Part 3
The following parameters can be used to identify
areas of weakness in current efforts and to compare current efforts with the
alternative approach that will be described shortly. These
parameters are listed in Table 3:

Table 3: Parameters for Comparing Currently Mandated Initiatives with an
Alternative Approach

~ The nature and extent of the focus on information, data gathering, the
cataloguing of facts, and modeling;
~ The different nature of terrorism post 9/11 and the implications of these
differences for the nation, the world, and humankind;
~ The way in which the definition of the problem drives or fails to drive
actions;
~ The role of pragmatic strategies;
~ The degree to which organizational, professional, jurisdictional,
cultural, and political challenges are recognized and addressed;
~ The degree to which "state of the science" and "state of the technology"
issues are recognized and understood;
~ The degree of preciseness in the use of commonly used terms; and
~ The adequacy, appropriateness, and potential usefulness of approaches to
understanding and assessing vulnerabilities.

Several of these parameters and aspects of
them are discussed more fully here.

The Way in Which the Problem is Being Defined

A common frame of reference could help people
understand each other when they speak of homeland security efforts and
critical infrastructure security and continuity. The Homeland Security Impact
Scale that will be described shortly may help provide such a framework.
This impact scale may provide a context for understanding in a very general
way the nature and scope of the challenges, threats, and problems facing the
nation and the world. The impact scale can be seen as providing a way
of looking at and comprehending the dynamically changing nature of the
situation in which we find ourselves. The impact scale provides a frame
of reference for understanding, considering, and interpreting the nature and
scope of the problems, challenges, and threats that face us. It also
provides a framework for considering the actual, possible, and potential
impacts of those problems, challenges, and threats. The Homeland
Security Impact Scale can help focus attention on ways of looking at actions
needed to address those problems, threats, and challenges. It can
conceivably help us focus homeland security and critical infrastructure
protection efforts along the most positive and constructive lines possible.

Recognition of Critical Infrastructure Sector Interdependencies and the
Nature of Cascading Failures and Impacts

Key to understanding the problems, threats,
and challenges posed by terrorism today is understanding critical
infrastructure interdependencies and the potential for cascading failures and
impacts. This understanding can be critical to the success of efforts
to maximize homeland security and critical infrastructure protection.
Yet, such a focus often gets left out of discussions of "critical
infrastructure". Cascading failures and impacts refer to what can
happen when failures or disruptions involving specific infrastructure assets
or sectors have ripple effects that can extend to other infrastructure
sectors. Some excellent analyses and discussions of
cascading impacts and the interdependencies of infrastructure elements can be
found in the writings of Richard G. Little (1999, 2002, May 2002) and Jeffrey
R. Gaynor (2002) among others. A report issued in April of 1999 by the
U.S. Department of Commerce also provided an excellent analysis of the
cascading impacts that cyber-related failures and disruptions could have on
national and global economies. Indeed these same kinds of failures could be
triggered today by cyberterrorism and cyberwarfare or by sabotage or
mischievous acts. The cascading effects could become widespread as a
result of the slowly evolving degradation of cyber-related systems or the
rapid and cascading failure of such systems and interconnected
infrastructure. Other relevant work on cascading impacts was
done during the years leading up to Y2K. Many regional, national, and
global scenarios were considered. Among these were scenarios by the
Naval War College and the Department of Defense. Scenarios considered
by the Naval War College are available online (Naval War College,
1999). Senator Robert Bennett who had been at the
forefront of Y2K efforts was one of the first to emphasize the significance
of connectivity issues and interdependencies amongst the various
infrastructure sectors. He was one of the first to draw attention to the very
real potential for cascading failures. Consideration of Y2K-related
scenarios can also be found online in a White Paper on Y2K (Paula D. Gordon,
1998 and 1999). A graphic depiction of Senator Bennett's approach can
also be found there. Scenarios have also been used widely since
9/11 in workshop exercises and simulations. Several that have been far
reaching in their implications have involved cyberterrorism
threats. Some examples include the Gartner Group's Sector 5
Conference held in Washington, DC, August 21 - 23, 2002 and the Digital Pearl
Harbor Exercise also held in 2002. Information on both is
online. As previously noted, consideration of such scenarios is
extremely pertinent today because cyberterrorism and cyberwarfare and other
threats to cybersecurity and continuity could trigger the same kinds of
mid-range and worst-case scenarios that were envisioned with Y2K. The
attack of the Slammer worm in early 2003 was the most recent example of how
fast an attack could spread and how widely cybersecurity could be
breached. Consider what the extent of the damage might have been had
there been no software patches to stop the spread of this worm and no
relatively simple ways to repair and prevent damage. Other exercises and simulations have focused
attention on a wide range of other kinds of scenarios, including ones
involving public health threats. Scenario-driven exercises can be
extremely helpful in that they can force individuals to consider
interdependencies that they had not previously considered. Some selected causes that could result in
significant cascading impacts are listed below. If any of the following
were to occur slowly and incrementally over time or if they were to occur as a
result of quickly cascading failures and disruptions, the societal as well as
economic impacts could be severe and long lasting. Some of the possible
causes of significant societal and economic consequences include the
following:

