Homeland Security Watch

The Congressional Research Service published a solid new report last week entitled “Vulnerability of Concentrated Critical Infrastructure: Background and Policy Options. It’s available here.

The report examines the forces that have led to the geographic concentration of certain types of critical infrastructure (e.g. petrochemical operations on the Gulf of Mexico, west coast port facilities, rail hubs in Chicago and Missouri), including natural location of resources, economies of scale, and agglomeration (or cluster) economies.

The report then considers if and how the geographic concentration of critical infrastructure creates an unnecessary vulnerability to terrorism or natural disasters, and whether a government should find policy mechanisms to encourage the dispersion and/or redundancy of infrastructure as a hedge against catastrophic loss…or whether the natural mechanisms of the insurance and risk management markets can fulfill this function over time.

I think this is in area where a broad policy response is warranted in theory, but could probably never work in practice. Trying to impose broad policy conditions on the future development of entire sectors will impose costs that are almost certainly greater than potential benefits. But at the margins there is a role for government to develop or identify “strategic capacity reserves” similar to the Strategic Petroleum Reserve, to act as a hedge or safety stock against catastrophic loss, perhaps in areas such as port capacity and public health infrastructure.

The Wall Street Journal has an story today (available here) on the building boom for bioterrorism labs, noting that no less than seven “biosafety level 4 (BSL-4)” labs are under construction or on the drawing board today.

From the article:

…That jump in cost was a fraction of what the federal government plans to spend on new facilities to fight bioterrorism — at least $1.0 billion over the next decade on seven large new buildings housing laboratories for research designated “biosafety level-4,” reserved for life-threatening diseases with no known cure. The amount of space reserved for BSL-4 research could top 100,000 square feet in the seven buildings, experts say….

For the past few decades, research on BSL-4 agents has been limited primarily to the CDC and the U.S. Army Medical Research Institute of Infectious Diseases at Fort Detrick in Frederick, Md. But with the threat of bioterrorism and emerging infectious diseases, these facilities aren’t adequate for the growing demand for research into BSL-4 agents, scientists say. Prior to the new facility, the CDC’s most recent lab for highly infectious diseases was built in 1988. A U.S. Army lab facility planned for Fort Detrick will be 700,000-square-feet — the size of seven Wal-Marts — and will cost at least $400 million, although plans could change by the time it is completed in 2013.

Some critics have questioned the many construction projects and the need for so much lab space devoted to BSL-4 research. “It’s a mystery what they are going to fill these labs up with, because there are, frankly, not that many BSL-4 agents, and not that many researchers to keep these places busy,” said Edward Hammond, director of Austin, Texas-based Sunshine Project, which monitors the U.S. biodefense program.

Clearly there is the need for more capacity, given the current realities of the bioterror threat and the potential for genetically engineered bioweapons. My primary concern after reading the article is that all of this seems to be taking place haphazardly, in the absence of a clearly defined bioterrorism strategy that aligns agency roles and funding priorities. The article indicates that four separate agencies are building BSL-4 facilities: DHS, the Centers for Disease Control, the National Institute of Allergy and Infectious Disease (NIAID) at NIH, and the U.S. Army Medical Research Institute of Infectious Diseases. Are they working closely together? Do the White House and OMB have a strategy that aligns and prioritizes all of this activity? And have these investments been tested against related funding priorities, such as providing grants to develop the next generation of scientists who will be needed to work in these labs?

If not, these investments are unnecessarily risky, and the potential for waste and duplication of effort is high.

The Washington Post has a story on a new DHS Office of Inspector General (OIG) report entitled “Major Management Challenges Facing the Department of Homeland Security.”

From the Post story:

Nearly three years after it was formed, the mammoth Department of Homeland Security remains hampered by severe management and financial problems that contributed to the flawed response to Hurricane Katrina, according to an independent audit released yesterday.

The report by Homeland Security Inspector General Richard L. Skinner aimed some of its most pointed criticism at one of DHS’s major entities, the Federal Emergency Management Agency. Katrina and a subsequent storm, Rita, added to FEMA’s “already overburdened resources and infrastructure,” the report said.

I think the arguments in the report are essentially correct, but other than the warnings on the importance of Katrina oversight, there’s not much new in the report. It’s basically a summary of the OIG’s current and recent work, and it reads similar to the “material risks” section of a company’s annual report or IPO filing in the way that it lists everything that is going wrong or could go wrong. It would be more helpful to DHS if the OIG wrote a report that said “these are the top 3 or 5 management challenges with which you need to be concerned.”

