Order Code RL31556
Report for Congress
Received through the CRS Web
What Makes an
Updated January 29, 2003
John Moteff, Claudia Copeland, and John Fischer
Resources, Science, and Industry Division
Congressional Research Service ˜ The Library of Congress
What Makes an Infrastructure Critical?
The Bush Administration’s proposal for establishing a Department of Homeland
Security includes a function whose responsibilities include the coordination of
policies and actions to protect the nation’s critical infrastructure. However, the
proposal did not specify criteria for how to determine criticality or which
infrastructures should be considered critical.
Over the last few years, a number of documents concerned with critical
infrastructure protection have offered general definitions for critical infrastructures
and have provided short lists of which infrastructures should be included. None of
these lists or definitions would be considered definitive. The criteria for determining
what might be a critical infrastructure, and which infrastructures thus qualify, have
expanded over time. Critical infrastructures were originally considered to be those
whose prolonged disruptions could cause significant military and economic
dislocation. Critical infrastructures now include national monuments (e.g.
Washington Monument), where an attack might cause a large loss of life or adversely
affect the nation’s morale. They also include the chemical industry. While there may
be some debate about why the chemical industry was not on earlier lists that
considered only military and economic security, it seems to be included now
primarily because individual chemical plants could be sources of materials that could
be used for a weapon of mass destruction, or whose operations could be disrupted in
a way that would significantly threaten the safety of surrounding communities.
A fluid definition of what constitutes a critical infrastructure could complicate
policymaking and actions. At the very least, a growing list of infrastructures in need
of protection will require the federal government to prioritize its efforts. Essentially
the federal government will have to try to minimize the impact on the nation’s critical
infrastructure of any future terrorist attack, taking into account what those impacts
might be and the likelihood of their occurring.
There are number of ways the government can prioritize. First, not all elements
of a critical infrastructure are critical. Additional study will be necessary to identify
those elements that are the most critical. Other approaches include focusing on
vulnerabilities that cut across more than one infrastructure, interdependencies where
the attack on one infrastructure can have adverse effects on others, geographic
locations where a number of critical infrastructure assets may be located, or focusing
on those infrastructure belonging solely to the federal government or on which the
federal government depends.
The National Strategy for Homeland Security, released by the Bush
Administration in July 2002, states that the federal government will set priorities for
critical infrastructure protection based on a consistent methodology and an approach
that will allow it to balance the cost and expected benefits. It does not discuss what
that methodology or approach might be. Congress may want to focus some of its
oversight on how the Administration proposes to set priorities and what criteria it
uses to do so. This report will be updated as warranted.
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
What Is a Critical Infrastructure? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Which Assets of a Critical Infrastructure Need Protection? . . . . . . . . . . . . . 8
Surface Transportation: River Crossings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Transportation Systems: Air Traffic Control (ATC) . . . . . . . . . . . . . . . . . . 10
Observations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Appendices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
What is Infrastructure? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
How the Criteria and Components of Critical Infrastructure Have
Expanded Over Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
List of Tables
Table 1. What Constitutes Critical Infrastructure Over Time . . . . . . . . . . . . . . . 17
Critical Infrastructures: What Makes an
Section II of President Bush’s June 2002 proposal for establishing a Department
of Homeland Security prescribed the responsibilities of the Department’s
Undersecretary for Information Analysis and Infrastructure Protection. Those
comprehensively assessing the vulnerabilities of the key resources
and critical infrastructures in the United States;
....identifying protective priorities and supporting protective
developing a comprehensive national plan for securing the key
resources and critical infrastructures in the United States; and
taking or seeking to effect necessary measures to protect the key
resources and critical infrastructures in the United States....1
Nowhere in the Administration’s proposed legislation was critical infrastructure
defined. However, other documents, including previous legislation, have defined
critical infrastructure and provided illustrative lists of infrastructures that fall within
those definitions. The following discussion recounts how the definition (and the list
of illustrative examples) has broadened over time and what impact this may have on
developing and implementing critical infrastructure protection policy.
What Is a Critical Infrastructure?
Before “critical infrastructure” became a term of interest in the terrorism and
homeland security debate, the seemingly similar term “infrastructure” was a subject
debated by public policymakers. In the 1980s, for example, a much debated issue
was whether there was a national crisis in the condition of America’s
infrastructure–its roads, bridges, dams, wastewater treatment systems, etc. With no
standard or agreed definition, the concept of infrastructure in policy terms has been
fluid, as it appears to be today. (For more discussion of these earlier definitions of
For more information on various aspects of the President’s proposal and the Congressional
response, see Homeland Security on the CRS Home Page [http://www.crs.gov/] .
and debate regarding “infrastructure,” see the Appendix, What is Infrastructure? In
More recently, as homeland security as been assigned the highest national
priority, the term “critical infrastructure” has developed into a major policy concern.
