Abstract
The Department of Homeland Security (DHS) has used a partnership planning model of implementation to address the protection of critical infrastructure and key resources (CIKR). The partnership relies upon existing regulators and operators to secure CIKR with little ability of DHS to compel action. Instead, the Department of Homeland Security acts to define and draw attention to tasks related critical infrastructure protection. This article analyzes Government Accountability Office reports to characterize variations in success of the partnership by assessing the extent to which DHS has addressed key components of partnership planning: creating a structure that encourages collaboration, establishing trust across partners, monitoring partners’ performance, attending to differences in partners’ organizational culture, identifying and leveraging existing relationships among partners, and instilling a sense of a common mission in the partnership. The findings underscore the limitations of partnership approaches in addressing complex problems that lack strong leadership and clear policy goals.
Keywords
Introduction
In 2003, the federal government launched a major effort to protect elements purported to be fundamental to America’s economy, security, health, and way of life—termed as “critical infrastructure and key assets [resources]” (National Strategy; U.S. Department of Homeland Security [DHS], 2003). Similar to other areas of emergency management at the state and local levels, federal critical infrastructure protection (CIP) explicitly rests on the basic notion of partnerships. However, unlike other partnership cases in which goals are defined, partners are manageable in number, and tasks are known, CIP spans a wide range of actors whose tasks are unclear and continually evolving. Given the enormity of the task facing the federal government and the complexity of the interactions necessary to carry out such abroad partnership, this article considers the logic, the utility, and limitations of the partnership model in CIP. The investigation presented in this article hopes to contribute to the administration of emergency management through partnerships from a policy design and implementation perspective.
Partnership planning arrangements similar to CIP have been used to grapple with broad and complex polices such as mental health service delivery (Isett & Provan, 2005), emergency management (Kapucu, 2006a, 2006b; Kapucu, Augustin, & Garayev, 2009), regional transit (Chisholm, 1992), juvenile justice (Schneider, 2009), and education (O’Toole & Meier, 2006; Stoker, 1991). These experiences suggest that partnerships can be essential mechanisms by which to implement policy when expertise is largely in the hands of the regulated, the scope of the policy to be implemented is broad, and a premium is placed on flexible responses to problems. However, they additionally suggest that the partnership model of implementation can be tenuous because often tasks are not well defined, the lead organization has very little control, and there are very few additional resources to offer partners. In essence, the head of the partnership must exhort action from partners rather than simply require it.
Such a challenge faces the DHS in its effort to protect U.S. critical infrastructure and key resources (CIKR) from natural and human-induced hazards. CIP policy is tremendously broad and complex, running the full gamut of actors in American public policy: nongovernmental organizations, private firms, federal agencies, state agencies, and local governments. Given that many key CIKR assets are held by nonfederal entities, DHS has taken a less direct role in CIP by heavily relying on the security actions of governments closer to the regulation of specific CIKR assets or the asset owners. The DHS has developed a CIP plan the implementation of which relies on partnerships in 18 key “sectors” of critical infrastructure to plan for and coordinate information sharing and defensive actions. The successful implementation of the overall multisector CIP partnership is dependent on the leadership abilities of DHS and its Office of Infrastructure Protection (OIP) to identify partners with CIKR assets and convince them to layer additional responsibilities related to CIP onto their existing tasks.
In this article, I assess the partnership model as applied to CIP policy. I examine government planning documents related to CIP and a virtual census of Government Accountability Office (GAO) reports that assess the implementation of CIP. I then characterize variations in success of the implementation of CIP by assessing the extent to which DHS has addressed key components of partnership planning identified in the policy literature: creating a structure that encourages collaboration, establishing trust across partners, monitoring partners’ performance, attending to differences in partners’ organizational culture, identifying and leveraging existing relationships among partners, and instilling a sense of a common mission in the partnership. I conclude the article with implications for CIP policy and other policies that intend to use a similar form of partnership planning for implementation.