The U.S. Census released the Consolidated Federal Funds Report for FY 2004 today. This report provides a detailed breakdown of federal government spending each year, down to the agency and county level. As the press release notes today:

Fiscal Year 2004 is the first full year for which data are included for the Department of Homeland Security.

There’s a lot to be learned from a detailed analysis of the data. I have copied the state-level data for the Department of Homeland Security (broken down by grants, procurement, and salaries) and created a spreadsheet that ranks homeland security spending by state in each category. You can download the spreadsheet here.

One of the most interesting results is the ranking of states for homeland security grants in FY 2004 on a per capita basis. The top ten states (plus DC and Puerto Rico) on the list:

1. West Virginia ($53.83)
2. Florida ($48.91)
3. Alabama ($43.42)
4. Virginia ($31.33)
5. Washington, DC ($29.24)
6. North Dakota ($26.91)
7. Puerto Rico ($25.47)
8. Alaska ($20.58)
9. Arkansas ($18.76)
10. Kentucky ($16.59)

Other than DC, VA and FL, not exactly a high-risk bunch. And the one state that is usually cited (Wyoming) is nowhere to be found (it’s at #26). And the bottom ten:

43. Utah ($5.14)
44. Missouri ($4.82)
45. Colorado ($3.80)
46. Nevada ($3.47)
47. California ($3.09)
48. Hawaii ($3.02)
49. Illinois ($2.97)
50. Rhode Island ($2.89)
51. Arizona ($2.82)
52. Georgia ($2.30)

I haven’t yet looked deeper into the state data to figure out why there is such a large variance. No doubt part of it is due to the small-state bias in the original homeland security grant formulas, but that can’t explain all of it, since there are large states near the top and small states near the bottom. Perhaps some of the variance is the result of funding for disaster relief – that could explain Florida’s high per capita ranking. For what it’s worth, the average unweighted ranking of a “blue state” is 29.5 (out of 51) and the average unweighted ranking of a “red state” is 23.8, although this is likely a function, at least partially, of the small-state bias. Or perhaps the fact that some states have spent appropriated grant funds faster than others has an impact on the data.

The spreadsheet (Excel format) contains the full list as well as similar rankings for DHS procurement, salaries, and total spending on a state-by-state basis.

The New York Times weighs in today on the issue of chemical plant security:

It is hard to believe, but more than four years after the Sept. 11 attacks, Congress has still not acted to make chemical plants, one of the nation’s greatest terrorist vulnerabilities, safer. Last week, Senators Susan Collins, a Maine Republican, and Joseph Lieberman, a Connecticut Democrat, unveiled a bipartisan chemical plant security bill. We hope that parts of the bill will be improved as it works its way through Congress, though even in its current form the bill would be a significant step.

Also, this story in Chemical & Engineering News provides the first industry perspective on the bill. Look for this issue to be a key point of contention as the bill moves forward:

In a notable change from an earlier draft of the legislation circulated by Collins’ staff, the bill would allow governors to establish more stringent security standards for chemical plants in their states.

I’m still waiting for the full bill to show up on Thomas. Why does it take 8 days (and counting) to get a bill posted for the public to see?

Update (12/30): The bill is now up at the link above.

The Democratic staff of the House Homeland Security Committee released a report today entitled “Leaving the Nation at Risk: 33 Unfulfilled Promises From the Department of Homeland Security.”

Many of the criticisms of DHS in the report are definitely valid, especially those concerning intelligence and state & local information-sharing programs, which need to be strengthened and accelerated. As I wrote in this post, I think there are definitely people in the new team who get this. But it still won’t be easy for DHS to win the turf battles in this area.

But other criticisms in the report I don’t really understand. In several places, the report criticizes DHS for going slow or shutting down cost-ineffective or technologically unproven projects (e.g. going slow on UAVs at the border). From my perspective, this is exactly what DHS should be doing, and not chasing good money after bad or uncertain.

Not every R&D project or technology deployment is going to pan out, due to the limits of technology and the complexity of the homeland security challenge. This fact shouldn’t let DHS off the hook, but I think it needs to be taken into account when people (quite validly) criticize the Department.

