Yesterday the Transportation Security and Infrastructure Protection Subcommittee held its hearing entitled “Partnering with the Private Sector to Secure Critical Infrastructure: Has the Department of Homeland Security Abandoned the Resilience-based Approach?”
I had the opportunity to testify along with DHS Assistant Secretary Bob Stephan, Bill Raisch of the International Center for Enterprise Preparedness at NYU, Dr. Kevin Stephens, Director of the New Orleans Health Department, and Shawn Johnson, Vice Chairman (soon-to-be chair), Financial Services Sector Coordinating Council. Dr. Stephens provided stark details about the state of the health system’s ability to manage another crisis in New Orleans, given the poor state of the infrastructure there nearly three years after Hurricane Katrina.
The 14th is part of a month of hearings the Homeland Security Committee is dedicating to resilience. Wednesday’s hearing focused on clarifying exactly how DHS views resilience as a priority in the overall strategy of the Department and on identifying ways that DHS can do better in working with the private sector to increase our resilience. Perhaps the best way to paraphrase everyone’s position would be as follows:
Chairwoman Jackson-Lee: Resilience should be part and parcel of the nation’s effort to protect the homeland. To do so requires that DHS effectively share threat information with the private sector, measure resilience (since protection can’t be measured: when is enough, enough?), and think creatively about the enterprise value to a company that invests in resilience. Citing the number of times we use the term resilience isn’t proof enough that action is being taken.
A/S Stephan: We already do resilience. It is mentioned ## times among our existing documents, such as the National Infrastructure Protection Plan (NIPP), the National Response Framework, and various sector-specific documents. Through the NIPP, sector-specific plans are developed to accomplish the goal of security, resiliency, and preparedness. Moreover, the emphasis on resilience is a red herring generated by some in academia and think tanks to suggest that (a) DHS is misguided and (b) we ought to sacrifice efforts to prevent and protect in order to bounce back from likely fatal attacks.
Czerwinski: Resilience is more than the ability to “bounce back.” Measures to make the private sector more resilient must provide a “double bottom-line” that delivers both the ability to minimize the impacts of terrorism or natural disasters and the value of increased performance and improved commerce during the majority of the time when a threat isn’t present. Doing so requires connecting effectively across the sectors with a balanced approach to three key factors: strategic human capital, technology, and governance. Naturally, the framework offered in our paper on Global Movement Management would be a brilliant step forward.
Johnson: Nothing to see here. The Financial Services Sector has worked closely with the Treasury Department since long before 9/11 to manage an interdependent relationship among partners and competitors in this sector. DHS, through the FS-Sector Coordinating Council, works well in coordinating our efforts to be resilient, which for this sector means the ability to get business back online if ever a disruption were to interrupt our operations. I wouldn’t change a thing.
Raisch: If resilience is the goal, then a method to measure or assess progress is indispensable in order for businesses to determine if their investments in resilience are actually accomplishing anything and to be able to claim to stakeholders or possible adversaries that they are prepared to manage a crisis or disruption. Voluntary accrediting measures provided for in the 9/11 Act (H.R. 1) require the government to take the initiative “as a catalyst and investor in this process.”
The main take-away is this: Resilience is still a complex concept that can be approached from a variety of different angles. DHS is doing a lot to make sure the private sector is prepared and protected, but more can be done through an overarching framework that recognizes the interdependencies among the different sectors and the ways in which the risks of the 21st century make those interdependencies more important than any specific sector. Incentivizing the private sector to take action can be done by embracing a broader definition of resilience to include some level of value that actually improves commerce during those times when no attack or disaster is taking place. Investments in security and performance can be mutually reinforcing, not just mutually exclusive.
The streamed recording is available at the Subcommittee’s website on the hearing.