I3P Charter

Background

The Growing Threat to the Information Infrastructure

The nation's growing dependence on computer networks for communications, data management and the operation of critical infrastructures renders it increasingly vulnerable to computer-based, or cyber, attacks against our information infrastructure, including the Internet, telecommunications backbones, and interconnected computer networks. The last few years have witnessed an exponential increase in damaging attacks, including viruses and worms such as Code Red, the Melissa and ILOVEYOU viruses, and distributed denial of service (DDoS) attacks against e-commerce websites. Malicious code (viruses, worms and Trojan horses) caused over $30 billion of damage worldwide in 2000 and 2001, according to Computer Economics. The CERT Coordination Center indicates that the number of reported computer security incidents has more than doubled during each of the past three years. Experts predict that these problems will continue to increase.

Attacks on computer networks now threaten not only our information infrastructure but also other critical infrastructures, such as banking and finance, transportation, and energy, that rely on information technology. In 1998, a teenager hacked into a Federal Aviation Administration control tower at a Massachusetts airport, disrupting essential systems for six hours. More recently, an Australian man was found guilty of hacking into his municipality's computerized waste management system and causing at least one million liters of raw sewage to spill into local parks and rivers and a Hyatt hotel. But these attacks on discrete nodes of a single infrastructure sector do not convey the full danger associated with cyber attacks on critical infrastructures. Because these nodes are highly interdependent, attacks on a part of one infrastructure can damage other parts of that infrastructure as well as other infrastructures altogether. An expert on the North American power industry has observed that the loss of one particular core switching station could severely impact the flow of natural gas in the United States; a scarcity of natural gas to fuel electricity generators could cause large sections of America's power grid to fail; and power failures could crash this country's financial and transportation systems (and other key infrastructures). As National Security Advisor Condoleezza Rice recently stated: "The President himself is on the record as stating that infrastructure protection is important to our economy and our national security and therefore it will be a priority for this administration."

Significantly, the problem is not confined to the stereotypical teenage hacker who attacks systems for the mere challenge of it. Rather, recent years have seen a growth in attacks coming from much more sophisticated actors, such as organized crime groups seeking illicit financial gain and politically motivated groups attacking U.S. government websites. Cyber attacks by terrorist groups bent on coercing U.S. policymakers are an all-too-real possibility. Perhaps most significantly, foreign nations are developing cyber attack techniques for activities ranging from covert espionage against U.S. government agencies or U.S. industry to information warfare against the United States. As a recent Defense Science Board report stated: "At some future time, the United States will be attacked, not by hackers, but by a sophisticated adversary using an effective array of information warfare tools and techniques. Two choices are available: adapt before the attack or afterward."

Cyber security is also vital to protecting personal privacy, an issue that the American public is increasingly concerned about. The Federal Trade Commission recently observed that Americans are especially worried about "the specter of identity theft." Available statistics suggest that this concern is justified. According to TransUnion, a leading credit reporting agency, the number of calls or complaints about identity theft grew from 35,000 in 1992 to over 550,000 in 1998. Thieves may use stolen personal information to access a victim's existing accounts, create new accounts in the victim's name, or commit other types of fraud. A May 2000 survey of identity theft victims by the California Public Interest Research Group (CALPIRG) and the Privacy Rights Clearinghouse found that "[i]n 15% of the cases, the thief actually committed a crime and provided the victim's information when he or she was arrested." Since terrorists use identity theft to facilitate their movements and operations, identity theft is one of several areas in which privacy and national security concerns overlap.

But while the cyber security problem continues to grow, and public concern increases commensurately, the state of our technical defenses is not keeping pace. Indeed, the widening knowledge gap between cyber attackers and defenders led William Schneider, Chairman of the Defense Science Board, to conclude that the "DoD cannot today defend itself against an Information Operations attack by a sophisticated nation state adversary." Yet, the Office of Management and Budget (OMB) reports on computer security at federal agencies have consistently identified the Department of Defense as a relative bright spot. The OMB recently reported that "many [other] agencies have virtually no meaningful systems to test or monitor system activity and therefore are unable to detect intrusions, suspected intrusions, or virus infections." Even private companies that employ sophisticated intrusion detection systems and other computer security measures find that their vulnerabilities are increasing. On the one hand, the core technologies underlying the Internet were not built with security in mind. On the other hand, the growing complexity of computer technologies multiplies attack routes and makes it harder to anticipate how problems will cascade through information networks. In the words of Richard Clarke, Special Advisor to the President for Cyber Security, "Our infrastructure is fragile." The United States urgently needs new technologies that will "harden" and protect our information infrastructure, making it more robust and resilient in the face of attacks.

The Origin of the I3P

In 1998, the President's Committee of Advisors on Science and Technology (PCAST) recognized that investments in information security research and development (R&D) were made primarily on a tactical basis, to fulfill an immediate perceived need for private sector commercial reasons. There was no institution or collection of institutions that looked at the landscape defined by the state of the art in information security and the existing body of ongoing public and private R&D, and identified the gaps in the national information security R&D portfolio. It recommended that the government fund an independent, non-governmental and non-commercial laboratory that would accomplish this important task by articulating the nation's information security requirements, cataloguing ongoing R&D efforts, and identifying gaps in the country's R&D portfolio. It recommended that this institution have $100 million available to fund these activities.

At the request of the Department of Defense, the Institute for Defense Analyses (IDA) analyzed this problem further and in April 2000 published a report recommending the establishment of an Institute for Information Infrastructure Protection (I3P) that would perform the functions described by the PCAST. It recommended funding the mature institute at a rate of $100 million per year. The institute, it suggested, would disburse most of this money to outside cyber security researchers.

