Magazine article Security Management

The Long Road to Secure Infrastructure: New Government Plans to Protect Critical Infrastructure Lack Substance despite a Decade-Long Effort by Federal Officials and Private-Sector Partners

Article excerpt

WITH LITTLE FANFARE, the U.S. Department of Homeland Security (DHS) announced earlier this year the completion of 17 sector-specific plans (SSPs) amending last year's National Infrastructure Protection Plan (NIPP). Together the documents establish a risk-based approach to protecting the country's critical infrastructure and key resources and ensuring their resilience in the event of natural or man-made disasters.

But the country is still a long way from having its critical infrastructure secured--or even having a complete plan for doing so.

Contributors and observers alike give DHS high marks for its handling of the process; however, they emphasize that the documents are not a finished playbook so much as a framework for continued planning, which remains largely unfinished. DHS acknowledges as much itself.

"As DHS has strained to point out, this is a first step. This is the beginning of a process," says Larry Clinton, president of the Internet Security Alliance (ISA) and member of the IT Sector Coordinating Council (SCC), one of 17 industry panels that collaborated with DHS on the sector-specific annexes.

But even this first step may not quite be complete, says John A. McCarthy, head of George Mason University's Critical Infrastructure Protection Program, which consulted DHS on both the NIPP and some of the sector-specific annexes. McCarthy says assessments should be further along than some SSPs indicate.

While a 2003 presidential directive defined the 17 sectors and mandated the NIPP, McCarthy notes that the federal government first took an expanded view of critical infrastructure protection nearly a decade ago, when President Clinton issued the first directive relating to critical infrastructure. That directive called for numerous actions on the part of government officials and industry experts. For example, the directive mandated vulnerability assessments of critical infrastructure and public-private collaboration in developing countermeasures.

"I'm loath to be critical because it's an enormous undertaking, but I'm interested in outcomes," McCarthy says. "How close are we to getting basic measures of vulnerabilities? I look through the NIPP, and I see a lot of 'to be developed.' This has been on the table for a decade, and we need to move forward."

The SSPs--seven of which are available to the public--take varying approaches for different sectors at various stages of cataloguing assets and assessing risk. Progress will be assessed in annual reports on further SSP development.

Some sectors were farther along than others entering the process. The nuclear sector, for example, had little new work to do because it was already heavily regulated and had for years been required to address these issues by federal and state governments.

Similarly, companies operating in the financial services sector, which took a big hit on 9-11, understood the importance of emergency preparedness and had made great strides to address their operational vulnerabilities, though the sector still plans to focus future work on ensuring service continuity.

Because of their importance to all other sectors, the communications and IT sectors cited a need to coordinate further with other industries to ensure their resilience, and in the case of IT, to guarantee "robust, coordinated" incident response and data recovery in the event of a major cyberattack.

As for how the government has gone about this, ISA's Clinton cheered DHS for starting "with a blank sheet of paper" and making industry an equal partner. …
