Economic prosperity and physical security rely on the effective functioning of the nation’s critical infrastructures. Congress defines critical infrastructures as the “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” More simply put, critical infrastructures are the processes that enable 21st century life: among others things, power plants, transportation systems, financial networks and communications capabilities. In many cases, critical infrastructures are interdependent, and a substantial decrease in capacity in one critical infrastructure sector may have a catastrophic ripple effect regionally or nationally. For these reasons and others, critical infrastructures continue to be the object of terrorist plots – and, increasingly, the subject of new legislative and regulatory initiatives.
History and Background
Although September 11 heightened the importance of critical infrastructure protection, efforts to safeguard them are more than a decade old. After the 1993 World Trade Center attack and the 1995 bombing of the Alfred P. Murrah Federal Building in Oklahoma City, the Clinton administration began to address security concerns related to critical infrastructures. These efforts continued under the Bush administration. Following September 11, the White House authored Homeland Security Presidential Directive 7 (HSPD-7). HSPD-7 establishes the U.S. policy for “identify[ing] and prioritiz[ing] United States critical infrastructure and key resources…” and mandates a national plan to achieve that policy.
Pursuant to the requirements of HSPD-7, the Department of Homeland Security (DHS) released the National Infrastructure Protection Plan (NIPP) on June 30, 2006. The NIPP underscores the importance of protecting critical infrastructures and establishes the goal of [b]uild[ing] a safer, more secure, and more resilient America by enhancing protection of the Nation’s [critical infrastructures] to prevent, deter, neutralize, or mitigate the effects of deliberate efforts by terrorists to destroy, incapacitate, or exploit them; and to strengthen national preparedness, timely response, and rapid recovery in the event of an attack, natural disaster, or other emergency.
The NIPP creates the framework for unifying critical infrastructure protection efforts across the nation and seeks to mitigate risk by deterring threats, mitigating vulnerabilities and minimizing consequences associated with a terrorist attack or other incident. Because the private sector controls 85 percent of the nation’s critical infrastructure, industry’s voluntary participation in the NIPP’s risk management process is critical.
The NIPP embraces a risk-based philosophy to produce a comprehensive roadmap of national or sector-specific factors that influence critical infrastructure protection activities. This “risk management framework is tailored and applied on an asset, system, network, or function basis, depending on the fundamental characteristics of the individual [critical infrastructure/key resource] sectors.” For example, critical infrastructure sectors primarily dependent on fixed assets and physical facilities may require a bottom-up, asset-by-asset approach while sectors with diverse and logical assets (i.e., telecommunications and information technology) may require a top-down, business or mission continuity approach that focuses on networks, systems and functions.
F urther Defining Critical Infrastructures and Key Resources
As previously noted, critical infrastructures may be defined as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” Specifically, there are 12 critical infrastructure sectors in the United States:
# Defense Industrial Base
# Food and Agriculture
# Public Health and Healthcare
# Emergency Services
# Transportation Systems
# Banking and Finance
# Information Technology
# Drinking Water and Water Treatment Systems
# Postal and Shipping
For important sites/resources either not classified directly as a critical infrastructure or for which additional security considerations must be addressed, there are five categories of key assets:
# National Monuments and Icons
# Commercial Nuclear Reactors, Materials and Waste
# Government Facilities
# Commercial Facilities (such as prominent commercial buildings, hotels and sports stadiums)
The NIPP requires specific government agencies to work closely with members of the private sector to obtain the information necessary to ensure that sector assets are adequately represented and that sector and cross-sector dependencies and interdependencies can be identified and analyzed. To accomplish this, the federal government must acquire information regarding all aspects of critical infrastructure operations.
While laws and regulations permit the government to access critical infrastructure information in some instances, DHS, as a general matter, must rely on the private sectors’ willingness to provide information voluntarily. Yet, absent protection from the disclosure requirements of the Freedom of Information Act (FOIA), the private sector has been unwilling to share this information with the federal government. Private industry is worried that competitors, litigants seeking to end-run the discovery process or even terrorists and criminals could use FOIA to compel the federal government to share what would not have been in the public domain but for voluntary disclosure.
Recognizing the private sector’s resistance to divulge business information, Congress offered a remedy. The Homeland Security Act of 2002 statutorily exempts critical infrastructure information from FOIA when provided voluntarily by the private sector. When information is designated as Protected Critical Infrastructure Information (PCII), government disclosure is limited to authorized parties for specific homeland security purposes.
