The New Frontier of Homeland Security

Governments consider technologies and priorities to build secure systems.

Javier Gonzales, president of the National Association of Counties (NACo) and a commissioner of Santa Fe County, N.M., recently testified about the war on terrorism before the Senate Appropriations Committee.

His message was simple: The country and people are still in danger, and unless the federal government can guarantee there will not be another terrorist attack on the United States in the next few years, the federal monies required by local governments should be disbursed as soon as possible.

Today, he remains cautiously optimistic that the federal government will release the funds in a timely manner. However, even if funds were to flow, the challenges facing all levels of government are many.

Within the 50 states, there are 3,000 counties and 18,000 cities that must be protected. The job of getting law enforcement, emergency services, public-health agencies and private enterprises coordinated and working together at local, state and federal levels is a daunting task. Technology exists to make sophisticated information sharing possible, to safeguard information systems from intrusion and to recover information after a disaster.

Since Sept. 11, it's been widely reported that information on the hijackers' activities was available on various databases. Critics have made a case against the intelligence community, claiming that if its agencies had been sharing information with other agencies and institutions, alerts would have been triggered to warn local law enforcement and public safety officials of the peril.

On the flip side of the coin are issues surrounding the privacy and security of the information itself. This involves structuring information access so that security is not compromised and the privacy rights of individuals are not violated.

While the political discussion continues concerning the dissemination of information and individual rights to privacy, the focus of attention is on the best technologies to deploy in defense of the homeland.

Human Resources
Among the first changes observed in state governments in the post-9/11 era was in the area of human resources. "Most states have hired ex-FBI and intelligence personnel to head their new homeland defense offices," said Vincent Steckler, public-sector vice president for Symantec. "It is their job to figure out the risks that states have, which includes cyber security."

Counties have also addressed these security issues. Gonzales was appointed chairman of the NACo's Task Force on Homeland Security after Sept. 11. The task force contains a cross section of professionals in law enforcement, public health, emergency services, communications and supervisors from throughout the United States. Its purpose is to advise the federal government of the role counties play as first responders in the event of a terrorist attack.

"Before 9/11, we had very little interaction with the federal government -- normally just with FEMA to assist administratively after a natural disaster," Gonzales explained. "Now we are in a position to advise the federal government on the role that the first responders play and help identify some of the challenges and best practices out there."

Finance
The president's budget earmarks a total of $38 billion for homeland security. Of that, $21 billion is set aside for five major homeland security goals: supporting first responders to emergencies; defending against biological attacks; protecting the nation's borders; improving information sharing among federal agencies; and protecting critical infrastructures.

Although access to the federal funds depends upon planning that meets the federal criteria, some states are starting to receive money from Washington. As a result, governments are reaching out to the private sector for security solutions.

"Symantec saw its state and local business nearly double last year," Steckler said. Other vendors also report significant increases in government requests for information, and considerable new business pending budget approvals.

Secure Systems
A basic concept of computer security is the protection of information, including preventing information from being damaged or falling into the wrong hands. Another element of security is detection -- technology that alerts users of damage, theft or alteration of information. Finally, should an intrusion be successful, computer security requires effective data-recovery systems.

Veritas Software provides storage-management software for data protection, application availability and disaster recovery. Paul Smith, vice president of government sales for the company, says that since the terrorist attacks, there is an urgency surrounding IT solutions at the executive level of government that was not there previously.

"They have a heightened awareness of what it takes as far as investment, not only in devising policy but also technology to support the policy. But developing the policy and defining the requirements has become job one," said Smith.

"Every CIO that I talk to mentions a couple of things as most urgent to them right now," he said. "One was a new buzz phrase for me: COG, meaning continuity of government. In some states, like Florida, which I recently visited, there are now statutes for critical systems stating that a COG or disaster recovery plan must exist. This has all happened since 9/11."

Smith added that governments are also making critical adjustments to existing systems. "The states are telling us that they need things like disaster recovery solutions to provide failover; network upgrades -- many states don't have the bandwidth to synchronously replicate the data, so they are upgrading their infrastructure," he said. "And the other thing we are seeing is a lot of server consolidation. There is a trend of moving from smaller Sun boxes to larger Sun boxes and consolidating them to make the management of systems easier and more centralized."

According to Smith, the enhanced focus on security not only has favorable economic impacts on vendors, but promises to build benefits for a nation on alert. "It is a positive trend for companies in our space because our primary business is disaster recovery and the primary mission of the homeland defense office is to make sure that our state of readiness is high," he observed. "Those two marry up with each other well. They are creating better firewalls and better virus protection and they are planning for high availability. The other positive thing is that real legislation is happening regarding mandating continuity of government."

Stateside View
Mel Mireles, director of the Texas Department of Information Resources' Office of Information Security, said the state is better positioned than others in regard to homeland security because of the statewide infrastructure protection council initiated by the Texas Attorney General two years ago.

"Leaders in government and industry sat on the task force. [They] looked at information assurances, cyber threats and information sharing. They also looked at the legal issues involved and law changes necessary for effective information assurance and information sharing," Mireles explained. "They issued a report in January 2001, which was a real eye-opener in terms of our vulnerabilities. We've come a long way since then, but we've still got some way to go."

