
New Presidential Policy Directive 21 (PPD 21) “Kicks the Can” on Critical Infrastructure Protection

2013 February 20
by Jason Nairn, CPP, CISSP

On February 12th President Obama released Presidential Policy Directive 21 in conjunction with his State of the Union Address.  PPD 21 directs the Department of Homeland Security to work with critical infrastructure owners and operators, federal agencies that oversee critical sectors (SSAs, or sector-specific agencies), and State, Local, Tribal and Territorial governments (SLTTs) to protect critical infrastructure from attack or disruption.  The new policy recognizes the importance of cybersecurity in critical infrastructure protection, which the 2009 National Infrastructure Protection Plan does not address as vigorously.  It also establishes “national critical infrastructure centers” in the physical and cyber space designed to promote information sharing and collaboration.  Additionally, the policy orders the State Department to be engaged with DHS on issues of international interdependencies and multi-national ownership, growing concerns of the global economy.

But PPD 21 is just as interesting for what it includes that isn’t new, and much of it is not new.  It raises several questions about what progress has been made over the past 5-10 years, and why the Obama Administration feels the need to reset the timer.

For example, PPD 21 requires DHS to “identify and prioritize critical infrastructure” as an “additional role and responsibility”.  But DHS has been doing this for years.  In 2003 I received a phone call from a DHS contractor.  As coordinator of state-owned infrastructure, I must have made some list of contacts given to a (probably Booz Allen) contract DHS employee.  I was asked a series of questions regarding critical infrastructure in my jurisdiction.  The information was needed, according to the contractor, because the Department of Homeland Security was compiling a state-by-state list of critical infrastructure.  In the years since, I have submitted revisions and updates to my “Tier 1 and Tier 2” lists of sites.  The Government Accountability Office (GAO) describes this process this way in a 2010 report:

“The process of identifying these nationally significant assets and systems is conducted on an annual basis and relies heavily on the insights and knowledge of a wide array of public and private sector security partners. CIKR categorized as Tier 1 or Tier 2 as a result of this annual process provide a common basis on which DHS and its security partners can implement important CIKR protection programs and initiatives, such as various grant programs, buffer zone protection efforts, facility assessments and training, and other activities. DHS has other tiered categories of infrastructure whose destruction or disruption would not have a significant national or regional impact, though local impacts could be substantial.”
GAO-10-296 Critical Infrastructure Protection: Update to National Infrastructure Protection Plan Includes Increased Emphasis on Risk Management and Resilience

DHS’ “additional roles and responsibilities” also include the development of vulnerability assessments on CI/KR, which they have also done for years via their Protective Security Advisors.  These efforts are aimed at meeting the risk management goals of prioritization and the establishment of resource allocation priorities via programs such as the Buffer Zone Protection Program.  The list of “additional roles” within PPD 21 for DHS goes on to include providing informational support, coordination with Federal departments on prosecutorial issues, and mapping.  All of which are old news.

PPD 21 does little to enhance the CI/KR resilience programs already in existence.  And while movement toward cybersecurity and a nod to the national continuity directives are helpful, they are also kind of obvious.  These are simple adjustments, not grand new (State of the Union announcement!) plans.  It will be interesting to see what comes of the “national critical infrastructure centers”, and we look forward to reading the annual reports.  But in the end, PPD 21’s most significant contribution to improving the National Infrastructure Protection Plan might be the removal of the National Monuments and Icons and Postal and Shipping sectors.  No one was quite sure what to do with those.  Make Mount Rushmore more resilient or teach UPS how to manage emergencies?
