Nation’s infrastructure at ‘critical’ junction
In 2003, then-President George W. Bush signed a Homeland Security Directive (HSPD-7) which instructed the Department of Homeland Security (DHS) to lead the effort in strengthening the protection of America’s critical infrastructure through the development of a National Infrastructure Protection Plan (NIPP). But since that time, little progress has been made in developing anything other than a minimally progressive and overwhelmingly cumbersome process.
At least that is the case according to a new report released by the Washington, DC-based think tank the Heritage Foundation, entitled “How to Fix Critical Infrastructure Protection Plans: A Guide for Congress.” In the report, which was released April 27, authors Jena Baker McNeill and Richard Weitz remind the government that, “The national infrastructure is vital for the daily functioning of American society, thus representing an attractive target for terrorists. Not all infrastructure is equally important, nor can every aspect be protected equally, so the focus must be on the protection of critical infrastructure.”
The authors identify the system’s most troublesome issues, including the inability of the NIPP -- which is reviewed and reissued by DHS every three years -- to make much progress since its inception, the lack of funding from the government, inadequate information sharing between government agencies and between the government and the public, overusing the designation “critical” when designing infrastructure strategies, the lack of effective and meaningful public-private partnerships, the inability of DHS to evolve with the threat and the inherent nature of infrastructure’s complexity.
McNeill and Weitz also highlighted the role of cyber-space as a new critical infrastructure not yet fully addressed by the government.
“When something becomes a new threat -- the system must be able to change dynamically to accommodate this development. An example of this problem is in relation to cyber networks. The cyber domain has proven to be a major threat to infrastructure in that networks are in themselves infrastructure but also other infrastructure relies on cyber networks to operate.
“As the 2009 NIPP observes, ‘Cyber infrastructure enables all sectors’ functions and services, resulting in a highly interconnected and interdependent global network of CIKR.’ This shows the need to enhance the security of electronic information and communications systems, including the data they store and distribute. But to do so adequately -- critical infrastructure protection will need to adapt to the increased risk as well as change to accommodate the unique nature of the cyber domain.
“Deciding how to grow and adapt to evolving threats is fundamentally a product of sound risk-assessment methods, something that neither Congress nor DHS has interwoven sufficiently in the law or policymaking process,” the authors added.
McNeill and Weitz also provide a framework to guide the government in resolving the issues it faces. The authors recommend that among the most important things the government can do is focus on critical infrastructure that, if it were to be attacked and fail, would have catastrophic consequences.
“Protection, recovery, and resilience efforts should focus on protecting those assets whose disruption could inflict the most catastrophic human or financial losses,” write McNeill and Weitz.
They also recommend improving the relationship between the public and private sector, so that the government can give more responsibility -- a bottom-up, rather than a top-down approach -- to those companies and businesses that own and operate the majority of America’s critical infrastructures. The authors also highlight the importance of further research into how best to strengthen infrastructure, as well as the importance of increased education, awareness and training for both government and private business employees that work at critical sites.
McNeill and Weitz are most disapproving of the government in terms of what they see as its weak legislative oversight regarding critical infrastructure.
“One of the major reasons why Congress often seems to enact ineffective critical infrastructure legislation is because of its current oversight system,” the authors write. “At least 86 different subcommittees and committees have some form of oversight over the Department of Homeland Security -- creating a daunting number of committees with jurisdiction over critical infrastructure matters. Few Members of Congress have detailed knowledge of homeland security and critical infrastructure protection issues despite being tasked with legislating on these very matters.
“The result is that policies often reflect the political priorities of the Member rather than genuine national needs… Congress must consolidate oversight of homeland security [and] simultaneously, Congress needs to develop an ‘in-house’ way to examine risk and threats to the nation based on scientifically acceptable risk methodologies.
“Legislating on imagination, as opposed to risk, has all too often led to costly, economically crippling measures, such as the 100 percent scanning mandate, that do little to add to the security of the nation,” McNeill and Weitz conclude.
“Without resolving these challenges, it will be difficult for the Administration to make any real progress toward building an effective national enterprise capable of handling tangible threats to truly critical infrastructure.”

