Homeland Security Watch

Alex Wellerstein, historian of science and blogger at “Restricted Data: The Nuclear Secrecy Blog,” shares a great quote about the adverse effects of secrecy. In a post about “Cold War Sex, Cold War Secrecy” (in a nutshell: starting from recent news that Britain’s MI6 made public a dead officer’s somewhat unusual sexual practices with the idea that if they publicly acknowledge and accept (almost) any such practice it cannot be used as blackmail, Alex sketches the history of related-concerns during the Cold War), he includes what I consider a fantastic quote about the unforeseen dangers of excessive secrecy.

A few weeks ago I had the pleasure of getting acquainted with Avner Cohen, author of Israel and the Bomb and The Worst-Kept Secret, the books on the history of the Israeli nuclear program. He shared with me a quote from Mordechai Vanunu’s lawyer, Avigdor Feldman, that I’ve been coming back to a lot lately:

“If something is secret, and something else touches it, it too becomes secret. Secrecy becomes a disease. Everything around the secret issue becomes secret, so the trial became a secret, so I became a secret.”

Secrecy, as Avner puts it, is contagious. It spreads. It goes from something that we might all agree ought to be secret — how to make a weapon of mass destruction, to take the canonical example. But from that point of apparent agreement, it seeps out, worming its way into the lives of everyone who comes near it — even into the bedroom, that most private of places.

The one year anniversary of the raid that resulted in Osama Bin Laden’s death has brought with it a steady stream of analysis.  You have the stories about while what traditionally (if less than a decade can be considered “traditional”) is referred to as “Al Qaeda Central” is on the ropes and what Secretary of Defenese Leon Panetta called “within reach” of strategic defeat, the franchises persist:

The emerging picture is of a network that is crumpled at its core, apparently incapable of an attack on the scale of Sept. 11, 2001, yet poised to survive its founder’s demise.

“The organization that brought us 9/11 is essentially gone,” said the official, among several who spoke on the condition of anonymity to discuss U.S. intelligence assessments of al-Qaeda with reporters a year after bin Laden was killed. “But the movement .?.?. the ideology of the global jihad, bin Laden’s philosophy — that survives in a variety of places outside Pakistan.”

You have those concerned that despite it’s weakened state, the franchises are robust and many still hope to avenge Bin Laden’s death:

“It’s wishful thinking to say al-Qaida is on the brink of defeat,” says Seth Jones, a Rand analyst and adviser to U.S. special operations forces. “They have increased global presence, the number of attacks by affiliates has risen, and in some places like Yemen, they’ve expanded control of territory.”

By the numbers, al-Qaida’s greatest presence is still greatest in Iraq, where intelligence officials estimate up to a 1,000 fighters have refocused their campaign from striking now-absent U.S. troops to hitting the country’s Shiite-dominated government.

Yemen’s al-Qaida of the Arabian Peninsula (AQAP) is becoming a major draw for foreign fighters as it carves out a stronghold in the south of the country, easily defeating Yemeni forces preoccupied battling tribal and political unrest. The White House recently agreed to expanded drone strikes to give the CIA and the military greater leeway to target militant leaders.

Washington Post columnist David Ignatius puts forward the provocative idea that Bin Laden is winning, even from beyond the grave:

In the year since Osama bin Laden’s death, it has been a comforting thought for Westerners to say that he failed. And that’s certainly true in terms of al-Qaeda, whose scorched-earth jihad tactics alienated Muslims along with everyone else. But in terms of bin Laden’s broader goal of moving the Islamic world away from Western influence, he has done better than we might like to think.

So, a year on, it’s a time to think about bin Laden’s failures but also about the ways his fellow Islamists have morphed toward a political movement more successful than even bin Laden could have dreamed.

However, I think perhaps the most interesting analysis, and that which adds the most value long-term to homeland security in general, is the Time magazine cover piece (behind a pay-wall) by Harvard professor Graham Allison.  He examines the policy-making process behind the decision when and how to carry out the raid, as well as identifies lessons for future foreign policy challenges.  The bottom line, in his words, “is that American government worked.”

His lessons:

The first lesson this case demonstrates is that the US government is capable of extraordinary performance—in extraordinary circumstances. The challenge is to find ways to apply lessons learned here to improve performance in ordinary cases.

Second, sometimes secrets matter. And when they do, secrecy matters more. The bin Laden case demonstrates why success requires both discovering secrets and then keeping them, allowing a President time to reflect in private, and permitting him to reach a decision and act.

Third, secrecy comes with a price. Tightening the decision loop in order to prevent leaks means that important angles will not be adequately considered. If other officials had been brought in earlier and told to design an alternative storyline about imaginary Pakistani cooperation in the raid, that might have avoided humiliating the Pakistani military in their own backyard. The consequences of this for our prospects not only of finding an acceptable exit from Afghanistan, but also of securing Pakistan’s nuclear arsenal, are becoming clearer every day.

Fourth, the most troubling lesson from this case is the dog that has not barked. In the aftermath of Abbottabad, we are left with two possibilities: either the Pakistanis knew that bin Laden was there—or they did not. It is hard to know which is more frightening.

All readily applicable to homeland security challenges.

(Note: while the Time piece is currently behind a pay-wall, Professor Allison and others were interviewed on the most recent episode of CBS’ “Face the Nation.”  The video is available here: http://tiny.cc/chfkdw)

From Jason and the Argonauts (1963)

Late Thursday afternoon the Cyber Intelligence Sharing and Protection Act (CISPA) was passed by the House on a bipartisan vote of 248-168.  Forty-two Democrats voted for the bill and 28 Republicans voted against it. Senate approval seems unlikely.  The White House has raised the prospect of a veto.

Cybersecurity is a compound derived from cybernetics, a term coined in 1948.  Cybernetics is the study of biological and cultural systems of control adapted to mechanical or electronic devices.  Norbert Wiener based his neologism on the classical Greek kybernetike meaning helmsman, navigator, pilot and in some contexts: governor.  (Some will recall that Mao was called the “Great Helmsman”.)

As a matter of etymology, cybersecurity means “steering-to-be-carefree” or less literally, “navigating for open water.”

This week several members of the House, operating on a bipartisan basis, attempted to advance substantive cybersecurity legislation even in the shadow of a quadrennial election marked by especially sharp partisanship.  The proposals encountered bipartisan opposition.

It is worth acknowledging good faith on each side.  This was an example of our legislators attempting to navigate the ship-of-state through treacherous waters.  We can disagree with individual choices.  I don’t see cause to question individual intentions.

Nonetheless, such questions were deployed, accusations traded, and nefarious purposes perceived.  No great surprise in regard to cybersecurity or anything else.

Each side is attempting to steer between what many perceive as two great rocks: one threatening to turn our own government into a privacy-devouring monster while the other is already undermining our economic and military strength.  Which rock is more dangerous?  Toward which is the current pushing us?  Is there a safe way between? (To see the solution found by Jason and the Argonauts, check out this YouTube.)

–+–

Until the mid-19th Century students were usually introduced to Plato with First Alcibiades.  In this dialogue Socrates engages in his well-known method of inquiry with a promising young politician. The narrative explores the tension between decisions made for effect and decisions that are effective.

Below is a Reader’s Digest version of First Alcibiades.  For me it has implications for the current cybersecurity legislation, homeland security policy/strategy, and probably much more.

Socrates: Do you not see, then, that mistakes in life and practice are likewise to be attributed to the ignorance which has conceit of knowledge?
Alcibiades: Once more, what do you mean?
Socrates: I suppose that we begin to act when we think that we know what we are doing?
Alcibiades: Yes.
Socrates: But when people think that they do not know, they entrust their business to others?
Alcibiades: Yes.
Socrates: And so there is a class of ignorant persons who do not make mistakes in life, because they trust others about things of which they are ignorant?
Alcibiades: True.
Socrates: Who, then, are the persons who make mistakes? They cannot, of course, be those who know?
Alcibiades: Certainly not.
Socrates: But if neither those who know, nor those who know that they do not know, make mistakes, there remain those only who do not know and think that they know. (Bold highlight not in the original.)
Alcibiades: Yes, only those.
Socrates: Then this is ignorance of the disgraceful sort which is mischievous?
Alcibiades: Yes.
Socrates: And most mischievous and most disgraceful when having to do with the greatest matters?
Alcibiades: By far.
Socrates: And can there be any matters greater than the just, the honourable, the good, and the expedient?

Are our legislators asking authentic questions of those opposed to their proposals?  Are they listening carefully to the answers? Are we?  Do our answers acknowledge the reasonable and substantive concern of those asking questions?  Alcibiades was not so inclined.  He tended to see his political rivals as his enemy.  Socrates argued otherwise.

Socrates: And suppose that you were going to steer a ship into action, would you only aim at being the best pilot on board? Would you not, while acknowledging that you must possess this degree of excellence, rather look to your antagonists, and not, as you are now doing, to your fellow combatants?

