Critical Infrastructure and a Cyberattack
Presidential Decision Directive 21 (PDD-21) identifies 16 critical infrastructures. PDD-21 lays out the national policy to maintain secure, functioning and resilient critical infrastructure. Select a critical infrastructure sector from the list below and discuss the impact that a cyberattack could have on that system or service: Communication Sector (voice communications, digital communications, or navigation) Energy Sector (electric power grid) Water and Wastewater Systems Sector (water supply or sewage) Healthcare and Public Health Sector (hospitals) Transportation Systems Sector (rail or air) Financial Services Sector (banking ) It is the third and fourth order effects from the cyberattack on the chosen critical infrastructure that shows the far reaching and devastating effect of a cyberattack. To demonstrate the interconnectedness of critical infrastructure, explain the cascading effects on other critical infrastructure. Then, discuss the measures DHS has taken to ensure resiliency of the selected infrastructure and the measures that need to be implemented in the future. The Critical Infrastructure and a Cyberattack assignment Must be three to four pages in length (excluding the title and reference pages) and formatted according to APA style as outlined in the Ashford Writing Center. Must include an introductory paragraph with a succinct thesis statement. The thesis must be in both the introduction and the conclusion. Must use at least three scholarly sources or official government sources in addition to the course text. *Must thoroughly explains the cascading effects on other critical infrastructure. *Must thoroughly discusses the measures DHS has taken to ensure resiliency of the selected infrastructure and the measures that need to be implemented in the future. *This assignment must display meticulous comprehension and organization of syntax and mechanics, such as spelling and grammar. Written work contains no errors and is very easy to understand. *The use of transition words is a must. Reference: Text Kamien, D. (Ed.). (2012). The McGraw-Hill homeland security handbook: Strategic guidance for a coordinated approach to effective security and emergency management (2nd ed.). New York, NY: McGraw-Hill. Chapter 2: The Terrorist Threat to Surface Transportation: The Challenge of Securing Public Places Chapter 15: The Necessity of Interagency Collaboration Chapter 20: Critical Infrastructure and Interdependency Revisited Chapter 31: Role of Corporate Security Chapter 32: Corporate Emergency Management Chapter 34: Building a Resilient Nation Article U.S. Department of Homeland Security. (2014). Fiscal years 2014-2018 strategic plan. Retrieved from http://www.dhs.gov/sites/default/files/publications/FY14-18%20Strategic%20Plan.PDF Mission 4: Safeguard and Secure Cyberspace This resource provides current information on the Department of Homeland Security Mission 4: Safeguard and Secure Cyberspace. Web Pages U.S. Department of Homeland Security. (2015, October 27). Critical infrastructure sectors. Retrieved from http://www.dhs.gov/critical-infrastructure-sectors This website is the official website for the Department of Homeland Security and addresses the specific mission to enforce and administer our immigration laws. You will need to review this website prior to completing Discussion 1. Accessibility Statement Privacy Policy U.S. Department of Homeland Security. (2015, January 8). Safeguard and secure cyberspace. Retrieved from http://www.dhs.gov/safeguard-and-secure-cyberspace This website is the official website for the Department of Homeland Security and addresses the specific mission to safeguard and secure cyberspace. You will need to review this website prior to completing Discussion 1. Recommended Resources Text Kamien, D. (Ed.). (2012). The McGraw-Hill homeland security handbook: Strategic guidance for a coordinated approach to effective security and emergency management (2nd ed.). New York, NY: McGraw-Hill. Chapter 21: Homeland Security for Drinking Water and Wastewater Utilities Chapter 22: Civil Aviation Security: On the Ground and In the Air Chapter 35: The Community Resilience System: Operationalizing a Whole Community Approach Chapter 36: Collaboration Not Isolation: A Joint Approach to Business Continuity and Resilience Article North American Electric Reliability Council. (2004, July 13). Technical analysis of the August 14, 2003 blackout: What happened, why, and what did we learn? Retrieved from http://www.nerc.com/docs/docs/blackout/NERC_Final_Blackout_Report_07_13_04.pdf This article provides an example of the vulnerability of one critical infrastructure sector and will help with the successful completion of the Critical Infrastructure and a Cyberattack assignment.
