reader that any and all
comments, interpretations, and errors of fact within this paper are entirely my own.
LIST OF TABLES
TABLE 1 PROPOSED FUSION ACTIVITY ORGANIZATION AND MANNING
REQUIREMENTS-.
24
IX
CRITICAL INFRASTRUCTURE PROTECTION
America’s critical infrastructures underpin every aspect of our lives. They are the
foundations of our prosperity, enablers of our defense, and the vanguard of our
future. They empower every element of our society. There is no more urgent
priority than assuring the security, continuity, and availability of our critical
infrastructure.
...the nation is so dependent on our infrastructures that we must view them
through a national security lens. They are essential to the nation’s security,
economic health, and social well being. In short, they are lifelines on which we as
nation depend.
—Critical Foundations Protecting America’s Infrastructures: The Report
of the President’s Commission on Critical Infrastructure Protection,
October 1997, p vii.
The images of the events of September 11,2001 are burned into the memory of all
Americans both at home and abroad. The pictures viewed on the cable news and major
television networks and in newspapers worldwide brought home to all the vulnerability of the
American homeland. In the aftermath we ask ourselves how this happened and if it will happen
again. We question, given the extent of the attack, why we weren’t better prepared for it. We
also question if we are prepared for the potential of other such attacks. And we wonder if the
Executive and Legislative branches of the Federal government are prepared to take the
necessary steps to resolve related issues. The President and his Cabinet are attempting to
answer these questions. The concerns of the American people will be answered with
statements of policy. Some related policy [antiterrorism, force protection, combating terrorism,
and critical infrastructure protection] was debated, drafted, and promulgated in the previous
administration. It is this policy and its execution that warrants our attention; for it is the
underpinning of thought and action related to homeland security.
A review of each of the related policies is not within the scope of this paper. However,
one policy, critical infrastructure protection, bears mention in that it is a vital national interest and
is at the heart of how this country operates and upon which this country survives. Any
antiterrorism or force protection actions under the umbrella of territorial security, homeland
defense, or homeland security will focus on the infrastructures of the United States as potential
centers of gravity.
In 1996 the Clinton Administration published Executive Order 13013, Critical Infrastructure
Protection.^ It established the President’s Commission on Critical Infrastructure Protection; an
organization chartered to explore the national-level ramifications of the protection or lack thereof
of the nation’s infrastructure. The effort began as an attempt to determine the cyber
infrastructure protection requirements relating to cyber war, information operations, encryption
initiatives and, tangentially, the Year 2000 problem. The preamble to Executive Order 13010, in
fact, establishes “critical infrastructures” as vital U.S. interests. That is, they are immediately
connected to national survival, safety and vitality. As provided in the preamble these critical
infrastructures include; “telecommunications, electrical power systems, gas and oil storage and
transportation, banking and finance, transportation, water supply systems, emergency services
(including medical, police, fire, and rescue), and continuity of government.”^ The work of the
Commission resulted in the publication of Presidential Decision Directive 63, Critical
Infrastructure Protection, in both a classified and unclassified version. The White House
published, for general public distribution, an unclassified White Paper^ describing “the key
elements of the Clinton Administration’s policy on critical infrastructure protection.” It
established the objective and the concept that the Federal government would adhere to in order
to assure a reliable infrastructure supporting enduring constitutional government.
The White Paper focused on two aspects of national power: economic and military. It
described them as “mutually reinforcing and dependent”'* and “increasingly reliant upon certain
critical infrastructures and upon cyber-based information systems.”*’ These infrastructures,
mentioned previously, are found in the preamble to Executive Order 13010. For the
Commission and for the Nation the issue is the increasing automation and interlinking of these
infrastructures as a result of “advances in information technology and the necessity of improved
efficiency,”*^ thus, rendering them increasingly vulnerable to human error, failure in equipment,
acts of nature, and attacks both physical and cyber. The Paper suggested that “future enemies,
whether nations, groups or individuals, may seek to harm us in non-traditional ways including
attacks within the United States.”’ It states further “our economy is increasingly reliant upon
interdependent and cyber-supported infrastructures and non-traditional attacks on our
infrastructure and information systems may be capable of significantly harming both our military
power and our economy.”^
President Clinton’s intent was clear: “take all necessary measures to swiftly eliminate
significant vulnerability to both physical and cyber attacks on our critical infrastructures,
including especially our cyber systems.”^ The President established the following objective:
No later than the year 2000, the United States shall have achieved an initial
operating capability and no later than five years from the day the President
signed Presidential Decision Directive 63 the United States shall have achieved
2
and shall maintain the ability to protect our nation’s critical infrastructure from
intentional acts that would significantly diminish the abilities of;
• the Federal Government to perform essential national security missions and to
ensure the general public health and safety.
• state and local governments to maintain order and to deliver minimum essential
public services.
• the private sector to ensure the orderly functioning of the economy and the delivery
of essential telecommunications, energy, financial and transportation services.
The concept included a “Public-Private Partnership to Reduce Vulnerability.’’” That is, the
public and private sectors, in close coordination, should work to eliminate potential
vulnerabilities to facilities in the economy and in the government. The concept, to the extent
practicable, should neither include increased government regulation nor “unfunded government
mandates to the private sector.’’” Additionally, the concept required the establishment of a
National Coordinator, Lead Agencies, and Sector Liaison Officials who shall contribute to a
“sectoral National Infrastructure Assurance Plan.’’” Their task was to develop a plan for
“assessing the vulnerabilities of the sector to cyber or physical attacks; recommending a plan to
eliminate significant vulnerabilities; proposing a system for identifying and preventing attempted
major attacks; developing a plan for alerting, containing and rebuffing an attack in progress and
then, in coordination with FEMA as appropriate, rapidly reconstituting minimum essential
capabilities in the aftermath of an attack.’’” Further, the “National Coordinator, in conjunction
with the Lead Agency Sector Liaison Officials and a representative of the National Economic
Council, shall ensure their overall coordination and integration of the various sectoral plans, with
a particular focus in interdependencies.’’” Additional detail was provided in terms of guidelines
and structure and organization. The objective and the concept were presented in detail.
A National Security Strategy For A Global Age was published in December 2000.” It
established “the protection of our critical infrastructures” as a vital national interest. The
National Security Strategy details, to some extent, the means with which the United States
attains its objective to “take all necessary measures to swiftly eliminate significant vulnerability
to both physical and cyber attacks on our critical infrastructures, including especially our cyber
systems”” through the concept of Public and Private partnerships. These means included new
budget proposals and specific new proposals for “Federal Cyber Systems Training and
Education program to offer IT [explanation added: Information Technology] education in
exchange for federal service; an intrusion detection network for the Department of Defense and
for federal civilian agencies; and the institute for Information Infrastructure Protection”” touted
as “an innovative public and private partnership to fill key gaps in critical infrastructure protection
3
R&D.”’^ An increase of 32 per cent in Research and Development was proposed in computer
security research for the fiscal year 2001 budget.^*^ Other resources mentioned are the National
Plan for Information Systems Protection and the National Infrastructure Protection Center
(NIPC) established in 1998.
The Clinton Administration policy for protecting critical infrastructure recognizes
infrastructure as a vital national interest. The policy establishes an objective, provides a
concept, and furnishes resources. While the Clinton Administration could neither foresee the
devastation nor anticipate the affect of that destruction on the national and global economy
resulting from the September 11’*" attack, its critical infrastructure protection policy provides a
starting point for homeland security actions. In the wake of the September 11‘^ terrorist attack,
the Bush Administration will fine-tune this policy. Considering the current will of the people and
the mood in Congress, it appears that the Administration will receive the necessary resources to
carry its homeland security and critical infrastructure protection programs. The difficulty facing
the current Administration is in determining infrastructure “criticality” in terms of what to protect,
when to protect it, and how to protect it. This will be done in the face of competing private
sector and Congressional interests. Keeping in mind the admonition that if you protect
everything you protect nothing, the Administration will walk a fine line in balancing the concept,
objectives, and resources relating to critical infrastructure protection.
BACKGROUND^’
The antecedents of the current Department of Defense Critical Infrastructure Protection
Program are the “Key Asset Protection Program” and the “Critical Asset Assurance Program.”
Initiated in 1989, the former concentrated on the protection of those off-post non-military assets
(privately owned assets supporting the Department or government owned and contractor
operated assets) within the Continental United States. The U.S. Army Corps of Engineers was
the executive agent and the U.S. Army Forces Command was the action agent for this program
and the Defense Investigative Service also played a role.
In 1998, the Department of Defense expanded the protection program renaming it the
“Critical Asset Assurance Program.” This focused on the protection of critical assets both on
and off post and both within and outside of the Continental United States. For the next year the
Secretary of the Army was the program executive agent. Flis program action agent was the
Director of Operations, Readiness and Mobilization, Office of the Deputy Chief of Staff for
Operations, Fleadquarters Department of the Army. The role of other organizations, namely
U.S. Army Forces Command and the Defense Security Service (formerly the Defense
4
Investigative Service) remained undefined although each maintained cognizance of the ever-
evolving program.
In August 1999, program executive agency was transferred to the Assistant Secretary of
Defense (Command, Control, Communications and Intelligence). The transfer resulted from
action initiated by the Army because of the ever-changing nature of the program and the need
to have the requisite policy written in the highest levels of the Defense establishment. With the
change in executive agency also came a change in program name - “Critical Infrastructure
Protection Program.” The current program extended the Critical Asset Assurance Program by
focusing on both cyber and physical infrastructures although, because of the nature of the
business of the new executive agent, the Critical Infrastructure Protection Office emphasized
the cyber infrastructures. The Army did not back away from the problem just because it handed
policy responsibility to the Office of the Secretary of Defense. The Army embarked on a re¬
tooling of its internal program; resulting in the “Army Infrastructure Assurance Program.”
