Tag Archives: Homeland Security Round Table

Homeland Security Questions #2

Last month I decided to try to tackle some of the questions raised by Christopher Bellavita in his article in Homeland Security Affairs.

Why are we unable to measure the relationship between homeland security expenditures and preparedness?

The problem, as seen by Bellavita, includes

I know of a half dozen pilot efforts to satisfy the HSPD-8 mandate and at least one experiment to meet the post-Katrina reform act requirement. Unless I have missed the results of these pilot efforts, none have been turned into an operational program. I have not seen anything even approaching an assessment of the nation’s preparedness, let alone a comprehensive assessment. And let alone even more assessments that link expenditures to preparedness.

Many smart people have worked this issue for years. In speaking with them, the difficulty seems (depending on who one speaks with) to rest with political will, technological capability, knowledge gaps, science, sociology, continuous change, and a host of other factors that turn an engineering-type task into complexity soup.  But assume for a moment that we can measure national, and state, and regional, and local preparedness. What do we do with the answers? What impact would that knowledge have on future resource allocation?

I don’t know, I’m a bit ambivalent about this question since it just seems like another excuse to whine about how sucky our resource allocation system is.  After all, the first question we discussed  that and I’m not sure there’s anything new to say here.

Well, maybe not.  First, I’m not sure there’s much value in making his assumption.  Is it likely, even assuming we could assume super amazing capabilities to measure preparedness, that those measurements would be only one (and probably not even a major) factor in terms of allocating resources.  After all, you don’t have to be a genius to know that it’s hideously inefficient to build a weapons system in 49 states yet it is the status quo now because that’s how you get broad political support.

So let’s say you could measure the effectiveness of X number of dollars on project Y in area Z.  What would you have?  Well, if it looked like the metrics didn’t justify the allocation of resources, I’m guessing you’d have a fight over the metrics themselves.  Don’t think that can happen?  How long has the tobacco industry fought the idea that smoking is harmful or addicting?  Decades past the point that it was firmly established.

So, why would we expect any different here?

Why are we unable to measure the relationship between homeland security expenditures and preparedness?

Because there are too many people who don’t want to measure that relationship or only want to measure it if it’ll produce certain results…

This post is far too cynical…I’m hoping someone out there will pull me out of this funk and give me some good ideas to chew on.

More on Risk-based decision making in homeland security

Simon addresses the topic in a post that I thought was so good it filled me with temporary self-loathing and jealousy for how poorly I organize my writing and get me ideas across (get ready for a post about that later).

Interestingly, he tackles the topic from a different perspective than I did and makes the point that, even though we often overlook it, risk-based decision making happens all the time among first responders.  I raise a couple of issues in the comments section but I’d like to take a second to go into a bit of depth with an analogy he uses to describe the difficulties in instituting a systemic risk-based decision making regime and slightly re-purpose it to make a semi-related point.

To use a household analogy, you used to have three dogs and a couple of cats that normally got on with each other. The causes of discord were well-known and it wasn’t too much of a task to prevent major conflict. Then Great Aunt Anastasia dies and left you her ant farm and  ’tame’ wasp hive; for various reasons, and as tempting as it is at times, investing in a couple of gallons of Raid is not a socially acceptable option. You’re stuck with it. You’re not impressed, the dogs and the cats aren’t impressed, and most likely the ants and wasps aren’t that thrilled either. Oh, and the boiler’s sprung a leak, taxes have just gone up, and old Mrs Grey next door has just lopped off her leg with a chainsaw. Welcome to the world of homeland security – please start your risk-based decision-making process HERE.

I’d like to riff off that analogy to explain how I see the problem.

In addition to the above, imagine your Aunt Anastasia’s home is 100 years old and she did no work on it the whole time she lived there.  Your know-it-all brother-in-law tells you that houses of that age usually have weak roofs and lead pipes which can cause all sorts of health problems.  In addition he points out some saw dust around the foundation which (he thinks) might be an indicator of termites.

