June 25, 2008 | Testimony on Department of Homeland Security
Sub-Committee on Transportation Security and Infrastructure Protection, Committee on Homeland Security United States House of Representatives
June 24, 2008
James Jay Carafano,
Assistant Director of the Kathryn and Shelby Cullom Davis Institute for International Studies and a Senior Research Fellow for the Douglas and Sarah Allison Center for Foreign Policy Studies
The Heritage Foundation
My name is James Jay Carafano. I am the Assistant Director of the Kathryn and Shelby Cullom Davis Institute for International Studies and a Senior Research Fellow for the Douglas and Sarah Allison Center for Foreign Policy Studies at The Heritage Foundation. The views I express in this testimony are my own, and should not be construed as representing any official position of The Heritage Foundation.
Thank you for the opportunity to appear before the committee today to discuss the subject of this hearing "Ensuring our Nation is secure by developing a risk management framework for Homeland Security, How are they measuring risk? Are the risk management principles being followed uniformly?"
My testimony today will focus on the point that risk management is interwoven with the concept of resiliency. The current paradigm of "protecting" infrastructure is unrealistic. We should shift our focus to that of resiliency. Resiliency is the capacity to maintain continuity of activities even in the face of threats, disaster, and adversity. The concept recognizes that we cannot deter all threats or prevent all natural catastrophes. Effective resiliency strategy should:
Resiliency and Risk. Risk assessments and risk reduction are at the heart of a sound resiliency strategy. Although there are a number of risk assessment methodologies, they all consist of common components.
Since 9/11, however, the nature of shared public-private responsibility for risk assessment and risk reduction has been poorly understood. Establishing a common appreciation of rolls and responsibilities must be a priority.
Understanding this fundamental division of labor between the public and private sector is fundamental to developing sound public policies.
In order to achieve the goal of "resiliency" as well as to ensure effective risk management, Congress should focus on four initiatives:
1. Public-private models for risk management. Public-private models for risk
management are essential to the concept of resiliency. A model public-private regime would: (1) define reasonable roles for both government and industry through clear performance measures, (2) create transparency and the means to measure performance, and (3) provide legal protections to encourage information sharing and initiative.
Both government and industry must be given reasonable roles in order to ensure the effectiveness of these models. Understanding, communicating, and reducing threats is primarily a national responsibility, fundamentally a responsibility of government to ensure public safety and provide for the common defense. It is not the job of the private sector to defeat terrorists. It is the responsibility of the federal government to prevent terrorist acts through intelligence gathering, early warning, and domestic counterterrorism.
National Security and Resiliency. In terms of what is reasonable for the government, the role of national security instruments should be treated with caution. National security is not about trying to child-proof a country against every potential misfortune. It is the task of protecting people from their mortal enemies-that means other people. These enemies may be from states, trans-states or no states. They may be abroad or homegrown. What they have in common is that they are humans-and that they threaten the nation by preparing to attack its people for a political purpose.
We should be careful not to dilute the definition of national security to include a plethora of threats or use the proliferation of threats to scope a national resiliency strategy. The Government has many resources to deal with all kinds of problems. Resources, however, are not infinite. National security instruments should be reserved for the critical task of battling those people who plot how to kill citizens, undermine the society and destroy our individual freedoms.
A second reason not to label every "danger du jour" as a
national security threat concerns protecting the civil society. In
times of peril, the nation should rely on the government to provide
the common defense- providing the leadership and resolve needed to
deal with threats to the nation. That's why, for example, in the
United States the president is vested with the authority to conduct
foreign policy and act as commander-in-chief. The U.S. Constitution
envisioned an executive who could wield significant power to act
decisively in time of war or crisis. That said, the president's
national security powers should be reserved only for serious,
imminent dangers from America's enemies. Elevating other issues
like global warming, pandemics or energy supplies, to the level of
national security, only encourages government to bring the
extraordinary powers of the executive branch to bear on the
problem. For the most part, the parts of government involved
in national security should stick to hunting terrorists, thwarting
rogue states, and dealing with the other serious enemies who spend
their days and nights plotting against the state. In most cases a
strategy of resiliency should rely primarily on other
Criticality as a Shared Activity. Criticality, on the other hand, has to be a shared activity. In many cases the private sector owns or is responsible for managing both private and public infrastructure that provide the vital goods and services for the society. Meanwhile, only the national government has the overall perspective to determine national needs and priorities in the face disasters and catastrophic threats. Thus, they must work together to determine what is truly critical to keep the heart beat of the nation beating in the face of adversity.
