Homeland Security Watch

News and analysis of critical issues in homeland security

September 2, 2008

Wake-Up Call Seven Years After

Filed under: General Homeland Security,Infrastructure Protection — by Jonah Czerwinski on September 2, 2008

China won the competition to host the recently concluded 2008 Olympics on July 13, 2001 – just two months before 9/11. For those wondering whether or not we are more secure today than we were before 9/11, consider a broader metric offered today by Thomas Friedman.

Friedman reflects on how China and America have spent the last seven years:

China has been preparing for the Olympics; we’ve been preparing for al-Qaeda. They’ve been building better stadiums, subways, airports, roads and parks. And we’ve been building better metal detectors, armored Humvees and pilotless drones.

The Olympics are over – and were a triumph. Al Qaeda, on the other hand, remains a threat. Fighting terrorism is harder than putting on a $50 billion international competition. (The latter is the Olympics.) But, Friedman points out that the hidden costs are beginning to show:

Compare arriving at La Guardia’s dumpy terminal in New York City and driving through the crumbling infrastructure into Manhattan with arriving at Shanghai’s sleek airport and taking the 220 mph magnetic levitation train, which uses electromagnetic propulsion instead of steel wheels and tracks to get to town in a blink.

At least he notes that China is not equally blessed. Beyond Beijing, that country is still in worse shape than the U.S. Friedman’s point is different: Consider how much modern infrastructure has been built in China since 2001 and how much infrastructure has been postponed in America since 2001. The next president needs a devoted nation-building program in America.

“The next president,” Friedman explains, “can have all the foreign affairs experience in the world, but it will be useless if we, as a country, are weak.” Homeland Security, in other words, is a critical part of keeping America competitive and investments in securing America can also pay dividends in quality of life. A safe and efficient public transportation system is both more secure and more effective.

The next election is not about who is tough enough on terrorists. Both Obama and McCain are equally committed to combating terrorism. The real metric is who is “strong enough, focused enough, creative enough and unifying enough to get Americans to rebuild America.”

May 15, 2008

House Homeland Subcommittee Sheds Light on Resilience

Filed under: Infrastructure Protection,Strategy — by Jonah Czerwinski on May 15, 2008

Yesterday the Transportation Security and Infrastructure Protection Subcommittee held its hearing entitled “Partnering with the Private Sector to Secure Critical Infrastructure: Has the Department of Homeland Security Abandoned the Resilience-based Approach?”

I had the opportunity to testify along with DHS Assistant Secretary Bob Stephan, Bill Raisch of the International Center for Enterprise Preparedness at NYU, Dr. Kevin Stephens, Director of the New Orleans Health Department, and Shawn Johnson, Vice Chairman (soon-to-be chair), Financial Services Sector Coordinating Council. Dr. Stephens provided stark details about the state of the health system’s ability to manage another crisis in New Orleans, given the poor state of the infrastructure there nearly three years after Hurricane Katrina.

The 14th is part of a month of hearings the Homeland Security Committee is dedicating to resilience. Wednesday’s hearing focused on clarifying exactly how DHS views resilience as a priority in the overall strategy of the Department and on identifying ways that DHS can do better in working with the private sector to increase our resilience. Perhaps the best way to paraphrase everyone’s position would be as follows:

Chairwoman Jackson-Lee: Resilience should be part and parcel of the nation’s effort to protect the homeland. To do so requires that DHS effectively share threat information with the private sector, measure resilience (since protection can’t be measured: when is enough, enough?), and think creatively about the enterprise value to a company that invests in resilience. Citing the number of times we use the term resilience isn’t proof enough that action is being taken.

A/S Stephan: We already do resilience. It is mentioned ## times among our existing documents, such as the National Infrastructure Protection Plan (NIPP), the National Response Framework, and various sector specific documents. Through the NIPP, sector-specific plans are developed to accomplish the goal of security, resiliency, and preparedness. Moreover, the emphasis on resilience is a red herring generated by some in academia and think tanks to suggest that (a) DHS is misguided and (b) we ought to sacrifice efforts to prevent and protect in order to bounce back from likely fatal attacks.

