Part 2
What follows is a preliminary assessment of efforts made to date regarding homeland security and critical infrastructure protection initiatives. Several questions are raised here regarding the progress that has been made to date involving homeland security and critical infrastructure security and continuity. These questions include the following: Has the Administration made progress in implementing its efforts thus far? Is the implementation of these efforts likely to help ensure realization of the Administration's stated goals? Would a change in strategy and the implementation of other initiatives be more likely to ensure the realization of the Administration's goals? If so, what would those alternative or modified initiatives look like? Six of the initiatives just noted are viewed here in light of these questions.

The Initiative to Unify America's Infrastructure Protection Efforts in the Department of Homeland Security

In order to be successful in implementing this
initiative, adequate attention needs to be given to organizational culture
and change issues. This can be accomplished through providing education
and training for those in government who have responsibilities relating to
homeland security and critical infrastructure security and continuity,
including those in positions of greatest responsibility. In order for
efforts to be maximized, there needs to be present both a common
understanding of the challenges being faced, as well as a common sense of
purpose. Reorganization is no guarantee that individuals from extremely
different professional backgrounds and organizational cultures, and
individuals from organizations that have had markedly different missions will
be able to collaborate effectively. Managerial skills, leadership, and
education and training may well be key to the success of reorganization
efforts. (Education and training initiatives that would address
these concerns are described in some detail in Paula D. Gordon, August
2002).

Regarding the physical location of the
Department, there is an argument to be made for leaving the parts of the new
Department where they are at present and using cybertechnology and
telecommunications to maintain a virtual organization. The
productivity of the Department might be enhanced greatly if there were no
major disruptions owing to physical relocation of various parts of the
Department. If massive relocations take place, the Department would
likely lose numerous skilled and knowledgeable employees.

The Initiative to Build and Maintain a Complete and Accurate Assessment of America's Critical Infrastructure and Key Assets

With some exceptions, most infrastructure
sectors are only at the beginning stages of assessing infrastructure and key
assets. The National Strategy for the Physical Protection of
Critical Infrastructure and Key Assets (February 2003) provides a helpful
overview of the status of such efforts. It also provides a plan of
action. There appear, however, to be many unresolved issues including
the level of detail that is needed or sought when it comes to undertaking
such assessments. Some might refer to this initiative as a "boil
the ocean" initiative, owing to the daunting amount of data that would
be sought and processed. The costs of such undertakings are also in
question. Another question is the extent to which government will be
directing, facilitating, and/or controlling the process. In addition,
there is a question concerning the availability of individuals with the
knowledge, skills, experience, and expertise to carry out the
assessments.

For those sectors just starting out, the
likelihood of achieving goals set by the Administration seems quite
problematic as of March 2003. Some additional reasons for this beyond
those just mentioned involve the technical, as well as practical feasibility
of completing assessments involving such an overwhelming amount of
information and requiring such extraordinary skills of research, synthesis,
analysis, and understanding.

Another reason that the success of efforts is
problematic is that faulty assumptions are being made concerning the
"solvability" of the problem. One can also question the
usefulness of assessments that provide an overabundance of information, and
an amount that some would argue far exceeds the amount of information needed
to take effective action.

The approaches to assessment that are
described in the National Strategy for Homeland Security
(July 2002), the National Homeland Security Act of 2002 establishing the
Department of Homeland Security (November 2002), and The National
Strategy for the Physical Protection of Critical Infrastructure and Key
Assets (February 2003) seem to be geared toward implementation of a
micromanaged strategy. Yet, micromanagement and crisis management are not
compatible since the former assumes a predictable environment. Crisis
management takes place in an unpredictable environment and calls on skills
and approaches that are quite different from those involved in
micromanagement.

A major question that needs to be addressed is
this: Are we in an environment that is essentially predictable or are
we in a turbulent environment that calls for crisis management and
extraordinary flexibility and creative thinking and
problem solving? The documents just mentioned seem to be based on
the assumption that we are in an essentially predictable and stable
environment, not a turbulent environment in which immediate and near term
actions to address problems are needed. The alternative approach that
will be described in this paper assumes that we are in the latter kind of
environment and that crisis management is needed to address immediate
problems, challenges, and threats.

