Homeland Security Watch

News and analysis of critical issues in homeland security

May 29, 2012

“… it is not fish they are after.”

Filed under: Budgets and Spending,Business of HLS — by Christopher Bellavita on May 29, 2012

“The charm of fishing is that it is the pursuit of what is elusive but attainable, a perpetual series of occasions for hope.” — John Buchan

Homeland Security Research Corp. (HSRC) describes itself as “a Washington, DC-based international market research and strategic consulting firm serving the homeland security community.”

Two years ago, it projected that

Over the next four years: the U.S. HLS-HLD (i.e. federal, state and local governments, and the private sector) funding will grow from $184 billion in 2011 to $205 billion by 2014. The market will grow from $73 billion in 2011 to $86 billion by 2014.

In another 2010 report– about the private sector’s role in homeland security — HSRC notes:

The private sector procurement of homeland security related products and services represents 15-16% of the total US Homeland Security market. The US private sector HLS market is larger than the combined federal aviation, maritime and land transportation HLS markets. Over the next five years, the US private sector HLS market is forecasted to grow … from $7.7 billion in 2010 to $11.2 billion by 2014.

(To digress, this report contributed to my personal collection of favorite homeland security facts by pointing out The US private sector controls 86% of the nation high-priority infrastructure sites.” The usual estimates typically cite an 85% figure. Since the 85% number has no basis in anything beyond rhetoric, I admire the attention to precision suggested by 86%.  I also respect the creative addition of “high priority” to the otherwise mundane term, “critical infrastructure.”)

A third HSRC 2010 report points out that DHS is just part of the homeland security enterprise:

While the DHS plays a key role in homeland security, it does not dominate the US counter terror … market. The combined state and local markets, which employ more than 2.2 million first responders, totaled $15.8 billion (2009), whereas the DHS HLS market totaled $13.1 billion. …In spite of the fact that nine years passed since 9/11 with no successful terror attack on the continental USA, periodic, multi-year Harris polls, reveal consistent growth of public concern about another major terrorist attack.

That concern suggests opportunity:

Future small scale terror attacks (successful or not) will maintain this trend in the future. [sic] For example, the failed 2009 Christmas attack aboard a flight bound for Detroit and the attempted car-bombing in New York’s Time Square (February 2010) resulted in immediate White House intervention, Congressional hearings and a radical air passengers screening upgrade program costing over $1.6 billion.

But even if the federal budget does not come through, there’s still state and local government.

Most analysts overlook the fact that the OMB federal rules demand that state and local HLS activities must be financed at the state, county and city level. Annually, all the states and over 40,000 counties and cities fund $53-$62 billion of their HLS activities, while the federal government supplements this spending with grants valued at $3-5 billion annually.


“Fishing is a delusion entirely surrounded by liars in old clothes.” — Don Marquis

A recent two-day Counter Terror Expo was sparsely attended, writes Andrea Stone in Huffington Post.

“This is probably one of the worst I’ve been to in years,” said Jason Henry of Field Forensics, a Florida manufacturer of explosives and hazardous-material-detection devices that was incorporated in September 2001. “Nobody’s walking the show.”

“It was not as well attended as we expected,” said Mark Anderson, a representative of FLIR, which manufactures sophisticated thermal imaging equipment for police and the military and was an event cosponsor. …

“Unless a war pops up somewhere else, the homeland security mission will become much more important [compared with a declining DoD mission],” said John Gritschke, a manager for Laser Shot, a Texas-based maker of training videos.

… Despite the low attendance at the expo, most exhibitors said business was good.

That bothered Benjamin Friedman, a Cato Institute analyst.

“Our panicked response to 9/11 has made a kind of self-licking ice cream that tries to keep us worrying about terrorism and sells us defenses against it,” Friedman stated …. “This conference is a small part of that.”

“The good news is that austerity has meant that there is less money for homeland security, shrinking the homeland security industrial complex and bringing it into increased competition with its far bigger cousin, the military industrial complex,” Friedman added.

But one can always count on human nature’s self destructiveness.

Whether it’s war fighters or cops, Patricia Schmaltz of Virginia-based A-T Solutions sees a vibrant market for her company’s antiterrorism training classes. “I don’t see peace on Earth coming anytime soon,” she said.

“We would definitely support it but we don’t see it,” Schmaltz said. “So long as there are bad guys and nutcakes out there, we’ll be in business.”


Meanwhile, in a completely unrelated story, Rebecca Shlien reports the third annual Homeland Security Bass Tournament took place on Friday, May 18th in Decatur, Alabama.

… [Roughly] 300 current and retired firefighters, police officers, first responders and military troops came to cast a line—and not only from North Alabama.

[The tournament’s founder said] “I know we’ve got one [participant] here from Iowa, we’ve got Kentucky, Tennessee, Georgia, Mississippi and Florida, so we draw them from quite a ways…. The jobs that these guys have, there’s a lot of tense, a lot of stress involved, and to get out there on the water and go fast in a bass boat, spend a few hours catching some fish, it really helps you unwind.”

If you’re interested, you can watch a video about last year’s Homeland Security Bass Tournament here: http://www.youtube.com/watch?v=LtxiA43BrnY

“Many men go fishing all of their lives without knowing that it is not fish they are after.” — Henry David Thoreau

May 28, 2012

The Cyber-Tootsie Roll Effect (Or Please Stop Calling Every Cyber Something An Attack)

Filed under: General Homeland Security — by Arnold Bogis on May 28, 2012

Imagine for a moment that you got your wallet stolen.

It could be from your back pocket in a crowd or your bag hanging on a chair in a busy restaurant.

Now, if the police caught the individual responsible, would they be charged with assault? Almost certainly not (assuming that you did not notice the initial theft because it was surreptitious).  You (or the victim) would most likely feel assaulted, offended and distraught about the invasion of privacy and security.  Yet the authorities would not consider your “feelings,” instead moving forward to deal with the specifics of the situation as they pertain to existing law.

Seems reasonable.  Right?  A pick pocket, if caught, shouldn’t be charged with assault.

Moving over to the cyber realm, is it me or is every possible type of incident beginning to be described as a “cyber attack!” And if you label every problem a nail, then a hammer is always the answer.

A few weeks ago Paul Rosenzweig of the blog Lawfare shared a list of ““Significant Cyber Attacks” on Federal systems since 2004” that he states is from sources on Capitol Hill.  I do not know Mr. Rosenzweig but he seems to be a sophisticated observer and analyst of cyber-related topics, so I am not claiming that everywhere he looks, everything he sees looks like a cyber attack to him.  That this list originated in some Congressional office is the disturbing part.  Just a few examples of incidents included in this list of “attacks” (the full list can be found the Lawfare blog post):

We have theft, we have espionage, and we have negligence. Could some of these turn out to reveal vulnerabilities leading to extortion or attacks at a later date?  Certainly.  Do these and other similar examples from the full list represent potential risks to our national security?  Perhaps.  But do they represent attacks?  No.

To be sure, there are attacks included on the list.  As well as cases of espionage that are frightening.  But you don’t guard against pick pockets in the same manner as you do muggers or attackers wishing to inflict bodily harm.

When you do in the cyber realm, you may end up in a “go time” mode similar to Security Debrief’s L. Vance Taylor:

These attacks aren’t coming because of any real or perceived lack of cyber security protocols in the private sector. The attacks are coming because we allow countries like China to use cyber space to lie to us, steal from us, cheat us and even physically harm us without consequences or repercussions. It has to end.

If Congress wants to do something productive to address cyber security, it should work (along with the Administration) to establish deterrents that will make countries like China think twice before taking our lunch. Two such deterrents could include:

  1. Banning businesses that are headquartered in countries that hack into our CIKR networks from competing on projects in the U.S. sectors where American networks have been compromised or attacked.
  2. Instituting economic sanctions (equaling up to 10 times the costs of the financial implications of a given cyber attack) on any foreign country attacking America or her industries.

