Homeland Security Watch

I’m still out a Livermore with the Stimson Center task force and so only have a couple updates:

HLSwatch reader William Cumming sent in word that The Society of American Military Engineers, Alexandria, Va., has been chosen for the role of Secretariat for The Infrastructure Security Partnership (TISP)-a public-private partnership dedicated to improving the nation’s critical infrastructure resilience (SAME). The role of Secretariat had formerly been filled by the American Society of Civil Engineers (ASCE).

As Secretariat, SAME will provide logistical support to the organization; however, TISP will retain its own identity, branding and mission. Part of SAME’s new role in moving TISP forward will include helping to initiate a series of quarterly forums addressing issues related to the nation’s infrastructure and featuring panel discussions with a wide variety of leaders.

In the meantime, David Bodenheimer of Crowell & Moring will moderate a panel discussion entitled “Securing Our Critical Infrastructure: Money, Security, and Homeland Security Opportunities” on October 2, 2008, with:
• Robert B. Stephan, Assistant Secretary, Infrastructure Protection, Department of Homeland Security
• Jessica Herrera-Flanigan, Partner, Monument Policy Group and Former Staff Director and General Counsel, House Homeland Security Committee
• Paul B. Kurtz, Partner, Good Harbor Consulting, LLC
• Mick Kicklighter, Director, Center for Infrastructure Protection, School of Law, George Mason University.

China won the competition to host the recently concluded 2008 Olympics on July 13, 2001 – just two months before 9/11. For those wondering whether or not we are more secure today than we were before 9/11, consider a broader metric offered today by Thomas Friedman.

Friedman reflects on how China and America have spent the last seven years:

China has been preparing for the Olympics; we’ve been preparing for al-Qaeda. They’ve been building better stadiums, subways, airports, roads and parks. And we’ve been building better metal detectors, armored Humvees and pilotless drones.

The Olympics are over – and were a triumph. Al Qaeda, on the other hand, remains a threat. Fighting terrorism is harder than putting on a $50 billion international competition. (The latter is the Olympics.) But, Friedman points out that the hidden costs are beginning to show:

Compare arriving at La Guardia’s dumpy terminal in New York City and driving through the crumbling infrastructure into Manhattan with arriving at Shanghai’s sleek airport and taking the 220 mph magnetic levitation train, which uses electromagnetic propulsion instead of steel wheels and tracks to get to town in a blink.

At least he notes that China is not equally blessed. Beyond Beijing, that country is still in worse shape than the U.S. Friedman’s point is different: Consider how much modern infrastructure has been built in China since 2001 and how much infrastructure has been postponed in America since 2001. The next president needs a devoted nation-building program in America.

“The next president,” Friedman explains, “can have all the foreign affairs experience in the world, but it will be useless if we, as a country, are weak.” Homeland Security, in other words, is a critical part of keeping America competitive and investments in securing America can also pay dividends in quality of life. A safe and efficient public transportation system is both more secure and more effective.

The next election is not about who is tough enough on terrorists. Both Obama and McCain are equally committed to combating terrorism. The real metric is who is “strong enough, focused enough, creative enough and unifying enough to get Americans to rebuild America.”

Yesterday the Transportation Security and Infrastructure Protection Subcommittee held its hearing entitled “Partnering with the Private Sector to Secure Critical Infrastructure: Has the Department of Homeland Security Abandoned the Resilience-based Approach?”

I had the opportunity to testify along with DHS Assistant Secretary Bob Stephan, Bill Raisch of the International Center for Enterprise Preparedness at NYU, Dr. Kevin Stephens, Director of the New Orleans Health Department, and Shawn Johnson, Vice Chairman (soon-to-be chair), Financial Services Sector Coordinating Council. Dr. Stephens provided stark details about the state of the health system’s ability to manage another crisis in New Orleans, given the poor state of the infrastructure there nearly three years after Hurricane Katrina.

The 14th is part of a month of hearings the Homeland Security Committee is dedicating to resilience. Wednesday’s hearing focused on clarifying exactly how DHS views resilience as a priority in the overall strategy of the Department and on identifying ways that DHS can do better in working with the private sector to increase our resilience. Perhaps the best way to paraphrase everyone’s position would be as follows:

Chairwoman Jackson-Lee: Resilience should be part and parcel of the nation’s effort to protect the homeland. To do so requires that DHS effectively share threat information with the private sector, measure resilience (since protection can’t be measured: when is enough, enough?), and think creatively about the enterprise value to a company that invests in resilience. Citing the number of times we use the term resilience isn’t proof enough that action is being taken.

A/S Stephan: We already do resilience. It is mentioned ## times among our existing documents, such as the National Infrastructure Protection Plan (NIPP), the National Response Framework, and various sector specific documents. Through the NIPP, sector-specific plans are developed to accomplish the goal of security, resiliency, and preparedness. Moreover, the emphasis on resilience is a red herring generated by some in academia and think tanks to suggest that (a) DHS is misguided and (b) we ought to sacrifice efforts to prevent and protect in order to bounce back from likely fatal attacks.

Czerwinski: Resilience is more than the ability to “bounce back.” Measures to make the private sector more resilient must provide a “double bottom-line” that delivers both the ability to minimize the impacts of terrorism or natural disasters, but also the value of increased performance and improved commerce during the majority of the time when a threat isn’t present. Doing so requires connecting effectively across the sectors with a balanced approach to three key factors: strategic human capital, technology, and governance. Naturally, the framework offered in our paper on Global Movement Management would be a brilliant step forward.

Johnson: Nothing to see here. The Financial Services Sector has worked closely with the Treasury Department since long before 9/11 to manage an interdependent relationship among partners and competitors in this sector. DHS, through the FS-Sector Coordinating Council, works well in coordinating our efforts to be resilient, which for this sector means the ability to get business back online if ever a disruption were to interrupt our operations. I wouldn’t change a thing.