Documents dealing with critical infrastructure protection have provided broad
definitions of what makes an infrastructure critical.
Executive Order 13010,2 signed by President Clinton on July 15, 1996, which
established the President’s Commission on Critical Infrastructure Protection, alluded
to what makes an infrastructure critical:
“Certain national infrastructures are so vital that their incapacity or
destruction would have a debilitating impact on the defense or economic
security of the United States.”3
According to this Executive Order (EO) these infrastructures included:
electrical power systems;
gas and oil storage and transportation;
banking and finance;
water supply systems;
emergency services (including medical, police, fire, and rescue);
continuity of government.
Using the language of this EO, the Commission’s final report5 to the President
defined critical infrastructure in the Glossary as:
“Infrastructures so vital that their incapacitation or destruction would have
a debilitating impact on defense or economic security.”
The following supporting definitions were provided:
Infrastructures: The framework of interdependent networks and systems
comprising identifiable industries, institutions (including people and
procedures), and distribution capabilities that provide a reliable flow of
products and services essential to the defense and economic security of the
Executive Order 13010—Critical Infrastructure Protection. Federal Register, July 17,
1996. Vol. 61, No. 138. pp 37347-37350. Reference is on page 37347.
Ibid. p. 37347.
Throughout this report, sectors that are identified as being critical will be bolded the first
time they appear.
President’s Commission on Critical Infrastructure Protection, Critical Foundations:
Protecting America’s Infrastructure, October 1997.
United States, the smooth functioning of government at all levels, and
society as a whole.
Debilitated: A condition of defense or economic security characterized by
Defense security: The confidence that Americans’ lives and personal
safety, both at home and abroad, are protected and the United States’
sovereignty, political freedom, and independence, with its values,
institutions, and territory intact are maintained.
Economic security: The confidence that the nation’s goods and services
can successfully compete in global markets while maintaining or boosting
real incomes of its citizens.
The Commission’s report also defined the infrastructures of each of the sectors
mentioned in this EO.
Banking and Finance: Entities such as retail and commercial
organizations, investment institutions, exchange boards, trading houses,
and reserve systems, and associated operational organizations, government
operations, and support activities that are involved in all manner of
monetary transactions, including its storage for saving purposes, its
investment for income purposes, its exchange for payment purposes, and
its disbursement in the form of loans and other financial instruments.
Electric Power Systems: Generation stations, transmission and distribution
networks that create and supply electricity to end-users so that end-users
achieve and maintain nominal functionality, including the transportation
and storage of fuel essential to that system.
Emergency Services: Medical, police, fire, and rescue systems and
personnel that are called upon when an individual or community is
responding to emergencies. These services are typically provided at the
local level. In addition, state and federal response plans define emergency
support functions to assist in the response and recovery.
Gas and Oil Production Storage and Transportation: The production and
holding facilities for natural gas, crude and refined petroleum, and
petroleum-derived fuels, the refining and processing facilities for these
fuels and the pipelines, ships, trucks, and rail systems that transport these
commodities from their source to systems that are dependent upon gas and
oil in one of their useful forms.
Information and Communications: Computing and telecommunications
equipment, software, processes, and people that support:
the processing, storage, and transmission of data and information;
the processes and people that convert data into information and
information into knowledge; and,
the data and information themselves.
Transportation: Physical distribution systems critical to supporting the
national security and economic well-being of this nation, including the
national airspace systems, airlines, and aircraft, and airports; roads and
highways, trucking and personal vehicles; ports and waterways and the
vessels operating thereon; mass transit, both rail and bus; pipelines,
including natural gas, petroleum, and other hazardous materials; freight
and long haul passenger rail; and delivery services.
Water Supply System: Sources of water, reservoirs, and holding facilities,
aqueducts and other transport systems, the filtration, cleaning and
treatment systems, the pipelines, the cooling systems and other delivery
mechanisms that provide for domestic and industrial applications,
including systems for dealing with water runoff, waste water, and
In response to the Commission’s report, President Clinton signed Presidential
Decision Directive Number 63 (PDD-63) on May 22, 1998.6 The Directive defined
critical infrastructures as “those physical and cyber-based systems essential to the
minimum operations of the economy and government.”7 According to the Directive,
these included, but were not limited to, telecommunications, energy, banking and
finance, transportation, water systems and emergency services.
The Directive also directed certain agencies to identify sector liaisons in those
sectors mentioned above, plus:
intelligent transportation systems;
continuity of government services;
public health services (including prevention, surveillance, laboratory
The Clinton Administration’s Policy on Critical Infrastructure Protection: Presidential
Decision Directive No. 63, White Paper, May 22, 1998.
