Previous IFPA-Fletcher Conferences

National Security Strategy and Policy:
Planning for and Responding to Threats to the U.S. Homeland

October 28-29, 2004
Ronald Reagan Building
and International Trade Center
Washington, D.C.

Andrew Howell
Vice President for Homeland Security
U.S. Chamber of Commerce

Introduction By: Dr. Jacquelyn K. Davis

Andrew Howell: Thank you very much for the opportunity to be here today. As a Tufts grad, I'm particularly pleased to be at a Fletcher conference, given that I couldn’t really get into that many Fletcher classes while I was in Tufts; they were in high demand.

A lot of the previous speakers have focused on issues between the Department of Defense and Department of Homeland Security and who does what, who plays what role, and figuring that all out is extraordinarily critical, and then you’ve got the folks that I represent, hundreds of thousands of millions of companies around the world who do business globally, locally, who own what we now call critical infrastructures and secure them every day, secure their assets, secure their employees. And plugging my membership in to the processes of either or both of those organizations is a monumental task and quite a challenge, but something’s that absolutely critical, given so much of what we call critical infrastructure is in the hands of the private sector, and the private sector, each and every day, does what it does. It manages risk. And terrorism, natural disasters, all of those are risk that private enterprises face and must manage against. And finding a way to manage this additional and new risk within a framework of returning investment on your shareholders is the core of what I do and my office does each and every day.

I'm going to focus on three relatively granular issues, I think, as part of this whole conversation, and hopefully build off of some of the stuff that General Lowenberg talked about. The three things I'm going to focus on are: the role of the private sector in disaster planning and response, the role of the Guard and Reserve, and the private sector/public sector roles and responsibilities in homeland security and homeland defense. And then hopefully have some time for some interesting questions of the panel.

On the first one, the role of the private sector in planning and response at the federal, state or local level, from our perspective, doesn’t really matter. We need to be involved at all of those levels. Because, at the end of the day, what we have is a network of first responders. First responders are traditionally defined as police, fire, EMS. From our perspective, an insufficient definition, because if something happens to a private enterprise, the first responder tends to be, or is, the person in that private sector enterprise which is attacked or which is the victim of a flood or a fire. Therefore, we need to think about response capacity in that framework of preparing not only members of the private sector, but also the traditional first responder community, the Guard, the Reserve, what have you.

Gary Jackson who’s here from Northrop Grumman is one of the first people who began drilling this into my head at a conference when I spoke with one of Tim’s colleagues from the State of Virginia. George Foresman and I were on a panel and both of us were talking about response and planning, and we were talking a little bit past each other, and Gary got up and yelled at both of us and said, “Look, you guys are wrong; you’ve got to think of this as everyone being a first responder.” And since then, George and I have been, I think, on three or four different panels, and now we’re on the same page. It’s a good thing, because otherwise Gary would still yell at us, and you see Gary seated so everything is good. I made sure and figured out that he was here first.

But at the end of the day, a lot of what we need to do is we need to change the mentality for planning and preparation at the local, state and federal levels. Exercises in planning, which has traditionally been the jurisdiction of the traditional first responder community, from our perspective, needs to take place in conjunction with the private sector. Private sector can bring expertise and assets to the table, and expertise and assets that we’d like to have a conversation about before something happens. That door should be open in the planning stages, not in the response stages. Because what we’ve found, and what our members find is that once you're in the heat of a response, everyone is pointing fingers and looking for answers that no one necessarily has. Our members tend to think that the Guard and Reserve or the military or DHS has certain capacities and therefore they don’t bring them to the table. Same thing happens on the other end.

The surge capacity of hospitals and hospital beds and hospital bed manufacturing capacity in this country is a great example of a problem that I think we’re beginning to get our arms around. It’s taken three tabletop exercises, but we’ve finally begun to get some of the hospital association folks in the room with the bed manufacturers and trying to think through how we can create surge capacity in that one very, very vital area, because whether or not we have sufficient number of hospital beds, key question, but then you look at a sub-segment of that, burn beds; burn beds are in tremendous shortage in this country. And having some answer to those questions requires not only responder capacity, but also private sector capacity.

