May 7, 2003 | Lecture on Department of Homeland Security
The aftermath of the September 11, 2001, attacks on the Pentagon and the World Trade Center illustrates the high vulnerability of America's infrastructure to terrorist attacks and the massive consequences of not protecting it. While the terrorists were able to utilize deficiencies in America's overall approach to intelligence sharing and aviation security, similar vulnerabilities exist in every infrastructure vital to the security, economy, and survival of the nation, such as computer networks, energy supplies, and transportation systems.
Today, the federal government and most Americans recognize that responsibility for protecting critical infrastructure from terrorism does not rest solely with any one level of government. While the new Department of Homeland Security (DHS) will take the lead in many of these efforts, the level of security required demands unprecedented levels of cooperation and coordination across government and private-sector boundaries. Adequate protection of America's critical infrastructures and key assets will rest on the ability of the federal, state, and local governments to cooperate with each other and the private sector.
STRATEGIC APPROACH TO PROTECTING CRITICAL INFRASTRUCTURES
Securing the nation's critical infrastructure has rightly become an increasingly vital component of a post-September 11 homeland security strategy. The USA PATRIOT Act defines critical infrastructure as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
As a result of the increased attention to this issue since September 11, the Administration has recognized the importance of establishing a national strategy to protect and defend America's critical infrastructure components while placing an increased reliance on the private sector to assist and guide this process. The release of the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets in February of this year was a very important step in advancing this mission and ensuring nationwide coordination and cooperation.
As evidenced by September 11, terrorists are flexible, creative, and resourceful, and have learned to target areas of particular vulnerability while avoiding those that are more protected and predictable. By targeting America's critical infrastructures, these terrorists seek to advance their goal of disrupting and imposing financial consequences on the government, society, and the economy. Our technology and sophisticated society are therefore excellent targets for terrorists, and we must rise to this unprecedented challenge with security improvements and infrastructure protection in a way not currently being done.
Meeting this challenge will require cooperation and coordination across government and commercial boundaries. Yet the nature of the threat also requires a degree of decentralization since the task of homeland defense is too large, complex, and expensive for one isolated federal department to control.
While homeland security and traditional national security issues have much in common, there are some important differences that greatly vary the process by which they are implemented. National security has traditionally been recognized as the responsibility of the federal government, relying on the collective efforts of the military, the foreign policy establishment, and the intelligence community. Homeland security, however, is a shared responsibility that cannot be accomplished by the federal government alone. During the Cold War era, many government and private-sector operations isolated themselves and their infrastructures as a matter of security.
This antiquated approach to the safety of the American public is no longer appropriate or acceptable. The current culture and increased threats facing our nation require unprecedented levels of trust and collaboration between public and private stakeholders. They require coordinated action on the part of federal, state, and local governments, with increasing reliance on the private sector as well as concerned citizens all across the country. This is especially important in the context of protecting our nation's critical infrastructures and key assets.
Private industry owns and operates approximately 85 percent of our critical infrastructures and key assets. Therefore, much of the expertise and many of the resources required for planning and taking better protective measures lie outside the federal government. The new front line of defense for America's critical infrastructure has become the communities and individual institutions that make up our critical infrastructure sector.
More can and must be done to ensure that this remains a priority in the long term within homeland security planning. The nation's critical infrastructures must be more clearly defined and identified, followed by a comprehensive assessment of how best to protect them and eliminate vulnerabilities.
The federal government is responsible for issuing standards and "best practices" to ensure a coordinated approach among all aspects of critical infrastructure protection. In addition, we must focus more attention on the interconnectivity of infrastructure and its ability to operate effectively in emergency situations. A successful critical infrastructure protection strategy also depends on clearly defined and attainable expectations, as well as cooperation and coordination across all levels of government and all business sectors.
Since the creation of the new Department of Homeland Security, many lawmakers and policymakers have begun to question the roles that the private sector should play in helping to secure America's critical infrastructure. Some of these people have falsely assumed that placing more responsibility on the private sector--or allowing it to take more responsibility--is the wrong approach.
Historically, many barriers have impeded the public-private partner relationship. Many of these barriers are attitudes from a bygone era of mistrust and bad interactions between the government and businesses. Today's fluid marketplace and vulnerability to terrorism in a post-9/11 world demand a new, more cooperative set of attitudes and relationships.
There remain many challenges to overcome in ensuring cooperation, but it is important to recognize that these challenges and roles are often different for industry and the government. Because most of America's critical infrastructure is owned or operated by the private sector, these businesses and companies face a greater degree of threat than the government and should therefore feel a greater incentive to engage in increased protection and security.
