– Executive Summary –
Origin of the Research Question
The owner of a commercial office building can contact the Department of Homeland Security (DHS) and request that a federal representative tour the building to identify vulnerabilities from terrorism. Information about the physical attributes of the facility is entered into a computer program to model risks along with high definition photographs of the exterior. To mitigate the risks from terrorist threats, DHS suggests strategies, such as adding fences, installing electronic access control devices, mounting additional closed circuit television cameras, or conducting random security screenings of visitors. DHS will also provide free training courses for the building’s security officers to learn about searching for improvised explosives, handling bomb threats, or identifying terrorists who are conducting surveillance. These services that DHS offers to privately owned commercial facilities (CF) fall under the department’s statutory critical infrastructure (CI) protection mission and extend to 77,069 locations designated as “critical infrastructure” in the United States. How does the recommendation that an office building surround itself with a higher fence align with the federal mission to protect “the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof?” Are the federal resources being expended to provide security consultation to individual infrastructure facilities helping to accomplish the DHS’s cornerstone mission of protecting the country from terrorist attacks?
The chapters of this thesis explore the ideas that not everything designated as critical meets the definition of criticality; the methodologies for evaluating infrastructure are not aligned to the threats from terrorism; when supposedly CI, especially CF, are damaged or destroyed, it turns out the facility was not critical after all; and the overall systems of essential-to-life infrastructure across the country are more resilient than the current methodologies presuppose.
This research is a meta-analysis of government policies on infrastructure protection (IP) to address the question of how these facilities became designated as critical and if the scope of the current IP effort is inhibiting the department’s ability to accomplish the mission. This research is limited to the risk evaluation, vulnerability assessment, and protection of physical infrastructure facilities. Rather than simply restating problems with IP that have already been published by the Government Accountability Office (GAO) and Congressional Research Service, this thesis intends to determine the origins of current CI protection policies and the underlying challenges in accomplishing the mission.
- Literature Review
This research examines the federal IP policies that have been issued over the past 35 years to determine the origin and evolution of the mission. Within these documents, a consensus can be drawn that the definition of the term “critical infrastructure” is the systems and assets that are nationally significant and the loss of which would result in debilitating consequences to the safety and security of the United States. The 10 overarching CI policies released over the past 19 years consistently describe CI as being nationally significant, providing vital services, being part of an interconnected system, causing debilitating impacts if destroyed, and providing a service necessary to the health and safety of the general public.
Based on the analysis within this thesis, infrastructure that lacks national significance, criticality, and interconnectedness to other infrastructure systems does not meet this definition. The protection strategies for CF presented in the 2010 NIPP Sector Specific Plan (SSP)—Commercial Facilities lack information about the continuation of essential-to-life services or protection of nationally significant facilities, which underpins the definitions of CI. As a result, the CF sector serves as an example of the misalignment between what is critical to the nation and what is currently designated as critical by DHS. The CF plan puts emphasis on resilience, openness, and profitability, which does not suggest that critical functions are being carried out or the loss of those functions would result in debilitating impacts to the nation. While resilience, openness, and profitability are positive business practices, it is ineffective for DHS to be writing plans about concepts that do not correspond to criticality, which is the underlying principle of the IP mission.
This inefficiency creates a discrepancy between the federal policies that define CI and how DHS currently addresses its statutory IP mission to identify, prioritize, and protect the nation’s most vital infrastructure.
- Problems with current DHS critical infrastructure policies
This research summarizes the concrete shortfalls with IP that have been documented by other sources including the GAO. A problem with the current policies is that many of the 77,069 facilities do not meet the consensus definition identified in the literature review but are still considered to be “critical infrastructure.” The origin of this issue may have stemmed from the early directive for the newly formed DHS to develop a list of all of the critical facilities across the country. This thesis explores the challenges from the creation of the National Asset Database (NADB) and the mandate to develop a centralized list of facilities. The problems with the creation of the list were likely compounded by the need to rely on individual facilities to self-assess, and subsequently, overestimate risk. Within this research, the DHS CI chemical sector serves as an example of the challenges that occur with identifying and assessing critical facilities despite spending hundreds of millions of dollars and still resulting in an undetermined reduction in the risk from terrorism.
