Homeland Security Watch

Whoever says that homeland security is a domestic enterprise misses the big picture (and a number of posts here). GAO this month released a study commissioned by the Congress that investigates how U.S. Customs and Border Protection engages the global community to harmonize security standards intended to secure the international supply chain. “CBP has taken a lead role in working with foreign customs administrations and the World Customs Organization (WCO),” GAO states.

Oceangoing cargo containers serve as the lifeblood of global trade. Yet they also pose a risk of terrorist exploitation, according to the GAO and numerous other studies. CBP is the main government entity in the U.S. responsible for overseeing security of the global supply chain.

The adoption of uniform international customs security standards is the foundation for governance frameworks that can support greater security through mutual recognition of customs security-related practices and programs. Ultimately, such governance frameworks enable partnering nations to recognize and accept security measures taken by another administration. This leads to less porous security networks, greater efficiencies, and a more resilient global economy.

CBP collaborated with eleven other members of the WCO to develop the Framework of Standards to Secure and Facilitate Global Trade (SAFE Framework), which draws upon familiar concepts of the Container Security Initiative (CSI) and the Customs-Trade Partnership Against Terrorism (C-TPAT). While these two programs have their flaws, the SAFE Framework provides standards for collaboration among numerous national customs organizations participating in the global supply chain. As of July 2008, 154 WCO members had signed letters of intent to implement the SAFE Framework standards.

While the SAFE Framework establishes a system of mutual recognition for smoother global trade among interdependent countries, it is by no means the only effort underway to harmonize global supply chain security initiatives. GAO reports that in June 2007, “CBP signed a mutual recognition arrangement with New Zealand – the first such arrangement in the world – to recognize each other’s customs-to-business partnership programs.” Just this summer, CBP signed mutual recognition agreements with Jordan and Canada, and by early 2009, CBP anticipates establishing a mutual recognition agreement with the European Commission, representing 27 nations of the European Union.

First, a sincere thank you to PJ Crowley, James Carafano, Clark Ervin, and Peter J. Brown for their contributions to HLSwatch during this past week. James’ piece on the cyber attacks conducted on Georgia during its confrontation with Russia over South Ossetia raised questions about not only who was to blame, but how Georgia should respond.

Both The Washington Post and The Wall Street Journal ran stories this past week about how cyber attacks on government and private sector entities of Georgia are invoking a debate about whether offensive measures in cyber space amount to acts of war. Because the cyber attacks occurred during the military offensive between Russia and Georgia, it begs the question about whether and how a government should respond to attacks on its cyber assets by way of the electromagnetic spectrum.

Finely-calibrated responses to attacks involving traditional kinetic methods has existed and evolved over the centuries. But measuring the appropriate response to a cyber attack is a unique challenge because information operations (IO) use digital weapons, new methods of attack, and novel targets.

Michael N. Schmitt, author of Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework, (1999), offers perhaps the most concrete way of answering the difficult question: “When does the attack rise to the level of a ‘use of force’ under international law?”

The Schmitt analysis applies a quantitative scale (1 to 10) to each of seven factors in order to determine if a cyber attack equates to an armed attack and to characterize any information operation as being closer to one end of a spectrum or the other. These seven factors are:
• Severity
• Immediacy
• Directness
• Invasiveness
• Measurability
• Presumptive Legitimacy
• Responsibility

This amounts to a modern adaptation of Just War Theory. One of the latter’s tenets is “always in response.” Let’s see whether that makes it into practice in the 21st century.

The new National Emergency Communications Plan (NECP) , which was released last month is definitely a work in progress. And yet, exactly how far we have now come in general with respect to synchronizing planning and communications as we work to achieve national preparedness objectives including the NECP was apparent, for example, during the Nuclear Regulatory Commission’s meeting earlier this week with FEMA and state and local representatives.

In a free-flowing, roundtable discussion, state and local representatives spoke directly to the full Commission along with FEMA Director David Paulison. Among the issues raised was the need for federal personnel to actually take part in large-scale drills and exercises. This sort of frank exchange was unimaginable a few years ago. Today, however, it is essential. Making the NECP a coherent and user-friendly plan in a short amount of time requires a serious effort from all stakeholders.

The NECP’s stated “milestones” illustrate just how little time they have.

The first milestone calls for a review of the DHS’ emergency communications capability framework within 18 months “during a series of technical working group meetings with stakeholders from the emergency response community.” Another requires the creation within 24 months of the new emergency communications capability framework, which will be incorporated as the communications and information management capability in the DHS/FEMA National Preparedness Guidelines/TCL. This will serve as a basis for future grant policies.

The very next initiative demands that “within 12 months, tactical planning among Federal, State, local, and tribal governments occurs at the regional interstate level.”

Consider these goals set forth by the NECP:

Goal 1: By 2010, 90 percent of all high-risk urban areas designated within the Urban Areas Security Initiative (UASI) are able to demonstrate response-level emergency communications 3 within one hour for routine events involving multiple jurisdictions and agencies.

Goal 2: By 2011, 75 percent of non-UASI jurisdictions are able to demonstrate response-level emergency communications within one hour for routine events involving multiple jurisdictions and agencies.

Goal 3: By 2013, 75 percent of all jurisdictions are able to demonstrate response level emergency communications within three hours, in the event of a significant incident as outlined in national planning scenarios.

Progress toward the initial milestones appears to be underway already. According to the NECP, Regional Emergency Communications Coordination Working Groups (RECCWGs) are taking shape in each of the 10 FEMA regions, “to assess emergency communications capabilities within their respective regions, facilitate disaster preparedness through the promotion of multijurisdictional and multiagency emergency communications networks, and ensure activities are coordinated with all emergency communications stakeholders within the RECCWG’s specific FEMA region.”

The NECP makes no mention of how all this greater emphasis on regional coordination ties into the Task Force for Emergency Readiness (TFER), a new concept which has received considerable attention lately. This will have to be addressed by the DHS Office for Interoperability and Compatibility (OIC) as it fine tunes Communications Unit Leader (COML) training. OIC is charged with devising, “a tool for training (COMLs) and their command and general staff to perform the critical mission of managing interagency and cross-disciplinary communications during all hazards incidents.”

In the next 18 months, OIC must not only develop and disseminate “training program guidance and curricula for emergency communications technical staff,” but also provide, “educational and training opportunities to emergency response agencies per requests through technical assistance programs.”

Roy Jones, communications manager at the Maine Emergency Management Agency, offers an upbeat assessment of the NECP. “It is really good to have these deadlines. Some may be difficult to achieve, and others may need to be revised as with any plan. However, overall, they are reasonable and they reflect input from the stakeholders. This plan allows us to better see what is on the way and what everyone else is currently working on,” says Jones.

Yet deadlines are not the only source of pressure on the implementation of the NECP. The Association of Public-Safety Communications Officials (APCO) International stressed to Congress that motivation and organization can only get you so far.

During his testimony last month before the House Homeland Security Committee’s Subcommittee on Emergency Communications, Preparedness and Response, APCO International Vice President Richard Mirgon asserted that if “the goals of the NECP are to be successful, the Administration and Congress must ensure the NECP and the interoperable emergency communications grant programs are fully funded.”

Peter J. Brown, a freelance writer from Maine, writes frequently about the role of satellite technology in disaster response and emergency management operations.

