From time to time I will totally plagerize and publish from classics of analytical thinking on both HS and EM that illuminated policies or issues for me. Here is one them that will be four years old in September. I don't always agree with DAN but this piece was brilliant. I have engaged in several comments on HLSWatch.com over last several days on the definition of HS and believe this testimony nails it.
Written Testimony Before the
United States Senate
Committee on Homeland Security and Government Affairs
The Next Five Years"
Daniel B. Prieto
Senior Fellow and Director
Homeland Security Center
The Reform Institute
September 12, 2006
Chairman Collins, Senator Lieberman, and distinguished members of the Committee on Homeland Security and Governmental Affairs, thank you for inviting me to testify before you today. My name is Daniel Prieto. I am Director of the Homeland Security Center at the Reform Institute. Previously, I was Fellow and Research Director of the Homeland Security Partnership Initiative at the Belfer Center for Science and International Affairs at the Harvard University Kennedy School of Government.
My testimony today reflects my own views and analysis and does not reflect the official position of any institution with which I am affiliated.
Since 9/11, homeland security in the US has, in large part, been an attempt to organize but not necessarily to optimize domestic assets and activities to detect, prevent, respond to, and recover from high-consequence events -- either terrorist induced or natural. There are also a number of related international components, including military action against terrorist groups; overseas intelligence and law-enforcement cooperation, and programs to detect and interdict threats among travelers, emigrants and cargo before they arrive in the United States.
Setting aside military operations, our homeland security efforts over the first five years since 9/11, have centered on five significant areas of activity: creating new law and policy; creating new organizations; developing new strategies and plans; implementing new “consensus” programs (e.g. CT-PAT, US-VISIT, PCII); and pursuing innovative but controversial programs (e.g. NSA domestic surveillance, use of commercial data for terrorism-related analysis as with TRIA and SecureFlight).
These activities face the following major challenges over the next five years.
1. Adaptation to a changing threat environment.
2. Management. We need to strengthen the management of our new homeland security organizations, in particular DHS. Failure to do this will make America less safe by leaving DHS a weak institution lacking in credibility and challenged to carry out its mandate.
3. Doctrine. Homeland security strategy documents since 2001 have provided tactics, methods and processes, but have failed to articulate strategy and doctrine that provide clear guidance for implementation and goals by which we can measure progress.
4. Engaging citizens and the private sector. To date, we have not done nearly enough to educate the public or to engage the resources and goodwill of the private sector.
5. Technology. While the U.S. is the envy of the world when it comes to technology, the federal government struggles to implement important homeland security technology projects and to transfer important commercial and mass-market technologies into the homeland security realms.
6. Coming to consensus on controversial intelligence and information sharing programs. We must reach consensus on intelligence and information sharing programs that unnecessarily force a choice between security and liberty. Failure to do so undermine government credibility, threatens the security of the country, and undermines core social values.
The Changing Threat
Looking at the threat environment, the world has not stood still since 9/11 Two major factors will pose significant new challenges over the next five years.
First, nuclear proliferation threats will increase, especially from Iran, North Korea, and Pakistan.
Second, the terrorist threat is evolving and may look quite different five years from now. AL Qaeda Central is weaker today, but it is stronger as an inspirational movement to cells that are increasingly independent, self-starting and home-grown. This is exemplified by the perpetrators of the London transit bombings and the thwarted London airline plot. Furthermore, the speed of radicalization has accelerated. Wars in Iraq and in Lebanon provide grievances that make recruitment to radical Islamist groups easier. The proliferation of new media outlets and terrorists’ use of the internet increase exposure to inciteful materials and training. Finally, like Afghanistan was for Bin Laden in the 1980s, Iraq provides a theater for the next generation of terrorist leaders to train, make connections, and build reputations.
Homeland Security Management
In the next five years, it is critical to stabilize and strengthen new homeland security organizations, especially the DHS. DHS represents a large-scale merger of many agencies in addition to a number of start-up activities. The ability of DHS to manage the integration of these efforts and ensure that the whole of DHS is greater than the sum of the parts relies on a strong and experienced management cadre and the creation of a unified culture. There has been less emphasis on rationalization of authorities and programs, functions and activities. The U.S. Government Accountability Office (GAO) rated the management challenge facing the department as “high risk” and noted that the successful transformation of a large organization takes from five to seven years. In the private sector, large scale mergers take 3-5 years or longer to work out. In a much less dynamic government environment, GAO’s estimate of 5-7 years may even be conservative.
The birth of DHS has not been easy. For its successes, it has suffered significant failures and missteps, which in my view have seriously damaged its credibility. Even though the largest natural disaster in US history by geographical impact (almost 90,000 square miles impacted) Katrina was its lowest moment, but it has been beset by a number of public missteps on critical infrastructure protection, grant funding, financial management, contract management, and technology; the repeated and frequent missing of Congressional deadlines; high turnover among senior staff; limited expertise among professional staff; difficulty in creating a professional cadre in important areas due to large-scale outsourcing of key strategy and integration tasks to outside contractors and an over-reliance on detailees who maintain loyalty to their home organizations; and general problems of coordination between DHS’ left and right hands.
