Homeland Security Watch

A former FBI intelligence analyst speaks out today in a Washington Post op-ed on the Bureau’s failures to develop a successful intelligence shop since 9/11. She alludes to a DOJ Inspector General report that criticized FBI’s treatment of intelligence analysts earlier this year, a report that noted that the Bureau’s retention of analysts was low, in part because they were treated like “second-hand citizens” and frequently assigned menial tasks .

But she notes:

It wasn’t the photocopying or the lack of promotion potential that compelled me to leave my job as an FBI analyst this year — it was the frustration of working in a system that does not yet recognize analysis as a full partner in the FBI’s national security mission.

Many of the first-hand details in the rest of the article are devastating, such as:

Analysts found that in many cases they had to operate with a dearth of information and intelligence resources. For example, not all the people carrying the title “All Source Analyst” in the division for which I worked even had desktop access to the Internet or to intelligence community e-mail and intranet servers.

And:

There is no guidance giving field offices the information they need to direct case reporting to the appropriate analytic groups, and no policy mandating that they do so. In this vacuum, the analyst’s access to investigative data becomes almost entirely a function of personal relationships cultivated with agents in the field — a difficult task for those whose work it is to assess threats emerging across the nation and overseas.

Articles such as this confirm my long-standing belief that it was a serious blunder not to create a “MI-5″ type organization to lead domestic intelligence, either within DHS at its inception or as a stand-alone entity. Nevertheless, I have been cautiously optimistic until now that the FBI would eventually adapt and get its act together on analysis. Articles like this severely dent this optimism.

A mid-course correction might be an even worse alternative at this point, although perhaps a reinvigorated intelligence shop at DHS could be the foundation for a shift of responsibility from the FBI to DHS on domestic intelligence.

CQ’s package of year-end stories (by subscription only) is interlaced with some juicy nuggets of information.

For example, is DHS planning to move FEMA into the Coast Guard?

There is no shortage of speculation about possible changes. Some have heard that FEMA will become part of the U.S. Coast Guard, others that FEMA will be responsible for only the economic aspects of disaster response — as opposed to actual rescue operations.

I’m skeptical on this one, mostly because the Coast Guard’s plate is already close to full; but we’ll see…

And another story notes that a new report will be released that criticizes explosives detection activities in the aviation system in January:

In late January, federal investigators will release a “scathing” report exposing major gaps in the TSA’s system for screening airline passengers and their bags for bombs, according to Rep. John L. Mica, R-Fla., chairman of the House Aviation Subcommittee. The agency has not deployed enough bomb detection equipment, Mica said, and has not trained all of its screeners to identify bombs hidden in bags or on people.

Perhaps Kip Hawley’s changes to TSA’s screening rules last week were a preemptive response to this report?

And finally, another story notes that DHS received 5,000 (!) public comments on the National Infrastructure Protection Plan.

Early in 2005, an interim National Infrastructure Protection Plan (NIPP) unveiled by the government earned mixed reviews. A more robust draft NIPP emerged in November after lawmakers complained the plan had been delayed for too long.

The first round of public comment ended in early December, netting some 5,000 comments from government and private sector sources; a second round is expected.

I don’t envy the team that gets to read and process all of these…

The Wall Street Journal has a rather dour opinion piece today on homeland security, one that questions whether it’s even worth the government’s effort to try to secure the homeland. The piece cites several recent setbacks in the nation’s homeland security efforts (DHS personnel reform, congressional oversight, and FBI’s Trilogy project) as examples of government failing to exhibit the “can-do” spirit needed for success.

The article then argues:

But the points aptly illustrate the underlying problem with our collective homeland security apparatus, which is that no government bureaucracy is ever going to be the kind of well-oiled machine that can reliably and effectively prevent domestic terrorist threats. And this is to say nothing of natural disasters.

Instead, what we have is a kind of antiterror version of France’s pre-World War II Maginot Line; an expensive, highly visible static defense against a nimble adversary. Congress loves it because it offers the chance to throw money at domestic constituencies, and liberals love it because it allows them to sound hawkish on terror without having to fire a shot. The rest of us, however, need to be realistic about its abilities.

I’m of a mixed opinion on these arguments. I agree absolutely that the US homeland security system needs to become more nimble, adaptive, efficient and mission-focused. But unlike the writer, I’m not yet ready to give up on the men and women working for the government on homeland security around the country today. Why can’t DHS become a “well-oiled machine?” There are plenty of examples of effective government bureaucracies - including the FEMA of the 1990s, and today’s Coast Guard - that show that this is possible. And it shouldn’t be that difficult to figure out how to do this. For starters: (1) cut down on red tape, (2) remove roadblocks to hiring good people, (3) empower people on the frontline to make decisions, (4) give them the tools and intelligence they need, (5) create organizational transparency, and (6) show zero tolerance for internal turf wars.

I also think that “Maginot Line” is an unfair epithet for homeland security. To be certain, there are elements of the homeland security system, such as checkpoints at borders or airports, that have a Maginot Line-like character to them. But that’s not the whole system. Homeland security is more aptly described today as “defense-in-depth,” with interconnecting layers of security - intelligence, detection tools, boots on the ground, credential checks, physical barriers, public awareness, etc. - each contributing to a create a spider’s web of defenses that harden targets and deny terrorists entry and access to materials. There’s still a long way to go to get the system where it needs to be, but it’s hardly fair to compare it to the Maginot Line.

