Tuesday, December 05, 2006

GAO: Critical Infrastructure Protection Progress Status

The GAO recently released a review of the nation's critical infrastructure protection plans. The plans are generally not as comprehensive as they really ought to be at this point.

One of the big problems is that the National Infrastructure Protection Plan (NIPP) was released 18 months late, in June 2006.

The NIPP is a base plan that is to serve as a road map for how DHS and other relevant stakeholders should use risk management principles to prioritize protection activities within and across sectors in an integrated, coordinated fashion. The NIPP also requires the individual sector-specific agencies to submit plans to DHS by the end of December 2006 detailing the application of the national plan’s core elements to each of their respective sectors.

With only 6 months to work with the NIPP, a number of infrastructure sectors have not been able to develop their plans at a high level of detail or specificity. The GAO found that all of the sectors are working on their plans, but their work varies widely. The NIPP relies on a collaborative model in which sector councils and government councils guide the sharing of information and development of plans to manage sector risks, but at this time, not all councils are created equal:

Each of the infrastructure sectors has established government councils, and voluntary sector councils have been formed in response to the recommended NIPP partnership model for all sectors except transportation systems. The characteristics and levels of maturity vary significantly across the sectors.

In general, the GAO found that the sectors in which there is a long history of regulation and sharing information have done by far the best job of organizing themselves and developing plans.

The more mature councils, including banking and finance and telecommunications, were able to focus on strategic activities, such as developing plans on how to resume operations as soon as possible after a disaster. In contrast, the newer councils—including public health and healthcare and commercial facilities—were still focusing on identifying key stakeholders and members, developing charters, and getting organized.

Representatives from 13 government and 10 sector councils agreed that having prior relationships—either formally between the federal government and the private sector based on regulatory requirements, or informally within and across industries—facilitated sector-specific plan development.

Some councils have struggled with sharing information, mostly due to distrust:

Representatives with six government and five sector councils noted that the private sector continues to be hesitant to provide sensitive information regarding vulnerabilities to the government as well as with other sector members due to concerns that, among other things, it might be publicly disclosed.

This report, as well as our past work, demonstrates that many private sector partners do not trust the government enough yet to share information on their security vulnerabilities.

DHS has set up an advisory council to deal with the sectors' hesitance in sharing information, but it's not yet clear if the new council is working:

To address this concern about public disclosure of sensitive information and to enhance information sharing, in March 2006 DHS created the Critical Infrastructure Partnership Advisory Council—open to members of all councils—that is exempt from the Federal Advisory Committee Act, but it is too soon to determine if this council has promoted more sharing.

Trust is significant, as has been widely documented. The GAO correctly focuses on personal relationships:

We reported that trust was critical to overcome members’ reluctance to disclose their weaknesses, vulnerabilities, and other confidential or proprietary business information, but that trust had to be built over time and through personal relationships.

For local first responders, these principles apply as well. Recognizing the threat to critical infrastructure is something that may take time, but it is effort well spent if the result is better preparedness and response.
