New National Infrastructure Protection Plan Released

A new version of the National Infrastructure Protection Plan (NIPP) was released yesterday.

I’ve extracted and attached the full Table of Contents (4 pages) and the Executive Summary (6 pages) as separate documents.  Both are worth reading, if only to identify the parts of the full document you may want to read more closely.  For a super-compact summary, I’ve included a short excerpt from the Preface, and a list of the major sections of the document in this post.

[Update 02/25: DHS Released an "NIPP Consolidated Snapshot" (2 pages), which I've linked to here.]

The Preface to the 2009 NIPP, written by former DHS Secretary Michael Chertoff, states:

“The NIPP meets the requirements that [President Bush] set forth in Homeland Security Presidential Directive (HSPD) 7, Critical Infrastructure Identification, Prioritization, and Protection, and provides the overarching approach for integrating the Nation’s many CIKR (Critical Infrastructure and Key Resources) protection initiatives into a single national effort.  It sets forth a comprehensive risk management framework and clearly defined roles and responsibilities for the Department of Homeland Security; Federal Sector-Specific Agencies; and other Federal, State, regional, local, tribal, territorial, and private sector partners implementing the NIPP.”

The NIPP has an Executive Summary, 7 main sections, and 6 appendices:

• Executive Summary
• 1. Introduction
• 2. Authorities, Roles, and Responsibilities
• 3. The Strategy: Managing Risk
• 4. Organizing and Partnering for CIKR Protection
• 5. CIKR Protection as Part of the Homeland Security Mission
• 6. Ensuring an Effective, Efficient Program Over the Long Term
• 7. Providing Resources for the CIKR Protection Program
• Appendix 1: Special Considerations (Cross-Sector Cybersecurity and International CIKR Protection)
• Appendix 2: Summary of Relevant Statutes, Strategies, and Directives
• Appendix 3: The Protection Program
• Appendix 4: Existing Coordination Mechanisms
• Appendix 5: Integrating CIKR Protection as Part of the Homeland Security Mission
• Appendix 6: S&T Plans, Programs, and Research & Development

Event: PS-Prep Public Meeting #2

Sorry for the late notice on this one…  I plan to attend this meeting, and I’ll post an entry after the meeting.

The second of 2 public meetings on PS-Prep, a new DHS voluntary preparedness accreditation and certification program for the private sector, will be held on Monday February 23.  See my original post for more information on PS-Prep.

Date:     Monday, February 23, 2009
Time:     9am - 2:30pm
Location: American Red Cross Ballroom, Hall of Service
          1730 E Street, NW
          Washington, DC 20006
Register: privatesectorpreparedness@hsi.dhs.gov, or
          703-416-8407

• Meeting Announcement in the Federal Register
  
• Original Post
• PS-Prep Announcement in the Federal Register
• PS-Prep comments web site

Overview of Napolitano’s Action Directives

In her first 10 days in office, new Homeland Security Secretary Janet Napolitano has issued 12 “action directives” focused on specific homeland security areas.  Here’s an overview of all the action directives, including their purpose and a brief look at what they may indicate for Homeland Security policy in the Obama administration.

What is an action directive?

According to the DHS press release, action directives “instruct specific offices and agencies to gather information, review existing strategies and programs, and to provide oral and written reports” by a specified date.  The dates are specified separately for each directive.

So essentially the action directives are reviews of existing programs.  Although the action directives do not direct any changes to the programs under review, the specific areas each directive specifies for review give an indication of programs that may begin seeing changes after the reviews are complete.

List of Action Directives

The list of action directives follows.  I’ve listed all the relevant dates for each directive as [Date issued / date oral presentations due / date written reports due].  I’ve linked each directive in this list to the DHS press release that includes it.

Note: Although the initial press release didn’t give both oral and written dates for the 5 action directives issued on that date, based on the press releases for the other action directives, this appears to be an error, and I’ve made the assumption that all 5 of those directives have the same oral and written response dates.  No date was specified for oral presentations for the last action directive (immigration and border security).

• [Jan 21 / Jan 28 / Feb 10]: Critical Infrastructure Protection
• [Jan 21 / Jan 28 / Feb 10]: Risk analysis
• [Jan 21 / Jan 28 / Feb 10]: State and local information sharing
• [Jan 21 / Jan 28 / Feb 10]: Transportation security
• [Jan 21 / Jan 28 / Feb 10]: State, local, and tribal integration
• [Jan 23 / Feb 03 / Feb 17]: Cyber security
• [Jan 23 / Feb 10 / Feb 17]: Northern border strategy
• [Jan 27 / Feb 09 / Feb 23]: FEMA state and local integration
• [Jan 27 / Feb 09 / Feb 23]: National planning
• [Jan 28 / Feb 10 / Feb 24]: First responder health surge capacity
• [Jan 28 / Feb 10 / Feb 24]: Hurricane Katrina
• [Jan 30 / None / Feb 20]: Immigration and border security

Brief Analysis:

Although immigration and border security was the last action directive issued, it is by far the longest and most specific directive, while at the same time allowing the shortest time between issuance of the directive and due date for the final report.  This may be a reflection of Secretary Napolitano’s experience with immigration, but in any case it indicates a likely increase in emphasis on immigration and border security compared to the previous administration.

The other theme clearly evident in many of the action directives is interoperability and integration, integration, integration.  Napolitano stated during her confirmation hearing that a primary focus under her watch would be integration of DHS agencies into a single cohesive agency, and the action directives reflect that.

