Fully utilize the materials that have been provided to you in order to support your response

Order Code RL33648

Critical Infrastructure: The National Asset Database

Updated July 16, 2007

John Moteff Specialist in Science and Technology Policy

Resources, Science, and Industry Division

Critical Infrastructure: The National Asset Database

Summary

The Office of Infrastructure Protection (OIP) in the Department of Homeland Security (DHS) has been developing and maintaining a National Asset Database. The Database contains information on over 77,000 individual assets, ranging from dams, hazardous materials sites, and nuclear power plants to local festivals, petting zoos, and sporting good stores. The presence of a large number of entries of the latter type (i.e. assets generally perceived as having more local importance than national importance) has attracted much criticism from the press and from Members of Congress. Many critics of the Database have assumed that it is (or should be) DHS’s list of the nation’s most critical assets and are concerned that, in its current form, it is being used inappropriately as the basis upon which federal resources, including infrastructure protection grants, are allocated.

According to DHS, both of those assumptions are wrong. DHS characterizes the National Asset Database not as a list of critical assets, but rather as a national asset inventory providing the ‘universe’ from which various lists of critical assets are produced. As such, the Department maintains that it represents just the first step in DHS’s risk management process outlined in the National Infrastructure Protection Plan. DHS has developed, apparently from the National Asset Database, a list of about 600 assets that it has determined are critical to the nation. Also, while the National Asset Database has been used to support federal grant-making decisions, according to a DHS official, it does not drive those decisions.

In July 2006 the DHS Office of the Inspector General released a report on the National Asset Database. Its primary conclusion was that the Database contained too many unusual and out-of-place assets and recommended that those judged to be of little national significance be removed from the Database. In his written response to the DHS IG report, the Undersecretary of DHS did not concur with this recommendation, asserting that keeping these less than nationally significant assets in the Database gave it a situational awareness that will assist in preparing and responding to a variety of incidents.

Accepting the DHS descriptions of the National Asset Database, questions and issues remain. For example, the National Asset Database seems to have evolved away from its origins as a list of critical infrastructures, perhaps causing the differences in perspective on what the Database is or should be. As an inventory of the nation’s assets, the National Asset Database is incomplete, limiting its value in preparing and responding to a wide variety of incidents. Assuring the quality of the information in the Database is important and a never-ending task. If DHS not only keeps the less than nationally significant assets in the Database but adds more of them to make the inventory complete, assuring the quality of the data on these assets may dominate the cost of maintaining the Database, while providing uncertain value. Finally, the information currently contained in the Database carries with it no legal obligations on the owner/operators of the asset. If, however, the Database becomes the basis for regulatory action in the future, what appears in the Database takes on more immediate consequences for both DHS and the owner/operators.

Contents

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

A Short Review of the DHS IG Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

The National Asset Database: What It Is and What It Is Not . . . . . . . . . . . . . . . . . 5

What Are Its Intended Uses? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 First Step in Identifying Critical Assets and Prioritizing Risk

Reduction Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Situational Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Basis for Allocating Critical Infrastructure Protection Grants . . . . . . . . . . . 11

Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Quality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 What to Keep . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 A Potential Change in Status for the Database . . . . . . . . . . . . . . . . . . . . . . 14 Congressional Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

List of Figures

Figure 1. National Asset Database Entries by Sector . . . . . . . . . . . . . . . . . . . . . . . 3

1 Department of Homeland Security. Office of the Inspector General. Progress in Developing the National Asset Database. OIG-06-04. June 2006. 2 Operation Liberty Shield was a comprehensive national plan to protect the homeland during U.S. operations in Iraq. For a discussion of some of the other initiatives taken as part of Operation Liberty Shield, see CRS Report RS21475, Operation Liberty Shield: Border, Transportation, and Domestic Security, by Jennifer E. Lake.