What do we really know about our cyber-antagonists: criminals, vandals, terrorists, and more?  Technically, tactically, strategically what are the capabilities and objectives of our adversaries?  What is our claim?  What is our case?  Does the evidence persuade? Do we sometimes — inappropriately, even self-destructively — see those who question our claims as adversaries rather than allies in a common cause?

Socrates: What art makes men know how to rule over their fellow-sailors,— how would you answer?
Alcibiades: The art of the pilot. (Palin: aretes kybernetike)…
Socrates: And what do you call the art of fellow-citizens?
Alcibiades: I should say, good counsel, Socrates.
Socrates: And is the art of the pilot evil counsel?
Alcibiades: No.
Socrates: But good counsel?
Alcibiades: Yes, that is what I should say,— good counsel, of which the aim is the preservation of the voyagers.
Socrates: True. And what is the aim of that other good counsel of which you speak?
Alcibiades: The aim is the better order and preservation of the city.

How do we take good counsel together? Is there any way other than asking questions, listening carefully — even sympathetically — to uncomfortable answers, and then asking uncomfortable questions before listening again?  Is this what we saw in the House this week?  Is this what you experienced in your home, neighborhood, workplace and city this week?

Socrates: O my friend, be persuaded by me, and hear the Delphian inscription, ‘Know thyself’— not the men whom you think, but these kings are our rivals, and we can only overcome them by pains and skill…
Alcibiades: I entirely believe you; but what are the sort of pains which are required, Socrates,— can you tell me?

If  Socrates’ claim — Know Thyself — seems off-topic, irrelevant to cybersecurity, and impractical for present purposes, please explain why.  Socrates, or probably Plato, makes this case:

Socrates: Consider; if some one were to say to the eye, ‘See thyself,’ as you might say to a man, ‘Know thyself,’ what is the nature and meaning of this precept? Would not his meaning be:— That the eye should look at that in which it would see itself?
Alcibiades: Clearly.
Socrates: And what are the objects in looking at which we see ourselves?
Alcibiades: Clearly, Socrates, in looking at mirrors and the like.
Socrates: Very true; and is there not something of the nature of a mirror in our own eyes?
Alcibiades: Certainly.
Socrates: Did you ever observe that the face of the person looking into the eye of another is reflected as in a mirror; and in the visual organ which is over against him, and which is called the pupil, there is a sort of image of the person looking?
Alcibiades: That is quite true.
Socrates: Then the eye, looking at another eye, and at that in the eye which is most perfect, and which is the instrument of vision, will there see itself?
Alcibiades: That is evident.
Socrates: But looking at anything else either in man or in the world, and not to what resembles this, it will not see itself?
Alcibiades: Very true.
Socrates: Then if the eye is to see itself, it must look at the eye, and at that part of the eye where sight which is the virtue of the eye resides?
Alcibiades: True.
Socrates: And if the soul, my dear Alcibiades, is ever to know herself, must she not look at the soul; and especially at that part of the soul in which her virtue resides, and to any other which is like this?
Alcibiades: I agree, Socrates.
Socrates: And do we know of any part of our souls more divine than that which has to do with wisdom and knowledge?
Alcibiades: There is none.
Socrates: Then this is that part of the soul which resembles the divine; and he who looks at this and at the whole class of things divine, will be most likely to know himself?
Alcibiades: Clearly.
Socrates: And self-knowledge we agree to be wisdom?
Alcibiades: True.

Let’s look each other in the eye, ask, answer, and listen carefully.  We depend on this dialogue — especially with those who disagree with us — to open the way to any sort of wisdom.

By the way: despite Socrates best effort, Alcibiades became a successful politician and a catastrophic helmsman. Athens suffered horribly from his persistent lack of self-knowledge. This did not dissuade Socrates from encouraging self-knowledge among others.  But this was not always well-received.  See the Apology.

One side compromised with the other, alleged deals were done, criticisms were leveled, a possible veto was signaled (threatened would be too strong in this case),  alleged deals unraveled, unprincipled behavior was alleged.  Further compromise was probably undermined. See Declan McCollough’s report  at CNET.

Yesterday was a typical afternoon on Capitol Hill.   A very similar summary might be written of your local City Hall, union hall, church board, or any place that decision making takes place.  Something like this has happened since we first gathered around pre-historic fire pits.

Unlike many of our challenges, differences of judgment on cybersecurity cross partisan and ideological divides.  This is a good thing suggesting the potential for actual thinking and creativity has not — yet — been extinguished.

There is also a widely shared judgment that something needs to be done.

Four Senators blogging at The Hill criticize the House legislation as insufficient, but also argue, “The system is already blinking red in warning. FBI Director Robert Mueller has predicted that, in the near future, cyberattacks will surpass terrorism as the country’s greatest threat, while Chertoff, who served in the George W. Bush administration, said cyber threats are “one of the most seriously disruptive challenges to our national security since the onset of the nuclear age.”

In a Statement of Administration Policy, unidentified authors at the Office of Management and Budget write:

The Administration is committed to increasing public-private sharing of information about cybersecurity threats as an essential part of comprehensive legislation to protect the Nation’s vital information systems and critical infrastructure. The sharing of information must be conducted in a manner that preserves Americans’ privacy, data confidentiality, and civil liberties and recognizes the civilian nature of cyberspace. Cybersecurity and privacy are not mutually exclusive. Moreover, information sharing, while an essential component of comprehensive legislation, is not alone enough to protect the Nation’s core critical infrastructure from cyber threats. Accordingly, the Administration strongly opposes H.R. 3523, the Cyber Intelligence Sharing and Protection Act, in its current form.

In an opinion piece Congressman Mac Thornberry writes, “We cannot let the quest for the perfect, overarching bill prevent us from achieving the good, a-step-in-the-right-direction bill. In cybersecurity, we cannot afford to wait any longer to get it done perfectly. We need to act now.”

For most of those engaged in this legislative process the question is not if, but how.   Would be remarkable if the contestants might recognize how much they agree.  I wonder what sort of legislation might emerge from such an epiphany?

The four pieces of cybersecurity legislation should be considered by the Committee of the Whole later today.  I will be offline, but will join you in watching and listening for what the process might say about cybersecurity and more.

LATE THURSDAY UPDATE: Late this afternoon the Cyber Intelligence Sharing and Protection Act (CISPA) was passed by the House on a bipartisan vote of 248-168.  Forty-two Democrats voted for the bill and 28 Republicans voted against it. Senate approval is unlikely.  The White House has raised the prospect of a veto.

Today and tomorrow will be big days for the cybersecruity package being moved through the House.  A Friday vote (or votes) is promised. Lots of ink and bytes are available on the issues.

The House Permanent Select Committee is providing access to the proposed bill and emerging amendments.

Here are two more sources for a deeper dive.

PRO CISPA et cetera:

See the Information Technology Council.   Don’t miss the links available via their twitter feed, page right.

CONTRA CISPA et cetera:

See the Center for Democracy and Technology.  Don’t miss the links available via their blog posts, page right.

–+–

PRO-POINT

… Dangerous economic predators, including nation-states like China, use the Internet to steal valuable information from American companies and unfairly compete with our economy. The cost is staggering. Years of effort and billions of dollars in research and development, strategic business plans, communications, and other sensitive data—all are lost in seconds. The victims span all sectors of our economy, from small businesses to large pharmaceutical, biotech, defense, and IT corporations. Additionally, our industrial control systems, utilities networks, and critical infrastructure are at risk of sabotage. We must all work together, government and private sector, to defend America against these predators, and we must do it in a way that does not compromise our core principles. The Cyber Intelligence Sharing and Protection Act allows us to take that first critical step of sharing information in a way that is effective but still protects our civil liberties. MORE (Representative Mike Rogers, Chairman, House Permanent Select Committee on Intelligence)

COUNTER-POINT

The latest assault on internet freedom is called the “Cyber Intelligence Sharing and Protection Act,” or “CISPA,” which may be considered by Congress this week.  CISPA is essentially an internet monitoring bill that permits both the federal government and private companies to view your private online communications with no judicial oversight–provided, of course, that they do so in the name of “cybersecurity.”  The bill is very broadly written, and allows the Department of Homeland Security to obtain large swaths of personal information contained in your emails or other online communication.  It also allows emails and private information found online to be used for purposes far beyond any reasonable definition of fighting cyberterrorism. CISPA represents an alarming form of corporatism, as it further intertwines government with companies like Google and Facebook.  It permits them to hand over your private communications to government officials without a warrant, circumventing well-established federal laws like the Wiretap Act and the Electronic Communications Privacy Act.  It also grants them broad immunity from lawsuits for doing so, leaving you without recourse for invasions of privacy.  Simply put, CISPA encourages some of our most successful internet companies to act as government spies, sowing distrust of social media and chilling communication in one segment of the world economy where America still leads. MORE (Representative Ron Paul, Chairman of the Subcommittee on Domestic and Monetary Policy, House Financial Services Committee)

Scroll below for more attention from HLSWatch.  A prior post on a related Senate proposal is available here. More to come.