Ineffectiveness or immaturity has led to the subsequent devolution of key functions that DHS inherited only a few years ago. DHS has increasingly spun off, shed, or had its responsibilities diminished in such areas as intelligence and information fusion, critical infrastructure protection, and post-disaster housing and health. In the most recent federal personnel survey, DHS employees ranked their organization at or near the bottom on nearly every measure of effectiveness. DHS is often viewed by other departments -- Justice, State, and DOD -- as second rate organization with second rate people. It also cannot be known as a second-career bureaucracy, of the many factors that destroyed effectiveness and efficiency in predecessor organizations such as the former Office of Emergency Preparedness in the 1960’s. It has the legal authority now to hire expertise from non-US experts under provisions of the preparedness title of the Robert T. Stafford Disaster Relief and Emergency Assistance Act (42 U.S.C. Sections 5121 et seq). Development of new human resources must be accomplished.
DHS is falling behind, and the window of opportunity to get things right may be closing. While DHS has made progress in rationalizing many basic operations, too much of DHS lacks strong management and adequate coordination. In the next five years, DHS must resolve key management issues, cease being an umbrella organization, and become a unified enterprise. Perhaps political leadership in DHS could better reflect administration and Congressional policy if they were fewer and more skilled and senior.
If DHS fails to create synergy among many entities it inherited and to mature into a more effective organization, we will be worse off as a country. If it continues to receive highly critical reviews from its own inspector general and unflattering portrayals in the press, if its employees continue to suffer from low morale and confidence in their agency, if it continues to spin off or shed key functions with which it was entrusted, and if its fails to improve its reputation among counterparts at other agencies, then the DHS risks becoming the DMV of the federal government, widely viewed as inefficient and ineffective. Worse yet, criticism of DHS becomes self-fulfilling: the more negatively viewed the organization is the less effective it becomes.
Presentation of these facts is not meant to be an indictment of DHS. DHS is not responsible for the social and historical milieu it inherited but is responsible for what it does with it. Many of the problems were to be expected in a merger integration exercise as large and complex as DHS. My point in raising them is to ask that this committee do all it can to shepherd the maturation of DHS. It may be necessary to read between the lines when senior DHS officials state that they have all the resources and capabilities they need, rosy scenarios which may be borne of political expediency and pride. It also may be necessary to moderate a growing desire to withhold or cut funding to DHS as a punitive measure. To the extent that DHS’ shortcomings stem from under-resourced or structurally weak management, the better solution would be to address the root of the problem.
To do this, key CxO level positions must be given greater power and more resources. The Chief Financial Officer (CFO), the Chief Information Officer (CIO), and the Chief Procurement Officer continue to lack effective department-wide authority. Some changes under Secretary Chertoff have helped, in particular increasing the power of the Deputy Secretary. But an organizational chart that gives the Deputy Secretary 22 direct reports, while failing to fully leverage the CxO positions does not make sense. Creation of a Policy Office and an Office of Strategic Plans are also significant steps in the right direction. Nonetheless, management control and integration of DHS, in my view, remain far too weak.
Congress plays an important role in DHS management as well, acting in an equivalent capacity to a board of directors. The creation of permanent homeland security committees in both the House and Senate reflect an important step in streamlining Congressional oversight. But the failure of Congress to allow this Committee and the House Committee on Homeland Security to obtain effective oversight and input on key statutes vested in DHS prevents effective integration of DHS programs functions and activities. Non-germane programs to Homeland Security could remain with traditional oversight relationships. At least one-third (1/3) of DHS’s programs, functions, and activities are unrelated to homeland security. The GAO could help in identifying these authorities, programs, functions, and activities. They should not be lumped in the analysis of expenditures of DHS on homeland security or closely related activities. At the same time, Katrina provided a galvanizing event that has allowed Congress to be much more assertive on homeland security in this past year. Reports critical of the Katrina response and leadership as well as bills on ports, chemical security, border security, FEMA and FISA/domestic surveillance, and CFIUS all demonstrate growing Congressional leadership and assertiveness. A close examination of the recommendations of reports by the White House, GAO, Senate and House indicate the recommendations have often made repeatedly in the past and are not new to post 9/11 findings and efforts, just a new context. For example in the early 90’s the Senate considered a number of bills on domestic response based on its bipartisan report on federal disaster relief efforts during Hurricane Andrew. The failure to adopt these recommendations in the past, again this could be done by GAO, should be identified and used to guide future correction of problems. Funds to make these corrections should be provided. Some of these fixes are not expensive. Finally, homeland security efforts in this Congressional session appear both more bipartisan and bicameral.
While these are all steps in the right direction, more needs to be done to rationalize oversight and ensure that Congress provides increasing efficient, effective, and focused homeland security oversight. Also, technical amendments should be immediately adopted to substitute the Secretary DHS formally for all statutes vested in DHS that list some other federal officer except where the President is that official.
The Senate Homeland Security continues to lack jurisdiction over several key homeland security components, especially in the areas of transportation. The Senate and the House homeland security committees should have jurisdiction all counterterrorism elements of DHS.
• Significantly strengthen DHS management directorate
• Continue to streamline Congressional oversight and fully empower Senate and House homeland security committees to have full oversight over DHS.
While over a dozen homeland security “strategy” documents have been produced since 2001, most of them are simply documents about tactics, methods and processes, and as identified by GAO most do not have a common analytical basis and focus and that makes for redundancy and overlaps and more important gaps in coverage. As such, they fail to articulate strategy and doctrine, which can guide implementation and provide goals against which activities and programs can be measured. As a result, too many programs end up being ad hoc, piecemeal and reactive, and they often lack clear links to a coherent whole. Tactics and stand alone programs must give way to comprehensive strategy and doctrine. This is particularly true in the areas of preparedness and critical infrastructure.
According to Paul McHale, Assistant Secretary of Defense for Homeland Defense, the United States should assume that we will continue to face traditional military challenges from nation-states and terrorists will attempt multiple simultaneous mass casualty CBRN attacks against the U.S. Homeland.
