Sharpening the Focus on Critical Infrastructure, Cybersecurity and Interdependencies
Bob Kolasky of the DHS discusses the new National Infrastructure Protection Plan and other important aspects of critical infrastructure protection.
Bob Kolasky serves as director of strategy and policy for the U.S. Department of Homeland Security’s (DHS) Office of Infrastructure Protection. He leads initiatives and policy activities to help integrate cyber and physical risk management efforts with critical infrastructure owners and operators, and to improve infrastructure resilience in the face of terrorism, climate change and other risks.
Kolasky’s career focus has been on analyzing issues related to homeland security strategy, planning and policy. Kolasky joined the federal government following his graduation from the Harvard Kennedy School in 2002. Kolasky provided written responses to questions about the new National Infrastructure Protection Plan (NIPP) and other important aspects of critical infrastructure protection including cybersecurity and climate change.
Question: What was the impetus for the rewrite of NIPP and the creation of a new 2013 document?
Answer: In the face of the nation’s evolving risk, President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive (PPD) 21 on Critical Infrastructure Security and Resilience, in February 2013. These policies highlight the need to augment our existing focus on managing critical infrastructure risk through physical protective measures with more emphasis on strengthening security and resilience across interrelated systems.
PPD-21 mandated the update to NIPP. Since the previous NIPP was revised in 2009, growing interdependencies across infrastructure systems, particularly reliance on information and communications technologies, have produced new vulnerabilities to physical and cyber threats.
The new plan, NIPP 2013, guides efforts across the critical infrastructure community to enhance security and resilience in conjunction with national preparedness policy.
What were the significant changes made from previous editions of NIPP?
NIPP 2013 is informed by the evolution of the infrastructure risk, policy and operating environments, as well as experience gained and lessons learned from exercises and real-world events, such as Sandy and various cyberincidents. The 2013 plan lays out an enterprise approach to risk management that incorporates cyber and physical security and resilience measures. It also builds on previous plans by emphasizing how security and resilience complement efforts to reduce critical infrastructure risk. In so doing, it builds on the risk management framework introduced in the 2006 NIPP and emphasizes the role of information sharing while still leaving the principle mechanism for managing critical infrastructure risk — voluntary public-private partnerships — intact.
With critical infrastructure mostly owned by the private sector, do you influence the private sector to expend resources to protect that infrastructure when such an investment detracts from the bottom line?
NIPP calls for a proactive and inclusive partnership among all levels of government and the private sector to take advantage of existing capabilities and to develop new ones. Ultimately it is the responsibility of individual organizations to secure and ensure the physical and economic resilience of their assets and facilities. That said, NIPP partnership structure provides a framework for the government and private-sector collaboration to increase efficiency and effectiveness.
With a new emphasis on cybersecurity, what have you found works best in getting public and private enterprises to coordinate and share information before and during an attack?
In response to PPD-21, the National Institute of Standards and Technology developed a voluntary framework for reducing cyber risks. The Cybersecurity Framework consists of standards, guidelines and best practices for promoting critical infrastructure protection and assisting owners and operators in managing cyber-related risks.
To support adoption of the framework, DHS has established the C3 Voluntary Program. The program emphasizes three Cs:
- Converging critical infrastructure community resources to support cybersecurity risk management and resilience through use of the framework;
- Connecting critical infrastructure stakeholders to the national resilience effort through cybersecurity resilience advocacy, engagement and awareness; and
- Coordinating critical infrastructure cross-sector efforts to maximize national cybersecurity resilience.
The voluntary program will serve as the point of coordination within the federal government to leverage and enhance existing capabilities and resources to promote use of the Cybersecurity Framework. The voluntary program will link critical infrastructure owners and operators to DHS and other federal government programs and resources, including the Cyber Resilience Review. It will assist organizations interested in conducting risk assessments, and stakeholder rollout kits to assist organizations with outreach to colleagues and customers about the C3 Voluntary Program.
What role will climate change play in critical infrastructure, and how are climate adaptation strategies being pursued to counter a rapidly changing world?
Addressing the potential impacts of climate change is a component of managing the complex and interdependent risks that we face as a nation. Over the past several decades, there has been a heightened focus on changing waterways, shifting temperature patterns, air quality conditions, lost land and extreme weather events, and how these issues can affect the environment, economy, national security and overall public well-being.
While discussions of climate change have often focused on impacts to natural environments, climate and weather events can also directly affect services people rely on, such as water, energy, transportation, communications and emergency services. Critical infrastructure is subject to a wide variety of natural phenomena and is typically designed to withstand the weather-related stressors of a particular locality.
But shifts in climate patterns increase the range of potential risks that critical infrastructure faces. Most infrastructure being built today is expected to last for 50 years or longer. Therefore, it is important to understand how future climate might affect these investments in the coming decades.
How did Sandy impact revisions to NIPP?
Sandy revealed a number of infrastructure-related insights that helped contextualize the revisions to NIPP 2013. The storm affected critical infrastructure in unprecedented and unexpected ways, demonstrating how interdependencies between infrastructure systems can magnify impacts and delay restoration, and underscoring how preplanning, coordination and improved building approaches can ease effects.
Following the storm, communications, energy, transportation, water and wastewater systems were inoperable or severely degraded for weeks and months following the storm. Additionally, Sandy demonstrated the importance of regional partnerships in response and recovery efforts and the value of trusted relationships between public and private organizations, without which the nation’s response to the storm would have been measurably worse.
What tactics do you recommend for addressing infrastructures that cross state boundaries and are typically not coordinated with multiple government agencies?
Not all state and local stakeholders have aligned interests and concerns, and the tactics vary considerably for best coordinating across local, state and regional boundaries. However, trusted partnership and information sharing represent valuable mechanisms for enhancing coordination among various stakeholders.
In addition to the national partnership structure articulated in the NIPP 2013 and the information sharing tools I described previously, there are a number of state, local and regional efforts that seek to coordinate effectively across jurisdictional boundaries.
At the regional level, the All Hazards Consortium is a partnership across the states and cities of North Carolina, the District of Columbia, Maryland, Virginia, West Virginia, Delaware, Pennsylvania, New Jersey and New York focused on homeland security, emergency management and business continuity issues.