Q: When you were assistant secretary for infrastructure protection, you developed a plan to protect critical infrastructure from attacks and natural disasters. How would you assess the development in terms of the nation’s ability to predict critical infrastructure and respond to threats since then?
A: This is a long road, this is a very long journey that we’re on in terms of how we protect critical infrastructure. There are a number of steps in the process, but I think we’d have to consider an interactive approach. 9/11 focused everyone on the immediate vulnerability we had in the U.S. to low-tech attacks with high consequences. There were some immediate vulnerabilities with some significant consequences that have to be addressed. There are some long-term vulnerabilities and consequences that have to be addressed.
This became looking at the entire infrastructure of the U.S. and interdependency in the infrastructure components, transportation systems and the supply chain systems — all those things that would comprise a threat or vulnerability to our national infrastructure had to be addressed. I would say, that right now, they’re just trying to figure out what a private-public partnership looks like.
We’ve gone through extensive analysis of where the intersections between the government and private sector are and how we gauge the private sector. I think overall, the government has done an OK job at it. The private sector has done a lot, and has always done a lot, but it has never gotten recognized. More appropriately, the private sector needs to get recognized for and worked with to take advantage of the things it’s doing. So then you have to figure out how to align what the private sector is doing with what the government sees as a priority.
Q: Are we on target in terms of defining critical infrastructure and what the future targets might be?
A: The government has not made any kind of business case for the private sector to modify its approach to developing a plan. By that I mean there are some missed opportunities here, for instance, with the economic stimulus. We could tie the economic stimulus plan to certain milestones and goals that would also achieve homeland security strategies because economic stimulus, long-term economic vitality and stability is going to be tied to how we build our infrastructure to be more resilient.
The opportunity that’s missed is the fact that there are some really straightforward ways we could have tied certain infrastructure protection goals to the economic stimulus package that would have said: “OK, here’s fundamentally how we want to see things go. We want to see better governance metrics being imposed. We also want to see better infrastructure resilience goals met, and here are the following categories of things you should be doing to meet those goals and report back to us to make sure you’re on track spending the money the way we think it should be spent.”
For whatever reason, whether Congress never wanted to focus on that because it didn’t want to confuse it or it just never thought it was important, that was never addressed. Although it had been suggested by a number of folks, including myself, and I shouldn’t say that it fell on deaf ears, but it just never got any action.
Q: Is it because those projects are not what they would call “shovel ready”?
A: I don’t really know what that means. The projects we’re talking about aren’t shovel-ready types of projects to begin with. They’re also not necessarily so sophisticated and complex that they can’t be incorporated in the economic stimulus plan.
Q: Can you elaborate on that a little bit?
A: One area I think is right for being addressed for economic stimulus is the IT sector and IT security alone. Cyber-security initiatives could be addressed through the economic stimulus. We could use the economic stimulus program to address vulnerabilities in our supply chain.
We also could achieve better governance and information sharing that the government desperately wants. Achieving certain efficiencies, that would enhance trade. There are a number of areas they could have considered with very little pain. There are good ideas out there now that could have married up with the economic stimulus program to provide some incentives to achieve some homeland security goals.
Q: Those opportunities are not lost. There may be more money coming down and with the withdrawal from Iraq, if that happens, is there going to be more money available to do this sort of thing?
A: The opportunity isn’t lost entirely. Congress can clearly go back and make certain provisions to spending the money in certain areas. I don’t want to get political about it, I just don’t think Congress is really thinking about that, and they’re not tying economic stability to a homeland security problem.
I would argue that economic stability is the counterpoint of our homeland security and national security when we talk about where our systems are most vulnerable. I would argue that we are probably the most vulnerable we’ve been in quite a long time. Particularly if we look at how attacks could be effected against the financial [sector].
If you combined an attack on the financial sector with attacks on the communication sector and you deny people the ability to get to their funds, you cause people to have a lack of confidence in the financial sector. If you just take our ability to conduct trade away, we’ll have some problems.