Czerwinski: Resilience is more than the ability to “bounce back.” Measures to make the private sector more resilient must provide a “double bottom-line” that delivers both the ability to minimize the impacts of terrorism or natural disasters, but also the value of increased performance and improved commerce during the majority of the time when a threat isn’t present. Doing so requires connecting effectively across the sectors with a balanced approach to three key factors: strategic human capital, technology, and governance. Naturally, the framework offered in our paper on Global Movement Management would be a brilliant step forward.

Johnson: Nothing to see here. The Financial Services Sector has worked closely with the Treasury Department since long before 9/11 to manage an interdependent relationship among partners and competitors in this sector. DHS, through the FS-Sector Coordinating Council, works well in coordinating our efforts to be resilient, which for this sector means the ability to get business back online if ever a disruption were to interrupt our operations. I wouldn’t change a thing.

Raisch: If resilience is the goal, then a method to measure or assess progress is indispensable in order for businesses to determine if their investments in resilience are actually accomplishing anything and to be able to claim to stakeholders or possible adversaries that they are prepared to manage a crisis or disruption. Voluntary accrediting measures provided for in the 9/11 Act (H.R. 1) require the government to take the initiative “as a catalyst and investor in this process.”

Stephens: Help.

Main take-away is this: Resilience is still a complex concept that can be approached from a variety of different angles. DHS is doing a lot to make sure the private sector is prepared and protected, but more can be done through an overarching framework that recognizes the interdependencies among the different sectors and the ways in which the risks of the 21st century make those interdependencies more important than any specific sector. Incentivizing the private sector to take action can be done by embracing a broader definition of resilience to include some level of value that actually improves commerce during those times when no attack or disaster is taking place. Investments in security and performance can be mutually reinforcing, not just mutually exclusive.

The streamed recording is available at the Subcommittee’s website on the hearing.

May 13, 2008

Homeland Transportation & Infrastructure Committee Holds Hearing on Resiliency this Week

Filed under: Congress and HLS,Infrastructure Protection — by Jonah Czerwinski on May 13, 2008

The Transportation Security and Infrastructure Protection Subcommittee convenes its resilience hearing this Wednesday, the 14th. I’ll testify with DHS Assistant Secretary Bob Stephan, Bill Raisch of the International Center for Enterprise Preparedness at NYU, and the Director of the New Orleans Health Department.

The 14th is part of a month of hearings the Homeland Security Committee is dedicating to resilience. Wednesday’s hearing is intended to educate the members on what resiliency really means, what the private sector is doing to achieve resilience, and how DHS can work with the private sector within a framework to promote resilience.

The hearing begins at 2PM in the Homeland Security Committee’s room (311 Cannon House Office Building). Consider attending if you are in WDC. It’ll also stream at the Subcommittee website after the hearing concludes.

Among other things, I intend to describe ways in which the Global Movement Management framework applies to the goal of resiliency and will upload the oral statement later on Wednesday. In the meantime, please feel free to send in your thoughts on the issues in which the Subcommittee is interested for this hearing.

May 8, 2008

The Resilience Debate Begins

Filed under: Infrastructure Protection,Strategy — by Jonah Czerwinski on May 8, 2008

One of our readers offered a healthy dose of skepticism about resilience as a concept. I thought it would be valuable to make this part of a new post to follow up the recent coverage of this topic and the hearings in the House this week.

>>[Jonah does] not include concerns about response in this concept: “Turning victims into patients is important for response, but resilience is different.” Yet your guest poster, Robert Kelly, does: “That is the essence of resilience – the ability to rapidly respond to and recover from a catastrophic event.”

I see a difference between response/recovery and resilience. Being resilient should render the ability to respond effectively. However, rapidly flying in emergency food and water to a hurricane zone, for example, to limit the hardship of the victims would be response, while resilience would be building homes less vulnerable to the effects of a hurricane and getting the ports and businesses up and running. (I should note that my guests on this blog don’t have to agree with me and vice versa.)

>>And Steve Flynn includes it among his “four pillars of resilience” in his recent Foreign Affairs piece: “Second is resourcefulness, which involves skillfully managing a disaster once it unfolds…Ensuring that U.S. society is resourceful means providing adequate resources to the National Guard, the American Red Cross, public health officials, firefighters, emergency-room staffs, and other emergency planners and responders.”