ARMY INFRASTRUCTURE ASSURANCE^^
The Army Infrastructure Assurance Program derives its authority from Sections 117, 3013
and 3962 of Title 10 - Armed Forces, United States Code, Presidential Decision Directive 63,
Critical Infrastructure Protection, and Department of Defense Directive 5160.54, The Critical
Asset Assurance Prog ram.
STRATEGIC PLANNING ENVIRONMENT
PRINCIPLES AND RELATIONSHIPS
Army infrastructure assurance is designed to ensure the continued performance of the
functions required for mobilization, deployment, sustainment, redeployment, and reconstitution
missions in support of a unified combatant command’s operations and contingency plans. It
leverages existing Army protection programs (physical security, personal security, information
systems security, antiterrorism and force protection, and operations security); however, it is
more than just protection of assets and personnel. Headquarters Department of the Army,
Army Major Commands, and Army installation commanders assure Army infrastructure through
plans, operations, force protection and contracts that preserve the capability to perform the
functions required to support the warfighter across the full operational spectrum. These plans,
operations, and contracts emphasize not only protection activities but also alternative courses of
action and contingency plans to ensure that the Army can mobilize, deploy, sustain, re-deploy,
and reconstitute forces. The natural consequences of these activities in today’s environment
5
are that, in the absence of a major theater war, Army infrastructure assurance actions must also
ensure the viability of the communications zone in the Continental United States.
Army infrastructure assurance is guided by two fundamental principles; leverage existing
programs and ensure support to the warfighter. By leveraging existing programs, the Army
incorporates active and passive measures to protect and preserve Army infrastructure (cyber
and physical), equipment and personnel potentially reducing redundancy and cost. The Army
ensures support to the warfighter through analysis of potentially vulnerable systems, functions,
and assets and linking these to the warfighter through an analytical process (discussed later in
this paper) based on the unified combatant commander’s operations or contingency plan(s).
These foregoing actions are also linked to current and future readiness programs in order to
maintain awareness of risk management efforts associated with the Army’s power projection
platforms. Additionally, the Army ties these efforts to the Planning, Programming, Budgeting
and Execution System in order to provide an additional level of visibility tied to resources used
to mitigate vulnerabilities. This allows for the prudent application of resources against those
deficiencies threatening the continuance of functions supporting the execution of the unified
combatant command’s operations and contingency plans. Likewise, it allows for similar support
to Homeland Security.
ENVIRONMENT
The growing complexity and interdependence of Army, Department of Defense, national
and international infrastructures, coupled with an increase in outsourcing and privatization of
Army and Department of Defense functions, directly affect the Army’s readiness and its ability to
conduct operations. These factors, along with a more computer literate population and the
emergent asymmetrical capabilities of its adversaries, increase the risk to the Army’s ability to
undertake its Title 10 - Armed Forces United States Code missions in support of the warfighter.
Constrained resources complicate mitigation of these risks. Nonetheless, as the Army enters
the Third Millennium, it must look beyond traditional protection programs to strategies that
assure the capability to perform missions required to execute the National Military Strategy.
The United States exists in a complex and potentially dangerous environment that
includes terrorist threats and on-going cyber attacks. The free and open nature of our society
makes it increasingly vulnerable to terrorist and asymmetric attacks. A growing population
increases the vulnerability to the effects of manmade and natural disasters. As a major source
of Homeland Security resources, the Army must be prepared to respond to increasing calls for
capabilities within this complex, danger-filled environment.
6
Threats of both a natural and manmade nature are increasingly capable of causing mass
casualties and infrastructure damage within the United States and within the combatant
commander’s area of operations. They can disrupt the planning and conduct of military
operations and represent a significant challenge to public, private, Federal, and host nation
supporting resources.
The battle space for Army infrastructure assurance is primarily the United States, its
territories, possessions, and all potential areas of operations within which any one of the Unified
Combatant Commanders operates. Unlike the continental battle space for Homeland Security,
ships in international waters, aircraft in international airspace, U.S. embassies and overseas
military bases, remain part of the battle space. Host nation assets supporting the execution of
mission essential functions in foreign countries are also included. The foregoing describes a
massive physical space, with extreme varieties in facilities, weather, and terrain. Infrastructure
assurance planning and execution is required for the entire spectrum of operations. This,
coupled with the enormity of the battle space, makes detailed advance planning difficult, but
nonetheless required.
Another portion of the operational environment is the understanding of the concept of
functions, systems, and assets. This understanding is essential for successful execution and
support to the combatant commander. Functions are high-level aggregations of mission-
focused tasks. Systems are various mechanisms used to perform the functions. Functions can
be accomplished by using the two types of systems that are categorized as either process
systems or information systems. Process systems capture how work is accomplished from a
conceptual perspective irrespective of the tools used to perform the work. An information
system represents the interconnection of communication networks, computers, and databases
that make information available to users. Finally, assets are military, public or private, on- or off-
post, domestic or foreign resource, real property (land, buildings, or other structures, etc.)
supplies, equipment, and software.
CAPABILITIES AND CONSTRAINTS
The Army brings a number of tangible capabilities to bear on the infrastructure assurance
mission. These are the Army’s existing protection, reporting and resource management
programs. These mature programs ensure the overall protection of soldiers and property as
well as the management and resourcing of the force. These programs must be synchronized in
order to prioritize efforts for ensuring support to the warfighter.
7
The Army is also faced with three significant constraints to its effort to support the
warfighter through infrastructure assurance. The first is the fusion of existing assessments .
Currently, there is no focal point for the fusion of vulnerability and risk management information.
Information from vulnerability assessments (Balanced Survivability Assessments, Joint Staff
Integrated Vulnerability Assessments, Transportation Infrastructure Criticality and Vulnerability
Assessments, and Service-directed vulnerability assessments) and other related reports and
inspections are not readily available while others are restricted. Additionally, there are currently
no efforts to correlate the results of these and related assessment and “Red Team” reports to
determine the overall infrastructure vulnerability of an Army power projection platform or
supporting Army installation. Most notable is the lack of an ability to determine overall
vulnerability trends and to correlate these with trends both within the Federal government and
the private sector.
The second constraint is outsourcing and privatization . Today, the increased number of
privatized and outsourced functions complicates the Army’s ability to assure the infrastructure
required to support the execution of combatant command operations and contingency plans.
The availability, under an all hazards scenario, of privatized or outsourced personnel,
equipment, and services is essential to the accomplishment of the Army’s mission Title 10 -
Armed Forces United States Code missions. Procedures governing these privatized and
outsourced functions and activities require detaiied review to ensure that they fully support Army
infrastructure assurance activities.
The final constraint is in the realm of support to civil authorities concurrent with the
execution of a Unified Combatant Command operations plan . Because of its flexibility, the Army
is able to respond to general-purpose requests for support if other missions are not also a
current requirement. When responding to situations requiring the full implementation of the
National Military Strategy, support to civil authorities could be severely constrained. Events that
call for the use of Army forces in conjunction with, or as a precursor to, a major theater war,
could easily exceed current capabilities. In addition, a series of coordinated attacks,
independent of a major theater war, can exhaust the Army’s ability to respond. Of course, the
events of September 11'^, 2001, now add another element to the mix. That is, the emphasis on
Homeland Security. The Army will surely be called upon to contribute forces to a greater
degree than those now guarding airports and nuclear power plants. It is possible to see major
changes in the role of the National Guard. The question for the leadership is: “How do we allay
the fears of the American public relative to military support to civil authorities in the case of
natural disasters?”
8
STRATEGIC PLANNING DYNAMCS
Army infrastructure assurance, like warfighting, is conducted on three levels; strategic,
operational, and tactical. The strategic level equates to the Headquarters Department of the
Army. The operational level is the Army major commands and the tactical level is the Army
installations (posts, camps, and stations). Each level supports infrastructure assurance through
different means. However, the sum total of work performed at these levels creates a synergism
to assure Army infrastructure in support of the warfighter at all levels.
Within the strategic, operational, and tactical levels of infrastructure assurance
commanders and staffs execute distinct planning activities. They accomplish these activities
with differing methods based upon experience, responsibilities, and needs. There are three
principle and four supporting activities relevant to Army infrastructure assurance. The three
activities used to analyze the combatant commander’s requirements in order to identify, assess,
and mitigate risks are analysis , assessment , and mitigation . The Army uses a structured
mission-based analysis to identify those infrastructure functions, systems, and assets that are
essential to the accomplishment of the Army's Title 10 mission in support of the warfighter. As
required by existing protection programs. Headquarters, Department of the Army, Army Major
Commands, and Army installations ail conduct assessments . These assessments provide an
objective evaluation of the vulnerabilities and risks associated with a specific installation,
system, or asset. Commanders and staffs conduct mitigation in response to the vulnerabilities
and risks identified through the assessment process. Mitigation reduces or eliminates long-term
risk to people and property from hazards and their effects. The intent is to focus on actions that
produce repetitive benefits over time, not on those actions that might be considered emergency
planning or emergency preparedness.
The Army relies on five supporting planning activities (indications, warning, incident
response, remediation, and reconstitution) to assure Army infrastructure. These activities are
developed and provided independently of Army infrastructure assurance. However, the Army
leverages these existing activities to provide a complete program that assures Army
Infrastructure, before, during and after an event.
The Army Staff provides indications of possible threat and natural events to Army Major
Commands and Army installations through the existing force protection program and command
channels. This provides installation commanders with indications of events that may directly
threaten Army or commercial infrastructures supporting the execution of Unified Combatant
Command operations or contingency plan(s). State and local governments also provide
9
installation commanders with indications that assist in adjusting mitigation procedures in
response to a threat or natural conditions.
The Army Staff provides warning of threat and natural events to Army Major Commands
and Army installations using the existing command and control systems. These warnings
provide installation commanders the information needed to make mitigation decisions.
Incident response seeks to eliminate the cause or source of an event and is conducted
primarily by installation commanders. The Army Staff and Army Major Commands support
incident response by providing resources that allow subordinate commanders to eliminate the
cause or source of an event.
