It should be a surprise to no one that the recent GAO report “Critical Infrastructure Protection: Current Cyber Sector-Specific Planning Approach Needs Reassessment” identified a long-standing gap in DHS’ strategy to protect critical infrastructure – namely the bifurcation of physical and cyber security strategies.

The National Infrastructure Protection Plan, which outlines the strategy for sector-specific agencies to identify and address vulnerabilities in our critical infrastructure, was originally drafted to ensure that the government and the private sector identify vulnerabilities and implement mitigation efforts across the domains of physical and cyber security.  That strategy was developed to ensure that planning and investment to protect against physical security attacks didn’t neglect, expose or create vulnerabilities to cyber attacks on infrastructure.

We need a holistic approach that coordinates the strategy around guns, gates and guards to protect physical infrastructure with our strategy to protect our networks, SCADA systems and cyber infrastructure.  Though we can’t seem to move beyond creating strategies and engaging in planning, recent arrests in the United States demonstrate that our adversaries aren’t as bureaucratic.  While we are treating the two security worlds of physical and cyber as independent, one can easily imagine the scenario of a coordinated attack on U.S. soil starting first with a cyber attack on our 911 and communications systems, immediately followed by kinetic attacks on critical infrastructure and soft targets, with little effort and risk to the attackers.

We indeed need more emphasis on cyber security.  Leadership and accountability are key factors in achieving progress, but we also need to move beyond planning and into action. The government needs to clearly identify achievable priorities across the government and private sector, provide guidance on what should be done, measure progress and hold both government and private sector leadership accountable for protecting our nation.

The 2009 Financial Crisis underscored the fact that plans and regulation alone aren’t sufficient to prevent a crisis.  There were plenty of indicators that we were on the verge of one, but no action was taken until our financial system virtually crashed. While the government is still working on the National Infrastructure Protection “Plan” and the Cyber Security “Strategy”, our infrastructure is increasingly and continuously under serious cyber attack, and we face serious threats from domestic-based terrorists intent on perpetrating the next big event.  We can’t afford another crisis before we respond with serious leadership and action to address the risk.