You get pretty quickly, for better or for worse, to some of the key questions that General Anderson raised and that Mr. Duncan raised -- who pays? It’s better to have that question after you have a conversation on what are the real challenges facing us all going forward.

We've seen some good progress from our perspective in the private sector in this area. The federal government, several states, Tim frankly leading the way in Washington on joining the private and public sectors on planning and response, leads us to be very encouraged that things are changing. General Anderson alluded to Top Off exercises, and Top Offs 1 and 2, one of the universal criticisms of both was that the private sector wasn’t involved from the get-go. Fortunately, due to our harping on DHS and DoD, and other government entities involved in Top Off, we have succeeded in having a national committee of private sector representatives involved in planning Top Off, and we have a seat at that table with four or five other trade associations, and it’s a good step in the right direction to get planning and exercising moving forward nationally and with the private sector at the table. That is done in conjunction with two local state committees on the Top Off exercise in the states that will be affected by the scenario that plays out early next year.

The national response plan, I believe it was General Anderson who alluded to that. For the first time, we have a national response plan with a private sector annex which recognizes the vital role of the private sector in response to emergencies. The Department of Homeland Security did, we think, an admirable job of working with the private sector to draft that annex, and we had multiple opportunities to provide input and once the final document is put in writing, I think the private sector will be very happy with how its role is identified and how we’ve got a good plan going forward, at least at the national level. Implementing it, taking it down to the local level, different question. Top Off is a good way to test it, and to test lots of the plans that we have in place, a good way to test the critical infrastructure information rule that gives us ... (inaudible) protection, a good way to test ... (inaudible), a good way to test a lot of the things that we have out there, which for the first time recognize private sector up front.

As you’ve got to remember, our membership, the private sector, generally speaking, wants to be involved in planning and response; we know we have a role to play, but we want to have that door opened at the beginning. We've got lots of great examples of what the private sector’s doing to provide capacity to state, local and federal authorities, the Business Executives for National Security Organization. I'm sure many of you are familiar with the New Jersey Business Force concept that they’ve got. Companies providing information on what they have, what the state first responder community needs, and matching up needs with capacities and needs with supplies, so that if something happens we have a quick answer to the question. In a lot of ways, it gets to the most basic issue of donations management which plagues crisis management around the country. The BENS model is going beyond New Jersey to Massachusetts, Georgia, California, Texas and other areas now. We think that’s a very positive development.

At the end of the day, the way to sell this to the business community from our experiences to talk about contingency planning and business continuity as a return on an investment basis, the private sector needs to understand how preparedness helps return invested capital so that shareholders are happy, so that management’s happy, so that we have a process and a program that continue moving forward. It isn't just done in the spirit of patriotism, but it’s done in the spirit of business operations. That’s why we have been active participants with the Department of Homeland Security and their recent creation of a Ready Business website. It provides especially small- and medium-sized companies with tangible information on things they can do to help prepare their operations for whatever hazard might come their way. It’s a very all-hazards approach, and we think it’s a very good step in the right direction, because companies at the end of the day want to know what they can do to enhance their preparedness, and therefore the preparedness of our nation. Giving them tangible things they can do is essential to having the private sector provide additional protection for this country.

Because the terrorist threat is very, very tough to relate to business owners, especially small- and medium-sized business owners, the 22 million small enterprises across this country really don’t believe that they are going to be attacked themselves. Therefore, selling to them the downstream effects of an attack somewhere else in the supply chain, or somewhere else geographically is where one needs to make the argument and make the case that they need to better prepare. And we’ve done that again and again.

In a lot of ways it also gets back to risk management. They need to understand what risks they're being asked to manage. And there’s and important role for the government there, in providing information to the private sector on the terrorist risks facing our country and what that means on an everyday basis for companies across the company.

I want to move in a little bit to the role of the National Guard. It’s an issue that we at the Chamber have taken on with increased vigor over the last two to three years, and we take it on because, from our perspective, members of the National Guard as a shared human resource. They are employed by the private sector and they also have a role to play with, obviously, the defense community. We don’t have a good answer on what the right role should be; the home team/away team analogy doesn’t necessarily matter to us. What really matters to the private sector and how the private sector wants to continue to be helpful in providing jobs for the Guard and Reserve community is predictability. The small- and medium-sized firms need to know what the deal is going to be, how often their employees are going to be gone, for what purpose, and when are they going to come back.

