Critical Infrastructure Protection
The mission of the Department of Homeland Security is to prevent terrorist acts within the United States, reduce the vulnerability of the United States to terrorist attacks, and reduce the damage to the United States if a terrorist attack does occur. Since the department's inception in 2003, the Department of Homeland Security has had a component in place to support its mission and has been a member of the U.S. Intelligence Community. In July of 2005, DHS was reorganized in what was called the Second Stage Review, or “2SR”. The former Secretary of DHS, Michael Chertoff, established a strengthened Office of Intelligence and Analysis (I&A) and made the Assistant Secretary for Information Analysis the Chief Executive Officer for that department. He also tasked I&A with ensuring that intelligence is coordinated, fused, and analyzed within the Department to provide a common operational picture; providing a primary connection between DHS and the IC as a whole; and acting as a primary source of information for state, local and private sector partners.
The Homeland Security Act of 2002 assigned the original DHS intelligence component—the Directorate of Information Analysis and Infrastructure Protection—with responsibility to receive, analyze, and integrate law enforcement and intelligence information in order to— “(A) identify and assess the nature and scope of terrorist threats to the homeland; (B) detect and identify threats of terrorism against the United States; and (C) understand such threats in light of actual and potential vulnerabilities of the homeland.” Congress also made information sharing a top priority of the new DHS intelligence organization, requiring it “to disseminate, as appropriate, information analyzed by the Department within the Department, to other agencies of the Federal government with responsibilities related to homeland security, and to agencies of State and local government and private sector entities, with such responsibilities in order to assist in the deterrence, prevention, preemption of, or response to, terrorist attacks against the United States” (Randol, 2010).
A critical infrastructure is defined as any facility, system, or function which provides the foundation for national security, governance, economic vitality, reputation, and way of life. In short, critical infrastructure is by definition essential for the survival of the nation. The US Patriot Act defines it as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” FEMA defines critical infrastructure as “personnel, physical assets, and communication (cyber) systems that must be intact and operational 24x7x365 in order to ensure survivability, continuity of operations, and mission success, or in other words, the essential people, equipment, and systems needed to deter or mitigate the catastrophic results of disasters.”
Critical Infrastructure Protection (CIP) consists of all proactive activities to protect indispensable people, physical assets, and systems (especially communications or cyber systems), guided by a systematic and reliable decision-making process that helps leaders determine exactly what needs protection, where, and how. It is proactive in the same sense that mitigation in emergency management is proactive, and it goes beyond normal security and defensive postures. The basic steps of CIP consist of: identifying the critical infrastructures, determining the threats against those infrastructures, analyzing the vulnerabilities of threatened infrastructures, assessing the risks of degradation or loss of a critical infrastructure, and applying countermeasures where risk is unacceptable (“The Safety”, 2014). Within the Department of Defense, a streamlined command and control structure and growth of the cyber force in size and skills, including offensive capabilities, are required to effectively operate as well as to provide some deterrent to attack.
Meanwhile, legal code for cybersecurity has not kept pace with technological developments. Comprehensive cybersecurity legislation is required—beginning with mandatory participation of critical infrastructure owners and operators in federal information-sharing programs in a way that incorporates appropriate safeguards for industry liability and citizen privacy—in order to completely bridge the current public-private division of responsibilities for collective defense. Cybersecurity has grown to be a key issue for the administration and indeed for the nation in the last several years even though concern for the integrity of Critical Infrastructure (CI) functions was evident in the 1990s. For CI, which includes a range of sensitive data and performs valuable functions that support the health, safety, and economic vitality of our modern nation, the growth of networked connections in cyberspace has meant the introduction of new threat vectors to systems that were not designed to securely connect to today’s Internet.
Because improving the cybersecurity of CI encompasses such a large body of work, widely distributed across government and private sector entities, unity of effort is difficult to achieve. President Obama admits that “when it comes to cybersecurity, federal agencies have overlapping missions and don’t coordinate and communicate nearly as well as they should – with each other or with the private sector” (La Bash and Landis, 2013). The vulnerability that should concern IS professionals who protect U.S. critical infrastructure is the lack of a system that would advise them of current, present, and future vulnerabilities. Such a system would be able to provide early indicators of vulnerability. In order to accomplish this task, a survey of all operations should be undertaken.
The survey should include: General Administrative Information; Management Awareness and Control Programs; Identification of Hazards/Potential Crises; and Business Characterization. The ultimate benefits to be gained from this type of survey are in terms of identifying areas in need of attention, establishing a list of potential crisis situations, determining what commitments your organization is comfortable with, and documenting current efforts. Once the survey program has been developed and implemented, it must be evaluated and kept up to date. This can be accomplished by reviewing actual responses and by conducting a detailed audit of each element of the business. The survey program is the initial step toward reducing vulnerability.
Next, you must organize the operation. The management chain is critical to this process. You must ensure that all levels of management become part of the program (Sikich, 1998). Make a senior manager directly responsible to top management and the board of directors. The formal assignment of a senior manager to the position of “Crisis Management Programs, Director,” or some other appropriate title, can accomplish the initial portion of this item. Set aside specific time for reports on crisis management preparedness issues. This can be accomplished by preparing an agenda for senior staff and board of directors meetings that includes a discussion of crisis management preparedness as a mandatory item. You have to give it more than lip service, though, and you must make the discussion substantive. Provide more than the dull and tiring statistics on reportable accidents, etc. Communicate compliance through all levels of the organization through company policy and procedures. This can be accomplished through formal adoption of policy at the highest levels of the company.
The Protecting Cyberspace as a National Asset Act was introduced last June by Sen. Joseph Lieberman (I-Conn.) and revised in December by the Senate Committee on Homeland Security and Governmental Affairs. It calls for the formation of a National Center for Cybersecurity and Communications (NCCC) within the U.S. Department of Homeland Security (DHS) that would be responsible for protecting both federal computer networks and critical infrastructure owned by the private sector against cyber attacks.
Although the White House already has broad wartime powers, making aspects of the proposed act redundant, opposition to the bill has centered on its provision to give the federal government the authority to define what is meant by “critical infrastructure.” According to the bill the government can “take measures to protect any computer system whose destruction or disruption of reliable operation would cause national or regional catastrophic effects.” This could include cutting off the system from the Internet. Owners of facilities labeled as critical infrastructure would be notified as soon as this designation is made. An owner could appeal this designation but, as the bill is currently written, the government would make the final decision to disconnect, which is not subject to judicial review (Greenemeier, 2011).
Greenemeier, L. (2011). What is the Best Way to Protect U.S. Critical Infrastructure from a Cyber Attack? Retrieved from http://www.scientificamerican.com
La Bash, M. and Landis, C. (2013, August). Legal, Policy, and Organizational Impediments to the Protection of Critical Infrastructure from Cyber Threats. Retrieved from http://www.cmu.edu/mits/files/mits2-paths.com
Randol, M. (2010, March). The Department of Homeland Security Intelligence Enterprise: Operational Overview and Oversight Challenges for Congress. Retrieved from http://fas.org/sgp/crs/homesec/R40602.pdf
Sikich, G. (1998). Critical Infrastructure Vulnerability. Retrieved from http://www.disaster-resource.com
The Safety and Security of Critical Infrastructure. (2014, January). Retrieved from http://www.drtomoconnor.com/3430/3430lecto1a.htm