Sunday, November 23rd, 2014

The Obameter

Make security part of new infrastructure design


"Will ensure that security is considered and built into the design of new infrastructure, so that our critical assets are protected from the start and more resilient to naturally-occurring and deliberate threats throughout their life-cycle."


Updates

A deliberate move toward "resilience" in infrastructure

It's been a slow process, but the Obama administration is accelerating steps toward fortifying the nation's critical infrastructure.

During the 2008 presidential campaign, Barack Obama promised to make sure that "security is considered and built into the design of new infrastructure, so that our critical assets are protected from the start and more resilient to naturally-occurring and deliberate threats throughout their life-cycle."

"Critical infrastructure” is defined by the PATRIOT Act of 2001 as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” These can range from the electrical grid and water systems to highways and airports.

Meanwhile, the definition of "resilience” may be even more important for analyzing this promise.

Various government reports have used somewhat different definitions for "resilience,” but one of the broadest was offered in an August 2009 report by the Homeland Security Studies and Analysis Institute, a federally funded research institute. The institute's definition used three "mutually reinforcing objectives.” One was the ability to avoid hazards altogether; the second was the ability to "bend but not break” in the face of threats; and the third was the ease with which service can be restored after damage occurs.

Defining "resilience” matters because it goes a step beyond "protection,” which is the basis for one of the key federal documents that governs critical infrastructure -- Homeland Security Presidential Directive 7, signed by President George W. Bush on Dec. 17, 2003.

Initially, resilience took a back seat under Obama. "Most infrastructure projects initiated as a part of the economic stimulus efforts in 2009 were undertaken without the addition of any new requirements that infrastructure be more resilient in the face of manmade and naturally occurring dangers -- these ‘shovel-ready' projects were completed using pre-existing construction criteria,” said Stephen Flynn, the founding co-director of the George J. Kostas Research Institute for Homeland Security at Northeastern University.

But that's changing. The White House appears to be redrafting this directive so that it includes the standard of "resilience," and the homeland-security page on the White House website says that "ensuring the resilience of our critical infrastructure is vital to homeland security. Working with the private sector and government partners at all levels will develop an effective, holistic, critical infrastructure protection and resiliency plan that centers on investments in business, technology, civil society, government, and education.”

How has the funding gone? Spending on "infrastructure protection and information security” in the Department of Homeland Security budget has fluctuated from year to year, but it was $52 million -- or 6 percent -- higher in fiscal year 2012 than it was in fiscal year 2009, and the administration has requested a 31 percent bump for fiscal year 2013 compared to fiscal 2012.

The administration cites several areas of progress on improving the resilience of critical infrastructure, such as efforts by the Coast Guard in the wake of the April 2010 BP Deepwater Horizon oil spill to add a layer of risk-based security for offshore drilling units on the U.S. Outer Continental Shelf, and more than 680 assessments of critical infrastructure sites by DHS officials.

We should note, as we did in our previous update, that critical infrastructure goes well beyond the reach of the federal government, since most pieces of it are owned and operated by either the private sector or by states and localities. So while the Obama administration can provide guidance and funding, other levels of government and the private sector are the ones who have to carry out the necessary upgrades.

Making the nation's critical infrastructure more resilient will be a years-long, or even decades-long, process, but the administration has moved the ball forward. We rate this a Compromise.

Sources:

Department of Homeland Security, Homeland Security Presidential Directive 7, accessed Dec. 18, 2012

White House, homeland security home page, accessed Dec. 18, 2012

Government Accountability Office, "Critical Infrastructure Protection: Update to National Infrastructure Protection Plan Includes Increased Emphasis on Risk Management and Resilience,” March 2010

Department of Homeland Security, main budget page, accessed Dec. 18, 2012

National Infrastructure Advisory Council, "Critical Infrastructure Resilience: Final Report and Recommendations,” Sept. 8, 2009

American Public Works Association, "APWA Emergency Management Committee Meets in D.C.,” April 2012

Email interview with Stephen Flynn, the founding co-director of the George J. Kostas Research Institute for Homeland Security at Northeastern University, Dec. 18, 2012

Lots going on with critical infrastructure protection

During the presidential campaign, Barack Obama said that his administration will work to "ensure that security is considered and built into the design of new infrastructure, so that our critical assets are protected from the start and more resilient to naturally occurring and deliberate threats throughout their life cycle."

