What follows is a preliminary assessment of efforts made to date regarding homeland security and critical infrastructure protection initiatives. Several questions are raised here regarding the progress that has been made to date involving homeland security and critical infrastructure security and continuity. These questions include the following: Has the Administration made progress in implementing its efforts thus far? Is the implementation of these efforts likely to help ensure realization of the Administration's stated goals? Would a change in strategy and the implementation of other initiatives be more likely to ensure the realization of the Administration's goals? If, so what would those alternative or modified initiatives look like?
Six of the initiatives just noted are viewed here in light of these questions.
The Initiative to Unify America's Infrastructure Protection Efforts in the Department of Homeland Security
In order to be successful in implementing this initiative, adequate attention needs to be given to organizational culture and change issues. This can be accomplished through providing education and training for those in government who have responsibilities relating to homeland security and critical infrastructure security and continuity, including those in positions of greatest responsibilities. In order for efforts to be maximized, there needs to be present both a common understanding of the challenges being faced, as well as a common sense of purpose. Reorganization is no guarantee that individuals from extremely different professional backgrounds and organizational cultures, and individuals from organizations that have had markedly different missions will be able to collaborate effectively. Managerial skills, leadership, and education and training may well be key to the success of reorganization efforts. (Education and training initiatives that would address these concerns are described in some detail in Paula D. Gordon, August 2002).
Regarding the physical location of the Department, there is an argument to be made for leaving the parts of new Department where they are at present and using cybertechnology and telecommunications to maintain a virtual organization. The productivity of the Department might be enhanced greatly if there were no major disruptions owing to physical relocation of various part of the Department. If massive relocations take place, the Department would likely lose numerous skilled and knowledgeable employees.
The Initiative to Build and Maintain a Complete and Accurate Assessment of America's Critical Infrastructure and Key Assets
With some exceptions, most infrastructure sectors are only at the beginning stages of assessing infrastructure and key assets. The National Strategy for the Physical Protection of Critical Infrastructure and Key Assets (February 2003) provides a helpful overview of the status of such efforts. It also provides a plan of action. There appear, however, to be many unresolved issues including the level of detail that is needed or sought when it comes to undertaking such assessments. Some might refer to this initiative as a "boil the ocean" initiative, owing to the daunting amount of data that would be sought and processed. The costs of such undertakings are also in question. Another question is the extent to which government will be directing, facilitating, and/or controlling the process. In addition, there is a question concerning the availability of individuals with the knowledge, skills, experience, and expertise to carry out the assessments.
For those sectors just starting out, the likelihood of achieving goals set by the Administration seems quite problematic as of March 2003. Some additional reasons for this beyond those just mentioned involve the technical, as well as practical feasibility of completing assessments involving such an overwhelming amount of information and requiring such extraordinary skills of research, synthesis, analysis, and understanding.
Another reason that the success of efforts is problematic is that faulty assumptions are being made concerning the "solvability' of the problem. One can also question the usefulness of assessments that provide an overabundance of information, and an amount that some would argue far exceeds the amount of information needed to take effective action. The approaches to assessment that are described in the National Strategy for Homeland Security (July 2002), the National Homeland Security Act of 2002 establishing the Department of Homeland Security (November 2002), and The National Strategy for the Physical Protection of Critical Infrastructure and Key Assets (February 2003) seem to be geared toward implementation of a micromanaged strategy. Yet, micromanagement and crisis management are not compatible since the former assumes a predictable environment. Crisis management takes place in an unpredictable environment and calls on skills and approaches that are quite different from those involved in micromanagement. A major question that needs to be addressed is this: Are we in an environment that is essentially predictable or are we in a turbulent environment that calls for crisis management and extraordinary flexibility and creative thinking and problemsolving? The documents just mentioned seem to be based on the assumption that we are in an essentially predictable and stable environment, not a turbulent environment in which immediate and near term actions to address problems are needed. The alternative approach that will be described in this paper assumes that we are in the latter kind of environment and that crisis management is needed to address immediate problems, challenges, and threats.
Assessments and Action
Consider an analogous hypothetical situation involving national health policy: How would national health policy be affected if a decision were made to conduct a detailed health assessment every child in the nation? Even if time and resources permitted the completion of a health assessment of every child, how could such detailed assessments be used in a timely way to determine what actions needed to be taken? Isn't there a point at which you can gather more information than you need in order to take action? It there a point at which you can gather more information than you can possibly use?
