Homeland Security Watch

News and analysis of critical issues in homeland security

March 30, 2010

85% More From The Private Sector About Critical Infrastructure

Filed under: Infrastructure Protection — by Christopher Bellavita on March 30, 2010

I was reading a paper by my colleague Nick Catrantzos  yesterday when I came across this sentence:

“…infrastructure defense is assumed to fall primarily into the hands of the private sector, which operates 85% of critical infrastructure.”

I ranted a year ago about the 85% number in a post that appeared on this blog.

The Number simply won’t die. It lives beyond truth or lie. Its reality is independent of time and space.

So I wrote back to Nick summarizing what I believe is the problem with The Number.

Nick — who loves the English language as a gardener treasures orchids — once presented me with a knit picker.  So he is aware of my tendency to occasionally pole vault over mouse turds.

Nick also has spent time in the same Circus and has been known to pick a nit or two, so he responded back with some evidence about the 85% number.  I pushed back.  He returned fire.  As did I.

Then he wrote something that shined a light on a bias I did not see I had.

A year ago, I wrote:

…the 85% figure has been used to justify a laissez faire critical infrastructure strategy. Private sector “ownership and control” has been interpreted to mean government frequently has to ask politely before it tries to do anything to improve safety and security.

If the 85% figure is wrong — or at least unsupported by any empirical basis — maybe the policies derived from that belief are also wrong.

Basically, I thought the 85% number was used to justify the government not pushing the private sector hard enough when it comes to protecting critical infrastructure.

Nick — who is a security manager and former security consultant for public and private organizations — described how this “who owns what” issue looks from the private sector.

My dilemma, perhaps a distant cousin to your own, has been in encountering an obdurate, logic-proof insistence by cops, fire fighters, emergency managers, fusion center staff, and DHS minions to define my employer and all critical infrastructure stewards as private sector entities.

It does not matter how much we demonstrate that we are a public agency and a regional extension of government.  As far as these people are concerned, we are private, hence unworthy of sensitive information (even if we were the ones to originate it) and inherently suspect of being profit driven (no matter how many wasteful, feel-good programs we underwrite for some avowed public good).  Even being part of the same retirement system and driving vehicles with tax-exempt license plates — two surefire convincers everywhere else — have no impact in shaking the conviction that we are infrastructure stewards, hence private sector mercenaries.

My unproven suspicion is that much of what is at the bottom of this categorization is a sort of tribal urge to satisfy two unstated objectives:

1.  Limit the in-group to an established comfort zone and organizationally and traditionally familiar faces.

2.  Assure that the existing in-group gains and keeps primacy at the trough of grants and other funding destined for public sector actors who are new both to homeland security and critical infrastructure protection.

If there are points to this fugue that resonate with me as an infrastructure steward, they are these:

A.  Critical infrastructure is definitely in both public and private hands.  Given the types of infrastructure that exist, it is reasonable and credible to accept that they are mainly privately owned and operated.

B.  Whether that percentage figure of 85% is anything more than an approximation or an archly crafted statistic meant to advance an ulterior agenda is mildly interesting to an infrastructure steward. At the end of the day, the hand on the wrench or on the SCADA system comes from the same gene pool, skill set,  and population.

C.  Even a critical infrastructure operation that is entirely managed by a public agency is going to have some private sector involvement and exposure.  Construction comes to mind.  We are always building or modifying facilities and upgrading systems.   Contrary to popular belief, even the wealthiest of public agencies cannot hire everyone they meet.   Contractors and subcontractors are as ubiquitous as they are indispensable.

D.  The original point of emphasizing private ownership and operation, to the extent I absorbed one, seemed to be as a means of emphasizing that protecting critical infrastructure is a shared responsibility and one that would be imperiled by ignoring private sector stakeholders. That point still makes sense to me.