All too often, the visceral reaction to a story about homeland security is “huh?” The latest example for me is this headline in last week’s USA Today, “TSA weighs gun ban in unsecured areas.”

The gist of the article is that, prompted by the request of Atlanta’s Hartsfield-Jackson Airport, the Transportation Security Administration is pondering whether airports may ban firearms from terminals, parking lots, and other parts of the airport before screening checkpoints. At checkpoints and beyond, firearms, as well as other weapons – knives, bombs, etc. – are, of course, banned. The rationale for that ban, of course, is that firearms can be used to kill masses of people past the checkpoint, including people on board airplanes.

The “huh” factor here comes from two things. First of all, if guns are banned past the checkpoint because they can be used to kill people, doesn’t it go without saying that they should likewise be banned before the checkpoint because they can be used to kill people? In other words, isn’t the point of the present ban to prevent mass killing? If so, why should guns be banned past the checkpoint but not before it?

Second, if there’s no practical difference between the pre-checkpoint area and the post-checkpoint area in terms of the possibility that guns can be used to kill people, what is TSA “weighing?”

Yes, of course, there is the Second Amendment. Under certain circumstances, people may legally carry firearms. However, implicitly, the foregoing sentence means that there are other circumstances under which people legally may not carry firearms. The circumstance that legally permits airports to ban firearms past the checkpoint – people on board airplanes could be killed – is the same circumstance that should make banning firearms anywhere on airport property a no-brainer.

Surely it isn’t the case that the lives of those in airports who are planning to board airplanes are worthier of protection than the lives of those who are at airports for other reasons – to drop off family or friends; to shop or dine at restaurants or shops before checkpoints; or to work in parts of the airport before checkpoints. If not, as I say, TSA’s deliberative process can and should be short.

That is not to say that there wouldn’t be legal challenges. (Remember the judge who sued his dry cleaners for ruining his favorite pants, seeking $65 million in damages?) But that’s what TSA’s lawyers are for. Those lawyers stand a good chance of ultimately prevailing, if the recent upholding of the ban by a federal judge Monday is any indication. In any event, TSA policy makers should take out their “Approved” stamp; firmly affix it to Hartsfield-Jackson’s application; and move on to weighing closer questions.

Clark Kent Ervin is Director of the Homeland Security Initiative at The Aspen Institute. Ervin served as the first Inspector General of the United States Department of Homeland Security from January 2003 to December 2004. Prior to his service at DHS, he served as the Inspector General of the United States Department of State from August 2001 to January 2003.

Bombs and bullets are not the only thing flying around in the Russia-Georgian war that broke out over the weekend. According to a recent story in The Telegraph, the Georgian Ministry of Foreign Affairs claimed “[a] cyber warfare campaign by Russia is seriously disrupting many Georgian websites, including that of the Ministry of Foreign Affairs.” That is not the first time Russia has been accused of cyber warfare.

A widely publicized cyber assault against Estonia in 2007 increased suspicion that Russia is using online malicious activity as a tool of national policy. The assault disrupted public and private Estonian information networks with massive denial-of-service attacks. The Estonia attacks targeted the Web sites of banks, telecommunication companies, media outlets, and government agencies, eventually forcing the country to block all foreign Internet traffic. Many Web sites were shut down by denial-of-service attacks, in which the attacker uses thousands of hijacked computers to bombard a Web site with use­less information until it is overloaded. Estonia’s defense minister described the attacks as “a national security situation…. It can effectively be compared to when your ports are shut to the sea.” The Estonia and Georgian attacks testify to the dis­ruptive power of a coordinated cyber offensive

Russia is not the only one. China uses “cyber-spying” as a matter of course -and America is one of their prime targets.

U.S. government information systems are attacked every day from sources within the country and around the world. Some of these intrusions have been extremely serious, compromising security and costing millions of dollars. Penetration of computer networks at the National Defense University proved so pervasive that the university was forced to take the entire computer network offline and install new information system defenses.

These attacks come from states, criminal networks, “hackivists” (online political activists) and other malicious actors.

In addition, bad people exploit the freedom of the Internet-terrorists included. They go online to gather intelligence, raise money, share tradecraft in chat rooms, and coordinate propaganda messages.

The lesson for the United States is take the challenge of cyber threats seriously. The initiatives that will likely best serve the United States and its international partners in the cyber conflicts of the 21st century are those derived from private sector experience, emerging military and intelligence capabilities for conducting information warfare, and law enforcement measures for combating cyber crime. The U.S. needs a national framework that builds on these capabilities, encouraging them to collaborate and reinforce one another. These initiatives should include:

• Adopting best practices. Both government agencies, such as the National Institute for Standards and Technology, and the private sector continue to develop best practices and lessons learned. These can be effective tools. Ensuring that these are refreshed and applied should be government’s first priority.

• Employing risk-based approaches. All information programs must include assessments of criticality, threat, and vulnerability as well as measures to efficiently and effectively reduce risks.

• Fostering teamwork. Cybersecurity is a national responsibility requiring international cooperation. The United States must maintain effective bilateral and multinational partnerships to combat cyber threats.

• Exploiting emergent private sector capabilities. These may come from many sources, such as small companies and foreign countries. The U.S. government must become a more agile consumer of cutting-edge commercial capabilities.

• Focusing on professional development. Most government information programs underperform because, due to inattentive senior leadership, they lack clear requirements and hold unrealistic projections of the resources required to implement those requirements. National security professionals must have familiarity with a number of diverse security-related disciplines and practice in interagency operations, working with different government agencies, the private sector, and international partners.

• Developing robust offensive capabilities to respond to cyber attacks and malicious acts by either state or non-state threats using the full range of military, intelligence, law enforcement, diplomatic, and economic means.

What is needed, however, is not massive reorganization, massive government bureaucracy, massive infusions of government cash, or massive intrusions into the marketplace and the lives of Americans. What is needed is long-term commitment and sound initiatives based on better and faster acquisition of commercial services; better and smarter management of military, intelligence, and information technology programs; and better and sustained professional development of federal, state, local, and private sector leaders.

James Jay Carafano, Ph.D., is Assistant Director, Kathryn and Shelby Cullom Davis Institute for International Studies and Senior Research Fellow, Douglas and Sarah Allison Center for Foreign Policy Studies at The Heritage Foundation in Washington, DC.

Last week the FBI outlined its new “theory of the case” regarding the 2001 anthrax attack. So far, almost all of the focus has remained on the whodunit, a scientist named Dr. Bruce E. Ivins, who committed suicide late last month as the FBI was closing in on him. Far less attention has been given to whatdunit, the United States Army Research Institute of Infectious Diseases or USAMRIID, and whether sufficient institutional security measures have been developed within government laboratories and government-sponsored research programs to ensure that we can detect the next bio-bomber.

Lingering questions from the Ivins case, particularly the reaction of his co-workers at Fort Detrick, suggest that we have a lot of work to do to build an effective security system to monitor the potential misuse of the world’s most deadly substances. And it is possible that our actions since 2001 have expanded the danger.

Based on new scientific tools used in the investigation, the FBI is certain that the agent used in the attack came from a specific flask used in research at the Army lab. That flask was “effectively the murder weapon” according to U.S. Attorney Jeffrey Taylor. So, whether or not Dr. Ivins did it, the FBI is convinced that someone at USAMRIID did. At least one government scientist weaponized an agent, removed it from the facility and used it to kill five people without being detected. The combination of background checks, peer observation and physical security at Fort Detrick in place in 2001 was inadequate.

