Part 3


Comparing Currently Mandated Initiatives
with an Alternative Approach

 

The following parameters can be used to identify areas of weakness in current efforts and to compare current efforts with the alternative approach that will be described shortly.   These parameters are listed in Table 3:

 

Table 3: Parameters for Comparing Currently Mandated Initiatives with an Alternative Approach


~ The way in which the problem is being defined, and, most importantly, the extent to which critical infrastructure sector interdependencies and the nature of cascading failures and impacts are understood;


~ The courses of action that have been identified and the basis for determining what courses of action to take;

~ The nature and extent of the focus on information, data gathering, the cataloguing of facts, and modeling;

 ~ The different nature of terrorism post 9/11 and the implications of these differences for the nation, the world, and humankind;

~ The way in which the definition of the problem drives or fails to drive actions;

~ The role of pragmatic strategies;

~ The degree to which organizational, professional, jurisdictional, cultural, and political challenges are recognized and addressed;

~ The degree to which "state of the science" and "state of the technology" issues are recognized and understood;

~ The degree of preciseness in the use of commonly used terms; and

~ The adequacy, appropriateness, and potential usefulness of approaches to understanding and assessing vulnerabilities. 

 

Several of these parameters and aspects of them are discussed more fully here.

 

The Way in Which the Problem is Being Defined

 

A common frame of reference could help people understand each other when they speak of homeland security efforts and critical infrastructure security and continuity. The Homeland Security Impact Scale that will be described shortly may help provide such a framework.  This impact scale may provide a context for understanding in a very general way the nature and scope of the challenges, threats, and problems facing the nation and the world.  The impact scale can be seen as providing a way of looking at and comprehending the dynamically changing nature of the situation in which we find ourselves.  The impact scale provides a frame of reference for understanding, considering, and interpreting the nature and scope of the problems, challenges, and threats that face us.  It also provides a framework for considering the actual, possible, and potential impacts of those problems, challenges, and threats.  The Homeland Security Impact Scale can help focus attention on ways of looking at actions needed to address those problems, threats, and challenges.  It can conceivably help us focus homeland security and critical infrastructure protection efforts along the most positive and constructive lines possible.

 

Recognition of Critical Infrastructure Sector Interdependencies and the Nature of Cascading Failures and Impacts

 

Key to understanding the problems, threats, and challenges posed by terrorism today is understanding critical infrastructure interdependencies and the potential for cascading failures and impacts. This understanding can be critical to the success of efforts to maximize homeland security and critical infrastructure protection. Yet, such a focus often gets left out of discussions of "critical infrastructure". Cascading failures and impacts refer to what can happen when failures or disruptions involving specific infrastructure assets or sectors have ripple effects that can extend to other infrastructure sectors.

 

Some excellent analyses and discussions of cascading impacts and the interdependencies of infrastructure elements can be found in the writings of Richard G. Little (1999, 2002, May 2002) and Jeffrey R. Gaynor (2002) among others.  A report issued in April of 1999 by the U.S. Department of Commerce also provided an excellent analysis of the cascading impacts that cyber-related failures and disruptions could have on national and global economies. Indeed these same kinds of failures could be triggered today by cyberterrorism and cyberwarfare or by sabotage or mischievous acts.  The cascading effects could become widespread as a result of the slowly evolving degradation of cyber-related systems or the rapid and cascading failure of such systems and interconnected infrastructure.   

 

Other relevant work on cascading impacts was done during the years leading up to Y2K.  Many regional, national, and global scenarios were considered.  Among these were scenarios by the Naval War College and the Department of Defense.  Scenarios considered by the Naval War College are available online (Naval War College, 1999).  

 

Senator Robert Bennett, who had been at the forefront of Y2K efforts, was one of the first to emphasize the significance of connectivity issues and interdependencies amongst the various infrastructure sectors. He was one of the first to draw attention to the very real potential for cascading failures. Consideration of Y2K-related scenarios can also be found online in a White Paper on Y2K (Paula D. Gordon, 1998 and 1999). A graphic depiction of Senator Bennett's approach can also be found there.