Chapter Books for this Assignment

CHAPTER 21 461 HOMELAND SECURITY FOR DRINKING WATER AND WASTEWATER UTILITIES Stanley States, Ph.D. Director of Water Quality and ProductionPittsburgh Water and Sewer Authority Water utilities, both drinking water and wastewater, provide essential services to the public on a 24/7/365 basis. They are designed with a great deal of redundancy to help ensure uninterrupted service. Despite these efforts, utilities are potentially subject to interruptions resulting from a variety of emergencies. Natural disasters (e.g., hurricanes, blizzards, earthquakes, tornadoes, flooding) and major accidents (fires, explosions, electrical power grid failures, equipment failures, accidental contamination) have impacted utilities for years. While water systems have always been susceptible to emergencies caused by human activities, ranging from simple vandalism to thefts and incidents perpetrated by disgruntled insiders (e.g., employees, contractors), the attacks of September 11, 2001, increased awareness of the possibility of a public utility being targeted by terrorists. As with most industries, drinking water and wastewater companies typically have limited money, staff, and time to prepare for emergencies. Utilities also have a number of other requirements that compete for limited resources. These include dealing with aging infrastructure and responding to ever more stringent federal, state, and local regulations intended to protect the health and safety of the communities served. For drinking water systems the overarching regulation is the federal Safe Drinking Water Act and its continually evolving amendments governing the chemical, microbiological, and radiological quality of drinking water. For wastewater systems the primary regulation is the federal Water Pollution Control Act (Clean Water Act), which limits the public health and environmental impacts of the treated liquid effluent ultimately discharged to receiving streams and the waste biosolids disposed of in landfills. Drinking water and wastewater utilities must also respond to newly discovered public health and environmental contaminants such as the trace concentrations of pharmaceuticals, personal care products, and endocrine disruptors that have been detected in wastewater plant effluents, surface and ground waters, and even drinking water supplies in recent years. Security and emergency preparedness needs are just one of a number of concerns for the water industry. 462 Prior to the attacks of September 11, 2011, most emergency planning at utilities focused on accidents, equipment failures, and the specific natural disasters that are most likely to occur in a given water system’s location. In the several year period immediately following 9/11, the emphasis on emergency planning for utilities shifted to incidents initiated by humans. In fact, the federal Bioterrorism Act of 2002 mandated that all U.S. drinking water utilities serving more than 3,300 persons conduct a formal vulnerability assessment to identify intentional acts to which a specific water system might be vulnerable. This regulation also required drinking water utilities to update their emergency response plans to include man-made events identified in the vulnerability assessment. The major hurricanes of 2005 (Katrina and Rita) redirected attention to vulnerabilities associated with natural disasters and refocused water utility emergency preparedness efforts to an “all hazards” approach. Several factors contribute to the difficulty experienced by water utilities in devoting money, staff, and time to security and emergency preparedness. First of all, there are relatively few regulations actually mandating that utilities devote significant resources to this area. In most states, the primary regulatory agency responsible for overseeing the activities of drinking water and wastewater utilities is usually the state department of environmental protection, environmental resources, or public health. These agencies typically require utilities to develop and maintain emergency response plans (ERPs) and associated operations and maintenance plans (O&M plans). As mentioned, the federal government, under the Bioterrorism Act of 2002, required drinking water systems (but not wastewater systems) to conduct formal vulnerability assessments and then to develop ERPs to include man-made events. Other than these requirements, there are few regulations across the United States requiring specific actions by utilities in the areas of security and emergency planning.

CHAPTER 22 489 CIVIL AVIATION SECURITY: ON THE GROUND AND IN THE AIR Rafi Ron CEO, New Age Security Solutions (NASS) Robert Faber Former Senior Oversight Counsel, House Transportation Committee THE PSYCHOLOGICAL BATTLE OF AVIATION SECURITY Terrorism can be thought of as the use of violence, or the threat of violence to exert influence over large segments of the civilian population to bring about change or create fear. Why do governments devote a disproportionate share of their resources to protect aviation as a potential target? With vulnerabilities in other transportation modes as well as stationary venues, what accounts for the persistent interest in airplanes and airports? The answer is likely found in the nature of the aviation experience itself and the value terrorists place on elevating their “status” in the eyes of their peers and rivals. Airplane travel by definition is the transportation mode of choice to meet the time-sensitive needs of an increasingly fast-paced, just-in-time culture. It therefore enjoys greater prestige as a mode of travel and delivery and consequently as a target. Passengers who travel by air, for both business and leisure, are more likely to be opinion leaders and frequently have higher incomes than the populace at large—a status itself not lost on terrorist organizations. 