As we transitioned from the end of 2013 to the beginning of 2014, we were again reminded of the importance of cybersecurity in everyday life. From the big Target data breach that has become a nightmare, to the wider warning issued to retailers this week by the Department of Homeland Security (DHS), to the changes to NSA collection of our phone records announced by President Obama on Friday, the topic of protecting our data has never been more front and center in the news.
So why should we pay attention to the new version of the National Infrastructure Protection Plan (NIPP)? Is this just another example of government bureaucracy issuing another report that no one really cares about? Or worse, are the public and private sectors working together to divert our attention away from data breaches?
I think not.
While there’s little doubt that infrastructure protection is not a very hot topic (right now) compared with NSA-Snowden or data breaches at major retailers, protecting the most important items within our “Internet of Things” is a really big deal. I give DHS credit for leading this charge, along with its federal and private-sector partners.
These efforts reflect important milestones following President Obama’s State of the Union speech last year, which described the new infrastructure threats we face as a nation.
And this topic is only going to get more important as we move forward. Allow me to explain where we are and where this is going in 2014.
Background on New 2013 NIPP
The 2013 National Infrastructure Protection Plan (NIPP): Partnering for Critical Infrastructure Security and Resilience was released in December, and it replaces the previous version from 2009. President Obama required this update in February 2013 when he signed Presidential Policy Directive 21, which calls for a national unity of effort to strengthen critical infrastructure against vulnerabilities.
The 2013 NIPP Executive Summary begins this way:
Our national well-being relies upon secure and resilient critical infrastructure—those assets, systems, and networks that underpin American society. To achieve this security and resilience, critical infrastructure partners must collectively identify priorities, articulate clear goals, mitigate risk, measure progress, and adapt based on feedback and the changing environment. NIPP 2013: Partnering for Critical Infrastructure Security and Resilience (hereafter referred to as the National Plan), guides the national effort to manage risk to the Nation’s critical infrastructure.
The community involved in managing risks to critical infrastructure is wide-ranging, composed of partnerships among owners and operators; Federal, State, local, tribal, and territorial governments; regional entities; non-profit organizations; and academia. Managing the risks from significant threats and hazards to physical and cyber critical infrastructure requires an integrated approach across this diverse community to:
• Identify, deter, detect, disrupt, and prepare for threats and hazards to the Nation’s critical infrastructure;
• Reduce vulnerabilities of critical assets, systems, and networks; and
• Mitigate the potential consequences to critical infrastructure of incidents or adverse events that do occur. The success of this integrated approach depends on leveraging the full spectrum of capabilities, expertise, and experience….
What has changed?
There have also been numerous “calls to action” on cybersecurity over the years from industry and from federal and state governments. How is this one different?
The new NIPP is written at a high level and is a simpler read than the old NIPP. As described by Fierce Homeland Security, “security and resilience” are the primary aims of the planning document. I like this summary:
…The new NIPP reaffirms the existing coordination council structure DHS has put in place to coordinate public and private sector actions among 16 identified critical infrastructure sectors. But, it calls on national-level councils to jointly issue multi-year priorities based on multiple information sources, including results of state and regional Threat and Hazard Identification and Risk Assessments (THIRA)….
There are many more details on this topic, related 2013 NIPP supplements, training courses, authority references and other data available at www.dhs.gov/nipp.
The scope of this effort is massive. The Sector-Specific Plans from each of the 16 critical infrastructure sectors must be updated during 2014. Once those more specific plans are in place, implementing the action items will take years. The new National Institute of Standards and Technology (NIST) cybersecurity framework efforts must be leveraged as well.
Now is the time for NIPP 2013
And yet, despite minimal news coverage, there is no more important set of cybersecurity priorities facing our nation than the items covered in this document. Press articles about the smart grid getting hacked or pacemakers issuing unwanted shocks to the body or cars that drive themselves are all related to this broader topic of protecting critical infrastructure in the 21st century.
During a recent lunch conversation with a top technology leader from a large hospital chain, the issue of protecting non-traditional medical devices (those that have IP addresses and often WiFi connectivity) was a huge topic of concern. In fact, over 50% of this security leader’s problems were focused on mitigating risks from these devices. I have heard similar stories from other sectors.
So get ready for some major rollout events on this NIPP topic beginning in February, with more to come in your particular sector throughout the year.
A final point on why you need to engage. We need to improve our industry partnerships. Security and technology teams will fail if we don’t work together to share timely, relevant information in more effective ways.
Jason Nairn, one of my deputy CSOs in Michigan, was recently on a national conference call sponsored by DHS on the new NIPP 2013. During the Q&A session, he asked, "What is the most significant accomplishment of the NIPP thus far in the enhancement of our national security?"
The response from DHS:
"The most significant accomplishment of the NIPP program thus far has arguably been the establishment of the critical infrastructure public-private partnership and its subsequent activities to secure and strengthen the resilience of critical infrastructure. The effort to reduce critical infrastructure risk has been a joint voluntary undertaking between critical infrastructure partners in all levels of government and the private sector.
The critical infrastructure partnership is the primary mechanism for promoting and facilitating sector and cross-sector planning, coordination, collaboration, and information sharing to manage risks to critical infrastructure. A 2013 evaluation of the critical infrastructure partnership, conducted in response to Presidential Policy Directive 21, validated the current structure of the partnership at the national level and made recommendations to enhance and expand partnership activities at the regional and local levels."
Therefore, I urge you to read the NIPP 2013 and become engaged in your sector-specific plan in 2014.
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.
During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.
He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.
He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.
Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.
He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.
Follow Lohrmann on Twitter at: @govcso
Building effective virtual government requires new ideas, innovative thinking and hard work. From cybersecurity to cloud computing to mobile devices, Dan discusses what’s hot and what works in the world of gov tech.