Based on such an assumption, the United States should develop a doctrine of homeland security preparedness not unlike prevailing U.S. military doctrine for most of the last 50 years. That doctrine required U.S. military forces to be prepared for two near-simultaneous wars in different theaters. A similar doctrine for homeland security would require the U.S. – DHS, other federal agencies, the National Guard, NORTHCOM and state and local entities – to be prepared to address two to three simultaneous high-consequence events, of the kind envisioned by the fifteen DHS National Planning Scenarios.
Once such a doctrine is established, it would have immediate ramifications for planning.
It would suggest, for example, greater and more specialized training for the National Guard, which has increasingly become the “Swiss army knife” of homeland security. The creation of National Guard “Special Forces” for homeland security would require Guardsmen to receive specific training against certain scenarios and that such specialization could occur on a regional basis, depending on event likelihood in a particular geography. For example:
DHS National Planning Scenario Geographically Based Training
Scenario 1: Nuclear Detonation – 10-Kiloton Improvised Nuclear Device National Capital Region, New York
Scenario 6: Chemical Attack – Toxic Industrial Chemicals New Jersey
Scenario 9: Natural Disaster – Major Earthquake California
Scenario 10: Natural Disaster – Major Hurricane Florida
Scenario 14: Biological Attack – Foreign Animal Disease (Foot and Mouth Disease) Texas, Missouri, Oklahoma, Nebraska
Improved training, greater specialization, a more sharply defined homeland security mission and free for-credit education at public state universities could provide a powerful incentive and improve recruiting, retention, and morale in the National Guard and Reserve. Training could also leverage existing DHS university centers of excellence, and provide meaningful joint training and cooperation with active military [NEST] teams and first responders.
A second implication of such a homeland security doctrine might be that NORTHCOM would also be in a better position to engage in 2-3 disaster scenarios if they had their own dedicated resources. They are currently only allocated 1,000 permanent personnel and $70 million. Compare that to DOD’s budget in 2004 of approximately $400 Billion and 1.4 million active duty personnel. Perhaps the domestic role of the National Guard should be more structured and formalized as part of support to NORTHCOM with extended deployments of Guard personnel to active duty positions in NORTHCOM. An outstanding report of the Defense Science Board on homeland defense and homeland security could be fully implemented. A Congressional mandate to expedite the rewriting of Executive order 12656, as amended, to integrate fully homeland security and homeland defense on an all-hazards basis would be helpful.
In addition, it would be valuable to increase the level of joint training and exercises between National Guard, NORTHCOM, and state and local officials to address specific scenarios. No course currently exists for State and local officials to explain to them how the Guard is activated, deployed or the decision taken to federalize or keep the GUARD in a non-federalized role in large scale domestic events. As a result much confusion exists witness the current arguments over allowing the statutory authority for GUARD deployments in large-scaled domestic emergencies where unique federal interests are implicated. It should be noted that at least a dozen major studies of the National Guard role in domestic events have been conducted in the last three decades, and virtually none of the recommendations adopted. Some of these were Congressionally mandated studies. Also there has been no attempt to address the issues raised by the approximately 15% of National Guard personnel that are State and local first responders.
• Establish analog to military two-war doctrine for DHS, National Guard and Northcom
• Create National Guard Special Forces, providing specialized training against the fifteen DHS National Planning Scenarios
• Dedicate resources to Northcom
Critical Infrastructure Protection
The latest version of the National Infrastructure Protection Plan is based on progress in three areas: public-private partnership, information sharing, and risk-based prioritization. These are obvious, if important tactics, but they are only tactics. Our critical infrastructure protection efforts are inadequate for 10 key reasons.
First, DHS still lacks a strategy that meets the requirements of the Homeland Security Act. to [establish priorities, and recommend actions to protect CI, TBA]
Second, DHS assumed that the private sector would be the principal funder and implementer of its own security. That has not happened. In the next five years, Washington needs to step up to make sure that we protect critical infrastructure better. Congress must recognize that cost allocations for security and protective measures can be complicated, not necessarily just passed on to the consumer, and are certainly not trivial on their direct and indirect impacts on industries and other sectors of the economy.
Third, DHS was not granted new legal authorities, other than what it inherited from legacy offices, for security over vital critical infrastructure sectors. Pending legislation to grant DHS authority over chemical security, for example would be a step in the right direction, but addressing these gaps in authority have been slow coming and must be completed.
Fourth, DHS and the Congress, as well have fallen into a seeming political correctness over critical infrastructure, as if all sectors pose equal risks. They do not. We must come to consensus on which sectors are more important than others. HSPD-7 started in this direction when it put priority on CI, which if attacked would have WMD-like effects. Secretary Chertoff, also started in the right direction when he talked about the importance of risk based allocations for grant funding. But the failure to establish and articulate clear priorities has been evident in DHS’ miscues over the national critical infrastructure database and grant funding reductions to Washington, DC and New York.
Fifth, Prioritization of CI sectors should be based on
• Vulnerability and Consequence. What industries best provide the terrorist trifecta: bodies, theater, and economic impact.
• Company Ability to Address Vulnerability. Some industries are more capable of implementing significant security enhancements on their own and in the near term. The industries least able to protect themselves are those that exhibit low growth, low profit margins, tight cash flow, long-lived capital assets, which are difficult to retrofit or replace; and industries that are not tightly regulated and therefore lack a quick mechanism by which the government can mandate greater security.
