New National Infrastructure Protection Plan Released

A new version of the National Infrastructure Protection Plan (NIPP) was released yesterday.

I’ve extracted and attached the full Table of Contents (4 pages) and the Executive Summary (6 pages) as separate documents.  Both are worth reading, if only to identify the parts of the full document you may want to read more closely.  For a super-compact summary, I’ve included a short excerpt from the Preface, and a list of the major sections of the document in this post.

[Update 02/25: DHS released an “NIPP Consolidated Snapshot” (2 pages), which I’ve linked to here.]

The Preface to the 2009 NIPP, written by former DHS Secretary Michael Chertoff, states:

“The NIPP meets the requirements that [President Bush] set forth in Homeland Security Presidential Directive (HSPD) 7, Critical Infrastructure Identification, Prioritization, and Protection, and provides the overarching approach for integrating the Nation’s many CIKR (Critical Infrastructure and Key Resources) protection initiatives into a single national effort.  It sets forth a comprehensive risk management framework and clearly defined roles and responsibilities for the Department of Homeland Security; Federal Sector-Specific Agencies; and other Federal, State, regional, local, tribal, territorial, and private sector partners implementing the NIPP.”

The NIPP has an Executive Summary, 7 main sections, and 6 appendices:

  • Executive Summary
  • 1. Introduction
  • 2. Authorities, Roles, and Responsibilities
  • 3. The Strategy: Managing Risk
  • 4. Organizing and Partnering for CIKR Protection
  • 5. CIKR Protection as Part of the Homeland Security Mission
  • 6. Ensuring an Effective, Efficient Program Over the Long Term
  • 7. Providing Resources for the CIKR Protection Program
  • Appendix 1: Special Considerations (Cross-Sector Cybersecurity and International CIKR Protection)
  • Appendix 2: Summary of Relevant Statutes, Strategies, and Directives
  • Appendix 3: The Protection Program
  • Appendix 4: Existing Coordination Mechanisms
  • Appendix 5: Integrating CIKR Protection as Part of the Homeland Security Mission
  • Appendix 6: S&T Plans, Programs, and Research & Development

Overview of Napolitano’s Action Directives

In her first 10 days in office, new Homeland Security Secretary Janet Napolitano has issued 12 “action directives” focused on specific homeland security areas.  Here’s an overview of all the action directives, including their purpose and a brief look at what they may indicate for Homeland Security policy in the Obama administration.

What is an action directive?

According to the DHS press release, action directives “instruct specific offices and agencies to gather information, review existing strategies and programs, and to provide oral and written reports” by a specified date.  The dates are specified separately for each directive.

So essentially the action directives are reviews of existing programs.  Although the action directives do not direct any changes to the programs under review, the specific areas each directive specifies for review give an indication of programs that may begin seeing changes after the reviews are complete.

List of Action Directives

The list of action directives follows.  I’ve listed all the relevant dates for each directive as [Date issued / date oral presentations due / date written reports due].  I’ve linked each directive in this list to the DHS press release that includes it.

Note: Although the initial press release didn’t give both oral and written dates for the 5 action directives issued on that date, based on the press releases for the other action directives, this appears to be an error, and I’ve made the assumption that all 5 of those directives have the same oral and written response dates.  No date was specified for oral presentations for the last action directive (immigration and border security).

Brief Analysis:

Although immigration and border security was the last action directive issued, it is by far the longest and most specific directive, while at the same time allowing the shortest time between issuance of the directive and due date for the final report.  This may be a reflection of Secretary Napolitano’s experience with immigration, but in any case it indicates a likely increase in emphasis on immigration and border security compared to the previous administration.

The other theme clearly evident in many of the action directives is interoperability and integration, integration, integration.  Napolitano stated during her confirmation hearing that a primary focus under her watch would be integration of DHS agencies into a single cohesive agency, and the action directives reflect that.

Expect changes in U.S. approach to cybersecurity

The U.S. approach to cybersecurity is likely to change significantly under the Obama administration.  Although it’s not clear yet exactly what priorities will be sacrificed to make room for the increased focus, or how the changes will all play out, here are some highlights of recent activities in this area:

