Kolasky’s career focus has been on analyzing issues related to homeland security strategy, planning and policy. Kolasky joined the federal government following his graduation from the Harvard Kennedy School in 2002. Kolasky provided written responses to questions about the new National Infrastructure Protection Plan (NIPP) and other important aspects of critical infrastructure protection including cybersecurity and climate change.
Question: What was the impetus for the rewrite of NIPP and the creation of a new 2013 document?

Barry Bahler
PPD-21 mandated the update to NIPP. Since the previous NIPP was revised in 2009, growing interdependencies across infrastructure systems, particularly reliance on information and communications technologies, have produced new vulnerabilities to physical and cyber threats.
The new plan, NIPP 2013, guides efforts across the critical infrastructure community to enhance security and resilience in conjunction with national preparedness policy.
What were the significant changes made from previous editions of NIPP?
NIPP 2013 is informed by the evolution of the infrastructure risk, policy and operating environments, as well as experience gained and lessons learned from exercises and real-world events, such as Sandy and various cyberincidents. The 2013 plan lays out an enterprise approach to risk management that incorporates cyber and physical security and resilience measures. It also builds on previous plans by emphasizing how security and resilience complement efforts to reduce critical infrastructure risk. In so doing, it builds on the risk management framework introduced in the 2006 NIPP and emphasizes the role of information sharing while still leaving the principal mechanism for managing critical infrastructure risk — voluntary public-private partnerships — intact.
With critical infrastructure mostly owned by the private sector, do you influence the private sector to expend resources to protect that infrastructure when such an investment detracts from the bottom line?
NIPP calls for a proactive and inclusive partnership among all levels of government and the private sector to take advantage of existing capabilities and to develop new ones. Ultimately it is the responsibility of individual organizations to secure and ensure the physical and economic resilience of their assets and facilities. That said, the NIPP partnership structure provides a framework for government and private-sector collaboration to increase efficiency and effectiveness.
With a new emphasis on cybersecurity, what have you found works best in getting public and private enterprises to coordinate and share information before and during an attack?
In response to PPD-21, the National Institute of Standards and Technology developed a voluntary framework for reducing cyber risks. The Cybersecurity Framework consists of standards, guidelines and best practices for promoting critical infrastructure protection and assisting owners and operators in managing cyber-related risks.
To support adoption of the framework, DHS has established the C3 Voluntary Program. The program emphasizes three Cs:
- Converging critical infrastructure community resources to support cybersecurity risk management and resilience through use of the framework;
- Connecting critical infrastructure stakeholders to the national resilience effort through cybersecurity resilience advocacy, engagement and awareness; and
- Coordinating critical infrastructure cross-sector efforts to maximize national cybersecurity resilience.
What role will climate change play in critical infrastructure, and how are climate adaptation strategies being pursued to counter a rapidly changing world?
Addressing the potential impacts of climate change is a component of managing the complex and interdependent risks that we face as a nation. Over the past several decades, there has been a heightened focus on changing waterways, shifting temperature patterns, air quality conditions, lost land and extreme weather events, and how these issues can affect the environment, economy, national security and overall public well-being.
While discussions of climate change have often focused on impacts to natural environments, climate and weather events can also directly affect services people rely on, such as water, energy, transportation, communications and emergency services. Critical infrastructure is subject to a wide variety of natural phenomena and is typically designed to withstand the weather-related stressors of a particular locality.
But shifts in climate patterns increase the range of potential risks that critical infrastructure faces. Most infrastructure being built today is expected to last for 50 years or longer. Therefore, it is important to understand how future climate might affect these investments in the coming decades.
How did Sandy impact revisions to NIPP?
Sandy revealed a number of infrastructure-related insights that helped contextualize the revisions to NIPP 2013. The storm affected critical infrastructure in unprecedented and unexpected ways, demonstrating how interdependencies between infrastructure systems can magnify impacts and delay restoration, and underscoring how preplanning, coordination and improved building approaches can ease effects.
Following the storm, communications, energy, transportation, water and wastewater systems were inoperable or severely degraded for weeks and months following the storm. Additionally, Sandy demonstrated the importance of regional partnerships in response and recovery efforts and the value of trusted relationships between public and private organizations, without which the nation’s response to the storm would have been measurably worse.
What tactics do you recommend for addressing infrastructures that cross state boundaries and are typically not coordinated with multiple government agencies?
Not all state and local stakeholders have aligned interests and concerns, and the tactics vary considerably for best coordinating across local, state and regional boundaries. However, trusted partnership and information sharing represent valuable mechanisms for enhancing coordination among various stakeholders.
In addition to the national partnership structure articulated in the NIPP 2013 and the information sharing tools I described previously, there are a number of state, local and regional efforts that seek to coordinate effectively across jurisdictional boundaries.
At the regional level, the All Hazards Consortium is a partnership across the states and cities of North Carolina, the District of Columbia, Maryland, Virginia, West Virginia, Delaware, Pennsylvania, New Jersey and New York focused on homeland security, emergency management and business continuity issues.