Assessments and Action

Consider an analogous hypothetical situation
involving national health policy: How would national health policy be
affected if a decision were made to conduct a detailed health assessment
of every child in the nation? Even if time and resources permitted
the completion of a health assessment of every child, how could such detailed
assessments be used in a timely way to determine what actions needed to be
taken? Isn't there a point at which you can gather more information
than you need in order to take action? Is there a point at which you
can gather more information than you can possibly use?

Looked at from a slightly different
perspective, what would the difference in policies and actions likely be if
we were to address health problems based on the needs that are already known
and obvious as opposed to waiting to address health problems until after an
extensive and comprehensive assessment were completed? Would
policies and actions be likely to be that much more effective if it were
possible to have perfect knowledge of the nature and extent of the
problem? Might it be possible to arrive at a sufficient assessment of
what needs to be done without undertaking a long term, time and resource
intensive assessment? Might it be possible to make a quick assessment
relying on an understanding of facts that are known or that are discernible
in the near term, based on common sense, experience, knowledge, wisdom, and
good judgment? Isn't that the approach that the best and most effective
leaders and managers have always used in a crisis situation? Indeed, in
a Federally-declared disaster, quick assessments of damage are required in
order to qualify for Federal assistance. The assessments need to
be quick so that action can be taken as soon as possible to minimize the
impacts of a disaster and to proceed with the response and recovery process.

There is a need to recognize that a crisis
situation full of unknowns calls for common sense, experience, and wise and
courageous action that takes into consideration that which is already
obvious. The alternative approach outlined in this paper emphasizes the
need for taking action in as timely a manner as possible while basing actions
on immediate or near term assessments of the situation.

The Initiative to Develop a National Infrastructure Plan

The National Strategy for the Physical
Protection of Critical Infrastructure and Key Assets (February 2003) is a
major milestone in the development of a critical infrastructure protection
plan. This strategy document, along with The National Strategy
to Secure Cyberspace (February 2003) constitute the most fully
elucidated plans released by the government on infrastructure protection
since 9/11. A major emphasis of The National Strategy for the
Physical Protection of Critical Infrastructure and Key Assets is
assessment. The concerns just raised regarding assessment-related
initiatives are relevant here as well. There may need to be a reworking
of the approach if there is to be buy-in on the part of those in the private
sector who own and have responsibility for upwards of 85% of the critical
infrastructure. If the plan is to provide a basis for collaborative
efforts, that is one thing. If the focus is on government regulation or
centralized planning, then major resistance can be expected. In
addition to the question of "buy in", there are potential major
issues involving proprietary or closely-held information. There
are concerns regarding costs, accountability, and liability. The plan that is
detailed in The National Strategy for the Physical Protection of
Critical Infrastructure and Key Assets may be viewed in some ways as
a "one size fits all" approach. It also would seem to require
micromanagement to implement. It seems highly unlikely that such an
approach would find widespread acceptance even if the task were feasible and
resources were readily available. Instead, an approach that
focused more on near term positive actions could be taken. Such an
approach could focus on enhancing preparedness, protection, security,
contingency planning, response and recovery capabilities, consequence
management, and continuity planning. This alternative approach would
seem more feasible, acceptable, and helpful than undertaking long term
assessments and waiting to determine what actions to take to enhance these
capabilities and preparedness efforts. If decisionmakers cannot
let go of their emphasis on long term, time and resource intensive
assessments, then it would seem extremely important to implement a second and
simultaneous strategy, one that focuses on addressing preparedness, security,
and continuity needs in the near term, while also focusing on constantly
improving near term readiness for dealing with challenges and problems that
might occur.