In short, Congress should stop legislating the private sector as a means to giving the nation the illusion that it’s doing something about cyber security. Instead, it should do something to prevent future attacks and actually bring perpetrating countries to justice.

Mr. Taylor was describing his theory of response to attacks such as the recent targeting of the natural gas industry. Yet in seeing a tootsie roll, uh, I mean cyber attack originating in China (or Russia or any other country not counted as “allies”) in every event he suggests a tough sounding stance of deterrence that doesn’t take into account reality.

  1. Not every cyber incident is an attack.
  2. Not every cyber incident, even those that are attacks, can be accurately attributed.  We may suspect an attack came from Chinese computers, but can’t prove it.  Or perhaps we think it’s Russian hackers, but actually a group in Indonesia routed the attack through Russia.
  3. Not every cyber incident comes from a state of concern.  China and Russia are often singled out, and Iran has gotten attention in recent weeks, yet there are hackers in almost every country.  What if per #2 U.S. hackers attempt to shut down a piece of critical infrastructure but make it appear to be an attack from China?  And it is also an uncomfortable truth that allies spy on each other–the French have long been suspected of state-sponsored industrial espionage and does anyone remember Jonathan Pollard?
  4. What if other states adopt similar cyber policies?  Should U.S.-based hackers be discovered attempting to infiltrate an Indian government agency’s networks, what should the Indians do in response?  What if confidential industrial information was stolen, should they sanction U.S. companies through whose networks the attack took place without their knowledge?

It is also a fact that not only do hackers live in the United States, but our government is suspected of producing cyber weapons and maybe even (shhhhhh…..) undertaking a little cyber espionage:

Researchers have identified a sophisticated new computer virus 20 times the size of Stuxnet, the malicious software that disabled centrifuges in an Iranian nuclear plant. But unlike Stuxnet, the new malware appears to be used solely for espionage.

Variously dubbed Flame, Skywiper and Flamer, the new virus is the largest and possibly most complex piece of malware ever discovered, which suggests it is state-sponsored, researchers said.

As with Stuxnet, the creator of Flame remains a mystery, though some analysts say they suspect Israel and the United States, given the virus’s sophistication, among other things.

Some researchers say that certain characteristics common to Stuxnet and Flame suggest that whoever ordered up Stuxnet is also behind Flame.

The cyber realm is complicated.  There exist no simple answers to complex issues.  Unfortunately this world is not full of tootsie rolls, but instead reads like a John Le Carre novel.

May 23, 2012

Standards of Cover(-up)

Filed under: State and Local HLS,Technology for HLS — by Mark Chubb on May 23, 2012

For weeks now, the Los Angeles Fire Department has been under intense scrutiny for errors in its reporting of response time data. Previously reported figures suggested the department was doing pretty well meeting its response-time targets despite budget cutbacks that affected service levels. However, it later came to light that the methodology for calculating response-time data presented to elected officials was flawed. These flaws included a failure to present the results of models as predictions rather than actual response data and errors in the way response times were measured and performance against targets reported.

When it became clear that the fire department’s responses had been affected by changes in staffing and service levels, the media and elected officials began asking some difficult questions. Unfortunately, most of these questions were precisely the wrong ones.

It’s one thing to ask whether the department is meeting response time targets. It’s another thing entirely to ask whether these targets are meaningful indicators of service performance. Errors in reporting could affect the answer in either case, but the effects would be very different.

In Los Angeles, it’s now clear that the fire department does not meet its stated targets. It should be equally clear that these targets are arbitrary and all but meaningless in the vast majority of cases. (In other words, the Los Angeles Fire Department remains a world-class outfit despite the cuts.) Unfortunately, the latter fact has dawned on very few people despite abundant evidence that the unwelcome answer to the first question is due in large measure to the growing dependence of the community on fire department responses to many low-priority and even non-emergency events where time matters very little if at all.

The expectation that fire departments are there to deal with anything unwelcome or untoward that people encounter when no one else is there to help them has not come about by accident. Firefighters love to be loved (and needed) and have been all too willing to answer these calls without regard to the costs. The controversy in Los Angeles suggests these costs are not just fiscal. The opportunity cost of attending so many low-priority and non-emergency calls is clear: The system cannot meet the performance expected when genuine emergencies arise.

For firefighters the answer is simple: expand capacity. For administrators, that’s simply not an option in these austere times. Sadly, elected officials too rarely take responsibility for the fact that you cannot please all of the people all of the time.

Nearly everybody these days accepts the adage that when it comes to performance, speed, quality and cost matter, but you can only have two of these. This is especially true when it comes to emergency services. The problem is that our expectation of which two we are willing to accept varies a lot depending upon the circumstances.

When it comes to situations that clearly are not time critical, time should not matter. But it does when you confuse it with an indicator of quality. And almost every fire department does just that because they have no idea how to measure quality but they can measure time.

Fire departments are inherently inefficient operations. They operate on two basic premises: 1) no one should ever have to wait for a response and 2) every response should be treated as an emergency until proven otherwise. These two assumptions combine with pernicious effect when it comes to the way we handle 911 calls. And let’s be clear about this 911 is no longer shorthand for “emergency.” These days, about 40 percent of all calls coming into public safety answering points are misdials and many more involve queries that have nothing whatsoever to do with police, fire or emergency medical services.

Rather than take a few seconds to find out what’s really going on, most agencies insist that dispatching decisions get made within 60 seconds of call receipt regardless of circumstances. This was once a relatively simple affair because it relied on the intuition and judgment of experienced call-takers and dispatchers who made the call based on relatively simple heuristics. When they were equipped with little more than a telephone and a radio console, the required action took little time or effort. Not so today. These days we have two, three or even more layers of technology between call-takers and dispatching decisions. Even after a dispatch is initiated, we have even more layers of technology through which signals alerting stations and conveying information about the call must pass before responders get the message.

These interventions have made it possible to track the most minute details about each and every incident. But they have not made the process of delivering emergency service faster or more efficient. In fact, it’s just the opposite. In many instances we have become unwitting slaves to the planned obsolescence of the technologies themselves and helpless victims of the technological hurdles involved in marrying up diverse platforms supplied by competing vendors procured by different agencies.

When fire departments talk about standards of cover – the five dollar phrase for these response targets – they rarely acknowledge the fatal flaws in the logic (or lack thereof) they apply to deciding what matters. These standards, often derived from flawed analogies to fire growth curves and the onset of brain death following cardiac arrest, were easy to meet using legacy technologies that were far simpler and more efficient. But now we must contend with the expanded and often unrealistic performance expectations arising from our inability or unwillingness to make the simplest distinctions about the services we provide.

Adopting arbitrary standards of cover, like 60 second call processing times and five minute travel times, may allow us to direct the blame at others when we miss the mark overall, but it does almost nothing to solve the problem when performance falls short.

When time matters, it matters a lot and cost is not much of an issue. The good news is that getting these decisions right involves little more than giving people permission and encouragement to treat very different situations differently. The quality of the outcome always depends on how well the people perform, and when the way they use the technology becomes an impediment to what they are trying to accomplish we have the tail wagging the dog.

The single biggest factor affecting our success may well our willingness to recognize that what people experiencing or witnessing an event do before we arrive matters much more than how long it takes us to get there. Sure, response time and the quality of care help, but not if people wait too long to seek help or take no action to mitigate the consequences before we get there.

The best case in point may very well be right in my back yard: King County and Seattle, Washington have managed to achieve a 50 percent survival rate from witnessed cardiac arrest involving shockable arrhythmias (ventricular fibrillation and ventricular tachycardia). Sure, we were among the first communities to establish a fire-based advanced life support paramedic program. Yes, we send first-response EMTs on fire-based units to every call, and often as many as 10 responders to confirmed cardiac arrest calls. But the factor that has probably made the most difference has been the frequency and quality of bystander CPR.

Other programs send paramedics on the first due fire engines whenever possible. We do not. Some use dispatchers to give CPR instructions over the phone. We do too. But we do something even more important: We get out in the community and teach everyone willing to give us a few minutes of their time how to save a life.

