Critical Infrastructure Protection Forum
March 30, 2016
Ladies and Gentlemen,
Often described as the backbone of a country’s economy and security, critical infrastructure represents a fundamental element in the public’s perception and confidence in the way a state functions. Leaders and decision makers from both the public and private sectors are called upon to respond to potential threats against any of these critical assets and to protect life, property, public health and the environment. I would like to further explore with you this morning some of the challenges that we encounter as we secure, guard and maintain a resilient critical infrastructure in our countries and globally.
In the United States and throughout the world, resources and structures defined as critical represent those basic systems necessary for a well-operating society. Critical infrastructure is diverse and complex not only because of the variety of sectors it covers, from communications, emergency services, information technology to nuclear reactors and transportation systems; it is complex also due to the special nature of its ownership. Public and private entities are interlinked through a shared responsibility to keep these systems functional and safe at all times, a process that requires proactive and coordinated efforts, along with an integrated approach to risk management.
To give an example, the US ICT industry developed the nationwide mission critical communication network in Romania that is operated by the Special Telecommunications Service and used by multiple Government agencies, including the Ministry of Internal Affairs, the Ministry of Defense and the Romanian Intelligence Service. The United States is without question a world technology leader in mission critical communications equipment.
Currently, the Romania Government’s communications system is in its 6th year of operation and has reached technological and capacity maximum. It is important that Romania continue investing in its TETRA network.
In national preparedness against natural or manmade disasters, just like in risk management, no entity can ever succeed in isolation.
As a consequence of the growing asymmetric security threats identified at the onset of the 21st century, the protection of critical infrastructure has become a matter of key importance to governments and decision makers. After 9/11, the United States mandated the Department of Homeland Security to coordinate the plan to secure our national critical infrastructure. The US Department of Homeland Security drafted a first version of the National Infrastructure Protection Plan, followed by an update in 2009 and a comprehensive Presidential Policy Directive on Critical Infrastructure Security and Resilience in 2013, which led to the most recent strategy adopted that same year. All these documents emphasize the national unity of efforts required to properly defend critical systems, along with the importance of effective information exchanges between owners and operators. The Department of Homeland Security provides strategic guidance, conducts assessments of vulnerabilities, emerging trends or imminent threats, while also evaluating key interdependencies among the sixteen critical infrastructure sectors. Other sector specific agencies play key roles based on their institutional knowledge and specialized expertise. The Department of State engages international partners to strengthen the security and resilience of critical infrastructure through exchanges of good practices and lessons learned. The Department of Justice, particularly the Federal Bureau of Investigation, coordinates counterterrorism and counterintelligence investigations to reduce terrorist and other threats, actual or attempted attacks on or sabotage of critical infrastructure. Designed as a multiagency national focal point, the National Cyber Investigative Joint Task Force integrates information related to cyber threat investigations. The Department of Commerce is actively involved in the promotion of improved security for technology through its partnerships with the private, research or academic sectors. In addition to this definition of the various roles and responsibilities assigned to specific agencies, the 2013 Presidential Directive also identifies three strategic imperatives that emphasize the need to have clear functional relationships across the government, efficient, timely and actionable information exchanges, along with an integration and analysis function to inform planning and operational decisions regarding critical infrastructure.
This overview of the US perspective on the environment of critical infrastructure today should emphasize what is in fact the foundation of all our efforts in homeland security – risk management. As we partner for critical infrastructure security and resilience, we actually engage into an enterprise approach to collectively manage risk. No state, agency or entity can handle risk alone; therefore it is essential to share information, use resources effectively and minimize duplication of efforts. Each government or industry partner involved in this exchange manages risk by looking at its own commitments to the community or the customers it serves; each partner faces its own constraints generated by policies, regulations, business plans or resources. It is only by accepting that perspectives differ and risk management practices vary that this mechanism becomes effective. Risk has an economic dimension that is taken into account by both government and private sector owners, but there are some non-economic values that are essential and should be incorporated into critical infrastructure security and resilience initiatives – protection of privacy and civil liberties. While information sharing remains open and transparent in this public – private collaboration, privacy must be also safeguarded and liberties guaranteed.
The 2013 National Infrastructure Protection Plan looks beyond the traditional physical threats or natural disasters that have a potential impact on critical infrastructure. Information and communications technologies are now fully integrated into most critical infrastructure operations, which means cyber risks play a major role in the current threat environment. Malicious and sophisticated cyber actors exploit vulnerabilities, get unauthorized access to information and take advantage of increased global connectivity for theft, fraud or abuse. Consolidating the security and resilience of cyberspace has become an important mission, as outlined in the President’s Executive Order on Improving Critical Infrastructure Cybersecurity issued in 2013. In a world of wireless connectivity and cloud computing, national infrastructures are more interdependent and interconnected than ever before. The integration of cyber and physical security efforts is possible through partnerships across geographic boundaries as demonstrated by the outstanding cooperation between American and Romanian law enforcement agencies and computer security incident response teams over the last decade.
The international critical infrastructure community today can be successful only through a shared vision that puts open communication and trusted relationships at its core. This vision has been formally recognized in the most recent version of the US National Infrastructure Protection Plan that emphasizes the need for global collaboration for capability enhancement. The same document lists “learning and adaptation” as one of its strategic goals and the event today is a great opportunity to put it into practice as we interact with colleagues from various public or private entities from Romania and the region. We welcome your cooperation and your commitment to strengthen the security and resilience of critical infrastructures across the world and we look forward to other opportunities to develop this partnership.