- Sources of the Problem
This research also examines theoretical explanations for the challenges with accomplishing the current CI protection mission. Modern military theories provide a potential explanation for the focus of DHS’s efforts because the threats from terrorism have likely been evaluated based on the education and experience of senior officials with principles of strategic warfare.
Nationally significant infrastructure facilities that can cripple the essential functions of the entire country would be attractive targets for an enemy nation-state to strike with ballistic missile and airpower capabilities during a war. The current terrorist threat comes from homegrown violent extremist and members of terrorist groups who are motivated to inflict mass casualties in the locations most visible and easily accessible. An individual terrorist or a small group of terrorists most likely lack the intelligence, organizational coordination, manpower, and resources to conduct a strategic warfare campaign against nationally significant infrastructure targets with the intent of crippling essential-to-life systems across the country. The strategic warfare approach of developing a static list of vulnerable assets does not match the unpredictable and dynamic threat from terrorism. The current IP policies identify the likely targets of a nation-state army and assume them to be the same targets that terrorists would have the intention and capability of attacking.
- Case Studies of the Destruction of Critical Facilities
The concept of protecting CI could altogether be a wasted effort because when supposedly CI is destroyed, the impacts are often negligible, or in some cases, even results in economic gains. It should be noted that the loss of human lives can occur with the destruction of critical facilities but the IP mission is not always focused on reducing human loses. In 2013, 32,719 traffic collision fatalities occurred on roadways that fall under the CI transportation systems sector but it is the mission of DHS to protect the physical transportation infrastructure from terrorist attacks rather than investing resources to prevent thousands of annual deaths from occurring during vehicle accidents on the highways. It is within the scope of the DHS mission to assess how a bridge could be attacked with explosives by terrorists but not to assess if installing higher guardrails could prevent a car from accidently driving off the bridge.
Even when terrorists do successfully strike, the consequences may be more complex than making a blanket assumption that all CI facilities should be protected under all circumstances. Case studies of the World Trade Center (WTC) and the Las Vegas Strip casinos challenge the general assertion that negative economic consequences always result from the destruction of a “critical” facility. A case study of the 2014 toxic chemical spill into the primary water source serving Charleston, WV provides an example that is contrary to the assumption that the loss of a facility serving as a sole provider of an essential-to-life service results in cascading, debilitating impacts across all infrastructure sectors. The destruction of supposedly critical facilities has demonstrated that greater resilience does occur across infrastructure systems than DHS generally assumes. Instead of focusing protection efforts on potential losses, greater value may be found in understanding existing resiliency.
While it was unforeseeable at the time, the Lower Manhattan area that was most heavily impacted by the September 11, 2001 (9/11) attacks is more valuable today and better positioned for the future than it was prior to 2001. If terrorists cannot cripple this nation by toppling 100-story commercial high-rise buildings, what kinds of facilities would have a debilitating impact on the entire nation if they were destroyed? Instead of being designated “critical,” the majority of infrastructure facilities are insignificant to the functions of the overall system because the loss of these facilities does not cause widespread disruptions to the nation, region, or even the local area. The worst circumstances may spur the greatest opportunity for positive change, which could shift homeland security strategies to focus primarily on effective recovery rather than protecting existing systems.