Not all infrastructure should be deemed critical. Indeed, the national designations of "critical" infrastructure and key assets have been detrimental to the effort to prioritize national efforts. The "failure is not an option" mentality with regards to protecting infrastructure has led to an over-zealous approach to "critical" infrastructure. The designation has become increasingly pointless driven by politics and stakeholder interests rather than rationale assessments.If everything is critical, nothing is critical.
Vulnerability as a Private Sector Function. Vulnerability should be largely the responsibility of the entity that owns, manages, and uses the infrastructure. It is largely the private sector's duty to address vulnerability and to take reasonable precautions, in much the same way as society expects it to take reasonable safety and environmental measures.
Resiliency and its role in protecting society actually transcend
homeland security and other national security concerns. Resiliency
is about building strong, cohesive societies in that can prevail in
the face of many challenges whether the malicious acts of
terrorists or the heartless whims of Mother Nature.
Indeed, rather than national security instruments, the most common tool to be used in building resiliency is establishing an appropriate legal regime the will allow the private sector and the market place adapt and innovate, to provide a robust, redundant capacity to provided goods services everyday-and especially in times of crisis.
Armed with these assessments and a common sense division of roles and responsibilities, public-private partnerships can set about instituting practical measures that will reduce risk and enhance resiliency.
2. Encourage bilateral cooperation addressing liability issues. Addressing concerns of liability may be the most vital contribution government can make to implement a strategy of resiliency. The recent bitter debate in the United States between Congress and the administration over extending immunity against civil suits to telecommunications companies that cooperated with a classified government surveillance program highlights one of the knotty challenges in promoting public-private cooperation in combating terrorism. Congress can promote private sector participation and alleviate liability concerns by:
The Safety Act as a Model for Liability Concerns. A great example of the ability of government to handle these concerns over liability decisively and with good effect was addressed in the Support Antiterrorism by Fostering Effective Technologies (SAFETY) Act. This Act lowered the liability risks of manufactures that provide products and services for combating terrorism. Passed in 2002, the Act protects the incentive to produce products designated as "Qualified Anti-terrorism Technologies" (QATTs) by the Secretary for Homeland Security. The Department of Homeland Security (DHS) has made a concerted effort to implement the program and a number of companies have availed themselves of the opportunity to obtain SAFETY Act certification.
By addressing liability concerns, Congress intended the SAFETY Act to serve as a critical tool for promoting the creation, proliferation and use of technologies to fight terrorism. The act provides risk and litigation management protections for businesses that produce QATTs and other providers in the supply and distribution chain. The act included a limitation on liability with regards to third parties claims for losses resulting from an act of terrorism where the technologies were deployed to help prevent or mitigate the danger of a terrorist attack. In turn, the promotion and deployment of new technologies help make the society more resilient in the face of terrorist threats.
3. Develop national and international forums for
collaboration on resiliency issues.
Both within the United States and with international partners, the United States should begin to establish regular forums to promote the resiliency concept, share best practices and facilitate joint action.
State-Based Regional Response Network.
Within the United States, these forums could be structured around a
regional homeland security structure that promotes voluntary
cooperation among states, local communities, and the private
sector. The Homeland Security Act of 2002 mandated that DHS
set up a regional structure--though the department did follow
through on this mandate. State-based regional programs would focus
on ensuring that states are prepared to sustain themselves.