It is important to take Steve’s four factors as a whole. If we selected only the third factor — rapid recovery — I could see the point that my separation of response and resilience would be problematic. However, Steve’s factors are robustness, resourcefulness, rapid recovery, and the means to absorb new lessons. Taken together, I think you’d agree that resilience is more than emergency response, but nevertheless dependent on it being executed well.

>>Unfortunately, I think the concept requires a lot of refining. But hopefully these hearings will not be the only cuts at this effort.

I, too, hope these hearings are the beginning of a sustained effort to build in, rather than bolt on, the important capability of resilience. But the concept of resilience already has been refined to a point that enables action. First steps would include making resilience a strategic goal as part of such plans as the Quadrennial Homeland Security Review.

To refine this concept further, consider the following parameters:

  • Resilience should afford a deterrent value: Terrorists are not deterred by fear of retaliation, but by fear of failure. Resilience delivers a deterrent value by reducing the likelihood that the impact of an intentional attack will transpire.
  • Resilience helps to avoid self-inflicted wounds: Resilience — if done right — affords the decision maker the enhanced ability to focus response efforts on the part of the system that is actually stressed.
  • Investments in resilience should be “dual use” in nature: Investments in resiliency not only address vulnerabilities due to terrorist attacks or natural disasters. Resilience also facilitates the global flows of trade/travel.
  • The private sector is an asset first, a target second: This is a critical step toward being able to make the case for private sector engagement. Several options exist.
  • Redundancy is not resiliency. Having costly back-up systems or two of everything is the easy and most expensive way to “bend and not break.” If done correctly, resiliency is more akin to the concept of Intelligent Immunity we put forth in the latest GMM paper.

February 21, 2008

    Middle East Eyes Homeland Security

    Filed under: Infrastructure Protection,International HLS — by Jonah Czerwinski on February 21, 2008

    The Middle East is beginning to appreciate the importance of homeland security in new ways, and the United Arab Emirates appears to be at the forefront. With what’s being billed as the Middle East’s first event focused exclusively on homeland security, Abu Dhabi will host a conference on protecting national borders, building disaster resilience, and countering international terrorism next month.

    Entitled “International Security / National Resilience,” the gathering takes place March 2-5, 2008, at Abu Dhabi and is sponsored by HH General Sheikh Mohammed Bin Zayed Al Nahyan, Crown Prince of Abu Dhabi and Deputy Supreme Commander of the UAE Armed Forces, along with the UAE Ministry of Interior. ISNR Abu Dhabi follows ISNR London, which was held 4-5 December 2007.

    Last year the UAE President, His Highness Shaikh Khalifa Bin Zayed Al Nahyan created a new government agency charged with protecting vital facilities and utilities in the emirate of Abu Dhabi. With critical infrastructure that includes onshore and offshore petroleum facilities, power generation stations, water desalination plants, a natural gas transportation network, airports, seaports, and service networks, it’s no wonder they see the value in their own version of a DHS. However, since all of this infrastructure is owned by the emirate, they’ll likely have an easier go of it than DHS, which must navigate a domain of critical infrastructure owned almost entirely by the private sector.

    Promoters of ISNR Abu Dhabi explain that the gathering will provide a comprehensive look at homeland security issues to enable “governmental authorities to respond resiliently to natural disasters as well as man-made ones.” This is just the sort of opportunity the U.S. Department of Homeland Security should capitalize on by sending delegates armed with speeches and presentations that explain the way we perceive the threat, the lessons we’ve learned, and the interest we have in supporting their efforts in a partnership against a threat that requires cooperation in order to be combated.

    This blog has written before about the opportunities – some missed – for sharing our expertise in homeland security to benefit reluctant friends overseas. We have a shared interest in protecting our civilians. And the U.S. could really use some friends nowadays in that region.

    November 9, 2007

    Nuclear Plant Penetrated in S. Africa

    Filed under: Infrastructure Protection,Terrorist Threats & Attacks — by Jonah Czerwinski on November 9, 2007

    The Pelindaba nuclear facility in South Africa was the target of an armed assault yesterday. Never mind the talk of flying airplanes into reactors, this is a real world case wherein armed men were able to penetrate a series of security measures and actually enter the control room. This article was sent in by reader Steve Bogden.