Army installation commanders conduct remediation activities to minimize or alleviate the
negative impact of a hazardous situation on people, facilities, operations, or services, and by
quickly restoring the functions required to support a unified combatant command operation or
contingency plan(s). The Army Staff supports remediation by providing resources to ensure
Army Major Command and Army installation commanders can facilitate immediate response.
The Army Staff also supports remediation through the Joint Staff and the Office of the Secretary
Defense to coordinate remediation efforts of the national, public, and private infrastructures.
Reconstitution is conducted at all levels and seeks to rebuild or restore an infrastructure
after it has been damaged or compromised. The Army Staff and Army Major Commands
support incident response by providing resources to rebuild or restore an infrastructure after it
has been damaged or compromised.
PLANNING ACTIVITIES (TACTICAL AND OPERATIONAL)
At the tactical level, commanders assure Army infrastructure through implementation of
Army protection programs. At the operational level. Army Major Command staffs and
commanders ensure these protection programs are implemented and sustained with adequate
resources to ensure the Army installation has the capability to perform the functions required to
support the warfighter.
PLANNING ACTIVITIES (STRATEGIC)
At the strategic level, the goal is to assure the capability of the United States Army to
perform the functions required to support the operations and contingency plan(s) of the unified
combatant commands. To do this, the Army Staff focuses on three principle activities: strategic
analysis, strategic assessment, and strategic mitigation.
Strategic Analysis . The Army Staff develops and provides a mission-based analysis
capability to Army Major Commands and Army installation commanders in order to identify
10
those functions that, when not assured, will result in a negative impact on the installation
commanders' ability to execute their missions as well as the Army's ability to support the unified
combatant command operations and contingency plan(s). A mission-based analysis also helps
department-level planners and policy makers identify intra- and interdependencies between and
among supporting infrastructures, both public and private.
Strategic Assessment . The Army Staff uses a variety of existing assessment programs to
identify and understand the vulnerabilities and risk associated with a specific installation, system
or asset. These assessments include Joint Staff Integrated Vulnerability Assessments,
Balanced Survivability Assessments, physical security assessments, information systems
security assessments, the Installation Status Report, other reports, and reports from the
Inspector General. Based on these assessments, the Army Staff provides subordinate
commanders an integrated assessment of vulnerabilities that affect their ability to support
execution of unified combatant Command operations or contingency plan(s).
Strategic Mitigation . The Army Staff supports mitigation programs by providing strategies
and resources to Army subordinate commanders as a part of existing programs. The Army
Staff also supports mitigation through the Joint Staff and the Office of the Secretary Defense to
coordinate mitigation with national public and private infrastructures.
FUSION ACTIVITIES.
The convergence of the strategic, operational, and tactical levels is the fusion of the eight
infrastructure assurance planning activities. However, the focus is on the fusion of mission-
based analysis with existing vulnerability and risk assessments. The capability to fuse and
synthesize this information provides an Army-level view of vulnerabilities, trends, and mitigation
priorities. Fusion activities assist each level in planning and programming resources and they
provide the capability to monitor the expenditure of resources used to mitigate vulnerabilities
and manage risk. Additionally, fusion activities offer a consolidated infrastructure vulnerability
assessment report to the Army installation commander assisting in his infrastructure
vulnerability mitigation management efforts. The next section provides a proposal for the
mission, organization, and capabilities required for a fusion activity.
MISSION ANALYSIS METHODOLOGY^^
Real vulnerabilities...exist. Infrastructures have always been subject to local or
regional outages resulting from earthquakes, storms, and floods. Their owners
and operators, in cooperation with local, state, and federal emergency services,
have demonstrated their capacity to restore services efficiently. Physical
vulnerabilities to man-made threats, such as arson and bombs, are likewise not
11
new. But physical vulnerabilities take on added significance as new capabilities
to exploit them emerge, including chemical, biological, and even nuclear
weapons. As weapons of mass destruction proliferate, the likelihood of their use
by terrorists increases.
--Critical Foundations Protecting America’s Infrastructures: The Report
of the President’s Commission on Critical Infrastructure Protection,
October 1997, p 5.
BACKGROUND
Army infrastructure assurance, like warfighting, is conducted at the strategic, operational,
and tactical levels. The Army, as the predominant land force, is required under Title ^0-Armed
Forces, United States Code, to man, equip, train, deploy, sustain, re-deploy, and reconstitute a
force in order to support the unified combatant commander. To meet these responsibilities, the
Army depends on public, private, and Department of Defense infrastructure both in the
Continental United States and outside of the Continental United States. In order to determine
the relative value of an infrastructure on an Army asset the Army requires a methodology for
analyzing the unified combatant commander’s operations plan or contingency plan and the time-
phased force deployment list. The methodology proposed below fulfills the requirement for an
analytical process to identify functions, systems, and assets by which the Army supports the
execution of the unified combatant commander’s operations plan. This analytical process
identifies supporting infrastructures, both public and private, and intra- and inter-dependencies
between and among infrastructures. It also serves as a way to fine-tune plans. Identifying the
functions supporting the warfighter and integrating these results into existing vulnerability and
risk assessment processes provides the basis for focused mitigation of infrastructure
vulnerabilities. The Army achieves this objective by synchronizing the results of the analysis of
the operations or contingency plans with existing protection programs (Army and other) to
ensure a'holistic program addressing mitigation strategies across the full spectrum of hazards.
At the tactical (installation) level, commanders assure Army infrastructure through the
implementation of Army protection and security programs. At the operational (Army Major
Command) level, commanders and staff ensure that these protection and security programs are
implemented and sustained with adequate resources to ensure that the Army installation (posts,
camps, and stations) has the capability to perform the functions required to support the
warfighter. At the strategic (Headquarters Department of the Army) level, the goal is to assure
the capability of the United States Army to perform those functions required to support the plans
of the unified combatant commands. To accomplish this, the Army requires an analysis
methodology and provides it to the Army Major Commands and the Army installations so that
12
they can identify those functions, systems, and assets that, when not assured, result in a
negative impact on the Army commander’s ability to execute his mission. This methodology
also helps the department-level planners and policy makers to identify intra- and inter¬
dependencies between and among supporting infrastructures, both public and private.
Problem
The Army does not currently have a process to identify mission essential functions that
are in direct support to the unified combatant commander. Likewise, the Army does not
currently have a process through which mission essential functions, systems and assets can be
vetted against existing vulnerability assessment processes in order to perform focused risk
management.
Facts Bearing on the Problem
There are four significant facts that, the inability to deal with any one of them, cause the
Army to fail in its responsibilities under Title 10 - Armed Forces, United States Code. These are
as follows:
• Scarce mitigation resources require the development of a focused ability to identify
mission essential functions.
• The Unified Combatant Commander’s operations plans, the time-phased force
deployment lists, and high demand low density assets are all crucial to identifying
mission essential functions, systems, and assets in support of the warfighter.
• The correlation of information derived from a mission-based analysis and existing
vulnerability assessments and studies is essential in determining the Army’s ability to
support the warfighter.
• Multiple agencies and organizations perform vulnerability assessments.
MISSION ANALYSIS METHODOLOGY
As previously stated. Army Infrastructure Assurance concentrates on assuring functional
capability as opposed to concentrating specifically on the protection of individual assets. This
concept is never more important than when attempting to determine the “criticality” of systems,
functions, or assets as they support the Title 10 - Armed Forces, United States Code,
responsibilities of the Army in relation to its support of the warfighter. The Office of the
Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) has
wrestled for over two years in attempting to determine infrastructure “criticality” in terms of
infrastructure “vulnerability” of a given asset. The approach has concentrated on vulnerability
assessments relating to assets “owned” by the commanders of the combatant commands.
Unfortunately, it has turned out to be nothing more than these commanders submitting wish lists
of vulnerable assets that are “owned” by others. That is, the Services, the Host Nations, and
contractors. This approach allows for no rigor nor does it consider the Commanders-in-Chief’s
13
requirements as articulated in the operation plan(s) and time-phased force deployment lists.
Additionally, it does not allow for determining how another operation or contingency may affect
the outcome of the war fight because of the potential dependence by other warfighters on
similar infrastructure assets.
The author searched for alternative means for determining what the Army had to do in
order to ensure that it could support the warfighter through the full spectrum of operations. The
methodology finally agreed upon was a basic input / output model with feedback mechanisms
covering four processes of analysis. These processes are; Identify the Army resources
provided to the warfighter; Link the warfighter’s Army resources to Army and Defense
infrastructure functions; Array intra- and inter-dependent systems and assets by owner(s); and
Identify vulnerable mission essential systems and assets. The analysis associated with these
processes encompasses Mobilization and Deployment ; Army Assessment. Mitigation and
Protection Processes ; and Reports and Studies . The desired end state of the analysis is an
Army capable of supporting the warfighter under all conditions. The methodology described
below may not be the only one allowing the Army or another Service, for that matter, to conduct
a capability analysis; this one worked to a degree that was not found in other methodologies
tried.
Process I, Identify the Army resources provided to the warfighter.
In Process I planners require an understanding of how the warfighter intends to
accomplish the described mission. In other words we are looking for his requirements and his
intent and we are identifying Army warfighting requirements of the unified combatant
commander so that they can be linked to the supporting Army infrastructure. These become the
basic input with which our analysis starts. We find these requirements in the.Time-phased
Force Deployment List, the list of War Reserve Stocks, and the operations plan. The process
step is to identify Army units. Army support functions. Army supporting assets, and Army
required supplies from both the operations plan or the contingency plan and the Army War
Reserve Stocks. The Time-phased Force Deployment List tells us when these “assets” are
required in theater, the mode of transport, and the aerial port or seaport of debarkation. This
information in-turn allows us to determine Army personnel and equipment and Army War
Reserve Stocks in both the Continental United States and those outside of the Continental
United States. The output from this basic review yields a list of the overall requirements of the
warfighter in terms of Army personnel and equipment. Army War Reserve Stocks, warfighter
“critical assets” as found in Appendix 16 of the operations plan. Flexible Deterrent Options,
14
functions, systems, and assets, and Army personnel and equipment already in the theater of
operations.