In early 2000, the White House National Security Council (NSC) staff and the Office of Science and Technology Policy (OSTP) began developing a white paper on the I3P concept. Together with key members of the PCAST, OSTP developed a recommendation to establish the I3P. They proposed that it be a non-governmental agency funded through the National Institute for Standards and Technology (NIST) in the U.S. Department of Commerce and that it perform the basic functions outlined by the PCAST and the IDA. The white paper projected that the I3P would initially be funded at $50 million per year.

The OSTP Director and some PCAST members conveyed the proposal to key members of Congress in July 2000. The proposal to create the I3P also appeared in the President's 2001 budget. In response, Congress appropriated funding in 2001 and 2002 to the Institute for Security Technology Studies (ISTS) at Dartmouth College to establish the I3P.

Purpose

Mission Statement

The I3P identifies critical challenges in information infrastructure protection, and sustains a collaborative community of multi-disciplinary researchers to address them. The I3P serves as a trusted partner for industry and government, and provides an independent forum that facilitates the open exchange of ideas.

Mission Tasks

  • Collaborate with academia, industry and government to develop a national R&D agenda for cyber security;
  • Serve as an information clearinghouse on the status of R&D efforts for information infrastructure protection;
  • Foster collaboration among cyber security R&D efforts in academia, industry and government; and
  • Facilitate specific high leverage research and the development of new security technology for information infrastructure protection.

Functions

To fulfill its purpose, the I3P shall establish a consortium of relevant academic and not-for-profit centers of excellence and maintain strong ties with key institutions in government and industry.

To develop a national research agenda, the I3P shall:

  • In consultation with consortium members and other stakeholders, establish information security R&D requirements without regard to fielded tools or practices, ongoing or planned research, fiscal or other constraints;
  • Inventory fielded information security products and procedures to establish a clear picture of the state of the art in information security;
  • Inventory ongoing and planned information security R&D in the private and public sectors;
  • Using the above studies of stakeholder requirements and existing and planned products and research, identify gaps in the nation's R&D portfolio;
  • Identify and prioritize R&D efforts needed to fill these gaps;
  • Continuously review the above information to maintain an accurate picture of existing products and research, stakeholder requirements, and R&D gaps; and
  • Provide input to the President's Critical Infrastructure Protection Board, the Office of Science and Technology Policy, the National Institute of Standards and Technology and other government agencies about stakeholder requirements, existing products and research, R&D gaps, cyber security research priorities, and other items.

To promote collaboration and information-sharing, the I3P shall:

  • Undertake extensive and ongoing consultation with representatives of government and industry, including members of different critical infrastructure sectors, to ensure that these actors have input on I3P activities;
  • Hold such periodic workshops, cluster groups, and other events as the consortium deems necessary and as funding permits to foster collaboration within the information security community;
  • Establish a digital archive of information relating to cyber security and information infrastructure protection R&D;
  • Develop a sophisticated web presence featuring tools to facilitate collaboration and information-sharing among the researchers and centers of excellence in the information security community; and
  • Regularly update the consortium's online resources to ensure that the digital archive and I3P web portal remain current and useful.

To facilitate research and development of cyber security technologies, the I3P shall:

  • Develop a structure to manage a competition for grants to perform research that would fill the gaps in the nation's cyber security and information infrastructure protection R&D portfolio;
  • Ensure that the above structure permits objective and unbiased decision-making and subjects proposals by consortium members and non-members to the same level of scrutiny and the same selection criteria; and
  • Should funding become available through government and/or other sources, solicit, receive and evaluate grant proposals to meet identified information security needs and distribute funds in accordance with the aforementioned priorities and the judgment of I3P consortium members.

Values

  • Leadership. The I3P will play an active role in setting the national agenda for cyber security and information infrastructure protection research. It will contribute proactive, strategic insights to the agenda-setting and funding processes.
  • Decentralization. The I3P will keep its in-house staff small. It will use information technology to overcome geographic constraints. It will disburse any available research funds to institutions throughout the United States.
  • Collaboration. The I3P will seek out opportunities to foster collaborative programs that realize synergies, eliminate redundancies, and otherwise obtain maximum benefit from scarce resources.
  • Selectivity. The I3P will invite leading centers of excellence in cyber security and information infrastructure protection research to become consortium members.
  • A Holistic Perspective. The I3P will maintain a broad and balanced view by engaging with academic, research, industry, and government institutions and soliciting the input of a wide range of stakeholders.

Membership Criteria

Consortium member organizations are not-for-profit research and academic institutions actively engaged in significant research and development of cyber security and information infrastructure protection technology in the national interest. Member organization representatives will be qualified senior researchers.

The definitions of specific terms include:

  • "Not-for-profit research and academic institutions" include academic institutions, other institutes or centers associated or affiliated with academic institutions, Federally Funded Research and Development Centers, and other non-commercial technical R&D organizations.
  • "Information Infrastructure Protection" refers to technologies, processes, policies and activities to detect, prevent and respond to, and to improve resiliency, robustness and accountability in the face of, attacks against the system of advanced computer systems, databases and telecommunications networks that make electronic information widely available and accessible.
  • "Actively engaged in significant research" means community recognition as a center of excellence for performing information infrastructure protection research, as evidenced by publications in research journals and technical bulletins, presentations at research conferences and workshops, opinions of prominent researchers, level of research effort, and/or importance of research results.
  • "In the national interest" means intended to improve the security posture of systems vital to U.S. critical infrastructure sectors, national security and government systems, and commercial sector systems in which the general public needs to have confidence.
  • "Qualified senior researcher" means a person who possesses a sophisticated understanding of information infrastructure protection, depth and breadth of experience, proven judgment, and community stature.

Last Updated: 7/2/12