Leverage the Long-Standing Public-Private Partnership for Critical Infrastructure Protection
The Department of Homeland Security needs to reverse direction and bring the private sector back into its efforts.
Notwithstanding the public rhetoric about the value of the public-private partnership and collaboration with the private sector, the reality is the Department of Homeland Security (DHS) instead has moved to disenfranchise its long-standing engagement with many of the private sector owners and operators of the nation’s critical infrastructure.
These voluntary, private sector-organized and governed entities have been delivering value for protecting critical infrastructure since the 1990s. However, with the launch of efforts to rewrite the National Infrastructure Protection Plan in 2012, the DHS set about to replace the existing partnership framework between government and industry with an approach driven by government control and regulatory oversight rather than by collaboration and partnership. Such an approach will serve to disenfranchise current efforts and do little, if anything, to improve critical infrastructure protection or national security and resilience.
In 1996, President Clinton issued Executive Order 13010 establishing the President’s Commission on Critical Infrastructure Protection (PCCIP). In October 1997, the commission issued its report urging a national effort to ensure the security of the United States’ increasingly vulnerable and interconnected infrastructures. It recommended greater cooperation and communication between the private sector and government, because critical infrastructure protection was a shared responsibility.
Building on the recommendations of the commission, Presidential Decision Directive (PDD)-63 was promulgated in 1998 as the first comprehensive attempt to protect physical and cyber-based systems essential to the economy and government. PDD-63 established critical infrastructure protection as a national goal and articulated a strategy for cooperative government-private sector initiatives to accomplish it. The policy emphasized that government, to the extent feasible, would focus on market-based incentives for addressing critical infrastructure protection and avoid increased government regulation. The government was to consult with owners and operators of critical infrastructures to encourage the voluntary creation of private sector information sharing and analysis centers (ISACs).
PDD-63 also established the National Infrastructure Protection Center (NIPC) within the FBI to serve as the principal government body to facilitate the U.S. government’s infrastructure threat assessment, warning, law enforcement investigation and response. The NIPC was designated to serve as the conduit for information sharing with the private sector through the ISACs. The Critical Infrastructure Assurance Office (CIAO) within the Department of Commerce also was created under PDD-63 to coordinate the federal government’s initiatives on critical infrastructure assurance efforts and to support the ISACs. The Defense Department had the primary liaison and coordination responsibility with the telecommunications industry.
As a result of increasing incidents of cyber attacks on government facilities and private companies, infrastructure protection initially focused on cybersecurity. The circumstances around Y2K and the denial of service attacks in 2000 highlighted this issue. The Clinton administration actively encouraged the formation of sector-specific ISACs to enhance sharing information among companies and between the government and the private sector. ISACs were stood up between 1999 and 2001 in the financial services, telecommunications, electricity and information technology sectors. Over time, ISACs evolved into the primary mechanisms for government-industry interaction on critical infrastructure protection and cybersecurity efforts.
Today, 18 ISACs are delivering operational capability and value every day and coordinating in a cross-sector manner both sector to sector and through the National Council of ISACs (NCI).
In 1999, the Partnership for Critical Infrastructure Security (PCIS) was formed by the private sector to enhance protection, preparedness and resilience efforts across the nation’s critical infrastructure sectors. The main focus would be policy and strategy activities in support of the critical infrastructure protection mission.
Coupled with the emergence of ISACs and their technical and operational capabilities, the partnership framework between government and the private sector would continue to grow and deliver value in an effort to improve national security and resilience.
The events of September 11, 2001, reinforced the necessity of the public-private partnership for critical infrastructure protection. On October 9, 2001, President Bush signed Executive Order 13228, establishing the new Office of Homeland Security within the National Security Council. In July 2002, the National Strategy for Homeland Security was released, which further identified the importance of engagement with the private sector in furthering the mission of critical infrastructure protection.
In 2001, the financial services community established the first sector coordinating council to complement and support efforts of the ISAC in the mission to improve critical infrastructure security and resilience. Today, more than 4,000 members participate.