Looked at from a slightly different perspective, what would the difference in policies and actions likely be if we were to address health problems based on the needs that are already known and obvious as opposed to waiting to address health problems until after an extensive and comprehensive assessment were completed? Would policies and actions be likely to be that much more effective if it were possible to have perfect knowledge of the nature and extent of the problem? Might it be possible to arrive at a sufficient assessment of what needs to be done without undertaking a long term, time and resource intensive assessment? Might it be possible to make a quick assessment relying on an understanding of facts that are known or that are discernible in the near term, based on common sense, experience, knowledge, wisdom, and good judgment? Isn't that the approach that the best and most effective leaders and managers have always used in a crisis situation? Indeed, in a Federally-declared disaster, quick assessments of damage are required in order to qualify for Federal assistance. The assessments need to be quick so that action can be taken as soon as possible to minimize the impacts of a disaster and to proceed with the response and recovery process.
There is a need to recognize that a crisis situation full of unknowns calls for common sense, experience, and wise and courageous action that take into consideration that which is already obvious. The alternative approach outlined in this paper emphasizes the need for taking action in as timely a manner as possible while basing actions on immediate or near term assessments of the situation.
The Initiative to Develop a National Infrastructure Plan
The National Strategy for the Physical Protection of Critical Infrastructure and Key Assets (February 2003) is a major milestone in the development of a critical infrastructure protection plan. This strategy document, along with The National Strategy to Secure Cyberspace (February 2003) constitute the most fully elucidated plans released by the government on infrastructure protection since 9/11. A major emphasis of The National Strategy for the Physical Protection of Critical Infrastructure and Key Assets is assessment. The concerns just raised regarding assessment-related initiatives are relevant here as well. There may need to be a reworking of the approach if there is to be buy-in on the part of those in the private sector who own and have responsibility for upwards of 85% of the critical infrastructure. If the plan is to provide a basis for collaborative efforts, that is one thing. If the focus is on government regulation or centralized planning, then major resistance can be expected. In addition to the question of "buy in", there are potential major issues involving proprietary or closely-held information. There are concerns regarding costs, accountability, and liability. The plan that is detailed in The National Strategy for the Physical Protection of Critical Infrastructure and Key Assets may be viewed in some ways as a "one size fits all" approach. It also would seem to require micromanagement to implement. It seems highly unlikely that such an approach would find widespread acceptance even if the task were feasible and resources were readily available. Instead an approach that focused more on near term positive actions could be taken. Such an approach could focus on enhancing preparedness, protection, security, contingency planning, response and recovery capabilities, consequence management, and continuity planning. This alternative approach would seem more feasible, acceptable, and helpful than undertaking long term assessments and waiting to determine what actions to take to enhance these capabilities and preparedness efforts. If decisionmakers cannot let go of their emphasis on long term, time and resource intensive assessments, then it would seem extremely important to implement a second and simultaneous strategy, one that focuses on addressing preparedness, security, and continuity needs in the near term, while also focusing on constantly improving near term readiness for dealing with challenges and problems that might occur.
The Initiative Aimed at Securing Cyberspace
A new national strategy for securing cyberspace, The National Strategy to Secure Cyberspace, was released in February of 2003. Efforts to develop a national infrastructure plan and actions to secure cyberspace have been ongoing since the issuance of PDD/NSC-63. Implementation efforts have been amplified and taken on new dimensions since 9/11. However, even with the release of The National Strategy to Secure Cyberspace in February, efforts do not seem to include the same kind of pragmatic focus that was apparent during Y2K. A difference between that time and the present is that during the years preceding the Y2K rollover, there was sufficient recognition and understanding of the threats and challenges posed by Y2K-related failures, including cascading failures that could have been triggered. At present, there is no comparable level of recognition and understanding of the seriousness of the threats of cyberterrorism and cyberwarfare and threats to cybersecurity and continuity. Plans of actions are needed that are based on an understanding of the nature of the threats and on an understanding of what needs to be done. Leadership and facilitation of efforts appears fragmented and a common sense of direction appears to be missing. There is also a question concerning how priorities will be determined. In addition, there is another question: How well will cross sector vulnerabilities be addressed? While vulnerabilities involving digital control systems (DCS) and Supervisory Control & Data Acquisition (SCADA) Systems are discussed in The National Strategy to Secure Cyberspace, the difficulties of implementing approaches that address such vulnerabilities do not seem to be fully acknowledged or well thought through. Vulnerabilities relating to the satellites and the Global Positioning System (GPS) in particular seem to be overlooked.
As regards actions needed to enhance cybersecurity, the recommended guidance that existed prior to February 2003 did not seem to be reaching those who needed it, including those inside government. (Witness the results of the report card for 24 Federal agencies that Congressman Horn issued in 2002. This assessment will be more fully described below.) Whether the latest guidance that can be found in The National Strategy to Secure Cyberspace will have the hoped for effect seems doubtful. It order for it to be effective, it would need to be accompanied by exceedingly successful awareness raising, education and training, and technical assistance initiatives that equaled, if not surpassed approaches used for Y2K. To be successful it would seem helpful that such approaches build on Y2K legacies and lessons learned. (This topic is discussed more fully in Paula D. Gordon, November 2001.)