  • Reports: A recent report highlighted weaknesses in U.S. cybersecurity efforts, and recommended changes to U.S. cybersecurity leadership and policy, including the White House taking over the lead for cybersecurity efforts from DHS.
  • Obama Administration: President-elect Obama’s statements during the campaign, and his relationships with the authors of the reports (several of whom are advisors to his campaign), suggest that he’ll probably appoint a “cybersecurity czar” at the White House to coordinate national cybersecurity efforts.  Speculation is rising about who he’ll appoint to the post.
  • Congress: Key members of Congress have stated concerns about our lack of preparedness and our inability to protect against and respond to cyber attacks.
    • Rep. Dutch Ruppersberger (D-MD), chair of the House Intelligence subcommittee on Technical Intelligence, says billions of dollars need to be invested by both government and the private sector.  Rep. Ruppersberger also supports appointment of a “cybersecurity czar” at the White House.
    • Rep. James Langevin (D-RI), chair of the House Homeland Security subcommittee on Cybersecurity, said “We’re way behind where we need to be now.”  Rep. Langevin has also called for leadership of cybersecurity efforts to be removed from DHS, and for increases in our offensive cyber warfare capabilities to use as a deterrent (much as our offensive conventional and nuclear capabilities are used as deterrents to conventional and WMD attacks).
  • DHS: Although DHS Secretary Michael Chertoff agrees we have significant vulnerabilities, he cautions against changing leadership of cybersecurity efforts at this stage.  But incoming Secretary Janet Napolitano may have a different view, especially if changes are supported by President-elect Obama.
  • Front-Line Stakeholders: Many key participants in a recent cyberwar simulation exercise reported that we’re not prepared for a real cyberwar.
  • Recent Precedents: Cyber attacks aimed at Estonia earlier this year, and at Georgia during the recent conflict between Russia and Georgia in South Ossetia, underscored both the likelihood and effectiveness of cyber attacks during a conflict of any kind.  These attacks were effective, even though they are widely believed to have come from non-state actors (Russian sympathizers).

Summary:

With agreement about our vulnerability all the way from the front line to Congress and the White House, expect some major changes in both leadership and policy.  Increases in funding should also be expected, though whether funding comes as new expenditures or shifting of funding from other areas remains to be seen.

Report offers warning and recommendations on cybersecurity

From The Providence Journal:

The Center for Strategic and International Studies (CSIS), a Washington-based think tank that specializes in national security issues, on December 8th released a year-long study of how the Obama administration can fight threats to the security of the nation’s computer systems — private as well as public.

The report, titled Securing Cyberspace for the 44th Presidency, is intended to draw attention to computer hacking, the theft of electronic information and related dangers of the Internet Age. It may also spark controversy with such suggestions as making the White House the center of a national “cyber security” effort.

“This is not some hypothetical catastrophe,” James A. Lewis, the chief of the study commission, said in a preview of the report on cyber security in September. “We are under attack and taking damage,” said Lewis.

CSIS assembled the 55-member commission that produced the report after more than a dozen secret meetings and several public ones that took testimony from scores of experts on computer technology, the Internet, information security and related fields.

Event: House Homeland Security Committee roundtables on privacy, civil rights, & civil liberties at DHS

  • When:  Wednesday, December 3rd, 2008
  • Where: 311 Cannon House Office Building, Washington D.C.
  • Time:  9:00 am – 4:00 pm

On Wednesday, December 3rd, the Majority Staff of the House Committee on Homeland Security will host a series of roundtable discussions on the future of privacy, civil rights, and civil liberties at DHS.  The event, entitled “A Path Forward: Constitutional Protections in Homeland Security”, is sponsored by Rep. Bennie Thompson, Chairman of the House Committee on Homeland Security.  Experts from the public sector will give their views on the focus the Department should take in dealing with privacy, civil rights, and civil liberties during the new Administration.  There will be a total of six panels:

  • 9am – The Road Ahead: Protecting Civil Liberties in a Natural Disaster
  • 10am – A New Direction:  Privacy Implications in Datamining
  • 11am – The Way Forward: Privacy and Domestic Intelligence & Information Sharing
  • 1pm – The Advancing Lane: Transportation Security & Privacy and Civil Liberties
  • 2pm – The Changing Course:  Privacy, Civil Liberties, and the Border
  • 3pm – A Progressive Dimension: Cybersecurity and Privacy

State laws enforce data privacy

From the Wall Street Journal:

Nevada is the first of several states adopting new laws that will force businesses — from hair stylists to hospitals — to revamp the way they protect customer data.  Massachusetts has already passed a similar law which goes into effect January 1st, and Michigan and Washington State are both considering similar legislation.

While just a few states have adopted such measures so far, the new patchwork of regulations is something many businesses will have to navigate, since the laws apply to out-of-state companies with operations or customers in those states.

DHS cybersecurity proposals more modest than DNI comments suggested

From HS Daily Wire:

Earlier this year Director of U.S. National Intelligence Mike McConnell said the government would require broad powers to monitor all Internet traffic in order to secure the U.S. critical information infrastructure; DHS Secretary Michael Chertoff outlines a more modest approach.

Earlier this year, Director of National Intelligence Mike McConnell told the New Yorker that the government would require broad powers to monitor all Internet traffic in order to secure the U.S. critical information infrastructure. Chertoff outlined a more modest agenda, saying that his agency’s primary goal would be to “get control of the dot-gov domain,” and insisting that government involvement in securing private networks would be strictly by invitation.