Raisch: If resilience is the goal, then a method to measure or assess progress is indispensable in order for businesses to determine if their investments in resilience are actually accomplishing anything and to be able to claim to stakeholders or possible adversaries that they are prepared to manage a crisis or disruption. Voluntary accrediting measures provided for in the 9/11 Act (H.R. 1) require the government to take the initiative “as a catalyst and investor in this process.”

Stephens: Help.

Main take-away is this: Resilience is still a complex concept that can be approached from a variety of different angles. DHS is doing a lot to make sure the private sector is prepared and protected, but more can be done through an overarching framework that recognizes the interdependencies among the different sectors and the ways in which the risks of the 21st century make those interdependencies more important than any specific sector. Incentivizing the private sector to take action can be done by embracing a broader definition of resilience to include some level of value that actually improves commerce during those times when no attack or disaster is taking place. Investments in security and performance can be mutually reinforcing, not just mutually exclusive.

The streamed recording is available at the Subcommittee’s website on the hearing.

The Transportation Security and Infrastructure Protection Subcommittee convenes its resilience hearing this Wednesday, the 14th. I’ll testify with DHS Assistant Secretary Bob Stephan, Bill Raisch of the International Center for Enterprise Preparedness at NYU, and the Director of the New Orleans Health Department.

The 14th is part of a month of hearings the Homeland Security Committee is dedicating to resilience. Wednesday’s hearing is intended to educate the members on what resiliency really means, what the private sector is doing to achieve resilience, and how DHS can work with the private sector within a framework to promote resilience.

The hearing begins at 2PM in the Homeland Security Committee’s room (311 Cannon House Office Building). Consider attending if you are in WDC. It’ll also stream at the Subcommittee website after the hearing concludes.

Among other things, I intend to describe ways in which the Global Movement Management framework applies to the goal of resiliency and will upload the oral statement later on Wednesday. In the meantime, please feel free to send in your thoughts on the issues in which the Subcommittee is interested for this hearing.

One of our readers offered a healthy does of skepticism about resilience as a concept. I thought it would be valuable to make this part of a new post to follow up the recent coverage of this topic and the hearings in the House this week.

>>[Jonah does] not include concerns about response in this concept: “Turning victims into patients is important for response, but resilience is different.” Yet your guest poster, Robert Kelly, does: “That is the essence of resilience – the ability to rapidly respond to and recover from a catastrophic event.”

I see a difference between response/recovery and resilience. Being resilient should render the ability to respond effectively. However, rapidly flying in emergency food and water to a hurricane zone, for example, to limit the hardship of the victims would be response, while resilience would be building homes less vulnerable to the effects of a hurricane and getting the ports and businesses up and running. (I should note that my guests on this blog don’t have to agree with me and vice versa.)

>>And Steve Flynn includes it among his “four pillars of resilience” in his recent Foreign Affairs piece: “Second is resourcefulness, which involves skillfully managing a disaster once it unfolds…Ensuring that U.S. society is resourceful means providing adequate resources to the National Guard, the American Red Cross, public health officials, firefighters, emergency-room staffs, and other emergency planners and responders.”

It is important to take Steve’s four factors as a whole. If we selected only the third factor — rapid recovery — I could see the point that my separation of response and resilience would be problematic. However, Steve’s factors are robustness, resourcefulness, rapid recovery, and the means to absorb new lessons. Taken together, I think you’d agree that resilience is more than emergency response, but nevertheless dependant on it being executed well.

>>Unfortunately, I think the concept requires a lot of refining. But hopefully these hearings will not be the only cuts at this effort.

I, too, hope these hearings are the beginning of a sustained effort to build in, rather than bolt on, the important capability of resilience. But the concept of resilience already has been refined to a point that enables action. First steps would include making resilience a strategic goal as part of such plans as the Quadrennial Homeland Security Review.

To refine this concept further, consider the following parameters:

The Middle East is beginning to appreciate the importance of homeland security in new ways, and the United Arab Emirates appears to be at the forefront. With what’s being billed as the Middle East’s first event focused exclusively on homeland security, Abu Dhabi will host a conference on protecting national borders, building disaster resilience, and countering international terrorism next month.

Entitled “International Security / National Resilience,” the gathering takes place March 2-5, 2008, at Abu Dhabi and is sponsored by HH General Sheikh Mohammed Bin Zayed Al Nahyan, Crown Prince of Abu Dhabi and Deputy Supreme Commander of the UAE Armed Forces, along with the UAE Ministry of Interior. ISNR Abu Dhabi follows ISNR London, which was held 4-5 December 2007.

Last year the UAE President, His Highness Shaikh Khalifa Bin Zayed Al Nahyan created a new government agency charged with protecting vital facilities and utilities in the emirate of Abu Dhabi. With critical infrastructure that includes onshore and offshore petroleum facilities, power generation stations, water desalination plants, a natural gas transportation network, airports, seaports, and service networks, its no wonder they see the value in their own version of a DHS. However, since all of this infrastructure is owned by the emirate, they’ll likely have an easier go of it than DHS, which must navigate a domain of critical infrastructure owned almost entirely by the private sector.

Promoters of ISNR Abu Dhabi explain that the gathering will provide a comprehensive look at homeland security issues to enable “governmental authorities to respond resiliently to natural disasters as well as man-made ones.” This is just the sort of opportunity the U.S. Department of Homeland Security should capitalize on by sending delegates armed with speeches and presentations that explain the way we perceive the threat, the lessons we’ve learned, and the interest we have in supporting their efforts in a partnership against a threat that requires cooperation in order to be combated.