Successful regional programs would focus not on federal structures
in each region, but rather on regional emergency management
programs and capabilities that are developed, coordinated, and
managed by the states. Similar small-scale programs that use a
regional model, such as the Emergency Management Assistance Compact
(EMAC), have already proven successful. DHS regional offices
should be required to strengthen state and local preparedness
capabilities; facilitate regional cooperation among governments,
the private sector, and non-governmental organizations; and
plan and exercise with federal entities that support regional
disaster response. Such offices would enable regions to access and
integrate their capabilities quickly and improve preparedness
and resiliency initiatives.
Internationally, the United States can use both current international institutions and new multi-national and bilateral partnerships to create resiliency forums. For example, the NATO Industrial Advisory Group (NIAG) solicits industry advice on how to promote public-private and transnational cooperation in defense production. This group or other NATO forums might serve as opportunities to discuss resiliency issues.
4. Resiliency's Building Blocks -- Promote the
development of resilient 21st century
public infrastructure. In the end, public-private partnerships must produce the kind of infrastructure necessary to sustain 21st century societies against 21st century threats. Within the U.S. much of the national infrastructure is aging and not keeping up with the demands of a growing population. Additionally, for all of the focus on U.S. critical infrastructure, equally vital is the resiliency of the global economy.
What is required is more innovation and experimentation as a means of speeding the development of modern infrastructure. One option to consider is encouraging public-private partnerships (PPP) that invest in public infrastructure. The U.S. has utilized the PPP model for its public highways and other infrastructure projects. Creating opportunities for governments and private firms to work together on improving the infrastructure should be further explored.
Rather than relying heavily on subsidized public funding of infrastructure, investments should focus on "project-based" financing that shifts the risks and rewards to the private sector. Project-based financing focuses on obtaining stand-alone investment from private investors and could include multiple investors, each with a different level of investment, varying rate of return, and different timelines for realizing those returns. Such strategies not only shift risk to the private sector, but should also lead to improved decision-making about needed infrastructure investments.
Resilience is the right strategy. Resiliency is the right strategy for the United States and its allies in facing the dangers of the 21st century. Congress and the Administration can promote this approach both within American communities and across all free nations by means of the initiatives mentioned in my testimony. These initiatives offer a more reasonable and cost-effective means for ensuring the continuity of services and processes, but all for building a more resilient civil society, one prepared to face the future with confidence and surety.
The Heritage Foundation is a public policy, research, and educational organization operating under Section 501(C)(3). It is privately supported, and receives no funds from any government at any level, nor does it perform any government or other contract work.
The Heritage Foundation is the most broadly supported think tank in the United States. During 2007, it had nearly 330,000 individual, foundation, and corporate supporters representing every state in the U.S. Its 2007 income came from the following sources:
|Publication Sales and Other||0%|
The top five corporate givers provided The Heritage Foundation with 1.8% of its 2007 income. The Heritage Foundation's books are audited annually by the national accounting firm of McGladrey & Pullen. A list of major donors is available from The Heritage Foundation upon request.
Members of The Heritage Foundation staff testify as individuals discussing their own independent research. The views expressed are their own, and do not reflect an institutional position for The Heritage Foundation or its board of trustees.
See, for example, the debate over container security in "Container
Security at U.S. Ports: The Heritage Foundation's Research,"
WebMemo #1260, November 27, 2006, at
 See, James Jay Carafano, Robert Alt, and Andrew Grossman, "Congress Must Stop Playing Politics with FISA and National Security," Web Memo #1791, January 31, 2006, at http://www.heritage.org/Research/LegalIssues/wm1791.cfm.
 For specific recommendations, see James Jay Carafano, Jonah J. Czerwinski, and Richard Weitz, "Homeland Security Technology, Global Partnerships, and Winning the Long War," Heritage Foundation Backgrounder No. 1977, October 5, 2006, at www.heritage.org/Research/HomelandSecurity/bg1977.cfm.
U.S. Department of Homeland Security, Final Rule of the
Implementation of the SAFETY Act, Vol. 71, June 2006,
 See, Jill Rhodes and James Jay Carafano, "State and Regional Responses to Disasters: Solving the 72-Hour Problem," Backgrounder #1962 (August 21, 2006) http://www.heritage.org/Research/HomelandSecurity/bg1962.cfm.