U.S. Defense Department Developing Critical Infrastructure Intelligence Network
The system will provide a common operating picture during disasters.
An intelligence network being developed at the Pentagon will enable military leaders to monitor disasters as they happen. The network will provide a common operating picture, allowing officials to better plan for and react to events adversely affecting the critical infrastructure and the military mission.
The Defense Critical Infrastructure Intelligence Network will allow officials to monitor natural disasters that could damage critical infrastructure assets, which would negatively impact the department’s ability to defend the nation. The network also will help the military maintain situational awareness and make more informed decisions during “no-notice” catastrophes, including manmade disasters, such as bombings or cyber attacks.
“We’re looking at ways to not only have an excellent situational awareness and have a common operating picture but a common database system that allows us to compare apples to apples, that allows us to store information in such a way that there’s transparency and there’s a good analytic database whereby experts who are looking at the same problem from different perspectives can provide analysis in a standardized fashion so that we can make qualitative as well as quantitative decisions,” reveals Charles Kosak, deputy assistant secretary of defense for defense continuity and mission assurance in the Office of the Under Secretary of Defense for Policy.
The network will include data at multiple classifications. “It would be enclaved in such a way that you would have communities that would have access at the top secret levels and then other communities that would have access at other levels,” Kosak reports.
The system will be especially helpful for events in which officials have advance notice. “We’re trying to build a capability that when we see a cone of a hurricane, for example, going across a swath of territory, we have enough information on that common operating picture that we can understand what can be impacted, what the potential loss of those capabilities means and then begin to look at potential mitigation to minimize the impact of that event,” Kosak asserts.
He cites Hurricane Sandy, the so-called superstorm, which devastated the Northeastern United States in 2012. “Given how it impacted New York and New Jersey, you can imagine if that happened here in the national capital region. By having a common operating picture where we can look at our defense critical assets and our own task essential assets, we can look at other critical infrastructure,” Kosak states. “That not only allows us to do our job but ensures we have all the elements maintaining our functions. Also partnering with the Department of Homeland Security, we can almost predictively understand what the impact is going to be and put mitigations in place so that we can move assets, potentially even move people and resources to build resilience into the capital.”
While the Defense Department is dependent upon critical infrastructure, such as the electrical grid and communications systems, it owns very little. “For example, even though the department has no authority over private sector power distribution, we are utterly dependent on the electric grid to execute our core missions, so we’re very focused on partnering with the Department of Homeland Security and with the defense industrial base to build resilience,” Kosak says.
The different agencies and infrastructure owners, he points out, have disparate responsibilities during disasters. “Health and Human Services will be focused on hospitals and making sure there is sufficient resiliency there. Department of Homeland Security will be focused on electric power substations that are potentially going under and how that might impact the populace in those areas. The electric power industry would be focused on how they could reconstitute capabilities as quickly as possible,” he observes.
Ideally, the Defense Critical Infrastructure Intelligence Network will benefit all. “We want to include a lot of information so that we can interface with our partners in the private sector and with the Department of Homeland Security in a balanced way and are not too focused on the Defense Department,” Kosak elaborates.
“The bottom line is we’re trying to develop a capability in which we could query and pull data from that common operating picture very quickly and be able to understand the breadth and scope of what we’re dealing with in a more predictive sense and be able to look at putting plans in place and taking action in advance of a storm,” he offers. “If it’s a no-notice event, we can quickly understand what has been impacted and the potential workarounds to be able to restore capabilities as quickly as possible,” he adds.
In case of a no-notice event, national continuity policy ensures three things: seamless movement between safe and crisis states, the ability to reconstitute capacity within 12 hours and the ability of departments and agencies to work together, communicating effectively, sharing information and maintaining situational awareness, he notes.
Kosak says he is not yet certain when the system will be up and running. “I’m more focused on driving the requirements and the strategic and policy piece, and the chief information officer is putting in place the master schedule. It will work itself through the Joint Requirements Oversight Council schedule within the department,” he offers. The program management team is working with the Defense Department mission assurance decision makers and other stakeholders to further refine long-term requirements for the system. While the system has reached full operational capability on some key objectives, the team intends to add more features as soon as possible.
In his position, Kosak oversees the department’s continuity, mission assurance, domestic counter-terrorism, information-sharing and global anti-terrorism policies and programs. His office develops plans, policies and leadership support initiatives to assure the department can execute its core functions, even in the face of asymmetric military threats and severe natural hazards to defense installations and infrastructure. Kosak also co-chairs a mission assurance steering group with his counterpart on the joint staff.
Kosak describes three pillars necessary for assuring the department can fulfill its mission. The first is the identification of a list of mission-supporting assets. “We literally prioritize assets in terms of their criticality to the mission, in terms of vulnerabilities that may exist therein. The identification process is essential,” he offers.
The next is the assessment process. “We’re building at this point a joint assessment capability that looks at not just the physical, traditional areas of focus, given the conventional threats of the past, but is now focused on cyber expertise and very, very heavily focused on the asymmetric element that is so pronounced today for a nation state or a transnational criminal or terrorist organization to try to hurt the United States and impact the department’s ability to do its job. That process is called the Joint Mission Assurance Assessment program,” Kosak states. “The problem we’ve had in the past, quite frankly, is a lot of focus on physical, not enough on virtual. Now we’re bringing them together as never before.”
Risk management is the third pillar, which requires assessing vulnerabilities and whether they can be mitigated. “We have to rack and stack the key plans and the key single points of failure that we’ve identified, and we have to look at the probability of attacks so that we can basically invest resources, time and effort to address single points of failure or vulnerabilities and do so in a way that’s most effective,” he says.
If, for example, a combatant commander prioritizes a specific cyber vulnerability, “we look to rack and stack that with other vulnerabilities and make a strategically informed recommendation to the secretary and deputy secretary to take a look at investments,” Kosak states.
Fixing identified vulnerabilities often is the bigger challenge. “We have a bit of history of identifying a lot of problems and vulnerabilities, but we need to improve upon our ability to actually fix things,” he acknowledges.