    A CRS study in 2005 entitled “Nuclear Power Plants: Vulnerability to Terrorist Attack,” argues that despite the heightened security measures imposed on nuclear facilities in the U.S. by the Nuclear Regulatory Commission, industry has been slow to implement them.

    The NRC explains its position on protecting nuclear facilities here with its three phase plan that was to be completed by now. I do not know where this effort stands.

    In the past, security measures known as “buffers” or “layers” were considered the best way to restrict unauthorized access to such crucial infrastructure as a nuclear power plant’s control panel. Earlier this month, a man was discovered to be bringing a pipe bomb into a nuclear plant in Arizona – the largest one in the country in fact.  If the perpetrators of the break-in at Pelindaba had been armed with such a bomb, it is doubtful that any existing buffers would have stopped a terrible outcome.

    Here is the article:

    Attack at Pelindaba nuclear facility
    By Graeme Hosken
    The Pretoria News
    November 09, 2007

    A brazen attack by four gunmen on the Pelindaba nuclear facility has left a senior emergency officer seriously injured.

    Anton Gerber, Necsa emergency services operational officer spoke to the Pretoria News from his hospital bed hours after the attack.

    He was shot in the chest when the gunmen stormed the facility’s emergency response control room in the early hours of Thursday morning.

    The shooting comes four months after Necsa’s newly appointed services general manager Eric Lerata, 43, was gunned down in front of his Montana home after returning from a business trip in France.

    Pelindaba is regarded as one of the country’s most secure national key points.

    It is surrounded by electric fencing, has 24-hour CCTV surveillance, security guards and security controls and checkpoints.

    The attack comes as the country prepares to preside over an International Atomic Energy Agency convention on nuclear safety.

    The convention is aimed at achieving a high level of global nuclear safety via safety related technical co-operation; establishing and maintaining effective defences in nuclear installations against potential radiological hazards and preventing accidents with radiological consequences.

    A visibly shaken Gerber, who was rushed to Eugene Marais hospital, on Thursday said that he was sitting in the control room with his fiancée Ria Meiring when he heard a loud bang.

    Meiring, who was working nightshift, is the supervisor of the control room.

    Gerber said he kept Meiring company. “I do not like it when she is at work at night and I go with her to keep her company and ensure that she is safe,” he said.

    Describing the attack Gerber said they were inside the electronically sealed control room when they heard a loud bang.

    They then spotted the gunmen coming into the facility’s eastern block.

    It is believed that the attackers gained access to the building by using a ladder from Pelindaba’s fire brigade and scaling a wall.

    The men are thought to have forced open a window by pulling out several louvers.

    Pushing Meiring underneath a desk, Gerber attacked two of the gunmen as they forced their way into the control room and ran straight for the control panel.

    “I did not know what they were going to do. I just kept on hitting them even when one of them attacked me with a screwdriver.

    “I knew that if I stopped they would attack Ria or do something to the panel.

    “I could not let anything like that happen,” he said.

    Unbeknownst to Gerber one of the robbers had shot him in the chest as he fought them off.

    The bullet narrowly missed his heart breaking a rib before puncturing his lung. Doctors said the bullet missed his spine by 2cm.

    Gerber, who at one stage thought he was going to die, said he had been very scared.

    “The facility is meant to be safe. There are security guards, electric fences and security control points. These things are not meant to happen,” he said.

    Necsa spokesperson Chantal Janneker confirmed the attack.

    She declined to say how the gunmen had gained access to the facility or whether they had stolen anything.

    Janneker said Necsa was conducting an internal investigation into the attack.

    Once the police investigation was complete Necsa would divulge what happened, she said.

    Later in the afternoon, Pretoria News was phoned by a man identifying himself as a Necsa legal adviser, saying the newspaper will be breaching the National Keypoints Act by publishing the story.

    He said that Necsa may seek a court order preventing dissemination of the story.

    He claimed that the interview with Gerber was “unethical” as “he was under sedation and thus incoherent” when it was conducted.

