Fifth public hearing of the National Commission on Terrorist Attacks
Upon the United States
Statement of Richard A. Andrews to the National Commission on Terrorist Attacks Upon The United States
November 19, 2003
Chairman Kean, Vice Chairman Hamilton, members of the Commission, thank you for the invitation to provide testimony and to assist, in a small way, in furthering your important work.
The National Strategy for Homeland Security and the companion documents, The National Strategy for the Protection of Critical Infrastructures and Key Assets and The National Strategy to Secure Cyberspace each clearly recognize that America’s security in the post-September 11, 2001 world requires new arrangements – policies, procedures, processes, protocols, understandings, relationships – in both the public and private sector, and between and among groups that, traditionally, have had little incentive or reason to work together. Each document also states that information sharing is fundamental to developing these new relationships. Information sharing alone won’t serve as a guarantee of the collaboration and coordination that is needed to attain the goals set forth in the national strategies, but it is a fundamental prerequisite to building the shared understandings of risk, prevention, preparedness and coordinated response that, ultimately, will serve as the cornerstones of
effective public/private partnerships.
Forging these new relationships remains a work in progress. Clearly change is occurring and, from my perspective, discernable progress is being made. New arrangements are emerging, some promising, some duplicative and redundant, some under funded or not funded at all, some grandiose in their vision and scope.
My sense is that no one has a clear understanding of all of the initiatives underway across the nation. A recent General Accounting Office report (GAO-03-760), that focused on information sharing initiatives within the public sector, noted that most of the efforts have occurred largely haphazardly, involving arrangements between local, state and federal agencies on what is frequently an ad hoc basis. The report cautioned that: “While these initiatives may increase the sharing of information to fight terrorism, they are not well coordinated and consequently risk creating partnerships that may actually limit some participants’ access to information and duplicating efforts of some key agencies in each level of government. Moreover, while beneficial to these participants, the initiatives do not necessarily integrate others into a truly national system and may inadvertently hamper information sharing. . . .”
No level of government expressed satisfaction with the current results of these initiatives. Issues of timeliness, accuracy, and relevance of the information being received were common concerns of local, state and federal authorities. Federal officials expressed frustration with the level of information they were receiving from state and local authorities; similarly, state and local agencies criticized the flow of information from federal agencies and largely dismissed the concerns of federal officials that information sharing was hampered primarily by the limited security clearances and inadequate document security protocols at the local and state level.
Recognizing that the GAO report dealt only with public agencies, one could easily conclude that efforts to include the private sector in this mix would be even more problematic. While some elements of the private sector – especially aerospace and defense contractors – have a long history of working within national security structures, the range of private sector firms that must now be involved in homeland security preparedness makes the task of developing effective public/private partnerships a daunting challenge.
Indeed, the task of developing effective public-private partnerships is complex. Some of the same barriers that inhibit effective sharing of information within the public sector – traditional “stovepiped” structures, incompatible data systems, cultural suspicion and mistrust – similarly influence the private sector. Many companies, especially those involved in critical infrastructure sectors are heavily regulated by government and, as a consequence, wary of “cooperation” with public agencies. Some surveys suggest that corporate executives, after an initial flurry of activity in the immediate aftermath of September 11, now view additional investments in security related initiatives with skepticism as months pass without new attacks occurring in the United States. And, finally, competition among firms in each of the critical sectors is a reality that must be factored into strategies for implementing effective partnerships in preparedness within and between the public and private sectors.
The experiences of The National Center for Crisis and Continuity Coordination (NC4) suggest some of the challenges and strategies that can be used to foster a “climate of knowledge sharing” between the public and private sectors to enhance emergency preparedness. NC4 is a division of Candle Corporation, an El Segundo, California based technology company.
Candle initially became interested in public/private collaboration during the preparations for Y2K when we noted that while government and companies were paying great attention to issues within their organizations and at the national level, little was being done to ensure that local coordination occurred. Following September 11, when many of Candle’s clients within the financial services sector were directly impacted by the attacks, Candle formed a new corporate division, NC4, specifically focused on enhancing coordination between the public and private sectors on issues related to prevention, preparedness, response and recovery for natural and made-made emergencies.
Over the past 18 months NC4 has focused its attention in New York City and Los Angeles, working with the business communities and local governments in the nation’s two largest metropolitan regions. Our objective is to address the gaps in local coordination between the public and private sector. The important word here is “local”. The private sector has their offices, their processing facilities and manufacturing plants in local communities. Not only are all disasters local, it is also true, as has been often pointed out, that the homeland will be made secure only as the nation’s hometowns achieve a new level of security. NC4’s view, therefore, is that it is imperative that efforts to build partnerships between the public and private sectors be rooted in local communities. Unless solutions are forged at the local level, it is our experience that sustainable partnerships between the public and private sectors are unlikely to be realized.
But the challenges of working at the local level are many. For businesses, the complexities of local governments, especially in metropolitan regions like New York and Los Angeles, can be overwhelming. A company’s facilities are often spread across several jurisdictions, employees live in many different communities, transportation networks cross county or state boundaries, and multiple agencies may have responsibility for varying aspects of a company’s operations.
For government, the private sector can be equally mysterious. Organizational structures are often poorly understood. The functions of corporate security, business continuity, facilities operation or emergency management offices may not be clearly recognized.
What is needed, and an initial role that NC4 has played, is to facilitate the process of bringing business and government together to initiate a dialogue regarding what steps need to be taken to develop workable relationships that are mutually beneficial. There is a need for very basic discussions to occur. For example, what information is available from what government agency and in what format? Can that information be shared with businesses and, if so, under what circumstances? What are the cultural, procedural, policy or legal barriers to information sharing? The dialogues have been carried out through facilitated discussions and tabletop exercises that focus on specific public safety problems that have the potential to impact both government and business. Because neither government nor business are able to have full-time staff dedicated to promoting the interaction between the two sectors, NC4 has served, in effect, as a program manager to bring government and business groups together to
initiate this exchange.
As noted in the GAO report referenced above, timeliness, accuracy and relevancy are crucial to building a culture of information sharing. This is true for both the public and private sectors. Everyone seeks “actionable” information specific to their circumstances. Information overload, i.e. the receipt of volumes of information that is only marginally relevant to a specific company or function, tends to get lost amid the pressures of daily work. Conversely, when information exchange occurs only at the time of infrequent, major events, processes and protocols for managing the information are likely to be either ignored or forgotten. Without resolving this problem -- finding the right scale and method for the regular exchange of information -- the inclination in both business and government is to rely on informal, personal relationships. While sometimes effective, these informal networks are too random to provide assurance that the public safety needs of a community are being met.
One challenge NC4 has faced is defining what we call the critical “heartbeat” of community information. Accessing and structuring this information stream in a usable format has been a major part of the NC4 effort. In New York City we have worked with the Office of Emergency Management (OEM) to develop an application – Activity Center -- that refines the processes used by Watch Command, a 24/7 operational arm of OEM responsible for monitoring events throughout the city that have the potential to impact public safety. By using the NC4 Activity Center application OEM staff is able to rapidly and consistently enter, log, update and, as appropriate, disseminate timely information to the private sector as well as appropriate public agencies.
Four additional elements have proven crucial to promoting a culture of information sharing in NC4’s work in New York. First, we have been able to build on initiatives in public/private interaction that began in 2000 within both OEM and the NYPD.
Second, we have found that daily use of the information feeds is essential. Even apparently minor events like a water main break have the potential to impact business operations. By providing reports to businesses on seemingly routine events, processes are steadily being developed where accessing the NC4 system becomes part of a regular routine. My experience in emergency management suggests that daily use is essential to building an understanding of the processes and protocols required at the time of major events, be they terrorist related or natural caused emergencies.
Third, providing a mechanism for the bi-directional flow of information is essential. NC4 provides a means for businesses to keep New York OEM apprised of the status of their facilities and personnel or advise them of actions being taken that might impact a specific area. As events unfold, OEM is interested in learning from the business community of significant issues they are facing, resources that may be needed, or decisions – evacuation of a building for example – that a company may be considering.
The fourth element addresses the key issue of information relevancy. Each business that is part of the NC4 network can register its essential facilities by address and define the perimeter within which they want to receive information about occurring events. In turn, OEM is able to geo-locate each event that they enter into the NC4 Activity Center, enabling businesses to be alerted only to those events that have the potential to impact their facilities and operations. This ability to provide relevant alerts to corporate security, business continuity, facilities managers and human resources professionals within a company provides significant value to the participating firms.
Supplementing the information feeds through the NC4 network will further enhance the effectiveness of the public-private information sharing. For example, adding additional information on the status of the transportation network as well as information from New Jersey will enrich the culture of information sharing that is occurring.
In Los Angeles the challenges are equally complex. The demographics of the region are different, jurisdictional boundaries – city, county, special district – are intricate -- and the potential sources of information more fragmented. No single agency has the responsibility for aggregating information about events occurring throughout the region.