 

Scenarios have also been used widely since 9/11 in workshop exercises and simulations. Several that have been far reaching in their implications have involved cyberterrorism threats. Some examples include the Gartner Group's Sector 5 Conference held in Washington, DC, August 21 - 23, 2002 and the Digital Pearl Harbor Exercise also held in 2002. Information on both is online. As previously noted, consideration of such scenarios is extremely pertinent today because cyberterrorism and cyberwarfare and other threats to cybersecurity and continuity could trigger the same kinds of mid-range and worst-case scenarios that were envisioned with Y2K. The attack of the Slammer worm in early 2003 was the most recent example of how fast an attack could spread and how widely cybersecurity could be breached. Consider what the extent of the damage might have been had there been no software patches to stop the spread of this worm and no relatively simple ways to repair and prevent damage.

 

Other exercises and simulations have focused attention on a wide range of other kinds of scenarios, including ones involving public health threats.  Scenario-driven exercises can be extremely helpful in that they can force individuals to consider interdependencies that they had not previously considered.

 

Some selected causes that could result in significant cascading impacts are listed below.  If any of the following were to occur slowly and incrementally over time or if they were to occur as a result of quickly cascading failures and disruptions, the societal as well as economic impacts could be severe and long lasting. 

 

Some of the possible causes of significant societal and economic consequences include the following:
 
~ Widespread or regional disablement of portions of the electric power grid;

~ Widespread or regional disablement of the Internet;

~ Widespread or selective disablement of computer systems or complex digital control and SCADA systems;

~ Destruction or disablement of refineries and/or pipelines;

~ Disruption or disablement of transportation systems;

~ Disruption or disablement of the financial sector;

~ Disruption or disablement of telecommunications systems;

~ Disablement of water purification and/or distribution systems;

~ Chernobyl- or Bhopal-type catastrophes. 

 

A longer listing of potential problems will be provided shortly.  Similar lists of problems that could be associated with cascading infrastructure failures can also be found in Part 2 of the White Paper on Y2K noted earlier (Paula D. Gordon, 1998 and 1999).

 

Recognizing the interdependency of infrastructure sectors or elements is crucial to the development of any plan of action, whether it involves preparedness, protection, mitigation, contingency planning, crisis management, response, recovery, or continuity of operations. Recognizing the interdependencies of infrastructure sectors and assets is also crucial to any steps that are taken to strengthen the infrastructure. Viewing infrastructure sectors as if they could be understood sufficiently if considered solely in isolation from one another has extremely limited utility at best.

 

Interestingly enough, much attention is paid to interdependencies in The National Strategy to Secure Cyberspace and in The National Strategy for the Physical Protection of Critical Infrastructure and Key Assets. The discussion of cascading impacts, however, seems to be sharply circumscribed. Worst case, catastrophic, or cataclysmic scenarios in which resources would be significantly impacted or totally overwhelmed are not really considered. Neither are the possible worst case and near term impacts of catastrophic events. An assumption is also made that intensive analytic and modeling techniques can provide the most sound basis for developing and implementing a plan of action. The myriad of possible scenarios and the ultimate unpredictability of what can happen and how scenarios might actually unfold can render the use of such techniques of only limited utility to planners, policymakers and managers. The way in which a crisis unfolds and the factors affecting the responses to a crisis cannot ultimately be predicted; the factors that can come into play simply cannot be fully foreseen. Actions simply cannot be pre-scripted.

 

Interdependencies and Cascading Impacts and Ripple Effects

 

One way of viewing infrastructure interdependencies might be found in the following children's nursery rhyme:

 

For want of a nail the shoe was lost;
For want of a shoe the horse was lost;
For want of a horse the rider was lost;
For want of a rider the battle was lost;
For loss of the battle the kingdom was lost;
And all for the want of a horseshoe nail.

 

Another way of viewing interdependencies and the potential for cascading impacts might be in terms of the following analogy:  If one were to throw rocks into a still pond, each rock would create ripple effects.  If rocks were thrown into the pond simultaneously or in rapid succession and were in close enough proximity to one another, ripple effects would intersect and would create new ripple effects of their own.  These effects cannot be predicted.  Possibilities can, however, be considered.  Owing to the many factors influencing the configuration of such ripple effects, it is not possible to map every conceivable scenario that could occur, nor would it be a wise way of using significant portions of one's resources.  What can be helpful is to think through many different possible scenarios, including simple scenarios.  Even simple scenarios can provide extremely significant learning experience.  Indeed, if the learning that can be gleaned through studying simple scenarios has not been mastered, there is little to be gained in trying to absorb the lessons of more complicated and daunting scenarios.

