Preserving infrastructure: a 21st Century challenge

Parameters, Winter, 2008 by Michael Chertoff

As the United States marked the seventh anniversary of the 9/11 attacks and the fifth anniversary of the creation of the Department of Homeland Security (DHS), one of the most urgent tasks remained the continued protection of the nation's critical infrastructure. Since its principal function is to protect the nation, government has a vital role to play. But what kind of role should this entail?

Broadly speaking, there are two possible answers to this question. The first possibility is what might be deemed the government-alone answer. This approach calls for businesses that operate infrastructure to be intensively managed by officials in Washington, D.C., or state capitals. Those who endorse this view hold that the best way to reduce vulnerabilities is by placing government hands on all the control levers. They also believe that an optimal strategy for countering threats is to put "boots on the ground" in order to guard facilities.

With heavy concentrations of uniformed guards and detailed mandates being imposed from the top down, this approach hearkens back to the classic command-and-control model from the previous century. A number of people in Washington would like government to apply this philosophy to homeland security challenges. When it comes to cargo security, for example, they want Customs and Border Protection officers overseas to physically inspect every shipping container before it is sent to America. If we refrain from doing so, they argue, we are being dangerously lax in guarding against impending threats.

DHS has largely rejected this approach for a number of reasons. First, it is often based on the chimerical strategy of risk elimination. Eliminating every risk to the country's infrastructure is figuratively impossible. If implemented, the kinds of security measures required to pursue such a strategy could destroy what we are trying to protect, namely the normal, daily commerce of the United States. If our officers physically inspected every piece of inbound cargo, it could grind commerce to a halt, effectively handing the terrorists the victory they desire. A second reason to avoid such a strategy is the fact that the federal government does not have the financial resources to shoulder 100 percent of America's homeland security responsibilities. It is beyond Washington's means to assume the burden of micromanaging every critical business activity in the United States or supplying sufficient personnel to guarantee a reduction in the vulnerabilities of these activities. Third, DHS rejected this strategy because those who own and operate businesses have a natural incentive to protect them. These owners and operators are normally cognizant of the risks they face, including security threats. They do not need to be told that if a flood or cyber attack destroys their computer system, they might be out of business.

Consequently, rather than pursuing the government-only approach, DHS favors an alternative strategy that treats the business community as an equal partner in strengthening its security. We want to hold businesses accountable, but not micromanage them. This partnership model allows businesses to engage in the familiar task of risk management--creating security measures and channeling resources where the need is greatest--rather than being compelled to pursue the quixotic goal of risk elimination. Such a strategy seeks to have businesses share in the burden of security enhancement. Instead of requiring commercial enterprises to provide a greater degree of protection for assets they already value, this approach affords them the ability to design and implement systems that reduce vulnerabilities, while simultaneously providing the security information and guidance required, as well as the standards and metrics allowing evaluation of progress. The objective is to leverage private-sector capabilities and incentives with federal know-how in an effort to achieve maximum risk reduction based on the most efficient use of resources.

Applying the Partnership

Three prominent examples provide a glimpse of how this twenty-first century partnership can be successful. The first involves a set of chemical security regulations that Congress authorized the Department of Homeland Security to issue. They were issued in response to an obvious vulnerability at certain chemical facilities located in high-population areas, facilities that terrorists might exploit, re suiting in the catastrophic release of chemical agents.

In addressing this problem, the Department realized that the government-only solution was totally unrealistic. Placing guards at every chemical plant on a 24-hour basis while saddling the industry with a one-size-fits-all mandate would be prohibitively expensive to the government and the chemical firms. Such a strategy actually risked irreparable damage to the very industry DHS was attempting to protect. As an alternative to this strategy, DHS chose the partnership model. Working with Congress, industry, stakeholders, and academics, the Department developed a framework that focused on high-risk facilities, those with the most dangerous chemicals and surrounded by vulnerable population centers. The Department then established a hierarchy of risk. The facilities at greatest risk were in the top tier, while those facing lesser threats were ranked based on an analysis of their vulnerabilities and communities. Based upon the degree of risk, DHS directed companies to achieve specific performance measures. They were required to complete and submit security vulnerability assessments if they were in the high-risk category, develop site security plans, and implement risk-based measures that supported the performance standards.