On November 22, 2002, Congress approved the largest government reorganization since the Truman administration’s creation of the Defense Department and the National Security Council—the DHS. With a mission that specifically included the protection of critical infrastructure, the DHS consolidated responsibility for cyber and physical protection efforts, including functions formerly of the NIPC at the FBI and CIAO at the Department of Commerce.
On December 17, 2003, the Bush administration formalized its policies on critical infrastructure protection and cybersecurity with the issuance of Homeland Security Presidential Directive (HSPD)- 7, superseding PDD-63. HSPD-7 reinforced the role of the private sector and need for collaboration and partnership with the owners and operators of the nation’s critical infrastructure.
In 2006, the initial National Infrastructure Protection Plan was released. It outlined a partnership framework to include sector coordinating councils and the PCIS, ISACs, state and local government, and regional coordinating councils. The framework stressed the need for collaboration between government and industry in meeting shared responsibilities for critical infrastructure protection and cybersecurity to improve national security and resilience. Jointly developed sector-specific plans, created by sector coordinating councils and government coordinating councils, reinforced a risk management approach to the critical infrastructure protection challenge. The partnership framework model was applauded for its true collaboration.
Sector coordinating councils are voluntary, private sector groups, self-organized and self-governed, composed of senior executives and practitioners representing owners and operators of all sizes across the 16 critical infrastructure sectors of the U.S. economy. The work programs and efforts are largely focused on policy, strategy, sector-wide risk management efforts, and collaborative support for the efforts of ISACs while working closely and collaboratively with many of the sector specific agencies of the U.S. government, such as the departments of Treasury and Energy as well as the Environmental Protection Agency and more.
This background and historical context illustrates the evolution and success of the partnership framework between government and the private sector to address the mission of critical infrastructure protection, cybersecurity and the safety, security and resilience of our nation.
Yet, during the rewrite of the National Infrastructure Protection Plan released in 2013, the DHS refused to include reference to the PCIS, the NCI or the partnership framework referenced and articulated in the original version.
I participated in both efforts, and the dichotomy of respect and partnership with the private sector owners and operators of the nation’s critical infrastructure from the original effort to the update in 2013 was striking and disappointing.
With current efforts by the DHS to establish new, undefined,and amorphous information sharing and analysis organizations in the private sector, referred to as ISAOs, as well as efforts to establish new, CEO-driven entities for critical infrastructure sectors in place of the long-standing and well established SCC model, it is clear the DHS is more interested in replacing current, effective and productive structures than they are in real collaboration, notwithstanding the public rhetoric about the stated value of the current partnership framework.
Companies and organizations across the private sector have made significant investments of time, energy and resources to establish and maintain productive capabilities in support of the critical infrastructure protection mission since the 1990s. This includes the voluntary, private sector-led, organized and governed ISACs and sector coordinating councils.
Instead of disenfranchising these organizations, the government—specifically the DHS—should be calling on the leadership in the private sector to examine any current gaps in the mission activities and collaboratively consider methods and approaches to address any identified gaps. That would represent a true effort to leverage partnership and collaboration, as opposed to the example of the creation of the ISAO initiative solely within the government without any participation or consultation with the private sector critical infrastructure owner and operator community.
At a time when our nation is confronted by a risk environment in physical and cybersecurity unlike any we have ever seen, it is more imperative than ever that we come together in government and the private sector to address the challenge that threatens our national and economic security through our shared responsibility. It should not be about who is in control or who is in charge; rather it should be about how we work together more effectively and more collaboratively to improve detection, prevention, protection, mitigation and response to the risks that threaten our nation’s security and resilience.
The DHS and the other departments and agencies of the U.S. government should respect and leverage long-standing, well-established private sector organizations committed to the mission of making our nation safer and more secure and reaffirm a commitment to collaboration and partnership. The American people are depending on us to get it right, and it is way past the time that rhetoric needs to be supported by reality around the public-private partnership for critical infrastructure protection.
Robert B. Dix Jr., is vice president, global government affairs and public policy, Juniper Networks.