 

Yet another way of viewing cascading impacts is to consider what happened as a result of the attacks on September 11.  

 

Cascading Impacts Resulting from 9/11

 

It is critically important that we recognize the cascading impacts that have occurred as a result of 9/11.  It is also important that we recognize that such impacts are continuing to occur.  Many seem to have little awareness or understanding of these impacts even though the effects of 9/11 are still very much with us.  The effects include psychosocial and societal impacts, as well as major economic repercussions.  The 9/11 attacks as well as the subsequent anthrax attacks also have led to a refocusing of attention of government efforts and resources.  Significant resources have not only been directed to response and recovery efforts, more resources continue to be directed at addressing homeland security and defense needs.  There are even ripple effects from raising or lowering the nation's alert status.

 

The attacks of 9/11 immediately affected numerous sectors.  Other sectors have been affected more gradually over time.   Sectors that have been affected have included, but have not been limited to public works and emergency services, telecommunications, financial and financial services sectors, airlines, railways, tourism, the hospitality sector, and the insurance sector.   While to date there seems to be awareness of some of these impacts, the most recent strategy documents do not seem to reflect a full recognition of the nature and extent of the impacts on security, economic stability, and the social fabric.

 

The Nature and Extent of the Focus on Information, Data Gathering, the Cataloguing of Facts, and Modeling

 

Another parameter that deserves attention involves the nature and extent of the focus on information, data gathering, the cataloguing of facts, and modeling.  There is a point at which detailed information, data gathering, and cataloguing of facts can overwhelm the mind or otherwise make it difficult to consider, let alone settle upon a sound course of action.  In the midst of a crisis, a focus on these can get in the way of taking immediate action or near term actions that the situation may require. In fact, a continuing quest for facts can be a way of delaying action when action could be taken based on facts that are abundantly obvious. 

 

In a crisis situation, in a situation in which the costs of inaction are high, one can be best served by taking the wisest actions possible at the time. Substituting study and acquisition of data for action may give one a sense of control, but it may cause the loss of valuable time and minimize one's chances for action or survival.

 

There are those who seem to be wedded to slow and methodical approaches to data gathering and analysis even in circumstances where common sense, experience, training, preparation, and good judgment could yield equally useful if not superior insights concerning what needs to be done.  There are seemingly few who are versed in taking action based on what has been learned and what can be readily learned.  For those unused to working in crisis situations, it can be helpful to consider what the differences might be between taking action in the near term and waiting to act until after extensive time and effort were spent in data gathering, study, and analysis.  It can also be helpful to recognize that only a certain range of results are conceivable in data gathering and analytical efforts.   It can be helpful to consider what the range of possible results might be and then ask these questions:  Would any of these possible results affect the course of action that seems the most sound based on what is already known?  Would any of the conceivable results of extensive research and analysis make a significant difference regarding what needs to be done?  What common set of actions are needed whatever the results of the analyses might be?  Surely there are actions that could be undertaken relying on common sense, experience, and good judgment alone.    Note: Dean Harper and Haroutun Babigian (1971) described the concept of "advocacy evaluation" in the mental health field.  The approach that I have described here has been borrowed and adapted from their work.

 

There is a widespread penchant today for dedicating extraordinary resources to data gathering, analysis, benchmarking, and assessment. Such proclivities can be emphasized to the point of slowing or even paralyzing the problem-solving process. There are also widespread tendencies to ignore common sense, or fail to use good judgment, or fail to draw on one's experience and wisdom. If those heading up efforts to rebuild Europe at the time of the Marshall Plan had allowed themselves to be hobbled by the kinds of tendencies that are so prevalent today, we might still be rebuilding Europe. There are simply certain things that need to be done. Indeed, there are things that need to be done no matter what the short term or long term economic consequences. In-depth studies might well refine those most obvious actions in minor ways, but the actions that are taken may be little different from what they would have been had no extensive assessment been completed. In the end, the assessment of costs, risks and benefits involves consideration of values, principles, and purposes, any or all of which can override consideration of costs and risks.