Nevertheless, the model that NC4 is using in Los Angeles mirrors that of New York. We are currently working with a variety of public agencies in law enforcement, fire services, transportation, emergency management and economic development to assist them in defining what information can be shared with the business community and in what format. Concurrently, NC4 is facilitating the dialogue with the business community about what information they want to receive from government and what information they are prepared to share. NC4 is in effect functioning as an intermediary between the public and private sectors to move the region toward an objective that both sectors agree is desirable – providing a single location where both business and government can share public safety related information.
NC4’s experience suggests that there are at least three areas where the public and private sectors should develop enhanced partnerships: between corporate security and law enforcement officers, between business continuity professionals and local economic development officials, and between emergency management officials. These functional areas provide initial entry points in developing information sharing processes between the public and private sector.
Strong informal networks generally exist among corporate security officers. Many of them began their careers in law enforcement and they represent a significant “force multiplier” of eyes and ears to support law enforcement. Prevention of future terrorist attacks is clearly the top priority in homeland security. By formalizing the processes by which corporate security officers can provide information that may serve as pre-incident indicators to law enforcement, both public and private sector safety can be enhanced. A renewed effort should also be undertaken to expand participation in programs like Infragard. In turn, law enforcement should agree to provide “law enforcement sensitive” information to properly vetted representatives from the private sector. The basic system is in place, but additional effort is needed to more effectively market the program to the private sector.
The role of business continuity professionals is expanding in the new post-September 11 environment. Once centered largely on ensuring the integrity of corporate data systems and networks, business continuity professionals need to work more closely with local economic development and public safety officials to develop a shared understanding of what is needed by each sector to enhance the economic vitality of the local business community, especially in the aftermath of major disasters and emergencies.
Emergency management officials in both the public and private sector need to develop shared protocols and processes to more effectively utilize their skills and resources. An important development is the effort to define a business Incident Command System that can, like the National Incident Command System, being developed by the Department of Homeland Security, provide a common structure for more effective coordination during emergencies and enhance the likelihood that the entire resources of a community can be mobilized to respond to disasters.
These groups represent valuable points of entry in developing a culture of information sharing between the public and private sectors. As information sharing becomes a more institutionalized feature of the processes in both the public and private sector, we should envision a time when there is both peer-to-peer communication, as well as collaboration and coordination between the various organizational levels and functions in the corporate world as well among governmental entities at the local, state and federal levels. Indeed, part of NC4’s success has come in providing a more effective means for large, complex corporations to share information internally between units and facilities that have, in the past, often operated largely in isolation from one another.
NC4’s basic premise is that the new times of the post-September 11 era necessitate the development of new teams to work together to achieve a new readiness for either terrorist or natural disasters. Central to achieving this vision is promoting public/private partnerships.
This task begins with developing more effective means of sharing information, and NC4 is working to identify and navigate the hurdles that stand in the way of achieving this objective by facilitating dialogue between the public and private sectors and developing systems that facilitate information sharing. Our experience suggests that while there is general consensus regarding the desirability of sharing information, progress is achieved by targeting specific audiences and developing mechanisms that allow for the delivery of authenticated timely, relevant information, beginning at the local level.
Communication between the public and private sector is but the first crucial step. Next should come collaboration between the public and private sectors where issues of common protocols and processes can be developed, leading to coordination between the sectors when emergencies threaten communities.
These activities need to occur on many levels – within the federal government, between the federal government and state and local agencies and officials, and between the public and private sector. Our experience suggests, however, that it will be at the local level that this effort will be won or lost and that while there are no easy or quick answers to developing the trust and understandings that will enable collaboration and coordination to occur, small successes can set the stage for achieving the level of protection and preparedness demanded in the current environment.
Richard A. Andrews is senior director, homeland security projects at the National Center for Crisis and Continuity Coordination (NC4™), a division of Candle Corp. that is focused primarily on advancing crisis management and business-continuity readiness through public-private sector collaboration. In June 2002, President Bush appointed Andrews to the President's Homeland Security Advisory Council, which assists the Office of Homeland Security in developing and coordinating the implementation of a comprehensive strategy to secure the United States from terrorist attacks or threats. From 1991 to 1998, Andrews served as director of the Governor's Office of Emergency Services (OES) for California. As director of OES, he managed the emergency response and recovery efforts for 19 presidential and 24 gubernatorial disasters. He also guided the development of California's Standardized Emergency Management System, an integrated, statewide operational management system used by all public agencies.
Since the August 1999 earthquake in Turkey, Andrews has been a member of the World Bank's Disaster Management Operations Group. He is a former president of the National Emergency Management Association (NEMA). He holds a Ph.D. from Northwestern University.