Partnerships and Public Policy
Governmental partnerships come in a variety of forms that include different combinations of intergovernmental partnerships, public–private partnerships, and various forms of nongovernmental partnerships. Regardless of the specific form, the basic notion consists of coproduction of services or functions with different potential roles and relationships. The most developed literature about partnerships concerns intergovernmental partnerships as fundamental to the American government (Agranoff & McGuire, 1999; Bardach, 1976, 1998; McIntyre Hall & Kennedy, 2008). Indeed, many of the Great Society programs and environmental regulations of the 1970s are founded on a partnership model with the federal government providing direction and funding, and states or localities carrying out programs in support of federal objectives (James, 1972; Kettl, 1979; Pressman & Wildavsky, 1984). More recent attention has focused on public–private partnerships for the funding and delivery of such services as highways, mass transportation, and K-12 education (Goetz, Dempsey, & Larson, 2002; Linder, 2000; Stoker, 1991). For these, the central ingredients are governmental funding or purchase of services from private entities.
As elaborated in the following text, the partnership model used by DHS for CIP builds on these basic notions with the federal government providing program direction and encouragement and both subnational governmental and private-sector players taking the lead in implementing risk management strategies, collecting information, and sharing potential and real threats with relevant partners (other entities and lead agencies) in each sector. Though the relationships are in principle collaborative ones that require a good deal of trust and agreement about goals (see Kernaghan, 1993), some key distinctions can be drawn between this kind of partnership and the broader notions of collaboration that are highlighted in the current public administration literature. Chief among these is that the partnership model has a hierarchal structure—one entity, in this case the federal government, is senior to others. Partnerships additionally contrast with collaborative frameworks where actors involved in implementation have very specific roles, expected outcomes, and resources with which to accomplish those goals (Hill & Lynn, 2003; Jennings & Ewalt, 1998). Partnerships often have fewer constraints on membership and fewer tools for government to coerce action from partners. Put differently, the literature on collaboration is helpful for thinking about the nature of the relationships among partners in CIP partnerships but says little about their responsibilities and functions.
Similar to conceptions of “joined-up” or shared governance (6, 2004), partnerships akin to that utilized in CIP policy create very little new “government.” Rather, the partnership relies on the expertise and existing contacts of actors already engaged in addressing the problem (or similar problems) to perform tasks relevant to the partnership. Thus, partnerships are particularly well placed in policies, such as CIP, that do not have large formal implementation apparatuses, cover multiple policy areas, and are complex in the sense that they require the assistance of private and public actors.
The tasks associated with leading this kind of partnership are quite different than a traditional regulatory setting. The agency that leads the partnership does not act as a traditional principal, but rather as a persuader that encourages partners’ actions, provides coordination for those actions across the partnership, legitimizes efforts on behalf of the partnership, and mobilizes attention to certain types of known or new issues (Weber & Khademian, 2008). Lead agencies do very little “hiring” of personnel; rather, they must actively identify existing actors—private, nonprofit, federal, state, local—who have the expertise, goal similarity, and desire to work with the partnership (Kernaghan, 1993). The lead agency often has very little to exhort participation on the part of potential partners; thus, its task of identifying willing partners is doubly important (Weissert, 2001). The lack of a formal apparatus not only adds to partnership flexibility but also creates an environment in which there are very few sanctions for partners who fail to perform duties to which they have agreed. Agencies charged with implementing the partnership model can increase their chances of success by attending to notable factors identified in the successful implementation of other partnerships and similar types of collaborative relationships: appropriate planning, performance monitoring, identifying goal communalities across partners, working with existing organizational culture in partners, building trust, and incorporating partners who have current or previous working relationships (see Table 1 for a summary).
Elements of Success in Partnership Planning.
Source. Author and other scholars cited in the article.
Note. DHS = Department of Homeland Security.
Elements of a Successful Partnership Design
It is the lack of traditional controls in the implementation of a policy using the partnership model that makes partnership planning critical (Kettl, 2003; Milward & Provan, 2003). The partnership must have clear goals and clear tasks to accomplish those goals to identify partners and maintain their participation in the partnership. Some expectations regarding performance and a system to monitor this performance ought to accompany the list of goals and tasks, with the caveats regarding a lack of formal sanctioning authority. Simply making partners aware that someone is monitoring their performance can urge action (Daley, 2009; Goetz et al., 2002; Popkin et al., 2003; Rogers & Weber, 2010); if this information is made available to other partners, a peer effect can create further encouragement. In addition, while variable, partnerships ought to have an idea of the universe of actors from which they can draw for tasks related to the partnership. This enables the lead agency to properly identify the actors whose goals and other internal motivations best match with the tasks specified for reaching the goals of the partnership.