This blog has written before about the opportunities – some missed – for sharing our expertise in homeland security to benefit reluctant friends overseas. We have a shared interest in protecting our civilians. And the U.S. could really use some friends nowadays in that region.

The Pelindaba nuclear facility in South Africa was the target of an armed assault yesterday. Nevermind the talk of flying airplanes into reactors, this is a real world case wherein armed men were able to penetrate a series of security measures and actually enter the control room. This article was sent in by reader Steve Bogden.

A CRS study in 2005 entitled “Nuclear Power Plants: Vulnerability to Terrorist Attack,” argues that despite the heightened security measures imposed on nuclear facilities in the U.S. by the Nuclear Regulatory Commission, industry has been slow to implement them.

The NRC explains its position on protecting nuclear facilities here with its three phase plan that was to be completed by now. I do not know where this effort stands.

In the past, security measures known as “buffers” or “layers” were considered the best way to restrict unauthorized access to such crucial infrastructure as a nuclear power plant’s control panel. Earlier this month, a man was discovered to be bringing a pipe bomb into a nuclear plant in Arizona – the largest one in the country in fact.  If the perpetrators of the break-in at Pelindaba had been armed with such a bomb, it is doubtful that any existing buffers would have stopped a terrible outcome.

Here is the article:

Attack at Pelindaba nuclear facility
By Graeme Hosken
The Pretoria News
November 09, 2007

A brazen attack by four gunmen on the Pelindaba nuclear facility has left a senior emergency officer seriously injured.

Anton Gerber, Necsa emergency services operational officer spoke to the Pretoria News from his hospital bed hours after the attack.

He was shot in the chest when the gunmen stormed the facility’s emergency response control room in the early hours of Thursday morning.

The shooting comes four months after Necsa’s newly appointed services general manager Eric Lerata, 43, was gunned down in front of his Montana home after returning from a business trip in France.

‘one of them attacked me with a screwdriver’
Pelindaba is regarded as one of the country’s most secure national key points.

It is surrounded by electric fencing, has 24-hour CCTV surveillance, security guards and security controls and checkpoints.

The attack comes as the country prepares to preside over an International Atomic Energy Agency convention on nuclear safety.

The convention is aimed at achieving a high level of global nuclear safety via safety related technical co-operation; establishing and maintaining effective defences in nuclear installations against potential radiological hazards and preventing accidents with radiological consequences.

A visibly shaken Gerber, who was rushed to Eugene Marais hospital, on Thursday said that he was sitting in the control room with his fiancée Ria Meiring when he heard a loud bang.

‘I could not let anything like that happen’
Meiring, who was working nightshift, is the supervisor of the control room.

Gerber said he kept Meiring company. “I do not like it when she is at work at night and I go with her to keep her company and ensure that she is safe,” he said.

Describing the attack Gerber said they were inside the electronically sealed control room when they heard a loud bang.

They then spotted the gunmen coming into the facility’s eastern block.

It is believed that the attackers gained access to the building by using a ladder from Pelindaba’s fire brigade and scaling a wall.

The men are thought to have forced open a window by pulling out several louvers.

Pushing Meiring underneath a desk, Gerber attacked two of the gunmen as they forced their way into the control room and ran straight for the control panel.

“I did not know what they were going to do. I just kept on hitting them even when one of them attacked me with a screwdriver.

“I knew that if I stopped they would attack Ria or do something to the panel.

“I could not let anything like that happen,” he said.

Unbeknownst to Gerber one of the robbers had shot him in the chest as he fought them off.

The bullet narrowly missed his heart breaking a rib before puncturing his lung. Doctors said the bullet missed his spine by 2cm.

Gerber, who at one stage thought he was going to die, said he had been very scared.

“The facility is meant to be safe. There are security guards, electric fences and security control points. These things are not meant to happen,” he said.

Necsa spokesperson Chantal Janneker confirmed the attack.

She declined to say how the gunmen had gained access to the facility or whether they had stolen anything.

Janneker said Necsa was conducting an internal investigation into the attack.

Once the police investigation was complete Necsa would divulge what happened, she said.

Later in the afternoon, Pretoria News was phoned by a man identifying himself as a Necsa legal adviser, saying the newspaper will be breaching the National Keypoints Act by publishing the story.

He said that Necsa may seek a court order preventing dissemination of the story.

He claimed that the interview with Gerber was “unethical” as “he was under sedation and thus incoherent” when it was conducted.

Pretoria News sought and was granted permission to interview Gerber, by hospital management, and Gerber himself. While he was obviously in pain, he appeared coherent and made sense throughout the interview.

His recall of the events was sequential and to the point. He also agreed to have his picture taken in his hospital bed.

North West police spokesperson Superintendent Louis Jacobs said that no arrests had been made.

“A case of armed robbery and attempted murder are being investigated,” he said.

GAO released a statement this week on the SAFE Port Act. The Act covered a range of policies focused on maritime security, but may be best known for its mandate to scan 100% of all incoming maritime cargo. DHS is principally responsible for executing on the Act, but relevant component agencies include the U.S Coast Guard, Customs and Border Protection, Domestic Nuclear Detection Office, and the Transportation Security Agency.

