April 27, 2010 | Backgrounder on Homeland Security
Abstract: Highways, bridges, power plants, and cyber networks are all part of the national infrastructure—which is essential for the daily functioning of American society. The Department of Homeland Security carries the prime responsibility for protecting “critical infrastructure” from terrorist attacks and natural disasters. The problem currently plaguing the federal government’s efforts to implement a unified protection plan for the country is that, when it comes to determining which infrastructures are truly critical and which are important but not always essential, chaos reigns. For its part, Congress has at least 86 committees and subcommittees that oversee the Department of Homeland Security, providing for a complex and often burdensome system that impedes successful policy implementation. Three national security experts provide a guide for Congress with which to navigate the country’s infrastructure priorities.
National infrastructure—from roads, dams, bridges, and power plants to cyber networks—assists in the daily functioning of American society. The Department of Homeland Security (DHS) has the principal responsibility for leading national efforts to identify, assess, and protect critical infrastructure from acts of terrorism and other disasters. In 2003, President George W. Bush issued Homeland Security Presidential Directive-7 (HSPD-7), which assigned responsibility for coordinating national measures to strengthen protection of critical infrastructure and resources to the Secretary of Homeland Security. HSPD-7 also instructed the new Department of Homeland Security to support these measures through the development of a National Infrastructure Protection Plan (NIPP) “to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks.”
The first NIPP was issued in 2006 with scheduled revisions every three years. In February 2009, the Department of Homeland Security completed the first review. The new revisions, however, made only small progress in integrating federal, state, local, and private-sector efforts into a truly cooperative national enterprise that can ensure the resiliency of national infrastructure while allowing the economy it supports to grow, innovate, and prosper. Instead of focusing on the current approach to critical infrastructure protection, Congress—in partnership with the Administration, the private sector, and diverse state and local actors—should:
Guarding the Gates
The NIPP defines the main roles and responsibilities of the federal, state, and local government agencies, as well as of the private-sector actors engaged in protection of critical infrastructure and key resources (CIKR). It also provides a unifying structure for integrating CIKR protection and resiliency into a single national framework based on risk-prioritization to protect America’s CIKR from terrorist attacks and natural or technological hazards.
Within the NIPP, there are 18 sector-specific plans (SSPs) that tailor the application of the NIPP to the unique requirements of each of the 18 CIKR sectors. The SSPs (nine have been made public; nine are considered too sensitive for public release) assign responsibilities to 11 sector-specific agencies (SSAs) and other actors that manage the CIKR-protection programs in the 18 sectors. The SSPs also provide guidance for sharing information within a sector, with uniform methods for conducting risk analysis, and which actions and protocols to pursue during emergencies. The following are the CIKR sectors and their sector-specific agencies:
The above sectors work under their SSAs in partnership with their respective federal, state, and local governments, as well as with non-governmental and private agencies. Together, the NIPP base plan and its complementary sector-specific plans are meant to provide a unifying structure for integrating current and future CIKR protection efforts by the entire homeland security community, with a focus on developing and implementing effective operational measures within each individual sector.
Reviewing the Review. In order to reflect new developments among the evolving risks to U.S. critical infrastructure, the NIPP is reviewed and reissued by DHS every three years. Sector-specific plans are reviewed and addressed in the interim period between full updates. On February 17, 2009, DHS released the finalized version of the NIPP, completing the first triennial review process. Although the core NIPP principles and policies remain similar to those in the 2006 draft, the 2009 version did update the plan to incorporate major homeland-security-related developments, including updates to program elements and concepts during the past three years, the issuance of 18 SSPs, and a new 18th CIKR sector (critical manufacturing).
On her first day in office, Secretary of Homeland Security Janet Napolitano issued five action directives, listing subjects about which she wanted to receive priority internal DHS reviews. Critical infrastructure protection was the first subject on the list, followed by risk analysis, state and local intelligence-sharing, and transportation security, also related to the NIPP. Yet the Obama Administration has made only minor gains in terms of placing critical infrastructure protection and resiliency at the forefront of its policy agenda.
The burden is on DHS to continually develop CIKR protection from the ground up—resisting the urge to govern from the top down. The reason for this is twofold. First, principles of limited government call for an increased role for the private sector and state and local governments. Second, economic realities require solutions that achieve security goals but maintain the flexibility of the private sector to conform practices in the most cost-effective manner.
