April 7, 2006 By Alison Lake
State and local governments were once given federal funds based on a formula of population and broad categories of risk assessment. The formulas have varied generally according to credible threat, presence of critical infrastructure, vulnerability and population density.
In January 2006, the process changed significantly, and disbursements are directly tied to need and risk assessment.
Now officials at all levels face much stiffer competition for homeland security dollars, and must present specific risk assessments, strategies and budget breakdowns. This year's grant assessment requires analysis of threat and vulnerability, and the extent of mutual aid cooperation. Governments seeking grants must explain allocation on strategic priorities such as IT for homeland security preparedness and the expected results.
This change in procurement has short- and long-term implications for IT initiatives that support homeland security around the nation.
Washington Pays Attention
IT and cyber-security at the state level now get more attention from Washington, D.C. than in past years. There is greater focus on the possibility that breaks in cyber-security can affect key industries and financial security. IT security solutions, firewalls and intrusion systems are increasingly seen as crucial to disaster preparedness, emergency management and prevention of more mundane cyber-attacks that, in the right combination, could knock a city out cold. Improved technology to remove the lags in communication when one system goes down is becoming a top priority countrywide.
In a short period of time, all levels of government have had to adjust their approach to risk management. "Officials may be inclined to treat cyber-related risks as an afterthought, or not at all," noted John A. McCarthy, director of the Critical Infrastructure Protection Program at the George Mason University School of Law. "When measured against a dirty bomb, for example, senior managers have a hard time entertaining discussion on cyber-issues. But we learned during Katrina that communications and situational awareness are essential, and so public-sector information professionals must then enter the fray."
Marcus Sachs, deputy director of the DHS's Cyber Security Research and Development Center at SRI International and former White House staff member on the National Security Council, agrees.
"The underpinning of our economy is electronic," he said. "Disruption to this system will make ripples in the physical world. Since the 9/11 attacks, the national reaction has been more a physical response. An electronic attack could be just as devastating as a biochemical attack. A cyber-attack on a computer network that runs the physical networks would disrupt the physical structure and cause a cascade effect."
Nonetheless, the misperception that homeland security funds are primarily to be used for fighting what is widely understood as terrorism has been widespread. "Obviously those tools are important, but we have other things to contend with, such as animal and human safety during the aftermath of a disaster of any kind -- bio-terrorism, natural disasters, you name it," observed Denise Moore, chief information technology officer of Kansas, and chair of the executive committee of the National Association of State Chief Information Officers (NASCIO). "These risks are different, but nevertheless very important."
In the years and months since 9/11 and Hurricane Katrina, perception has grown that collaboration in IT is essential to physical preparedness. "Every government uses IT equipment in some way, and it must be used during any crisis or disaster," Moore said. "There is always a technology component behind every agency, and that has been very important to this whole effort. As an IT community we have to be alert and aware of any possible attacks on communications. We've been in a good position through NASCIO, through information sharing and interaction to hear what is happening with the states. As an example, the numbers vary from state to state, but thousands of cyber-attacks take place every day on state networks."
Seattle Seeds IT Security
Some areas have been leaders in the drive to use IT to achieve homeland security goals. Seattle's 2003 simulation of a dirty bomb attack involved most governments in western Washington, and measured regional and federal response. An unpublicized component was a simulated attack by hackers on government networks and radio, and computer communications systems -- all essential for conveying information among agencies and to citizens. "This was the seed event we used in developing programs and seeking funding for cyber-security in our urban areas," said Bill Schrier, Seattle's chief technology officer.
"Cyber-security is one piece of how we've spent the money on information technology. One of the pieces of software we acquired from homeland security funds protected us from the recent Microsoft browser virus," said Schrier. "We had 20 to 50 hits a day infected with this virus, but $100,000 in software we acquired protected us. This demonstrated one of the ways we used the funds to actually protect city government. Last year we didn't have a single outbreak of a virus or worm in city government."
Schrier added that the public safety communications network in the county was dated prior to 9/11. Also, the radio communications interoperability networking police, firefighters and other emergency services were funded by several sources, including Washington state. "With new Seattle area homeland security funds, we have integrated services with other counties and the state of Washington," he said. Some state and local governments have been using homeland security funds for IT initiatives, and will continue to do so. But as more jump on the bandwagon, they are being called upon to demonstrate just how they will use that money.
Onus on the Protected
Previously the DHS Office for Domestic Preparedness (ODP) established guidelines for distribution of money to states. States then followed those guidelines and tied their projects to ODP risk categories. For example, Kansas set up a prevention goal in its guidelines for protecting all critical state-owned facilities from weapons of mass destruction.
"Our DHS-funded project allowed for a totally recoverable data center that keeps all critical applications and data systems running in the event of a disaster," said Moore.
Kansas is no exception. Transparent spending and accountability on all governmental levels have been common, despite memorable news reports of homeland security purchases such as snake tongs, bulletproof vests for all professional canines and polo shirts. For example, the committee that reviewed grants in Virginia is very strict about the projects as they relate to homeland security, noted Virginia CIO Lemuel Stewart. "I would be surprised if anything unrelated got through," he said.
The DHS, however, decided more transparency was needed; hence, a more rigorous application process for money.
Under the new arrangement, applicants must detail how funding will be spent; why a purchase supports the homeland security mission in their town, county or state; and even detail management or oversight initiatives for the projects they wish to fund. The urban grant program now requires evidence of regional aid cooperation in the form of mutual aid agreements across jurisdictions, regional planning structures, training and preparedness efforts, and IT collaboration across government levels.
Since 9/11, homeland security funds allocated across the states have typically been focused on first responder equipment, or "boots and trucks," in the words of Stewart. Some think that funding only scraped the surface of IT and training needs in the last two fiscal years, especially in large cities. "Our biggest frustration has been that they have funded equipment, not people," said Jane Campbell, former mayor of Cincinnati.
Indeed, the formula's changes have been ongoing. Homeland security funding numbers for urban areas have varied annually. When DHS first began to allocate funds for at-risk areas, it identified seven cities as the most vulnerable: New York; Washington, D.C.; Los Angeles; Seattle; Chicago; San Francisco; and Houston. The Urban Areas Security Initiative (UASI) subsequently expanded to 50 cities, but later contracted to 35 metropolitan areas.
Now officials in remaining areas must apply for funding and demonstrate how those funds will be used.
Some cities previously designated high-risk were removed from the fiscal 2006 list, and given a one-year grace period for transition and to reapply. Las Vegas and San Diego were among the cities on the list of ineligibles, a decision that raised questions from government officials in both cities. California Gov. Arnold Schwarzenegger publicly expressed concern about the new risk-based funding assessments now required by the DHS, noting that high-security military installations in San Diego had been overlooked.
Meeting New Requirements
There is no question that DHS Secretary Michael Chertoff's new funding requirements are more bureaucratic and require top-down approval of how money will be spent at each level. Previously local governments had more freedom to channel the uses of money from funds received. For instance, agencies in the Seattle area decided which areawide projects would be funded and the specific amount to be allocated to Seattle. Cyber-security expenses typically came directly from city UASI funds, said Schrier.
Now jurisdictions are expected to meet these new requirements as a condition of receiving federal preparedness funding assistance. States are still responsible for distributing federal funds for non-UASI programs to localities. Each state has an administrative agency responsible for application and distribution of funds. Some funding may be provided to counties for further distribution.
The process, although paperwork-heavy, may have potential for greater efficiency. Before 2006, grant funds had to be drawn down in a few days. "This process proved to be disorganized and created a delay in disbursing funding to localities and sometimes prevented disbursement of funds entirely," said Deepak Bhat, state and local manager at INPUT, a market intelligence research firm in Reston, Va. "Grantees are permitted to draw down funds up to 120 days prior to expenditure."
That way, states and localities don't have to front costs and use federal funds.
