New government plans to protect critical infrastructure lack substance despite a decade-long effort by federal officials and private-sector partners.
With little fanfare, the U.S. Department of Homeland Security (DHS) announced earlier this year the completion of 17 sector-specific plans (SSPs) amending last year’s National Infrastructure Protection Plan (NIPP). Together the documents establish a risk-based approach to protecting the country’s critical infrastructure and key resources and ensuring their resilience in the event of natural or man-made disasters.
But the country is still a long way from having its critical infrastructure secured—or even having a complete plan for doing so.
Contributors and observers alike give DHS high marks for its handling of the process; however, they emphasize that the documents are not a finished playbook so much as a framework for continued planning, which remains largely unfinished. DHS acknowledges as much itself.
“As DHS has strained to point out, this is a first step. This is the beginning of a process,” says Larry Clinton, president of the Internet Security Alliance (ISA) and member of the IT Sector Coordinating Council (SCC), one of 17 industry panels that collaborated with DHS on the sector-specific annexes.
But even this first step may not quite be complete, says John A. McCarthy, head of George Mason University’s Critical Infrastructure Protection Program, which consulted DHS on both the NIPP and some of the sector-specific annexes. McCarthy says assessments should be further along than some SSPs indicate.
While a 2003 presidential directive defined the 17 sectors and mandated the NIPP, McCarthy notes that the federal government first took an expanded view of critical infrastructure protection nearly a decade ago, when President Clinton issued the first directive relating to critical infrastructure. That directive called for numerous actions on the part of government officials and industry experts. For example, the directive mandated vulnerability assessments of critical infrastructure and public-private collaboration in developing countermeasures.
“I’m loath to be critical because it’s an enormous undertaking, but I’m interested in outcomes,” McCarthy says. “How close are we to getting basic measures of vulnerabilities? I look through the NIPP, and I see a lot of ‘to be developed.’ This has been on the table for a decade, and we need to move forward.”
The SSPs—seven of which are available to the public—take varying approaches for different sectors at various stages of cataloguing assets and assessing risk. Progress will be assessed in annual reports on further SSP development.
Some sectors were farther along than others entering the process. The nuclear sector, for example, had little new work to do because it was already heavily regulated and had for years been required to address these issues by federal and state governments.
Similarly, companies operating in the financial services sector, which took a big hit on 9-11, understood the importance of emergency preparedness and had made great strides to address their operational vulnerabilities, though the sector still plans to focus future work on ensuring service continuity.
Because of their importance to all other sectors, the communications and IT sectors cited a need to coordinate further with other industries to ensure their resilience, and in the case of IT, to guarantee “robust, coordinated” incident response and data recovery in the event of a major cyberattack.
As for how the government has gone about this, ISA’s Clinton cheered DHS for starting “with a blank sheet of paper” and making industry an equal partner. “That is the first major, positive step, and it really sets the tone for all the successive steps we now need to take.”
While McCarthy says he’s concerned with results—not processes—participants say crafting the NIPP and SSPs provided ancillary benefits by bringing people together within and across sectors. This was especially important in some industries, including the diverse Commercial Facilities SCC. There, shopping mall and apartment building owners are learning valuable lessons from sports venues and especially casino operators, says Roger Platt of the Real Estate Roundtable, an SCC co-chairman.
Doug Walters, security director for the Nuclear Energy Institute, said his already-fortified sector would benefit from the NIPP as a “vehicle for relationships.”
“I generally think it helps understanding, getting us to a point where it’s really an integrated response…. What the NIPP helps us do is look at an integrated response and know where other resources will come from,” Walters says.