The Homeland Security Department is finalizing a cybersecurity plan to help the private sector protect critical infrastructure. But at least some in industry are less than excited about it.
The Homeland Security Department-led effort to update the National Infrastructure Protection Plan (NIPP) is expected to be sent to the White House on Nov. 8, according to a copy of the draft plan and a presentation obtained by Federal News Radio.
The document, subtitled (Partnering for Critical Infrastructure Security and Resilience comes on the heels of the National Institute of Standards and Technology release of the draft cybersecurity framework for critical infrastructure providers. The national plan, which would update a 2009 version, hopes to create an integrated approach to protecting water, electrical, telecommunications, financial and other critical infrastructure systems. President Barack Obama called for DHS to lead the NIPP update effort in his February 2013 Presidential Policy Directive-21, which coincided with the release of his executive order calling for NIST to lead the effort to develop a cyber framework.
DHS expects the NIPP to help critical-infrastructure providers assess and analyze threats of critical-infrastructure systems as a way to inform risk-management activities. The document would help providers decide how best to secure critical infrastructure against human, physical and cyber threats, while also taking into account costs to the organization. DHS also addresses cyber information sharing across the communities “to build awareness and enable risk-informed decision making.”
The need to update the NIPP has become clearer over the last few years as cyber attacks have changed and become more complex and focused against critical infrastructure systems. DHS found in July 2012 a huge increase in the number of security intrusions against critical infrastructure providers.
But at least two industry experts say DHS developed the NIPP without taking into account input from the critical-infrastructure providers.
“The biggest problem with the NIPP is it’s a document written for government, by government and not a plan to improve resilience,” said the industry source, who requested anonymity so they could talk freely about the draft plan. “Many of us thought and had optimism that we would leverage what we learned from first NIPP and its update and address critical infrastructure security from an all hazards perspective. We had 30 meetings with government, and that’s their metric — how many meetings they could have. They will try to characterize this as a collaborative effort, but almost none of what was discussed at those meetings found its way into the document. We were not at table for any of the writing. I believe what’s in this document was predetermined.”
The industry expert said the lack of private-sector inclusion is clear in several parts of the document, including in the Call to Action section, under the title “Federal Steps to Advance the National Effort.”
“This is a 63-page document and 28-page supplement and it doesn’t talk about how we will all work together, how we will set joint priorities or how we will agree on joint objectives,” the source said. “The first sentence of the Call to Action says it all.”
That first sentence reads, “This Call to Action primarily guides the federal government; it can also inform private sector, state, local, tribal and territorial and regional efforts.”
A DHS official said the NIPP development process has been collaborative.
“Over the past eight months, DHS has worked with critical infrastructure owners and operators, as well as federal, state and local partners to update the National Infrastructure Protection Plan (NIPP),” the official said by email. “During this process, DHS engaged thousands of stakeholders from across the country, including representatives from all critical infrastructure sectors.”
But Scott Algeier, the executive director of the IT-Information Sharing and Analysis Center (IT-ISAC), said industry hoped DHS would address their concerns in this final draft, but it didn’t happen.
“The real shame of it is that many of us have been providing this input for months, but DHS continues to produce drafts that do not incorporate it,” he said by email. “It is as though they had meetings with us to check off the ‘meet with industry’ box rather than to develop a document that reflected the input of the owners and operators.”
There are seven specific updates in this new document from the one four years ago:
Elevates security and resilience as the primary aim of critical infrastructure planning efforts;
Expands and updates critical-infrastructure risk management to address alignment to the National Preparedness System, across the prevention, protection, mitigation, response and recovery mission areas;
Focuses on national priorities jointly determined by public and private sector, while limiting discussion of federal programs;
Integrates cyber and physical security and resilience efforts into an enterprise approach to risk management;
Affirms the reality that critical infrastructure security and resilience efforts require international collaboration;
Continues progress to support execution of the National Plan at both the national and community levels; and
Presents a detailed Call to Action, including steps the federal government will undertake-working with critical infrastructure partners-to make progress toward security and resilience.
The Call to Action is separated into three broad categories: building on partnerships, innovation to manage risk and focusing on outcomes.
Under each of these categories are specific goals, such as enabling risk-informed decision-making through enhanced situational awareness by developing interoperability standards and by improving federal information sharing resources such as the National Cybersecurity and Communications Integration Center and the National Infrastructure Coordinating Center.
Information sharing shortcomings
Algeier said the information-sharing section is a key shortcoming of the document because it doesn’t do anything to enhance national-level situational awareness.
“It basically says we need to do more information sharing, but it does not provide a framework for doing so. You can’t just say ‘share information’ and expect that a national capability will somehow emerge,” he said. “There are deep concerns within the critical infrastructure owner operator community that the structures that have underpinned the public-private partnership for the last decade or more are not being properly supported with the current draft.”
Algeier added the document pays lip service to the fact that critical-infrastructure providers manage risk on a daily basis.
“There is a lot of unnecessary lecturing to industry in the document,” he said.
Finally, the plan addresses agency participation in specific sectors as developed by DHS’ Integrated Task Force in June 2013. For example, the General Services Administration and DHS are responsible for government facilities, and the Energy Department will work with the energy sector.
“Federal departments and agencies that are not designated as sector specific agencies, but have unique responsibilities, functions or expertise in a particular critical infrastructure sector, assist in identifying and assessing high-consequence critical infrastructure and collaborate with relevant partners to share security and resilience-related information within the sector, as appropriate,” the document stated.
The industry source said DHS isn’t accepting any more comments on the draft document and is meeting with individuals to discuss why the plan includes specific items.
“This is a disappointment and huge missed opportunity,” the source said.