on computers to provide safe, efficient, and reliable service. The banking and finance sector, too, keeps track of millions of transactions through increasingly robust computer capabilities. The overwhelming majority of these computer systems are privately owned, and many operate at or very near capacity with little or no provision for manual back-ups in an emergency. Moreover, the computerized information networks that link systems together are themselves vulnerable to unwanted intrusion and disruption. An attack on any one of several highly interdependent networks can cause collateral damage to other networks and the systems they connect. Some forms of disruption will lead merely to nuisance and economic loss, but other forms will jeopardize lives. One need only note the dependence of hospitals, air-traffic control systems, and the food processing industry on computer controls to appreciate the point. The bulk of unclassified military communications, too, relies on systems almost entirely owned and operated by the private sector. Yet little has been done to assure the security and reliability of those communications in crisis. Current efforts to prevent attacks, protect against their most damaging effects, and prepare for prompt response are uneven at best, and this is dangerous because a determined adversary is most likely to employ a weapon of mass disruption during a homeland security or foreign policy crisis. As noted above, a Directorate for Critical Infrastructure Protection would be an integral part of the National Homeland Security Agency. This directorate would have two vital responsibilities. First would be to oversee the physical assets and information networks that make up the U.S. critical infrastructure. It should ensure the maintenance of a nucleus of cyber security expertise within the government, as well. There is now an alarming shortage of government cyber security experts duc in large part to the financial attraction of private-sector employment that the government cannot match under present personnel procedures.' The director's second responsibility would be as the Critical Information Technology, Assurance, and Security Office (CITASO). This office would coordinate efforts to address the nation's vulnerability to electronic or physical attacks on critical infrastructure. Several critical activities that are currently spread among various government agencies and the private sector should be brought together for this purpose. These include: • Information Sharing and Analysis Centers (ISACs), which are government-sponsored committees of private-sector participants who work to share information, plans, and procedures for information security in their fields; • The Critical Infrastructure Assurance Office (CIAO), currently housed in the • The National Infrastructure Protection Center (NIPC), currently housed in the FBI, which gathers information and provides warnings of cyber attacks, and • The Institute for Information Infrastructure Protection (13P), also in the Commerce Department, which is designed to coordinate and support research and development projects on cyber security. In partnership with the private sector where most cyber assets are developed and owned, the Critical Infrastructure Protection Directorate would be responsible for enhancing information sharing on cyber and physical security, tracking vulnerabilities and proposing improved risk management policies, and delineating the roles of various government agencies in preventing, defending, and recovering from attacks. To do this, the government needs to institutionalize better its private-sector liaison across the board-with the owners and operators of critical infrastructures, hardware and software developers, server/service providers, manufacturers/producers, and applied technology developers. The Critical Infrastructure Protection Directorate's work with the private sector must include a strong advocacy of greater government and corporate investment in information assurance and security. The CITASO would be the focal point for coordinating with the Federal Communications Commission (FCC) in helping to establish cyber policy, standards, and enforcement mechanisms. Working closely with the Office of Management and Budget (OMB) and its Chief Information Officer Council (CIO Council), the CITASO needs to speak for those interests in government councils." The CITASO must also provide incentives for private-sector participation in Information Sharing and Analysis Centers to share information on threats, vulnerabilities, and individual incidents, to identify interdependencies, and to map the potential cascading effects of outages in various sectors. 10 The directorate also needs to help coordinate cyber security issues internationally. At present, the FCC handles international cyber issues for the U.S. government through the International Telecommunications Union. As this is one of many related international issues, it would be unwise to remove this responsibility from the FCC. Nevertheless, the CIP Directorate should work closely with the FCC on cyber issues in international bodies. include: The mission of the NHSA must include specific planning and operational tasks to be staffed through the Directorate for Emergency Preparedness and Response. These Setting training and equipment standards, providing resource grants, and encouraging intelligence and information sharing among state emergency management officials, local first responders, the Defense Department, and the FBI; • Integrating the various activities of the Defense Department, the National Guard, and other federal agencies into the Federal Response Plan; and • Pulling together private sector activities, including those of the medical community, on recovery, consequence management, and planning for continuity of services. Working with state officials, the emergency management community, and the law enforcement community, the job of NHSA's third directorate will be to rationalize and refine the nation's incident response system. The current distinction between crisis management and consequence management is neither sustainable nor wise. The duplicative command arrangements that have been fostered by this division are prone to confusion and delay. NHSA should develop and manage a single response system for national incidents, in close coordination The Chief Information Officer Council is a government organization consisting of all the statutory Chief Information Officers in the government. It is located within OMB under the Deputy Director for Management. with the Department of Justice (DOJ) and the FBI. This would require that the current policy, which specifies initial DoJ control in terrorist incidents on U.S. territory, be amended once Congress creates NHSA. We believe that this arrangement would in no way contradict or diminish the FBI's traditional role with respect to law enforcement. The Emergency Preparedness and Response Directorate should also assume a major resource and budget role. With the help of the Office of Management and Budget, the directorate's first task will be to figure out what is being spent on homeland security in the various departments and agencies. Only with such an overview can the nation identify the shortfalls between capabilities and requirements. Such a mission budget should be included in the President's overall budget submission to Congress. The Emergency