In addition, you notice your neighbors seem to be expanding their yards into what you thought was your property.  Getting a surveyor in however will take significant money and attention.

Now, you could continue to focus on the myriad problems mentioned first.  The ants, wasps, dogs, cats, taxes, etc. will certainly keep you fully occupied.  The roof and foundation may hold up for another 20 years…or they may collapse tomorrow.  You simply have no information about them.

So, do you divert some of your scarce time and resources to find out about those things?  Things might (probably will) slip through the cracks.  But without some sort of understanding of all the problems your facing you really aren’t engaging in risk based decision making.  You’re engaging in hope based decision making.  Hopefully the most significant threats are the ones you’re already focused on.  As long as they are, you’re ok.  When they aren’t you stand by looking at your collapse roof and say to everyone who will listen “No one could have predicted this.”

I’d argue this is pretty close to what we have now, especially at the sub-federal level.  I’m not arguing that every Mayberry out there should been knee deep in tribal politics of Yemen and what threat that may pose but there are lots of places where there are threats right in an agency’s backyard that consistently avoid consideration.

An example:  In some immigrant communities (particularly those that have significant language barriers and cultural differences) criminal networks prey upon individuals knowing that individuals in these communities are loath to go to authorities (sometimes due to immigration, tax or cultural issues).  Because these communities are insulated and isolated from most political institutions they just don’t show up on anyone’s radar.  They (and the threats they face) are overlooked until it spills over into the ‘mainstream’ community.

And the big thing I have heartache over is that agencies (which do a good job taking care of most day-to-day emergencies) are forced to claim to do all that high speed risk assessment if they want to share in that pot of gold known as federal grant money.

And that is bad for everyone.

Lunghu over at Waking the Dragon takes yet another view of such decisions.  He raises the point that  “the risk being assessed by homsec functionaries is not (solely) the risk of harm to the homeland, but rather (primarily?) the risk to their own careers and reputations.”

Now all we need is someone to weave all this together to form a grand unified theory.

Threats, resilliance and strategy

I continue to work through the latest edition of Homeland Security Affairs and think about the question of risk management in the decision making/prioritization process.  Philip Palin describes the threat as inspired by the National Intelligence Strategy:

  1. [F]our nation-states that present a “challenge to U.S. interests.   These are Iran, North Korea, China, and Russia.
  2. Violent extremist groups, insurgents, and transnational criminal organizations
  3. The global economic crisis
  4. Failed states and ungoverned spaces
  5. Climate change and energy competition
  6. Rapid technological change and dissemination of information
  7. Pandemic disease

Two points that Palin makes and I think are quite valid is that in terms of ‘traditional’ threats (ones that threaten the existance of the current regime).  There just aren’t any.  Neither the four nation states or terrorists and other violent groups just don’t pose the same sort of potential threat that the Soviet Union did.  The biggest threats to our current order, in fact, are far different.  Economics, access to resources and environmental issues.

And yet, which receive the most attention when policy makers talk to the public.  Let’s face it, apart from global warming (where one major party continues to even doubt it’s existance), how much discussion is there about the long term security implications of China’s dominance of the rare earth market?

The second point is that this is a pretty broad list.

A colleague who served for many years in the intelligence community has critiqued the National Intelligence Strategy as fatally flawed because it is so far-reaching. In his view it is undisciplined in target-selection and thereby condemns the intelligence community to almost certain failure. Limited assets will be stretched too thin.  His operational concern is undeniable. Yet I perceive the greater flaw is too narrowly defining threats as externalities.

There’s good points on each side here.  I’ve often held up for derision the concept in homeland security (and frequently used in fusion centers) of ‘all threats all hazards’.  Four simple words but when put together in that way they mean absolutly nothing.  The fact of the matter is, when you try to accomplish everything with a small organization you tend to do nothing particularly well.  If you do manage to do a good job of fooling people into thinking that you are covering all the bases, you instill a bit of learned helplessness among the rest of the community who think you’ve watching everything.

The federal government, I’d argue, can (operative word:  can) be different.  It’s certainly big enough and broken down into enough organizations that you should be able to address all of these concerns with an adequate degree of coverage.

It might require a reorganization of some of the intelligence agencies (which, while highly unpopular within the community I’m sure, might be worth a look since they were all structured to address the problem that was the Soviet Union) but hey, nobody said this’d be easy.  As Palin points out, our entire intelligence system was based on the premise that the Soviet Union was a predictable actor that had an ideology which led it to consistent behavior.  Our current threat environment is made up of so many threats, many of them not directed by human actors (pandemics) or, at least, not intentionally so (economic conditions).

Side note:   Palin says:  “We are undoubtedly the most powerful nation on the planet. But it sure doesn’t feel like it.”  Do we not feel most powerful because of the myriad of threats or because various decision makers have a vested interest in making us feel threatened?  Discuss.

Sounding a similar note to KR’s recent post:

No complex system can be fully controlled. Can goals be cultivated? Certainly. Encouraged?  Absolutely. Influenced? Yes. Guaranteed? No – even the effort will amplify tragic consequence.

So rather than chasing every kook and always focusing on the last crisis, terrorist attack or disruption, Palin argues for a resilient system which he defines as:

(1) the ability of a system to absorb or buffer disturbances and still maintain its core attributes; (2) the ability of the system to self-organize, and (3) the capacity for learning and adaptation in the context of change.

Our current inability to do those things today presents a set of behaviors in the homeland security environment which Palin describes as neurotic (which I really like).

So what has our neurosis brought us?

If any consistent strategy can be discerned it has much more to do with suppressing the likelihood of turbulence and responding to the messy consequences of turbulence, rather than accommodating the possibility (probability) of turbulence. In homeland security we have been much more focused on resisting change than adopting resilience.

Of course, that quote has applicability beyond homeland security.  I’ve argued here before that our approach to some criminal environments is similar.  Our tactics are all about resisting change rather than adapting, minimizing harm and channeling energy to our advantage.

And we kind of end where we begin.  The question ‘why don’t we develop a resilience based strategy’ seems to merit the same answers as ‘why don’t we adopt a risk management based strategy’ and they’re probably closely linked (Perhaps even synonymous?  Could you  have a risk management strategy that wasn’t resilience based or vice versa?).

Risk Managment…what you see is what you get?

In discussions about risk management in homeland security I think two recent events and their aftermath are worthy of study.

The first is the Ft. Hood shooting by Malik Hasan.  In the wake of the shooting there was a lot of talk about the need to step up security in a variety of ways.  Some of those were reasonable (if you see a soldier demonstrating strange or dangerous behavior you better report it) while others were a bit loopy (let’s be suspicious of all Muslim soldiers).  A few days after the shooting I was supposed to go to Ft. Dix and expected a lengthy wait at the front gate and a host of new security procedures.  To my surprise, I zipped right through the entrance and to this day have seen no evidence that there has been any significant change to procedures to enter the base.

So why would that be?

Well, either

  1. the military is asleep at the wheel and not paying attention (which I doubt),
  2. they recognize a threat but feel that safety measures to counter a similar attack (extensive vehicle searches, increased roving armed patrols, etc.) are too costly (in terms of resources and the impact on normal operations) to be practical
  3. they consider the likelihood of a repeat attack to be so low that there is no need for additional measures so long as current procedures are followed

I can’t say with any certainty which of these (or some other one) drove the response to the shooting but I think one can take away that the military didn’t follow the path we see in homeland security (specifically airport security) decisions where we always implement measures to defeat the last plot, regardless of whether it was realistic or not.  Usually those responses appear (at least to me) to be knee-jerk reactions stuck onto existing procedures without a lot of thought about developing a comprehensive security response.  It’s like they have an excess of duct tape and just figure it’s better to patch up problems as they go rather than examine the whole system.

