Country and Western singer Toby Keith immortalized this phrase in his gravelly ballad about relationship expectations. His sentiment was right at home last month at the Conference Board of Canada’s Critical Infrastructure (CI) Security Conference. As several presenters and delegates noted, despite the passage of six and a half years since 9/11, Canada still lacks a comprehensive, clear strategy aimed at securing Critical Infrastructure and ensuring, to the extent possible, its business resiliency.

Ironically, the conference coincided with the unexpected release of a Public Safety Canada Consultation Paper, oddly entitled ‘Working Towards a National Strategy and Action Plan for Critical Infrastructure.’ This of course contrasts with the Department’s November 2004 ‘Position Paper on a National Strategy for Critical Infrastructure Protection.’ If the plan in releasing the... uhhh…Plan was to deflect expectations, the strategy backfired. Moving from a ‘Position Paper’ to a ‘Working Towards’ plan may constitute progress in official Ottawa circles, but for people involved in operating or protecting CI, it’s merely continuing an inexcusable delay.

Despite this, there was a distinct air of optimism at the conference’s conclusion. This sentiment emanated from a month of unprecedented, informed, blunt, public analysis of federal inactivity on CI security, and Public Safety Minister Stockwell Day publicly overruling a Natural Resources Canada decision to end threat analysis briefings. The event provided a forum for detailed and specific CI Security recommendations, and the announce­ment that the Board will be assembling delegate recommendations is a further welcome development. Add to that the Public Safety solicitation of input, and it’s clear that something is in the air. I believe it’s called opportunity.

These are no small issues but there is palpable willingness among operators, industry, law enforcement and local governments to participate and achieve tangible results. Some of the topics under consideration will be governance and accountability, funding, information sharing, credentialing, technology deployment, cyber security, business resiliency and sector specific concerns. Each area presents choices, but as our friends south of the border have demonstrated, action is possible – although we may well choose not to proceed as they have. In the U.S., a series of Sector Specific Plans were designed with industry using a Risk Management Framework. The result was a series of enforceable sectoral Anti-Terrorism Standards. Recognizing their litigious propensity, the Americans also decided to enact the U.S. Safety Act with a civil liability exemption model based on deployment of certified technologies. I personally think a statutory presumption of civil liability exemption where regulatory standards are met is a better way to go, but doing nothing is not a wise “choice.”

Given the federal foot-dragging on this file, perhaps it’s also time to assign responsibility for federal completion of CI security issues to a single department – like Public Safety Canada. That way, if, for example, the mass transit sector doesn’t have a federally funded, two way continuous information sharing and threat analysis entity up and running by a defined date there will be specified persons to hold accountable both at Transport Canada and Public Safety. I seem to recall this approach being at the heart of the Auditor General’s 2003 Review of federal Anti-Terrorism Initiatives and a big part of the raison d’être for creating Public Safety and Emergency Preparedness Canada. Accountability works, when it’s real.

Finding the best funding model for CI security is also a priority. A $7.5M federal grant is frequently more effective than a $10M federal grant, 25% of which must come from either the operator or local government. It’s also a good idea to make sure that, whenever possible, federal CI security funding perform a public safety purpose. Bad guy lookout biometrics that recognize fugitive criminals as well as ­security risks or marine radar surveillance systems that detect small and fast moving gun and drug smugglers, and would-be power plant attackers, are examples of this dual benefit approach.

Perhaps the most glaring deficiency is our incomprehensible resistance to creating and operating industry-specific, two-way, federally funded information sharing entities. Once again, the U.S. can be something of a model with their Information Sharing and Analysis Centers. We’ve already got an Integrated Threat Assessment Center (ITAC), which could be beefed up to include an all hazards capacity.     

What we don’t want to do, is allow federal inactivity to lead to an un-coordinated approach on issues like credentialing for employees at critical infrastructure. To the extent possible, a person cleared to work at an East Coast seaport should be able to use that clearance to work at a Toronto airport or, if we’re really efficient, participate in the cross-border, low-risk programs like FAST or NEXUS. This national approach, with an effective bad-guy look-out component, is essential because we want to prevent a CI employee fired for security or integrity reasons from getting a different CI job just by changing towns or changing names.    

Finally, let’s get on with the measures that combine both security and business operations like finally implementing pre border clearance, so traffic is checked before it gets on that billion-dollar-a-day infrastructure called a bridge. At seaports, let’s recognize that, in today’s world, the ability of four illegals to stroll unimpeded out of the Port of Halifax is an unacceptable security deficiency, that if left unchecked will turn into a trade barrier. It’s long past time to admit that getting rid of the public policing presence at seaports was a ­mistake and that in correcting it, we turn this ­deficiency into a security and trade enhancement.  

There is still much to be done, and Toby has the right approach.

___
Associate Editor Scott Newark, a former Crown Prosecutor, is currently the Vice Chair/ Operations of the National Security Group.
© FrontLine Security 2008