Homeland Security Watch

The Senate’s version of the FY 2009 spending bill to fund DHS actually provides less funding for the Office of Policy than the Bush Administration requested. The Policy Office was created after Secretary Chertoff came to office as part of his Second Stage Review. Most everyone welcomed the move as only overdue. Today, the Policy Office is a cross-cutting entity operating out of the Office of the Secretary with portfolios such as Policy Development, Strategic Plans, International Relations, Immigration Statistics, and Private Sector engagement, and it houses the Homeland Security Advisory Council.

It is a critical Department function that may someday serve as vital a role as its counterpart at the Defense Department. Like DoD, DHS now creates a strategic assessment of its policies, plans, priorities, and goals for a four-year window. The Pentagon calls it the Quadrennial Defense Review, and DHS is now at work on its first ever Quadrennial Homeland Security Review. The QDR is an influential document that benefits from senior leadership buy-in, Congressional support, and sweat from across the Defense community. The QHSR is off to a rough start.

The FY08 appropriations act funded the QHSR with only $1,500,000. (An additional $150,000 was assigned to the CFO’s office to support the QHSR.) Nearly all of that funding is being spent on contractor support to help the Office of Policy write the QHSR. The current Senate FY09 bill takes DHS to task for this:

The [Senate] Committee [on Appropriations] is concerned that almost the entire request of $1,500,000 for the QHSR is for contractor support even though many of the functions intended for contractors are inherently governmental. Contracting out the job of long-term planning and goal setting undermines the mission and purpose of this Department. Requiring agencies to work together to develop long-term goals was one of the intended benefits of the creation of the Department. Therefore, funds for contractor support shall only be used for administrative and clerical tasks in support of the QHSR.

The Committee is right to be concerned about outsourcing such a critical initiative as the first QHSR. However, blame can be shared. The Defense Department QDR is funded at nearly 10x the amount given to DHS, and the Pentagon leadership is heavily invested in supporting the QDR drafting process with staff from across the services and the civilian leadership. The DHS Policy Office is being given a pittance to perform this QHSR the right way, but the Policy Office is also not supported by the DHS leadership sufficiently to gain the DHS-wide support necessary to staff it up.

In my meetings with Chertoff this year I’ve asked about the QHSR nearly every time. His response indicates a downplayed priority. It could be because the QHSR will benefit the next Administration more than the current one, but the process needs to be institutionalized and supported for the long-term success of the Department. Let’s hope that over the course of the appropriations negotiations we see an elevated profile – as well as higher funding – for the QHSR initiative.

IBM’s Global Leadership Initiative and GWU’s Homeland Security Policy Institute are teaming up for an event next Monday, June 9th. The panel kicks off with Bradley Buswell, DHS Deputy Under Secretary for Science & Technology, followed by a unique panel of experts:

Parney Albright
Former DHS Assistant Secretary for Science and Technology
Currently Managing Director & Vice Chairman of Civitas, LLC

Christian Beckner
Professional Staff Member
Senate Homeland Security and Governmental Affairs Committee

Greg Nojeim
Director, Project on Freedom, Security and Technology, Center for Democracy and Technology

Langdon Greenhalgh
CEO
Global Emergency Group

The panel and discussion will examine the critical role of technology in homeland security, both as an opportunity and as a challenge. For many, technology holds forth the promise of solving a host of our greatest homeland security and counterterrorism challenges: providing the right information to the right people at the right time. For others, technology poses an abiding challenge: projects fall short of promises, privacy protections can become subjugated, and men and women on the front lines are often frustrated by new technologies that complicate their jobs before making them easier. The speakers will examine successes and failures from both the public and private sectors to draw lessons that guide the way for future investments and innovation.

I’ll moderate the discussion with Frank Cilluffo, Director of the Homeland Security Policy Institute. I hope to see some of our readers there.

RSVP to hspi1@gwumc.edu or at (202) 994-4787 by Friday, June 6th, 2008. Details below:

Monday, June 9, 2008
10:00 am – 1:15 pm
The George Washington University
Marvin Center, 800 21st Street, NW Washington, DC 20052
Third Floor
Continental Ballroom

Yesterday the Transportation Security and Infrastructure Protection Subcommittee held its hearing entitled “Partnering with the Private Sector to Secure Critical Infrastructure: Has the Department of Homeland Security Abandoned the Resilience-based Approach?”

I had the opportunity to testify along with DHS Assistant Secretary Bob Stephan, Bill Raisch of the International Center for Enterprise Preparedness at NYU, Dr. Kevin Stephens, Director of the New Orleans Health Department, and Shawn Johnson, Vice Chairman (soon-to-be chair), Financial Services Sector Coordinating Council. Dr. Stephens provided stark details about the state of the health system’s ability to manage another crisis in New Orleans, given the poor state of the infrastructure there nearly three years after Hurricane Katrina.

The 14th is part of a month of hearings the Homeland Security Committee is dedicating to resilience. Wednesday’s hearing focused on clarifying exactly how DHS views resilience as a priority in the overall strategy of the Department and on identifying ways that DHS can do better in working with the private sector to increase our resilience. Perhaps the best way to paraphrase everyone’s position would be as follows:

Chairwoman Jackson-Lee: Resilience should be part and parcel of the nation’s effort to protect the homeland. To do so requires that DHS effectively share threat information with the private sector, measure resilience (since protection can’t be measured: when is enough, enough?), and think creatively about the enterprise value to a company that invests in resilience. Citing the number of times we use the term resilience isn’t proof enough that action is being taken.

A/S Stephan: We already do resilience. It is mentioned ## times among our existing documents, such as the National Infrastructure Protection Plan (NIPP), the National Response Framework, and various sector specific documents. Through the NIPP, sector-specific plans are developed to accomplish the goal of security, resiliency, and preparedness. Moreover, the emphasis on resilience is a red herring generated by some in academia and think tanks to suggest that (a) DHS is misguided and (b) we ought to sacrifice efforts to prevent and protect in order to bounce back from likely fatal attacks.

Czerwinski: Resilience is more than the ability to “bounce back.” Measures to make the private sector more resilient must provide a “double bottom-line” that delivers both the ability to minimize the impacts of terrorism or natural disasters, but also the value of increased performance and improved commerce during the majority of the time when a threat isn’t present. Doing so requires connecting effectively across the sectors with a balanced approach to three key factors: strategic human capital, technology, and governance. Naturally, the framework offered in our paper on Global Movement Management would be a brilliant step forward.

Johnson: Nothing to see here. The Financial Services Sector has worked closely with the Treasury Department since long before 9/11 to manage an interdependent relationship among partners and competitors in this sector. DHS, through the FS-Sector Coordinating Council, works well in coordinating our efforts to be resilient, which for this sector means the ability to get business back online if ever a disruption were to interrupt our operations. I wouldn’t change a thing.

Raisch: If resilience is the goal, then a method to measure or assess progress is indispensable in order for businesses to determine if their investments in resilience are actually accomplishing anything and to be able to claim to stakeholders or possible adversaries that they are prepared to manage a crisis or disruption. Voluntary accrediting measures provided for in the 9/11 Act (H.R. 1) require the government to take the initiative “as a catalyst and investor in this process.”

Stephens: Help.

Main take-away is this: Resilience is still a complex concept that can be approached from a variety of different angles. DHS is doing a lot to make sure the private sector is prepared and protected, but more can be done through an overarching framework that recognizes the interdependencies among the different sectors and the ways in which the risks of the 21st century make those interdependencies more important than any specific sector. Incentivizing the private sector to take action can be done by embracing a broader definition of resilience to include some level of value that actually improves commerce during those times when no attack or disaster is taking place. Investments in security and performance can be mutually reinforcing, not just mutually exclusive.

