by Jim McKay
, Justice Editor, Government Technology Magazine
8:00 a.m. January 15, 2003 PDT
The following article is from Government Technology Magazine, a division of e.Republic, Inc. a leading publishing and research corporation that serves the state, local and education markets with the latest news and education on Information Technology. For additional information, please visit their website at: www.govtech.net
The views expressed in this publication are those of the author, and do not necessarily reflect those of the e11th hour editorial staff.
Lack of national strategy forces a fractured approach to critical infrastructure protection.
S STATES ATTEMPT
to determine which critical infrastructures to protect and how to protect them, they do so without a national template or guideline. In essence, states are creating their own critical infrastructure protection plans until a national strategy emerges.
"So many things are in flux due to governor turnover and the new [Office of Homeland Security]," said Chris Dixon, digital government coordinator for the National Association of State CIOs (NASCIO). "If we're all going to have confidence that we're aiming for the same thing, it's going to take somebody at the national level to promulgate something to hone our focus and build a consensus approach."
Most states are moving ahead, albeit at varying levels, with critical infrastructure assessment plans, and they're choosing concepts and tools from a multitude of sources. "There are various approaches out there right now," said Thom Rubel, director of State Information Technology Economic and Technology Studies for the National Governors Association (NGA).
Some new approaches are promising, while others, well underway, point to strategies that are critical to the success or failure of an infrastructure protection plan.Starting from Scratch
Washington state began developing a plan in 2000 that requires compliance by late 2003; it addresses infrastructure protection on four levels: physical, personnel, technology and data.
Washington's Department of Information Services (DIS) provides policy, standards and guidelines that agency directors are encouraged to follow. In developing the infrastructure protection guidelines and standards, the state looked at federal models, among others, but in the end developed its plan "from scratch."
"We spent about a year working with state agencies, higher education and so forth to make sure we covered everything everyone could think of at that time," said Mike McVicker, the state's director for telecommunication services.
A key part of the plan is to promote coordination between agencies. Each agency director or secretary must provide the DIS with written confirmation on the status of an "annual strategic plan and infrastructure portfolio," which describes progress toward compliance with the plan's policies and standards.
A comparable effort in New Mexico began with similar coordination but unraveled. The New Mexico Critical Infrastructure Assurance Council (NMCIAC) was developed in 1998 as a cooperative, private and public sector enterprise. Its goals were to exchange information among the business community, industry, educational institutions, the FBI, and New Mexico state and local governments; and to ensure the protection of the state's critical infrastructure.
The organization, directed by the University of New Mexico (UNM), was to assess the threats, vulnerabilities, countermeasures, and responses to infrastructure attacks and unauthorized system intrusions that might affect NMCIAC organizations and the general public.
Initially the group collaborated, formulating good ideas; but in time the NMCIAC languished, becoming fairly innocuous, according to Dennis Morrison, director of Information Technology Security, Evaluation and Risk Assessment for the New Mexico Institute for Mining and Technology, which has taken over leadership of the project from UNM in an effort to revive the organization.
The initial collaboration stalled largely due to lack of both funding and private-sector interest, Morrison said. After Sept. 11, the various agencies charged with protecting the state's critical infrastructure fell into the "typical federal approach" of protecting their own backyards.
Although the NMCIAC presented itself as a nongovernment organization, the government presence within the council, which included the FBI, may have been enough to turn off the private sector. "That seems to be what private enterprise really gets suspicious abouta government-run information sharing [group] because of the fear of exposure," said Morrison.
The NMCIAC was intended to facilitate information sharing among its members to promote both an understanding of threats and knowledge about response during an incident; but the perception that it was government-run may have inhibited that process.
"We see it time and time again," Morrison said. "Suppose you're looking at cyber-security. If you report some kind of illegal access to your system, and that hits the press at the wrong time or gets released in the wrong way, it affects the bottom line.
"What we had addressed, and are still looking at pretty closely, are some technologies that can [make anonymous] those kinds of reports, but at least say this kind of thing has happened and get the information out," he added. "It's got to be something that's not a government entity that protects these private enterprises. Until you do that, you're not going to get much involvement from them."
As a volunteer organization with little funding, the NMCIAC eventually wore down. Some agencies within the state, such as the Department of Transportation, have critical infrastructure plans in place, but they've taken the stovepipe approach in protecting their own systems, according to Morrison.
The Right Formula
The recently launched New York Cyber Security and Infrastructure Protection Initiative takes steps to crush the stovepipe mentality and promote private-sector involvement.
The initiative identifies 13 major sectorstransportation and telecom are examplesin which critical infrastructures need protection. Each sector is assigned co-chairpersons, one from government and one from private industry, who are responsible for collaborating on plans to protect infrastructure in that sector.
"These are high-level people," said Will Pelgrin, initiative director. "That was a requirement, that they be at a level that could command the resources and attention it deserves.
"The real focus is encouraging sharing of information; something unique within our group is that we meet as a collective with all sectors," Pelgrin said. "The sectors come together to share information so we're not building stovepipe information. So many of these sectors have dependencies and interdependencies between and among each other [that] to keep a stovepipe fashion is the wrong formula if we're going to succeed."
The initiative, formalized in September, is still in its infant stages, but "four or five concrete meetings" held to date were well attended. Pelgrin said the initiative was spawned in Gov. George Pataki's office, showing the importance of infrastructure protection from New York state's perspective.
The state is employing methods developed during Y2Kinformation-sharing strategies that built trust and yielded results, according to Pelgrin. To quell private industry concerns about freedom of information and information access, the state developed communication standards that mirror those used during Y2K, which were designed to safeguard against the release of potentially damaging information.
