WHO? The Department of Homeland Security.
WHAT? Was assigned the core mission of critical infrastructure protection from its founding.
WHEN? Concern for US critical infrastructure stems directly from the 1998 Tokyo Subway Attacks.
WHERE? As predicted in 1997, cyber-attack can be mounted from anywhere in the world.
WHY? The basic concern is subverting critical infrastructure to create WMD effects without WMD.
Certainly, the 1995 Tokyo Subway Attacks raised the specter of terrorist WMD attacks. They also raised concern about attacks against critical infrastructure. As 9/11 later demonstrated, subverting critical infrastructure can achieve WMD effects without the use of WMD. So, what is critical infrastructure? It is the set of basic services needed to sustain society. Societies are human organizations. Critical infrastructure sustains human organization. What constitutes critical infrastructure depends upon the complexity of the society. Nomadic and agrarian societies require less critical infrastructure than urban societies. For American society, Presidential Policy Directive #21 identifies 16 critical infrastructure sectors.
1. Chemical
2. Commercial Facilities
3. Communications
4. Critical Manufacturing
5. Dams
6. Defense Industrial Base
7. Emergency Services
8. Energy
9. Financial Services
10. Food & Agriculture
11. Government Facilities
12. Healthcare & Public Health
13. Information Technology
14. Nuclear Reactors, Materials, & Waste
15. Transportation Systems
16. Water & Wastewater Systems
PPD-21 in 2013 was only the most recent executive guidance on critical infrastructure protection. The first executive guidance on critical infrastructure protection was PDD-63, issued in 1998. Following the 1995 Tokyo Subway Attacks, President Clinton commissioned a panel to examine the vulnerability of US critical infrastructure to similar attack. The final report, released in October 1997, said that US infrastructure was secure, but then made an incredible prediction regarding its future security. The President’s Commission predicted that cost-saving measures connecting more industries to the Internet might eventually make them vulnerable to cyber-attack. What made the prediction incredible was that the Internet was still in its relative infancy, with no more than 70 million users worldwide in 1997. That’s compared to 4.2 billion users worldwide today.
President Clinton took no chances and issued Presidential Decision Directive #63 in May 1998, directing his administration on critical infrastructure protection from both physical and virtual attack. The guidance was too little, too late, and was unable to protect the transportation sector on 9/11. However, PDD-63 was the blueprint when critical infrastructure protection became a DHS mission: it became the blueprint for the DHS National Infrastructure Protection Plan. Although the plan has been revised, it remains basically the same as when first issued in 2006.
The plan consists of two parts: 1) an organization, and 2) a process. The organization consists of Sector Coordinating Councils, one for each infrastructure sector. Each SCC is made up of government and industry representatives. Their purpose is to collect information, analyze data, and share insights on how to protect their different sectors. Each sector is guided by a process called the Risk Management Framework. The RMF is a continuous improvement process that begins by identifying critical infrastructure. The RMF then steps infrastructure owners through a process of identifying protective measures, performing cost-benefit analysis to select measures, implementing measures, then analyzing results.
It sounds very simple and straightforward, but it’s not. Security costs money and eats into profits. DHS Homeland Security Grant Programs can’t pay industry for protective improvements. In the absence of Federal funding, the National Infrastructure Protection Plan has met with limited success.