Process II, Link the warfighter’s Army resources to Army and Defense infrastructure
functions.
In Process II the output from Process I carry over to become input for the Process II
analysis. Two additional inputs are added at this stage. The first is the Army Mobilization
Operations and Execution System and the Forces Command Mobilization and Deployment
System. This set of documents gives the analyst a better understanding of how the Army
mobilizes itself to support the warfighter. It also contains details pertaining to the functions of
the mobilization stations and other mobilization requirements. However, while these sets of
documents cover the vast majority of the Army and how it mobilizes, each Army Major
Command has its own documents relating to mobilization and deployment. When required,
these documents also become another input to Process II. The second form of input is the
Defense Sector infrastructure characterizations. Described earlier in this paper, these
characterizations provide a view of how the infrastructure within a Defense Sector is arrayed, its
intra-dependencies, and its potential inter-dependencies with the other Defense Sectors. The
process involved in this step is to establish relationships between and among all of the available
information contained in the input as described. Three outcomes result from this procedure.
First, we find the inter- and intra-dependent systems and assets required to mobilize and move
personnel, equipment, and supplies owned and provided for by the Army and the Department of
Defense . Second, we find inter- and intra-dependent systems and assets required to mobilize
and move personnel, equipment, and supplies owned and provided for bv the agencies of the
Federal Government and by commercial enterprises . Third, we find the functions required to
provide strategic, operational, and tactical command, control, communications, and intelligence
support. This output forms the input for Process III. It also completes the Mobilization and
Deployment Assessment.
Process III, Array intra- and inter-dependent systems and assets by owner(s).
Process III is the beginning of the Army Assessment, Mitigation and Protection
Processes. During this step sorting is the primary action. Taking the output of Process II, and
reintroducing the Defense sector characterizations as a baseline, the analyst sorts the
information based upon organization asset ownership and organization mitigation
responsibilities. Two outcomes result from this sorting. The first provides feedback to the
Defense infrastructure sector lead with a verified list of required functions, systems, and assets.
This list supports revision of the Defense Infrastructure Sector Assurance Plan. The second,
provides feedback to various Army, Joint, and National organizations in the form of a verified list
15
of functions, systems, and assets in order to assist in vulnerability assessments, risk
management, and mitigation efforts.
Process IV, Identify vulnerable mission essential systems and assets.
Process /V takes all of the previous information (lists of mission essential functions and their
associated systems and assets) and some new information (in the form of reports and studies)
for the purpose of identifying vulnerable mission essential assets. These reports are reviewed
in a process that we call “Fusion Activities” (these activities are covered in detail later on in this
paper). These reports and studies may be:
• Joint Staff Integrated Vulnerability Reports (conducted by the Joint Staff);
• Balanced Survivability Assessments (conducted by the Defense Threat Reduction
Agency); Commercial Reports;
• Transportation Infrastructure Criticality and Vulnerability Assessments (conducted by the
U.S. Army Transportation Engineering Agency);
• National Industrial Security Program Assessments (conducted by the Defense Security
Service);
• Defense Security Service Arms and Explosives Security Support:
• Information Assurance Readiness Reviews (conducted by the Defense Information
Systems Agency);
• Joint Program Office - Special Technical Countermeasures Infrastructure Assurance
Program Assessments;
• National Security Agency Information Security Vulnerability Assessments (conducted by
the National Security Agency);
• SECRET Internet Protocol Router Network Compliance Validations (conducted by the
Defense Information Systems Agency);
• Security Readiness Reviews (conducted by the Defense Information Systems Agency);
• Vulnerability Assessments (conducted by the Defense Logistics Agency in conjunction
with the U.S. Army Corps of Engineers);
• Inspector General Reports addressing process or procedural vulnerabilities;
• Federal Bureau of Investigation reports and assessments;
• Other assessment reports addressing vulnerabilities.
Three things take place during this process. First, a comparison is made of systems and
assets associated with mission essential functions against results from the reports, studies, and
assessments addressing vulnerabilities. Second, a determination is made of the quality and
quantity of the information available on assessed systems and assets. Third, an analysis is
made of Army-wide vulnerabilities, trends, and resources to assure Army infrastructure. This
results in the following output.
• One, a list of vulnerable mission essential systems and assets that can be sorted by
function, geographical location, region, and owner.
• Two, a list of vulnerable mission essential systems and assets that can be sorted by
function, geographical location, region, and owner requiring reassessment.
16
• Three, a list of trends and resources associated with mission essential systems and
asset vulnerabilities that can be sorted by function, geographical location, region, and
owner.
These outputs can serve as the basis for developing a mitigation strategy or strategies by
function, by geographical location, by region, or by owner. Additionally, the results of the
analysis can be fed back to the warfighter and the Joint Staff in order to fine-tune the operations
plan and or the time-phased force development list.
Example
The Commander-in-Chief Pacific is told that a vulnerability exists at a bridge in the Pacific
Northwest. This bridge, he is told, conveys the only road into an ammunition supply facility.
Additionally, he is told that not only does the bridge convey the road it also conveys all of the
fuel and power lines, not to mention the water main, into the facility. He is further told that, if a
terrorist were to drop the bridge a war fight would be in jeopardy in a designated region of his
area of operation. The Commander-in-Chief is concerned. He cannot believe that this single
“critical” infrastructure could affect the outcome of a campaign. He wonders who would draw up
a plan that allowed for such a vulnerability. However, his background and experience tell him
that what he really needs to do is to attack the problem from two angles. The first is to
determine how much a delay there will be in moving ammunition to the theater if the bridge is
destroyed. Second, to determine how he can work around the problem. Using the mission
analysis methodology he determines that the in-theater commander has significant stock of
ammunition in depots in country. Based upon the calculations he has enough ammunition of all
kinds to fight the campaign for ninety days without re-supply. Additionally, the engineers tell the
Commander-in-Chief Pacific that they can have the bridge back in operation in less than two
weeks. However, if the engineers are incorrect in their assessment, he has the ability to
coordinate movement of ammunition from other deep port facilities on the West Coast and still
meet ammunition requirements in theater. What the mission analysis told the Commander-in-
Chief Pacific was that the bridge, while vulnerable, was not “critical” to the execution of the plan.
FUSION ACTIVITY^®
...sharing information isn’t enough; we need the analytic tool to examine
information about intrusions, crime, and vulnerabilities and determine what is
actualiy going on in the nation’s infrastructures. Deciding whether a set of cyber
or physical events is coincidence, criminal activity, or a coordinated attack is not
a trivial problem. In fact, without a central information repository and analytic
capability, it is virtually impossible to make such assessments until after the fact
-Critical Foundations Protecting America’s Infrastructures: The Report
17
of the President’s Commission on Critical Infrastructure Protection,
October 1997, p 28
The concept of operations for the Army Infrastructure Assurance Fusion Activity is
designed to express as abstract idea relating to infrastructure assurance risk management.
Specifically, it outlines a proposal to establish, within the Army, a method for analyzing multiple
vulnerability assessments and reports as they relate to the combatant commander’s operations
plan. The result is comprehensive infrastructure assurance risk management plans with
associated cost.
The need for an infrastructure assurance fusion activity is demonstrated by the fact that
the Army does not have a means of correlating the disparate reports and vulnerability
assessments, provided by numerous organizations both inside the Army and the Department of
Defense and external to the Department of Defense, in order to determine risk to its ability to
support the unified combatant commander. A fusion activity, as described herein, provides that
capability. The fusion activity is seen as a value added organization providing another tool for
infrastructure assurance risk management activities supporting strategic readiness.
The need for a fusion activity is based upon experience gained over the last two years. It
is built on conclusions drawn from various mission-based analysis studies and the inability of
the critical infrastructure protection community to determine an acceptable meaning of and
standard for “criticality.”
The author recognizes the difficulty in establishing new organizations at any time but
especially in today’s environment. However, the Army cannot afford not to regard an
organization of this type, considering the possibilities for a focused and coordinated
infrastructure assurance risk management strategy.
The concept and ideas expressed may appear threatening to some stakeholders. This is
always true when innovation is proposed. However, there are significant long-term benefits to
be gained militating against perceived parochialism. It is the best interests of National Security
that stakeholders share ideas about improving the concept, specifically in the areas of policy
related to the sharing of various types of vulnerability assessments and reports across the inter¬
agency.
PROBLEM
From an infrastructure assurance (critical infrastructure protection) standpoint, the Army
does not have a means of correlating mission essential functions supporting operations or
18
contingency plan execution with the disparate reports and vulnerability assessments.
Specifically, the Army does not have an organization chartered to:
• Manage the identification of all strategic, operational, and tactical functions, systems and
assets required to support Army execution of a unified combatant command operations
or contingency plan.
• Oversee and act as a catalyst for the fusion of Army infrastructure assurance analytical
activities with existing assessment and mitigation activities.
FACTS BEARING ON THE PROBLEM
• No central clearing house exists within the Army for the express purpose of correlating
infrastructure information in order to provide a comprehensive risk management
information to installation commanders and the unified combatant commander.
• There are numerous reports, studies, and assessments concerning infrastructure
vulnerabilities developed by Defense and public and private organizations. These
reports can be installation or asset specific.
CONCEPT
Risk Management
The essence of any decision-making is making trade-offs among very difficult and
complex objectives that are often in conflict and competition with one another. Good qualitative
risk assessment and management must be grounded on basic systems engineering philosophy
and principles. Good risk studies must be judged against valid criteria. The Center for Risk
Management of Engineering Systems, University of Virginia suggests 10 criteria for risk studies.
The study must be...
• Comprehensive,
• Adherent to evidence,
• Logically sound,
• Practical and politically acceptable,
• Open to evaluation,
• Based on explicit assumptions and premises,
• Compatible with institutions,
• Conducive to learning,
• Attuned to risk communication, and
• Innovative.
Army infrastructure assurance risk management is a process that must answer the
following set of questions.
• What can go wrong?