490 To be sure, terrorists are also busy targeting trains (Madrid 2004), buses (London 2005), ships (Yemen 2000), and public gatherings (repeatedly). But destroying a plane is the gold standard by which terrorists are measured. This is in part because of the effort that has been undertaken to make air travel secure. Terrorists who can penetrate the aviation security system feel they have accomplished more than less secure targets. But perhaps more fundamentally, air travel adds extra emotional potential. It embodies an additional element of “drama,” so compelling in a media-driven culture. A certain percentage of passengers on all flights are afraid of flying in the first place; therefore, tensions begin at an elevated level. People are well aware they uniquely lack control of their environment on an airplane. Quite independent of terrorist intentions, air passengers depend on the expertise and judgment of hundreds of people to ensure a safe flight: pilots, mechanics, air traffic controllers, etc. Terrorists have the potential to enhance the drama and attract attention to their cause when they target aircraft. They can easily draw out a threat to aviation over a period of hours, preying on the inherent fear of an aviation passenger’s sense of vulnerability. If the terrorists choose, they have time to force travelers, media, governments, and the public to watch and agonize over the pending disaster. All of these factors feed the fundamental goals of the terrorists: to raise their status among their peers and rivals by grabbing the world’s attention and forcing decision makers to consider their policies and positions. In the terrorists’ world, enhancing the respect for their family, tribe, or organization is the highest aspiration in this life and many believe “self-sacrifice” will bring their ultimate reward in the hereafter. Such goals are more attractive than wealth or convenience or integrity. They have succeeded if others respect them. It makes no difference whether it is brought about by admiration or fear; either one enhances their status. Their only fear is failure and the resulting dishonor. PRE–9/11 HISTORY Aviation hijackings began as early as the 1930s, remaining a rare occurrence through the 1950s. For the most part, they were not carried out by terrorists. They were the activities of criminals or people seeking political asylum. In the United States, little attention was given to the threat until the 1960s when an international trend of hijacking airplanes to Cuba developed, including a couple of flights from U.S. airspace. Few of these flights resulted in personal injuries.

CHAPTER 35 825 THE COMMUNITY RESILIENCE SYSTEM: OPERATIONALIZING A WHOLE COMMUNITY APPROACH M. J. Plodinec Community and Regional Resilience Institute INTRODUCTION The Federal Emergency Management Agency (FEMA) has promulgated a new doctrine—A Whole Community Approach to Emergency Management—to serve as a foundation for increasing individual preparedness and engaging with members of the community as vital partners in enhancing the resiliency and security of our Nation.1 When successfully implemented, such an approach has tremendous potential for leveraging resources and energy in the private and nonprofit sectors to enhance the resilience of communities. However, while emergency managers are being encouraged to use this new approach, there is little practical experience in this country to guide them. Further, a Whole Community approach calls on emergency managers to employ skills that may have been seldom needed in the past. Most importantly, they are required to establish relationships and forge partnerships with others in the community—to move from command-and-control to collaboration. Even if equipped with the proper skills, the emergency manager simply may not know who appropriate partners are. 826 In late 2011, the Community and Regional Resilience Institute (CARRI) initiated pilot testing of its Community Resilience System and process. This is one of the first (and certainly the most ambitious) effort to implement a Whole Community approach in the United States. This marks the culmination of a four-year-long effort involving over 200 community leaders; federal, state, local, and tribal representatives; researchers; and members of the financial and insurance communities. It is already offering some important “lessons learned” to emergency managers in terms of how to implement a Whole Community approach. In this chapter, we first describe what a Whole Community approach entails. We then introduce the Community Resilience System (CRS) and process. The CRS process has been based both on lessons learned from previous disasters (e.g., Hurricane Katrina) and on advice from community leaders. We describe in detail the first two steps, forming the leadership team and assessing the community. We then describe the initial pilot testing of the CRS. We close with some general guidance for emergency managers looking to implement a Whole Community approach in their own communities, including some observations based on initial pilot testing. WHOLE COMMUNITY APPROACHES Whole Community approaches to emergency management are already in use in the United Kingdom, the Netherlands, and elsewhere.2 The basic premise behind any Whole Community approach is relatively simple. If the whole community is going to be impacted by a disaster, then the whole community should be involved in planning to respond to and recover from disruptive events. As the United States has moved toward an “all-hazards”/“maximum of maximums” approach to emergency management planning, it has become increasingly clear that most local governments do not have the resources needed to both respond to and recover from disaster.3 By involving all sectors of the community in planning, all of the resources that would be used for response and recovery in the community—whether belonging to the local government, nonprofit organizations, private business, or even individuals and neighborhoods—can be used more efficiently and effectively.