On Tuesday I posted an analysis of federal homeland security spending in FY 2004 on a state-by-state basis, using new data that was released on that day from the US Census Bureau’s annual Consolidated Federal Funds Report.

I focused my comments on the state-by-state per capita ranking of homeland security grant funds spent that year. But the spreadsheet also contains per-capita rankings of DHS procurement on a state-by-state basis, which paint an interesting picture of the geographic distribution of funds to the private sector:

The top ten:

1. Washington, DC ($1,324.61)
2. Virginia ($267.77)
3. Maryland ($81.90)
4. Alaska ($51.15)
5. Hawaii ($41.29)
6. Texas ($29.82)
7. Arizona ($18.48)
8. Georgia ($17.29)
9. Washington ($14.69)
10. Florida ($13.65)

No surprise that DC, VA, and MD are the top three…although bear in mind that it’s quite possible that some of these totals could reflect where the check is cut, not where the work is done. The rest of the states are all home to traditional government contractors and/or known for their appropriations clout.

And down at the bottom of the list:

43. Delaware ($0.85)
44. Illinois ($0.80)
45. Wisconsin ($0.75)
46. Utah ($0.72)
47. Nevada ($0.69)
48. Mississippi ($0.44)
49. South Dakota ($0.36)
50. North Dakota ($0.25)
51. Arkansas ($0.24)
52. Nebraska ($0.11)

There is definitely a large disparity between the top 20% and bottom 20% of this list. This must be one reason why Illinois is now trying to actively cultivate homeland security businesses.

The full ranking of states (plus DC and Puerto Rico) can be found in the spreadsheet.

The Arizona Republic writes yesterday about U.S. assistance to Mexico to support border security activities:

…the reality is that U.S. taxpayers have bankrolled much of Mexico’s increased border vigilance. From X-ray scanners and helicopters to intelligence training, the United States has been quietly pouring millions of dollars into Mexico in the hopes of bolstering U.S. national security.

U.S. spending on military and police aid to Mexico has more than tripled in the past five years to $57.8 million with the hope it will help protect America’s southern flank. But the funding also marks a dramatic shift in the relationship between the two countries, as Mexico, long wary of accepting military and police aid from its northern neighbor, becomes the third-biggest recipient in Latin America behind Colombia and Peru.

I don’t have a problem with this. Border security accounts for only a portion of the $57.8 million, which also includes other security-related aid for missions such as drug interdiction and port and maritime security. This total is a relatively small sum in comparison with total border security spending, and this type of investment seems consistent with Sec. Chertoff’s stated perspective of looking at the entire border system and prioritizing investments based upon their system-wide impact. It doesn’t make sense to put all of our resources on one side of the line.

The only thing in the story that stands out as a waste of money is this:

Meanwhile, Canada has gotten only one item from the United States since 2001: a 50-foot patrol boat used by the Royal Canadian Mounted Police in Vancouver.

Why are we buying patrol boats for the RCMP? Canada can afford their own.

Following up on the story on behavioral profiling at TSA that I mentioned in this post, Brian Dickerson at the Detroit Free-Press has a helpful guide on “How to talk to a TSA screener”. Some highlights:

SCREENER: Where you headed today, young fella?

RIGHT: I’m visiting my grandparents in Des Moines.

WRONG: I have a one-way ticket to Paradise!

And:

By contrast, the passenger who answers a screener’s questions in a forthright, self-confident manner is unlikely to arouse suspicion, regardless of her answers.

SCREENER: What a lovely pair of earrings! Where did you get them?

PASSENGER B, smiling brightly as she makes eye contact with her interrogator: I obtained them in exchange for sexual favors at a Taliban trading post outside Kabul. I got a pair just like them for my sister, but the CIA had her killed before our mutual friend in Frankfurt could deliver them.

SCREENER: What a pity. She would have loved them! Have a safe trip, ma’am.

Read the whole thing.

According to this story today in Information Week, DHS is going to begin testing RFID passports at SFO:

The Department of Homeland Security will begin testing passports embedded with radio frequency identification (RFID) technology at the San Francisco International Airport mid-January, a spokesperson for the agency said Friday.

Australia, New Zealand and Singapore have begun to issue passports to travelers with RFID chips. Many pass through the San Francisco, making it a likely location to test the technology, according to Anna Hinken, a US-Visit spokesperson at the Department of Homeland Security. “We’re bringing technology to the borders and chose RFID as one to help reach the goals of expediting safe entrance into the United States,” she said.

And the story details new tests on the way:

And there are more trials underway. RFID chips have been embedded in I-94 forms. People who frequently cross U.S. borders to work, for example, are required to carry these forms. Tests at the five border crossings will continue through spring 2006. A formal evaluation on the project is scheduled by March. The department will then make a decision on whether to continue the program. Since August, the US-Visit program has tested forms with RFID at five United States border crossings: two in Nogales Ariz.; two in Blaine, Wash.; and one in Alexandria Bay, New York.

The Collins-Lieberman chemical security bill that was introduced on Dec. 19 finally appeared on the Internet today. I’ve just finished reading through it, and it’s a well-written and thoughtful bill, taking into account the complete cycle of security for chemical plants - not just initial validation, but also efforts to maintain security and develop local response capabilities for chemical plant attacks or other incidents. It strikes an appropriate balance between the real need for security and unduly burdensome regulation.

