
tematic in nature. 13 Systemic and systematic risks can only be addressed through coordinated rather than isolated action. A fact well illustrated by other complex systems such as vaccination statistics and epidemiology in the medical world and in the risk management intervention required in national and global banking systems. 14 Many of these risks have no geographic or country boundaries; impact and influence is global.

The widespread globalization of the Internet also introduces a further development complexity. Scores of countries now have fundamental interests in its evolution and some are even orchestrating local step-changes in technology. 15 However, no country has yet felt able to propose fundamental change on a global basis. Within the U.S., the Internet is seen in many quarters as the starting point for the National Information Infrastructure (NII). Around the world, there is growing recognition that the set of NIIs (assuming each country commits to developing one) should be compatible with each other in an as-yet-undefined way. Who should take the lead in ensuring this compatibility? There is clearly an important role for government leadership in framing this strategic agenda, with strong collaboration with commerce and business.

In practice, the technical scope of the Internet already goes beyond that defined as "Internet services." Ultimately, the communication pathways must enter the user's machine/other digital devices, pass through layers of software and end up in applications programs. The computer industry, along with the many vendors of computer-related equipment, must play a role in determining how this aspect of the Internet will evolve and therefore form part of the supply-side. A key to the success of the Internet is to ensure that the interested parties have an equitable way of participating in its evolution, including participation in its evolving standards process and technology roadmap. A proper role for governments would be to oversee this process to make sure that it meets the wide spectrum of public and industry needs. Yet further complexity and dependency is being introduced by a new breed of service providers who are offering services that will continue to supplant alternative networks. Telephony (through Voice Over IP), television, radio and almost all forms of communication are migrating to the Internet or including the Internet as a key component in the communication path.

CONCLUSIONS ON CURRENT POSITION

• There are no clear accountabilities or guarantees for the continuity of operation of the Internet. Even weaknesses known about for some time have not yet been addressed.

• A significant and growing proportion of the world economy is dependent on the Internet.

• The Internet is currently subject to technical and geopolitical risk and therefore not only the U.S. economy, but economies worldwide, are at risk.

• The U.S. Government itself is no longer fully dependent on the Internet, as it has alternative networks at its disposal for critical services. Thus the Internet has moved from having a single 'anchor tenant' to a diverse community of stakeholders without a voice in the operational performance expectations of the current Internet.

• New technologies and emergent Internet uses, such as Voice Over IP and widespread control system connectivity, are increasing dependency and compounding the risk.

OPTIONS ON THE WAY FORWARD

We would consider a two-pronged approach, to address both the immediate risk and the strategic opportunity:

1. Short-Term

To address immediate concerns a series of in-depth and as necessary classified studies, workshops and truly cross-sectoral exercises should be held to allow businesses (that deliver critical aspects of national infrastructure, e.g., energy, transportation and financial) and governments to share critical information under the Protected Critical Infrastructure Information (PCII) Program. The goal of this work would be to map the business reliance upon the Internet against known areas of risk and develop a priority plan to focus actions that are necessary for increasing its robustness and integrity.

13 Illustrated by work from the Cooperative Association for Internet Data Analysis (www.caida.org).

14 Drawn from standard epidemiology texts and banking risk texts and the opinions of banking regulators.

15 For example, the broad introduction of IPv6 in Korea and Japan.

The work could start with the scope of the U.S. economy in a global context. Interdependency should then dictate that it be extended in the first instance to other countries from the G8 and EU.

2. Medium-Term

There is a need to create the next generation Internet in a form that would be able to handle the emerging demands of business, civil societies and governments. This would include the technical design necessary to meet physical and logical diversity and resilience. In addition, the program should include the development of a Global Internet Management Framework that addresses broad policies and standards, clarity of operational accountabilities, and technology roadmaps. The goal should be to assure the performance and digital integrity of the new Global Internet, in terms of resilience to physical and cyber-security risks, supplier commercial failure, and broader geopolitical risks.

We believe the U.S. should take a leading role in this proposed global initiative. Thank you for the opportunity to express the views of the business community. I look forward to continuing our conversation as our CEO roundtable at BENS (Business Executives for National Security) progresses. We look forward to contributing to the actions that we propose.

APPENDIX

Business Criticality Data

Having recognized the potential for serious negative impact on the U.S. critical national infrastructure in the event of a significant interruption of Internet service, a group of concerned business people carried out an informal survey of key sector companies in early 2005. The graph below shows the findings from that survey, indicating the level of dependency these sectors have on the Internet.

[Graph not reproduced: level of dependency on the Internet by sector, from the informal survey]

BIOGRAPHY FOR JOHN S. LEGGATE

As CIO of BP, John Leggate is responsible for the development of BP's digital capability: its related systems, technology, business processes and business opportunities across the company's global operations, Exploration and Production, Refining and Marketing and Trading.

John was elected a Fellow of the Royal Academy of Engineering in July 2005. He was also honored as Commander, The Most Excellent Order of the British Empire (CBE) by the Queen in her 2004 New Year's Honour List. This is in recognition of an outstanding contribution and leadership of the international digital technology agenda.

A chartered engineer, a graduate of Glasgow University and a Fellow of the IEE, he began his career in marine consultancy and nuclear energy before joining BP Exploration in 1979. During the 1980-90s he held posts of increasing responsibility in the management and operating of BP's North Sea oil and gas assets.

In 1998, he was appointed President of BP's Azerbaijan International Operating Company, in which capacity he was tasked to manage BP's interests in the unfolding geopolitical and economic debate that centered on crude oil export routes from the Caspian Sea.

John has a particular interest in leadership, the management of high-performance teams and organizational change.

He is married with two children, lives in London and travels widely on behalf of the company.


Thank you for the invitation to testify before the Committee on Science of the U.S. House of Representatives on Thursday 15th September 2005 for the hearing entitled "Cybersecurity: How Can the Government Help Address Vulnerabilities in Critical Industries?"

In accordance with the Rules Governing Testimony, I confirm that I have received no federal funding directly supporting the subject matter on which I testified, in the current fiscal year or either of the two preceding fiscal years.