The Initiative Aimed at Securing Cyberspace

A new national strategy for securing
cyberspace, The National Strategy to Secure Cyberspace, was
released in February of 2003. Efforts to develop a national
infrastructure plan and actions to secure cyberspace have been ongoing since
the issuance of PDD/NSC-63. Implementation efforts have been amplified
and taken on new dimensions since 9/11. However, even with the
release of The National Strategy to Secure Cyberspace in
February, efforts do not seem to include the same kind of pragmatic focus
that was apparent during Y2K. A difference between that time and the
present is that during the years preceding the Y2K rollover, there was
sufficient recognition and understanding of the threats and challenges posed
by Y2K-related failures, including cascading failures that could have been
triggered. At present, there is no comparable level of recognition and
understanding of the seriousness of the threats of cyberterrorism and
cyberwarfare and threats to cybersecurity and continuity. Plans of
actions are needed that are based on an understanding of the nature of the
threats and on an understanding of what needs to be done.
Leadership and facilitation of efforts appear fragmented and a common sense
of direction appears to be missing. There is also a question concerning
how priorities will be determined. In addition, there is another
question: How well will cross sector vulnerabilities be
addressed? While vulnerabilities involving digital control
systems (DCS) and Supervisory Control & Data Acquisition (SCADA) Systems
are discussed in The National Strategy to Secure Cyberspace,
the difficulties of implementing approaches that address such vulnerabilities
do not seem to be fully acknowledged or well thought through.
Vulnerabilities relating to satellites and the Global Positioning System
(GPS) in particular seem to be overlooked.

As regards actions needed to enhance
cybersecurity, the recommended guidance that existed prior to February 2003
did not seem to be reaching those who needed it, including those inside
government. (Witness the results of the report card for 24 Federal
agencies that Congressman Horn issued in 2002. This assessment will be
more fully described below.) Whether the latest guidance that can be
found in The National Strategy to Secure Cyberspace will
have the hoped-for effect seems doubtful. In order for it to be
effective, it would need to be accompanied by exceedingly successful
awareness raising, education and training, and technical assistance
initiatives that equaled, if not surpassed, approaches used for
Y2K. To be successful it would seem helpful that such approaches build
on Y2K legacies and lessons learned. (This topic is discussed more
fully in Paula D. Gordon, November 2001.)

A comprehensive multi-pronged approach is
needed that includes a focus on a range of concerns:

The Initiative to Harness the Best Analytic and Modeling Tools to Develop Effective Protective Solutions

Efforts to date appear to be fragmented and a
variety of very different approaches appear to be under consideration.
These approaches reflect a wide array of problem definitions and implicit
values and purposes that are not necessarily in accord with the stated goals
of homeland security and critical infrastructure security and continuity
efforts.

The kinds of tools envisaged by those
emphasizing the importance of this initiative may indeed be developed and
they may be used, but how useful can such tools be in advancing overall
homeland security and critical infrastructure protection efforts?
In order to have real utility they would need to be based on a realistic
understanding of the nature and scope of the problem that needed to be
addressed. For instance, modeling a response or an alternative response
to an anthrax attack of the kind that occurred in October of 2001 would
need to take into consideration the organizational, jurisdictional,
political, and cultural aspects involved in the situation.
Questions such as "Who's in charge?" and "Where are the resources coming
from?" would need to be addressed in any modeling of a
possible approach.

It might be equally if not more helpful to
focus on lessons that could be gleaned from other situations that bear some
similarity to the kinds of problems, threats, and challenges that we are
facing now and that we are likely to face in the future. Scenarios could be
considered. Simple as well as complicated scenarios can be effectively
used for educational and training purposes. Much can be gleaned from
the study of lessons learned in crisis situations that have occurred since
9/11, and all of these approaches may be of particular use to planners, crisis
managers, and decisionmakers.

It would also be helpful to focus efforts on
creating and sustaining healthy organizational cultures. It would
be helpful to focus attention on building open lines of communication and
trust among those who have perhaps not worked too well in emergency
situations in the past, individuals who are likely to need to work together
in the future. Memoranda of understanding could be worked out amongst
the agencies, institutions, and jurisdictions that need to be working together
to plan and prepare for contingencies and take other actions aimed at meeting
homeland security and critical infrastructure protection goals.

The Initiative to Guard America's Critical Infrastructure and Key Assets Against 'Inside' Threats

The National Strategy for the Physical
Protection of Critical Infrastructure and Key Assets has certainly been
the farthest reaching elucidation of a plan of action to date.
Still, there does not seem to be the kind of focus on the need for immediate
and near term action that was apparent during Y2K. This may be owing in
part to the fact that there is no universal recognition of the nature and
scope of the threat. In addition there is no widespread understanding
of steps that need to be taken. The costs associated with taking action
may also slow the decisionmaking and implementation process. Leadership
and facilitation of efforts to address challenges appear fragmented and a
common sense of direction appears to be missing. Relevant guidance does
not appear to be reaching those who need it. Well-coordinated efforts
to get the message out, including the strategies released in February of
2003, are not evident.

Much needs to change in order to achieve a
higher level of security and to ensure that efforts to meet security and
continuity challenges are maximized. A more effective course of action
is needed, one that helps ensure that guidance and technical assistance
reach those who could use it and one that also helps ensure that guidance
and technical assistance are made available in a variety of inexpensive and
easily deployable forms, including online. (See Paula D. Gordon,
January 2002 for recommendations concerning uses of e-technology to advance
homeland security efforts; January 2003 for current references and resources;
and November 2001 regarding relevant Y2K lessons to be learned. Also
see 1998 and 1999 for an overview of specific actions recommended for Y2K
that would also maximize many of the kinds of efforts needed post-9/11.)

Overall Critical Infrastructure Protection Efforts

Prior to the release of The National
Strategy to Secure Cyberspace and The National
Strategy for the Physical Protection of Critical Infrastructure and Key
Assets, the nature and extent of efforts seemed less focused, less
well defined and less well coordinated than Y2K efforts. With the
release of these two strategic action documents, efforts do seem to be better
focused and better defined than they had been previously.
Implementation of the strategies described in The National Strategy
to Secure Cyberspace (February 2003) would seem dependent on the
emergence of individuals with leadership and managerial skills and resources
who are able to help facilitate implementation of those strategies. The
strategies described in the National Strategy for the Physical
Protection of Critical Infrastructure and Key Assets (February 2003)
will face similar challenges, plus some additional ones. That strategy
document appears to be prescribing a micromanaged approach to critical
infrastructure protection and security, a kind of approach that could well
prove unworkable on several levels. First of all there is a likely
reluctance on the part of the private sector (and even parts of the public
sector) to go along with the approach being prescribed. The
approach would likely meet with considerable resistance if it is perceived as
being ill-fitting and/or top down. The approach might also be difficult
to implement owing to the need for considerable expertise to undertake a
micro-level assessment effort and then develop and micromanage the
implementation of the plans that would presumably follow from such an
assessment effort.

Sector efforts in which notable headway has
been made in the area of critical infrastructure protection and security
include: air and marine transportation, banking and finance, electric power
(the North American Electric Reliability Council), telecommunications, and
oil and gas (the National Petroleum Council). The cross sector efforts
of the Partnership for Critical Infrastructure Security (www.pcis.org) have also made
promising strides.

In order for goals to be achieved in our
current crisis environment, efforts need to be undertaken that reflect
a broad and realistic understanding of the problem as well as a realistic
assessment of current challenges and threats based on what is already readily
known. At present, the initiatives as they have been developed do not
seem to reflect such a focus. They do not seem to recognize that there
is a need to be ready, prepared, and protected with contingency plans in
place "yesterday". Current efforts also seem to
be based on faulty assumptions regarding the potential usefulness of
micro-oriented analytic approaches and tools. Current efforts do not
seem to be based on an adequate understanding of qualitative and
non-quantifiable factors. They also seem to be based on faulty
assumptions concerning the "solvability" of the problem, including
especially the solvability of current problems and challenges using
traditionally used methods. In addition, there seems to be a failure on
the part of many to understand the implications of the crisis that we are
in. There seems to be a failure to come to grips with the fact
that we are in a situation that is full of unknowns, a situation that calls
for common sense, experience, and wise and courageous action.