Based on these criteria, the top priorities for critical infrastructure protection are chemical facilities; transportation including airlines, ports, mass transit, and hazmat transport; and energy, including oil, gas, and the electric grid. When these assets exist in concentrated geographic areas, they are of even greater importance.
Sixth,, it is my understanding that DHS has scaled back its CIP activities. If the Protective Services Division is no longer active, then DHS has rather reduced itself to the role of coordinating the activities of other federal agencies. This is a mistake, and in my view fails to carry out the intent of the Homeland Security Act.
Seventh, Congress is failing to use all available policy tools at its disposal to enhance the security of critical infrastructure. It has painted a false choice between private sector self-protection and business-harming regulation. The government has failed to creatively use tax policy to promote additional investments in security to the extent that it believes that industry, on its own, is not investing enough. Take for example the chemical industry. Often derided as negligent when it comes to security, major chemical manufacturers have spent $3 billion since 9/11 to enhance security, hardly evidence of negligence. If society believes that more security is warranted, the government should catalyze greater investment by providing tax incentives that make security projects more attractive. Had such tax breaks been provided soon after 9/11 the debate over inherently safer technologies within pending legislation would not be so heated, because, I believe, many more companies would have already pursued such projects.
Eighth, the recommendations of the President’s Commission on Critical Infrastructure Protection that issued its final report in the fall of 1997 have never been implemented. Perhaps a decade later that report and its recommendations should be comprehensively reviewed and updated. A critical defect of that report was its failure to identify system weaknesses, for example large-scale energy outages still provide test-beds for restoration of service priorities as do telecommunication outages. These are system wide issues not isolated sectors and impacts.
Ninth, of the recommendations in 1997 of the PCCIP was to explore fully the use of the Defense Production Act of 1950 and its application both to critical infrastructure protection and service restoration and priority issues. In conjunction with the Energy Policy and Conservation Act, these statutes should be comprehensively updated to deal with energy supply and outage issues and also restoration priorities. The 1982 Congressionally mandated opinion by the Attorney General on emergency energy authority should be updated. That opinion revealed that some Governor’s have more emergency energy authority than the President.
Tenth, the position of the key political CIP official in DHS should be upgraded and filled on a long-term basis perhaps a five or seven year term so that a distinguished and expert person could fill that role. That position as some others in DHS should be considered nonpartisan.
• Quickly come to consensus on critical infrastructure priorities.
• Use all policy tools available, including mix of tax incentives, assistance in setting best practices, and smart regulation.
• Grant DHS sufficient authority where it is lacking, especially chemical security.
Engaging Society (1328)
Critical homeland security stakeholders outside of government – especially the general public and the private sector must be engaged much more fully. In 2002, the CSIS produced a study called “Civil Security” that is still a principal study of reasons why the public must be more closely integrated into homeland security efforts. Citizen Corps programs in DHS require more funding and direct political support.
I have argued since 9/11 of the need to create a culture of preparedness. For this to happen, we need to view our citizens as a critical backbone of American strength and resilience. The federal government has struggled mightily to strike a balance between providing more information while fearing that more information will frighten the public or provide an advantage to our enemies. This debate should end. The more informed and self-reliant we are when the next disaster strikes, the better off we will be. Perhaps adopting and publicizing planning standards reflecting the difficulty in deploying federal assistance within the first 72 hours of an event or incident that results in Presidential declaration of emergency or disaster would improve public understanding that they are largely on their own in that time frame. Hopefully, federal assistance can be more timely, but funding and staffing to provide assistance within the first 72 hours is probably not politically feasible. So State and local governments must be able to operate during that initial time-frame to provide assistance. It should be noted on the record that few states actually engage other than as a financial pass-through in emergency preparedness and response. Perhaps that should be changed, or more emphasis placed on mutual aid and the Emergency Management Assistance Compact approved by Congress in 1992.
States should be mandated to do all that they can to protect their citizens and their property with as little federal assistance as possible.
The most persuasive recent arguments on this front come from Brian Jenkins of RAND in his new book, Unconquerable Nation:
“The best way to increase our ability as a nation to respond to disasters, natural or man-made, is to enlist all citizens through education and engagement, which also happens to be a very good way to reduce the persistent anxieties that afflict us. We have not done this…The federal government’s decision to tell citizens to go on living their lives, offering only the vague admonition to be vigilant, has “encouraged dependency,” rather than “promoting self-reliance… We need to aggressively educate the public through all media, in the classrooms, at town halls, in civic meetings, through professional organizations, and in volunteer groups. This means more than speeches in front of the American flag. The basic course should include how to deal with the spectrum of threats we face, from “dirty bombs” to natural epidemics, with the emphasis on sound, easy-to-understand science aimed at dispelling mythology and inoculating the community against alarming rumors and panic.”
Public Education Proposals
• Significantly increase funding for and visibility of ready.gov to serve as a well-recognized and leading portal for the public to access detailed and deep information on threats and preparedness.
• DHS should increase its activities to support education and outreach efforts by trusted public information outlets, including the Red Cross, state and local authorities, and media outlets.
• DHS should establish an advisory board, comprising scientists to ensure that materials are accurate and up to date, and experts on communications, sociology and psychology to ensure that materials are most effective at providing education that empowers the public.
• Public Education should not be confused with Emergency Public Information efforts and training, including the issuance of PARs (Protective Action Recommendations) to the Public. This is a highly technical area and should be better funded or information deficiencies alone can and have resulted in death and destruction.