Managing Risk. In large part, DHS has been unable to resolve its challenges in critical infrastructure protection because it still lacks adequate tools to assess and manage risks. The level of the annual grants has been steadily falling—from $344 million (FY 2005), to half that total in FY 2006 and FY 2007, to under $49 million in FY 2008—highlighting the need for risk assessment to guide resource allocation. Despite increases in recent years, it is evident that each dollar must be used more effectively.
While the NIPP acknowledges that some degree of risk will always endure and rightly adopts an “all-hazards” approach toward protecting America’s CIKR, the wide variety of threats to the myriad of potential targets means that it is impossible to protect every CIKR from every possible disruption. The current approach to critical infrastructure protection employed by DHS and its partners is inadequate for the following reasons:
Defining partnerships. The NIPP employs a “top-down” model for CIKR protection, where partners exchange data, assessments, best practices, and other information at multiple levels. These networks embrace many actors, but perhaps the most important are those between the diverse public-sector and private-sector entities involved in each sector. According to DHS, more than 700 public-sector and private-sector entities, 300 more than when the 2006 NIPP was issued, are now members of a NIPP Sector Partnership, which consists of the 18 sector-coordinating councils (SCCs), each with a government coordinating council (GCC) for their respective sector.
These public–private partnerships are essential to CIKR protection since the private sector owns and manages an estimated 85 percent of all critical infrastructure in the United States. Private actors are, therefore, best positioned to determine and implement risk-mitigation strategies to reduce the vulnerability of the CIKRs they own and operate to various disruptions. Yet, government agencies can contribute essential resources to CIKR protection and are also well positioned to address threats. For example, they possess unique intelligence on foreign terrorist threats against U.S.-based assets. Likewise, partnerships can also serve to enhance the credibility of SSPs with potential business users by ensuring that the guidelines are written with the input of the individuals who work in or with the relevant commercial sector, and therefore understand its capabilities and vulnerabilities. These institutions, however, need a better idea of the roles and responsibilities of both the private sector and the federal government—including vulnerability assessments, determining criticality, and other activities involved in critical infrastructure protection.
Facing evolving threats. When DHS issued the SSPs for the then 17 sectors in December 2007, department leaders stressed that these plans were not finished products, but rather living documents meant to provide a general framework for future planning. However, part of changing in the face of new threats means developing an accurate picture of risk, and the NIPP is not agile enough to do so. The NIPP has made some changes, including the addition of a “critical manufacturing” sector and CIKR mission integration within state and local fusion centers; expansion of CIKR protection-related education, training, outreach, and exercise programs; and an examination of how adversaries can use CIKR as weapons of mass destruction. However, these efforts still fail to interweave risk as the litmus test for change, instead reverting to a stove-pipe system of criticality.
The Administration must seek ways in which to better examine risk. When something becomes a new threat, the system must be able to change dynamically to accommodate this development. An example of this problem is in relation to cyber networks. The cyber domain has proven to be a major threat to infrastructure in that networks are themselves infrastructure, and other infrastructure also relies on cyber networks to operate. As the 2009 NIPP observes, “Cyber infrastructure enables all sectors’ functions and services, resulting in a highly interconnected and interdependent global network of CIKR.” This shows the need to enhance the security of electronic information and communications systems, including the data they store and distribute. But to do so adequately, critical infrastructure protection will need to adapt to the increased risk as well as change to accommodate the unique nature of the cyber domain.
Deciding how to grow and adapt to evolving threats is fundamentally a product of sound risk-assessment methods, something that neither Congress nor DHS has interwoven sufficiently in the law or policymaking process.
The more fundamental problem of critical infrastructure protection goes back even further to the process of lawmaking. All too often Congress has relied on its own perceptions of risk and how to mitigate risk without any type of risk-based assessment. This biased risk perception, often influenced by politics and other non-security-related aims, as well as the need to “look good” on security, often creates failed policies. An example is cargo security. The 100 percent maritime security mandate was touted by Members of Congress as a means by which to protect ports and other maritime infrastructure from a nuclear bomb in a cargo container. Congress mandated that 100 percent of the maritime cargo coming into the United States undergo radiological scanning. Congress did this, however, without an accurate picture of whether this scenario was actually a credible threat to the industry. In practice, politics drove most of the debate on this measure—and Congress decided it was a problem that must be resolved without any hard data to back its claims. Legislating on imagination, as opposed to risk, has all too often led to costly, economically crippling measures, such as the 100 percent scanning mandate, that do little to add to the security of the nation.