Rating this promise is tricky. Tim Clancy of George Mason University's Center for Infrastructure Protection said that the promise "goes well beyond the reach of the federal government, given that most infrastructures are owned and operated by the private sector," he said. "Construction of infrastructures in certain sectors such as transportation (roads, bridges, public transit systems) are dependent on federal funding but are built by states and localities, while some are only partially so (electrical grid) and others not at all (IT networks and manufacturing plants, for example)."

In addition, Obama's promise appears to be forward-looking -- specifically, improving the robustness of newly built or installed infrastructure. By contrast, most of what the Department of Homeland Security has been focusing on in recent years addresses retroactive efforts to assess and protect existing infrastructure.

Finally, any project to revamp the security of major infrastructure assets is inevitably going to take years, if not decades. So it's a bit unfair to expect miracles from any administration in one year.

Still, we'll take a look at what has been done so far.

Late in the Bush administration, the Department of Homeland Security issued the 2009 version of the National Infrastructure Protection Plan, which provides a strategy for assuring "a safer, more secure, and more resilient America by preventing, deterring, neutralizing, or mitigating the effects of deliberate efforts by terrorists to destroy, incapacitate, or exploit elements of our nation's [critical infrastructure and key resources, or CIKR] and to strengthen national preparedness, timely response, and rapid recovery of CIKR in the event of an attack, natural disaster, or other emergency."

It was the first update to the plan in three years, and it is now the Obama administration's job to put it into practice.

The administration has advanced the ball in critical infrastructure protection in a number of areas, Clancy said.

In Homeland Security's annual budget, the line item for Infrastructure Protection and Information Security has grown from nearly $807 million in fiscal year 2009 to $899 million for fiscal year 2010. That's less than the $918 million requested by the Obama administration, but still a healthy increase of about 11 percent over the prior year's amount.

The final appropriations bill did specify that $20 million be spent on the National Infrastructure Simulation and Analysis Center, whose congressionally mandated mission -- to be a "source of national expertise to address critical infrastructure protection” research and analysis -- is in tune with the president's promise.

In addition, Homeland Security Secretary Janet Napolitano announced Infrastructure Protection Program grants in excess of $1 billion in fiscal year 2009 and deployed 93 "protective security advisers" to assist with efforts by states and localities to protect critical infrastructure.

Clancy added that the economic stimulus bill passed in February 2009 provided funding through the Energy Department to advance a new "smart grid” that would eventually become a next-generation North American electrical grid, including improved security features. "I think the administration should get credit for that," Clancy said. "It"s going to take many years to evolve to a smart grid, but in year one, the administration demonstrated they would follow through."

On the cyber infrastructure side, the administration undertook a Cyber Policy Review before encountering a delay over an appointment of a permanent cybersecurity "czar,” Clancy said.

All this adds up to a lot of activity on critical infrastructure protection, though with few details yet on how improvements will specifically be "built into the design of new infrastructure." Still, it's enough to call this promise In the Works.

Sources:

Department of Homeland Security, "Budget in Brief" for fiscal year 2010, accessed Jan. 13, 2010

 

THOMAS, text of the Department of Homeland Security Appropriations Act of 2010 (H.R. 2892)

 

Department of Homeland Security, "National Infrastructure Protection Plan: Partnering to Enhance Protection and Resiliency," 2009

 

Department of Homeland Security, "Progress in Implementing 9/11 Commission Recommendations Guarding Against Terrorism and Ensuring Transportation Safety" (news release), July 22, 2009

 

Department of Homeland Security, web page on the National Infrastructure Simulation and Analysis Center, accessed Jan. 13, 2010

 

Sandia National Laboratory, web page on the National Infrastructure Simulation and Analysis Center, accessed Jan. 13, 2010

 

Wall Street Journal, "Security Cyber Czar Steps Down," Aug. 4, 2009

 

E-mail interview with Tim Clancy, George Mason University's Center for Infrastructure Protection, Jan. 13, 2010