Even now, many of Dr. Ivins’ co-workers are not convinced he did it because they believe they would have seen him do it. These doubts should sound an alarm about the state of bio-security today. Seven years after the incident, no one associated with Fort Detrick has yet explained what has been done to make a repeat incident less likely.

Let’s compare aviation and bio-security. Aviation security is far from perfect, but we have responded aggressively and systematically to the 9/11 failure. We know a lot more about passengers before they arrive at the airport. We inspect them and their baggage thoroughly before they are allowed to board an airplane. Once on board, a potential hijacker faces a locked cockpit door, an air marshal, a better trained crew and a plane-full of inquisitive eyes. There remains a residual threat to aviation, most likely from air cargo, but at least we have done as much as we can to prevent another suicide hijacking.

Unfortunately, it is possible our response to the other 2001 terror attack has been backwards. We have spent many billions of dollars developing vaccines and deploying detection equipment based on the belief that the threat was external – a terrorist organization would develop and deploy a biological weapon against the United States.

That danger certainly exists, but we now know that this was an insider job. Someone working for a secretive agency and in control of the most dangerous technologies that exist used them against the society they were charged to protect. And, because the scope of research on bio-defenses has expanded exponentially since 2001, the insider threat now could be even greater.

In the coming days, it will be imperative for the Departments of Defense, Homeland Security and Health and Human Services to come forward and tell us what has been done at government labs across the country and within government-sponsored research programs in light of the USAMRIID case to strengthen bio-security. What new research protocols have been established? What kind of peer review system is now in place? What kind of detection equipment has been installed as workers exit labs? How have background checks been strengthened? If Dr. Ivins was suffering from declining mental health, to what extent are labs monitoring scientists and looking for danger signs?

We now know that in 2001 we were attacked not just by al Qaeda but also by a government agency. Significant questions linger as to whether the government’s biological security is keeping pace with biological research. The government cannot retreat behind a veil of secrecy. The American people deserve to know that government bio-defense programs now have more effective security measures in place so that we are sufficiently protected from both internal and external threats.

The case should be far from closed.

P.J. Crowley is a Senior Fellow and Director of Homeland Security at the Center for American Progress in Washington, D.C. He served as Principal Deputy Assistant Secretary of Defense for Public Affairs and then as Special Assistant to the President of the United States for National Security Affairs, serving as Senior Director of Public Affairs for the National Security Council.

I am taking vacation next week. This break presents an opportunity to bring in some real talent. On Monday, we’ll have a post from P.J. Crowley, author of Safe at Home: A National Security Strategy to Protect the American Homeland, the Real Central Front. P.J. is Senior Fellow and Director of Homeland Security at the Center for American Progress.

The presidential campaigns are being fought on several fronts. This week, energy policy is the most visible front line, but terrorism and the imperative to keep Americans safe at home will return to the front page soon. In that process, we’ll hear about why staying the course in Iraq is desirable as a means of “winning it the right way by winning it” as Senator McCain asserted yesterday at a celebtrity appearance before a crowd of bikers waiting to see Kid Rock perform. We’ll also hear from Senator Obama that the logic of staying in Iraq is based on a wish that America continue to vindicate bad decisions made ever since we invaded, to include the decision to invade in the first place.

All of this is important, but it is a secondary argument to the important question of determining what has worked and what hasn’t in achieving the indisputable success that no attack has been successfully carried out on the U.S. since 9/11. Depending on our answer to that question, we can focus on continuing those efforts that are constructive and promptly end those efforts that are ineffective or counterproductive, or both.

It is hard to make the case that the invasion of Iraq has allowed the U.S. to fight terrorists overseas rather than here on the CONUS. If anything, that war has made the U.S. less secure by a number of measures (overstretched military, denuded international legitimacy, skyrocketing national debt, inflamed rather than defanged terrorist adversaries, etc.). However, by taking a comprehensive assessment of efforts we as a nation have undertaken, those developments that are reasonably out of our control but still relevant, and the indirect consequences of a combination of the two trends, we can gain a useful understanding of what has worked and what hasn’t.

Fortunately, national security analysts at SAIC and professional staff from the Defense Threat Reduction Agency’s Advanced Systems and Concepts Office conducted an open-source literature review to identify hypotheses explaining why the United States has not been attacked successfully by terrorists since 9/11. This two hundred page study organized the reasons why we’ve not yet been attacked successfully into two categories:

Capabilities – Terrorists have been unable to succeed in conducting another large-scale attack on the homeland due to the effectiveness of U.S. defenses or because of the terrorists’ limited capabilities. The authors further address this thesis as part of two different “baskets” of issues:

• U.S. and Allied Counterterrorism Efforts: U.S. and allied initiatives have decisively limited terrorists’ capabilities to conduct attacks on the homeland by driving al-Qaeda’s leaders from their Afghanistan sanctuary, disrupting several terrorist plots, and forcing operatives to focus on preserving their own security rather than training for and carrying out new attacks. At home, potential targets have been hardened, coordination between government agencies has improved, and public awareness has increased scrutiny of suspicious behavior.

• Terrorist Attack Capabilities: Limitations on terrorist capabilities that are less dependent on U.S. and allied counterterrorism activities have prevented terrorist attacks on the U.S. This treatment suggests that a number factors independent of our anti-and counter-terrorism efforts are to credit. Examples of such factors include the time needed to recover from damage done to al-Qaeda and the requirements necessary for deploying terrorist veterans of the Iraq war, the challenged of acquiring WMD capabilities, and the broad assimilation of U.S. Muslims limiting the pool of potential “homegrown” jihadists.

Motivations – While a number of terrorist groups possess the ability to attack the United States, they have chosen not to do so for a variety of reasons. These categories are further subdivided into the following four baskets:

• Another Attack is a Bad Idea: Terrorists have concluded that another strike on the United States is ill-advised. This category suggests that al-Qaeda’s leaders prefer to wait until they can perpetrate an attack that surpasses 9/11 in terms of destruction and symbolism or that terrorists are concerned that another attack on the homeland would be counterproductive/ineffective in achieving their objectives.

• These Are Busy Times: Various groups maintain a significant attack capability, but other targets (i.e. n Europe, Middle East, and apparently China) are more attractive than the U.S. homeland due to operational challenges or political inclinations.

Two presumed terrorists crashed a truck bomb into a state police station Monday and threw two grenades, killing 16 policemen and wounding 16 others. It wasn’t in Iraq or Afghanistan. Nor was the attack even in the Middle East. This was in China.

Chinese officials have warned that Uighur extremists with links to foreign-based Islamist extremist organizations pose the greatest security threat to the Beijing Olympic Games.

The attack killed patrol troops from the People’s Armed Police, a paramilitary force responsible for putting down riots, guarding embassies and safeguarding the border. Last month, police in the regional capital killed five Uighurs in a raid on an apartment. Authorities accused them of preparing a holy war against Chinese rule.

Chinese authorities have identified the East Turkestan Islamic Movement as a key terrorist group in this situation. The Washington Post reports in its coverage of today’s bombing that China executed three people in the restive Xinjiang region July 9 convicted of being East Turkestan Islamic Movement members. The Uighur population is overwhelmingly Muslim seeks to break away from Chinese rule.

