Inside Energy July 22, 2002
Bush homeland strategy draws applause, questions
By David Jones
President Bush's national strategy for promoting homeland security, which the White House released on Tuesday, generally won favorable reviews from several analysts, though some questioned whether the plan provides enough detail about protecting essential energy infrastructure and overemphasizes threats from cyber attacks.
''The National Strategy for Homeland Security'' calls for beefing up protection for energy systems and other critical infrastructure because of the potentially catastrophic consequences of a terrorist attack. ''Our society and modern way of life are dependent on networks of infrastructure -- both physical networks such as our energy and transportation systems and virtual networks such as the Internet,'' the strategy document noted. ''If terrorists attack one or more pieces of our critical infrastructure, they may disrupt entire systems and cause significant damage to the nation.''
But all the country's assets and systems within each critical infrastructure sector -- energy, food, water, public health and others -- are not equally vital. The government, then, must apply a consistent yardstick in evaluating the value of assets and systems to focus its efforts on the highest priorities, the Bush plan said. The federal budget must reflect the differences in resources needed to safeguard vital assets and systems on one hand and resources needed to protect other important infrastructure on the other. Terrorists could try to cause widespread damage and disruption by attacking electronic and computer networks -- cyber attacks -- ''which are linked to other critical infrastructures such as our energy, financial and securities networks,'' the Bush strategy warned. As terrorists continue to build their technical capabilities and learn more about potential targets, the plan said, ''cyber attacks will become an increasingly significant threat.''
Bush said science and technology would play critical parts in countering terrorism, and his proposal would give the new department the power to coordinate most of the federal government's domestic security r&d. This would involve developing countermeasures against weapons of mass destruction, establishing a national laboratory for counter-terrorism r&d, setting standards for anti-terrorist technology, and conducting technology demonstrations and pilot deployments.
Developing effective bulwarks against attacks also must include harnessing the best analytic, modeling and simulation tools, the administration said, and the proposed Department of Homeland Security ''would take as its foundation the National Infrastructure Simulation and Analysis Center.'' NISAC, a joint project of Los Alamos National Laboratory and Sandia National Laboratories that assesses natural and manmade threats to dams, power plants and other infrastructure, would be shifted to DHS under legislation the Bush administration sent to Capitol Hill.
The Bush strategy also lists other initiatives to protect critical infrastructure, including constructing a list of key assets, building partnerships with companies and state and local governments, drafting a national plan for protecting infrastructure, and guarding systems against infiltration.
This emphasis on developing a national strategy to fortify energy systems against attacks is overdue, said Richard Lawson, chairman of the Washington consulting company Energy Environment & Security Group Ltd. ''It's a terrific first step,'' he said. ''We're quite pleased. It finally orients infrastructure protection in a centralized direction.'' Lawson has worked with NISAC for several years and recently led a working group that looked at protecting energy infrastructure as part of broad plan the U.S. Energy Association issued on Friday to promote energy security (related story p. 16).
The White House report's emphasis on threats from attacks to computers and networks is understandable, Lawson said, because the most policymakers have focused on the dangers of attacks on hard targets. ''There hasn't been an awareness of cyber attacks, but they represent a real threat,'' he said, adding that the Bush strategy would help raise awareness of this danger.
Energy operations, like most essential infrastructure, are almost exclusively privately owned and managed, and ''it will certainly be a huge task to connect the private sector and the government sector in creating an appropriate response,'' Lawson said. He noted the concern that some companies might have about disclosing proprietary information to government agencies for fear it might one day be disclosed to the public. One approach would be to ask energy trade associations to collect information from their members in bulk form, he suggested, and use the data in aggregated form, as the Edison Electric Institute does.
Criticism over cyber focus
David Heyman, senior fellow at the Center for Strategic and International Studies, a Washington think tank, also praised the Bush strategy. But he called some of it old hat and suggested it might have gone too far in warning of the dangers of cyber attacks on energy assets.
''It's a good, comprehensive document that provides a fairly dramatic portrayal'' of terrorist threats, said Heyman a former adviser to the Energy Department on science and technology policy. ''It also provides good explanatory material. It's a 'Homeland Security 101' because it does a good job of educating as well as laying out a blueprint.''
The document's assessment of critical infrastructure weaknesses, however, ''is nothing new. Areas of vulnerability were identified in the mid-1990s. There were many initiatives during the Clinton administration to bolster our critical infrastructure,'' he said. Testing computers for the Year 2000 bug, Heyman said, provided ''a test run for possible attacks on critical infrastructure.''
DOE's Y2K programs, in which the Nuclear Regulatory Commission and the Federal Regulatory Commission worked with almost all energy system operators to ensure computer systems kept working, could offer a model for DOE in offering incentives to operators for strengthening their security systems, Heyman said.
Another strategy to combat attacks is to develop what Heyman calls the Intergrid -- a system of energy grid links featuring localized distributed power that, like the Internet, would connect producers and consumers. DOE officials have promoted distributed energy systems, in which power is produced at or near the site where it is used, as being much less vulnerable to terrorist assaults, yet the Bush strategy fails to even mention them. ''Decentralized, distributed and diverse. That's the solution,'' he said.
Heyman also cast doubt on the Bush plan's emphasis on cyber threats. Attacks on energy computer systems are a real danger, he said. ''But, in fact, the experts I've talked spoken with say it's difficult to remotely attack a switching station or a power plant. There are sophisticated layers of protection. It would require inside information to be successful,'' Heyman said.
In addition, Heyman cautioned, the White House and Congress appear to be scrambling haphazardly to create a Department of Homeland Security. ''I still have great concern about the speed with which they're trying to implement the new agency. The [strategy] document is extraordinarily broad,'' he said. ''It took eight months to prepare the proposal. It should take more than two months to create the department.'' Heyman said he favored a phased implementation in which DHS would be slowly put together ''rather than the [current] moon shot approach.''
Like Lawson and Heyman, John Pike of defense and security analysis group globalsecurity.org, had some good things to say about the Bush strategy. But he shared Heyman's reservations about cyber threats and said the document leaves a host of unanswered questions.
''I don't think there were any great surprises,'' said Pike, formerly with the Federation of American Scientists. ''The good news was its stress on public-private partnerships and the extent that it recognized that most of what could get blown up isn't owned by the government.''
The Bush strategy, though, came up short on specifics in describing what public-private partnerships for energy security would look like, he said.
Further, the administration still has not provided help to non-government security managers on how to prepare and respond to attacks, or even how to react when the government warns of increased terrorist threats through its color warning codes. ''If we go from [code] yellow to orange, no one knows what they're supposed to do,'' he asked. ''I'm bewildered that the government hasn't put out a checklist of what they're supposed to do.''
Pike also shared Heyman's skepticism about the plan's dire warnings that terrorists might soon target computer systems and networks at energy operations. ''I'm the designated skeptic about cyber attacks,'' Pike said, noting that every day businesses across the country put up with power interruptions and related system problems. ''The question is, what could terrorists do [through a cyber attack] that would rise above a normal industrial accident?'' he said.
The White House strategy shows just how much remains to be done, Pike said. ''It will take a lot of people spending a lot of time and effort'' to shape a national program, he said. ''It'll be much more interesting to read next year's edition.''
Copyright 2002 The McGraw-Hill Companies, Inc.
