Fifth public hearing of the National Commission on Terrorist Attacks Upon the United States
Statement of Randall Yim to the National Commission on Terrorist Attacks Upon The United States
November 19, 2003
HOMELAND SECURITY: THE NEED FOR NATIONAL STANDARDS
Are we better prepared to counter the threat of terrorism since September 11th and as a result of the start-up of the Department of Homeland Security in 2003? The answer is certainly "yes." Unfortunately, many believe that this is an inadequate standard by which to judge our success to date.
Judging our "success" will depend to a large extent upon what we identify and set as our homeland security goals. As a Nation we are unlikely to definitively "win the war against terrorism" since terrorist threats are subject to constant change, resources are finite, and it is simply impossible to be 100 percent secure in such an environment. Nor could our Nation definitively say that we are "doing enough for homeland security," since although much progress has been made, much more needs to be done, and like many of our Nation's complex issues, always more could be done.
Just as we continue to ask "how clean is clean" in complex environmental cleanup issues, we will continue to ask "how secure should we be" against terrorism. Thus success for homeland security may be better measured in terms of continual progress towards becoming better prepared. And since homeland security relies upon the coordinated actions of federal, state, local and private sectors, and in many cases upon "layers" of defenses, progress must be measured across numerous dimensions.
Standards, particularly systems and services standards and management standards, hold great potential to both improve coordination across such dimensions and enhance measurement of continued preparedness. Such standards, addressing performance and design and what an organization does to manage its processes and related activities, could help identify interdependencies, define roles and relationships, assign responsibilities, and link federal, state, local governments, not-for-profits, and the private sector in a measurable, dependable and reliable manner. The private sector already sets standards within various business chains, such as in the design, raw materials, supply, manufacture, sales, delivery, and customer support chain. Within homeland security process chains, standards will be essential to assure the stability and reliability of all links in the interdependent business chains of all involved parties responsible for homeland security.
Standards can aid in identifying and fixing fragile links that could lead to particularly catastrophic cascading events, such as widespread power outages or domino effect impacts on food supply or product distribution systems. Systems, services, and management standards can also help clarify the important roles each organization, level of government, and public or private sector plays in improving homeland security. Standards will factor in costs, legal, jurisdictional and other constraints, and identify ways to embed homeland security principles into business and government systems in ways compatible with other important social and economic goals. Standards will also enable more effective oversight by providing means to measure preparedness and guide resource investments.
STANDARDS WILL HELP DEFINE THE CONTEXT FOR STRATEGIC, LONG-TERM HOMELAND SECURITY DECISIONS
Recently the Comptroller General, David M. Walker, posed challenges for our Nation, and set an overarching agenda for GAO as a government accountability organization, in his address to the National Press Club entitled: "Truth and Transparency - the Federal Government's Financial Condition and Fiscal Outlook", on September 17, 2003.
He noted: "At the present time, the federal government is flying either blind or with inadequate instruments in many areas. We … need a government wide strategic plan and annual performance and accountability plans that are linked in some way to key [national] indicators and integrated into individual agency plans."
In particular Comptroller General Walker emphasized:
- We must address the daunting fiscal realities that threaten the future of our Nation, and our children and grandchildren;
- Deficits do matter, especially if large, structural and recurring in nature;
- Tough choices must be made: the American people and our elected officials must have timely, accurate and useful information to make sound decisions;
- How you measure and keep score matters; and
- We must embark on a strategic education plan that identifies these problems and stimulates debate on solutions.
These concerns establish a context for determining how we can continue to become better prepared in homeland security. To answer this question, we must address four major issues: sustainability, balance, integration and accountability. Specifically,
- How may we sustain our homeland security efforts in light of fiscal, human capital and other constraints upon resources at all levels of government and in the private sector?
- How will we balance priorities to improve homeland security with other important national priorities, such as education security, health care security, environmental security, and economic security?
- How will we integrate homeland security measures into underlying public and private business processes and government agency missions to balance priorities and sustain efforts?
- How will we hold governments, not-for-profit, and private sectors accountable, both for the prudent investment of money, and for maintaining and enhancing the capabilities for which they are responsible?
