Can Business And Government Speak The Same Language?

The Homeland Security Department's National Infrastructure Advisory Council Tuesday held its first meeting since President Bush's November reelection. After a first term largely spent getting its arms around just how much of the nation's critical infrastructure - energy utilities, manufacturing and transportation facilities, telecommunication and data networks, and financial services - is run by private-sector companies, NIAC is now looking for a way to motivate these companies to improve both physical and cyber security. Not an easy task when you consider that corporate America maintains an estimated 85-to-90% of the nation's critical infrastructure.The Jan. 11 NIAC meeting was also the first for Greg Peters, CEO of Internap Network Security Services Corp, who only last week was appointed by President Bush to the council. Peters, a veteran of the telecommunications industry, understands the gravity of NIAC's charter, but he's also optimistic that NIAC can find incentives to promote improved security technology and processes among these critical-infrastructure companies.

"We've got to find a way to bring the private sector closer to the government," Peters said when I met with him in New York the day after his first NIAC meeting. "We have to get a certain number of businesses in compliance (with security standards), or we'll never be safe."

Asking companies to volunteer to invest in new security and processes won't get the job done fast enough, nor will drafting legislation mandating compliance. To successfully deal with the private sector, the Bush administration needs to speak the private sector's language, Peters suggested. This means creating a security certification that critical-infrastructure companies can use to raise their value to shareholders and gain competitive advantage in their respective markets. "Such certification would still be voluntary, but it would appeal to companies that want to be perceived as leaders," he said.

Although such certification doesn't yet exist, Peters and his NIAC colleagues envision an industry-based standards body like the International Organization for Standardization (ISO), being formed to administer the certification.

Technology will also play a key role in coordinating critical infrastructure security. Homeland Security in June introduced a pilot Homeland Security Information Network-Critical Infrastructure program in Dallas that will ultimately link critical infrastructure owners with federal, state, and local emergency response agencies. "Without this, the information we're collecting won't be disseminated to the right people," Peters said.

The critical infrastructure security initiative will get its first taste of success only when the majority of companies across the nation's entire critical infrastructure have bolstered security. Peters believes this is an appropriate and realistic goal for Homeland Security to accomplish during Bush's second term.

What are your thoughts on NIAC's ideas for improving critical-infrastructure security? Could a certification program work?