Without resolving these challenges, it will be difficult for the Administration to make any real progress toward building an effective national enterprise capable of handling tangible threats to truly critical infrastructure.
Congress should remove itself from the business of dictating risk and setting standards for critical infrastructure based on ideas that are wholly unrelated to actual security. Protectors of U.S. national infrastructure and the Administration—in partnership with Congress, the private sector, and diverse state and local actors—should:
Accelerate resiliency enhancements. Further efforts to facilitate the timely restoration of essential CIKR following an intentional or natural disaster are warranted. Having quality infrastructure provides a firm foundation for rebounding from a catastrophe. The government should encourage the private sector, which owns most infrastructure, to invest in quality. The federal government could offer additional incentives to promote private-sector protection and resiliency efforts, such as establishing a public recognition program for firms that achieve noteworthy success, or granting CIKR-supportive companies preference in federal contracting or simply promoting the SAFETY Act—which provides liability protection from terrorist acts for companies that develop anti-terrorism technologies. Such technologies can include those used in critical infrastructure protection. At a fundamental level, providing clear transparency and legal protections on information-sharing and innovation would be excellent first steps.
Successfully focusing businesses on resiliency enhancements could have the dual effect of improving the efficiency of business operations under normal as well as under emergency conditions. If a private-sector company makes investments in improving the quality of its cyber networks, these enhancements can also help the company conduct business more efficiently, helping to decrease financial loss and improve customer confidence in their network and data quality.
Promote CIKR-related research. When it comes to research, a vital part of critical infrastructure protection, private-sector leaders have more flexibility and free-market incentive to experiment than their federal counterparts, whose actions are typically more constrained by legislative restrictions, public expectations, and other factors. In fact, the DHS budget request for FY 2011 cuts science and technology spending for almost all of its research areas. Dealing with federal budget realities means that agencies should foster a favorable environment for private-sector innovation. Doing so should include promotion of the SAFETY Act, which encourages private-sector companies to invest in anti-terrorism technologies.
One specific area of critical infrastructure protection that needs to be researched further is “complex systems.” Infrastructure is highly complex, and it is vital that both the government and the private sector understand how systems perform and work. “When systems become overly complex, their behavior cannot be easily predicted by traditional methods of analysis,” such as examining a system’s individual components and aggregating their effects. Furthermore, “[i]n a complex system, elements are [often] so interconnected and their relationship so multifaceted that their properties cannot be properly understood without assessing their interrelationship with each other as well as their relationship with the wider system and its environment.” Since complex systems are difficult to analyze, understanding how they work, predicting their behavior, or determining the optimum means for changing their performance presents a unique challenge that should be carefully explored.
The NIPP can provide a vital tool for promoting successful critical infrastructure protection. Congress can make a valuable contribution by promoting a sound risk methodology and policies focused on keeping Americans free, safe, and prosperous.
Jena Baker McNeill is Policy Analyst for Homeland Security in the Douglas and Sarah Allison Center for Foreign Policy Studies, a division of the Kathryn and Shelby Cullom Davis Institute for International Studies, at The Heritage Foundation. Richard Weitz, Ph.D., is Senior Fellow and Director of the Center for Political–Military Analysis at Hudson Institute.
Press release, “Homeland Security Presidential Directive-7,” U.S. Department of Homeland Security, December 17, 2003, at http://www.dhs.gov/xabout/laws/gc_1214597989952.shtm#1 (April 7, 2010).
U.S. Department of Homeland Security, “Sector-Specific Plans,” December 30, 2008, at http://www.dhs.gov/xprevprot/programs/gc_1179866197607.shtm#2 (April 8, 2010).
U.S. Department of Homeland Security, “More About the Office of Infrastructure Protection,” December 23, 2008, at http://www.dhs.gov/xabout/structure/gc_1189775491423.shtm (April 8, 2010).
U.S. Department of Homeland Security, “National Infrastructure Protection Plan: 2009.”
