Page 9 - Cyber Terrorism and Extremism as Threat to Critical Infrastructure Protection

James F. Powers Jr.







Following the 9/11 terrorist attacks on American soil, the US Government transformed the existing 1960s emergency management protocols and created a new methodology for thinking like our adversaries—what assets (targets) are critical and likely to influence or damage national political objectives and thus cause psychological fear and embarrassment. Physical barriers to protect critical infrastructures are not only expensive, but also flawed. Never will any public- or private-sector owner of critical infrastructure have sufficient resources to protect every designated site. The focus on protection from external physical intrusions should now shift to internal cyber protection measures—personnel surety and Red Teaming.


A post-9/11 Approach: Empowered with a plethora of legislation, President George W. Bush issued a series of executive orders and directives to frame how America would proceed in identifying and protecting America’s critical infrastructures. His vision was clear, succinct and unambiguous: Focus not only on potential terrorist attacks, but rather on any hazard that might damage, destroy or otherwise incapacitate America’s critical infrastructures. The Rationale: regardless of the cause of incapacitation, the consequences will be the same.


Bush’s vision resulted in today’s All-Hazards Approach—terrorist attacks, major disasters, and other emergencies. This approach leads planners to consider myriad factors—designating and grouping infrastructures by sector, historical analysis of the most-likely scenarios impacting infrastructures, emerging intelligence threats, available resources, prioritization of infrastructures, ownership (public- and private-sector) of infrastructures, criticality criteria, stakeholders associated with infrastructures, existing vulnerabilities of infrastructures, consequences associated with damage or destruction of infrastructures, available resources and overall risk management. The Intent: apply the available resources to the most-likely threat.

This approach produced the US National Infrastructure Protection Plan. The current plan (2013) designates 16 sectors; the Information Technology Sector is orchestrated by the Department of Homeland Security. For cyber-specific issues, the newly created

