Critical Strategies

Lack of national strategy forces a fractured approach to critical infrastructure protection.

As states attempt to determine which critical infrastructures to protect and how to protect them, they do so without a national template or guideline. In essence, states are creating their own critical infrastructure protection plans until a national strategy emerges.

"So many things are in flux due to governor turnover and the new [Office of Homeland Security]," said Chris Dixon, digital government coordinator for the National Association of State CIOs (NASCIO). "If we're all going to have confidence that we're aiming for the same thing, it's going to take somebody at the national level to promulgate something to hone our focus and build a consensus approach."

Most states are moving ahead, albeit at varying levels, with critical infrastructure assessment plans, and they're choosing concepts and tools from a multitude of sources. "There are various approaches out there right now," said Thom Rubel, director of State Information Technology Economic and Technology Studies for the National Governors Association (NGA).

Some new approaches are promising, while others, well underway, point to strategies that are critical to the success or failure of an infrastructure protection plan.


Starting from Scratch
Washington state began developing a plan in 2000 that requires compliance by late 2003; it addresses infrastructure protection on four levels: physical, personnel, technology and data.

Washington's Department of Information Services (DIS) provides policy, standards and guidelines that agency directors are encouraged to follow. In developing the infrastructure protection guidelines and standards, the state looked at federal models, among others, but in the end developed its plan "from scratch."

"We spent about a year working with state agencies, higher education and so forth to make sure we covered everything everyone could think of at that time," said Mike McVicker, the state's director for telecommunication services.

A key part of the plan is to promote coordination between agencies. Each agency director or secretary must provide the DIS with written confirmation on the status of an "annual strategic plan and infrastructure portfolio," which describes progress toward compliance with the plan's policies and standards.


Public-Private Partnerships
A comparable effort in New Mexico began with similar coordination but unraveled. The New Mexico Critical Infrastructure Assurance Council (NMCIAC) was developed in 1998 as a cooperative, private and public sector enterprise. Its goals were to exchange information among the business community, industry, educational institutions, the FBI, and New Mexico state and local governments; and to ensure the protection of the state's critical infrastructure.

The organization, directed by the University of New Mexico (UNM), was to assess the threats, vulnerabilities, countermeasures, and responses to infrastructure attacks and unauthorized system intrusions that might affect NMCIAC organizations and the general public.

Initially the group collaborated, formulating good ideas; but in time the NMCIAC languished, becoming fairly innocuous, according to Dennis Morrison, director of Information Technology Security, Evaluation and Risk Assessment for the New Mexico Institute for Mining and Technology, which has taken over leadership of the project from UNM in an effort to revive the organization.

The initial collaboration stalled largely due to lack of both funding and private-sector interest, Morrison said. After Sept. 11, the various agencies charged with protecting the state's critical infrastructure fell into the "typical federal approach" of protecting their own backyards.

Although the NMCIAC presented itself as a nongovernment organization, the government presence within the council, which included the FBI, may have been enough to turn off the private sector. "That seems to be what private enterprise really gets suspicious about -- a government-run information sharing [group] because of the fear of exposure," said Morrison.

The NMCIAC was intended to facilitate information sharing among its members to promote both an understanding of threats and knowledge about response during an incident; but the perception that it was government-run may have inhibited that process.

"We see it time and time again," Morrison said. "Suppose you're looking at cyber-security. If you report some kind of illegal access to your system, and that hits the press at the wrong time or gets released in the wrong way, it affects the bottom line.

"What we had addressed, and are still looking at pretty closely, are some technologies that can [make anonymous] those kinds of reports, but at least say this kind of thing has happened and get the information out," he added. "It's got to be something that's not a government entity that protects these private enterprises. Until you do that, you're not going to get much involvement from them."

As a volunteer organization with little funding, the NMCIAC eventually wore down. Some agencies within the state, such as the Department of Transportation, have critical infrastructure plans in place, but they've taken the stovepipe approach in protecting their own systems, according to Morrison.


The Right Formula
The recently launched New York Cyber Security and Infrastructure Protection Initiative takes steps to crush the stovepipe mentality and promote private-sector involvement.

The initiative identifies 13 major sectors -- transportation and telecom are examples -- in which critical infrastructures need protection. Each sector is assigned co-chairpersons, one from government and one from private industry, who are responsible for collaborating on plans to protect infrastructure in that sector.

"These are high-level people," said Will Pelgrin, initiative director. "That was a requirement, that they be at a level that could command the resources and attention it deserves.

"The real focus is encouraging sharing of information; something unique within our group is that we meet as a collective with all sectors," Pelgrin said. "The sectors come together to share information so we're not building stovepipe information. So many of these sectors have dependencies and interdependencies between and among each other [that] to keep a stovepipe fashion is the wrong formula if we're going to succeed."

The initiative, formalized in September, is still in its infant stages, but "four or five concrete meetings" held to date were well attended. Pelgrin said the initiative was spawned in Gov. George Pataki's office, showing the importance of infrastructure protection from New York state's perspective.

The state is employing methods developed during Y2K -- information-sharing strategies that built trust and yielded results, according to Pelgrin. To quell private industry concerns about freedom of information and information access, the state developed communication standards that mirror those used during Y2K, which were designed to safeguard against the release of potentially damaging information.

New York also adopted a definition of critical infrastructure similar to the one provided in Presidential Decision Directive (PDD) 63, a federal guideline developed in 1998. The New York version, which follows, allows each sector to add to, but not subtract from, the definition:

Cyber assets both technology-based, physical and/or logical, which are so vital that their infiltration, incapacitation, destruction or misuse would have a debilitating impact on the health, safety and welfare or the economic security of the citizens and businesses of New York state.

New York's work in this area is already a model for other states. "The Office of Public Safety pulled together nine additional northeast states to look at it from a homeland security perspective," Pelgrin said. "Those states want to be a part of what New York is doing. We will be able to provide them with templates so we can start sharing information."


Valuable Tools
Information sharing is also the key to Michigan's plan, which was slated for release in December. "It's looking at how can we coordinate our activities, and how can we respond when there is an incident in a more coordinated way given various scenarios and various threats," said Dan Lohrmann, chief security officer for the state's newly created Office of Security and Disaster Recovery.

Michigan relied heavily on vulnerability-assessment tools provided on the National Institute of Standards and Technology (NIST) Web site, and also used guidelines from the U.S. General Accounting Office and the National Infrastructure Protection and Computer Intrusion program (NIPCI). "There's really an abundance of resources out there," Lohrmann said. "From the federal government, from think tanks, to NIST, which has kind of been the bible for us."

New Mexico's Morrison added, "There are some really good tools being developed. We've seen a really good one out of the Sandia National Laboratories for water systems that is an assessment tool. It says 'OK, what are the threats, and what is the likelihood of the threat, and what's the cost of the threat?'"

Also, the federal Critical Infrastructure Assurance Office is working with the NGA to make Matrix -- a software assessment tool developed for federal agencies -- available to states.

In spite of progress made by many jurisdictions, developing a critical infrastructure plan that crosses agency borders requires a national directive, said NASCIO's Dixon.

"Any level of government can sit down and say, 'What's critical to my business?' But then they put blinders on, and it's going to stop at the borders of their business activity," he said. "Where it gets tricky is determining linkages between sectors and levels of governments and functions of government."