The streamed recording is available at the Subcommittee’s website on the hearing.

One of our readers offered a healthy does of skepticism about resilience as a concept. I thought it would be valuable to make this part of a new post to follow up the recent coverage of this topic and the hearings in the House this week.

>>[Jonah does] not include concerns about response in this concept: “Turning victims into patients is important for response, but resilience is different.” Yet your guest poster, Robert Kelly, does: “That is the essence of resilience – the ability to rapidly respond to and recover from a catastrophic event.”

I see a difference between response/recovery and resilience. Being resilient should render the ability to respond effectively. However, rapidly flying in emergency food and water to a hurricane zone, for example, to limit the hardship of the victims would be response, while resilience would be building homes less vulnerable to the effects of a hurricane and getting the ports and businesses up and running. (I should note that my guests on this blog don’t have to agree with me and vice versa.)

>>And Steve Flynn includes it among his “four pillars of resilience” in his recent Foreign Affairs piece: “Second is resourcefulness, which involves skillfully managing a disaster once it unfolds…Ensuring that U.S. society is resourceful means providing adequate resources to the National Guard, the American Red Cross, public health officials, firefighters, emergency-room staffs, and other emergency planners and responders.”

It is important to take Steve’s four factors as a whole. If we selected only the third factor — rapid recovery — I could see the point that my separation of response and resilience would be problematic. However, Steve’s factors are robustness, resourcefulness, rapid recovery, and the means to absorb new lessons. Taken together, I think you’d agree that resilience is more than emergency response, but nevertheless dependant on it being executed well.

>>Unfortunately, I think the concept requires a lot of refining. But hopefully these hearings will not be the only cuts at this effort.

I, too, hope these hearings are the beginning of a sustained effort to build in, rather than bolt on, the important capability of resilience. But the concept of resilience already has been refined to a point that enables action. First steps would include making resilience a strategic goal as part of such plans as the Quadrennial Homeland Security Review.

To refine this concept further, consider the following parameters:

Resilience should afford a deterrent value: Terrorists are not deterred by fear of retaliation, but by fear of failure. Resilience delivers a deterrent value by reducing the likelihood that the impact of an intentional attack will transpire.

Resilience helps to avoid self-inflicted wounds: Resilience — if done right — affords the decision maker the enhanced ability to focus response efforts on the part of the system that is actually stressed.

Investments in resilience should be “dual use” in nature: Investments in resiliency not only address vulnerabilities due to terrorist attacks or natural disasters. Resilience also facilitates the global flows of trade/travel.

The private sector is an asset first, a target second: This is a critical step toward being able to make the case for private sector engagement. Several options exist.

Redundancy is not resiliency. Having costly back-up systems or two of everything is the easy and most expensive way to “bend and not break.” If done correctly, resiliency is more akin to the concept of Intelligent Immunity we put forth in the latest GMM paper.

Congressman Bennie Thompson, chairman of the House Homeland Security Committee, set the tone for yesterday’s first Congressional hearing on resilience by asserting that America’s strategy for protecting the homeland must balance prevention with resilience since 100% security is unobtainable. Moreover, “we all have a role to play,” he said, implying that resilience is the responsibility of the federal government, states and localities, academia, and the private sector, which explains the presence of DHS, MIT, ATT&T, SAP, and the Homeland Security Center for Risk & Economic Analysis of Terrorism Events at USC as witnesses. Chairman Thompson concluded his opening remarks with his refrain that success in this mission demands “honesty with the American people” and a worthy goal of securing the homeland is that we do so based on a “freedom from fear.”

DHS Assistant Secretary for Policy, Stewart Baker, represented the federal government and its views on resilience, as well as current efforts to invest in this capability. Much of A/S Baker’s prepared remarks focused on the ability to “bounce back” as the goal of resilience. This is important, but it leaves out other dimensions that make the concept of resilience valuable (i.e. deterrence, measured response, dual use, etc.).

However, he did emphasize certain efforts to use information more effectively as a resource for alerting populations at risk as soon as an attack or disaster is known to be imminent. Baker cited such measures as “reverse 9/11,” instant messaging, blogs, Google Maps, and twitter as means for fostering an organized response. (Blogs?)

Mr. Baker did identify at least one area that would generate substantial improvement. He described DHS’s work with the Treasury Department, the Financial Services Sector Coordinating Council Subcommittee for Research and Development, and ChicagoFIRST to develop a risk management tool for the finance sector. This includes a computer simulation of the value chains of a generic financial enterprise to allow organizations to create and run “disruption scenarios tailored to their individual business models, using their own proprietary data as well as generic data for the rest of the financial sector,” according to Baker.

Professor Yossi Sheffi of MIT broadened the scope of the discussion to include the important ability of obtaining information early in order to act earlier and with more precision. He cited specifically the prerequisite of devolving decision making to the levels closest to the “front lines” in order to be not only quicker in responding, but also more surgical in that response so as to minimize overreactions that risk amplifying the circumstances.

AT&T’s Susan Bailey echoed this with an explanation that her firm not only prepares for disruptions, but they monitor, pattern, and then profile internet traffic that they support to establish a baseline. Aberrations and abnormalities — often antecedents to cyber attacks — can then be identified and zeroed in on. Indeed, Erroll Southers of the Homeland Security Center for Risk & Economic Analysis of Terrorism Events described how the British implicitly join detection and resilience.

Several members cited the media coverage yesterday of a study that found a nationwide inability on the part of emergency rooms to manage large and unexpected influxes of patients that would likely follow a terrorist strike or natural disaster. Naturally, A/S Baker had little to say about this. That may be the job of the DHS Medical Advisor or HHS, but it isn’t even resilience in the first place. This scenario describes the need for “surge capacity” in hospitals in order to facilitate an emergency response. Turning victims into patients is important for response, but resilience is different.

Interestingly, Rep. Lungren invoked a missing aspect of resilience. If “we all play a part,” as the Chairman appropriately notes, then we must find a way for resilience to become a part of the bottom line for the private sector. He raises a good point. While regulations will surely get industry’s attention, the best form of resilience — indeed the best form of homeland security — reduces the risk of terrorist attack or disruption while also improving the facilitation of trade and travel.

Resilience in the form of redundancy (costly back up facilities or other investments that go unused until disaster strikes) is a blunt measure. Today the Subcommittee on Border, Maritime, and Global Counterterrorism convenes their hearing on “Assessing the Resiliency of the Nation’s Supply Chain.” This is a perfect opportunity to explore smart resilience, as opposed to simply the ability to bounce back.

– Guest Post –

It won’t just be the flowers blooming in May. With House Homeland Security Committee Chairman Bennie Thompson (D-MS) declaring May as “Resilience Month” in his committee, “resilience” has blossomed from the seed first planted by the likes of Steve Flynn at the Council on Foreign Relations and IBM’s work on Global Movement Management into an influential concept that has attracted the attention of leaders in the public and private sectors.

I will be one of the many corporate leaders and experts to testify as the House Homeland Committee and each of its subcommittees hold hearings in May centered on resilience. The newfound prominence of the issue on Capitol Hill comes as many firms have made great strides in improving their ability to continue operations in the face of a crisis. That is the essence of resilience – the ability to rapidly respond to and recover from a catastrophic event. As government authorities explore strategies for enhancing national resilience, they must look to the private sector for examples to follow and for opportunities for partnership.