Late Wednesday Update: Politico has a good summary of the state-of-play as of dinner time.   PCWorld is providing good sustained coverage of both political developments and their technical implications.

Sunday and Monday’s Homeland Security Watch posts reminded me how little I know about cyber fill-in-the-blank issues.  I know more than I did a year ago. But every time I hear or read something from someone who actually understand cyber issues, what I believe I know becomes a much smaller fraction of what I think I could know.

This week’s posts also reminded my of a “cyber awareness” course syllabus a friend sent to me last June when I was trying to make sense of the cyber domain.  The best I can figure out, the 20 page syllabus came from someone named “Paul Herman” at Florida State University.  I have not been able to verify that.

I bring this up for two reasons.

First, this is cyber week on homeland security watch, and I agreed to write something about cyber, severely underestimating how much time it would take to write something coherent about Susan Brenner’s 2009 reminder that “Article I § 8 of the U.S. Constitution gives Congress the “Power To . . . grant Letters of Marque and Reprisal,” and how we might want to consider using that Constitutional authority to encourage “cyber-privateers to deal with cybercriminals.” (See also this related entry on the Morgan Doctrine blog; [and thanks for the idea, KS].)

Second, when I first saw “Paul Herman’s course syllabus” I remember being impressed with how much territory it covered, and how it actually included “learning objectives.”

The syllabus helped me map my own preliminary cyber learning agenda.  I pass a very small portion of it (topics and learning objectives) along today, with the hope it might help someone develop his or her own agenda for learning about (or maybe teaching) this still emerging homeland security issue.

Thank you, “Paul Herman,” whoever you are.

As Ms. Herrera-Flanigan introduced in her last post, it is “Cybersecurity Week” for the U.S. House of Representatives. I am going to go out on a limb and guess that it will neither be as popular as the Cherry Blossom Festival or as successful as the Washington Nationals’ pitching staff so far this baseball season.

The problem is not that cyber issues are not important or do not deserve attention.  Legislative action, though almost never the panacea perceived in Washington, would likely be helpful.  The larger issue is that cyber _____ (insert your favorite descriptor here: war, crime, espionage, terrorism, etc.) is terribly difficult to define.

Exactly what is the problem and who should be worried about it? What is the threat and the potential consequences of a successful…something?

Starting with the “hair on fire” group, you have national security mavens such as former Special Advisor to the President for Cyber Security (among other things) Richard Clarke, who is concerned about cybercrime:

FOR the last two months, senior government officials and private-sector experts have paraded before Congress and described in alarming terms a silent threat: cyberattacks carried out by foreign governments. Robert S. Mueller III, the director of the F.B.I., said cyberattacks would soon replace terrorism as the agency’s No. 1 concern as foreign hackers, particularly from China, penetrate American firms’ computers and steal huge amounts of valuable data and intellectual property.

But by failing to act, Washington is effectively fulfilling China’s research requirements while helping to put Americans out of work. Mr. Obama must confront the cyberthreat, and he does not even need any new authority from Congress to do so.

And cyberwar:

Congress should demand answers to questions like: What is the role of cyber war in US military strategy? Is it acceptable to do “preparation of the battlefield” by lacing other countries’ networks with “Trojan horses” or “back doors” in peacetime? Would the United States consider a preemptive cyber attack on another nation? If so, under what circumstances? Does US Cyber Command have a plan to seize control and defend private sector networks in a crisis? Do the rules of engagement for cyber war allow for military commanders to engage in “active defense” under some circumstances? Are there types of targets we will not attack, such as banks or hospitals? If so, how can we assure that they are not the victims of collateral damage from US cyber attacks?

More recently John Brennan, the President’s Counterterrorism and Homeland Security Adviser, took to the Opinion page of the Washington Post to make a similar argument about the threat of cyberattacks:

Before the end of the next business day, companies in every sector of our economy will be subjected to another relentless barrage of cyberintrusions. Intellectual property and designs for new products will be stolen. Personal information on U.S. citizens will be accessed. Defense contractors’ sensitive research and weapons data could be compromised.

Our critical infrastructure — power plants, refineries, transportation systems and water treatment centers — depend on the integrity and security of their computer networks. Approximately 85 percent of this infrastructure is owned and operated by the private sector. Last year alone, there were nearly 200 known attempted or successful cyberintrusions of the control systems that run these facilities, a nearly fivefold increase from 2010. And while most companies take proper precautions, some have unfortunately opted to accept risks that, if exploited, would endanger public safety and national security.

However, noted cyber scholar Evgeny Morozov would like to push down on the brake:

Both Messrs. McConnell and Clarke—as well as countless others who have made a successful transition from trying to fix the government’s cyber security problems from within to offering their services to do the same from without—are highly respected professionals and their opinions should not be taken lightly, if only because they have seen more classified reports. Their stature, however, does not relieve them of the responsibility to provide some hard evidence to support their claims. We do not want to sleepwalk into a cyber-Katrina, but neither do we want to hold our policy-making hostage to the rhetorical ploys of better-informed government contractors.

Steven Walt, a professor of international politics at Harvard, believes that the nascent debate about cyberwar presents “a classical opportunity for threat inflation.” Mr Walt points to the resemblance between our current deliberations about online security and the debate about nuclear arms during the Cold War. Back then, those working in weapons labs and the military tended to hold more alarmist views than many academic experts, arguably because the livelihoods of university professors did not depend on having to hype up the need for arms racing.

Markus Ranum, a veteran of the network security industry and a noted critic of the cyber war hype, points to another similarity with the Cold War. Today’s hype, he says, leads us to believe that “we need to develop an offensive capability in order to defend against an attack that isn’t coming—it’s the old ‘bomber gap’ all over again: a flimsy excuse to militarize.”

The main reason why this concept conjures strong negative connotations is because it is often lumped with all the other evil activities that take place online—cybercrime, cyberterrorism, cyber-espionage. Such lumping, however, obscures important differences. Cybercriminals are usually driven by profit, while cyberterrorists are driven by ideology. Cyber-spies want the networks to stay functional so that they can gather intelligence, while cyberwarriors—the pure type, those working on military operations—want to destroy them.

All of these distinct threats require quite distinct policy responses that can balance the risks with the levels of devastation. We probably want very strong protection against cyberterror, moderate protection against cybercrime, and little to no protection against juvenile cyber-hooliganism.

Perfect security—in cyberspace or in the real world—has huge political and social costs, and most democratic societies would find it undesirable

As you continue to dig deeper, one will find a vigorous continued disagreement about various aspects of the cybertopic.  For example, Foreign Policy published he said/he said articles on cyberwar.  On the “eh” side, Thomas Rid:

Time for a reality check: Cyberwar is still more hype than hazard. Consider the definition of an act of war: It has to be potentially violent, it has to be purposeful, and it has to be political. The cyberattacks we’ve seen so far, from Estonia to the Stuxnet virus, simply don’t meet these criteria.

Indeed, there is no known cyberattack that has caused the loss of human life. No cyberoffense has ever injured a person or damaged a building. And if an act is not at least potentially violent, it’s not an act of war. Separating war from physical violence makes it a metaphorical notion; it would mean that there is no way to distinguish between World War II, say, and the “wars” on obesity and cancer. Yet those ailments, unlike past examples of cyber “war,” actually do kill people.

Pushing back, noted RAND scholar and co-author of the influential book, “The Advent of Netwar,” John Arquilla:

Cyberwar is here, and it is here to stay, despite what Thomas Rid and other skeptics think.

But another notion arose alongside ours — that cyberwar is less a way to achieve a winning advantage in battle than a means of covertly attacking the enemy’s homeland infrastructure without first having to defeat its land, sea, and air forces in conventional military engagements.

I have been bemused by the high level of attention given to this second mode of “strategic cyberwar.” Engaging in disruptive cyberattacks alone is hardly a way to win wars. Think about aerial bombing again: Societies have been standing up to it for the better part of a century, and almost all such campaigns have failed. Civilian populations are just as likely, perhaps even more so, to withstand assaults by bits and bytes. If highly destructive bombing hasn’t been able to break the human will, disruptive computer pinging surely won’t.

Rid seems especially dubious about the potential for this form of strategic cyberwar. And rightly so. But there is ample evidence that this mode of virtual attack is being employed, and with genuinely damaging effects.

Returning to cybercrime, Melissa Hathaway, former acting senior director for cyberspace on the National Security Council,wants to take a “Byte Out of Cybercrime:”

This paper provides a brief overview of the cybercrime problem and examines five case studies to demonstrate that, while national and international law enforcement authorities are working together to address cybercrime, with additional tools they could make even more progress going forward. Today’s efforts are under-resourced and hampered by outdated laws. Nonetheless, by sharing actionable information and applying novel interpretations of the law, authorities around the globe are finding ways to address the cybersecurity problem. The recommendations that follow the case studies seek to build on the successes and lessons learned.