• What is the likelihood something will go wrong?
• What are the consequences if something goes wrong?
• What can be done to mitigate the consequences?
• What options are available and what are the associated trade-offs?
19
What is the impact on future options of current decisions?
FUSION ACTIVITY MISSION
The fusion activity provides functional risk assessments in support of the operations
planning of the Army component of the unified combatant commander through the identification
of vulnerable mission essential functions, systems, and assets. Specifically, the activity shall;
• Identify strategic, operational, and tactical functions, systems and assets required to
support Army execution of each approved unified combatant command operations
plan or concept plan;
• Analyze the dependencies of these functions upon functions performed by the
Department of Defense, Federal, state, local, or private infrastructures; and
• Match the dependent functions, systems, and assets against existing vulnerability
assessments.
FUSION ACTIVITY REQUIREMENTS
The function of the fusion activity is to identify mission essential systems and assets. The
identification is accomplished by performing three macro-level tasks. These tasks are:
• Compare the systems and assets associated with mission essential functions against
results from, reports, studies, and assessments addressing vulnerabilities.
• Determine the quality and the quantity of the information available on assessed systems
and assets.
• Analyze Army-wide vulnerabilities, tends, and resources to assure Army infrastructure.
Inherent in the macro-level tasks are two distinct sets of tasks focusing on analytical
operations and business operations . The analytical operations are those tasks associated with
correlating the various assessments with the output from the mission-based analysis process in
order to develop risk-based management strategies and options. The business operations
tasks are these tasks required to support the operation of the fusion activity.
As a minimum, the fusion activity must be able to perform the analytical operations tasks
listed below. Other analytical tasks may develop over time as experience is gained. These
tasks are not listed in order of importance.
• Develop an analytical methodology for correlating the various assessments with output
from the mission-related analysis process for infrastructure-related risk-based analysis.
• Develop infrastructure-relate risk-based management strategies and options.
• Develop a research methodology for determining reports and materials necessary for
conducting infrastructure-related risk-based analysis.
• Develop costing models and tools for infrastructure-related risk-based management.
• Develop measurements for infrastructure-related risk-based analysis and management.
• Review infrastructure-related engineering reports and assessments.
20
• Review infrastructure-related transportation reports and assessments.
• Review infrastructure-related telecommunications and information management reports
and assessments.
• Review infrastructure-related intelligence reports and assessment.
• Review infrastructure-related logistics reports and assessments.
• Review infrastructure assurance findings contained in Department of Defense and Army
Inspector General reports.
• Review infrastructure-related findings contained in Joint Integrated Vulnerability
Assessments.
• Review infrastructure-related findings contained in Balanced Survivability Assessments.
• Review infrastructure-related findings private sector infrastructure vulnerability
assessments.
• Review infrastructure-related findings contained in General Accounting Office, Office of
Management and Budget reports, and Congressional committee reports and
investigations.
• Ascertain infrastructure-related trends and conduct trend analysis.
• Conduct infrastructure-related risk-based management conferences, symposia, and
workshops.
• Write and coordinate infrastructure-related risk-based management reports.
• Recommend infrastructure-related risk-based policy.
As a minimum, the fusion activity must be able to perform the business operations listed
below. Other business operations tasks may develop over time as experience is gained. These
tasks are not listed in order of importance.
• Receive, catalogue, and maintain all fusion activity-related documents.
• Review and edit final reports to conform to acceptable practices.
• Develop and maintain databases necessary for the operation of the fusion activity.
• Develop, defend, and manage the fusion activity budget.
• Establish and maintain a local area computer network within the fusion activity.
• Establish and maintain SIPERNET and NIPRNET connectivity for the fusion activity.
• Administer the internal information system of the fusion activity.
• Develop and maintain standing operating procedures for obtaining, cataloguing, and
maintaining fusion activity-related documents.
• Develop and maintain standing operating procedures for writing and editing reports.
• Develop and maintain standing operating procedures within the fusion activity for
physical security, operations security, information security, and personal security.
• Develop and maintain security classification guidance for the reports generated by the
fusion activity.
• Establish and maintain standing operations for the receipt of and accounting for
classified documents.
• Establish and maintain automation accounts.
• Develop and maintain standing operating procedures for the purchase, set up, operation,
and maintenance of the hardware, software, and firmware required for day-to-day
operations of the fusion activity.
• Develop and maintain standing operating procedures for information management within
the fusion activity.
21
The manpower requirements for the fusion activity are those necessary to sustain and
maintain the activity’s operation in order to accomplish the stated mission by performing the
stated tasks associated with the stated function. Manpower requirements are associated with
two distinct areas. These are the aforementioned analytical and business operations.
Analytical Operations . The volume and type of analysis conducted requires a workforce
grounded in basic analytical skills and experienced in both operations and planning. The nature
of the analysis and its association with supporting the installation commander unified combatant
commander requires a mature workforce experienced in specific fields with the ability to
understand relationships between and among their field of experience and others. The
analytical environment requires a workforce able to understand disparate concepts, articulate
differences and similarities, and draw conclusions about risk. Initially the workforce is composed
of persons representing specified combat service and combat service support branches of the
Army. These branches represent a core element in the determination of risk at the strategic,
operational, and tactical level. These branches are signal, transportation, military policy,
intelligence, and engineer. To round out the analytical expertise, persons with experience in
risk management, cost analysis, operations research, and management analysis provide
additional depth. The manpower for the analytical activity is allocated to military and civilian
billets and contractor support. In this case, the contractors perform specific tasks related to cost
analysis and risk management. It is anticipated that the person assigned to each military and
civilian billet will perform three quarters of a man-year of effort directly related to the tasks
previously mentioned. Contract work is billed as a full man-year of effort for cost analysis and
risk management. Modifications to the manpower requirements are anticipated as experience is
gained over time.
Business Operations . The business operations team is the support element of the
analytical team and the fusion activity. The volume and type of analysis conducted requires a
mature workforce grounded in basic operations skills and experienced in both operations and
planning. The nature of the analysis and its association with supporting the installation
commander and the unified combatant commander requires a workforce capable of developing
resources, conducting research, and providing innovative approaches to conducting efficient
and effective business operations. Since the analytical environment requires a workforce able
to understand disparate concepts, articulate differences and similarities, and draw conclusions
about risk, the business operations team brings cohesion to the fusion activity. Initially, the
workforce is composed of persons representing specified functional areas. These functional
areas represent the core element in supporting the determination of risk at the strategic.
22
operational, and tactical level. These functional areas are budget, library sciences, editing,
security (physical, personal, and operations) and systems administration. The manpower for
the business operations team of the fusion activity is allocated civilian billets and contractor
support. In this case, the contractors perform the specific tasks of library sciences, security,
editing, and systems administration. It is anticipated that persons assigned to the civilian billet
will perform a full man-year of effort directly related to the tasks shown above. Contract work is
billed as a full man-year of effort. Modifications to the manpower requirements are anticipated
as experience is gained over time.
Fusion Activity Leadership . A director heads the fusion activity. The director establishes
priorities, allocates work, and provides oversight to both the analytical and business operations
teams. The director directs conferences, symposia, and workshops and is the lead executive
on all work generated by the fusion activity. The director also serves as the primary point of
contact on matters of mutual interest to the Office of the Secretary of Defense, the Unified
Combatant Commanders, the Joint Staff, Headquarters Department of the Army, the Army
Major Commands and activities, the other Military Departments, and the Defense Agencies,
institutions of higher learning, and the private sector. The director has original classification
authority.
Manning . Proposed manning for the fusion activity has two distinct teams and is depicted
in Figure 1. All billets require, as a minimum, top secret (SCI SI/TK) clearances. Some
individuals may be “read on” to special access programs. Other clearance requirements may
be imposed as the activity matures.
Organizational Affiliation . Because of the nature of the work, the audience of the product,
and the impact on the Army, the fusion activity falls under the purview of the Under Secretary of
the Army. The organization may be located within the National Capital Region but preferably
not in the Pentagon. The activity may be located at an institute of higher learning, such as the
U.S. Army War College, Carlisle, Pennsylvania, or co-located with the Center for Army Analysis
at Fort Belvoir, Virginia. Other locations deemed conducive to the research, inquiry, analysis,
information sharing, and report writing and the distribution may also be considered.
Fusion Activity Findings . The fusion activity produces detailed infrastructure risk-based
reports. These reports form the basis for infrastructure assurance risk management at the
installation-level. At a minimum, the reports contain mitigation options and associated costs as
a means of assisting the Army installation commander in his risk management activities. Other
reports focus on risk-based Defense-wide or Army-wide trends for use by the Army leadership.
All reports are informational and suggestive in nature. Reports do not direct action to be taken.
23
That is, the Army installation commander uses the report as a tool as he formulates his risk-
based management strategy. The distribution of the reports has yet to be determined. At a
minimum, the Under Secretary of the Army and the Assistant Secretaries of the Army (Civil
Works and Installations and Environment), The Army G3, and the Assistant Chief of Staff
(Installation Management), the Army Major Command and the Army installation commander
will receive copies.
Para / Ln
Position
Grade / Rank
Branch
Req^d
01
Office of the Director
01 /01
Director
SES
Civilian
1
01/02
Deputy Director
GS-0343-15
Civilian
1
01 03
Legal Counsel
COL
JAGC
1
Paragraph Total
3
02
Analytical Operations Team
02/01
Tactical Telecommunications Analyst
LTC / MAJ
Signal
2
02 /02
Tactical Transportation Analyst
LTC / MAJ
Transportation
2
02 /03
Tactical Security Analyst
LTC / MAJ
Military Police
2
02/04
Tactical Intelligence Analyst
LTC / MAJ
Intelligence
2
02/05
Engineering Analyst
GS-0810-13
Civilian
2
02/06
Management Analyst
GS-0343-12/13
Civilian
2
02 /07
Operations Research Analyst
Contractor
2
02 /08
Risk management Specialist
Contractor
2
02/09
Cost Analyst
Contractor
2
Paragraph Total
20
03
Business Operations Team
03/01
Budget Analyst
GS-0344-14
Civilian
1
03/02
Librarian
Contractor
1
03/03
Editor
Contractor
1
03/04
Security officer
Contractor
1
03/05
Automation Systems Administrator
Contractor
1
Paragraph Total
5
Aggregate
28
TABLE 1 PROPOSED FUSION ACTIVITY ORGANIZATION AND MANNING
REQUIREMENTS.