Critical Infrastructure: The National Asset Database

Introduction

The Office of Infrastructure Protection (OIP) in the Department of Homeland Security (DHS) has been developing and maintaining a National Asset Database. The Database contains information on a wide range of individual assets, from dams, hazardous materials sites, and nuclear power plants to local festivals, petting zoos, and sporting good stores. The presence of a large number of entries of the latter type (i.e. assets generally perceived as having more local importance than national importance) has attracted much criticism from the press and from Members of Congress. Many critics of the Database have assumed that it is (or should be) DHS’s list of the nation’s most critical assets and are concerned that, in its current form, it is being used inappropriately as the basis upon which federal resources, including infrastructure protection grants, are allocated. According to DHS, both of those assumptions are wrong.

The purpose of this report is to discuss the National Asset Database: what is in it, how it is populated, what the Database apparently is, what it is not, and how it is intended to be used. The report also discusses some of the issues on which Congress could focus its oversight. This report relies primarily on a DHS Office of the Inspector General (DHS IG) report,1 released on July 11, 2006, but makes reference to other government documents as well.

A Short Review of the DHS IG Report

The genesis of the National Asset Database remains somewhat unclear. A list of critical sites was begun in the spring of 2003 as part of Operation Liberty Shield.2

The list contained 160 assets, including chemical and hazardous materials sites, nuclear plants, energy facilities, business and finance centers, and more. The assets were selected by the newly formed Protective Services Division within the Office of Infrastructure Protection, in what was then called the Information Analysis and

CRS-2

3 DHS offered assistance to help protect these sites through its Buffer Zone Protection Plan program. At times the State Homeland Security grants could be used to help pay for overtime of law enforcement officials and National Guardsmen protecting critical sites. 4 According to testimony by the then Undersecretary for Information Analysis and Infrastructure Protection, a list of 1,700 assets (according to the DHS IG report the actual number was 1,849) was culled from the larger list. However, the DHS IG report implied that the Protected Measures Target List grew independently, to which was added additional information from the states and other sources, leading to a combined list of 28,368 assets, which then grew into the National Asset Database. 5 In June 2004, the House Appropriations Committee made reference to a Unified National Database of Critical Infrastructure, described as a master database of all existing critical infrastructures in the country. See, U.S. Congress. House of Representatives. Department of Homeland Security Appropriations Bill, 2005. H.Rept. 108-541. p. 92. The comparable Senate Appropriations Committee report (S.Rept. 108-280) made reference to a National Asset Database. The budget request for FY2005 mentions the development of a primary database of the nations critical infrastructure, but gave it no name. 6 The statutory definition of critical infrastructure is given in the USA PATRIOT Act (P.L.107-56). It is: “…systems and assets…so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters.” There are currently 12 sectors of the economy and 5 groups of key resources (dams, commercial assets, government facilities, national monuments, nuclear facilities) that DHS considers as possessing systems or assets that, if lost, may have a critical impact on the United States.

Infrastructure Protection Directorate, Department of Homeland Security. The Secretary of DHS asked states to provide additional security for these sites.3

During the course of the year (2003), DHS continued to collect information on various assets from a variety of sources. By early 2004, DHS had accumulated information on 28,368 assets. Although Operation Liberty Shield was now considered over, the initial list of 160 critical assets, those judged to be in need of additional protection because of their vulnerability and the potential consequences if attacked, grew to 1,849 assets and became known as the Protected Measures Target List.4 It is not clear when the information being gathered became known as the National Asset Database.5

By January 2006, according to the DHS IG report, the Database had grown to include 77,069 assets, ranging from nuclear power plants and dams to a casket company and an elevator company. It also contains locations and events ranging from Times Square in New York City to the Mule Day Parade in Columbia Tennessee (which, according to the city’s website, draws over 200,000 spectators each year for the week-long event).