CHAPTER 36 847 COLLABORATION NOT ISOLATION: A JOINT APPROACH TO BUSINESS CONTINUITY AND RESILIENCE Richard Stones CSyp FSyI High-profile terrorist events, dramatic disasters, and major industrial accidents all focus the mind into thinking that this is what all threats look like. The reality for the majority of businesses in the UK, however, is very different; it is the most mundane of events, the accidents that happened because somebody forgot to do what their procedure told them to do, or because they thought they could bypass a policy and do something another way, that presents a more realistic risk. The one thing you can be sure of when operating in this manner is that when it goes wrong, and it does, it costs money if you’re lucky and life if you’re not. The UK business population comprises 95 percent subject matter experts, a group for whom the luxury of the corporate security advisor, the dedicated risk manager, or the occupational health and safety manager are a mere aspiration. More often this is a function performed by some other member of the workforce, who probably pulls in this extra work at home as an addition to their day job. These are the people that owners trust and depend upon to protect their businesses, and it is down to the goodwill of the workers that this usually is the case. Is this good? Is it best practice and could it be done better? Yes and no. Yes, because these people are generally the more trusted members of your workforce; they care about the business and take pride in the importance of their additional role But no, because it is not necessarily a best practice, and it could be done better—but for many businesses, it has to do. But also no, as in many cases, although well intentioned, these people are not adequately trained to the level necessary to protect the business; as people familiar with risk with recognise it is often the insignificant overlooked issues that result in the major incidents. 848 The irony in all of this is that in many cases these SMEs are sometimes called upon by your business to support that last-minute order that has just come in or they may be already supplying the most insignificant of components that serve to complete your businesses product. They are insignificant until they are not there. Then what? It is only when they are taken out by disaster, man-made or natural, that you, as bigger businesses, begin to consider the what-if factor, or as I like to call it the “WIF” (pronounced “wiff”): “What if” we had done this to prevent that? Events over the last decade have served to galvanise our thoughts to the real possibility, and consequence, of disaster, and yet we still see car production halted by one of the world’s largest car manufacturers as a result of their continuity strategy failing to consider the potential loss of a supplier, or in the UK, like all other countries, we regularly see businesses large and small being displaced and their function stopping as a result of flood, fire, chemical spillages, and other unforeseen disasters. The problem, however, is, as mentioned, that these people are at the end of, or form an integral part of, your supply chain. Have you considered this in your business continuity plans? Before you all rush off to check, let me save you a job. You haven’t, or at least not in the detail necessary to maintain your own organisation’s functionality and continuity. Why? It’s simple really; the business continuity plan didn’t require the people writing it to consider this possibility. Many will argue that I’m wrong and that this is an integral part of the process of risk mitigation. So why, as the local copper, do I see displaced businesses struggle after an accidental fire, after a burglary, or the multitude of other incidents, not disasters, that disrupt normal working? Ten years ago as an Acting Inspector at a local police station in north Nottinghamshire I asked myself the very same question. My wife, a dentist, rang me to tell me that our dental practice in North Derbyshire had been broken into. Several hours later, after berating colleagues in the neighbouring police force, I sat at my desk and considered the approach that I had taken and then thought about my own force. Were we any better? Probably not. Could we be? Without doubt. Are we now? Yes. Why? Collaboration, not isolation.
CHAPTER 2 21 THE TERRORIST THREAT TO SURFACE TRANSPORTATION: THE CHALLENGE OF SECURING PUBLIC PLACES Brian Michael Jenkins Director of the National Transportation Security Center at the Mineta Transportation Institute INTRODUCTION The discovery of notes in Osama bin Laden’s compound indicating that the terrorist leader was contemplating attacking trains in the United States on the tenth anniversary of September 11 underscores the continuing terrorist threat to public surface transportation. Public surface transportation—trains and stations, buses and bus depots, even groups of people waiting at bus stops—offers terrorists an attractive target: easy access and easy escape, concentrations of people in confined environments that enable an attack to achieve the high body counts terrorists seek, and confined environments that can enhance the effects of explosives and unconventional weapons. This poses enormous challenges for security. THE THREAT IS REAL The terrorist threat to public surface transportation is real. While terrorists remain obsessed with attacking commercial aviation, they regard surface transportation as a killing field. Between September 11, 2001 and December 31, 2011, terrorists carried out 75 attacks on airliners and airports worldwide, causing 157 deaths. During the same period, terrorists carried out nearly 1,804 attacks on surface transportation, most of them against bus and train targets, killing more than 3,900 people. (This does not include attacks in war zones like Afghanistan and Iraq.)1 22 While terrorists recently have attacked aviation targets less often, they have been attacking surface transportation more frequently. Between 1970 and 1979, terrorists carried out a total of 15 