The terrorist attacks brought about the creation of a Homeland Security Task Force for the state. "It was composed of people from all walks of life, from retired FBI to senators and legislative-type people who were familiar with the criminal justice committees," said Mireles. "Their job was to look at the physical defense of the state and what we need to do to make it more secure. It reviewed weapons of mass destruction and those types of issues. Primarily they looked at issues related to physical structures and weapons of mass destruction and what the state needed to do in regards to assessing those issues."

Reactive or Proactive
According to Mireles, there is both a reactive and proactive approach to homeland security. "The reactive is your redundancy, your backups, making sure that you have some redundant data stored somewhere and it is current and up to date," he said. "The proactive approach is getting the alerts out so you can avoid having to recover from some disaster. You do need to have some kind of disaster recovery plan but mostly what we are trying to do in this state is be proactive by nature."

Mireles believes that other states are treating homeland security in a similar fashion. "More and more you are seeing a proactive approach because you are seeing a lot of organizations pushing to get information out, whether it be physical or cyber," he said.

Gonzales sees a similar situation developing at the local level. "The greatest challenge for local government is the need to integrate our databases so we can gather, share information and use it in the manner that will minimize the risk to our communities," he said. "That's a big challenge, especially since in communications and the IT area systems remain very fragmented. So the real challenge is going to be integrating these systems and building interoperable communications channels so that we can mitigate any type of risk that might occur."

Proactive Solutions
Steve Cooperman, director of Oracle Home and Security Solutions, sees three major trends at the state and local level. "First, there is a renewed focus on advanced security techniques as far as information protection or what we call information assurance," he said. "Things that used to be 'nice to have' are now 'have to have' in terms of a database's advanced security features.

"The second is to have the continuity of operations and the ability both to scale existing systems during a crisis as well as have redundancy of information," Cooperman continued. "In this way, if your system is destroyed you can maintain existing operations and still service your citizens while dealing with the crisis.

"The third is the area of collaboration. That consists of new Web-based portals that bring both information and organizations together. Really, the notion of homeland security is bringing together information communities and bringing together a myriad of federal, state, local and private-sector organizations which may need to react to a homeland security threat or incident," he said.

Terrence Atkinson, director of solutions marketing for Cognos, echoes the necessity of collaboration. "One of the big things that responding organizations discovered after 9/11 was that there was a discord in coordinating their activities and this traces back to a lack of coordinated information," he said.

Atkinson also stresses the importance of how the data is assimilated once it has been collected. "In the past, government agencies have been very good at accumulating vast amounts of data. What they have not been very good at is sharing the information across other organizations that may have requirements for integrated data," he said. "As you build up information in the database you need some way to understand what it means. Business intelligence products are then used to analyze and report on and understand the information. This can then be turned into something from which to make intelligent and well informed decisions."

Atkinson also emphasized the critical need for data sharing. "Information consolidation and sharing is very important to all levels of government," he said. "They are getting information now made available to them from other agencies and they need some way to consolidate this and make sense of it."

Best Practices
Oracle's Cooperman sees the government leaning toward evaluated and best-of-breed solutions. "We are finding that people are interested in repeatable solutions," he said. "They want to see what others have done. So if we are working on an anti-terrorism database in California, New York and other states want to see it. We are seeing that people want to leverage best practices because the time of implementation is key."

It is sometimes challenging for states to assess which products and solutions are effective. Cooperman said some are looking to the federal sector. "The federal government has established legislative policy to only buy products that are evaluated," he explained. "There is a lot of interest from the state and local level as well to go along with this policy."

Meanwhile, Glenn Taylor, Symantec's director of state and local government, has found the situation with smaller organizations and agencies to be different. "They have anti-virus in most cases, but it's a wide-ranging assortment of products that are in use," he said. "They likely have some firewalls, but not necessarily everywhere that they are needed. The smaller agencies have a mix of intrusion detection systems and very few have any vulnerability assessment."

No Magic Bullet
"There is no magic bullet," said Mireles. "There are a lot of precautions you can take, but it is a never-ending battle. You just have to be prepared. If you take a proactive approach, you should be able to avoid recovery situations."

Mireles advises governments to consider the value of the information they are trying to protect. "Security is security. It doesn't matter what level or what type of business that you are doing. It matters what you are trying to secure. I don't want to put up a $15,000 fence to secure a $500 horse," he said. "Once I define that, it gives me the ability to say how much I want to spend and where to put the emphasis."

NACo's Gonzales underscores the importance of IT in homeland defense strategy. "Technology is going to play just as important a role as our fire engines, our communications equipment, even the men and women who are out there. It is an important tool for the first responders and it's going to be essential to any kind of defense," he said. "But, unless we at the local level fully integrate and embrace technology as part of the framework of how we do business, then we are not going to fully realize the benefits of what technology can offer."

Gonzales returns to the common thread in homeland security. "More importantly, we now understand that part of a strong homeland security plan is the ability to share information, to utilize communication channels so that when we are responding to events that we all are on the same frequency," he said. "City, state, federal, tribal police and emergency personnel are all on the same page when they are responding to any kind of disaster. So IT and technology has got to be woven into the fabric of any kind of defense system."

Jim Meisler is a Sacramento-based writer specializing in technology and current affairs.
Special to Government Technology