There are so many things that can be done, but it is unlikely that we can do them all. And certainly no one entity alone - federal, state, local, not-for-profit, or private - can do everything. Instead, it is increasingly apparent that homeland security will require strategic and shared capabilities and investments among the federal, state, and local government and not-for-profit and private sectors. These investments should emphasize the development, augmentation, maintenance, and linkage of "capacity" (inclusive of capability, processes, policies, and procedures) to respond to the three central missions of homeland security--prevent terrorism, reduce vulnerabilities, and respond and recover quickly in the event of an attack. Development of "capacity" to counter a range of potential threats (an "all hazards" approach) is critical due to uncertainty over specific terrorist tactics likely to be employed, and questions about sustainability of any other approach. Such a strategic approach will require addressing several core questions in a comprehensive and integrated manner:
- What are the likely threat scenarios homeland security must address?
- Who is in charge and who should be in charge under various scenarios where specific responsibilities are vital?
- What should be done and who needs to do it?
- Who pays for it, including how much does it cost and how is it paid for?
- How do we assure accountability both in use of funds and meeting agreed upon responsibilities under the various scenarios?
Guiding principles and suggested practical implementation actions will be needed to link the concerted actions of numerous sectors, and to better target resource investments. There are and will continue to be many solution paths. One promising path is adopting a systems engineering approach, relying on systems and services standards and management standards.
STANDARDS CAN KEEP SCORE, DEFINE ROLES AND RESPONSIBILITIES, STRIKE BALANCES, LINK TOGETHER CAPABILITIES, AND INTEGRATE ACTIONS STRATEGICALLY TO HELP SHAPE AND IMPLEMENT THE NATIONAL STRATEGIES, AND EVALUATE THE COST EFFECTIVENESS OF HOMELAND SECURITY EFFORTS
Our ongoing work for Congress indicates that federal agencies, state and local governments, and the private sector are looking for guidance on how to better coordinate their missions and more effectively contribute to a comprehensive homeland security effort. For example, one local jurisdiction has asked for more specific guidance or "playbooks" that identify specific preventative or response actions in response to specific threats, tailored for specific geographical regions or sectors, particularly for scenarios which would quickly overwhelm local resources or require multi-jurisdiction actions, such as a weapons of mass destruction attack or an attack on distributive power grids.
CURRENT MANAGEMENT MECHANISMS DO NOT PROVIDE ADEQUATE CRITERIA FOR AND ASSESSMENT OF HOMELAND SECURITY EFFORTS
There are several management mechanisms and operational directives in place to address homeland security, but these are not adequate by themselves to present substantial criteria for homeland security efforts and their assessment for federal and non-federal partners. These mechanisms and directives include national strategies covering homeland security and combating terrorism, voluntary Information Sharing and Analysis Centers (ISACs), and state and local homeland security grant programs, which could benefit from the existence of national homeland security standards.
THE EFFECTIVENESS OF THE NATIONAL STRATEGIES FOR HOMELAND SECURITY COULD BE ENHANCED BY STANDARDS THAT CLARIFY ROLES AND RESPONSIBILITIES, ENCOURAGE SHARED INVESTMENTS, LINK CAPABILITIES, AND PROVIDE MEASURES OF EFFECTIVENESS
Shortly after the September 11, 2001 attacks, we testified that a national homeland security strategy should be developed based on a comprehensive assessment of national threats and risks. Crafting a strategy for homeland security involves reducing the risk where possible, assessing the nation's vulnerabilities, and identifying the critical infrastructure most in need of protection. In this and other work on homeland security and combating terrorism, we said the national strategy should (1) establish explicit national objectives, outcome-related goals, and performance measures to guide the nation's preparedness efforts, (2) clearly define the roles and responsibilities of federal, state, and local entities, the private and not for profit sectors, and the international community, (3) address budget priorities and implementation planning, and (4) address the integration and coordination of efforts across many organizations.
Many federal policies and plans addressing domestic and foreign efforts to combat terrorism changed in the aftermath of the September 11 terrorist attacks. A series of new national plans--called national strategies--were developed or updated to help guide U.S. policy. These include, for example, the National Security Strategy of the United States of America, issued in September 2002, the National Strategy for Homeland Security, issued in July 2002, and the National Strategy for Combating Terrorism, issued in February 2003. Other strategies provide further levels of detail on specific functions related to military operations, money laundering, weapons of mass destruction, cyber security, and protection of physical infrastructures.