Case in point is the second example I want to talk about.  The recent breach of security at Newark Airport.  The facts of the actual breech or the negligence of the TSA employee aren’t an issue here but rather the mixed messages sent to the public about security that contributed to the breech.  We’re more than 8 years past 9/11 now and airport/airplane security has been a top priority for that entire time.  Everyone knows that and has seen increase in guards and patrolling soldiers, have taken their jackets and shoes off and have had all sorts of items confiscated.  So why would they use a puny theater rope as a barrier to prevent people from crossing into ‘sterile’ areas?

The same sort of barrier people see (and cross over/under all the time) in theaters, amusement parks and other places.

In that case, I’d argue the barrier sends a message that it’s not as important as the other aspects of airport security where you see more robust security measures.

Also, there was no redundancy in the system.  If the guard was distracted or left his post (as happened) there was essentially nothing to stop someone from crossing the line.  A sizable barrier that would have required some effort to breach would not only have made attempts to cross it more conspicuous and difficult but would have sent a stronger message that “Hey, we mean it!  Don’t cross here!’.

So, what sort of risk assessment/management procedure was done at the airport?  Who knows but at least in that instance it didn’t seem to jive with pronouncements and concerns for how vulnerable we are and how determined terrorists are to attack there.

Guest Post – Why is it so difficult to make risk-based decisions in homeland security?

Today this post is by guest blogger KR who addresses the first question of the Homeland Security Round Table centering around an article in the recent issue of Homeland Security Affairs.

Ok, first I should introduce myself I am not a security, military or defense professional. I am a certified financial planner who, as an American citizen has a vested interest in this dialogue. My objective here is to broaden my knowledge on these subjects,  explore and clarify my opinions and hopefully, share some thoughts of a lay person with the more educated members of the group.

As a financial planner, I’d qualify a large part of my job as risk management. I do this by seeking both concrete and anecdotal information about variables that contribute to an overall premise on market, sector and specific holding performance expectations. This is a top down assessment starting at the economic level, eventually reaching the local or company-specific data. It seems remarkably similar to the risk management associated with anti-terrorism activities and threat assessment. There however, are some significant differences which tie in directly with Mr. Bellavita’s questions (numbers 1 and 5 in particular).

Axiom or law, I think we have to start with the premise: Risk is either held, shared or transferred, increased or decreased. It is never, ever eliminated.

In financial risk management, we have a firm concept of acceptable losses. There is never an expectation of only gains or zero losses. That’s understood to be unrealistic and in fact, pursuing those misinformed objectives actually incurs significant risk and expense. Fortunately, in my business, many theories and actual practices are tested, retested and back-tested to measure effectiveness. Quantifiable results are just that, quantifiable. Part of the issue confronting homeland security is the non-quantifiable nature of success, failure and ongoing performance. Politics, psychology and general culture play heavily into those definitions.

I’ve heard more than once, that, “Counter-terrorism activities have to be successful all of the time, terrorists only have to succeed once.” Frankly, I find that concept dangerous and misleading. It sets up everyone involved for failure. That statement is true when considering the execution of a terrorist act. But it would be unwise to consider that completion to be a failure of a homeland security system. By leading people to believe that any terrorist activity is a failure, and the converse, that the only success of homeland security is zero terrorist activity, we create an environment that ironically benefits the terrorists. By mismanaging their expectations, our population is more susceptible to fear and disappointment. The professionals are subject to criticism, policy shifts and general turnover (typically as a result of political responses).   Homeland security is a defensive, reactive activity. That’s not to say it’s passive. Merely that it’s goal is to counter the objectives of those engaged in hostile, terrorist acts agains the US. So what is success for a terrorist? I think the real definition of success by a terrorist is the changing of a culture or general set of policies to coincide with the specific goals of the terrorist organization. It is not the death or destruction of a particular target for its own sake. These groups and individuals want to have impact, whether by spreading a message, changing our attitudes and ways, or actually changing US policies. If that is true, success for homeland security should be the disruption or mitigation of enough activities to prevent those cultural or policy changes.