Commonly held goals across partners are the key to overcoming the collective action difficulties that accompany a broad effort to cajole actors without any real threat of sanction. Successful partnerships incorporate similar missions across partners regarding how to reach collectively held goals (Daley, 2009). Goal clarification and identification of resultant goal commonalities can encourage participants to take a long view of problems so that the transaction costs that accompany the choice to partner are offset (O’Toole, 1997). Partnerships with clearly identified and commonly held goals are stronger because partners who share the same goal also share the same level of risk of failing to achieve that goal, helping to avoid potential shirking and encouraging additional participation (Kapucu, 2006b). An additional benefit to shared goals is that the commonly held values become partnership norms that can become enforceable standards (informally or formally) across actors (van Raaij, 2006), which helps to address issues related to performance monitoring. If partners have only marginal goal commonality with the partnership, then their participation may be ephemeral or take the partnership in a different direction than is envisioned by its goals.
In addition to goal commonality, more effective partnerships work with organizations that have a culture of collaboration (Jennings & Krane, 1994; Reitan, 1998). Existing organizational cultures have a potential to hinder network formation as found in Dawes’s (1996) survey of state government managers. An understanding of organizational cultures can work synergistically with other aspects of partnership planning by providing another mechanism of control (Kenis & Provan, 2006). The first step in finding partners who share a culture of collaboration is to incorporate actors who have worked or currently work together in other capacities (Moynihan, 2009; Waugh & Sylves, 2002). This allows creating fewer startup coordination costs for the partnership and also assists in incorporating actors who share some level of trust (Kapucu et al., 2009), a common element necessary for any attempt to join actors in a common mission with many incentives to shirk (Agranoff & McGuire, 2001).
The Structure of CIP
The 2009 update to the DHS’s National Infrastructure Protection Plan (NIPP; U.S. DHS, 2009) is responsible for the current organization of CIP into 18 sectors related to CIKR. The raw number of sectors has steadily increased with the expansion of the definition “infrastructure” to include many hitherto non-security-related sectors. The nascent definition of critical infrastructure and the structure of the partnership to protect it were initially created by the 1996 Presidential Commission on Critical Infrastructure Protection (PCCIP) and a subsequent Presidential Decision Directive (PDD) 63 issued by President Clinton. The current powers and structure of the partnership to protect CIKR are a function of several national strategies (e.g., National Strategy for the Physical Protection of Critical Infrastructure and Key Assets) and Homeland Security Presidential Directives (HSPD), most notably HSPD-7, and are in conjunction with other homeland security-related enabling legislation and executive orders (for a full list of relevant authorities, see the NIPP; U.S. DHS, 2009). As the number of planning documents and directives has expanded, so has the definition of critical infrastructure.
Table 2 shows the current categorization of critical infrastructures and key resources identified by DHS as vital to the day-to-day functioning of the United States. Immediately apparent is the shear scope of critical infrastructure—nearly all sectors of U.S. policy and federal agencies seem to have a role to play in its protection. In addition, the types of agencies brought together under the CIP umbrella are strange bedfellows in terms of goal alignment. Never before have agriculture, banking, finance, or food been considered by previous policies as “infrastructure” nor have they been explicitly linked as part of a broad policy agenda. This does not, of course, mean that these policy domains are unimportant to the goals of CIP: protecting those assets that are “essential to the nation’s security, public health and safety, economic vitality, and way of life” (NIPP; U.S. DHS, 2009, p. 1). Certainly, the events of late 2008 show the impact of finance on the U.S. economy and its ability to project power. Outbreaks of salmonella in spinach and peppers caused a loss of confidence in food purchasing; deliberate attacks on the food supply by outside agents might shake the very core of the U.S. consumer.
Sector-Specific Agencies and Critical Infrastructure and Key Resources.
Source. National Infrastructure Implementation Plan (U.S. Department of Homeland Security, 2009, p. 3).
The problem with infrastructure policy or any other policy that has little commonality among its subareas is that the definition of “critical infrastructure” is nearly without boundary. It would be, frankly, challenging to find an agency in the U.S. government that did not think of its task as “critical” to the country. Using such a broad rubric to qualify a policy domain as part of U.S. infrastructure could very well turn into a self-fulfilling prophecy, that is, labeling a policy domain as critical may, in fact, make it critical and part of the U.S. infrastructure. This all depends, though, on the strength of DHS as an organizer and the openness of the myriad subsystems that are potentially affected by the new conceptualization of infrastructure policy.