New York also adopted a definition of critical infrastructure similar to the one provided in Presidential Decision Directive (PDD) 63, a federal guideline developed in 1998. The New York version, which follows, allows each sector to add, but not subtract from the definition:
Cyber assets both technology-based, physical and/or logical, which are so vital that their infiltration, incapacitation, destruction or misuse would have a debilitating impact on the health, safety and welfare or the economic security of the citizens and businesses of New York state.
New York's work in this area is already a model for other states. "The Office of Public Safety pulled together nine additional northeast states to look at it from a homeland security perspective," Pelgrin said. "Those states want to be a part of what New York is doing. We will be able to provide them with templates so we can start sharing information."
Information sharing is also the key to Michigan's plan, which was slated for release in December. "It's looking at how can we coordinate our activities, and how can we respond when there is an incident in a more coordinated way given various scenarios and various threats," said Dan Lohrmann, chief security officer for the state's newly created Office of Security and Disaster Recovery.
Michigan relied heavily on vulnerability-assessment tools provided on the National Institute of Standards and Technology (NIST) Web site, and also used guidelines from the U.S. General Accounting Office and the National Infrastructure Protection and Computer Intrusion program (NIPCI). "There's really an abundance of resources out there," Lohrmann said. "From the federal government, from think tanks, to NIST, which has kind of been the bible for us."
New Mexico's Morrison added, "There are some really good tools being developed. We've seen a really good one out of the Sandia National Laboratories for water systems that is an assessment tool. It says 'OK, what are the threats, and what is the likelihood of the threat, and what's the cost of the threat?'"
Also, the federal Critical Infrastructure Assurance Office is working with the NGA to make Matrixa software assessment tool developed for federal agenciesavailable to states.
In spite of progress made by many jurisdictions, developing a critical infrastructure plan that crosses agency borders requires a national directive, said NASCIO's Dixon.
"Any level of government can sit down and say, 'What's critical to my business?' But then they put blinders on, and it's going to stop at the borders of their business activity," he said. "Where it gets tricky is determining linkages between sectors and levels of governments and functions of government."<<
Jim McKay is Justice Editor for Government Technology Magazine.
Article copyright © Jim McKay, Government Technology Magazine; all rights reserved
| r e a d i n g |
Combating Chemical, Biological, Radiological, and Nuclear Terrorism: A Comprehensive Strategy (A Report of the Csis Homeland Defense Project); Frank J. Cilluffo, Sharon L. Cardash, Gordon Nathaniel Lederman; ISBN: 0892063890
Terrorism, Asymmetric Warfare, and Weapons of Mass Destruction: Defending the U.S. Homeland; Anthony H. Cordesman; ISBN: 0275974278
How Did This Happen? Terrorism and the New War; Gideon Rose, James F. Hoge Jr.; ISBN: 1586481304
The Age of Terror: America and the World After September 11; Strobe Talbot, Nayan Chanda ; ISBN: 0465083560
Terrorism, Asymmetric Warfare, and Weapons of Mass Destruction: Defending the U.S. Homeland; Anthony H. Cordesman; ISBN: 0275974278
Insurgency & Terrorism: Inside Modern Revolutionary Warfare; Bard E. O'Neill, Edward C. Meyer; ISBN: 1574883356
What Went Wrong: Western Impact and Middle Eastern Response; Bernard Lewis; ISBN: 0195144201
Scourge: The Once and Future Threat of Smallpox; Jonathan B. Tucker; ISBN: 0871138301
The New Face of Terrorism: Threats from Weapons of Mass Destruction; Nadine Gurr, Benjamin Cole; ISBN: 1860644600
Holy War, Inc.: Inside The Secret World of Osama Bin Laden; Peter L. Bergen; ISBN: 0743205022
From Time Immemorial: The Origins of the Arab-Jewish Conflict over Palestine; Joan Peters; ISBN: 0963624202
Terror in the Mind of God: The Global Rise of Religious Violence (Comparative Studies in Religion and Society); Mark Juergensmeyer; ISBN: 0520223012
Economic Sanctions and American Diplomacy; Richard Haass, Council on Foreign Relations; ISBN: 0876092121
Terrorism and U.S. Foreign Policy
; Paul R. Pillar, Michael H. Armacost; ISBN: 0815700040
Insurgency & Terrorism: Inside Modern Revolutionary Warfare;Bard E. O'Neill, Edward C. Meyer; ISBN: 1574883356
The Ultimate Terrorists; Jessica Stern; ISBN: 0674617908
The New Jackals: Ramzi Yousef, Osama bin Laden and the Future of Terrorism; Simon Reeve; ISBN: 1555534074
| u s e n e tg r o u p s |
| w e b s i t e s |
National Security Agency
Office of Homeland Security (White House)
Subcommittee on Terrorism and Homeland Security (US Gov)
Defense Technical Information Center (US Dept of Defense)
DefenseLINK (Official Website of the US Dept of Defense)
GAO Reports: Homeland Security (US General Accounting Office)
US Immigration & Naturalization Service (USINS INS)
Jane's Information Group
Jane's Regional Security Digest
Homeland Security and Defense (Business Week publication)
Center for Security Policy
ANSER Institute for Homeland Security
Organization for Security and Co-operation in Europe
Center For Strategic & International Studies
Regional Centre for Strategic Studies
The Henry L. Stimson Center
Adm. Blair on Regional Security, Fight Against Terrorism (US Dept of State)
The Army and Homeland Security: A Strategic Perspective... (US Army War College)
(*see our resource directory for add'l resources)