The Los Angeles Times has an interesting story about Colorado Springs’ plans to develop the first city-wide sensor network in the U.S. to detect radiological and nuclear threats:

In this quiet bedroom community surrounded by five military bases, including NORAD, which monitors North American airspace, city officials believe that they have to worry about terrorism as much as some of the nation’s biggest cities. That’s why Merritt, the city’s senior traffic engineer, has become the point person in an effort to install a monitoring system that could detect a “dirty bomb” or another similar radiological terrorist attack….

But Colorado Springs appears to be the first city in the nation to prepare a citywide system. Ottawa, Canada, is the only other North American city that has a similar setup, according to the company that makes the products Colorado Springs is using.

The article notes that the cost of this is likely to be in the $1m-$2m range for the city. Given the fact that NORAD and Northcom are in Colorado Springs, this seems like a relatively prudent investment from a risk standpoint.

Hopefully this will motivate efforts at the federal level to develop and implement a national strategy for nuclear and radiological detection. There have been some solid progress in R&D for rad/nuc sensors and the development of standards in the last four years. And a new office was created in 2005 – the Domestic Nuclear Detection Office (DNDO) – to drive this effort. But it’s not yet clear to me that there is a clear strategy in the federal government about how to implement sensors in a way that creates a “national detection architecture.”

One key element of this will be finding the right balance between federal, state and local funding. DHS has a role in funding detection capabilities in cities, but should only do so if states and cities are willing to spend some of their own money (at least 30%) in support of this mission.

For more information, see this related article in the Colorado Springs Gazette from early November and this whitepaper from the company that is implementing the system for Colorado Springs.

CQ had a story in their final edition before the holidays about a new report released by the Democratic staff of the House HSC entitled “The Vital Link to Improving Information Sharing with State, Local and Tribal Law Enforcement.”

Amid some partisan rhetoric is a very solid analysis of one of the toughest problems in the last few years: getting meaningful intelligence to front-line law enforcement officials – and not just sanitized products made meaningless by classification rules and procedures.

The key proposal in the report is the following:

Rather than pursuing this patchworked approach, the United States would be better served by a solution modeled on the Central Services’ Police International Counter Terrorism Unit (PICTU) and New Scotland Yard’s Joint Terrorism Analysis Centre (JTAC) in the United Kingdom (UK). JTAC, with PICTU’s assistance, has established a successful process by which highly classified intelligence information is converted to a law enforcement sensitive-type format that can be widely disseminated to police officers to support both threat assessment and prevention planning. JTAC is staffed not only by intelligence analysts but also by a select group of police officers with security clearances – including representatives from PICTU – who know firsthand what information their colleagues in the field need to intercept terrorists and foil their plans. JTAC, with PICTU’s assistance, can identify what intelligence information would be of interest at a local level, redact whatever portions of that information might harm the national security, and funnel it to an appropriate audience. In addition to the critical role that PICTU plays in this process, it also uses open source material to inform local police forces of terrorist threats and how to address them when intelligence resources are lacking.

The report compares the JTAC to the National Counterterrorism Center (NCTC) in the U.S., and argues that we need a “PICTU” equivalent as a key step in solving the problem of frontline information-sharing.

This seems like a solid proposal, especially the joint-staffing element of it. The UK’s experience is not directly applicable to the United States in some respects, mainly due to different legal and institutional structures. But both countries face the same fundamental challenge, and the British model here is one worth emulating as part of a broad solution that addresses the structural, technological and cultural challenges of info-sharing.

ps. For more background on JTAC and PICTU see here and here.

Update (12/29): text edited to add link to report.

For obvious reasons, it’s a very slow week for homeland security-related events in DC.

But for those of you like me who have been asking yourselves, “What can hermeneutics teach us about the war on terror?”, it appears that the college English professors of the world are smart mobbing at the Marriott Wardman Park for the Modern Language Association’s annual conference, which will include sessions such as:

- Representing 9/11
- Arab Pop Culture Speaks Back
- Pop Culture and the War on Terror
- Critique and Terror: The New Americanists and Cultural Politics Today

I suppose “Deconstructing the Home(less)land” will have to wait until next year.

(Please e-mail if you have suggestions about additions to this list for this week, or future weeks.)

The New York Times has an interesting question and answer interview with Steve Flynn of the Council on Foreign relations posted on its site today.

His reaction to the NSA story:

There’s no question, in my view, that dealing with al-Qaeda and the ongoing terrorist threat requires a different level of and different kinds of authority than existed before 9/11. But as a core principle, if you’re going to raise the authority of the government to a new level, then you have to raise the bar on accountability. Unfortunately, what we seem to have today is a constant rising of government’s level of authority with a diminishing level of accountability. The result of that, in the long run, will be a backlash by the public and a loss of support for important measures, particularly as the time between terrorist incidents expands.

I think that’s exactly right.

And a good definition of resilience, and what it means to build it into critical infrastructures and key assets:

In my view we need to inventory the things in our society that are both critical and currently vulnerable and quickly work to make them more resilient. Resilience can take one of three forms. One way is to harden things such as putting Jersey barriers around important buildings to keep truck bombs from getting too close. Another is redundancy. For instance, the distribution system of our electric gird would be more resilient if we have an inventory of spare electrical transformers so if one is targeted, it can be replaced quickly and power can be readily restored. Have spares would make transformers a less attractive terrorist target. The third form is to make your response capabilities as good as possible. For instance, the Trans-Alaska oil pipeline really doesn’t lend itself to hardening or redunancy. But quick response to a repair an accidental or intentional breach in the pipeline could be an effective deterrent. An emphasis on one or more elements of resiliency would depend on both balancing the potential consequences of a successful terrorist attack and the costs associated with each of the resiliency options.

For more on the topic of resilience, I highly recommend MIT professor Yossi Sheffi’s new book entitled The Resilient Enterprise.

The Q&A also includes insightful comments on aviation security and cargo security. Read the whole interview.

The New York Times has a follow-up piece today on the NSA story, which seems to confirm prior suspicion around the blogosphere (see these prescient posts by Bruce Schneier, Defense Tech, and Early Warning) that a large element of this story is about the use of new technologies:

What has not been publicly acknowledged is that N.S.A. technicians, besides actually eavesdropping on specific conversations, have combed through large volumes of phone and Internet traffic in search of patterns that might point to terrorism suspects. Some officials describe the program as a large data-mining operation….

Officials in the government and the telecommunications industry who have knowledge of parts of the program say the N.S.A. has sought to analyze communications patterns to glean clues from details like who is calling whom, how long a phone call lasts and what time of day it is made, and the origins and destinations of phone calls and e-mail messages. Calls to and from Afghanistan, for instance, are known to have been of particular interest to the N.S.A. since the Sept. 11 attacks, the officials said.

This so-called “pattern analysis” on calls within the United States would, in many circumstances, require a court warrant if the government wanted to trace who calls whom.

Assuming this is true, my reactions are mixed. I can see real security benefits from this kind of analysis in some instances, especially in terms of using relationship analysis to build out a the web of connections between people and their identifiers (i.e. phone numbers, e-mail addresses). If there are these tangible security benefits, and it is done in a way that makes a clear effort to protect privacy by such means as anonymization of data and user audits, then this can be an appropriate tool in the war on terror.

But this story reinforces what I wrote last Monday in this post, and my sense that the extra-legal path that has been chosen by the Administration will harm our efforts to fight the war on terror in the long-run, for all of the potential short-run benefits. A story like this has the potential to tar ALL data mining and data analysis activities in the government, without making distinctions between activities based upon their security benefits, built-in privacy protections, and consistency with other legal and societal norms.

I think it’s time for the United States to have an open and honest debate about data mining and data analysis for homeland security, one that shifts the debate away from the current dynamic where scaremongering and accusations of treason are the normal mode of discourse.

A good starting point for this discussion is my former colleague Mary DeRosa’s excellent study on Data Mining and Data Analysis for Counterterrorism, published last year.

US News and World Report has a new story about radiation detection teams (NEST teams) covertly monitoring sites such as mosques and office buildings in the United States – from outside of the buildings, but on private property, without warrants:

In search of a terrorist nuclear bomb, the federal government since 9/11 has run a far-reaching, top secret program to monitor radiation levels at over a hundred Muslim sites in the Washington, D.C., area, including mosques, homes, businesses, and warehouses, plus similar sites in at least five other cities, U.S. News has learned. In numerous cases, the monitoring required investigators to go on to the property under surveillance, although no search warrants or court orders were ever obtained, according to those with knowledge of the program. Some participants were threatened with loss of their jobs when they questioned the legality of the operation, according to these accounts.

In contrast to the NSA story, this doesn’t seem like a big deal to me, given the less intrusive nature of this type of surveillance: the privacy rights of nuclear materials are fundamentally different than the privacy rights of people. This seems like exactly what the US government should be doing, and living in the DC metro area, I’m damn glad that NEST teams exist and are doing this.