I was honored to chair a national symposium, Building a Resilient Nation: Enhancing Security, Ensuring a Strong Economy, in New York City at the end of March of this year that brought together business leaders and industry experts to discuss the importance of resilience to our national and economic security. Listening to presentations from speakers representing major sectors of our economy – the supply chain, risk assessment and management, financial, energy and telecommunications – I was inspired by the pioneering efforts of many corporations and also anxious about the enormous work that remains. The Reform Institute will soon release a report with findings and recommendations for enhancing resilience based on the proceedings of the symposium.

Making resilience a national priority will bring the focus that has been lacking from the mission of DHS since its inception. Resilience can also tap into the energy, resolve and ingenuity of the American people, as opposed to current policy, which views citizens and private industry only as potential victims and targets. And, perhaps most importantly, a national focus on resilience can bring much-needed stability to an economy that has been overwhelmed by market failure, heightened uncertainty, and failing infrastructure.

A catastrophic event that severely disrupted economic activity could have a devastating effect on our economy. By hardening vulnerabilities such as our infrastructure and supply-chain and generally enhancing the ability of the U.S. to stay open for business during a crisis, we will bolster investor and consumer confidence in our economy. Moreover, every dollar spent on resilience can be a dollar invested in deterrence: targets that don’t fail or generate ripple effects when attacked are far less attractive to terrorists.

The attention towards resilience is a welcome sign. We must now ensure that resilience becomes a comprehensive plan of action, and not simply an empty slogan. This will require public-private collaboration to implement innovative new systems and programs already being initiated by the private sector, such as SAP’s supply chain management software and CSX’s Network Operations Workstation. It will also demand effective leadership to shepherd these changes through. That will be my message to Congress.

Robert W. Kelly is Senior Advisor to the Reform Institute’s Homeland and National Security Center.  He is also a Founder and Managing Partner of CenTauri Solutions, LLC, a professional services firm that specializes in high-end consulting and technical services for the public and private sectors.

DHS today rolled out its Small Vessel Security Strategy (SVSS). The SVSS is designed to reduce risk without needlessly reducing “the freedom of operation common to the nation’s waterways,” according to the Department’s statement.

Homeland Security Secretary Michael Chertoff cites the bombing of the USS Cole at a port in Yemen in 2000 as evidence that terrorists view the maritime domain as a target. He is quoted as saying that the security paradigm in today’s domestic waterways and port areas rely on an “honor-based neighborhood watch program.” The SVSS, he said, replaces this environment “with an efficient and successful means to combat terrorism along our waterways.”

Readers may recall the National Small Vessel Security Summit that DHS convened in June 2007. Findings from this event informed the SVSS and identified risks associated with the illicit use of small vessels. The SVSS focuses on the following threats:
• waterborne improvised explosive devices;
• use of conveyances for smuggling weapons into the U.S.;
• use of conveyances for smuggling terrorists into the U.S.; and
• use of “waterborne platforms for conducting a stand-off attacks.”

To mitigate these threats, the Small Vessel Security Strategy seeks:
• Better identification of small vessels operating in U.S. waters;
• Expanded radiological/nuclear detection capabilities;
• Improved situational awareness and information sharing;
• Enhanced data analysis to identify high-risk concerns;
• Leveraged technology to enhance the ability to detect, determine intent and when necessary, interdict small vessels; and
• Deepened “coordination, cooperation, and communications between federal, state, local and tribal partners in addition to the private sector and international partners.”

The document actually includes descriptions of the authorities vested in DHS and the overall federal government in implementing this strategy. It also includes details about the roles served by each agency within and outside of DHS, and also a list of relevant interagency institutions. DHS plans next to develop the small vessel security implementation plan to take place this year.

P.J. Crowley, Senior Fellow and Director of Homeland Security at the Center for American Progress convened a panel discussion yesterday morning on the near-term future of HLS and the new report from P.J. and CAP, entitled “Safe at Home.”

The Chairman of the House Homeland Security Committee, Congressman Bennie Thompson, kicked off the gathering with his own scene setter of where things are today. The discussion invoked such important topics as resiliency, HLS doctrine, the role of people in securing the homeland, and how to overcome information sharing obstacles that currently hinder overall progress.

My very first post on this blog covered a presentation by Chairman Thompson at an event at the Homeland Security Policy Institute. Then, as now, the oversight environment for DHS was contentious. Back then, the policy community was abuzz with the switch in power in the Congress. Yesterday morning’s discussion focused on how this Congressional session will finish out and how the next Presidential administration can obtain the best footing in taking leadership in securing the homeland.

Chairman Thompson intends to dedicate a series of hearings to resiliency and another solely to the topic of the transition from this administration to the next in terms of handling the transfer of DHS leadership. Thompson’s strategic goal, he said, was to achieve a secure homeland based on a “freedom from fear.”

Thompson also dropped a couple of other news items, too:

The Senate is expected to work up an authorization bill for the Department of Homeland Security sometime this July.

The HLS Committee plans to reach out to members of the presidential campaigns in their process of looking into transition issues.

My colleague, Dan Prieto, and former 9/11 Commission senior staffer Barbara Grewe spoke on the panel that followed, with P.J. Crowley moderating.

P.J. opened with an incisive analysis of the state of homeland security affairs based on his new paper, Safe at Home: A National Strategy to Protect the American Homeland, the Real Central Front. That last clause is a direct criticism of those who suggest that Iraq is the central front in the war on terrorism. P.J. explains that its just the best funded front: We spend twice as much on securing Iraq as we do on securing the U.S. He didn’t miss the opportunity to take issue with the term “war on terror” either.

Dan, noting the roll-out this week of IBM’s new report on the subject, clarified the role for resilience in this domain:

“Resiliency is defined as the ability to recover quickly from, or to resist being affected by a shock or disruption. Resiliency is a more powerful concept than simply “response and recovery” because it demands that security and commerce be treated as simultaneously achievable goals.”

The new IBM report, Global Movement Management: Strengthening Commerce, Security, and Resilience in Today’s Networked World, provides a survey and analysis of the \ three main components of resilience: people, technology, and governance. Dan explained further that:

“[Resilience] implies a greater level of forethought and planning ahead of time instead of simply reacting after an event. It stresses the importance of how to train people, build systems and technology and implement governance so that people are prepared on the front lines to react in the right way. It is about making sure that the right people have the right information at the right time to make the right decisions in the right way.”

Overall, a pithy deconstruction of how our nation’s investments risk being misapplied led to a trenchant discussion of how best to trigger the next phase in securing the homeland. If he had his way, P.J. would focus far more resources on the likelier threats, such as IEDs, chem., and cyber. His report offers, among other things, the following table:

Click to enlarge

Last week DHS Secretary Michael Chertoff delivered a speech at Yale University entitled “Confronting The Threats To Our Homeland.” Citing the five-year mark for DHS and the three-year mark for his tenure as its head, he explained that such an occasion warrants not just one speech, but four.

And the first — the one he delivered at Yale — offers insight into the way he views the “challenges and threats that we face over the next five and ten years relating to homeland security in the broadest sense.” He did offer this caveat: his views would be focused not only on counterterrorism, but also on threats to public safety and other risks that “are of national dimension.”

Chertoff promised that his second speech would address “what we have done and what we need to continue to do to prevent these threats.” The third speech will focus on how to reduce vulnerabilities to threats. (Not sure how this will differ from speech #2.) The final speech he plans to give is on response to catastrophic events, man-made or natural.