~ Widespread or regional disablement of the Internet;
~ Widespread or selective disablement of computer systems or complex digital
control and SCADA systems;
~ Destruction or disablement of refineries and/or pipelines;
~ Disruption or disablement of transportation systems;
~ Disruption or disablement of the financial sector;
~ Disruption or disablement of telecommunications systems;
~ Disablement of water purification and/or distribution systems;
~ Chernobyl- or Bhopal-type catastrophes.

A longer listing of potential problems will be
provided shortly. Similar lists of problems that could be associated
with cascading infrastructure failures can also be found in Part 2 of the
White Paper on Y2K noted earlier (Paula D. Gordon, 1998 and 1999). Recognizing the interdependency of
infrastructure sectors or elements is crucial to the development of any plan
of action whether it involves preparedness, protection, mitigation,
contingency planning, crisis management, response, recovery, or continuity of
operations. Recognizing the interdependencies of infrastructure sectors
and assets is also crucial to any steps that are taken to strengthen the
infrastructure. Viewing infrastructure sectors as if they could be
understood sufficiently if considered solely in isolation from one another
has extremely limited utility at best. Interestingly enough, much attention is paid
to interdependencies in The National Strategy to Secure Cyberspace
and in The National Strategy for the Physical Protection of Critical
Infrastructure and Key Assets. The discussion of cascading
impacts, however, seems to be sharply circumscribed. Worst case,
catastrophic, or cataclysmic scenarios in which resources would be
significantly impacted or totally overwhelmed are not really
considered. Neither are the possible worst case and near term impacts
of catastrophic events. An assumption is also made that intensive
analytic and modeling techniques can provide the most sound basis for
developing and implementing a plan of action. The myriad of possible
scenarios and the ultimate unpredictability of what can happen and how
scenarios might actually unfold can render the use of such techniques of only
limited utility to planners, policymakers and managers. The way in
which a crisis unfolds and the factors affecting the responses to a crisis
cannot ultimately be predicted; the factors that can come into play simply
cannot be fully foreseen. Actions simply cannot be pre-scripted.

Interdependencies and Cascading Impacts and Ripple Effects

One way of viewing infrastructure
interdependencies might be found in the following children's nursery rhyme:

For want of a nail the shoe was lost;

Another way of viewing interdependencies and
the potential for cascading impacts might be in terms of the following
analogy: If one were to throw rocks into a still pond, each rock would
create ripple effects. If rocks were thrown into the pond
simultaneously or in rapid succession and were in close enough proximity to
one another, ripple effects would intersect and would create new ripple
effects of their own. These effects cannot be predicted.
Possibilities can, however, be considered. Owing to the many factors
influencing the configuration of such ripple effects, it is not possible to
map every conceivable scenario that could occur, nor would it be a wise way
of using significant portions of one's resources. What can be helpful
is to think through many different possible scenarios, including simple
scenarios. Even simple scenarios can provide extremely significant
learning experience. Indeed, if the learning that can be gleaned
through studying simple scenarios has not been mastered, there is little to
be gained in trying to absorb the lessons of more complicated and daunting
scenarios.

Yet another way of viewing cascading impacts
is to consider what happened as a result of the attacks on September
11.

