Skip to main content
SpringerLink
Log in

A Brief Chronicle of CIP Main Events in the USA Before and After September 11, 2001

  • Chapter
  • First Online:
European Critical Infrastructure Protection

  • 534 Accesses

Abstract

The irrefutable fact that CIP is mainly based on “lessons learned”, statistical data about previous accident, incident and experiences, suggests looking at the USA as the country that has more than a 100 years experience in the field. Starting from the end of 1700 with the protection of roads, railroads and waterways, passing through the tragic events of 9/11 and Hurricane Katrina, until the recent challenges with information security and cyber terrorism, USA has covered, before many others, a long walk in the path of Critical Infrastructure Protection and homeland security. Such wide range of experiences, success stories, and tragic events suggest the need to explore such CIP evolution to learn from them and inspire the decision for the future. Key moments of the USA’s history in CIP will be considered together with the evolution of what is considered “critical” through the analysis of the sector listed as highest priority in CIP.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Hardcover Book
USD 109.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    A chronological timeline of all the US events involving CIs is available at: http://disaster-timeline.com/?page_id=18 (01.09.2013).

  2. 2.

    According to the Department of Homeland Security: “The National Infrastructure Protection Plan (NIPP) provides a unifying framework that integrates a range of efforts designed to enhance the safety of our nation’s critical infrastructure. The overarching goal of the NIPP is to build a safer, more secure, and more resilient America by preventing, deterring, neutralizing, or mitigating the effects of a terrorist attack or natural disaster, and to strengthen national preparedness, response, and recovery in the event of an emergency”. Further information on this topic can be found on the DHS website: http://www.dhs.gov/national-infrastructure-protection-plan (01.09.2013). The NIPP is available here: www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf (01.09.2013).

  3. 3.

    The EPCIP has been established by the Justice and Home Affairs Council, on EC’s proposal, with the “Communication from the Commission of 12 December 2006 on a European Programme for Critical Infrastructure Protection”. The key element of the Communication was a proposal for a directive on the identification and designation of European CIs. According to the EU, the Communication “sets out the principles, processes and instruments proposed to implement EPCIP. The threats to which the programme aims to respond are not confined to terrorism, but also include criminal activities, natural hazards and other causes of accidents, using an all-hazards approach”. The proposal also contained a scenario consisting of a detailed legislative framework in the field of European CIs (ECI), with a specific procedure for identifying and designating ECI and a common approach in assessing the need to improve the protection of such infrastructures. More information on this topic is available on the EU’s website: http://europa.eu/legislation_summaries/justice_freedom_security/fight_against_terrorism/l33260_en.htm (01.09.2013).

  4. 4.

    The topic of the consultations initiated by the US Federal Government has its logic in the fact that more than 85 % of the US Infrastructures are privately owned (Bush 2003). For this specific reason, the US Federal Government clearly wanted to produce laws that have been widely discussed with the Infrastructures owners and operators to reach a balanced level of awareness and agreement of public/private interests and consequently amend the legal framework accordingly. The first example of this large involvement of CI owners and operators is the “President’s Commission on Critical Infrastructure Protection” (PCCIP) established in October of 1997, which highlighted the topic of CIs and made a series of specific recommendations for their protection. Following that experience, on May 22, 1998, the President approved the Presidential Decision Directive 63, establishing a National CIP policy and a government framework to develop and implement infrastructure protection measures. In fact, the discussion did not stand only for a more balanced perspective on the issue, but also constituted the specific moment when both government and Infrastructures owners have drawn a line between the respective playing space and competencies in the matter of security. Later on, the French legal framework, on this topic, will be used as a “European” example in the proper allocation of the playing space between government and private sector in the field of CIP.

  5. 5.

    Is there even more to say on this topic, if another variable is considered. The same roads, waterways, dams and pipelines were reconsidered as “Critical” also 100 years later, in the 80s, when the same US Government was planning their maintenance and assessing their obsolescence. These kinds of events give a clear perception of the CIP lifecycle and their recurrence throughout the history.

  6. 6.

    Brown (2006).

  7. 7.

