In one of the latest in a long and unacceptable list of otherwise avoidable critical infrastructure (CI)-enabled consequences, on March 26, 2024, the combination of a vulnerable bridge structure coupled with a loss of power on an outbound ship produced a catastrophic infrastructure failure when that ship collided with the Key Bridge in the port of Baltimore, Maryland. That local incident produced cascading consequences on land and sea transportation routes and trade into and out of the area.
Advancements in CI preparedness thought, policy, planning, and execution are long overdue. Through continuous CI innovation and implementation of operationally proven, objectively measurable, nationally comprehensive, and compatible preparedness mindsets, metrics, methodologies, and technologies, the U.S. can realize and sustain CI resilience and optimally ensure the comprehensive preparedness of CI and the spectrum of American life it enables.
To the above ends, it is worthy of note it has been 18 years since – in the wake of the long-predicted catastrophic failure of the “protected” New Orleans levee system – the Homeland Security Advisory Council’s (HSAC) 2006 Critical Infrastructure Task Force Report, made as its principal recommendation: “Promulgate Critical Infrastructure Resilience as the top-level-strategic objective – the desired outcome to drive national policy and planning.” It has been 13 years since the HSAC’s Community Resilience Task Force recommended a community-by-community “American Resilience Assessment” and 11 years since Presidential Policy Directive 21 made “Critical Infrastructure Security and Resilience” the nation’s CI preparedness goals. As evidenced by near-daily accounts of the failures of and successful attacks upon U.S. infrastructures, resilience-based CI preparedness and, by extension, community and domestic preparedness are increasingly conspicuous in their absence.
Self-Inflicted Vulnerabilities and Objectively Unmeasurable Goals
Owing to the “flexibility” of American English and consistent with President Ronald Reagan’s observation in 1985 that “Status quo you know is Latin for the mess we are in,” Americans have popularized and effectively homogenized the term “resilience” into iterations of 1990s-era CI protection, information systems security, and preparedness goals. As a result, currently inextricably cyber-reliant CI and domestic preparedness trajectories in the U.S. continue to make the nation more exploitable, exploited, and consequence-enabling. In reality, cyber-reliant CI invites and multiplies consequences. Compounding this situation, as U.S. energy needs increase and billions are earmarked for CI projects, the country has restricted domestic energy production, sold its oil reserves, and become increasingly reliant on China, a nation decisively engaged in transforming U.S. CI into vectors to inflict consequences of unprecedented scope, duration, and intensity on the nation.
The U.S. has been unable to transcend “the mess we are in” largely because, for the past 28 years, it has focused on achieving objectively unmeasurable CI and domestic preparedness goals. No one can quantify how much protection or security is required to achieve and sustain the conditions the words imply. To sharpen the focus on this “mess,” author Alex Haley provides insight: “Either you deal with what is the reality, or you can be sure that the reality is going to deal with you.” The CI and domestic preparedness reality is that – absent timely CI product and service delivery – the country will quickly spiral into ~330 million people fighting each other to survive. Despite that reality, the nation’s reliance on cyberspace continues to grow. Reliance attracts global and domestic predators and focuses their CI targeting. Federal agencies have confirmed China’s “state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.”
Examining the Nation’s CI and Domestic Preparedness Organization and Lexicon
Like its predecessor organizations, the Cybersecurity & Infrastructure Security Agency organizes federal CI policies and programs into 16 functional (i.e., “vertical” top-down) sectors. The reality is CI operations naturally integrate and operate horizontally – community-by-community – across the country. Thus, both vertical and horizontal CI perspectives and requirements must be equally sought, respected and acted upon.
In the wake of the events of September 11, 2001, response and recovery has been the primary focus of CI and domestic preparedness efforts. In doing the right thing 23 years ago, the nation effectively lost and must regain emphasis on the proactive (i.e., preparedness) side of the event curve specifically, prevention and continuity. In this regard and in 2018 dollars, it is estimated that for every dollar spent on mitigation efforts, $6 dollars in response and recovery operations are saved. This figure does not include prolonged human suffering and costs stemming from opportunistic crime, panic, and societal collapse.
While essential to awareness, understanding, meaningful change, and preparedness, language has played a subtle yet pivotal role in maintaining an inadequate CI and national preparedness status quo. An undisciplined lexicon must be recognized and rejected. Given CI and domestic preparedness realities, there can no longer be tolerance for ambiguity or blurring the distinctions between words, including activity and accomplishment, iteration and innovation, process and progress, rhetoric and results. In the current absence of disciplined, question-and-answer-based “information exchange” and objectively measurable progress in correcting CI and preparedness trajectories, the popular lexicon has proven itself a barrier to achieving long-overdue change.
Correcting U.S. CI and Domestic Preparedness Trajectories
First, continuous innovation (not iteration) in CI and domestic preparedness is imperative. Amplifying his definition of insanity, Albert Einstein noted: “We cannot solve our problems with the same thinking we used when we created them.”
