Homeland Security identifies potential infrastructure targets

But full implementation of a national infrastructure protection plan is two to three years away, says the leader of the effort.

The Homeland Security Department has developed a framework to identify vulnerabilities in critical infrastructure, but the effort to protect such targets from terrorist attacks is a task still in its infancy, a key department official said Thursday.

Robert Liscouski, the assistant secretary for infrastructure protection, told a group of experts at The Infrastructure Security Partnership, which is made up of private associations and public agencies focused on security-related issues, that full implementation of a national infrastructure protection plan is two to three years away.

"[Our] ability to determine targets and the intent [of terrorists] is a pretty tough job," Liscouski said. But, he added, "we have had relative success" in identifying vulnerabilities in "a target-rich environment such as the U.S."

The law that created the Homeland Security Department mandated that a system be developed for identifying and protecting critical infrastructures, such as electrical grids, water supplies and transportation systems. One of the challenges, Liscouski said, is that most such infrastructure is not owned by the federal government; rather, it rests in the hands of the private sector.

"To get companies to adapt to the process is a steep hill to climb," he said, because they must absorb the costs, which then are "passed on to the consumer because that's how costs get shared."

The federal government is concerned with developing "best practices" for infrastructure protection in a cost-effective way, he added. The carrot-and-stick approach to risk management is one of several tax, insurance and market incentives being explored.

The agency charged with building a framework to protect infrastructure has identified more than 30,000 potential targets through the National Asset Database, Liscouski said, with the three central areas being cyber, physical and human components. Of those, he said, "the cyber component will remain a vulnerable one."

"We don't have all of the resources in the world to protect" the vast infrastructure, Liscouski said, and the government must prioritize vulnerable targets judiciously. The agency is developing a tactical strategy that cuts across all infrastructures and is continually developing them, he added.

Homeland Security has simulated "livewire" cyber attacks on computers, banks and utilities, Liscouski said in an interview, adding that those exercises have "significant value," and another exercise is expected soon.

The rollout of a national plan to protect infrastructure will be coordinated between the private sector and federal, state and local agencies. But challenges remain outside Washington, he said, because the actions occur across the United States.

The first draft of the national plan is expected by the end of this year, Liscouski said. Specific sectors, such as those covered by the Energy and Defense departments, will develop national plans that address their concerns.

Until then, Liscouski said, "we've got to mitigate the next attack. We've got to protect against the next event" while the national plan matures.