Don’t get me wrong. People here still worry about response times. But they have a lot less reason to do so because we have nothing to hide: We rely on the public as much as they rely on us, and we’re proud of it.

May 22, 2012

Seven someday posts

Filed under: General Homeland Security — by Christopher Bellavita on May 22, 2012

Writing for this blog lets me use cognitive surplus to explore different facets of homeland security.

Clay Shirky coined the term cognitive surplus to mark his recognition that “the time Americans once spent watching television has been redirected toward activities that are less about consuming and more about engaging [in blogs, for example]….  And these efforts aren’t fueled by external rewards but by intrinsic motivation—the joy of doing something for its own sake.”

I think that accurately describes why people write for Homeland Security Watch — whether writing a post or a comment.  It is intrinsically satisfying for us to think out loud about homeland security issues.

I’ve been doing work related travel for the past 5 weeks. As I sit in a hotel room on my last night before heading home to a plot of Oregon grass that hasn’t been cut in weeks, I realize my cognitive surplus is currently down to stems and seeds. (To mix several metaphors.)

I cannot complain.  I heard and talked and thought about lots of intriguing ideas over the past 34 days, many of which I put on my “why don’t you write about this someday” list.

Here are seven items on that list, in no particular order, and expressed more through speculation than research.

1. The 2012 National Preparedness Report may be homeland security’s first post-modern document.

I understand “modern” in this context to mean a time of a single dominant narrative. I use “post-modern” to refer to a time of multiple narratives, multiple points of view about the world.  Modernity requires a single narrative; post-modernity requires recognizing there will not be and cannot be one story.  The Preparedness Report  — and whole community — is about making room for many stories. (But then isn’t that a dominant narrative? I want to think more about this.)

2. As far as I can tell, no one in the homeland security enterprise (Big E or little e) has responded publicly to the risk assessment critique John Mueller and Mark Stewart make in their book Terror, Security and Money.

They claim homeland security money used to prevent terrorism has been spent with little regard for benefits. They assert homeland security’s terrorism risk assessment has been characterized — among other things — by “probability neglect.”  Probability neglect means ignoring the statistical evidence about the likelihood of a significant terrorist attack. Strategies that support probability neglect include emphasizing worst-case scenarios, overestimating terrorist capabilities, amplifying target importance, and calculating risk elements incorrectly. There’s much more to their criticism. Basically they argue the risk based emperor — mostly the terrorism emperor — has no clothes. They even provide evidence to support their assertions. I’m surprised the emperor has not responded. (Or maybe the emperor has, and I wasn’t paying attention.)

3. The common wisdom seems to support the idea that the Arab Spring was helped significantly by social media, facebook and twitter in particular.

I heard a second hand report about someone in an Egyptian revolutionary leadership position who says the common wisdom is wrong.  People who expressed their outrage online over the Mubarak government were called “couch activists” by people who took to the streets.  But when the government shutdown the Egyptian internet, the couch activists got angry they couldn’t tweet or Facebook anymore. That got them off their couches and into the streets. Interesting, if correct. (As I said, it was a second hand report.)

4. Appendix II.1 of the U.S Coast Guard’s Deepwater Horizon Incident Specific Preparedness Review is titled “Characteristics And Qualifications Of An Effective Crisis Leader.”

It’s worth a read.  Here’s an excerpt:

“Many Government Agencies and private corporations ‘grow’ leaders from within. They also often bring in proven leaders from outside to provide new leadership and direction for the organization; however, the skills of organization and the ability to manage and lead are only baseline competencies when a crisis arises. The outcome of a crisis or the success of a response to the crisis is directly related to effective crisis leadership. Some leaders are naturally suited for such a role, but often are not the ones who find themselves confronting a crisis or are not the ones placed in the position of leadership when the crisis occurs. Leaders involved in crisis management may find themselves on national television, with little or no media training or experience for their leadership position. Crisis managers are required to make critical and binding decisions without the benefit of lengthy study or peer-reviewed advice. The crisis dictates the pace, tempo, and duration that drives the decision making process. Leaders not trained and prepared to function effectively in a crisis can create an image of incompetence, chaos, or disorganization, even if the incident is being managed competently and effectively. In most cases, the leader in a crisis is the “face” of the organization he or she represents; in some cases it may be virtually the only time the public is aware of the organization. The reputation of that organization will largely be determined by the performance of the crisis leader.”

The report then identifies 10 attributes of an effective crisis leader. In my opinion, Appendix II.1 is not your usual government appendix.

5. What’s the story with private sector fusion centers?

I know some private sector organizations — usually large corporations — have representatives in some fusion centers. Companies can be good sources of information, and they can benefit from receiving appropriate information.  Recently I’ve heard that some global corporations have started developing their own fusion centers — not just corporate intelligence units, but actual fusion centers.  I wonder if there’s any truth to that.

6. Where do good homeland security ideas come from?

The answer can be as simple as a bunch of guys – gender neutral meaning of guys — sitting around drinking coffee or beer. That’s the claim Steve Johnson makes in a TED video, here. (I added the homeland security part.) That’s also what happens in a good homeland security seminar discussion. (Except for the drinking part.)

7. What did Hitler think about the security vulnerabilities of cloud computing?

According to this four minute video, he apparently placed too much trust in his Information Technology folks.

I have a friend who says when “Hitler” comes up in a conversation, it’s time to stop talking.

No one’s listening anymore.

May 18, 2012

Three issues, thirty posts, can we improve homeland security?

Filed under: Catastrophes,General Homeland Security,Preparedness and Response,Privacy and Security — by Philip J. Palin on May 18, 2012

If you haven’t noticed, Fridays are my responsibility here.

Daily blogging — most blogging — tends toward multiple short pieces.  Whether news or commentary,  unpaid (and many paid) bloggers seldom have enough time to do much more than aggregate, trying to make interesting connections that might otherwise go unnoticed.

With more contributors — one for each weekday — HLSWatch has morphed toward analysis and advocacy.  It will probably seem a strange analogy, but drafting these weekly contributions is for me a bit like attending church.  It is a discipline that I find helpful in focusing attention to aspects of reality I might otherwise neglect.

In this vein, I perceive the need for a bit more continuity between weekly services: a kind of lectionary.   Since beginning to post in 2009 my choice of topics has been opportunistic, even impressionistic.  Over the next few months I intend to give more consistent attention to three issues:

Catastrophes –  I am increasingly persuaded the federal role in homeland security should mostly be focused on preventing, preparing for, mitigating, responding to, and recovering from very high consequence events.  I also perceive the federal government has a key role in encouraging some modest, but consistent attention to catastrophic potential by other levels of government and the private sector.  Catastrophes and potential catastrophes are, I will argue, complex events that unfold in distinct ways, different than emergencies or disasters.  Some of the skills that are essential to managing emergencies and disasters can be profoundly counterproductive in potential catastrophes.   At least these are my current perceptions.  Can these claims hold up to my own analysis and your criticism?

Private Resilience – There’s lots of talk — often empty talk — about private-public partnerships.  I’m all in favor of meaningful and practically focused private-public relationships. I am, though, much more interested in readiness and resilience that does not depend on the public sector.  There is some intriguing evidence that many resilient neighborhoods have emerged in contention with the public sector.  Is resilience a synthesis of a private antithesis engaging a public thesis? My interest in private resilience is related to my focus on potential catastrophes.  In the very worst events private need will exceed public supply by several multiples. What are the characteristics of systemic resilience?  How is such resilience engendered?  Resilience can wither, how and why? My colleague Arnold Bogis has been clear that he perceives “resilience” to be little more than an intellectually sloppy buzz word.  Can I convince him otherwise? Will he convince me?

Civil Liberties – Since 9/11 several legal measures have been undertaken that challenge — even directly assault — freedoms that were previously taken for granted. Other than various indignities at the airport, the narrowing of our liberties has not seemed to elicit sustained citizen concern… and even at the airport the protests have more often been whines than something more substantive. The explosive expansion of digital commerce and sociability provides the government (and others) unprecedented opportunity for intruding into civil and private “space.”  There are reasonable motivations — preventative and protective — for this intrusion.  The long-term consequences for our civil liberties are worth careful consideration and active engagement.  Related, at least for me, is the issue of individual responsibility and the role of citizenship.  Perhaps the government is not so much taking away civil liberties as the citizens are trading them away.

I have other homeland security-related interests — religious conflict and supply chains, to name two — but I have chosen these three topics for some sustained attention because I wonder if these three may, in combination, point us to an overarching reality.

Is there a persistent cascading complexity that we perpetually endeavor to deny?  Do we regularly walk the edge of chaos, one step from catastrophe, but choose not to notice?  What might be the outcome of noticing?  Are the key components of resilience — flexibility, agility, adaptability, what else? — more effective than command-and-control to deal with cascading, unpredictable consequences?  Is the active application of our civil liberties an essential  tool for effectively engaging this complexity?

I will not post next week.  Between the first Friday in June and Christmas there are 30 Fridays.  In thirty posts, no more than 30,000 words — plus our discussions — can these questions be meaningfully answered?  Will you participate?  Argue with me?  Propose your alternatives?  Can we co-create an enhanced understanding of homeland security through our engagement with these three issues?

Claire Rubin has suggested blogs are not the best format for such extended considerations.  Claire is one of the wisest women I know.  But I have often found creative benefits in gentle foolishness.  So, I will try.

May 16, 2012

See No Evil? Then Just Do It

Filed under: Organizational Issues,Private Sector — by Mark Chubb on May 16, 2012

It’s been awhile since I have managed to post something. The last wholehearted attempt I made was a reflection on May Day observances that I never finished. For some reason or another I could never come to a conclusion to that piece that really satisfied me. At least not in the sense that I was getting to the heart of what I was watching on the news and in the streets, especially here in Seattle. As a result, it sits mouldering in my queue still waiting for rewrite or deletion.

Somehow, though, a few of the themes I struggled with just a couple of weeks ago came into sharper focus for me this week in the form of two articles I read. The first described the effects of growing income inequality on individual mortality. Put simply, those who earn the least can not only expect to live shorter lives, but they can also expect their longevity to diminish as the length or the depth of the gap widens between their earnings and those at the top. The article cites other studies’ speculation as to the causes of income inequality-related mortality while noting that the academic research cited has reached no firm conclusion about specific causes, especially over the short-term. At the same time, the study provides compelling evidence of the cumulative effect of income inequality on health.

The second article suggested that crime really does pay. Or rather that unethical behavior or at the very least less-than-ethical behavior has its rewards. The Harvard Business Review item noted a recent study that displayed significant gaps between the earnings of those men who self-reported improvements in ethical awareness and subsequent ethical conduct as a result of exposure to ethical principles and practices in their post-graduate management curricula. (Sorry, no word on how the women did. Let’s just hope it was considerably better than the boys.) Sadly, but probably not too surprisingly, those who earned the most reported little awareness of or influence from exposure to ethics while earning their MBAs.

These two items got me reflecting anew on a third item that aired on May 1. NPR’s Planet Money Team produced a truly exceptional segment entitled Psychology of Fraud: Why Good People Do Bad Things. This piece examined the story of Toby Groves, a convicted mortgage fraudster who convinced colleagues to conspire with him to create a ghost mortgage, a very real loan for an utterly fictitious property, to cover mismanagement of his business.

In the simplest terms, Toby and his colleagues justified their actions by framing the problem in two very simple but compelling ways. First, instead of seeing their actions as unethical, which they openly acknowledged they were, they reframed the decision as one of business necessity. They supported this framing in a second but equally compelling way by seeing their actions as a personal favor for a trusted friend and valued colleague. In other words, they saw Toby as someone they liked and enjoyed working with who now needed a small favor from them as opposed to the illegal and craven actions of a desperate man at his wits’ end. In short, their decisions to be helpful were aided by the notion that Toby Groves was a business associate, his business was at risk due to financial decisions they all make, and the actions he requested of them (which he openly acknowledged could get them all in heaps of trouble) required little effort on their part and were actions in which they were routinely engaged as part of their normal and legitimate business practices. Clearly, the road to hell — and prison — is paved with good intentions.

If the NPR story had any shortcomings, it was in the lack of resolution I felt from the reforms they suggested might arise to combat the problem of inappropriate cognitive framing of ethical dilemmas in the business environment. How, I wondered, might it help the situation to remind people on the forms they are signing that lying or misrepresentation are unethical or illegal? Don’t they know this already? And who reads the fine print anyway? Sure, it might help to change auditors frequently to keep them from becoming too cosy with those they oversee. But don’t we want auditors to be both rational and fair? Does this not suggest a need for some sort of empathy? How much then is too much?

Clearly, the dilemmas we face are becoming more complex just as they problems that give rise to them become more complicated and even convoluted. The credit crunch that led to the lingering economic stagnation we still endure, the ideological and political excesses of violent extremists here and abroad, and the inability to reconcile political differences for the common good not only reflect certain states of mind but also provoke powerful emotions in us that arise largely from our own cognitive biases. The challenge then is not to oversimplify any of these issues but to see them for what they are: Situations that require us to apply many different frames to achieve not only the proper resolution but sufficient perspective to interpret correctly what sits before our eyes.

We can look upon the health effects of income inequality as the sad but unintended consequences of an otherwise salutary economic system or an injustice that demands redress. We can reward unethical conduct in the workplace and accept unequal rewards for those who look after themselves before others or we can hold one another to account for what each of us thinks, says and does. If it’s true that the road to hell is paved with good intentions, then it’s also worth noting that there’s more than one way to skin a cat and we should try them all rather than looking for the easy way out.

May 15, 2012

Permanent Emergency — Kip Hawley’s time at TSA

Filed under: Aviation Security — by Christopher Bellavita on May 15, 2012

I have one chapter left to read in Kip Hawley and Nathan Means’ book Permanent Emergency.  The book describes Hawley’s term as TSA Administrator, from 2005 until 2009.

I don’t want the book to end.  It’s really good.

I’ve read Tom Ridge’s and Michael Chertoff’s after-office books.   Permanent Emergency is in its own class, at least when it comes to back-in-the-day homeland security memoirs.  Ridge’s book engages the reader.  Chertoff’s book challenges (ok, it’s a hard read).

Hawley and Means’ work is a page turner.  I will not be surprised if Permanent Emergency is made into a movie.  A made-for-TV movie. But still, a movie. (By then, maybe the book can lose the melodramatic subtitle, “Inside the TSA and the Fight for the Future of American Security.”)


Here are some of the questions the book asks and answers:

How did TSA get into the behavioral detection business?  Why do passengers really have to take their shoes off during screening? (It’s not because of the shoe bomber.)

What’s life like for a screener? Why do they check wheelchairs and people who’s hips have been replaced?  Why do they follow rules instead of use their discretion?  What was the only professional decoration Hawley had on his “love me” wall?

What command center did the TV show 24 model?  What law enforcement agency receives “the best and most specialized firearms training?” How long does it take to fire a senior executive who’s not doing his job?

How credible was the UK liquid bomb threat? How long did TSA have to implement the liquids ban? How did they get it done? Why is the 3 ounce rule actually 3.4 ounces? (Ask someone who knows the metric system.) And why plastic bags? What happened to the man in Milwakee who wrote “Kip Haweley is an idiot” on his plastic bag?

How did the TSA blog get started?  And how did Blogger Bob get his job?  Why did TSA use the Blogger platform (available free from Google) instead of spending millions to develop a proprietary blogging platform? Why did the blog change its name from the empirically accurate “Evolution of Security” to the bureaucratically bland “TSA Blog.” (The book doesn’t answer the last two questions, but inquiring minds remain interested.)

Where did Hawley get his ideas from about aviation security as a complex adaptive system?  Why was he told not to talk about complexity theory in public? (Seriously.)


Every man is the hero of a biography he had a hand in writing. This book is no exception.  At times Permanent Emergency reads like a 21st century version of Mr. Smith Goes to Washington. Like Mr. Smith, Hawley (and the talented team of people he collected and credits) got things done. Not everything he wanted to do. But progress.

Also like Mr. Smith, I’m sure there were people in Washington who wanted Hawley gone before he did leave.  I spoke with a few of them over the years.  The consensus from those few was “nice guy, but in over his head.”

OK, but who’s not in over their head in this homeland security business? That does not mean you can’t learn how to get things accomplished.

Permanent Emergency would be a valuable addition to almost any homeland security academic program in the country. For one thing, it’s written so well students will actually read it. I’m not kidding when I say it’s a page turner.

For another, it shows how one person (ok, one person with great contacts and experience) can make a difference. It shows the importance of being able to spot talent and clear the path for that talent to disrupt — in creative and productive ways – staid organizations. It shows the role politics, bureaucracy, leadership, science, research, trial and error, communication, good and bad luck, public relations, physical energy, commitment, intelligence, risk management, sacrifice and persistence play in getting things done in homeland security.

It also reminds the reader how much uncertainty and stumbling and making things up characterized homeland security’s first years.


I met Kip Hawley twice. I found him creatively thoughtful, sincere, and caring. He also appears to listen to the people talking to him. Those traits come through in the book.

Before I read Permanent Emergency I was not a fan of how TSA does its mission. For a lot of reasons, I think on balance the costs — including the privacy we surrender to fly — are greater than the benefits we receive from submitting to the government.  I recognize there are other views — including Kip Hawley’s.

After reading Hawley and Means’ book, I’m still not a TSA fan.  But the authors make me doubt some of the reasons why I hold the postion I do.

Whether you largely agree with TSA’s role in homeland security or not, if you read this book your views about the agency and the people who serve in it will change.  Maybe permanently.


May 14, 2012

Nuclear Terrorism: Are We Winning or Losing?

Filed under: General Homeland Security — by Arnold Bogis on May 14, 2012

As regular readers of this blog know, we’ve hosted a robust back-and-forth regarding the risks of nuclear terrorism.  Along those lines, for those wishing to read a succinct and interesting summary of arguments for both sides, I would recommend a recent Arms Control Wonk post by Michael Krepon (please follow the link for a full bio, but the short version is: Co-founder of the Henry L. Stimson Center. Prior to co-founding the Stimson Center, Krepon worked at the Carnegie Endowment for International Peace, the US Arms Control and Disarmament Agency during the Carter administration, and in the US House of Representatives, assisting Congressman Norm Dicks.)

He gives voice to those concerned about the threat:

Graham Allison predicted in Nuclear Terrorism (2004) that, “In my considered judgment, on the current path, a nuclear terrorist attack on America in the decade ahead is more likely than not.”

And those slightly more dismissive:

John Mueller’s answer, in Atomic Obsession: Nuclear Alarmism from Hiroshima to Al-Qaeda (2010) is that nuclear dangers are far less than we presume:

Fears and anxieties about them, while understandable, have been excessive, and they have severely, detrimentally, and even absurdly distorted spending priorities while inspiring policies that have often been overwrought, ill conceived, counterproductive, and sometimes massively destructive. And they continue to do so.

It is not a long post, so I instead of continuing to post quotes in absence of my own analysis, I’ll just end with his conclusion:

Are we winning or losing the battle against proliferation? There are indicators that point in both directions. How you answer this question probably reflects your optimistic or pessimistic nature.

Again, if you’re interested in the topic (and proliferation in general, which he addresses in an earlier related post) it is worth your time:


May 11, 2012

National Preparedness Report: Voice, vision, and a reality beyond systems engineering

Filed under: Preparedness and Response,Strategy — by Philip J. Palin on May 11, 2012

This is the second in a two-part consideration of the recently released National Preparedness Report.  Please see the prior discussion immediately below.


As was the case with NSC-68, the National Preparedness series is being authored by a collective.  This is the way of government.  Recall that Jefferson’s draft of the Declaration was edited first by a committee and then by the entire Continental Congress.  It is unusual for clarity of thought to survive such a process.

I know — and respect — several individuals who are contributing to the National Preparedness series.  I don’t know their individual contributions and have not asked for their private critiques, concerns, or enthusiasms.  I empathize with their struggle to deal with the tensions involved in generating any document of this sort — and even more, the challenges to practically advancing policy.

I am using the National Preparedness series to press my arguments and make my own contributions to national resilience. The documents are helpful to this work.  I appreciate the outcomes, even as I unfavorably compare the outcomes to the Declaration of Independence and NSC-68.

At least I did not choose Shakespeare and Lincoln as your benchmarks.

The music of the Declaration reflects the remnant of Thomas Jefferson’s voice that survived the editorial process.  The clarity-of-argument in NSC-68 is a double-echo of the dialectic between Kennan and Nitze.   In some ways, the document is Nitze’s edit of Kennan’s Long Telegram.  Two superb minds engaging the same problem, disagreeing, agreeing, refining and reframing.  In the end, Nitze’s voice was strongest, but he would not have sung this song without Kennan’s prelude.

If there is a principal author of the National Preparedness series I do not hear his or her voice.

This is typical of most government reports, even those, as from GAO or CRS, who identify specific authors.  There are a host of motivations for this default anonymity.  Potentially the most powerful — and least credible — is the desire to achieve a tone of omniscient authority.

By contrast, in both the Declaration and NSC-68 any discerning reader is fully aware an argument is being offered, a case is being made, counter-arguments are anticipated, a dialogue is assumed… even as the author(s) scrambles for the moral high ground and persuasive preemption.  With all his personal confidence, network of influence, and even with the power of the President’s pen expected, Nitze does not proclaim.  He describes.  He questions.  He argues.

Why is that sort  of voice so rare?

This is a substantive, not merely stylistic difference.  The vain attempt for omniscient authority asserts right-and-wrong and a claim to compliance.  Offering an argument honors  and invites the independent judgment of your readers.

From section VI, A of NSC-68:

The full power which resides within the American people will be evoked only through the traditional democratic process: This process requires, firstly, that sufficient information regarding the basic political, economic, and military elements of the present situation be made publicly available so that an intelligent popular opinion may be formed. Having achieved a comprehension of the issues now confronting this Republic, it will then be possible for the American people and the American Government to arrive at a consensus. Out of this common view will develop a determination of the national will and a solid resolute expression of that will.

Again, this was a classified document.  No one was trying to pander to a political audience.  The document itself circulated among mostly elite circles at a time when both classified documents and elite circles were more tightly contained than today.  What would be the reaction of “intelligent public opinion” if the National Preparedness series included the quoted paragraph?

What might it mean if Nitze actually believed and behaved as if the stated assumption were true? Do we?


Homeland security suffers from taxonomy-obsession.

What is prevention?  How is it differentiated from protection?  Doesn’t mitigation sometimes prevent?  Sometimes protect?  Isn’t mitigation often a “response” to a prior event?  When does response become recovery?  Are some events non-recoverable?  I have asked each of these questions in earnest more than once. (“Hi, my name is Phil, and I’m obsessive-compulsive regarding the seams between the homeland security mission areas.”)

There has been a persisting tendency to perceive that if we could just accurately frame the homeland security domain and its principal parts, we could then assign roles and responsibilities with clarity, fund appropriately, and craft the best of all possible worlds.

Systems engineering was especially hot at the turn of the century, perhaps this discipline is more a part of the homeland security field’s DNA than we have fully acknowledged.  Are we hard-wired by the time-and-place of homeland security’s genesis to constantly cycle through requirements analyses? (There’s a vision of hell if I’ve ever heard one.)

Whatever its source, there is a continuing fascination with finding the right taxonomy.  Below, again, is the National Preparedness framework of five mission areas and thirty-one core capabilities.  Farther below is Carl Linnaeus‘ taxonomy for the animal kingdom: six classes consisting of various orders, then families and so on (by clicking on the image you can see a larger version).  The parallels are, I think, remarkable.

If you are over 45 you probably have a vague memory of Linnaean taxonomy from 7th grade science.  If you’re under 45 and/or a biologist you know this system has been mostly superseded by other descriptive systems.  Linnaeus sought to distinguish by function. Many of the newer systems highlight origins and relationships.

Linnaeus advanced our understanding.  The five mission areas and 31 core capabilities also advance our understanding.  But the greatest value will almost certainly emerge from recognizing and making sense of the relationships across the mission areas and core capabilities.  There are, and will need to be, functional divisions within the homeland security “kingdom.”  But these divisions are means, not ends.

The November 2011 version of the National Preparedness System closes with the following two paragraphs:

While the National Preparedness System builds on a number of proven processes, it will evolve to capitalize on new opportunities and meet emerging challenges. Many of the programs and processes that support the components of the National Preparedness System exist and are currently in use; others will need to be updated or developed. As the remaining PPD-8 deliverables are developed, further details will be provided on how the National Preparedness System will be implemented across the five mission areas in order to achieve the National Preparedness Goal.

This document describes a collaborative environment and living system whose components will be routinely evaluated and updated to ensure their continued effectiveness. This environment will be supported through collaboration and cooperation with international partners, including working closely with our neighbors Canada and Mexico, with whom we share common borders. In the end,the National Preparedness System’s strength relies on ensuring the whole community has the opportunity to contribute to its implementation to achieve the goal of a secure and resilient Nation.

The National Preparedness System is emerging.  As it does, can it find a unique voice, well-matched to its extraordinary mission, capable of effectively advancing the purposes articulated in PPD-8?  As it emerges, can the National Preparedness System avoid the reductionist specialization that is endemic to modern organizations? With the second annual National Preparedness Report will we read and believe that relationships are being fostered across mission areas and core capabilities, among jurisdictions, and between private, public and civic sectors?

Linnaeus warned, “Nature does not proceed by leaps.”   Neither does the best policy-making.  But each can grow, change, and evolve.

May 10, 2012

The National Preparedness Report: Trying to describe reality and outlining how to engage it

Filed under: Preparedness and Response,Strategy — by Philip J. Palin on May 10, 2012

Presidential Policy Directive 8 begat the National Preparedness Goal, the NPG begat the National Preparedness System.  This lineage has now begat the National Preparedness Report.

The forebears for this race of documents might be extended into the mist of history and myth: a veritable Book of Numbers or Metamorphoses of policy-making.

But surely the one common ancestor looming over this titillating thicket of conceptual coupling would be NSC-68.    If ever there was an Ur text, this is one.  In fifty-eight pages a national policy was articulated with such clarity and strength that it seemed to call-forth — creating not just framing — a half-century of national purpose.   President Truman signed the document on September 30, 1950.  Some suggest NSC-68 achieved its apotheosis on November 9, 1989.

The problem of preparedness is no less acute or consequential than the problems facing Truman, Acheson, Nitze, Kennan, et al.  Here’s how PPD-8 situates our current challenge:

This directive is aimed at strengthening the security and resilience of the United States through systematic preparation for the threats that pose the greatest risk to the security of the Nation, including acts of terrorism, cyber attacks, pandemics, and catastrophic natural disasters. Our national preparedness is the shared responsibility of all levels of government, the private and nonprofit sectors, and individual citizens. Everyone can contribute to safeguarding the Nation from harm. As such, while this directive is intended to galvanize action by the Federal Government, it is also aimed at facilitating an integrated, all-of-Nation, capabilities-based approach to preparedness.

This is a big idea.  Read it again, not as a dollop of  political/bureaucratic prose but as if it was an earnest expression of national intent.

NSC-68 was also capabilities-oriented.  A long quote:

In examining our capabilities it is relevant to ask at the outset–capabilities for what? The answer cannot be stated solely in the negative terms of resisting the Kremlin design. It includes also our capabilities to attain the fundamental purpose of the United States, and to foster a world environment in which our free society can survive and flourish.

Potentially we have these capabilities. We know we have them in the economic and military fields. Potentially we also have them in the political and psychological fields. The vast majority of Americans are confident that the system of values which animates our society–the principles of freedom, tolerance, the importance of the individual, and the supremacy of reason over will–are valid and more vital than the ideology which is the fuel of Soviet dynamism. Translated into terms relevant to the lives of other peoples–our system of values can become perhaps a powerful appeal to millions who now seek or find in authoritarianism a refuge from anxieties, bafflement, and insecurity…

These capabilities within us constitute a great potential force in our international relations. The potential within us of bearing witness to the values by which we live holds promise for a dynamic manifestation to the rest of the world of the vitality of our system. The essential tolerance of our world outlook, our generous and constructive impulses, and the absence of covetousness in our international relations are assets of potentially enormous influence.

These then are our potential capabilities. Between them and our capabilities currently being utilized is a wide gap of unactualized power.

It is worth recalling that NSC-68 was a classified document.  The public did not see it until a quarter-century after the President’s signature.   In our Ur text policy-makers are self-consciously communicating, arguing, analyzing, trying to persuade their fellow policy-makers.

The National Preparedness Goal lists thirty-one core capabilities.  The National Preparedness Report gives attention to each.  “Freedom, tolerance, the importance of the individual, and the supremacy of reason over will” are not  among the thirty-one.

Each of the core capabilities are organized by five mission priorities.  Within the government, these mission-with-capability-clusters increasingly reflect lines of authority and responsibility.  What we have in the NPG, NPS, and NPR is an effort to describe reality and an emerging structure for engaging that reality.

It tends to be a very instrumental view of reality, almost mechanistic.   It is, at least in my judgment, consistent with observations of reality. It is also complicated.  The National Preparedness System has begun to remind me of Ptolemy’s eccentric, epicycle,  and equant.  It works, but is less than elegant.

This is not meant as a fundamental critique of the National Preparedness collection and is certainly not a criticism of these documents’ authors.

It is an expression of concern regarding contemporary rhetoric, by which I mean the art of decision making.

If the National Preparedness authors had used a rhetoric similar to NSC-68, my obscure voice at this little blog would have congratulated them.  From nearly every other corner they would have been savaged, being accused of superficiality, hypocrisy, and — probably — jaw-dropping hubris.  Yet this older rhetoric and its now seemingly quaint gathering of evidence and argument is still honored for having set-the-stage for winning the Cold War.

Beyond matters of style, I perceive an important substantive difference between the intellectual and operational assumptions set out in NSC-68 and those unfolding from the National Preparedness collection.  What are those differences?  What may be their practical implications?

Take some time to read NSC-68 and come back tomorrow.

May 8, 2012

It’s Physics: Why Women Shouldn’t be Allowed to Fight with the Marine Corps Infantry

Filed under: Homeland Defense — by Dan OConnor on May 8, 2012

This summer, for the first time in the Marine Corps’ 237-year history, women will be enrolled in the Officer Infantry Course, one of the most demanding training evolutions in the entire military. Women Marines now serve in a variety of combat support and combat service support roles splendidly, as they do in the Army, Navy and Air Force.

It should stay that way.

Not because men are superior to women, or because male Marines want to discriminate against female Marines. Marines are Marines. But men are different from women. And that difference, when exposed in combat will be deadly, not only for the fighting female Marine, but for her male and female counterparts.

The Infantry Officer Course (IOC) teaches Marine Officers to be better leaders and killers than their enemies. It’s where we build Marine Infantry skills to win our wars and lead our Marines. War is killing. Let that sink in. It is legal murder, encouraged, ordered and demanded. In order to be effective at it, proficiency must not only be gained, but practiced and perfected.

The Basic School is where all Marine Second Lieutenants go to become basically trained officers prior to their military occupational assignment. During one of their training exercises years ago, the evaluators “killed” a 6’1”, 195 lb. male Marine Officer. He was within prescribed height and weight standards, and in an excellent state of fitness. He was also 30 years old. The evaluator then assigned the only available Marine, a female officer to carry the “dead” officer from the training battle field. The female officer was within the “normal” or “average” range for size; she was 5’4” and 125-130 lb. She was in superior physical condition, was 23 years old, and had a perfect physical fitness score on her most recent test. Both were wearing typical combat loads of 65-80 lb. of gear.

What happened? The female could not lift the male Marine. She could barely move him. She removed her gear to improve her strength-to- weight ratio. She still was unable to manage the weight.

Then what happened?

In order to move the problem along, the evaluator “unkilled” the male and “killed” the female and reversed their roles. The male put back on all his combat gear. So did the female officer, both adding the additional weight. Even though the male was not in the same physical condition as his female peer, he bent over and scooped her up, gear and all, and carried her several hundred yards.

Years before the phrase entered the language, the evaluator engaged in what today is called “gender norming.”

Military gender norming is the practice of judging female military service members, applicants or recruits by less stringent standards than their male counterparts. Physical standards are lowered, modified, or just plain overlooked. Norming is all about fairness and equity. Norming metrics allow for “equal competition”.

But there’s nothing equal, normal or fair about war. Anyone who’s ever fought in one can tell you that.

Women Marines have every bit of integrity and are every bit as good and possibly better than their male counterparts in marksmanship, intellect, problem solving, managing stress, and leadership. But it’s for the same reason women don’t play in the NFL, NBA, NHL, or run marathons as fast as men, or bench-press 1,000+ pounds, nor will they ever be truly equal in combat.

The march of women’s rights simply cannot overpower the Laws of Physics. The average man is 5” taller and 50 lb. heavier than the average woman. Men have a lower body fat percentage than women, more lean body mass, and are anatomically different in terms of physical make up, angles of leverage, and skeletally. The physics favor the male species, not the female. Men create more force.

This is Newton’s second law of motion. Force is equal to mass times acceleration. Bigger things that go faster create more force. They always have and always will. There is no engineering feat or physics norming phenomena that can mitigate the capability of a male to lift more, jump higher, run faster, hit harder, and execute violence better than a woman. There is no formula to replicate the combination of force and aggression.

Combat is the most physically demanding, most mentally fatiguing, and most forceful violent interaction humans can perpetuate against one another. It is highly kinetic in nature; blunt force trauma if you will. And it’s final.

It follows, then, as sure as the laws of physics, that if women are introduced to Marine Combat Infantry Units the readiness and capability of those units will be denigrated. If women are not successful in completing the training, the uproar against the “sexist men’s club” and purposeful exclusion will rain down from the sky. In either case trust will be compromised, and trust is a vital element in successful combat.

Those who advocate that women and men are the same and can perpetuate physical brutality equally are far more abusive and anti-women than any group who advocates against putting females into this “opportunity”. There is nothing “Pro Woman” about making women second-class killers.

From a national security perspective, this latest experiment by the Marine Corps, conducted largely because of politics, will only damage and weaken our nation and our ‘Corps.

We have met the enemy, and it is us.

Dan O’Connor is a retired Marine officer with 22 years service.  These are his opinions.

May 6, 2012

Cyber attack currently underway targeting natural gas industry

Filed under: Cybersecurity — by Philip J. Palin on May 6, 2012

Here’s something worth reading.  I am only displaying the first three paragraphs of a fairly indepth piece of reporting.

By Mark Clayton writing in the Christian Science Montior.

A major cyber attack is currently underway aimed squarely at computer networks belonging to US natural gas pipeline companies, according to alerts issued to the industry by the US Department of Homeland Security.

At least three confidential “amber” alerts – the second most sensitive next to “red” – were issued by DHS beginning March 29, all warning of a “gas pipeline sector cyber intrusion campaign” against multiple pipeline companies. But the wave of cyber attacks, which apparently began four months ago – and may also affect Canadian natural gas pipeline companies – is continuing.

That fact was reaffirmed late Friday in a public, albeit less detailed, “incident response” report from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), an arm of DHS based in Idaho Falls. It reiterated warnings in the earlier confidential alerts made directly to pipeline companies and some power companies.


During the House of Representatives so-called Cyber Week there was disagreement regarding the nature of the cyber threat.  Following is a recent Richard Clark quote differentiating an acute threat from a chronic threat:

People keep asking, well, do we have to have a cyber Pearl Harbor in order for people to do the right thing? Implicit in that question is sort of a hope that that will happen and then maybe we’ll fix everything. I don’t know that there ever will be a cyber Pearl Harbor. What I do know is that we’re suffering the death of a thousand cuts in the little Pearl Harbors that are happening every day, where cyberespionage and cybercrime are having a huge cumulative and negative effect. The theft of research and development information, the theft of intellectual property, the theft even of transactional data is giving huge economic advantage to our competitive opponents in other countries. If we all sit around waiting for the apocalypse to do something appropriate on cybersecurity, it may never happen and we may never solve the problem.

In the New York Time’s Friday piece on the National Preparedness Report, the reporter emphasized cyber vulnerabilities (not where my first read took me):

… it was the report’s findings about cybersecurity that appeared to be the most troubling, and they continued a drumbeat from the Obama administration about the need for Congress to pass legislation giving the Department of Homeland Security the authority to regulate computer security for the country’s infrastructure.

The report said that cybersecurity “was the single core capability where states had made the least amount of overall progress” and that only 42 percent of state and local officials believed that theirs was adequate.

I hope HLSWatch readers will take the time to read the NPR.  I would welcome your comments, concerns, or more here.   How should we read it?  What are the major take-aways?  What are the major questions raised?  What should we do with it? What can we do with it?  If there is a delta between should and can, what does that tell us?

May 5, 2012

Poetics of homeland security

Filed under: General Homeland Security — by Philip J. Palin on May 5, 2012

For the ancient Greeks poeisis was the making, producing, creating of anything… including verse.

At this blog — especially with the encouragement of Christopher Bellavita (the Greek and Latin amalgam meaning Christ-bearer/Beautiful Life) — we periodically wonder and argue about the making of homeland security.

The last few days I have been in New England on various homeland security assignments.  After my last Saturday morning appointment I discovered the Brattle Bookshop at 9 West Street in Boston.  From their open air shelves (and shelves and shelves) of $1, $3, and $5 books, I purchased The Collected Poetry of W.H. Auden (Random House, 1945).

This edition includes September 1, 1939, that Auden later exiled from his authorized oeuvre, but was so often quoted in the days following September 11, 2001.  Especially:

I sit in one of the dives
On Fifty-second Street
Uncertain and afraid
As the clever hopes expire
Of a low dishonest decade:
Waves of anger and fear
Circulate over the bright
And darkened lands of the earth,
Obsessing our private lives;
The unmentionable odour of death
Offends the September night…

The last stanza is my favorite, but it has been less associated with homeland security.  See comments for this bit.

So down a dim alley I found an old restaurant where I shared a late lunch with Auden.  Adam Gopnik later joined us, helpfully explaining what the poet means by “Double Man.”

At the time, and even at Auden’s death, the war poems were not critically admired.  Many claimed America had confused, even cheapened the Englishman.

But in our own war-time the words have found renewed resonance.  From Spring 1940:

O not even war can frighten us enough,
That last attempt to eliminate the Strange
By uniting us all in terror
Of something known, even that’s a failure
Which cannot stop us taking our walks alone,
Scared by the unknown unconditional dark,
Down the avenues of our longing:
For however they dream they are scattered,
Our bones cannot help reassembling themselves
Into the philosophic city where dwells
The knowledge they cannot get out of;
And neither a Spring nor a war can ever
So condition his ears as to keep the song
That is not a sorrow from the Double Man.
O what weeps is the love that hears, an
Accident occurring in his substance.

Last weekend I returned to my childhood home.  There most do not share our concerns.  The debt is a bigger deal than any pending disaster (rather is the pending disaster). For them TSA is a bigger threat than terrorism.  Should I disagree? Though I was happy to have an old friend guide me through the full-body scanner at the Peoria airport.

