September 11, 2001 was a turning point in national critical infrastructure protection. It launched the creation of the U.S. Department of Homeland Security, a rush of increased security and infrastructure hardening, and formal public-private security partnerships in each sector. Yet in many ways it followed a decades-long pattern in U.S. critical infrastructure policy: a pivotal event exemplifies a changing risk environment and sparks evolution in policy and approach. From the Cold War to the War on Terror, critical infrastructure policy continues to evolve in its purpose, understanding, and execution.
In 1963, President Kennedy established the National Communications System by a presidential memorandum. Following the many communication mishaps among agencies such as NATO, the Department of Defense, and even foreign leaders during the Cuban Missile Crisis, Kennedy wanted to improve national security communications to better prepare for a major crisis such as a nuclear attack.
In subsequent decades, the United States saw an increase in the rate of attacks against U.S. embassies and citizens abroad in addition to the dissolution of the Soviet Union. Computers entered the mainstream business environment to operate crucial functions in many sectors, adding a wholly new dimension to critical infrastructure.
As a result, President Reagan signed Executive Order 12656 in 1988, charging the head of each federal department and agency with the responsibility of protecting critical resources and facilities within their organizations. This marked a major shift toward the critical infrastructure protection policies in place today.
The first terrorist attack on the World Trade Center in 1993 made the threat of an attack on American soil real. In April 1995, 168 people were killed and hundreds more were injured when a bomb exploded in the Alfred P. Murrah Federal Building in Oklahoma City. The bombing became the major catalyst for President Clinton to put critical infrastructure protection policies in place such as the establishment of the President’s Commission on Critical Infrastructure Protection (PCCIP) in July 1996 and Presidential Decision Directive No. 63 in May 1998.
Shaping our policies by learning from past events will not change, and for good reason. The evacuation and fire safety regulations developed after the 1993 World Trade Center bombing were crucial when 13,000 to 15,000 people safely exited the buildings on September 11. Even so, the destruction of the towers led to a federal investigation as to how to better improve the structure and safety of high-rise buildings, and since then, many changes have been implemented to make buildings safer and evacuation times shorter. This past year, the National Oceanic and Atmospheric Administration (NOAA) changed its policy on issuing weather alerts when infrastructure owners and operators failed to fully understand the scale and scope of Superstorm Sandy’s impact in New York and New Jersey.
Yet a new evolution is under way that is more pre-emptive than past policy shifts. The years after 9/11 were marked by a reactive ramp-up of physical protection—guns, guards, and gates—but also by growing partnerships that prioritize information sharing and proactive risk management. Those partnerships have matured and are starting to shift focus, replacing “protection” in the security lexicon with “resilience.”
Resilience recognizes that the risk environment is changing, as always, but now at a faster pace. Learning from past events is no longer likely to leave us better prepared for the next one. Threats change too quickly to prevent or protect against each one. Critical infrastructure partners are now working together not to prevent the next disaster, but to put in place policies and capabilities that allow them to take the hit, get back up and running quickly, and recover faster. This sea change is beginning to show a larger effect on critical infrastructure policies than any one event could.