The objectives of this report were to summarize recent findings on computer security and critical infrastructure protection and to identify preliminary lessons learned from the Year 2000 date conversion experience that could benefit critical infrastructure protection efforts. Data sources were earlier government studies on computer security and financial statement audits of 24 Federal departments and agencies. The U.S. computer-based critical infrastructures are at increasing risk of severe disruption. Interconnectivity increases the risk that problems affecting one system will also affect other interconnected systems. Government officials are increasingly concerned about attacks by individuals and groups with malicious intentions, such as terrorists and nations engaging in information warfare. These intruders could launch attacks on systems supporting energy distribution, telecommunications, and financial services, to severely damage or disrupt national defense or other operations, resulting in harm to the public welfare. The report suggested factors from the Year 2000 experience that were relevant to longer term critical infrastructure protection and that should be considered when developing a national strategy. These factors included: (1) providing high-level congressional and executive branch leadership; (2) understanding risks to computer-supported operations; (3) providing adequate technical expertise; (4) providing standard guidance; (5) establishing public-private sector relationships; (6) facilitating progress and monitoring performance; (7) developing an incident identification and coordination capability; and (8) implementing fundamental information technology management improvements. Notes, figure, abbreviations, appendixes