24
FUSION ACTIVITY CONCLUSIONS
The need for an infrastructure assurance fusion activity is demonstrated by the fact that
the Army does not have a means of correlating the disparate reports and vulnerability
assessments, provided by numerous organizations, in order to determine risk to its ability to
support the unified combatant commander. A fusion activity, as described above, provides that
capability. The fusion activity is a valued added organization providing a tool for risk-based
management and readiness activities.
The concept of a fusion activity, while discussed in this paper in terms of Army needs,
transcends the Army and the other Services. In order to have value added risk assessment
support for the warfighter and in order to maintain consistent Department of Defense policy, the
fusion activity is more appropriately a Department of Defense asset. It should be Defense¬
centric and not Service-centric. Considering the plethora of reports and assessments from
within and outside of the Department of Defense, the sensitivities concerning report and
assessment contents, and the requirement for unbiased review and analysis, the fusion activity
is more appropriately an organization under the cognizance of the Under Secretary of Defense
(Policy). Since the fusion activity is not an operational organization, it can be organized and
maintained as part of the Office of the Secretary of Defense. The details of how this is
accomplished and the reporting requirements require negotiation.
CONCLUSION
The contents of this paper cover critical infrastructure protection. Army infrastructure
assurance, mission-based analysis, and a proposal for a fusion activity. The reader should
have gained a sense that, in general, critical infrastructure protection is not insurmountable. In
fact, protecting the infrastructure is something we do daily, especially in the Department of
Defense for those infrastructures that we own and operate. And the reader should take away
the knowledge that there is considerable thought and debate going into the subject.
Additionally, the reader should understand that approaches and solutions have been provided
that capitalize on existing programs as a means of reducing redundancy and cost. Finally, the
reader should be aware of the lack of a clear way ahead not only at the National level but also
within the Department of Defense. This lack of clear and consistent policy becomes more
important as we define the meaning of and the mechanisms for supporting Homeland Security.
Another point the reader should remember is the concept of the fusion activity. This paper
dealt with the issue from the Army point of view. Considering the policy implications of critical
infrastructure protection relating to Homeland Security, it is important for the Office of the
25
Secretary of Defense to have a organization, perhaps under the cognizance of the Deputy
Under Secretary of Defense (Policy) for Policy Support, focusing on interpreting assessment
information and evaluations related to Department of Defense infrastructures. This can lead to
clear concise policy formulation and promulgation across the broad spectrum of Department of
Defense interests.
WORD COUNT; 10,610
26
ENDNOTES
' Executive Order 13010, President’s Commission on Critical Infrastructure Protection, July
15, 1996. Amended three times. On November 13, 1996 by Executive Order 13025 [Changed
Section 1 by modifying the first sentence of section 1 (a).]. On April 3, 1997 by Executive Order
13041 [Added the Assistant to the President for Economic policy and the Assistant to the
President and Director, Office of Science and technology Policy to the Principals Committee of
the Commission.]. On October 11, 1997 by Executive Order 13064 [Amended Section 1.
Section 5(a). Amended Section 2. Section 6(f) and (g). Amended Section 3 by inserting a new
Section 7 (a) and (b). Renumbered Sections 7 and 8 of E.O. 13010 as SectionsS and 9.].
^ Ibid.
^ White Paper, The Clinton Administration’s Policy on Critical Infrastructure Protection:
Presidential Decision Directive 63, May 22,1998.
Ibid, 1.
^ Ibid.
^ Ibid.
’ Ibid.
^ Ibid.
® Ibid, 2.
Ibid.
'' Ibid.
Ibid.
Ibid.
Ibid.
Ibid.
A National Security Strategy for A Global Age, The White House, December 2000.
’’ ibid, 24.
Ibid, 24.
Ibid, 24.
27
20
Ibid, 24.
Author’s unpublished working papers. The information contained in the working papers
was developed over time and is drawn from original briefings and information papers developed
by the author. Additional material in the manuscript is derived from internal email, meeting
notes, and the author’s recollection of conversations with the numerous players (Office of the
Secretary of Defense, Joint Staff, Military Departments, Defense Agencies, contractors and
consultants) in critical infrastructure protection and Army infrastructure assurance.
Author’s working papers. Unpublished "Department of the Army Strategic Planning
Guidance for Infrastructure Assurance,’’ DRAFT Version 3.0, May 7, 2001. The information
contained in the working papers formed the basis for a concept to describe strategic planning
guidance relative to Army Infrastructure Assurance.
Section 117 Readiness Reporting System: Establishment; Reporting to Congressional
Committees. Section 3013 Secretary of the Army. Section 3062 [Army] policy; Composition;
Organized Peace Establishment. Department of Defense Directive 5160.54 is under revision
since the Fall of 1999. It has undergone several informal and formal coordination actions. At
this writing it is being prepared for another formal coordination effort. Despite this situation, the
Directive has validity as related policy.
^'‘Working Paper, unpublished Concept of Operation (CONOPS), “Army Infrastructure
Assurance OPLAN-based Analysis Concept of Operations (CONOPS),’’ DRAFT Version 1.0,
June 15, 2001; developed an written by the author. The term “Mission Analysis” is an
improvement upon the original term in that “OPLAN-based analysis” connotes that the
methodology only applies to the approved operations plan(s) of the unified combatant
commander. In retrospect, it is felt that “mission analysis” is less constricting and allows for its
application against contingency plans and other types of plans for which infrastructure and the
dependence thereon is important.
Working paper, unpublished Concept of Operations (CONOPS), “Army Infrastructure
Assurance Fusion Activity Concept of Operations (CONOPS),” DRAFT Version 1.6, May 9,
2001; developed and written by the author. The term “Mission Analysis” is an improvement
upon the original term in that “OPLAN-based analysis” connotes that the methodology only
applies to the approved operations plan(s) of the unified combatant commander. In retrospect,
it is felt that “mission analysis” is less constricting and allows for its application against
contingency plans and other types of plans for which infrastructure and the dependence thereon
is important.
28
GLOSSARY
[the terms provided in this glossary are taken from section ii terms of draft Army Regulation 525-
XX, Army Infrastructure Assurance. They are provided here because they constitute a body of
information that is required to understand the subject covered in this paper.]
Assessment (Infrastructure)
An appraisal of the military’s reliance on infrastructure, the impacts of that reliance on missions,
functions, and tasks, and the identification of options to mitigate vulnerabilities.
Asset (Infrastructure)
Any infrastructure facility, equipment, or resource that performs a mission essential function.
Assurance (Infrastructure)
Identifying potential actions that can be taken to restore the functions if they are lost, damaged,
corrupted, or compromised; and identifying and recommending options to mitigate, protect, and
improve these functions.
Command, Control, and Communications Infrastructure Sector
This defense infrastructure sector is composed of a number of assets, facilities, networks,
systems, and business processes that support the command, control, and communications
functions necessary for defense operations. DISA [Defense Information Systems Agency:
emphasis added.] is responsible for coordinating the assurance of activities of this defense
infrastructure sector.
Critical Infrastructure
A term used by the office of the secretary of defense to describe infrastructure so vital that its
degradation or loss would have debilitating impacts on defense or economic security.
Defense Information Infrastructure (Dll) Defense Infrastructure Sector
The Dll is the web of communications networks, computers, software, databases, applications,
weapons system interfaces, data, security services, and other services that meet the
information processing and transport needs of the DOD [Department of Defense: emphasis
added.] users across the range of military operations. It encompasses: (1) sustaining bases,
tactical, DOD-wide information systems, and command, control, communications, computers,
and intelligence (C4I) interfaces to weapons systems; (2) the physical facilities used to collect,
distribute, store, process, and display voice, data, and imagery; (3) the applications and data
engineering tools, methods, and processes to build and maintain the software that allow
command and control (C2), intelligence, surveillance, and reconnaissance (ISR), and mission
support users to access and manipulate, organize, and digest proliferating quantities of
information; (4) the standards and protocols that facilitate interconnection and interoperation
among networks; and (5) the people and assets that provide the integrating design,
management and operation of the dii, develop the applications and services, construct the
facilities, and train others in dii capabilities and use, (Dll Master Plan Version 7.0, page 2.1).
Disa [Defense Information Systems Agency: emphasis added] is responsible for coordinating
the assurance activities of this defense infrastructure sector.
29
Financial Services Defense Infrastructure Sector
Financial institution services fall into two categories. The first category consists of servicing
official DOD [department of defense: emphasis added.] (i.e. Appropriated fund) disbursing and
paying operations and providing cash and accepting deposits for credit to officially designated
treasury general accounts. The second includes servicing individuals and on-base
organizations (i.e. Non-appropriated funds) with normal deposit, maintenance of accounts,
safekeeping, and other financial services functions. The defense finance and accounting
service (DFAS) supports official DOD activities and provides military and civilian pay, travel pay,
transportation pay, vendor pay, contractor pay, dispersing, payment of foreign military sales,
and general defense business operations fund accounting. DFAS is responsible for
coordinating the assurance activities of this defense infrastructure sector.
Health Affairs Defense Infrastructure Sector
DOD [Department of Defense: emphasis added.] maintains extensive health care infrastructure
across it facilities world-wide (sic). In addition, DOD manages a larger system of non-DOD care
facilities within its health care network. The health care infrastructure consists of facilities and
sites located at DOD installations, information systems linking those facilities, and networks of
health care among the services and components. The Office of the Assistant Secretary of
Defense for Health Affairs is responsible for coordinating the assurance activities of this defense
infrastructure sector.
