New National Infrastructure Protection Plan Released

A new version of the National Infrastructure Protection Plan (NIPP) was released yesterday.

I’ve extracted and attached the full Table of Contents (4 pages) and the Executive Summary (6 pages) as separate documents.  Both are worth reading, if only to identify the parts of the full document you may want to read more closely.  For a super-compact summary, I’ve included a short excerpt from the Preface, and a list of the major sections of the document in this post.

[Update 02/25: DHS Released an “NIPP Consolidated Snapshot” (2 pages), which I’ve linked to here.]

The Preface to the 2009 NIPP, written by former DHS Secretary Michael Chertoff, states:

“The NIPP meets the requirements that [President Bush] set forth in Homeland Security Presidential Directive (HSPD) 7, Critical Infrastructure Identification, Prioritization, and Protection, and provides the overarching approach for integrating the Nation’s many CIKR (Critical Infrastructure and Key Resources) protection initiatives into a single national effort.  It sets forth a comprehensive risk management framework and clearly defined roles and responsibilities for the Department of Homeland Security; Federal Sector-Specific Agencies; and other Federal, State, regional, local, tribal, territorial, and private sector partners implementing the NIPP.”

The NIPP has an Executive Summary, 7 main sections, and 6 appendices:

  • Executive Summary
  • 1. Introduction
  • 2. Authorities, Roles, and Responsibilities
  • 3. The Strategy: Managing Risk
  • 4. Organizing and Partnering for CIKR Protection
  • 5. CIKR Protection as Part of the Homeland Security Mission
  • 6. Ensuring an Effective, Efficient Program Over the Long Term
  • 7. Providing Resources for the CIKR Protection Program
  • Appendix 1: Special Considerations (Cross-Sector Cybersecurity and International CIKR Protection)
  • Appendix 2: Summary of Relevant Statutes, Strategies, and Directives
  • Appendix 3: The Protection Program
  • Appendix 4: Existing Coordination Mechanisms
  • Appendix 5: Integrating CIKR Protection as Part of the Homeland Security Mission
  • Appendix 6: S&T Plans, Programs, and Research & Development

Overview of Napolitano’s Action Directives

In her first 10 days in office, new Homeland Security Secretary Janet Napolitano has issued 12 “action directives” focused on specific homeland security areas.  Here’s an overview of all the action directives, including their purpose and a brief look at what they may indicate for Homeland Security policy in the Obama administration.

What is an action directive?

According to the DHS press release, action directives “instruct specific offices and agencies to gather information, review existing strategies and programs, and to provide oral and written reports” by a specified date.  The dates are specified separately for each directive.

So essentially the action directives are reviews of existing programs.  Although the action directives do not direct any changes to the programs under review, the specific areas each directive specifies for review give an indication of programs that may begin seeing changes after the reviews are complete.

List of Action Directives

The list of action directives follows.  I’ve listed all the relevant dates for each directive as [Date issued / date oral presentations due / date written reports due].  I’ve linked each directive in this list to the DHS press release that includes it.

Note: Although the initial press release didn’t give both oral and written dates for the 5 action directives issued on that date, based on the press releases for the other action directives, this appears to be an error, and I’ve made the assumption that all 5 of those directives have the same oral and written response dates.  No date was specified for oral presentations for the last action directive (immigration and border security).

Brief Analysis:

Although immigration and border security was the last action directive issued, it is by far the longest and most specific directive, while at the same time allowing the shortest time between issuance of the directive and due date for the final report.  This may be a reflection of Secretary Napolitano’s experience with immigration, but in any case it indicates a likely increase in emphasis on immigration and border security compared to the previous administration.

The other theme clearly evident in many of the action directives is interoperability and integration, integration, integration.  Napolitano stated during her confirmation hearing that a primary focus under her watch would be integration of DHS agencies into a single cohesive agency, and the action directives reflect that.