These national strategies do identify goals, objectives and specific activities to achieve results. However, they generally do not discuss the importance of performance measures, priorities or milestones. None contain an explicit section on resources and investments needed, nor on risk management approaches. None of the strategies contain an explicit section on integration, and few explicitly address implementation.
Some strategies contain language on horizontal integration, that is, how strategies relate to each other, and cross-sector coordination, but most references are general. None sufficiently address vertical integration, that is, between federal, state and local governments and the private sector.
In past work we have noted that the National Strategy for Homeland Security's initiatives did not provide a baseline set of performance goals and measures for homeland security. Well over a year later, the nation does not have a comprehensive set of performance goals and measures against which to assess and upon which to improve prevention efforts, vulnerability reduction, and responsiveness to damage and recovery needs at all levels of government. At this point, there are few national or federal performance standards that can be defined, given the differences among states and lack of understanding of what levels of preparedness are appropriate given a jurisdiction's risk factors.
For example, in our work assessing The National Strategy to Secure Cyberspace and The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, we observed that these strategies identified priorities, actions, and responsibilities for the federal government, as well as for state and local governments and the private sector. Both define strategic objectives for protecting our nation's critical assets. However, neither strategy (1) clearly indicates how the physical and cyber efforts will be coordinated; (2) defines the roles, responsibilities, and relationships among the key critical infrastructure protection organizations, including state and local governments and the private sector; (3) indicates time frames or milestones for their overall implementation or for accomplishing specific actions or initiatives; nor (4) establishes performance measures for which entities can be held responsible.
As another example, in our work highlighting additional actions needed to better prepare critical financial market participants, we found that the destruction of the World Trade Center towers revealed that many financial organizations' business continuity plans (BCP) had not been designed to address such wide-scale events. For example, 9 organizations had not developed BCP procedures to ensure that staff capable of conducting their critical operations would be available if an attack incapacitated personnel at their primary sites. Ten were also at greater risk for being disrupted by wide-scale events because 4 organizations had no backup facilities and 6 had facilities located between 2 and 10 miles from their primary sites. Although financial regulators have begun to jointly develop recovery goals and business continuity practices, regulators have not developed strategies and practices for exchanges, key broker-dealers, and banks to ensure that trading can resume promptly in future disasters.
GAO recommended that the Securities and Exchange Commission Chair work with industry to develop goals and strategies to resume trading in securities markets, to determine sound BCPs needed to meet these goals, to identify organizations critical to market operations and ensure they implement sound business continuity practices, and test strategies to resume trading. Management standards would be extremely useful in implementing these GAO recommendations.
As we have testified, the national homeland security strategies by themselves, no matter how cohesive and comprehensive, will not ensure an integrated and effective set of programs to combat terrorism. The ability to ensure these things will be determined through time as the strategies are implemented. Standards are critical components of successful implementation. National systems, services, and management standards could more effectively implement strategic homeland security principles, and allow regional, sector specific and proprietary solutions to be created and maintained. These standards, in addition to product or service specific standards, can and should be an integral part of both the development and implementation of strategic homeland security approaches.
STANDARDS MAY ENHANCE THE EFFORTS OF PUBLIC-PRIVATE COORDINATING GROUPS CREATED TO IMPLEMENT THE NATIONAL STRATEGIES, SUCH AS INFORMATION SHARING AND ANALYSIS CENTERS (ISACS)
Federal critical infrastructure protection (CIP) policy, beginning with Presidential Decision Directive 63 (PDD 63) and reinforced through other strategy documents, including the National Strategy for Homeland Security, called for a range of activities intended to establish a partnership between the public and private sectors to ensure the security of our nation's critical infrastructures. To ensure coverage of critical infrastructure sectors, this policy identified infrastructure sectors that were essential to our national security, national economic security, and/or national public health and safety. For these sectors, which now total 14, federal government leads (sector liaisons) and private sector leads (sector coordinators) were to work with each other to address problems related to CIP for their sector. CIP policy also called for sector liaisons to identify and assess economic incentives to encourage the desired sector behavior in CIP. Federal grant programs to assist state and local efforts, legislation to create incentives for the private sector and, in some cases, regulation are mentioned in CIP policy.