 

If proclivities for in-depth studies and assessments had driven Mayor Giuliani's efforts, the response to the attacks of 9/11 would have been stultified. The nine miners in Pennsylvania would not have been rescued. The Three Mile Island near meltdown in the '70s would have ended in large-scale disaster. Special Operations Forces that have been so key to military efforts since 9/11 would not be able to take action in dynamically changing and life-threatening circumstances.

 

There are reasons why many have become so reliant on or enamored of doing extensive analysis.  Such analysis can be a substitute for action.  It can be a way of delaying action. It can also provide an illusion of control in a time of extreme uncertainty. Another reason is that the Newtonian paradigm, empirical methodology, and reliance on analysis that focuses on quantifiable data and measures have become deeply engrained in the minds of most everyone.  This includes all who have studied in a university in recent decades and it also therefore includes most who function in roles of public responsibility.  Institutions of higher learning tend to focus on "narrow rationalist" approaches to understanding problems, threats, and challenges.  They do not tend to do a good job in helping to develop the kind of leadership, managerial competencies, and organizational skills of a Rudy Giuliani.   They do not tend to train individuals who are comfortable in exercising initiative; accepting and wielding responsibility; thinking "outside the box"; using sound judgment; and wedding knowledge, understanding, insight, intuition, well honed instincts, experience, and common sense to action.  Indeed in organizations that are heavily micromanaged and regulated, those who have such capabilities can be seriously handicapped in their attempts to act using their common sense, knowledge, wisdom, judgment, understanding, creativity, skills, and discretion.  Indeed, such individuals can find it difficult getting hired in the first place.

 

The Different Nature of Terrorism and Terrorist Threats Post 9/11 and the Implications of These Differences

 

The new kind of homicidal/suicidal terrorist values neither life nor the future viability of civilization.  This new kind of terrorist manifests neither humanity nor conscience.  They appear to have no moral compass or sense of the sanctity of life.  Perspectives that were typical concerning the behavior of terrorists prior to 9/11 can no longer be viewed as being applicable. There is no way of predicting with any degree of certainty what any one of this new kind of terrorist, any group of such terrorists, or any network of terrorist groups might do.  Will they go after hard targets, soft targets, mixes of these, or will they simply make threats and use fear to try to undermine the stability of society?   A fairly thorough cataloguing of possible terrorist actions already exists.  A vast amount is now known regarding the past and present intentions of the terrorists.  Surely efforts to learn more need to continue in order to deter, kill, or apprehend and bring terrorists to justice.  But how much more comprehensive or detailed does our knowledge need to be in order for us to take effective action when it comes to emergency preparedness and contingency planning and taking steps to strengthen our security?  There are only so many kinds of protective and preventive measures that can be taken.  Why not begin by doing what we can do based on what we already know needs to be done?  Why not plan to enhance our efforts when it is possible to do so?  Once basic preparedness steps have been taken, additional questions might be asked.  What can be done now based on what is currently known regarding weapons and tactics that could conceivably be used?  What can be done now based on what is currently understood concerning the potential impacts of such weapons and tactics?  In what ways could additional information conceivably alter basic actions that are needed now?  Why not attend as fully as possible to basics now?  The fact is that anything could happen at any time.  
The government's Ready Campaign launched in February of 2003 is a first step in the right direction.  But there are numerous other preparedness approaches and initiatives, some of which have long track records.   FEMA's community-based program model known as Project Impact is but one example.  Other preparedness efforts undertaken during 1998 and 1999 for Y2K by FEMA and the Red Cross, as well as the President's Council on the Year 2000 Conversion could also be used as models or built on.  The Citizen Corps, even if the program is not funded by Congress, could be implemented in some form.  Our challenge is to continue to do what can be done now to address the problems, threats, and challenges we face, while keeping our focus on our goals of strengthening our national economic, personal, and societal security to the extent possible.

 

We are in a different ballgame post 9/11.  There are no clear rules.  Today's terrorists have stated and demonstrated their intent to destroy life without concern for even their own lives.  They have been clear that there is no way that they can be appeased.  There is nothing that can be done to change them from their destructive course of action.  The implications that such aberrant behavior has for the future stability of the world are grave indeed.  The full implications have yet to sink in fully.  As others have said, "This is not your father's war."

 

The reason that any of this is important is that how the problem is understood can affect our motivation to take action.