GAO delved into this one. They “visited domestic and overseas ports; reviewed agency program documents, port security plans, and post-exercise reports; and interviewed officials from the federal, state, local, private, and international sectors.” GAO’s recommendations focus on the need to develop strategic plans, better plan the use of DHS human capital, and establish performance measures. The programs addressed in this document can be organized as follows:

DHS – through the Domestic Nuclear Detection Office – is starting to test and evaluate equipment focused on the blind spots around the shipment of containerized cargo.  While this effort satisfies Section 121(i) of the SAFE Port Act of 2006, it also reflects proposals made by the Homeland Security Advisory Council in 2005 when it’s Task Force on Preventing Weapons of Mass Effect explained the importance of adopting a layered prevention strategy.  Intermodal chokepoints served as key examples for the Task Force’s argument.  Specifically, the gaps in scanning and other preventive measures needed to be in place when a target item (i.e. cargo container) transferred one conveyance (boat) to another (rail).  The Task Force considered this next layer a “critical deficiency” that required the Department’s attention.The DNDO announced yesterday that: 

The U.S. Department of Homeland Security (DHS) will soon begin conducting multiple projects in the Port of Tacoma, Wash., to evaluate technology and concepts of operations for radiation detection that will scan cargo at various points in transfer from ship to rail.  By establishing a Rail Test Center (RTC) at the port, DHS will identify and evaluate radiological and nuclear detection solutions for intermodal rail port facilities that can be used across the country.

A major recommendation and recurring theme from the Nuclear Defense Working Group at the Center for the Study of the Presidency held that detection efforts were strongest when targets were in motion or under scrutiny already (i.e. cargo was only screened when checked, registered, or loaded, and usually at only one of those points).  Containers and other targets at rest were a glaring weakness, according to the NDWG, in need of innovative solutions that did not include scattering expensive scanners over every square inch of an airport or seaport.  The same DNDO announcement reminded me of that recommendation with this detail:

Projects being considered for further evaluation at the RTC include scanning cargo on the dock, during transport to the rail yard, entering the rail yard, in the container storage stack, during train assembly, and as the train leaves the port.

These are promising efforts, albeit nascent ones.  These are also only one part of the broader effort to reduce the threat of smuggled nucs.  Let’s hope the non-proliferation and Nunn-Lugar-type programs get the same attention.  More on that can be found at Jeffrey’s ArmsControlWonk.com.

GovExec has an excellent story in its latest issue that looks at the chemical plant security threat, and describes the conditions that create the imperatives for strong government action in the sector. This is an issue that I’ve written about extensively on this site over the past year, consistent with the arguments put forward in this piece. There’s not much new in the story, but it serves as a useful reminder of why vigorous enforcement by DHS, and strengthened legislation by Congress, is necessary to protect Americans against these real threats.

The Department of Homeland Security issued an advance notice of rulemaking for chemical facility security regulations last week, published on Thursday in the Federal Register. These regulations follow the loose mandate set forth in Sec. 550 of the FY 2007 DHS appropriations bill, following blocked efforts to pass comprehensive chemical security legislation earlier in 2006 - a process followed closely, as loyal readers know, on this site. Comments on the regulations are due no later than February 7, 2007.

I’ve read through the full document, and while there are some solid sections of it (for example, the sections on risk assessment and vulnerability analysis), there are a number of aspects of the draft regulations that are troublesome. I find four key flaws with the draft regs:

1. Excessive deference. The regulations have a very obsequious and overly legalistic tone, bending over backward to provide the chemical facilities with means to contest decisions, and provide for a drawn-out mediation process before penalties might be used. This type of deference might be acceptable in non-security contexts, but it seems misplaced when the topic is a critical homeland security vulnerability.

2. Inspection process. The draft regulations state that DHS will only conduct inspections during regular business hours and will provide at least 24-hour notice of an incoming inspection. From a security perspective, this is ludicrous. Terrorists could attack a chemical facility at any hour of the day, and in fact might be more likely to attack some facilities at night, if the adjacent area has a larger nighttime population than a daytime population. And giving advance notice of inspections is an invitation for scofflaw plants to cover up poor execution of their security plans. Instead, DHS should be employing an “any place, any time” approach to inspections.

3. State law preemption. DHS interprets Sec. 550 as giving them the mandate to block the enforcement of state laws (such as the one on the books in New Jersey) on chemical facility security, a provision that has already earned a strident rebuke from Sen. Collins. Throughout the debate over the past year, I’ve argued that states should be allowed to set tougher regulations consistent with principles of federalism, and I believe it’s a mistake for DHS to block their ability to do so.

4. “Chemical Terrorism-Vulnerability Information”. A long section of the draft regs discusses DHS’s decision to create a new category of “sensitive-but-unclassified” information: Chemical Terrorism-Vulnerability Information (CVI). At a broader level, the last thing that DHS needs to do right now is to create a new category of SBU information; as the GAO has exhaustively analyzed, the proliferation of SBU categories has inhibited effective information-sharing within the federal government. Reading the draft regs, I worry also that this section would inhibit the ability of local law enforcement and response officials to learn about security at chemical facilities within their jurisdiction. This would be unfortunate, since these are the officials who will be on the scene before the feds if an attack occurred.

Overall, these draft regs confirm my earlier concerns that the language in the final appropriations bill would turn out to be insufficient. Congress needs to step up to the plate again in the 110th Congress on this issue, building off of the earlier proposals that passed the two homeland security committees. And concerned citizens can submit comments at regulations.gov (docket # DHS-2006-0073) by the Feb. 7th deadline.

On Monday, the House passed S. 3880, the Animal Enterprise Terrorism Act by unanimous consent, clearing the way for it to potentially be signed into law by the President. The Act “provide[s] the Department of Justice the necessary authority to apprehend, prosecute, and convict individuals committing animal enterprise terrorism.”

Normally this is the kind of bill that I would ignore on the blog, given the fact that it’s essentially trivial in nature, giving the DOJ new narrow authorities that it already essentially had based on the discretionary application of broader authorities. I don’t disagree with its contents; I just think it doesn’t matter all that much.

