We're In This Together!
Critical Infrastructure
© 2007 FrontLine Security (Vol 2, No 1)

Professional emergency planners know that even the best plans depend on the extent to which critical infrastructure (CI) services are available to help responders mitigate and recover from the event. While local emergencies such as storms and accidents often disrupt CIs, work-arounds are often possible in short order, and additional materials and labour can be supplied from outside the affected area.

Independent Electricity System Operator Power Distribution Control Centre.

But would this be the case in large-scale regional or national emergencies? The 1998 Ice Storm, 9/11, and Hurricane Katrina all provide vivid examples of how the widespread and long-term loss of electricity, telecommunications, fuel, transportation, and water virtually halt recovery efforts.

In 2003, the Premier of Ontario declared provincial emergencies to deal with both the SARS crisis and the 2003 Blackout. These events presented challenges in different ways. While these crises were managed as provincial emergencies, they clearly had national and international significance.

On the most basic level, the federal government needed to coordinate with the provincial government and provincial critical infrastructures – health in the SARS crisis and electricity in the blackout. At the strategic level, the federal government needed to stay abreast of the situation, understand what was being done, provide assistance if necessary and, most importantly, manage the international implications. For example, in the hours immediately following the August 2003 Blackout, the media quoted the Canadian Prime Minister and the New York State governor, who blamed each other’s country for causing the blackout. At all costs, government and the CIs need to coordinate to ensure the political does not overtake the technical.

Clearly then, any widespread or national-level emergency depends on the ability of government and these infrastructures to understand the threats facing them, and to take measures to prevent, mitigate, respond and recover. But the CIs are very diverse. It has been estimated that critical infrastructure sectors make up about 40% of our economy in terms of the capital value of facilities and number of employees. And about 85% are owned or operated by the private sector. So how do governments and the CIs work together to understand what needs to be done, and take the necessary steps? The answer, in one word, is partnership.

In Canada today, there is no framework at the national level to link the federal government with the CIs, although a draft strategy has been under development by Public Safety Canada for several years. Some sectors, such as telecommunications and banking/finance, have long-standing regulatory relationships with the federal government, but most sectors do not. And there is no mechanism to bring the sectors together to understand and enhance their interdependencies through extreme scenarios.

U.S. Department of Homeland Security

The Need for Partnership
Wikipedia defines a partnership as “a contract between individuals who, in a spirit of cooperation, agree to carry on an enterprise, contribute to it, by combining property, knowledge or activities and to share its profit”. While this definition is often used in the context of a contractual business relationship, it can also apply to agreements between organizations that cooperate on matters of mutual interest with no financial exchange. This form of recognized partnership can provide the basis for trusted cooperation between government and the CI sectors.

Two partnership approaches have been vigorously debated: regulatory and non-regulatory. But in today’s complex world of managing physical and cyber security threats and all-hazards, a non-regulatory approach has a number of advantages.

A non-regulatory partnership:

  • Provides flexibility to address all-threats, all-hazards
  • Supports rapid changes needed to address new threats
  • Encourages innovation to develop new security and resiliency solutions
  • Provides a trusted environment that encourages two-way information-sharing between the government and the CIs

Canada doesn’t have a partnership framework, but the U.S. does. So what can we learn from their experience? What barriers had to be overcome, and does it work?

The U.S. Experience: Federal Leadership
The US has been actively interested in protecting critical infrastructure since President Clinton signed Presidential Decision Directive 63 in 1998 that declared “…the United States will take all necessary measures to swiftly eliminate any significant vulnerability to both physical and cyber attacks on our critical infrastructures, including especially our cyber systems.”

This interest intensified after 9/11 when President Bush issued Homeland Security Presidential Directive 7, identifying 17 critical infrastructure and key resources “so vital to the United States that the incapacity or destruction of such systems would have a debilitating effect on the nation.” This directive set out the framework for the National Infrastructure Protection Plan (NIPP) and a new public-private partnership to integrate protection activities across all sectors.

One goal of the new Department of Homeland Security (DHS) was to develop the necessary relationships with the CI sectors. It’s difficult to overstate the significance of establishing DHS – the most significant transformation of the US government since World War II. They had a big job to do. Aside from the enormous administrative challenge of bringing together many organizations from other departments, they had to do something that had never been done before – develop a National Infrastructure Protection Plan that would describe how the CIs would increase their security posture.

