by John A. McCarthy
Events in recent history like Y2K, the September 11th terrorist attacks and concerns about subsequent attacks, and the devastating effects from natural disasters, as seen with Hurricane Katrina in 2005, have resulted in increased interaction between the government and the private sector in the United States. With roughly 85% of the Nation's critical infrastructure owned and operated by the private sector, the Federal government saw a need to engage the private sector as a partner.
Owners and operators of the nation's 17 critical infrastructure/key resource (CI/KR)[1] assets and the Federal departments and agencies charged with regulating those assets have been considering security issues for many years. Often, however, they were operating on separate paths or with little communication between the public and private entities. Recognizing the need to draw upon expertise found in the private sector, and the difficulty of integrating multiple governmental agencies and the private sector, the Department of Homeland Security (DHS) proposed a sector partnership model that includes broad-based industry representative groups called sector coordinating councils (SCCs), and corresponding government coordinating councils (GCCs). Each of the critical infrastructure sectors would have an SCC and GCC to work collaboratively on homeland security issues. The private sector encouraged the creation of GCCs to decrease the amount of duplicative efforts and initiatives that were coming from government departments and agencies with similar and related missions and areas of authority. The Interim National Infrastructure Protection Plan (NIPP), released in February 2005, initially outlined how the partnership model could be constructed.
As part of this initiative, the George Mason University Critical Infrastructure Protection (CIP) Program is providing administrative and analytical secretariat support to six of the sector coordinating councils: Food and Agriculture; Water; Dams, Locks and Levees; Healthcare; Commercial Facilities; and Oil and Natural Gas.
The CIP Program at George Mason University, School of Law is designed to integrate law, policy, and technology to enhance the security of cyber-networks, physical systems and economic processes supporting the nation's critical infrastructures. The program, originally called the CIP Project, received initial funding in 2002 from the Federal government, which was renewed through the current fiscal year. Managed through the National Institute of Standards and Technology (NIST), the grant is used to fund basic and applied research, as well as support information and outreach activities related to the key components of the national research agenda. Among the many topics explored, key areas of focus have been cyber security, physical security, information sharing between public and private sectors, regional, state and local issues, and privacy concerns. The project has expanded to address unexplored areas of critical infrastructure protection. By 2004, the CIP grant had evolved into a family of projects under the overall umbrella of the CIP Program.
The Private Sector Programs (PSP) was established in December 2003 within the CIP Program to provide analytical, academic and secretariat support on cross-sector and interdependency issues facing private sector owners and operators of critical infrastructure, as well as to help manage the interface with DHS. This work identifies legal, economic, business and cultural solutions to enable the private sector to enhance critical infrastructure protection both through private initiatives and interface with the federal government. PSP is funded through a contract with the Department of Homeland Security's Infrastructure Partnerships Division.
Sector Partnership Model
The National Infrastructure Advisory Council (NIAC) was established to provide advice to the Secretary of Homeland Security and the President on the security of information systems for the public and private institutions that constitute the critical infrastructure of our Nation's economy. It is composed of up to 30 members from industry, state and local government, and academia. During the summer of 2005, the NIAC established a Sector Partnership Model Working Group from a DHS-requested study and provided recommendations on its structure, function and implementation.
In October 2005, the Working Group presented its Initial Report and Findings to the NIAC[2], affirming the structure of the partnership model presented in the NIPP, and recommending key operating principles, including that the partnership be considered a collaboration of equals between the government and the private sector. The approach includes sector based and cross-sector partnerships.
Sector Level Partnerships
Each of the 17 critical infrastructure sectors identified in the NIPP is organizing a sector coordinating mechanism to act as a strategy and policy setting body. Some of these councils have existed for many years, such as the Financial Services Sector Coordinating Council, while others, like the Dams sector, are just now forming for the first time. The sector coordinating mechanism, a role envisioned in HSPD[3]-7, will act much like the designated sector coordinator named in 1998 in PDD[4]-63 Critical Infrastructure Protection.
HSPD-7 specifies that DHS and Sector-Specific Agencies (SSAs) (DOD[5], DOE[6], DOI[7], EPA[8], HHS[9], Treasury, USDA[10], etc.) shall collaborate with the private sector and continue to support sector-coordinating mechanisms:
(a) To identify, prioritize, and coordinate the protection of critical infrastructure and key resources; and
(b) To facilitate sharing of information about physical and cyber threats, vulnerabilities, incidents, potential protective measures, and best practices.