surface transportation attacks that caused fatalities. (Only incidents with fatalities are included to avoid apparent increases that are due solely to better reporting.) The number grew to 43 attacks with fatalities in the 1980s, 281 in the 1990s, and 465 in the decade between 2000 and 2009. Many of these attacks involved a few fatalities and did not make headline news, but 11 of them since 9/11 resulted in 50 or more deaths, and three of the attacks (including one carried out by a deranged arsonist) each killed nearly 200 people. The total number of fatalities in these 14 attacks is the approximate equivalent of the fatalities in seven major airline crashes. One can imagine the furor that would have resulted if seven commercial airliners had been brought down by terrorists after 9/11. The West is not immune. Most of the attacks have occurred in developing countries like India, but there have been attacks on trains and buses in France, Spain, the United Kingdom, Russia, and Japan. Further terrorist plots against surface transportation targets have been uncovered and foiled in the United Kingdom, Germany, Spain, Italy, and Australia. Attacks on surface transportation could also occur in the United States. Since 9/11, there have been seven reported terrorist plots involving attacks on trains in the United States. Authorities reportedly uncovered a plot in 2003 to release poison gas in New York’s subways. In 2004, New York police infiltrated a plot by two men to bomb a mid-Manhattan subway station. In 2006, a terrorist plot was uncovered in Lebanon to blow up train tunnels under the Hudson River. Bryant Vinas, a homegrown recruit to al Qaeda, offered terrorists his assistance in attacking the Long Island Railroad where he once worked, and in 2009, authorities uncovered a mature plot to bomb New York’s subways. Faisal Shazad, the Time Square bomber, initially planned to follow up that attack with a bombing at New York’s Grand Central Station. In 2010, Farooque Ahmed was arrested in an FBI sting operation for planning to bomb Washington’s Metro stations.2

CHAPTER 15 323 THE NECESSITY OF INTERAGENCY COLLABORATION Steven Pugh Captain, United States Air Force INTRODUCTION One of the principal, and most accelerated, changes in recent U.S. history is the nation’s reliance on information technology. Five decades ago, the impact of digital infrastructure on our way of life was essentially nonexistent. Today, the United States’ digital infrastructure has become a strategic national asset. Pundits have warned of adversarial hackers who could infiltrate and shutdown critical Industrial Control Systems (ICS) such as water treatment facilities, power grids, or even nuclear power stations—their warnings are not without merit. A whole-of-government approach must be used to confront and thwart these new, advanced threats. The domain of cyberspace is unique for the Department of Homeland Security (DHS) because it is the only main mission area that is man-made. It is also the newest of the mission areas. Additionally, cyberspace enables or supports all other mission areas with which DHS has been charged. Another unique aspect is that cyberspace literally permeates all facets of the government, not just DHS. Because of this unique characteristic, the success of DHS is intimately tied with its ability and capacity to work effectively with other departments and agencies—known as interagency collaboration. In addition to the broad nature of cyberspace, the scope of knowledge required to secure and defend cyberspace, and the scale of the Internet, make developing a solution challenging. Some of the problems within cyberspace are simply too broad for one department to take on singlehandedly. Fortunately, as Mr. Stanton from Johns- Hopkins University writes, “Cyberspace lends itself to such collaboration between government and private actors” (Stanton, 2008). To avert digital disaster, a comprehensive solution must be achieved. An attacker needs only one vulnerability to gain access to a digital network and wreck havoc. 324 In a fiscally constrained environment, the nation needs to leverage as much efficiency as possible. Thomas Stanton writes, “Inter-agency collaboration, important before, has become essential for program managers. Agencies must begin to pool administrative resources to jointly enhance the quality of their programs” (Stanton, 2011). The idea of interagency collaboration has a solid theoretical foundation, though its execution has a rather inconsistent record of accomplishment. The lessons of past failures can show us where an organization’s inability to work outside itself has led to unimaginable consequences, and yet we can easily point to overwhelming success when agencies have utilized their individual strengths by working together. We can learn from these case studies and use them as models as we move forward as a successful nation. Knowledge sharing should be among the top priorities for the government when it comes to securing our digital infrastructure. Many of our adversaries use the same tools, tactics, and techniques to silently move through our networks; agencies need to share this data so we can present a solid, unified front in the face of cyberspace adversaries. Additionally, protecting our digital infrastructure plays into the larger strategy of cyberspace deterrence. The Department of Defense publicly declared, “Defending the homeland is an important part of deterrence” (Department of Defense, 2011). We can effectively deny, disrupt, and minimize adversarial activity by securing our critical assets. These behaviors present a solid foundation that our government leaders rely on when discussing response actions towards an adversary for cyberspace aggression. The US commercial sector needs guidance on proper cyber-hygiene. Large companies can often afford to hire cyberspace security experts, but small businesses may not. Wars now target the will of a population in addition to military forces, and altering a person’s livelihood is a quick way to erode support of military action.

