Fifth public hearing of the National Commission on Terrorist Attacks Upon the United States

Statement of Dennis J. Reimer to the National Commission on Terrorist Attacks Upon The United States
November 19, 2003

My name is Dennis Reimer and I am the Director of the National Memorial Institute for the Prevention of Terrorism (MIPT) in Oklahoma City. I have been in this position for the past 42 months and prior to that I spent 37 years as a soldier, retiring as the 33rd Chief of Staff of the United States Army. MIPT is the third component of the National Memorial and our roots are buried deep in the rubble of the Murrah Building bombing that took place on April 19, 1995. The family members and survivors of that tragedy felt strongly about having an organization that looked to the future and tried to prevent what happened in Oklahoma City from happening again. The ultimate method of mitigation is prevention; however, should that fail a robust response capability is essential. MIPT primarily focuses on the emergency responder community to assist them in both terrorism prevention and response, emphasizing a national perspective. Support from Congress through four different appropriations, has enabled us to concentrate our efforts which date back to pre-9/11, on a number of worthwhile programs that I look forward to discussing with the Commission.

On behalf of MIPT I am honored to be able to provide our views concerning the critical subject – Private/Public Sector Partnership in Emergency Preparedness – you are addressing today. I believe that having served both in the military and as the director of MIPT gives me a unique perspective on combating terrorism on U.S. soil. I will address the five specific questions the Commission raised in your letter, identify some of our efforts that I believe are high payoff activities and should be leveraged, and provide my perspective on the challenge the nation faces in terms of combating terrorism on U. S. soil.

Much has been said about the impact of 9/11 on our lives and very little of what I have read and heard is overstated. Whether 9/11 was a defining moment in our history or not can best be judged by historians at a later date but it has changed the way we live our lives now and for the foreseeable future. There has also been much discussion about why 9/11 occurred and could it have been prevented; however, that is not the subject of this hearing and I will keep my remarks focused on trying to make tomorrow better and not on making yesterday perfect. In order to do that I believe that the nation must recognize that it faces a unique challenge that will require fresh thinking and innovative approaches to develop a truly national effort to prevent future 9/11s.

At the center of this fresh thinking is partnerships – the nation needs partnerships amongst federal, state and local levels of government, between the public and private sector and between civilian emergency responders and the military. Today these partnerships do not exist to the extent necessary to provide a coherent and efficient national effort designed to save lives and mitigate damage from catastrophic terrorist attacks. There are numerous reasons why these partnerships do not naturally occur. Our Constitution, which I believe is the great strength of this republic, describes specific roles and responsibilities for each level of government. For example, the federal government is responsible for national security, the state level has primary responsibility for the protection of its citizens, and we all know that all disasters start out local. Consequently, in our efforts to mitigate the damage caused by disasters, either manmade or natural, there is no one level of government that is in charge from initial response to restoration of normalcy.

With approximately 85% of the critical infrastructure in the United States in private sector hands, we simply must have improved cooperation between the private and public sector; yet there is no forcing function that requires that and to date efforts to promote voluntary, private and public sector cooperation have been totally inadequate. One emerging example of a voluntary effort at public/private partnership, under the auspices of the Business Executives for National Security (BENS), is being implemented here in New Jersey. This initiative needs to be closely monitored and evaluated in order to leverage success.

We know from previous experience – Oklahoma City, World Trade Center, Pentagon, as well as numerous natural disasters – that any large scale disaster will require a healthy dose of Military Support to Civilian Authorities (MSCA). Without an operational framework and national standards, asking the military to support potentially 87,000 local jurisdictions across this great country is indeed a daunting task. Currently this issue is among those being addressed in part through the vetting of the National Response Plan (NRP) and the National Incident Management System (NIMS) which are described in Homeland Security Presidential Directive-5 (HSPD-5). These efforts are steps in the right direction, but acceptance of these efforts has not been achieved and, even if accepted, there is much to be done in terms of turning plans into action.

The cornerstone of all three partnerships is information sharing. While this is a difficult challenge for a number of reasons and is at the center of the issue this Commission is addressing today, information sharing is not strictly a technical challenge. We have the technology necessary to share pertinent information with all concerned. In my opinion it is much more of a cultural issue that requires new policy and guidance—and perhaps some new/revised laws to change mindsets amongst those who use this information. While this is starting to be addressed there is much ground to cover if we are to realize the true potential of this partnership.

Cultural and legal issues are an even a greater challenge than resources. Much has been made of the shortages that exist at the local level, yet I have seen little effort to prioritize these shortages against a multi-disciplinary approach to address the “all hazards” threat we face. States in general have not done a good job of developing an operational framework that meshes with a regional or national approach to multiple attacks. Most states are at least working on this but without an approved national operational concept that is consistent with the National Response Plan, there is no way that local entities can optimize their prioritization process. Finally, federal grants are absolutely critical in this resource constrained environment and monies have been slow to be broken loose and grants not fully coordinated. While this is being addressed now, the allocation of federal funds promised almost immediately after 9/11 has been slow to materialize and there are too many cases where grants were so restrictive that the equipment could be purchased but the people to operate and maintain the equipment could not be trained with the same grant money. Consequently, taxpayers have not received an optimum return on investment and more importantly, lives could be lost unless this is corrected prior to the next attack.

The National Memorial Institute for the Prevention of Terrorism recognized early on, well before 9/11, that a number of these issues needed to be addressed. Consequently, we set out to develop a system to identify capabilities needed by emergency responders called PROJECT RESPONDER and a system to share BEST PRACTICES/LESSONS LEARNED information amongst the emergency responder community. Both of these projects are described in detail below but the philosophy behind these projects is important to understand.

Without a set of requirements, the research and development community will not be able to focus the considerable technological advantage we enjoy as a nation on developing and enhancing the right capabilities. PROJECT RESPONDER is an attempt to bring together subject matter experts (SME) to identify these requirements and take a look at technologies available (or basic research required) to enhance these capabilities over time. We have sought and obtained valuable input from the user and technology communities and those efforts are approaching fruition. We believe that this project will contribute enormously to leveraging the high payoff technologies needed by our emergency responders and help inform the Science and Technology effort. A second part of our Project Responder is creating a responder knowledge base that will help simplify the daunting task of responders knowing what kind of equipments—by function and hazard—that they need and providing them with a single source of information about this equipment. This knowledge base will include everything from knowing whether the equipment is available for funding by federal grants, to testing and certification results against standards where they exist, and vendor lists and product information. This knowledge base, while still being populated, became operational and accessible to the responder community at MIPT’s website, www.mipt.org, on October 31st of this year.

My experience with the Army convinces me that there is much to be gained from sharing lessons learned. I also know that this is easier said than done and if an effective system is desired certain criteria must be met. First, people have to “buy in” to this concept and accept it as a valuable source of information. Second, users must view lessons learned not as a “pass-fail” evaluation but as an information sharing assessment that improves everybody. These two principles are the pillars of the BEST PRACTICE/LESSONS LEARNED project that will be called ReadyNet.

This leads me into the first of the five questions the Commission has posed:

1) What has your institute been doing regarding best practices/lessons learned database and do you see this expanding to the private sector?

ReadyNet best lends itself to the issues this commission is addressing at this meeting. How can we get the public and private sector to share valuable information that will benefit both? Although our initial focus has been on the emergency response community, I believe that ReadyNet can be expanded to include the public/private sector interface. These expansion efforts will, however, require an innovative approach in a couple of areas: personal liability protection and freedom of information requirements. No local responders or their elected supervisors will be willing to candidly share unfavorable information that may threaten their job or result in judicial action against their municipality. Yet, as we found in the Army, the best way to improve our skills is to train as realistically as we can, to be honest with each other and to learn from our mistakes. A way of doing this without putting individuals or their jurisdictions at risk to punitive action must be found if we want to fully leverage this program. Resources will continue to be constrained and this will force better prioritization of requirements and better return on investment. ReadyNet can assist in both areas by sharing best practices and lessons learned across the community and precluding each community from having to conduct “discovery learning”. ReadyNet works on the principle that a rising tide of information will raise all boats fast and efficiently.

