September 11, 2001, changed everything. I have the honor of working with homeland security professionals who felt a calling to serve as a result of that tragic day. Reflecting on the “State of the Union” 20 years later as it relates to physical and cybersecurity, I look to the 9/11 Commission report as the visioning document for homeland security in the post- 9/11 world.
In response to the attacks, Congress commissioned the bipartisan National Commission on Terrorist Attacks Upon the United States (9/11 Commission) in 2002 “to prepare a full and complete account of the circumstances surrounding the September 11, 2001 terrorist attacks, including preparedness for and the immediate response to the attacks.” (https://www.9-11commission.gov/)
The founding principles of the United States are part of what make the United States special and unique. At the same time, these principles have also created silos that play a role in homeland security efforts. As established in the Constitution, the government was intentionally structured with separation between federal, state, and local governments, as well as between the branches of government. The 9/11 report called out these silos and challenged everyone within the homeland security enterprise, including elected officials, to find ways to work together to improve information sharing and collaboration across all levels of government. The following sections are some of the text from the 9/11 report as it relates to infrastructure and cybersecurity, as well as collaboration across all levels of government and the private sector.
Excerpts from the Public Statement Release of the 9/11 Commission Report, July 22, 2004 (https://govinfo.library.unt.edu/911/report/911Report_Statement.pdf)
- At home, we need to set clear priorities for the protection of our infrastructure, and the security of our transportation. Resources should be allocated based upon those priorities, and standards of preparedness should be set. The private sector and local governments should play an important part of this process.
- If, God forbid, there is another attack, we must be ready to respond. We must educate the public, train and equip our first responders, and anticipate countless scenarios.
- The most important failure was the one of imagination.
Excerpts from the 9/11 Commission Report Executive Summary (https://govinfo.library.unt.edu/911/report/911Report_Exec.pdf)
- The missed opportunities to thwart the 9/11 plot were also symptoms of a broader inability to adapt the way government manages problems to the new challenges of the twenty-first century.
- Unity of Effort: Sharing Information. The U.S Government has access to vast amount of information. But it has a weak system for processing and using what it has. The system of “need to know” should be replaced by a system of “need to share”
The report recommendations noted above were built upon in the National Infrastructure Protection Plan. Two years after the 9/11 Commission report, the first National Infrastructure Protection Plan was released (https://www.dhs.gov/xlibrary/assets/NIPP_Plan_noApps.pdf). Since 2006, the National Infrastructure Protection Plan has been supplemented and updated and is currently going through a refresh process (https://www.cisa.gov/national-infrastructure-protection-plan). This plan sets the framework and priorities for both cyber and infrastructure security. Additionally, the plan established various groups across the federal government (Government Coordinating Councils) and both the public and private sectors (Sector Risk Management Agencies). These various stakeholder engagement groups are intended to help work across the different sectors and levels of government to share information, improve coordination, and strengthen the ability of our nation to prepare for and respond to all hazards.
The vast majority of critical infrastructure is owned and operated by local governments and the private sector. As such, these professionals are on the front lines for the protection and resiliency of their critical infrastructure assets. This responsibility for protection and resiliency investments at the local level is similar to how disaster response is locally executed, state coordinated, and federally supported. Although federal and state governments are essential partners in these security efforts, local and private sector agencies need to be intentional and proactive in their roles for physical and cyber infrastructure security and response.
“One universal action item for all professionals in public service is building trust between other groups and individuals involved in cyber and infrastructure security”
Professionals in public service, public or private, need to keep responsibility for security in the front of their minds and not become complacent. Whether in designing, building, operating, or maintaining physical or cyber-related infrastructure, anyone in these positions has a role in homeland security. Some of the activities within a given sector may be seen as “normal” but on closer review these activities also have resiliency components and need to be understood as such. Professionals in the cyber and physical infrastructure profession needs to continue to work together and be intentional about improving the security and resiliency of the nation’s critical infrastructure. The federal government has invested millions of dollars in the development of critical infrastructure security resources to aid SLTT and private sector professionals’ efforts on improving security and resiliency. Being busy and having multiple roles is a reality that all agencies and professionals face, but that cannot be an excuse for inaction or not engaging with the federal resources available (generally at no cost). One universal action item for all professionals in public service is building trust between other groups and individuals involved in cyber and infrastructure security. Building and maintaining trust, and all that goes into that, is an essential part of homeland security efforts and is a foundational need. Critical infrastructure professionals owe it to their communities, and the nation as a whole, to be intentional about leveraging federal resources, implementing mitigation measures, hardening critical assets, improving response capabilities, responsibly sharing information, and strengthening the ability to manage problems and threats.
In their closing public statement on the 9/11 Commission Report, Honorable Thomas H. Kean and Honorable Lee H. Hamilton stated, “We believe that in acting together, we can make a difference. We can make our nation safer and more secure.” I believe their comments are just as true today as they were on July 22, 2004. Let us all respond to the calls for action in the 9/11 Commission Report by building on the framework and priorities in the National Infrastructure Protection Plan and being intentional about building partnerships, sharing information, and working together to improve the preparedness and resiliency of the cyber and infrastructure systems in the United States of America.