Investigating the CIP Partnership: Method and Data
A formal investigation of the entire implementation effort of CIP policy simply does yet not exist; however, data can be found in GAO investigations of various facets of CIP since the inception of the PCCIP (the first GAO report on CIP was published in 1998—GAO-98-85). While working with these secondary data, I developed sector profiles based on implementation issues covered, actors involved in the CIP partnership, and problems associated with the CIP partnership cited in each GAO report. The data are used to assess the extent to which key components of a partnership model of implementation identified in the literature cited in this article are supported in CIP. The search ultimately looked for successes and failures in the partnership model in terms of the extent to which relevant actors were engaged in the CIP partnership, akin to Chisholm’s (1992) account of an effective “community of interest” in CIP.
Given that the GAO is called on by Congress with little periodicity in its investigations, the use of GAO reports yields multiple small windows into the workings of a large, multifarious partnership like CIP. That said, GAO reports offer highly detailed accounts of programs’ inner workings and information that cannot be found elsewhere. For the purpose of CIP, the GAO typically investigates a particular sector (e.g., wastewater or highways, see GAO-05-165 and GAO-09-57) or a specific problem that may cross a few sectors (such as railroad or port security, see GAO-09-243 and GAO-07-412), but only in rare cases does it attempt to assess functionality across sectors (such as cybersecurity in all sectors, see GAO-04-321 and GAO-08-113). I use all GAO reports (and some testimonies) that focus on CIP for the period of 1998 to 2011. With the help of a research assistant, I conducted separate searches of the GAO’s reports database to ensure that a similar pattern of results emerged and to catch any reports that might have been missed. We searched for all GAO reports that contained “critical infrastructure” in all fields and then conducted secondary searches looking for each of the CIKR sectors and the words critical infrastructure (e.g., “transportation” and “critical infrastructure”). Finally, I examined GAO reports referenced in reports gathered from the initial search. The various search methodologies resulted in 77 reports.
Key Partnership Elements and CIP
For the CIP partnership to be effective, DHS must convince partners to act using other-than a statutory authority. At the root of much of this “convincing” effort is the ability of DHS to coordinate the actions it wishes of its partners with the tasks they already undertake in some fashion. The information found in GAO reports identify key challenges in enhancing the CIP partnership; these challenges are also listed as factors in facilitating partnerships found in the literature on policy implementation.
Structuring the CIP Partnership: Goals, Tasks, and Planning
The real challenge for CIP is the structure of the overall plan of the partnership. In principle, the DHS leads the partnership and delegates other leadership authority to sector-specific agencies (SSAs) given their existing stature and expertise in each respective sector. Each sector also has multiple bodies to represent different sector interests and coordinate sector actions, most notable of which are the Government Coordinating Councils (GCCs) and Sector Coordinating Councils (SCCs). Additional representative bodies that fall outside the formal boundaries of the partnership (e.g., U.S. Computer Emergency Readiness Team [US-CERT] 1 ), but are nonetheless depended on by the partnership, help structure the implementation effort. The organizational chart of the partnership reads like a combination of hierarchy at the top and a network everywhere else—a soft partnership.
In practice, this hybrid organization strains to complete the task of implementing critical infrastructure policy in large part because of difficulties in disseminating information to “partners” (see GAO-12-92, GAO-11-24, and GAO-11-652). The part of the partnership that is structured as a hierarchy has little formal authority to sanction or reward, while the part of the organization that functions more like a network is simply too broad and vaguely defined. The structure of the partnership to implement CIP starts with a shaky foundation of the very basic question (at least, in an organization sense) of what “critical infrastructure” is. The question of “where is critical infrastructure” predates the efforts to mitigate terrorist threats to a time when the federal government was attempting to address “infrastructure” policy in the United States. Simply put, there has never been a coherent effort regarding infrastructure in the United States; moreover, there has never been an infrastructure policy prior to CIP policy. While CIP has formalized hitherto commonly conceived areas of “traditional” infrastructure such as transportation, it has also formally added new areas such as agriculture and national monuments. DHS’s efforts serve as an attempt to create a common codex of “critical infrastructure,” but simply calling something “critical infrastructure” does not make it so—at least not in the eyes of the future would-be partners. Traditional infrastructure actors have been resistant because of a lack of commonality with the goals of CIP while newly anointed actors are unclear of their role.