Engage the Private Sector
In policy and strategy documents since September 11, 2001, the Administration and Congress have repeatedly stressed the critical importance of “public-private partnerships” to make the country safer. Five years after 9/11, such partnership is more hope than reality:
• The federal reorganization since 9/11 has raised the difficulty and transaction costs for the private sector to work with the federal government.
• Information sharing between government and the private sector remains stunted.
• Overall investment in private sector security initiatives has been modest.
• The federal government has failed to provide meaningful incentives or standards for securing critical sectors that pose the highest risk and where voluntary efforts have proven to be insufficient.
• The private sector has not been effectively integrated into response and recovery planning for major disasters, though some promising public-private initiatives have been piloted
• The protections of the Defense Production Act against anti-trust and other information sharing activities have not been fully explored as evidenced by little or no action taken since 1997 when the PCCIP final report was issued. That statute should be reviewed completely for its impact and usefulness on homeland security and homeland defense.
In short, the capabilities, assets, and goodwill of the private sector to bolster our homeland security remain largely untapped. We need to find a way forward for true partnering between the public and private sectors on homeland security.
In fixing these problems, it is important to bear in mind a few essential principles that can be used to identify what responsibilities should be met by the private sector, those that are the responsibility of government, and those that can be shared jointly. Policymakers should remember that the government is inevitably a major market player whose actions directly affect the ability of the private sector to invest more in security. For its part, the private sector is not just a target, but also an important source for information, assets, and capabilities that the government does not possess. Furthermore, policymakers should not overlook the fact that industry leaders possess a sense of patriotism and civic duty that can be harnessed to improve U.S. security. American companies are willing to commit their time, expertise, and resources to support the homeland security mission. The federal government must make a concerted effort to recognize and encourage such actions as part of a successful partnership between the federal government and the private sector.
Federal security efforts must be tailored to address specific vulnerabilities in individual sectors. Too often federal officials treat the private sector as if it were a single actor, yet the consequences of a terrorist attack on a critical sector vary widely by sector. Nonregulatory approaches are often preferable, but when voluntary efforts do not achieve adequate levels of security, lawmakers and regulators may need to take action. Furthermore, Washington must realize that government regulation is not always in conflict with the best interests of the private sector. In many instances, federal action can help to bound market uncertainties, making it easier for markets to work and for the private sector to make investment decisions. Federal standards would also help ease industry fears of liability should their security efforts be defeated by a terrorist attack.
To make America more secure, the federal government urgently needs to provide better leadership on homeland security issues and become a more active partner with the private sector.
Private Sector Proposals
• Washington needs to change its policy paradigm regarding the private sector, which, in effect, tells companies to protect themselves. On critical infrastructure issues, Washington needs to provide leadership, not followership.
• Washington must move beyond talking about the need to dramatically improve information sharing with the private sector and hold government officials accountable for actually doing it.
• DHS must strengthen the quality and experience of its personnel. One way to do this aid in this effort could be to establish a personnel exchange program with the private sector.
• Congress and the administration should work closely with industry to establish security standards and implement and enforce regulations where necessary and, especially, where industry is seeking standards and regulation.
• Congress should establish targeted tax incentives to promote investments in security and resiliency in the highest-risk industries.
• Congress should establish federal liability protections for companies that undertake meaningful security improvements.
• Homeland security officials should substantially increase the number of exercises for responding to catastrophic events. Private sector assets and capabilities should be fully integrated into these exercises, with a view to achieving deeper private sector integration into national and regional emergency response plans.
• Federal response plans should identify specialized supplies/capabilities that will be in short supply following certain types of terrorist incidents or high-consequence events, including vaccines, ventilators, electric transformers, laboratory capacity, and decontamination equipment. Washington should work with the private sector to ensure the availability of these supplies and capabilities.
• DHS should establish a federal awards program, modeled after the prestigious Malcolm Baldridge National Quality Awards program, which recognizes private sector achievement and innovation in homeland security.
• If the Executive Branch cannot do so, then Congress should intervene in the personnel security system to ensure that barriers to effective fungibility of security clearances is improved and perhaps should mandate that the revision of Executive order 10450 which guides the personnel security system but it woefully outdated should be revised or superseded.
America is the envy of the world when it comes to technology, but too many homeland security technology projects since 9/11 have faltered, from the FBI’s virtual case file and DHS Homeland Security Information Network to border security systems. We need to do better to use technology and innovation to protect America. This is true not only on next generation projects like CBRN detection, but also on migrating mass-market technologies like digital maps and online market places into the homeland security arena.
Outside of the military realm, the federal government is not good at managing technology projects. Too many in government still view IT as obscure work divorced from policymaking and far less important. As a result, it tends to treat the management of technology projects as an afterthought — rather than integral to good policymaking. In the 1990s, the private sector transformed itself by learning how to deploy advanced technology strategically. The federal government needs to catch up.
DHS S&T directorate faces significant challenges. Weak management and leadership, staffing problems, the absence of coherent long term strategy, and financial problems have lead to proposed cuts in its budget and calls for its reorganization.
Outside of S&T, homeland security technology efforts face challenges as well. We continue to face poor communications and information sharing among first responders, state and local emergency managers, and homeland security officials during disasters. Issues related to the interoperability of voice communications are well known and continue to receive significant attention.
One area that deserves much greater attention is providing better situational awareness to first responders and the public through digital maps.
Situational awareness requires a common geographic frame of reference for everyone involved that can be easily updated as event details become clear. What evacuation and supply routes are open, closed, or destroyed? Where are essential supplies, industrial facilities and oil, gas, electric and communications lines? Where are shelters, hospitals, and churches and are they full? In a real time terrorist event, such as a dirty bomb or chemical release, knowing whether to go east or west a few blocks can mean the difference between life and death.