The private sector is driven by bottom lines, consumer and shareholder confidence, and market forces, which are strong incentives for increased security. But a change in focus is necessary for this process to succeed. Businesses around the nation should view the government's demands on their expertise not just as a cost, but also as an opportunity.
The government can assist to some degree in this process and, in fact, has the obligation to do so. The government should not inhibit any industry's efforts to protect itself; instead, it should ensure that businesses have the tools necessary to do so. However, it will be impossible for the government to pay for all of the necessary security improvements to the level required by the current threat. The assessment of who will foot the bill must be done on a case-by-case basis.
If industry fails to implement the appropriate levels of protection, then the government will likely have to intervene and enforce stricter regulations. The airline industry after 9/11 is a recent example of the government intervention required because of the private sector's failure to respond to the threat. This should not be the case with America's critical infrastructures and key assets.
This process could become a slippery slope only if industry chooses not to fulfill its responsibilities to meet the current threat. The ball is in the court of each of our nation's key industries and companies, and responsibility ultimately lies with them to implement their own security improvements, using the federal government as a guiding and motivating source.
Since most of America's critical infrastructure is owned or operated by the private sector, it is important to ensure that industry is willing to engage the government in cooperating to implement the appropriate levels of protection and security. However, legal concerns and a lack of detailed information can limit the extent to which the private sector is willing to be involved in federal efforts.
The Administration and Congress should work together to allow federal agencies that rely on the private sector for infrastructure information to maintain Freedom of Information Act (FOIA) exemptions. Many private firms are reluctant to provide extensive information on vulnerability because they fear that this information could become public and therefore adversely affect public or shareholder confidence. Such fears are major roadblocks to a dialogue with the private sector and could severely diminish levels of cooperation.
Public accountability must be preserved, but access to sensitive information must be restricted. For example, information on the weak areas of a chemical plant should not be posted on the Web for a terrorist to download and then use to attack that chemical plant. Instead, a cleansed vulnerability assessment should be made available to those who live or do business around that particular area.
Congress should provide narrowed antitrust exemptions for companies that share information on infrastructure protection. When corporations work together, concerns inevitably arise that they are trying to subvert the market. Antitrust laws, which try to prevent such practices, also inhibit companies from sharing information on the vulnerability of the infrastructure or the means to protect it.
Cooperation on protecting critical infrastructure and information sharing should be exempt from antitrust laws in order to protect companies from unjust lawsuits. Similarly, independent private-sector mechanisms for sharing information, known as Information Sharing and Analysis Centers (ISACs), should also be exempt from these antitrust laws. Any legislation to accomplish this goal will have to be carefully crafted in order to prevent it from being used to achieve anti-competitive objectives.
Congress should also seek to reduce the liability for service providers who adopt best-practice security measures. Such a move would allow additional incentives for businesses to adopt new standards of security and participate in information sharing.
Congress should further assist in this process by removing tax penalties that make it more difficult for the private sector to invest in security. They should instead enact a reform that would allow infrastructure owners to deduct the full cost of security-related spending in the year such expenses are incurred. Allowing industries to write off security spending all at once will reduce the significant costs, thereby improving the all-important bottom line for companies investing in security.
Lead federal agencies should work with companies and businesses to develop new and improved security standards for industry. Federal agencies should also assist in creating risk assessment programs for the private-sector companies involved in infrastructure protection. Though the government can advise owners and operators of infrastructure of a suspected threat, it cannot assess the risk, vulnerability, or survivability of each asset.
Lead agencies should use a best-practices model for the private sector that enables them to conduct more accurate assessments. Such a model would allow industry to address security necessities by meeting a set of performance standards instead of firm government specifications. The Defense Department's internal assessment program would be a useful guide for beginning this process.
While the private sector should play a leading role in securing America's critical infrastructures, the burden will also rest heavily on the new Department of Homeland Security. The DHS's organization and structure will serve as a critical vehicle in ensuring and initiating communication across all levels of government and between federal agencies while also greatly improving the opportunities for government-industry cooperation.
DHS also provides a streamlined and consolidated approach to homeland security, which will be especially important in working with the private sector to secure America's critical infrastructure. The integration of critical infrastructure protection and intelligence analysts under a single Undersecretary within DHS should provide for a more focused agenda than the disjointed and inefficient organization previously spread throughout the federal government.