While two Microsoft researchers want us all to take a deep breath and point out some potential problems in trying to estimate the consequences:

We have examined cybercrime from an economics standpoint and found a story at odds with the conventional wisdom. A few criminals do well, but cybercrime is a relentless, low-profit struggle for the majority. Spamming, stealing passwords or pillaging bank accounts might appear a perfect business. Cybercriminals can be thousands of miles from the scene of the crime, they can download everything they need online, and there’s little training or capital outlay required. Almost anyone can do it.

Well, not really.

The harm experienced by users rather than the (much smaller) gain achieved by hackers is the true measure of the cybercrime problem. Surveys that perpetuate the myth that cybercrime makes for easy money are harmful because they encourage hopeful, if misinformed, new entrants, who generate more harm for users than profit for themselves.

Are you confused yet?  I am.  And noted political scientist Joseph Nye does not want to make it any easier by asking simple questions:

The United States may be ahead of other countries in its offensive capabilities in cyber, but because it depends so much on cyber, it is also more vulnerable. What, then, should our policy be? When it comes to thinking about cyber, we are at about the same place people were in 1950 when thinking about the nuclear revolution. We know it is something new and big and that it is transformative, but we haven’t thought out what offense means, what defense means. What is deterrence in such a world? What is strategy? How do we fit the pieces together? Can we establish rules of the road? Can we find an analogue in arms control, or is that an unlikely model for something that is apparently unverifiable? The first efforts at arms control didn’t bear fruit until twenty years after the first nuclear explosion and came about largely to deal with third parties (the Nuclear Non-Proliferation Treaty) or because of concerns with environmental fallout (the Limited Test Ban Treaty). Not until the 1970s, some thirty years after the technology emerged, were the first bilateral arms control agreements signed, and not until the 1980s did leaders of the two superpower nations proclaim that nuclear war cannot be won and must never be fought. Forty years were needed to develop a powerful basic normative agreement. In cyber, we are still around 1950. What this means is that we can no longer treat cyber and the other aspects of power diffusion as something to be left to the technocrats or the intelligence specialists.

We have to develop a broader awareness in the public and in the policy community to be able to think clearly about how we trade off different values and develop sensible strategies for cyber.

So where does this all leave us? With a whole bunch of questions:

What are the cyber threats we should worry about the most?

What cyber threats should be considered “homeland security,” “national security,” “economic security,” or something else entirely?

How can we delineate what are personal, business/NGO, or local/state/federal responsibilities for cybersecurity?

How can we divide up the responsibility pie between all the various actors at the federal level–DHS, DOD, State, etc.?

Will Hollywood do the right thing and resist any temptation to remake “War Games?”

So many questions and, at this point, so few answers.

Today marks the start of the self-declared “Cybersecurity Week” in the House.  Last Friday, the House Republican Leadership announced that four bills would be considered this week to “address the cybersecurity threat facing our country.”  In announcing the schedule, Speaker Boehner, Majority Leader Cantor, and the House GOP’s Cybersecurity Task Force Leader Thornberry, stated:

The focus of these bills is consistent with the recommendations released by the task force last October that address the central issue the federal government and industry have stated must be addressed now: updating existing cybersecurity laws to provide the legal authorities to allow for information-sharing and public-private partnerships. Information-sharing is crucial to stopping the persistent and aggressive threat facing all aspects of our economy, our critical infrastructure, our communications, and our nation’s security.

The focus of these bills is consistent with the recommendations released by the task force last October that address the central issue the federal government and industry have stated must be addressed now: updating existing cybersecurity laws to provide the legal authorities to allow for information-sharing and public-private partnerships. Information-sharing is crucial to stopping the persistent and aggressive threat facing all aspects of our economy, our critical infrastructure, our communications, and our nation’s security.

Overall, the bills enjoyed somewhat bipartisan support, though as discussed in a bit, much of the criticism has been focused on what was not included as what was.  Among the bills to be considered:

• Cyber Intelligence Sharing and Protection Act (H.R. 3523) – A Mike Rogers (R-MI)/Dutch Ruppersberger (D-MD) bill coming out of the Intelligence Committee.  The bill would allow the government to provide classified information to companies to allow them to to protect their networks.  The bill also authorizes private-sector entities to defend their own networks and to those of their customers, and to share cyber threat information with others in the private sector, as well as with the federal government on a purely voluntary basis.   This bill, which many consider the lynchpin of the House efforts, has garnered significant criticism from the privacy and civil liberties groups.  These interests have equated the bill to the doomed SOPA/PIPA bills, stating that it violates Constitutional rights.  The sponsors made significant changes last week to try to address the privacy concerns but still have met criticism.  Just last Friday, House Homeland Security Committee Ranking Member Bennie Thompson (D-MS) sent around a Dear Colleague stating that the bill “would create a “Wild West” of cyber information sharing, where any certified private entity can share information with any government agency.” Despite these criticisms, the bill has garnered the support of numerous companies and technology groups.
• Federal Information Security Amendments (H.R. 4257) – Introduced by Oversight and Government Reform Chairman Darrell Issa, this bill tackles the mess that is the Federal Information Security Management Act (FISMA).  It improves the framework for securing information technology systems, focusing on “automated and continuous” monitoring and dictates that OMB should play a significant role in FISMA compliance. The bill is relatively uncontroversial, as most agree that FISMA needs fixing.
• Cybersecurity Enhancement Act (H.R. 2096) – Another uncontroversial bill is Rep. Mike McCaul’s (R-TX) legislation tackles cyber R&D.  It strengthens NSF and NIST technical standards and cybersecurity awareness, education and talent development capabilities.
• Advancing America’s Networking and Information Technology Research and Development (NITRD) Act (H.R. 3834) - Introduced by Science, Space & Technology Chairman Ralph Hall (R-TX), this bill reauthorizes the NITRD program, including its efforts relating to cyber R&D. This is another bill that is uncontroversial.

Missing from the list above?  Rep. Dan Lungren’s  (R-CA) PRECISE Act, which the Congressman essentially gutted during the House Homeland Security Committee Full Committee mark-up last week so as to win the support of House Republican leadership for inclusion in cybersecurity week.  The bill, which provided for the creation of voluntary cybersecurity standards that would be created by DHS and the private sector, apparently was still too regulatory in nature for the House’s Leadership, which preferred to leave unaddressed how critical infrastructures are secured.  There is still a chance that Rep. Lungren’s bill will be offered during the week, though that is seen as unlikely given Democratic opposition to the scaled back version of the bill that passed out of Committee along partisan lines.

Other issues that are not being addressed this week but we might see legislation on in the coming months:

• cybercrime penalties and authorities. The House Judiciary Committee was expected to mark up legislation this past month but is reassessing its efforts in light of the 9th Circuit’s decision in U.S. vs Nosal a few weeks ago limiting the Computer Fraud and Abuse Act’s application in certain cases;
• electric grid security: House Energy & Commerce may look more closely at cyber efforts to secure smart grids and the like
• data breach/notification: Perhaps the issue that affects consumers the most in their day-to-day lives, it is unclear whether the House will move any legislation on this front, though Rep. Mary Bono Mack (R-CA) of the House Energy & Commerce Committee has mentioned that she is taking a close look at the issue and legislation.

Whatever happens in the House this week, the future of cybersecurity legislation remains unclear. The Senate has the Lieberman-Collins bill that has been awaiting action for months.  Whether the House’s decision to move forward on legislation will motivate the Senate to act is not known though it is clear that the issue of cybersecurity is not going away anytime soon.

In late 2009 the Pew Research Center asked a statistically valid sample of Americans, “whether or not they knew the names of the neighbors who live close to them and found that 19% said that they knew the names of all of their neighbors, and 24% said that they knew most of them. The remaining three-fifths of Americans know either some (29%) or none (28%) of their neighbors by name.”

To be sure you didn’t miss it:  28% of Americans do not know the names of any of their neighbors.

Many American communities are not whole.  Many places where many Americans reside are not what is traditionally meant by “community.”  In yesterday’s post Jessica wrote, “some communities are more about struggle than success and a Whole Community approach means little if there is little to nothing to build upon.”

The Pew Study highlights a meaningful correlation between economic well-being, educational attainment and social connectedness within residential areas.

It is worth noting that even among the most highly educated and affluent over 35 percent are almost entirely disengaged from those living near-by.

None of this is news. Robert Putnam has helped us understand the evolving nature of American communities.  With less optimism, so has Charles Murray.

If we accept the changing character of American communities (Putnam) or the veritable  collapse of some communities (Murray), does this invalidate the Whole Community strategy?

