Critical Infrastructure Protection Program - Part 2

Selecting a CIPP Implemented at the Local Government Level

Selection Process. Since computer security, forensics, and cyberterrorism are of prime interest, it is only natural to select the Critical Infrastructure Protection Program (CIPP) that covers the Information Technology (IT) and Communications sectors.  Moteff, Copeland, and Fischer (2003) define this sector as computing and telecommunications equipment, software, processes, and people that support the:

• Processing, storage, and transmission of data and information
• Processes and people that convert data into information and information into knowledge
• Data and information themselves

The Selected CIPP. I selected the City of North Miami Beach, Florida, CIPP.  Of all considered local government programs, the City of North Miami Beach appears to possess the most comprehensive CIPP of all.  They have an excellent program.  However, there still is room for improvement (Anonymous, n.d.).

Evaluating the Selected CIPP Implemented at the Local Government Level

Securing the Community. There is an old saying in business that directly applies to our concerns about critical infrastructure assurance – “think globally, act locally.”  In the final analysis, all disasters are local.  That was certainly the case on September 11, 2001.  If we are truly to secure the nation’s homeland, we must proceed by securing our respective communities one by one (Juster, 2002).

Indeed, the community represents an essential focal point for building a foundation for any national initiative that seeks to influence the public.  All of us live in communities and look to the community for leadership to assure our safety, our economic opportunities, and our QOL.  The first people on the scene in a crisis are not the feds … but the local emergency response teams.  We need leadership at the local level to survive terrorist attacks.  Public confidence starts in the community and is dependent on how well the community plans ahead, responds to crises, and reestablishes order from chaos.  It was not by accident that the public face in New York and Washington, DC, on September 11 and in the days thereafter, was the mayor of each of these cities (Juster, 2002).

A Different Viewpoint. It is interesting to note that Lewis & Darken (2005) take issue with Juster (2002) and the “think globally, act locally” strategy.  They say that this policy is not only dangerous – because local jurisdictions will never have the capability to protect their CI assets – but an unfortunate waste of money.  In fact, Paul Posner (2003) of the Government Accountability Office (GAO) recognized this problem soon after the formation of the Department of Homeland Security (DHS) and testified to the U.S. Senate Committee on the Judiciary, “The challenges posed in strengthening homeland security exceed the capacity and authority of any one level of government.”

Re-evaluation of National Strategy Needed.  It is time to re-evaluate the national strategy and replace state and local strategies with a national effort.  The Department of Interior and Forest Service have done this: A federal force has mainly fought large forest fires across regional boundaries.  The food and agriculture sector has done this to some extent.  For example, Food and Drug Administration (FDA) regulators work with the private sector to ensure the safety of the food supply.  Additionally, whether or not we admit it, the Federal Bureau of Investigation (FBI) is a national police force that transcends state and local borders (Lewis & Darken, 2005).  Lewis & Darken (2005) make a reasonable case for rethinking of our strategy from one where the current local government runs the show with support from the federal government to a strategy where the federal government runs the show with support from local governments.  It seems feasible and reasonable for broad, wide-area disasters.  For strictly local disasters, however, the local government would best deal with them.

Weaknesses of the Selected CIPP

Telecommunications/IT Sector Challenges. All levels of government are working together to address vulnerabilities of the telecommunications and IT sectors.  However, state and local governments face special challenges related to working with the private sector.  These special challenges include addressing vulnerabilities in the nation’s computer-controlled systems and developing mechanisms and processes to protect them from attack.  The private sector plays a central role in securing cyberspace because it depends on this infrastructure to conduct business.  Additionally, it owns and operates the vast majority of the infrastructures and cyber systems upon which the nation depends (Hopkins, 2003).

Interdependency of Communications and IT. Many organizations rely on computers and the Internet for day-to-day operations (both on-site and remote), delivery of services, data management, and marketing.  This situation illustrates the difficulty in separating physical critical infrastructure protection (CIP) from cyber CIP and separating the communications sector from all the other sectors.  As a result, safeguarding communications and IT is essential to assuring the survival of CIs.  Home users and small businesses can contribute to cyber security by using safe passwords, maintaining and updating virus protection and patches, and using traffic filtering, firewalls, and similar good practices (Anonymous, 2008).

Not Enough Effort Being Expended. In 2002, Richard Clarke, chairman of the president’s Critical Infrastructure Protection Board, said, “I’m never satisfied.  I’m feeling good about the federal government’s own activities and that major sectors of the private sector are taking action.  For example, the banking and finance sector is doing a great deal; the electric power grid is for the first time thinking about encryption; and the IT sector itself is beginning to talk about quality software development and making security a design criteria.  Companies like Oracle [Corporation], Sun [Microsystems Inc.], Microsoft [Corporation], and Cisco [Systems Inc.,] are leading that effort.  IT security is also a top issue in the private sector” (Verton, 2002).