    Pretoria News sought and was granted permission to interview Gerber, by hospital management, and Gerber himself. While he was obviously in pain, he appeared coherent and made sense throughout the interview.

    His recall of the events was sequential and to the point. He also agreed to have his picture taken in his hospital bed.

    North West police spokesperson Superintendent Louis Jacobs said that no arrests had been made.

    “A case of armed robbery and attempted murder are being investigated,” he said.

    October 6, 2007

    GAO Weighs In On SAFE Port Act

    Filed under: Congress and HLS,Infrastructure Protection,Port and Maritime Security — by Jonah Czerwinski on October 6, 2007

    GAO released a statement this week on the SAFE Port Act. The Act covered a range of policies focused on maritime security, but may be best known for its mandate to scan 100% of all incoming maritime cargo. DHS is principally responsible for executing on the Act, but relevant component agencies include the U.S. Coast Guard, Customs and Border Protection, Domestic Nuclear Detection Office, and the Transportation Security Agency.

    GAO delved into this one. They “visited domestic and overseas ports; reviewed agency program documents, port security plans, and post-exercise reports; and interviewed officials from the federal, state, local, private, and international sectors.” GAO’s recommendations focus on the need to develop strategic plans, better plan the use of DHS human capital, and establish performance measures. The programs addressed in this document can be organized as follows:

    [Image: safe-port-by-gao.jpg]

    May 12, 2007

    Port of Tacoma Site of New DNDO T&E Effort

    Filed under: Infrastructure Protection,Port and Maritime Security,Radiological & Nuclear Threats — by Jonah Czerwinski on May 12, 2007

    DHS – through the Domestic Nuclear Detection Office – is starting to test and evaluate equipment focused on the blind spots around the shipment of containerized cargo. While this effort satisfies Section 121(i) of the SAFE Port Act of 2006, it also reflects proposals made by the Homeland Security Advisory Council in 2005 when its Task Force on Preventing Weapons of Mass Effect explained the importance of adopting a layered prevention strategy. Intermodal chokepoints served as key examples for the Task Force’s argument. Specifically, the gaps in scanning and other preventive measures needed to be in place when a target item (i.e. cargo container) transferred from one conveyance (boat) to another (rail). The Task Force considered this next layer a “critical deficiency” that required the Department’s attention.

    The DNDO announced yesterday that:

    The U.S. Department of Homeland Security (DHS) will soon begin conducting multiple projects in the Port of Tacoma, Wash., to evaluate technology and concepts of operations for radiation detection that will scan cargo at various points in transfer from ship to rail.  By establishing a Rail Test Center (RTC) at the port, DHS will identify and evaluate radiological and nuclear detection solutions for intermodal rail port facilities that can be used across the country.

    A major recommendation and recurring theme from the Nuclear Defense Working Group at the Center for the Study of the Presidency held that detection efforts were strongest when targets were in motion or under scrutiny already (i.e. cargo was only screened when checked, registered, or loaded, and usually at only one of those points).  Containers and other targets at rest were a glaring weakness, according to the NDWG, in need of innovative solutions that did not include scattering expensive scanners over every square inch of an airport or seaport.  The same DNDO announcement reminded me of that recommendation with this detail:

    Projects being considered for further evaluation at the RTC include scanning cargo on the dock, during transport to the rail yard, entering the rail yard, in the container storage stack, during train assembly, and as the train leaves the port.

    These are promising efforts, albeit nascent ones.  These are also only one part of the broader effort to reduce the threat of smuggled nucs.  Let’s hope the non-proliferation and Nunn-Lugar-type programs get the same attention.  More on that can be found at Jeffrey’s ArmsControlWonk.com.

    January 6, 2007

    Chemical security: the case for action

    Filed under: Infrastructure Protection — by Christian Beckner on January 6, 2007

    GovExec has an excellent story in its latest issue that looks at the chemical plant security threat, and describes the conditions that create the imperatives for strong government action in the sector. This is an issue that I’ve written about extensively on this site over the past year, consistent with the arguments put forward in this piece. There’s not much new in the story, but it serves as a useful reminder of why vigorous enforcement by DHS, and strengthened legislation by Congress, is necessary to protect Americans against these real threats.