I don’t think so.  From an emergency management, civil defense  or homeland security perspective Whole Community is a pre-event mitigation strategy designed to enhance readiness and self-reliance where this is achievable, identify where readiness is weakest, and better understand what outside help will be needed to address specific vulnerabilities emerging from this process.

The strategic short-hand is to preserve and enhance existing strengths while recognizing and engaging persistent vulnerabilities.

Whole Community is also, according to one homeland security wag who does not want to be named here, “a therapy to combat the call-911 pandemic.”   This “old codger” argues that the 911 system has had an insidious influence on the expectations of both the public and first-responders.

“The proliferation of public safety call centers has,” he claims, “caused a consumerist cancer” to transform the relationship between citizens and the public safety community. “I don’t mean to suggest 911 has not helped.  It has saved thousands of lives.  But the secondary and tertiary effects aren’t pretty.”

The growing — sometimes ridiculous and abusive — dependence on 911 by some “consumers” has been widely noted.

What I think is more interesting is the claim that the 911 system has redefined the role of police, firefighters, and others.  ”We are now subjected to time-and-motion studies that can be entirely contrary to the principles of community-based, citizen oriented, professional services.   Before 911 we never presumed, and the citizens seldom expected, we could respond quick enough to always save their bacon. Now we are public safety ‘barristas’ expected to respond with whatever exotic mix of services the consumer decides they need on demand.  Thing is, it works. At least on the small stuff it works really well. So we’re all being habituated to behaviors and expectations that will absolutely fall-apart when something really bad happens.”

In Whole Community efforts in which I have participated the single most empowering inputs have been from big, brave, smart, uniformed personnel telling their civilian neighbors, “If  (something unusually bad)  happens, you won’t see me for an hour, maybe two or three.  If (something really, really bad) happens, it may be a couple of days.”

The first reaction is surprise, and I have seen a few cases of sputtering, “Well, what do you mean?” But it does not take long for most folks to look hard at prospective natural, accidental, or intentional disasters and recognize reality: What can I do with my neighbors to increases the chances for my survival and recovery.  In a few cases I have observed as Whole Community engagement has taken a “place” and helped make it a “neighborhood.”

I absolutely agree with Mark and Jessica this will not happen everywhere.   I also agree with Arnold that there are public sector behaviors — especially a predilection for control and subverting collaboration — which undermine Whole Community potential in places where it could happen.

Chris Bellavita wrote, “How interesting would it be if homeland security’s Whole Community philosophy were mashed with a new pedagogy of self governing?”  I agree and suggest it would be as interesting and more effective if it was an andragogy of self governing.

Partly this is an inside joke, but pedagogy assumes an authority to transfer knowledge from those with it to those without it. Andragogy focuses much more on facilitating and serving the self-motivation, pre-existing experiences, and independent intelligence of the learner.

Pedagogy is for children. A vulgar form of pedagogy can be effective with consumers.  Andragogy is for citizens.

Whatever else, a Whole Community is made up of citizens with equal rights and complementary responsibilities.

A community is like a ship; everyone ought to be prepared to take the helm. – Henrik Ibsen, Enemy of the People (1882).

Conceptually, the Whole Community approach to emergency management that FEMA has been advocating and which is the focus on  A Whole Community Approach to Emergency Management: Principles, Themes, and Pathways for Action, December 2011, make sense. The premise is simple and as FEMA clearly and succinctly states: “A Whole Community approach to building community resilience requires finding ways to support and strengthen the institutions, assets, and networks that already work well in communities and are working to address issues that are important to community members on a daily basis.”

FEMA recognizes that big government is not the answer for emergency management. Homeland security, in and of itself, is a local issue. Disasters and attacks are not addressed by bureaucrats in D.C. but but by the local,state, and tribal law enforcement and first responders, affected families, NGOs and others who are on the front lines when either nature or bad actors strike.

That said, I join my fellow HLS Watch blogger Mark Chubb in being a little uneasy about the Whole Community concept. My concerns, though, stem from a different place than those he expressed. My concerns stem from the quoted premise above that we should be looking to find ways to support and strengthen those entities that “already work well” in communities.  As detailed in the December document, this premise is put into action through “Pathways for Action” that give simplistic suggestions for emergency managers to put into place as part of their Whole Community efforts. A few examples?

• Educate your emergency management staff on the diversity of the community and implement cultural competence interventions, such as establishing a relationship with a multi-lingual volunteer to help interact with the various groups.
• Identify a broad base of stakeholders, including scout troops, sports clubs, home school organizations, and faith-based and disability communities to identify where relationships can be built and where information about the community’s needs can be shared. Partner with groups that interact with a given population on a daily basis, such as first responders, places of worship, niche media outlets, and other community organizations. These groups/organizations have already established trust within the community and can act as liaisons to open up communication channels.
• Identify barriers to participation in emergency management meetings (e.g., lack of childcare or access to transportation, and time of the meeting) and provide solutions where feasible (e.g., provide childcare, arrange for the meeting to be held in a location accessible by public transportation, and schedule for after-work hours).
• Have an open house at your emergency operations center (EOC) and invite the public. Invite schools for field trips. Explain the equipment, organization, and coordination that are used to help protect the community.
• Leverage existing programs, such as the local Parent Teacher Association (PTA), to strengthen emergency management skills in the community. Offer Community Emergency Response Team (CERT) training to PTA members.

My struggle is with the premise that communities are essentially “successful, connected, and committed.”  Not all communities fit that profile.  Sadly, some communities are more about struggle than success and a Whole Community approach means little if there is little to nothing to build upon.  What do you do when there are few strengths on which to build? In many instances, those communities that struggle most are the ones that are with the most vulnerable populations who need the most assistance.

To be complete, the Whole Community concept and the approach advocated by FEMA in its document needs an appendix or a part II to discuss what should be done when communities fail. Who is at the helm then?  I’m not advocating that this be a federal government function per se but the alignment of how to help the most needy when the “community” cannot (or, in certain locations, will not) has to be effectively addressed if we are to address emergency management. Otherwise, chaos will certainly prevail in communities that have little capability to respond.

At the urging of fellow HLSwatch blogger Arnold Bogis, I’ve spent a little while this week reflecting on my unease about certain aspects of the FEMA Whole Community approach to disaster preparedness and community resilience. That’s proven quite difficult for me in one sense because I am generally in agreement that planning requires a lot more community engagement than we usually afford it.

Done well, community engagement contributes to resilience by encouraging the exchange of information and sharing of resources before a disaster, which builds relationships that not only endure in times of crisis but bolster our natural inclination to connect with others in need. That said, something about the whole community approach has always stuck in my craw.

Before I get to that though, I’d like to emphasize what I think works best about the whole community approach. First, it acknowledges that cities, disasters and efforts to make cities more resilient are all complex things in their own right. (This should not be taken to mean that rural areas or small towns are any less complex. They can be even more so, just in other ways.) Second, it acknowledges that improving community resilience begins by acknowledging and strengthening what people are already doing and what already works. And, third, it embraces the idea of bringing new individuals and groups into the discussion rather than relying on the expertise of those already interested. Doing so begins by meeting people and groups where they are instead of drawing them to us.

For too long, emergency management relied upon the old adage that “the world is run by those who show up.” If you were present then you were the right one to write the plan simply because you showed up and by doing so showed an interest. The unspoken assumption in all of this is that anyone interested enough to show up for the boring bits — plan writing and preparedness — can be relied upon for the difficult parts — response and recovery.

Sadly, this explains a lot of the dysfunction we see in emergency management. Too many of those who show up do so because they have a vested interest in seizing opportunities to show off their expertise or personal experience of having not been prepared. Consequently, they come to the task imbued with the white-hot intensity characteristic of the zeal of the newly converted.

This tendency leads to another problem that I think traditional approaches not only share in common with the whole community approach, but that FEMA may be taking to a whole new and unwelcome level. That is the notion that emergency planning and preparedness should be a “go big or go home” enterprise.

The coincident emphasis at FEMA on catastrophic risk planning — aka, Maximum-of-Maximums — strikes me as off-putting if not alienating. For starters, I am neither convinced you can adequately plan or prepare for catastrophic events nor compelled by experience to believe that it does that much more good than simply encouraging other forms of community engagement with efforts to address lesser hazards. ”It might be true that many hands make light work,” but who will join an effort to plan for what seems to many nothing short of “the end of the world as we know it.”

We do our communities a disservice, particularly in light of the good work many are already doing to forge stronger social ties and renew the infrastructure of civic life if we ask people to imagine a world in which the fruits or their labors are left in shambles. If we are truly committed to the first three principles I mentioned — working with complexity, acknowledging what works and meeting people where they are — it seems to me that a genuine effort to engage the whole community would not start by asking people to imagine and plan for the worst.

I am willing to admit that “everything can change in the blink of an eye,” but I also know that “Rome wasn’t built in a day.” Writing good plans, just like building great cities and strong relationships takes time.