PCII offers significant benefits. Among those identified by DHS are the following:
1. Proprietary, confidential or sensitive infrastructure information can now be shared with governmental entities who share the private sectors commitment to a more secure homeland;
2. Information sharing will result in better identification of risks and vulnerabilities, which will help industry partner with others in protecting their assets;
3. By voluntarily submitting critical infrastructure information to the federal government, industry is helping to safeguard and prevent disruption to the American economy and way of life; and
4. Private industry is demonstrating good corporate citizenship that may save lives and protect communities.
PCII can be used for many homeland security purposes, including analyzing and securing critical infrastructure and protected systems, risk vulnerability assessments and assisting with recovery. DHS published the PCII Interim Rule – the first series of regulations implementing the PCII program – in February 2004.
Despite protection from FOIA offered by the PCII Interim Rules, information flow from the private sector to DHS has been slower than anticipated. Generally, critical infrastructure owners and operators continue to withhold homeland security information from DHS for two reasons. First, while FOIA protection is available, it is not automatic. To obtain the protection, the submitting party must take a series of regulatory steps. Second, even with a statutory exemption from FOIA, many remained concerned that the submitted information may get into the wrong hands. Information that is shared and then released accidentally, for example, could harm or embarrass the submitting party who offered the information to DHS in good faith with the expectation of protection.
Seeking to improve the PCII Interim Rule, DHS published the PCII Final Rule on September 1, 2006. The PCII Final Rule establishes the scope of the PCII program and submission procedures. Information will be protected from unauthorized disclosure when, among other things:
1. Such information is voluntarily submitted, directly or indirectly, to the PCII Program Manager or the PCII Program Manager’s designee;
2. The information is submitted for protected use regarding the security of critical infrastructure or protected systems, analysis, warning, interdependency study, recovery, reconstitution or other appropriate purposes including, without limitation, for the identification, analysis, prevention, preemption, disruption, defense against and/or mitigation of terrorist threats to the homeland;
3. The information is properly labeled; and
4. The submitted information additionally is accompanied by a statement, signed by the submitting person or an authorized person on behalf of an entity identifying the submitting person or entity, containing such contact information as is considered necessary by the PCII Program Manager, and certifying that the information being submitted is not customarily in the public domain.
Furthermore, “[a]ll submissions seeking PCII status shall be presumed to have been submitted in good faith until validation or a determination not to validate….” And, as such, the information will be protected from public disclosure under FOIA, state and local sunshine laws and in civil litigation.
Equally importantly, the PCII Final Rule streamlines the process for submitting critical infrastructure information and addresses administrative and procedural concerns that frustrated information sharing under the PCII Interim Rule. In particular, DHS emphasized several key points:
1 . A submittal validated as protected critical infrastructure information will not lose its protected status except under a narrow set of circumstances;
2. Protected critical infrastructure information will be shared only for the homeland security purposes specified in the statute and not for other collateral regulatory purpose;
3. The PCII Final Rule gives PCII program managers flexibility to designate certain types of infrastructure information as presumptively protected;
4. The PCII Final Rule provides that submissions not validated as protected critical infrastructure information be returned to the submitter or destroyed;
5. The PCII Final Rule provides for submission of critical infrastructure information through DHS field representatives;
6. The PCII Final Rule identifies procedures for indirect submissions to DHS through other federal agencies.
What Should the Private Sector Do Now?
With the release of the NIPP and the clarification of the information protection regulations, the private sector has increased responsibility to safeguard its critical infrastructure. Without continuous input from the private sector, DHS will be unable to develop a comprehensive protection plan that correctly allocates finite resources. Indeed, the risk management process underlying the NIPP assumes that everything cannot be protected; therefore, it is imperative that the private sector cooperate with DHS to develop a national plan that accounts for all stakeholders. Among other things, collaboration includes gathering and submitting critical infrastructure information to DHS.
Collaboration also means working with government stakeholders to develop Sector Specific Plans (SSPs) to supplement the NIPP. HSPD-7 designates executive departments and agencies as Sector-Specific Agencies (SSAs). SSA designations reflect the subject-matter expertise of the particular department or agency when applied to a distinct critical infrastructure sector (i.e., the Department of Treasury is the SSA for the financial services sector; the Department of Defense is the SSA for the defense industrial base sector). Among other responsibilities, SSAs “shall collaborate with all relevant Federal departments and agencies, State and local governments, and the private sector….” Working cooperatively, SSAs and the private sector continue to develop SSPs to provide a more detailed view of each sector’s unique characteristics and protection profile. Each sector’s SSP has been completed, though not approved. While some SSPs will not be public, at least one – the SSP for the Financial Services Sector – has been released publicly.