Infrastructure
The framework of inter-dependent networks and systems comprising identifiable industries,
institutions, functions, and distribution capabilities that provide a continual flow of goods and
services essential to the defense and economic security of the United States.
Installation
An aggregation of contiguous or near contiguous, common mission-supporting real property
holdings under the jurisdiction of the Department of Defense controlled by and at which an army
unit or activity is permanently assigned or temporarily stationed.
Intelligence, Surveillance and Reconnaissance Defense Infrastructure Sector
This defense infrastructure sector is composed of those assets, facilities, networks, and
systems that support the development, production, and conduct of ISR [intelligence,
surveillance, and reconnaissance: emphasis added.] Activities, such as intelligence production
and fusion centers. DIA [Defense Intelligence Agency: emphasis added.] is responsible for
coordinating the assurance activities of this infrastructure sector.
Logistics Defense Infrastructure
The logistics defense infrastructure sector includes all activities, facilities, networks, and
systems that support the provision of supplies and service to us forces worldwide. The logistics
defense infrastructure includes material acquisition and development; the storage, movement
(strategic movement is the responsibility of the transportation infrastructure defense sector and
USTRANSCOM [US Transportation Command: emphasis added.]), and distribution of supplies;
maintenance of material and supplies; and the final disposition of material no longer needed by
DOD [Department of Defense: emphasis added..] The Defense Logistics Agency is responsible
for managing most consumable supplies, administering contracts, and acquiring materials and
services, and coordinating the assurance activities of this defense infrastructure sector.
30
Mitigation
Long-term activities conducted prior to an event to minimize or alleviate the potential adverse
effects of a hazardous situation on people, facilities, operations, or services.
Personnel Defense Infrastructure Sector
The personnel defense infrastructure sector includes a large number of assets hosted on
component [Department of Defense components include the Military Departments and the
Defense Agencies: emphasis added.] sites; a network of facilities within and among service
components; and computational and information systems linking those sites and facilities. The
personnel infrastructure is not only responsible for its own assets, but also coordinates
commercial services and facilities that support the personnel function including, but not limited
to, recruitment, record keeping, and general training requirements. The Defense Human
Resources Agency is responsible for coordinating the assurance activities of this defense
infrastructure sector.
Public Works Defense Infrastructure Sector
Public works includes five distinct physical infrastructure sectors: land and facilities, electric
power, oil and natural gas, water and sewer, and emergency services (fire, medical, hazardous
material handling, etc.). This defense infrastructure sector is composed of networks and
systems, principally for the distribution of the associated commodities and the real property it
supports. The generation, production, and transport of these commodities for and to DOD
[Department of Defense: emphasis added.]. Real property assets are primarily the function of
their respective national infrastructures. The US Army Corps of Engineers is responsible for
coordinating the assurance activities of this defense infrastructure sector.
Reconstitution
Actions taken to re-establish an organization or capabilities of an organization that have been
destroyed or severely damaged.
Remediation
Post event actions taken to facilitate immediate response, to minimize or alleviate the negative
impact of a hazardous situation on people, facilities, operations, or services, and to quickly
restore services.
Response
Activities to address the immediate and short-term effects of an emergency or disaster.
Risk
A concept used to give meaning to things, forces, or circumstances that pose a danger t people
or to things that they value. Normally stated in terms of the likelihood of harm or loss from
hazard.
Sector
One of two divisions of the economy (private or public); an identified group (of industries or
infrastructures) which performs a similar function within a society, e.g., vital human services.
31
Sector (Defense Infrastructure)
Infrastructure owned, operated or provided by the Department of Defense. Defense
infrastructure sectors include the Dll [Defense Information Infrastructure: emphasis added.], C3
[command, control, and communications: emphasis added.], space, ISR [intelligence,
surveillance, and reconnaissance: emphasis added], financial services, logistics, public works
(includes DOD-owned or -operated utilities, roads, rails and railheads and their interface to
commercial and other government systems), personnel, and health affairs.
Space Defense Infrastructure
The space defense infrastructure sector is composed of both space- and ground-based assets
including launch, specialized logistics, and control systems. Facilities are located worldwide on
both DOD-controlled and private sites. US Space Command is responsible for coordinating the
assurance activities of this defense infrastructure sector.
Transportation Defense Infrastructure Sector
The transportation defense infrastructure sector includes resources (surface, sea and lift assets;
supporting infrastructure; personnel; and related systems) and interrelationships of DOD,
federal, commercial, state/local agencies, and non-US activities that support DOD global
transportation needs. US Transportation Command is the single manager for DOD
transportation, and responsible for coordinating the assurance activities of this defense
infrastructure sector.
Unified Combatant Command
A command with a broad continuing mission under a single commander and composed of
significant assigned components of two or more military departments, and which is established
and so designated by the President, through the Secretary of Defense with the advice and
assistance of the Chairman of the Joint Chiefs of Staff.
Vulnerability
The characteristics of a system which cause it to suffer a definite degradation (incapability to
perform the designated mission) as a result of having been subjected to a certain level of effects
in a hostile environment.
32
BIBLIOGRAPHY
Alberts, David S. Defensive Information Warfare . National Defense University, Washington
D.C., 1996.
Arnold, H. D., J. Hukill, J. Kennedy and A. Cameron. Targeting Financial Systems as Centers
of Gravity: Low Intensity and No Intensity Conflict . Defense Analysis 10, no. 2, 1994.
Armed Forces, United States Code, Section 117, Title 10. [This publication may be obtained
from the Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954.]
Armed Forces, United States Code, Section 3013, Title 10. [This publication may be obtained
from the Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954.]
Army Infrastructure Assurance: A Report on the Outcome of the MANHATTAN 2001 Political-
Military Game, U.S. Department of the Army, Plans Branch, Military Support Division,
Director of Operations readiness and Mobilization, Office of the Deputy Chief of Staff for
Operations and Plans, Washington DC April 12, 2001. [Restricted distribution.]
Assignment of National Security Emergency Preparedness Responsibilities in POD
Components . U.S. Department of Defense Directive 3020.36, 1988. [This publication may
be obtained from Directives and Records Branch, Washington Headquarters Services,
155 Defense Pentagon, Washington, DC 20301-1155.]
Blechman, Barry M. et al. The American Military in the 21st Century . New York: S. Martin’s
Press, 1993.
Bush, George, Establishing the Office of Homeland Security and the Homeland Security
Council . Executive Order 13228, Washington, D.C.: The White House October 8, 2001.
Cameron, Gavin, “Multi-track Microproliferation: Lessons from Aum Shinrikyo and Al Qaida,”
Studies in Conflict and Terrorism, vol. 22, no. 4, (October-December 1999): 227.
Carter, Aston B., “Adapting Defense to Future Needs,” Survival The lISS Quarterly, Winter
1999-2000): 101.
Chairman Joint Chiefs of Staff, Chairman’s Readiness System, Instruction 3401.01B.
Chairman Joint Chiefs of Staff, Global Status of Resources and Training System . Instruction
3401.02.
Chairman Joint Chiefs of Staff, Charter of the Joint Reguirements Oversight Council . Instruction
5123.01.
CIP Analysis & Assessment Prototype (PI) . Final After Action Report, The Joint Program Office
for Special Technology Countermeasures, Dahlgren, Virginia, 15 March 2000. [Restricted
distribution.]
Clinton, William Jefferson, Executive Order 13010: Critical Infrastructure Protection.
Washington D.C.: The White House, 1996. [This publication may be obtained from the
Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954.]
33
Cohen, William S., Annual Report to the President and the Congress , U.S. Government Printing
office, 1998.
Cohen, William S., Report of the Quadrennial Defense Review . Washington, D.C., 1997.
Colpo, Michael. Smell the Coffee: Military Support to Civilian Authorities & Homeland Defense
Here & Now , Strategy research Project. Carlisle Barracks: U.S. Army War College, 7
April, 1999.
Continuity of Operations Policy and Planning , U.S. Department of Defense Directive 3020.26,
May 1996. [This publication may be obtained from Directives and Records Branch,
Washington Headquarters Services, 155 Defense Pentagon, Washington, Dfc 20301-
1155.]
Department of Defense Financial Management Regulation . 7000.M-R^. [This publication may
be obtained from Directives and Records Branch, Washington Headquarters Services,
155 Defense Pentagon, Washington, DC 20301-1155.]
Department of Defense Trusted Computer . U.S. Department of Defense 5200.28-STD,. [This
publication may be obtained from Directives and Records Branch, Washington
Headquarters Services, 155 Defense Pentagon, Washington, DC 20301-1155.]
POD Antiterrorism/Force Protection (AT/FP) Program . U.S. Department of Defense Directive
2000.12. [This publication may be obtained from Directives and Records Branch,
Washington Headquarters Services, 155 Defense Pentagon, Washington, DC 20301-
1155.]
POD Combating Terrorism Program Procedures , U.S. Department of Defense Instruction
2000.12. [This publication may be obtained from Directives and Records Branch,
Washington Headquarters Services, 155 Defense Pentagon, Washington, DC 20301-
1155.]
POD Combating Terrorism Program Procedures , U.S. Department of Defense Directive
2000.14. [This publication may be obtained from Directives and Records Branch,
Washington Headquarters Services, 155 Defense Pentagon, Washington, DC 20301-
1155.]
POD Combating Terrorism Standards . U.S. Department of Defense Directive 2000.16. [This
publication may be obtained from Directives and Records Branch, Washington
Headquarters Services, 155 Defense Pentagon, Washington, DC 20301-1155.]
Drell, Sidney D., Abraham D. Sofaer, George D. Wilson. “The Present Threat”, Hoover Digest,
no. 1 (2000): 110.
Echevarria II, Antulio J. The Army and Homeland Security: A Strategic Perspective . Strategic
Studies Institute, U.S. Army War College, Carlisle Barracks, PA, March 2001.
Executive Order 13010, Critical Information Infrastructure, Weekly Compilation of Presidential
Documents, vol. 32, no. 29, (July 22, 1996), ppl 242-1244. [This publication may be
obtained from the Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-
7954.]