As the mass market has rapidly adopted mapping products over the last 5-10 years -- online maps with satellite imagery and GPS-based systems in our phones and cars (think Mapquest, GoogleMaps, OnStar) – it is not acceptable for the men and women who protect the homeland to be stuck in the dark ages, nor the public they are tasked to help defend.
Military resources were called into action by DHS during the response to Katrina. But homeland security should not have to beg, borrow and steal from others when it comes to their situational awareness. First-rate digital maps should not be “in case of emergency break glass.” Such capabilities should be in the basic toolkit of homeland security professionals, and they should be readily shared with first responders and state and local officials.
Just as important is empowering the public with geographic situational awareness so they can better plan and make decisions at times of disaster. As we saw in New Orleans, the public is frequently on its own in the immediate aftermath of a disaster, and empowering individuals to create and share response plans with their families or co-workers remains a documented unmet need.
- All major print, online and broadcast media should agree on a single map strategy for informing the public before and during an emergency, eliminating duplication of efforts and ensuring as consistent and accurate of an information flow as is possible
- DHS could finance local “map czars” who are empowered to cut through the bureaucracy to decide what is presented on such maps, including rapidly changing information during a crisis.
Developing such map and situational awareness capabilities is critical, especially since DHS mass evacuation plans remain inadequate and "are an area of profound concern," with 9 out of 10 evacuation plans deemed inadequate.
Another area where technology should be used much more effectively is in inventorying and coordinating the supply and delivery of disaster response assets. Future disasters envisioned by the Department of Homeland Security -- attacks with chemical, biological, radiological and nuclear agents, natural disasters, bombings -- will all require specialized response resources, many of which the government will not be in apposition to supply. Federal, state and local governments should identify critical supplies and capabilities -- vaccines, ventilators, generators, electric transformers, laboratory capacity, decontamination equipment, logistics, transport, warehousing -- that they will need ahead of time.
According to a recent report commissioned by the White House after Katrina, the "Achilles' heel" of our national preparedness is the ability, among all those players, to identify critical supplies and resources before a disaster strikes and finding and delivering them quickly afterward.
Everyday technology, properly harnessed, can help address some of the most glaring deficiencies
identified by the White House study. Building an eBay-like system to match regional disaster-response needs with companies that can pledge assistance ahead of time or help out in real time would save dollars and lives. Properly built and maintained, it would ensure that the vast majority of private pledges and donations are put to good use, instead of going unused. It would allow state, local and federal governments to inventory available critical assets rapidly and would be much faster than relying on government bureaucrats to create a resource database on their own. Such a system would also serve as a focal point for cooperation between government, the private sector and NGOs. It would allow the establishment of significant cooperation, trust, and interaction in advance of the next disaster so that we are better prepared when the next disaster hits.
• Improve situational awareness by greatly expanding availability of digital imaging and mapping capabilities to homeland security professionals as well as to the public directly and via media outlets.
• Drive preparedness with internet based market mechanisms that make it easier to inventory and secure critical response assets from non-governmental actors
Intelligence and Information Sharing
We need to moderate the discussion around homeland security innovations that suggest a zero sum tradeoff between civil liberties and security. We can enhance civil liberties and security at the same time. But in order to do that, Congress and the courts need to reassert themselves. The White House should be more willing to engage Congress and the courts to ensure programs’ legitimacy. Reaching consensus on controversial programs would gurantee sustainability of important programs while giving the public comfort that the programs are well managed, subject to careful oversight, accountable. Failure to reach consensus on controversial programs weakens both our government and our security over the long term.
Using technology to fight terrorism makes sense, given the weakness of good-old-fashioned human spying to penetrate jihadist terrorist groups. What does not make sense is the failure of cooperation between the three branches of government. A failure to achieve consensus between the three branches of government threatens technology innovation to fight terrorism, thereby threatening the long-term security of the country.
The disclosures on NSA domestic surveillance should have come as a surprise to no one. The Administration has displayed remarkable consistency since 9/11 in its aggressive use of technology and data analysis to uncover terrorist plots. The recently revealed NSA program is only the latest instance of Administration efforts to use data mining and other technology techniques in the war on terror. A 2004 survey by the U.S. Government Accountability Office found 199 non-classified federal data mining projects, a number that would grow if classified projects were included. Many of these programs have raised little controversy. Cargo security programs analyze volumes of shipper and cargo manifest data. Companies as diverse as FedEx, Western Union and AOL have been helping the feds and law enforcement by allowing them to look at portions of their customer and subscriber data. Other experiments -- including the Defense Department’s Total Information Awareness (TIA) program and TSA efforts to use commercially-available consumer data in airline passenger screening – raised public outcry and privacy concerns and were shut down by Congress.
Using technology to fight terrorism makes sense, given the weakness of good-old-fashioned human spying to penetrate jihadist terrorist groups. What does not make sense is the Administration’s failure to work more closely with willing allies in both Congress and the courts on the design and implementation of efforts like the NSA program. The abiding perception that the White House is taking a largely go-it-alone approach not only threatens technology innovation to fight terrorism, but it also threatens the long-term security of the country.
Despite the fits and starts, the Administration’s persistence in using data analysis as a tool in the war on terrorism marks the recognition of a simple truth: traditional human spying is insufficient to the modern terrorist threat. America’s spies are short on Arabic language skills and the cultural knowledge and diversity that would allow them to infiltrate an increasingly decentralized jihadist movement. How, for example, would an American spy ever hope to penetrate a group like the home-grown London subway bombers?
