Critical Infrastructure Protection: History, Overview & Update

by Kay C. Goss

On 30 July 2014, the Federal Emergency Management Agency (FEMA) released the National Protection Framework, the last in a series of five frameworks. The National Planning Frameworks describe how the whole community works together to achieve the National Preparedness Goal (released in September 2011), which serves as the cornerstone for implementing Presidential Policy Directive 8 on national preparedness (signed by President Barack Obama on 30 March 2011). The national goal is, “A secure and resilient nation with the capabilities required across the whole community to prevent, protect against, mitigate, respond to, and recover from the threats and hazards that pose the greatest risk.”

The five frameworks, which highlight the roles and responsibilities “from the fire house to the White House,” are part of the National Preparedness System, with one framework for each of the following preparedness mission areas:

Placing an Emphasis on Critical Infrastructure

Critical infrastructure protection has long been a priority in the United States. However, most of this vital protection planning remained classified as a function of the federal government. After the Oklahoma City bombing and the Omnibus Counterterrorism Act of 1995, many agencies and organizations became aware of, and engaged in, the protection planning process.

In May 1998, President William Jefferson Clinton solidified and defined the new emphasis and challenge by issuing Presidential Decision Directive 63 (PDD-63), which recognized parts of the national infrastructure as critical to the national and economic security of the United States, and required steps to be taken to protect it. The basic guidelines and general principles the president enunciated in PDD-63 to protect this infrastructure included:

  • Consult with, and seek input from, Congress on approaches and programs;
  • Share responsibilities and partnerships between owners, operators, and the government, and encourage international cooperation;
  • Make frequent assessments of critical infrastructures’ existing reliability, vulnerability, and environment because, as technology and the nature of threats to critical infrastructures continue to change, protective measures and responses must be able to adapt;
  • Use market incentives as the first choice for addressing the problem of critical infrastructure protection; use regulation only if there is a failure to protect the health, safety, or wellbeing of U.S. citizens and, in such cases, identify and assess available alternatives to direct regulation, which include providing economic incentives to encourage the desired behavior or information to help the private sector make decisions;
  • Make available the full authorities, capabilities, and resources of the government, including law enforcement, regulation, foreign intelligence, and defense preparedness to ensure critical infrastructure protection;
  • Respect privacy rights – consumers and operators must have confidence that information will be handled accurately, confidentially, and reliably;
  • Encourage – through research, development, and procurement – the introduction of increasingly capable methods of infrastructure protection;
  • Serve as a model to the private sector of how infrastructure assurance is best achieved and distribute results;
  • Focus on preventative measures as well as threat and crisis management; encourage private sector owners and operators to provide maximum feasible security for the infrastructures they control and to provide the government necessary information to assist on a voluntary basis; and
  • Take into consideration the essential needs, activities, and responsibilities of state and local governments and first responders.

PDD-63 was updated on 17 December 2003 by President George W. Bush through Homeland Security Presidential Directive 7 for critical infrastructure identification, prioritization, and protection, which stated that some critical infrastructure is “so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety.” This critical infrastructure now includes 16 sectors: chemical; communications; dams; emergency services; financial services; government facilities; information technology; transportation; commercial facilities; critical manufacturing; defense industries; energy; food/agriculture; healthcare/public health; nuclear reactors/waste; and water/wastewater.

Redefining the Federal Government’s Role

On 12 February 2013, the White House released Presidential Policy Directive 21 (PPD-21), which outlined and emphasized the federal role in critical infrastructure protection – especially the leadership of the U.S. Department of Homeland Security – and set three overarching strategic imperatives:

  • “Refine and clarify functional relationships across the federal government to advance the national unity of effort to strengthen critical infrastructure security and resilience”;
  • “Enable efficient information exchange by identifying baseline data and systems requirements for the federal government”; and
  • “Implement an integration and analysis function to inform planning and operational decisions regarding critical infrastructure.”

To strengthen critical infrastructure, the U.S. Department of Homeland Security operates two national critical infrastructure centers – one for physical infrastructure and another for cyber infrastructure – that function in an integrated manner and serve as focal points for critical infrastructure partners to obtain situational awareness and integrated, actionable information to protect critical infrastructure. Their effectiveness depends on the quality and timeliness of information and intelligence they receive from the federal departments and agencies, critical infrastructure owners and operators, and state, local, tribal, and territorial entities.

In case of a disruption in the primary systems, the goal is “to enable efficient information exchange through the identification of requirements for data and information formats and accessibility, system interoperability, and redundant systems and alternate capabilities.” PPD-21 recognized that information sharing within the government and with the private sector needed to increase, while also respecting privacy and civil liberties.