What Needs to Be Done to Improve on the Identified Weaknesses

Fund the Private Sector. Since the private sector owns and operates most of the nation’s computer and cyber systems, it is only natural that the private sector takes the lead role in protecting their own systems.  The state and local governments follow the lead of the private sector.  State and local governments can contribute to a greater extent in protecting the IT and telecommunications CI sectors.  They can do this by contributing funds to help the private sector do a better job in defending their systems from those who intend to harm them.

An Integrated System. The telecommunications and IT sectors are inseparably interwoven with most of the other CI sectors but more so with each other.  Rather than separating the physical CIP from the cyber CIP, we should take the systems approach by dealing with them as an integrated system.  If anything, they should be dealt with as a system of systems.

Additional Initiatives. Since 2002, much has been done to overcome the weaknesses of a CIPP at the local government level.  However, even more can be done.  Additional initiatives that can/should be taken include the following (Anonymous, 2006):

• Strengthen interoperable communications capabilities
• Enhance planning infrastructure capabilities to ensure preparedness for terrorism and all hazard events
• Strengthen information sharing and collaboration capabilities
• Establish a CIP for the state

Conclusion

Terrorists seek to undermine confidence in our public and private institutions and in our ability to manage the consequences of their attacks.  In response, the federal government must work collaboratively and in partnership with state and local governments, with the private sector, and with local citizens.  To the extent that government and private industry are believed to be doing everything within reason to protect the public from harm, the public’s confidence in its institutions will remain intact despite such attacks.  We can have the best national strategy for homeland security that the most brilliant minds in Washington can devise, and yet we will fail in our endeavor if local communities do not meet the immediate challenges of a terrorist disaster (Juster, 2002).

Local governments represent the front lines of protection and the face of public services to the American people.  Their core competencies must include knowledge of their communities, residents, landscapes, and existing critical services for maintaining public health, safety, and order.  Communities look to local leadership to assure safety, economic opportunities, and QOL.  Public confidence, therefore, starts locally and is dependent upon how well communities plan and protect their citizens, respond to emergencies, and establish order out of chaos (Anonymous, 2003).  To this end, the City of North Miami Beach Police Department, the private sector, and concerned citizens have begun an important partnership and commitment to action (Anonymous, n.d.).

References

Anonymous (n.d.). City of North Miami Beach, Florida, Critical Infrastructure Protection Program. The official website of the City of North Miami Beach, Florida. Retrieved from http://northmiamibeach.govoffice.com/index.asp?Type=B_BASIC&SEC=%7BF04CACB1-1126-4FF5-85C3-81ACF84754F9%7D.

Anonymous (2003, February). The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets. Washington, DC: The White House.

Anonymous (2006). State enhancement plan. Retrieved from http://www.oregon.gov/OPS/CJS/docs/Homeland_Security/2006_State_Enhancement_Plan.pdf.

Anonymous (2008, February 12). Best practices for the protection of critical infrastructure. Public Safety and Emergency Preparedness Canada. Retrieved from http://www.publicsafety.gc.ca/prg/em/nciap/best_practices-en.asp.

Hopkins, B. (2003). State Official’s Guide to Critical Infrastructure Protection. Lexington, Kentucky: The Council of State Governments, 100 pp.

Juster, K. I. (2002, February 13). Homeland security and critical infrastructure assurance: The importance of community action. Remarks of the Undersecretary of Commerce for Export Administration at the conference on Critical Infrastructures: Working Together in a New World, Austin, Texas. Retrieved from http://www.bis.doc.gov/news/2002/communityactionimportantnhomelandsecurity.htm.

Lewis, T. G., & Darken, R. (2005). Potholes and detours in the road to critical infrastructure protection policy. Homeland Security Affairs, 1(2).

Moteff, J., Copeland, C., & Fischer, J. (2003, January 29). Critical infrastructures: What makes an infrastructure critical? Report for Congress, Congressional Research Service, The Library of Congress, Order Code RL31556, 20 pp.

Posner, P. (2003, September 3). Homeland security: Reforming federal grants to better meet outstanding needs. Testimony before the Subcommittee on Terrorism, Technology, and Homeland Security; Committee on the Judiciary, US Senate. GAO-03-1146T. 

Verton, D. (2002, September 6). White House cyber security chief defines cyberthreat. Computerworld. Retrieved from http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=74033.

###