Second, an advanced, reality-based culture of CI and domestic preparedness driven by resilience-based mindsets must be implemented. These mindsets include:
- Behind every silver lining is a dark cloud.
- Never assume or be satisfied with the status quo.
- Reality is the ultimate measure of success or failure.
- Everything is a target, and the internet is a global vector to U.S. targets.
- Anticipate, accept, and prepare for CI and domestic preparedness failures.
- Accept no single point of failure (e.g., the New Orleans levee system, high-consequence-producing automated systems).
- Add reliance to risk elements (i.e., threat, vulnerability, and consequence), exercises, and resilience assessments.
- Respect “the predator’s view” (i.e., the “view” from the outside looking in) and understand the dangers of public pronouncements, and advertising that focus predator targeting. In addition, heed the teachings of Sun Tzu: “The opportunity of defeating an enemy is provided by the enemy himself” and “Never interrupt your enemy when he is making a mistake.”
- Equalize resilience-based CI protection, cybersecurity, and domestic preparedness efforts across the event continuum (i.e., prevention and continuity, response and recovery).
- “Lessons learned” not acted upon are consequence enablers and amplifiers.
- The only acceptable “new normal” is one superior to its predecessor.
Third, objectively measurable, operationally proven, nationally comprehensive, and compatible preparedness goals can and must be achieved. In so doing, the country can and will provide for the predictable provision of CI products and services and the continuity of American life.
Unlike CI protection, cybersecurity, and information-sharing efforts, resilience is objectively measurable. Time is a universally accepted metric and is the metric of resilience. Time makes CI and domestic preparedness quantifiable and thus manageable, achievable, and sustainable.
As Einstein observed: “If you can’t explain it simply, you don’t know it well enough.” Accordingly, Figure 1 illustrates the practice of resilience. It is the convergence of continuously knowing:
- What an entity (i.e., individual, family, business, community, nation) finds important or critical and what it is reliant upon.
- How long that entity is willing to be without something important or critical or something it is reliant upon; and
- The identification, testing, and availability of adaptive capacities and alternative CI products and services to ensure (at worst) predictable recovery from events short of a global Armageddon.
Additionally, the U.S. must begin reducing its cyber-reliant target values. Technologies must be made SMARTR (SMART + Resilient, pronounced smarter), and “back to the future” solutions must be implemented including:
- Mandating physical overrides, training people, and annually certifying them to operate overrides on all high-consequence-producing networked or automated CI systems; and
- Retaining hard copies of all vital (i.e., consequence-producing) information to reduce or eliminate the consequences of ransomware.
In a nutshell, resilience-based CI and, by extension, domestic preparedness are cost-neutral, proactive, operationally proven, objectively measurable, comprehensive, compatible, achievable, sustainable, unifying, and empowering end states. Uniquely, resilience-based CI and domestic preparedness allow people, businesses, and communities nationwide to work first in their best interests and, ultimately, in the best interests of all.
The Bottom Line
The U.S. cannot afford to maintain iterations of its 1990s-era CI and domestic preparedness goals and thereby continue to learn the hard way. Military historian and Hoover Institution Senior Fellow Dr. Victor Davis Hanson’s quote perhaps best captures the decidedly human preparedness obstacle the country must quickly overcome: “States are like people. They do not question the awful status quo until some dramatic event overturns the conventional and lax way of thinking.” After 18 years, a much higher CI and domestic preparedness bar must finally be set. The U.S. must operationalize resilience-based preparedness across the spectrum of its daily life. Only in so doing can the country simultaneously prevent the otherwise guaranteed infliction of CI-enabled consequences and ensure the safety, security, preparedness, quality of life, and future for this and generations of Americans to follow.
Jeff Gaynor
Retired U.S. Army Colonel Jeff Gaynor brings six decades of highly decorated military, communications monitoring and combat arms, intelligence, counterintelligence, defense intelligence senior executive service, and private sector critical infrastructure (CI) and national security and preparedness expertise to the most fundamental and urgent of national imperatives: Ensuring the operational resilience of the nation’s CI. His experience ranges from foxholes to the White House as President Ronald Reagan’s and George H.W. Bush’s communications security officer, as the principal action officer for the creation of the Defense Department’s Information Assurance Program, and as the Defense Department’s Y2K operations officer. Nine months before the long-predicted failure of the “protected” New Orleans Levee System, Jeff created and directed the Homeland Security Advisory Council’s Critical Infrastructure Task Force (CITF). The CITF questioned the effectiveness of the CI protection status quo and, in itsJanuary 2006 report, recommended critical infrastructure resilience be promulgated as “the top-level strategic objective – the desired outcome to drive national policy and planning.” Almost two decades later, Jeff continues to spearhead the physical implementation of resilience-based CI, business, community, and national preparedness mindsets, metrics, methodologies, and technologies for the U.S. and its allies.
- Jeff Gaynorhttps://www.domprep.com/author/jeff-gaynor