The IG report categorized entries in the National Asset Database by critical infrastructure/key resource sector (see Figure 1).6 Additionally, the DHS IG report identified some of the entries with more specificity. For example, the Database contained, at the time, 4,055 malls, shopping centers, and retail outlets; 224 racetracks; 539 theme parks and 163 water parks; 1,305 casinos; 234 retails stores;

CRS-3

7 Department of Homeland Security. National Infrastructure Protection Plan. Released June 30, 2006. See, [http://www.dhs.gov/xprevprot/programs/editorial_0827.shtm]. 8 According to the DHS IG report, examples of existing government databases that have contributed to the National Asset Database include the Chemical Sites List (an Environmental Protection Agency database), and the Government Services Administration list of GSA Buildings.

514 religious meeting places; 127 gas stations; 130 libraries; 4,164 educational facilities; 217 railroad bridges; and 335 petroleum pipelines.

Source: Office of the Inspector General. Department of Homeland Security. Taken from Progress in Developing the National Asset Database.

The DHS gets information for the Database from a variety of sources. According to the National Infrastructure Protection Plan (NIPP)7, sources include existing government and commercially available databases;8 sector-specific agencies and other federal entities; voluntary submittals by owners and operators; periodic requests for information from states and localities and the private sector; and DHS- initiated studies. The number of assets in the Database is expected to grow as additional information is gathered.

The DHS IG report focused much of its attention on information provided by states and localities as the result of two data requests made by DHS. According to the DHS IG report, the vast majority of the 77,069 entries was collected as a result of those requests.

Commercial Assets, 17327

National Monuments and Icons, 224

Public Health, 8402

Postal and Shipping, 417

Energy, 7889

Not Specif ied, 290

Dams, 2029Agriculture and Food, 7542

Inf ormation Technology, 757

Transportation, 6141

Banking and Finance, 669

Water, 3842

Telecommunications, 3020

Chemical/Hazardous Materials, 2963

Nuclear Pow er Plants, 178

Emergency Services, 2420

Government Facilities, 12019

Def ense Industrial Base, 140

Figure 1. National Asset Database Entries by Sector

CRS-4

9 Department of Homeland Security. Office of the Inspector General. Op. Cit. p. 11. The Office of Domestic Preparedness is now called Grants and Training and is located within the Federal Emergency Management Agency, newly reconstituted by the Post-Katrina Management Reform Act of 2006 (part of the FY2007 DHS appropriation bill). Referred to as ODP throughout this report, it manages the majority of grants to states and localities for homeland security and critical infrastructure protection. 10 Ibid p. 8. 11 Ibid p. 8. This is similar language used in ODP’s Urban Areas Security Initiative grants. 12 Ibid. p. 12. 13 The collection of personal information in the Database requires DHS to publish a Privacy Impact Assessment. That Assessment can be found at [http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_nadb.pdf]. A discussion of the Assessment is beyond the scope of this report. Site last visited on July 16, 2007. 14 Department of Homeland Security. Office of the Inspector General. Op. cit. p. 6. 15 According to the DHS IG report, the Database contains 11,018 entries identified as nationally significant, 32,631 identified as not considered nationally significant, and 33,419 whose significance are undetermined.

According to the IG report, the first data call to the states, made by the Office of Domestic Preparedness in 2003, yielded poor quality data.9 The IG report described the guidance given states and localities as “minimal.”10 The guidance apparently did tell states, however, to “consider any system or asset that, if attacked, would result in catastrophic loss of life and/or catastrophic economic loss.”11 As a result, assets such as the petting zoos, local festivals and other places where people within a community congregate, or local assets ostensibly belonging to one of the critical infrastructure sectors, were among the assets reported. According to the IG report, many state officials were surprised to learn that additional assets from their states were added to the Database, which raises additional questions about how the information was collected.