2) What are the areas where the public and private sectors should develop partnerships?

We believe there are two areas where public-private partnerships are needed – disaster planning and preparedness and critical infrastructure protection. When it comes to natural and man-made disasters, pre-incident planning and exercising is the most cost-effective way to improve the chances of saving lives and mitigating damage. Not only do written plans provide a straightforward way to describe who does what, but the planning process itself is crucial in forging meaningful relationships among response agencies and the community at large. Exercises bear out the value of these connections. This was one of the lessons we learned from our Oklahoma City: Seven Years Later project that captured the reflections of the community’s experience with the Murrah Building bombing. The private sector must be part of this planning, because buildings surrounding government facilities are also likely to be affected by terrorist attacks. Indeed, more than 300 buildings were damaged during the Oklahoma City bombing, and over 7,000 people were left without a workplace. Copies of OKLAHOMA CITY: SEVEN YEARS LATER have been forwarded to the commission.

The USA Patriot Act defines critical infrastructures as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” As previously noted, the private sector controls about 85% of the national infrastructure, and it also employs 85% of the national workforce. There are inherent interdependencies between the public and private sectors in ensuring the security of the national workforce and infrastructure. One MIPT project in the area of critical infrastructure involves protecting the Public Telephone Network from cyber terrorists, who might seek to aggravate a conventional terrorist attack with a virtual one. By targeting 911 systems or the Government Emergency Telecommunications Service, terrorists may disrupt the nation’s ability to respond to a terrorist incident. The public sector depends on the ingenuity of industry in the War on Terrorism. Though the business of business is business and not homeland security, the private sector remains the first line of defense for much of our critical infrastructure. Indeed it might be argued that the “first responders” are the employees who are in the impact zone of the attack. If a plan to deal with catastrophic events does not already exist when the attack occurs then lives will be lost and damage incurred that could have been prevented with a good plan and training. This is more than an economic issue. Stockholders expect the company to do everything possible to mitigate damage; employees expect the company to do everything possible to provide a safe working environment; and all of us want to do everything we can to protect the lives of friends and fellow employees.

3) What do you see as the key private sector responsibilities in homeland security in working with the public sector?

There are three key areas in which the private sector can play a major role in working with the public sector in assisting homeland security—sharing information on private sector “targets,” improving internal security measures, and creating resilient and robust systems. The majority of targets that terrorists may choose to attack resides in the hands of the private sector. While the private sector may not be able to prevent these attacks from taking place, they can through the implementation of sound precautionary measures make attacks by terrorists more difficult and they can work with local and federal agents now on providing information on how to best respond to an incident at their site, should one occur. In addition to providing an opportunity to identify vulnerabilities and threats, the TERRORISM EARLY WARNING model that MIPT is working with DHS to expand throughout the nation also provides a mechanism to pass information back and forth between the public and private sector. It facilitates a sense of cooperation amongst the private sector proactively working with local emergency responders in identifying security issues to help prevent attacks, as well as key information to facilitate a more organized and effective response. Not only can establishing a working relationship with the public sector help improve security and response, but it creates a network for information sharing should the private sector have issues of concern that can be forwarded on to the public sector.

The private sector can also take some very important and fundamental steps in terms of security initiatives. They should conduct a detailed risk assessment and follow through on what they learn from such an initiative. By following best practices of operational security, both physical and cyber, the private sector can help prevent a terrorist event from taking place or be able to better withstand the subsequent damage. In this way, the private sector can become a stronger link in the realm of homeland security. Ultimately, this risk assessment should be meshed with the public sector threat assessment and complementary plans to provide a more comprehensive approach to providing security for our citizens should be developed so that both public and private sectors can train against those plans.

The private sector should build resilience and robustness into their day-to-day operations. Not only does the public rely on key services provided by the public sector, but local, state and federal agencies depend on these same services in providing continuity of life as well as possible surge capacity in the wake of a terrorist event. Should a terrorist incident take place, the private sector would not only need to provide the initial response to protect their employees and property, but also to interface with public emergency responders in implementing a coordinated and coherent response to this tragedy.