Readers may recall the February 28, 2008, post that described ways in which we could work with other countries to build their counter- and anti-terrorism capacity through existing multilateral mechanisms to gain better cooperation overseas. The Center for Strategic and International Studies yesterday rolled out their new report that delves into the same topic with a focus on how the State Department and Pentagon ought to be better integrated in executing security assistance programs. While interagency coordination is the goal, and the report makes significant gains in this direction, there no mention of the Department of Homeland Security and its overseas presence serving a role.

The explicit recommendation in the paper is to rebalance the roles of State and DOD in carrying out “preventative civilian foreign and development policy instruments.” In doing so, the authors of the report, Kathleen Hicks and Stephen Morrison, recommend a better engagement of the U.S. Agency for International Development (USAID) and international NGO’s. Congresswoman Susan Davis, Congressman Geoff Davis, former DOD CFO Dov Zakheim, and president and CEO of CARE USA Helene Gayle spoke on the panel that convened at the Capitol to introduce the paper’s findings.

The aspects of the report most relevant to this blog deal with counter terrorism capacity building. The report suggests that “joint strategic planning and coordination” ought to occur between State, DOD, and USAID. The report offers solid recommendations for accomplishing this, but includes no mention of the role of the federal agency most involved with civilian efforts to combat terrorism: the Department of Homeland Security. The panel expressed doubt that DHS could contribute much to the mission due to its own lack of organization. The moderator even questioned whether the topic has anything to do with the new report.

It is no surprise that DHS does not immediately come to mind when considering an international strategy. However, this one, focused on civilian capacity for combating terrorism with reduced role for DOD, is incomplete with out DHS. And while DHS may not yet be up to the task, let’s make it so. The February 28, 2008, post offers some specific options.

Much of the CSIS report focuses on critical details about how things work now and where the drivers of the problems actually exist. For example, it describes the potential of USAFRICOM, the use and misuse of CERP funds, and the lessons learned from Provincial Reconstruction Teams. It is clear that an interest remains in attempting to reassert the role of the State Department’s regional Assistant Secretaries in the context of powerful country ambassadors and unified combatant commanders (formerly CINCs). There is a call for joint regional planning entities to better integrate these roles.

For more on this topic, see the 2001 report on Forward Strategic Empowerment: Synergies Between CINCs, the State Department, and Other Agencies. The report is the product of a taskforce led by former Army Chief of Staff Shy Meyer and former Undersecretary for Political Affairs Tom Pickering.

Reader Eric asked about the adoption by other nations of the ‘homeland security’ concept. HLSWatch asked Secretary Chertoff in yesterday’s meeting to discuss his recent trip to the Middle East. A member of the media there asked him a question that allies in general ask the U.S.:

The “U.S. fights terrorism overseas to prevent terrorists from performing terrorist acts in the U.S. What’s your comment on these thoughts?

Read: The U.S. advocates a layered global defense against terrorism to keep the threat away from the homeland. This implies to audiences overseas that we’d rather have it out on their homelands. Can’t blame them for assuming the worst, but Chertoff is right to say that a layered defense is the best defense. How that helps allies is in how we define “layers.”

A layered defense isn’t just about geographic layers though. There are information layers that reveal intentions and enable us and our allies to act before an attack. Financial flows also serve as a layer to create a hurdle that terrorists must cross in organizing an attack. Layers like these are opportunities to complicate the efforts of an adversary and force him into a vulnerable or detectable position.

Allies don’t just benefit from the U.S. pursuing a layered defense. We all do since a true layered defense in the 21st century requires certain basic agreements to be struck among allies. They include the nature of the threat, concepts of success, and acceptable trade-offs. In this sense, any progress the U.S. and Europe make in resolving information sharing for transatlantic flights is mutually beneficial. Of course, if we can’t convince our allies of the mutual benefit, either there isn’t one or we’re not very convincing.

The United Kingdom released its next national security strategy, entitled “Security in an Interdependant World.” It lays out “guiding principles” that underpin their strategy. The strategy also provides a threat assessment, defines “drivers” of insecurity, the UK’s responses to these threats and drivers, and an organizing framework for how the UK plans to work with and leverage other countries, organizations, and efforts to achieve national security. The strategy is similar in some ways to our national and homeland security strategies, but differences in emphasis and threat perception represent a divide in the way the U.S. views global threats and the way our closest ally does.

The UK strategy identifies six guiding principles that serve as both functions of the security strategy and the goals of it. They are “human rights, the rule of law, legitimate and accountable government, justice, freedom, tolerance, and opportunity for all.” The document notes, however, that the strategy can not be static in its pursuit of these goals. The UK government acknowledges that they must continually review the focus of its efforts, including identifying other “sectors or countries or international institutions [that] should be encouraged to play their part.”

A threat assessment in the strategy document identifies the following primary risks faced by the UK:

• Terrorism
• Nuclear weapons and WMD
• Transnational organized crime
• Instability driven by failed and failing states
• Civil emergencies
• State-based threats to the UK

The threat assessment acknowledges that threats posed by other countries or states remains the same as in 1998. The UK reasserts the view articulated in its 1998 Strategic Defence Review that

“for the foreseeable future, no state or alliance will have both the intent and the capability to threaten the United Kingdom militarily, either with nuclear weapons or other weapons of mass destruction, or with conventional forces.”

The current U.S. view of countries like Iran and Syria differ profoundly from this assessment. Our national security strategy argues that “Syria and Iran, continue to harbor terrorists at home and sponsor terrorist activity abroad.” And that “We may face no greater challenge from a single country than from Iran.” What do the British know that we don’t? Or are they missing something we’re not?

Okay, back to the slopes for me. We’ll dig into other relevant aspects of the new UK national security strategy next time.

Eric Schmitt and Tom Shanker wrote in the New York Times about current government efforts to adapt deterrence — described in the article as a hold-over strategy of the Cold War — to the terrorist threat of today. Deterrence, the effect of dissuading an adversary from taking a certain approach, strategy, or measure at your expense — is a strategy as old as war itself. Even Sun Tzu explained over 2000 years ago that “‘The supreme act of war is to subdue the enemy without fighting.” And while the President and many other pundits said in the wake of 9/11 that terrorists could not be deterred, policy makers and practitioners have never set aside deterrence as a component of anti- and counter-terrorism programs.

The difference between Cold War deterrence, when threat of retaliation was the currency of dissuasion, and today is that terrorists are difficult to retaliate against if they die in the attack or go underground. (We’ll probably never again have the opportunity we had after 9/11 to route them in a discrete geographic domain like Afghanistan.) Terrorists today respond instead to a fear of failure.

Policy options to pursue deterrence against terrorists is the subject of work done by the Council on Foreign Relations, RAND, and others, including the Nuclear Defense Steering Committee and the Nuclear Defense Working Group from 2004 to today. Schmitt and Shanker show how deterrence never really left the scene after the Cold War’s end, even at the local level. Paul Browne, the New York City Police Department’s chief spokesman is quoted explaining how deterrence helped to prevent a 2003 attempted attack on the Brooklyn Bridge. Indeed, everyone from CENTCOM to SpecOps to the State Department invest in deterrence.

The article points out some of the more recent applications of deterrence in cyberspace. Cyberspace represents a unique challenge and opportunity. The ubiquity of anonymous social hubs throughout the net offer those seeking support, recruits, and sympathy for terrorist attacks an advantage only available in cyberspace: It is hard to capture or kill someone on the Internet. However, the cyber domain also offers us an advantage: We can track and observe the behavior of terrorist groups on the Internet without their knowing, and use the information we gain to disrupt and even deter them.

I had the opportunity to visit a nondescript office building outside of DC in 2005 where several floors were filled with government experts tracking and analyzing radical and fanatic traffic on the web. They had Arabic and Farsi translators, tech specialists, hackers, counter-terrorism experts, and cultural analysts observing targeting activity all over on the Internet that represented likely threats or threatening groups and individuals. I asked why they didn’t just shut down the sites that clearly fostered anti-American or anti-Western sentiment, or those that flat out called for recruits to attack the U.S. They told me that it was better to know where these people were (a la Afghanistan) rather than run them underground only to pop up somewhere unknown (a la Waziristan) on the net. We use information gathered from activities like this to interrupt terrorist efforts through a number of means, including disinformation. Sowing doubt among terrorists and their supporters can be as effective in gaining a deterrent value as aiming nuclear weapons at a superpower.

In a sense, the cyber domain is the closest thing we have to what Afghanistan offered in the weeks and months that followed 9/11. It is the only place we can identify an active domain for us to target.

Today Congresswoman Jane Harman, chair of the Homeland Security Intelligence, Information Sharing and Terrorism Risk Assessment Subcommittee, published an op-ed in a California paper about how urgent homeland security is – or should be – as a national priority, suggesting that the next President must address the lack of an “effective strategy against major threats.”

She describes a horrific scenario that could take place at LAX: a dirty bomb attack on a highly populated civilian area. Try not to get spun up on the suggestions that terrorists might obtain enough americium from smoke detectors to make a bomb. (Estimates of the necessary amount of detectors range from 1500 to 7500.)

The real value in Harman’s article is the brief treatment she gives of the priorities the next President must embrace to secure the homeland. Readers will recognize some as similar to those included in the previous post entitled 2008 Wish List: Part I. Congressman Harman identifies enhanced intelligence, better stewardship of hazardous materials, stronger partnerships with international partners, and deeper involvement with the state and local authorities.  These are her words:

• Take the offensive against potential threats. Part of this equation is better intelligence - understanding the motivations and capabilities of our enemies, and using that information to anticipate and prevent attacks. For all its tough talk on terrorism, the Bush administration has done a particularly poor job on this front.

• Secure dangerous materials. The ingredients for a dirty bomb can be found in thousands of facilities across the United States - from hospitals to laboratories to water treatment plants - which often have extremely lax security.

Cesium and americium bind chemically to concrete and asphalt and become lodged in cracks on the surface of sidewalks, streets and buildings. Clean-up is nearly impossible. In some cases, demolition is the only practical solution.

• Enhance international relationships and cultivate new ones. Our allies are an extended defensive barrier, and there is much we can learn. Our solid relationship with the British enabled us to disrupt a terror plot to smuggle liquid explosives onto airplanes bound for the United States in 2006.

• Make state and local law enforcement a truly integral part of a homeland security strategy. Federal communication with these partners must improve. Law enforcement stands on America’s front lines and can offer valuable perspectives that inform the national intelligence cycle. They know their communities best. Programs established through the recently enacted 9/11 act will help facilitate information-sharing and avert needless panic caused by ambiguous “gut feelings.” DHS’s continued unwillingness to include local first responders meaningfully in preparing intelligence products borders on the irresponsible.

These explanations are pretty short on detail, but it is an op-ed. Hopefully, this is a sign of productive oversight from her Subcommittee on these important priorities. A hearing on the priority and potential role of the Congressionally mandated Quadrennial Homeland Security Review would be an ideal setting in which to address these questions.

Tomorrow, the National Cybersecurity Division – part of DHS’s Office of Cyber Security and Communications will hold its second large-scale national cyber exercise, Cyber Storm II. The exercise follows Cyber Storm I, held Feb. 6-10, 2006, the first government-led, full-scale exercise (FSE) on cyber security. These FSEs are intended to improve public and private sector interaction for enhanced decision making and information sharing, as well as better public communication techniques and stronger response and recovery capabilities.

The Cyber Storm II scenario will include coordinated cyber and physical attacks on critical infrastructure to simulate a political and economic agenda. Participants in the FSE include Federal, State, local, and international governments, as well as private sector entities from multiple critical infrastructure sectors.  The adversary for Cyber Storm I was depicted in this rendering (click to enlarge):

The National Cybersecurity Division (NCSD) is responsible for providing cyber security coordination and preparedness under Homeland Security Presidential Directive 7. The shorthand mission for NCSD is to coordinate the federal government’s “interaction with state and local government, the private sector and the international community concerning cyberspace vulnerability reduction efforts.”

I’d like to add one more goal for Cyber Storm II: Define cybersecurity once and for all.

In an article published by CSO Magazine, Rick Lawhorn, the former Chief Information Security Officer for GE Financial, identifies four different definitions of cyberterrorism or Cybercrime that need to be reconciled:

State Department definition, Title 22 of the U.S. Code, Chapter 38, Section 2656f(d): premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents, usually intended to influence an audience.

FBI definition: the unlawful use of force or violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives.

Defense Department definition: the calculated use, or threatened use, of force or violence against individuals or property to coerce or intimidate governments or societies, often to achieve political, religious, or ideological objectives.

United Nations definition: any act intended to cause death or serious bodily injury to a civilian, or to any other person not taking an active part in the hostilities in a situation of armed conflict, when the purpose of such act, by its nature or context, is to intimidate a population, or to compel a government or an international organization to do or to abstain from doing any act. Article 2(b) of International Convention for the Suppression of the Financing of Terrorism, May 5, 2004)

Lawhorn is right. The absence of a standard definition of the cyber threat hobbles efforts to track it, understand it, and identify the characteristics that comprise its profile.  This same gap plagues efforts to combat overall terrorism. This is most apparent when we attempt to work with allies overseas, but the recent REAL ID showdown with Montana, South Carolina, and Maine are another example close to home. If cybersecurity is achieved by orchestrating federal, state, local, and international governments, as well as private sector entities from multiple critical infrastructure sectors, a baseline definition is an unavoidable first step.

UPDATE — DHS Issued a press release this evening with a link to more information about Cyber Storm II.

CQ ran a story today commemorating the fifth anniversary of DHS by citing the roundtable Secretary Chertoff convened on Monday with about ten bloggers. At the roundtable, Chertoff outlined the Department’s goals over the next year and fielded questions on a range of topics. Details about this gathering are available here.  In follow-up, CQ Homeland Security’s editor invited more than two dozen experts in government, think tanks, and the private sector to comment (in about 200 words) on whether the creation of DHS was a good idea and, if you had the chance to do it all over again, what would you have done differently?

My response is listed second under the Academia and Think Tanks grouping.  Since its available by subscription, I’ll only excerpt my comments below.

All are worth a read, but I recommend reading the contributions from Clark Ervin (former DHS IG), P.J. Crowley, Scott Hastings (former US-VISIT CIO), James Lee Witt, Bennie Thompson, and Sec. Chertoff.

Jonah Czerwinski, managing consultant for Global Business Services at IBM and a senior adviser on Homeland Security Projects at the Center for the Study of the Presidency

“The stand-up of DHS has delivered both winners and losers during a tumultuous start challenged by self-inflicted wounds. The path forward requires a strategy that rebalances the homeland security mission with clear priorities and a new strategic framework.

