Abstract
From the early 1990s onwards, U.S. civilians and law enforcement officials have faced threats from terrorists and other violent extremists, with efforts focused on protecting these individuals from death or injury at the hands of these adversaries. However, even after the 9/11 tragedy, policy-makers have paid insufficient attention to the danger of attacks being launched with the intent of deliberately disrupting or destroying major elements of the nation’s critical infrastructure – including our transportation, communications, financial, and public health capabilities and facilities. In addition to physical threats, the potential threat of cyber-strikes against the “nervous systems” that control operations of critical infrastructures such as our electric power grid has come to the fore. Presidents Clinton, Bush, and Obama have issued scores of directives, executive orders, and strategies designed to protect our critical infrastructure and key resources from attacks by terrorists, only to discover that these intelligent adversaries can adapt to and even negate these measures. With a staggering number of systems defined as “critical,” efforts to prioritize resources aimed at reducing the risks to these critical infrastructure assets have not proved effective. Other lingering problems include how to conduct cross-sector assessments and finding ways for private owners and operators – who are responsible for most of the nation’s infrastructure – to work with the government in forging sustained partnerships for defending these critical targets from all attackers. Given these considerations, after discussing the meaning of critical infrastructure and the threats these systems face, this article summarizes the policies promulgated by Presidents Bush, Clinton, and Obama in their attempts to safeguard the nation’s critical infrastructure.
It will also address such issues as the sector construct, the use of risk methods in decision making, and the importance of public-private partnership. It then offers a series of conclusions followed by a set of recommendations for President Trump to consider on how the U.S. can more effectively meet and defeat the growing threats to our critical infrastructure from terrorists as well as violent extremists.
Suggested Citation
Kahan, Jerome. “Critical Infrastructure Protection: Can We Defend Against Terrorism?” Homeland Security Affairs 13, Article 1 (March 2017). https://www.hsaj.org/articles/13765
The U.S. needs an integrated and collaborative approach designed “to achieve a vision of a Nation in which physical and cyber critical infrastructure remain secure and resilient, with vulnerabilities reduced, consequences minimized, threats identified and disrupted, and response and recovery hastened.”1
Introduction
On February 26, 1990, Patrick Leahy took the floor of the Senate to remind his fellow legislators that the U.S. is a “target-rich society… totally dependent on interlocking networks and nodes for communications, transportation, energy transmission, financial transactions, and essential government and public services […vulnerable to terrorist attacks that] could cause havoc, untold expense, and perhaps even mass deaths….”2 These remarks were unexpected, since U.S. leaders in Congress and the White House had only recently recognized the dangers posed by terrorists and other violent extremists to our citizens and other residents, but had not yet fully appreciated the emerging threat of these adversaries mounting physical and/or cyber-attacks against our valuable and vulnerable infrastructure assets.
Later in the 1990s, the U.S. did in fact experience attacks by domestic extremists that destroyed major infrastructure targets while killing or injuring many Americans, notably the basement bombing of the North Tower of the World Trade Center in New York on February 26, 1993 and the truck-bomb explosion outside the Federal Building in Oklahoma City on April 19, 1995. These incidents should have been wake-up calls for the nation to prepare itself for more attacks against such targets. However, this realization was late in coming, occurring over six years later when on September 11, 2001 two aircraft hijacked by members of the al-Qaeda terrorist organization were deliberately flown into New York City’s Twin Towers turning these structures into rubble, while another aircraft damaged a side of the Pentagon, and a fourth crashed into a field in rural Pennsylvania – with all these events killing a total of almost 3000 people.3
As the years passed, in addition to concerns over physical attacks against our infrastructure, government officials warned the nation that many of our adversaries have also been developing the capacity to launch cyber-strikes against the computer-based elements of our critical assets and systems, with the potential of adversely affecting or even halting their operations.4 Commenting on these trends, the Director of National Intelligence (DNI), in his briefing to the Senate Armed Services Committee on the latest version of the Intelligence Community’s Worldwide Threat Assessment, cautioned that “terrorism will remain one of several primary national security challenges … in 2016.”5 DNI Clapper went on to reinforce a point he made in previous briefings regarding weaknesses and vulnerabilities in key infrastructure sectors across the nation that terrorists and violent extremist groups can attack and disrupt, with potential adverse consequences for our security, society, and economic welfare.
After discussing what is meant by critical infrastructures and explaining the threats these systems face, this article lays out the strategies, directives, and executive orders issued by Presidents Clinton, Bush, and Obama in their attempts to protect critical infrastructure targets from attacks launched by terrorists or violent extremists. It then assesses such issues as the sector construct, the National Infrastructure Protection Plan, the use of risk methods in decision making, the importance of resilience, and the need for public-private partnerships. On the basis of these analyses, the article offers a series of conclusions followed by a set of recommendations on how to enhance the ability of the U.S. to meet and defeat the threats posed to our critical infrastructure for President Trump to consider.
Meaning of “Critical” Infrastructure
In the 1980s, policy makers in the Executive Branch and Congress were primarily concerned over the deterioration, technological obsolescence, and insufficient growth capacity of the nation’s public infrastructure, not the threat from terrorists or violent extremists. These issues had been in the public domain for decades, as exemplified in a 1963 study by the Congressional Budget Office (CBO) that pointed out the appalling condition of major segments of the nation’s infrastructure judged to be “directly critical” to the country’s economy.6 Without using the word “critical,” a second CBO report in 1988 assessed the adequacy and condition of those infrastructure facilities “important for the vitality of the economy and for public health and safety.”7 It was not until the nation began to worry about terrorist threats in the 1990s, however, that the term “critical” in reference to our infrastructure came into serious use.8 Indeed, as the third millennium began, many of the familiar infrastructures known for their deterioration or obsolescence began to be treated as potentially significant terrorist targets.9
Definitions and Examples
An official definition of critical infrastructure is found in the USA PATRIOT Act, which states that these are “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”10 Put more tersely, critical infrastructures are comprised of assets and systems proclaimed by presidential order or legislated by Congress to be essential to the overall safety and security of the U.S. The specific infrastructures deemed to be critical can vary as a function of their relative importance and their vulnerability, which puts certain sectors at greater risk of terrorist attack than others.11 Currently, there are 16 officially designated critical infrastructure sectors providing “the essential services that underpin American society and serve as the backbone of our nation’s economy, security, and health….”12 These sectors encompass chemicals, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, public health, information technology, nuclear reactors, transportation systems, and water systems.13 Each of these sectors is in turn composed of systems, subsystems, and individual key assets likely to be the actual targets attacked. In addition, the nation has key resources, which the Patriot Act defined as those “publicly or privately controlled resources essential to the minimal operations of the economy and government,” a generalized meaning, always referred to but never explained, which later came to include national monuments and icons representing the nation’s traditions, heritage, and values or recognized for their historical, cultural, political, or religious significance.14
Database Difficulties
Given the numerous elements within each major sector, a National Asset Database (NADB) was established in 1963 to serve as a “comprehensive catalog that includes an inventory and descriptive information regarding the assets and systems” that comprise the country’s Critical Infrastructure and Key Resources (CI/KR).15 The NADB was designed to provide a database that would support a process for allocating resources to defend those targets whose vulnerabilities and consequences posed the greatest risk when facing terrorist attacks. But problems arose with the credibility and comprehensiveness of the methods used to populate this database, methods that included: visiting certain locations; seeking inputs from federal agencies, state and local governments, and private entities; extracting information from open sources and commercial databases; and relying on individual facilities to provide data voluntarily – a host of non-analytic and piecemeal activities that did not lead to useable results.16 Starting in 2006, the government took a new tack which sought to annually identify “nationally significant critical infrastructures” by parsing the elements of each infrastructure sector into assets that have fixed locations or that functioned as a single targetable entity as well as clusters composed of two or more associated assets or nodes that a single attack could damage.17 This also proved difficult to implement, since it is relatively easy to identify single assets such as buildings, bridges, or ports, but as put by an acknowledged expert, “most CIKR are part of a complex system… composed of numerous assets connected together as a network of nodes and links.”18
One year later, the Implementing Recommendations of the 9/11 Commission Act of 2007 called for establishment of a single prioritized list that would serve as a national database of systems and assets determined to be so vital to the nation’s functioning and well-being that their destruction or disruption would “cause national or regional catastrophic effects.”19 In response, while keeping the NADB alive, DHS created a new process for prioritizing the nation’s most critical assets and systems by maintaining two lists as a function of the level of consequences caused by a terrorist attack or other hazard – a top priority Type 1 list containing assets that would have the highest consequences to the nation if they were destroyed or damaged, and a Type 2 list including all entries on the Type 1 list plus additional assets that would have less serious but still significant national consequences.20
Where We Are
Believe it or not, DHS is still seeking to produce an accurate and comprehensive picture of the nation’s critical infrastructures, trying to respond to the 2013 GAO Report which asked for greater assurance that the two-tier list indeed captures the highest-priority systems and assets, whether owned and operated by government or industry.21 A major stumbling block yet to be overcome is the lack of agreement on what constitutes a “unit of critical infrastructure” – that is, how each of the various systems, subsystems, assets, and nodes within each sector should be counted.22 Moreover, the number of units within each sector has continued to expand over time, making it even more difficult to track this growth and produce an accurate inventory of vital assets and systems. These factors have increased the difficulty of determining how many critical infrastructure units are actually so indispensable that their loss or inability to function would have high consequence national effects.
The Threats
For our purposes, we define terrorism and other forms of violent extremist actions as “any activity dangerous to human life or potentially destructive of critical infrastructure or key resources, intended to intimidate or coerce a civilian population or influence the policy of a government.”23 Unlike natural disasters, these adversaries are motivated by “a complex mix of political, economic, and psychological objectives,” which can explain their interest in destroying or disabling the nation’s critical infrastructures and key assets.24 Such intelligent adversaries are also capable of striking “anything, anywhere, anytime,” [… while we cannot] protect “everything, everywhere, all the time.” 25 Additionally, they have the ability to exploit system vulnerabilities, negate protective measures, and shift from well defended to lesser defended but still significant targets. To accomplish their objectives, these antagonists can use physical means or, if suitably sophisticated, can employ cyber strikes or mixed attacks against our CI/KR, as discussed below.
Physical Threats
Depending on the nature of the target and the purpose of the strike, terrorists or violent extremists can use a variety of physical weapons to halt or disrupt the functioning of a critical asset. Attack methods that might be employed include coordinated strikes with homemade bombs ranging from sophisticated explosive devices to simpler pipe bombs or pressure cooker explosives carried to targets by passenger cars, pickup trucks, buses, motorbikes, or even maritime vessels; the use of suicide bomber detonations in crowded areas such as transportation stations; or the placement of explosive devices at targets that are then left for remotely controlled subsequent detonation.26 Another approach, which evokes grim thoughts of 9/11, is for terrorists or other violent extremists to use a purchased, rented, or stolen private aircraft loaded with explosives as a weapon by crashing it into a critical infrastructure target, such as a major financial or government facility.
Chemical and biological weapons (CBW) consist of “a toxic agent and some form of delivery device,” both elements of which can be acquired by determined adversaries using materials and equipment readily available in the economy and assembled into weapons, perhaps with assistance from domestic or international experts.27 These weapons could be aimed at critical targets with the capacity to release agents upon impact or else deployed inside a building with its agents released remotely, thereby contaminating these targets and putting them out of use for varying periods of time – in either case causing injuries if not deaths to exposed individuals.
It is also possible that adversaries might gain access to low level but still dangerous radioactive substances used for medical or research purposes, such as cesium, in order to build a radiological dispersal device (RDD) and explode this weapon in or near major commercial or government facilities with the intent of causing panic and economic damage. Less likely but far more terrifying would be terrorist groups detonating an illicitly acquired nuclear weapon or an improvised nuclear device (IND) constructed in the midst of a major metropolitan center. This would likely cause “mass fatalities and infrastructure damage from the heat and blast of the explosion and significant consequences from both the initial nuclear radiation and the subsequent radioactive fallout.”28
When it comes to tactics, smart, technologically advanced attackers might be able to exploit the complex interdependencies among infrastructure sectors to create cascading consequences by launching a well-placed attack that causes a system failure within a centralized sector, which in turn induces failure in another linked sector, and so on.29 Attackers might also be able to exploit a system’s “single point of failure,” which if destroyed or disabled by a highly accurate strike could not only stop that system from operating, but also induce cascading consequences as other system elements “take up the slack for the failed component, overloading these nodes, and prompting additional nodes to fail one after another in what is known as a vicious circle.”30
Reinforcing growing concerns over the threat to the nation’s critical infrastructure systems, FBI attendees at a 2015 conference on the electric power grid reportedly expressed concern that terrorist groups such as ISIS or its supporters are about to gain capabilities needed to disrupt the country’s electric system, but experts sought to calm things down by arguing that creation of cascading effects that could lead to a power blackout over a wide region would require these adversaries to employ an entirely different, more sophisticated approach which they do not now possess.31 A year later, the views of these experts were validated by an analysis suggesting we may not yet have experienced catastrophic cascading attacks because terrorists or extremists “most likely lack the intelligence, organizational coordination, manpower, and resources to conduct a strategic … campaign against nationally significant infrastructure targets… and at least for the moment remain content to attack most visible and easily accessible individual locations.”32 In the meantime, rather than sitting still, increasing our knowledge of the complex interdependencies among the nation’s infrastructure systems will help private and public owners install a variety of protective measures which can at least reduce the risk of future terrorist attacks causing high impact cascading effects.33
Cyber Attacks
For over a decade, before cyber space was seen as a hostile environment, Islamic terrorist groups “expressed interest in capabilities that could exploit [… America’s] cyber vulnerabilities [in order] to disrupt provision of services, exact economic costs, and undermine public confidence.”34 Despite this stated goal, a renowned national security expert opined in June 2011 that “cyber-attacks have not been the most attractive route for terrorists, […but predicted that] as groups develop their cyber capacity to wreak great damage against infrastructure over the coming years, the temptation will grow” to launch such attacks against the U.S.35 In fact, one year later the Secretary of Defense warned that a cyber attack on the nation’s critical infrastructure could be catastrophic, amounting to a “cyber Pearl Harbor” … that would not only cause physical destruction and loss of life, but also “paralyze and shock the nation and create a new, profound sense of vulnerability.”36
There is little question that terrorists may have been behind some of the computer intrusions or so-called “hacks” which in recent years have caused personal and proprietary data and other sensitive information to be made public.37 Of far greater concern to security officials, however, is the fear that certain terrorist organizations may soon acquire the skills and technologies to conduct sophisticated cyber attacks that could “disrupt, deny, destroy, or… exploit systems and networks essential to the functioning of critical U.S. infrastructure, with potentially devastating effects on economic security, the environment, national security, and public health and safety.”38 In 2014, an expert claimed that many of our critical sectors are protected by a “Cyber Maginot Line” that unfortunately enables attackers to bypass this barrier and attack exposed critical infrastructure targets.39
Particularly worrisome is the prospect of terrorists seeking to attack the Supervisory Control and Data Acquisition (SCADA) systems associated with the functioning of critical infrastructures in order to disrupt or degrade whatever service they provide to their customers.40 These cyber attacks alone are not likely to cause significant consequences if they target complex and redundant networks, but might have the effect of amplifying the damage caused by a physical strike.41 Such so-called blended attacks, where the physical and virtual worlds converge, offer our adversaries the capability to leverage cyber space in ways that cause severe damage to critical infrastructures.42 A particular threat that industry needs to guard against is the case of “insiders” with specialized knowledge of and access to complex information technology systems helping their external terrorist counterparts to launch a successful blended attack even against well secured infrastructure targets.43
Presidential Policies
Presidents Clinton, Bush, and Obama produced a plethora of directives, executive orders, and strategies for dealing with both physical and cyber threats to our critical infrastructure. Some were truly groundbreaking, particularly those of Clinton, but many Bush and Obama initiatives were warmed-over variations of previous policies.
Early Initiatives
In June 1995, two months after the Oklahoma City bombing, President Clinton issued Presidential Decision Directive-39, asserting that national policy was not only to deter and defeat terrorism, but also to vigorously respond to all terrorist attacks on our territory, citizens, or facilities.44 Seeking to turn policy into practice the following year, Clinton signed an Executive Order which explained that the nation faced cyber as well as physical threats to its CI/KR.45
The Order also called for establishing a Presidential Commission on Critical Infrastructure Protection (PCCIP) with the mandate of developing a comprehensive national strategy for protecting our infrastructure.46 After a wide-ranging effort that included inputs from dozens of experts, the PCCIP produced a report in October 1997 that offered a set of recommended actions the nation should take in dealing with both cyber and physical threats to our critical infrastructure.47 These results were captured in a White Paper on May 22, 1998 for dissemination to interested public and private parties and translated into Presidential Decision Directive-63 on the same date.48
After affirming the nation’s commitment to reduce physical and cyber vulnerabilities in our critical infrastructures which might be exploited by terrorists, PDD-63 assigned lead agency responsibilities for protecting each of the eight sectors identified as critical by the PCCIP.49 The Directive formed an interagency Critical Infrastructure Coordination Group (CICG) housed in the Department of Commerce (DOC) which analyzed critical infrastructure issues and developed policy recommendations for senior White House officials, including plans to coordinate with private counterparts in defending high value critical sectors against terrorist attacks and formulating plans for reconstitution of services in the event of successful strikes.50 PDD-63 also established in DOC the Critical Infrastructure Assurance Office (CIAO) to coordinate the federal government’s initiatives on critical infrastructure safety.51 Additionally, the Directive formed the National Infrastructure Protection Center (NIPC) within the FBI as the principal government body for facilitating threat assessments, warnings, law enforcement investigations, and responses as well as serving as a conduit for sharing this information with the private sector.52 Finally, the Directive set in motion the establishment of Information Sharing and Analysis Centers (ISACs) to better enable private owners and operators to share threat information about infrastructure sectors with each other and also with the government.53 As it turned out, many of the organizations formed by PDD-63 exist to this day and the essence of its policies influenced subsequent administrations in their efforts to protect the nation’s CI/KR from terrorist attacks and other hazards.54
Concerned over the growing unconventional terrorist threat facing the nation, President Clinton signed Presidential Decision Directive-62 – a classified measure reportedly elaborating upon the nation’s counterterrorism policy and the various threats posed by terrorists, including the risk that these adversaries “will be tempted to exploit vulnerabilities in our critical infrastructure.”55 Accordingly, Clinton ordered that we increase our effectiveness in countering these threats and prepare to manage the consequences of any successful terrorist attacks against our critical physical and cyber systems infrastructure.56
Reacting to his increased alarm that terrorists will use cyberspace to attack the nation, President Clinton, in early 2000, unveiled Defending America’s Cyberspace, Version 1.0 of his National Plan for Information Systems Protection, with the objectives of detecting, preventing, and responding to major cyberattacks against our critical infrastructure, while building institutions and laws to support cybersecurity programs. 57 Seeking to lay the groundwork for a more comprehensive strategy, the Plan proposed ten programs for federal agencies to undertake with assistance from industry, including improved warning of unauthorized intrusions and enhanced safeguarding of proprietary data.58 Although a GAO Report praised Clinton’s National Plan as an excellent first step for countering cyberspace dangers, it cautioned against establishing mandatory guidelines for federal agencies in managing their computer security programs, rather than granting these agencies greater latitude in dealing with this new threat, preferably on a voluntary basis.59
The Wakeup Call
The devastating terrorist attacks of September 11, 2001 had the effect of leading the nation’s highest officials to finally take seriously the need to secure our CI/KR from the dangers posed by such adversaries.60 In an immediate response to the 9/11 tragedy, President Bush signed into law the USA PATRIOT Act, which, among other provisions, called for a “continuous national effort… to ensure the reliable provision of cyber and physical infrastructure services critical to maintaining the national defense, continuity of government, economic prosperity, and quality of life in the United States.”61 In early 2002, Bush’s new White House Office of Homeland Security issued the first ever National Strategy for Homeland Security (NSHS), which incorporated “Protecting Critical Infrastructures and Key Assets” as one of its critical mission areas.62 Later that year, after intense negotiations with the White House, Congress approved the Homeland Security Act forming the Department of Homeland Security (DHS), a new Cabinet Agency with a polyglot of homeland security responsibilities, including protection of our critical infrastructure from terrorist threats.63 Partly in response to congressional hearings held in early October 2002 over “who’s in charge” of critical infrastructure protection, DHS was assigned the job of ensuring that all policies and programs designed to safeguard the nation’s CI/KR would be implemented in an effective, coordinated, and comprehensive manner – a challenging task to say the least, as we will discuss.64
Further emphasizing the importance of securing our critical infrastructure, President Bush, in early 2003, issued the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets which set forth goals, objectives, and guiding principles … to secure “the infrastructures and assets vital to our public health and safety, national security, governance, economy, and public confidence, [defined] roles and responsibilities, [… and identified] major initiatives that will drive our near-term protection priorities.”65 In late 2003, Bush issued Homeland Security Presidential Directive-7 entirely devoted to establishing a national policy that would identify, prioritize, and protect our CI/KR from attacks.66 In an unexpected burst of candor, the President sought to manage expectations by acknowledging in HSPD-7 that it would not be possible to protect all of our critical infrastructure assets against all attacks, but that “improvements in security can make it more difficult for attacks to succeed and can lessen the impact of attacks that may occur.”67
The growing danger of cyber attacks was not lost on President Bush, who before the 9/11 tragedy had issued an Executive Order on Critical Information Protection in the Information Age, a document built on work done by President Clinton aimed at further underscoring the importance of defending the nation’s critical infrastructure against cyber attacks. This also established the goal of ensuring that any disruptions that do occur “are infrequent, of minimal duration, manageable, and cause the least damage possible.”68 More operationally, in early 2003 Bush issued the National Strategy to Secure Cyberspace, which proposed a series of practical actions to defend the nation’s critical infrastructure from cyber attacks – an initiative that was immediately criticized as “just another policy document with plenty of good ideas […about cybersecurity] but few teeth.”69 In an attempt to put bite into this allegedly toothless strategy, which had come under continued criticism for almost five years, President Bush in January 2008 signed a pair of classified orders which provided a comprehensive approach to cybersecurity – anticipating future cyber threats, directing the gathering, assessment, and distribution of cyber threat information, and describing the missions and operations of various cyber organizations across the federal government. 70 These twin Directives led to issuance in January 2008 of the Comprehensive National Cybersecurity Initiative (CNCI), a classified joint directive consisting of a dozen steps aimed at coordinating the government’s effort in responding to the increasing number of cyberattacks on federal computer systems, including the formulation of strategies to deter cyber intruders.71 While praising the thrust of the joint directive, many cyber-security experts criticized this initiative because it excluded privately-owned systems where most cyber threats have occurred and which will likely remain key targets for future strikes.
Inheriting the challenge of dealing with the threat of cyber terrorism, five months after assuming office, President Obama called for a 60-day review by governmental and non-governmental experts of the cybersecurity “plans, programs, and activities underway throughout government.”72 After a two month effort, this review came up with the rather stark conclusion that “the Nation’s approach to cybersecurity over the past 15 years has failed to keep pace with the threat.”73 To begin fixing this problem, the review recommended that the President clarify the cybersecurity-related roles, responsibilities, and authorities of the various federal agencies, as well as appoint a “Cyber Czar” to facilitate government and private cooperation in countering and responding to cyber incidents. Among the other two dozen recommendations was the need to improve cyber threat information sharing, intelligence gathering, and analysis. Over a year later, however, the GAO concluded that only two “of the 24 recommendations in the President’s cyber policy review have been fully implemented,” blaming this unresponsiveness on the lack of timely and proper guidance to different agencies, and the delay in appointing the proposed Cyber Czar, which did not turn out to be a valid reason for the slowness in executing the cyber review’s recommendations, as we will discuss.74
If at First You Don’t Succeed
Having already put priority on efforts to safeguard our critical infrastructure from cyber attacks, President Obama, in his first National Security Strategy (NSS) issued in 2010, reminded the nation of the broader need to “protect and reduce vulnerabilities in critical infrastructure” from physical as well as cyber threats.75 Obama spent much time and effort the following years persuading Congress to pass legislation on cybersecurity, such as the House-sponsored Cybersecurity Act of 2012, giving the federal government and the private sector tools necessary to protect our most critical infrastructures from growing cyber threats, which the Senate failed to pass.76 At this point, the President signed a classified Policy Directive which reportedly offered “updated principles and processes as part of an overarching national cyber policy framework” to guide federal agencies in defensive and offensive cyber-operations to block, thwart, preempt against, or respond to cyber threats, but which did not include guidance for the host of private owners and operators responsible for the preponderance of the nation’s critical infrastructure.77
Turning his attention to gaining the confidence of private industry in the fight against cyber threats, Obama signed an Executive Order in early 2013, calling for the development of a “set of […voluntary] standards, guidelines and practices to help non-governmental organizations manage cyber risks to their critical infrastructures.”78 In response, the National Institute of Standards and Technology (NIST) developed a Cybersecurity Framework that contained a set of “standards, guidelines, and practices to …help owners and operators of critical infrastructure better manage cyber risks while furthering their business interests, with incentives to help induce participation.”79 Still available, the Framework is not a one-size-fits-all approach, but can be tailored to suit the needs of different infrastructure sectors and organizations and will be updated through inputs as conditions change.80
Despite all these attempts by President Obama, a GAO Report to Congress in February 2013 observed that interagency battles for policy control, coupled with private sector concerns over too much government intrusion, have made it difficult for the Administration to develop and implement essential cybersecurity programs to contain the danger of cyber attacks against the nation’s CI/KR.81 Only a year later, another GAO Report told Congress in no uncertain terms that much more needs to be done to “accelerate the progress made in bolstering the cybersecurity posture of … the nation’s most critical…infrastructure systems.”82
In a reaction to the unending series of criticisms on how his Administration was handling the issue of cyber threats, the President produced a Cybersecurity National Action Plan (CNAP) in February of 2015, advertised as “the capstone of more than seven years of determined effort by this Administration, building upon lessons learned from cybersecurity trends, threats, and intrusions.”83 This ambitious initiative proposed near-term actions to help “deter, discourage, and disrupt malicious activity in cyberspace,” while offering longer-term actions aimed at fostering cybersecurity improvements by federal agencies and the private sector.84 In response to one of the CNAP’s recommendations, Obama established a Commission on Enhancing National Cybersecurity charged with proposing a series of actions to be taken over the next decade to improve the nation’s awareness of cyber threats as well as steps government agencies and private companies could take to protect our critical infrastructure “in light of current and projected trends in cybersecurity threats…”85
The Commission’s efforts, captured in their Report on Securing and Growing the Digital Economy, were provided to President Obama on the first of December this year, as scheduled, but were also directed at President-elect Trump to assist him in dealing with this challenging issue when he became Commander-in-Chief.86 Threats to our nation’s cybersecurity considered by the Commission were not limited to terrorists, but ran the gamut from other nations to criminal groups and online bandits. In their Report, the Commissioners examined a wide range of issues to determine “what is working well, where the challenges exist, and what needs to be done to incentivize and cultivate a culture of cybersecurity in the public and private sectors.”87 The Commission’s findings are organized into 16 recommendations and 53 associated action items, all of which are said to flow from six so-called “major imperatives” and consistent with 10 so-called “foundational principles” – a rather overbroad and highly complex structure that masks many of the more significant outputs.
In commenting on the Report, President Obama claimed that much progress has been made in cybersecurity during his two terms in office, but acknowledged that “now it is time for the next Administration to take up this charge and ensure that cyberspace can continue to be the driver for prosperity, innovation, and change – both in the United States and around the world.”88 Examples of steps the new Administration ought to consider in coming to grips with the risks from cyberspace include incentivizing government agencies as well as private entities to make cybersecurity a top priority for national security and economic reasons; employing the most cost-effective cybersecurity measures to protect our CI/KR against all forms of cyber threats; strengthening cooperation between the public and private sectors during all phases of a cyber-attack; and developing meaningful metrics for judging the efficacy of cybersecurity strategies. Noting the urgency of enhancing the nation’s cybersecurity, the Commission suggested that many of its recommendations be started during the all-important first 100 days of the Trump Administration.
In the meantime, DHS informed Congress that it is considering a variety of organizational changes that would enable the Department to better address “the realities of today’s cyber environment and its impacts on critical infrastructure.”89 As put by one expert, however, there are no “utopian” organizational solutions for solving the problem of dealing with threats from cyberspace, so Congress should not expect too much from any “reorganization of the deck chairs on the Titanic,” if this somewhat overworked metaphor can be used.90
The Sector Construct
Earlier we defined the concept of a critical infrastructure sector, but it is useful to trace the evolution of how many sectors have over the years been judged to be critical. In 1997, Clinton’s Presidential Commission on Critical Infrastructure Protection (PCCIP) highlighted eight broad sectors deemed vital to the security and economic well-being of the nation. Not to be outdone, President Bush’s 2002 National Strategy for Homeland Security (NSHS) identified 11 critical infrastructure sectors terrorists might be expected to target, subsuming and expanding the eight sectors identified during Clinton’s reign, but within a year Bush’s HSPD-7 had inflated the list to include 17 critical sectors while maintaining the essence of the 11 found in the NSHS.91 Five years later, President Bush approved adding an additional sector on critical manufacturing, bringing the total number to 18.92 Finally, in February 2013, Obama’s Presidential Policy Directive-21 solidified the number of critical infrastructure sectors to the current set of 16 as summarized earlier, after making a few substantive and nomenclature changes.93
Whatever their numbers and types, an alphabet soup of organizations came into being as a means of ensuring that the nation’s critical sectors would be properly protected. More specifically, with the creation of the Department of Homeland Security (DHS), since early 2003 each of the critical sectors was assigned a Sector-Specific Agency (SSA) with the primary role of developing a Sector-Specific Plan (SSP) for use by all infrastructure stakeholders which would tailor national strategic guidance to the unique operating conditions of the sector in question.94 In addition, Sector Coordinating Councils (SCCs) were established as “self-organized and self-governed councils that enable critical infrastructure owners and operators, their trade associations, and other industry representatives to interact on a wide range of sector-specific strategies, policies, and activities…,” while Government Coordinating Councils (GCCs) were formed as counterparts for each privately run SCC to ensure an appropriate balance between public and private interests.95 Finally, Cross-Sector Councils (CSCs) were developed by The Partnership for Critical Infrastructure Security (PCIS) to enable leaders of each of the SCCs to consult among themselves on matters pertaining to critical infrastructure security and also to facilitate the engagement of private owners and operators with government officials at all levels “for the purpose of achieving consensus on joint priorities and actions to advance critical infrastructure security, protection and resilience.”96
In addition to its involvement in the various critical sector organizations, DHS conducts visits and surveys of the nation’s high-priority infrastructures as a means of gathering information that can help SSA and SCC representatives decide how best to invest in strengthening the security and resilience of their respective facilities and systems.97 GAO recently concluded that the Department has made progress in employing these surveys and visits to evaluate how well critical infrastructures across the nation are protected against adversarial physical and cyber strikes and also to have the necessary resiliency in case such an incident happens, but nonetheless recommended that DHS needs to make additional improvements in producing timely and accurate assessments, including elimination of redundancy or gaps in methods used and improved coordination of vulnerability assessments.98
National Infrastructure Protection Plan (NIPP)
Homeland Security Presidential Directive (HSPD-7) called for the Secretary of Homeland Security “to produce a comprehensive, integrated National Plan for […CI/KR] Protection that would outline national goals, objectives, milestones, and key initiatives” for defense against terrorism, with the due date set for the end of 2004.99 Though the required deadline was not met, an interim product that came to be known as the National Infrastructure Protection Plan (NIPP) was published in early 2005, followed by a “for comment draft” so relevant agencies at all governmental levels and interested private entities would have more time to respond.
The first official NIPP was finally published by DHS in 2006, with the goal to “prevent, deter, neutralize, or mitigate the effects of deliberate efforts by terrorists to destroy, incapacitate, or exploit” the nation’s critical infrastructure vulnerabilities, ensuring that targeted entities have the ability to respond and recover rapidly from attacks.100 NIPP 2009 updated the first edition, with attention to developing a structure that would integrate the full range of efforts for defending the nation’s CI/KR into a unified effort.101 It also reminded the nation that terrorist attacks against our critical infrastructure “could significantly disrupt the functioning of government and business alike and produce cascading effects far beyond the affected [… target] and physical location of the incident, [… which] could result in large-scale human casualties, property destruction, […and] economic disruption.”102
NIPP 2013, still active pending a further edition, provides the foundation for an integrated and collaborative approach to achieve the vision of a nation “in which physical and cyber critical infrastructure remains secure and resilient, with vulnerabilities reduced, consequences minimized, threats identified and disrupted, and response and recovery hastened.”103 It also focuses more on ensuring greater alignment by the NIPP to the national preparedness efforts instituted by Presidential Directive PPD-8, which sought to prepare the nation at all public and private levels to deal with “threats that pose the greatest risk to the security of the nation, including acts of terrorism, cyber-attacks, pandemics, and catastrophic natural disasters.”104
Finally, while these issues appeared to various degrees in previous editions, the 2013 NIPP highlights seven basic tenets and a dozen calls for action designed “to guide the national effort over the next four years,” such as recognizing the unique diversity of the critical infrastructure community, relying upon joint public and private planning and actions for protecting CI/KR, developing greater understanding of cross-sector interdependencies, identifying and being able to respond to the potential cascading effects of attacks, and using an outcomes approach for evaluating progress toward achieving goals.105 This represented quite an agenda for Obama to follow, much of which was not accomplished, so these initiatives will fall into the hands of the next Administration.
Managing Risk
From its inception, DHS has sought risk methods that can result in cost-effective programs capable of providing assurance to all critical sectors that these assets are relatively safe and secure, especially when faced with the uncertain and unpredictable dangers of attacks by terrorists or violent extremists. Indeed, the Secretary for Homeland Security noted in 2005 that “tough choices must be made” […in allocating our limited resources] using “objective measures of risk.”106 This makes sense, since not all assets require the same level of protection, given variations in the criticality, vulnerability, and exposure of individual systems within a critical sector – so a risk-informed process is brought in to identify targets that would result in the highest consequences if attacked and which therefore require higher levels of protection.107 In other words, risk assessment is “the process of qualitatively or quantitatively determining the probability of an adverse event and the severity of its impact on an asset […providing] the basis for the rank ordering of risks and for establishing priorities for countermeasures.”108
Risk Management Framework
In an attempt to deal in an organized manner with risk as related to critical infrastructure protection, NIPP 2006 presented a comprehensive Risk Management Framework (RMF) that enabled decision makers to prioritize protection initiatives and investments across sectors in an effort to ensure that government and private resources are applied where they offer the most cost-effective benefits for mitigating risk when facing both physical and cyber threats from terrorists.109 The RMF comprised a generalized “five-step process for identifying, prioritizing, applying, and evaluating infrastructure protection improvement measures.”110 In addition, recognizing the veritable menu of different risk methods available for use by federal representatives and private owners, DHS developed a set of standardized criteria – credibility, reproducibility, transparency, comparability, and accuracy – which could be adapted for use in assessing risk for each of the systems in each sector.111 The next edition, NIPP 2009, reinforced the need for a common RMF which would establish goals, assess risks, prioritize programs, allocate protective resources in ways that offer the greatest return on investment, and be adaptable and flexible enough to support risk assessments for all infrastructure stakeholders.112
To actually calculate risks in connection with the hazards facing our CI/KR, the 2006 NIPP put forward the formula of risk as a function of the likelihood of an attack being attempted by an adversary (i.e., threat), the probability that an attack is successful (i.e., vulnerability), and the expected damage incurred in terms of such measures as fatalities, injuries, economic impacts, and psychological effects expressed in terms of dollars lost (i.e., consequences).113 This complicated risk formulation, where the three variables are interdependent, can be represented by the equation Risk = L(Attack) × P(Success | Attack) × C(dollars lost).114 A simpler approach, with each of these variables individually estimated and then multiplied together as if they were independent, cannot be used for terrorist attacks where the adversary can adjust tactics in seeking to counter protective measures. Risk assessments become even more demanding if applied to complex adaptive systems (CAS), such as a variegated transportation network or an intertwined power grid, where nonlinear effects, feedback loops, and other complicating issues arise.115
In September 2006, DHS entered into contract with the American Society of Mechanical Engineers (ASME) to develop and apply a prototype version of a Risk Assessment Methodology for Critical Asset Protection or RAMCAP that would be consistent with the NIPP’s standardized risk criteria.116 As promoted, the purpose of this methodology is “to identify and prioritize investments in preparedness of the nation’s critical infrastructure, including protection….against hazards due to terrorism, naturally occurring events, and other potential threats.”117 The comprehensive and complicated RAMCAP process called for infrastructure assets to be characterized, threats to be established, consequence and vulnerability analyses to be conducted, and risks to be assessed and managed. RAMCAP was designated as the “centerpiece” of risk assessments in the 2006 NIPP, but did not appear in subsequent versions issued under the Obama Administration with DHS offering no explanation for this parting of the ways, leaving it to ASME to say farewell.118
National Research Council Report
Unhappy with how the Obama Administration was handling the overall issue of risk, Congress asked the National Research Council (NRC) to review and assess DHS’s overall risk analysis activities in 2008.119 Among the risk methods and models reviewed were those associated with terrorist attacks against the nation’s critical infrastructure, including the Strategic Homeland Infrastructure Risk Assessment (SHIRA) which annually helps decision makers understand the nature of the risks of terrorist attacks to each sector as well as a risk-based method for identifying chemical facilities to be regulated (CFATS) and a computer-assisted tool to assess and manage risks in the transportation sector (TRAM).120
In its 2010 Final Report, the NRC did not question DHS’s use of the formula risk as a function of threat, vulnerability, and consequences when seeking to prioritize and allocate resources for protecting critical sectors against natural disasters. However, when facing threats from terrorists or violent extremists whose targets and tactics can change rapidly and unexpectedly, the Council indicted DHS for employing inadequate risk methods, recommending this problem be taken care of rapidly.121 In this connection, the NRC examined the processes used by DHS’s Federal Emergency and Management Administration (FEMA) in allocating grant funds to States and local communities for the purpose of protecting their infrastructures from threats by terrorists. The Council noted that in recent years FEMA has used the formula of risk as the likelihood of an attack occurring multiplied by its consequences – while setting vulnerability at unity.122 Despite FEMA’s explanation that conducting infrastructure vulnerability assessments for all grant applicants would be too hard, the Council questioned the need to neglect infrastructure vulnerability and concluded that FEMA’s whole approach to risk is arbitrary and misleading – creating confusion and controversy on the part of applicants due to the lack of transparency of how the agency allocates federal resources to competing grantees in order to “buy down” risks. For all these reasons, NRC recommended that FEMA “undertake an external peer review of its risk-informed formulas for grant allocation … and improve the transparency of these crude risk models.”123
Although the NRC Report questioned the utility of terrorist threat models, a year after it was published, a group of risk modeling experts announced that they were developing a model which simulated behaviors of interacting players, with terrorists as attackers and critical infrastructure owners as defenders using a three-step game theory “defender-attacker-defender” approach.124 However, while creative, such mathematically-based attempts to model reality are not only complicated to employ, but produce outputs that are difficult for policy makers to interpret based on results that cannot be substantiated. This is why decision makers in many cases turn to qualitative methods instead to estimate risks, as the NRC explained, often relying upon expert opinion, an approach that has value but which brings its own challenges.125
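The risk formulas discussed above (the NIPP product of threat, vulnerability, and consequence; the FEMA variant with vulnerability set at unity; and an adversary who re-targets once defenses change) are worked through here as an added example that is not from the article, DHS, or the NRC. The three assets, their numbers, the hardening factor, and the single-attacker assumption are all constructed, and the last function is a simplified two-stage defender-attacker calculation, not the three-step model proposed by the experts cited above.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    threat: float         # L(Attack): estimated likelihood of an attempt
    vulnerability: float  # P(Success | Attack)
    consequence: float    # C: loss in $M if the attack succeeds


# Constructed sample data, for illustration only.
ASSETS = [
    Asset("substation", 0.10, 0.80, 500.0),
    Asset("water_plant", 0.30, 0.20, 400.0),
    Asset("rail_hub", 0.20, 0.50, 300.0),
]

# Assumption: one protective investment cuts an asset's vulnerability to 25%.
HARDENING_FACTOR = 0.25


def risk_tvc(a):
    """Risk as threat x vulnerability x consequence, estimated independently."""
    return a.threat * a.vulnerability * a.consequence


def risk_v_unity(a):
    """Grant-formula variant: likelihood x consequence, vulnerability fixed at 1."""
    return a.threat * 1.0 * a.consequence


def ranking(assets, score):
    """Asset names ordered from highest to lowest score."""
    return [a.name for a in sorted(assets, key=score, reverse=True)]


def harden(assets, name):
    """Return a copy of the portfolio with one asset's vulnerability reduced."""
    return [
        replace(a, vulnerability=a.vulnerability * HARDENING_FACTOR)
        if a.name == name else a
        for a in assets
    ]


def static_total_risk(assets):
    """Portfolio risk if threat likelihoods stay fixed after defenses change."""
    return sum(risk_tvc(a) for a in assets)


def adaptive_risk(assets):
    """Assumption: a single adversary keeps the same overall attack probability
    but, after observing defenses, strikes the asset with the highest expected
    damage (vulnerability x consequence). Returns (target, expected loss)."""
    p_attack = sum(a.threat for a in assets)
    target = max(assets, key=lambda a: a.vulnerability * a.consequence)
    return target.name, p_attack * target.vulnerability * target.consequence


def minimax_choice(assets):
    """Defender moves first: harden the asset that minimizes the loss an
    adaptive adversary can still achieve."""
    return min(
        (a.name for a in assets),
        key=lambda n: adaptive_risk(harden(assets, n))[1],
    )


if __name__ == "__main__":
    print("T x V x C ranking:", ranking(ASSETS, risk_tvc))
    print("V = 1 ranking:    ", ranking(ASSETS, risk_v_unity))
    for name in ranking(ASSETS, risk_tvc):
        hardened = harden(ASSETS, name)
        target, loss = adaptive_risk(hardened)
        print(f"harden {name:11s} static={static_total_risk(hardened):6.1f} "
              f"adaptive={loss:6.1f} (adversary shifts to {target})")
    print("minimax choice:", minimax_choice(ASSETS))
```

With these numbers the vulnerability-at-unity ranking puts the water plant first, yet hardening it leaves the adaptive loss unchanged at 240. Hardening the substation gives a static estimate of 64 against an adaptive figure of 90, because the fixed-likelihood model does not register the adversary's shift to the rail hub.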
In support of President Obama’s Preparedness Directive, a classified Strategic National Risk Assessment (SNRA) was undertaken in December 2011 by a group of experts from DHS, other Federal agencies, the intelligence community, and academic consultants “to help identify the types of incidents that pose the greatest threat to the nation’s homeland security,” positing a range of scenarios including a situation where a terrorist fires a man-portable improvised explosive device (IED) against “a concentration of people, and/or structures such as critical commercial or government facilities, transportation targets, or critical infrastructure sites.”126 Notwithstanding the expertise and information brought to bear, it was difficult to estimate accurately the frequency of terrorist attacks and equally challenging to gauge the severity of these impacts and put the diverse types of consequences into common units of measurement. The SNRA Report candidly acknowledged the many uncertainties, limitations, and caveats associated with the effort, though its results were used to help establish national preparedness levels.127
The SNRA Report also recognized the need to develop a separate risk method for stakeholders below the national level. This led FEMA to issue the Threat and Hazard Identification and Risk Assessment (THIRA) Guide in April 2012 for local owners of infrastructures that were potentially exposed to terrorist attacks or other hazards. FEMA worked hard to help these stakeholders compute risk using the THIRA process – estimating threats, developing scenarios, accounting for vulnerabilities, and calculating consequences – but the various steps were too complicated for typical users to execute without specialized expert support not always available.128
Taking Stock
In both governmental and private domains, risk methods for individual sector assessments are presently far more developed than approaches that compute and compare risks across the spectrum of critical infrastructure sectors, taking account of the complexities created by our nationwide network of assets and systems.129 This gap led to a flurry of activities by research institutions to investigate a variety of approaches for computing cross-sector risks, none of which has yet borne fruit.130
While DHS continues to seek ways to find the elusive common risk method, the Department’s Risk Steering Committee in 2010 published the second edition of the Risk Lexicon in another attempt to persuade all components to at least agree on risk fundamentals, and the Office of Risk Management and Analysis (RMA) soon issued a primer called Homeland Security Risk Management Fundamentals.131 However, neither calls for cooperation nor pedagogic publications have helped DHS find a well-supported risk-informed process for prioritizing and allocating resources to shield the nation’s CI/KR against terrorist threats. But this challenge is not new. Over a decade ago, a band of experts observed that in calculating the risk of potential terrorist attacks, private executives and government policymakers must grapple with far greater uncertainties than ever before…, “increasing the difficulty of developing policies and strategies for efficiently and effectively protecting the nation’s CI/KR.”132 Sadly, this observation rings true today, whether due to the intrinsic difficulty of finding a solution, or as some believe, the failure of DHS to find the best and the brightest risk experts from government, industry, and academia to attack this problem and bring together a synergy of expertise needed to do the job.
Integrating Resilience
A decade ago, making critical infrastructures resilient to physical attacks from terrorists or other hazards suddenly became a significant goal for stakeholders concerned with the defense of these vital assets. Since this concept seemed to have dozens of meanings cutting across many different fields of endeavor, the National Infrastructure Advisory Council (NIAC) stepped in to offer a definition of infrastructure resilience as “the ability to reduce the magnitude and/or duration of disruptive events […through the ability] to anticipate, absorb, adapt to, and/or rapidly recover from […such an] event.”133 As the NIAC sought to clarify, a resilient infrastructure has the ability to bend but not break, in contrast to protective measures which tend to be brittle and might fail when experiencing a powerful assault. Examples of enhancing the resilience of critical facilities include increasing redundancies, making buildings more robust, and developing systems that can “self-heal” after being damaged.134 These types of solutions, if incorporated into an infrastructure system, would enable its performance to degrade gracefully after absorbing a major blow, while sustaining minimum but critical services until it can restore its services as soon as possible to a satisfactory post-incident level.135
The CITF Report
In a 2006 Report to the DHS Secretary, the Critical Infrastructure Task Force (CITF) of the Homeland Security Advisory Council (HSAC) strongly advocated that resilience serve as the overarching framework for reducing risks associated with all threats to critical infrastructure, making critical infrastructure resilience (CIR) “the top level strategic objective—the desired outcome—to drive national policy and planning,” replacing the goal of critical infrastructure protection (CIP) that had been driving the national effort.136 Despite the sudden pressure from public and private organizations to emphasize CIR at the expense of CIP, however, DHS argued that protecting critical infrastructure assets and making them more resilient should serve as complementary not competitive approaches when seeking to reduce risks associated with terrorist attacks.137
From another perspective, the CITF members observed that “resilience is an important strategy to help mitigate the multitude of risks facing owners … of critical infrastructure.”138 This important comment went relatively unnoticed by the infrastructure community until four years after their Report was issued, DHS’s Homeland Security Studies and Analysis Institute undertook a comprehensive study of the relationship between risk and resilience, analytically validating the proposition that risk and resilience are inversely related – that is, the greater the resilience of a system, the lower the risk to that system from all hazards including terrorist attacks, while the lower the resilience of a system, the more it is at risk.139 The study demonstrated that this relationship can be translated into practical planning techniques that show how much the level of risk can be lowered when facing a given threat as a function of how much resilience is incorporated into a critical asset.140
Continuing to fly the flag of resiliency, President Obama proclaimed September 2009 National Preparedness Month, explaining that a resilient nation is “one in which individuals, communities, and our economy can adapt to changing conditions as well as withstand and rapidly recover from disruptions due to emergencies.”141 And a year later the President made the argument in his first NSS that when incidents occur we must be resilient by being able to adapt to changing conditions, prepare for and withstand a disruption, maintain critical functions and rapidly recover from this incident, and then return to normalcy.142 Obama reaffirmed in his 2015 NSS that the federal government is “working with the owners and operators of our Nation’s critical cyber and physical infrastructure across every sector… to decrease vulnerabilities and increase resilience.”143
The Business Case
The CITF Report argued that the business case for investments in CIR “are both compelling and well aligned with private sector interests, a necessary condition for progress given the private sector ownership of the vast majority of our infrastructures.”144 A decade later, a Report by the Congressional Research Service (CRS) concluded there was relatively little direct government support or incentives for private sector owners or operators to implement resilience-oriented measures for their critical infrastructures…recommending that Congress might investigate whether market forces are sufficient to drive such investments and if not whether government assistance measures might be needed.145 Meanwhile, the PS-Prep™ program had already started to operate under FEMA’s auspices with the goal of improving the preparedness of private sector and not-for-profit organizations through […voluntary] conformance to consensus-based…standards and best practices, “while DHS had earlier put in place a Ready Business mentorship program where smaller businesses are paired with larger companies to learn about resilience measures.”146
While it took time for this message to take hold, in recent years investments in resilience have come to be seen as good business practices for many private entities across all sectors, with an increasing number of corporations “embracing resilience as a framework to maintain core operations, fulfil corporate responsibilities, and develop new business opportunities as global economic, social and environmental conditions shift ever more rapidly.”147 Firms began to understand that investments in resiliency can improve customer confidence in their processes and products by giving them a greater capacity to keep functioning in the event of a major hazard.148 To help “make buildings and tunnels terror-resistant and terror-resilient,” DHS even initiated the Building and Infrastructure Protection publication Series (BIPS) for use by city planners, architects, engineers, and builders.149 In addition, with an eye on the private sector, plans were announced in April 2016 for DHS and the University of Illinois to jointly launch a Critical Infrastructure Resilience Institute (CIRI) that will seek to develop new technologies and business approaches for improving the security and resiliency of critical infrastructures.150
Public and Private Partnerships
The fact that most of the nation’s critical infrastructures are privately owned and operated means that “the government must work closely with the private sector in developing a […coordinated] strategy for defending these facilities from terrorist attacks and ensuring their resiliency in the event of such incidents.”151 DHS assumed the responsibility for making this happen, reaffirming late last year that “this endeavor is a shared responsibility among Federal, state, local, tribal, and territorial entities, and public and private owners and operators of critical infrastructure.”152 In principle, partnerships should work in mutually supportive ways where private actors “are best positioned to determine and implement risk-mitigation strategies to reducing the vulnerability of the CIKRs they own and operate to various disruptions, […while] government agencies can contribute essential resources to CIKR protection and are also well positioned to address threats.”153 In practice, however, over the years it has proved difficult to forge and sustain this relationship, given the differing views of public and private entities in why and how they safeguard critical sectors.
The Role of NIPPs
Private partners were involved in the production and execution of the three NIPPs issued thus far, given that these owners and operators control the bulk of our critical infrastructure systems. From the outset, private industry assisted in developing and implementing these plans via their representatives on the sector coordinating and cross sector councils – helping them obtain sensitive information from the federal government on evolving threats and, in turn, enabling them to offer assistance to government representatives on methods for protecting the various sectors.
Stressing the need for partnership, in the preface to NIPP 2006, the Secretary of Homeland Security argued that continued collaboration and cooperation among government agencies and private businesses is essential in securing the nation’s critical infrastructure.154 Consistent with its subtitle, Partnering to Enhance Protection and Resiliency, NIPP 2009 stressed the importance of “public and private partners working together to secure our national-level CI/KR, promoting an environment in which owners and operators, responsible for the bulk of the nation’s infrastructure, can better carry out their sector protection responsibilities.”155 NIPP 2013, Partnering for Critical Infrastructure Security and Resilience, stressed even more the need for federal departments and agencies to work with State, local, regional, and private sector partners in promoting continuous improvement of security and resilience efforts.156 NIPP 2013 also made the point that industry needs to be encouraged “to go beyond what is in their commercial interest and invest in the national interest through active engagement in partnership efforts with federal agencies in safeguarding critical infrastructure.”157 Tensions rose, however, as federal agencies bound by government regulations on the protective initiatives clashed with industry owners who relied upon voluntary security measures, often employing best practices, to defend their vast infrastructure network.
Involvement in the NIPP process should have made company executives aware of the need to cooperate fully with the federal government in safeguarding the nation’s CI/KR, since their assets constitute “primary strategic targets of contemporary terrorism […and attacks by these adversaries] can cause severe and cascading economic damages not only to the targeted businesses but […to] other sectors in a country’s overall critical infrastructure ….”158 Yet many executives continue to put top priority on the bottom line – that is, to manage profitable businesses with little “commercial incentive to fund vulnerability reductions, […largely] because these costs in their view outweigh the benefits of reducing the risk from terrorist attacks.”159
Stimulating Partnerships
Early in his second term Obama issued Presidential Policy Directive-21, which highlighted the need for streamlining how the current public-private partnership operates in estimating physical or cyber-attack threats to our CI/KR and in cooperating with each other if such attacks occurred.160 To these ends, the Directive established a National Infrastructure Coordinating Center (NICC) within DHS with the mission of exchanging key information in the event of physical threats, as well as a National Cybersecurity and Communications Integration Center (NCCIC) with the responsibility of serving as “a 24×7 cyber situational awareness, incident response, and management center [… that] shares information among public and private sector partners to build awareness of vulnerabilities, incidents, and mitigations.”161 While the NICC has operated as planned, the NCCIC had no regulatory authority to impose cyber security measures, which led to federal agencies seeking to meet their individual policy goals facing off with private companies striving to meet their financial needs, thus stalling forward progress in the fight against cyber terror threats to our critical infrastructure.162
In an effort to gain the needed support from industry, President Obama proclaimed November of 2013 Critical Infrastructure Security and Resilience Month, telling the American people that the country was seeking new ways to strengthen public-private partnerships so we can better manage risks to our critical infrastructure and mitigate the adverse effects of terrorist attacks if they occur.163 This public proclamation did not seem to have the desired effect on industry, as most private infrastructure owners seemed to be more concerned about natural or accidental hazards than terrorism, although many safeguards against these dangers can also help protect against terrorist strikes, especially for electric power, oil and gas, and water and wastewater systems.164 Among those who have tried to persuade captains of industry to change their perspectives is an expert on the U.S. power grid who proclaimed that protecting our infrastructure from both cyber and physical threats requires “a holistic approach to security” with shared responsibilities between industry and government.165 Yet private owners and operators, wearing their business hats, continue to stand their ground as DHS and other federal officials keep up their efforts to find common ground on the issue of critical infrastructure protection.
As it turns out, private owners alone should not be blamed for a lack of progress in cooperative endeavors. After all, as discussed earlier, it was a group of businessmen who formed The Partnership for Critical Infrastructure Security (PCIS) and established the Critical Infrastructure Partnership Advisory Council (CIPAC) – a private organization that continues to convene meetings between industry and government on issues affecting a variety of critical sectors, including nuclear, financial services, energy, emergency services, dams, and transportation systems with a focus on aviation.166 Perhaps more such initiatives by CIPAC will pay off in moving both sides closer together if both businessmen and bureaucrats dedicate themselves to ensuring the safety of the nation’s CI/KR.167
Efforts to coordinate cybersecurity policies have entailed their own challenges and need to be discussed separately largely because “[m]ost of the work that needs to be done to secure cyberspace is in the private sector, but private enterprise and government agencies have not been on the same page […and it will] take time for all the stars to align.”168 These were the words of one of the Cyber Czars appointed by President Obama with the responsibility of harmonizing public-private cybersecurity programs, but who encountered difficulties in doing so and stepped down from this post after serving for two and a half years to be replaced by another Czar, in an unproductive and somewhat laughable “musical chairs” process spanning most of the Bush and Obama years.169 This constant failure of Cyber Czars to coordinate public and private efforts to defend our critical infrastructures from cyber threats demonstrates the difficulty of bringing both of these sides together in what ought to be a common battle, not only in cyberspace but also on the ground where we still need greater coordination to safeguard our CI/KR from physical attacks.
Conclusions
While progress has been made in reducing the risk of attacks against the nation’s CI/KR from terrorists and violent extremists, more can be done to lower the level of risk still further in the face of evolving and increasingly aggressive threats, especially more sophisticated cyber-attacks. However, despite concerns over potentially cascading nationwide consequences, we have not yet experienced major attacks on our critical infrastructure systems that caused such a serious adverse impact. On the one hand, this might mean that we have been successful in meeting the condition put forward in 1993 by President Clinton that the nation’s protective programs must ensure that any deliberate “interruption or manipulation of [… our] critical functions … be brief, infrequent, manageable, geographically isolated, and minimally detrimental to the welfare of the United States.”170 On the other hand, this good news might mean that our adversaries do not yet have the means to strike at our infrastructure targets in ways that would lead to adverse consequences that ripple throughout the nation – falling short of Al Qaeda’s imputed objectives “to attack rich and visible components of the nation’s critical infrastructure to disrupt the U.S. economy, undermine confidence in the monetary system and inflict fresh wounds in the American psyche.”171 In either case, it is time to review the following five conclusions drawn from the previous analyses.172
[1] Defending against Terrorism
Studies upon studies have tried to understand, anticipate, and interpret the when, where, and how of terrorist attacks against CI/KR targets, but with limited results.173 Improved intelligence on the plans and capabilities of dangerous individuals and groups who might attack our infrastructure is indispensable, but difficult to acquire, process, and distribute in a timely manner. Moreover, “unlike natural disasters that are controlled by … Mother Nature,” clever adversaries can adjust their tactics and/or target selection to overcome or work around our defensive strategies.174 Additionally, the sheer complexity of the sector system, with its shifting array of critical sectors supported by a multifaceted management system, has become a hindrance to decision-makers seeking to deploy specific protection programs to reduce the risk of terrorist attacks against potential targets in each sector. DHS attempts to simplify this complicated sector structure have run into an entangling web of legal and regulatory matters, particularly related to cyber security.175
[2] Ensuring sectors are “critical”
In a recent article, an expert observed that the nation has for decades “been expending resources on misaligned efforts to protect thousands of facilities, the destruction or disruption of which would not cause widespread damage or cascading effects and should not be designated as critical.”176 Whether the number is eight, 11, 16, 17, or 18, this comment leads to the conclusion that it has indeed been a mistake to have continued for decades to designate a set of critical infrastructure sectors as virtually indispensable to the economic health and social functioning of the nation when the disruption or even the loss of many of the systems in so-called “critical” sectors would not have nationwide consequences but at worst would cause unwanted implications for various localities or areas. What we have not seen is a “shared effort between the private sector and the federal government…to disaggregate what is ‘critical’ …from what is ‘dangerous’ … but not necessarily critical.”177 Applying such a process would make it easier to establish priorities and allocate limited resources to protect those systems or sectors of true national significance by removing assets of significance only to regions or localities.178
[3] Developing Appropriate Risk Methods
Despite the National Research Council’s urgent plea that DHS improve its risk management processes against physical and cyber threats to our CI/KR, the Department has shown no serious signs of pulling together the divergent risk methods employed by its components to develop a common platform that can be adapted to account for specific threats to be faced as well as the particular characteristics of each system in each sector that might be a target. Meanwhile, the private sector has continued to employ a conglomerate of fundamentally different risk methodologies, moving away rather than towards a common platform.179 In addition, critical systems are becoming so complex that many of the traditional methods of risk analyses no longer apply, requiring a common platform to provide more sophisticated tools. Finally, a common risk platform would support “cross-sector risk comparisons for investment, planning, and resource prioritization decisions,” benefitting the entire community of critical sector proprietors.180
[4] Countering Cyber-threats
There are no foolproof solutions for securing critical infrastructure targets against anticipated cyber-attacks from terrorists. The cyber security technologies we currently rely upon to control many of our most critical infrastructures were not designed to withstand deliberate cyber-attacks employing advanced technologies in an attempt to subvert, disable, or destroy the functioning of these targets.181 The best defensive technological solutions we now have available can only try to disrupt a multistage cyberattack while it is in progress, which generally offers only one opportunity to discover and intercept the intrusion before serious damage is done.182 Moreover, as we improve our capabilities, our opponents are sure to apply innovative tactics to try and overcome our cybersecurity measures in what one expert said might resemble an arms race in cyberspace.183 To make matters worse, hampering our defensive efforts is the unwillingness and/or inability of DHS and other federal agencies to share fully sensitive cybersecurity information with private owners and operators, while private security experts have little faith in government regulations. These impediments have prevented the development of an effective cybersecurity strategy, without which we will not have the capabilities needed to deal with the growing threat of cyber attacks on our critical infrastructures.
[5] Measuring Progress
Like all federal agencies, since inception DHS has been required by law to produce an Annual Performance Report that presents performance measures for each of its offices and components based on realistic metrics.184 In addition, Presidential Directive HSPD-7 required each Sector Specific Agency (SSA) to produce an Annual Report for DHS that provided sector-level performance feedback for major activities, highlighting programs that reduced risks to CI/KR from adversary attacks while identifying and potentially eliminating protective activities that did not meet this objective.185 However, these requirements were not satisfactorily met. The Office of Management and Budget (OMB) concluded in 2006 that neither DHS nor its SSAs had developed acceptable performance goals or established specific annual and longer-term cross sector performance measures and metrics.186 One major shortcoming is that these assessments relied upon “bean-counting” – the number of activities or percentage of desired actions – not outcome measures that gauge how well specified activities contributed to the overall infrastructure security strategy.187 NIPP 2013 sought to correct this problem by calling for critical infrastructure partners “to identify high-level outputs or outcomes to facilitate evaluation of progress” toward the National Plan’s goals and priorities.188 However, a 2015 GAO Report concluded that SSAs needed to “better measure cybersecurity progress,” which is more demanding than measuring progress in physical protection of CI/KR.189 In July of this year, DHS instituted a new process of identifying assessment tools, at the same time that a GAO expert testified that DHS had made progress in improving its processes for conducting critical infrastructure assessments, but told members of a House subcommittee that further enhancements are needed.190
Recommendations
With President Obama no longer in office, it is up to the next Administration to deal with the challenge of safeguarding our network of critical infrastructure sectors against physical and cyber-attacks. Accordingly, President Trump should ask his Homeland Security Secretary to undertake the following steps.191
- Improve the safety of our critical infrastructure against terrorism… Pull together a panel of federal, industry, and academic experts to examine how the nation can improve its defenses against physical and/or cyber-attacks by intelligent adversaries, develop mutually reinforcing strategies for physical and cybersecurity protection and resilience, and take steps to enhance these strategies by applying currently available methods as well as harnessing new technologies, with funds available for government initiatives and federal financial support for private stakeholders.
- Ensure that critical sectors are actually “critical”… Apply strict criteria so that only targets whose disruption or destruction would have national implications are identified as “critical,” ensure that these assets are given federal attention and resources to safeguard them from terrorist attacks, thus narrowing the number of currently categorized critical infrastructures, reducing the number of sectors and/or systems within sectors, and reorienting the sector construct as appropriate.
- Develop a risk method for informed infrastructure decisions… With assistance from a panel of experts, formulate a common risk concept acceptable to government and industry that can be adapted as necessary for each of the systems in each sector, and also provide a credible, transparent, reproducible, and accurate cross-sector risk methodology for discovering weaknesses, ensuring that priorities are established, and allocating resources in a balanced manner.
- Develop policies for measuring progress… Assign high priority to development of a set of outcome-based measures and metrics that can enable the Department to rate how well each of the truly critical sectors have been protected against a spectrum of physical and cyber terrorist threats, including their resiliency if attacked in terms of degradation speed and recovery rate.
- Getting Congress on Board… Work diligently with Congressional leaders on both sides of the aisle to pass legislation that supports policies and programs to make our critical infrastructure more secure against physical as well as cyber-attacks from terrorists and violent extremists, avoiding overregulation that can tie the President’s hands and alienate the private sector.
If the above recommendations are heeded, we may be able to properly if not perfectly prepare the nation to defend its truly critical infrastructure from deliberate attacks, even as our adversaries develop new offensive tactics and technologies to counter our defenses and attack these targets. If this is not done, the incoming administration will continue to try and protect too many non-critical systems at the expense of defending those targets that have national significance, will fail to forge a cohesive national effort in securing our infrastructure by not gaining needed cooperation between government and industry, and will establish more commissions that keep going over the same old issues – with decision-makers staying in the same place no matter how hard they try to move ahead, as if they were running on a “human treadmill.”192
What is needed to break this cycle is clear and convincing support from the next President, DHS, and other federal agencies with responsibilities for protecting critical infrastructure systems from attacks; private owners and operators who cooperate with the federal government in reducing the risks to our infrastructure; and a bipartisan Congress that will pass legislation necessary for protecting critical sectors without encumbering private owners with mandates that limit their capability and creativity. In sum, by implementing cost effective, risk-informed protective and resilience measures, we should be able to prevent, mitigate the effects of, and respond to future attacks by terrorists and violent extremists that could adversely impact the functioning of our government, businesses, transportation and communication systems, energy supplies and distribution, and essential public services.
About The Author
Jerome H. Kahan is an independent analyst with over 40 years of experience in national and homeland security, having held senior positions in government and the private sector. At the State Department, he was a member of the Policy Planning Staff, Deputy Assistant Secretary for Intelligence and Research, and Counselor with the U.S. Embassy in Turkey. Mr. Kahan has also worked as a Senior Fellow with various research organizations, including the Brookings Institution, where he wrote or contributed to books and articles, and the Homeland Security Studies and Analysis Institute, where he managed projects on risk, resilience, and terrorism. Mr. Kahan taught as an Adjunct Professor at Georgetown University, and has been a member of the Council on Foreign Relations and the International Institute of Strategic Studies. He has a master’s degree from Columbia University in Electrical Engineering and a Bachelor of Science Degree from Queens College. He may be reached at jhkahan@cox.net.
Notes
1 Fact Sheet, NIPP 2013: Partnering for Critical Infrastructure Security and Resilience, https://www.dhs.gov/sites/default/files/publications/NIPP_FactSheet_0.pdf .
2 Senator Patrick Leahy, “International Terrorism: The Threat to the United States,” Remarks to the Senate, Congressional Record, S1642, February 26, 1990, http://fas.org/irp/congress/1990_cr/s900226-terror.htm .
3 Kathy Ann Brown, Critical Path: A Brief History of Critical Infrastructure Protection in the United States, Spectrum Publishing Group, Inc. (Fairfax, Virginia, June 2006), 71-72. The last plane was prevented from doing further damage to a target assumed to be somewhere in the nation’s capital, possibly the White House, through heroic actions by passengers who took control, forcing the aircraft to crash into a desolate site taking the lives of all aboard.
4 Judith Miller, “Departing Security Official Issues Warning on Cyber Threats,” Computer Crime Research Center (CDRC), February 2003, http://www.crime-research.org/news/2003/02/Mess0601.htm.
5 James R. Clapper, Director National Intelligence, Worldwide Threat Assessment of the US Intelligence Community, Statement Before Senate Armed Services Committee, (Washington, DC, February 9, 2016), https://www.armed-services.senate.gov/imo/media/doc/Clapper_02-09-16.pdf .
6 Congressional Budget Office, Public Works Infrastructure: Policy Considerations for the 1980s, (Washington, DC, April 26, 1983), https://www.cbo.gov/sites/default/files/98th-congress-1983-1984/reports/doc20-entire.pdf .
7 Congressional Budget Office, Issues and Options in Infrastructure Investment, CBO Paper, (Washington, DC, May 2008), https://www.cbo.gov/sites/default/files/110th-congress-2007-2008/reports/05-16-infrastructure.pdf .
8 John Moteff, et al., Critical Infrastructures: What Makes an Infrastructure Critical? Report for Congress, Congressional Research Service, (Washington, DC, January 29, 2003), http://fas.org/irp/crs/RL31556.pdf .
9 Federal Emergency Management Agency, Surveillance Targets, (Department of Homeland Security, Washington, DC, n.d.), https://emilms.fema.gov/is914/SD0101100text.htm . Terrorists historically have focused their attention on such critical infrastructure targets as government and financial centers, political and economic targets, national icons, and other places where large numbers of people gather, often conducting surveillance of possible targets prior to conducting attacks.
10 US Department of Justice, The USA PATRIOT Act: Preserving Life and Liberty, (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism), (Washington, DC, October 26, 2001), https://www.justice.gov/archive/ll/what_is_the_patriot_act.pdf .
11 Joshua Sinai, “New Trends in Terrorism’s Targeting of the Business Sector,” Mackenzie Institute, (Syracuse, NY, May 5, 2016), http://mackenzieinstitute.com/new-trends-in-terrorisms-targeting-of-the-business-sector/ .
12 Department of Homeland Security, “What Is Critical Infrastructure?” (Washington, DC, January 8, 2016), https://www.dhs.gov/what-critical-infrastructure .
13 Department of Homeland Security, “Critical Infrastructure Sectors,” (Washington, DC, October 27, 2015), https://www.dhs.gov/critical-infrastructure-sectors .
14 The USA PATRIOT ACT, http://www.olcu.org/PDFs/USPatriotAct_Summary.pdf . This Act, an acronym for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism, has the purpose of deterring and punishing terrorist acts, enhancing law enforcement investigatory capabilities, and ensuring that financial institutions establish effective programs to fight money laundering. SEC. 1016 includes reference to the Critical Infrastructure Protection Act of 2001, whereby Congress made findings that inter alia “A continuous national effort is required to ensure the reliable provision of cyber and physical infrastructure services critical to maintaining the national defense, continuity of government, economic prosperity, and quality of life in the United States…[and recommended] that any physical or virtual disruption of the operation of the critical infrastructures of the United States be rare, brief, geographically limited in effect, manageable, and minimally detrimental to the economy, human and government services, and national security of the United States […to] be carried out in a public-private partnership involving corporate and non-governmental organization….” This Act defined critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” Page 115 STAT. 401. The term “key assets” was initially used in the phrase “Critical Infrastructure and Key Assets” (CI/KA) but then “key resources” appeared as in “Critical Infrastructure and Key Resources” (CI/KR) with key assets considered to be subsumed within appropriate critical infrastructure sectors.
See Critical Infrastructure and Key Resources Support Annex, (Department of Homeland Security, January 2008), 31, https://www.fema.gov/pdf/emergency/nrf/nrf-support-cikr.pdf; In addition, see John D. Moteff, Critical Infrastructures: Background, Policy, and Implementation, Congressional Research Service (Washington, DC, June 10, 2015), 7, https://www.fas.org/sgp/crs/homesec/RL30153.pdf .
15 John Moteff, Critical Infrastructure: The National Asset Database, (Congressional Research Service, Washington, DC, Updated July 16, 2007), 7 https://www.fas.org/sgp/crs/homesec/RL33648.pdf .
16 Office of Inspector General, Department of Homeland Security, Progress in Developing The National Asset Database, (Washington, DC, June 20, 2006), https://www.nytimes.com/packages/pdf/politics/20060711_DHS.pdf .
17 National Critical Infrastructure Prioritization Program, IT Law Wiki, http://itlaw.wikia.com/wiki/National_Critical_Infrastructure_Prioritization_Program .
18 Ted G. Lewis, Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation, 2nd Edition: (Hoboken, New Jersey: John Wiley & Sons, November 2014) chs 1, 3.
19 PUBLIC LAW 110–53, Improving Critical Infrastructure Security, National Asset Database, An Act To Provide for the Implementation of the Recommendations of the National Commission on Terrorist Attacks Upon the United States, 110th Congress, 121 STAT. 266, TITLE X, August 3, 2007, https://www.nctc.gov/docs/ir-of-the-9-11-comm-act-of-2007.pdf .
20 Office of the Inspector General, Efforts to Identify Critical Infrastructure Assets and Systems, (Department of Homeland Security, June 30, 2009), https://www.oig.dhs.gov/ .
21 Government Accountability Office, Critical Infrastructure Protection: DHS List of Priority Assets Needs to Be Validated and Reported to Congress, (Washington, DC, March 25, 2013), http://www.gao.gov/products/GAO-13-296 .
22 Department of Homeland Security, “What is Critical Infrastructure?” (Washington, DC, August 26, 2015), http://www.dhs.gov/what-critical-infrastructure .
23 John Hayward, “Defining Terrorism,” Red State, April 16, 2013, http://www.redstate.com/jhayward13/2013/04/16/defining-terrorism/ . The official list of violent extremist entities includes sovereign citizen and anti-government fanatics as well as racists, bigots, anarchists, white supremacists, right and left-wing radicalists, neo-Nazi fascists, domestic militias, anti-religious zealots, anti-abortion extremists, civil liberties advocates, and even environmental activists. U.S. Code: Title 6 – Domestic Security, https://www.law.cornell.edu/uscode/text/6 .
24 The White House, The National Strategy for the Physical Protection of Critical Infrastructure and Key Assets, (Washington, DC, February 2003), 7, https://www.dhs.gov/xlibrary/assets/Physical_Strategy.pdf .
25 Brian Jenkins, “The Implications of the Paris Terrorist Attack for American Strategy in Syria and Homeland Security,” Testimony presented before the Senate Homeland Security and Governmental Affairs Committee, RAND Office of External Affairs, (Washington, DC, November 19, 2015), http://www.rand.org/content/dam/rand/pubs/testimonies/CT400/CT445/RAND_CT445.pdf. See also Philip Auerswald et al., The Challenge of Protecting Critical Infrastructure, Issues in Science and Technology, Vol XXI, (1), Fall 2005, http://issues.org/22-1/auerswald/ .
26 Potential Terrorist Attack Methods, Joint Special Assessment, DHS/Homeland Infrastructure Threat and Risk Analysis Center and FBI/Threat Analysis Unit, (Washington, DC, April 23, 2008), http://nsarchive.gwu.edu/nukevault/ebb388/docs/EBB015.pdf .
27 Lord Lyell, Chemical and Biological Weapons: The Poor Man’s Bomb, General Rapporteur, Draft General Report, Section II, North Atlantic Assembly International Secretariat, October 4, 1996, http://fas.org/irp/threat/an253stc.htm. The simplest forms of chemical agents are elements or compounds such as chlorine, hydrogen cyanide, and mustard gas, while more powerful agents much more difficult to produce, handle, and deliver include sarin and VX. Some biological agents are even more toxic than chemical agents, and include viruses and bacteria, some of which are more effective and hard to produce and deliver and handle such as anthrax, bubonic plague, and typhus. Delivery devices can include bombs that release agents when exploded, aerosol sprayers, and punctured plastic containers as used in the Tokyo subway system attack in 1995. See Tomohiro Osaki, “Deadly Sarin Attack on Tokyo Subway System 20 years Earlier Recalled,” Japanese Times, March 20, 2015, http://www.japantimes.co.jp/news/2015/03/20/national/tokyo-marks-20th-anniversary-of-aums-deadly-sarin-attack-on-subway-system/#.vp5bfof2zv5 .
28 Ibid., 30.
29 To understand how the nation’s infrastructure can be considered a complex system that is difficult to analyze, see Yaneer Bar-Yam, Dynamics of Complex Systems, Studies in Nonlinearity, First Edition, (Boulder CO: Westview Press: 1997), http://necsi.edu/publications/dcs/ . See also, John Robles, et al., “Common Threats and Vulnerabilities of Critical Infrastructures,” International Journal of Control and Automation, Vol 1(1), 17-22, https://www.researchgate.net/publication/46212902_Vulnerability_reduction_of_infrastructure_reconstruction_projects .
30 Luca Montanari & Leonardo Querzoni (Eds.), Critical Infrastructure Protection: Threats, Attacks and Countermeasures, TENACE Project (protect national critical infrastructures from cyber threats), March 2014. This concern was reflected in the conclusion reached in a 2012 study by the Federal Energy Regulatory Commission (FERC) that if coordinated attacks against the U.S. power grid managed to disable only a small number of the nation’s 55,000 electric substations, this could result in “coast-to-coast blackouts lasting 18 months or more.” Rebecca Smith, “U.S. Risks National Blackout From Small-Scale Attack Federal Analysis Says Sabotage of Nine Key Substations Is Sufficient for Broad Outage,” The Wall Street Journal, March 12, 2014, http://www.wsj.com/news/articles/SB10001424052702304020104579433670284061220 . The FERC Study, in turn, confirms the work of modeling experts who found that an adversary looking to disrupt our electric power grid would only need to target certain substations to initiate a cascading failure. See Paulo Shakarian, et al., “Power Grid Defense Against Malicious Cascading Failure,” EECS and Network Science Center, U.S. Military Academy, West Point, NY, January 6, 2014, http://www.usma.edu/nsc/siteassets/sitepages/publications/power_grid_def.pdf .
31 Jose Paglier, “ISIS is Attacking the U.S. Energy Grid (and Failing),” CNN Money, October 16, 2015, http://money.cnn.com/2015/10/15/technology/isis-energy-grid/. A best-selling book by Ted Koppel, Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath, published in 2015, argues there is a high likelihood of a cyber-attack on the nation’s power grid that would result in catastrophic consequences, an incident for which he believes we are totally unprepared. However, this frightening conclusion was not based on much evidence or expert opinion, and as one reviewer put it, what little substance the book has “is misleading and ill-informed.” See William Pentland, “A Review Of Ted Koppel’s ‘Lights Out!,” “Forbes Magazine, April 24, 2016, http://www.forbes.com/sites/williampentland/2016/04/24/a-review-of-ted-koppels-lights-out/#2a2beda0e686.
32 David Riedman, “Questioning the Criticality of Critical Infrastructure: A Case Study Analysis,” Homeland Security Affairs 12, Essay 3, May 2016, https://www.hsaj.org/articles/10578 .
33 Laurence W. Zensinger, “Protecting Infrastructure Against Attack,” BE Magazine, Vol 2(1), http://www.dewberry.com/docs/defaultsource/documents/protecting_infrastructure_against_attack_1.pdf . Steps that can prevent cascading effects include hardening enclosures for critical transformers and more sophisticated solutions such as developing “self-healing” grid systems or deploying a nationwide system in which a failure in one sector would cause the overall system to break into a series of isolated “islands” that can preclude further cascading leading to a nationwide blackout. Massoud Amin & Phillip F. Schewe, “Preventing Blackouts: Building a Smarter Power Grid,” Scientific American, August 13, 2008, http://www.scientificamerican.com/article/preventing-blackouts-power-grid .
34 Department of Homeland Security, Potential Terrorist Threat to the U.S. Information Infrastructure, Homeland Security Assessment, Critical Infrastructure Threat Analysis Division, June 5, 2007, https://cryptome.org/ii-threat.pdf .
35 Joseph Nye, “Power and National Security,” in Cyberspace Security and Prosperity in the Information Age, Vol II, CNAS America’s Cyber Future, June 2011, 181, https://www.cnas.org/files/documents/publications/CNAS_Cyber_Volume%20II_2.pdf .
36 Taylor Armerding, “U.S. Rattles Preemptive Cyberattack Saber,” CSO, October 18, 2012, http://www.csoonline.com/article/2132403/malware-cybercrime/u-s–rattles-preemptive-cyberattack-saber.html (CSO provides news, analysis and research on security and risk management).
37 Sandor Vegh, “Hacktivists or Cyberterrorists? The Changing Media Discourse on Hacking,” First Monday, Vol. 7, (10), October 2012, http://firstmonday.org/article/view/998/919#author . “Recently, terrorists have indeed been using cyberspace as a means for intruding into many of our infrastructure assets to create confusion and gather sensitive information, whether launched from afar by trained terrorists or from home computers close to targets possibly instigated by insiders.” Remarks by FBI Director James B. Comey, International Conference on Cyber Security, Fordham University, New York, January 7, 2015, https://www.fbi.gov/news/speeches/addressing-the-cyber-security-threat .
38 Gregory C. Wilshusen, “Cybersecurity: Threats Impacting the Nation,” Testimony Before the Subcommittee on Oversight, Investigations, and Management, Committee on Homeland Security, House of Representatives, (Washington, DC, Government Accountability Office, April 24, 2012), https://homeland.house.gov/files/Testimony-Wilshusen.pdf .
39 James Andrew Lewis, “Cyber Threat and Response: Combating Advanced Attacks and Cyber Espionage,” (Washington, DC, Center for Strategic and International Studies, March 2014), https://www.ciaonet.org/attachments/24819/uploads .
40 Andrew Hildick-Smith, “Security for Critical Infrastructure SCADA Systems,” GSEC Practical Assignment, Version 1.4c, Option 1, SANS Institute InfoSec Reading Room, February 23, 2005, https://www.sans.org/reading-room/whitepapers/warfare/security-critical-infrastructure-scada-systems-1644 .
41 National Academies Press, Terrorism and the Electric Power Delivery System, Board on Energy and Environmental Systems, Division on Engineering and Physical Sciences, (Washington DC, November 14, 2012), http://sites.nationalacademies.org/cs/groups/depssite/documents/webpage/deps_073368.pdf .
42 National Risk Estimate: Risks to U.S. Critical Infrastructure from Insider Threat, Homeland Infrastructure Threat and Risk Analysis Center (HITRAC), Executive Summary, (Washington, DC, December 2013), 11, %20Risks%20to%20US%20Critical%20Infrastructure%20from%20Insider%20Threat%20-%2023%20Dec%2013.pdf.
43 Tom Williams, “Countering the Terrorism Cyber-Threat,” Infosecurity Magazine, November 13, 2015, http://www.infosecurity-magazine.com/blogs/countering-the-terrorism/ .
44 The White House, Memorandum for the Vice President, etc., Subject: U.S. Policy on Counterterrorism, From William J. Clinton, (Washington, DC, June 21, 1995), http://fas.org/irp/offdocs/pdd39.htm .
45 Executive Order 13010, Critical Infrastructure Protection, (Washington, DC, July 15, 1996), http://fas.org/irp/offdocs/eo13010.htm.
46 This Executive Order created an interim Infrastructure Protection Task Force (IPTF) within the Department of Justice and chaired by the FBI in order to “increase coordination of existing infrastructure protection efforts in order to better address, and prevent, crises that would have a debilitating regional or national impact.” Note that IPTF’s functions were later encompassed into the FBI’s National Infrastructure Protection Center (NIPC).
47 Critical Foundations: Protecting America’s Infrastructures, The Report of the President’s Commission on Critical Infrastructure Protection (PCCIP), (Washington, DC, October 1997), https://www.fas.org/sgp/library/pccip.pdf.
48 The White House, Presidential Decision Directive-63: Critical Infrastructure Protection, May 22, 1998, http://fas.org/irp/offdocs/pdd/pdd-63.htm . The associated White Paper can be found at http://fas.org/irp/offdocs/paper598.htm .
49 The eight categories in PDD-63, recommended by the Presidential Commission, were telecommunications, electrical power, gas and oil storage and transportation, banking and finance, transportation, water supply, emergency services, and government services. Interestingly, these same sectors had already been identified on November 18, 1988 by a Critical Infrastructures Working Group (CIWG) established to help implement President Reagan’s Executive Order 12656 on National Emergencies. http://www.lawandfreedom.com/site/constitutional/execorders/EO12656Syn.pdf .
50 Critical Infrastructures Coordinating Group, ITLaw, http://itlaw.wikia.com/wiki/Critical_Infrastructure_Coordination_Group. See also U.S. Department of Commerce, Critical Infrastructure Protection: Early Strides Were Made, but Planning and Implementation Have Slowed, Office of Inspector General, (Washington, DC, August 2000), 3, https://www.oig.doc.gov/OIGPublications/OS-OSE-12680-08-2000.pdf .
51 Encyclopedia of Espionage, Intelligence, and Security, Critical Infrastructure Assurance Office (CIAO), 2004, http://www.encyclopedia.com/doc/1G2-3403300196.html. After the terrorist attacks of September 11, 2001, CIAO’s mission became even more critical to national security, and in early 2003 its functions were incorporated into the newly created Department of Homeland Security (DHS).
52 Larry Mefford, Assistant Director, Statement Before the Subcommittee on National Security, Veterans Affairs, and International Relations, House of Representatives Committee on Government Reform, (Cyber Division, Federal Bureau of Investigation, Washington, DC, June 11, 2002), https://archives.fbi.gov/archives/news/testimony/nipcs-role-in-the-new-department-of-homeland-security . The “NIPC Watch” is staffed by representatives from a dozen federal government agencies, and partners with the General Services Administration’s Federal Computer Incident Response Capability (FedCIRC) to further secure our government technology systems and services. NIPC was transferred to DHS in 2003 and eventually disbanded as other federal government organizations took on its responsibilities. See National Infrastructure Protection Center, www.nipc.gov .
53 ISACs are “trusted entities established by… CI/KR… owners and operators to provide comprehensive sector analysis, which is shared within the sector, with other sectors, and with government. …The National Council of ISACs … has the goal of developing trusted relationships among the sectors, and addressing common issues and concerns. …Existing ISACs cover fields including Communications, Electricity, Financial Services, Information Technology, National Health, Oil and Natural Gas, Surface Transportation, and Public Transit. The National Council provides opportunities for valuable sector and cross-sector interactions, sharing of intelligence information, and countermeasure solutions.” National Council of ISACs, 2013, http://www.isaccouncil.net/home.html.
54 Marcia L. McGowan, “15 Years after Presidential Decision Directive (PDD) 63,” Booz-Allen Company News, May 22, 2013, http://www.boozallen.com/media-center/company-news/2013/05/15-years-after-pdd63-blog-post.
55 The White House, Presidential Decision Directive-62, Critical Infrastructure Protection, (Washington, DC, May 22, 1998), http://fas.org/irp/offdocs/pdd/pdd-63.htm .
56 PDD-62 also established the position of “National Coordinator for Security Infrastructure Protection and Counter-terrorism to oversee such relevant policies and programs as counter-terrorism, protection of critical infrastructure, preparedness […and also to] chair the Critical Infrastructure Coordination Group (CICG).”
57 President W. J. Clinton, Defending America’s Cyberspace: National Plan for Information Systems Protection, Version 1.0, An Invitation to a Dialogue, (The White House, Washington, DC, 2000), http://fas.org/irp/offdocs/pdd/CIP-plan.pdf . As called for in PDD-63, the first version was supposed to achieve initial operating capability (IOC) by December 2000 and full operating capability (FOC) by May 2003, but this never came to pass, nor were the additional versions that had been promised ever published.
58 The full set of proposals included “Identify Critical Infrastructure Assets and Shared Interdependencies…; Detect Attacks and Unauthorized Intrusions; Develop Robust Intelligence and Law Enforcement Capabilities; Share Attack Warnings and Information…; Create Capabilities for Response, Reconstitution, and Recovery;…Make Americans Aware of the Need for Improved Cyber-Security; Adopt Legislation and Appropriations; and Ensure the Full Protection of American Citizens’ Civil Liberties…” National Plan for Information Systems Protection, Executive Summary, xii.
59 Government Accountability Office, Critical Infrastructure Protection, Comments on the National Plan for Information Systems Protection, (Washington, DC, 2000), http://www.gao.gov/new.items/d011158t.pdf .
60 Brown, Critical Path, xiv.
61 US Department of Justice, The USA PATRIOT Act.
62 Office of Homeland Security, National Strategy for Homeland Security, (Washington, DC, July 2002), 29-36, https://www.dhs.gov/sites/default/files/publications/nat-strat-hls-2002.pdf. In October 2007, President Bush issued an updated version that included a renewed commitment to protect our CI/KR from natural disasters as well as terrorist attacks. No more versions of this document were produced by Bush or later by Obama.
63 Public Law 107–296, An Act to Establish the Department of Homeland Security, (107th Congress, Washington, DC, November 25, 2002), https://www.dhs.gov/sites/default/files/publications/hr_5005_enr.pdf. See Janet Napolitano, “The Department’s Five Responsibilities,” (Department of Homeland Security, Washington, D.C., June 8, 2009), https://www.dhs.gov/blog/2009/06/08/department%E2%80%99s-five-responsibilities .
64 Senator Susan Collins, Hearings on “Critical Infrastructure Protection: Who’s in Charge,” (Senate Committee on Governmental Affairs, Washington, DC, October 1, 2002), 5, http://www.gpo.gov/fdsys/pkg/CHRG-107shrg77434/pdf/CHRG-107shrg77434.pdf .
65 George W. Bush, National Strategy for Physical Protection of Critical Infrastructure and Key Assets, (The White House, Washington, DC, February 2003), 2, https://www.dhs.gov/xlibrary/assets/Physical_Strategy.pdf .
66 President G.W. Bush, Homeland Security Presidential Directive-7: Critical Infrastructure Identification, Prioritization, and Protection, (Washington, DC, December 17, 2003), http://www.dhs.gov/homeland-security-presidential-directive-7 .
67 Ibid.
68 The White House, Executive Order 13231, Critical Infrastructure Protection in the Information Age, (Washington, DC, October 16, 2001), https://www.dhs.gov/xlibrary/assets/executive-order-13231-dated-2001-10-16-initial.pdf1 . These objectives served as strict criteria similar to those set by Clinton in PDD-63. As one of its many elements, this Executive Order also created the Critical Infrastructure Protection Board (CIPB) with the purpose of initiating and coordinating “policies and programs for protecting critical infrastructures and their information systems against cyber strikes by terrorists.” Federal Register, President’s Critical Infrastructure Protection Board, October 16, 2001, https://www.federalregister.gov/agencies/president-s-critical-infrastructure-protection-board .
69 Dennis Fisher, “Cyber Plans Future Bleak,” EWeek, February 24, 2003, http://www.eweek.com/c/a/Security/Cyber-Plans-Future-Bleak .
70 Presidential Directive 54/Homeland Security Presidential Directive 23 (declassified) (The White House, Washington, DC, 2008), http://fas.org/irp/offdocs/nspd/nspd-54.pdf .
71 Ellen Nakashima, “Bush Expands Network Monitoring,” Washington Post, January 8, 2008, http://www.washingtonpost.com/wpdyn/content/article/2008/01/25/AR2008012503261.html . A month later, towards the end of his Presidency, Bush created the National Cybersecurity Center (NCSC), a DHS unit tasked with coordinating cybersecurity activities throughout the government. Ben Bain, “DHS Plans Wiki for Agencies, Cybersecurity Centers to Coordinate Efforts,” GCN Magazine, August 17, 2009, https://gcn.com/articles/2009/08/17/web-cyber-ops-wiki.aspx . A year later, GAO reported that progress had been made in implementing the CNCI, but concluded that challenges remained in defining the roles of various agencies and entities, noting that the NCSC had not yet become fully operational and that its “unique responsibilities” were unclear. “Progress Made but Challenges Remain in Defining and Coordinating the Comprehensive National Initiative,” (Government Accountability Office, Washington, DC, March 2010), http://www.gao.gov/new.items/d10338.pdf… .
72 The White House, Remarks by the President on Securing Our Nation’s Cyber Infrastructure, Office of the Press Secretary, May 29, 2009, https://www.whitehouse.gov/the-press-office/remarks-president-securing-our-nations-cyber-infrastructure .
73 The White House, Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure, Executive Summary, V, (Washington, DC, 2009), https://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf. Note that “President Obama had absorbed the classified Comprehensive National Cybersecurity Initiative (CNCI) launched by President Bush into his more comprehensive national cybersecurity strategy, and soon declassified most of this earlier initiative.” See Jaikumar Vijayan, “Obama Administration Partially Lifts Secrecy on Classified Cybersecurity Project,” Computerworld, March 2, 2010, http://www.computerworld.com/article/2520273/cybercrime-hacking/obama-administration-partially-lifts-secrecy-on-classified-cybersecurity-project.html .
74 Government Accountability Office, Report to Congressional Requesters, “Executive Branch Is Making Progress Implementing 2009 Policy Review Recommendations, but Sustained Leadership Is Needed,” (Washington, DC, October 2010), http://www.gao.gov/new.items/d1124.pdf.
75 The White House, National Security Strategy, (Washington, DC, May 2001), 18, https://www.whitehouse.gov/sites/default/files/rss_viewer/national_security_strategy.pdf.
76 Summary of the Cybersecurity Act of 2012, S.2105, (112th Congress, Washington, DC, 2011-2012), https://www.congress.gov/bill/112th-congress/senate-bill/2105.
77 See Ellen Nakashima, “Obama Signs Secret Directive … to Help Thwart Cyberattacks,” Washington Post, November 14, 2012, https://www.washingtonpost.com/world/national-security/obama-signs-secret-cybersecurity-directive-allowing-more-aggressive-military-role/2012/11/14/7bf51512-2cde-11e2-9ac2-1c61452669c3_story.html.
78 Barack Obama, EO 13636 – Improving Critical Infrastructure Cybersecurity, (The White House, Washington, DC, February 13, 2013), https://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.
79 Jennifer Huergo, “NIST Releases Cybersecurity Framework: Version 1.0,” (U.S. Department of Commerce, Washington, DC, February 12, 2014), http://www.nist.gov/itl/csd/launch-cybersecurity-framework-021214.cfm.
80 NIST, Cybersecurity Framework Frequently Asked Questions, Framework Basics, https://www.nist.gov/cyberframework/cybersecurity-framework-faqs-framework-basics#framework. Numerous issues need to be addressed in terms of the future of cybersecurity standards, including issues of information sharing and whether NIST should remain in charge. See Mark Francis, “The Future of the NIST Cybersecurity Framework,” The Privacy Advisor, April 25, 2016, https://iapp.org/news/a/the-future-of-the-nist-cybersecurity-framework/.
81 Government Accountability Office, Cybersecurity National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented, Report to Congressional Addressees, (Washington, DC, February 14, 2013), http://www.gao.gov/products/GAO-13-187.
82 Stephen L. Caldwell and Gregory C. Wilshusen, “Observations on Key Factors in DHS’s Implementation of Its Partnership Approach,” Testimony Before the Committee on Homeland Security and Governmental Affairs, U.S. Senate, (Washington, DC, March 26, 2014), https://searchworks.stanford.edu/view/10703024.
83 Fact Sheet: Cybersecurity National Action Plan, 2016, Associated Press, February 9, 2016, https://www.whitehouse.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan .
84 Ibid. CNAP also established a National Center for Cybersecurity Resilience, where companies can test their security system “in a controlled environment before deploying to the real-world.” Evan D. Wolff, “Highlights Of Obama’s Ambitious New Cybersecurity Plan,” Law 360, February 10, 2016, http://www.law360.com/articles/757763/highlights-of-obama-s-ambitious-new-cybersecurity-plan.
85 The White House, Executive Order — Commission on Enhancing National Cybersecurity, (Washington, DC, February 9, 2016), https://www.whitehouse.gov/the-press-office/2016/02/09/executive-order-commission-enhancing-national-cybersecurity . As part of its research plan, various commissioners are holding a series of meetings around the country with business leaders and cyber experts “to discuss the opportunities for and challenges to innovation and collaboration to strengthen cybersecurity in the digital economy.” See “Meeting of the Commission on Enhancing National Cybersecurity,” UC Berkeley Center, June 21, 2016, https://www.youtube.com/watch?v=9wGxZEEqAxc.
86 Thomas E. Donilon and Samuel J. Palmisano, Report on Securing and Growing the Digital Economy: Commission on Enhancing National Cybersecurity, (Washington, DC, December 1, 2016), https://www.nist.gov/sites/default/files/documents/2016/12/02/cybersecurity-commission-report-final-post.pdf.
87 Ibid.
88 The White House, Statement by the President on the Report of the Commission on Enhancing National Cybersecurity, December 2, 2016, https://www.whitehouse.gov/the-press-office/2016/12/02/statement-president-report-commission-enhancing-national-cybersecurity.
89 Andy Ozment, “Federal Cybersecurity Detection, Response, and Mitigation,” Written Testimony of Assistant Secretary NPPD, Office of Cybersecurity and Communications, for the House Committee on Oversight and Government Reform, Subcommittee on Information Technology, (Washington, DC, April 20, 2016), https://www.dhs.gov/news/2016/04/20/written-testimony-nppd-house-oversight-and-government-reform-subcommittee.
90 W. Warner Burke (Ed) et al., Organization Change: A Comprehensive Reader, (New York: John Wiley & Sons, December 10, 2008), 4. Remember that “rearranging deckchairs on the Titanic” means dealing with relatively unimportant organizational changes while ignoring more serious, substantive problems – or, in the case of the Titanic, avoiding the iceberg or saving lives after the accident. The phrase is used to say that someone is wasting time on things that are not important while ignoring a much more serious problem.
91 The 11 sectors found in the 2002 National Plan for Homeland Security – based upon the eight sectors highlighted in Clinton’s PDD-63 with additional entries, some name changes, and adjusted groupings – included Agriculture and Food; Water; Emergency Services; Public Health; Energy; Transportation; Banking and Finance; Telecommunications; Postal and Shipping; Governmental Institutions; Defense Industrial Base; and Chemicals and Hazardous Materials. The full list of the 17 sectors found in HSPD-7 covers Agriculture and Food; Drinking Water and Water Treatment Systems; Public Health; Energy; Banking and Finance; Chemical; Defense Industrial Base; Emergency Services; Commercial Nuclear Reactors, Materials and Waste; Information Technology; Telecommunications; Postal and Shipping; Government Facilities; Commercial Facilities; Transportation Systems; Dams; and Monuments and Icons. See CI/KR Support Annex, January 2008, https://www.fema.gov/pdf/emergency/nrf/nrf-support-cikr.pdf.
92 David J. Teumim mentioned the addition of Critical Manufacturing in his book, Industrial Network Security, second edition, (Research Triangle Park, NC: ISA Books, 2010), 5.
93 Barack Obama, Presidential Policy Directive PPD-21 – Critical Infrastructure Security and Resilience, (Washington, DC, February 12, 2013), https://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil. PPD-21 “made some adjustments to sector designations: adjustments made included treating National Monuments and Icons as a subsector of Government Facilities; designating Postal and Shipping as a subsector of Transportation; renaming Banking and Finance as Financial Services; and referring to Drinking Water and Water Treatment as Water and Waste Water Systems.” See John D. Moteff, Critical Infrastructures, 18-19.
94 Department of Homeland Security, Sector-Specific Agencies, https://www.dhs.gov/sector-specific-agencies, and Department of Homeland Security, National Infrastructure Protection Plan, Sector-Specific Plans https://www.dhs.gov/xlibrary/assets/nipp_sctrplans.pdf . Although DHS proposed that small-scale owners and operators participate in sector protection planning and coordination, this group remained insufficiently represented in the various councils,” due to opposition from the larger companies. Jena Baker McNeill and Richard Weitz, “How to Fix Homeland Security Critical-Infrastructure Protection Plans: A Guide for Congress,” Heritage Foundation (2010), http://www.heritage.org/research/reports/2010/04/how-to-fix-homeland-security-critical-infrastructure-protection-plans-a-guide-for-congress.
95 Department of Homeland Security, Sector Coordinating Councils, https://www.dhs.gov/scc and Government Coordinating Councils, https://www.dhs.gov/gcc.
96 Formed in 1999, The Partnership for Critical Infrastructure Security is a private, non-profit organization “to address cross-sector and interdependency issues of critical infrastructure owners and operators.” http://www.sheriffs.org/sites/default/files/uploads/documents/pcis_fact_sheet_02_12.pdf. The Critical Infrastructure Partnership Advisory Council (CIPAC) was established in March 2010, with responsibilities as found in the Critical Infrastructure Cross Sector Council Charter, which included overseeing the Cross Sector Council. https://www.dhs.gov/sites/default/files/publications/cipac-cross-sector-council-charter-2015-508.pdf.
97 Considering specific threats to the asset, trained experts from DHS’s Protective Security Coordination Division (PSCD) conduct site visits “to identify security gaps and provide options for consideration to mitigate these identified gaps, […identifying] vulnerabilities that may be associated with physical (e.g., no barriers or alarm systems), cyber (e.g., lack of a firewall), or human factors (e.g., untrained guards). In addition, Protective Security Advisors (PSAs) and Cybersecurity Advisors (CSAs) based in the field provide advice to private owners and operators across the nation in how to lower vulnerabilities and beef up the security and resilience of their infrastructure.” Department of Homeland Security, Protective Security Coordination Division, https://www.dhs.gov/about-protective-security-coordination-division.
98 Chris Currie, DHS Has Made Progress in Enhancing Critical Infrastructure Assessments, but Additional Improvements are Needed, Statement Before the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Committee on Homeland Security, House of Representatives, (Government Accountability Office, Washington, DC, July 12, 2016), http://www.gao.gov/products/GAO-16-791T. DHS inherited the National Infrastructure Simulation and Analysis Center (NISAC), which, with assistance from national laboratories, has continued to conduct modeling, simulation, and analysis of critical infrastructure systems to help understand their complexity and facilitate modifications that can mitigate threats to such systems. About the National Infrastructure Simulation and Analysis Center, (Department of Homeland Security, Washington, DC, June 27, 2016), https://www.dhs.gov/about-national-infrastructure-simulation-and-analysis-center. “NISAC’s Fast Analysis and Simulation Team (FAST) provides practical information within severe time constraints in response to issues of immediate national importance […, such as] the consequences of infrastructure interdependencies, and potential economic impacts.” One such challenge NISAC has investigated, with strong support from Congress, is “how to protect the nation’s diverse and complex transportation sector – aviation, freight rail, highway, maritime, mass transit, passenger rail, and pipelines – that moves, distributes, and delivers billions of passengers and millions of tons of goods each year, making it a highly attractive target for terrorists.” Department of Homeland Security, Transportation Systems Sector-Specific Plan: An Annex to the National Infrastructure Protection Plan, 2010, https://www.dhs.gov/xlibrary/assets/nipp-ssp-transportation-systems-2010.pdf.
99 Presidential Decision Directive-63. As early as 1995, PDD-63 mandated formation of a National Infrastructure Assurance Plan, but this was not produced under Clinton’s Administration. However, the idea found its way into the 2002 Homeland Security Act, the Bush Administration’s 2002 National Strategy for Homeland Security, and then into HSPD-7 leading to the initial NIPP.
100 National Infrastructure Protection Plan, 2006, Executive Summary, 1 (Department of Homeland Security, Washington, DC, 2006), https://www.dhs.gov/xlibrary/assets/NIPP_Plan_noApps.pdf.
101 National Infrastructure Protection Plan: Partnering to Enhance Protection and Resiliency, 2009, (Department of Homeland Security, Washington, DC, 2009), https://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf.
102 Ibid., 7. NIPP 2009 also placed greater importance on cyber security-specific vulnerability assessments and development of methodologies capable of identifying nationally significant cyber systems or networks.
103 National Infrastructure Protection Plan: Partnering for Critical Infrastructure Security and Resilience, (Department of Homeland Security, December 2013), https://www.dhs.gov/sites/default/files/publications/NIPP-Fact-Sheet-508.pdf.
104 Presidential Policy Directive-8: National Preparedness, (Department of Homeland Security, Washington, DC, March 30, 2011), https://www.dhs.gov/presidential-policy-directive-8-national-preparedness.
105 National Infrastructure Protection Plan, 2006, 23.
106 Michael Chertoff, “Second Stage Review Remarks,” (Washington DC, July 13, 2005), http://www.au.af.mil/au/awc/awcgate/dhs/chertoff_stage2.htm.
107 Department of Homeland Security, A Guide to Critical Infrastructure and Key Resources Protection at the State, Regional, Local, Tribal, and Territorial Level, (Washington, DC, September 2008), 31, https://www.dhs.gov/xlibrary/assets/nipp_srtltt_guide.pdf.
108 Government Accountability Office, Risk Management: Further Refinements Needed to Assess Risks and Prioritize Protective Measures at Ports and Other Critical Infrastructure, (Washington, DC, December 2005), 111, http://www.gao.gov/products/GAO-06-91.
109 See summary of Risk Management Framework, National Infrastructure Protection Plan, 2006, https://www.dhs.gov/xlibrary/assets/NIPP_RiskMgmt.pdf.
110 Richard White, “Towards a Unified Homeland Security Strategy: An Asset Vulnerability Model,” Homeland Security Affairs 10, 1 (February 2014):1, https://www.hsaj.org/articles/254.
111 Thomas L. Norman, Risk Analysis and Security Countermeasure Selection, Second Edition, CRC Press, Boca Raton, Florida, July 1, 2015. This new edition covers risk analysis methodologies approved by the U.S. Department of Homeland Security and …how to apply them to other organizations, public and private.
112 These 18 sectors are agriculture and food; defense industrial base; energy; health care and public health; banking and finance; water; commercial facilities; critical manufacturing; emergency services; nuclear reactors, materials, and waste; dams; chemical; information technology; communications; transportation systems; government facilities; postal and shipping; and national monuments and icons. See Chris Currie, DHS Has Made Progress in Enhancing Critical Infrastructure Assessments, 33.
113 The DHS Lexicon, issued by the Office of Risk Management and Analysis (RMA), defines risk as the potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences, but does not present a formula for calculating risk. See Risk Steering Committee, DHS Risk Lexicon: 2010, September 2010, 27, https://www.dhs.gov/xlibrary/assets/dhs-risk-lexicon-2010.pdf.
114 Barry Charles Ezell, et al., “Probabilistic Risk Analysis and Terrorism Risks,” Risk Analysis, 30, no. 4, 2010, https://www.dhs.gov/xlibrary/assets/rma-risk-assessment-technical-publicationThed .pdf.
115 Ted G. Lewis, Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation, 2nd Edition, (Hoboken, NJ: John Wiley & Sons, November 2014), 14. Lewis’s thesis is that “centralized, monopolistic decision-making organizations are giving way to heterogeneous, decentralized decision structures” acting as complex adaptive systems (CAS). See earlier reference to Yaneer Bar-Yam, Dynamics of Complex Systems. See also Peter Fryer, “What are Complex Adaptive Systems? A brief description of Complex Adaptive Systems and Complexity Theory,” Trojan Mice, http://www.trojanmice.com/articles/complexadaptivesystems.htm.
116 See “ASME-ITI Wins Contract to Develop RAMCAP™ Guidelines,” September 14, 2006, http://www.govcon.com/doc/asme-iti-wins-contract-to-develop-ramcap-guid-0001.
117 RAMCAP™ Executive Summary, ASME Innovative Technologies Institute (ITI), 2005, http://files.asme.org/ASMEITI/RAMCAP/12604.pdf. As explained, the method’s “objective, quantitative, standardized approach permits direct comparisons of risk, resilience and the benefits of security, and resilience investments—essential for rational resource allocation—… ranging from assets to sectors, across sectors to regions or national economies, and across time, which is essential for accountability and management of the resulting programs… especially when tailored for specific sectors.”
118 In 2010, ASME reported that the feasibility and scalability of RAMCAP had been demonstrated to DHS, that “the program has fulfilled its objectives, and […that ASME had] terminated its work […for the Department] in this area.” However, an updated version called RAMCAP Plus℠ has continued to sell private owners “an all-hazard risk and resilience management process for critical infrastructure [… that has] been applied to eight sectors ranging from nuclear power plants to water or wastewater systems to university campuses…” See J.P. Brashear and J.W. Jones, Risk Analysis and Management for Critical Asset Protection (RAMCAP Plus), Wiley Handbook of Science and Technology for Homeland Security, 2010, 2:1:1–15, http://onlinelibrary.wiley.com/doi/10.1002/9780470087923.hhs003/abstract.
119 Public Law 110-161, Consolidated Appropriations Act of 2008. Subsequently, a contract between the National Academies and DHS was agreed upon so the NRC review could be done. http://portal.hud.gov/hudportal/documents/huddoc?id=DOC_10191.pdf.
120 National Research Council, Review of the Department of Homeland Security’s Approach to Risk Analysis, National Academies Press, 2010, Chapter 4, http://dels.nas.edu/Report/Review-Department-Homeland/12972. Surprisingly, the NRC did not review the RAMCAP effort that DHS had supported for five years, but merely referred to this method and noted that the reader can consult an explanatory handbook for details.
121 Ibid., Summary, 6.
122 Todd Masse, The Department of Homeland Security’s Risk Assessment Methodology: Evolution, Issues, and Options for Congress, (Congressional Research Service, Washington, DC, February 2, 2007), 7, https://www.fas.org/sgp/crs/homesec/RL33858.pdf.
123 Risk Analysis and Management for Critical Asset Protection (RAMCAP Plus), 60.
124 David L. Alderson, et al., “Solving Defender-Attacker-Defender Models for Infrastructure Defense,” 12th INFORMS Computing Society Conference Computing Society (ICS), 2011, http://faculty.nps.edu/dlalders/docs/ics-2011-p0028-0049.pdf. Game theory is “the study of mathematical models of conflict and cooperation between intelligent rational decision-makers.”
125 Gregg Claycamp, “Expert Judgements in Quality Risk Management: Where Quality Risk Management Can Go Wrong,” Institute of Validation Technology, December 21, 2015, http://www.ivtnetwork.com/article/expert-judgements-quality-risk-management-where-quality-risk-management-can-go-wrong. In this connection, the NRC assessment of DHS’s risk methods notes that “narrative descriptions of non-quantitative information about risk are often as important to decision makers as is the more fully quantitative information.” Review of the Department of Homeland Security’s Approach to Risk Analysis, 10.
126 The Strategic National Risk Assessment in Support of PPD 8: A Comprehensive Risk-Based Approach toward a Secure and Resilient Nation, (Department of Homeland Security, Washington DC, December 2011), 1-3, https://www.dhs.gov/xlibrary/assets/rma-strategic-national-risk-assessment-ppd8.pdf. Frequency was used rather than likelihood since some events could occur more than once a year. Vulnerability was not shown as a separate variable but considered when estimating the uncertainty band for consequences assuming this variable runs from low to high.
127 Jerome H. Kahan, Preparedness Revisited: W(h)ither PPD-8?, Homeland Security Affairs, 10, no. 2, (February 2014), p.24: https://www.hsaj.org/articles/252.
128 Rising to the occasion, the Secretary of Homeland Security in May 2010 announced the Integrated Risk Management (IRM) initiative – “a structured approach that enables homeland security organizations […at the local level] to form a common understanding of risk, share information and analysis, and conduct assessments that guide policy and operations to reduce risk and the impact of hazards.” Janet Napolitano, “Integrated Risk Management (IRM) and Homeland Security Benefits for State, Local, and Regional Jurisdictions,” (Department of Homeland Security, Washington DC, November 2010), http://fcemhs.com/Portals/0/Planning/Documents/irm_benefits.pdf. The IRM construct has been accepted by a number of counties and jurisdictions across the country when facing a wide range of hazards to significant infrastructure targets, including potential physical and cyber attacks by terrorists or violent extremists.
129 Georgios Giannopoulos, et al., Risk Assessment Methodologies for Critical Infrastructure Protection, Part I: State of the Art, European Commission, Joint Research Centre, Institute for the Protection and Security of the Citizen, 2012, 4, http://ec.europa.eu/home-affairs/doc_centre/terrorism/docs/RA-ver2.pdf.
130 Ibid., p. 17.
131 Department of Homeland Security, Risk Management Fundamentals, Office of Risk Management and Analysis, Second Edition, April 2011, https://www.dhs.gov/xlibrary/assets/rma-risk-management-fundamentals.pdf. See also DHS Risk Steering Committee, Risk Lexicon, September 2008, https://www.dhs.gov/xlibrary/assets/dhs_risk_lexicon.pdf.
132 Philip Auerswald et al., “The Challenge of Protecting Critical Infrastructure,” Wharton School Risk Management and Decision Process Center, Working Paper # 05-11, October 2005, http://opim.wharton.upenn.edu/risk/downloads/05-11-EMK.pdf.
133 National Infrastructure Advisory Council (NIAC), Critical Infrastructure Resilience, Final Report and Recommendations, September 8, 2009, https://www.dhs.gov/xlibrary/assets/niac/niac_critical_infrastructure_resilience.pdf. Composed of members from government, academia, and industry, NIAC is charged with providing the President, the Secretary of Homeland Security, and heads of other relevant agencies with analyses and recommendations on the physical and cyber security and resilience of critical infrastructures.
134 Chris Woodford, Self-Healing Material, Explain that Stuff, March 15, 2016, http://www.explainthatstuff.com/self-healing-materials.html.
135 Jerome H. Kahan, “Resilience Redux: Buzzword or Basis for Homeland Security,” Homeland Security Affairs 11, 2 (2015), https://www.hsaj.org/articles/1308.
136 Report of the Critical Infrastructure Task Force (CITF), Homeland Security Advisory Council, Forwarding letter to Secretary Chertoff, January 2006, https://www.dhs.gov/xlibrary/assets/HSAC_CITF_Report_v2.pdf.
137 For example, the Center for Resilience Studies at Northeastern University, http://www.northeastern.edu/resilience/.
138 CITF Report, 8.
139 Jerome H. Kahan, et al., Risk and Resilience: Exploring the Relationship, Report prepared for DHS/S&T by the Homeland Security Studies and Analysis Institute, October 29, 2010, 47.
140 Jennifer Scholtes, “DHS Looking to Integrate Resilience Into Everyday Operations,” Congressional Quarterly Staff, (Washington, DC, January 13, 2011), http://securitydebrief.com/2011/01/13/dhs-looking-to-integrate-resilience-into-everyday-operations/#axzz3u1SZtkTC.
141 President Barack Obama, A Proclamation: National Preparedness Month, 2009, (White House Office of the Press Secretary, Washington, DC, September 4, 2009), https://www.google.com/?gws_rd=ssl#q=A+Proclamation:+National+Preparedness+Month%2C+2009.
142 National Security Strategy, (The White House, Washington DC, May 2010), 18, https://www.whitehouse.gov/sites/default/files/rss_viewer/national_security_strategy.pdf.
143 National Security Strategy, (The White House, Washington DC, February 2015), 9, https://www.whitehouse.gov/sites/default/files/docs/2015_national_security_strategy_2.pdf.
144 CITF Report, 5.
145 John D. Moteff, Critical Infrastructure Resilience: The Evolution of Policy and Programs and Issues for Congress, (Congressional Research Service, Washington DC, August 23, 2012), Summary, https://www.fas.org/sgp/crs/homesec/R42683.pdf.
146 Federal Emergency Management Agency, About PS-Prep™, https://www.fema.gov/about-ps-preptm. In August 2007, Congress passed Public Law 110-53, which calls for DHS to establish and implement a voluntary private sector preparedness accreditation and certification program. FEMA was designated to initiate this program. The DHS Ready Business Program was formed in 2004. See Department of Homeland Security, Ready Business Mentoring Guide: Working With Small Businesses to Prepare for Emergencies, https://www.ready.gov/sites/default/files/documents/files/mentor_guide.pdf. See also Federal Emergency Management Agency, Small Business Toolkit: Tools and Resources to Plan, Prepare, and Protect, https://www.fema.gov/small-business-toolkit-tools-and-resources-plan-prepare-and-protect.
147 Margot Hill Clarvis and Michael Schoon, “Investments in Resilience Are Increasingly Seen by Private Companies as Good Business Practice…Business & Resilience: Convergence or Critical Mismatch?” Resilience Science, December 9, 2014, Garry Peterson, http://rs.resalliance.org/2014/12/09/business-resilience-convergence-or-critical-mismatch.
148 As an analysis by experts at the Heritage Foundation suggests, “The federal government could offer additional incentives to promote private-sector protection and resiliency efforts, such as establishing a public recognition program for firms that achieve noteworthy success, or granting CIKR-supportive companies preference in federal contracting or … promoting the SAFETY Act—which provides liability protection from terrorist acts for companies that develop anti-terrorism technologies.” McNeill and Weitz, “How to Fix Homeland Security Critical-Infrastructure Protection Plans.”
149 Department of Homeland Security, “Building and Infrastructure Protection Series: Designing Buildings to Withstand Almost Anything,” https://www.dhs.gov/science-and-technology/building-and-infrastructure-protection-series-designing-buildings-withstand.
150 “DHS S&T to Launch New Center of Excellence to Study Critical Infrastructure Resilience,” (Science & Technology Press Office, Department of Homeland Security, Washington DC, April 7, 2016), https://www.dhs.gov/science-and-technology/news/2016/04/07/dhs-st-launch-new-center-excellence-study-critical.
151 Some readers would be surprised to know that these words were found in President Clinton’s Executive Order 13010, Critical Infrastructure Protection, July 15, 1996, http://fas.org/irp/offdocs/eo13010.htm.
152 Department of Homeland Security, Critical Infrastructure Security, November 4, 2015, https://www.dhs.gov/topic/critical-infrastructure-security.
153 McNeill and Weitz, “How to Fix Homeland Security Critical-Infrastructure Protection Plans.”
154 National Infrastructure Protection Plan, 2006, Preface.
155 National Infrastructure Protection Plan, Partnering to Enhance Protection and Resiliency 2009, 24.
156 National Infrastructure Protection Plan, Partnering for Critical Infrastructure Security and Resilience, 2013.
157 Ibid., Executive Summary.
158 Joshua Sinai, “New Trends in Terrorism’s Targeting of the Business Sector,” Mackenzie Institute, 05/09/2016, http://mackenzieinstitute.com/new-trends-in-terrorisms-targeting-of-the-business-sector/.
159 Philip Auerswald, et al., “The Challenge of Protecting Critical Infrastructure,” Issues in Science and Technology, XXII, no. 1, Fall 2005, http://issues.org/22-1/auerswald/.
160 Organization Change: A Comprehensive Reader. PPD-21 also required government and private partners to develop integrated protection and resilience plans for each of the critical sectors, including enhanced security for our electrical grid and transportation systems as well as securing our nuclear and chemical sectors, but the response to this request is unclear.
161 See Department of Homeland Security, National Infrastructure Coordinating Center (NICC) https://www.dhs.gov/national-infrastructure-coordinating-center, and National Cybersecurity and Communications Integration Center (NCCIC) https://www.dhs.gov/national-cybersecurity-and-communications-integration-center. The NCCIC subsumed responsibilities of the NCSC, created by President Bush in connection with his two classified Cybersecurity Directives.
162 Howard Schmidt, “There Is No Cyberwar,” Interview with White House Cyber Czar, RSA Security Conference, (San Francisco, CA, 2010), http://www.wired.com/2010/03/schmidt-cyberwar/; White House Profile, Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, The White House Blog, April 1, 2014, https://www.whitehouse.gov/blog/author/Michael%20Daniel.
163 The White House, Office of the Press Secretary, Presidential Proclamation — Critical Infrastructure Security and Resilience Month, October 31, 2013, https://www.whitehouse.gov/the-press-office/2013/10/31/presidential-proclamation-critical-infrastructure-security-and-resilienc.
164 The American Lifelines Alliance (ALA) has worked with FEMA and the National Institute of Building Sciences on guidelines to assess the vulnerability of these systems to all hazards and what can be done to protect them.
165 Alice Clamp, “Cyber and Physical Security: Evolving Threats and Defense Mechanisms,” Public Power 72, No. 5, (August 30, 2014), http://www.publicpower.org/Media/magazine/ArticleDetail.cfm?ItemNumber=42132.
166 Department of Homeland Security, Infrastructure Information Partnerships, January 8, 2016, https://www.dhs.gov/infrastructure-information-partnerships.
167 Another organization that furthers public–private cooperation in securing our infrastructure is The Homeland Infrastructure Foundation Level Data Working Group (HIFLD) – a collaborative effort between DHS and the National Geospatial Intelligence Agency (NGA) for sharing information obtained by stationary orbiting satellites (GEOINT). This data is analyzed and distributed across multiple levels of government and the private sector to facilitate the protection and post-attack recovery of the nation’s CI/KR. HIFLD also works with the National Geospatial-Intelligence Agency to manage the Homeland Security Infrastructure Program (HSIP) that “compiles geospatial data from federal agencies, commercial vendors, State, and local partners” for use in protecting CI/KR. See Robert F. Austin, et al., GIS for Critical Infrastructure Protection, CRC Press, September 1, 2015, https://www.amazon.com/Critical-Infrastructure-Protection-Robert-Austin/dp/1466599340. Though not affiliated with the government, the Geospatial Information and Technology Association (GITA), a nonprofit professional association, advocates application of geospatial technology “to help operate, maintain, and protect the infrastructure […by such users as] utilities and telecommunication companies.” Geospatial Information and Technology Association (GITA), http://www.gita.org/.
168 Bill Brenner, “Howard Schmidt: Cybersecurity Battle ‘Different’ This Time,” CSO, March 24, 2010, http://www.csoonline.com/article/2124983/critical-infrastructure/howard-schmidt–cybersecurity-battle–different–this-time.html.
169 Schmidt served as a cyber-adviser in President George W. Bush’s White House, replacing Melissa Hathaway, a holdover from the Clinton Administration, who stepped in after Richard Clarke retired, and then served as temporary Czar for Obama with the job of overseeing the 60-day cyber policy review. Michael Daniel was chosen as Schmidt’s successor.
170 Presidential Decision Directive 63.
171 Stephen Barlas, et al., “U.S. Critical Infrastructure Security: Highlighting Critical Infrastructure Threats,” TechTarget, September 2004, http://searchsecurity.techtarget.com/US-critical-infrastructure-security-Highlighting-critcal-infrastructure-threats.
172 John Jay in 1813 supposedly wrote “To hope for the best and prepare for the worst, is a trite but a good maxim.” This tip is an English proverb from prior to the 18th Century. The phrase means one should have a good plan that includes contingencies for the bad things that might happen, but one should often expect the best case to happen and believe that one’s overall plan will be successful. http://planningskills.com/tips/40.php.
173 Bruce Hoffman, “Does our Counterterrorism Strategy Match the Threat,” Testimony before House International Affairs Sub-Committee, RAND Corporation, (September, 2005), http://www.rand.org/content/dam/rand/pubs/testimonies/2005/RAND_CT250-1.pdf.
174 DCSINT Handbook No. 1.02, Critical Infrastructure Threats and Terrorism, US Army Training and Doctrine Command, II-10, Fort Leavenworth, Kansas (2006), https://fas.org/irp/threat/terrorism/sup2.pdf.
175 James A. Lewis, “Innovation and Cybersecurity Regulation,” Commentary, (Center for Strategic and International Studies, Washington DC, 2009), http://csis.org/files/media/csis/pubs/090327_lewis_innovation_cybersecurity.pdf.
176 Ibid., “Cyber Threat and Response: Combating Advanced Attacks and Cyber Espionage,” CSIS, March 2014, https://csis-prod.s3.amazonaws.com/s3fs-public/legacy_files/files/publication/140313_FireEye_WhitePaper_Final.pdf.
177 Government Accountability Office, Risk Management.
178 Ibid.
179 Richard White, “Towards a Unified Homeland Security Strategy: An Asset Vulnerability Model,” Homeland Security Affairs 10, no. 1 (February 2014), https://www.hsaj.org/articles/25.
180 Government Accountability Office, Critical Infrastructure Protection: DHS Action Needed to Enhance Integration and Coordination of Vulnerability Assessment Efforts, Report to Congressional Requesters, (Washington, DC, 2014), 25, http://www.gao.gov/assets/670/665788.pdf.
181 Some might cite James Burke, who pointed out in 1983 that we have become overly dependent on technology. See Connections — The Trigger Effect, James Burke, February 15, 2015, http://www.dominoprinciple.com/2015/02/15/connections-trigger-effect-james-burke.
182 A successful cyber-attack goes through seven steps: Reconnaissance (identify target), Scanning (discover weak spot), Gain access (and take over), Exfiltration (extract sensitive data), Sustainment (come and go but quietly), Assault (distort or disable target’s functionality), and Obfuscation (hide attacker’s tracks). See “The Seven Steps of a Successful Cyber Attack,” Identity Week, May 7, 2015, (documents from Lieberman Software Corporation), https://www.identityweek.com/seven-steps-of-successful-cyber-attack/.
183 Barak Perelman, “And Now, A Cyber Arms Race Towards Critical Infrastructure Attacks,” Dark Reading, November 11, 2015, http://www.darkreading.com/attacks-breaches/and-now-a-cyber-arms-race-towards-critical-infrastructure-attacks/a/d-id/1323225.
184 Department of Homeland Security, Annual Performance Report for Fiscal Years 2012 – 2014, https://www.dhs.gov/sites/default/files/publications/DHS-%20Annual%20Performance%20Report%20and%20Congressional-Budget-Justification-FY2014.pdf. This Report is required by the Government Performance and Results Act (GPRA) of 1993 and the GPRA Modernization Act of 2010. For the record, rate of speed (a measure) can be expressed in km/hour or miles/hour (different metrics), the temperature (a measure) expressed in ºC or Fahrenheit (different metrics).
185 HSPD-7, Homeland Security Presidential Directive-7: Critical Infrastructure Identification, Prioritization, and Protection.
186 Office of Management and Budget, Program Assessment, National Protection & Programs Division: Infrastructure Protection, (The White House, Washington, DC, 2006), https://www.whitehouse.gov/sites/default/files/omb/assets/omb/expectmore/summary/10003623.2006.html.
187 Office of Financial Management, Performance Measure Guide, Budget Division, State of Washington, August 2009, http://www.ofm.wa.gov/budget/instructions/other/2009performancemeasureguide.pdf. For example, the effectiveness of efforts to reduce risk in a given sector should be measured as the difference in risk before and after protective programs are instituted, with this result fed back into subsequent assessments.
188 NIPP 2006, National Infrastructure Protection Plan, 26.
189 Government Accountability Office, Critical Infrastructure Protection: Sector-Specific Agencies Need to Better Measure Cybersecurity Progress, (Washington DC, November 19, 2015), http://www.gao.gov/assets/680/678499.pdf.
190 Chris Currie, “DHS Has Made Progress in Enhancing Critical Infrastructure Assessments, but Additional Improvements are Needed,” Testimony Before the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Committee on Homeland Security, House of Representatives, (Washington, DC, July 12, 2016), Government Accountability Office, http://www.gao.gov/assets/680/678499.pdf.
191 President Obama issued an Executive Order on May 6, 2016 to facilitate the upcoming Presidential Transition, including establishing a White House Transition Coordinating Council to assist and support “the transition efforts of the transition teams of eligible candidates.” Executive Order — Facilitation of a Presidential Transition, https://www.whitehouse.gov/the-press-office/2016/05/06/executive-order-facilitation-presidential-transition. The Center for Presidential Transition offers assistance to presidential candidates and their transition teams…to ensure our next president will be ready to govern on day one, including production of updated Presidential Transition Guides, the latest edition issued in April 2016, Partnership for Public Service, Center for Presidential Transition http://presidentialtransition.org/.
192 Amanda Kooser, “Hamster-Wheel Standing Desk: Embrace the Rodent Race, Why Should Hamsters Have All the Fun?” CNET Tech Culture, September 18, 2014, http://www.cnet.com/news/hamster-wheel-standing-desk-embrace-the-rodent-race/.
Copyright © 2017 by the author(s). Homeland Security Affairs is an academic journal available free of charge to individuals and institutions. Because the purpose of this publication is the widest possible dissemination of knowledge, copies of this journal and the articles contained herein may be printed or downloaded and redistributed for personal, research or educational purposes free of charge and without permission. Any commercial use of Homeland Security Affairs or the articles published herein is expressly prohibited without the written consent of the copyright holder. The copyright of all articles published in Homeland Security Affairs rests with the author(s) of the article. Homeland Security Affairs is the online journal of the Naval Postgraduate School Center for Homeland Defense and Security (CHDS).





