Is DHS Dropping the Ball on Critical Infrastructure Protection?

Congress Passed Critical Infrastructure Protection Provisions in 2016

The Critical Infrastructure Protection Act was a bill introduced in Congress in 2013 and 2015 and finally passed in the National Defense Authorization Act for Fiscal Year 2017 (NDAA). Congress said the provisions were designed to “to protect Americans from an electromagnetic pulse (EMP), a threat experts consider one of the most serious risks to our national security.”

There is very little information available about the federal government’s implementation of Critical Infrastructure Protection provisions of the NDAA. There are several reports that the Department of Homeland Security (DHS) is supposed to have filed by now with Congress. I can’t find the reports. It raises questions as to whether the required work is actually being done – and the quality and transparency of any work as well.

On December 23, 2016, the provisions of the Critical Infrastructure Protection Act (CIPA) were passed as section 1913 of the National Defense Authorization Act for Fiscal Year 2017. The NDAA is 970 pages long. (Click here for the relevant 4 pages with the public law provisions of “CIPA.”) The links to the full Act and U.S. Code versions are provided below. (It gets confusing because the government at times likes to cite an Act, and at other times likes to cite to the U.S. Code. – often is does both in the same document. This can make it very hard to follow.)

What Has DHS Done on the Critical Infrastructure Protection Provisions?

There has been a great deal of public attention, press articles and increased awareness to the threat of EMP since September of 2017 when it was widely reported that North Korea detonated a hydrogen bomb and threatened the U.S. with an EMP attack. For example Newsweek, CBC News, The Huffington Post, and the Boston Herald, to name only a few, on the EMP threat.

What is not at all in the public domain is any information on the federal government’s activities or operations to prepare for an attack on the critical infrastructure. It has been over a year since the critical infrastructure protection provisions were implemented. There are specific timelines for reports and actions in the provisions.

We’ve heard crickets. In fact, the “Energy Sector-Specific Plan” has not been updated since 2015 and makes only 3 cursory references to EMP and GMD events.

These reports required by the NDAA are critical to inform Congress and the public on DHS efforts to protect the United States against threats such as EMP and GMD.

What Are the Critical Infrastructure Protection Provisions of Section 1913 of the NDAA?

Here are the main requirements and reports mandated by the section 1913 of the NDAA:

1. Section 1913(a)(1) adds the terms “EMP” and “GMD” to the definitions section of the Homeland Security Act of 2002 (6 U.S.C. §101 et seq.) [NOTE: This has been done.]
2. Section 1913(a)(2) adds 6 U.S.C. §121(d)(26)(A) titled: “Information and Analysis and Infrastructure Protection.” This section requires that DHS conduct a to conduct an intelligence-based review and comparison of the risks and consequences of EMP and GMD facing critical infrastructure and submit to Congress within 6 months of  December 23, 2016 a recommended strategy to protect and prepare the critical infrastructure of the homeland against threats of EMP and GMD. This strategy must be updated every 2 years. [NOTE: I have not been able to find this review and strategy. Also, see 5 below.]
3. Section 1913(a)(3) adds 6 U.S.C. § 195f titled: “EMP and GMD mitigation research and development.” This section requires DHS conduct research and development to mitigate the consequences of threats of EMP and GMD. There are specific requirements about the scope of the research and development. [NOTE: I have not been able to find any information on this.]
4. Section 1913(a)(4) adds 6 U.S.C. § 321p titled: “National planning and education.” This section requires DHS to include in national planning frameworks the threat of an EMP or GMD event and also to “conduct outreach to educate owners and operators of critical infrastructure, emergency planners, and emergency response providers at all levels of government regarding threats of EMP and GMD.” [NOTE: I have not been able to find any information on this.]
5. Section 1913(c): “DEADLINE FOR INITIAL RECOMMENDED STRATEGY.—Not later than one year after the date of the enactment of this section, the Secretary of Homeland Security shall submit the recommended strategy required under paragraph (26) of section 201(d) of the Homeland Security Act of 2002 (6 U.S.C. § 121(d)), as added by this section.” [NOTE: I have not been able to find any information on this. Also, see 2 above.]
6. Section 1913(d): “REPORT.—Not later than 180 days after the date of the enactment of this section, the Secretary of Homeland Security shall submit to Congress a report describing the progress made in, and an estimated date by which the Department of Homeland Security will have completed—
   • including threats of EMP and GMD (as those terms are defined in section 2 of the Homeland Security Act of 2002, as amended by this section) in national planning, as described in section 527 of the Homeland Security Act of 2002, as added by this section;
   • research and development described in section 319 of the Homeland Security Act of 2002, as added by this section;
   • development of the recommended strategy required under paragraph (26) of section 201(d) of the Homeland Security Act of 2002 (6 U.S.C. §121(d)), as added by this section; and
   • beginning to conduct outreach to educate emergency planners and emergency response providers at all levels of government regarding threats of EMP and GMD events.”

[NOTE: I have not been able to find any information on this.]

The Initial Deadlines For Reports Have Passed

It looks to me like DHS should have submitted at least two reports to Congress by now, possibly 3. I have not seen them. Specifically:

• Section 1913(a)(2): Within 6 months of  December 23, 2016 a recommended strategy to protect and prepare the critical infrastructure of the homeland against threats of EMP and GMD should have been submitted to Congress.
• Section 1913(c): Not later than one year after the date of the enactment of this section, the Secretary of Homeland Security shall submit the recommended strategy required under 6 U.S.C. §121(d)(26)(A) [Seems to be similar to the report mentioned above in PL 14-328 §1913(a)(2).]
• Section 1913(d): Not later than 180 days after the date of the enactment of this section, DHS was supposed to submit a report to Congress a report describing the progress made in most of the provisions of PL 14-328 §1913.

These reports were supposed to be unclassified (i.e., should be available to the public) and were supposed to be submitted to:

• U.S. House of Representatives, Committee on Homeland Security
• U.S. House of Representatives, Permanent Select Committee on Intelligence
• U.S. Senate Committee on Homeland Security and Governmental Affairs
• U.S. Senate Select Committee on Intelligence

Conclusion

If DHS has not done the reports required by section 1913 of the NDAA for Fiscal Year 2017, one would hope that DHS requested and was granted an extension of time by Congress for good cause shown.

If the reports simply have not been done, that would be bad. Really bad. Unless I’m mistaken, isn’t the Department of Homeland Security in charge of homeland security?

References:

Public Law version:

• Public Law 114-328: National Defense Authorization Act for Fiscal Year 2017. See: §1913. EMP and GMD Planning, Research and Development, and Protection and Preparedness.

U.S. Code version:

• 6 U.S.C. §101—Definitions [Note: Added definitions for “EMP” and “GMD”]
• 6 U.S.C. §121(d)(26)(A)—Information and Analysis and Infrastructure Protection
• 6 U.S.C. §195f—EMP and GMD mitigation research and development
• 6 U.S.C. §321P—National planning and education

For more information from congress: