Homeland Security Watch

News and analysis of critical issues in homeland security

November 13, 2013

Jeh Johnson nomination to be DHS Secretary: live blogging of Homeland Security Committee hearing

Filed under: Congress and HLS,DHS News — by Christopher Bellavita on November 13, 2013

The information below is one person’s observation of today’s Jeh Johnson nomination hearing.  The post starts at the bottom of the page. You can probably see the streaming video of the hearing at “http://www.hsgac.senate.gov/hearings/nomination-of-hon-jeh-c-johnson-to-be-secretary-us-department-of-homeland-security.”

Coburn ends the hearing by reminding whoever’s listening that agreeing to take on a job like DHS Secretary takes a huge toll on the nominee’s family.  He suggests Johnson maybe not be seeing his family again before Christmas.  It is meant as a joke – perhaps.

[2:29] Coburn says he hopes Johnson will consider staying on for the next administration, “so that we don’t lose all this tremendous experience and gray hair, and have to re-train another  leader.”

And then he offers Johnson a huge white binder with “alternative views of homeland security collected over the past 6 years.”

At 2:27 Johnson gets to make closing comments. He compliments the people who he’s dealt with preparing for the hearing.  He says he believes in the hearing process. He pledges to having an open and transparent relationship with the committee. He predicts that at the end of his tenure at DHS, the committee will say “Johnson was somebody that worked well with us in a bipartisan fashion.”

Carper comes back on at 2:23 with cyber security. Compliments NIST (http://www.nist.gov/) for working with the private sector. DHS needs to find quality employees for the cyber work DHS does.

Carper then moves to loan wolves (or “stray dogs,” as a colleague terms them).

At the 2:21 mark, the conversation moves to acquistions.  Coburn asks what Johnson will do to firm up the DHS acquisitions process.  Johnson says it starts with getting quality people involved in the acquisitions process.

At the 2:19 mark the issue of “broken travel” comes up (i.e., when someone flies somewhere and then takes a train or bus and then connects somewhere else to fly again [h/t to D. for the explanation]. Coburn: “Can you state for this committee what role you envision for DHS in tracking the travel of US persons, at home or abroad, that are not on a suspicious list or  on a high risk list?”

Johnson: There are privacy and civil liberty concerns with travel. We have a problem with suspicious individuals laundering their travel. That’s a fact.  It’s a blind spot (for the US). [Expect to hear more about this one.]

At the 2:15:30 mark, back to more traditional homeland security topics.  Coburn on homeland security spending: Do we spend the money on risk or do we spread the money out?  [Great question.]

Coburn says he feels we should spend the money where risk is the greatest.  Johnson says he “thinks” he agrees.

Coburn: We’ve spent 37 billion on grants, and less than 25% has gone to highest risk areas. (He blames congress’ parochial interests for some of this.) Coburn agrees with the Obama Administration’s plan to consolidate all DHS grants and then base awards on risk.  How does Johnson feel about that?

Johnson: “It’s an issue that a number of people have raised with me, how we dispense grant money; it’s taxpayer money….  In general the professionals who I’ve consulted  over the past couple of weeks seem to feel that we need to move in the direction of a risk based approach to homeland security, and that probably entails focusing our grant money in the same direction as well. So I’d be inclined to agree with you if what you’re saying is we need to make efficient use of our taxpayer dollars for purposes of homeland security.”

Coburn then brings up the lack of performance metrics. Grant reform is a big deal to Coburn. Money should be spent to reduce risk, and not to make a politician look good, he says – not allowing the windmill to obscure his vision.

Johnson says he’ll work with the committee to reform grant programs.

Around the 2:14 mark, Coburn gets another turn questioning Johnson.  He first congratulates John Pistole for TSA improvement.  Then comments on how negligent the Congress and the country has been confronting the problems of mental illness.

At 2:11, Carper reviews the LAX shooting and sends “a shout out” to TSA. He then asks what Johnson will do to mitigate the threat against TSA and other DHS employees. “We need to look at how to provide for their safety,” is Johnson’s response.

Carper reminds Johnson of the importance of keeping guns out of the hands of people who have mental illness. He also underscores to Johnson and whoever is still listening to the hearings at this point the importance of “See something. Say Something.”

At the 2:09 mark, Carper turns to the issue of “state and local stakeholders.”  A lot of DHS work involves state, local and non-profits (like Red Cross). What steps would Johnson take to make sure the DHS works effectively with state and locals?

Johnson: “I’ve been struck by the emphasis people up here [in Congress] and at DHS place on [state, local, private sector relationships]… and the attention … they want me to pay to it, and it’s pretty apparent to me that it’s part of the mission.” He then goes on to talk about his New York City experience, working with New York Police Department.  He concludes his answer to the question about what steps he’d take to make sure DHS works effectively with state and locals by saying, “I think I get that.”  That seems to be it for state and local; nothing about fire, emergency management, public health, and the other non-law enforcement participants in the homeland security enterprise.

At the 2:06 mark (I‘m now using the video timing, not my pacific time clock; an archive of the video stream is still available on the Senate site): Carper asks Johnson what Johnson thinks are the major management challenges for DHS, and his role fixing them. Johnson refers to GAO report on DHS high risk issues (http://www.gao.gov/highrisk/strengthening_homeland_security/why_did_study#t=1).  Management issues: vacancies, efficient procurement; unqualified audit financial statement; business intelligence (with 6 different account systems). Talks about leadership as sometimes requiring that you “push people,” as you might push a sluggish aircraft carrier. (Expect more DoD metaphors to enter the homeland security vocabulary,)

11:47 AM – Back to blogging. The hearing is over, so I’ll just summarize the remaining 30 minutes or so.

8:57 AM  - Need to attend to my day job for awhile.  Back later.

8:51 AM  - Sen Carper defines “high risk” list.  High risk = ways of wasting taxpayer money. Arnold B provides  details:  http://www.gao.gov/highrisk/overview

8:45 AM – Senator Paul “Does the 4th Amendment apply to my Visa purchases?” Can a single warrant apply to millions of things? Can you have due process with only one side represented? (FISA court.)  Should we decide the scope of the 4th Amendment in secret.  Johnson wants “robust discussion” as he’s had in past use of force decisions. Paul “due process is not a bunch of good people sitting in a room discussing whether to kill someone.” Should we target Americans overseas who are not engaged in combat? Paul argues for an examination of due process and paying attention to the 4th amendment.

8:37 AM - Senator Ayotte asking about AQ. Johnson describes 3rd phase of AQ terrorism – loan wolf.  Harder to detect; need more local focus by state/local first responders. Now asking about interrogation of AQ. How to balance the benefit of interrogation with domestic laws and protections. How can we have a policy that allows us to gather information and prosecute. Johnson – “There’s authority for a pre-Miranda national security interrogation. We need to codify that.”  And then the discussion moves to DHS employees abusing DHS overtime policy.

8:26 AM – Senator Begich’s (Alaska) turn – CBP denied a request from a tourist company to move; Begich says approving the request would actually make money for the government (and CBP), and “DHS would make a 20% profit.”  Discussing Coast Guard and the Arctic. Johnson in favor of [Coast Guard] being agile with resources we have. Domestic drone activity discussed. Johnson uses the “risk based strategy” mantra again. DHS has two offices related to drones. Question about disaster assistance to houses of worship. Starts a discussion about church-state relations

8:19 AM Senator Levin’s turn – 2 million corporations created in the US each year; states approve the corporation without asking who they are.  Senator Levin is about to expand DHS mission to monitor ownership of who own the 2 million corporations created by states annually. Advocates for support for a Levin-Grassly bill to do this. States opposed to the bill.  Johnson says he wants to understand the issue better.  GAO report on border report discussion – says terror threat is greater in the north than it is in the south. Coast guard needs helicopters….

8:11 AM McCain – Says Johnson will be confirmed.  Then starts asking questions about border apprehensions and what constitutes border security. Apprehensions are up? Apprehensions are down? who knows what any of that means. McCain gets his border information from CBP not DHS.  McCain wants 90% effectiveness at the border.  McCain wants a yes or no answer; Johnson uses his “inclined to…” response.  Johnson then says he wants to cooperate with McCain, but he wants to understand the issue better before he commits to what McCain asks. McCain says he won’t support Johnson unless he commits to the 90% target.

8:03 AM – Senator Tester’s turn at questions (and statements). Focus on DHS morale. Asks for ideas to cultivate future leadership at all levels of DHS? Johnson says you have to have passion for the mission.  How do you motivate people? Johnson: complement them for a job well done. Tester asks about CBP pay, border security technology. Johnson uses the buzz phrase “risk based strategies.”  Tester: on to the private sector and contractors.  DHS favors big contractors; Tester wants smaller organizations to have a shot.  Johnson says he’s in favor of competition. Questioning gets into the details of how to write contract specifications.

7:58 AM – Coburn asks what DHS programs might not be necessary. Johnson suggests some intel programs.  Coburn asks about DHS cyber security problems, including DHS internal cyber procedures. If DHS can’t take care of its own cyber issues why trust it with the cyber portfolio, he asks.

7:54 AM – Coburn starts his testimony by asking Johnson to give him information.  Johnson says “If confirmed I will look at the issue and be inclined to give you the information.” Coburn going through a list of things he wants to learn about DHS and asks Johnson to look into the issues, including intel, fusion centers, border security, immigration enforcement.  Johnson good at responding that he will “be inclined” to provide what’s asked. 7:58 AM

7:50 AM – Johnson talking about what he learned about leadership. Needs to be able to see the entire enterprise.  Tells a story about actually reading memos and asking people why others agreed to the memo’s suggestions.  He cites the 11 for, 1 against story about decision making.  Carper: “leadership is the courage to stay out of step when everyone else is wrong.”

7:47 AM  – Carper: what is your vision for DHS? and what are the challenges?  Fill management positions; focus on terrorism, immigration, move the ball forward on cyber security; get off the GAO high risk list (whatever that is); read Coburn’s writing on DHS.  ”We need to be vigilant.”  Recongizes morale issues at DHS. Believes protecting the american public is the core mission of the US government.

7:44 AM – starts with three standard questions: any conflicts of interest? anything preventing you from doing your job? will you respond to “reasonable summons” from congress.  No to first 2, and yes to last one.

7:35 AM – Johnson starts his testimony by introducing his family. Describes his past experience related to homeland security and DoD.  Reads the DHS mission. Understands many senior positions in DHS are vacant. Will get DHS off the GAO “high risk” list. Says he won’t shrink from hard decisions – hints at previous drone decision and don’t ask/don’t tell decision.  Going through a list of his decisions.  Pledges transparency and candor with congress.  Use to be an intern for Sen. Moynihan. Cites a photo with his family car parked next to the Capitol.  Says those days may not return in our lifetime. Ends at 7:44 AM.

7:32 AM – McCaskill — has 5 issues, but they went by too quickly for me to catch them:   1)right sizing DHS, 2) cohesive department, 3) DHS as directorate, 4) procure bio terrror stuff, 5) DHS needs a clean audit.

7:31 AM – Carper asks Johnson to turn in another draft of his answers to the committee; too many of them were cut and pasted from other hearings, Carper claims.

7:29 AM – Coburn’s critique of DHS comes in a binder:  1) Establish proper balance between freedom and security. CBP owns drones, but hasn’t filed privacy statements. 2) Is DHS spending on Intel and counter terrorism helping to make us safer? who knows? 3) Can DHS secure borders and handle immigration? 90 billion spent in the last decade on border security, with minimal effect. 4) DHS needs to prove it can work with private sector, especially with cyber. 5) Needs to manage major acquisition programs effectively. 6) FEMA disaster declaration process needs fixing. Asks Johnson to “run a transparent shop” (whatever that means).

7:19 AM – Coburn’s turn.  He warns everyone his opening statement will be “lengthy.” Coburn to Johnson: It’s not “if” you’ll be confirmed; it’s “when.” But he’s still concerned by cut and paste responses from past hearings.

7:18 AM – Carper: “DHS lacks cohesion and a sense of team; morale is low at DHS; fiscal environment constrains what DHS can do.  Even on a good day DHS secretary is a very very hard job.”  DHS has 13 vacant leadership positions; it’s executive swiss cheese.  Basically, Carper in favor of Johnson. Suggests Johnson seek advice from former DHS secretaries, Comptroller, former DoD secretaries.

7:08 AM – Menendez: “Johnson oversaw 10,000 attorneys in DoD.” DoD has 10,000 lawyers?

7:06 AM – Booker: “All three previous DHS Secretaries support Johnson’s nomination; so does law enforcement.”

7:03 AM – Hearings start. The nominee will be introduced by Senator Robert Menendez and Senator Cory A. Booker

6:57 AM[pacific time] — Hearings are being streamed at http://www.hsgac.senate.gov/hearings/nomination-of-hon-jeh-c-johnson-to-be-secretary-us-department-of-homeland-security.  They start at 10 AM eastern; 7 am pacific

November 12, 2013

Wednesday: Confirmation hearing on the nomination of Jeh C. Johnson to be Secretary of the Department of Homeland Security

Filed under: Congress and HLS,DHS News — by Christopher Bellavita on November 12, 2013

On Wednesday 11/13 at 10am (EST), the Senate Homeland Security and Governmental Affairs Committee will hold a confirmation hearing for Jeh Johnson to be Secretary of Homeland Security.

I am told by a colleague who is in a position to know, there’s a good chance the hearings will be carried by C-SPAN and (for maybe part of the hearings) by some cable news outlets.

I did not see the Johnson hearings on the C-SPAN schedule for Wednesday.  But that could change.

At 10 am on Wednesday, C-SPAN 1 is scheduled to show the House of Representative’s Morning Hour, “during which members speak on a variety of topics.”

C-SPAN 3 plans to broadcast the 10 am House-Senate Conference Committee Meeting on the Fiscal 2014 Budget. Fairly significant.

C-SPAN Radio scheduled its flexibly generic “Public Affairs Programming” in the 10 am slot.  So, who knows.

I thought Al Jazeera might be interested in broadcasting views about the (probably) next Secretary of the Department of Homeland Security.  They have something called “News” scheduled for 10 AM Wednesday, meaning “Live, breaking and in-depth news coverage reports on America and the world for an American audience. Human-centered reporting reveals how events affect Americans and the interconnectedness of people across the world.” Again, who knows.

My colleague said the hearing will be streamed from the Senate Homeland Security and Governmental Affairs Committee website. As of Monday night, I did not see any information about streaming on the Committee site.  But Monday was, after all, a federal day off for a lot of people.  Maybe tomorrow.

If the hearings are broadcast or streamed, I‘ll do liveblogging of the event on this site.

 

 

August 20, 2013

QHSR 2.0 – the preparedness phase

Filed under: Congress and HLS,General Homeland Security — by Christopher Bellavita on August 20, 2013

While DHS is waiting to learn who its fourth leader will be, homeland security geeks (you know who you are) spend the summer quadrennially reviewing homeland security.

If you care about homeland security and want to add your voice to the 2nd QHSR discussion, you have at least two options.  You can join the conversation on IdeaScale and you can go to the “Quadrennial Homeland Security Communities of Practice” message board. (Registration required on both sites.)

Here’s how the IdeaScale works:

  • Users submit their ideas
  • The “community” discusses and votes for the ideas.
  • The best ideas bubble to the top.

I could not discover what happens to the ideas that bubble to the top.

The QHSR Communities of Practice site “addresses question of governance in the Homeland Security Enterprise – The Public Private Relationship.”

I interpreted those words to mean you could talk about anything as long as it had to do with public-private relationships in homeland security.  Most of the 90+ posts did have a private sector connection, even the discussions of memes and the-always-appropriate “what is homeland security?”

The IdeaScale site has a richer variety of issues.  As of last night, there were 140 of them — including:

  • the impact of Obamacare on public health
  • whether local law enforcement could be trusted with homeland security
  • facial recognition
  • global recovery
  • cryptocurrencies
  • aging
  • politics as a waste
  • Christion Zionism
  • infectious illegal immigrants
  • the security of homeland security vehicles
  • tablet computers for prison inmates
  • privacy concerns hindering homeland security efforts

There were many more.

Even if few of those ideas make it into the 2nd QHSR, they do offer candidates for news stories, research papers, conspiracy theories and congressional hearings.

I spent a few days last week in the company of 30 state, local, federal and private sector people, all of whom had some connection to homeland security.

I asked about the QHSR.

Most people had heard something about it. Some thought it was a strategy. Others said it was a law.  It was a plan.  A report.

One person said the QHSR influenced what that person did at work:  ”Everything we do is aligned to the 2010 Review.”  That person works for DHS.

No one else in the room was able to identify any impact the 2010 QHSR had on what they do. No one.  The consensus was the 2014 Report would have the same result.

“Why is the QHSR Important?” asks the 2nd QHSR Engagement Bulletin.

The 2010 Report “described the what of homeland security.”  The 2014 Report “will begin to describe the how of homeland security.”

Another description (available here) says the “first quadrennial review answered the question, ‘What is homeland security?’ ” And the “second quadrennial review is focusing on how we work together to address critical security challenges in the face of evolving threats and resource constraints.”

The Engagement Bulletin has a a buzzing description of five specific things the 2nd QHSR will do.

  • Apply a strategic, risk based approachusing a rigorous, data-driven analytic approach.
  • Learn from the past to help plan for the future….
  • Maximize impact….
  • Help create a DHS that “works together even more efficiently.
  • Engage the entire homeland security enterprise….

I admire the ideals reflected in those aspirational objectives and the belief that the homeland security world might work that way.

I wonder what measures could be used to determine whether the QHSR will do those 5 things.

I wonder what “learn from the past” measures are used within DHS and in Congress to figure out what impact the 1st QHSR Report had in the homeland security enterprise. (Seriously. I’d appreciate learning, if anyone knows.)

Why even do this exercise?

Blame Congress.  It mandated that every 4 years there be a review of “the homeland security of the nation.” Whatever that means.

Congress directed the Review to be:

a comprehensive examination of the homeland security strategy of the Nation, including recommendations regarding the long-term strategy and priorities of the Nation for homeland security and guidance on the programs, assets, capabilities, budget, policies, and authorities of the Department.

That’s a tall order.  Bravo to those in the Arena who are trying to make this work.

If I remember correctly about what happened after the 1st QHSR Report was issued, Congress held hearings, DHS folks testified, Congress said there should be more progress.

That’s probably going to happen again.

But all that is later.  Right now, cynic, realist or idealist, you have an opportunity to offer your ideas, debate with people who care about homeland security, and who knows, maybe make a difference.

July 26, 2013

DHS Deputy Secretary confirmation fight exacerbates vacancies problem

Filed under: Congress and HLS,DHS News,General Homeland Security — by Christian Beckner on July 26, 2013

In late June the President nominated Alejandro Mayorkas, current Director of USCIS, to be the next Deputy Secretary of the Department of Homeland Security.  This nomination was a critical first step in addressing the issue of DHS leadership vacancies that I wrote about here a couple of weeks ago, and which has attracted notable media attention since Secretary Napolitano announced her resignation two weeks ago.

Until a few days ago, I assumed that this nomination would move forward smoothly, given Mayorkas’ very good reputation and his performance leading USCIS for the last four years.   But as has been reported in the news this week, there’s been a bump in the road in his nomination process, related to a reported DHS Inspector General investigation into certain investments made via the Immigrant Investor Program (known as EB-5), and Mayorkas’ alleged involvement in key decisions related to this matter.

The Senate Homeland Security and Governmental Affairs Committee held its confirmation hearing for Mayorkas yesterday (July 25th), likely having scheduled this hearing before this news broke with the intent to try to get him confirmed before the August recess.  Senator Coburn and the other Republican members of the Committee boycotted the hearing, arguing that these  issues raised by the IG needed to be resolved before the nomination should move forward.

I’ve reviewed the transcript of yesterday’s hearing, all relevant news clippings on this EB-5 matter, and the relevant documents released by Senator Grassley yesterday.  This is definitely the kind of issue that Senate Committees need to look at and sort out as part of a confirmation process.  There’s still a lot of confusing and contradictory information in the public record on this matter, so I don’t feel confident to comment on the substance of the allegations.  But from a process standpoint, I would note that these allegations are being brought forward publicly by the IG (who is under his own investigative cloud) in a way that seems very unfair to Mayorkas – who was perplexed and blindsided by these allegations at the hearing, and appears to have had no opportunity to respond to them in the year that the IG’s investigation has been open.   The IG’s actions in relation to the Homeland Security and Governmental Affairs Committee also appear to be very strange – the Committee apparently only learned about this matter from the IG earlier this week, and Senator Carper indicated at the hearing that he found no relevant information on this matter in Mayorkas’ FBI background report.

And unfortunately, the net result of this matter is that it now seems unlikely that Mayorkas will be confirmed before Secretary Napolitano departs DHS on September 7th.  (The Senate will be on recess from August 3 to September 9, so will have no opportunity to confirm him after next Friday, August 3rd).  That will create a significant and troubling leadership gap at the top of DHS, just in time for the 12th anniversary of the September 11th attacks, and right in the middle of hurricane season.  The Department is also likely to have a full legislative agenda this fall (cyber security, border security, appropriations etc.) and on the policy front is charged with working on the second Quadrennial Homeland Security Review (QHSR) and updating the National Infrastructure Protection Plan this fall.   These issues will all suffer if there is a prolonged senior leadership gap after Secretary Napolitano’s departure.

For these reasons, I hope that the Senate will find a way to resolve this issue and move forward soon on Mayorkas’s nomination.  And it is also imperative that the White House nominate someone as soon as possible to be the next Secretary of DHS, and also finally move forward on nominating and appointing individuals for other key vacant positions (CBP, I&A, ICE, IG, etc.) as soon as possible.

Congressional prospects for NSA operations

Filed under: Congress and HLS,Intelligence and Info-Sharing,Terrorist Threats & Attacks — by Philip J. Palin on July 26, 2013

As I explained in an early June post, I have mostly been reassured by the controversy over NSA domestic intelligence gathering.  So far the evidence I have seen indicates operations have been undertaken consistent with the law, with judicial authorization, and with Congressional oversight.

The close vote on Wednesday night to continue funding NSA operations is another example of the system working as it ought.  It is helpful and appropriate that policy of this sort be actively and critically examined by the people’s representatives.  Our security mavens have been forcefully reminded of their obligation to consult with Congress on policy and strategy.  (And I even hope against hope that those in Congress may have learned to listen more carefully.  I know I’m a glutton for disappointment.)

If some are tempted to “learn” from this experience that they need to be even more secretive, they are idiots.  If they instead recognize the benefit of proactive and principled engagement at the policy level, we will all be better off: both in terms of our tactical security and the preservation of liberty.

I am glad the funding was continued.  I am glad the vote was close.  I am glad that other efforts are underway to ensure legal constraints on domestic intelligence operations.  Yesterday reporting by ProPublica identified six proposals still under consideration by Congress:

1) Raise the standard for what records are considered “relevant”

2) Require NSA analysts to obtain court approval before searching metadata

3) Declassify Foreign Intelligence Surveillance Court opinions

4) Change the way Foreign Intelligence Surveillance Court judges are appointed

5) Appoint a public advocate to argue before the Foreign Intelligence Surveillance Court

6) End phone metadata collection on constitutional grounds

Read more on each proposal by Kara Brandeisky at ProPublica

July 11, 2013

DHS Vacancies Watch

Filed under: Congress and HLS,DHS News,General Homeland Security — by Christian Beckner on July 11, 2013

We are now more than halfway through 2013, and the number of vacancies of leadership positions at DHS continues to increase.  Until two weeks ago, the President had not yet nominated a single official to serve at DHS in a Senate-confirmed position, and had only made one senior-level appointment to a position that does not require Senate confirmation – the selection of Julia Pierson to serve as the new director of the Secret Service.

Having a certain level of senior-level vacancies in a Cabinet department is normal, given the typical churn of confirmed and appointed officials.  But if enough positions are open for a long enough period of time, it can lead to significant operational and management risks to that Department, and also diminishes its accountability to the U.S. Congress.

I am afraid that the Department of Homeland Security is now at the point where it is facing these risks.   As I note below, there are currently no less than 14 senior-level vacancies at DHS.  Given this, I think that it is critical that the White House prioritize nominations and appointment for the key positions listed below, and that when nominations are made, that the Senate act quickly on nominations for qualified candidates.

Below is a list of the Senate-confirmed positions that are currently unfilled (or will soon be unfilled) at DHS:

1. Deputy Secretary: Former Deputy Secretary Jane Holl Lute stepped down in May 2013.  Under Secretary for NPPD Rand Beers is currently serving as Acting Deputy Secretary.  On June 27th, the White House nominated current USCIS Director Alejandro Mayorkas to become the new Deputy Secretary, and his nomination is pending with the Senate Homeland Security and Governmental Affairs Committee.  His confirmation would open up a new vacancy at USCIS.

2. Under Secretary for Intelligence and Analysis: Former Under Secretary for I&A Caryn Wagner left DHS in December 2012.  Bill Tarry has been serving as Acting Under Secretary since that date, but his acting role will hit the 210 day limit under the Vacancies Act in the next ten days.  No nomination has been announced yet.

3. General Counsel:  Former GC Ivan Fong left DHS in September 2012.  Former Counselor to Secretary Napolitano John Sandweg was named as Acting General Counsel, but is now listed on the DHS website as Principal Deputy General Counsel, presumably because he had been in the acting position for longer than the 210 days allowed by the Vacancies Act.

4. Inspector General:  Former IG Richard Skinner left DHS in January 2011.  The President nominated Roslyn Mazer to serve in the position in July 2011, and her nomination was withdrawn in June 2012 following opposition by members of the Senate Homeland Security and Governmental Affairs Committee.  It’s now been over a year since her nomination was withdrawn, and no new nominee has been put forward.  Charles Edwards served as Acting IG until hitting the Vacancies Act limit and is currently listed as the Deputy IG on the OIG’s website.  He is currently being accused of a range of abuses of his position in a letter sent last month by Sen. McCaskill and Sen. Ron Johnson.

5. Commissioner, Customs and Border Protection: Alan Bersin was nominated as CBP Commissioner in September 2009, and in March 2010 was put in the position via a recess appointment by the President.  The Senate Finance Committee held a nomination hearing for Bersin in May 2010, but his nomination was never reported out of the Finance Committee, and his recess appointment expired at the end of 2011.   Since that time, former Border Patrol chief David Aguilar and Deputy Commissioner Thomas Winkowski have served as Acting Commissioner, but no new nominee has been put forward.

6. Director, Immigration and Customs Enforcement:  ICE Director John Morton announced his intent to resign in June and is departing at the end of July.

In addition to these six Senate-confirmed position, there are also senior leadership vacancies in at least eight other senior positions that do not require Senate confirmation, including Chief Privacy Officer, Officer for Civil Rights & Civil Liberties, Assistant Secretary for the Office of Health Affairs, Director of the Domestic Nuclear Detection Office, Assistant Secretary for the Office of Cybersecurity and Communications, Chief Information Officer, Assistant Secretary for the Office of Legislative Affairs, and Executive Secretary.

July 2, 2013

Where The Heck’s My Dec?

Filed under: Congress and HLS,Disaster,Legal Issues — by Christopher Bellavita on July 2, 2013

The post for Tuesday, July 2, 2013 was removed at the author’s request.

March 7, 2013

Issues in Homeland Security Policy for the 113th Congress

Filed under: Congress and HLS — by Christopher Bellavita on March 7, 2013

Congressional Research Service (CRS) published its outline of homeland security issues facing the 113th congress.  You can find a copy of the 70 page CRS report on the Federation of American Scientists’ CRS homeland security reports page.

Here is a direct link to the report:  http://www.fas.org/sgp/crs/homesec/R42985.pdf

From the Introduction:

This report outlines an array of homeland security issues that may come before the 113th Congress. After a brief discussion of the overall homeland security budget, the report divides the specific issues into five broad categories:

• Counterterrorism and Security Management,

• Border Security and Trade,

• Immigration,

• Disaster Preparedness, Response, and Recovery, and

• Departmental Management.

Each of those areas contains a survey of topics briefly analyzed by Congressional Research Service experts. The information included only scratches the surface on most of these issues.

More detailed information can be obtained by consulting the CRS reports referenced herein, or by contacting the relevant CRS expert.

 

On a related topic, here’s my favorite Doonesbury report on CRS (click for a larger image):

January 3, 2013

Due process: Collect, keep, and kill

No free man shall be seized or imprisoned, or stripped of his rights or possessions, or outlawed or exiled, or deprived of his standing in any other way, nor will we proceed with force against him, or send others to do so, except by the lawful judgment of his equals or by the law of the land. (Clause 39, Magna Carta)

No person shall… be deprived of life, liberty, or property, without due process of law… (Fifth Amendment to the Constitution of the United States)

–+–

Recent months have seen one-time expediencies dressed-up as new principles to frame the relationship between citizen and State.  Three examples:

On the Friday after Christmas the Senate reauthorized broad executive authority for  electronic surveillance and collection. The vote was 73-to-23 and extended for five years the Foreign Intelligence Surveillance Act. The House adopted the legislation earlier in the year.  On Sunday the President the signed the extension into law. Proposed amendments, including those offered by Senator Wyden,  that would have enhanced Congressional oversight of FISA were defeated.  FISA was originally intended to provide due process for the gathering of intelligence on non-citizens and so protect the privacy of citizens.  There has been increasing concern regarding how FISA methods now unintentionally — but perhaps quite widely — sweep up citizen communications as well.

According to a December 13, 2012 Wall Street Journal report, there may be good cause for concern.   In an exclusive investigative report, Julia Angwin found that new Department of Justice guidelines, “now allow the little-known National Counterterrorism Center to examine the government files of U.S. citizens for possible criminal behavior, even if there is no reason to suspect them. That is a departure from past practice, which barred the agency from storing information about ordinary Americans unless a person was a terror suspect or related to an investigation. Now, NCTC can copy entire government databases—flight records, casino-employee lists, the names of Americans hosting foreign-exchange students and many others. The agency has new authority to keep data about innocent U.S. citizens for up to five years, and to analyze it for suspicious patterns of behavior. Previously, both were prohibited.”

Meanwhile the White House is, according to several sources including Presidential adviser John Brennan, developing a legal and procedural framework for the deadly use of drones. Addressing the use of drones during an October 18 appearance on “The Daily Show,” President Obama said,  “One of the things we’ve got to do is put a legal architecture in place, and we need Congressional help in order to do that, to make sure that not only am I reined in but any president’s reined in terms of some of the decisions that we’re making.”  According to a May report in the New York Times, “Mr. Obama has placed himself at the helm of a top secret “nominations” process to designate terrorists for kill or capture, of which the capture part has become largely theoretical. He had vowed to align the fight against Al Qaeda with American values; the chart, introducing people whose deaths he might soon be asked to order, underscored just what a moral and legal conundrum this could be.”   Among the President’s decisions, presumably, was the targeted killing of Anwar al-Awlaki, a US citizen who was killed by drone-delivered Hellfire missiles on September 30, 2011 and his sixteen year-old son, also born in the US, who was killed in another drone attack two weeks later.  Both citizens were killed in Yemen.

The predominant motivation in each instance above — and others — is the protection of the American people and nation.  There is no imminent threat of Orwellian intention or intervention.

In each of these examples legislators and the executive are attempting to develop due process that is appropriate to their understanding of the present challenge.   (The judicial branch is poised to soon rejoin consideration of the issue.)

Nonetheless while it is, I suspect, the specific intention of no one, the space where individual liberty adjoins civil authority is being incrementally reshaped.  In the Anglo-American tradition there has long been in both theory and practice the presumptive primacy of individual initiative, what Blackstone termed “the absolute rights of man.”  The balance is shifting toward a presumed ability by the government to maintain order.

Perhaps this is the inevitable outcome of more and more diverse individuals living in dense proximity to each other.  Perhaps it is a prudent response to demonstrated risk.  Perhaps it reflects an emerging social consensus that liberty is less valued than previously.  Or we might be in the process of  redefining liberty.  These shifts might even be the accidental consequence of what Nassim Taleb has termed “naive interventionism”.  The preference, even obligation, to “do something” over doing nothing, even when the doing is non-productive or counter-productive.

Whatever the cause, the pattern can be perceived and seems to be persisting.

December 6, 2012

Senator Coburn gives a second warning to homeland security

Filed under: Budgets and Spending,Congress and HLS,State and Local HLS — by Christopher Bellavita on December 6, 2012

Senator Tom Coburn fired another warning shot over the bow of the USS Homeland Security Enterprise.

On December 4th, the man likely to become ranking minority member of the Homeland Security and Governmental Affairs Committee released “Safety at Any Price: Assessing the Impact of Homeland Security Spending in US Cities.” The 54 page report — well worth reading — “exposes misguided and wasteful spending” in the Urban Area Security Initiative (UASI) grant programs.

As if to emphasize “misguided and wasteful,” the cover features a toy truck, a toy 4 wheeler, a toy police helicopter, and a small R2D2 robot.

Coburn uasi report

The toys are immediately outside the US Capitol building. I’m not sure what that image is supposed to symbolize. It could mean somebody’s been playing around with Congress. Or maybe it is supposed to be a metaphor for the way Congress treats homeland security.

—————————————

The UASI report is the senator’s second recent warning to the homeland security enterprise.

Last October, he released “Federal Support For And Involvement In State And Local Fusion Centers.” That report questioned federal funding for fusion centers and concluded, among other things, that fusion centers do not contribute much to federal counterterrorism effectiveness, and DHS does not know how much it spent on fusion center support. (Spending estimates ranged — if “ranged” is the correct word here — from $289 million to $1.4 billion.)

The Fusion Center report hit a nerve. Within a week of its release, the International Association of Chiefs of Police, National Sheriffs Association, Major Cities Chiefs, Major County Sheriffs, National Governors Association Homeland Security Advisers Counsel, National Narcotics Officers Coalition Association, National Fusion Center Association, and the Association Of State Criminal Investigative Agencies issued a “joint statement” disagreeing with the report. (Eight public safety associations agreeing on anything in less than a week must be a world record.)

Their statement said, in part, “Simply put, the report displays a fundamental disconnect and severe misunderstanding of the federal government’s role in supporting state and locally owned and operated fusion centers and the critical role that fusion centers play in the national counterterrorism effort.”

Media attention to the Fusion Center report lasted about a week. I wonder how long interest in the UASI report will last.

—————————————

The UASI report has lots of material to provoke media outrage.

Some of the stories of questionable UASI expenditures are old news – for example the one about 13 sno-cone machines (p. 31). Other “questionable projects” were new – at least to me.

One city produced a series of videos titled “A Tale of Disaster and Preparedness.” The UASI report complains the “little more than common sense suggestions” in the video are “presented as a steady stream of jokes….” (p. 32).

I thought the preparedness videos were innocently compelling – sort of like Apple versus PC commercials. But as Will Rogers might have said, one person’s joke is another person’s misused taxpayer funds.

There was a somewhat too long description of a $1000, UASI allowable expense, entrance fee for a five day counterterrorism summit held on an island near San Diego. The Summit featured “40 actors dressed as zombies getting gunned down by a military tactical unit.” (p. 25)

The report even found some UASI money was apparently spent on “a true pork project – a hog catcher in Liberty County [Texas],” used (according to another source) to aid in catching and controlling unruly swine at holding sites. (p. 24)

—————————————

There are many other examples of UASI spending for things and activities that at a minimum activate a reader’s WTF response. But beyond the sometimes surreal stories, the report – addressed to “Dear Taxpayer” – is a serious critique of the $7 billion spent on the UASI programs over the past decade.

Part 2 of the report: “The Politics of Risk” discusses the role of political influence in determining how homeland security money is allocated.

Tom Ridge is quoted as saying he was looking for a grant formula that gets “218 votes in the House or 51 votes Senate….”  Anyone still operating under the assumption that grant awards are – or ever were – based on objective measures of threat or vulnerability or consequence can benefit from spending time with Part 2.

Part 3 asks whether UASI grants have made the nation safer.

This chapter is the latest cover of the “Nobody Knows Whether Homeland Security Spending Is A Worthwhile Investment” song. The report (later) even brings up the Mueller and Stewart critique about acceptable and unacceptable risk. I thought their analysis was anathema in DHS and in Congress. Maybe not everywhere.

Part 3 also describes how homeland security money expands the militarization of state and local law enforcement, including the use of drones and “Long-Range Acoustic Devices” (i.e., sound cannons) in urban areas.

Part 4 was a bit disappointing. It offered a recycled critique that FEMA ineffectively manages grant programs, and shows a surprisingly naïve understanding of how measuring homeland security preparedness is different from measuring risk in the finance and insurance industries. The report avoids trying to explain the causes of this “mismanagement;” saying instead, “It is unclear why FEMA continues to have difficulties in [measuring the effectiveness of its grant programs] considering the experience and expertise of the private sector that is available to inform FEMA’s own efforts.”

How about “Not everything that can be counted counts, and not everything that counts can be counted?”

I thought the report all but gave up in Part 5: “Conclusions and Recommendations.” I did not see anything new here in the slightly more than one page final section.

DHS needs to address A, B, C…
DHS needs to demand Q, R & S from local and state partners…
DHS needs to implement a systematic approach to X, Y & Z…

Yes, DHS ought to do all those things.

But what is that old saying about insanity? About doing the same thing again and again and expecting different results? Those recommendations are not new insights.

—————————————

The UASI report missed an opportunity to break new ground in the decade long search for ways to bring more rigor, order, rationality, and common sense to the homeland security grant process.

On page 5, one finds this nugget of realpolitik:

“Any blame for problems in the UASI program, however, also falls on Congress, which is often more preoccupied with the amount of money sent to its cities than with how the money is spent, or whether it was ever needed in the first place. With so few accountability measures in place, there is almost no way to ensure taxpayers are getting value for their money, and more importantly, whether they are safer.”

The report blames the members of Congress for being more interested in sending money to constituents than figuring out the usefulness of those expenditures.

So what does the report recommend Congress should do to fix this primal cause of the UASI allocation problem?

The only recommendation I could find was in the last sentence of the report: Congress needs to … “demand answers.”

—————————————

Lorelei Kelly describes in another document  called  “Congress’ Wicked Problems,” — also released on December 4th – how and why Congress has become incapacitated, despised and obsolete.   She argues in its present state, Congress “cannot serve the needs of American democracy in the 21st Century.”

Kelly’s essay is especially worth reading in conjunction with the UASI report.

Someone who is sick probably can’t get better by demanding that other people get healthy.

Maybe the next step Congress could take to remedy the significant issues raised in the UASI report is to heal itself first.

I wonder if that healing will be on the agenda of the new ranking minority member of the Homeland Security and Governmental Affairs Committee.

September 26, 2012

Government and the cyber-domain; or command-and-control encounters complexity

Filed under: Congress and HLS,Cybersecurity,Strategy,Technology for HLS — by Philip J. Palin on September 26, 2012

There is considerable expectation that an Executive Order will soon try to pick up the pieces from a failed effort at cybersecurity legislation.  You can read more at CNET, Wall Street Journal, or The Hill (for three very different angles on reality).

Technical challenges, political problems, and real philosophical differences complicated the legislative process.  I already gave attention to many of these issues in a February post.  Whatever the text of the Executive  Order these complications will persist.

Many of the most vexing problems are not particular to cyber.  Similar issues are encountered in regard to strategy, policy, regulation, innovation, security, resilience, and competition in domains seemingly as diverse as eCommerce, supply chains, and the global financial system.

Sunday there was a brief two-page essay in the New York Times Magazine that focuses on how the Internet was created.  Following are a few key paragraphs.  As you read cut-and-paste your preferred networked-entity over the word Internet.  When I do that,  the author’s explanation still holds.

Like many of the bedrock technologies that have come to define the digital age, the Internet was created by — and continues to be shaped by — decentralized groups of scientists and programmers and hobbyists (and more than a few entrepreneurs) freely sharing the fruits of their intellectual labor with the entire world. Yes, government financing supported much of the early research, and private corporations enhanced and commercialized the platforms. But the institutions responsible for the technology itself were neither governments nor private start-ups. They were much closer to the loose, collaborative organizations of academic research. They were networks of peers.

Peer networks break from the conventions of states and corporations in several crucial respects. They lack the traditional economic incentives of the private sector: almost all of the key technology standards are not owned by any one individual or organization, and a vast majority of contributors to open-source projects do not receive direct compensation for their work. (The Harvard legal scholar Yochai Benkler has called this phenomenon “commons-based peer production.”) And yet because peer networks are decentralized, they don’t suffer from the sclerosis of government bureaucracies. Peer networks are great innovators, not because they’re driven by the promise of commercial reward but rather because their open architecture allows others to build more easily on top of existing ideas, just as Berners-Lee built the Web on top of the Internet, and a host of subsequent contributors improved on Berners-Lee’s vision of the Web…

It’s not enough to say that peer networks are an interesting alternative to states and markets. The state and the market are now fundamentally dependent on peer networks in ways that would have been unthinkable just 20 years ago…

When we talk about change being driven by mass collaboration, it’s often in the form of protest movements: civil rights or marriage equality. That’s a tradition worth celebrating, but it’s only part of the story. The Internet (and all the other achievements of peer networks) is not a story about changing people’s attitudes or widening the range of human tolerance. It’s a story, instead, about a different kind of organization, neither state nor market, that actually builds things, creating new tools that in turn enhance the way states and markets work.

Legislation, regulation, many theories of management and the practice of most managers assume someone is in charge of something.  Someone is accountable for discreet action that leads to reasonably foreseeable consequences.  There are intentional practices to regulate, systematize, and evaluate.   Certainly this is part of reality, but only part and its proportion of the whole seems to be decreasing.  In homeland security I expect most of our reality cannot be accurately described in these traditional “Newtonian” terms.

When I have most seriously failed it has been because I have very reasonably, diligently, and intelligently applied the lessons learned in one corner of reality to another corner of reality without recognizing the two realities are almost totally different.

 

August 2, 2012

NYT editorial and op-ed on cybersecurity

Filed under: Congress and HLS,Cybersecurity,General Homeland Security — by Philip J. Palin on August 2, 2012

The issue certainly deserves sustained and serious attention.   It is not, however, where I spend most of my time.  So… without further comment and just to be sure you did not miss: two recent pieces from the New York Times editorial page. To read the commentary in full please click on the link.

Cybersecurity at Risk

Published: July 31, 2012

Relentless assaults on America’s computer networks by China and other foreign governments, hackers and criminals have created an urgent need for safeguards to protect these vital systems. The question now is whether the Senate will provide them. Senator John McCain, a Republican of Arizona, and the Chamber of Commerce have already exacted compromises from sponsors of a reasonably strong bill, and are asking for more. Their demands should be resisted and the original bill approved by the Senate.

READ THE FULL EDITORIAL

A Law to Strengthen Our Cyberdefense

By ASHTON B. CARTER and JANE HOLL LUTE
Published: August 1, 2012

OVER the last decade, the United States has built a sophisticated security system to protect the nation’s seaports against terrorists and criminals. But our nation’s critical infrastructure is not similarly secured from cyberattack. Although we have made progress in recent years, Congressional action is needed to ensure that our laws keep pace with the electronically connected world we live in. The bipartisan Cybersecurity Act of 2012, currently before the Senate, offers a way forward.

READ THE FULL OP-ED

July 17, 2012

Highlights from “The Future of Homeland Security: Evolving and Emerging Threats”

Filed under: Congress and HLS — by Christopher Bellavita on July 17, 2012

Last week, the Senate Homeland Security and Governmental Affairs Committee held the first in a series of hearings about the future of homeland security. Wednesday’s hearing focused on evolving and emerging threats.

You can watch and read the hearing transcripts here.

I gleaned a few excerpts from the speakers prepared remarks. I encourage those with an interest in homeland security rhetoric, thought, analysis, fact, social construction, discourse, comity and history to download and read the full statements.

—————————————-

First, my favorite part of all the testimony, from Brian Jenkins.

The sentiments are not new; they appear in his Unconquerable Nation. But neither are they old.

Common Will and Common Purpose

Terror is just as much an enemy as the terrorists who try to create it. Our reactions to terrorism are part of any assessment. America has come through the dark shadow of 9/11, but as a nation, are we stronger?

Individual acts of courage inspire us, but Americans remain anxious rather than confident in the country’s ability to survive the threats we face. Fear-mongers and doomsayers still find a receptive audience.

Instead of our traditional self-reliance, Americans look too much to government to protect them, in part the reflection of rhetoric that, rather than involving us in a national effort, tells us that as individuals we can do nothing beyond remaining vigilant.

Americans have come to hold unrealistic expectations about security, believing that risk can be abolished. We are too ready to seek someone to blame when security fails.

Instead of the stoicism needed for a long fight, Americans remain vulnerable to overreaction. A terrorist attack of even modest scale could provoke paroxysms of panic.

Whatever one thinks about the wisdom, or the folly, of the wars in Iraq and Afghanistan, the sacrifices of war have been borne unequally. Our sense of community has eroded.

Terrorists did not create America’s anxieties. Terrorism acted as their condenser. Nor will America’s homeland be secured in the mountain passes of Afghanistan, the Arabian Peninsula, or the sands of the Sahara. Our commonwealth, our common defense, will come only from the recovery our own sense of common will and common purpose.

—————————————-

Joseph I. Lieberman

This coming November will mark the tenth anniversary of the signing into law of the Homeland Security Act legislation created in this Committee in the aftermath of al Qaeda’s attack on 9-11. Given this coming milestone, it seems appropriate not only to reflect on the major homeland security developments of the last decade but also to look ahead to the next ten years, and examine whether we are adequately prepared to address them.

The preeminent threat to our homeland security today remains the threat of terrorism….

The cyber threat is the second most significant threat to the United States….

The violence in Mexico by drug trafficking organizations has reached the level where it is now a direct threat to our national security….

Transnational organized criminal groups are becoming increasingly sophisticated and are engaged in a wide variety of activities, from human smuggling to Medicare fraud….

…[While] our threats are becoming increasingly interrelated, we continue to address them in a fragmented way, with different agencies responsible for different threats.

—————————————-

Susan M. Collins

In an understatement, the [9/11] Commission’s report observed that, “[i]magination is not a gift usually associated with bureaucracies.” Yet, imagination is precisely what is needed to address emerging threats. We must persistently ask: Where are the future threats? What technology could be used? Do we have the intelligence that we need? Are we prepared to thwart novel plans of attack? What will our enemy look like in two, five, or even ten years?

—————————————-

Michael V. Hayden

Because of globalization, the international structure that was created by the Treaty of Westphalia more than five centuries ago is no longer dominant. …. most of the attributes of the age of industrialization made the state stronger and more relevant. Most of the effects of today’s globalization make the state weaker and less relevant…. But here we sit with institutions optimized and practiced for the earlier age: methodical, thorough, stable….

We all agreed in the 9-11 Commission Report that we needed a domestic intelligence service and it would be best to house it in the FBI. But look at the reaction even today when the bureau tries to collect information without a criminal predicate, in that area we called “spaces between cases.”

And heaven save us from the Associated Press if the New York City Police Department tries to do the same thing….

This committee knows more than most how many of our secrets (state and industrial) are being stolen by foreign governments; how much of our wealth is being pilfered by criminal gangs; and how much of our infrastructure is vulnerable to cyber enabled anarchists and malcontents….

I should add that cyber, terrorist and criminal threats today all merge in a witches’ brew of danger.

—————————————-

Brian Michael Jenkins

The United States confronts a more diverse terrorist threat in 2012 than it has in the past. Al Qaeda, still our principal concern, has exploited the turmoil created by the Arab uprisings to make tactical advances and open new fronts. In addition, several incidents in the past year suggest a resurgence of Iranian-sponsored terrorism. Mexico faces what some analysts have called a “criminal insurgency” by the country’s drug cartels, which could expose the United States to the kind of savagery seen in that country. The global economic crisis has spawned mass protests.

These are legitimate expressions of popular discontent, but they attract violence-prone anarchists and may generate their own violent fringe groups. Anti-federal-government sentiments, a continuing current in American history, have become more virulent, fueled in part by economic dislocation that transcends the current economic crisis, deep national divisions, and the rancorous partisanship that characterizes contemporary political debate.

—————————————-

Frank J. Cilluffo

… [At] the level of principle, we need to be as flexible and adaptive as our adversaries, who are nothing if not creative and ever-thinking. A static posture is an ineffective one. After all, each time we raise the security bar (often at great cost to the U.S. Treasury) our adversaries devote themselves determinedly to crafting a reasonably inexpensive and clever way around the latest security measure(s). Their ingenuity and inventions are often vivid, and include body and “booty” bombs. Now is not the time to ease off the gas pedal. Rather we should and must keep up the pressure and exploit this unique window of counterterrorism opportunity by maintaining, if not accelerating, the operational tempo. The threat would look and be markedly different otherwise….

To my mind, the cybersecurity community’s state of development is akin to that of the counterterrorism community as it stood shortly after 9/11….

Now is the time to act. For too long, we have been far too long on nouns, and far too short on verbs.

—————————————-

Stephen E. Flynn

In response to the attacks on 9/11, the Bush Administration mobilized U.S. national security capabilities to go after al Qaeda and those within the international community who supported them. To an overwhelming extent, the strategy was one of prevention by way of military force supported by stepped-up intelligence. … The hoped for outcome of engaging the threat in Iraq and Afghanistan and around the world… was “so we do not have to face them here at home.”

This strategy has involved a considerable amount of national treasure…. That amount translates into a burn-rate of $350 million for each and every day for ten years.

By contrast, the cost of one-hour of these war operations—$15 million—has been the most that has been invested in the entire annual budget for the Citizens Corps Program which was initiated after 9/11 to engage citizens in the homeland security mission by volunteering to support emergency responders….

… [The] total amount of containers inspected overseas in 2011 was just 45,500. This represents 0.5% of the 9.5 million manifests that CBP … reviewed overseas in advance of loading. If the 45,500 number is divided by the 58 … ports and 365 days per year, the result is [security] inspectors are examining with their foreign counterparts on average, 2.15 containers per day per overseas port before they are loaded on carriers bound for the US–two containers each day.

This does not represent much of a deterrent.

…In addition to the ongoing risk associated with terrorism, there is an even more clear and present danger to the safety of Americans that should animate the homeland security mission: natural disasters. It turns out that 91 percent of Americans live in places at a moderate risk of earthquakes, volcanoes, tornadoes, wildfires, hurricanes, flooding, high wind damage….

[The] investment Washington makes in homeland security remains a fraction of the resources devoted to traditional national security. At times, this can have the perverse outcome of actually making civilian targets potentially more attractive to our adversaries. For instance, the U.S. Navy has invested more in protecting the single port of San Diego that is home to the Pacific Fleet, than the Department of Homeland Security has invested in the ports of Los Angeles, Long Beach, San Francisco, Oakland, Seattle, and Tacoma combined, upon which the bulk of the U.S. economy relies….

…Everyday civilians, supported by state and local officials, will need to be better informed and empowered to play a meaningful role. This role includes not only preventing acts of terrorism, but making investments that mitigate the risk of disruption to our communities and critical infrastructure. This will require a homeland security enterprise centered around three efforts: (1) setting appropriate expectations, (2) increasing transparency, and (3) building community and infrastructure resilience.

July 10, 2012

Homeland security’s all star old timers’ game

Filed under: Congress and HLS — by Christopher Bellavita on July 10, 2012

The Senate Homeland Security and Governmental Affairs Committee will hold two hearings this week about The Future of Homeland Security.

July 11th features a session on “Evolving and Emerging Threats.” On July 12th, the topic is the “Evolution of the Homeland Security Department’s Roles and Missions.”

Based on the list of witnesses, homeland security’s future looks a lot like its past.

The lineup is only two people short of an all star team:

  • Michael Hayden
  • Brian Jenkins
  • Frank Cilluffo
  • Stephen Flynn
  • Jane Harman
  • Thad Allen
  • Richard Skinner

I wonder what these first rate intellects will say. I wonder what they will say that is new or substantially different from what they’ve said and written before.

I wonder where homeland security’s all stars get their new ideas from.

Or maybe their ideas about homeland security’s future won’t be new. Maybe these dedicated, proven and honorable leaders will make the same points about homeland security they frequently make when they write or talk.

Maybe — like major league baseball’s all stars — they are not expected to do anything new. Perhaps it’s enough simply to watch them do again what they do often and well.

Maybe they are all stars because their ideas need to be restated, motivated by the eternal hope that words will lead to behaviors that might influence how homeland security evolves.

I wonder if anyone will actually listen to what these people say.

——————————-

Baseball’s all star game matters because the league that wins (tonight, 5 pm Pacific time, Fox TV and radio) gets home field advantage for the world series.

Home field advantage matters. It certainly helped St. Louis in 2011 (that, plus the baseball gods smiling on David Freese)

I would like to believe senate hearings matter.

I recall from the “How a bill becomes law” chapter in my 9th grade civics book that congress holds hearings to discover what the problems are, and then writes laws to solve those problems.

I don’t know the political science literature well enough to know how accurately that chapter describes reality.

But, I have my beliefs.

——————————-

Speaking of beliefs about homeland security, Jonathan Haidt — in his wonderfully written, cognitively disruptive book, The Righteous Mind — cites the work of Tim Gilovich, a social psychologist (p. 84):

His [Gilovich's] simple formulation is that when we want to believe something, we ask ourselves, “Can I believe it?” Then … we search for supporting evidence, and if we find even a single piece of psuedo-evidence, we can stop thinking. We now have permission to believe. We have a justification, in case anyone asks.

In contrast, when we don’t want to believe something, we ask ourselves, “Must I believe it?” Then we search for contrary evidence, and if we find a single reason to doubt the claim, we can dismiss it. You only need one key to unlock the handcuffs of must.”

The best part about the Can I and the Must I reactions is they often happen below the level of conscious awareness.

I’m looking forward to this week’s hearings so I can test myself.

What will I hear that triggers my “Can I believe it” reflex?

What will I hear that triggers my “Must I believe it” reflex?

——————————-

I wonder what would happen if the Senate held a homeland security hearing and no one listened, because they didn’t know how?

February 24, 2012

Creating a Cyber Coast Guard

Filed under: Congress and HLS,Cybersecurity,Private Sector — by Philip J. Palin on February 24, 2012

It is not yet clear if the Cybersecurity Act of 2012 will be taken up by the whole Senate — as previously announced — or disappear into committee review while under sustained attack by those opposed.

Senator John McCain, one of those opposed, has promised a competing piece of legislation:

The fundamental difference in our alternative approach is that we aim to enter into a cooperative relationship with the entire private sector through information sharing, rather than an adversarial one with prescriptive regulations. Our bill, which will be introduced when we return from the Presidents’ Day recess, will provide a common-sense path forward to improve our nation’s cybersecurity defenses.

Last Friday I outlined the perceived — in my judgment, real — tension between collaboration and compliance that any approach to effective cybersecurity will require. The real debate is over how to resolve this tension: with more dependence on voluntary cooperation or the threat of regulation. (To be clear, the proposal unveiled on February 14 by Senators Lieberman, Collins, and others does not create new regulations per se, but it does initiate a public-private process that would eventually create a regulatory regime.)

Some private sector organizations have welcomed the opportunity to frame-up the process, others are ready to do what they can to stop any movement to regulation. So far the private sector line-up on each side seems mostly to reflect revenue streams. Those that may make money on increased attention to cybersecurity are in favor of the current proposal, those that see cybersecurity mostly as a cost are opposed. (The cost-benefit discussion is, so far, not very sophisticated on either side.)

While the efficacy of the new bill is debatable, it is clear the current approach — depending almost entirely on voluntary collaboration — has not worked. The weakest links in the cybersecurity system are the least willing to show up, talk turkey, and truly collaborate in sharing information and changing behavior. What do you do when “pretty please”, earnest presentations on self-interest, and peer pressure do not work? What do you do when neglect by one “house” on the block endangers the safety of the entire block (or city)?

Sanctions are needed. But no matter how tough, sanctions will not be sufficient. Whatever sack of sanctions are available, unless the sanctions are used to craft collaboration (rather than mere compliance) cybersecurity will not be enhanced.  The threat of regulatory sanctions may encourage collaboration, but a rigid regulatory approach alone will only achieve minimal compliance, which in cyberspace will always lag behind new threats and vulnerabilities.

Whichever of the current sides win, execution will be key. The current legislation addresses execution primarily under Title III through a DHS National Center for Cybersecurity and Communications. The new entity would combine several existing offices, and would be directed by a Presidential appointee confirmed by the Senate. Here are the director’s duties enumerated in the current legislation:

(1) manage Federal efforts to secure, protect, and ensure the resiliency of the Federal information infrastructure, national information infrastructure, and national security and emergency preparedness communications infrastructure of the United States, working cooperatively with appropriate government agencies and the private sector;

(2) support private sector efforts to secure, protect, and ensure the resiliency of the national information infrastructure;

(3) prioritize the efforts of the Center to address the most significant risks and incidents that have caused or are likely to cause damage to the Federal information infrastructure, the national information infrastructure, and national security and emergency preparedness communications infrastructure of the United States;

(4) ensure, in coordination with the privacy officer designated under subsection (j), the Privacy Officer appointed under section 222, and the Director of the Office of Civil Rights and Civil Liberties appointed under section 705, that the activities of the Center comply with all policies, regulations, and laws protecting the privacy and civil liberties of United States persons; and

(5) perform such other duties as the Secretary may require relating to the security and resiliency of the Federal information infrastructure, national information infrastructure, and the national security and emergency preparedness communications infrastructure of the United States.

Title III continues for another 28 pages. Included under Authorities and Responsibilities of the Center, “serve as the focal point for, and foster collaboration between, the Federal Government, State and local governments, and private entities on matters relating to the security of the national information infrastructure.”

On page 114 of the proposed legislation a supervisor training program for the Center is set out. The current language suggests Senator Akaka and his staff have persisted in pushing his perennial concerns. It’s all good. It could be better.

The currently proposed training program  is mostly internally focused. I suggest language be added to focus on mission achievement. Consider for a moment a supervisor training curriculum focused on just one of the duties listed above, ” support private sector efforts to secure, protect, and ensure the resiliency of the national information infrastructure”

What is the nature of the private sector?

What are the private sector’s current efforts related to cyberspace?

What does “secure”, “protect”, and “ensure the resiliency” of cyberspace mean?

What is the national information infrastructure?

What does it mean to “support” the private sector? Why this verb rather than another?

That would be an interesting — valuable — curriculum.   Develop similar curricula around each of the statutory goals, include private sector participants in the curriculum… and a whole new approach to private-public collaboration might be cultivated.

This curriculum should  include a heavy dose of culture, a culture of private-public collaboration.  If the Center becomes a cyber-SEC none of us will be any safer.   Cybersecurity cannot focus on accountability after-the-fact.  The focus must be on cultivating a culture of prevention and resilience, not compliance.

For this purpose, I propose the Akaka Academy for Cybersecurity give close attention to the way the Coast Guard cultivates a collaborative relationship with owners and operators of marine vessels. Just for a taste of what I mean, consider the implications of the following written instruction from a Coast Guard flag officer… and this is not atypical, this approach is entirely consistent with  standard Coast Guard practice.

The Coast Guard’s objective is to administer vessel inspection laws and regulations so as to promote safe, well equipped vessels that are suitable for their intended service. It is not the Coast Guard’s intent to place unnecessary economic and operational burdens upon the marine industry. In determining inspection requirements and procedures, inspection personnel must recognize and give due consideration to the following factors:

  • Delays to vessels, which can be costly, need to be balanced against the risks imposed by continued operation of the vessel, with safety of life, property, and the environment always the predominant factor over economics;
  • Certain types of construction, equipment, and/or repairs are more economically advantageous to the vessel operator and can provide the same measure of safety;
  • Some repairs can be safely delayed and can be more economically accomplished at a different place and time;
  • The overall safety of a vessel and its operating conditions, such as route, hours of operations, and type of operation, should be considered in determining inspection requirements;
  • Vessels are sometimes subject to operational requirements of organizations and agencies other than the Coast Guard; and
  • A balance must be maintained between the requirements of safety and practical operation. Arbitrary decisions or actions that contribute little to the vessel’s safety and tend to discourage the construction or operation of vessels must be avoided.

I know of no better example of effective private-public collaboration than that of the U.S. Coast Guard with the industry it helps regulate, serve, and sometimes save.  It is a cultural model well-suited to the cyber domain.

February 17, 2012

Cybersecurity Act: Collaboration v. Compliance?

Filed under: Congress and HLS,Cybersecurity,Private Sector — by Philip J. Palin on February 17, 2012

On Valentine’s Day the Senate Homeland Security and Governmental Affairs Committee released a proposed Cybersecurity Act of 2012.  The Committee’s Chairman, Joseph Lieberman (I-CT) and ranking member, Susan Collin’s (R-ME) are co-sponsors.

The roll-out has been impressive.  Check out the Committee’s website for gobs of additional background.  All-star testimony was taken on Thursday.

My HLSWatch colleague, Jessica Herrera-Flanigan has authored a persuasive piece for Roll Call pushing for quick adoption.  Rapid approval by the Senate is a big part of the legislative strategy.

Every cyber-specialist, like Jessica, I have communicated with supports the legislation.  Those on the Hill who have come out against are – so far – objecting mostly to procedural or cost concerns. (The best political update I could find on Friday morning is from Ellen Nakashima at the Washington Post.)

Yesterday I used a cross-continent flight to read the 205 pages of statutory prose.  Politico called it a “door-stop of a bill.”

Taken at face-value the language could hardly be more benign.

The clear intent is to prevent when possible – and mitigate when prevention is not possible – “the risk of national or regional catastrophic damage within the United States caused by damage or unauthorized access to information infrastructure…”

To achieve this and similar goals the legislation frames and facilitates a rather intricate process of private-public consultations, information exchange, risk analyses, certification, audits, education, research, and exercises.

In a whole host of ways the language implicitly – but quite obviously – acknowledges that cyber security is not possible without extraordinary – just for emphasis: extra-ordinary – cooperation between government and the private sector and between various elements of the private sector.

As a result, the proposed legislation goes to amazing lengths to encourage information exchange on cyber threats, vulnerabilities, and more.  For example, here are three sections of Title VII Information Sharing (page 163):

(d) EXEMPTION FROM PUBLIC DISCLOSURE.—An cybersecurity threat indicator disclosed by a non-Federal entity to a cybersecurity exchange under subsection (a) shall be— (1) exempt from disclosure under section 552(b)(3) of title 5, United States Code, or any comparable State law; and (2) treated as voluntarily shared information under section 552 of title 5, United States Code, or any comparable State law.

(e) EXEMPTION FROM EX PARTE LIMITATIONS.— Any cybersecurity threat indicator disclosed by a non-Federal entity to a cybersecurity exchange under subsection (a) shall not be subject to the rules of any governmental entity or judicial doctrine regarding ex parte communications with a decision making official.

(f) EXEMPTION FROM WAIVER OF PRIVILEGE.—Any cybersecurity threat indicator disclosed by a non-Federal entity to a cybersecurity exchange under subsection (a) may not be construed to be a waiver of any applicable privilege or protection provided under Federal, State, tribal, or territorial law, including any trade secret protection.

Please, please, please let us know when you are in danger, we promise not to hold you accountable. The federal government is made into a worried parent trying to protect a troubled teenager.

No one tells me the cyberthreat is overdone.   Most tell me it is already worse than is generally known. Threats, vulnerabilities, and consequences are expected to grow.

Everyone seems ready to agree – at least behind closed-doors – the legislation is well-intended and designed to tee-up a meaningful process of private-public consultations, not pre-ordain the results of that consultation.  If anything, many cybersecurity mavens find the proposed language entirely too tentative and toothless.

But one Chief Information Officer I talked with calls the bill a “Trojan horse, superficially attractive and deeply dangerous.”  According to this person the legislation is fundamentally flawed because it moves the focus of discussion from collaboration to compliance.  “As soon as compliance is the agenda,” he says, “the lawyers take over. We will hardly ever see a technologist again.  That’s not what we need.  They are going to replace a messy, difficult, but realistic process of collaboration with an orderly and mostly meaningless process of certification and compliance.  Risk management is hard.  Compliance is easy.  In one case you invest in real outcomes, in the other you create a legally defensible illusion.”

When I outlined the CIO’s critique to a self-defined “Hill Rat” (and lawyer) who has been involved in cybersecurity, he responded, “The lawyers are already too involved.  That’s been a problem.  It’s been easy for government relations people to show up.   We need CIOs, CTOs, CFOs, COOs, and CEOs.  One way to read the legislation is as a small but very sharp blade to cut through the veil of lawyers behind which too many of our cyber-assets are obscured.  No one wants to regulate, but we need to get real about the risk.”

As the Congressional staffer continued he went even further, “You know what?  This is really an anti-regulation bill. Unless we do something like this and get much better at the drill than today, a major system is going to be taken down and people will die.  Russian mafia, Iranian Quds, Chinese class project – who knows who?  Then just imagine the rush to regulation.”

Maybe I am overly influenced by two men who were each speaking with evident candor and concern.   But I come away thinking they are probably both right.

The issue is not so much current Congressional intent as longer-term execution.  Whenever legislation is adopted, how can we keep the focus on substantive collaboration?  Next Friday I will offer a suggestion.

« Previous PageNext Page »