    December 29, 2006

    DHS issues draft chemical security regs

    Filed under: Infrastructure Protection — by Christian Beckner on December 29, 2006

    The Department of Homeland Security issued an advance notice of rulemaking for chemical facility security regulations last week, published on Thursday in the Federal Register. These regulations follow the loose mandate set forth in Sec. 550 of the FY 2007 DHS appropriations bill, following blocked efforts to pass comprehensive chemical security legislation earlier in 2006 – a process followed closely, as loyal readers know, on this site. Comments on the regulations are due no later than February 7, 2007.

    I’ve read through the full document, and while there are some solid sections of it (for example, the sections on risk assessment and vulnerability analysis), there are a number of aspects of the draft regulations that are troublesome. I find four key flaws with the draft regs:

    1. Excessive deference. The regulations have a very obsequious and overly legalistic tone, bending over backward to provide the chemical facilities with means to contest decisions, and provide for a drawn-out mediation process before penalties might be used. This type of deference might be acceptable in non-security contexts, but it seems misplaced when the topic is a critical homeland security vulnerability.

    2. Inspection process. The draft regulations state that DHS will only conduct inspections during regular business hours and will provide at least 24-hour notice of an incoming inspection. From a security perspective, this is ludicrous. Terrorists could attack a chemical facility at any hour of the day, and in fact might be more likely to attack some facilities at night, if the adjacent area has a larger nighttime population than a daytime population. And giving advance notice of inspections is an invitation for scofflaw plants to cover up poor execution of their security plans. Instead, DHS should be employing an “any place, any time” approach to inspections.

    3. State law preemption. DHS interprets Sec. 550 as giving them the mandate to block the enforcement of state laws (such as the one on the books in New Jersey) on chemical facility security, a provision that has already earned a strident rebuke from Sen. Collins. Throughout the debate over the past year, I’ve argued that states should be allowed to set tougher regulations consistent with principles of federalism, and I believe it’s a mistake for DHS to block their ability to do so.

    4. “Chemical Terrorism-Vulnerability Information”. A long section of the draft regs discusses DHS’s decision to create a new category of “sensitive-but-unclassified” information: Chemical Terrorism-Vulnerability Information (CVI). At a broader level, the last thing that DHS needs to do right now is to create a new category of SBU information; as the GAO has exhaustively analyzed, the proliferation of SBU categories has inhibited effective information-sharing within the federal government. Reading the draft regs, I worry also that this section would inhibit the ability of local law enforcement and response officials to learn about security at chemical facilities within their jurisdiction. This would be unfortunate, since these are the officials who will be on the scene before the feds if an attack occurred.

    Overall, these draft regs confirm my earlier concerns that the language in the final appropriations bill would turn out to be insufficient. Congress needs to step up to the plate again in the 110th Congress on this issue, building off of the earlier proposals that passed the two homeland security committees. And concerned citizens can submit comments at regulations.gov (docket # DHS-2006-0073) by the Feb. 7th deadline.

    November 15, 2006

    “Animal enterprise terror” threats vs. chemical plant security

    Filed under: Congress and HLS,Infrastructure Protection — by Christian Beckner on November 15, 2006

    On Monday, the House passed S. 3880, the Animal Enterprise Terrorism Act by unanimous consent, clearing the way for it to potentially be signed into law by the President. The Act “provide[s] the Department of Justice the necessary authority to apprehend, prosecute, and convict individuals committing animal enterprise terrorism.”

    Normally this is the kind of bill that I would ignore on the blog, given the fact that it’s essentially trivial in nature, giving the DOJ new narrow authorities that it already essentially had based on the discretionary application of broader authorities. I don’t disagree with its contents; I just think it doesn’t matter all that much.

    But when I came across the bill today, I couldn’t ignore it, after noting that the chief Senate sponsor is Sen. James Inhofe of Oklahoma. Inhofe is probably the person most responsible for blocking the passage of comprehensive chemical plant security legislation this year, motivated as much by jurisdictional pique as any substantive disagreements with the bipartisan legislation put forward by Sen. Collins and Sen. Lieberman.

