Securing critical infrastructure: portfolio based approach

we do not really have good technology, business practices, standards, or the penalties to go along with it.

I think we need to translate a lot of this stuff into business terms. Businesses are going to have business impacts and we need to separate those business impacts from national security impacts. The government needs to focus first on the things that they need to do to protect cyberspace from a national security standpoint.

HSNW: Of late the majority of attention seems to be focused on cybersecurity and cyber threats to critical infrastructure, but what element of critical infrastructure do you see as being overlooked that needs some attention?

BW: That is a hard question. I think we have a very broad economy and all of the different types of infrastructure yield different targets from a terrorism or natural catastrophe standpoint, so the focus has to be broad and holistic. This is why I am such an advocate of looking broadly at large portfolios and not trying to focus exclusively on the most critical asset or the most critical asset in a particular sector.

You have to be careful when you say “Which of the industry or sector should we be most focused on?” because if you do that you run into a game of “Whack-a-Mole” where all of a sudden something pops up and you divert your focus to the chemical sector or the nuclear sector.

What we are seeing now is threats on urban rail from the intelligence seized from the bin Laden compound. Was urban rail a critical priority before? I am not so sure it was if you look at funding and other things. Not so long ago, we became very focused on large hotels because the Mumbai attacks and the realization that we had those same kind of assets here.

So, again, my belief is we need to be prioritizing all of our threats, vulnerabilities, consequences across all of the industry sectors in a portfolio based approach so we are able to react quickly to something new and urgent, but still have a strategic program where we are constantly trying to increase the depth and breadth of our knowledge about our assets.

HSNW: Finally to wrap things up, if you were responsible for NIPP and had a clichéd magic wand, what would be the first three things you would do to secure critical infrastructure?

BW: I come at this question from the perspective of a relatively focused company, so the way we would look at it is I would first like to see a real program to partner with industry and state and local governments to build a comprehensive library or portfolio of the critical assets that we are supposed to protect. The second thing I would do is gather that data and analyze it so we can all agree on what our national priorities are. We cannot secure everything as well as we would like to, so we need to prioritize where we want to spend our resources. From there we can develop a long term resource plan for how we are going to take care of those vulnerabilities, harden those facilities, and how we are going to deal with those threats that we face overall.

So for me, my three actions would be to set up a system where we bring everyone together, prioritize all those things that we are trying to protect, and based on those priorities set out on a real risk management program. I do not know how much of it is defenses, cyber, or counter-surveillance programs because I do not think we have put together a comprehensive look across the country of what it is we are trying to do yet.