If traditional spying is currently ill-suited to find terrorists and will take up to a decade to fix, then the growing use of data-analysis techniques to fight terrorism is valuable and legitimate. If human spies are hard pressed to find more terrorists needles in the global haystack, another way to find more needles is to examine larger data haystacks. Combining technologies that analyze communication content, communications traffic, and social networks has the potential to help protect Americans. The average American understands this. According to a poll right after the NSA story broke, 63 percent of Americans supported the NSA program.
At the same time, these programs are imperfect and risk the wrongful entrapment of innocent citizens along with legitimate terrorists. That risk is magnified to the extent that these programs are insufficiently embedded in law or implemented absent the robust involvement of Congress and the courts.
A failure to better involve Congress and the courts in new, meaningful ways to fight terrorism needlessly risks the security of everyday Americans. First, the risk of overreach, mistakes or abuse risk a backlash similar to the ones that killed TIA and TSA programs. Such a backlash risks an overreaction and conceivably slap restrictions on the ability of this and future presidents to fight the war on terror. That risk is exacerbated by the largely go-it-alone approach that has characterized the White House approach to NSA programs to date.
Furthermore, the lack of a crystal clear legal framework to govern the NSA program puts the careers of government intelligence professionals at risk. It makes intelligence officials more likely to mistakenly violate individual civil liberties and privacy laws, making them vulnerable to lawsuits and accusations of abuse. Guidelines, rules and procedures for the intelligence community must be developed in consultation with the other two branches of government, who must also play an explicit approval and oversight role. The lack of clear guidance on the treatment of terrorist detainees provides a cautionary tale.
To maximize the benefits of technology innovation against terrorism while minimizing the risks, the Administration must involve the courts and Congress to the greatest extent possible. A failure to do that needlessly risks American civil liberties, the careers of intelligence community professionals, and a backlash by the Congress and the courts that overly restricts the ability of this and future presidents to use technology creatively to keep Americans safe. Global terrorism is a 21st century threat, and we must use 21st century technologies to fight it. At the same time, we must not lose sight of an 18th century American innovation – a government of checks and balances where the whole is greater than the sum of the parts.
• Do not wait for court resolution of constitutional issues.
• Seek rapprochement between Congress and White House and increased role for courts.
The President and the Congress have taken bold policy, legal and institutional steps to improve information sharing. New laws have been written, Executive Orders promulgated, and new organizations created. While the reforms undertaken are impressive, they are only a first step. On their own, they are sufficient neither to bring about the needed changes in behavior nor to build the technology systems that are needed to enable better sharing.
To ensure that policy reforms fully translate into changed behavior within critical agencies and departments, substantial leadership attention at the highest levels of government is necessary. These leaders, including the President and the Director of National Intelligence, need to identify the policies, rules, procedures, and incentives/disincentives that will promote information sharing and foster the creation of an environment of policies, business rules and technologies that will support it. Better policies, clearer rules, and more robust oversight for intelligence information makes all of us more secure both in our Constitutional rights and against terrorist threats.
Sharing information must become part of the DNA of our intelligence, national and homeland security, and defense communities. It must be woven into the fabric of department and agency cultures, bureaucratic behavior, and standard operating procedures for intelligence and law enforcement, into the education and training of government officials, and into the technology systems that these stakeholders use every day.
As an associate member of the Markle Foundation Task Force on Homeland Security, I strongly recommend that in the next five years the U.S. implement the recommendations of the Markle Foundation Task Force, including the innovative recommendations of this most recent report.
In particular, the Markle Task Force has recommended that the federal government:
• adopt an authorized use standard to protect civil liberties in the sharing and accessing of information the government has lawfully collected; this standard would replace existing outdated standards based on nationality and place of collection;
• take a “risk management” approach to classified information that better balances the risks of disclosure with the risks of failing to share information;
• create a government-wide dispute resolution mechanism to facilitate responsible, consistent, and lawful information sharing;
• develop tools, training, and procedures to enhance the use of the information sharing environment and its technological capabilities by line analysts and by senior officials;
• expand community-wide training, modern analytic methods, and new tools to enhance the quality of information sharing and analysis;
• encourage the use of new technologies such as anonymization, and the use of expert and data directories;
• employ immutable audit systems to facilitate both accountability and better coordination of activities within the information sharing environment; and
• create an Information Sharing Institute.
In addition to these proposals, I personally believe that there may be the need for comprehensive legislation governing the entire lifecycle of commercial data for terrorism-related purposes within the federal government. This is of particular importance as commercial data is increasingly being co-mingled with government data for the purposes of terrorism-related analysis. This use and sharing is currently governed by a raft of disparate rules, developed in a piecemeal manner piecemeal over time. Among many others, these include the Privacy Act and the E-Government Act, the Federal Information Security Management Act, the financial Modernization Act, and Patriot Act amendments to the Fair Credit Reporting Act. Add to this the recently finalized Protected Critical Infrastructure Information (PCII) regime. Potentially adding the data sharing and protection regimes contemplated in pending legislation for chemical security (S. 2145 and HR. 5695) and port security (S. 2459 and HR. 4954), and it quickly becomes apparent that these many rules create significant opportunity for confusion or conflict. Other contemplated legislation – for example, S. 3713 (Clinton); S. 1789 (Specter); HR. 5827 (Sweeney) – would all complicate the equation further.
