The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets (NSPP) and associated U.S. Presidential Executive Orders, Acts, Directives and Policy Statements detail the overall homeland security strategy and call for private companies, as well as federal, state and local agencies, to identify critical infrastructure and assets.
When defining critical infrastructure protection as the strategies, policies and preparedness needed to protect, prevent and respond to attacks on sectors and key assets identified by the U.S. Office of Homeland Security, it is imperative that companies address the national plan for the physical protection of critical infrastructures and key assets in their business recovery and continuity plans.
The scope and complexity of critical infrastructure sectors can make it a daunting task to identify which specific assets are critical. Should it be the responsibility of the federal agencies to work with the private sector in identifying the specific infrastructures and critical assets essential to the government’s critical infrastructure protection, or vice versa?
Cooperation between entities
Some of the critical infrastructure sectors have already provided guidelines for private companies to identify their own critical assets. These guidelines are rooted in the risk management process, which seeks to identify and place value on each of the key assets of the organization (noting that these key assets can be people, facilities, services, processes and programs). Implementing guidelines can result in a measure of loss to the company if its assets are disrupted or destroyed. Most of these guidelines do not provide a specific basis for determining “criticality” in the broader economic or social welfare impacts as called for in federal critical infrastructure strategies. Clearly, it is a practical challenge to rely on private companies to identify critical assets in the context of national infrastructure security.
Private ownership of corporations limits government involvement with the corporation’s operations. Information Sharing and Analysis Centers (ISACs) were created in order to provide a model for public/private sector information sharing, particularly in the area of indications and warnings. Despite the creation of sector-focused ISACs, barriers still exist between the public and private sectors because business is motivated by profit. Some of the leading scholars in critical infrastructure protection development, such as Dr. Ted Lewis of the Naval Postgraduate School, contend that the government should think of dual-purpose solutions to make the enhancement of infrastructure protection a profitable endeavor for private businesses.
As the National Strategy calls for cooperation between the private businesses (who own and operate most of the national infrastructure and key assets) and government agencies (who regulate and oversee these corporations), the meaning of “critical infrastructure” in the public policy context must be identified and clearly defined. Unclear or changing criteria for identifying individual critical and key assets can lead to protection inefficiencies, especially where private companies are responsible for security spending.
In the meantime, private businesses must address the protection of critical infrastructure in their business recovery and continuity plans. This need was affirmed by the Joint Committee on Accreditation of Healthcare Organizations in the document JCAHO 2003 – Health Care at the Crossroads: Strategies for Creating and Sustaining Community-wide Emergency Preparedness Systems, which stated, “This is not our world as we once knew it. It is no longer sufficient to develop disaster plans and dust them off if a threat appears imminent. Rather, a system of preparedness across communities must be in place everyday. Such systems make effective responses to emergencies possible, and they also serve as deterrents to actual attacks. And, they are needed – whatever the level of our sense of security – to facilitate the management of crises that seem to be becoming everyday occurrences.”
SIDEBAR: Homeland Security is Private Security
Over 75 percent of the current national critical infrastructures and assets identified by the Homeland Security Presidential Directive-7 (HSPD-7) are owned by the private sector and are de-regulated. Implementing this strategy requires a clear definition of “critical infrastructures” and “key assets.” Although the homeland security strategy provides such definitions, the meaning of “critical infrastructure” in the public policy context has been evolving for decades and is still open to debate.
Many private businesses are still grappling for a clear and stable definition to assess criticality so they will know exactly what assets to protect, and determine the appropriate level of protection. While most companies associated with a national critical infrastructure or key asset are able to identify and prioritize the assets that are essential to their business recovery, continuity and operations, many of these same companies are unable to identify the assets that can pose significant danger to life, property, national security and national stability if disrupted.