Cascading Impacts Resulting from 9/11

It is critically important that we recognize
the cascading impacts that have occurred as a result of 9/11. It is
also important that we recognize that such impacts are continuing to
occur. Many seem to have little awareness or understanding of these
impacts even though the effects of 9/11 are still very much with us.
The effects include psychosocial and societal impacts, as well as major
economic repercussions. The 9/11 attacks as well as the subsequent
anthrax attacks also have led to a refocusing of attention of government
efforts and resources. Significant resources have not only been directed
to response and recovery efforts, more resources continue to be directed at
addressing homeland security and defense needs. There are even ripple
effects from raising or lowering the nation's alert status. The attacks of 9/11 immediately affected numerous
sectors. Other sectors have been affected more gradually over
time. Sectors that have been affected have included, but have not
been limited to public works and emergency services, telecommunications,
financial and financial services sectors, airlines, railways, tourism, the
hospitality sector, and the insurance sector. While to date there
seems to be awareness of some of these impacts, the most recent strategy
documents do not seem to reflect a full recognition of the nature and extent
of the impacts on security, economic stability, and the social fabric.

The Nature and Extent of the Focus on Information, Data Gathering, the
Cataloguing of Facts, and Modeling

Another parameter that deserves attention involves
the nature and extent of the focus on information, data gathering, the
cataloguing of facts, and modeling. There is a point at which detailed
information, data gathering, and cataloguing of facts can overwhelm the mind
or otherwise make it difficult to consider, let alone settle upon a sound
course of action. In the midst of a crisis, a focus on these can get in
the way of taking immediate action or near term actions that the situation
may require. In fact, a continuing quest for facts can be a way of delaying
action when action could be taken based on facts that are abundantly
obvious. In a crisis situation, in a situation in which
the costs of inaction are high, one can be best served by taking the wisest
actions possible at the time. Substituting study and acquisition of
data for action may give one a sense of control, but it may cause
the loss of valuable time and minimize one's chances for action or
survival. There are those who seem to be wedded to slow
and methodical approaches to data gathering and analysis even in
circumstances where common sense, experience, training, preparation, and good
judgment could yield equally useful if not superior insights concerning what
needs to be done. There are seemingly few who are versed in taking
action based on what has been learned and what can be readily learned.
For those unused to working in crisis situations, it can be helpful to
consider what the differences might be between taking action in the near term
and waiting to act until after extensive time and effort were spent in data
gathering, study, and analysis. It can also be helpful to recognize
that only a certain range of results are conceivable in data gathering and
analytical efforts. It can be helpful to consider what the range
of possible results might be and then ask these questions: Would any of
these possible results affect the course of action that seems the most sound
based on what is already known? Would any of the conceivable results of
extensive research and analysis make a significant difference regarding what
needs to be done? What common set of actions are needed whatever the
results of the analyses might be? Surely there are actions that could
be undertaken relying on common sense, experience, and good judgment
alone. Note: Dean Harper and Haroutun Babigian (1971)
described the concept of "advocacy evaluation" in the mental health
field. The approach that I have described here has been borrowed and
adapted from their work. There is a widespread penchant today for
dedicating extraordinary resources to data gathering, analysis, benchmarking,
and assessment. Such proclivities can be emphasized to the point of
slowing or even paralyzing the problem-solving process. There are also
widespread tendencies to ignore common sense, or fail to use good judgment,
or fail to draw on one's experience and wisdom. If those heading up
efforts to rebuild Europe at the time of the Marshall Plan had allowed
themselves to be hobbled by the kinds of tendencies that are so prevalent today,
we might still be rebuilding Europe. There are simply certain things
that need to be done. Indeed, there are things that need to be
done no matter what the short term or long term economic consequences.
In-depth studies might well refine those most obvious actions in minor ways,
but the actions that are taken may be little different from what they would
have been had no extensive assessment been completed. In the end,
the assessment of costs, risks and benefits involves consideration of values,
principles, and purposes, any or all of which can override consideration of
costs and risks. If proclivities for in-depth studies and
assessments had driven Mayor Giuliani's efforts, the response to the attacks
of 9/11 would have been stultified. The nine miners in Pennsylvania
would not have been rescued. The Three Mile Island near melt down
in the '70s would have ended in large-scale disaster. Special
Operations Forces that have been so key to military efforts since 9/11 would
not be able to take action in dynamically changing and life-threatening
circumstances. There are reasons why many have become so
reliant on or enamored of doing extensive analysis. Such analysis can
be a substitute for action. It can be a way of delaying action. It can
also provide an illusion of control in a time of extreme uncertainty. Another
reason is that the Newtonian paradigm, empirical methodology, and reliance on
analysis that focuses on quantifiable data and measures have become deeply
engrained in the minds of most everyone. This includes all who have
studied in a university in recent decades and it also therefore includes most
who function in roles of public responsibility. Institutions of higher
learning tend to focus on "narrow rationalist" approaches to understanding
problems, threats, and challenges. They do not tend to do a good job in
helping to develop the kind of leadership, managerial competencies, and
organizational skills of a Rudy Giuliani. They do not tend to
train individuals who are comfortable in exercising initiative; accepting and
wielding responsibility; thinking "outside the box"; using sound
judgment; and wedding knowledge, understanding, insight, intuition, well
honed instincts, experience, and common sense to action. Indeed in
organizations that are heavily micromanaged and regulated, those who have
such capabilities can be seriously handicapped in their attempts to act using
their common sense, knowledge, wisdom, judgment, understanding, creativity,
skills, and discretion. Indeed, such individuals can find it difficult
getting hired in the first place.