Structuring the CIP partnership faces an obvious challenge in that the policy regime is very large. While every sector is itself large in terms of the number of assets and actors who potentially need to be incorporated, variation in that magnitude exists across sectors. The agricultural sector theoretically encompasses more than two million farms, while the nuclear reactors, materials, and waste sector covers 104 commercial reactors, waste disposal facilities, and reactors used to generate medical supplies. In addition, the sectors vary in the breadth of actors they bring to the table; for example, while large, the water sector largely deals with drinking water and wastewater treatment, whereas the transportation systems sector includes a broad range of actors involved in roads, railroads, air, mass transit, maritime transportation, and pipeline systems. Each of these sectors also has various levels of state and local government interactions; for example, the nuclear reactors, materials, and waste sector is largely under the purview of the federal government while the health care and public health sector is largely a function of state and local governments. Because of this disparity regarding size and specificity across sectors, each sector offers different parameters for the inclusion of a future partner in CIP. Adding to the confusion of whether an actor/asset is “critical” is the National Asset Database that offers a more specific conceptualization of “critical” infrastructures and assets than does the NIPP or each of the summaries as self-described by each sector (found on the DHS website). The partnership suffers from incomplete and variable participation by the very partners on which CIP policy implementation greatly depends.
The structure of the partnership, in large part, depends on the ability of partners to layer the CIP requests of DHS on top of existing tasks—the extent to which this is difficult for the partners is a function of the disparity between tasks already performed and those desired by DHS. A nonredundant overlap—that is, an overlap that does not serve a specific purpose of fostering redundancy—is an endemic problem to many homeland security efforts (Kettl, 2003) and is also found in CIP. Because it is difficult to monitor the efforts of partners, it also can be difficult to know which requests for action have been received by said actors and whether the partners have acted on them. Thus, the potential for redundancy in the form of multiple requests to multiple actors is great. In addition to redundant requests, the tasks of partners can also be conflicting (see GAO-06-383 and GAO-11-117), further hampering CIP efforts.
Perhaps the most troubling issue regarding the CIP partnership is the simple lack of tasks that partners are supposed to carry out. The DHS has encouraged a model of risk assessment and mitigation for managers of CIKRs—partners in the CIP policy—yet there these tasks are not communicated effectively nor are they properly resourced (see GAO-08-1157T). In short, because of historical vagaries, shifting definitions of CIP actors, and variability in sector scope, potential partners in CIP find themselves questioning whether, in fact, they qualify as part of CIP.
Performance
Monitoring the performance of actors within the CIP partnership is a monumental challenge for DHS in part due to the sheer number of partners and the dependence up them to carry out tasks for which DHS is necessarily less qualified. Thus, classic issues regarding asymmetries in information between principals and agents play out several times over given the myriad arrangements that form the structure of CIP implementation. DHS has very little resources with which to monitor the actions of partners, and it is unclear that a partnership model of implementation would necessarily lend itself to more “traditional” conceptions of performance monitoring that might include some form of sanction. Nonetheless, given that the CIP effort is publicly orchestrated (and, equally important, funded), the GAO has repeatedly advised the inclusion of accountability mechanisms into CIP policy (see GAO-04-855 regarding result-oriented management; see also GAO-11-24 and GAO-11-223 for specific programs). The lack of performance monitoring extends to the use of federal dollars as the GAO found there was simply no complete way to track the funds used for CIP (see GAO-04-1009). Aside from inefficiency, the GAO concluded that this inability to track funds leads to less security.
Though the size of the partnership is likely not the true issue regarding a difficulty in performance monitoring, the true culprit is the lack of defined tasks and partners (see the previous section). Creating a performance-monitoring system for CIP is a daunting task given the vagueness of the tasks partners are asked to undertake (see GAO-02-957T). In addition, many potential partners are unclear as to whether or where they fit into the CIP policy implementation scheme (see GAO-05-434). Thus, unknown tasks are asked of unsure partners, making monitoring performance an impossible task.
