The Department of Homeland Security's (DHS) Critical Infrastructure Protection Cost-Benefit Report
GAO-09-654R: Published: Jun 26, 2009. Publicly Released: Jun 26, 2009.
In 2005, Hurricane Katrina devastated the Gulf Coast, damaging critical infrastructure, such as oil platforms, pipelines, and refineries; water mains; electric power lines; and cellular phone towers. The infrastructure damage and resulting chaos disrupted government and business functions alike, producing cascading effects far beyond the physical location of the storm. Threats against critical infrastructure are not limited to natural disasters. For example, in 2005, suicide bombers struck London's public transportation system, disrupting the city's transportation and mobile telecommunications infrastructure. In March 2007, we reported that our nation's critical infrastructures and key resources (CIKR)--systems and assets, whether physical or virtual, so vital to the United States that their incapacity or destruction would have a debilitating impact on national security, national economic security, national public health or safety, or any combination of those matters--continue to be vulnerable to a wide variety of threats. According to DHS, because the private sector owns approximately 85 percent of the nation's CIKR--banking and financial institutions, telecommunications networks, and energy production and transmission facilities, among others--it is vital that the public and private sectors work together to protect these assets. The Homeland Security Act of 2002 created DHS and gave the department wide-ranging responsibilities for, among other things, leading and coordinating the overall national critical infrastructure protection effort. For example, the act required DHS to (1) develop a comprehensive national plan for securing the nation's CIKR and (2) recommend measures to protect CIKR in coordination with other agencies of the federal government and in cooperation with state and local government agencies and authorities, the private sector, and other entities. Homeland Security Presidential Directive 7 (HSPD-7) further defined critical infrastructure protection responsibilities for DHS and those federal agencies--known as sector-specific agencies (SSA)--responsible for particular industry sectors, such as transportation, energy, and communications. HSPD-7 directed DHS to establish uniform policies, approaches, guidelines, and methodologies for integrating federal infrastructure protection and risk management activities within and across CIKR sectors. The Conference Report accompanying the Department of Homeland Security Appropriations Act, 2005, directed DHS to complete an analysis on whether the department should require private sector entities to provide DHS with existing information about their security measures and vulnerabilities in order to improve the department's ability to evaluate critical infrastructure protection nationwide. This direction was consistent with concerns raised by the House Appropriations Committee about DHS's progress conducting vulnerability assessments for critical infrastructure facilities generally, and security measures at chemical facilities in particular.
DHS used two contractors to complete the cost-benefit report at a cost of about $3.4 million. In August 2005, the first contractor developed a draft proposal that discussed the scope of the information required to complete the report and the security and vulnerability information currently available to DHS. It also proposed surveying the public and private sectors to collect information on the costs anbenefits of providing vulnerability assessment and security information to DHS. DHofficials said that DHS rejected this approach because DHS was involved in developing a public-private partnership structure and officials believed that doingsurvey on possible regulatory costs would have adversely affected the partnershipbuilding process. DHS officials also said that the Paperwork Reduction Act (PRA)--which requires agency requests for information to undergo internal and OffManagement and Budget review and approval and includes, among other requirements, public comment periods for the proposed information-gathering method--could have resulted in some delays in gathering data for the report, but it was not the primary reason for rejecting the proposed survey approach. DHS subsequently tasked the second contractor to complete the report using a different methodology, and according to DHS, this contractor produced a draft report in December 2005. This contractor compiled publicly available information on the costs and benefits to the public and private sectors of requiring vulnerability and security information be provided to DHS. Although the second contractor's report discussed potential public and private sector costs and benefits, it did not articulate which of these costs and benefits were most important, nor did it conclude whether the costs exceeded the benefits, or vice a versa, with regard to potential requirements for the private sector to provide information on vulnerabilities and existing security measures. DHS took receipt of the second contractor's report and, according to DHS officials, continued to revise it throughout the following year to incorporate information from the final NIPP and it's supporting sector specific plans. In addition to a discussion of potential costs and benefits, DHS's final report, dated June 2007, includes a general discussion of critical infrastructure risk management and associated information needs, an overview of the existing regulatory environment for each of the CIKR sectors, and the availability of security information and its utility to security partners, such as CIKR owners and operators. DHS officials told us that they believe the final report was useful because it provided insights on different regulatory approaches across sectors and used appendixes to present more detailed regulatory overviews of three sectors--the chemical sector, the electricity sub sector of the energy sector, and the food and agriculture sector. They added that some sectors used this information to help write sector specific plans (SSPs) that are to augment the NIPP and detail the application of the NIPP framework to each CIKR sector. Nonetheless, DHS officials said that they believe that the report is outdated because DHS's CIKR program has evolved and matured since the report was originally completed, including DHS's efforts to promote and achieve voluntary information sharing between DHS and the private sector. Regarding the latter, DHS officials stated that they believe that the type of report directed by the Conference Report--that DHS analyze whether private sector entities should be required to provide information to the department--conflicts with the partnering/voluntary information-sharing approach DHS was already mandated to pursue under the Homeland Security Act.