The Different Nature of Terrorism and Terrorist Threats Post 9/11 and the
Implications of These Differences

The new kind of homicidal/suicidal terrorist
values neither life nor the future viability of civilization. This new
kind of terrorist manifests neither humanity nor conscience. They
appear to have no moral compass or sense of the sanctity of life.
Perspectives that were typical concerning the behavior of terrorists prior to
9/11 can no longer be viewed as being applicable. There is no way of
predicting with any degree of certainty what any one of this new kind of
terrorist, any group of such terrorists, or any network of terrorist groups
might do. Will they go after hard targets, soft targets, mixes of
these, or will they simply make threats and use fear to try to undermine the
stability of society? A fairly thorough cataloguing of possible
terrorist actions already exists. A vast amount is now known regarding
the past and present intentions of the terrorists. Surely efforts to
learn more need to continue in order to deter, kill, or apprehend and bring
terrorists to justice. But how much more comprehensive or detailed does
our knowledge need to be in order for us to take effective action when it
comes to emergency preparedness and contingency planning and taking steps to
strengthen our security? There are only so many kinds of protective and
preventive measures that can be taken. Why not begin by doing what we
can do based on what we already know needs to be done? Why not plan to
enhance our efforts when it is possible to do so? Once basic
preparedness steps have been taken, additional questions might be
asked. What can be done now based on what is currently known regarding
weapons and tactics that could conceivably be used? What can be done
now based on what is currently understood concerning the potential impacts of
such weapons and tactics? In what ways could additional information
conceivably alter basic actions that are needed now? Why not attend as
fully as possible to basics now? The fact is that anything could happen
at any time. The government's Ready Campaign launched in February of
2003 is a first step in the right direction. But there are numerous other
preparedness approaches and initiatives, some of which have long track
records. FEMA's community-based program model known as Project
Impact is but one example. Other preparedness efforts undertaken during
1998 and 1999 for Y2K by FEMA and the Red Cross, as well as the President's
Council on the Year 2000 Conversion could also be used as models or built
on. The Citizen Corps, even if the program is not funded by Congress,
could be implemented in some form. Our challenge is to continue to do
what can be done now to address the problems, threats, and challenges we
face, while keeping our focus on our goals of strengthening our national
economic, personal, and societal security to the extent possible. We are in a different ballgame post
9/11. There are no clear rules. Today's terrorists have stated
and demonstrated their intent to destroy life without concern for even their
own lives. They have been clear that there is no way that they can be
appeased. There is nothing that can be done to change them from their
destructive course of action. The implications that such aberrant
behavior has for the future stability of the world are grave indeed.
The full implications have yet to sink in fully. As others have said,
"This is not your father's war." The reason that any of this is important is
that how the problem is understood can affect our motivation to take action.