Each of these steps would help assist the private sector whether they confront a man made attack, such as a terrorist incident, or a natural catastrophe. In preparing for a terrorist attack, the private sector should follow a lesson from the public sector in attempting to take an “all-hazards approach,” rather than focus solely on preventing and responding to a terrorist attack.

A straw man Homeland Security Roadmap that lays out one way this cooperation could be enhanced is provided as an enclosure (Enclosure 1). Obviously there are other ways this complex issue could be addressed, but the important thing is to get the process started.

4) What lessons has your center learned that would be applicable to the private sector (such as SILENT VECTOR) and how could these be shared?

SILENT VECTOR, an exercise that posited a credible but unspecific threat against the energy infrastructure in the Northeastern United States, yielded a number of lessons of value to the government sector. Following the actual exercise, MIPT partnered with the Center for Strategic International Studies (CSIS) to conduct a series of roundtable discussions that more fully engaged the private sectors in the dilemmas of public/private cooperation. Following the roundtables, CSIS produced a monograph with some well-reasoned policy recommendations. Their concluding observations highlighted a number of “crosscutting” issues. The first related to striking a balance between the public’s “right to know” with the government’s and industry’s “obligation to protect.” On the one hand, Americans want to know that government and local industries will protect them against terrorist acts. On the other, Americans have come to expect a right to know what is happening in neighborhood enterprises that pose a potential risk in an emergency. Private industry “outreach programs” need to find a balance between the need to block knowledge that could help terrorists with the need reassure citizens that their safety is being actively addressed by managers of critical facilities. The second issue dealt with the good business practices used by the private sector to protect their facilities over and above the safety procedures required for accidents or natural disasters. Terrorist acts are different in that they are intentional, focused and designed for maximum impact. It is not practical or logical to anticipate every method of attack and protect against them absolutely. Businesspeople will manage predictable risk, but are understandably wary of making significant investments to mitigate intentional unpredictability. Careful risk assessment can lead to a disciplined mitigation plan that sometimes may accept some (remote possibility) risk but is usually categorized and arrayed against a mix of facility construction, process design, operating procedures and indemnification. Copies of the Silent Vector monograph, “Issues of Concern and Policy Recommendations,” have been provided to the commission.

5) What steps can be taken to foster a “culture of knowledge sharing” between the public and private sector?

In order to foster a “culture of knowledge sharing,” we must take stock of good models in use today and we must remove perceived barriers to partnership. Perhaps the best national example of a model program sharing knowledge between business and government is the National Infrastructure Protection Center’s Information Sharing and Analysis Centers (ISACs). Previously based in the Federal Bureau of Investigation, NIPC is intended to bring together representatives from federal, state, and local governments and the private sector into a partnership, serving as the “focal point for threat assessment, warning, investigation, and response for threats or attacks against our critical infrastructures.” The design and function of the ISACs are determined by the private sector, in consultation with federal agencies, not imposed from above. The centers are aimed at gathering, analyzing, sanitizing, and disseminating information. Care has been taken to ensure the recording of vulnerabilities, threats, intrusions and anomalies is protected. The ISAC provides a suitable model for public-private information-sharing, though their capabilities could be greatly enhanced by developing advanced analytical capabilities. Each ISAC is at a different level of maturity and sophistication, and more work needs to be done to move them beyond development of memoranda of understanding to full-fledged conduits of critical infrastructure information.