"Distributing funding based on general characteristics did not hold recipients accountable for how monies were spent, it only determined who might need DHS assistance. There was no assurance the funding would be spent on homeland security-related equipment or services," said Bhat. "Under the new arrangement, applicants must detail how funding will be spent, provide justification for funding, and even detail management or oversight initiatives for the projects they wish to fund."
For some areas, it may be physical security, or more equipment for first responding, said Sachs of SRI International. "It was previously up to the localities, and now is an interesting windfall with a lot of strings attached," he said.
One possible advantage of this new risk assessment is that it encourages more regional coalescence of IT resources. "Of course we will be seeking more funds, but knowing strength comes from collaboration, we'll work to secure funds that can be used regionally," said Virginia CIO Stewart.
Many states have been working toward a regional focus that streamlines emergency response systems and increases interoperability. Virginia, the first state to have a statewide interoperability plan, has had a statewide effort with creating IT services in the event of disaster, said Stewart. "We've achieved this in 85 percent of agencies thus far, fusing local, state and county governments," he said. Virginia's regional emergency service center, located in Roanoke, serves multiple counties.
Solutions shown as used regionally for legitimate risks may be perceived as more effective. "The applicant that best demonstrates catastrophic loss of life or catastrophic economic loss stands a better chance at winning grant money than one that does not," according to a report by INPUT.
What George Foresman, who was recently appointed as the DHS's first Undersecretary for Preparedness, calls a "robust risk formula that considers three primary variables: consequence, vulnerability and threat" has inspired myriad reactions. James Jay Carafano of the Washington, D.C.-based Heritage Foundation said the new guidelines are a step in the right direction, and have transformed the grant program into an effective security tool.
Some believe the DHS has not been doing enough to fulfill its obligation to initiate nationwide cyber-security. Reports from NASCIO, House Democrats and the Government Accountability Office all noted the department should be doing more to work with the public and private sectors.
Moore pointed out that NASCIO advocated incorporating the cyber-security element and making it integral to the whole homeland security process. "We have met with legislators and expressed our concern," she said. "The new grant process now has a component for cyber-security, and it's more defined than in the past, more comprehensive, and states are paying more attention to that. We've been pushing to tie data together for better use of cyber-security funds. The new requirements are better for cyber-security because in the past, they did not pay as much attention to it."
In late January 2006, the U.S. Conference of Mayors met in Washington, D.C., to vent their frustrations over the changes in federal homeland security initiatives. During their emergency meeting with Chertoff on emergency response and homeland security, they recommended improving communications interoperability. Mayors complained that the new process was rigid, overly complex and difficult to follow by the March 2 deadline.
The mayoral group noted a need for urgent front-line funding to address the problem of "limited availability of spectrum for public safety that continues to force first responders to operate on several different and incompatible and congested voice channels," according to a January 26 press statement. The conference conducted its own homeland security funding surveys of the process, and found that money was not reaching the cities quickly. "And when it did, it often came with federal restrictions and rules that made it very difficult to spend on what was needed most."
Seattle has received money in all the rounds of funding, but this year the whole methodology is changing, according to Schrier. "It's a pretty fundamental change in how we're going to do business, and will require us to put together how we will use the IT funds ahead of time," he said.
Moore said there will probably be more accountability with the program this year. "We don't yet know the effect on our state and the group, but as long as you have a valid need and it's recognized by the homeland security community, you have a good shot."
Washington, however, is emphasizing funding that results from better preparation for the inevitable. In the new grant application, evaluators would like to hear more about the process of using the funds, policy issues, and how states and cities decided on their top priorities, said Foresman. "Information-sharing about the process helps us all become better prepared," he said.
"We take into account the homeland security needs of each state," Foresman said. "The question is not if something happens. Something will happen. We live with crises in our environment all the time: blackouts, floods, fires and threats to cyber-security. In risk management, there is a difference between treating someone fairly and equally. Our solution is to treat the funding recipients fairly. We'll have to make some tough choices in an atmosphere of transparent coalescence between all levels of government."