Review and Revision of the National Infrastructure Protection Plan
July 8, 2013
Lisa Barr
DHS/NPPD/IP/Office of Strategy and Policy
245 Murray Lane SW, Mail Stop 8530
Arlington, VA 20598-8530
Via e-mail to: [email protected]
RE: Review and Revision of the National Infrastructure Protection Plan (Docket # DHS-2013-
0024)
Dear Ms. Barr:
The Information Technology Industry Council (ITI) appreciates the opportunity to respond to the
Department’s planned rewrite of the National Infrastructure Protection Plan (NIPP) to conform
to the requirements of Presidential Policy Directive (PPD) 21, Critical Infrastructure Security
and Resilience.
ITI is the premier voice, advocate, and thought leader in the United States for the information
and communications technology (ICT) industry. ITI’s members[1] comprise the world’s leading
technology companies, with headquarters worldwide. Cybersecurity is rightly a priority for all
governments. We share the goal with governments of improving cybersecurity and therefore our
interests are fundamentally aligned. As both producers and users of cybersecurity products and
services, our members have extensive experience working with governments around the world
on cybersecurity policy. In the United States, ITI is a member of the IT Sector Coordinating
Council (SCC), and many of our companies are members of the IT and/or Communications
Sector Coordinating Councils. Through the SCCs and other bodies and avenues we take
seriously our responsibility in the public-private partnership to improve cybersecurity.
ITI supports the review and revision of the NIPP to ensure that it remains relevant to the critical
infrastructure (CI) mission over time. Based on the initial list of proposed changes included in
the Federal Register (FR) notice, and the request for additional changes to make the NIPP more
relevant and useful in strengthening the security and resilience of the nation’s critical physical
and cyber infrastructure, ITI has the following comments and suggestions, which we present in
relation to the headings in the FR.
Review of the Risk Management Approach
National Critical Infrastructure Prioritization Program (NCIPP): Consistent with the 2006
NIPP, DHS has established the NCIPP, which uses a tiered approach to identify
nationally significant CI each year. Per a recent GAO report,[2] DHS has made several
changes to how it assigns assets to the list but has not identified the impact of the changes
on the list’s users or validated its approach to developing the list. A revised NIPP should
explicitly call for all SCCs to have greater input into the development and review of the
NCIPP prioritization lists.

[1] See attached ITI member list.
[2] U.S. Government Accountability Office, CRITICAL INFRASTRUCTURE PROTECTION: DHS List of Priority Assets Needs to Be Validated and Reported to Congress, March 2013. http://www.gao.gov/assets/660/653300.pdf
IP-enabled infrastructure and assets: The 2009 NIPP reinforces the importance of joint
input from both the IT and Communications sectors for IP-enabled infrastructure and
assets. Future versions of the NIPP should seek to preserve this structure.
Closer Integration of Physical and Cyber Security
Research and development (R&D): Sector-specific R&D efforts for improving the
resiliency of critical infrastructure, as outlined in PPD-21 (e.g., the National Critical
Infrastructure Resilience and R&D Plan), should solicit input from both the associated
Sector-Specific Agencies and SCCs.
Updates to Information-Sharing Tools and Mechanisms
Leveraging Executive Order (EO) 13636: Section 4 of EO 13636, Improving Critical
Infrastructure Cybersecurity, focuses on increasing information sharing from government
to industry. The EO outlines a number of steps intended to improve the government’s
sharing of actionable information with the private sector on specific, targeted cyber
threats as well as technical indicators that flag risks generally. Future versions of the
NIPP should include the same steps presented in the EO.
Security and privacy: The revised NIPP should include comprehensive security
mechanisms and privacy considerations for cyber threat data that federal entities may
share with private sector.
Other
Bolstering the public-private partnership: In revising and implementing a revised NIPP,
DHS must fully implement and utilize the partnership structures and policies described in
the original NIPP that are aimed toward improving our nation’s cybersecurity posture.
The IT sector, through the IT SCC, began an effort in 2012 to work with DHS to identify
ways to improve our collaboration and better. Although at a nascent stage, we are
encouraged by our discussions with DHS thus far and appreciate their apparent
commitment to aligning our goals and efforts to improve infrastructure protection and
resilience, and in particular cyber security. However, it is imperative that the top
leadership at DHS and in the Administration fully commit to executing the Department’s
roles and responsibilities related to CIKR protection, as well as specific mechanisms for
the governance, coordination, and information sharing necessary to enable effective
partnerships, as described in the NIPP. A renewed commitment, followed by action, by
DHS to partner with industry to set and execute on common cybersecurity goals via a
NIPP framework will make our nation’s cyber posture stronger.
Outreach to other governments: We appreciate the outreach to U.S. industry that DHS is
conducting regarding this NIPP rewrite. Outreach should not solely be domestic,
however. The U.S. Government should conduct extensive global outreach to educate
other governments about the NIPP and any planned revisions—what they are and what
they are not—and encourage those governments to similarly take approaches to CI
security and resilience based on public-private partnerships. This will minimize the
chances that some governments might misunderstand DHS’s work and assume the U.S.
Government is developing a new regulatory process related to cybersecurity. Particularly
given that a number of governments around the world already misunderstand the U.S.
public-private partnership approach, and are embarking down worrisome regulatory paths
in the cybersecurity field, outreach to foreign governments explaining exactly what the
Administration intends to do will help mitigate any chances foreign governments will
develop their own policies based on a misunderstanding of ours.
ITI would like to thank DHS for its industry outreach regarding revision of the NIPP. We hope that
our input is helpful and will receive due consideration. We are available at any time to elaborate on
our comments and our suggestions. ITI and its members look forward to continuing to work with
DHS and the Administration generally to improve America’s cybersecurity posture. Please continue
to consider ITI a resource on cybersecurity issues moving forward.
Sincerely,
Danielle Kriz
Director, Global Cybersecurity Policy