At the end of the day, any attempt to harmonize or create a unified regime for the use and sharing of commercial data for terrorism-related purposes should provide be comprehensive and address government’s handling and management of data from “cradle to grave”: procurement, storage, use, ability to combine with other data, sharing within government and with government contractors, encryption, anonymization, dispute, and redress. At the moment all of the movement on these fronts is piecemeal, ad hoc, and uncoordinated. This creates lack of clarity, potential conflict, and reduces confidence in government to the extent data is mishandled, misused or leads to false positives that are difficult to redress or correct. This is unacceptable.
To ask are we safer automatically politicizes what should be non-partisan policy! Here is what I would say-What exactly has been accomplished in the five years since 9/11 and what still needs to be done? Also how do we calibrate the fact that gaps in accomplishments or gaps in identification of needs might lead to oversight of fundamental flaws in our approach to homeland security. For example, emergency communications interoperability is commonly identified but there is no real federally mandated lead such as under Exevutive order 12472 that created the NCS and its TSP system. Also, should the funding stream really follow the traditional post-world war II system essentially adding the States to the civil service by using them to implement federal grant programs in the Homeland Security arena. Of the 3400 county geographic jurisdictions in the US almost 5-600 are losing populations. The top 250 jurisdictions by population are the really key targets. Should their be dispersal of there key employees and assets under some trigger?
Should k-12 educational programs on individual and family preparedness be implemented?
Should new technologies get patents that include a discussion of how those technologies can be impacted from disruption? If this is the long-war should more effort be made to explain why their needs to be a partial mobilization of our society to deal with that fact? If ISLAM is just one of the breeding grounds for terrorism what revisions in intelligence or information sharing are necessary to protect us? Not that security clearances and need to know are still a major choke point with preventing integration of state and locals into the anti-terrorism counter-terrorism activity. Could the GUARD be utilized to somehow get around this issue by mandating that a GUARD liaison to each local jurisdiction of 250K population or more be adopted.
Should the system failure implications be incorporated into all federal lawmaking and rulemaking as in an EIS.
Many many more ideas and brainstorming could be done but I leave that to you!
Are we safer? At the five year anniversary of 9/11, the question is unavoidable.
In many ways the answer is yes. The U.S. has not been attacked again on U.S. soil. Our military has successfully degraded Al Qaeda Central and is cooperating successfully with allies to detect and thwart additional attacks. Our defenses at home are stronger. We embarked on the largest reorganization of the federal government since 1947, creating the Department of Homeland Security, the Directorate of National Intelligence, and Northcom. We have sought to improve information sharing – our ability to “connect the dots” -- with new laws and new institutions. We have sought to make it easier to find terrorists through the innovative use of technology and legal changes while at the same time seeking to protect civil liberties with a the creation of civil liberties boards and privacy offices. Airline security has been boosted. Private chemical manufacturers have invested $3 billion on greater security since 9/11. Nuclear plants have raised security to meet a higher level of design basis threat, required by the Nuclear Regulatory Commission [check]. Add to these measures a higher level of public awareness and precaution, and in many ways we are safer.
But in many ways, we are not safer.
The world has not stood still since 9/11. Nuclear proliferation will become an increasing problem and Al Qaeda is adjusting and evolving. At home, our homeland security efforts are still very much a work in progress. The emblem of our shortcomings is Katrina, with all of the significant gaps it exposed in our leadership, preparedness, coordination, and effectiveness to deal with even widely foreseen homeland security threats. We face other significant challenges going forward. DHS struggles mightily to meet the expectations that came with its creation. The DNI is finding its way, but early compromises limited its power from the outset. Chemical plants and ports are still not secure enough. Transit authorities can’t find enough money to implement desirable security measures. We lack a national consensus on priorities and our strategies are not robust, leaving us in a perennial state of reaction to the latest threat. A number of big-ticket homeland security technology projects have failed. Innovative programs to enhance security are forcing the tradeoff of liberty for security in an unnecessarily zero-sum game.
“Is it safe?” Dustin Hoffman’s answer to that question in the famous 1976 movie, The Marathon Man, was alternately “yes”… “no”… “it depends.” For every area of progress, significant gaps and vulnerabilities remain. Over the next five years, we must do more and do better.
In five years time, we should all hope to see:
1. A DHS that is a healthy and respected organization, equal to the task Americans expected of it when it was created.
2. A clear doctrine of national preparedness. National Guard Special Forces and a stronger NORTHCOM who train jointly to meet the threat of multiple simultaneous attacks or disasters.
3. A much better educated and empowered public on homeland security. When something happens, they are already well prepared and know where to go for the best and latest information.
4. Critical infrastructure is healthier as a result of a mixture of govt incentives, standards and regulations. Chemical facilities are more secure. The electric grid is less brittle. All forms of transportation, not just airplanes, are less vulnerable and attacks are more resilient/survivable. Security investments have improved the health and resiliency of critical infrastructure.
5. We are using technology better to enhance homeland security. S&T is a well-managed organization with a clear strategy and priorities. Homeland security The federal government is creatively
6. Civ lib/intell debate has reached equilibrium. Fed govt has greater authorities, but with greater power comes greater responsibility. Predicate rule has been relaxed as well as US Persons rule, but public is confident in judicial review, audit, accountability and redress [Markle]
Bill Gates has said that we always overestimate the change that will occur in [five] years and underestimate the change that will occur in 10. While we have made progress in the first five years, I am sure that many are frustrated by the pace of change and what we have not yet achieved. In the next five years, we have the opportunity – in fact, we have the duty – to make every effort to ensure that America is safer and more secure than we might even hope for today.