Some pre-existing organizations, like the Coast Guard, enjoyed heightened authorities and larger budgets due to the reorganization that created the Department of Homeland Security. Others, such as FEMA, suffered an “org” chart demotion with real consequences on peoples’ lives as seen in the wake of Hurricane Katrina. Newly created entities, such as the Science and Technology Directorate, continue to struggle with the growing pains of integration and the battle for interagency legitimacy. A lot could have been done differently.

Initial objections by the Bush administration to creating a unified Homeland Security Department gave in to a real-word political science experiment that Congress passed in the form of the Homeland Security Act of 2002. The lack of initial administration support for DHS slowed progress and forced DHS to fight unnecessary bureaucratic battles with the Pentagon and the intelligence community, not to mention new counterparts overseas.

The department’s strategy to this day falls short of prioritizing its resources and investments around its uniquely difficult mission: combat significant threats while maintaining — even enhancing — daily operation of the economy and overall quality of life for all Americans and visitors. And don’t forget natural disasters. A framework that puts this entire mission into a workable perspective may be achieved by the forthcoming — and first ever — Quadrennial Homeland Security Review. Regardless, the next president inherits DHS with a responsibility to elevate this department’s stature, rationalize its White House coordinating entities, and craft a strategy sufficient to the task.”

A post here earlier this week detailed a conference on homeland security taking place in the Middle East next month. I suggested the U.S. should be more proactive in engaging that region on such issues as protecting civilians as a means to bridging a perception gap about the threat of terrorism made worse by the Iraq war, among other things. That we have an attaché attending the conference in Abu Dhabi, whereas the British and Spanish are dispatching senior officials, represents an important missed opportunity.

Some readers – only half joking – thought we wouldn’t have much to say of value at the conference anyway. We have a lot to gain from sharing what we do know about protecting the homeland, especially with governments in that region. However, doing so would benefit greatly first by deploying multilateral mechanisms for engagement. NATO is ready for such a role.

NATO’s unique map of nearly sixty countries represents the only multilateral consultative environment in the world wherein the U.S retains a significant – albeit underutilized – political advantage. Creative U.S. leadership of NATO in the 21st century can foster a better consensus between the U.S. and the many other countries within that framework for how to combat the evolving threat posed by terrorism. This would include a targeted mix of security cooperation efforts, deeper dialogue on counterterrorism best practices, and capabilities training. Ultimately, such leadership would serve as the basis for greater cooperative efforts in crucial regions that serve U.S. security and foreign policy interests.

While the very purpose of NATO was questioned after the Cold War ended, many observers expected the post-9/11 security environment to offer the Alliance a lifeline, if not a renewed raison d’etre. Ultimately, uneven U.S. engagement of NATO in Operation Enduring Freedom (Afghanistan), combined with the deterioration of U.S.-European relations in the lead up to and conduct of the Iraq war, fed doubts about NATO’s relevance as the 21st-century security environment took shape. Without an engagement of NATO that redeploys the non-military legitimacy and outreach of the Alliance, the U.S. risks finding its cooperative security options unnecessarily limited when they are needed most.

The first seven years of the war against terrorism demonstrated the importance of developing trust and confidence with non-traditional allies, namely those in the Mediterranean region and the Middle East. U.S. national and homeland security interests would benefit from developing innovative security assistance relationships here as it would garner more confidence and trust among countries that, while not pro-American, have not assumed entrenched anti-American positions. NATO offers the potential to assist in developing capabilities for counterterrorism (defeating terrorists) and antiterrorism (protecting civilians) as the new currency of cooperation.

The current level of political engagement of NATO by the U.S. obliges Western policymakers to pursue a less unified – and suboptimal – approach to working with important countries in the Mediterranean and Middle East, which includes approximately fifteen countries within NATO’s Mediterranean Dialogue and Istanbul Cooperative Initiative. The U.S. can focus resources that reinforce a relatively pro-American political environment without forcing nations of the region to choose between the U.S. and Europe or spurn regional allies by appearing overly pro-western if we engage them through such consultative mechanisms as the Med/D and ICI.

This initiative would enable the development of policy options to help pursue U.S. homeland security and counterterrorism interests while cultivating a more productive dialogue between the U.S. and critical countries in the Mediterranean and Middle East. This includes maximizing or augmenting current NATO programs such as the Program of Work on Defense Against Terrorism, NATO Security Through Science, and the Euro-Atlantic Disaster Response Coordination Center. Each of these efforts contributes greatly to U.S. interests. Yet the U.S. has allowed or even led efforts to cut funding of some of these most essential programs.

Certain perennial challenges would complicate an effort by the U.S. to recalibrate engagement of NATO in this way. First, EU leadership remains reluctant to encourage members also belonging to NATO to support a more substantive NATO role in protecting civilians as well as troops. This “EU Bloc” in NATO can be formidable: France, Belgium, and Germany, among others, regularly obstruct efforts to broaden NATO’s non-military engagement. France routinely objects to – and almost as often succeeds in preventing – proposals at NATO to focus its existing capabilities on homeland security requirements.

This proposed initiative should identify ways for the U.S. to neutralize – or at least offset – unnecessary competition with the EU. One model might employ the NATO “Quad,” whereby political directors from Germany, France, UK, and the U.S. work together on an ad hoc basis to identify shared objectives and negotiate acceptable solutions on a wide range of security concerns through NATO. The tensions surrounding the Iraq war left the Quad to languish, but U.S. leadership to reinitiate this dialogue could generate useful progress.

A second problem is in Washington: Disunity between the U.S. Homeland Security Department’s objectives and the Departments of State and Defense further complicates the use of NATO for these purposes. After more than three years since its creation, DHS runs few, if any, coordinating efforts with State or Defense at the U.S. NATO mission.

Failure to change course from the currently constricted approach to NATO risks denuding this historic alliance that has served American interests for over fifty years, while severely limiting U.S. freedom to develop broader consensus in the war against terrorism, deeper cooperative engagement with the Middle East and Mediterranean region, and a more durable dialogue with the nearly sixty countries under NATO.

We are here to do the work that ensures no other family members have to lose a loved one to a terrorist who turns a plane into a missile, a terrorist who straps a bomb around her waist and climbs aboard a bus, a terrorist who figures out how to set off a dirty bomb in one of our cities. This is why we are here: to make our country safer and make sure the nearly 3,000 who were taken from us did not die in vain; that their legacy will be a more safe and secure Nation.

That’s how we’ll start a mini-series here on HLSWatch to take a look at how the candidates of both parties stack up on homeland security. We’ll take each in turn, and, since the quote above is Senator Barack Obama’s, we’ll start with him. And since this is Chesapeake Tuesday, those of us in DC, Maryland, and Virginia are voting today in the primary elections. If you’re here, please vote!

This series will focus on the priorities of the candidates. Since the campaigns and the candidates cannot reasonably cover every topic within this broad subject of homeland security, let’s see what they highlight as the most important issues for meeting the expectations quoted above.

Obama made headlines at the first Democratic debate of the election season when asked what he would do first after a terrorist attack on the homeland if he was president. Instead of offering the predictable “Kill or capture those responsible, if they aren’t already dead as a result of the attack,” Obama said he’d first make sure the victims were tended to. Interesting. Why not fire missiles at the mountains between Afghanistan and Pakistan to at least send a message while we plan? Why not go before the TV cameras and proclaim that whoever is responsible will be held so? Because we gain two things if we first respond to the victims and neither has to do with political messaging:

1. If the attack is carried out with a form of WMD, there is a lot we can do to mitigate the impact of the attack by forcefully responding to the needs of the victims and effectively communicating or evacuating those nearby and at risk. The president must be engaged.