In April China announced that it had broken up two Uighur terrorist cells plotting to kidnap foreigners and bomb hotels during the Olympics. 45 people were arrested and accused of ties to the East Turkestan Islamic Movement.

The LA Times is reporting the suicide death of the bioweapons scientist employed at Ft. Detrick who was considered by the FBI to be the suspect in the 2001 anthrax attacks that killed five people and severely sickened 17 others. Steven Hatfill? Nope.

The LA Times report said the Feds ruled out Hatfill and settled on Bruce E. Ivins, a different bioweapons expert at Ft. Detrick, as the culprit. Hatfill had been under investigation for years and publicly proclaimed “a person of interest” by then Attorney General John Ashcroft.

In June, the Justice Department reached a settlement valued at $5.85 million with Steven Hatfill, who sued them for trashing his name in the media.

The Washington Post tells that FBI Director Robert Mueller changed leadership of the anthrax investigation in 2006, instructing the new investigators to re-examine leads and reconsider potential suspects. Turns out that Ivins had an impressive record for his research on behalf of the Defense Department in the area of anthrax decontamination. Ivins also is reported to have conducted extra-curricular research that tipped the investigation in his direction. What is odd is that the following information was public for years:

Ivins was one of the nation’s leading biodefense researchers, according to the Times report, and co-author of numerous anthrax studies, including one on a treatment for inhalation anthrax published in the July 7 issue of the journal Antimicrobial Agents and Chemotherapy.

In the six months following the anthrax mailings, Ivins conducted unauthorized testing for anthrax spores outside containment areas at USAMRIID and found some, according to an internal report by the U.S. Army Medical Research and Materiel Command, which oversees the lab.

In December 2001, after conducting tests triggered by a technician’s fears that she had been exposed, Ivins found evidence of anthrax and decontaminated the woman’s desk, computer, keypad and monitor, but didn’t notify his superiors, the Times reported. The report says Ivins performed more unauthorized sampling on April 15, 2002.

This information was reported by USAToday in 2004.

“I swabbed approximately 20 areas of (her) desk, including the telephone computer and desktop,” Ivins told Army investigators. Half of the samples, he found, “were suspicious for anthrax.”

Rather than report the contamination, Ivins said, he disinfected the desk. “I had no desire to cry wolf.”

Ivins also helped the FBI analyze one of the anthrax-tainted envelopes sent to Senator Daschle’s Washington office.

It is unclear if anything Ivins did before the attacks in September and October 2001 was suspicious. We’ll never know whether Bruce Ivins was indeed the perpetrator among the 20-30 scientists at Ft. Detrick under investigation. Ivins had been told about the impending prosecution and apparently committed suicide by overdosing on Tylenol with Codeine.

Section 2401 of the Implementing Recommendations of the 9/11 Commission Act of 2007 directs the Secretary of Homeland Security to “conduct a review of the homeland security of the Nation.” The review is called the Quadrennial Homeland Security Review (QHSR).

As part of this review, the Secretary will examine the homeland security strategy, make recommendations regarding the long-term homeland security strategy and priorities, and provide guidance on the programs, assets, capabilities, budget, policies, and authorities of the Department of Homeland Security.

DHS has designated a core staff for the QHSR within the Office of Policy, as well as “work teams” to manage and conduct the Review. The work teams include employees dedicated full-time to the QHSR, detailed personnel from DHS and other Federal departments and agencies, and contract support.

DHS Deputy Assistant Secretary for Strategic Plans, Alan Cohn, is responsible for managing this first QHSR. Yesterday, Alan testified before a House Subcommittee hearing about where things stand on the current effort. Christine Wormuth, Senior Fellow in the International Security Program at CSIS, also testified at the hearing.

Christine made a solid point: Despite having an able leader in Alan Cohn, don’t expect the QHSR to meet its goals with a budget as small as $1.5 million and 6 full time staff. As a comparison, DOD has multiple offices throughout the Department working already on their 2010 Quadrennial Defense Review with substantially larger budgets available to them.

Section 2401(b)(2) of the 9/11 Act directs the Secretary to provide Congress, and make publicly available, a resource plan for the QHSR. The Resource Plan explains the implementation phases, estimates of the required resources, and explainst the QHSR Work Teams.

According to the resource plan, the QHSR report will be written and delivered to Congress at the end of 2009. The interim work is to lay the foundation for the ultimate deliverable next year. Nevertheless, DHS is at a disadvantage due to a few critical factors:

1) Disengaged senior leadership
2) Massive turnover at the transition
3) Temptation to offer recommendations covering an unwieldy scope

On the disengaged leadership, I’ve seen no evidence that Secretary Chertoff is as engaged in the QHSR as the Secretary of Defense is in the QDR. On the occasions when I’ve met with him, the Secretary responded to my questions about the QHSR with minimal detail. The budget request alone is evidence of lacking buy-in, but its proof, too, that the White House doesn’t understand the potential value of this Review.

The implications of substantial turnover for the Department of Homeland Security include the risk that Christine pointed out during the hearing:”No matter what party wins the presidential election, the incoming team will want to take a fresh look at DHS and is likely to be somewhat skeptical of work done in advance for the QHSR.”

Finally, while the review is mandated by Congress to make recommendations regarding the long-term homeland security strategy and priorities of the Department of Homeland Security, the maxim of “know your audience” enters in. The QHSR is more for the Department than for the Congress. With the new Administration coming in, there will be a premium placed on assessing the programs, assets, capabilities, budget, policies, and authorities of the Department, not normative statements.

The next Administration will craft its own national security strategy and, possibly, a new homeland security strategy (the latter may be folded into the former). Therefore, the recommendations will be less valued than the net assessment of the DHS landscape, which is challenging enough as it is. Alan and his team are uniquely capable of doing this.

The next Administration would be wise to avail itself of the QHSR deliverables and the career staff leadership who are responsible for it. The current Administration would benefit from committing more resources – leadership buy-in and financial support – to the QHSR process if it intends to make good on its commitment to a smooth transition to the next Administration.

Yesterday the Chairman of the House Homeland Security Committee, Bennie Thompson, published in the New York Times a response to the July 21 op-ed in the same paper by DHS Deputy assistant secretary for policy development Stephen Heifetz. Heifetz argued that overlapping Congressional committees and both political Parties are the source of the Department’s inability to “develop — and put in place — a broad risk assessment methodology.”

Subtext: While many authorities and influential groups have called for the consolidation of Congressional oversight of DHS, the Administration has made only mild intonations about the need to do so. It seemed as though the cautious approach was taken because the Executive Branch cannot reorganize the Legislative, and it’s the latter’s business.

Further subtext: The Secretary of Homeland Security only recently called for such a reorganization in testimony before Congress, an assertiveness not seen before. And now this high profile op-ed in the New York Times by a policy official at DHS.

We know they’ve always wanted fewer masters in the Congress than the +/-80 committees and subcommittees that they now deal with. But why the overt shift in attention by DHS to Congress now? What changed?

Chairman Thompson suggests that part of the reason is that while the Republicans controlled the Congress, there wasn’t much appetite by the Administration for challenging them on this issue. Now that the Democrats are in charge – and challenging the Administration – there is a new found motivation for Congressional reform.

The core issue may not be Congress at all here. Heifetz argues that the ability to conduct adequate risk-based homeland security investments and strategies is hampered by the multiple parochial demands of Congress. That may be true with regard to state grants, but there are a lot of other options that are within the Department’s control for making progress.

Chairman Thompson puts it this way:

The primary obstacle to a risk-based homeland security strategy is not the need for a Congressional reorganization. During a hearing my committee held last month, expert witnesses asserted the need for a “chief risk officer” at D.H.S., as well as a new presidential directive committed to carrying out risk-management principles in all homeland security functions.

Unfortunately, this administration has not demonstrated an effective risk-management approach, a failure that inevitably leads to political interference from both sides of the aisle.

We need a risk-based approach to homeland security that allocates our limited resources proportionally to risk. D.H.S. then needs to make periodic assessments to gauge our progress in mitigating those risks. This is not being done because the administration is unwilling to make the tough choices that will make our country safer.

I’m in Sante Fe, New Mexico, this week with the Stimson Center’s Task Force on Leveraging National Laboratory S&T Assets for 21st Century Security. Today we’re at Los Alamos National Lab, tomorrow at Sandia National Lab. Blogging will be sporadic until I return.

The Euroscience Open Forum 2008 taking place in Barcelona, Spain, is covered in a short UPI story highlighting the Forum’s focus on nuclear forensics, which is the science specializing in nuclear threat detection.

Nuclear forensics cuts across the entire mission space from deterrence and dissuasion, to detection through consequence management, to attribution and response. It is a core part of the mission of combating smuggled nuclear weapons.

Speaking at the Eurpean Forum, Gabriele Tamborini of the European Commission Joint Research Center Institute for Transuranium Elements told UPI that the threat posed by nuclear terrorism has become a serious field of study.

“Nuclear forensics may provide information on the history, the intended use and possibly on the origin of nuclear material.”

“This scientific discipline is at the interface between physical science, prosecution, non-proliferation and counter-terrorism.”

For our part, the U.S. has formed the National Technical Nuclear Forensics Center (NTNFC) under the DNDO. It represents an important reorganization.

While the Department of Homeland Security is not responsible for the entire spectrum of nuclear forensics, the NTNFC is a step forward in two clearly needed capabilities:
1. Across the government, unify various competencies and programs that are focused on aspects of the forensics mission.
2. Develop, enhance, and maintain technical forensics capabilities for pre-event needs.

The FBI provides the Deputy Assistant Director at the NTNFC, and it also provides a senior liaison from the FBI lab. The Department of Defense and the Department of Energy both provide detailees.

The Forensics Center also has a Working Group, made up of members from each relevant federal agency and members of the intelligence community, which meets regularly. There is an “Interagency NTNF Program & Budget Crosscut” under development to help align relevant programs and harmonize budget requests. Lastly, the NTNFC – and the DNDO in general – work with interagency partners in planning and executing exercises that support the research, development, and deployment of technologies, as well as shared concepts of operations.

DHS Inspector General conducted a comprehensive review of the Department’s intentional activities and interests. This blog considers the international side of homeland security to be one of the most important dimensions to successfully carrying out the Department’s missions. The IG appears to agree in his new and in-depth investigation of DHS international affairs. Coupled with a rare study of the Department’s global efforts, this new report offers a number of recommendations for improving the institutional capacity of DHS to meet its important international objectives.

I’ve been looking at this issue since 2004 and subsequently wrote a short paper with colleagues at the Center for the Study of the Presidency on how DHS can be more creative in tapping into existing networks overseas among allies and distant friends. We focused on creating dialogue based on shared interests and the exchange of capabilities through training and technology sharing. Ultimately, we came to the realization that no significant progress could be made without a strategic plan for DHS international activities. The IG confirmed these findings and in his Executive Summary he similarly calls for a “strategic plan to prepare guidance on training and technical assistance abroad.”

The IG also takes aim at how DHS is managing its interests overseas with an enterprise perspective and management mindset. The report notes that while the DHS Office of International Affairs, led by an Assistant Secretary for Policy, is the chief management entity stateside, the Department relies upon a mix of management approaches to its presence abroad. In some cases, DHS relies upon component staff (CBP, ICE, USCG, etc.) or they’ve named actual attaches to represent the Department. The IG finds that neither version is optimal and that this approach must be strengthened and refocused.

In all, the IG makes eighteen recommendations. They cover such topics as organizational issues, interagency coordination, implications of funding constraints, and tangible (missed) opportunities for more valuable efforts that support U.S. homeland security interests overseas. Where the IG addresses the importance of international training and technical assistance (T&TA), three constraints on DHS are called out:

1. Insufficient coordination among DHS, State, and DOD.
2. Insufficient information about funds available for DHS international programs
3. Uneven commitment of staff by larger component agencies to valuable T&TA initiatives. (IG specifically calls out FEMA, CBP, and TSA.)

T&TA represents the most tangible work OIA and the Department can do in this mission without drifting into operations that are carried out by component agencies and are part of a different debate/analysis. I noted in particular the echoes of previous works by others and posts here on strengthening DHS’s hand in adding value in the T&TA mission area, as well as related interagency coordiantion challenges. For example:

Forge a New Currency of Counterterrorism Cooperation Through NATO

Middle East Eyes Homeland Security

Europe Steps In to Bridge Mediterranean. But Where’s the U.S.?

Panel Seeks to Integrate CT and Security Assistance, Sans DHS

Int’l Security Summit Misses HLS Opportunity

DHS 2.0 (section on international affairs)

Homeland Security Technology, Global Partnerships, and Winning the Long War

Ever since DHS stood up there has been a battle underway to resist the temptation to fund every countermeasure and combat every conceivable threat. By in large that battle is being lost. However, a piece in yesterday’s New York Times by the deputy assistant secretary for policy development at DHS suggests that the culprit is excessive and disorganized Congressional oversight of the Department of Homeland Security.

Deputy assistant secretary Stephen Heifetz writes that “tangled homeland security laws” obstruct the ability of DHS to prioritize risks. Congressional committees and both political Parties are the source of the Department’s inability to “develop — and put in place — a broad risk assessment methodology.”

He cites the roughly 80 committees and subcommittees that oversee DHS as an unfair disadvantage when compared to the mere four committees that claim jurisdiction over the Department of Defense.

This comes at a cost not just in convenience and efficiency. Heifetz suggests that because Washington began to focus on bad things that might happen to us after 9/11, we identified “a seemingly infinite catalogue of worrisome possibilities” that include:
• nuclear, chemical and biological terrorist attacks delivered by planes, ships, cars or other mechanisms
• conventional explosives on mass transit systems
• gunmen in public places
• cyber attacks on computer and communication networks
• natural hazards like earthquakes and hurricanes

To avoid fighting every scenario, we need to measure what is truly a risk. Heifetz argues that doing so isn’t possible because of “dozens of Congressional committees and subcommittees that watch over the department have their own goals and have refused to give up authority.” He states that when every Congressional committee believes its subject area is priority number one, nothing is a priority. No risk assessment can be successful in this environment.

He is right to resist the “anything’s possible” homeland security approach, but Congressional oversight can be blamed for only part of the problem. Invoking the 9/11 Commission recommendation (which has been offered by countless other organizations for over seven years now) to consolidate the committees of jurisdiction into one seems logical. But this is something only the Congress can do. There are things that DHS can do to improve risk assessment.