In my business, I determine a targeted risk level, or concept of ‘acceptable losses’ for each client. My worst client is one who expects to never lose a penny. I cannot help that client and can either educate them or fire them. I admit, it can be difficult to do the prior, but when it works, the change is usually dramatic. Instead of focusing on the occasional losses, we focus on their financial goals. Those in reality are their priority.   In the homeland security arena, it seems the American citizens are being trained to expect perfection. I think that is a product of both our political environment and our cultural belief that we can have everything, all the time, at no cost, now. I’ll summarize that notion simply as ‘short sightedness’ for simplicity sake. While we cannot ‘fire’ our way out of this relationship with our fellow citizens, we absolutely hav eto edicate them on the follow of that false expectation.

Homeland security is a process, not an event. It needs to be viewed similarly to our national education system, the population’s general health and wellness, our overall transportation infrastructure or similar issues of long term, national importance which may be subject to event risk, but are actually systems, not discrete events, locations or organizations. Instead, our national discussion seems focused on the granular level  how did which person get onto what plane. By looking so closely without the larger context we seem to repeatedly miss the forest for the trees.

Similar to my own risk management processes, when considering the homeland security situation, I again approach from a top down perspective. At a high level there is the question: what can be done to prevent terrorism. At a lower, more tactical level, there is the question of how do we prevent terrorist acts. I do believe that addressing the first question is fundamental to a long term American solution. Obviously, the better we do there, the fewer incidents we will have to address at the lower level. However, the reality of the present situation calls for us to address them both simultaneously. Mr. Bellavita seems focus primarily on the tactical level.   I think the first step in dealing with risk-based decsion making, and all decision making for that matter, is to accept the situation. The real, honest situation. These acts will be attempted. And some, despite our best efforts, will be executed as planned. We also must realize, that is very different from saying that the terrorists have succeeded.   And, in my opinion, therein lies part of the difficulty in making risk-based decisions. That very acceptance is untennable from a political standpoint. It is far better for any individual’s career to pretend that perfection exists, despite how stunting it is to our capability to address the situation, than to speak plainly about costs, consequences and long term goals with the American public.   ===============================   Here are a couple questions for those more educated that I on these matters. Please forgive me if they are not directly related to the first question on our list.   We’ve had extremist, militant groups in this country for quite some time. We’ve investigated and  infiltrated them, tracked their leadership, mapped their organizations and, at times, taken direct actions against them. We’ve had some terrible events such as the 1993 World Trade Center and 1995 Oklahoma City bombings. Are the strategies and methods of dealing with these homegrown radicals so different than the ways we should approach terrorists from outside of the country? I realize that the specific agencies and resources employed, and degrees of local cooperation and competence will impact implementation, but my question is regarding the actual practices. If we consider our domestic counter-terrorism activities to be successful (even without a 100% event-free history), shouldn’t we map those activities (and definitions of success) to the global scene?

As a lay person, I see homeland security largely as a police activity. That is not to say it should be performed solely by police departments, rather it is more similar to police work than say, military or emergency response work. Activities center around information gathering, investigation, analysis, apprehension, prevention and disruption. It seems that the inclusion of emergency response functions are a separate matter that only get involved when a threat is identified or action has taken place. Is that a gross oversimplification?

Risk based decisions in homeland security issues

Christopher Bellavita’s recent article “Changing Homeland Security: Twelve Questions From 2009” says:

In 2009, U.S. residents were threatened by border violence, pandemics, violent extremists, improvised explosive devices, a dirty bomb (or at least the possibility of one), random shootings, cyber attacks, threats to the food supply, severe winter storms, tornadoes, fires, floods, old American dams, and radioactive Canadians.  Is there an appropriate way to think about and prioritize those risks?

He asks the question:  Why is it so difficult to make risk-based decisions in homeland security?

Now, it’s worth noting that he didn’t ask ‘Are our homeland security decisions risk based?’