In Volume 1 of the Discourses,
Meher Baba addressed the subject of non-violence and violence. He wrote
that in a situation in which a mad dog is in a school yard, the mad dog
must be subdued using violence in order to protect the
weak. This analogy seems to me to be wholly applicable to
the homicidal/suicidal terrorists in the world today: Today's homicidal/suicidal
terrorists can be seen as the mad dogs and the nation and the world as the
school yard. The threat they pose is increased exponentially
owing to their willingness to use weapons of mass destruction and disruption
to achieve their destructive goals. It behooves us to do all in our
power to rid ourselves of the threat they pose and to take defensive action
in the face of the attacks that we have suffered. At the same time we need
to be doing all we can to strengthen and secure our situation. If we
fail to act, our future and the future of generations to come will be in ever
increasing jeopardy. There can be multiple reasons for the fact
that so many seem to be oblivious to the changes in the world that have
occurred as a result of 9/11 and the implications of these changes. One
of the reasons can be a certain naivete concerning human nature and the
assumption that surely what we have seen to date have been isolated examples
of aberrant behavior. For others, they may simply be disinclined or
reluctant to recognize the full extent of the challenges and threats that
face us. They may be in a state of denial. Yet another reason can be a
deeply embedded assumption that taking action based on the results of
traditionally accepted modes of analysis somehow holds the key to our
security, that such approaches will allow us to control the situation that we
find ourselves in and they can be relied on to do so in the future.
Many seem to believe that action taken based on the use of these modes of
analysis that have been so widely relied on in more stable times will somehow
get us out of the situation that we are presently in. They may be
acting on the assumption, if not the hope, that a reliance on such approaches
can in and of itself somehow make things right.

The Way in Which the Definition of the Problem Drives or Fails to Drive
Action

The November 2002 Hart/Rudman Task Force
Report was a call to action. The President of the Council on Foreign
Relations, Lawrence Gelb wrote the following in the introduction to the
report: "...Still, given the stakes - potentially the loss of
thousands of innocent American lives and the mass disruptions of America's
economy and society - there are things we must be doing on an emergency basis
to reduce our vulnerabilities here at home...." (Council on Foreign
Relations, November 2002). The interconnectivity of specific sectors of
the infrastructure to the economy is stressed in the November 2002
Hart/Rudman report. The report also includes recommendations concerning
specific steps that can be taken to reduce vulnerabilities.
In making a case for implementing these recommendations, the authors of the
report place their recommendations within a larger context of
concerns. In their view, preparedness is crucial since
preparedness can help "reduc(e) the appeal (of terrorism) as an
effective means of warfare." The authors underscore the
importance of taking steps to prepare for, protect against, and mitigate the
impacts of possible attacks, and to be prepared to recover from them when
they occur. They write: "By sharply reducing, if not eliminating,
the disruptive effects of terrorism, America's adversaries may be deterred
from taking their battles to the streets of the American
homeland." The approach taken by The Heritage Foundation
in their Backgrounder issue of September 10, 2002 also emphasizes the need
for action. The authors of that issue state the following:
"Despite the progress that has been made on homeland security thus far,
much more needs to be done to eliminate blatant vulnerabilities, increase
security, boost efficiencies, and facilitate preparedness and response
capabilities in every community." (Heritage Foundation, September
2002). One of the recommendations in the report
involves the need to address GPS vulnerabilities, since GPS plays such an
important part in the nation's infrastructure. (Heritage Foundation, January
2002). Note: There is no comparable treatment of GPS vulnerabilities
in The National Strategy to Secure Cyberspace and The
National Strategy for the Physical Protection of Critical Infrastructure and
Key Assets. Little assurance can be found in these documents
that DHS or the Homeland Security Council (formerly the Office of Homeland
Security) might be constituting themselves in such a way that they will be
certain to identify and address such cross-cutting and complex areas of
concern. Perhaps this would be a more fitting role for the White House
Office of Science and Technology Policy to play. It is edifying to note that The
National Strategy to Secure Cyberspace and The National
Strategy for the Physical Protection of Critical Infrastructure and Key
Assets reflect a greater consciousness of infrastructure vulnerabilities
and their connection to national, economic, personal, and societal security
than other government documents or legislation that have been issued or
passed since 9/11. These documents are headed in the right
direction, but would be better focused if many of the prescriptions and
initiatives in them did not overshadow a concern for action in the near term
and if they were not embarked on a path that could result in a deluge of
information that might be either counterproductive or of limited usefulness.