Federal CIP policy also encourages the voluntary creation of information sharing and analysis centers (ISACs) to serve as mechanisms for gathering, analyzing, and appropriately sanitizing and disseminating information to and from infrastructure sectors and the federal government through the National Infrastructure Protection Center (NIPC). The actual design and functions of the ISACs, along with their relationship with NIPC, are determined by the private sector in consultation with the federal government.
We have testified that the success of homeland security relies on establishing effective systems and processes to facilitate information sharing among and between government entities and the private sector. We have identified critical success factors and other key management issues that DHS should consider as it establishes systems and processes to facilitate information sharing. These success factors include establishing trust relationships with a wide variety of federal and nonfederal entities that may be in a position to provide potentially useful information and advice on vulnerabilities and incidents. Key management issues included ensuring that sensitive information is secured, developing secure communications networks, integrating staff from different organizations, and ensuring that the department has properly skilled staff.
NIPC has told us that in July 2002 an ISAC development and support unit had been created to enhance private sector cooperation and trust. Earlier this year, DHS reported that there are currently 16 ISACs and that DHS has formal agreements with most of the current ISACs. However, additional efforts are needed. All sectors do not have a fully established ISAC, and even for those sectors that do, our recent work showed that participation may be mixed and the amount of information being shared between the federal government and private sector organizations also varies. For example, efforts were still in progress to establish baseline statistics and sectors do not always coordinate with other sectors. In addition, some in the private sector expressed concerns about voluntarily sharing information with the government. Industry could potentially face antitrust violations for sharing information with other industry partners, have their information subject to the Freedom of Information Act, or face potential liability concerns for information shared in good faith.
A recently established ISAC Council may help to address some of these concerns. The Council activities include establishing and maintaining a policy for inter-ISAC coordination, a dialogue with governmental agencies that deal with ISACs, and a practical data and information sharing protocol (what to share and how to share). In addition, the Council will develop analytical methods to assist the ISACs in supporting their own sectors and other sectors with which there are interdependencies and establish a policy to deal with matters of liability and anti-trust.
The private sector, through ISACs or other mechanisms, must play a key role in shaping and implementing homeland security strategies, including any development of homeland security systems standards. Support for shared investments stems from shared participation in the development of the plans outlining such investments. Adoption of homeland security standards by government and private sectors will undoubtedly require shared input, cooperation, coordination of resources, and shared commitment. And it will require the investment of significant resources.
SYSTEM STANDARDS MAY ALSO ENHANCE THE EFFECTIVENESS OF FEDERAL GRANT PROGRAMS
Continuing to become better prepared will require significant resource investments. In November 2001, the Comptroller General observed that as the nation responded to the urgent priorities of today, we needed to do so with an eye to the significant long-term fiscal challenges the nation faces--long-term fiscal discipline is an essential need. Rapid action in response to an emergency does not eliminate the need for review of how the funds are used. As Congress moved ahead in the coming years, he observed there would be proposals for new or expanded federal activities, but that we must seek to distinguish the infinite variety of "wants" from those investments that have greater promise to effectively address more critical "needs."
A lack of clear standards or metrics to shape effective grant programs may tend to focus grant funding on acquisition of equipment - tangible and "countable" items - rather than upon strategic investment decisions such as whether such equipment is truly needed or of first order of magnitude priority to link together preparedness efforts, and whether capability to effectively operate such equipment exists or will continue to exist. For example, one local jurisdiction expressed some reluctance to accept federal grants, noting that the jurisdiction's efforts must be focused upon "fielding" equipment rather than simply "buying" equipment. "Fielding" recognizes that initial buying or acquisition costs are only down-payments. Significant costs for ongoing operations and maintenance, personnel training, and recapitalization of equipment at the expiration of its useful life, may not be covered by federal grants, shifting substantial and often unsustainable fiscal burdens to recipients. And as these local officials have commented, once equipment is there, local constituents expect local officials to have enhanced capabilities well into the future.