4 Comments »

Comment by William R. Cumming

March 30, 2010 @ 5:53 am

Well another great discourse on CIP and the 85% paradigm. Since that year ago litany, a PhD student wrote me asking based on my reference to the September 1997 PCCIP report as the basis for that number she challenged me for the specific reference. Of course she was right and the report does NOT use that percentage anywhere. I wrote her back agreeing with her conclusion and then suggested that my memory from the Presidential Directive drafting sessions for PD-63 (I attended perhaps 5 of the almost one dozen for FEMA) that I distinctly remember Michael Vatis (last at Dartmouth if memory serves) and then representing DOJ using that percentage. She was last heard trying to track him down. Anyhow she also is researching that issue so hope she reads this post and comment and shares her research with all. Certainly a worthy thesis topic.
And to agree with the conclusion of the post, usually SCADA and critical infrastructure are shared by the entire spectrum of the economy whatever the origins or ownership.
What really concerns me almost 13 years later from issuance of the PCCIP report is that so little of regulated industry or standards setting organizations has been devoting sufficient effort to resiliency and interoperability and redundancy and repairability of their systems. The result is that a teenager with a .22 rifle can do significant month long damage to many sectors of the economy much less with explosives or more sophisticated incendiaries.
So hoping this subject reappears from time to time and would be interesting to see the ISACs report on their findings and conclusions on this subject which would seem to be part of their basic goals in developing resiliency.
Another arena that interests me on CIP and cyber security is how come over 2,000 pages of new legislation on health care did not consider any of that concern? Hoping of course I may be wrong and someone might find some. Just as budget impacts are produced by CBO and Environmental Impact Statements and Assessments are produced perhaps we need a statutory mandate across the board or in each new act of Congress for a “resiliency” impact statement.

Comment by Dan O'Connor

March 30, 2010 @ 11:13 am

I think the points Chris Bellavita and Mr. Cumming make are important but with due respect to them and others; to what end?
Having also dropped the 85% stat in a March 2nd response;

(Cumming; “…The book appears to have overlooked, and Chris and Dan also, the fundamental flaw in all Homeland Security efforts to date. What is that flaw? Look at the 15 specific scenarios for national planning adopted early on and also look at the dialectic that 85% of all critical infrastructure is privately owned!…”.)

How and what response is expected and/or demanded by the end user? Where do the consumer and citizen fit in? If the number is in fact accurate so what? What is the magical number that action is initiated for a resiliency campaign?

I bring this up because CIP and resiliency now have to grow or be created from and in an increasingly volatile and terse fiscal environment. These institutions will only self correct and/or increase inefficiencies when it affects their bottom lines. This is not a linear problem and therefore the percentage of ownership has a degree of irrelevance to it. Each substrate of critical infrastructure has a co-dependent; power delivery; energy. energy; economy. Economy; revenue stream etc. Where will the surplus capital infusion come from?

Is this a Keynesian problem or a Milton Friedman one in terms of how economics can solve the problem? Is it a DoD problem, where a lot of the technological innovation we currently use was born in the 60’s and 70’s. Is it a DARPA problem? I hear a lot of people like one of their projects pretty well. Even if you used CIP resiliency as a works project, the idea is free, the implementation is costly. Urbanization also makes upgrades and improvement difficult.

Also, critical infrastructure is never revolutionary. It, almost universally is an evolutionary byproduct of growth, technology, and requirement, not the other way around. So it’s a constant retrofit. Need or desire always belays innovation and delivery. Perhaps an overstatement or hyperbole on my part, but that does seem to be the case. It’s astounding that as late as the 1940’s wood was still used for pipes in this country. So is it too big to fail? The better question, from my point of view is how do we make it smaller, repeatable, and redundant; resilient. At the end of the day industry and privately owned companies will only change when it meets their own self interests. Until the end user votes with a change in behavior, it may not matter what percentage of the infrastructure is owned.

Torture numbers, and they’ll confess to anything. ~Gregg Easterbrook

Comment by William R. Cumming

March 30, 2010 @ 11:47 am

Great comment by Dan. My whole point is that we never seem to consider the systems do fail, often with help by human intervention [see the Normal Accident--Perrow] or lack thereof. We actually have designed intentionally most of the critical systems to be highly unresilient and lacking in essential stability. Why? My only explanation is that the system designers have NO incentives to build in resiliency. Perhaps their viewpoint is too stovepiped by their specific expertise and lack of knowledge of impacts of failures. Most levees and dams in the US were built during the 30’s and 40’s and all have a useful life of perhaps 90-120 years. Then what? Were they designed for what happens when their useful lives end due to exceedance or failure or silting? I would argue for broader perspectives–since the internet was a DOD/DARPA initiative but now appears to be leading to allowing catastrophic societal attacks perhaps there is a need for some longer term perspectives? And of course “critical” to who or what segments of society?

Comment by Stiv Morray

July 26, 2011 @ 7:17 am

Also, critical infrastructure is never revolutionary. It, almost universally is an evolutionary byproduct of growth, technology, and requirement, not the other way around.
