Project 12 Report: Improving Protection of Privately Owned Critical Network Infrastructure Through Public-Private Partnerships
- 35 pages
- For Official Use Only
- November 2008
The United States relies on critical infrastructure and key resources (CIKR) for government operations and the health and safety of its economy and its citizens. The President issued National Security Presidential Directive 54 (NSPD-54)/Homeland Security Presidential Directive 23 (HSPD-23), which formalized the Comprehensive National Cybersecurity Initiative (CNCI). NSPD-54/HSPD-23 directs the Secretary of Homeland Security, in consultation with the heads of other Sector-Specific Agencies, to submit a report detailing the policy and resource requirements for improving the protection of privately owned U.S. critical infrastructure networks. The report is required to detail how the u.S. Government can partner with the private sector to leverage investment in intrusion protection capabilities and technology, increase awareness about the extent and severity of cyber threats facing critical infrastructure, enhance real-time cyber situational awareness, and encourage intrusion protection for critical information technology infrastructure.”
Under the auspices of the Critical Infrastructure Partnership Advisory Council (CIPAC) and the National Infrastructure Protection Plan (NIPP) Partnership Framework, the Department of Homeland Security (DHS) formed a private-sector CIKR owner and operator working group to respond to this tasking. Private-sector input proved critical to appreciating the scale and scope of the task and in developing a set of actionable recommendations that reflects the reality of shared responsibility between the public and private sectors with respect to securing the nation’s cyber assets, networks, systems, and functions.
The public and private-sector CIKR communities recognize that the challenges are significant, the threat is present and growing, and immediate proactive action must be taken. As such, this report includes short-term recommendations, often building upon accomplishments and activities already under way and existing trusted relationships with CIKR organizations. The report identifies an aggressive series of milestones that will result in tangible progress over the next year. For each recommendation, efforts should be made to investigate and leverage ongoing activities and, where appropriate, avoid creating new projects or working groups when one already exists.
Some recommendations within this report represent long-term objectives, with many requiring detailed legal and policy analysis, as well as advanced interagency planning and coordination. In some of these cases, feasibility studies, analysis, and additional investigation are needed. In addition, an integration and management process will need to coordinate efficiently among the various related efforts.
Overview and Scope
Project 12 asks one fundamental question: “How can government work with the private sector to enhance the security of the CIKR networks?” Some related topics are the primary focus of other CNCI areas and, therefore, are not discussed in detail here. In particular, the topics of cyber research and development (R&D) and cybersecurity “leap-ahead” technologies are the focus of other CNCI efforts.
The public and private-sector CIKR communities recognize that the significant challenges and the growing threat require immediate and proactive action. This report includes short-term recommendations, often building on accomplishments and activities already under way and existing trusted relationships with CIKR organizations. The report identifies an aggressive series of milestones that will result in tangible progress over the next year. Where applicable, these activities should build on existing security and assurance efforts across the cyber infrastructure to increase resiliency and operational capabilities throughout the CIKR sectors. For each report recommendation, efforts should be made to leverage ongoing activities and, where appropriate, avoid creating new projects or working groups.
Some recommendations within this report represent long-term objectives that require detailed legal and policy analysis, as well as advance planning and coordination. In some of these cases, feasibility studies, analysis, and additional investigation are needed. In addition, an integration and management process will be needed to coordinate among the various related efforts.
There is a need for a plan in which the CIKR sectors, working through the NIPP Partnership model, can engage in appropriate activities across the CNCI, beyond those explicitly included within the scope of Project 12. Industry has equities and expertise that should be understood and incorporated across the CNCI. In particular, DHS will work with the Office of Science and Technology Policy as the leader for Initiatives 4 and 9 to ensure that OSTP receives the inputs, perspectives, and requirements identified in this report and can benefit from NIPP partners’ expertise. DHS also will work with the various private-sector entities responsible for complying with information security statutes (i.e. financial, healthcare) that include an information security training component. The ESF, outlined in the introduction to this report, will provide an important venue for collaboration with NIPP partners under the CIPAC framework, to address long term strategic issues related to globalization.
In accordance with NSPD-54/HSPD-23, DHS intends to use the NIPP Partnership Framework to engage with CIKR on all aspects of the CNCI where CIKR input is relevant, feasible, and appropriate. DHS will work with its Office of General.Counsel and consult with DOJ to ensure legal issues are considered. DHS has developed an engagement plan to include initial briefings on CNCI to PCIS/Federal Senior Leadership Council, all SCC/GCCs, and the ISAC Council to provide a baseline understanding of CNCI. Once a baseline has been established, work will begin to incorporate CIKR sector input into appropriate CNCI activities. DHS will work with the FBI and the Secret Service to provide briefings and engage as appropriate with InfraGard and ECTF members.