Home Information Sharing & Analysis Prevention & Protection Preparedness & Response Research Commerce & Trade Travel Security Immigration
About the Department Open for Business Press Room
Current National Threat Level is elevated

The threat level in the airline sector is High or Orange. Read more.

Homeland Security 5 Year Anniversary 2003 - 2008, One Team, One Mission Securing the Homeland

Remarks by Secretary Michael Chertoff at a U.S. Chamber Event on the Completion of the 17 Sector Specific Plans, as Part of the National Infrastructure Protection Plan

Release Date: May 21, 2007

Press Office
U.S. Department of Homeland Security
Press Release
Contact: DHS Press Office, (202) 282-8010

SECRETARY CHERTOFF: Thank you, Ann. On the theory that a picture is worth a thousand words – this is a picture, and this is probably many thousands of words. It reflects a tremendous accomplishment for the people who are here from the various sector-specific groups, for the partnership for critical infrastructure security. I'd like to thank Ken Watson, who is here, for the role that he played in this process; and also to recognize Bob Stephan, who was involved at the very beginning with this process, through the development of the National Infrastructure Protection Plan. And then, of course, the flow down to the sector-specific plans that we’re announcing today.

I also want to recognize Robert Jamison, our Deputy Undersecretary and Acting Undersecretary for National Protection and Programs.

I want to translate this into plain English for the press who are here. We are big country. Most of the resources and the people who work in this country are not owned and operated by the United States government. And the need to protect these resources and these people is a responsibility that we have to share with the private sector. We are long past the time when people thought that the right way to protect the economy or to protect the people who work in the economy is what I call old Soviet style, control and command, or command and control.

In the 21st century we have to think about partnership and about networking. That is how you make protection of our infrastructure and the people who work within it a reality. So the approach that we're taking here I think is very much in the spirit of the 21st century. It is not simply heavy-handed regulation or a bunch of bureaucrats in Washington telling you what the best way is to protect your assets and your people. It's not simply throwing federal money at a problem. It's recognizing that every element of the critical infrastructure has a stake in its own protection. The people who operate and own our businesses have invested a lot of time, effort and money; and the people who work in them have put a lot of their blood, sweat and tears into those businesses. They have as keen an interest in protecting those assets and those people as we do in Washington. In fact, maybe a keener interest.

And so the approach that we've taken here is to harness that natural desire and energy, the patriotism of the private sector – but also, to be honest, the rational, self-interest of those who work within it – to come up with the best possible plans sector by sector, which can then be disseminated throughout our economy as guides and templates for individual businesses to know how to best protect themselves against the possibility of a terrorist attack.

Under Homeland Security Presidential Directive 7, we looked at the private sector and we divided critical infrastructure and key resources into 17 basic areas. We recognized that every sector would be different and that even if we were going to be reasonably general in terms of the kind of guidance we gave, we'd have to at least develop that guidance based on the very real differences between the 17 sectors.

For example, in the chemical and nuclear industries, obviously we're dealing mostly with the security of fixed large plants and sites. And that requires a certain kind of thinking in the physical domain. On the other hand, in the cyber and telecommunication sector, security is not only focused on fixed sites, but it's in the virtual world, cyber world. And, therefore, the approach to security there is very different, even though the end is the same.

And, again, the credibility for doing this right has to come from the fact that the people who have designed these particular plans are those who actually work with the industry and understand its capabilities and its vulnerabilities.

So I'm delighted to say that this approach, culminating with these 17 sector plans – although "culminating" is really not the right word, because we're going to continue, this is just 1.0 – we're going to have 2.0 and 3.0. I think this is a great model for how we go forward in the future.

There are going to be some people who say because it's not a heavy carrot and heavy stick, or sweet carrot and heavy stick, somehow it's not really doing anything; that the only way to do something is to have a lot of mandates or a lot of money flowing out of Washington to the country. But from what I see in the economy of the 21st century – whether it’s what you see with blogging, or what you see with marketing, or what you see with where our assets are going, the rest of the world is moving out of that command-and-control model into a network model. And so that's really what this whole approach is about.

Let me step back and just talk a little bit about our progress to date. Since September 11th, when this enterprise began, of course, we have made a lot of progress both in the physical world and in cyber world, in getting more protection and reducing our vulnerabilities. And the private sector didn't wait for the government to make substantial investments, boosting resiliency, and increasing redundancy and developing contingency plans across various types of critical infrastructure. And I do have to say, although I've kind of downplayed the role of money, the department has provided nearly $2 billion in risk-based grant funding, including almost a half a billion this year, to deter threats, reduce vulnerabilities, and build resiliency.

Moreover, we have recognized that there is a place for regulation. We have, for example, having finally received authority from Congress last year, developed, working with the private sector, comprehensive regulations for the chemical sector. We've done regulations for transportation of hazardous chemicals in the rail area. We've, of course, done a lot of regulation in the aviation area. And one of the reasons we do use regulation is because we recognize that, in some instances, while responsible corporate people take steps on their own, there are occasionally what we can call freeloaders, people who hope that by hiding in the weeds of the responsible actors they can give short shrift to security and hope that they wind up not being caught out. We want to make sure that the few who are irresponsible don’t damage the economic landscape for those vast majority who are being responsible.

