Perfect Partners for Infrastructure Protection

Hardly a day passes by without a headline related to infrastructure—from the interest in “smart cities,” to calls for increased investment, to a focus on economic prosperity and competitiveness, to ongoing recovery efforts following major disasters. Yet, as the backbone of society, infrastructure typically goes unnoticed throughout the course of people’s daily lives. Infrastructure is the engine of commerce, the basis of trade, the key to functioning communities, and the foundation of essential services, but it is easily taken for granted. Often, it is only when an incident occurs—leading to a disruption in services we have come to expect— that most peoples’ attention is drawn to the importance of infrastructure itself.

Despite this tendency to ignore infrastructure’s importance, today, there is a heightened public focus on infrastructure arising out of the 21st-century’s unstable security environment. This has encouraged nations and companies to think broadly about the array of risks facing their relevant infrastructure, including climate change and extreme weather, cyber threats, acts of terrorism, and aging and failing components. The consequences of these risks—to both the public and private sectors—can be seen in events throughout the last decade. Hurricanes Katrina and Sandy, wildfires, and flooding across the western states demonstrate how weather can disrupt the availability of lifeline functions and other critical services to individuals and businesses. Overseas, Typhoon Haiyan and the 2011 Japan Tsunami illustrate the scale and complexities that disasters may present on a society, including cascading effects across industries and global supply chains. The 2013 bombing at the Boston Marathon and recent economic losses as a result of cyber attacks on America’s retailers highlight the damage that can be wrought by manmade incidents.

Industry and governments around the world recognize the importance of minimizing threats, mitigating potential consequences, and rapidly responding to and learning from incidents that do occur. For example, following the September 2013 attack at the Westgate Mall in Nairobi, Kenya, the Federal Bureau of Investigation (FBI), the U.S. State Department, and the U.S. Department of Homeland Security (DHS) joined efforts to analyze the tactics, techniques, and procedures utilized in the attack. Insights from this analysis were used to share lessons learned and develop preparedness material in coordination with the nation’s shopping mall owners. While government agencies analyzed the attack, the private sector played an equally integral role by providing expertise on the types of information that would most readily allow them to undertake augmented security measures, secure facilities against similar attacks in the future, and keep their customers and the public safe.

This and other events highlight how incidents in one country can inform security and resilience efforts in another. Furthermore, transnational supply chains create incentives for a global focus on infrastructure challenges and opportunities. As companies optimize operations and adopt more efficient supply chains, they become increasingly dependent on uninterrupted operations in other sectors, which may be nationally or internationally based. Individual components of this expansive network can unintentionally introduce vulnerabilities and dependencies that result in cascading effects across the network if an incident occurs.

In our interconnected world, a number of countries have come together to begin addressing the growing risks, dependencies, and interdependencies across systems. Notably, government agencies from Australia, Canada, New Zealand, the United Kingdom, and the United States have formed a collaborative effort— known as the Critical Five—to coordinate on infrastructure security and resilience. These nations embrace certain common approaches to enhancing security and resilience, including partnership building, information sharing, and risk management.

 Whether through dedicated business- government forums (like Australia’s Trusted Information Sharing Network) or information sharing mechanisms (like the United Kingdom’s work setting up safe information exchanges), each country is actively engaged in building trusted  information sharing channels using public-facing websites, information portals and gateways, partnerships, and other approaches. Additionally,each nation relies on strong, multidirectional partnerships with public and private infrastructure owners, operators, and  stakeholders to share information, best practices, and lessons learned,

as well as inform approaches to securing both individual assets and the infrastructure network as a whole. This engagement can be brought to bear across international boundaries through the mechanism of the Critical Five, which has already collaborated on the development of a “Shared Narrative on the Evolution of Critical Infrastructure.” The Narrative provides a high-level overview of the meaning and importance of critical infrastructure to the respective governments.

Beyond the work of the Critical Five, members are working to bring together unique capabilities of government and the private sector to identify solutions to emerging risks and manage the consequences of incidents that occur in their own nations. For example, Canada and the United States are already collaborating beyond specific aims of the Critical Five. In 2011, DHS, the State of Maine, Public Safety Canada (PSC), and the Province of New Brunswick worked with private owners and operators to conduct a cross-border assessment of the energy and transportation systems that move commodities between the United States and Canada. The assessment resulted in recommendations for resilience planning and resource allocation that were shared with all parties involved, including more than 25 federal, state, provincial, local, and private sector partners. Building on this success, DHS and PSC are collaborating with the private sector to conduct a second assessment in the Alaska-Yukon region to examine transportation supply chains of essential goods from the lower 48 states to Alaska, including key transportation routes through Canada. The assessment is a 2-year project involving numerous U.S. and Canadian public and private sector partners throughout the region.

To coordinate these types of efforts, DHS recently released the latest update of the National Infrastructure Protection Plan (NIPP), which articulates a collaborative approach to infrastructure security and resilience efforts across the country. The NIPP calls for a proactive and inclusive partnership among all levels of government and the private sector to take advantage of existing capabilities and develop new ones. Ultimately, it is the responsibility of businesses to secure and ensure the physical and economic resilience of their assets and facilities, but the NIPP partnership structure provides a framework through which the government and private sector can collaborate to increase the efficiency and effectiveness of such efforts.

Such a partnership relies on the comparative advantage of different parts of the critical infrastructure community—where individual members of this community leverage their specific expertise and resources to target the particular infrastructure challenges to which they are best suited, enhancing the overall effectiveness of each partner’s contribution. Efforts informed by these principles can demonstrate a return on investment for the government and industry, enabling the public sector to strengthen security and rapidly respond to and recover from all-hazards events while allowing the private sector to minimize service disruption and profit loss.

When I have the opportunity to meet with C-Suite executives, they remind me that one comparative advantage the government brings to the table is a comprehensive understanding of the range of threats and hazards to our nation’s infrastructure operations.The feedback I receive from owners and operators indicates that they largely do not have access to the constantly shifting threat information, but they want and need it to inform investments in asset and system security and resilience. Additionally, the government relies on the private sector’s expertise in day-to-day infrastructure operation to ensure they have captured a holistic perspective of the threats at large and their potential impacts on operations. Based on discussions with the private sector, we have worked to revamp and streamline the Private Sector Clearance Program to ensure those driving infrastructure security enhancements have access to the information they need and can shape the understanding of the threats we face.

Another example of how the private sector engages with the government is through the partnership structure articulated in the NIPP,particularly through Sector Coordinating Councils (SCCs). SCCs are self-organized, self- run, and self-governed groups of private stakeholders within a sector. Specific membership varies from sector to sector, reflecting the unique composition of each sector; however, membership is typically representative of a broad base of owners, operators, associations, and other entities—both large and small—within a sector.

Take the Electricity Sub-Sector Coordinating Council (ESSCC), whose membership includes companies represented by national associations, including the American Public Power Association, Edison Electric Institute, and the National Rural Electric Cooperative Association. The ESSCC provides a mechanism by which CEO-level utility personnel can engage with each other and with relevant government agencies in an effort to foster and facilitate the coordination of sector-wide policy-related activities and initiatives to improve the reliability and resilience of the Electricity Sub- sector. With the support of the ESSCC, a number of power sector companies, in conjunction with the Electricity Sector Information Sharing and Analysis Center, the Department of Energy, Pacific Northwest National Laboratory, and Argonne National Laboratory, are participating in the Cybersecurity Risk Information Sharing Program (CRISP). CRISP is a pilot program that facilitates the near-real-time sharing of unclassified and classified threat information to infrastructure owners and operators to enhance the sector’s ability to identify, prioritize, and coordinate protection of their systems and assets.

As these efforts demonstrate, governments cannot accomplish the mission of ensuring critical infrastructure security and resilience alone. Private sector partnerships and expertise are vital to this effort. It is only through strong public-private collaborative efforts that we can be assured that our nation and global community is prepared and resilient in the face of an all-hazards event. The critical infrastructure community includes a broad range of stakeholders that are motivated by diverse business drivers— governments by public health and safety, industry by economic success, and citizens by access to critical services—but all have a role to play in protecting and strengthening the very foundation of our societies.