Risk is measured in many ways, including the White House strategy documents, budget requests, the Quadrennial Homeland Security Review, products of the DHS Office of Risk Management and Analysis, and responses to Congress, to say nothing of the intelligence reporting taking place at the international, federal, and state levels. I buy it that it must be a headache to lead this Department with so many masters, but the assessment of risks should be able to go on regardless. The hard part is getting people to believe it.

Barack Obama today delivered remarks at Purdue University in which he laid out a set of national security priorities. He specifically identified “nuclear, biological, and cyber threats – three 21st century threats that have been neglected for the last eight years.”

He explains in the speech — in so many words — that by “neglected” he means underinvested in and deserving of greater priority. It can be said that when everything’s a priority, nothing is. But if you read the whole speech Senator Obama makes the case that its wiser to focus on the ways in which we are vulnerable as opposed to focusing on the specific enemies. Sounds weird, but it makes sense to suggest that, while national security is broadly defined, we must focus on the threats that can be presented, regardless of the adversary.

For example, while it may be al Qaeda that seeks to use bio-terrorism, we need to focus on defeating that threat if it is employed by any enemy. Same goes for nucs and cyber. And since I’m still here at Maxwell AFB for the Air Force Cybersecurity Symposium, following are Obama’s proposals on addressing cyber threats:

Every American depends – directly or indirectly – on our system of information networks. They are increasingly the backbone of our economy and our infrastructure; our national security and our personal well-being. But it’s no secret that terrorists could use our computer networks to deal us a crippling blow. We know that cyber-espionage and common crime is already on the rise. And yet while countries like China have been quick to recognize this change, for the last eight years we have been dragging our feet.

As President, I’ll make cyber security the top priority that it should be in the 21st century. I’ll declare our cyber-infrastructure a strategic asset, and appoint a National Cyber Advisor who will report directly to me. We’ll coordinate efforts across the federal government, implement a truly national cyber-security policy, and tighten standards to secure information – from the networks that power the federal government, to the networks that you use in your personal lives.

To protect our national security, I’ll bring together government, industry, and academia to determine the best ways to guard the infrastructure that supports our power. Fortunately, right here at Purdue we have one of the country’s leading cyber programs. We need to prevent terrorists or spies from hacking into our national security networks. We need to build the capacity to identify, isolate, and respond to any cyber-attack. And we need to develop new standards for the cyber security that protects our most important infrastructure – from electrical grids to sewage systems; from air traffic control to our markets.

For a brief speech, this was about as much detail as we can expect from a candidate. However, the next president is going to have to delve into such challenges as how effectively to draw the line between monitoring, detecting, dissuading, deterring, and defeating cyber threats. And should we actually endure an attack, we’ve yet to carve out our conops for response, recovery, and retaliation. What does it mean to retaliate for a cyber attack that steals secrets? Or one that shuts down an electrical grid, leading to actual casualties? Or one that isolates our armed services from its chain of command?

Cyber security ought to be a presidential priority and it is positive to see Senator Obama call it out as a strategic concern. We’ll see if John McCain is focused on cyber should his campaign offer a counter-speech.

The Cyberspace Information Operations Study Center hosts its first symposium “Air Force Symposium 2008 – Cyberspace” at Maxwell AFB, Montgomery, AL, this week. Co-hosted by Headquarters 8th Air Force, Barksdale AFB, LA and U.S. Strategic Command, Offutt AFB, NE, the symposium is intended to engage military, industry and academic participants on a broad spectrum of topics affecting the cyberspace mission.

Participants include service members, business leaders, researchers, and academics who wish to participate in advancing the U.S. Air Force mission to “fly and fight” in cyberspace. Workshops focus on Doctrine and Concepts of Operations, Policy and Law, and USAF Cyber Support to National Security.

Sessions will address, among other things, defining cyberspace and working toward establishing the domain, control and use of cyberspace. Participants will also participate in discussions of international and domestic law related to cyberspace and analyze national security and other issues from both military and civilian perspectives.

Scheduled speakers at the symposium include Gen. Kevin P. Chilton, commander, U.S. Strategic Command; Maj. Gen. Charlie Dunlap, Air Force deputy judge advocate general; and Maj. Gen. William T. Lord, commander, Air Force Cyberspace Command.

I’ll be attending as much as I can of the Policy and Law track and Track Three on nat’l security, which involves workshops focused on the question of how “U.S. capabilities and activities in the Cyber Domain can and, if developed, should contribute to national security,” according to materials.

I had to confirm my clearance to attend the conference so my ability to blog from it is going to be rather limited. I’ll do my best to post here about unclassified information and other open developments.

The Washington Post and AP reported on the launching this weekend of an effort to foster cooperation between Europe and the Mediterranean region. It was evidence that previous efforts – like the Barcelona Process – had not delivered, that Europe, the Middles East, and North Africa are interested in overcoming old enmities through common interests, and that the U.S. side-stepped its sixty-year leadership role in such efforts.

Readers will recall previous posts here that describe opportunities for the U.S. to engage critical countries across Europe, the Middles East, and North Africa based on a shared interest in protecting civilians through elevated cooperation in such efforts as homeland security. The vacuum left by an apparent lack of American leadership, as well as disappointing results from previous or other ongoing efforts through the EU and NATO created an opportunity for French President Nicolas Sarkozy step in.

Sarkozy urged the countries around the Mediterranean Sea on Sunday to make peace like European rivals did in the 20th century, as he launched the Union for the Mediterranean.

“We will build peace in the Mediterranean together, like yesterday we built peace in Europe,” Sarkozy told leaders from more than 40 nations in Europe, the Middle East and North Africa, representing nearly 800 million people. “We will succeed together; we will fail together.”

Egypt’s President Hosni Mubarak, co-presiding the summit with Sarkozy, said the union has better chances of success than previous cooperation processes because the new body focuses on practical projects parallel to efforts toward Mideast peace. This is exactly the goal that could have been championed through NATO’s Mediterranean Dialogue, which already includes such critical countries as Algeria, Egypt, Israel, Jordan, Mauritania, Morocco and Tunisia. Combine that with the EU’s already existing EuroMed, and Lebanon, Libya, Syria, and Palestine would be engaged.

Mubarak called on the new union to tackle reducing the wealth “gap” between north and south, and cited other southern Mediterranean “challenges” as education, food safety, health and social welfare. Had the U.S. been actively involved, we could have shaped this priority set to include sharing information, technology, threat assessments, and other best practices focused on combating threats to civilian populations (i.e. by terrorism).

A draft declaration obtained by The Associated Press says the Union for the Mediterranean is to be operational by the end of this year. It will have a dual presidency, held jointly for rotating terms by one country within the European Union and one country on the Mediterranean shore.

Congressional Quarterly’s CQ Homeland Security ran a story revealing views likely held by the presidential candidates on homeland security priorities. Neither candidate has dedicated much airtime to the topic of homeland security, but both have formed teams of volunteer policy advisors focused on developing homeland security positions. This week’s story quotes Ruchi Bhowmik of Obama’s Senate staff campaign and Lee Carosi Dunn from McCain’s staff. Neither spoke as representing the presidential campaigns, but both are accurate indicators of the candidates’ views.