A focus on inventory rather than capabilities may also hinder an important national strategic goal of greater utilization of existing excess capacity to meet emergencies - including homeland security emergencies. Federal, state and local governments and most private businesses typically maintain an excess or surge capacity to handle the unexpected. A "reserve" of capability exists, shared among government and the private sector that could be mobilized effectively for homeland security - provided systems and strategies exist to identify such capabilities, to assure reliability, stability and predictability of response when needed, and to mobilize such capability in an integrated fashion during a crisis. Standards have proven extraordinarily useful in mobilizing reserve capacity, in applications ranging from manufacturing, retailing, military logistics, and now grid computing. Such standards enhance creation of an "all-hazards" approach that may integrate homeland security and natural disaster preparedness with the complementary focus on prevention, preparedness, response, and recovery.
Comprehensive "all-hazards" preparedness plans require money, both to initiate and to maintain. We have testified that there is a great deal of room for improvement in how the federal government provides assistance to state and local governments to enhance their levels of preparedness for terrorist acts. Substantial differences exist in the types of recipients, the allocation methods, and requirements for grants addressing similar purposes. For example, some grants go directly to first responders such as fire fighters while at least one goes to state emergency management agencies and another directly to state fire marshals. Some are formula grants while the others involve discretionary decisions by federal agency officials on a project basis. Some call for base amounts with the balance of funds distributed on a population-share basis. Grant requirements differ as well--some have maintenance of effort requirements while others do not.
In addition, there is considerable potential overlap in the activities that these grant programs support. The fragmented delivery of assistance can complicate coordination and integration of services and planning at state and local levels. Local governments are starting to assess how to restructure relationships along contiguous local entities to take advantage of economies of scale, promote resource sharing, and improve coordination on a regional basis. Our previous work suggests that the complex web of federal grants used to allocate federal aid to different players at the state and local level may continue to reinforce state and local fragmentation. Some have observed that federal grant restrictions constrain the flexibility state and local officials need to tailor multiple grants to address state and local needs and priorities.
Federal grants will be a central vehicle to improve and sustain preparedness in communities throughout the nation. At this time, it is difficult to know what impact the grant system has in protecting the nation and its communities from terrorism. We do not have clearly defined national standards or criteria defining existing or desired levels of preparedness across the country. The grant structure is not well suited to provide assurance that scarce federal funds are in fact enhancing the nation's preparedness in the places most at risk. Sustaining support for the necessary funding over the longer term will ultimately depend on rationalizing our grant system to streamline and simplify overlapping programs, promote appropriate targeting, and ensure accountability for the results achieved with scarce federal resources. Accountability needs to be built in on the front end, not after the funds are expended.
We have identified several alternatives to overcome problems fostered by fragmentation in the federal aid structure. Block grants are one way Congress has chosen to consolidate related programs and typically devolve substantial authority for setting priorities to state or local governments. They can be designed to facilitate some accountability for national goals and objectives. Another alternative to overcome grant fragmentation is the simplification and streamlining of administrative and planning requirements. This might include identifying all redundant and duplicative requirements or better coordinating state and local planning requirements.
Another option for federal grant funding is designing grants that retain strong standards and accountability for discrete federal performance goals. State and local governments can be provided greater flexibility in using federal funds in exchange for more rigorous accountability for results. However, the challenge for developing performance partnerships for homeland security grants will be daunting because the administration has yet to develop clearly defined federal and national performance goals and measures. We have reported that the initiatives outlined in the National Strategy for Homeland Security often do not provide performance goals and measures to assess and improve preparedness at the federal or national levels. The strategy generally describes overarching objectives and priorities but not measurable outcomes. The absence of such measures and outcomes at the national level will undermine any effort to establish performance-based grant agreements with states.
Systems, services, and management standards, focusing on performance, design, and management of processes and activities, could provide a more useful and reliable set of criteria for assessing the value of specific investments, and the effectiveness of numerous federal grant and stimulus programs. Certification, whether done by a certification body or self-certification by an organization to national standards, provides an effective mechanism for Congressional and Executive Branch oversight of federal homeland security strategies and programs.
The process of developing standards inherently identifies priorities for action, reconciling key needs with available resources, and mitigating unintended consequences such as competitive disadvantage or impacts upon business model viability and mission accomplishment. In this sense, the standards setting process may both help refine national strategies as well as devise specific initiatives to implement such strategies through enhanced public-private partnerships and more effective federal grant and stimulus programs.
