By Robert Schmidt

“The line separating threats that apply only to the private sector from those associated with traditional national security concerns must give way to a concept of shared threats. Shared threats demand a shared response, built from increased partnerships between government and the owners and operators of our infrastructures.”[1]


To date, the concept of a shared response between government and industry has been forgotten or neglected in favor of information sharing. To achieve an effective risk mitigation strategy, we must correct this mistake.


Information Sharing Is Broken
While a worthy goal, information sharing between government and industry doesn’t work, except under the most favorable and proscribed conditions. There are several trust and performance issues that impede effective “public-private” information sharing:

1. The private sector does not trust the government to safeguard its secrets regarding infrastructure protection successes or failures, fearing that improperly used information will lead to increased regulation, anti-trust concerns, or unfavorable press coverage. These factors may all degrade an enterprise’s ability to effectively compete in the marketplace. Current efforts to reassure the private sector (PCII, etc.) are ineffective.
   
   
2. The private sector lacks confidence in recently established “information sharing programs,” (ISACs, InfraGard’s VPN, HSIN or USP3, etc.), because of their inability to deliver actionable information at an “institutional level”. The information currently being “shared” on multiple portals may be interesting or even entertaining, but it cannot be termed actionable. As a consequence, it has low value for infrastructure protection. The private sector and government share some of the blame for the failure of these portals to deliver. However, the demonstrated inability of government to effectively disseminate actionable information provides little incentive for the private sector to engage in the process.
   
   
3. The information sharing process is further inhibited by the protocols that have been established for information handling within the federal government. Even local governments complain that the “information sharing” process is, at best, inconsistent from one federal agency to the next. In many instances the process ends up being a one-way street. The private sector and local governments put information into the process only to have it disappear without any meaningful feedback from the federal government about how the information was used or if any action was taken as a result. The opaque nature of activities that may or may not be undertaken by the government, especially law enforcement agencies, is a constant source of concern and frustration for the private sector and local governments.
   
   
   

“Actionable Information” is the only information that is important to C level decision makers in private industry.

These barriers prevent actionable information from ever being shared between “institutions.” Actionable information is only shared by individuals who:

a) Trust each other
b) Have a stake in each other’s wellbeing
c) Are united by a common adversary.


Industry and government share information between individuals who know and trust each other. When government officials share actionable information they do so from a high level in government directly and personally to a correspondingly high level in industry. The trigger for this sharing is an “imminent threat.” Industry uses the same trigger to talk to government, but only if the threat is beyond the immediate capacity of the enterprise to effectively mitigate. This often leads to a shared response. Unfortunately, the trusted group is a small percentage of public-private individuals and the information is so enterprise specific that it holds little value for strategic decision making within an industry, city or state.


These issues of trust raise several interesting questions:

1) If actionable information is only exchanged by individuals who trust each other, how do we expand the groups of trusted agents that exist between government and industry? “Industry associations” have a good track record of bringing sector participants together to address common regulatory issues (or adversaries). However, for obvious reasons, government rarely participates in a meaningful manner. Industry groups that have formed specifically to work closely with government are, unfortunately, almost always “stove piped” (ISACs, etc.) and give participants a narrow view of the shared threat/response environment.

2) How do we expand the circle of trust beyond specific sectors or “stovepipes” and engage industry across sectors to expand our communal operational awareness? The Protective Security Advisor (PSA) program that DHA is currently establishing shows promise in this area. The FBI’s InfraGard Program has developed an impressive footprint and seems to be gaining some traction in this field. There also are a variety of “infrastructure” associations (ASIS, etc.) that strive to cross stovepipes and expand our awareness on a variety of topics. Connecting the subject matter experts that populate these groups in a cohesive fashion remains a significant challenge.

3) How do we develop, and expand, industries’ response capability and how do we coordinate this response with government? Not surprisingly, none of the associations, organizations, or programs above has a response capability. Nor would we expect them to develop such a capability. Response to large-scale events is historically the purview of government. However, industry must begin to relieve some of the mantle of responsibility from government. The scope and complexity of the global economy is beyond the reach of a solitary government response. Thus, the private sector must begin to ensure, on our own and in concert with each other, that our individual pieces of the infrastructure are robust and secure from threats. In the event that a threat occurs we must coordinate our plans with government resources if we are to be successful and recover quickly.