 

In Volume 1 of the Discourses, Meher Baba addressed the subject of non-violence and violence. He wrote that in a situation in which a mad dog is in a school yard, the mad dog must be subdued using violence in order to protect the weak. This analogy seems to me to be wholly applicable to the homicidal/suicidal terrorists in the world today: Today's homicidal/suicidal terrorists can be seen as the mad dogs and the nation and the world as the school yard. The threat they pose is increased exponentially owing to their willingness to use weapons of mass destruction and disruption to achieve their destructive goals. It behooves us to do all in our power to rid ourselves of the threat they pose and to take defensive action in the face of the attacks that we have suffered. At the same time we need to be doing all we can to strengthen and secure our situation. If we fail to act, our future and the future of generations to come will be in ever increasing jeopardy.

 

There can be multiple reasons for the fact that so many seem to be oblivious to the changes in the world that have occurred as a result of 9/11 and the implications of these changes. One of the reasons can be a certain naivete concerning human nature and the assumption that surely what we have seen to date have been isolated examples of aberrant behavior. Others may simply be disinclined or reluctant to recognize the full extent of the challenges and threats that face us. They may be in a state of denial. Yet another reason can be a deeply embedded assumption that taking action based on the results of traditionally accepted modes of analysis somehow holds the key to our security, that such approaches will allow us to control the situation that we find ourselves in and that they can be relied on to do so in the future. Many seem to believe that action taken based on the use of these modes of analysis that have been so widely relied on in more stable times will somehow get us out of the situation that we are presently in. They may be acting on the assumption, if not the hope, that a reliance on such approaches can in and of itself somehow make things right.

 

The Way in Which the Definition of the Problem Drives or Fails to Drive Action

 

The November 2002 Hart/Rudman Task Force Report was a call to action. The President of the Council on Foreign Relations, Lawrence Gelb, wrote the following in the introduction to the report: "...Still, given the stakes - potentially the loss of thousands of innocent American lives and the mass disruptions of American's economy and society - there are things we must be doing on an emergency basis to reduce our vulnerabilities here at home...." (Council on Foreign Relations, November 2002).

 

The interconnectivity of specific sectors of the infrastructure to the economy is stressed in the November 2002 Hart/Rudman report.  The report also includes recommendations concerning specific steps that can be taken to reduce vulnerabilities.    In making a case for implementing these recommendations, the authors of the report place their recommendations within a larger context of concerns.   In their view, preparedness is crucial since preparedness can help "reduc(e) the appeal (of terrorism) as an effective means of warfare."   The authors underscore the importance of taking steps to prepare for, protect against, and mitigate the impacts of possible attacks, and to be prepared to recover from them when they occur.  They write: "By sharply reducing, if not eliminating, the disruptive effects of terrorism, America's adversaries may be deterred from taking their battles to the streets of the American homeland."  

 

The approach taken by The Heritage Foundation in their Backgrounder issue of September 10, 2002 also emphasizes the need for action.  The authors of that issue state the following: "Despite the progress that has been made on homeland security thus far, much more needs to be done to eliminate blatant vulnerabilities, increase security, boost efficiencies, and facilitate preparedness and response capabilities in every community." (Heritage Foundation, September 2002).  
A number of specific recommendations are made there.  

 

One of the recommendations in the report involves the need to address GPS vulnerabilities, since GPS plays such an important part in the nation's infrastructure. (Heritage Foundation, January 2002).   Note: There is no comparable treatment of GPS vulnerabilities in The National Strategy to Secure Cyberspace and The National Strategy for the Physical Protection of Critical Infrastructure and Key Assets.  Little assurance can be found in these documents that DHS or the Homeland Security Council (formerly the Office of Homeland Security) might be constituting themselves in such a way that they will be certain to identify and address such cross-cutting and complex areas of concern.  Perhaps this would be a more fitting role for the White House Office of Science and Technology Policy to play.

 

It is edifying to note that The National Strategy to Secure Cyberspace and The National Strategy for the Physical Protection of Critical Infrastructure and Key Assets reflect a greater consciousness of infrastructure vulnerabilities and their connection to national, economic, personal, and societal security than other government documents or legislation that have been issued or passed since 9/11.   These documents are headed in the right direction, but would be better focused if many of the prescriptions and initiatives in them did not overshadow a concern for action in the near term and if they were not embarked on a path that could result in a deluge of information that might be either counterproductive or of limited usefulness.

