White House rewriting core security policy document

The Bush administration is rewriting the document that signaled the beginning of the federal government’s efforts to deal with critical-infrastructure protection and cybersecurity to take into account post-Sept. 11 homeland security requirements.

Signed by President Bill Clinton on May 22, 1998, Presidential Decision Directive-63 (PDD-63) made it the policy of the U.S. government to lead a public/private partnership aimed at eliminating all major vulnerabilities to the nation’s critical physical and cyber infrastructures. In addition to setting a 2003 deadline for the establishment of a defense against intentional cyberattacks aimed at critical infrastructure, PDD-63 also created the U.S. Federal Bureau of Investigation’s National Infrastructure Protection Center (NIPC) — now part of the Department of Homeland Security — and encouraged private-sector participation through information sharing and analysis centers (ISAC).

Now the Bush administration is poised to release a version of that document that will be recast under the title Homeland Security Presidential Directive (HSPD).

“The idea was to reflect the changes in the bureaucracy at the Department of Homeland Security (and to give) more importance to the ISACs,” said Roger Cressey, former chief of staff at the President’s Critical Infrastructure Protection Board. The document has already been reviewed by a committee of deputy agency secretaries, he said.

It focuses on terrorist threats to the nation’s vital economic infrastructures as a way to weaken the U.S. economy and damage public confidence. It also recognizes the DHS as the main agency at the federal level for critical-infrastructure protection and the need to coordinate security efforts with the private entities that own and operate more than 85 percent of the nation’s critical infrastructures.

The original document assigned private-sector liaison duties to eight federal agencies. The new one adds to that list the Department of Agriculture, the Nuclear Regulatory Commission and a yet-to-be determined position at the Transportation Security Administration to cover the transportation of hazardous materials.

The rewrite also emphasizes identifying, cataloging and prioritizing the nation’s critical systems with respect to how vital they are to the nation’s economy and national security, as well as how vulnerable they are to terrorist attack.

The revamped document also calls for the development by next March of a system to aid information sharing between federal, state and local government agencies and the private sector. The White House has also directed the DHS to establish a national indications and warning architecture to detect incidents that could point to a larger, coordinated attack against critical infrastructures.

In a Nov. 6 letter to Paul Kurtz, special assistant to the president and senior director for critical-infrastructure protection at the White House, Harris Miller, president of the Arlington, Va.-based Information Technology Association of America, underscored the need for the new directive to “provide for an explicit role for the federal government as a supporter of industry’s ‘first responder’ status.”

Miller also stressed the need for specific information-sharing controls so private-sector data is protected from inadvertent disclosure. And he called on the government to help provide security clearances for private-sector officials if government information on threats must remain classified.

The draft of the new policy document has been circulating throughout the halls of government for more than six months. It wasn’t clear whether the concerns of the ITAA and other industry groups will lead to major changes before the final document is released.