A comprehensive multi-pronged approach is needed that includes a focus on a range of concerns:
The Initiative to Harness the Best Analytic and Modeling Tools to Develop Effective Protective Solutions
Efforts to date appear to be fragmented and a variety of very different approaches appear to be under consideration. These approaches reflect a wide array of problem definitions and implicit values and purposes that are not necessarily in accord with the stated goals of homeland security and critical infrastructure security and continuity efforts.
The kinds of tools envisaged by those emphasizing the importance of this initiative may indeed be developed and they may be used, but how useful can such tools be in advancing overall homeland security and critical infrastructure protection efforts? In order to have real utility they would need to be based on a realistic understanding of the nature and scope of the problem that needed to be addressed. For instance, modeling a response or an alternative response to the anthrax attack of that kind that occurred in October of 2001 would need to take into consideration the organizational, jurisdictional, political, and cultural aspects involved in the situation. Questions concerning who's in charge? and where are the resources coming from? would be questions that need to be addressed in any modeling of a possible approach.
It might be equally if not more helpful to focus on lessons that could be gleaned from other situations that bear some similarity to the kinds of problems, threats, and challenges that we are facing now and that we are likely to face in the future. Scenarios could be considered. Simple as well as complicated scenarios can be effectively used for educational and training purposes. Much can be gleaned from the study of lessons learned in crisis situation that have occurred since 9/11, and all of these approaches may be of particular use to planners, crisis managers, and decisionmakers.
It would also be helpful to focus efforts on creating and sustaining healthy organizational cultures. It would be helpful to focus attention on building open lines of communication and trust among those who have perhaps not worked too well in emergency situations in the past, individuals who are likely to need to work together in the future. Memoranda of understanding could be worked out amongst the agencies, institutions, and jurisdictions that need to be working together to plan and prepare for contingencies and take other actions aimed at meeting homeland security and critical infrastructure protection goals.
The Initiative to Guard America's Critical Infrastructure and Key Assets Against 'Inside' Threats
The National Strategy for the Physical Protection of Critical Infrastructure and Key Assets has certainly been the farthest reaching elucidation of a plan of action to date. Still, there does not seem to be the kind of focus on the need for immediate and near term action that was apparent during Y2K. This may be owing in part to the fact that there is no universal recognition of the nature and scope of the threat. In addition there is no widespread understanding of steps that need to be taken. The costs associated with taking action may also slow the decisionmaking and implementation process. Leadership and facilitation of efforts to address challenges appear fragmented and a common sense of direction appears to be missing. Relevant guidance does not appear to be reaching those who need it. Well-coordinated efforts to get the message out, including the strategies released in February of 2003, are not evident.
Much needs to change in order to achieve a higher level of security and to ensure that efforts to meet security and continuity challenges are maximized. A more effective course of action is needed, one that helps ensure that guidance and technical assistance reaches those who could use it and one that also helps ensure that guidance and technical assistance are made available in a variety of inexpensive and easily deployable forms, including online. (See Paula D. Gordon, January 2002 for recommendations concerning uses of e-technology to advance homeland security efforts; January 2003 for current references and resources; and November 2001 regarding relevant Y2K lessons to be learned. Also see 1998 and 1999 for an overview of specific actions recommended for Y2K that would also maximize many of the kinds of efforts needed post-9/11.)
Overall Critical Infrastructure Protection Efforts
Prior to the release of The National Strategy to Secure Cyberspace and The National Strategy for the Physical Protection of Critical Infrastructure and Key Assets, the nature and extent of efforts seemed less focused, less well defined and less well coordinated than Y2K efforts. With the release of these two strategic action documents, efforts do seem to be better focused and better defined than they had been previously. Implementation of the strategies described in The National Strategy to Secure Cyberspace (February 2003) would seem dependent on the emergence of individuals with leadership and managerial skills and resources who are able to help facilitate implementation of those strategies. The strategies described in the National Strategy for the Physical Protection of Critical Infrastructure and Key Assets (February 2003) will face similar challenges, plus some additional ones. That strategy document appears to be prescribing a micromanaged approach to critical infrastructure protection and security, a kind of approach that could well prove unworkable on several levels. First of all there is a likely reluctance on the part of the private sector (and even parts of the public sector) to go along with the approach being prescribed. The approach would likely meet with considerable resistance if it is perceived as being ill-fitting and/or top down. The approach might also be difficult to implement owing to the need for considerable expertise to undertake a micro-level assessment effort and then develop and micromanage the implementation of the plans that would presumably follow from such an assessment effort.
