DHS issues infrastructure protection plan

Industry critics say the draft lacks specificity

The Homeland Security Department released the first specific details of how it intends to protect the country's critical infrastructure from terrorist attacks. DHS promises its National Infrastructure Protection Plan (NIPP) will greatly enhance security, but industry and security experts remain skeptical.

The 175-page draft document, which has not been posted online, establishes a framework for operational risk assessment, said Kirk Whitworth, a DHS spokesman. It sets measurable milestones of what government and industry need to do to protect major physical, human and cyber assets from terrorist attacks.

President Bush issued Homeland Security Presidential Directive 7 in December 2003 to guide NIPP's policy development and make it the authority on national critical infrastructure protection.

The plan provides procedures for establishing and coordinating priorities, and it will help in the annual budget processes for all federal agencies that are responsible for protecting critical infrastructure, Whitworth said. NIPP will enhance the protection of physical and cyber assets and improve information sharing among public- and private-sector partners.

Robert Stephan, DHS' assistant secretary for infrastructure protection, said he was not pleased with the lack of detail in the interim NIPP released in February and demanded more specifics in the new draft, Whitworth said.

DHS released the NIPP draft last month and was scheduled to accept comments on it until Dec. 5. DHS plans to approve a final version of NIPP in early 2006, Whitworth said. Specific requirements for each of the 17 critical infrastructure sectors, such as cybersecurity and telecommunications, will be due six months later.

The draft sets an aggressive timeline and is a positive step forward, said Barry Scanlon, a partner at James Lee Witt Associates, an emergency management consulting firm. But the private sector still has concerns about the plan, namely how long it took DHS to issue it and how much the department will cooperate with its partners.

DHS will have to reach out to the private sector for the plan to succeed because industry owns 85 percent to 90 percent of the critical infrastructure, Scanlon said. The private sector also has concerns about working with DHS, which has not always been willing to collaborate in the past, he added.

"The real question is, where are we in six months?" he said.

A draft plan would have been fine three years ago, but it should be more specific and aggressive now, given what officials have learned about improving security since the 2001 terrorist attacks, said Warren Suss, president of Suss Consulting.

The current version isn't a plan or even a plan for a plan, Suss said. It's a plan for a procedure to develop a plan or a list of guidelines that avoids dealing with tough issues, he said.

"This document completely glosses over any specific ways to avert direct threats to our nation's economy," Suss said. "It serves mostly to diffuse responsibility rather than come up with specific remedies" or ways to pay for the security improvements, he said.

Protecting critical infrastructure takes more than sharing lessons learned, Suss said. It takes making and enforcing laws that impose requirements to meet effective safety standards, he said, adding that he believes the government should follow the legislative model it used to improve highway safety by requiring motorists to wear seat belts.

A huge mandate

One goal of the National Infrastructure Protection Plan (NIPP) is to protect the country's critical infrastructure from terrorists. The plan states that such preparation "not only makes the nation more secure from terrorist attacks but also helps to reduce vulnerability to natural disasters, man-made accidents, organized crime and computer hackers. As a result, the NIPP provides a foundation for a broader set of protection and preparedness imperatives that address all hazards."

Because government and industry have focused on responses to Hurricane Katrina and other recent natural disasters, they have not yet discussed the plan's draft version in depth, said Barry Scanlon, a partner at James Lee Witt Associates, an emergency management consulting firm.

Katrina and the massive blackout that affected the Northeast and parts of the Midwest in 2003 proved that nonterrorist incidents can have a huge impact on critical infrastructure, Scanlon said. For example, the looming threat of a bird flu pandemic does not involve terrorism, but officials must plan for the severe consequences associated with a disease that could affect a significant portion of the population, he said.

As the Homeland Security Department creates the final version of NIPP, Scanlon said, it would err if it focused only on countering terrorism and not on effective preparedness for all hazards.

-- Michael Arnone