 

The Role of Pragmatic Strategies

 

In 2002, Congressman Horn's Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations focused considerable attention on cyber-related critical infrastructure. Testimony before Congressman Horn's Subcommittee, including assessments by the General Accounting Office, has tended to focus on cyber-threats, cybersecurity and cyber-related aspects of critical infrastructure. Congressman Horn also released a "Computer Security Report Card". This report card was based on agency reports from 24 different agencies. The reports were required under the Government Information Security Reform Act of 2000. The vast majority of the agencies received grades of D's and F's. Exceptions were the Social Security Administration (B-), the Department of Labor (C+), and the Nuclear Regulatory Commission (C). These results have especially significant implications for critical infrastructure security since the delivery of critical government services would be in jeopardy were there to be a failure of information technology within these agencies. A question that needs to be asked is this: Where is the sense of pragmatic concern that drove Y2K remediation efforts? Efforts to ensure cybersecurity and continuity require a similar commitment to pragmatic action. Among those addressing such concerns have been Michael Vadis (Dartmouth University), Paul Kurtz (National Security Council), and Edward Yourdon. See the latter's work released in 2002 entitled Byte Wars: The Impact of September 11 on Information Technology.
 
An extremely significant but relatively overlooked area of concern has gotten well-deserved attention in hearings held by Congressman Horn's Subcommittee.  This area of concern involves the vulnerability of digital control systems and SCADA systems to sabotage and terrorist acts.  As these systems play such a critically important role in so many critical infrastructure sectors, it is extremely important that adequate attention be given to addressing the vulnerabilities of the systems.  (Joseph M. Weiss, 2002; Alan Paller, 2002; John S. Tritak, 2002)  Many of the mid-range and worst case scenarios considered during Y2K included a concern for the failure of these complex systems and the impacts that cascading impacts and disruptions could have.  (See Paula D. Gordon, 1998 and 1999.)

 

The Degree to Which Organizational, Professional, Jurisdictional, Cultural, and Political Challenges are Recognized and Addressed

 

An example of the role that organizational, professional, jurisdictional, cultural, and political challenges can play in the managing of emergency situations can be found in the response to the anthrax attacks that began in October of 2001. There are those who feel that the handling of these attacks was extremely problematic. The individuals who had this point of view cite major problems that were not satisfactorily resolved at the time and that have not been completely resolved since. These problems included an absence of clarity regarding what the dimensions of the problem were, how to handle the uncertainties concerning the handling of the matter, who was in charge, and what resources could be and would be brought to bear in addressing the problem. These same individuals feel that unless such matters are resolved, it is unlikely that a future such attack would be handled any more effectively. There are also those who played key roles in the response to the attack who are apparently unaware of the nature and extent of these unresolved problems. None of the government strategy documents released since 9/11 and mentioned here seem to reflect any in-depth awareness of such issues.

 

The Degree to Which "State of the Science" and "State of the Technology" Issues are Recognized and Acknowledged

 

Complicating the response to the anthrax attack was the fact that key players and spokespersons possessed very different perspectives concerning the state of the science regarding all the different questions surrounding anthrax, including everything from diagnostic and treatment protocols to forensic and decontamination protocols. In an article on using e-technology to advance homeland security efforts (Paula D. Gordon, January 2002), the need to hold "state of the science" or "consensus development" conferences on a range of different issues is discussed. These kinds of conferences could utilize an approach developed by the Office of Medical Applications of Research at the National Institutes of Health. Such conferences are needed in order to advance understanding concerning the status of scientific understanding and research. They are also needed if the scientific community and key government spokespersons are to speak with as informed and consistent a voice as possible regarding cutting edge issues.

 

The Degree of Preciseness in the Use of Commonly Used Terms

 

The use of terms associated with "critical infrastructure" has become a source of confusion and a potential impediment to progress regarding critical infrastructure protection efforts.   J. D. Moteff et al. (December 2001 and August 2002) and Richard G. Little (2002) have been among those who have written on this subject.