DHS IG Report: DHS’ role in fusion centers

The DHS Office of Inspector General issued a report last week on “DHS’ Role in
State and Local Fusion Centers”.  The report was issued in response to a request from U.S. Representative Bennie G. Thompson, Chairman of the House Committee on Homeland Security.

The report reviews successes and challenges in detail, and makes 7 recommendations.  The DHS Office of Intelligence and Analysis (DHS I&A) is the organization in DHS responsible for fusion centers, and the report states that I&A agreed with all 7 recommendations, and “has proposed plans and taken action that, once fully implemented, will reduce a number of the deficiencies…identified.”

Here’s a summary of the recommendations:

  1. Improve responses to Requests for Information, and identify designated points-of-contact between I&A and fusion centers for information needs.
  2. Expand training courses, including adding additional course locations (not just Washington D.C.), and exploring online training.
  3. Integrate all relevant I&A division roles and responsibilities into the fusion center program.
  4. Review and increase assignments of DHS staff to fusion centers.
  5. Develop measurable performance standards for the fusion center program, and justify continued costs.
  6. Improve interconnectivity among the multiple unclassified and classified information systems used to share and obtain information from fusion centers.
  7. Explore funding options and identify sufficient resources for the fusion center program.  This includes providing staff to the State and Local Program Office to oversee and manage the program.

Regardless of intent, whether or not any of these recommendations are implemented will ultimately come down to funding.  To this end, recommendations #4 (increase DHS staff assigned to fusion centers), #6 (improve interconnectivity among systems), and the 2nd half of #7 (providing staff to oversee and manage the program) are probably the least likely to be implemented in the near future.  But expect funds for some or all of these to be requested in the DHS FY2010 budget.

Executive order on lab biosecurity

President Bush issued an executive order last week establishing a working group to review biosecurity at U.S. labs and issue a report to the President within 180 days with “recommendations for any new legislation, regulations, guidance, or practices for security and personnel assurance” and “options for establishing oversight mechanisms.”  The order covers “federal and nonfederal facilities that conduct research on, manage clinical or environmental laboratory operations involving, or handle, store, or transport biological select agents and toxins.”

Insufficient biosecurity at U.S. labs was highlighted in the report from the Commission on the Prevention of  WMD Proliferation and Terrorism released last month.  In response to that report, the Senate Committee on Homeland Security and Governmental Affairs indicated it may introduce legislation to strengthen lab security as well.

There is considerable overlap in purpose between the new working group and the Senate committee efforts, and the Commission has undoubtedly done some of the investigative work outlined in the executive order.  So the new working group may serve more as a platform to ensure executive branch agency cooperation and input into new legislation than as an actual investigative body.

Biological terrorism warnings gaining increased attention

Concerns about the risk of biological attack on the United States have led the list of potential threats in 3 important reports released in December, making it increasingly likely that both policy and technology to combat biological terrorism will be at the forefront of HS policy in the Obama administration.

  • WORLD AT RISK: The Report of the Commission on the Prevention of WMD Proliferation and Terrorism: The bi-partisan Commission on the Prevention of Weapons of Mass Destruction Proliferation and Terrorism released this long-awaited report on December 4th about the current state of the WMD threat against the U.S..  The report states that the odds are greater than ever that the world will see an attack using a biological or nuclear weapon in the next five years, with biological weapons considered the greatest threat.
  • Ready or Not? Protecting the Public’s Health from Diseases, Disasters, and Bioterrorism: Trust for America’s Health (TFAH) and the Robert Wood Johnson Foundation (RWJF) released the sixth annual Ready or Not? report, which finds that progress made to better protect the country from disease outbreaks, natural disasters, and bioterrorism is now at risk, due to budget cuts and the economic crisis.  In addition, the report concludes that major gaps remain in many critical areas of preparedness, including surge capacity, rapid disease detection, and food safety – all of which could increase the damage from a biological attack.
  • DHS Homeland Security Threat Assessment for the years 2008-2013: This intelligence assessment predicts that in the next five years, terrorists will try to carry out a catastrophic biological attack.
    • NOTE: This assessment was marked “for official use only,” but was leaked to the media the week of Dec. 22.  Since I don’t condone leaking details of reports not intended for public distribution, I won’t include any links to the report or to any details of it until/unless it’s officially released for public distribution.
  • Update 01/08/2009: The threat of biological terrorism was emphasized at at a Washington Institute Special Policy Forum Wednesday, with speakers including current Assistant to the President for Homeland Security and Counterterrorism Ken Wainstein and former CIA Counterterrorist Center department chief Charles “Sam” Faddis.