According to the IG report, the second request to the states for critical infrastructure information came from the Office of Infrastructure Protection in July 2004 and was “significantly more organized and achieved better results.”12 Guidance was more specific, as was the information requested. DHS requested information for 17 data fields. Of those, DHS considered the following to be most important: address, owner, owner type, phone, local law enforcement point of contact, and latitude and longitude coordinates.13 States were also asked to identify those assets that they felt met a level of national significance. Criteria for identifying assets of national significance was provided by DHS. The criteria described certain thresholds, such as refineries with refining capacity in excess of 225,000 barrels per day, or commercial centers with potential economic loss impact of $10 billion or capacity of more than 35,000 people. Although the request was more specific, states were given much leeway as to what to include, and OIP accepted into the Database every submitted asset.14 As a result, additional assets of questionable national significance were added to the Database.15

The DHS IG report drew two primary conclusions. The first is that the Database

contains many “unusual, or out-of-place, assets whose criticality is not readily

CRS-5

16 Department of Homeland Security. Office of Inspector General. Op. cit. p. 9. 17 Ibid p. 18. 18 Other examples of what the DHS IG considered to be inconsistent were: some states listed schools for their sheltering function, some did not; Indiana listed over 8,000 assets, more than states larger in area and population like New York, Texas, and California; and, fewer banking and finance centers are listed for New York than North Dakota. 19 Office of Homeland Security. National Strategy for Homeland Security. July 2002. p. 30. 20 White House. The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets. February 2003. p. 23.

apparent,”16 while, at the same time, it “may have too few assets in essential areas and may present an incomplete picture.”17 The second conclusion was that the types of assets that were included and the information provided are inconsistent from state to state, locality to locality. For example, California entries included the entire Bay Area Regional Transit System as a single entry, while entries listed for New York City included 739 separate subway stations.18

The IG report made 4 recommendations:

! review the National Asset Database for out-of-place assets and assets marked as not nationally significant, and determine whether those assets should remain in the Database;

! provide state homeland security advisers the opportunity to review their assets in the Database to identify previously submitted assets that may not be relevant;

! during future data calls, provide States a list of their respective Database assets to reduce … duplicate submissions; and

! establish a milestone for the completion of a comprehensive risk assessment of critical infrastructure and key resources and ensure they are accurately captured in the National Infrastructure Protection Plan.

The National Asset Database: What It Is and What It Is Not

The National Strategy for Homeland Security recognized that not all assets within each critical infrastructure sector are equally important, and that the federal government would focus its effort on the highest priorities.19 The National Strategy for the Physical Protection of Critical Infrastructure and Key Assets stated that DHS will develop a methodology for identifying assets with national-level criticality and using this methodology will build a comprehensive database to catalog these critical assets.20 Judging from the criticism leveled at it, many believe the National Asset Database is (or should be) DHS’s list of assets critical to the nation.

CRS-6

21 Department of Homeland Security. Office of Inspector General. Op. cit. p. 29. 22 Department of Homeland Security. National Infrastructure Protection Plan. Op. cit. pg159. 23 See USA Today, “Database is Just the 1st Step,” by Robert Stephan. July 21, 2006. p. 8A. 24 See Congressional Quarterly’s internet publication, CQ Homeland Security, July 29, 2004, at [http://homeland.cq.com/hs/display.do?docid=1278697&sourcetype=31], last viewed July 16, 2007.

However, in his written response to the IG report, the Undersecretary for Preparedness, George Foresman, to whom the Office of Infrastructure Protection reports, stated that the National Asset Database is “not a list of critical assets…[but rather] a national asset inventory…[providing] the ‘universe’ from which various lists of critical assets are produced.”21 According to the National Infrastructure Protection Plan, the National Asset Database is a comprehensive catalog with descriptive information regarding the assets and systems that comprise the nation’s critical infrastructure and key resources.22 The Assistant Secretary for Infrastructure Protection, Robert Stephan, has called the Database a ‘phonebook’ of 77,000 facilities, assets and systems from across the nation, needed to facilitate more detailed risk analyses.23

Some may ask why there should be this difference in perception regarding the National Asset Database. One possible explanation is that, as noted above, the National Asset Database started out as the Protected Measures Target List, which was a prioritized list of assets considered critical at the national level. Also, as reported in at least one media source, when asked for its list of critical assets, Members of Congress were shown the expanded list containing the questionable assets.24 Based on subsequent response, Congressional interest appears focused on a prioritized list.