 

A major problem that soon emerges as a result of studying the subject of critical infrastructure and critical infrastructure protection is that the same terminology is often used in very different ways.  This can be seen even within the same piece of legislation, report, strategy document, plan, or project.  Awareness concerning this problem needs to be raised.  One way of doing this might be to encourage greater attention to the use of the terminology "critical infrastructure security" or "critical infrastructure security and continuity" and to use those terms to apply to "strengthening, improving, protecting, and restoring critical infrastructure security and continuity."   "Critical infrastructure security" and "critical infrastructure security and continuity" used in this way incorporate a kind of directional goal.   

 

Using qualifiers may help clarify what meaning is intended when the term "critical infrastructure" is used.  By getting in the habit of using qualifiers, meaning might become clearer.  For instance, many have come to use "critical infrastructure" when they are referring to "cyber-related critical infrastructure".  Some use "critical infrastructure" to refer to "physical infrastructure".  Some include both "cyber" and "physical" in their use of the term "critical infrastructure".  Others might use "critical infrastructure" to include other non-cyber and non-physical kinds of critical infrastructure, such as essential government services and/or national assets.  It might be helpful to take the extra time and effort to clarify the meaning that one is intending when speaking of critical infrastructure and critical infrastructure security and continuity.  Use of the following terms where appropriate might be helpful:

 

~ "cyber-focused" or "cyber-related critical infrastructure protection";

 

~ "cyber-related critical infrastructure, including digital control systems and SCADA systems" (when one intends to include such systems);

 

~ "cybersecurity/continuity"   Note: Yet another way of clarifying the meaning given to critical infrastructure security or cybersecurity would be to add the concept of "continuity."  For some the concept of continuity may already be encompassed in the concept of critical infrastructure or cybersecurity.  For others, it is important to specify critical infrastructure security and continuity and cybersecurity and continuity.  In this way there is no doubt that the person using terms is concerned for all aspects of protection and security including proactive measures intended to address a range of possible scenarios and remediation efforts to ensure that vulnerabilities are minimized to the extent possible and that continuity of operations is provided for to the extent possible.

 

~ "critical physical infrastructure";
 

~ "critical physical and other non-cyber infrastructure";

 

~ "critical infrastructure in general" (encompassing physical, cyber and other non-cyber-related critical infrastructure); and

 

~ "critical infrastructure security" might be used as shorthand for "critical infrastructure protection and infrastructure security and continuity in general" when the all-inclusive use of the concept is intended. 

 

One reason for using these terms with greater care and precision is that a person's perspective concerning "critical infrastructure" may well be grounded in that person's professional training and expertise.  Those who are specialists in one kind of critical infrastructure cannot be expected to have a ready interest in or understanding of all the various kinds of critical infrastructure.  Those with specialized expertise may in fact find it hard to understand the various kinds of interdependencies that exist among different kinds of critical infrastructure.  They may fail to understand the kinds of cascading impacts that successive or simultaneous failures can have.  An expert in computer technology may have little or no expertise concerning digital control or SCADA systems and their vulnerabilities.  Or alternatively, those with specialized expertise may intellectually understand that failures involving such systems could occur and could have cascading impacts, but they may have little or no experience or expertise that would prepare them to integrate or translate that understanding into responsible action.

 

Way to Improve Current Efforts

 

What might a national strategy or an assessment of national homeland security and critical infrastructure protection efforts look like if it were based on a more comprehensive problem definition than that found in the National Strategy for Homeland Security or the National Homeland Security Act of 2002 or The National Strategy to Secure Cyberspace and The National Strategy for the Physical Protection of Critical Infrastructure and Key Assets?  What might a national strategy or an assessment of national homeland security efforts look like if it were based on an even more comprehensive problem definition than the one found in the most recent Hart/Rudman report?  Basing actions on a broader and more comprehensive definition of the nature and scope of the problem could lead to improvements in the way in which homeland security and critical infrastructure protection efforts are being conceived and implemented.

 

When it comes to discussing efforts involving critical infrastructure, critical infrastructure protection, and critical infrastructure security and continuity, it may prove extremely helpful to consider what an "alternative" definition of "homeland security-related problems, challenges, and threats" might look like.  For the sake of brevity, only the most significant elements of a proposed "alternative" way of defining and approaching the problem will be highlighted here.  Mentioned below are some major elements involved in defining and addressing the homeland security problem using the alternative approach being described here.  Also included is a set of goals that are explicit in the alternative approach. 

 

 