We have a very unpredictable environment, and it’s very unpredictable for DoD now with the use of the Guard and Reserve abroad. However, until we find a way to flatten out that unpredictability, we are going to have increasing challenges, from our perspective, especially with the small- and medium-sized business community, because at the end of the day having that predictability of human resources is one of the key measurement challenges of any size operation, and it is absolutely critical to continuing to have the private sector to provide jobs for members of the Guard and Reserve, and have companies continue to do the right thing in hiring members of the Guard and Reserve, because at the end of the day we have skill training that we do in the private sector, the military has skill training that it does, and if you have the right mix of talents in your Guard and Reserve pool, there are lots of interesting things that you could theoretically do in terms of recruiting, because you jointly recruit skilled individuals that the Guard and Reserve believes it needs that the private sector also needs and is actively recruiting for.

A lot of people in DoD tell us that Guard and Reserve tends to be a relatively raw recruit. It comes in and the military shapes them how they need them. Maybe that’s not necessarily the way forward. Just some ideas to kick around: I don’t think there’s any idea from our perspective that it should be off the table in how we enhance predictability, but a lot of it gets to a very basic point of what do we know about the human resources within our Reserve component. How are they going to be used moving forward? What skill sets do we need in that component? What do they do in their private sector jobs, and how can we jointly build careers for them moving forward? These are some very, very basic issues for us and our membership.

The final area I want to touch on is private sector responsibilities and government responsibilities. Because so much of the critical infrastructure, as I said earlier, is in private sector hands, the private sector has been protecting it for years and knows how to do that protection. From our perspective, the core challenge in critical infrastructure protection is risk management. The Department of Homeland Security does a good job of talking about risk management, yet practicing it is an entirely different matter because it’s a very, very difficult set of questions that we have to jointly ask and answer. At their most basic, they are: how much risk is the public sector willing to take on in helping protect those assets? And you have to ask the question of how much risk the private sector’s willing to take on in protecting those assets. And then inevitably there will be a delta. And how do you mitigate that delta? Which gets us to the question that everyone else asked, who’s going to pay, because at the risk management end of things, who’s paying for that delta is the key question here.

At the same time, we have lots of good public/private partnership and cooperation to help get to the root of some of those challenges. We have good information sharing and analysis centers, ISACs, in the critical infrastructures, good first step in the right direction. At the same time, we need to do more in information sharing between the public and private sectors. We need to create more incentives for the private sector to share information. Several of the speakers in the panel right before lunch talked about, essentially they assumed that private sectors actors would hand over information. One analogy was a 7-11 clerk reporting someone; another was either a rental truck clerk or a feed store clerk reporting someone. We've also got to remember on the private sector side there are real liability challenges out there for reporting some of this information. And we need to be able to understand how to create incentives for the private sector to provide information to help protect our homeland, given the many impediments, obstacles or legal challenges which exist today.

I think I’ll stop at that, and then I'm sure we’ll have a little more to talk about going forward. But again, I’ll just leave you with a reminder that the private sector does want to be helpful and does have a key role to play here in protecting the assets it owns, whether it’s DoD, DHS, or a combination therein, we have to come through this and work through this collectively in order to truly be effective on an ongoing basis. Thank you very much. [Applause]

Questions and Answers

LARS WARKENTIEN: Lars Warkentien, Battelle National Security Division. My question is to the panel. There’s been a lot of discussion today about deterrence as a primary measure in homeland security/homeland defense. Those of us who have worn the uniform know that through the anti-terrorism force protection program with the DoD 2000 directives and instructions, there is a program referred to as Random Antiterrorism Measures. And for the panel, I'm wondering whether or not those procedures that we use in the military to do RAM could also be applied across the civilian sector in private and public.

GENERAL ANDERSON: I think yes. The obvious answer is certainly yes. Whether or not they would be the same elements, certainly somebody would have to take a look at that. But the concept, I think, is absolutely the right concept, is an element of deterrence. Now, I don’t want to suggest that’s the total piece that constitutes deterrence, because it is not; there should be much more. But it is random activities, as I suggested in my comments, that do anything that can help offset the advantage that the adversary has in his planning process. One of the things I think that is fairly well established has been that the adversary we are working against holds as the supreme element of success is success, and so anything that can be done to introduce some element of the possibility of not achieving success, it can be effective in random measures, absolutely.