Emergency managers and public safety officials tend to think in short times frames, often too short. This is emotionally appealing, but often leads us to stop short when it comes to considering others’ points of view, especially when they run counter to conventional wisdom.

Time is of the essence when working to save lives, but disaster planning and community resilience are about saving whole communities. As such, they take more time than most officials are willing to give them.

This tendency to get in a great big hurry not only compromises efforts to get people involved and get the best out of them while they’re engaged, it also tends to suggest to them that response and recovery should be done at double quick-time too. This, of course, leads to all sorts of insidious problems, not the least of which is the “ready, fire, aim” mentality that overtakes many elected officials in times of crisis.

Instead of agitating by aphorism and pedaling platitudes, emergency managers should take the time to get to know their community in new ways. Take it slowly. Learn what people value. Listen to what they know. Ask what they need. Hear what they want. Then sit down and discuss how these things shape the two elements essential to any form of resilience: what we believe and what we are prepared to do.

The Past

In the days immediately after the beginning came the 2002 National Strategy for Homeland Security and the list of 84 things to do to achieve three missions.

Then came the target capability list, the universal task list, the 15 scenarios, and the universal adversary.

That led, sort of, to several dozen HSPDs and related implementation guidelines, national grant crack, investment justifications, and an elegant homeland security management system that found its way to page 44 of the 2007 National Strategy, but not much further.

People asked are we safer, are we more secure, what did the billions buy?  How can we measure something?  Anything? Can we afford to keep spending?

Prevention as job one morphed into a culture of preparedness then to resilience.

The National Homeland Security Strategy half-heartedly melded into the QHSR and then all but vanished into the National Security Strategy, giving birth to talk of whole nation and whole community.

The push now, at least in part of the homeland security enterprise, is to shift from program to philosophy, from trying to bribe every community in America to talk and act alike, to recognizing that’s not the kind of nation we have.

Plus the effort to get everyone marching in lock step didn’t work.

The Present

“Plan for the real,” says FEMA in its 2011 monograph “A Whole Community Approach to Emergency Management: Principles, Themes, and Pathways for Action”

“Meet people where they are,” it says.

“Create space at the table” for community interests not easily connected to emergency management.

So, what is whole community?

“Whole Community is a means by which [community members] can collectively understand and assess the needs of their … communities and determine the best ways to organize and strengthen their assets, capacities, and interests.” [3]

“In an all-hazards environment, individuals and institutions will make different decisions on how to prepare for and respond to threats and hazards; therefore, a community’s level of preparedness will vary.” [p.3]

“Ideas that work well in one community may not be feasible for another….” [19] “…. It is important to remember that one size does not fit all.  The definition of success will vary by community.” [22]

The whole community idea, as I understand it, is radical — by which I mean going back to the root. It claims that paying attention to what a community says it needs leads to a better prepared and more resilient community.

That’s a claim still to be supported by evidence.  But what if the philosophy is correct?  What if the whole community idea works as intended?  What if — as the stories in “A Whole Community Approach to Emergency Management” suggest — working to improve the lives of people in communities across the nation generates a level of preparedness and resilience only dreamt of in the days of UTL, TCL, and One Team, One Mission?

Read these Whole Community principles and strategies and convince yourself this isn’t radical stuff (radical in the good sense of course):

1. Understand and meet the actual needs of the whole community

2. Engage and empower all parts of the community

3. Strengthen what works well in communities on a daily basis

4. Understand community complexity

5. Recognize community capabilities and needs

6. Foster relationships with community leaders

7. Build and maintain partnerships

8. Empower local action

9. Leverage and strengthen social infrastructure, networks and assets

This isn’t your grandfather’s homeland security or emergency management.

OK, it might be if your grandfather was Saul Alinsky .

Not the bad Alinsky, oozing like Lucifer’s excrement from the pages of The Evil Genius Behind Obama.  I mean the other Alinsky, the one whose strategies and tactics were praised and practiced by the political left and right, by Tea Party and Occupy Party.

“The second rule [of power] is: Never go outside the experience of your people.” says Alinsky

“If people don’t think they have the power to solve their problems, they won’t even think about how to solve them.” says Alinsky

The key word in both of those aphorisms is power — meaning, in Bertrand Russell’s words, “the ability to produce intended effects.”

Bogis and Palin wrote yesterday and last week about power.  Whole Community acknowledges, although softly, the importance of power in creating its intended effects — prepared and resilient communities:

“Leveraging and strengthening existing social infrastructure, networks, and assets means investing in the social, economic, and political structures [my emphasis] that make up daily life….” [16]

And a few pages later,

“Know where the real conversations and decisions are made.  They are not always made at the council levels…. Tap into … opportuities to listen and learn…about the community. [19]

Understanding power will be the central ingredient in any success of the whole community philosophy.

How are Americans doing with that understanding?

The Future

Eric Liu wrote an article in The Atlantic last week called Why Civics Class Should Be Sexy.

The article is about power, and the failure of schools to talk about what power is “and the ways it is won and wielded in a democracy.”

Liu envisions a school curriculum that:

would focus on a host of hard skills often ignored in procedural or fact-centered civics lessons:

• How to see the underlying power dynamics beneath every public controversy.
• How to read the power map of any community.
• How to organize and mobilize people to achieve an objective.
• How to force certain issues into public discussion.
• How to challenge entrenched interests.
• How to apply pressure on elected officials.

Liu felicitously calls this ” a pedagogy of the self-governing,” something that is best “learned and taught by doing. A power civics curriculum should be hands-on and project-based, giving students the chance to move people and catalyze action.”

How interesting would it be if homeland security’s Whole Community philosophy were mashed with a new pedagogy of self governing?

That might enliven a few Emergency Management Institute classes — to say nothing about the congressional hearings it would trigger.

Who knows what such a national effort could do to help homeland security evolve beyond its emergency management and terrorism focus.  The Whole Community philosophy suggests the quickest and most effective path to a prepared and resilient population may be through a detour into what communites actually want: safe streets, jobs, a clean environment, good schools, affordable medical care.

David Tucker makes a related point about civics in his 2012 book “Illuminating the Dark Arts of War: Terrorism, Sabotage, and Subversion in Homeland Security and the New Conflict”.

“We have argued [in this book] that the decentralized, federal nature of our political institutions will help preserve our political way of life, much as the decentralized nature of our infrastructure makes it resilient. We have no one centralized political point[,] the failure of which [could doom] us….  But we will reap the benefit of this advantage only to the degree the American people…are prepared…. [This] preparation is not best left to government.  Perhaps the best immunization from the harms of a catastrophic attack is citizen involvement in civic and political life….  This would be a boon to our political well-being, whether the attack ever comes or not.  All the more reason, then, for the government to see the American people and, above all, for the people to see themselves not as subjects requiring protection but as citizens participating in the risks and rewards of citizenship.”

I hope the whole community approach to emergency management works.  If it does, it may infect the rest of the homeland security enterprise.  Infection in a good way of course.

“Whole of Community” has become a popular catch phrase in homeland security.  Not quite as revered or misused as the term “resilience,” but proving a strong second.

Beginning as a simple, yet powerful, idea in FEMA (I think–if anyone can point to another origin, please share), the concept is that citizens, NGOs, and the private sector not just have a stake but a substantial role to play in all facets of homeland security. The operating paradigm within government had been that all such activities, besides a few important outliers such as the Red Cross, would be planned and carried out by government entities at some level.

In other words, government plans were for government folk.  And if you don’t like it, tough–here’s a FOUO designation for those planning documents you were hoping to review. Whole of Community held out the promise of changing that mindset, and at least it has spread to other departments and the White House–in word if not deed.

While I’ve heard skeptics of the federal government’s embrace of the effort characterize it as a way to push back against the growing role the federal government plays in both physical and monetary response to disasters, I am of the opinion that it has the potential to overtime radically re-direct homeland security thinking away from federal centralization.  However, recent items/events have suggested possible obstacles to that becoming a reality.

Like many things in life, it comes down to power and money. Power in terms of secrecy–who decides what information is shared with the Community.  Money spent to support planning by all members of the Community, or perhaps just a select few depending to which opinion you listen.

Secrecy in the context of U.S. national security is usually thought of as protecting vital information from our adversaries (or potential adversaries, or even friends).  The term “sources and methods” is often used to explain why you shouldn’t read a particular report–it could reveal from where or how the government gathers information.  Yet secrecy is often used to leverage position and power over others through the control of access to information.  In homeland security there are true secrets and then there is “For Official Use Only” (FOUO).

When government officials want to prevent a document from being widely distributed or made available to the general public, their friend is the FOUO designation.  I’m confused to how homeland security information can be used non-officially (fun at parties?), but that is not the point.  Power through control of information is often the goal, if not always an explicit one.  Even if accomplished at the margins when a substantial number of law enforcement, first responders, and other officials receive documents that technically shouldn’t be released to the public.