Early Challenges
In 2005, DHS released its Interim National Infrastructure Protection Plan (NIPP). From the perspective of the CIs, this interim plan had serious deficiencies. It almost exclusively focused on the terrorist threat, as opposed to all threats and hazards. As a result, it focused on efforts to protect CIs, and virtually ignored the full spectrum of actions that need to be taken, including mitigation, response, recovery and restoration.

This Interim NIPP was in many ways too prescriptive and did not provide the flexibility the diverse sectors needed. DHS came to realize that they needed to engage the CI sectors to address these issues, and this is where the hard part started. There were a number of challenges to be overcome.

  • The vast scope and diversity of the CI sectors
  • Concerns about how sensitive, security-related information would be shared without it becoming public and falling into the wrong hands
  • Fears by the private sector that CI initiatives would prompt the creation of burdensome laws and regulations
  • Administrative and legal barriers such as the U.S. Federal Advisory Committee Act, that strictly limits how the government is able to seek advice from the private sector
  • Defining the role of the state, local and tribal governments

Progress – a Partnership Framework
After a series of consultations with a number of sectors who were already self-organizing to work with DHS, Homeland Security Secretary Chertoff established the partnership framework in March 2006. This was a milestone achievement. It put in place a framework recognized by government and the CI sectors that defines the roles and responsibilities for all levels of government, private industry and non-governmental organizations. To date, almost all of the CI sectors have established their sector coordinating councils and meet regularly with their government counterparts (www.dhs.gov). As well, the Partnership for Critical Infrastructure Security, established in 1999 and composed of the leaders of each of the individual CI sectors, was formally recognized as the private sector’s cross-sector council.

It’s too early to claim that this partnership framework is the perfect and enduring framework for how the CI sectors work with government. There are real cultural differences in how government and the private sector work.

However, some success has already been achieved, for example, in developing the NIPP and Sector-Specific Plans, planning for pandemic influenza, and implementing an emergency notification system for DHS with the CI sectors. Great potential exists for the sectors to further understand each other’s interdependencies and develop solutions that will optimize recovery across the sectors and minimize the impact on public health and safety and the economy. The result will be an ever-increasing level of resilience for all the critical infrastructures.

Could the U.S. Framework Work in Canada?
In general, we can apply the concepts behind the U.S. model directly in Canada. Some Canadian entities are already involved in the U.S. initiatives because many CIs such as electricity, oil and natural gas, dams and information technology are multi-national or have cross-border interests.

In many ways, it should be easier to establish a partnership framework in Canada: with fewer stakeholders, coordination and outreach would be simplified; Canada does not have legal barriers similar to the U.S. Federal Advisory Committee Act; and, when common goals are agreed, Canadians can find pragmatic solutions that are less resource-intensive or bureaucratic.

The Way Forward: Leadership with Substance
For their part, the sectors have an interest in supporting the development of a partnership with government on CI matters from both a business and public interest perspective. And government has an opportunity to demonstrate leadership through commitment and action to:

  • Provide leadership in a facilitative, rather than directive way. Recognize existing relationships within and between CI sectors, and reinforce these or build new ones by reaching out to leaders in government and industry. Clarify the roles of Public Safety Canada and other federal departments. Include the provinces as partners.
  • Gain commitment by engaging each CI and invite them to meet this challenge in collaboration with other CIs at the national level. Senior political leaders need to reach out to business leaders to describe the need for their sustained involvement and support.
  • Be ready to respond to real events. We can’t afford to be overtaken by the next crisis. Establish the means to quickly reach out to the CIs on a 24x7 basis to share threat and incident information between government and the CIs. Share and understand each other’s emergency response protocols.

What risks do we face by not acting promptly? Without a recognized partnership framework in place, government and the CI sectors will not be able to effectively coordinate efforts to ensure secure, safe and reliable critical infrastructure services. This is not only a matter of national interest – it is necessary to meet the commitments we have made with our neighbours through the Security and Prosperity Partnership of North America.

Stuart Brindley is the Manager of Training and Emergency Preparedness at Ontario’s Independent Electricity System Operator (IESO) and currently Chairs the U.S. Partnership for Critical Infrastructure Security.