The distinction between physical-security and cyber-security is almost inextricable and not
clearly articulated. For example, physical assets in the electric power infrastructure would
typically include the generation plant, the turbines and other equipment inside, and
distribution lines and towers. However, the computer hardware and communication lines
that help control the generation and flow of electricity could be considered physical assets
or cyber assets. The data transmitted and stored on the computers and transmitted over the
communication lines and the software used to process and control that data are typically
considered cyber assets. Physical security typically means protecting the physical assets
(including computer equipment) from damage caused by physical forces such as explosion,
breakage, wind, fire, etc. Cyber-security could also mean the physical protection of cyber
assets. Cyber-security, however, typically includes the protection of both physical and cyber
assets from operational failure or from being otherwise compromised by others gaining
unauthorized computer access (including remote access) to the operating software or data.
Providing physical- and cyber-security of critical infrastructures requires a broad range of
effort that can be quite varied (from installing jersey walls to installing firewall software),
and different people or policies may be talking about different activities.
personal health services.
It also identified critical infrastructures that are primarily the responsibility of
the federal government:
law enforcement and internal security;
foreign affairs; and,
The Directive also set a goal that within five years the nation should be able to
protect the national critical infrastructures from intentional attacks that would
significantly diminish the abilities of:
the federal government to perform essential national security
missions and to ensure the general public health and safety;
state and local governments to maintain order and to deliver
minimum essential public services; and,
the private sector to ensure the orderly functioning of the economy
and the delivery of essential telecommunications, energy, financial,
and transportation services.
“Any disruptions or manipulations of these critical functions must be brief,
infrequent, manageable, geographically isolated and minimally detrimental to the
welfare of the United States.”8
The first version of a National Plan for Critical Infrastructure (also called for by
PDD-63)9 defined critical infrastructures as “those systems and assets—both physical
and cyber—so vital to the Nation that their incapacity or destruction would have a
debilitating impact on national security, national economic security, and/or national
public health and safety.”10 While the Plan concentrated on cyber-security of the
federal government’s critical infrastructure, the Plan refers to those infrastructures
mentioned in the Directive.
Following the September 11, 2001 attacks, President Bush signed new
Executive Orders relating to critical infrastructure protection. E.O. 13228,11 signed
October 8, 2001, established the Office of Homeland Security and the Homeland
Security Council. Among the duties assigned the Office was to:
Defending America’s Cyberspace: National Plan for Information Systems Protection.
Version 1.0. An Invitation to a Dialogue. White House. 2000
Ibid. Executive Summary. p 1. Section 1016 of the USA Patriot Act (P.L.107-56), passed
October 16, 2001, used essentially the same definition.
Executive Order 13228—Establishing the Office of Homeland Security and the Homeland
Security Council. Federal Register, Vol. 66, No. 196, October 8, 2001. pp51812- 51817.
“coordinate efforts to protect critical infrastructures..[and]...work with
federal, state, and local agencies and private entities to:
strengthen measures for protecting energy production, transmission, and
distribution services and critical facilities; other utilities;
telecommunications; facilities that produce, use, store, or dispose of
...coordinate efforts to protect critical public and privately owned
...to ensure that special events determined by appropriate senior officials
to have national significance are protected...;
...to protect transportation systems within the United States, including
railways, highways, shipping ports and waterways, and airports and
...to protect United States livestock, agriculture, and systems for the
provision of water and food for human use and consumption....”12
In a separate Executive Order 13231,13 signed October 16, 2001, President Bush
established the President’s Critical Infrastructure Protection Board. Although the
name of the Board might imply a broad mandate, the Board’s duties focus primarily
on the nation’s information infrastructure. However, the EO makes reference to the
importance of information systems to other critical infrastructures such as
“telecommunications, energy, financial services, manufacturing, water,
transportation, health care, and emergency services.”14
This EO also reiterates the goal established in PDD-63, although stated within
the more limited context of protecting against attacks on the nation’s information
infrastructure, that “any disruptions that occur are infrequent, of minimal duration,
and manageable, and cause the least damage possible.”15
Shortly after the Administration issued these Executive Orders, Congress passed
the USA PATRIOT Act (P.L. 107-56). Section 1016 of the Act, called the Critical
Infrastructures Protection Act of 2001, defined critical infrastructures as:
“...systems and assets, whether physical or virtual, so vital to the United
States that the incapacity or destruction of such systems and assets would
Ibid. Section 3 (e) (i), (ii), (iv), (v) and (vi), pp. 5183-5184.
Executive Order 13231—Critical Infrastructure Protection in the Information Age.
Federal Register, Vol. 86, No. 202. October 18, 2001. pp. 53063-53071.
Ibid. Section 1 (a), p. 53063.
Ibid. Section 1 (b), p. 53063
have a debilitating impact on security, national economic security, national
public health and safety, or any combination of those matters.”16
Earlier in Section 1 ...
Purchase answer to see full attachment