The integration and analysis function resides at the intersection of the two national centers, including the capability to collate, assess, and integrate vulnerability and consequence information with threat streams and hazard information. According to this directive, such integration and analysis would:

  • Aid in prioritizing assets and managing risks to critical infrastructure;
  • Anticipate interdependencies and cascading impacts;
  • Recommend security and resilience measures for critical infrastructure prior to, during, and after an event or incident; and
  • Support incident management and restoration efforts related to critical infrastructure.

Emphasizing Capabilities

The new Protection Framework covers a vast array of capabilities necessary to secure the nation against all hazards and disasters, with key distinctions between protection, prevention, and mitigation. For example, protection covers activities related to all kinds of hazards, while prevention applies only to activities related to imminent terrorist threats. In addition, protection focuses on everyday activities to promote security and threat deterrence, while mitigation focuses on everyday activities to create resilience. The mission activities listed in the Protection Framework are classified into three broad categories:

  • Community and infrastructure protection – including cyber security, defense against weapons of mass destruction threats, defense of agriculture and food, and health security;
  • Transportation and trans-border security – including border security, immigration security, maritime security, and transportation security; and
  • Protection of key leadership and events.

The Protection Framework describes each of its 11 core capabilities and lists critical tasks for each one:

  • Planning – Implement security, protection, resilience, and continuity plans and programs, train and exercise, and take corrective actions;
  • Public information and warning – Determine requirements for protection stakeholder information and information sharing;
  • Operational coordination – Determine jurisdictional priorities, objectives, strategies, and resource allocations;
  • Intelligence and information sharing – Adhere to appropriate mechanisms for safeguarding sensitive and classified information;
  • Interdiction and disruption – Prevent movement and operation of terrorists into or within the United States and its territories;
  • Screening, search, and detection – Develop and engage an observant nation, including individuals, families, communities, and local, state, tribal and territorial government, and private sector partners;
  • Access control and identity verification – Control and limit access to critical locations and systems to authorized individuals carrying out legitimate activities;
  • Cyber security – Detect malicious activity and conduct technical countermeasures and mitigation activities;
  • Physical protective measures – Implement security training for workers, focused on awareness and response;
  • Risk management for protection programs and activities – Identify, implement, and monitor risk management plans; and
  • Supply chain integrity and security – Analyze key dependencies and interdependencies related to supply chain operations.

Thus, the new Protection Framework provides individual, community, private sector, nongovernmental organizations, and government decision makers with an understanding of the spectrum of protection activities “to create conditions for a safer, more secure, and more resilient nation by enhancing protection through cooperation and collaboration.”

FEMA guidance in implementing the National Protection Framework is for the whole community to unite and to build national preparedness. “Partners are encouraged to develop a shared understanding of broad-level strategic implications as they make critical decisions in building future capacity and capability. The whole community should be engaged in examining and implementing the unifying principles and doctrine contained in this framework, considering both current and future requirements in the process.”

These planning and preparedness frameworks provide a strong foundation for all levels of government and all aspects of the private and nonprofit sectors to work together in the protection mission. It is the shared responsibility of everybody – not just law enforcement, emergency management, or homeland security – to protect against potential hazards and disasters as reflected in the December 2011 Strategic National Risk Assessment: aircraft as a weapon; animal disease outbreak; armed assault; biological attack (non-food); biological food contamination; chemical attack (non-food); chemical substance spill or release; chemical/biological food contamination attack; cyber attack against data; cyber attack against physical infrastructure; dam failure; earthquake; explosives attack; flood; human pandemic; hurricane; nuclear attack; radiological attack; radiological substance release; space weather; tsunami; volcanic eruption; and wildfire.

Kay C. Goss, CEM®, is executive in residence at the University of Arkansas and the chief executive officer for GC Barnes Group, LLC. Previous positions include: president at World Disaster Management, LLC (2011-2013); senior principal and senior advisor of emergency management and continuity programs at SRA International (2007-2011); senior advisor of emergency management, homeland security, and business security at Electronic Data Systems (2001-2007); associate Federal Emergency Management Agency director in charge of national preparedness, training, and exercises, appointed by President William Jefferson Clinton (1993-2001); senior assistant to the governor for intergovernmental relations, Governor William Jefferson Clinton (1982-1993); chief deputy state auditor at the Arkansas State Capitol (1981-1982); project director at the Association of Arkansas Counties (1979-1981); research director at the Arkansas State Constitutional Convention, Arkansas State Capitol (1979); project director of the Educational Finance Study Commission, Arkansas General Assembly, Arkansas State Capitol (1977-1979).