Public Exposure: Both the WMD Commission report and the DHS threat assessment received widespread coverage on mainstream media outlets, including Fox, CBS, MSNBC, and the Los Angeles Times.

Expectations: In my post on the WMD Commission report, I said to expect alot more focus on biological terrorism, including legislation and funding for both R&D and increasing capabilities.  In addition, as these reports gain more public exposure, and as voters become more numb to bad financial news, expect alot more political attention on homeland security and biological terrorism, especially from U.S. Senators who will be up for re-election in 2010.

GAO faults agencies for lack of coordination on interoperability

According to a report from the Government Accountability Office (GAO) released on December 12, DHS, DOJ, and the Treasury Department are no longer coordinating with each other to develop a nationwide federal wireless communications service for use by first responders.  The report, requested by Senate Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman (ID-CT)  and Ranking Member Susan Collins (R-ME), found the different departments are now working on individual interoperability projects rather than implementing the Integrated Wireless Network (IWN) program.

Expect changes in U.S. approach to cybersecurity

The U.S. approach to cybersecurity is likely to change significantly under the Obama administration.  Although it’s not clear yet exactly what priorities will be sacrificed to make room for the increased focus, or how the changes will all play out, here are some highlights of recent activities in this area:

  • Reports: A recent report highlighted weaknesses in U.S. cybersecurity efforts, and recommended changes to U.S. cybersecurity leadership and policy, including the White House taking over the lead for cybersecurity efforts from DHS.
  • Obama Administration: President-elect Obama’s statements during the campaign, and his relationships with the authors of the reports (several of whom are advisors to his campaign), suggest that he’ll probably appoint a “cybersecurity czar” at the White House to coordinate national cybersecurity efforts.  Speculation is rising about who he’ll appoint to the post.
  • Congress: Key members of Congress have stated concerns about our lack of preparedness and inability to protect from and respond to cyber attacks.
    • Rep. Dutch Ruppersberger (D-MD), chair of the House Intelligence subcommittee on Technical Intelligence, says billions of dollars need to be invested by both government and the private sector.  Rep. Ruppersberger also supports appointment of a “cybersecurity czar” at the White House.
    • Rep. James Langevin (D-RI), chair of the House Homeland Security subcommittee on Cybersecurity, said “We’re way behind where we need to be now.”  Rep. Langevin has also called for leadership of cybersecurity efforts to be removed from DHS, and for increases in our offensive cyber warfare capabilities to use as a deterrent (much as our offensive conventional and nuclear capabilities are used as a deterrents to conventional and WMD attacks).
  • DHS: Although DHS Secretary Michael Chertoff agrees we have significant vulnerabilities, he cautions against changing leadershipof cybersecurity efforts at this stage.  But incoming Secretary Janet Napolitano may have a different view, especially if changes are supported by President-elect Obama.
  • Front-Line Stakeholders: Many key participants in a recent cyberwar simulation exercise reported that we’re not prepared for a real cyberwar.
  • Recent Precedents: Cyber attacks aimed at Estonia earliet this year, and aimed at Georgia during the recent conflict between Russia and Georgia in South Ossetia underscored both the likelihood and effectiveness of cyber-attacks during a conflict of any kind.  These attacks were effective, even though they are widely believed to have come from non-state actors (Russian sympathizers).

Summary:

With agreement about our vulnerability all the way from the front line to Congress and the White House, expect some major changes in both leadership and policy.  Increases in funding should also be expected, though whether funding comes as new expenditures or shifting of funding from other areas remains to be seen.

For more information: