Homeland Security Watch

News and analysis of critical issues in homeland security

May 7, 2008

House Homeland Homes in on Resilience

Filed under: Strategy — by Jonah Czerwinski on May 7, 2008

Congressman Bennie Thompson, chairman of the House Homeland Security Committee, set the tone for yesterday’s first Congressional hearing on resilience by asserting that America’s strategy for protecting the homeland must balance prevention with resilience since 100% security is unobtainable. Moreover, “we all have a role to play,” he said, implying that resilience is the responsibility of the federal government, states and localities, academia, and the private sector, which explains the presence of DHS, MIT, ATT&T, SAP, and the Homeland Security Center for Risk & Economic Analysis of Terrorism Events at USC as witnesses. Chairman Thompson concluded his opening remarks with his refrain that success in this mission demands “honesty with the American people” and a worthy goal of securing the homeland is that we do so based on a “freedom from fear.”

DHS Assistant Secretary for Policy, Stewart Baker, represented the federal government and its views on resilience, as well as current efforts to invest in this capability. Much of A/S Baker’s prepared remarks focused on the ability to “bounce back” as the goal of resilience. This is important, but it leaves out other dimensions that make the concept of resilience valuable (i.e. deterrence, measured response, dual use, etc.).

However, he did emphasize certain efforts to use information more effectively as a resource for alerting populations at risk as soon as an attack or disaster is known to be imminent. Baker cited such measures as “reverse 9/11,” instant messaging, blogs, Google Maps, and twitter as means for fostering an organized response. (Blogs?)

Mr. Baker did identify at least one area that would generate substantial improvement. He described DHS’s work with the Treasury Department, the Financial Services Sector Coordinating Council Subcommittee for Research and Development, and ChicagoFIRST to develop a risk management tool for the finance sector. This includes a computer simulation of the value chains of a generic financial enterprise to allow organizations to create and run “disruption scenarios tailored to their individual business models, using their own proprietary data as well as generic data for the rest of the financial sector,” according to Baker.

Professor Yossi Sheffi of MIT broadened the scope of the discussion to include the important ability of obtaining information early in order to act earlier and with more precision. He cited specifically the prerequisite of devolving decision making to the levels closest to the “front lines” in order to be not only quicker in responding, but also more surgical in that response so as to minimize overreactions that risk amplifying the circumstances.

AT&T’s Susan Bailey echoed this with an explanation that her firm not only prepares for disruptions, but they monitor, pattern, and then profile internet traffic that they support to establish a baseline. Aberrations and abnormalities — often antecedents to cyber attacks — can then be identified and zeroed in on. Indeed, Erroll Southers of the Homeland Security Center for Risk & Economic Analysis of Terrorism Events described how the British implicitly join detection and resilience.

Several members cited the media coverage yesterday of a study that found a nationwide inability on the part of emergency rooms to manage large and unexpected influxes of patients that would likely follow a terrorist strike or natural disaster. Naturally, A/S Baker had little to say about this. That may be the job of the DHS Medical Advisor or HHS, but it isn’t even resilience in the first place. This scenario describes the need for “surge capacity” in hospitals in order to facilitate an emergency response. Turning victims into patients is important for response, but resilience is different.

Interestingly, Rep. Lungren invoked a missing aspect of resilience. If “we all play a part,” as the Chairman appropriately notes, then we must find a way for resilience to become a part of the bottom line for the private sector. He raises a good point. While regulations will surely get industry’s attention, the best form of resilience — indeed the best form of homeland security — reduces the risk of terrorist attack or disruption while also improving the facilitation of trade and travel.

Resilience in the form of redundancy (costly back up facilities or other investments that go unused until disaster strikes) is a blunt measure. Today the Subcommittee on Border, Maritime, and Global Counterterrorism convenes their hearing on “Assessing the Resiliency of the Nation’s Supply Chain.” This is a perfect opportunity to explore smart resilience, as opposed to simply the ability to bounce back.

3 Comments »

104032

Comment by Arnold

May 7, 2008 @ 1:03 pm

While the idea of resilience is great, as the basis for homeland security strategy it is still a little mushy. There is not agreement on what exactly it means.

For example, you do not include concerns about response in this concept: “Turning victims into patients is important for response, but resilience is different.” Yet your guest poster, Robert Kelly, does: “That is the essence of resilience – the ability to rapidly respond to and recover from a catastrophic event.”

And Steve Flynn includes it among his “four pillars of resilience” in his recent Foreign Affairs piece: “Second is resourcefulness, which involves skillfully managing a disaster once it unfolds…Ensuring that U.S. society is resourceful means providing adequate resources to the National Guard, the American Red Cross, public health officials, firefighters, emergency-room staffs, and other emergency planners and responders.”

Unfortunately, I think the concept requires a lot of refining. But hopefully these hearings will not be the only cuts at this effort.

104043

Comment by William R. Cumming

May 7, 2008 @ 2:48 pm

Interesting how little studied are the NYC blackouts of 1965 and 1977 and the N.E. Grid failure of several years ago. The discovery of EMP (Electro-magnetic Pulse) as a factor in Nuclear attack scenario caused wholesale revisions in both attack and defense strategies. Resiliency is clearly more than ability to respond if some assets are knocked out or no-longer available, or unable to be surged if the incident/event is imminent. Interoperabity and redundancy are factors as well as identification of critical nodes and systems. The real task of developing resiliency is not post hac but in futuro when in designing new technology or improving same it must be designed in from the beginning not after the fact. This may be difficult but clearly the US could muster the scientific and engineering effort to do it. So far efforts at addressing resiliency have been largely left to the private sector based on their self interest in not facing business interruption or need for physical and cyber security. These efforts have not been documented for their achievements or inadquacies yet. Question–who is supposed to do that?
DHS refuses to request funds for resiliency studies and so far Congress has lacked the imagination to provide it. It might also be of interest to see how on a comparative basis other nations or geographic areas have handled large-scale events or plan for them. For example, the European Union (OECD). Has the World Bank ever done any work on resiliency? Canda? Mexico? It is not beyond belief to believe that a major oil disruption may just be around the corner? All the statistical and critical information on consequences is still solely within the private sector if it exists at all. What about allowing DHS to gather statistics on resiliency in each of the sectors established under successor documents to PD 63, issued May 22, 1998.

104113

Comment by Jonah Czerwinski

May 8, 2008 @ 7:55 am

Arnold –

>>For example, you do not include concerns about response in this concept: “Turning victims into patients is important for response, but resilience is different.” Yet your guest poster, Robert Kelly, does: “That is the essence of resilience – the ability to rapidly respond to and recover from a catastrophic event.”

There is a difference between response/recovery and resilience. Being resilient should render the ability to respond effectively. However, rapidly flying in emergency food and water to a hurricane zone to limit the hardship of the victims would be response, while resilience would be building homes less vulnerable to the effects of a hurricane and getting the ports and businesses up and running. (I should note that my guests on this blog don’t have to agree with me and vice versa.)

>>And Steve Flynn includes it among his “four pillars of resilience” in his recent Foreign Affairs piece: “Second is resourcefulness, which involves skillfully managing a disaster once it unfolds…Ensuring that U.S. society is resourceful means providing adequate resources to the National Guard, the American Red Cross, public health officials, firefighters, emergency-room staffs, and other emergency planners and responders.”

It is important to take Steve’s four factors as a whole anyway. If you had selected only the third factor — rapid recovery — I could see your point that my separation of response and resilience would be problematic. However, Steve’s factors are robustness, resourcefulness, rapid recovery, and the means to absorb new lessons. Taken together, I think you’d agree that resilience is more than emergency response, but nevertheless dependant on it being executed well.

>>Unfortunately, I think the concept requires a lot of refining. But hopefully these hearings will not be the only cuts at this effort.

I, too, hope these hearings are the beginning of a sustained effort to build in, rather than bolt on, the important capability of resilience. But the concept of resilience already has been refined to a point that enables action. First steps would include making resilience a strategic goal as part of such plans as the Quadrennial Homeland Security Review.

To refine this concept further, consider the following parameters:

Resilience should afford a deterrent value: Terrorists are not deterred by fear of retaliation, but by fear of failure. Resilience delivers a deterrent value by reducing the likelihood that the impact of an intentional attack will transpire.

Resilience helps to avoid self-inflicted wounds: Resilience — if done right — affords the decision maker the enhanced ability to focus response efforts on the part of the system that is actually stressed.

Investments in resilience should be dual use: Investments in resiliency not only address vulnerabilities due to terrorist attacks or natural disasters. Resilience also facilitates the global flows of trade/travel.

The private sector is an asset first, a target second: This is a critical step toward being able to make the case for private sector engagement. Several options exist.

Redundancy is not resiliency. Having costly back-up systems or two of everything is the easy and most expensive way to “bend and not break.” If done correctly, resiliency is more akin to the concept of Intelligent Immunity we put forth in the latest GMM paper.

RSS feed for comments on this post. TrackBack URI

Leave a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>