    Given this history, he has a lot of nerve to put forward a bill like this. With the “Animal Enterprise Terrorism Act”, Sen. Inhofe is addressing a minor issue as if it’s a major threat, while at the same time leading efforts to block legislation that would remedy the greatest vulnerability in our domestic infrastructure today – legislation that is needed to improve the security of millions of Americans.

    This is shameful. When it comes to homeland security, his priorities have been woefully misplaced, and I’m glad he’s surrendering the gavel at EPW at the end of the 109th Congress.

    November 7, 2006

    Conference Board report on ‘The Business Case for Security’

    Filed under: Infrastructure Protection,Organizational Issues — by Christian Beckner on November 7, 2006

    As I noted in a post last Friday, the Conference Board released a report last week entitled “Navigating Risk: The Business Case for Security,” by Tom Cavanagh, who has written extensively on the topic of the private sector’s role in homeland security over the past few years. The full report is only available if you shell out $495 (or $125 for Conference Board members), but many of its key findings are summarized in this press release and these charts.

    There are a number of interesting findings in the report, but the most notable is the “disconnect” that Cavanagh identifies in the way that security is treated in the corporate boardroom:

    But there is a strong disconnect between the level of support for security initiatives and the level of influence over security policy within the companies surveyed. In general, the most supportive executives were not the most influential, and the most influential executives (senior C-suite managers) were not the most supportive. In addition, most senior executives surveyed reported that they have little direct responsibility for most aspects of security. Security is an area with a lot of dotted-line relationships, so senior executives are often heavily involved in specific security decisions even though they are not directly accountable for them.

    The Demos report that I wrote about last week offers a number of suggestions that address this fundamental dilemma, such as finding security executives with stronger business backgrounds and developing better security metrics and rationales. Taken together, the two reports provide a compelling case that companies need to revisit their existing approaches to security, and ensure that they are appropriately aligned for the many types of disruptions that could pose a significant threat to their businesses.

    November 3, 2006

    Demos report on ‘The Business of Resilience’

    Filed under: Infrastructure Protection,Preparedness and Response — by Christian Beckner on November 3, 2006

    As I mentioned earlier in the week, I traveled last week to London and spoke at the Global Security Challenge conference. While there, I met a fellow panelist from the British think tank Demos, Charlie Edwards, who was the co-author (along with Rachel Briggs) of a report entitled “The Business of Resilience” released a few months ago.

    I read through the report earlier today, and it’s an excellent treatise on the evolving roles and responsibilities of the security function within the private sector. Briggs and Edwards offer a number of insightful observations regarding why security and resilience should be considered as core strategic imperatives, and what companies can do to align security with core business imperatives. They identify six characteristics exhibited by successful companies, which are worth listing here in full:

    1. They [companies] understand that security is achieved through the everyday actions of employees right across the company. It is not something that the corporate security department can do to or for the company on its behalf and its functional success is therefore dependent on its ability to convince others to work differently. This places emphasis on communication and requires security departments to value the views of non-security professionals just as much as those of the experts.
    2. They recognise the limitations of command and control approaches to change management. Behaviour is altered experience. The power of the corporate security function is now directly proportionate to the quality of its relationships, not the depth of its content knowledge.
    3. They understand that their role is to help the company to take risks rather than eliminate them, and to have contingencies in place to minimise damage when things go wrong. Risk-taking is essential to successful business and corporate security departments must not behave as security purists whose work detracts from, rather than contributes towards, the company’s goals.
    4. They embrace and contribute towards their company’s key business concerns, and as a result are expanding the security portfolio significantly. Corporate security departments now have responsibilities in areas such as corporate governance, information assurance, business continuity, reputation management and crisis management, which is causing many to question the relevance of the term ‘security’ to describe what they do. The term resilience now more accurately reflects the range of their responsibilities.
    5. They draw a clear distinction between the strategic and operational aspects of security management, and have created group corporate security departments to lead on strategy, leaving operational work to be carried out by business units. They all have a clear philosophy to guide their approach to security, which provides direction for non-security professionals, makes it easier to communicate across the company, sell itself to the board, and be credible alongside other functions.
    6. Finally, and most important symbolically, the corporate security departments that are leading the way have abandoned old assumptions about where their power and legitimacy come from. Their position does not rest on that which makes them different – their content knowledge – but on business acumen, people skills, only by convincing, persuading, influencing and explaining why a new way of working is in each person’s interest. This requires departments to work through trusted social networks, which places greater emphasis on people, management and social skills than security management ability and communication expertise. In other words, they have to compete on the same terms as every other function in the company. This is leading many organisations to place greater emphasis on these skills than on a security background and some have people working on security who don’t have any security experience at all.