The Role of Pragmatic Strategies

In 2002, Congressman Horn's Subcommittee on
Government Efficiency, Financial Management and Intergovernmental Relations
focused considerable attention on cyber-related critical
infrastructure. Testimony before Congressman Horn's Subcommittee,
including assessments by the General Accounting Office, has tended to focus
on cyber-threats, cybersecurity and cyber-related aspects of critical
infrastructure. Congressman Horn also released a "Computer
Security Report Card". This report card was based on agency
reports from 24 different agencies. The reports were required under the
Government Information Security Reform Act of 2000. The vast majority
of the agencies received grades of D's and F's. Exceptions were the Social
Security Administration (B-), the Department of Labor (C+), and the Nuclear
Regulatory Commission (C). These results have especially
significant implications for critical infrastructure security since the
delivery of critical government services would be in jeopardy were there to
be a failure of information technology within these agencies. A
question that needs to be asked is this: Where is the sense of
pragmatic concern that drove Y2K remediation efforts? Efforts to ensure
cybersecurity and continuity require a similar commitment to pragmatic
action. Among those addressing such concerns have been Michael Vadis
(Dartmouth University), Paul Kurtz (National Security Council), and Edward
Yourdon. See the latter's work released in 2002 entitled Byte
Wars: The Impact of September 11 on Information Technology.

The Degree to Which Organizational, Professional, Jurisdictional, Cultural,
and Political Challenges are Recognized and Addressed

An example of the role that
organizational, professional, jurisdictional, cultural, and political
challenges can play in the managing of emergency situations can be found in
the response to the anthrax attacks that began in October of 2001.
There are those who feel that the handling of these attacks was extremely
problematic. The individuals who had this point of view cite major
problems that were not satisfactorily resolved at the time and that have not
been completely resolved since. These problems included an absence of
clarity regarding what the dimensions of the problem were, how to handle the
uncertainties concerning the handling of the matter, who was in charge, and
what resources could be and would be brought to bear in addressing the
problem. These same individuals feel that unless such matters are
resolved, it is unlikely that a future such attack would be handled any more
effectively. There are also those who played key roles in the response
to the attack who are apparently unaware of the nature and extent of these
unresolved problems. None of the government strategy documents released
since 9/11 and mentioned here seem to reflect any in-depth awareness of such
issues.

The Degree to Which "State of the Science" and "State of the Technology"
Issues are Recognized and Acknowledged

Complicating the response to the anthrax
attack was the fact that key players and spokespersons possessed very
different perspectives concerning the state of the science regarding all the
different questions surrounding anthrax, including everything from diagnostic
and treatment protocols to forensic and decontamination protocols. In
an article on using e-technology to advance homeland security efforts (Paula
D. Gordon, January 2002), the need to hold "state of the science"
or "consensus development" conferences on a range of different
issues is discussed. These kinds of conferences could utilize an
approach developed by the Office of Medical Applications of Research at the
National Institutes of Health. Such conferences are needed in order to
advance understanding concerning the status of scientific understanding and
research. They are also needed if the scientific community and key
government spokespersons are to speak with as informed and consistent a voice
as possible regarding cutting edge issues.

The Degree of Preciseness in the Use of Commonly Used Terms

The use of terms associated with
"critical infrastructure" has become a source of confusion and a
potential impediment to progress regarding critical infrastructure protection
efforts. J. D. Moteff et al. (December 2001 and August 2002) and
Richard G. Little (2002) have been among those who have written on this
subject. A major problem that soon emerges as a result
of studying the subject of critical infrastructure and critical
infrastructure protection is that the same terminology is often used in very
different ways. This can be seen even within the same piece of
legislation, report, strategy document, plan, or project. Awareness
concerning this problem needs to be raised. One way of doing this might
be to encourage greater attention to the use of the terminology
"critical infrastructure security" or "critical infrastructure
security and continuity" and to use those terms to apply to "strengthening,
improving, protecting, and restoring critical infrastructure security and
continuity." "Critical infrastructure security"
and "critical infrastructure security and continuity" used in this
way incorporate a kind of directional goal.