2. The intel community starts responding immediately. But when the president takes a step back and deals first with the consequences of the attack – if only for the first day – we stand a good chance of learning important facts about the attack and its perpetrators that could be critical in determining the quality of intel and deciding what is the best response for the president.

Obama was criticized for suggesting this. In hindsight it reflects a smart approach that would hopefully be the same for anyone in that office. However, it is telling that his immediate answer already understands this.

But what about his programs? How would he apply our nation’s resources to prevent the next attack or prepare to limit its impact? While it isn’t very exciting, his campaign lists a few priority areas that make sense.

Obama’s position is outlined by his campaign as pursing the following priorities:
• Bolster emergency response
• Protect critical infrastructure
• Improve intelligence capacity and protect civil liberties

All good things, even if the details read as though they were written a year ago. Each of these priorities should be top of the list for any incoming administration, e.g. allocate funds based on risk, revise the response plans and critical infrastructure plans, revise PATRIOT Act and FISA laws to protect civil liberties. And I must admit that it is a welcome sight to have nuclear stewardship articulated as part of this position. Obama’s Spent Nuclear Fuel Tracking and Accountability Act could be a real asset in reducing the threat of dirty bombs or smuggled nuclear material. And finally, he includes the right decision about restoring habeus corpus. More on that issue available in this post.

But this plan also risks falling victim to a sort of policy myopia to which most homeland security plans fall: It does not sufficiently acknowledge and incorporate the interagency and international dimensions of a successful homeland security strategy. (His attention to securing loose nuclear material is a worthy exception.)

I’d like to see more about how he considers homeland security as tying into national security. Moreover, what are his plans regarding the perennial urge to reorganize the Department of Homeland Security and its related structures? What role does he see for the rest of the government “beyond DHS” in securing the homeland?

We’ll see which candidate is up next on HLSWatch. In the meantime, get out there and vote today!

DHS convened a major National Small Vessel Security Summit late last year, and the after action report is now available. While I first considered small boat security to be about as niche a topic as is possible (with more public affairs appeal than public policy), this report shows a heck of a lot of work went into the effort of making the event productive and relevant on a national scale.  The report was prepared by the Homeland Security Institute and, at 122 pages, is a daunting read. Especially with so few pictures. HLSWatch readers get the cliffs notes.  Main recommendations of the effort are as follows:

1.  AIS tracking technologies should not be required for vessels under 65 feet in length until the technology is perfected (read: likely never), the cost of such technology significantly reduced (read: paid by the Feds), and until law enforcement has the ability to track and respond to all vessels in the maritime domain (read: moveable goalpost). RFID technology or other OnStar-like monitoring features can be used in the meantime.

2.  The National Homeland Security Strategy needs a component that represents a National Small Vessel Security Strategy based on a layered defense. (Echoes of the WME Task Force.) This strategy should not, the report explains, focus on deterring a specific type of terrorist attack but should enhance the overall safety and security of the maritime domain. Rightly, the forum recommends that the strategy provide for guidance in coordination with international partners.

3.  Licensing, registration, or tracking of small boats used by private individuals should be accomplished by DHS with the lightest of touch. Failing to do so will be costly, ineffective, and rood (it will “alienate the small vessel operator”).

4.  State, local, tribal, and territorial maritime law enforcement entities need additional funding because, in addition to “other public safety and security missions,” this is too much.

5.  Establish a universal hotline telephone number, similar to the National Response Center 1-800 number, for the boating community to use in reporting suspicious activities and emergency situations.

6.  States could add a boat operator credential — like those required for tractor trailer or school bus drivers — to their state driver licenses. This could lead to a national boat registry for use by law enforcement agencies.

7.  The U.S. should enhance international cooperation and intelligence sharing with “our foreign counterparts,” especially Mexico, Canada, and countries of the Caribbean because these nations are the most likely departure points for a small vessel terrorist attack from overseas.

8.  More fusion centers! The report explains that conference participants felt that additional fusion centers would enable stakeholders to better share, analyze, and disseminate intelligence to with the USCG, CPB, U.S. Navy, the Harbor Master and state and local law enforcement agencies.

9.  Permanent Employment of the DNDO Act: Conference participants believe that federal, state, local, tribal, and territorial law enforcement agencies should be “provided with nuclear detection devices so they can detect radioactive signatures on small vessel and in cargo.” The rest of this language is worth reprinting:

The cost of such equipment requires federal guidance and oversight. In addition, the federal government should develop RAD/NUC detection devices with a stand-off capability in order to provide detection without directly impacting small vessel operators. The federal government should also consider placing nuclear detection devices on commercial vessels in a partnership to increase the chance of detecting a nuclear device or nuclear material before it reaches a major U.S. port or population center. Lastly, the federal government needs to strengthen counter-proliferation initiatives with our foreign counterparts to prevent shipments of WMD, their delivery systems, or related materials from reaching the U.S. maritime domain.

Only have time to make sure you have a link to this final report.

If interested, the official DHS statement about the Framework is here:

WASHINGTON – The Department of Homeland Security (DHS) today released the National Response Framework (NRF), successor to the National Response Plan. The NRF, which focuses on response and short-term recovery, articulates the doctrine, principles and architecture by which our nation prepares for and responds to all-hazard disasters across all levels of government and all sectors of communities. The NRF is responsive to repeated federal, state, local and private sector requests for a streamlined document that is less bureaucratic and more user-friendly. The NRF also focuses on preparedness and encourages a higher level of readiness across all jurisdictions.

The NRF is being released following an extensive process of outreach and coordination between DHS and key stakeholders representing federal, tribal, state and local governments, non-governmental agencies and associations, and the private sector. The latest public comment period for the base document of the NRF closed on Oct. 22, 2007 and the comment period for the support annexes closed on Nov.10, 2007. The final documents reflect the nearly 5,700 comments received from participants of the process.

“The National Response Framework is an essential tool for emergency managers at all levels,” said Homeland Security Secretary Michael Chertoff. “It helps define the roles, responsibilities, and relationships critical to effective emergency planning, preparedness and response to any emergency or disaster. Today’s release reflects the culmination of many months of hard work and collaboration within the nation’s emergency management community.”

The NRF is intended for senior elected and appointed leaders, such as federal department and agency heads, state governors, mayors, tribal leaders, city managers and the private sector. Simultaneously, it informs emergency management practitioners by explaining the operating structures and tools routinely used by first responders and emergency managers at all levels of government.

The NRF is designed to:
o be scalable, flexible and adaptable;
o always be in effect; and
o articulate clear roles and responsibilities among local, state and federal officials.

In addition to releasing the NRF base document, the Emergency Support Function Annexes and Support Annexes will be released and posted at the NRF Resource Center (www.fema.gov/nrf), an online repository of the entire component parts of the NRF. The annexes are a total of 23 individual documents designed to provide concept of operations, procedures and structures for achieving response directives for all partners in fulfilling their roles under the NRF.

Upon finalization and publication of the NRF base document and the annexes, a large focus will be to initiate an intensive nationwide training and exercise program to embed the NRF into the nation’s preparedness and response cycle. Implementation of the NRF training and exercise strategy will include awareness training, position-specific training, exercises (tabletop and functional), and sustainment training.

To make the NRF a living system that can be revised and updated in a more nimble, transparent fashion, the NRF Resource Center was developed. The Resource Center will allow for ongoing revisions as necessary to reflect real-world events and lessons learned.

The NRF and the annexes will go into effect 60 days after publication in the Federal Register.

