Homeland Security critical infrastructure effort proceeds unevenly
A national assessment of the country's critical infrastructure is taking shape, but the process has been hampered by uneven development across industry sectors and resistance from some private companies, according to government and industry officials.
The Homeland Security Department is responsible for creating a comprehensive strategy to protect the nation's critical infrastructure and recently issued self-assessment guides to the petroleum industry, said retired Marine Corps Lt. Gen. Frank Libutti, undersecretary of the department's information analysis and infrastructure protection directorate.
"We think we have a great partnership under way with key players and senior leadership in the infrastructure world," he said.
Homeland security and industry officials say developing a strategy to identify and protect the nation's critical infrastructure is difficult because up to 85 percent of it is owned and operated by private firms. Critical infrastructure includes: banking and financial institutions, energy and chemical sites, transportation, telecommunications, government facilities, dams, federal monuments and national icons.
"It's not an even playing field for everybody and we're trying to level the playing field," said Robert Liscouski, DHS assistant secretary for infrastructure protection.
A presidential directive issued in December requires DHS to complete a national plan for critical infrastructure and key resources protection by December 2004.
Liscouski said the financial services and information technology sectors are mature, and they began taking steps to map and protect their critical infrastructure before DHS was formed. He added that the department is evaluating assessments from the petroleum industry and is working with that sector to develop priorities and remedial actions to fix vulnerabilities.
He acknowledged, however, that some sectors are lagging.
"We're working closely with those sectors that are doing well," Liscouski said. "But we're really stressing those that are in the formative stages. The water sector is a good example, and the food and agricultural sectors. They require a lot of our attention and we're working very closely with them to develop their capabilities to share information and understand their vulnerabilities."
In turn, industry is seeking better guidance from DHS on what the department specifically considers to be critical infrastructure, said retired Navy Cmdr. Hank Chase, director of homeland security programs for ITS Corp., which consults industry on critical infrastructure protection needs.
Chase said DHS should issue a finite list of critical infrastructure as soon as possible, along with a better threat warning system and standards for connecting industry sectors during emergencies.
Without an exact list of critical infrastructure, companies might be misdirecting resources, and DHS grant money might be going to areas that do not have the greatest need, according to Chase.
"Grant money flew out of this town sort of willy-nilly without a lot of standardization requirements," Chase said. "That's money that probably could have been spent in better ways."
Democrats on the House Homeland Security Committee criticized DHS in a January report for not yet compiling a comprehensive list of the nation's critical infrastructure.
Chase said some companies are resisting efforts to identify their vulnerabilities, particularly those in the energy sector. These companies do not want to map their critical infrastructure and vulnerabilities for fear it will drive investors away or reveal secrets to competitors.
According to Chase, companies in highly competitive markets may not voluntarily map their critical infrastructure, leaving DHS no choice but to issue mandates.
"They are profit-oriented organizations and a lot of these guys are just sort of waiting and seeing," Chase said. "There hasn't been a whole lot done in terms of capital investments, and they probably aren't going to do it unless the federal government leans on them a little bit."
Senior DHS officials have said they will let private companies take the lead in most cases to protect critical infrastructure. Liscouski said some government mandates may be needed. He added that DHS would work with other federal agencies that have regulatory authority to issue mandates, such as the Nuclear Regulatory Commission when it comes to nuclear power plants.
"It depends upon the sectors. Where the regulatory authority exists, it can be exercised," Liscouski said. "But we believe the private sector is clearly stepping up to the plate to do what they have to do irrespective of regulations. It's always something that's out there.
"I think this administration is working very closely with the sectors and there are a number of legislative initiatives that are being considered," added Liscouski. "Right now, we're working very hard with all the sectors and my experience is that they're stepping up very responsibly to do what they have to do."
DHS also is required to ensure that all federal departments and agencies develop and submit plans for protecting their physical and cyber infrastructure to the Office of Management and Budget by July 2004.