What We Need to Ask of Government

We need to ask the government to enable the private sector to participate in its own defense by:

a) Transitioning technology and knowledge from government (DoD, Intelligence community, etc.) into the private sector market place.

b) Practicing the concept of a “shared response.” This can best be achieved by expanding the scale and scope of public-private exercises to go beyond “table-tops”. They must stress more than communication and coordination paths to force joint response decisions, based on actionable information shared between government and industry.

c) Support programs that bring together and establish trust (on an individual, personal basis) between the private sector and government at a local level (the FBI’s InfraGard program, DHS’s PSA program, Chicago First, etc.) and encourage the integration of these programs with each other.


InfraGard’s Role

As President of the InfraGard National Members Alliance (INMA), it seems appropriate that I take a few moments to highlight what we believe our role should be in assisting with the development of a shared response capability.

At the outset we need to acknowledge a few premises that will form the foundation of our strategy:

1) The United States cannot and will not prevent future terrorist attacks on our infrastructure. As a result, we must concentrate on making our infrastructure resilient (quick to recover) and robust.

2) The infrastructure will be protected locally. Local owners and operators of the infrastructure are in the best position to create robust enterprises. The value of the InfraGard Program is found in its 84 local InfraGard Members Alliances (IMAs).

3) The response of federal, state, and local governments must be coordinated with the response of industry to facilitate a quick recovery.

4) The original expectations of InfraGard members must be adjusted to correct for the erroneous notion that the government will provide access to sensitive, actionable information to a self-selected subset of the population. In addition, the original expectations of government must be adjusted to correct for the mistaken belief that the private sector will expend resources to provide sensitive data to the government without a detailed understanding of how the information will be used or without a demonstrated return on their investment.

To date, the InfraGard Program has a good track record of building individual trust relationships between industry and government (primarily the FBI). The creation of these trusted relationships has little to do with institutional information sharing across secure portals. As a result, the INMA has largely minimized its participation in the information sharing paradigm and is instead concentrating on providing value to subject matter experts (SMEs) that exist across sectors and within government.


The identification of a broad range of SMEs and the collaboration that can exist between them will be a critical factor in creating a resilient and robust set of infrastructures. It is the INMA’s primary goal to support the creation, through its IMAs, of trusted forums where vetted SMEs can meet, exchange knowledge and prepare their enterprises for undesirable events. In this way, the INMA seeks to assist with the creation of a robust infrastructure.


Coordination with state and local governments has been elusive for many of those concerned with infrastructure protection. Often state and local governments lack the expertise or bandwidth to effectively coordinate infrastructure protection plans across jurisdictions and enterprises. For instance, many municipalities have failed to disclose, let alone practice, simple evacuation plans with the private sector. InfraGard is in a unique position to help facilitate such exercises through its extensive network of IMAs. It is one of the INMA’s strategic goals to ensure that greater participation between government and the private sector is possible. In this way, the INMA can help create a resilient infrastructure.



Conclusion

The United States’ infrastructure will be protected locally. The notion that the federal government should develop an umbrella approach to infrastructure protection through information sharing is unworkable.


Government needs to accept a patchwork of local solutions that solve local problems. Government and industry need to build trust within the diverse groups that are willing and able to participate in a shared response to infrastructure threats.


InfraGard faces four major challenges: 1) continually identifying high quality SMEs across sectors, 2) connecting SMEs that populate the patchwork of local solutions with each other, 3) creating a trusted collaborative environment with government at the local, state, and national level, and 4) establishing value for the private sector and government.


It is the INMA’s belief that by working together we can overcome the obstacles that stand in the way of genuine collaboration on infrastructure protection issues, but we face significant cultural and institutional barriers that conspire to keep us from our goals. The patient pursuit of building trust one individual, one institution, and one agency at a time is painstakingly slow but absolutely necessary. If we stay the course we will ultimately succeed and create a stronger, more robust and resilient infrastructure and country.

Robert Schmidt is president of the InfraGard National Members Alliance.



[1] From President Clinton’s Commission of Critical Infrastructure Protection (PCCIPP).