The only concern I have is the timeline for implementation. The bill gives DHS a full year to write the regulations for chemical plant security; and then gives the industry another year to comply. So if the bill passes in, say, May 2006, we could be talking about May 2008 before compliance really emerges on an industry-wide basis. Do we have this luxury of time?

USA Today had a great overview piece this week on the interoperability of first responder and law enforcement communications systems. The article does a good job of summarizing the key challenges of interoperability:

Local agencies often lack the money and radio frequencies needed to upgrade equipment. And federal aid is sorely limited. Even with more money and frequencies, other hurdles thwart seamless communication among first responders:

• City, county, state and federal agencies buy radio equipment for their own needs. Turf battles often keep neighboring agencies from buying compatible gear, or even from teaming in an emergency. The federal government can’t force all agencies in a state or region to buy the same gear.

• Safety agencies often fail to plan for interagency communication in disasters or to train officers in how to talk to their counterparts.

• Technology standards that would let disparate radio systems talk with each other have been delayed. Experts at least partly blame foot-dragging by radio manufacturers.

The upshot: Free-flowing communication among agencies in the USA won’t come till 2023. At least that’s the projection of Safecom, a program in the Homeland Security Department that promotes public-safety communication.

If the costs are really as high as indicated in this article (e.g. $150-300m for the state of Mississippi alone, and $60b nation-wide), I’m uncertain as to whether this is the best way to be spending money on homeland security. There’s certainly a need for gateways that can patch together different systems on the fly, but it’s questionable whether some of the brand new radio systems that states and cities are buying are good investments, especially if they are not interoperable on a national basis.

The “$60 billion” that might be spent in the next two decades needs to be carefully weighed against other needs, such as training for first responders and new terrorism prevention capabilities. Alternatively, interoperable communications might be a more feasible investment if the federal government were to lead this effort, create a national system that promotes efficiency and economies of scale, and reduce substantially these projected costs.

Update (1/2): Another good story on this topic.

Former Congressman Tom McMillen has an interesting and provocative comment on homeland security at Huffington Post that recounts his experience as a young Olympic athlete in Munich in 1972, discusses his reactions to the film Munich, and puts forth an original and common-sense agenda for homeland security that includes the following items (slightly paraphrased for succinctness):

1. Fund our homeland security needs by level of risk and not by politics.
2. Establish a World Security Organization modeled after the World Health Organization.
3. Engage our young people who do not believe terrorism presents a danger to them.
4. Secure nuclear material globally today, not a decade from now.
5. Develop the will to finance responsibly the war on terror.

The second proposal, for a World Security Organization, is particularly intriguing and worthy of further discussion. It gets to an idea that I’ve been obsessed with for the last three years: what sort of international framework do we need to govern and enhance homeland security activities on a global basis?

McMillen writes:

We sorely need a global organization dedicated to mobilizing the resources of the many nations needing stability. Over 50% of the funds spent on global security is spent by the United States, while nations like China and India spend very little, less than 5% of worldwide governmental security spending. While these nations may think that global terrorism, since it is not a threat within their borders, does not affect them, they must realize that they, by necessity, have a huge stake in a stable, terror-free world. China, for example, has amassed over a trillion dollar trade surplus with the US just since 1990. Without a stable world and a stable US economy, where would China’s economy be? Isn’t it time for the US to ask for significant world support for the war on terror?

I agree with the problem that McMillen identifies here, but have some concerns as to whether creating a new international organization is the right solution, unless it is done the right way. For one, it’s too often the case that international organizations become ineffective bureaucratic paper-pushers. That’s not what is needed and would probably be counterproductive. For another, there are a number of existing international organizations that already play this role to some degree, such as Interpol, IAEA, WHO, ICAO, IMO, and the WCO. The relationship of a new “World Security Organization” to these existing agencies needs to be clarified.

However, I would be in favor of a World Security Organization that was light and flexible in its design - almost a special-ops force structure - and had a clear and narrowly-defined mandate that included the following responsibilities:

- Provide a means to agree upon and jump start the implementation of global homeland security policies and activities such as the Container Security Initiative (CSI) and the G8 SAFTI initiative.
- Create an international funding mechanism that can be used to share costs and also provide homeland security-related assistance to at-risk developing countries.
- Provide a forum to share best practices on an international basis in diverse areas such as response training, WMD detection, and critical infrastructure protection.
- Provide a forum for agreements on interoperability and technical standards for homeland security technologies such as biometrics and cargo seals.

It will be interesting to see if this idea begins to enter the policy dialogue. I’m glad to see McMillen bring it up.

This editorial in the Vero Beach Press-Journal (login req’d - borrow one here) asks a good question:

Does organization trump leadership in disaster management?

And later:

Had former, unlamented FEMA director Michael Brown been in the Cabinet when Hurricane Katrina bore down on the Gulf Coast, would he have performed any differently? Would he have had a plan? Would he have implemented it effectively? All we know for certain is he did not act, Homeland Security did not act and government at all levels was laggard in responding.