- An Alternative Strategy
A solution for accomplishing the task of effectively identifying, prioritizing, and protecting CI is refining the criteria for how facilities are determined to be critical. A lower number of critical facilities will reduce the overall scope of the protection mission. To identify facilities more effectively that are CI, DHS should consider using a risk-based approach within a more narrow definition of the term that can be modeled after best practices from the United Kingdom (UK). The United Kingdom uses the designation of “national infrastructure” to emphasize the scope of the mission, which is focused exclusively on the systems that the entire country is dependent on for daily life. For an infrastructure asset to be considered a national priority, both a high level of criticality and a high likelihood of something negative occurring must exist. Adopting a risk-based approach for both the prioritization of facilities through the likelihood of destruction and evaluation of national impacts can assist DHS in more effectively designating facilities as “critical.”
- Findings, Conclusions, and Recommendations
The evidence presented within this thesis argues that DHS is not fulfilling the mission of protecting the infrastructure that is critical to the nation by expending resources on misaligned efforts at thousands of insignificant facilities. These problems are rooted in the current scope of the infrastructure mission being too large but is further complicated because the types of facilities designated as critical may not be the likely targets of terrorists. The few facilities that are critical to the nation are most likely too large, too remote, or too secure for a terrorist group to destroy, or to have an interest in targeting.
On a local and regional level, redundancy and resiliency occur across infrastructure systems allowing affected areas to absorb outages and unaffected areas to provide alternative services. As a backstop, national emergency response capabilities can quickly deliver essential services during outages, such as the bottled water supplied to Charleston, WV following the chemical spill into the water supply. Also, enormous complexity within infrastructure systems makes predicting the impacts of outages extremely difficult, as demonstrated by the unanticipated economic gains in Lower Manhattan following the 9/11 attacks.
Based on this thesis, DHS should ensure that everything designated as “critical” meets the definition of criticality, that the methodologies used for evaluating infrastructure align to the mission of protecting the nation for terrorism, and that protection efforts account for the existing resiliency within the systems that provide essential-to-life infrastructure across the country.
 “Protective Security Advisors,” June 23, 2015, http://www.dhs.gov/protective-security-advisors.
 Office of Inspector General, Progress in Developing the National Asset Database (OIG-06-40) (Washington, DC: Department of Homeland Security, 2006), http://www.oig.dhs.gov/assets/Mgmt/OIG_ 06-40_Jun06.pdf.
 “What is Critical Infrastructure?” August 26, 2015, http://www.dhs.gov/what-critical-infrastructure. Department of Homeland Security.
 Department of Homeland Security, The 2014 Quadrennial Homeland Security Review (Washington, DC: Department of Homeland Security, 2014), 6, http://www.dhs.gov/sites/default/files/publications/2014-qhsr-final-508.pdf.
 Quadrennial Homeland Security Review, NIPP, PPD–21, Exec. Order No. 13636, NIPP, National Security Strategy, HSPD-7, USA PATRIOT Act, PDD/NSC-63, and Exec. Order No. 13010.
 Department of Homeland Security, Commercial Facilities Sector-Specific Plan an Annex to the National Infrastructure Protection Plan 2010 (Washington, DC: Department of Homeland Security, 2010), http://www.dhs.gov/xlibrary/assets/nipp-ssp-commercial-facilities-2010.pdf.
 The White House, Presidential Policy Directive—Critical Infrastructure Security and Resilience Presidential Policy Directive/PPD-21—Critical Infrastructure Security and Resilience (Washington, DC: The White House, 2013), http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.
 United States Congress, Committee Reports 109th Congress (2005–2006) House Report 109-713—Part 1 (Washington, DC: United States Congress, 2007), http://thomas.loc.gov/cgi-bin/cpquery/?&sid= cp109alJsu&r_n=hr713p1.109&dbname=cp109&&sel=TOC_192496&.
 “Countering Violent Extremism,” July 20, 2015, http://www.dhs.gov/topic/countering-violent-extremism.
 National Highway Transportation Safety Administration, Traffic Safety Facts 2013 Data (Washington, DC: U.S. Department of Transportation, 2015), http://www-nrd.nhtsa.dot.gov/Pubs/ 812181.pdf.
 “Transportation Systems Sector,” March 25, 2013, http://www.dhs.gov/transportation-systems-sector.