That’s what I was talking about when I talk about putting Guard troops down in a subway station in New York for a period of a week, or something like that; that’s a random measure. But there are others as well.

MR. HOWELL: I guess the one thought that I have on the random measures piece is I would remind everyone about the caveat of random measures, the caveat that General Anderson made, being knowing there is a looming threat, because random measures just for random measures’ sake is destabilizing in a lot of ways. I can envision a way in which random measures for random measures’ sake would be economically destabilizing.

You would need from the private sector perspective to not necessarily do them in conjunction, but have a shared vision on how such a random measures strategy would work, because you would want the private sector to employ such random measures as well, and you would theoretically want to find a way to incent the private sector to, in shopping malls, increase guard presence on a Wednesday as opposed to a Thursday of an odd-numbered week and an even-numbered month, for example,

You’d also want to know what the strategy is. You’d want to know there is a strategy and that there is a plan, and that it’s developed collectively. That would be my reaction or my caveat.

__: Thank you again, gentlemen, for your statements today. I'd just like to pick on the most recent statement, which was that there is skills transfer. Right now the American Society of Industrial--

END OF TAPE 4
TAPE 5

--a strategic security thinking with multinationals. We heard this morning that the most vulnerable parts of the United States are the commercial infrastructure. I would just like to ask for the full panel’s comments on how to truly address in the short term the American corporations’ focus on return on investment during a period of war. Thank you.

MAJOR LOWENBERG: One of the things we talk about a great deal with the private sector in our state is the vulnerability to IT attacks, and when we have the State Department of Information Services folks sit down and talk to them about the millions of attempted penetrations each and every month into the state system, and they're well aware of the attempted penetrations into the banking and finance system, whatever sector they may come from, and then they look at the relatively, shockingly low percentage of their operating resources that are devoted to information assurance. Sometimes it’s a process of elevating an awareness of the threat. Presidential Decision Directive 63 recognized that not only the military but the private sector economy is increasingly interdependent upon information technology, and that it’s our greatest strength as we go into the information age, but it’s potentially our greatest vulnerability.

So I focus not only on physical security, perhaps, but an even greater level of attention on information assurance and IT security. And that’s particularly compelling and important to the private sector.

MR. HOWELL: I agree wholeheartedly with that. Elevating the awareness of the threat is the key issue here, because companies have to understand what the threat is to their operations. There isn't going to be a one-size-fits-all approach. The 20% number reporting to the board of directors, I don't know that a security director needs to report to the board of directors, and I don't know that that’s appropriate for any particular corporate cultures or particular company sizes, particular types of companies.

I think the most important thing is to, number one, raise the level of awareness of the threat; number two, help companies understand how they can mitigate and manage that risk to their operations. There is going to have to be a collaborative approach here, and it is going to take time, because companies have to return capital to their shareholders. Companies have to throw off a profit in order to-- companies have to pay dividends, they have to meet payrolls. There has to be a role for both the public and the private sector here in order to enhance security. There has to be a very basic first conversation about risk management and what level of risk the government’s willing to accept and what level of risk the private sector’s willing to accept and the critical infrastructures, and that conversation still hasn’t taken place to a large degree, and it absolutely most, and it has to be initiated by the government and the critical infrastructure areas.

I know that there are some states at the state level that are doing significantly more than others. Tim’s got a great example of a program in Washington that’s engaged the private sector. The State of Virginia, fantastic work engaging the private sector there. Maryland, same thing. Those are just some of the states that we’ve been most actively working with. It is a process that demands high level leadering and demands a good plan on communicating the threat and what that means for the enterprise.

MR. HOWELL: Man, am I glad I don’t have to work on Posse Comitatus. That is, fortunately for us, not an issue that we spend any time working on. The other homeland security issues are more than enough to fill our plate.

So I would just end by reiterating the point that the private sector has a key role to play in homeland security and homeland defense, and the incentives to do so all revolve around business continuity and continuity of operations, and the incentive to maintain those operations while also helping protect the nation from real threats facing us, both within our country as well as from abroad. So thank you very much.