Count me among the skeptics on the idea of making FEMA a cabinet-level agency again. I can understand how the loss of cabinet status lessened FEMA’s prestige and access after 2003, but that’s not a sufficient excuse for their performance in Katrina. As the Post recounted last week, FEMA was already losing its effectiveness during the period from 2001-2003 before it was moved into DHS. I think the heart of the problem was leadership - and the focal point of any solution needs to also be focused on leadership, and finding ways to bring back the sense of mission and purpose that had made FEMA a model agency under James Lee Witt. If the plan for FEMA focuses on moving the boxes around, then there’s a high probability that what we’ll end up with is the “appearance of action” rather than “fixing the problem.”

The Boston Globe has a story today on the use of behavior detection in aviation security screening, noting how the TSA initiative follows the Israeli model of behavior detection and that an initial pilot project at Logan Airport has expanded to other airports in the Northeast. The article notes:

The TSA is facing opposition from the American Civil Liberties Union, which filed a lawsuit in Massachusetts last year claiming behavior detection can be easily abused because TSA officers have to guess who is suspicious, leading to racial profiling.

I get frustrated when I read things like this. This kind of “cry wolf” absolutism on civil liberties fails to examine the potential security benefits of a given initiative and rationally weigh it against the impact on civil liberties. And I always hear the ACLU criticizing homeland security activities, but I never hear them offering alternative proposals on how they would conduct security. Do they want watch list matching? (No.) Do they want risk-based profiling? (No.) Or registered traveler programs? (No.) Or something else? Do they really think that screening should be entirely random, and have a process where an 88-year old grandmother has the same chance of getting pulled aside as a young foreign citizen from a country with known terrorist connections?

I’d like to know.

A new issue of Homeland Security Affairs, published by the Naval Postgraduate School in Monterey, was put up on the web last week. Its contents are here. The issue contains several interesting articles, including “Potholes and Detours in the Road to Critical Infrastructure Protection Policy.”

The authors walk through some of the reasons why efforts to improve critical infrastructure protection have been suboptimal, including the lack of standards, the devolution of authority to states and cities, and the difficulty (disputed by the authors) of regulating private sector activity.

The authors’ argument about the need for a federal lead role in critical infrastructure protection due to the distributed and intrastate nature of infrastructure is the strongest section of the piece:

Consider the case of the Alaskan telecommunications sector. Alaska’s telecommunication infrastructure supports local police, fire, and emergency management functions as well as consumer telephone and Internet access. Without it, Alaskans would be isolated from the rest of the United States. Naturally, it makes sense for the Federal government – through the Department of Homeland Security – to provide funding and training to Alaskans so they can strengthen their telecommunications infrastructure and harden it against potential terrorist attacks. However, this strategy is inadequate and dangerous, because Alaska’s telephone and most Internet services are dependent on a single building in Seattle! The Weston building in Seattle is the sixth largest telecom hotel in the nation, and it provides connectivity to the citizens of Alaska. Alaskan’s cannot protect this major asset no mater how much money the Federal Government provides, because it lies outside of their jurisdiction.

In addition to the problem of an asset in one state being critical to another state, there is the overarching problem of Interstate Commerce laws that regulate and shape infrastructures such as telecommunications, energy, power, and transportation. States have little power over the Federal regulators when it comes to passing laws that might affect an element of one of these infrastructures and weaken the same infrastructure at the national level. Examples of this can be found in cross-sector interdependencies. For example, the largest electrical power plant in Missouri (New Madrid) is totally dependent on the rail system that delivers coal from Wyoming. Rail transportation and electrical power sectors are regulated by federal agencies – not Wyoming and Missouri – and yet, a policy that may ensure reliable electric power generation in Missouri could conflict with energy policies affecting Wyoming….

Read the whole thing.

I generally like William Arkin’s Early Warning blog at Washingtonpost.com, but his latest post goes off the deep end. He writes:

Let’s hope as well that 2006 isn’t another year where weapons of mass destruction destroy America. From the continuing house of pain in Iraq to hurricane Katrina to the end of the year news that the Department of Energy secretly sniffed around mosques for radioaction, the government is so enamored of exotic threats from nuclear and biological weapons that it can barely see straight. In the case of Katrina, it couldn’t fulfill its fundamental duties….

Sure al Qaeda is “interested” in acquiring WMD; PROOF WAS FOUND IN AFGHANISTAN, the nuclear crazies say. And then there are all the loose nukes in Russia and the missing nuclear materials and the suitcase nuclear bombs. I wonder whether there is any veracity to the presumption of any kind of a serious terrorist WMD threat.

Huh? Nuclear and biological weapons are “exotic threats”? The terrorist WMD threat isn’t “serious”? Call me a “nuclear crazy” if you must, but for my money, nuclear and biological threats are practically the whole ballgame in homeland security and counterterrorism, because the potential consequences of attack are so high. If these are exotic threats, then what does he think the real threats are?

And what did efforts to protect the United States against WMD-related threats have to do with the response failures of Hurricane Katrina? If anything, the response to Katrina tells me that the US government needs to be doing MORE to prepare to respond to WMD-related attacks, in concert with preparedness for natural disasters.

The editorial pages of the Washington Post and the Wall Street Journal - which usually disagree with each other - are in lock-step on the border security bill passed by the House early last week.