Before the howls of protests begin, I am not a believer that all information deserves to be free.  Refueling schedules for nuclear research reactors shouldn’t be posted in the local newspaper, nor should potential security weaknesses of critical infrastructure be reviewed on the internet as easily as yesterday’s baseball scores. However, the reflex to label everything FOUO is a detriment to moving forward with the Whole of Community approach.  For example, see Phil’s recent post on a study of a terrorist nuclear attack on Washington, DC. He has a good point that it garnered greater attention due to the attempt to not make it public.  However, this is exactly the type of event where a Whole of Community approach is not only beneficial but required.  When weighing the pros and cons of making it FOUO, what is the best argument for not sharing it widely with the public?  What sources or methods could be exposed?  What could “the adversary” (the label du jour in Washington, DC for any man-made threat) learn which would make it easier for them to carry out a nuclear terrorist attack?

Is there a better way to balance legitimate security concerns with what Phil pointed out as “not a need to know, it’s a duty to share?”  If the public is asked to say something if they see something, shouldn’t authorities do a better job describing that something? I concede these are not simple questions to answer, but firmly believe that the reflex toward not sharing still prevails within homeland security circles.

Money, money, money…even in the best of times it is a contentious issue.  During times of constrained funding, especially at the state and local level, it is an even more fraught topic. What does this have to do with the Whole of Community? A lot. The rest of the “Community” outside of government is expected to contribute to all phases of homeland security, yet those parts outside of government are provided little, if any, in the way of financial support. One could argue it is in their best interest to include participation in these activities in their own budgeting processes, but one rarely sees similar flexibility in government planning at any level.

This all ultimately results in fights.  And I don’t mean just some strongly worded statements released by local/state officials directed toward the federal government, or NGO workers grumbling about grant distribution.  I’m talking Ultimate Fighting, smash mouth hockey, son/mother-in-law types of rumbles.  They just seem a little more civilized on the surface.

For example, take the recent dust up in regards to the potential shift in language in the upcoming Emergency Management Performance Grant (EMPG)  fund that suggested that non-profits might be eligible to participate.  Eric Holdeman at Emergency Management’s “Disaster Zone” blog reported on this story:

Alliances are being formed and warning letters are being sent.  No, I’m not talking about Syria, but the potential for Emergency Management Performance Grant (EMPG) funds to be shared with non-profits.

I blogged on this earlier this week and I hit a nerve on several fronts.  Now the National Association of Counties and the International Association of Emergency Managers (IAEM) have sent a joint letter, dated March 6th, to the FEMA Administrator asking that any proposal to share EMPG funds with nonprofits be withdrawn.

State and local emergency managers were celebrating the expansion of EMPG funding while other Homeland Security grant programs were contracted significantly in the 2012 budget.  Now they see the “potential” for this funding to be reduced significantly because there are more faces to feed at the grant table.

Eric titled his posts the “Six Day EMPG War” and it concluded just as decisively:

As noted in my earlier blog posts on this subject there was a quick reaction by emergency management, led by the International Association of Emergency Managers (IAEM) and supported by the National Association of Counties.  There were also direct questions of FEMA Administrator Fugate when he appeared before Congress.

Combined, these actions put pressure on FEMA to change the grant guidance language.

Where I disagree with Eric, despite his lifetime of emergency management experience compared to my lifetime of enjoying vanilla ice cream, is that this is a greater win for preparedness in general.  It does placate emergency management offices and stakeholder groups, succeeding in making them happier with officials in Washington.  Yet in my mind it reverses a potential brick in building a true Whole of Community architecture.  It’s nice that officials are being driven to invite non-traditional partners to the planning table, but those partners will not feel like partners if felt to be regulated to the Thanksgiving dinner kiddie table.  In other words, they are expected to participate, contribute, and take ownership of parts of this issue….but don’t expect to get any official support for your efforts.

This general phenomena, taking different forms at different levels of government and among different professions, has earlier been posted on by Mark and Phil.  In an effort to keep this blog post from becoming a long-form magazine article, I’ll let their words speak for themselves and hope that you can see similar issues emerging from the circumstances they describe.

At the end of the day, I am still a believer in the general mantra of the Whole of Community approach.  I just hope that those responsible for its various moving parts begin to think more broadly about the effects that policies toward secrecy and funding have on the long term chances of this idea’s success.  As I noted in my last post, local efforts can greatly contribute to this type of approach to homeland security.  Yet concerns about secrecy/power—starting at the top in the federal government, but certainly trickling down to state and local officials who guard their newfound access by denying information to the rest of the Community—and money are a real threat that do not seem to have been recognized by advocates of this approach.

To get the obvious out of the way first, I realize I’m indulging in what has become a nearly annual exercise of self-promotion by pointing out that I once got an op-ed published about how the City of Boston and the surrounding region treats the Boston Marathon every year as a “planned disaster.” Though it really gets me nothing personally by continuing to point it out, I’ll continue to do so since I believe it is a best practice that other regions should emulate.  And perhaps an example of a “Whole of Community” approach to preparedness and response that started before anyone came up with that phrase.

According to BEMS chief Richard Serino, his department considers events like the marathon and the Fourth of July celebration as “planned disasters” – safe, controlled environments that present “an opportunity to test some things you would never want to test in a real disaster.”

Although the principal goal during such events remains the safety of everyone involved, organizers have realized that these annual gatherings of hundreds of thousands of people present the perfect opportunity to evaluate new technologies, exercise disaster plans, and build vital relationships between public safety agencies and the private sector.

[You can tell the piece is a little old...as "BEMS Chief Richard Serino" has been the Deputy Administrator of FEMA since 2009...]

This year it is especially pertinent as temperatures in and around Boston are expected to soar into the eighties, resulting in a heavier than normal workload for medical personnel:

Along with the large number of volunteers, from the medically trained to those simply handing out water, it is these connections forged in a cooperative year-long planning process and an intense day of “exercising” that pull a community together and prepare it for unforeseen events.

Update: Juliette Kayyem strains to support my argument in her latest Boston Globe article:

Behind those familiar words lies a fundamental tenet of emergency management: Systems to protect the public need to be practiced and validated. As it is, first responders constantly test their response plans. These efforts can be small tabletop exercises, like those performed in the buildup to the Boston Marathon today, or large simulations of catastrophic events with people acting the parts of victims. Some of these exercises are helpful, others a waste of time. But in the end, they don’t fully suffice because everybody knows it is just a test.

Most scholars in disaster management acknowledge that the truest evaluation of any response system is one that gets as close to a catastrophe as real life allows, but falls short of real damage. What can we learn from a bad thing that didn’t happen, but that, for a brief while, everyone thought would?

Okay….I’m stretching it a little bit.  She actually goes on to analyze the response to the most recent Indonesian earthquake and the importance of educating the public about threats.

I was just desperate for affirmation…

Last week FEMA released it’s Threat and Hazard Identification and Risk Assessment (THIRA) Guide.  This is a key element in implementation of PPD-8, the achievement of the National Preparedness Goal, and for justifying grant requests under the newly consolidated DHS grant program.

As otherwise explained by FEMA administrators, the THIRA includes a five step process for identifying top priorities:

• Identify the threats and hazards of concern - What could happen in my community?

• Give the threats and hazards context - Describe how a threat or hazard could happen in my community, and when and where it could happen.

• Examine the core capabilities using the threats and hazards - How would each threat or hazard affect the core capabilities identified in the National Preparedness Goal?

• Set capability targets - Using the information above, set the level of capability a community needs to prevent, protect against, mitigate, respond to, and recover from its risks.

• Apply the results - Use the capability targets to decide how to use resources from the Whole Community.

This is a gross simplification, but a jurisdiction — or much better, collaborative jurisdictions — can use the THIRA to identify threats, vulnerabilities, and consequences.  Then using the 31 core capabilities in the National Preparedness Goal, the jurisdictions can think through what they need, what they have, and any capability gaps they want to fill.  Then they make their case for federal funding to preserve current capabilities or fill current gaps.  Presumably they will also decide where to focus priorities with or without federal funding.

Pretty reasonable all-in-all.  But if you are anywhere around this process you already know many are not happy (to be understated).

Unhappiness was probably guaranteed.  There’s a lot less money to distribute.

The Department and OMB amplified the unhappiness by eliminating most of the the individual grant programs (buckets, rice bowls, etc.).  Ever read,  Who Moved My Cheese?

I perceive — on absolutely no authority — that someone decided if the states and locals are going to scream and shout anyway, let’s go ahead and rationalize the process.  Instead of DHS dividing up the cheese, let’s devolve this process to the states so that key strategic decisions are made holistically by those closest to the vulnerabilities, threats, and options.

No one asked my opinion, but I might well have offered such advice.

Glad no one asked for my advice.