But when I came across the bill today, I couldn’t ignore it, after noting that the chief Senate sponsor is Sen. James Inhofe of Oklahoma. Inhofe is probably the person most responsible for blocking the passage of comprehensive chemical plant security legislation this year, motivated as much by jurisdictional pique as any substantive disagreements with the bipartisan legislation put forward by Sen. Collins and Sen. Lieberman.

Given this history, he has a lot of nerve to put forward a bill like this. With the “Animal Enterprise Terrorism Act”, Sen. Inhofe is addressing a minor issue as if it’s a major threat, while at the same time leading efforts to block legislation that would remedy the greatest vulnerability in our domestic infrastructure today - legislation that is needed to improve the security of millions of Americans.

This is shameful. When it comes to homeland security, his priorities have been woefully misplaced, and I’m glad he’s surrendering the gavel at EPW at the end of the 109th Congress.

As I noted in a post last Friday, the Conference Board released a report last week entitled “Navigating Risk: The Business Case for Security,” by Tom Cavanagh, who has written extensively on the topic of the private sector’s role in homeland security over the past few years. The full report is only available if you shell out $495 (or $125 for Conference Board members), but many of its key findings are summarized in this press release and these charts.

There are a number of interesting findings in the report, but the most notable is the “disconnect” that Cavanagh identifies in the way that security is treated in the corporate boardroom:

But there is a strong disconnect between the level of support for security initiatives and the level of influence over security policy within the companies surveyed. In general, the most supportive executives were not the most influential, and the most influential executives (senior C-suite managers) were not the most supportive. In addition, most senior executives surveyed reported that they have little direct responsibility for most aspects of security. Security is an area with a lot of dotted-line relationships, so senior executives are often heavily involved in specific security decisions even though they are not directly accountable for them.

The Demos report that I wrote about last week offers a number of suggestions that address this fundamental dilemma, such as finding security executives with stronger business backgrounds and developing better security metrics and rationales. Taken together, the two reports provides a compelling case that companies need to revisit their existing approaches to security, and ensure that they are appropriately aligned for the many types of disruptions that could pose a significant threat to their businesses.

As I mentioned earlier in the week, I traveled last week to London and spoke at the Global Security Challenge conference. While there, I met a fellow panelist from the British think tank Demos, Charlie Edwards, who was the co-author (along with Rachel Briggs) of a report entitled “The Business of Resilience” released a few months ago.

I read through the report earlier today, and it’s an excellent treatise on the evolving roles and responsibilities of the security function within the private sector. Briggs and Edwards offer a number of insightful observations regarding why security and resilience should be considered as core strategic imperatives, and what companies can do to align security with core business imperatives. They identify six characteristics exhibited by successful companies, which are worth listing here in full:

1. They [companies] understand that security is achieved through the everyday actions of employees right across the company. It is not something that the corporate security department can do to or for the company on its behalf and its functional success is therefore dependent on its ability to convince others to work differently. This places emphasis on communication and requires security departments to value the views of non-security professionals just as much as those of the experts.
2. They recognise the limitations of command and control approaches to change management. Behaviour is altered experience. The power of the corporate security function is now directly proportionate to the quality of its relationships, not the depth of its content knowledge.
3. They understand that their role is to help the company to take risks rather than eliminate them, and to have contingencies in place to minimise damage when things go wrong. Risk-taking is essential to successful business and corporate security departments must not behave as security purists whose work detracts from, rather than contributes towards, the company’s goals.
4. They embrace and contribute towards their company’s key business concerns, and as a result are expanding the security portfolio significantly. Corporate security departments now have responsibilities in areas such as corporate governance, information assurance, business continuity, reputation management and crisis management, which is causing many to question the relevance of the term ‘security’ to describe what they do. The term resilience now more accurately reflects the range of their responsibilities.
5. They draw a clear distinction between the strategic and operational aspects of security management, and have created group corporate security departments to lead on strategy, leaving operational work to be carried out by business units. They all have a clear philosophy to guide their approach to security, which provides direction for non-security professionals, makes it easier to communicate across the company, sell itself to the board, and be credible alongside other functions.
6. Finally, and most important symbolically, the corporate security departments that are leading the way have abandoned old assumptions about where their power and legitimacy come from. Their position does not rest on that which makes them different – their content knowledge – but on business acumen, people skills, only by convincing, persuading, influencing and explaining why a new way of working is in each person’s interest. This requires departments to work through trusted social networks, which places greater emphasis on people, management and social skills than security management ability and communication expertise. In other words, they have to compete on the same terms as every other function in the company. This is leading many organisations to place greater emphasis on these skills than on a security background and some have people working on security who don’t have any security experience at all.

The authors go into great detail on each of these points in the course of the 109-page report. I found their argument in Chapter 10 in favor of greater diversity in the backgrounds and skill sets of security executives to be especially compelling, arguing that senior-level security managers need to be drawn from broader sources than the traditional ones, i.e. former law enforcement, military, and intelligence officials. They argue that security officials need strong business skills, the capability to operate across a flat and/or matrixed organization, and people who are comfortable with the trade-offs inherent in risk management - all skills which are not necessarily found in sufficient depth within the traditional talent pools.

For more on this subject, check out the new Conference Board report entitled “Navigating Risk: The Business Case for Security” (I’ll be writing about it within the next few days).

Steve Flynn from the Council on Foreign Relations issued a report card for the nation’s homeland security efforts, and the grades that he gives are the kind that any child would try to hide from his or her parents:

Port Security: D+
Nuclear Plant Security: B/B+
Air Defense: B
Airport Security: C+
Border Control and Immigration: C
Chemical Plant Security: D-/F
Disaster Response: C-
Bridges, Tunnels, and Other Infrastructure: C
Public Relations: D

I would probably give more favorable grades for some of these, such as airport security and border security, but that’s partially a function of the fact that I’m a product of the era of grade inflation, where a B- is considered a poor grade. But some of these grades - notably Chemical Plant Security and Public Relations - are deservedly poor, given the track record of DHS and Congress over the past couple of years.

Steve has a podcast on the CFR site that explains these grades in greater detail. And his new book The Edge of Disaster will be hitting bookstores in early 2007.

The Congressional Research Service released a new report in late September that looks at the issue of how the federal government protects critical infrastructure information, and strikes balances between the protection of sensitive and/or business confidential information and a legitimate public right-to-know:

RL33670: Protection of Security-Related Information, September 27, 2006

It’s a useful of survey of this issue, looking at the different ways in which this issue is handled in different sectors and providing useful explanations the legal concepts of Protected Critical Infrastructure Information (PCII) and Sensitive Security Information (SSI).

Two recently-completed reports by the National Infrastructure Advisory Council (NIAC) were published on the DHS website this week:

The first report is entitled Workforce Preparation, Education and Research (7.3mb download). Its four key recommendations, according to the transmittal letter:

1. The Federal government should continue to support the education of our workforce via the Scholarship for Service Program (Cyber Corps);
2. Designate a coordinating body to oversee cyber security research efforts;
3. Designate a privately administered, public-private Information Assurance (IA) training certification body;
4. The Federal government should do everything in its power to assist states in implementing internationally competitive standards, curricula and teaching methods.

The second report is entitled Public-Private Sector Intelligence Coordination, and it probes questions related to public and private sector cooperation on intelligence as it pertains to critical infrastructure protection. That report makes eight recommendations, including a suggestion that “the U.S. Attorney General should publish a best practices guide for private sector employers to avoid being in conflict with the law” as it pertains to sharing information related to infrastructure vulnerabilities; and a recommendation that DHS and other federal entities should “rationalize and standardize the use of SBU markings, especially “For Official Use Only” (FOUO), and publish standard handling instructions clearly for all intended recipients.”

The Congressional Research Service recently published a report on the National Asset Database, the subject of much controversy following the DHS inspector general’s infamous “Amish Popcorn” report this summer:

RL33648: Critical Infrastructure: The National Asset Database, September 14, 2006

The full HLS Watch collection of CRS reports is available here.

From the New York Times editorial page today, a resolute critique of the current legislative endgame on chemical security:

Congress still has done nothing to protect Americans from a terrorist attack on chemical plants. Republican leaders want to give the impression that that has changed. But voters should not fall for the spin. If the leadership goes through with the strategy it seems to have adopted last week to secure these highly vulnerable targets, national security will be the loser.

The federal government is spending extraordinary amounts of money and time protecting air travel from terrorist attacks. But Congress has not yet passed a law to secure the nation’s chemical plants, even though an attack on just one plant could kill or injure as many as 100,000 people. The sticking point has been the chemical industry, a heavy contributor to political campaigns, which does not want to pay the cost of reasonable safety measures.

The Senate and the House spent many months carefully developing bipartisan chemical plant security bills. Both measures were far too weak, but they would have finally imposed real safety requirements on the chemical industry. The Republican leadership in Congress blocked both bills from moving forward. Instead, whatever gets done about chemical plant security will apparently be decided behind closed doors, and inserted as a rider to a Department of Homeland Security appropriations bill.

It is outrageous that something as important as chemical plant security is being decided in a back-room deal. It is regrettable that Susan Collins, Republican of Maine, the chairwoman of the committee that produced the Senate bill, does not carry enough influence with her own party’s leadership to get a strong chemical plant security bill passed. The deal itself, the likely details of which have emerged in recent days, is a near-complete cave-in to industry, and yet more proof that when it comes to a choice between homeland security and the desires of corporate America, the Republican leadership always goes with big business.

I disagree with the point that the Senate HSGAC and House HSC were too weak - I thought that they were within the target zone - but other than, that is fair critique of what we’ve seen emerge over the last two weeks.

Meanwhile, Reuters provides additional details on the Republican-led deal on this issue in a story tonight, noting that there has been moderate pushback on some of the worst provisions of the industry language (e.g. giving DHS the authority to shutdown plants) - but is still quite weak, essentially codifying the dangerous laissez faire attitude that has prevailed since 9/11 on chemical plant security.

In a story in CQ (subscription only), Rep. Peter King, the Chairman of the House Homeland Security Committee, makes its very clear that he does not support the language that the chemical industry is pushing to include in the FY 2007 DHS appropriations bill:

King said Thursday he does not endorse compromise language that has been circulating for more than a week under his name, and chastised those who claim he did.

“Anyone saying I agreed to this is either a liar, ignorant, or both,” King told CQ Homeland Security. “My experience is that people who spread these lies are usually people who’ve lost big time.”

The language, to be added to the Homeland Security spending bill (HR 5441), would allow the Department of Homeland Security to create interim regulations for chemical security sites.

King said he never backed the language, which was being characterized with his moniker, along with Joe L. Barton, R-Texas, chairman of the House Energy and Commerce Committee. The office of House Speaker J. Dennis Hastert, R-Ill., has taken over the negotiations for King, sources said.

“I never signed onto any compromise,” King said Thursday. “The industry was trying to get out front and box people in.”

This last sentence by King says it all about the chemical industry’s narrow-minded viewpoint on this issue. I hope that members of Congress such as Peter King, Susan Collins, and Judd Gregg continue to fight against the inclusion of such weak language in the appropriations bill.

A story by Eric Lipton in Thursday’s New York Times provides a good summary of the current showdown in Congress over the inclusion of chemical security language in the FY 2007 DHS appropriations bill. The article links to letters sent to Sen. Judd Gregg by a group of Republican Senators and a group of Democratic Senators that offer opposing positions on this debate.