From the Post’s piece:

Before leaving town the House of Representatives passed a terrible bill designed to shore up American border security — or, at least, to appear to do so. The bill, sponsored by Judiciary Committee Chairman F. James Sensenbrenner Jr. (R-Wis.), is dangerous because of what it does and what it doesn’t do. It contains any number of mindless criminal penalties for immigration violations, and it would make both detention and deportation of illegal immigrants easier. But it would do nothing to rationalize U.S. immigration policy. The Bush administration, which has rightly argued for a more sensible approach, disgracefully got behind the bill. And House members, many of whom know better, passed it 239 to 182.

I think the “many of whom know better” comment is exactly right. As I argued earlier here and here, we’re still in the early innings on this legislation, and for many members of Congress this was a consequence-free vote.

The Wall Street Journal is even harsher on the bill:

Tom Tancredo has done everyone a favor by stating plainly the immigration rejectionists’ endgame–turn the United States into the world’s largest gated community. The House took a step in that direction this month by passing another immigration “reform” bill heavy with border control and business harassment and light on anything that will work in the real world.

…The legislation is aimed at placating a small but vocal constituency that wants the borders somehow sealed, come what may to the economy, American traditions of liberty or the Republican Party’s relationship with the increasingly important Latino vote.

Clearly the business community is going to be more engaged in the next stages of border legislation and will try to moderate its contents.

At the end of the day, I think the most likely outcome is a relatively modest bill that strengthens border staffing and technology, improves the detention and removal process, and makes modest improvements to workplace enforcement, but doesn’t include a Southern border fence or a guest worker program. There’s a chance that these latter two items could be packaged together as part of a grand compromise between the key factions on this issue, but there is a rhetorical chasm between these factions right now, so compromise will not be easy.

Carie Lemack, a co-founder of Families of September 11, had an editorial in USA Today on Tuesday asking who would take up the role of the 9/11 Commission and its successor, the 9/11 Public Discourse Project:

More than four years after the attacks, shocking gaps remain in our nation’s defense against terrorism. Keeping a watchful, skeptical eye on the government is in the best tradition of our republic.

As the commissioners go their separate ways, the question remains: Who will champion the reforms that haven’t been adopted?

That’s a good question. I’m still not sure why the Public Discourse Project was ended - was it a money issue? Hopefully the ten commissioners will still be engaged in the public dialogue on an individual basis. And the Government Accountability Office, Inspectors General of the key agencies, and the media are all key cogs in holding government officials accountable and bringing these issues to public attention.

And I think the blogosphere has an important and growing role. This site will certainly strive to play a small part in keeping a “watchful, skeptical eye” on homeland security activities, in the bipartisan spirit of the 9/11 Commission, and promote an open, informed dialogue on key issues.

The editorial continues:

Progress to address the greatest threat — the threat of nuclear terrorism — does not appear to be a top priority. At the current rate, the U.S. government’s effort to “lock down” nuclear materials in the former Soviet Union, so it can’t be stolen or bought by terrorists, will not be completed for 14 years.

And the most difficult recommendation from the 9/11 Commission has been all but abandoned: Who will push Congress to reorganize itself to provide adequate oversight over intelligence and homeland security?

On this first issue, I couldn’t agree more. This needs to be the #1 priority for U.S. national security today. Period.

On the issue of congressional oversight, I think it’s too strong to say that this recommendation has been “all but abandoned” - there was some very real progress on homeland security oversight between the 108th and 109th Congresses, particularly in the House, where the Homeland Security Committee now has solid jurisdiction over most of the key homeland security issues. But it’s correct to say that there is still much more to do, especially in the Senate, where efforts to consolidate jurisdiction in the Homeland Security and Government Affairs Committee (HSGAC) went only halfway, with committees like Judiciary and Commerce retaining substantial jurisdiction.

My thoughts are with Ms. Lemack and others who lost loved ones on 9/11, in what must be a difficult time of year.

The Congressional Research Service published a solid new report last week entitled “Vulnerability of Concentrated Critical Infrastructure: Background and Policy Options. It’s available here.

The report examines the forces that have led to the geographic concentration of certain types of critical infrastructure (e.g. petrochemical operations on the Gulf of Mexico, west coast port facilities, rail hubs in Chicago and Missouri), including natural location of resources, economies of scale, and agglomeration (or cluster) economies.

The report then considers if and how the geographic concentration of critical infrastructure creates an unnecessary vulnerability to terrorism or natural disasters, and whether a government should find policy mechanisms to encourage the dispersion and/or redundancy of infrastructure as a hedge against catastrophic loss…or whether the natural mechanisms of the insurance and risk management markets can fulfill this function over time.

I think this is in area where a broad policy response is warranted in theory, but could probably never work in practice. Trying to impose broad policy conditions on the future development of entire sectors will impose costs that are almost certainly greater than potential benefits. But at the margins there is a role for government to develop or identify “strategic capacity reserves” similar to the Strategic Petroleum Reserve, to act as a hedge or safety stock against catastrophic loss, perhaps in areas such as port capacity and public health infrastructure.

The Wall Street Journal has an story today (available here) on the building boom for bioterrorism labs, noting that no less than seven “biosafety level 4 (BSL-4)” labs are under construction or on the drawing board today.

From the article:

…That jump in cost was a fraction of what the federal government plans to spend on new facilities to fight bioterrorism — at least $1.0 billion over the next decade on seven large new buildings housing laboratories for research designated “biosafety level-4,” reserved for life-threatening diseases with no known cure. The amount of space reserved for BSL-4 research could top 100,000 square feet in the seven buildings, experts say….