• DHS Press Release Jan 21: First 5 action directives
• DHS Press Release Jan 23: Cyber security and Northern border strategy
• DHS Press Release Jan 27: FEMA  state and local integration and National planning
• DHS Press Release Jan 28: First responder health surge capacity and Hurricane Katrina
• DHS Press Release Jan 30: Immigration and border security

Obama pushes security upgrades for seaports & emergency communications

From Government Security News:

As President Obama put some meat on the bones of his promised infrastructure revitalization plan, it became clear yesterday that strengthening security at the nation’s seaports and improving first responder communications networks are two areas likely to receive federal funding in the short term.

In his Saturday radio and Internet address on Jan. 24, Obama provided more details than ever on his “American Reinvestment Plan,” aimed at creating or saving three to four million jobs.

In addition to repairing traditional roadways and mass transit systems, said Obama, infrastructure revitalization “means protecting America by securing 90 major ports and creating a better communications network for local law enforcement and public safety officials in the event of an emergency.”

• Full story
• Transcript of President Obama’s weekly radio address

DHS lessons learned from Mumbai attacks

DHS Under Secretary Charles Allen (DHS Office of Intelligence and Analysis) testified last week before the Senate Committee on Homeland Security and Governmental Affairs, discussing both the lessons DHS learned from the November terrorist attacks in Mumbai, and the information sharing efforts of DHS with regard to the attacks.

Although committee testimony can sometimes be a bit dry, Allen’s testimony is relatively short and offers some insight into DHS policy direction, so you may want to read it.  Here are some highlights:

Prevention and Deterrence:

• Previously disrupted plots (and previously identified targets) may resurface.
  • Reducing security protection leaves attackers an opening, no matter how much time has passed since the intial threat.
• A determined and innovative adversary will make great efforts to find security vulnerabilities and exploit them.
  • Think like attackers to identify our weak points before they exploit them.
• Security must be unpredictable for the adversary, but predictably responsive to those it is meant to protect.
• Target knowledge was paramount to the effectiveness of the attack.
  • DHS is working on programs to help detect pre-attack surveillance.
• “Low tech” attacks can achieve terrorist strategic goals-and can be dramatically enhanced by technology enablers.
  • Note: The attackers may have used wireless devices from hostages to monitor and interfere with the response against them.

Response and Recovery

• Response to a similar terrorist attack in a major U.S. urban city would be complicated and difficult.
• A unified command system is of paramount importance if governments are to respond to terrorist attacks quickly and effectively.
• Public-private interactions are crucial and must be developed before an incident occurs.
• Threat Information must be quickly and accurately conveyed to the public.
  • But he stressed DHS has procedures and practices to balance this with the need to ensure attackers can’t use the information to further their attack goals.
• Training exercises that integrate lessons learned are critical.
  • Future national exercises will include Mumbai-style attacks.
• We must protect the attack sites to collect intelligence and evidence to identify the perpetrators.
  • Proper evidence collection must be incorporated into training, planning, and response.

Note: Several reports were cited in the testimony, almost all marked For Official Use Only (FOUO), so they’re not available to link to.  If you would like access to any of these reports, I suggest you either contact your local fusion center or information sharing center, or contact I&A directly (they may point you to a regional organization that can properly vet you as having legitimate need to see the document).

Final Note: Controlling Wireless Information

Use of wireless devices by attackers is already being targeted from a technology standpoint (The NYPD expressed interest in jamming or intercepting wireless signals at the same hearings).  I expect this to become a hot topic, and I expect it to be addressed from an infrastructure & policy standpoint as well (giving responders some measure of control of private wireless infrastructure during an attack).  A combination of both would be necessary to deny attackers information they could use without interfering with the wireless information responders need, so watch for some policy debate on this issue.

• Full transcript of Allen’s testimony
• DHS Office of Intelligence and Analysis

DHS cybersecurity proposals more modest than DNI comments suggested

From HS Daily Wire:

Earlier this year Director of U.S. National Intelligence Mike McConnell said the government would require broad powers to monitor all Internet traffic in order to secure the U.S. critical information infrastructure; DHS Secretary Michael Chertoff outlines a more modest approach.

Earlier this year, Director of National Intelligence Mike McConnell told the New Yorker that the government would require broad powers to monitor all Internet traffic in order to secure the U.S. critical information infrastructure. Chertoff outlined a more modest agenda, saying that his agency’s primary goal would be to “get control of the dot-gov domain,” and insisting that government involvement in securing private networks would be strictly by invitation.

• Full article

House bills focus on improved information sharing

A couple bills in the House intended to promote information sharing.  Both have passed in the House, but haven’t yet passed in the Senate.

[Update 10/09: See also: Seven Years after 9/11, Spies Finally Forced to Share - If nothing else, the photo posted with the article is worth a smile]

1. H.R. 3815, Homeland Security Open Source Information Enhancement Act:

Requires DHS to use publicly available information to analyze U.S. critical infrastructure nodes from the perspective of terrorists and other attackers, and share the unclassified results with appropriate federal, state, local, tribal, and private-sector officials

2. H.R. 4806, Reducing Over-Classification Act

Requires DHS to develop policies to prevent the overclassification of information and promote the sharing of unclassified information.  Specifically requires that DHS consult with representatives of state, local, tribal, and territorial government and law enforcement, organizations with expertise in civil rights, civil liberties, and government oversight, and the private sector” to develop these policies.