Ruchi offered a constructive view that avoided the “throw the baby out with the bathwater” stance that many fear a change in party would bring to DHS. A key challenge for the next Administration, she said, would be to complete key programs that the current administration has left unfinished.

She views DHS as something of a “delinquent student” with “homework assignments and they’ve been by no means easy homework assignments, but they haven’t really turned them in.” She specifically included the National Response Framework, and described it as a research paper that was treated as an outline by DHS. “It’s OK,” Ruchi explained, “but it really wasn’t what the assignment was.”

Ruchi also explained that “resilience” is a concept that reflects a core goal of DHS to develop strong partnerships with stakeholders, including governors, local law enforcement, the private sector, and citizens in general. She noted that homeland security is achievable only when these groups are made a trusted partner in the process.

CQ also noted the emphasis Ruchi placed on research and development for better sensor technologies for mass transit protection, cargo container screening, medical countermeasures for bio-threats, and cybersecurity, which depends heavily on strong public-private partnerships.

Lee Carosi Dunn, counsel to McCain, emphasized making first-responders’ communications compatible with one another through such legislative efforts as setting aside some broadcast spectrum for first-responders.

Dunn also noted that McCain supports risk-based funding for state homeland security grants, cited transit security, better leveraging of technology between DHS and DOD, infrastructure protection – i.e. nuclear power plants, ports or cybersecurity – and the Real ID program that requires states to meet federally set standards for their driver’s licenses.

Soon it may be time to update the series we posted here on where the candidates stand on homeland security. Let’s hope the media ask the candidates to expand on their concepts and proposals for homeland security.

As reported in today’s Washington Post, an employee of investment firm Wagner Resource Group in McLean, VA, traded music or movie files late last year with other users of the online file-sharing network LimeWire while using a company computer. As a result, he inadvertently made the private files of his firm’s clients accessible on the Net.

This exposed the names, dates of birth, and social security numbers of about 2,000 clients, including Supreme Court Justice Stephen G. Breyer.

This puts into perspective the concern expressed by Peter Schaar, Germany’s data protection commissioner, quoted in another story appearing in today’s Post by Ellen Nakashima. Commenting on a new effort by the Department of Homeland Security to gain access to more private information about individuals visiting the U.S. from Europe (as well as sharing such information about American’s with EU countries), Schaar found:

no “clear rules on purpose limitation” or on the storage period. “First,” he said, “which data are of concern is not really completely clear. Second, who are the competent authorities on the U.S. side? Third, and most important, there is a lack of independent supervision in the United States over data protection.” In European states, independent privacy commissions safeguard the privacy rights of citizens, he said.

If we have social security numbers of Supreme Court Justices being accidentally shared on the Internet, I can see why he might want further assurances. The Post article points out that Schaar’s questions over which “data are of concern is not really completely clear,” may actually be addressed. Unfortunately, it is disturbing which data is to be shared. According to the news:

The agreement, which was described by two European officials, also allows for the transmission of “personal data revealing racial or ethnic origin, political opinion or religious or other beliefs, trade union membership or information concerning health and sexual life” in cases where they are “particularly relevant to the purposes of this agreement.” It defines personal data as “any information relating to an identified or identifiable natural person.”

Political opinion, trade union membership, or information concerning sexual life? This is too much. That the agreement “shall take suitable safeguards, in particular, appropriate security measures, in order to protect such data,” does not provide the convincing assurance that such information would not be accessed by the ill-intended (like the State Department employees illegally accessing passport records) or the clumsy (like the case of the investment firm above).

But such assurances seem secondary in comparison to the apparent lack of connection between someone’s sexual orientation, political affiliation, or membership in a trade union to a criminal act. I can see why such things as previous travel destinations, the purchase of a one-way ticket, or the use of a suspicious credit card would be relevant to an investigation with cause, but knowing if the traveler is gay, a Republican, or a member of the American Federation of Teachers seems too much.

The Office of Emergency Communications (OEC) in the Directorate for National Protection and Programs at the U.S. Department of Homeland Security will soon be releasing the new National Emergency Communications Plan (NECP). OEC’s mission is, “to support and promote the ability of government officials and emergency responders to continue to communicate in the event of a natural disaster, act of terrorism, or other disaster, and to ensure and advance interoperable emergency communications capabilities nationwide.”

The NECP will provide recommendations for ensuring interoperable emergency communications nationwide. At the same time, the ongoing DHS grants process which is driving interoperability at the state and local level in particular has been in motion for many months. First responders, public safety and emergency management personnel are well down the road with respect to ongoing and well-funded interoperability planning, and training, along with related equipment purchases.

As a result, OEC must be careful to roll out an NECP that is consistent with, and supportive of, current decisions and guidance involving policies, procedures and protocols which in turn greatly influence planning and training. To not introduce what is in effect a truly user-friendly NECP means that OEC may end up disrupting or somehow impeding current state and local efforts to address established interoperability goals.

In its March 2008 report on FEMA preparedness, the DHS Office of Inspector General (OIG) emphasizes that, “there are no fewer than 10 federal interoperability initiatives underway. In light of the importance of interoperability and such large expenditures to strengthen it, the effective management of federal interoperability grants and programs is essential.”

The OIG report added that, “there is no single mechanism in place to link and orchestrate the numerous programs and initiatives underway, nor is there a clear line of accountability. Second, OEC is currently operating with a skeletal, full-time equivalent staff. OEC has assumed a large portion of responsibilities and programs directed at improving interoperable communications, and it requires additional staff and an adequate budget.”

The long-running interoperability program at DHS known as Project SAFECOM is now split between OEC which supports SAFECOM’s development of guidance, tools and templates, and the Office for Interoperability and Compatibility (OIC) in the Science and Technology Directorate which supports SAFECOM-related research, development, testing, evaluation and standards.

Under the Interoperable Communications Technical Assistance Program (ICTAP), for example, OEC addresses technical issues, policy-making and operational concerns. Assessing and updating existing Tactical Interoperable Communications Plans (TICPs) have been an important offshoot of this activity. Along with TICPs, all states and territories have Statewide Communication Interoperability Plans (SCIPs) that have already been approved by DHS.

Besides the above-mentioned TICPs, SCIPs and ICTAP-related work, there is a Public Safety Interoperable Communications (PSIC) program and Interoperable Emergency Communications Grant Program (IECGP). IECGP is jointly run by FEMA and OEC with over $48 million awarded to states in FY08. PSIC grants will total over $1 Billion.

Although it is doubtful that anyone would want to challenge the need for the NECP, due to an unfortunate sequence of events, state and local governments may in fact be way out ahead of OEC in this instance, thanks to all these IECGP and soon PSIC grants. And for this reason, the NECP must adapt to this set of circumstances or risk annoying and possibly alienating state and local stakeholders.

Charlottesville (VA) Fire Chief Charles Werner shares good news in this respect. He chairs the SAFECOM Executive Committee, and serves on both the International Association of Fire Chiefs Communications Committee and Virginia’s Statewide Interoperability Executive Committee.