For the past few decades, research on BSL-4 agents has been limited primarily to the CDC and the U.S. Army Medical Research Institute of Infectious Diseases at Fort Detrick in Frederick, Md. But with the threat of bioterrorism and emerging infectious diseases, these facilities aren’t adequate for the growing demand for research into BSL-4 agents, scientists say. Prior to the new facility, the CDC’s most recent lab for highly infectious diseases was built in 1988. A U.S. Army lab facility planned for Fort Detrick will be 700,000-square-feet — the size of seven Wal-Marts — and will cost at least $400 million, although plans could change by the time it is completed in 2013.

Some critics have questioned the many construction projects and the need for so much lab space devoted to BSL-4 research. “It’s a mystery what they are going to fill these labs up with, because there are, frankly, not that many BSL-4 agents, and not that many researchers to keep these places busy,” said Edward Hammond, director of Austin, Texas-based Sunshine Project, which monitors the U.S. biodefense program.

Clearly there is the need for more capacity, given the current realities of the bioterror threat and the potential for genetically engineered bioweapons. My primary concern after reading the article is that all of this seems to be taking place haphazardly, in the absence of a clearly defined bioterrorism strategy that aligns agency roles and funding priorities. The article indicates that four separate agencies are building BSL-4 facilities: DHS, the Centers for Disease Control, the National Institute of Allergy and Infectious Disease (NIAID) at NIH, and the U.S. Army Medical Research Institute of Infectious Diseases. Are they working closely together? Do the White House and OMB have a strategy that aligns and prioritizes all of this activity? And have these investments been tested against related funding priorities, such as providing grants to develop the next generation of scientists who will be needed to work in these labs?

If not, these investments are unnecessarily risky, and the potential for waste and duplication of effort is high.

The Washington Post has a story on a new DHS Office of Inspector General (OIG) report entitled “Major Management Challenges Facing the Department of Homeland Security.”

From the Post story:

Nearly three years after it was formed, the mammoth Department of Homeland Security remains hampered by severe management and financial problems that contributed to the flawed response to Hurricane Katrina, according to an independent audit released yesterday.

The report by Homeland Security Inspector General Richard L. Skinner aimed some of its most pointed criticism at one of DHS’s major entities, the Federal Emergency Management Agency. Katrina and a subsequent storm, Rita, added to FEMA’s “already overburdened resources and infrastructure,” the report said.

I think the arguments in the report are essentially correct, but other than the warnings on the importance of Katrina oversight, there’s not much new in the report. It’s basically a summary of the OIG’s current and recent work, and it reads similar to the “material risks” section of a company’s annual report or IPO filing in the way that it lists everything that is going wrong or could go wrong. It would be more helpful to DHS if the OIG wrote a report that said “these are the top 3 or 5 management challenges with which you need to be concerned.”

The U.S. Census released the Consolidated Federal Funds Report for FY 2004 today. This report provides a detailed breakdown of federal government spending each year, down to the agency and county level. As the press release notes today:

Fiscal Year 2004 is the first full year for which data are included for the Department of Homeland Security.

There’s a lot to be learned from a detailed analysis of the data. I have copied the state-level data for the Department of Homeland Security (broken down by grants, procurement, and salaries) and created a spreadsheet that ranks homeland security spending by state in each category. You can download the spreadsheet here.

One of the most interesting results is the ranking of states for homeland security grants in FY 2004 on a per capita basis. The top ten states (plus DC and Puerto Rico) on the list:

1. West Virginia ($53.83)
2. Florida ($48.91)
3. Alabama ($43.42)
4. Virginia ($31.33)
5. Washington, DC ($29.24)
6. North Dakota ($26.91)
7. Puerto Rico ($25.47)
8. Alaska ($20.58)
9. Arkansas ($18.76)
10. Kentucky ($16.59)

Other than DC, VA and FL, not exactly a high-risk bunch. And the one state that is usually cited (Wyoming) is nowhere to be found (it’s at #26). And the bottom ten:

43. Utah ($5.14)
44. Missouri ($4.82)
45. Colorado ($3.80)
46. Nevada ($3.47)
47. California ($3.09)
48. Hawaii ($3.02)
49. Illinois ($2.97)
50. Rhode Island ($2.89)
51. Arizona ($2.82)
52. Georgia ($2.30)

I haven’t yet looked deeper into the state data to figure out why there is such a large variance. No doubt part of it is due to the small-state bias in the original homeland security grant formulas, but that can’t explain all of it, since there are large states near the top and small states near the bottom. Perhaps some of the variance is the result of funding for disaster relief - that could explain Florida’s high per capita ranking. For what it’s worth, the average unweighted ranking of a “blue state” is 29.5 (out of 51) and the average unweighted ranking of a “red state” is 23.8, although this is likely a function, at least partially, of the small-state bias. Or perhaps the fact that some states have spent appropriated grant funds faster than others has an impact on the data.

The spreadsheet (Excel format) contains the full list as well as similar rankings for DHS procurement, salaries, and total spending on a state-by-state basis.

The New York Times weighs in today on the issue of chemical plant security:

It is hard to believe, but more than four years after the Sept. 11 attacks, Congress has still not acted to make chemical plants, one of the nation’s greatest terrorist vulnerabilities, safer. Last week, Senators Susan Collins, a Maine Republican, and Joseph Lieberman, a Connecticut Democrat, unveiled a bipartisan chemical plant security bill. We hope that parts of the bill will be improved as it works its way through Congress, though even in its current form the bill would be a significant step.