The SSAs, DHS, and other related Federal and State agencies have formed a Government Coordinating Council (GCC) to be a counterpart to the private sector entities. In each critical infrastructure sector, the two groups meet together frequently to coordinate activities and plans, and to share information. The PSP also assists the SCCs in working with the cross-sector council, PCIS[11]. With the private sector's input, these bodies are making recommendations to foster the most beneficial public-private relationship with the DHS and SSAs.
Cross Sector Coordination
The cross sector coordinating council was established to address common and cross sector concerns of the private sector as well as being the key private sector group providing input into the NIPP development. The Partnership for Critical Infrastructure Security (PCIS) formed in 2000 and was comprised of the designated Sector Coordinators, a role identified in 1998 in Presidential Decision Directive - 63 Critical Infrastructure Protection. Subsequently, PCIS has reorganized to align itself with the new roles of sector coordinating mechanism envisioned in HSPD-7, and has been serving as the unofficial cross sector coordinating council. The Sector Coordinating Councils are the members of the cross sector group and are represented on the PCIS by the chair. Related to NIPP implementation, the cross-sector group is providing input to DHS on a number of issues that affect many sectors, including information sharing, physical and cyber security, and research and development.
The NIAC Sector Partnership Model Working Group affirmed the need for a counterpart to PCIS; a government cross-sector council is also to be comprised of the chairs of all the GCCs.
Obstacles for Successful Public Private Partnerships
Legal issues related to information sharing, and risk management and assessment have been of great concern to the private sector. Over many years, they have relayed these concerns to the government, and while some regulatory and programmatic changes have addressed some of them, the public-private partnership continues to work on providing protections to the private sector against liability or from public disclosure for participating in information sharing and risk assessments.
Strengthen the Protections of the PCII Program.
The Homeland Security Act of 2002 includes a provision which exempts protected critical infrastructure information from disclosure under the Freedom of Information Act (FOIA), and subsequently DHS established the Protected Critical Infrastructure Information (PCII) Program to encourage the private sector to share sensitive and proprietary business information about critical infrastructure with the federal government. Under this program, members of the private sector can voluntarily submit sensitive information to DHS with the assurance that DHS will protect that information. The regulations for the PCII program are very strict and require a specific request as well as additional information to justify keeping any shared information out of the public domain.
After considering feedback from private industry, DHS is seeking ways to improve protections under the PCII program. The private sector is primarily concerned about the extent to which the information it provides is disseminated within the government, the risks associated with producing the information, and other business and legal issues. In response, the NIAC Sector Partnership Model Working Group made recommendations to improve PCII and the Homeland Security Information Network (a web portal for sector) tools designed to address these issues.
There are other legal and economic hurdles to information sharing, including implications from the Sarbanes-Oxley Act, liability limitation techniques for information sharing, harmonizing domestic and international law, and economic incentives for industry to provide information to the government. In addition, antitrust issues, economic espionage and trade secrets, privacy, technology transfer, and state/local statutes enter into the picture.
This article discusses the partnership model for overall sector coordination. There are many other critical components to the public private partnership for critical infrastructure protection on the operational level. Information Sharing and Analysis Centers (ISACs), the new intelligence directorate at DHS, and the State, Local and regional organizations are important components which enhance national critical infrastructure protection. Each of these merits its own in-depth analysis and discussion.
NIAC recommendations for improved public-private partnerships and enhanced information sharing between the partners are important actions for successful public-private partnerships. The efforts by the private sector, DHS and other federal and state governments are intended to create an effective partnership at a level that has not existed before in this nation's history.
John A. McCarthy is Director and Principal Investigator of the Critical Infrastructure Protection (CIP) Program at the George Mason University School of Law, where he also holds a faculty appointment as Research Professor of Security Studies. A recognized thought leader within the information security policy and risk management arenas, he is considered an authority on critical infrastructure protection and business continuity management issues by industry and government practitioners alike.
[1] The 17 CI/KRs are Banking and Finance, Chemical, Commercial Facilities, Dams, Defense Industrial Base, Emergency Services, Energy, Food and Agriculture, Government Facilities, Information Technology, National Monuments and Icons, Nuclear, Postal and Shipping, Public Health and Healthcare, Telecommunications, Transportation, and Water.
[2] The Sector Partnership Model Working Group Initial Report and Findings is available on line at http://www.dhs.gov/dhspublic/interweb/assetlibrary/NIAC_SectorPartnershipModelWorkingGroupUpdate_Oct05.pdf
[3] Homeland Security Presidential Directive
[4] Presidential Decision Directive
[5] Department of Defense
[6] Department of Energy
[7] Department of the Interior
[8] Environmental Protection Agency
[9] Health and Human Services
[10] United States Department of Agriculture
[11] Partnership for Critical Infrastructure Security