The article succintly describes the chemical industry’s proposal for legislative language:

Homeland Security Secretary Michael Chertoff would have been authorized to establish regulations requiring security measures, but the regulations would have applied only to a sliver of facilities that manufacture, use or store toxic chemicals and that are deemed to have the “highest levels of security risk.” Mr. Chertoff would not have had the power to shut down plants not in compliance.

The proposal would also have left decisions about security plans entirely up to these high-risk plants.

There can be a principled disagreement in this debate over whether DHS should be allowed to mandate inherently safer technologies (ISTs) - I’m against a strong mandate, but think they should be an option as a last resort if other security measures are inadequate. And there can be a principled disagreement over whether states should have the right to have stronger regulations - something that I support consistent with our nation’s tradition of federalism.

But for the chemical industry to put forward a proposal that gives DHS such weak authority, including zero authority to shut down a plant after an extreme security violation, is ludicrous. It confirms all of my suspicions over the last six months regarding the chemical industry’s lack of seriousness - and to be quite frank, their lack of patriotism - in this debate. I hope that serious-minded Senators - including homeland security committee chairs Collins and King - stick to their guns, and demand legislation that can deliver needed security dividends, instead of this sham proposal.

Newsday has a strong editorial today urging its local member of Congress, House Homeland Security Committee Chairman Peter King, to stick to his earlier support for the House’s chemical security legislation:

One of the most egregious pieces of unfinished business from 9/11 is the continuing vulnerability of chemical plants to terrorist attack. The plants have done a certain amount on their own, but when Congress tries to mandate tighter security, the industry shamefully heads it off.

Now the issue is at our door on Long Island, because the chairman of the House Homeland Security Committee is Rep. Peter King (R-Seaford). This summer, King committed himself to his own committee’s strong bill. But he’s now swatting down accusations that he’s quietly backing away from it and seeking language that would help the chemical industry but stave off tighter plant security. King must put the safety of Americans over any industry’s desires.

I agree, and I hope Chairman King will continue to realize that a common-sense analysis of the vulnerabilities in the chemical sector and the potential consequences of an attack require the passage of strong legislation - like the legislation that passed the Committee - as soon as possible.

Earlier this week CQ had a story (by subscription only), echoed in a piece in the Christian Science Monitor yesterday, on a potential deal to insert bare-bones chemical security language into the homeland security appropriations bill that is currently being conferenced by the House and the Senate. From the CS Monitor story:

This summer, the House Committee on Homeland Security unanimously approved a compromise bill that would give DHS the authority to require some high-risk facilities to use safer chemicals when feasible. If a company disagreed with DHS, the bill set up an interagency appeal process.

It was a hard-fought compromise. But now, its advocates contend that the chemical industry, in conjunction with the White House and the Republican leadership, is reneging on the deal. Instead of bringing it to the floor for a vote, House Republican leaders are amending the Homeland Security appropriations bill: It would give DHS the authority to require chemical plants to develop vulnerability assessments and security plans, but it would specifically forbid DHS from requiring any specific security measure. It reads, “Nothing in this section authorizes the Secretary directly or indirectly to require any particular security measure.” Environmental advocates say that line is aimed at ensuring that DHS cannot require companies to switch to safer chemicals when feasible.

“The industry didn’t like what was passed in committee, and now they’re using the appropriations process to craft a drastically weak, completely industry-friendly version and present it as a fait accompli,” says Andy Igrejas of the National Environmental Trust, a nonprofit environmental advocacy group based in Washington. “A congressman can oppose it, but to do so, he or she’d have to vote against Homeland Security appropriations just six weeks before an election.”

Mr. Igrejas adds, “There was an open process where competing proposals led to something that was a deal [Republican leadership] agreed to honor, and now instead, under industry pressure” it’s going back on its word, he says.

The CQ story contradicts the CS Monitor piece somewhat, stating that the appropriations language, at least in its early draft, doesn’t give the chemical industry everything that it wanted, leaving industry lobbyists fearful that it leaves the government with too much discretion. You can make up your own mind by reading the draft text at this link.

Regardless of the exact nature of the language that ends up in the appropriations bill, this is a shameful way to finally deal with this issue. Thousands of hours went into a serious, mature effort to develop comprehensive chemical security legislation, and the bills that passed out of the Senate Homeland Security and Government Affairs Committee and the House Homeland Security Committee are solid, bipartisan pieces of legislation. They don’t give everyone everything they wanted, but they would ultimately deliver the core of what DHS needs to regulate the sector. But these bills have been blocked from moving forward by the chemical industry, which has tried to talk a good game but has constantly maneuvered behind the scenes to stall or block legislation, and has rarely given an inch to reach a durable compromise. And they’ve been blocked by the petty congressional turf war of Sen. Inhofe.

Meanwhile, the Bush administration has sat on the sidelines this month, instead of using its muscle to support legislation that it has endorsed, with Sec. Chertoff telling Congress this week that he was operating from the “peanut gallery” on this issue. President Bush has engaged Congress incessantly over the last two weeks to argue for the passage of bills on the NSA program and detainee trials, arguing that these are necessary to protect the nation against terrorism. Legislation is without a doubt necessary on these two issues (although not necessarily on the exact parameters that the Administration has requested). But the Administration’s claims that these bills are necessary to protect the nation have a hollow, empty ring to them in light of its failure to take leadership this month on an issue of equal or great importance to the nation’s security - chemical plant security.

This is not a partisan issue. Prominent Republican security experts such as former White House homeland security advisor Richard Falkenrath support common-sense legislation on chemical plant security, and the bills that the Senate and House committees passed were bipartisan bills. Unfortunately, narrow interests are prevailing over bipartisan, security-driven common sense, and outcome that - and I can’t repeat this enough - puts the American people unnecessarily at risk.