The formation of the Critical Infrastructure Partnership Advisory Council (CIPAC) is another example of ongoing collaboration between government and the private sector. The purpose of the CIPAC is to improve the sharing of sensitive information with the private sector on critical infrastructure and to encourage greater collaboration for NIPP and other purposes. According to the CIPAC’s Federal Register Notice, because of the highly-sensitive and often confidential nature of CIPAC subject matter, CIPAC will be exempt from certain public disclosure laws. Many of the meetings will be private but some “meetings will be open [to the public] as feasibly consistent with security objectives.”
What Does the Future Hold for Critical Infrastructure Protection?
DHS does not possess regulatory authority to enforce security practices or uniform security standards among most of the nation’s critical infrastructure sectors, and there is concern that some critical infrastructure owners and operators will not comply with the voluntary processes outlined in the NIPP. If DHS experiences difficulty obtaining private sector support, regulation may be necessary. The recent regulation in the chemical sector is a likely harbinger of what is to come. Indeed, it is conceivable that Congress will begin regulating other high consequence and high vulnerability industries (e.g., rail) in the near future.
On April 9, 2007, DHS published its Interim Final Rule on Chemical Facility Anti-Terrorism Standards (the Rule), which establishes risk-based performance standards for the security of high-risk chemical facilities. Other than Appendix A (discussed below), the Rule becomes effective on June 8, 2007, and makes revisions and other policy changes to the Chemical Facility Anti-Terrorism Standards Proposed Rule (Proposed Rule) published at the end of 2006. The most significant change to the Proposed Rule is the inclusion of a proposed appendix entitled “DHS Chemicals of Interest” (Appendix A). Appendix A addresses a perceived weakness in the Proposed Rule, as the Proposed Rule did not specifically identify the chemical substances that DHS considered potentially dangerous. DHS invites comments on Appendix A until May 9, 2007.
Chemical facilities that meet the threshold requirements of Appendix A or are otherwise identified by DHS as potentially high-risk, must complete a questionnaire. The questionnaire elicits information to help DHS determine whether a chemical facility needs to meet the additional requirements of the Rule. If DHS determines that a facility is high-risk, it will be regulated. As such, it will be referred to as a “Covered Facility,” which the Rule defines as “a chemical facility determined by the Assistant Secretary to present high levels of security risk, or a facility that the Assistant Secretary has determined is presumptively high risk….”
Depending upon the perceived risk, Covered Facilities will be placed in one of four risk tiers with commensurate security obligations. While DHS will provide the specific tier requirements to Covered Facilities in forthcoming guidance documents, Covered Facilities will be required to prepare Security Vulnerability Assessments (SVAs) and SSPs that must be approved by DHS. In short, SVAs identifies facility security vulnerabilities. The SSP includes measures that satisfy the identified risk-based performance standards. In certain circumstances, Covered Facilities are permitted to submit Alternate Security Programs, rather than an SVA, SSP or both.
The Rule also contains provisions concerning inspections, audits, recordkeeping and the protection of sensitive information. It also grants DHS enforcement authority, including assessment of fines and, in extreme cases, the issuance of an order for the cessation of operations. The Rule has a section addressing the review and preemption of state and local law and prohibits third party actions.
While Section 550 of the recently passed Department of Homeland Security Appropriations Act of 2007 provides the statutory authority for the Rule, members of the 110th Congress have already proposed amending last year’s chemical security legislation. For example, Section 1501 of the Conference Report to the 2007 Emergency Supplemental Appropriations Act for 2007 (H.R. 1591) contains a provision amending Section 550 to allow state and local governments to adopt more stringent chemical security regulations. Regardless of whether H.R. 1591 becomes law, it will be important to monitor legislative developments that may impact the Rule as currently drafted. Additionally, Section 550 has a three-year sunset provision and will need to be reauthorized either by this Congress or the 111th Congress.
Although DHS does not generally possess regulatory authority to enforce the procedures outlined in the NIPP, it is important for critical infrastructure owners and operators to understand the important role they play in the nation’s security. Members of the private sector must assist the federal government. This means sharing pertinent critical infrastructure information and working to develop plans to ensure the nation’s critical infrastructures are protected. If the private sector fails to do its part, it is quite possible that prescriptive legislation will mandate compliance.