Homeland security is a team sport. The Whole of Community doctrine recognizes that homeland security – in particular, emergency management and critical infrastructure security and resilience efforts – are best done via shared efforts of State and local governments, the private sector, non-governmental organizations (NGOs) in partnership with the Federal government.
President Trump’s new Executive Order (EO) on Achieving Efficiency Through State and Local Preparedness doubles down on part of that concept.
Federal policy must rightly recognize that preparedness is most effectively owned and managed at the State, local, and even individual levels, supported by a competent, accessible, and efficient Federal Government. Citizens are the immediate beneficiaries of sound local decisions and investments designed to address risks, including cyber attacks, wildfires, hurricanes, and space weather. When States are empowered to make smart infrastructure choices, taxpayers benefit.
Elsewhere in the EO, there is a focus on reviewing and updating National Critical Infrastructure Policy, including foundational documents such as National Security Memorandum 22. The President calls for that review to “achieve a more resilient posture; shift from an all-hazards approach to a risk-informed approach; [and] move beyond information sharing to action”. He also calls for the establishment of a Risk Register to drive that work. There is a lot to like in the EO’s call for a policy refresh and, while there is a lot that remains to be done, this sets the tone for needed homeland security evolutions. This is one of the most positive things I’ve seen yet from the new administration.
Of note, however, is that there is not a clear role called out for the private sector in the planning and policy work. This is a missed opportunity. Much of U.S. critical infrastructure is owned and operated by the private sector and it is the private sector that is essential for making critical lifeline functions, such as energy, transportations, communications, cloud computing and data management, and water secure and resilient. The private sector’s role in doing so includes:
- Financial accountability and decision making for budget and value creation for infrastructure operations
- Front line security and business continuity programs
- Development of technical products that enable security and resilience
- Operations management
- Risk transfer and risk management processes
- Customer communications
In other words, you can’t achieve the goals of keeping the country more secure and resilient without the U.S. private sector. I have no doubt that members of the Trump Administration recognize that, and I am confident that the strategies inherent in the new Executive Order and update to National Critical Infrastructure Policy will reflect that view. Unfortunately, however, there is uncertainty in how the private sector will be involved in shaping those updates.
The main reason for this is that the Secretary of Homeland Security has not yet renewed the Critical Infrastructure Partnership Advisory Council (CIPAC) which is the authority that is used for the U.S. Government to regularly collaborate with critical infrastructure owners and operators. The use of the term “Council” is a bit of a misnomer as CIPAC is not really a single Council but instead is the process and legal protections that are used by DHS and another 10 or so cabinet agencies which serve as Sector Risk Management Agencies to regularly collaborate with critical infrastructure companies. This process gets operationalized through the establishment of Sector Coordination Councils (SCCs) across the 16 critical infrastructure sectors as well as cross sector groups such as the ICT Supply Chain Risk Management Task Force, the Enduring Security Framework, and other issue specific working groups.
These groups give critical infrastructure owners and operators and their representatives – largely private sector companies and their representatives — a seat at the table for planning, operations, and information sharing for major critical infrastructure efforts. For example, CIPAC groups are involved in Hurricane Response efforts to reestablish functioning of the electricity grid, prioritizing worker needs during the pandemic, and going “Shields Up” in the face of potential Nation-State cyber attacks. An important element of CIPAC is that the authority allows for the private sector to share information about the risks and vulnerabilities they are seeing in their operations without exposing sensitive information to the public or accruing liability for acknowledging potential vulnerabilities. It also allows competitors in industry to collaborate for the purpose of the national interest without raising antitrust concerns. And, it is an efficient way for industry to engage with government through a common structure rather than relying on lobbying efforts and “pick-a-door” approach to engagement.
My company, Exiger, currently is a member of the IT and Defense Industrial Base Sector Coordinating Council and finds great value in the dialogue. And I know from my time at CISA and its predecessors that major U.S. critical infrastructure companies do so as well. For almost 20 years, CIPAC has served as the basis for the private sector helping shape the homeland security agenda – not primarily as a service provider with financial incentives but instead as organizations that are on the front line of securing the homeland and have commitments to their customers and shareholders that they will deliver critical functions securely.
Governance and process is not always headline grabbing but it is key to delivering outcomes. The President’s new Executive Order seemingly recognizes that. Following from it, DHS should make the decision to reestablish CIPAC or replace it immediately with a similar process that enables critical infrastructure owners and operators to consistently and efficiently engage with Sector Risk Management Agencies without absorbing undue legal risk and uncertainties. We are not going to make the nation more cyber resilient or prepared for catastrophic incidents without the private sector having a major role. And it is CIPAC which enables that role most effectively.