    In the last example can also be found the premises of the criterion of “alternative” to be adopted by the EU Member States in the procedure of identifying potential European Critical Infrastructures. The Annex 3 of the Council Directive 2008/114 on the “identification and designation of European critical infrastructures and the assessment of the need to improve their protection” refers to the concept of “alternatives”: “The significance of the impact will be determined either by using national methods for identifying critical infrastructures or with reference to the cross-cutting criteria, at an appropriate national level. For infrastructure providing an essential service, the availability of alternatives, and the duration of disruption/recovery will be taken into account”. Such criterion explicitly remind of the invitation sent to the MSs, and formulated in the premises of the Regulation EU No 994/2010 of the European parliament and of the Council of October 20, 2010 “concerning measures to safeguard security of gas supply and repealing Council Directive 2004/67/EC”, where it is explicitly stated: “In order to reduce the impact of potential crises triggered by the disruption of gas supplies, Member States should facilitate the diversification of energy sources and gas delivery routes and supply sources”. In fact, this statement is a call for the “redundancy” of the distribution network as it is further specified in the following of the Regulation: “Sufficient and diversified gas infrastructure within a Member State and across the Union, including in particular new gas infrastructure connecting current isolated systems forming gas islands to their neighbouring Member States, is essential for tackling supply interruptions”.

  8. 8.

    It is important to note that the same initial sectors, that emerged at the beginning of the US history of CIP, are the same considered as “critical” in the Directive 114/08 of the European Council about ECIs, circumstance that further strengthen the path followed by the topics tackled by this study on CIP.

  9. 9.

    In 1947, the “National Security Act enacted and created the modern day Department of Defense. The War Department became the Department of the Army and the air unit was separated out from the Army and became the Air Force. The Navy and Marines were united under the Department of the Navy. The National Security Act also created the National Security Council in the White House as well as the Central Intelligence Agency”. (http://chnm.gmu.edu/cipdigitalarchive/timeline.php?century=19&decade=5&year=1947. 01.09.2013).

  10. 10.

    To have a deep focus on topics like “reconstruction” and “resilience” of buildings, the Business and Defense Service Administration (BDSA) was created in the October of 1953.

  11. 11.

    Reagan (1961), pp. 569–586.

  12. 12.

    According to the NIAC (National Infrastructure Advisory Council): Resilience has become an important dimension of the critical infrastructure protection mission, and a key element of the value proposition for partnership with the government because it recognizes both the need for security and the reliability of business operations. To address the gap between private-sector business practice and protection-focused government policies, the Critical Infrastructure Partnership Study called for renewed focus on resilience efforts. It issued a specific recommendation that the NIAC conduct a study toexamine what steps government and industry should take to best integrate resilience and protection into a comprehensive risk-management strategy.” National Infrastructure Advisory Council (2009).

  13. 13.

    These circumstances set the premises for the establishment of the National Institute for Standards and Technology (NIST—U.S. Department of Commerce).

  14. 14.

    The industrial plans covered also the “chemical risk” in those industries that were dealing with dangerous substances. This circumstance let also foresee the “American Seveso” and the need of having an “Operator Security Plan” as the summa of the knowledge about risks, security measures implemented and preparedness. American Chemistry Council, Chlorine Institute Inc. and Synthetic Organic Chemical Manufacturers Association (2001).

  15. 15.

    It is worthy to point to what I got to write about Computer Forensics: “The constant presence of computer equipment in the scene of a crime, the importance of the information they contain, the fragility and volatility of the computer data, the importance of correct acquisition and management of computer evidence, including their use in court, are conditions that have created fertile ground for the emergence of a new branch of forensic science, known as computer forensics” in G. Taddei Elmi, “Corso di Informatica Giuridica”, 3rd edition, 2010, Edizioni Giuridiche Simone, pp. 187. For a definition of Digital Forensics, it is worthy to quote Giovanni Ziccardi: “computer forensics is the discipline that deals with the preservation, identification, study of the information contained in the computer, or the computer systems in general, in order to highlight the existence of evidence relevant to the fulfillment of investigation” in Luparia, Ziccardi, “Investigazione penale e tecnologia informatica”, Giuffré Editore, 2008.

  16. 16.

    The Computer Security […] assigned the National Institutes of Standards and Technology (NIST) the responsibility for developing security standards and guidelines for sensitive information in government computershttp://chnm.gmu.edu/cipdigitalarchive/timeline.php?century=19&decade=9&year=1987 (01.09.2013).

  17. 17.

    The Defense Advanced Research Projects Agency (DARPA), under the Department of Defense, creates the Computer Emergency Response Team (CERT) at Carnegie Mellon University”.