    The authors go into great detail on each of these points in the course of the 109-page report. I found their argument in Chapter 10 in favor of greater diversity in the backgrounds and skill sets of security executives to be especially compelling; they contend that senior-level security managers need to be drawn from broader sources than the traditional ones, i.e. former law enforcement, military, and intelligence officials. They argue that security officials need strong business skills, the capability to operate across a flat and/or matrixed organization, and comfort with the trade-offs inherent in risk management – all skills which are not necessarily found in sufficient depth within the traditional talent pools.

    For more on this subject, check out the new Conference Board report entitled “Navigating Risk: The Business Case for Security” (I’ll be writing about it within the next few days).

    October 26, 2006

    A new report card for homeland security

    Filed under: General Homeland Security,Infrastructure Protection — by Christian Beckner on October 26, 2006

    Steve Flynn from the Council on Foreign Relations issued a report card for the nation’s homeland security efforts, and the grades that he gives are the kind that any child would try to hide from his or her parents:

    Port Security: D+
    Nuclear Plant Security: B/B+
    Air Defense: B
    Airport Security: C+
    Border Control and Immigration: C
    Chemical Plant Security: D-/F
    Disaster Response: C-
    Bridges, Tunnels, and Other Infrastructure: C
    Public Relations: D

    I would probably give more favorable grades for some of these, such as airport security and border security, but that’s partially a function of the fact that I’m a product of the era of grade inflation, where a B- is considered a poor grade. But some of these grades – notably Chemical Plant Security and Public Relations – are deservedly poor, given the track record of DHS and Congress over the past couple of years.

    Steve has a podcast on the CFR site that explains these grades in greater detail. And his new book The Edge of Disaster will be hitting bookstores in early 2007.

    October 12, 2006

    CRS looks at critical infrastructure information

    Filed under: Infrastructure Protection — by Christian Beckner on October 12, 2006

    The Congressional Research Service released a new report in late September that looks at how the federal government protects critical infrastructure information, and how it strikes a balance between the protection of sensitive and/or business confidential information and a legitimate public right-to-know:

    RL33670: Protection of Security-Related Information, September 27, 2006

    It’s a useful survey of this issue, looking at the different ways in which it is handled in different sectors and providing useful explanations of the legal concepts of Protected Critical Infrastructure Information (PCII) and Sensitive Security Information (SSI).

    October 6, 2006

    Two new reports from the NIAC

    Filed under: Infrastructure Protection — by Christian Beckner on October 6, 2006

    Two recently-completed reports by the National Infrastructure Advisory Council (NIAC) were published on the DHS website this week:

    The first report is entitled Workforce Preparation, Education and Research (7.3mb download). Its four key recommendations, according to the transmittal letter:

    1. The Federal government should continue to support the education of our workforce via the Scholarship for Service Program (Cyber Corps);
    2. Designate a coordinating body to oversee cyber security research efforts;
    3. Designate a privately administered, public-private Information Assurance (IA) training certification body;
    4. The Federal government should do everything in its power to assist states in implementing internationally competitive standards, curricula and teaching methods.

    The second report is entitled Public-Private Sector Intelligence Coordination, and it probes questions related to public and private sector cooperation on intelligence as it pertains to critical infrastructure protection. That report makes eight recommendations, including a suggestion that “the U.S. Attorney General should publish a best practices guide for private sector employers to avoid being in conflict with the law” as it pertains to sharing information related to infrastructure vulnerabilities; and a recommendation that DHS and other federal entities should “rationalize and standardize the use of SBU markings, especially “For Official Use Only” (FOUO), and publish standard handling instructions clearly for all intended recipients.”