Jonah Czerwinski, “Day One at DHS Starts with 5 Directives,” Homeland Security Watch, January 22, 2009, at http://www.hlswatch.com/2009/01/22/day-one-at-dhs-start-with-5-directives/ (April 8, 2010).
U.S. Department of Homeland Security, “Fact Sheet: Critical Infrastructure and Homeland Security Protection Accomplishments,” September 5, 2008, at http://www.dhs.gov/xnews/releases/pr_1220878057557.shtm (April 8, 2010).
U.S. Department of Homeland Security, “Quadrennial Homeland Security Review Report: A Strategic Framework for a Secure Homeland,” February 2010, p. 66, at http://www.dhs.gov/xlibrary/assets/qhsr_report.pdf (April 8, 2010).
Jena Baker McNeill, “Building Infrastructure Resiliency: Private Sector Investment in Homeland Security,” Heritage Foundation Backgrounder No. 2184, September 23, 2008, at http://www.heritage.org/Research/Reports/2008/09/Building-Infrastructure-Resiliency-Private-Sector-Investment-in-Homeland-Security.
U.S. Government Accountability Office, “Critical Infrastructure Protection: Sector-Specific Plans’ Coverage of Key Cyber Security Elements Varies,” GAO-08-113, October 2007, at http://www.gao.gov/new.items/d08113.pdf (April 8, 2010).
U.S. Department of Homeland Security, “National Infrastructure Protection Plan: 2009.”
Elizabeth Newell, “News+Analysis Critical Alliance,” GovernmentExecutive.com, October 1, 2009, at http://www.govexec.com/features/1009-01/1009-01na2.htm (April 8, 2010).
U.S. Department of Homeland Security, “Critical Infrastructure Sector Partnership,” at http://www.dhs.gov/xprevprot/partnerships/editorial_0206.shtm (April 26, 2010).
Press release, “Remarks by Secretary Michael Chertoff at a U.S. Chamber Event on the Completion of the 17 Sector Specific Plans, as Part of the National Infrastructure Protection Plan,” U.S. Department of Homeland Security, May 21, 2007, at http://www.dhs.gov/xnews/speeches/sp_1179843074582.shtm (April 8, 2010).
U.S. Department of Homeland Security, “National Infrastructure Protection Plan: 2009,” p. 12.
James Jay Carafano, “Homeland Security’s Blind Spot,” The Washington Examiner, September 14, 2009, at http://www.washingtonexaminer.com/opinion/columns/Homeland-Security_s-blind-spot-8237821-59175902.html (April 8, 2010).
Federal Emergency Management Agency, “Ready Business Mentoring Guide,” April 25, 2006, at http://www.ready.gov/business/_downloads/mentor_guide.pdf (April 8, 2010).
James Jay Carafano, “Missing Pieces in Homeland Security: Interagency Education, Assignments, and Professional Accreditation,” Heritage Foundation Executive Memorandum No. 1013, October 16, 2006, at http://www.heritage.org/Research/HomelandSecurity/em1013.cfm.
Jena Baker McNeill, “Congressional Oversight of Homeland Security in Dire Need of Overhaul,” Heritage Foundation Backgrounder No. 2161, July 14, 2008, at http://www.heritage.org/Research/Reports/2008/07/Congressional-Oversight-of-Homeland-Security-in-Dire-Need-of-Overhaul.
Jena Baker McNeill, “The FY 2011 Homeland Security Budget: Spending Doesn’t Match the Missions,” Heritage Foundation Backgrounder No. 2376, February 26, 2010, at http://www.heritage.org/Research/HomelandSecurity/bg2376.cfm.
Jena Baker McNeill, James Jay Carafano, and Matt A. Mayer, “Eight Years After 9/11: Analyzing Congress’s Homeland Security Agenda,” Heritage Foundation WebMemo No. 2608, September 9, 2009, at http://www.heritage.org/Research/HomelandSecurity/wm2608.cfm.
U.S. Department of Homeland Security, “Fact Sheet: Critical Infrastructure and Homeland Security Protection Accomplishments.”
Jena Baker McNeill, “The SAFETY Act,” Heritage Foundation WebMemo No. 2490, June 17, 2009, at http://www.heritage.org/Research/HomelandSecurity/wm2490.cfm.