New Presidential directive is more "cyber" aware, but its state and local impact is doubtful

Published: February 15, 2013

On the eve of his State of the Union address, President Obama ushered in a major overhaul of U.S. homeland security policy with Presidential Policy Directive/PPD-21. Much of the news coverage this week referred to the directive as some sort of “cyber” policy. To that end, PPD-21 “identifies energy and communications systems as uniquely critical due to the enabling functions they provide across all critical infrastructure sectors.” However, while PPD-21 is not solely focused on information, or “cyber,” security [See Deltek's latest report on this market], awareness of “cyber threats, vulnerabilities, and consequences” is significantly higher in this directive than in HSPD-7.

The directive refines and reorders Bush-era policy dating back to 2003. In fact, it actually revokes Homeland Security Presidential Directive/HSPD-7 (issued December 17, 2003). It declares that "national policy on critical infrastructure security and resilience...is a shared responsibility among the Federal, state, local, tribal, and territorial (SLTT) entities, and public and private owners and operators of critical infrastructure..." What was once referred to as critical infrastructure protection (CIP) now becomes critical infrastructure security and resilience; however, the directive does not use the acronym "CISR." This marks the first time this analyst has encountered the new, comprehensive "SLTT" acronym for sub-federal governments.

The directive details three "strategic imperatives" intended to strengthen critical infrastructure security and resilience, as follows:

  1. Refine and clarify functional relationships across the Federal Government to advance the national unity of effort to strengthen critical infrastructure security and resilience;
  2. Enable effective information exchange by identifying baseline data and systems requirements for the Federal Government; and
  3. Implement an integration and analysis function to inform planning and operations decisions regarding critical infrastructure.

Sector-specific agencies (SSAs) and federal departments are assigned a wide variety of responsibilities for action, which seem in many ways to repeat the work that was done post-9/11. However, they are directed to work in collaboration with "SLTT entities and critical infrastructure owners and operators." It creates 16 critical infrastructure SSAs where HSPD-7 had previously created six. Of interest here are new SSAs for "Communications," "Energy," "Food and Agriculture," "Government Facilities," "Health Care and Public Health," "Information Technology," "Transportation Systems," and "Water and Wastewater Systems." Each of these will touch different government agencies and special districts/authorities at the state and local levels.

Under strategic imperative one, PPD-21 creates two "critical infrastructure centers operated by DHS – one for physical infrastructure and another for cyber infrastructure. They shall function in an integrated manner and serve as focal points for critical infrastructure partners to obtain situational awareness and integrated, actionable information to protect the physical and cyber aspects of critical infrastructure...Accordingly, an integration and analysis function (further developed in Strategic Imperative 3) shall be implemented between these two national centers."

Finally, the directive has a series of implementations (with delivery dates calculated from the directive):

  • By Wednesday, June 12, 2013: "Within 120 days of the date of this directive, the Secretary of Homeland Security shall develop a description of the functional relationships within DHS and across the Federal Government related to critical infrastructure security and resilience...(I)t should serve as a roadmap for critical infrastructure owners and operators and SLTT entities to navigate the Federal Government's functions and primary points of contact assigned to those functions..."
  • By Friday, July 12, 2013: "Within 150 days of the date of this directive, the Secretary of Homeland Security, in coordination with the SSAs, other relevant Federal departments and agencies, SLTT entities, and critical infrastructure owners and operators, shall conduct an analysis of the existing public-private partnership model and recommend options for improving the effectiveness of the partnership in both the physical and cyber space."
  • By Sunday, August 11, 2013: "Within 180 days of the date of this directive, the Secretary of Homeland Security, in coordination with the SSAs and other Federal departments and agencies, shall convene a team of experts to identify baseline data and systems requirements to enable the efficient exchange of information and intelligence relevant to strengthening the security and resilience of critical infrastructure."
  • By Thursday, October 10, 2013: "Within 240 days of the date of this directive, the Secretary of Homeland Security shall demonstrate a near real-time situational awareness capability for critical infrastructure"
  • By Thursday, October 10, 2013: "Within 240 days of the date of this directive, the Secretary of Homeland Security shall provide to the President, through the Assistant to the President for Homeland Security and Counterterrorism, a successor to the National Infrastructure Protection Plan [aka "the NIPP"] to address the implementation of this directive..."
  • By Thursday, February 12, 2015: "Within 2 years of the date of this directive, the Secretary of Homeland Security, in coordination with the OSTP, the SSAs, DOC, and other Federal departments and agencies, shall provide to the President, through the Assistant to the President for Homeland Security and Counterterrorism, a National Critical Infrastructure Security and Resilience R&D Plan..."

Analyst's Take:

  • Don't underestimate the level of insecurity and confusion this will create among state and local governments' various public- and internal-facing security organizations. The redrafting of the NIPP will spur a sort of political "land rush" as everyone scrambles in search of additional clarity (and even influence) as to how the "cyber" component of PPD-21 will be handled.
  • While PPD-21 might improve the demarcation of authority among various federal entities, it commits the same error as HSPD-7 in keeping commercial and SLTT interests mixed in with private critical infrastructure owners and operators. The one saving feature of PPD-21 is that it asks for a reconsideration of that public-private model within 150 days and for the new NIPP within two years. However, it remains to be seen whether the review of the public-private model will adequately consider the inherent contradictions between commercial and SLTT entities and whether such a reconsideration will inform the new NIPP.
  • As expected, commercial entities are concerned with protecting proprietary interests from homeland security meddling, while SLTT entities are often seeking closer and more coherent coordination with the federal government. Many state and local entities, including special districts (utilities) and authorities (transportation), have been working diligently to create enterprise-wide security programs. Meanwhile, the federal government is still operating a highly siloed and verticalized critical infrastructure security interface.
  • PPD-21 does not indicate, nor (given the current fiscal situation of the federal government) should it be expected, that significant subsidies will flow down from the national level for SLTT cyber security investments. To the extent that money does flow down, expect cyber security interests to be pushed aside by physical security interests, which are much more prominent in the minds of most decision makers. As one CIO told this analyst years ago, "Without a high-profile champion, computers don't stand a chance versus boots and suits." This analyst might be proved wrong, though, if someone as high profile as, say, the Vice President were overseeing this effort with a close eye on the cyber components.
  • For the time being, state and local governments will continue to acquire information security products, solutions, and services as outlined in Deltek's latest report on this market. Deltek will provide additional analysis of the impact of this directive as federal implementation deliverables are launched.