I think it’s generally accepted that our decision making process with regards to homeland security is a bit screwy.  It could have been the prohibitions against butter knives in the months after 9/11 or the identification of a mini-golf course as worthy of being placed on a list of potential al-Qaeda targets.  But…is the current situation really that strange?  Should we be shocked that many decisions aren’t risk based?  I would argue no. Why, you ask?

First, let’s begin at the beginning.  Risk management wasn’t a part of the national security process prior to 9/11 and agencies resisted attempts to have it integrated into their decision making process.  Remember, we’re talking about bureaucracies here that have their own interests and goals (self-preservation, accumulation of power, promotion of those who support the organization).  They strive for maximum freedom and chafe at being forced to do things which limit their freedom of action.  Monkeying around with their decision making processes (how they allocate resources) strikes right at the heart of institutional prerogatives and requires a significant shock to the system in order to gain acceptance.

Secondly, when we’re talking about risk management we’re looking for “a means to mitigate or “buy down” risk over time by
developing certain capabilities across the country
.”  More often than not, that means money.  Every other part of the budget process is marked by demands to spread the wealth so that elected officials can demonstrate to their constituents that they’re bringing home the bacon.  If risk management can be circumvented in the defense budget to promote systems that aren’t needed, why should we expect different in the Homeland Security field?  At least through 2007, only 60% of DHS grant funding was based on risk assessments.  The rest?  Called ‘statutory mandated’ funds, it generally can be considered to be the money that had to be paid off to various low-risk districts and states for their representatives and senators to approve the release of the rest of the money.

Thirdly, our general CYA mentality which, as KR points out, asserts that any successful attack (and after the underwear bomber apparently even an unsuccessful attack) has to be viewed as a complete systematic failure and someone will have to be held accountable.  Every Just about every elected official and government employee, no matter how tangentially involved in homeland security is going to want to ensure that it isn’t them who ends up in front of a congressional committee or on the 6 o’clock news and will therefore go to extremes in order to limit their risk.  Movie plot threats will have to be countered even if they’re impossibly complicated and highly unlikely while passing up more likely threats.  But we’ve now conditioned the public to expect 100% perfection and collapse into hysteria whenever a guy with a tan yells ‘boo’.

So, how do we get to risk management?  Certainly, the process is known so that’s not it.  I think there are few ways to actually get all of the actors (institutions, public officials and public) to change their orientation sufficiently to totally accept something like this, much beyond current levels.  The more time that passes without a serious attack, the more the homeland security process will fade into the background of regular operations, subject to the same pressures as every other large money spigot.

I think many people agree that the wrong way to get people to accept risk management in the decision making process would be in the wake of more attacks.  Certainly they would focus our collective mind but the cost clearly makes such a line of reasoning unacceptable.  And, of course, even that wouldn’t be a guarantee of positive change.  It’s just as likely that we could end up with a system that’s even more panicky and knee-jerk in fashion (water-boarding for everyone!).

I was going to suggest the release of more information to the public and some real, adult conversations between our national (and I guess state and local as well) decision makers and the population about risk and what where as a people we want to go.  It is, after all, 2010 and I still don’t think we’ve had this conversation, at least in a sustained concerted way to engage a large part of our population.

When some bonehead talks about the threat of anthrax killing tens of millions, it’d be nice to have some official information to explain why, exactly, that’s nonsense and really, really unlikely.

    But I must be a bit more cynical than normal today.  Let’s face it, you could put all the information you want out there (and I still think it’s a good idea) but there’s just no way that’ll be able to compete with CNN’s latest reporting of ‘What if…’ or Glen Beck’s Doom Room.  Panic sells.  Money (or votes) in your pocket today is better than reducing the risk of a possible future tomorrow (provided it doesn’t happen and if it does happen, it’s not on your watch).

    So maybe our system is the best we can hope for.  Are homeland security decisions that are 60% risk based better than the other possible alternatives?  Is 100% (or 80%) risk management too much to hope for in our system?