From the “Hell freezes over” section of the newspaper:

The Bush administration promised on Wednesday to name a cyber security czar “very soon” to help prevent catastrophic attacks that could cripple the U.S. economy, filling a job that has been vacant since it was created one year ago.

Democrats have criticized the administration for taking too long to hire an assistant secretary for cyber security at the Department of Homeland Security at a time when viruses, worms and other attacks on business computers are increasing.

….”We look forward to announcing the (assistant secretary) candidate to Congress very soon,” George Foresman, preparedness undersecretary at the Department of Homeland Security, told a House panel hearing.

The department has interviewed “numerous candidates” and several have withdrawn from consideration over the past year for various reasons, Foresman said.

For those keeping track, it’s now been fourteen months since Sec. Chertoff announced the creation of this position. Why DHS has yet to name someone to the job continues to mystify me.

The Department of Homeland Security released a report today on the Cyber Storm exercise held several months ago to test cybersecurity response capabilities. The DHS announcement of the report indicates eight major findings in it:

1. Interagency Coordination: Interagency and cross-sector information sharing enhanced overall coordination, communication and response.
2. Contingency Planning, Risk Assessment and Roles and Responsibilities: Clearly defined processes and procedures increased overall ability to plan for and assess situations.
3. Correlation of Multiple Incidents between Public and Private Sectors: The cyber community was effective in addressing individual threats and attacks, but faced challenges in cross-sector situational awareness during a coordinated cyber attack campaign.
4. Exercise Program: Ongoing exercises will strengthen awareness of cyber incident response, roles, policies, and procedures.
5. Coordination between Entities of Cyber Incidents: Establishing expectations, roles, processes and communications in advance will dramatically improve coordination and response.
6. Common Framework for Response to Information Access: Early and ongoing information sharing across governments and sectors created a common framework for response and strengthened relationships between domestic and international response partners.
7. Strategic Communications and Public Relations: Public messaging is an important aspect of incident response and empowers individuals and industry to take appropriate action to protect themselves and the nation’s critical infrastructure.
8. Improvement of Process, Tools and Technology: Improved processes, tools and technology focused on the physical, economic and national security affects of a cyber incident will benefit the quality, speed and coordination of a response.

The most interesting of these findings is #3, indicating that officials found it much more difficult to deal with multiple simultaneous attacks. Here’s the full report.

The Senate Homeland Security and Government Affairs Committee held a hearing today entitled “Homeland Security: The Next Five Years” featuring testimony by Sec. Chertoff as well as testimony by a group of local leaders and experts: LA County Sheriff Lee Baca, NYPD Deputy Commissioner for Counterterrorism Richard Falkenrath, CFR’s Steve Simon, and Reform Institute senior fellow (and HLS Watch contributor) Dan Prieto.

The most interesting part of the hearing was an exchange between Sen. Carper of Delaware and Sec. Chertoff on chemical security legislation. (It’s about 1 hour, 54 minutes into the audio clip found here). Sen. Carper brought up the current procedural impasse on chemical security legislation in the Senate, the result of a dispute between the HSGAC and the Environment & Public Works Committee over jurisdiction and a small handful of contentious issues. Carper asked Chertoff for advice on how the Senate could resolve this impasse and move forward on this legislation, and was essentially pleading with Chertoff to take a stronger role in pushing for the passage of this legislation.

Sec. Chertoff’s responded by detailing the instructions that he has given to “his lawyers” from DHS in their interactions with Congress on this issue, and then admitted that he has remained aloof from Congressional activities on this issue, describing his role as being a member of “the peanut gallery.”

If Sec. Chertoff is really concerned about passing chemical security legislation - consistent with his call in his Georgetown speech last Friday for Congress to pass a bill - then he needs to get out of the “peanut gallery” and become directly involved in finding a compromise among the various stakeholders in Congress on this issue. The differences on the issues among the key stakeholders here can be resolved if DHS and the White House make this a priority in the next few weeks. If, on the other hand, this legislation slips to the 110th Congress, then we’re back at square one, an outcome that is reckless and irresponsible, one that leaves millions of Americans unnecessarily overexposed to the threat of an attack on a chemical facility.

Effective today, DHS has published a set of procedures to guide the collection and use of critical infrastructure information through the Protected Critical Infrastructure Information (PCII) Program. The voluntary PCII program is designed to encourage and facilitate private sector sharing of sensitive or proprietary information with the government, for the purpose of assisting DHS vulnerability assessments and recovery plans.

The Department of Homeland Security has filed “Procedures for Handling Protected Critical Infrastructure Information” with the Federal Register for publication. This final rule, which became effective upon publication in the Federal Register September 1, 2006, amends Homeland Security regulations establishing uniform procedures to implement the Critical Infrastructure Information Act of 2002:

These procedures govern the receipt, validation, handling, storage, marking and use of critical infrastructure information voluntarily submitted to the Department of Homeland Security. This rule applies to all Federal agencies, all United States Government contractors, and State, local and other governmental entities that handle, use, store, or have access to critical infrastructure information that enjoys protection under the Critical Infrastructure Information Act of 2002.

Presumably, uniform and transparent procedures for DHS’ handling of this information will more fully and successfully engage the private sector. You can see the full text of the final rule here.

A quick post from the road. Be sure to check out this story from Chuck McCutcheon at Newhouse News headlined “Crumbling Infrastructure Worries Homeland Security Experts,” which quotes from a post that I wrote a few weeks ago. The story covers what I think is an interesting issue, and one to which Congress is paying increased attention as of late.