Q: Have we adequately assessed vulnerabilities? Or are we still looking at fighting the last war, if you will?
A: We know the vulnerabilities pretty well. I’ve had more of a pragmatic approach to it, and I think we have a tendency of falling back on analysis as a way of putting off our ability to do something. Whereas if we accept the fact that we’re never going to get it perfect, our analysis should lead our actions and we should always be willing to adjust our actions as we get new information. I think that’s the right approach. I think there is a tendency of overanalyzing problems and always looking for perfection before we decide we’re going to implement something. As a consequence, we don’t do anything. We know our vulnerabilities. I think we can kind of just get off on that and start working on fortifying and mitigating the risks we have from those vulnerabilities.
Q: What scares you the most?
A: Honestly the things I think are the biggest challenges we have are supply chain-related — the lack of our ability to have visibility and transparency — into goods that come into the U.S. And I don’t mean from the weapons of mass destruction perspective, but the contaminated goods, the contaminated food, the counterfeit drugs-scenario coming into the supply chain, a bunch of things I think are particularly seriously types of threats. Of course, you have the IT threat. At a national security level, these things are critical. The other type of threat that is very persistent, and I think one significant threat, is a bio threat — the classic kind of anthrax attack. It’s a significant threat because our ability to detect and react to it, I think we still have a long way to go in our health-care systems to be able to respond adequately to a mass casualty type of attack.
Q: You mean a hospital search type of situation?
A: I think our health-care system and hospital certification is awfully inadequate. And our ability to detect bad things coming into the emergency care facilities is fully inadequate. I’m not a health-care expert, but that is a vulnerability. The other one that I look at is the ability for very low-tech type of attacks like suicide bombers. … We have a tendency of focusing on suicide bombings because of the sensational impact it has when somebody blows himself or herself up. But the reality of it is [improvised explosive devices (IEDs)], in general, are a specific threat here in the U.S. that would significantly disrupt our daily life for which there would be nothing but some measures you’d have to impose to be able to secure yourself against that.
Q: Is that maybe the most likely scenario? The IED?
A: It is the easiest to carry out, and I think it is the most likely scenario because we see them all the time. We see them more from a low-level type of criminal thing, but the ability to use the same methods and have a significant impact is pretty trivial. It is a significant threat. It’s not like the government isn’t paying attention to it, it’s a difficult one to counter, to protect against. The government has been spending a lot of money, and they need to beef it up. But they’ve been trying to look at the transition of IED technology in Afghanistan and Iraq over to the U.S., and they’ve been working on some of those numbers for a while and providing training awareness. But you know as well as I do, you just take a walk through a crowded shopping mall or anywhere else people gather and the ability to do that the first time is going to be pretty easy to do. Admittedly after you do the first one, there will be a lot more attention to it, people’s focus on that will be a lot different. Right now we have a tendency to not even consider that as a threat.
A: I know we’ve put emphasis on bio threat too, it’s less likely, but might have a more chilling effect. Has there been enough emphasis on trying to learn how to detect that sort of thing?
Q: Well it’s a hard problem, so there has been a lot of research and development money put on the detection of bio threats and early detection. It’s a difficult science problem because of the types of things we’re trying to detect with a degree of confidence. It’s not that you can’t detect stuff; the ability to detect things in general has been well established. It’s the management of false positives and the impact you have once you detect something. Now you’ve got a set of protocols you have to set in place, and it probably speaks right to the area that you’re focusing on, but the protocols for emergency management that allow you to respond to the detection of an event is what you really have to do.
A: Is there any additional information you’d like to share?
Q: One parting thought here. There has been no focus by the DHS or federal government at large to include Congress on making a business case for any of these things. Now this is sort of a self-serving comment because this is what I do, but I would argue that there are ways to tie good activity around infrastructure protection with a business case. You can do this. I don’t think the government has done this. We look at, like I said earlier, the economic stimulus package as being one area that we have some influence. There are other tax credits that could be applied, although this administration may not be interested in tax credits for this stuff, there are other ways for the private sector to engage, and those things need to be done.