Read the transcript. Lots of interesting nuggets of information, and the Q&A itself gets turned into a venue for scoring points on various turf battles.

According to FCW, Sen. Collins and Sen. Lieberman have introduced a bill to create a new National Homeland Security Academy:

“It was clear to me as I was working to create a Department of Homeland Security that we would need to find a way to make sure department professionals, as well as the state and local officials with whom they work, understand the full scope and range of responsibilities entrusted to the department, not just the details of their own particular jobs,” Lieberman said in a news release.

The academy would train leaders and provide cross-disciplinary education to government officials at all levels “so that they can develop the bonds and relationships that will make their work more efficient and effective,” Lieberman said.

According to the release, the academy would be modeled on the Defense Department’s war colleges. Its purpose would be to ensure that DHS’ new and midlevel executive employees and other federal, state and local officials understand DHS’ mission and undergo hands-on training and simulation exercises….

This would be a common-sense element of a long-term strategy to build up human capital on homeland security. The Academy’s scope needs to be defined, however, in a way that is clearly different than the war colleges, given the diffuse nature of homeland security.

For example, given the private sector’s key role in homeland security and infrastructure protection, it seems like chief security officers or related private sector execs should be able to attend a program like this, if their companies are willing to foot the bill.

And the scope of training needs to be explicitly broad: not just focused on response to attacks, but also having strong programs on prevention-related activities, and courses that focus on the challenge of designing homeland security in a way that is integrated with other national interests, such as privacy rights and the efficient movement of commerce.

Josh Marshall asks:

…When was the last time there was a major terror alert? They were something like a regular occurence for the eighteen months or so before the 2004 election. And through 2004 the administration pushed the line that al Qaida was aiming to disrupt the elections themselves. But as near I can tell there hasn’t been a single one since election day.

Through 2004, of course, critics of the administration routinely questioned whether the frequency and timing of the various terror alerts were not all or in part for political effect.

How do we explain what appears to be a night and day difference between the year prior to November 2004 and the year since in terms of terror alerts and scares?

My quick take on these questions:

1. Wikipedia’s page on the Homeland Security Advisory System has an accurate and complete list of the “orange alerts” that have taken place.

The last full scale alert was nearly two years ago, around the 2003-04 holiday period. Since then, there have been two “partial” alerts – the one for financial centers in NY, NJ and DC in August 2004; and one for transit assets after the London bombings this year. But basically it’s been two years since the last full alert. If we’re counting partial alerts, then there actually has been one since the Nov. 2004 election.

Overall, the timetable seems to undercut the idea of politicization in the run-up to the election. If that were the case, wouldn’t they have increased from 2003 to 2004?

2. In terms of the question about “why”, here’s the top-level list of plausible hypotheses:

a. Alerts have diminished due to post-2004 election environment and lack of need to politicize fear.
b. Alerts have diminished due to gradual reduction of al-Qaeda threat against US.
c. Alerts have diminished due to realization in DHS that alert system is a poor means of communicating to the general public about threats.

I’ll put most of my chips on #3. Consider this quote from the person most identified with the threat advisory system, Tom Ridge, after he had left DHS:

“People focus too much on colors. It could be numbers, it could be animals,” Ridge said. “The American public wants us to focus more on the information.”

He’s mocking his own baby. Why? I think the senior leadership of DHS realized in 2004 that the advisory system was essentially counterproductive, since it was causing freakouts in the low-threat heartland and leaving local leaders and law enforcement officials asking, “ok, so it’s orange, now tell me what am I supposed to do?”

This is my sense as to why the “financial centers” alert in 2004 was narrow, and why Sec. Chertoff has essentially mothballed the broader alert system since he took office.

The second part of the Washington Post’s story on the Department of Homeland Security focuses on FEMA’s evolution within DHS, from the inception of the department to Katrina. The narrative as it is told resembles a Greek tragedy: an outcome that was foreseen by all but somehow is impossible to change. It paints a softer picture of Mike Brown than most portrayals in the last three months, but at the end of the piece his culpability for Katrina is still very evident.

The main lesson that I take away from these two stories in the Post is that as a nation, we really can’t afford to let the DC “power game” be played when we’re talking about homeland security any longer, and allow turf and power to trump mission performance and effectiveness. Al-Qaeda’s not obsessed with org charts, budgets, and reporting relationships. Al-Qaeda’s not entangled in bureaucratic warfare. Can we afford to be?