Preparedness and Response Directorate will also maintain federal asset databases and encourage and support up-to-date state and local databases. FEMA has adapted well to new circumstances over the past few years and has gained a well-deserved reputation for responsiveness to both natural and manmade disasters. While taking on homeland security responsibilitics, the proposed NHSA would strengthen FEMA's ability to respond to such disasters. It would streamline the federal apparatus and provide greater support to the state and local officials who, as the nation's first responders. possess enormous expertise. To the greatest extent possible, federal programs should build upon the expertise and existing programs of state emergency preparedness systems and help promote regional compacts to share resources and capabilities. To help simplify federal support mechanisms, we recommend transferring the National Domestic Preparedness Office (NDPO), currently housed at the FBI, to the National Homeland Security Agency. The Commission believes that this transfer to FEMA should be done at first opportunity, even before NHSA is up and running The NDPO would be tasked with organizing the training of local responders and providing local and state authorities with equipment for detection, protection, and decontamination in a WMD emergency. NHSA would develop the policies, requirements, and priorities as part of its planning tasks as well as oversee the various federal, state, and local training and exercise programs. In this way, a single staff would provide federal assistance for any emergency, whether it is caused by flood, earthquake, hurricane, disease, or terrorist bomb. A WMD incident on American soil is likely to overwhelm local fire and rescuc squads, medical facilities, and government services. Attacks may contaminate water, food, and air; largescale evacuations may be necessary and casualties could be extensive. Since getting prompt help to those who need it would be a complex and massive operation requiring federal support, such operations must be extensively planned in advance. Responsibilities need to be assigned and procedures put in place for these responsibilities to evolve if the situation worsens. As we envision it, state officials will take the initial lead in responding to a crisis. NHSA will normally use its Regional Directors to coordinate federal assistance, while the National Crisis Action Center will monitor ongoing operations and requirements. Should a crisis overwhelm local assets, state officials will turn to NHSA for additional federal assistance. In major crises, upon the recommendation of the civilian Director of NHSA, the President will designate a senior figure—a Federal Coordinating Officer to assume direction of all federal activities on the scene. If the situation warrants, a state governor can ask that active military forces reinforce National Guard units already on the scene. Once the President federalizes National Guard forces, or if he decides to use Reserve forces, the Joint Forces Command will assume responsibility for all military operations, acting through designated task force commanders. At the same time, the Secretary of Defense would appoint a Defense Coordinating Officer to provide civilian oversight and ensure prompt civil support. This person would work for the Federal Coordinating Officer. This response mechanism is displayed in Figure 2. To be capable of carrying out its responsibilities under extreme circumstances, NHSA will need to undertake robust exercise programs and regular training to gain experience and to establish effective command and control procedures. It will be essential to update regularly the Federal Response Plan. It will be especially critical for NHSA officials to undertake detailed planning and exercises for the full range of potential contingencies, including ones that require the substantial involvement of military assets in support. NHSA will provide the overarching structure for homeland security, but other government agencies will retain specific homeland security tasks. We take the necessary obligations of the major ones in turn. Intelligence Community. Good intelligence is the key to preventing attacks on the homeland and homeland security should become one of the intelligence community's most important missions." Better human intelligence must supplement technical intelligence, especially on terrorist groups covertly supported by states. As noted above, fuller cooperation and more extensive information-sharing with friendly governments will also improve the chances that would-be perpetrators will be detained, arrested, and prosecuted before they ever reach U.S. borders. The intelligence community also needs to embrace cyber threats as a legitimate mission and to incorporate intelligence gathering on potential strategic threats from abroad into its activities. To advance these ends, we offer the following recommendation: 4: The President should ensure that the National Intelligence Council: include homeland security and asymmetric threats as an area of analysis; assign that portfolio to a National Intelligence Officer; and produce National Intelligence Estimates on these threats. Department of State. U.S. embassies overseas are the American people's first line of defense. U.S. Ambassadors must make homeland security a top priority for all embassy staff, and Ambassadors need the requisite authority to ensure that information is shared in a way that maximizes advance warning overseas of direct threats to the United States. Ambassadors should also ensure that the gathering of information, and particularly from open sources, takes full advantage of all U.S. government resources abroad, including diplomats, consular officers, military officers, and representatives of the various other departments and agencies. The State Department should also strengthen its efforts to acquire information from Americans living or travelling abroad in private capacities. The State Department has made good progress in its overseas efforts to reduce terrorism, but we now need to extend this effort into the Information Age. Working with NHSA's CIP Directorate, the State Department should expand cooperation on critical infrastructure protection with other states and international organizations. Private sector initiatives, particularly in the banking community, provide examples of international cooperation on legal issues, standards, and practices. Working with the CIP Directorate and the FCC, the State Department should also encourage other governments to criminalize hacking and electronic intrusions and to help track hackers, computer virus proliferators, and cyber terrorists. Department of Defense. The Defense Department, which has placed its highest priority on preparing for major theater war, should pay far more attention to the homeland security mission. Organizationally, DoD responses are widely dispersed. An Assistant to the Secretary of Defense for Civil Support has responsibility for WMD incidents, while the Department of the Army's Director of Military Support is responsible for non-WMD contingencies. Such an arrangement does not provide clear lines of authority and responsibility or ensure political accountability. The Commission therefore recommends the following: 11 We return to this issue in our discussion of the Intelligence Community in Section III.F., particularly in recommendation 37. |