34
Federal Acquisition Regulation . [This publication may be obtained from Superintendent of
Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954.]
Flournoy, Michele A., et al, QDR 2001: Strategy-Driven Choices for America’s Security , National
Defense University Press, Washington D.C., April 2001.
General Accounting Office, HOMELAND SECURITY. A Framework for Addressing the Nation’s
Efforts. Statement of David M. Walker, Comptroller General of the United States,
September 21,2001.
General Accounting Office, HOMEI-AND SECURITY. A Risk Management Approach Can Guid e
Preparedness Efforts . Statement of Raymond J. Decker, Director, Defense Capabilities
and Management, October 31, 2001.
Gorelick, Jamie S. National Security in the Information Age . Speech at the U.S. Air Force
Academy, Colorado Springs, February 29, 1996.
Griffith, Samuel B., Sun Tzu: The Art of War . Oxford University Press, London, 1963.
Henry, Ryan and C. Edward Peartree. Military Theory and Information Warfare. Parameters 28
- no. 3 (Autumn 1998); 121-135.
House Select Committee on Terrorism and Homeland Security, Statement for the Record, On
Defensive Information Operations . Larry T. Wright, Chief, Defense Science Board Task
Force, October 3, 2001.
Howard, Michael and Peter Paret. Carl Von Clausewitz ON WAR . Princeton University press,
Princeton, New Jersey, 1989.
Letterman, Lester H. Defense of Critical Infrastructure. Strategy Research Project. Carlisle
Barracks; U.S. Army War College, 7 April 1999.
Libicki, Martin. What is Information Warfare? . National Defense University, Washington, D.C.
1995.
Mario, Francis H. WMD Terrorism and U.S. Intelligence Collection. Terrorism and Political
Violence, vol. 11, no. 3, (Autumn 1999); 53.
Mayes, Kelly L. An Analysis of Current United States Homeland Defense Policies . Strategy
Research Project. Carlisle Barracks; U. S. Army War College 6 April 2000.
McNeilly, Mark. Sun Tzu and the Art of Modem Warfare . Oxford University Press, London,
2001.
McRae, Hamish. The World in 2020. Harvard Business School Press, Boston, 1994.
Military Assistance to Civil Authorities . U.S. Department of Defense Directive 3025.15,
Washington D.C.; Office of the Assistant Secretary of Defense (Special Operations and
Low Intensity Conflict), 1997. [This publication may be obtained from Directives and
Records Branch, Washington Headquarters Services, 155 Defense Pentagon,
Washington, DC 20301-1155.]
35
Molander, Roger C., Andrew S. Riddle, and Peter A. Wilson. Strategic Information Warfare: A
New Face of War , Parameters, 26 (Autumn 1996), 81-92.
National Plan for Information Systems Protection: An Invitation to Dialogue , Version 1.0, Critical
Infrastructure Assurance Office, 1999. [This publication may be obtained from the
Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954.]
Payne, Allan D. The Impact of Computer Network Attacks on Infrastructure Centers of Gravity ,
Strategy Research Project. Carlisle Barracks: US Army War College, 7April 1999.
Physical Security Eguipment . U.S. Department of Defense Directiye 3224.3. [This publication
may be obtained from Directiyes and Records Branch, Washington Headquarters
Seryices, 155 Defense Pentagon, Washington, DC 20301-1155.]
Physical Security Program, U.S. Department of Defense Directiye 5200.8-R. [This publication
may be obtained from Directiyes and Records Branch, Washington Headquarters
Seryices, 155 Defense Pentagon, Washington, DC 20301-1155.]
Physical Security Technical Vulnerability Reporting System . U.S. Department of Defense
Instruction 5215.2. [This publication may be obtained from Directiyes and Records
Branch, Washington Headquarters Seryices, 155 Defense Pentagon, Washington, DC
20301-1155.]
Presidential Decision Directiye 12656, Assignment of Emergency Preparedness
Responsibilities. [This publication may be obtained from the Superintendent of
Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954.]
Presidential Decision Directiye 29, Security Policy Coordination . Washington, D.C., September
16, 1994. [This publication may be obtained from the Superintendent of Documents, P.O.
Box 371954, Pittsburgh, PA 15250-7954.]
Presidential Decision Directiye 39, U.S. Policy on Counter-Terrorism . [This publication may be
obtained from the Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-
7954.]
Presidential Decision Directiye 62, Combating Terrorism . [This publication may be obtained
from the Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954.]
Presidential Decision Directiye / NSC-63, Critical Infrastructure Protection . Washington, D.C.,
May 22, 1998. [This publication may be obtained from the Superintendent of Documents,
P.O. Box 371954, Pittsburgh, PA 15250-7954.]
Presidential Decision Directiye 56, Managing Complex Contingencies . May 1997. [This
publication may be obtained from the Superintendent of Documents, P.O. Box 371954,
Pittsburgh, PA 15250-7954.]
Presidential Decision Directiye 67, Continuity of Goyernment Operations . [This publication may
be obtained from the Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA
15250-7954.]
36
PriceWaterhouseCoopers. Department of Defense Critical Infrastructure Protection Plan for
Logistics, Sector Defense Overview and Demonstration . June 14, 2001. [Restricted
distribution.]
Protection of POD Personnel and Activities Against Acts of Terrorism and Political Turbulence .
U.S. Department of Defense Handbook 2000.12H. [This publication may be obtained
from Directives and Records Branch, Washington Headquarters Services, 155 Defense
Pentagon, Washington, DC 20301-1155.]
Questech, Inc. Computer Security Threats Chart . Falls Church, VA, September 1997.
Risk Assessment and Mitigation Methodologies For Force Projection Platforms. Final Report,
U.S. Department of the Army, Department of Systems Engineering, United States Military
Academy, West Point, New York, 4 August 2000. [Prepared for the Director of Military
Support, Pentagon, Washington, D.C. [Restricted distribution.]
Ross, Mitchell P. National Information Systems: The Achilles Heel of National Security.
Strategy Research Project. Carlisle Barracks; US Army War College, 3 April 1997.
Security Criteria and telecommunications Guidance System Evaluation Criteria. U.S.
Department of Defense Manual 5030.58-M. [This publication may be obtained from
Directives and Records Branch, Washington Headquarters Services, 155 Defense
Pentagon, Washington, DC 20301-1155.]
Smulian, Paul R. National Security Agency. The Effects of Presidential Decision Directive 63 on
the Public . Strategy Research Project. Carlisle Barracks: US Army War College, 1 April
2000.
Snow, Donald M. The Shape of the Future the Post-Cold War World . Armonk, New York,
London, England: M.E. Sharpe Inc., 1991.
Software Engineering Institute. Report to the President’s Commission on Critical Infrastructure
Protection . Carnegie Mellon, University, January 1997.
Senior Readiness Oversight Council (SROC) . U.S. Department of Defense Directive 5149.2.
[This publication may be obtained from Directives and Records Branch, Washington
Headquarters Services, 155 Defense Pentagon, Washington, DC 20301-1155.]
Stern, Jessica. The Ultimate Terrorist . Harvard University Press, Cambridge, Massachusetts,
1999
Taylor, Scott R., et al. Conseguence Management in Need of a Time Out . Joint Forces
Quarterly 22 (Summer 1999): 78-85.
The Critical Asset Assurance Program . U.S. Department of Defense Directive 5160.54. [This
publication may be obtained from Directives and Records Branch, Washington
Headquarters Services, 155 Defense Pentagon, Washington, DC 20301-1155.]
Toffler, Alvin and Heidi. War and Anti-War: Survival at the Dawn of the 21st Century ; Little
Brown, New York, 1993.
37
The White House. White Paper, The Clinton Administration Policy on Critical Infrastructure
Protection: Presidential Decision Directive 63 . May 22, 1998; available from
< http://www.fas.ord/irp/offdocs/paper598.htm >: accessed 18 Sep 01.
The White House. A National Security Strategy for a New Century , October 1998.
U.S. Attorney General Janet Reno. Critical Infrastructure Security . Memorandum to the
Presidential Cabinet, Washington, D.C., March 14, 1996.
U.S. Department of the Army, The Army Physical Security Program , Army Regulation 190-13,
September 30, 1993.
U.S. Department of the Army, Personal Security , Army Regulation 190-58, March 22,1989.
U.S. Department of the Army, Information Security . Army Regulation 380.19, February 27,
1998.
U.S. Department of the Army, Anti-Terrorism Force Protection (AT/FP) . Army Regulation 525-
13. [Restricted distribution.]
U.S. Department of the Army, Army Infrastructure Assurance , Army Regulation 525-XX,
coordination draft, Military Support Division, Office of the Director for Operations,
Readiness and Mobilization, Office of the Deputy Chief of Staff for Operations and Plans,
October 2001. [Restricted distribution.]
U.S. Department of the Army, Operations Security A rmy Regulation 530-1. [Restricted
distribution.]
U.S. Department of Defense, Defense Federal Acquisition Regulation . [This publication may be
obtained from Directives and Records Branch, Washington Headquarters Services, 155
Defense Pentagon, Washington, DC 20301-1155.]
U.S. Department of Defense. Report of the National Defense Panel: Transforming Defense :
National Security in the 21st Century . National Defense Panel, Arlington, Virginia,
December 1997.
U.S. Department of Defense. Strategic Assessment 1999: Priorities for a Turbulent World .
Institute for National Strategic Studies, National Defense University 1999
U.S. Department of Defense Joint Publication 3-07.2, Joint Tactics. Techniques and Procedures
for Antiterrorism .
U.S. Department of Defense Joint Publication 6-06.7, Security Policy for the GCCS
Intercomputer Network .
Welch, Claude E., Jr., and Arthur K. Smith. Military Role and Rule . North Scituate,
Massachusetts: Duxbury Press, 1974.
Williamitis, Gregory M., Implementing the National Security Strategy of Critical Infrastructure
Protection . Carlisle Barracks, PA March 31,2000.
38