Using qualifiers may help clarify what meaning
is intended when the term "critical infrastructure" is used.
By getting in the habit of using qualifiers, meaning might become
clearer. For instance, many have come to use "critical
infrastructure" when they are referring to "cyber-related critical
infrastructure". Some use "critical infrastructure" to
refer to "physical infrastructure". Some include both
"cyber" and "physical" in their use of the term
"critical infrastructure". Others might use "critical
infrastructure" to include other non-cyber and non-physical kinds of
critical infrastructure, such as essential government services and/or
national assets. It might be helpful to take the extra time and effort
to clarify the meaning that one is intending when speaking of critical infrastructure
and critical infrastructure security and continuity. Use of the
following terms where appropriate might be helpful:

~ "cyber-focused" or "cyber-related critical infrastructure protection";

~ "cyber-related critical infrastructure, including digital control systems
and SCADA systems" (when one intends to include such systems);

~ "cybersecurity/continuity"

Note: Yet another way of
clarifying the meaning given to critical infrastructure security or
cybersecurity would be to add the concept of "continuity."
For some the concept of continuity may already be encompassed in the concept
of critical infrastructure or cybersecurity. For others, it is
important to specify critical infrastructure security and continuity and
cybersecurity and continuity. In this way there is no doubt that the
person using terms is concerned for all aspects of protection and security
including proactive measures intended to address a range of possible
scenarios and remediation efforts to ensure that vulnerabilities are
minimized to the extent possible and that continuity of operations is
provided for to the extent possible.

~ "critical physical infrastructure";

~ "critical physical and other non-cyber infrastructure";

~ "critical infrastructure in general"
(encompassing physical, cyber and other non-cyber-related critical
infrastructure); and

~ "critical infrastructure security"
might be used as shorthand for "critical infrastructure protection
and infrastructure security and continuity in general" when the
all-inclusive use of the concept is intended.

One reason for using these terms with greater
care and precision is that a person's perspective concerning "critical
infrastructure" may well be grounded in that person's professional
training and expertise. Those who are specialists in one kind of
critical infrastructure cannot be expected to have a ready interest or
understanding of all the various kinds of critical
infrastructure. Those with specialized expertise may in fact find
it hard to understand the various kinds of interdependencies that exist among
different kinds of critical infrastructure. They may fail to understand
the kinds of cascading impacts that successive or simultaneous failures can
have. An expert in computer technology may have little or no expertise
concerning digital control or SCADA systems and their vulnerabilities. Or
alternatively, those with specialized expertise may intellectually understand
that failures involving such systems could occur and could have cascading
impacts, but they may have little or no experience or expertise that would
prepare them to integrate or translate that understanding into responsible
action.

Way to Improve Current Efforts

What might a national strategy or an
assessment of national homeland security and critical infrastructure
protection efforts look like if it were based on a more comprehensive problem
definition found in the National Strategy for Homeland Security
or the National Homeland Security Act of 2002 or The National
Strategy to Secure Cyberspace and The National Strategy for
the Physical Protection of Critical Infrastructure and Key Assets?
What might a national strategy or an assessment of national homeland
security efforts look like if it were based on an even more comprehensive problem
definition than the one found in the most recent Hart/Rudman
report?

Basing actions on a broader and more comprehensive
definition of the nature and scope of the problem could lead to improvements
in the way in which homeland security and critical infrastructure protection
efforts are being conceived and implemented.

When it comes to discussing efforts involving
critical infrastructure, critical infrastructure protection, and critical
infrastructure security and continuity, it may prove extremely helpful to
consider what an "alternative" definition of "homeland
security-related problems, challenges, and threats" might look
like. For the sake of brevity, only the most significant elements of a
proposed "alternative" way of defining and approaching the problem
will be highlighted here. Mentioned below are some major elements
involved in defining and addressing the homeland security problem using the
alternative approach being described here. Also included is a set of
goals that are explicit in the alternative approach.