“When you see the NECP, it will begin to make sense. The NECP does not do anything to diminish the progress that has been made by the states and the SCIPs but moreover builds upon them to further define, and direct the future development of the SCIPs through realistic and measurable performance outcomes (not methods or technology),” he says. “OEC Director Chris Essid, who was Virginia’s former Interoperability Coordinator, is very aware of the states’ efforts and the dynamics. OEC and SAFECOM have been working directly with the development, review and approval of the SCIPs. The fact that every state and territory has submitted a plan demonstrates that this program is working and should be recognized as a phenomenal accomplishment.”

He points out that, among other things, more money is coming that is specifically available for additional planning at the state and local levels.

In conclusion, Chief Werner’s assurances deserve attention, given that the OEC has been described as understaffed and perhaps underfunded. Clearly the OEC has its hands full as it completes and implements the NECP which must be a user-friendly document above all else. And as OEC moves ahead, effective partnering with state and local governments is essential to ensure that the NECP is successful, and that other interoperability goals are quickly and easily achieved.

Peter J. Brown, a freelance writer from Maine, writes frequently about the role of satellite technology in disaster response and emergency management operations.

The current issue of the journal of the Naval Postgraduate School Center for Homeland Defense and Security (CHDS), Homeland Security Affairs, includes an article by Christopher Bellavita, an instructor at NPS and director of academic programs at CHDS. The article invokes a long-standing challenge for the homeland security community: Just what is – and isn’t – homeland security?

Dr. Bellavita identifies seven core definitions of homeland security:

1. Terrorism. Homeland security is a concerted national effort by federal, state and local governments, by the private sector, and by individuals to prevent terrorist attacks within the United States, reduce America’s vulnerability to terrorism, and minimize the damage and recover from attacks that do occur.

2. All Hazards. Homeland security is a concerted national effort to prevent and disrupt terrorist attacks, protect against man-made and natural hazards, and respond to and recover from incidents that do occur.

3. Terrorism and Catastrophes. Homeland security is what the Department of Homeland Security — supported by other federal agencies — does to prevent, respond to, and recover from terrorist and catastrophic events that affect the security of the United States.

4. Jurisdictional Hazards. Homeland security means something different in each jurisdiction. It is a locally-directed effort to prevent and prepare for incidents most likely to threaten the safety and security of its citizens.

5. Meta Hazards. Homeland security is a national effort to prevent or mitigate any social trend or threat that can disrupt the long-term stability of the American way of life.

6. National Security. Homeland security is an element of national security that works with the other instruments of national power to protect the sovereignty, territory, domestic population, and critical infrastructure of the United States against threats and aggression.

7. Security Über Alles. Homeland security is a symbol used to justify government efforts to curtail civil liberties.

A good deal of Dr. Bellavita’s treatment of these definitions is familiar terrain. That he has cogently organized these into a dispassionate analysis showing both sides of each argument makes this a critical read. Importantly, he takes on the often misunderstood concept of “all hazards,” explaining the difference between addressing those consequences common to multiple threats and the “anything’s possible” approach to securing the homeland.

As this blog is known to do, we should highlight how the definition of homeland security is broader than convention usually permits. Bellavita describes the way in homeland security is interconnected with most of our society’s other great challenges as “meta hazards.” These are generational developments that pose risks on a significant scale, but are slow-moving and often regarded as distinguishable and independent of one another. Bellavita casts a wide net here and does not spend time explaining how each of the following are exactly related to HLS:

1. Growing federal fiscal debt
2. Global warming
3. Inferior math, science, and engineering education
4. Decaying physical infrastructure
5. The privatization of government services
6. Dependence on foreign energy
7. Aging population
8. Inadequate health care
9. Drug-resistant disease
10. Food security
11. Open borders
12. Mass immigration
13. Cyber security
14. Pandemics
15. Foreign ownership of U.S. debt

These long-term concerns can undermine America’s competitiveness, independence, and overall societal coherence. Some are obvious connections to HLS (i.e. cybersecurity, pandemics, food security), but this is because they can be brought on by adversaries. The critical point here is that a number of these risks are self-inflicted – and therefore self-remedied.

Congress last month received the pre-release draft of a new report focused on managing DHS through the coming presidential transition. The final public report is now available by its authors, the National Academy of Public Administration (NAPA), which had undertaken the study at the request of Congress to prepare the Department for the management challenges – as well as security vulnerabilities – it will face between November and January 20, 2009.

Given that we’ve seen spikes in terrorist attacks at times of political transition, such as the terrorist attacks in Madrid in 2004 and London in 2005, the presidential transition carries with it an added challenge for DHS. It must manage the institutional flux that occurs with any change in the presidency while also maintaining, if not bolstering, the ability to defeat, deter, defend against, or respond to a terrorist attack seeking to exploit such a symbolic window of time.

The policy community has embarked on a number of ongoing transition studies that aim to inform the next team’s policy slate as it takes over DHS. I participate in two of them, and there are at least two others I’m aware of. For the most part, these efforts do not address the management challenge of keeping DHS running during this key timeframe. This is where the NAPA study comes in.

The report suggests that, while the ratio of political appointees to career leaders is typical at DHS given the rest of the Executive branch, DHS should shift more executives to field operations and convert deputy slots to career positions. This process is well underway, but we are seeing cases where political appointees are getting the deputy jobs as career positions.

In all, NAPA offers a transition plan in 22 steps. Among them are the following:

June through the Democratic and Republican conventions:
• Appoint a full-time transition director.
• Develop a comprehensive transition plan.
• Enhance current transition initiatives and a transition training plan.
• Fill vacant senior executive service positions quickly.

Between the conventions and the election, DHS should:
• Ask the presidential candidates to name a potential Homeland Security transition team.
• Expedite security clearances for all transition team officials.

Between election day and inauguration the president-elect should designate, and Congress should vet, a new DHS secretary to be sworn in on Inauguration Day

After the election:
• Other key political appointees should be approved no later than December.
• DHS should offer training for likely presidential appointees.
• DHS should continue joint training exercises with career and non-career executives.

As with nearly all such reports, the NAPA panel calls for Congress to consolidate its oversight of DHS. However, the focus it gives to the less exciting, but equally vital, management imperatives makes this study unique. I have no doubt the current DHS leadership is committed to carrying out the NAPA report’s recommendations. But let’s hope that all the concern over security vulnerabilities during the transition proves to be unnecessary.

Carol Haave will be named the next DHS Assistant Secretary for International Affairs on (or around) July 7, 2008. While it may at first seem ironic that our Homeland Security agency has an international affairs portfolio, this is perhaps one of the more interesting and valuable position in the DHS leadership. Readers will be familiar with proposals made here and elsewhere for an elevated role for the A/S for International Affairs at DHS. The previous occupant, Marissa Lino, is a former diplomat. (She left unexpectedly after only months on the job.) The new A/S has a decidedly different background on the international scene.

Haave served as Deputy Under Secretary of Defense for Counterintelligence and Security and as Deputy Assistant Secretary of Defense for Security and Information Operations. In those positions, she led the development of the Iraq National ID Card program. Additionally, she led a cross-DOD team to develop policies, process, and procedures for sharing counterterrorism information with coalition partners.

Prior to joining DOD in 2001, Haave spent more than 15 years as a consultant to Defense Advanced Research Projects Agency. There she focused on transitioning technology into the military and commercial markets, and was a team leader for the House Appropriations Committee Surveys and Investigations Staff.

She received a direct commission as a military police officer in the Army and was one of the first female Army officers to attend airborne school.

Last week the