CHAPTER 20 437 CRITICAL INFRASTRUCTURE AND INTERDEPENDENCY REVISITED Rae Zimmerman Professor of Planning and Public Administration Director, Institute for Civil Infrastructure Systems (ICIS) Wagner Graduate School of Public Service, New York University Note: This work was originally supported by several grants, including the National Science Foundation (NSF) Cooperative Agreement No. CMS–9728805 for the Institute for Civil Infrastructure Systems (ICIS) at New York University (in partnership with Cornell University, Polytechnic University of New York, and the University of Southern California); Urban Infrastructure in a Time of Crisis (grant number 0204660) and Bringing Information Technology to Infrastructure (grant number 0091482); and a grant from the U.S. Department of Homeland Security (DHS) through a subaward from the University of Southern California for the first Homeland Security Center of Excellence. The author’s opinions, findings, and conclusions or recommendations are not necessarily those of NSF or DHS. CRITICAL INFRASTRUCTURE AND ITS SECURITY Infrastructure supports the economy, public health and welfare, and security in ways that are often difficult to ascertain. Interdependencies among infrastructures and other activities magnify their contribution to these sectors both positively and negatively, and are of growing concern in the infrastructure security arena. The importance of infrastructure is portrayed in a number of ways. One is the contribution of infrastructure to the gross domestic product (GDP). An estimate by the World Bank is that the GDP increases 15 percent as infrastructure capital doubles.1 Given the difficulty of estimating specific social and economic contributions of infrastructure, another overall way of assessing its contribution has been in terms of the value of infrastructure assets. U.S. assets in 2009 were valued at several trillions of dollars directly for the utilities and transportation sectors alone and a larger amount if other related sectors are included.2 These estimates of asset value or financial impacts may not take into account dependencies and interdependencies among infrastructure sectors and between these sectors and other parts of the economy, or at least do not make those relationships explicit. 438 The security of infrastructure has become a major objective of national policy. Since the mid-1990s or earlier these policies have been reflected in regulations, guidelines, executive orders, reports, legislation, plans, and strategies. Infrastructure security in general evolved out of earlier concerns over protecting communications. That theme continues to dominate infrastructure security policy, attaining more prominence as cybersecurity has had increasing attention along with its increasing interconnections with other infrastructures. As a collection of activities and facilities, infrastructure is complex, pervasive, and thus particularly open to terrorism. To make infrastructure secure, we need to understand its interdependencies and their relationship to infrastructure vulnerabilities. Definitions: Infrastructure, Critical Infrastructure, and Interdependent Infrastructure The current term infrastructure is relatively new, dating from about the 1980s, and earlier, and the concept had to do mainly with military installations and public works.3 In 1997, the President’s Commission on Critical Infrastructure Protection (PCCIP) adopted a definition that refers to networks, processes, synergy, and continuity “to produce and distribute a continuous flow of essential goods and services.”4 The concept of critical infrastructure and its interdependencies with other sectors is even more recent than the concept of infrastructure, and links infrastructure and security. Both ideas followed a national emphasis on the performance of infrastructure to promote health, safety, and welfare. For example, Presidential Decision Directive (PDD) 63 defined critical infrastructure as “those physical and cyber-based systems essential to the minimum operations of the economy and government.”5 PDD 63 clearly acknowledged interdependence in the critical infrastructure sectors, emphasizing information technology and cybersecurity, and called for “a particular focus on interdependencies” in the development of sector plans. Section 1016(e) of the Patriot Act of 2001 defined critical infrastructure as “systems and assets, whether physical or virtual, so vital to the nation that the incapacity or destruction of such systems would have a debilitating impact on security, national economic security, [or] national public health and safety or any combination of these matters.”6 As policies regarding critical infrastructure evolved, the scope of the concept evolved as well. The National Infrastructure Protection Plan (NIPP) of 2009 identified critical infrastructures together with a broader set of sectors called critical infrastructure and key resources (CIKR) comprising 18 sectors that include “agriculture and food, defense industrial base, energy, healthcare and public health, national monuments and icons, banking and finance, water, chemical, commercial facilities, critical manufacturing, dams, emergency services, nuclear reactors, materials, and waste, information technology, communications, postal and shipping, transportation systems, and government facilities.”7 HSPD–7 provides the foundation for critical infrastructure protection, and the U.S. DHS authority to protect critical infrastructure originates in the Homeland Protection Act of 2002.8 The categories are similar to those used in lifeline engineering, for example, which focuses on transmission and distribution systems.9 The continuing significance of critical infrastructure is reflected in the annual designation by the President of the United States, since 2009, of December as Critical Infrastructure Month.