However, despite these difficulties, it is unclear that DHS has made much attempt to monitor and, equally importantly, evaluate the actions of partners in CIP. 2 There are some exceptions. The Top Officials Exercise (TOPOFF) is a biannual effort to test emergency response across various levels of government and the private sector. Though critical infrastructure is not the specific focus of TOPOFF, the exercise encounters very similar problems related to coordination—particularly with the private sector—that fail to disappear (see OIG 06-07). In addition, the more “mature” CIP sector of cyberinfrastructure, has conducted two “cyberstorm” exercises in an effort to test responses to potential events that would cripple the information services sector and other interconnected sectors. These events are among the broadest and most visible performance tests the DHS conducts for CIP; however, the lessons derived from cyberstorm exercises appear to fall on deaf ears (see GAO-08-607). A similar finding is reported in trials to deal with pandemic influenza: Planning is useful, but not part of an overall learning regime for the purpose of assessing performance (see GAO-11-632). The findings in these reports indicate that, even when DHS attempts to monitor the activities of partners—albeit in a highly controlled environment—the ability of the partnership to glean lessons from the results is limited given the relative paucity of additional performance monitoring and lack of sanction.
Common Mission and Goals
In such a broad partnership as CIP, participants can feel as though they are disconnected from the larger whole if they are not connected—or made aware that they are connected—to other actors. DHS and the CIP program specifically have made efforts to encourage each sector to think about and express interconnections each sector has with others. Once again, however, this effort is an example of the DHS describing an aspect of the partnership that exists very differently in practice.
As discussed in the previous section, a fundamental challenge to fostering a common mission and goals across partners is the lack of commonly accepted definition of “critical infrastructure.” The Office of Homeland Security experienced immediate growing pains in its attempt to identify critical infrastructure, finding that the existing definition under PDD-63 was insufficient (see GAO-02-474). The definition of CIKR officially expanded as a result of the National Strategy for the Physical Protection of Critical Infrastructure and Key Assets (U.S. DHS, 2003) and has recently expanded in part due to the NIPP (U.S. DHS, 2009). The changing definition means different goals and tasks for different actors, which partially depends on the point at which the actor became classified as part of CIP. These previous relations shape a partner’s concept of “critical infrastructure” and, thereby, the extent to which the partner thinks of commonalities across missions. In the absence of clear programmatic goals, the CIP program has created confusion across sectors—even in cybersecurity where goals and tactics related to security are well aligned (GAO-06-672). Variations also exist across partners regarding the goal of “security.” Though tightly linked through existing, non-CIP-related relationships, the chemical and rail industries have differing views of security that have slowed efforts to partner in CIP (see GAO-05-327). The rail sector and other transportation sector providers must also contend with different conceptions of “security” for each local government—particularly cities—through which they travel. Some of this mission and goal mismatch will exist regardless of any efforts by DHS given the nature of the partnership model and the other issues to which partners must attend in their dealings external to CIP (which are the lion’s share of what they do). However, DHS is still in the process of identifying its goals for CIP that leaves partners to attempt to divine goals individually.
Organizational Culture
Because the CIP partnership deals with so many different actors, it is necessary for DHS to consider the specific impacts organizational culture can have on partner participation. The lead agency for each of the CIKR sectors has its own organizational culture as do the other governmental, private, and nongovernmental actors. The challenges facing CIP in linking the cultures of disparate actors in the security apparatus of the U.S. government are similar to those that have beset DHS as a whole since its inception. One might argue, however, that culture clashes for CIP are more probable and difficult to resolve given the added diversity of governmental and nongovernmental actors and the lack of specific institutional authority inherent to the partnership model of implementation. These organizational cultures affect a number of other factors that facilitate or impede the partnership model for CIP—most notably whether a partner has a so-called “culture of collaboration” (Brass, Galaskiewicz, Greve, & Wenpin, 2004). In addition to an existing culture of collaboration, the GAO has found that some actors—specifically, lead agencies—also have a more inwardly focused culture with regard to security matters. A GAO report (03-121) examining cybersecurity across all sectors found that cybercrimes—key pieces of information for CIP—were vastly underreported because agencies were unwilling to report their own vulnerabilities. Specifically, agencies such as the Department of Defense or the Department of Energy are accustomed to relying on their respective expertise with regard to securing their installations and have little cultural history of sharing this responsibility with other authorities (GAO-04-623).