Many seem to have difficulty grasping the fact
that predicting the behavior of homicidal/suicidal terrorists with any degree
of certainty is not within the realm of possibility. Many also
seem to have difficulty grasping the full implications that the presence and
persistence of so many homicidal/suicidal terrorists have for the security of
the nation and the world, as well as the future stability of
civilization.

In addition, many seem to have difficulty
recognizing how essential near term actions are and how essential it is that
near term actions are taken now to maximize preparedness, mitigation,
protective measures, security, contingency planning, crisis response and
management capabilities, consequence management and recovery capabilities,
and continuity of operations planning. These are key to
maximizing efforts to address present threats and challenges.

There are similar difficulties in recognizing
that actions that are taken to maximize preparedness, mitigation, protective
measures, security, contingency planning, crisis response and management
capabilities, consequence management and recovery capabilities, and
continuity of operations planning need to be designed to serve multiple purposes
at once. Through using ingenuity and common sense, it is possible to
design actions that serve multiple purposes, actions that serve
simultaneously to strengthen national, economic, and individual and societal
security.

It should be noted that the government's Ready
Campaign (www.ready.gov) that was launched
in February 2003 represents a major step forward when it comes to preparedness,
but these efforts do not begin as yet to equal Y2K preparedness efforts
provided for during 1999 by the Federal Emergency Management Agency (FEMA)
and the American Red Cross. Unlike Y2K preparedness efforts, there are
no well publicized community-based efforts as yet. There are also no
phone hot lines that the public can use to address questions to information
specialists. There are also no hotlines that the public can use to
check out rumors. There are no specialized hotlines that State and
local officials can use to get responses to their questions.

The Ready Campaign that was launched in
February 2003 provides guidance information in print and online. These
encourage the public to stock three days of supplies. Such a stock of
supplies would of course be helpful in a wide range of emergency situations,
including man-made and natural disasters. Guidance that was issued in
1999 close to the Y2K rollover emphasized the need for 7 - 10 days of
supplies. Older FEMA material had recommended two weeks of
supplies. There is no reason that such initiatives could not be
urged now.

There is also no comparable online policy
forum, such as the one that the General Services Administration had hosted
during 1998 and 1999 for Y2K. Such a forum might be helpful in
surfacing and sharing valuable suggestions concerning ways to improve current
efforts and build on the expertise and insight of those who may not presently
be in roles of public responsibility.

The need for clearinghouse efforts is noted in
the strategy documents released in February 2003. Such efforts include
providing for the dissemination of information concerning lessons learned and
best practices. They need to do so both reactively and
proactively. They also need to provide education, training, and
technical assistance.

In sum, there are many ways that current
efforts could be improved or augmented. Copious amounts of
far-sightedness are needed in our current situation. Efforts need to be
informed by self honesty, common sense, understanding, ingenuity, good will,
humanity, belt-tightening, selfless service, and commitment to addressing the
extraordinary challenges and threats facing us.

Last, but not least, the nation is still
recovering from 9/11 and subsequent attacks. The fact that these
impacts are still very much with us needs to be fully acknowledged and
addressed.

Elements that the Current Approaches and the Alternative Approach Share

In his book, Silence, John
Cage tells a story about Arnold Schoenberg, the composer. Schoenberg
was teaching a class on music composition at UCLA. He posed a musical
composition problem to the class and asked the class to come up with a
solution. A solution was offered. Then he asked for
additional solutions and the class came up with additional solutions.
Finally, he asked the class what all the solutions had in common.

Perhaps Schoenberg's questions can be applied
to the problem of homeland security and critical infrastructure
protection. What common elements can be found in approaches that are
needed to address the homeland security and critical infrastructure problems,
challenges, and threats?