• United States



DHS: Scare and Scare Alike

Sep 01, 20038 mins
Critical Infrastructure

The DHS has been around for more than 100 days now. Where do you fit in?

OK, so weve all adjusted to the color alerts put out by the government. But what do they really mean to us? And, more to the point, what do we really mean to them?

By them, of course, Im referring to the new Department of Homeland Security. I dont think the guys in Washington understand that CSOs have a serious place at their table. As owners of 85 percent of the critical infrastructure of this country, the private sector is an important constituency for the DHS. When it comes to cyberspace, product diversion, financial crime and a host of other domestic threats, the private sector operates the safeguards. It is no longer feasibleor preferablefor the public sector to single-handedly control the protective apparatus of this nation.

However, the legislation that created the DHS never clearly identified the private sectors role in homeland protection. Nor did it balance the strengths, weaknesses, needs and resources of government and business in protecting critical infrastructures. It merely acknowledged the need to share information in unspecified ways with the private sector as well as with state and local governments.

I must say, Im disappointed. I really thought our government was going to get busy developing a new way to engage the private sectorand CSOs as the accountable parties in such a partnership. The post-9/11 months have certainly demonstrated the private sectors need for more accurate and actionable information from the government so we can make more focused security decisions. And CSOs may have information critical to the public sectors timely awareness of threat and risk, precisely because we are on the front lines.

CSOs have been busting their butts to get someone in the DHS to recognize that they exist as a constituency. Its long past time for a meaningful dialogue among the DHS, the FBI, other government agencies and Americas CSOs.

Before writing this piece, I searched for information to counter my own concerns. I found a quote in Government Executive magazine from Alfonso Martinez-Fonts Jr., the assistant secretary for Private Sector Coordination at the DHS. Seems hes been making the rounds in Washington, meeting with the U.S. Chamber of Commerce, the National Association of Manufacturers, the Council on Competitiveness and The Business Roundtable. Im glad Alfonso is venturing so far from the office; clearly, hell get the real poop from that proximity.

Hes talking to the same organizations that have recently reported no appreciable increase in security funding due to terrorism

or other concerns, for that matter. And Martinez-Fonts conclusion from these meetings? Differences between the department and the business community can be reconciled. Boy, am I relieved. Who Do You Trust?or ought to havethe ability to share with the private sector information on emerging and immediate threats. I know that its early in the life of the DHS, and I recognize the challenge Secretary Tom Ridge has in consolidating so many government agencies to focus on domestic terrorism. But aside from some high-level engagement of selected sector ISACs and the newly announced initiative targeting money laundering, I havent seen any effort to engage CSOs or to address the risks confronting the private sector. The DHSs outreach has been to state and local governments that are screaming about the alert process and resulting overtime costs of their police departments.

Im not one to mince words. The DHS and our national security apparatus have

I dont know exactly what a multisector information-sharing network with CSOs and the DHS would look like, but I know that the homeland security mission begs for a new paradigm of information-sharing. Of course, legal impediments abound for sharing information at a level of detail that is truly actionable. The other real constraint in sharing information is trust.

However, the government says it hesitates to hand out information because it doesnt know the CSOs. What a bunch of hooey! They owned our clearances. Still, the issue of non-U.S. ownership is a complicated one, and the question of how to protect the information granted to a cleared corporate individual is a fair one. Look to the defense establishment for that answer. Big companies with the highest classifications of sensitive information are sufficiently compartmentalized, while noninvolved company business goes on outside the cone of silence.

Perhaps a bigger issue is in sharing information that could be used by competitors or headline-seeking U.S. attorneys. While my experience in sharing sensitive information with my competitor counterparts has been positive, I recognize that we dont want to open our kimonos as an unconscious act.

For those who say it cant be done, I point to the State Department Overseas Security Advisory Council as a model for a public/private partnership that works unbelievably well and with a spirit of collaboration. We also occasionally

I repeat, occasionallysee a concerted effort at proactive sharing by enlightened Agents-in-Charge of the FBI and Secret Service field offices. The DHS needs to learn from those models and establish protocols for real, substantive information-sharing. Invitation to Dance, Etcetera

So here I am in a homeland security state of mind, when I get an invitation to be granted immediate certification in homeland security (limited time only!) if I have significant military, law enforcement or other experience that interfaces with homeland security. Theyll automatically give me 100 points toward a Level I Certification in homeland security and provide an easy-to-follow questionnaire to tally up my experience.

I start with my military experience: 30 points if I was a captain, 60 if I was a colonel, and 75 if I was a general. No, no and no. I get credit for experience with explosives ordinance disposal, etcetera. Unfortunately, I was just a bohunk GI. On this scorecard, run-of-the-mill soldier types get nada. I knew I should have stayed in.

The questionnaire also gives credit for law enforcement experience, so I pick up a few points for time spent too many years ago.

Then it reviews private security experience. Yup, a decade of CSOing along with more than 20 years in homeland-related experience. Were gaining on it now.

But with medical and health profession experience, I get nuthin. I can also consider other homeland experience such as psychology (huh?), treaty inspection, accounting, cybersecurity, EMT, transportation and, of course, good old etcetera.

In the final stretch, we round out the exercise with education, knowledge (Im sure Ive got some of that somewhere) and an opportunity to make a plea for skills they may have missed, such as (you guessed it) etcetera. Pray with me.

All told, I amass 475 points. Holy certificate! I can be granted immediate certification in homeland security! Wait a minute. Whats this? Ive got to join an association that Ive never heard of and plunk down $480 for a membership fee and my certificate. For that, I get a subscription, networking opportunities, a referral service and the opportunity to attend conferences (sponsored by none other than the guys who have granted me this new certification) and hear from acclaimed folks who have no apparent relationship to the practical problems I face on a daily basis. Etcetera. Guess Ill pass on this one.

These grandfathered certifications really stick in my craw. But its more the gall to capitalize on this whole homeland security thing that really offends.

The other thing that bothers me about this homeland security certification process is what it says about the sponsoring organizations perceptions of security as a profession. Look at the emphasis on prior military and law enforcement for accreditation. Human resources and headhunters fall prey to this ideathat this type of public-sector experience makes for an effective CSO. Dont get me wrong, I did my time and am blessed with knowing a great many fellow CSOs who come from law enforcement, and they have done very well within their corporations. But it is also true that client businesses often think of the function as the corporate cops versus an integrated element of business process. I guess I understand the CISOs who see themselves as more business-process-oriented than the ex-fed who is perfectly satisfied to limit his practice to investigations or executive protection. While corporate anxiety has clearly waned, a sustained concern for domestic terrorist threats may reinforce these backgrounds as primary hiring criteria.

But I seriously question if this is the future. Todays risk environment is driving expectations in many companies and will do so in others as we look ahead. A cursory review of risk management literature of just a few years ago fails to find any real concern for terrorism, reputational risk or other security risks. Look at what cybercrime, 9/11 and Enron have done to your risk managers vocabulary. A dark side to that trend is the soaring cost of risk-related insurance. The board of directors is focused more than ever on the proactive protection of the technical environment, business continuity and corporate ethics, issues they see as far more threatening to their survivability than terrorism.

Sure, my nose is bent out of shape a bit because security is now a big deal in Washington. And weve been out here protecting our part of the homeland since Tom Ridge was an assistant DA. Frankly, if he can get all those agencies he now owns to talk to one another, I guess I shouldnt be so damn puffed up about what info I have that he could use.