Now, of course, the actual path to developing these specific sector-specific plans began with an over-arching framework, the National Infrastructure Protection Plan, which was mandated by one of the Homeland Security Presidential directives. The NIPP is a unifying structure for understanding and managing risk for the nation's infrastructure. And, again, that was also created in partnership with the private sector and issued last year.

Then the NIPP builds upon the individual sector-specific plans like those I have here, which analyze threat vulnerability and consequence at the sector level, and get into very specific nuts and bolts, available to those who actually work in the sector, about how they can analyze and evaluate their vulnerabilities and take steps to correct or mitigate them. And with the completion of these plans, they are now going to be available so that those who have not already put good planning into effect will have the tools to enable them to do so.

This is the first time in the history of the country that the government and the private sector have ever come together on such a large scale to develop a joint plan. And if you think about the literally millions of businesses and the millions of types of economic activity that occur every day, you'll begin to realize what a truly remarkable exercise this has been, to be able to abstract from this at a reasonable level of generality, but also tailored to each sector of the economy, an approach to planning for reducing risk that can be of use to everybody who operates, whether large industrial enterprises, or small businesses.

Let me give you just one example of how this works, picking what to my mind is perhaps the single most challenging sector because of its diversity and the differences of scale between large and small. And that is the commercial facilities sector. Perhaps more than any other sector – certainly as compared with chemical, or nuclear, or financial services – the commercial facilities sector encompasses a very broad category of infrastructure with a huge range of assets: hotels, casinos, sporting facilities, amusement parks, convention centers, office buildings, shopping malls, religious and cultural facilities, and some industrial assets like manufacturing plants.

How do you come up with a plan that addresses all of these? Well, with a collaborative process that put all of these constituencies together, working through their government coordinating council and their private sector coordinating council. This is the kind of unprecedented cooperation you needed if we were going to come up with a plan that would cover the diversity of the interests involved, but also have something meaningful and specific to say about how vulnerability could be addressed.

The plan set forth for commercial facilities sector sets seven clear security goals – among them, ensuring trusted and protection information sharing between the government and the private sector, so we can react and respond in real time if there's a threat or a problem; making sure that timely, accurate threat information is shared so we can give the sector a heads-up when we see something on the horizon; having systems in place to ensure a timely response to and recovery from natural or man-made incidents – and we've seen that time and again in natural disasters, as well as terrorist acts; and instituting a robust sector-wide research and development program to identify and provide independent assessments of methods and tools across the sector.

Using these general goals, the Department has worked with the sector to implement protective measures that are consistent with these goals. This includes deploying our protective security advisors to provide on-site assistance at critical commercial facilities; conducting site-assistance visits with industry feedback, and transforming that into educational reports that owners and operators can use in their own facilities to identify vulnerabilities; working with the private sector to develop more than 800 Buffer Zone Protection Plans, to enhance security around the critical infrastructure; providing security guard training and courses on increasing terrorism awareness – last year we conducted 156 of those sessions; and boosting information sharing across the sector through our Homeland Security Information Network, which has a specifically dedicated portal for commercial facilities.

We also continue to provide tailored threat analysis and risk assessments, which we push out – and I generally see these before they go out the door – and we've invited the sector to participate in major exercises covering terrorism, hurricane preparedness, and pandemic planning.

This is the kind of approach we're taking across the board but tailored to the specific needs of individual sectors, in order to make sure that we are pushing out the wisdom that has been gathered in this room across as broad a range of economic enterprises as is possible.

Finally, let me make maybe the most important point that I have to make up here. There is a very strong business case for making investments of the kind that we're talking about here in increasing security against the possibility of a terrorist attack or a natural disaster. When I hear criticism sometimes of the non-regulatory approach, people say, well, this is really just you're being a cat's paw of the industry, you're letting the business community write the rules. I think that represents a fundamental misunderstanding of the way our economy and our country works.

Without denying the fact that there are times that regulation and spending money makes sense, particularly when you need to make sure that everybody is shouldering their fair share, the fact of the matter is that there is a strong business case for security that everybody in this room understands. Anybody who runs a business or works in a business has put their life into that business. They've invested money, they've invested time, and they're putting their personal efforts into that business. Why should we not assume that the vast majority of these people want to protect their assets and their people in the same way that we assume most parents want to protect their families?

I think, for most businesses, the challenge is not lack of motivation and lack of will. It's lack of understanding and knowledge. And that's what this enterprise and this kind of planning gives you. It gives you the ability to make intelligent decisions about how you make investments so as to maximize the protection that you get. So I believe that harnessing the strong business case to be made for protecting your own assets and your business is the very best engine we have in the 21st century to drive security forward.

Let me conclude by saying that a plan, of course, is only as good as its implementation. This set of plans will no doubt be part of a feedback loop. Some things will work well, some things will need improvement, and we'll continue to make improvements and continue to work with you. But I think it's a very good start, and a very strong delivery on a commitment that we made a couple of years ago to build this process and make it a reality.

I'd like to thank the hundreds, if not thousands, of individuals who contributed their time and energy to these plans, lending their expertise, and working with our department and other departments of government to create a framework that will guide how we manage threats to critical infrastructure well into the foreseeable future.

Thank you for coming and thank you for your work and thank you for your continued dedication to making these plans come to life. (Applause.)

###

This page was last reviewed/modified on May 21, 2007.