  18. 18.

    In fact, on June 21, 1995, the Presidential Decision Directive 39 not only asked for more focus on counter terrorism but also increased the effort requested in mapping and managing the field of CIs’ vulnerabilities. In particular, these were the key steps covered by the Directive: “It shall be the responsibility of all Department and Agency heads to ensure that their personnel and facilities, and the people and facilities under their jurisdiction, are fully protected against terrorism. With regard to ensuring security: −- The Attorney General, as the chief law enforcement officer, shall chair a Cabinet Committee to review the vulnerability to terrorism of government facilities in the United States and critical national infrastructure and make recommendations to me and the appropriate Cabinet member or Agency head; −- The Director, FBI, as head of the investigative agency for terrorism, shall reduce vulnerabilities by an expanded program of counterterrorism; −- The Secretary of State shall reduce vulnerabilities affecting the security of all personnel and facilities at non-military U.S. Government installations abroad and affecting the general safety of American citizens abroad; −- The Secretary of Defense shall reduce vulnerabilities affecting the security of all U.S. military personnel (except those assigned to diplomatic missions) and facilities; −- The Secretary of Transportation shall reduce vulnerabilities affecting the security of all airports in the U.S. and all aircraft and passengers and all maritime shipping under U.S. flag or registration or operating within the territory of the United States and shall coordinate security measures for rail, highway, mass transit and pipeline facilities; −- The Secretary of State and the Attorney General, in addition to the latter’s overall responsibilities as the chief law enforcement official, shall use all legal means available to exclude from the United States persons who pose a terrorist threat and deport or otherwise remove from the United States any such aliens” (http://www.fas.org/irp/offdocs/pdd39.htm. 01.09.2012).

  19. 19.

    In fact, according to Brown (2006), the CIWG “also nailed down the categories of infrastructure that it felt needed to be reviewed. Drawing on 1988’s Executive Order 12656, the CIWG identified eight categories of critical infrastructure: −- telecommunications; −- electrical power; −- gas and oil; −- banking and finance; −- transportation; −- water supply; −- emergency services; −- continuation of government”.

  20. 20.

    Executive Order 13010 July 15, 1996, available at http://www.fas.org/irp/offdocs/eo13010.htm (01.09.2013).

  21. 21.

    The E.O. 13010 also explains the reason for such decision: “Because many of these critical infrastructures are owned and operated by the private sector”. This element testifies the level of awareness transferred to the US Government by the CIWG’s recommendation.

  22. 22.

    The composition of the PCCIP included the following offices: “(i) Department of the Treasury; (ii) Department of Justice; (iii) Department of Defense; (iv) Department of Commerce; (v) Department of Transportation; (vi) Department of Energy; (vii) Central Intelligence Agency; (viii) Federal Emergency Management Agency; (ix) Federal Bureau of Investigation; (x) National Security Agency”.

  23. 23.

    The PCCIP report not only covered the topics related to CIP and how to properly face the future challenges, but also covered topics like how to initialize and structure the partnership between the stakeholders involved in the challenge for securing the National CIs. For further information: http://www.fas.org/sgp/library/pccip.pdf (01.09.2013).

  24. 24.

    PCCIP report, Appendix A. The sectors previously identified by the CIWG were eight.

  25. 25.

    It is worth to mention the strategy proposed in the field of “Information and Communications”, considered as a hot topic in the E.O. 13010 that established the Commission: “To strengthen the security of the information and communications infrastructure, the Commission recommends that the federal government work in cooperation with industry to: −-Strengthen overall public awareness to gain acceptance of and demand for security in information systems. -- Promote the establishment and rapid deployment of generally accepted system security principles, beginning with those concerning password management and imported code execution. -- Promote industry development and implementation of a common incident reporting process. -- Increase accessibility of government threat and vulnerability information, expertise in system security assessment and product evaluation, and operational exercises to assist government and industry risk management decision making. -- Define and maintain metrics for security, along with the current set of reliability met- rics, for public telecommunications networks. -- Actively promote network assurance research and development. -- Establish an international framework to support the use of strong cryptography on a global basis. -- Promote the development of effective security enabled commercial information technology and services. Accelerate the development and implementation of usable, affordable tools, methodologies, and practices in information security. -- Support uniformone calllegislation against the backhoe threat”. PCCIP report, Appendix A-9, pp. 127.

  26. 26.

