In this lesson, we will establish the connection between Homeland Security and Cybersecurity.
Establish the Connection between Homeland Security and Cybersecurity
As we said, 9/11 demonstrated the destructive power of subverting critical infrastructure. But the potential threat to the infrastructure was well-known well before 9/11. Again, in response to the 1985 Tokyo subway attacks, in July 1996, President Clinton appointed a commission on critical infrastructure protection to report on this scope and nature of vulnerabilities and threats to the nation’s infrastructure, and recommend a comprehensive national plan for protecting it, including any necessary regulatory changes. In October 1997, the commission released its report, essentially finding that no immediate crisis threatened the nation’s infrastructure.
However, it did raise a concern about cybersecurity. According to the commission, the rapid assimilation of computer networks into infrastructure employed the same computer hardware and protocols that were facilitating the explosive growth of the Internet.
Once isolated systems were now accessible online to a growing pool of hackers with the knowledge and skills to do harm. The report concluded that the threat and vulnerability of cyber attack against the nation’s infrastructure was both real and growing. President Clinton responded in May 1998 by issuing Presidential Decision Directive number 63, directing Federal Agencies to take action for critical infrastructure protection.
PDD-63 identified a set of 12 infrastructure sectors whose assets should be protected. According to PDD-63 any interruptions in the ability of these infrastructures to provide their goods and services must be brief, infrequent, manageable, geographically isolated, and minimally detrimental to the welfare of the United States. To achieve this goal, a lead federal agency was assigned responsibility for each sector. Their job was work with industry representatives to develop corresponding Sector Security Plans. The individual sector security plans were to integrated into an overarching National Infrastructure Assurance Plan. PDD-63 set the goal protecting the nation’s critical infrastructure from intentional attacks both cyber and physical by the year 2003. That, of course, did not happen.
Following 9/11 and the creation of the Department of Homeland Security, in December of 2003, President Bush issued Homeland Security Presidential Directive number 7, building on the framework established by PDD-63. HSPD-7 expanded the number of infrastructure sectors from 12 to 18 and assigned new Sector-Specific Agencies to lend supervision with the new Department of Homeland Security taking responsibility for 11 of the new sectors.
As before, Federal Agencies were to work with industry representatives develop Sector-Specific plans And work towards the overarching strategy of the National Infrastructure Protection Plan. The first National Infrastructure Protection Plan was released by DHS in 2006, and was since updated in 2009 and 2013. The basic strategy outlined in the National Infrastructure Protection Plan is called the Risk Management Framework.
The RMF is essentially a continuous improvement process comprised of the following steps.
One, Set Goals and Objectives. Two, Identify Infrastructure. Three, Assess and Analyze Risk. Four, Implement Risk Management Activities. And five, Measure Effectiveness. In February 2013, President Obama issued Presidential Policy Directive number 21, superseding HSPD-7.
PPD-21 reduced the number infrastructure sectors from 18 to 16, but otherwise left intact the previous structure. PPD-21 also placed strong emphasis on the need for greater resilience and cybersecurity in the nation’s infrastructure.
As predicted by the 1997 Presidential Commission Report, cyber attack has indeed become a growth industry. The essential concern about cyber attack against the nation’s infrastructure is that it could result in catastrophe exceeding any the nation has endured. The worst catastrophe in the nation’s history was the 1900 Galveston hurricane that killed 12,000 people. The consequences of cyber attack could be even greater. Among many potential scenarios examined by the federal government, three in particular keep security experts awake at night.
One, an extended disruption to the North American electric grid.
Two, multiple simultaneous nuclear meltdowns. And three, disrupting the Federal Reserve System. While none of these scenarios would be easy to execute, their probabilities of occurrence are sufficient to warrant protective action.
Let us review the major points of this article.
1, 9/11 demonstrated the destructive power of subverting infrastructure.
2, the potential threat from infrastructure was well known before 9/11.
3, In response to the 1995 Tokyo subway attacks, President Clinton appointed a commission to examine the threat to the nation’s infrastructure.
4, In its 1997 report, the Presidential Commission concluded that the nation’s infrastructure was essentially safe, but warned it could become increasingly vulnerable to cyber attack.
5, As a result of the 1997 Presidential Commission report, in 1998 President Clinton issued PDD-63 setting up a framework for protecting critical infrastructure from both cyber and physical attack.
6, In 2003, President Bush replaced PDD-63 with HSPD-7, essentially retaining the same structure. 7, The basic elements of the nation’s critical infrastructure protection framework, are
- 1, defined infrastructure sectors,
- 2, designate Lead Federal Agencies, and
- 3, conduct public-private partnerships for developing Sector-Specific Plans.
- 4, According to an overarching National Infrastructure Protection Plan, using
- 5, Risk Management Framework for continuous improvement.
8, In 2013 President Obama replaced HSPD-7 with PPD-21, again retaining most of the same elements but with increased emphasis on cybersecurity.
9, The potential consequences of a cyber attack on the nation’s infrastructure could far exceed the worst disaster ever experienced in the United States.