Sector efforts in which notable headway has been made in the area of critical infrastructure protection and security include: air and marine transportation, banking and finance, electric power (the North American Electric Reliability Council), telecommunications; and oil and gas (the National Petroleum Council). The cross sector efforts of the Partnership for Critical Infrastructure Security (www.pcis.org) have also made promising strides.
In order for goals to be achieved in our current crisis environment, efforts need to be undertaken that reflect a broad and realistic understanding of the problem as well as a realistic assessment of current challenges and threats based on what is already readily known. At present, the initiatives as they have been developed do not seem to reflect such a focus, They do not seem to recognize that there is a need to be ready, prepared, and protected with contingency plans in place "yesterday". Current efforts also seem to be based on faulty assumptions regarding the potential usefulness of micro-oriented analytic approaches and tools. Current efforts do not seem to be based on an adequate understanding of qualitative and non-quantifiable factors. They also seem to be based on faulty assumptions concerning the "solvability' of the problem, including especially the solvability of current problems and challenges using traditionally used methods. In addition, there seems to be a failure on the part of many to understand the implications of the crisis that we are in. There seems to be a failure to come to grips with the fact that we are in a situation that is full of unknowns, a situation that calls for common sense, experience, and wise and courageous action.
Many seem to have difficulty grasping the fact that predicting the behavior of homicidal/suicidal terrorists with any degree of certainty is not within the realm of possibility. Many also seem to have difficulty grasping the full implications that the presence and persistence of so many homicidal/suicidal terrorists have for the security of the nation and the world, as well as the future stability of civilization.
In addition, many seem to have difficulty recognizing how essential near term actions are and how essential it is that near term actions are taken now to maximize preparedness, mitigation, protective measures, security, contingency planning, crisis response and management capabilities, consequence management and recovery capabilities, and continuity of operations planning. These are key to maximizing efforts to address present threats and challenges.
There are similar difficulties in recognizing that actions that are taken to maximize preparedness, mitigation, protective measures, security, contingency planning, crisis response and management capabilities, consequence management and recovery capabilities, and continuity of operations planning need to designed to serve multiple purposes at once. Through using ingenuity and common sense, it is possible to design actions that serve multiple purposes, actions that serve simultaneously to strengthen national, economic, and individual and societal security.
It should be noted that the government's Ready Campaign (www.ready.gov) that was launched in February 2003 represents a major step forward when it comes to preparedness, but these efforts do not begin as yet to equal Y2K preparedness efforts provided for during 1999 by the Federal Emergency Management Agency (FEMA) and the American Red Cross. Unlike Y2K preparedness efforts, there are no well publicized community-based efforts as yet. There are also no phone hot lines that the public can use to address questions to information specialists. There are also no hotlines that the public can use to check out rumors. There are not specialized hotlines that State and local officials can use to get responses to their questions.
The Ready Campaign that was launched in February 2003 provides guidance information in print and online. These encourage the public to stock three days of supplies. Such a stock of supplies would of course be helpful in a wide range of emergency situations, including man-made and natural disasters. Guidance that was issued in 1999 close to the Y2K rollover emphasized the need for 7 - 10 days of supplies. Older FEMA material had recommended two weeks of supplies. There is no reason that such initiatives could not be urged now.
There is also no comparable online policy forum, such as the one that the General Services Administration had hosted during 1998 and 1999 for Y2K. Such a forum might be helpful in surfacing and sharing valuable suggestions concerning ways to improve current efforts and build on the expertise and insight of those who may not presently be in roles of public responsibility.
The need for clearinghouse efforts is noted in the strategy documents released in February 2003. Such efforts include providing for the dissemination of information concerning lessons learned and best practices. They need to do so both reactively and proactively. They also a need to provide education, training, and technical assistance.
In sum, there are many ways that current efforts could be improved or augmented. Copious amounts of far-sightedness are needed in our current situation. Efforts need to be informed by self honesty, common sense, understanding, ingenuity, good will, humanity, belt-tightening, selfless service, and commitment to addressing the extraordinary challenges and threats facing us.
Last, but not least, the nation is still recovering from 9/11 and subsequent attacks. The fact that these impacts are still very much with us needs to be fully acknowledged and addressed.
Elements that the Current Approaches and the Alternative Approach Share
In his book, Silence, John Cage tells a story about Arnold Schoenberg, the composer. Schoenberg was teaching a class on music composition at UCLA. He posed a musical composition problem to the class and asked the class to come up with a solution. A solution was offered. Then he asked for additional solutions and the class came up with additional solutions. Finally, he asked the class what did all the solutions have in common?
Perhaps Schoenberg's questions can be applied to the problem of homeland security and critical infrastructure protection. What common elements can be found in approaches that are needed to address the homeland security and critical infrastructure problems, challenges, and threats?