Also, this story in Chemical & Engineering News provides the first industry perspective on the bill. Look for this issue to be a key point of contention as the bill moves forward:

In a notable change from an earlier draft of the legislation circulated by Collins’ staff, the bill would allow governors to establish more stringent security standards for chemical plants in their states.

I’m still waiting for the full bill to show up on Thomas. Why does it take 8 days (and counting) to get a bill posted for the public to see?

Update (12/30): The bill is now up at the link above.

The Democratic staff of the House Homeland Security Committee released a report today entitled “Leaving the Nation at Risk: 33 Unfulfilled Promises From the Department of Homeland Security.”

Many of the criticisms of DHS in the report are definitely valid, especially those concerning intelligence and state & local information-sharing programs, which need to be strengthened and accelerated. As I wrote in this post, I think there are definitely people in the new team who get this. But it still won’t be easy for DHS to win the turf battles in this area.

But other criticisms in the report I don’t really understand. In several places, the report criticizes DHS for going slow or shutting down cost-ineffective or technologically unproven projects (e.g. going slow on UAVs at the border). From my perspective, this is exactly what DHS should be doing, and not chasing good money after bad or uncertain.

Not every R&D project or technology deployment is going to pan out, due to the limits of technology and the complexity of the homeland security challenge. This fact shouldn’t let DHS off the hook, but I think it needs to be taken into account when people (quite validly) criticize the Department.

The Los Angeles Times has an interesting story about Colorado Springs’ plans to develop the first city-wide sensor network in the U.S. to detect radiological and nuclear threats:

In this quiet bedroom community surrounded by five military bases, including NORAD, which monitors North American airspace, city officials believe that they have to worry about terrorism as much as some of the nation’s biggest cities. That’s why Merritt, the city’s senior traffic engineer, has become the point person in an effort to install a monitoring system that could detect a “dirty bomb” or another similar radiological terrorist attack….

But Colorado Springs appears to be the first city in the nation to prepare a citywide system. Ottawa, Canada, is the only other North American city that has a similar setup, according to the company that makes the products Colorado Springs is using.

The article notes that the cost of this is likely to be in the $1m-$2m range for the city. Given the fact that NORAD and Northcom are in Colorado Springs, this seems like a relatively prudent investment from a risk standpoint.

Hopefully this will motivate efforts at the federal level to develop and implement a national strategy for nuclear and radiological detection. There have been some solid progress in R&D for rad/nuc sensors and the development of standards in the last four years. And a new office was created in 2005 - the Domestic Nuclear Detection Office (DNDO) - to drive this effort. But it’s not yet clear to me that there is a clear strategy in the federal government about how to implement sensors in a way that creates a “national detection architecture.”

One key element of this will be finding the right balance between federal, state and local funding. DHS has a role in funding detection capabilities in cities, but should only do so if states and cities are willing to spend some of their own money (at least 30%) in support of this mission.

For more information, see this related article in the Colorado Springs Gazette from early November and this whitepaper from the company that is implementing the system for Colorado Springs.

CQ had a story in their final edition before the holidays about a new report released by the Democratic staff of the House HSC entitled “The Vital Link to Improving Information Sharing with State, Local and Tribal Law Enforcement.”

Amid some partisan rhetoric is a very solid analysis of one of the toughest problems in the last few years: getting meaningful intelligence to front-line law enforcement officials - and not just sanitized products made meaningless by classification rules and procedures.

The key proposal in the report is the following:

Rather than pursuing this patchworked approach, the United States would be better served by a solution modeled on the Central Services’ Police International Counter Terrorism Unit (PICTU) and New Scotland Yard’s Joint Terrorism Analysis Centre (JTAC) in the United Kingdom (UK). JTAC, with PICTU’s assistance, has established a successful process by which highly classified intelligence information is converted to a law enforcement sensitive-type format that can be widely disseminated to police officers to support both threat assessment and prevention planning. JTAC is staffed not only by intelligence analysts but also by a select group of police officers with security clearances – including representatives from PICTU – who know firsthand what information their colleagues in the field need to intercept terrorists and foil their plans. JTAC, with PICTU’s assistance, can identify what intelligence information would be of interest at a local level, redact whatever portions of that information might harm the national security, and funnel it to an appropriate audience. In addition to the critical role that PICTU plays in this process, it also uses open source material to inform local police forces of terrorist threats and how to address them when intelligence resources are lacking.

The report compares the JTAC to the National Counterterrorism Center (NCTC) in the U.S., and argues that we need a “PICTU” equivalent as a key step in solving the problem of frontline information-sharing.

This seems like a solid proposal, especially the joint-staffing element of it. The UK’s experience is not directly applicable to the United States in some respects, mainly due to different legal and institutional structures. But both countries face the same fundamental challenge, and the British model here is one worth emulating as part of a broad solution that addresses the structural, technological and cultural challenges of info-sharing.

ps. For more background on JTAC and PICTU see here and here.

Update (12/29): text edited to add link to report.

For obvious reasons, it’s a very slow week for homeland security-related events in DC.