As time passes and DHS gains the experience and authority it needs to better guide the nation's security and protection efforts, this process is likely to become much more efficient. It is important to remember that improving security to the level that this new post-9/11 world requires is a process. This cannot happen overnight and will likely result in two steps forward and one step back along the way. It took fifty years for the United States to develop our national security program to its current level. Unfortunately, terrorists will not wait for us to get our government in order before attacking us again, so homeland security must be accomplished as quickly and efficiently as possible.
The efforts of DHS are already helping to make our nation's critical infrastructures safer from the many unconventional threats of terrorism. They are engaged in several important functions such as serving as the primary liaison and facilitator for coordination among other federal departments, state and local governments, and the private sector.
DHS is also beginning to build and maintain a complete, current, and accurate assessment of national-level critical assets, systems, and functions while also beginning to assess vulnerabilities and protective postures across the critical infrastructure sectors. These assessments are vital to evaluating threats, providing timely warnings to threatened infrastructures, and building capabilities to evaluate preparedness across government jurisdictions. In addition, DHS plays an important role in collaborating with other federal agencies, state and local governments, and private-sector businesses to define and implement complementary structures and coordination processes.
In order to fulfill these missions, DHS should rely on the valuable models for cooperation that already exist within its structure. The Federal Emergency Management Agency (FEMA), which is now part of the new Department, has extensive experience coordinating and working with multiple federal agencies, the private sector, and local authorities in responding to natural disasters. The government's efforts to secure and prepare the cyber-sector for the Y2K issue should also provide valuable "lessons learned" for undertaking similar efforts on a much larger and more significant scale. These and other successful models of cooperation will serve as important starting points for DHS in working to incorporate the private sector in securing our nation's homeland from the threat of terrorism.
As noted above, companies interested in working with DHS should consider this an opportunity, not a cost. The new threat environment demands unprecedented levels of partnership and cooperation, so businesses should be more willing than ever before to bring their experience and expertise to the table as requested. They should view the creation of DHS as a more streamlined and direct opportunity to engage with the government. This shift in the government's organizational culture can help to eliminate many of the prior complications and frustrations felt by the private sector when working with the government.
In particular, DHS has created the Office of Private Sector Liaison, which will provide America's business community with a direct line of communication to DHS and help foster dialogue on the full range of issues and challenges faced by America's business sector in the post-9/11 world. This office will deal specifically with America's critical industry sectors as outlined in the President's National Strategy for Homeland Security, as well as general business matters and concerns related to the DHS.
Perhaps most important, DHS will give the private sector one primary contact instead of many different ones for coordinating protection activities with the federal government, including vulnerability assessments, strategic planning efforts, and exercises. Such changes will help to ensure that DHS establishes a long-term working relationship with the private sector that will help to eliminate vulnerabilities and secure America's critical infrastructures and key assets.
While progress has certainly been made in securing and identifying America's critical infrastructure, this process is far from complete. A critical step is for the federal government to issue a set of guiding principles or "best practices" to ensure that a coordinated and efficient approach is taken by critical infrastructure sectors. Leadership and guidance at the federal level will provide an increased incentive for the private sector to come on board and cooperate in protecting America's critical infrastructures. To be effective, these best practices must be reinforced by incentives to encourage maximum and responsive cooperation by the private sector.
Another vital component of critical infrastructure protection is information sharing. DHS should expedite its development of a "threat integration center"--something that The Heritage Foundation began calling for immediately after September 11--that will communicate and disseminate important intelligence information regarding terrorist threats quickly and efficiently across all levels of government as well as to the relevant private-sector entities. The critical infrastructure components of DHS must then be linked to this threat integration center, which will greatly improve the government's ability to conduct adequate threat analysis and make the appropriate security enhancements at the nation's most vulnerable and critical locations.
Ultimately, responsibility for securing an element of critical infrastructure belongs to the operator or owner of the technology. In business environments, market forces are typically much more effective than government regulation in effecting timely, efficient, and effective change. Through tax relief, reduced liability, and a framework of business-friendly regulation, Congress can use market forces to enhance the private sector's inherent sense of self-preservation and encourage the private sector to address homeland security needs.
However, as the process of securing the homeland proceeds, Congress and the Administration must be willing to step in to fill the gaps that the private sector cannot address. Acting in the best interests of homeland security is in the economic, political, and regulatory interests of both individual companies and government agencies.
Larry M. Wortzel, Ph.D., is Vice President and Director of the Kathryn and Shelby Cullom Davis Institute for International Studies at The Heritage Foundation. He spoke at a conference on Critical Infrastructure and Homeland Security: Public Policy Implications for Business, sponsored by the U.S. Chamber of Commerce, on April 23, 2003.