Critical Infrastructure Protection:
Progress Coordinating Government and Private Sector Efforts Varies by Sectors' Characteristics
GAO-07-39, Oct 16, 2006
As Hurricane Katrina so forcefully demonstrated, the nation's critical infrastructures and key resources have been vulnerable to a wide variety of threats. Because about 85 percent of the nation's critical infrastructure is owned by the private sector, it is vital that the public and private sectors work together to protect these assets. The Department of Homeland Security (DHS) is responsible for coordinating a national protection strategy including formation of government and private sector councils as a collaborating tool. The councils, among other things, are to identify their most critical assets, assess the risks they face, and identify protective measures, in sector-specific plans that comply with DHS's National Infrastructure Protection Plan (NIPP). GAO examined (1) the extent to which these councils have been established; (2) the key facilitating factors and challenges affecting the formation of the councils; and (3) the overall status of the plans and key facilitating factors and challenges encountered in developing them. GAO obtained information by reviewing key documents and conducting interviews with federal and private sector representatives. GAO is not making any recommendations at this time since prior recommendations are still being implemented. Continued monitoring will determine whether further recommendations are warranted.
All 17 critical infrastructure sectors have established their respective government councils, and nearly all sectors have initiated their voluntary private sector councils in response to the NIPP. However, council activities have varied due to council characteristics and level of maturity. For example, the public health and health-care sector is quite diverse and collaboration has been difficult as a result; on the other hand, the nuclear sector is quite homogenous and has a long history of collaboration. As a result, council activities have ranged from getting organized to refining infrastructure protection strategies. Ten sectors, such as banking and finance, had formed councils prior to development of the NIPP and had collaborated on plans for economic reasons, while others had formed councils more recently. As a result, the more mature councils could focus on strategic issues, such as recovering after disasters, while the newer councils were focusing on getting organized. Council members reported mixed views on what factors facilitated or challenged their formation. For example, long-standing working relationships with regulatory agencies and within sectors were frequently cited as the most helpful factor in establishing councils. Challenges most frequently cited included the lack of an effective relationship with DHS as well as private sector hesitancy to share information on vulnerabilities with the government or within the sector for fear the information would be released and open to competitors. GAO's past work has shown that a lack of trust in DHS and fear that sensitive information would be released are recurring barriers to the private sector's sharing information with the federal government, and GAO has made recommendations to help address these barriers. DHS has generally concurred with these recommendations and is in the process of implementing them. At the time of GAO's review, all of the sectors were preparing plans, although these plans were at varying stages of completion--ranging from nearly complete to an outline. Nevertheless, all sectors expected to submit their plans to DHS by the December 2006 deadline. DHS's 18-month delay in issuing the NIPP and the changing nature of DHS guidance on sector plans were cited as challenges to developing the plans. As of August 2006, collaboration between the sector and government councils on the plans, which is required by the NIPP, had yet to take place for some sectors. Issuing the NIPP and completing sector plans are only first steps to ensure critical infrastructure is protected. More remains to be done to ensure the adequate protection of our nation's critical infrastructure. A number of sectors still need to identify their most critical assets across their sectors, assess their risks, and agree on protective measures. DHS, the Department of Health and Human Services, and the Environmental Protection Agency had no formal comments on the draft report but provided technical comments.