Publisher: Jeffrey Frank Jones
Executive Summary The National Infrastructure Advisory Council (NIAC) set out to determine whether the right people are receiving the right intelligence information at the right time to support robust protection and resilience of the Nation’s critical infrastructure. More than 200 interviews and extensive open-source research uncovered a wealth of insights on this complex problem. First, there have been marked improvements in the sharing of intelligence information within the Federal Intelligence Community, and between the Federal Government and regions, States, and municipalities. However, this level of improvement has not been matched in the sharing of intelligence information between the Federal Government and private sector owners and operators of critical infrastructure. Despite some notable successes, this bi-directional sharing is still relatively immature, leaving a large gap between current practices and an optimal system of effective public-private intelligence information sharing. We observe that trust is the essential glue to make this public-private system work. Trust results when partner capabilities are understood and valued, processes are tailored to leverage these capabilities, and these processes are tested and proven valuable to all partners. When breakdowns in information sharing occur, it erodes trust and is counterproductive to risk management. Information sharing is perhaps the most important factor in the protection and resilience of critical infrastructure. Information on threats to infrastructure and their likely impact underlies nearly every security decision made by owners and operators, including which assets to protect, how to make operations more resilient, how to plan for potential disasters, when to ramp up to higher levels of security, and how to respond in the immediate aftermath of a disaster. We looked at intelligence information flowing from the Federal Government to critical infrastructure owners and operators as well as risk information flowing from critical infrastructure owners and operators to the government. Our study reveals the complex ways information is gathered, analyzed, packaged, and shared among government and the owners and operators of critical infrastructures. In tackling this complex subject, we examined the different stages of the intelligence cycle, including requirements generation, information collection, analysis, and dissemination. To gather a variety of perspectives, we conducted extensive interviews with security directors, chief executives, subject matter experts, and government executives and managers. Recognizing that distinct sector characteristics shape information sharing needs, we conducted case studies of five sectors: Commercial Facilities, Healthcare and Public Health, Energy (Oil and Natural Gas), Banking and Finance, and Chemical. While we found some information sharing approaches to be effective, others were not. As a result, we adopted a “capability maturity approach,” which acknowledges that different Federal agencies have different abilities to share information effectively, and we sought to build on what is working.