Existing Relations
Many of the successes (as well as some failures) in the implementation of CIP can be attributed to the fact that some actors in the partnership are currently or have been partners before. The previous relationships among the sectors bring a kind of interconnectedness accompanied by trust that has been fostered by repeated interactions in areas of mutual cooperation. Some partners have natural synergies because of common missions and goals (see the previous section), whereas others have worked together as a result of previous attempts to address other areas of homeland security or, more specifically, CIP.
Actors in the emergency management sector are used to the types of coordination challenges that face CIP and, indeed, have engaged in intergovernmental and private coordination in the past with the same entities they are to partner with for CIP (see GAO-04-1009). In addition, actors that have coordinated actions together through existing organizations such as US-CERT are better positioned to work in the CIP partnership. Similarly, a number of the sectors newly designated as “critical infrastructure” have been working together in concert since the release of PDD-63, which has contributed to what the GAO terms “sector maturity” (see GAO-07-39). These sectors are the most “mature” because of their long-standing heavy dependence on cyberinfrastructure—which is variably and broadly defined. Cyberinfrastructure is obviously key to all areas of critical infrastructure today, but during the mid-1990s, the sectors that depended most heavily on it were the most active participants in the activities outlined by PDD-63. While PDD-63 refers to both physical and cyber infrastructures, the clear focus from an implementation perspective was cyber and, thus, the sectors that least depended on cyberinfrastructure for the heart of their operations were relatively absent in actions related to CIP. A small cadre of sectors including communications, information services, treasury, and banking—perhaps thought of as a “clique” in network literature parlance—worked tightly with one another not only because of their interdependence but also because of their common interest in the goals of PDD-63. The actors within those sectors continue their close relations, even as the definition of CIP and the reliance on cyberinfrastructure have expanded.
Trust
A nagging challenge facing the CIP partnership is the level of trust between the myriad actors involved, evidenced by a discussion on this issue at annual joint sector plenary meetings (Critical Infrastructure Partnership Advisory Council [CIPAC], 2010). CIP inherently involves sharing sensitive information with private and public actors, which presents multiple types of risks depending on the information flow. In theory, actors formally and informally share information with each other (bilaterally or multilaterally), with their coordinating committee (SCC, GCC, or CIPAC), with their respective SSA, or with DHS—though, in practice, all information that is formally shared is likely to be seen by DHS given the structure of the partnership. However, information is also shared via Information Sharing and Analysis Centers and portals for the Homeland Security Information Network. Each of these information-sharing bodies has different standards of privacy, both within and across sectors, leading to a multiplicity of trust issues for partners (see GAO-10-972).
The most common complaint among private actors is that the information stream goes only in one direction (see GAO-02-24, GAO-05-434, GAO-06-383, and GAO-08-588). More critically, when DHS does share information, actors (public, too, but mostly private) have no control over what is disseminated. Private actors are particularly worried about DHS revealing information given to them in good faith that also contains trade secrets or other types of information that would give competitors an advantage. In addition, firms are worried about other governmental agencies using the disseminated information for the purposes of potential legal prosecution. In many ways, trust among all actors would alleviate some of this reticence, but this trust does not simply emerge from the ether and must be built over continued interactions among actors or provided via a concrete process by which information is disseminated. For this process to have legitimacy, all partners must be involved in the construction of such a process. Up until this point, however, the risks that accompany information-sharing mistakes are all bourn by the actors who share information with DHS.
Conclusions and Policy Implications
Partnership planning is a politically and administratively attractive approach to implementing policies that deal with large, complex problems. Moreover, actors in emergency management are primed to enter into partnerships, which makes their use as a method by which to implement broad and complex policies dealing with hazard-related management all the more attractive to state and (notably) federal agencies. Politically, partnerships are an easier sell to potential partners: they involve rather than impose upon relevant actors and create little new bureaucratic structure. That said, it is unclear that the CIP partnership is the approach after which future broad-based efforts ought to be modeled. In short, it is uncertain that the successes of coordination and information flow have much to do with the partnership at all. This finding is likely endemic to any CIP-like partnership in which partners’ existing efforts are also components of a new policy.