But for those of you like me who have been asking yourselves, “What can hermeneutics teach us about the war on terror?”, it appears that the college English professors of the world are smart mobbing at the Marriott Wardman Park for the Modern Language Association’s annual conference, which will include sessions such as:

- Representing 9/11
- Arab Pop Culture Speaks Back
- Pop Culture and the War on Terror
- Critique and Terror: The New Americanists and Cultural Politics Today

I suppose “Deconstructing the Home(less)land” will have to wait until next year.

(Please e-mail if you have suggestions about additions to this list for this week, or future weeks.)

The New York Times has an interesting question and answer interview with Steve Flynn of the Council on Foreign relations posted on its site today.

His reaction to the NSA story:

There’s no question, in my view, that dealing with al-Qaeda and the ongoing terrorist threat requires a different level of and different kinds of authority than existed before 9/11. But as a core principle, if you’re going to raise the authority of the government to a new level, then you have to raise the bar on accountability. Unfortunately, what we seem to have today is a constant rising of government’s level of authority with a diminishing level of accountability. The result of that, in the long run, will be a backlash by the public and a loss of support for important measures, particularly as the time between terrorist incidents expands.

I think that’s exactly right.

And a good definition of resilience, and what it means to build it into critical infrastructures and key assets:

In my view we need to inventory the things in our society that are both critical and currently vulnerable and quickly work to make them more resilient. Resilience can take one of three forms. One way is to harden things such as putting Jersey barriers around important buildings to keep truck bombs from getting too close. Another is redundancy. For instance, the distribution system of our electric gird would be more resilient if we have an inventory of spare electrical transformers so if one is targeted, it can be replaced quickly and power can be readily restored. Have spares would make transformers a less attractive terrorist target. The third form is to make your response capabilities as good as possible. For instance, the Trans-Alaska oil pipeline really doesn’t lend itself to hardening or redunancy. But quick response to a repair an accidental or intentional breach in the pipeline could be an effective deterrent. An emphasis on one or more elements of resiliency would depend on both balancing the potential consequences of a successful terrorist attack and the costs associated with each of the resiliency options.

For more on the topic of resilience, I highly recommend MIT professor Yossi Sheffi’s new book entitled The Resilient Enterprise.

The Q&A also includes insightful comments on aviation security and cargo security. Read the whole interview.

The New York Times has a follow-up piece today on the NSA story, which seems to confirm prior suspicion around the blogosphere (see these prescient posts by Bruce Schneier, Defense Tech, and Early Warning) that a large element of this story is about the use of new technologies:

What has not been publicly acknowledged is that N.S.A. technicians, besides actually eavesdropping on specific conversations, have combed through large volumes of phone and Internet traffic in search of patterns that might point to terrorism suspects. Some officials describe the program as a large data-mining operation….

Officials in the government and the telecommunications industry who have knowledge of parts of the program say the N.S.A. has sought to analyze communications patterns to glean clues from details like who is calling whom, how long a phone call lasts and what time of day it is made, and the origins and destinations of phone calls and e-mail messages. Calls to and from Afghanistan, for instance, are known to have been of particular interest to the N.S.A. since the Sept. 11 attacks, the officials said.

This so-called “pattern analysis” on calls within the United States would, in many circumstances, require a court warrant if the government wanted to trace who calls whom.

Assuming this is true, my reactions are mixed. I can see real security benefits from this kind of analysis in some instances, especially in terms of using relationship analysis to build out a the web of connections between people and their identifiers (i.e. phone numbers, e-mail addresses). If there are these tangible security benefits, and it is done in a way that makes a clear effort to protect privacy by such means as anonymization of data and user audits, then this can be an appropriate tool in the war on terror.

But this story reinforces what I wrote last Monday in this post, and my sense that the extra-legal path that has been chosen by the Administration will harm our efforts to fight the war on terror in the long-run, for all of the potential short-run benefits. A story like this has the potential to tar ALL data mining and data analysis activities in the government, without making distinctions between activities based upon their security benefits, built-in privacy protections, and consistency with other legal and societal norms.

I think it’s time for the United States to have an open and honest debate about data mining and data analysis for homeland security, one that shifts the debate away from the current dynamic where scaremongering and accusations of treason are the normal mode of discourse.

A good starting point for this discussion is my former colleague Mary DeRosa’s excellent study on Data Mining and Data Analysis for Counterterrorism, published last year.

US News and World Report has a new story about radiation detection teams (NEST teams) covertly monitoring sites such as mosques and office buildings in the United States - from outside of the buildings, but on private property, without warrants:

In search of a terrorist nuclear bomb, the federal government since 9/11 has run a far-reaching, top secret program to monitor radiation levels at over a hundred Muslim sites in the Washington, D.C., area, including mosques, homes, businesses, and warehouses, plus similar sites in at least five other cities, U.S. News has learned. In numerous cases, the monitoring required investigators to go on to the property under surveillance, although no search warrants or court orders were ever obtained, according to those with knowledge of the program. Some participants were threatened with loss of their jobs when they questioned the legality of the operation, according to these accounts.

In contrast to the NSA story, this doesn’t seem like a big deal to me, given the less intrusive nature of this type of surveillance: the privacy rights of nuclear materials are fundamentally different than the privacy rights of people. This seems like exactly what the US government should be doing, and living in the DC metro area, I’m damn glad that NEST teams exist and are doing this.