    PCCIP report, Chapter 10.

  27. 27.

    Through the initialization and maintaining of various platform of PPP and information sharing.

  28. 28.

    Executive Order 13231 of October 16, 2001.

  29. 29.

    Executive Order 13228 of October 8, 2001.

  30. 30.

    The Resilience is intended as the capability of an Infrastructure in minimizing potential events that can negatively affect its continuity, being able to restore its services very rapidly after a failure, attack or natural disaster. More on the topics can be found on the DHS website: http://www.dhs.gov/building-resilient-nation (01.09.2013).

  31. 31.

    Homeland Security Presidential Directive/HSPD-5 (2013).

  32. 32.

    National Response Plan, US DHS (2009).

  33. 33.

    Homeland Security Presidential Directive-7 (2013).

  34. 34.

    It is important to draw the attention on how the awareness on what “CIP really is about” emerges from the text of the HSPD-7. In fact, the Directive contains direct references to the complexity of the Infrastructures, the ownership of CI’s—which is largely in the hand of the private sector—and the evil intentions of the terrorists willing to destabilize US Government and orderly societal life. All of these reference can be clearly seen in the “background” section of the Directive: “-- Terrorists seek to destroy, incapacitate, or exploit critical infrastructure and key resources across the United States to threaten national security, cause mass casualties, weaken our economy, and damage public morale and confidence; −- America’s open and technologically complex society includes a wide array of critical infrastructure and key resources that are potential terrorist targets. The majority of these are owned and operated by the private sector and State or local governments. These critical infrastructures and key resources are both physical and cyber-based and span all sectors of the economy; −- Critical infrastructure and key resources provide the essential services that underpin American society. The Nation possesses numerous key resources, whose exploitation or destruction by terrorists could cause catastrophic health effects or mass casualties comparable to those from the use of a weapon of mass destruction, or could profoundly affect our national prestige and morale. In addition, there is critical infrastructure so vital that its incapacitation, exploitation, or destruction, through terrorist attack, could have a debilitating effect on security and economic well-being; −- While it is not possible to protect or eliminate the vulnerability of all critical infrastructure and key resources throughout the country, strategic improvements in security can make it more difficult for attacks to succeed and can lessen the impact of attacks that may occur. In addition to strategic security enhancements, tactical security improvements can be rapidly implemented to deter, mitigate, or neutralize potential attacks”.

  35. 35.

    The Directive calls for specific commitment in accomplishing ambitious tasks, as: “The Plan shall include, in addition to other Homeland Security-related elements as the Secretary deems appropriate, the following elements: −- a strategy to identify, prioritize, and coordinate the protection of critical infrastructure and key resources, including how the Department intends to work with Federal departments and agencies, State and local governments, the private sector, and foreign countries and international organizations; −- a summary of activities to be undertaken in order to: define and prioritize, reduce the vulnerability of, and coordinate the protection of critical infrastructure and key resources; −- a summary of initiatives for sharing critical infrastructure and key resources information and for providing critical infrastructure and key resources threat warning data to State and local governments and the private sector; and --coordination and integration, as appropriate, with other Federal emergency management and preparedness activities including the National Response Plan and applicable national preparedness goals”.

  36. 36.

    The NIPP released in 2009 has been recently superseded by the new version released in 2013.

  37. 37.

    The will of having a unique definition of what is critical and how the CIs should be adequately protected, seems to be the same intent that drove, in 2006, the European Program on CIP with the consequent promulgation of the Directive 114/08/EC on European Critical Infrastructures.

  38. 38.

    The DHS, in 2009, has also published a specific plan for each sector to provide complete and consistent information to all of the stakeholders.

  39. 39.

    Scalingi (2013).

  40. 40.

    Where the culture, the History, the expertise, the legislative framework, the political background and the economic and geographic variables can be used as an example.

References

Download references

Author information

Authors and Affiliations

  1. Department of Systems and Informatics, University of Florence, Firenze, Italy

    Alessandro Lazari

Authors
  1. Alessandro Lazari
    View author publications

    You can also search for this author in PubMed Google Scholar

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Lazari, A. (2014). A Brief Chronicle of CIP Main Events in the USA Before and After September 11, 2001. In: European Critical Infrastructure Protection. Springer, Cham. https://doi.org/10.1007/978-3-319-07497-9_2

Download citation

Publish with us

Policies and ethics

Search

Navigation