Additional public information about the developing cybersecurity policy can be found in an interview with DNI McConnell in the Jan 21, 2008, issue of The New Yorker. In it, interviewer Lawrence Wright describes McConnell’s path to prioritizing cybersecurity, the scale of the challenge to secure both government and private networks, and some of the unique characteristics of the plan that invoke privacy concerns. As noted in yesterday’s post, the President requested $436 million to fund cybersecurity initiatives likely to be driven by this strategy.

Highlights:
• In May 2007, at a meeting with the President and several cabinet members, McConnell asked for authority to wage information warfare against the tech savvy insurgents in Iraq. McConnell identified computer-network defense as an area in which the U.S. was under-invested. The President then charged McConnell to craft a security strategy, not only for government systems but also for American industry and private individuals.

• McConnell’s Cybersecurity Policy, which is still in draft, recommends reducing the access points between government computers and the Internet from two thousand to fifty.

• McConnell expresses concern about private sector defense. “The real question is what to do about industry,” McConnell is quoted as saying. He continues, “Ninety-five per cent of this is a private-sector problem.”

• McConnell suggests that the “real problem is the [cyber crime] perpetrator who doesn’t care about stealing [money] —he just wants to destroy.”

• Privacy protections are considered to be in conflict with enhanced security. A contributor to the strategy and long-time collaborator with McConnell says that the government needs the authority to examine the content of any e-mail, file transfer, or Web search.  Citing a maxim among the info-sec community, he concluded that “Privacy and security are a zero-sum game.”

• Aware of the difficulties in obtaining new powers for security measures, McConnell says that “FISA reform will be a walk in the park compared to this….”

Perhaps the way we’ve arrived at considering spending billions on missile defense for commercial airliners and monitoring paintball games for signs of extremism is along the appealing path of “it could happen.” In the early days following 9/11, many of us in the policy community worried about the nature of follow-on attacks, which gave way to defensive measures based on scenarios, which led to ever more ominous scenarios, and ever more expensive countermeasures. Is this serving us well as an approach to Homeland Security?

To be sure, we have a lot of work to do and a lot of worthy work is underway at DHS, State, and Defense that is critical to combating terrorism. However, we should beware the tendency to shape our strategy based on the theory that “it could happen.” Could terrorists fire surface to air missiles at airplanes leaving LaGuardia? Yes. Likely? Hard to say. Worth $10 billion to reduce but not eliminate the possibility? Hardly.

So it bothered me when Paul J. Browne, an NYPD police spokesman told the New York Times this week, “One call one day may be the one that stops an attempt to destroy the Brooklyn Bridge.” He was justifying the ubiquitous ad campaign across the City’s subway system urging riders to “say something” if they “see something.” The motive initially makes sense: A complacent ridership risks missing indications of a conspiracy to bomb the subway trains. I suppose the assumption is that had the other riders on Spain’s train to Madrid on the morning of March 11, 2004, noticed the terrorists leaving their bomb-rigged bags, the concerned commuter would have alerted others and possibly avoided the carnage.

Last year, according to NYPD, 1,944 subway riders “said something.” By calling 1-800-NYC-SAFE, subway riders warned of “people seen counting in the subway.” Callers worried this was an antecedent to something nefarious and deadly. In all, the hotline received 13,473 calls in 2007, with 644 of those triggering investigations. (Of these calls, 45 were transit related.)

While some crimes were inadvertently uncovered by the callers “ranging from selling false IDs to illegal fireworks peddling” none of the calls resulted from or discovered actual terrorism threats. NYC’s subway riders were applying their own “no-fly list” to other riders. 13,373 callers would have sent fellow riders to secondary, but would have found no terrorists. This is the trickle down effect of “it could happen.”

The “it could happen” approach results from a steep national learning curve about terrorism that persists more than six years after 9/11. Terrorism is a complicated issue, and one that continually evolves. No doubt the general public has little time to read up on radicalism or studied analyses of terrorist behavior. But if our homeland is secured by an “anything’s possible” strategy, we’ll wind up doing at least one of three things:
• Going broke
• Tying up anti-terrorism assets with non-threats
• Eroding our sense of community and eventually our ability to be resilient if we are attacked again

None of these outcomes will happen quickly. However, the prospect does force a cost-benefit analysis of a new kind. Is it worth $10 billion to reduce the chance of a successful MANPAD launch against an airliner? Does a terrorism hotline make us safer if we don’t know what to look for?

National strategies – from Homeland Security to housing programs – require tradeoffs. But assessing the costs and benefits accurately requires balancing near-term and long-term needs with a sober assessment of the strategic threat. Seven years into the national effort to secure the homeland, we still seem to be struggling to understand this equation.

UPDATE: I will concede this: the terrorism hotline serves another potential benefit beyond empowering subway riders. The notion of an overly alert ridership has the potential to introduce enough uncertainty on the part of a perpetrator to second guess the viability of an operation. The flipside is that terrorists become more covert to further lower their profiles. The most effective measure would force a would-be terrorist to take more steps to avoid detection, thereby providing more indicators of a planned attack.

Happy New Year. What follows is not exactly my list of resolutions for 2008, but rather four consolidated priorities I’d like to see accomplished in order to improve our security at home. Since this blog embraces a broad definition of those factors that contribute to (or further denude) our homeland security, the topics are similarly beyond the normal scope of the homeland security debate (state grants, first responder interoperability, etc.)

Preempt the Terrorists’ Pursuit of WMD
We know that terrorists want them. We know that they are hard to detect when smuggled and to respond to when detonated or released. There’s a lot that can be done in the way of eliminating terrorist access to WMD, but it’ll take a sizeable commitment. While Russia’s military maintains more than 1,000 tons of highly enriched uranium (HEU) and at least 150 tons of weapons-grade plutonium, even more HEU remains in research reactors in dozens of nations around the world, many with security inadequate to prevent theft.  The “loose geeks” problem is as relevant as the loose nukes threat. According to the Nuclear Threat Initiative, thousands of weapons scientists (presumably in Russia) are still without a steady paycheck.

In 2008, let’s ramp up Cooperative Threat Reduction (CTR) efforts to role back this twin threat and keep WMD out of terrorists hands to begin with. Start with a plus-up for the CTR budget that amounts to a mere 10% of the budget we annually spend on, say, missile defense. That would be $1 billion for CTR, which is quite a jump from the paltry $342 million presently budgeted.

Finish the Job in Afghanistan to Prevent Further Terrorist Support
Focus on al Qaeda and Basic Stability
Our mission there is on a collision course with itself.  What once was the frontline in fighting terrorism is on the backburner while our security gains there erode.  We need a “surge” in Afghanistan to create the kind of political and security environment to enable our (albeit imperfect) reconstruction teams, more effectively distribute aid, provide the running room that nascent government needs in order to assert itself and gain the legitimacy it so sorely lacks in many parts of the country. That the Taliban and al Qaeda are still operating there after the early successes of 2001 and 2002 is utterly regrettable.

Recommit to NATO
Start with Afghanistan and follow up at Bucharest
Rebalancing America’s troop commitments in Afghanistan consistent with our national security goals is only part of the solution there. It is a NATO operation and our national interests are served by NATO’s success. Our Alliance is more than a sunk cost from the Cold War. NATO brings together 26 nations – largely under U.S. leadership – on a strategic security agenda that reflects U.S. national interests in 2008 and far into the future. Coalitions of the willing may actually have their place, but nothing is more valuable than the potential legitimacy generated by almost 50 countries (including NATO Partners).

We’ve known since 9/11 that our national security interests are in the common interest among our allie