A bare remnant seeks the philosophic city where dwells The knowledge.

What are we to make of that, O Christ-bearer?

What are we to make of that, O beautiful life?

May 4, 2012

A tale of two cities… two sectors… two mindsets… stronger together

Filed under: Preparedness and Response,Private Sector — by Philip J. Palin on May 4, 2012

A few weeks ago I attended a regional summit of emergency managers, firefighters, law enforcement and related public officials for a major city and its metro region. My task was to invite these jurisdictions and their agencies to participate in an exercise program that would feature a catastrophic event in another large city a few hundred miles away.

In case of such a horrific event,  the creative assistance of those at the summit would be needed. The exercise would especially focus on the movement of supplies toward the impact zone.

First question, “Why should we share our supplies?”

My response, “Thanks for the chance to clairfy, I’m not talking about sharing your emergency inventory or anything owned by your agencies. The focus would be on facilitating a surge of private sector supply chains, private sector goods — water, food, and pharma, for example — that either originate in this area or need to move through this area.”

“I understood you the first time,” the questioner stated. “Why should we do that? If there’s a real catastrophe in (insert city name) we’ll probably need everything we can get here.”

While I offered some answers and justifications, my responses were not persuasive. Several agreed with the need to keep what they had. Others probably disagreed, but they were quiet. If there is ever a real need, I fully expect the first urban area will move mountains to help the second urban area. But for a whole host of reasons, they were not at all interested in thinking through the problems and process in advance.

Last week I was in another meeting in a different urban area, this time with private sector leaders from power, communications, water, food, pharma, banking, trucking, medical care and other key sectors. The issue was more or less the same: it is a very bad day in the big city. Your local capability is offline, even flattened. Will you work with us and participate in some exercises to think through the problem of re-supply?

The response was enthusiastic. “It’s a very interesting problem,” one offered. “Thinking through this worst-case will help us with other everyday issues,” another said. After a wide-ranging conversation one of the private sector leaders at the table stated, “This is in our self-interest. It is also in the common interest. We should have done this a long time ago.”

In each case there are back-stories, details that help explain the very different reactions. This is not an issue of good versus bad. But it is a story of two very different mind-sets.

After a few years –a lifetime? — of such contrasting experiences, I have a heuristic, a rule of thumb: Humankind is divided between those who are inclined to control and those who are inclined to create. There is a continuum with nearly everyone suspended somewhere between these two extremes (among other axes).  Where do you fall?

Those who seek to control tend to be more pessimistic. Those who seek to create tend to be more optimistic.

Pessimism may have roots in the past, but is expressed prospectively.  Optimism is mostly a matter of how the future is expected to unfold.  Each is an orientation that can skew observation and as a result be self-fulfilling.  At the extremes, both pessimism and optimism are probably forms of psychological self-protection.  Some recent research seems to suggest genetic predispositions are also in play.

The two mind-sets can be complementary, but more often clash and compete. The “control-freak” is an idiot. The “innovator” is a fool.

Any meaningful homeland security strategy must find a way to blend and benefit from both mind-sets and apply them in the here-and-now. Doing so systematically is something that requires much more attention than we currently invest.


Late Thursday afternoon I received a copy of the National Preparedness Report, the first annual as required by PPD-8.  It deserves a closer read and more complete analysis.   But even on a first read, it is easy to perceive the struggle between control or create.  In raw form  the tension of these worldviews warps the strength of each.  When the tension is synthesized, the resilience of the whole system is enhanced.


IT WAS THE BEST OF TIMES, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair, we had everything before us, we had nothing before us, we were all going direct to Heaven, we were all going direct the other way…

“… I see a beautiful city and a brilliant people rising from this abyss, and, in their struggles to be truly free, in their triumphs and defeats, through long long to come, I see the evil of this time and of the previous time of which this is the natural birth, gradually making expiation for itself and wearing out.” (A Tale of Two Cities by Charles Dickens)

May 3, 2012

Reading over two terrorists shoulders

Filed under: Radicalization,Terrorist Threats & Attacks — by Philip J. Palin on May 3, 2012

The Combating Terrorism Center at West Point has released 17 of the documents retrieved from the compound in Abbottabad where Osama bin Laden was killed.  In addition to English translations and the original Arabic versions  —  posted online today at 9:00 AM EST — the CTC has issued a short report contextualizing the documents.

See: Last Year at Abbottabad.

While you’re at the CTC site scan their other publications.  Good stuff.

Many HLSWatch readers will also be interested in a Senate Homeland Security and Governmental Affairs staff report on the radicalization of Zac Chesser.  Please access: A Case Study in Online Islamist Radicalization and Its Meaning for the Threat of Homegrown Terrorism.

In July 2010 I posted a piece entitled: Could you or I have talked Zac Chesser out of violent extremism? Arnold Bogis (not yet a fellow poster) and I had a quick exchange on the question.  In the Senate report there is  a tantalizing reference to Chesser almost being talked back from the edge.

Each set of resources offers fascinating insights into terrorist realities.

I recently discovered a cache of letters I had written (rough drafts) and received (in reply) from the early 1980s.  I came away wondering about the vagaries of memory and the often fluid nature of what purports to be real.

It’s a tad intimidating to think how these posts and comments may be read thirty years from now.  If we’re lucky these bytes may prove even more fragile than the thin airmail paper I found in a long forgotten file.   Based on all three examples, humility ages more gracefully than its opposite.

May 1, 2012

Water challenges and US national security

Filed under: Futures — by Christopher Bellavita on May 1, 2012

Time out for a moment from our regularly scheduled cyber issues and al Qaeda commentary for a word from the future, sponsored by the U.S. Intelligence Community.

Global Water Security is a report published in February by the Office of the Director of National Intelligence.  The 30 page intelligence “product” is available here.

The document tries to answer the following question (for the State Department): How will water problems (shortages, poor water quality, or floods) impact US national security interests over the next 30 years?

Here is the Report’s answer:

During the next 10 years, many countries important to the United States will experience water problems—shortages, poor water quality, or floods—that will risk instability and state failure, increase regional tensions, and distract them from working with the United States on important US policy objectives. Between now and 2040, fresh water availability will not keep up with demand absent more effective management of water resources. Water problems will hinder the ability of key countries to produce food and generate energy, posing a risk to global food markets and hobbling economic growth. As a result of demographic and economic development pressures, North Africa, the Middle East, and South Asia will face major challenges coping with water problems.

The Report mostly focuses on the relationship between water security and US global interests.  But the future of water has domestic implications also.

Although most of the Colorado River originates in the basin’s upper states (i.e., Colorado, Utah, Wyoming), a 1922 Colorado River Compact allocates most of the water to the lower states (i.e., California, Arizona, Nevada, and New Mexico).

Unfortunately, the agreement was based on data from the unseasonably wet five years prior to 1922, estimating the average flow to be 17.5 million acre-feet (maf). The actual average flow over the last 100 years has been nowhere near this number, averaging about 13 maf, with high variability ranging from 4.4 maf to over 22 maf.

A 2009 study by the University of Colorado projects that all reservoirs along the Colorado River—which provide water for 27 million people—could dry up by 2057 because of climate change and overuse. More recently, drought and low Lake Mead water levels have resulted in a multi-billion dollar plan to build a 285-mile pipeline to pump groundwater to the Las Vegas area from as far away as Snake Valley, which straddles the Nevada-Utah state line.

A 1944 agreement between the United States and Mexico stipulates the terms of water-sharing between the two countries, with water delivery obligations on each side.

The Colorado and Rio Grande Rivers, as well as their major tributaries, are covered in the agreement. The agreement allows the United States access to tributary contributions from Mexican rivers, and no Mexican access to contributions from US tributary rivers, and therefore many view the agreement as unfair. Delayed water deliveries, and even efforts to reduce canal water leakage, have occasionally complicated broader relations but have not been a major source of stress.

Not yet anyway.

Thanks to Dr. James Tindall for telling me about this report.