On March 20 there was a hearing of the House Homeland Security Committee, Subcommittee on Emergency Preparedness, Response, and Communications.  It was an old-fashioned sort of hearing. Authentic questions were asked. Complicated answers were accepted without attack.  Democrats and Republicans were civil to each other and often agreed with each other. They especially agreed that consolidation of DHS grant programs was a bad idea.

The strongest testimony of the day was probably that of Michael Nutter, Mayor of Philadelphia, following is an excerpt of his prepared testimony, very close to what he said aloud:

We are very concerned about the increased role which states will play in determining where and how funds would be spent:

With increased authority, the Commonwealth will likely augment the already bureaucratic processes required to purchase equipment. Even now, prior to increased oversight and authority, the Commonwealth has added additional layers to the equipment acquisition process thus limiting the ability of local jurisdictions to spend down their grant funds and obtain much needed equipment

Further, the Commonwealth already has a track record of re-distributing funding away from urban areas and re-allocating that funding to other areas of the Commonwealth. For example, in FY2011, PEMA reallocated the State Homeland Security Grant Program (SHSGP) funding away from the Philadelphia Urban Area to other Task Forces within the Commonwealth.

The SHSGP distribution is historically based on population index, economic index, and critical infrastructure points. Based on this formula alone, the Philadelphia Urban Area was slated to receive the largest award amount. While we were bracing for a 50 percent cut due to an overall decrease in funding, we actually received an 85.46 percent reduction in the SHSGP grant.

There are nine Task Forces in the Commonwealth. One received a 50 percent SHSGP cut and the others received 25 percent reductions. This demonstrates a disproportionate impact on Philadelphia that does not align with the historical grant allocation guidelines.

Subcommittee members seemed unanimous in their concern and amazement at such behavior by Pennsylvania.  Evidently antipathy to the executive branch — either federal or state — can be especially effective at bringing legislators to common cause.

I was reminded of a meeting last month with public safety leaders in a city overlooking the Pacific.  When someone (not me!) suggested seeking State support for a homeland security measure the immediate response was raucous laughter.  It was the sort of laughter that renewed itself, grew stronger, and actually caused one firefighter to laugh himself into tears, which of course prompted even more laughter.

About three months ago I was in an urban county’s Emergency Management Agency listening to one complaint after another aimed at FEMA.  Perhaps sensing some impatience on my part, the Director said, “Oh, don’t think we’re being too tough on FEMA.  They’re our best friends compared to (insert name of state capital).  We actively hate (insert name of state EMA). FEMA wants us to focus where we don’t want to focus, even though we sometimes should (latter phrase probably inserted only for my benefit).  The state is just pure incompetent.”

The picture at the top shows a 30 foot statue that stands in a plaza between Philadelphia  City Hall and the Municipal Services Building. Conceived  in bronze by Jacques Lipchitz,  it shows several human figures entwined in each other, holding each other, perhaps lifting each other up (or is it holding each other down?). It’s convoluted, even confusing.  The statue is called “Government of the People”.

Who says modern art isn’t allegorical.

I was happy to see a copy of an April 3, 2012 Congressional Research Service (CRS) publication called “Defining Homeland Security: Analysis And Congressional Considerations.” (Thanks JM)

I like CRS reports.  I think CRS does some of the best policy analysis in the country.

Shawn Reese is given credit as the Defining Homeland Security author.  (I understand CRS reports are often a group product.)  I think the document makes a contribution to the sprawling “What is homeland security” literature, and related topics.  It’s worth reading.

The report summarizes the evolution of homeland security as a concept, and reviews the main strategy documents from the 2002 Strategy up through the 2011 National Strategy for Counterterrorism.

It notes the various definitions of homeland security imbedded in the strategies, and does a service to homeland security students everywhere by summarizing those definitions and identifying common themes among them.

The report outlines where homeland security spending goes (at least half of it does not go to DHS or its missions), and describes the importance of risk:

“Homeland security is essentially about managing risks. The purpose of a strategic process is to develop missions to achieve that end.”

I hope to write more about the opinion that homeland security is about managing risk. It’s a mantra that has been around more than a decade. John Mueller and Mark Stewart point out in their brutally impressive 2011 book, Terror, Security, and Money, the mantra still has no clothes.

But that’s for another post.

I want to get back to the CRS report.

——————————————————

The main claim in the report is

“the US government does not have a single definition for homeland security.”

This is considered to be a problem because

“Varied homeland security definitions and missions may impede the development of a coherent national homeland security strategy, and may hamper the effectiveness of congressional oversight.”

I like words and definitions as much as any academic, but I’m still looking for a significant policy domain where having a single definition contributes to policy effectiveness.

Last time I checked, there were over 100 Congressional committees and subcommittees that had some oversight responsibility for homeland security. I’m guessing that unique structural feature of the homeland security enterprise may be a greater impediment to coherence than the lack of a single definition.

One of the characteristics of a wicked problem is the presence of multiple definitions (of problems and solutions), generated by multiple stakeholders. If homeland security is seen as an aggregation of wicked problems, the absence of a single definition is not a problem to be solved. It is a terrain feature to be acknowledged.  Policy prescriptions that are appropriate for tame problems turn effete in the presence of wicked problems.

——————————————————

The CRS report asserts that “policymakers continue to grapple with the definition of homeland security.”

I’ve been around homeland security policymakers. I have not heard them spending much time grappling with definitions.

Typically, they tend to hang out with people who subscribe to the same general definition of homeland security they do. And if they run into somebody with a different definition – “it’s about terrorism;” “no it’s about all hazards;” “no it’s about national security;” “no it’s about slow moving disasters;” “no, it’s about….– they’ll either argue for a while, or get another drink and go back to people who speak the same language they do.

Richard Rorty believed “truth is what your colleagues let you get away with.” There may be too many different collegial tribes in homeland security to reach a consensus definition.

But I do like the image of grappling policymakers.

——————————————————

The CRS document evokes a wistful specter of how public policy is made:

“Policymakers develop strategy by identifying national interests, prioritizing goals to achieve those national interests, and arraying instruments of national power to achieve the national interests.”

And later in the report:

“In an ideal scenario, there would be a clear definition of homeland security, and a consensus about it; as well as prioritized missions, goals, and activities. Policymakers could then use a process to incorporate feedback and respond to new facts and situations as they develop.”

Ignore for the moment who these “policymakers” are who think and act like this, even in scenarios. Do we have enough — or any — examples of policy domains where this kind of process exists?

——————————————————

The CRS report refers to how well (apparently) the Quadrennial Defense Review identifies “national security and U.S. Military priorities and [guides the] priorities through a process ‘…from objectives to capabilities and activities to resources’.”

I think we’ve already tried — in the early 2000s — injecting Department of Defense logics into homeland security. Civilians, governors, mayors, agencies, associations, corporations and other members of the enterprise preferred — in their small f federalist and small p populist way — to make their own decisions.

Maybe there are some non-military public policy examples where interests lead to goals, missions etc. … all the way down to activities and resources: Education? Health? Environment? Criminal Justice? Transportation? International Relations? Congress?

The literary critic John Leonard once wrote this about how policy is made:

“Understand that national policy – any policy – is arrived at by the accretions of hunch, conviction, compromise, fatigue and exhibitionism.”

In my experience that’s a more accurate description of the policy process than strategists sitting around the room identifying national interests, prioritizing goals, and arraying instruments of national power.

——————————————————

The CRS report suggest developing an effective homeland security strategy:

“may be complicated if the key concept of homeland security is not defined and its missions are not aligned and synchronized among different federal entities with homeland security responsibilities.”

I hear grappling in those words.

I hear grappling between Newton and Darwin. Adherents of a Newtonian worldview long for a universe where all the parts fit together like a machine. Darwinians muck around in John Leonard’s accretion stew, struggling to do a little bit here, a little bit there.

Good luck to the machine people. I too would like to live in a world where all the parts fit together. I think homeland security is messier than that.

The CRS report – reluctantly – might also agree:

“Some degree of evolution of the homeland security concept is expected. Policymakers respond to events and crises like terrorist attacks and natural disasters by using and adjusting strategies, plans, and operations. These strategies, plans, and operations also evolve to reflect changing priorities. The definition of homeland security evolves in accordance with the evolution of these strategies, plans, and operations.”

Yes.

Darwin could not have said that better himself.

——————————————————

This very worthwhile CRS report treats an important topic. But I don’t think it’s about definitions.

“As deficit reduction causes demand for reduced federal spending, Congress may [sic] pay more attention to homeland security funding…. Limited resources heighten the importance of prioritization and need for efficient and effective federal spending…. [There] is no clarity in the national strategies of federal, state, and local roles and responsibilities; and, potentially [sic], funding is driving priorities rather than priorities driving the funding.”

If funding is driving priorities, I wonder who is driving the funding.

I’d like to ask them how they’re able to do all that driving without having a single definition of homeland security.