48.1 F
Washington D.C.
Tuesday, March 28, 2023

PERSPECTIVE: Security Must Come with Infrastructure Privatization

President Trump this week unveiled his long-awaited infrastructure plan, intended to spur $1.5 trillion in infrastructure spending. The president’s approach absolves the federal government from devoting significant money to modernizing a depilated and failing infrastructure and would increase the percentage of our nation’s infrastructure owned and operated by the private sector and other non-federal entities, amplifying a trend toward divesture and privatization of infrastructure that is considered a continued good.

As part of the announcement, the White House is considering allowing federal agencies to divest assets if they can “demonstrate an increase in value from the sale would optimize the taxpayer value for Federal assets.” In plain English, the federal government may consider selling off assets such as the Ronald Reagan National Airport and Dulles International Airport, the Washington Aqueduct, the Tennessee Valley Authority and the Bonneville Power Administration.

I do agree that the private sector entities and state and local governments may be suited to manage those assets. After all, the majority of our nation’s infrastructure is owned and operated by entities other than the federal government. These organizations understand the unique attributes of a region, have better technical capability, different capital expenditure strategies, and can often better attract and pay a skilled workforce.

This unique and sometimes complex provisioning of a basic public good has underpinned unprecedented economic prosperity and our way of life. Equally important, infrastructure is vital to our national security, enabling transportation and communications networks, a defense industrial base, and outside-the-wire capabilities that support our warfighting missions.

As such, 20 years ago the Clinton administration envisioned a public-private partnership to protect critical infrastructure, where market incentives would be the first choice for addressing incentivizing the asset owners and operators to protect “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” The goal was a partnership between government and industry that was mutual and cooperative.

This public-private partnership took on greater significance on 9/11, when Osama bin Laden weaponized and targeted critical infrastructure. For the past 17 years, the critical infrastructure community has worked in partnership to manage all hazards, from homegrown violent extremists to extreme weather. However, as the risk environment grows more complex — and lower-probability, high-consequence threats become higher probability (electromagnetic pulses, geomagnetic disturbances, coordinated cyber attacks, catastrophic natural disasters) — the cost to protect infrastructure and the goods, services and people that transit across it and benefit from it is becoming more expensive. And the incentives provided by the federal government don’t offset the costs.

Transferring and privatizing infrastructure comes with risks that we must manage and mitigate up front. The security and resilience of these assets is what I am most concerned about. Since 9/11, the risk environment has become increasingly complex and spans the low-tech to highly sophisticated threats. Look at power generation and transmission. Damage from copper theft and rudimentary attacks on substations can easily surpass seven figures. Operators must monitor terrestrial and space-based weather, anticipating tornadoes, hurricanes and solar storms that can damage above-ground infrastructure or, more concerningly, long lead time, purpose-built equipment. Insider threats must be accounted for and addressed, whether malicious actors or unwitting spear phising victims. Increasingly destructive malware targeted at plant control systems can have the same chilling effect we saw in Ukraine in December 2015. And today’s geopolitical environment elevates concerns about other nation-states that recognize the strategic importance of our infrastructure, have taken advantage of the digitized environment to gain footholds in our lifeline systems, and will not hesitate to leverage them as part of an “escalate to deescalate” strategic doctrine.

Puerto Rico is illustrative of the reality of a lower-risk but high-impact existential threat, whether Mother Nature or manmade. The island’s power grid collapsed in the face of Hurricane Maria, creating a six-month “super blackout” that has been exacerbated by an aging grid, contracting scandals, personnel challenges and material shortages, highlighting the fragility of an infrastructure ecosystem that is highly dependent on electricity. Communications are still hampered, reliable clean water is hard to come by as is access to healthcare, and businesses large and small remain shuttered, amounting to a humanitarian and economic crisis on an island that is home to 3.4 million American citizens.

The same owners and operators who are expected to anticipate this increasingly dynamic risk environment and harden their assets from these threats must account for falling energy costs and turning a profit and/or subsidizing other state infrastructure projects. In the face of these trade-offs, security can often take a backseat to other investments, such as long lead time items and specialty purpose-built equipment.

As we drive toward privatization, one thing is clear — we need to provide economic incentives or direct regulation to encourage leading practice in security and resilience. The compliance-oriented standards and best practices developed by the 60-member Interagency Security Committee or the legal liability protections of its Safety Act Program are a starting place for how we can consistently drive security that rises above voluntary frameworks into the marketplace. If the federal government expects more private ownership of infrastructure, it must ensure security moves beyond being viewed as a cost center and gets the same billing as profitability.

The energy-efficient building practices that have resulted in green certification of nearly 40 percent of commercial office space across 30 office markets in the United States are one model. Widespread adoption of Energy Star and LEED certification resulted from both support of energy-efficiency advocates across the country and municipal policy that mandated energy-efficient buildings standards. We can do better with security, as well. It is time for public-private partnership to drive a vision and policy framework for a more secure and resilient infrastructure.

The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email [email protected]. Our editorial guidelines can be found here.

Caitlin Durkovich
Caitlin Durkovich is a Director at Toffler Associates, a strategic consulting and advisory firm that architects better futures for public and private sector clients around the globe with an unwavering commitment to be the catalyst for change. A recognized expert in critical infrastructure security and resilience, including cybersecurity, Caitlin helps public and private sector clients navigate the complex operational challenges posed by an increasingly interconnected and interdependent global economy. Over the course of nearly two decades of developing physical and cyber risk management approaches, Caitlin has successfully advanced public-private partnerships that drive thought leadership, influence policy, and evolve industry practices to manage security and operational risks.Caitlin served nearly eight years in the Obama Administration, including four years as Assistant Secretary for Infrastructure Protection with the Department of Homeland Security. She led the mission to protect critical infrastructure and redefined public-private risk management for emerging issues like complex mass attacks, electric grid security, cybersecurity, GPS resilience, and climate adaptation planning. Her experience also includes leading homeland security projects with several government agencies while at Booz Allen Hamilton and pioneering early warning cyber intelligence at iDefense (acquired by Verisign).Caitlin earned a B.A. in public policy studies from the Terry Sanford Institute of Public Policy at Duke University and a certificate in business strategy from The Aspen Institute.

Related Articles

- Advertisement -

Latest Articles