Last week, CQ reported Homeland Security Secretary Janet Napolitano, speaking before the Senate Homeland Security and Governmental Affairs Committee, made a “dire prediction.” Secretary Napolitano warned the Senate that if Congress does not give DHS “the authority to designate critical infrastructure and set risk-based cyber security standards for it” [in] “a year or 18 months…we would have suffered a major infiltration or attack, and we will find that some part of our critical infrastructure was a gap.”
From the Secretary’s remarks, it appears DHS has yet to publicly recognize the superior critical infrastructure expertise of the Defense Department, National Security Agency and the FBI and has no institutional memory of the many catastrophic “protected” infrastructure failures America has suffered or the Department’s culpability for:
- Failure to implement the Homeland Security Advisory Council’s (HSAC’s) January 2006 recommendation to “Promulgate critical infrastructure resilience (CIR) as the top-level strategic objective—the desired outcome—to drive national policy and planning.”
- The Department’s continued silence on the global, real-time, anomalous behavior and malware detection, neutralization and cyber event reporting technologies demonstrated to it in April 2010.
- DHS’s failure to implement a nationally unifying, individual, business/enterprise and community empowering “American Resilience Assessment” recommended in the HSAC’s June 2011 Community Resilience Task Force Report.
- The Department’s ongoing efforts to disparage and obstruct implementation of comprehensive, nationally compatible, “all-condition,” objectively measurable and operationally proven infrastructure resilience mindsets, methodologies and metrics.
It is disturbing that the leader of an organization that repeatedly uses the term resilience, but dogmatically defends a basic (but among other issues) an operationally inadequate, repeatedly and catastrophically failed, Cold-War Era Critical Infrastructure Protection (CIP) program and has for years stonewalled advancements in infrastructure preparedness, is now calling for additional authority to create and impose increasingly invasive cyber security “standards.”
The Secretary’s “dire prediction” and roundabout effort to foist responsibility on the Congress for her Department’s obvious lack of progress in assuring, beyond their protection, the operational resilience of America’s interdependent cyber and physical infrastructure challenges is — at best —ill-conceived. America’s cyber infrastructure operates at the speed of light, is globally interconnected and technology driven. Additional, increasingly invasive Federal legislation, while perhaps comforting within the Beltway, will not achieve adequate levels of cyber security or the operational assurance and resilience of America’s Information Infrastructure.
The Department has long possessed operationally proven infrastructure resilience recommendations and the information necessary to rapidly implement them. DHS has the authorities, relationships with appropriate Federal Departments and has access to the advanced cyber infrastructure technologies and methodologies it requires to comprehensively address its most fundamental Homeland Security challenge – the operational resilience of the Nation’s critical infrastructure(s).
The threats to, exploitable vulnerabilities of, and the resulting consequences from cyber and physical infrastructure failure grow each day. The issue is not one of organizational authority but rather one of organizational performance and responsibility. The question for the DHS leadership is: Why is a Department born of tragedy and constitutionally sworn to “provide for the common defense,” doing significantly less than it can to achieve that end? An increasingly at-risk population is owed an explanation.