The Briefing

Protecting Critical US Infrastructure

Wednesday, March 4, 2015

Presidential Decision Directive 63 was a novel and creative first step in establishing a national policy for the protection of critical US infrastructure. Novel, in that it was the first presidential national security directive to be born unclassified; creative, in that PDD 63 proposed new public/private partnerships that, while increasingly common among all the post-industrial democracies, had not hitherto been the principal focus of any national security institutions. Nevertheless, PDD 63 failed in grappling with the complex problem of critical infrastructure protection, and this failure has persisted throughout its later incarnations, Homeland Security Presidential Directive 7 and Presidential Policy Directive 21. Partly this was due to the institutional torpor of the final months of the Clinton administration; partly to the difficulty of mandating, in the absence of congressional legislation, those regulations that might have given real energy to the public/private relationship; but largely to a conceptual failure — the failure to grasp that critical infrastructure protection was more than simply the twenty-first-century version of flood control, but was instead the face of a new kind of warfare, required by (and requiring) a new kind of constitutional order.

PDD 63 defined the critical infrastructure as composed of five essential domains: banking and finance, energy, transportation, telecommunications, and government services. The rationale behind this definition arose from the vital interests each of these sectors, and all of them interacting and taken together, embodied for the country. By “vital” I mean a role so crucial that its interdiction, should it persist, would mean the collapse of the society as it is currently constituted. PDD 63 also created the Infrastructure Sharing and Analysis Centers (ISACs) built around the various sectors — energy, telecommunications, etc. — and composed of representatives from private companies and their government counterparts. PDD 63 also established the National Infrastructure Assurance Council, an advisory group largely drawn from the private world, and called for a National Critical Infrastructure Assurance Plan to be drafted within two years. As it turned out, the NIAC never met in the Clinton administration, and though a Plan was eventually promulgated, it was done with little input from Congress.

At first glance, PDD 63 appeared to provide lead federal agencies for each of the various sectors. In fact it also created the National Infrastructure Protection Center, which was to be the focal point for all threat assessment, vulnerability analysis, early warning, law enforcement and response coordination — a kind of super-ISAC run by the government — and required all federal agencies to provide the NIPC with any information about threats and cyberattacks as they became aware of them.  The NIPC was lodged in the Department of Justice, effectively making DOJ the lead agency for critical infrastructure protection.  Because DOJ is modestly funded, and because its focus is on investigation and prosecution, this was a fateful choice.  Among other consequences, this step effectively walled off the NSA from infrastructure protection with, I have come to believe, tragic consequences.

If the US government had taken the names it already had on its terrorist watchlist and swept airline reservations, that would have revealed that at least two people whose names were on the watchlist had purchased tickets to fly on the morning of September 11, 2001. If airline records of those purchased tickets had been cross-checked with the street addresses of the purchasers, correlating the names generated with their telephone numbers — thus gaining new names — and if these had then been cross-checked with post office records, frequent flyer numbers and passenger lists, we would have known the identities of all nineteen hijackers and that they were all flying on four flights on the same day within minutes of each other.

These links, in themselves innocent, would not have been enough, however, to yield a finding of probable cause necessary for a warrant. Yet within two weeks of the 9/11 attacks, the United States had located hundreds of emails linked to the hijackers, in English and Arabic, sent four to six weeks before September 11, some of which included operational details of the planned terrorist assault.

After 9/11, PDD 63 was superseded by HSPD 7, which made the new Department of Homeland Security the lead agency.  This too was a mistake — the problem of critical infrastructure protection is a global problem, not a homeland one, and indeed the linking to the global electronic network is what makes the infrastructure so vulnerable in the first place — though perhaps not a mistake of the same magnitude as the assignment to DOJ.  New sectors were added — for example, agriculture — without much thought as to their short-term criticality.  This arrangement was preserved by the Obama administration in its PPD 21.  Even the most modest legislative action — a statute calling for voluntary action by the private sector — failed in Congress.

On January 12, the president gave a major address on the subject of cyber protection principally devoted to privacy protection for consumers. That same day, hackers from the Islamic State penetrated the Twitter and YouTube accounts of the US Central Command.  With the current controversies surrounding the NSA and the US role in cyberwarfare, one wonders whether it is even possible to get US critical infrastructure protection back on track.