The CIP partnership is largely successful in areas where partnering was already occurring either as a function of mutual interest or membership in previous organizations designed to address similar problems. Thus, it is unclear that, even when the CIP partnership has seen success in coordination and some positive outcomes, CIP policy and the DHS can claim much credit. It is in this area of the partnership model of implementation where results from existing activities and results from leadership within a new partnership are difficult to parse. Simply positing that DHS is addressing CIP does not make it so and having a plan that only exists for the sake of planning can be dangerous for public confidence in government (Clarke, 1999).
Ways of Strengthening the Partnership
The following recommendations respond to coordination and participation deficiencies raised in this article across the CIP partnership; problems like these beset all policies that rely on a soft partnership for implementation. The CIP partnership suffers from a lack of clear goals and tasks by which to achieve those goals, has very little ability to create linkages between CIP and potential partners if those partners have not previously worked together, and has little awareness of outcomes within in each sector and across the partnership. If the CIP partnership is going to succeed in providing the vague, yet vital goal of securing critical infrastructure, then DHS needs to define specific tasks to reach this goal, restructure the CIP partnership into a more formal implementation arrangement, and put a more specific system or set of systems in place to monitor the activities of CIP actors.
Define more specific tasks for potential partners
Part of the issue associated with the CIP partnership is that there is confusion regarding who is a part of “critical infrastructure” and what their role is. Specifying tasks related to achieving CIP goals reduces the number of actors and also creates an environment in which the actors who are a part of the CIP partnership are more likely to participate. DHS could identify the “most critical” list that can help hone in on specific critical infrastructure items. The selection of these CIKRs could be based on the likelihood of attack and the extent to which the CIKR would result in the failure of other items. It is conceivable that this has been done at a classified or “for official use only” level; however, the partnership itself is not classified and needs to have open communication given that the number of potential members is not known.
Restructure the CIP implementation framework to look less like a partnership
One of the exacerbated problems associated with the CIP partnership is that there seems to be very little control over the activities of partners. This is partly due to a lack of funding and unclear goals by DHS; however, part of this lack of control simply stems from the partnership planning model being applied to such a broad policy area. With the consent of Congress, DHS could change the existing partnership structure to move away from placing non-DHS agencies as lead actors in each CIKR sector. For example, DHS could create its own SSAs to match each CIKR as stand-alone agencies within the DHS hierarchy or within the OIP. The latter option might also consider streamlining the coordination efforts within DHS.
This would at least have the advantage of creating some internal control and cohesion between the head of the partnership (the DHS) and the leaders in each sector (SSAs). A more drastic change would be to see the task of infrastructure protection falling to an entirely new agency that would, while certainly working with the same myriad actors as now, primarily carry out the tasks related to infrastructure protection. In this scenario, DHS would need to be given a greater regulatory authority over a vast array of tasks, promulgate various regulations, and enforce compliance on the parts of public and private actors in line with those regulations. This is more than the traditional model of implementation and its limitations are well known. Each of these options hinders the supposed flexibility lauded in the partnership model and would, particularly in the latter option, create friction and redundancies between DHS and governmental agencies in other sectors. Despite these caveats, moving away from the partnership model as it is currently practiced would provide DHS with the tools to more immediately implement tasks related to its CIP goals given that it would rely less on convincing actors to take action.
Performance monitoring
Finally, in a direct response to GAO observations, the DHS should make efforts to monitor, assess, and encourage performance across partners. At the policy level, this means that DHS must create benchmarks or other assessable items for which partners will be held accountable. At an implementation level, DHS will need to create a system of reporting—self or external. These are highly simplified recommendations; given the breath and complexity of the CIP partnership, it is likely that the concepts of performance and assessment would take many forms. Nonetheless, routine assessments of the security of CIP—broken down by sector or other smaller units—should help to add some clarity to some actors unsure if they are performing the correct tasks and discourage others from simply taking token actions.
None of these options are easy, quick, or in and of themselves a solution to the problems that beset the CIP partnership. Restructuring the partnership to look more top-down might reduce the coordination costs associated with cajoling other actors to take part, but no amount of restructuring can help a policy that has vague goals, few defined tasks, and moving target groups. Similarly, creating a performance-monitoring system that does not have a clear definition of “performance” or an ability to punish actors failing to reach partnership goals might as well not exist. Despite the difficulties associated with changing CIP policy, it is clear that the current framework is unevenly successful—but even that is hard to determine.
Footnotes
Declaration of Conflicting Interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This material is based upon work supported, in part, by the National Science Foundation under Grant CMMI-0924227. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