CHAPTER 31 743 ROLE OF CORPORATE SECURITY Ronald J. Kelly Director, IBM Corporate Security INTRODUCTION The terrorist attacks of 9/11 were a watershed for the United States, for the relatives of the victims, for the administration, for ordinary citizens, for American corporations worldwide, and for the people who are responsible for developing, implementing, and maintaining the security of corporate America. Time may not yet have healed the wounds of 9/11, but it is beginning to blur the sense of threat. Or perhaps there is a growing sense of security resulting from the frantic burst of government activity afterward. This response led to the wars in Afghanistan and Iraq; the commitment of American combat forces or special forces in North Africa, Central Asia, the Philippines, and elsewhere; the PATRIOT Act; the Department of Homeland Security (DHS); the 9/11 Commission; a national ‘’intelligence czar’’; and a sense among the public that although law enforcement and intelligence communities had failed, the problems were being fixed. There have been months of hearings on what went wrong, who failed us, who is to blame. People have asked why the American intelligence community did not prevent the attacks, assuming simplistically that all the pieces of the jigsaw puzzle were there, waiting for the CIA and FBI to communicate with each other and put them together. There has been broad support for hurriedly implementing all the recommendations of the 9/11 Commission, although no one has satisfactorily explained how the pieces of the puzzle would have come together if those recommendations had been in place before the attack. 744 There are many things that, as members of the public, we do not know and may not know for several years: whether the U.S. government departments reorganized under DHS are functioning better than they were beforehand; whether the country would have been better protected by a smaller, more selective reorganization; whether we should change, weaken, or strengthen the PATRIOT Act; whether the reorganization of the intelligence community will make us safer. Also, many high-profile critics tell us that the steps the government has taken to protect the national infrastructure are not enough, that the infrastructure is still vulnerable. (They are right, but why should we want to give that information to our enemies?) Anyone who thinks seriously about this threat must conclude that there could be another terrorist attack at any time, with no warning, no chatter, no raising of the alert level, no government announcement, and none of the commentary we normally receive from experts in the media. The effort to carry the war to certain terrorists abroad was necessary and has been helpful; the arrests of many al-Qaida operatives worldwide may have delayed a follow-up attack on the United States. The work of the Joint Terrorism Task Forces (JTTF) has made it much more difficult for terrorists to recruit, organize, and put together an operation in the United States without fear of detection and further arrests. However, there is nothing to suggest that terrorists have given up. On the contrary, there is an ongoing barrage of threats against the West, and innumerable individuals are willing to sacrifice their lives in an attack on the United States. Preventing such an attack may be beyond the resources of federal, state, or local governments. There is a saying: ‘’The government has to get it right 100 percent of the time; the enemy has to get it right just once.’’ Therefore, the government needs help. The private sector owns or operates more than 85 percent of the nation’s critical infrastructure and thus should be in the forefront of governmental efforts to protect the country. Corporations must play a significant role in reducing the risk of an attack against the business infrastructure and in preparing for the consequences of an attack if one occurs. Corporate America has to help turn soft targets into tough targets and increase its own survivability. Major corporations need to take the responsibility for developing and implementing fundamental security practices, including risk assessment, baseline security, emergency planning, crisis management, screening of employees, and protecting critical infrastructure. Corporations also need to examine their vulnerabilities, dependencies, and logistic needs and determine how they will function if they are temporarily denied the use of certain assets. Most important, DHS needs to form an interactive partnership with the private sector.

CHAPTER 32 763 CORPORATE EMERGENCY MANAGEMENT Donald L. Schmidt Emergency Response Planning Practice Leader, Marsh Risk Consulting INTRODUCTION What Is Emergency Management? Many terms are used for emergency management in the private sector: emergency response planning, contingency planning, crisis management, disaster planning, etc. However, emergency management, the term used in the public sector, is more inclusive and is becoming increasingly popular in the private sector. Emergency management has four phases: mitigation, preparedness, response, and recovery. Since September 11, 2001 one more phase has emerged from mitigation: prevention or deterrence. Emergency management begins with mitigation—identifying a threat; assessing its potential impact on people, facilities, operations, and the environment; and taking steps to reduce the probability of occurrence or the severity of consequences. Preparedness involves organizing and training people, providing facilities and equipment, and developing policies and procedures for responding. The response phase includes actions taken to safeguard people and stabilize the incident. In the private sector, recovery includes continuity of critical business functions, addressed in business continuity plans, and disaster recovery. Crisis management is an overarching executive-level plan that includes making strategic decisions; communicating with stakeholders such as employees, stockholders, customers, and suppliers; and addressing the emotional needs and health care of affected employees and their families, i.e., the human impact. 764 National Preparedness Standard: NFPA 1600 The National Commission on Terrorist Attacks upon the United States (9/11 Commission) reviewed the need for preparedness in the private sector and noted in Chapter 12 of its report:1 ‘’the private sector controls 85 percent of the critical infrastructure in the nation [and] the ‘first’ first responders will almost certainly be civilians.’’ The commission acknowledged that lack of a standard contributed to lack of preparedness. It asked the American National Standards Institute (ANSI) to develop a standard for the private sector. After a series of workshops that included representatives from many private-sector industries and associations as well as public officials, ANSI’s Homeland Security Standards Panel endorsed NFPA 1600, Standard on Disaster/Emergency Management and Business Continuity Programs.2 NFPA 1600—on which this chapter is based—was promulgated by the National Fire Protection Association (NFPA) under the consensus-based process of standards development accredited by ANSI and established common criteria for emergency management and business continuity. Congress then acted on the recommendation of the 9/11 Commission and incorporated Section 7305, Private Sector Preparedness, into the National Intelligence Reform Act of 2004, Title VII—Implementation of 9/11 Commission Recommendations. The Act, signed into Law by President Bush on December 17, 2004, recognizes NFPA 1600, Disaster/Emergency Management and Business Continuity Programs, as our national preparedness standard. (a) FINDINGS.—Consistent with the report of the National Commission on Terrorist Attacks Upon the United States, Congress makes the following findings: (1) Private sector organizations own 85 percent of the Nation’s critical infrastructure and employ the vast majority of the Nation’s workers. (2) Preparedness in the private sector and public sector for rescue, restart and recovery of operations should include, as appropriate— (A) a plan for evacuation; (B) adequate communications capabilities; and (C) a plan for continuity of operations. (3) The American National Standards Institute recommends a voluntary national preparedness standard for the private sector based on the existing American National Standard on Disaster/Emergency Management and Business Continuity Programs (NFPA 1600), with appropriate modifications. This standard establishes a common set of criteria and terminology for preparedness, disaster management, emergency management, and business continuity programs.

CHAPTER 34 811 BUILDING A RESILIENT NATION Stephen Flynn Co-Director of the Kostas Research Institute for Homeland Security; and Professor of Political Science at Northeastern University Sean Burke Associate Director of the Kostas Research Institute Assuring security, safety, and prosperity in the twenty-first century requires building and maintaining resilience in the face of chronic and catastrophic risks. Americans must brace themselves in the years ahead for large-scale disruptions, fueled by unconventional conflict around the globe, changes in climate, and the sheer complexity and interdependencies of transnational modern systems and networks. Ensuring that individuals, communities, and critical infrastructure have the capacity to withstand, respond to, rapidly recover from, and adapt to man-made and natural disturbances will prove indispensible to sustaining our way of life and quality of life. Alternatively, a lack of resilience will be a competitive disadvantage, with individuals and investors avoiding places and companies that cannot provide continuity of essential services in the face of stress. Moreover, resilience provides deterrence value to adversaries whose aim is mass disruption or destruction, as attempts to target resilient societies or systems will gain little return for their nefarious efforts. Building resilience requires a strategy for harnessing America’s greatest assets: civil society and the private sector. To accomplish this, Washington must revisit the approach it adopted after the attacks of September 11 that has increasingly mired federal law enforcement, border, and transportation agencies in a Cold War-era legacy system of classified documents and security clearances. Security officials blocked from sharing information on threats and vulnerabilities with the public will only grow increasingly isolated from those to which they are responsible. Barriers to adequately informing and empowering civil society must be removed. In the end, only a well-informed citizenry can effectively defend the nation from the diverse range of risks to the homeland. 812 Building resilience also requires that the government not promise more protection and assistance than it can deliver. The indisputable fact is that there never will be enough professionals at the right place at the right time when terrorists or disasters strike. Intelligence and technologies are fallible, and the forces of nature cannot be deterred. Experience has shown time and again that when it comes to detecting and intercepting terrorist activities or dealing with a catastrophic natural event, the first preventers and first responders will almost always be civilians and system operators who by circumstance find themselves unwitting targets of terrorists or in the path of a disaster when it strikes. Importantly, in order to better develop the nation’s capacity to manage danger and disasters, the government must be careful to not end up alienating the people they are working to protect. Advancing security measures without spelling out the vulnerability they were designed to address can lead to a resentful and uncooperative public. This anger and skepticism will in turn impede future government efforts to improve security. Forcing the public to accept a safety or security measure without fully explaining why it is necessary and what it is supposed to accomplish is exactly the wrong way to build the trust necessary for long-term success. The public sector needs to look at the private sector and everyday people not as potential victims to be protected, but as essential allies whose active collaboration is indispensible to building a more resilient society. If there is one lesson to take away from the twentieth century it is that it is both futile and counterproductive to pursue safety and security efforts with the avowed aim to eliminate risks. While risks can and should be mitigated, it gets exponentially more expensive and difficult to try and reduce those risks to zero. Not only will those efforts face the law of diminishing returns, they will also invariably generate unintended consequences. Instead, the goal must be to develop policies and incentives that encourage resilience at the community level, and within and across networks and infrastructure sectors locally, regionally, and nationally.