While it is in the best interests of private industry to enhance its own security, the public sector needs to explore other means to induce and/or compel security improvements. A combination of new regulations, tax incentives, audit standards, insurance provisions, and changes in liability laws may be required to provide the necessary stimulus for more invigorated partnerships. While the advantages of engaging in public-private partnerships are numerous, some companies have suggested major barriers exist to effective participation, including the Freedom of Information Act. FOIA requires all federal agencies to uphold certain standards of disclosure to the public, including agency organization and holdings, rules of procedure and general applicability, policies, and records. Companies engaged in a public-private partnership, they argue, may be acting in the capacity of a government agency, making them subject to the rules outlined in FOIA. Not only might they face FOIA disclosures of sensitive data, but they may be exposed to antitrust laws by sharing information among private sector companies. If companies express knowledge of a vulnerability and then make no moves to safeguard it, then there may be a potential for legal liability. Inadvertent releases of trade secrets or proprietary information are also a concern because they could hurt competitiveness, lower consumer confidence, and damage reputations. Additionally, companies currently engaged in public-private partnerships have voiced complaints concerning numerous requests for sensitive information – such as lists of critical facilities – from federal, state and local authorities. If such lists were released publicly through a FOIA request or through accidental disclosure, it could provide terrorists with a roadmap directing them to critical and at-risk locations. FOIA does provide a national security exception that could protect critical infrastructure partnerships and prevent public disclosure of sensitive information, but the perceived risk of disclosure may be enough to keep companies away. Similar concerns have been voiced regarding state level sunshine laws, open meetings acts, and open records acts. Better clarification of the applicability of theses statutes is needed to convince companies they are protected in these situations.

Conclusion:

I appreciate the opportunity to share some thoughts with the National Commission on Terrorism concerning this important subject. I believe if we are serious about defending the homeland we must build strong partnerships and in that regard the partnership between the public and private sector is extremely important. Without a strong partnership in this area we remain vulnerable. While nothing can assume a risk free environment, we must find a way to overcome the obstacles to pertinent information sharing between the public and private sector. The public sector is often concerned about the sharing of classified information with those who do not have the proper security clearance. This is not an insurmountable obstacle. Private sector is naturally reluctant to share competitive information and possibly lose a significant business advantage or to make available to potential terrorists information concerning vulnerabilities in their company. This may be more perception than reality but in this case perception is reality and as long as that perception exists, the true power of information sharing between public and private sector will never be realized.

Many of the issues the commission has addressed and will address are extremely complex. They involve strategy, doctrine, training, organizing and equipping that must fit together in a true national operational concept. I believe that we as a nation know how to put together the basic elements of this operational concept and need not start with a blank sheet of paper. Developing a good operational concept is not that difficult if we are willing to make the right policy decisions. The straw man roadmap provided is a good starting point that could be expanded and refined in order to improve our readiness to combat terrorism on U. S. soil. It rightfully places a premium on partnerships and the need to develop a national operational concept.

Much discussion concerning who are the first responders has taken place. Fundamentally they are the people caught in the attack. They were the people in the immediate vicinity of the Murrah Federal Building, the World Trade Center, the Pentagon – a combination of ordinary citizens and professional workers. Providing them the training and tools to enhance their chances of survival is certainly a productivity issue for the private sector but more importantly, it is a moral issue for all of us. It is the right thing to do. That is why finding a way to enhance public and private sector cooperation is important.

General Dennis J. Reimer (Ret.) assumed his duties as Director of the National Memorial Institute for the Prevention of Terrorism in Oklahoma City on April 1, 2000. The Institute is dedicated to preventing, reducing and mitigating the effects of terrorism with particular emphasis on the role of first responders. Prior to that, General Reimer served 37 years in the U. S. Army, retiring on August 1, 1999.

General Reimer became the 33rd Chief of Staff, U.S. Army on June 20, 1995. Prior to that, he was the Commanding General of the United States Army, Forces Command, Fort McPherson, Georgia. Born on July 12, 1939, he is a native of Medford, Oklahoma. Graduating with a Bachelor of Science degree from the U.S. Military Academy in 1962, he began his career as a Field Artillery Officer. He holds a Master of Science degree from Shippensburg State College.

During his military career he commanded soldiers from company to Army level. Reimer served in a variety of joint and combined assignments, as well as two combat tours in Vietnam. He also served in Korea as the Chief of Staff, Combined Field Army and Assistant Chief of Staff for Operations and Training, Republic of Korea/United States Combined Forces Command.

He served three other tours at the Pentagon as aide-de-camp to the Army Chief of Staff General Creighton Abrams, as the Deputy Chief of Staff for Operations and Plans for the Army during Desert Storm, and as Army Vice Chief of Staff.

General Reimer is married to the former Mary Jo Powers. They have a son, Michael, and a daughter, Ann Marie.