HOW COULD WE DEVELOP HOMELAND SECURITY STANDARDS TO ENHANCE THE EFFECTIVENESS OF NATIONAL STRATEGIES, AID IMPLEMENTATION THROUGH COORDINATED ACTIVITIES OF BOTH THE PUBLIC AND PRIVATE SECTORS, AND INCREASE THE IMPACT OF GOVERNMENT INVESTMENT PROGRAM?
Other areas requiring stable, reliable, and multi-faceted participation have established collaborative protocols and systems, services, and management standards including performance and capacity standards that might serve as a model for homeland security. A particularly successful approach has been that of the International Organization for Standardization, known as ISO. ISO was established in 1947 to promote standards in international trade, communications, and manufacturing. It is a network of the national standards institutes of 147 countries, with a Central Secretariat in Geneva. ISO is the world's largest developer of technical standards for industrial products and processes. The American National Standards Institute (ANSI), a private, non-profit organization, is the US ISO representative and coordinates the US voluntary standardization and conformity assessment system. Since its inception, ISO has published more than 13,700 international standards. Certification to the standards is voluntary, but has been considered both best business practice and standard of care in some circumstances.
The most common kind of standard relates to some type of measurement, such as dimensions or weights. Another kind of standard has to do with processes as to how things are done. One example of the latter is a quality management system conforming to the ISO 9000 standard. Another is an environmental management system conforming to ISO 14000. These standards deal not with absolutes, but with how the quality or environmental management system is established and executed. For example, ISO 9000 standards for a quality management system include identifying the processes needed for the quality management system and their application throughout the organization, and determining the sequence and interaction of the identified processes. ISO 14000 covers standards for an environmental management system, such as top management defining an organization's environmental policy and ensuring that the policy is appropriate to the nature, scale, and environmental impacts of its activities, products, or services.
Unlike the far more common absolute standards covering product and material characteristics, ISO 9000 and ISO 14000 are generic standards, usable by virtually any organization regardless of products or services.
As an example of application, the automobile industry used ISO 9000 standards and protocols to assure efficiency, reliability, and stability throughout the entire set of business processes including the design, manufacture, and sale of cars. Auto manufacturers relied on suppliers of raw materials and parts to meet certain capacity or performance standards, such as steel tensile strength or minimum number of operations before failure on selected parts, so cars would operate as designed. ISO "certifications" became required of suppliers and distributors, and contributed significantly to improved performance of the entire interlinked supply chain. Similarly, users of materials with potentially toxic characteristics required ISO 14000 certification of components to minimize liability associated with the use and/or incorporation of chemical components into a larger product or system.
Achieving ISO certification against standards requires considerable effort and expense. However, ISO certification provides organizations a scientifically based and widely accepted family of standards. Consensus-based, these standards specifically factor costs, difficulty of implementation, impact upon the underlying process being standardized, and cost competitive advantages/disadvantages that adoption of standards may impose. Moreover, the standards allow innovative or proprietary methods to achieve such standards and are silent on specific vendor solutions or designs. Success is measured against the widely known, understood and accepted standards, and the standards extend to any department or activity that has an impact on the quality of the product or service.
DO WE NEED AN ISO 15000 SERIES FOR HOMELAND SECURITY [OR AN ADAPTATION OF EXISTING ISO STANDARDS TO HOMELAND SECURITY]?
More immediate federal efforts related to standard development have been focused on quantitative, absolute product or service specific standards for emergency preparedness and response countermeasures, rather than inter-dependent system and capacity standards applicable to a broader range of organizations. The Homeland Security Act of 2002 set up a Homeland Security Institute to, among other duties, identify instances when common standards and protocols could improve the interoperability and effective utilization of tools developed for field operators and first responders and to design metrics and the use of those metrics to evaluate the effectiveness of homeland security programs throughout the federal government. The National Strategy for Homeland Security includes a science and technology initiative to set standards for homeland security technology. DHS, along with other federal agencies, is to work with state and local governments and the private sector to build a mechanism for analyzing, validating, and setting standards for homeland security equipment. DHS is to also develop comprehensive protocols for certification of compliance with these standards.
In February 2003, ANSI initiated a Homeland Security Standards Panel (HSSP) to catalogue, promote, accelerate, and coordinate the timely development of consensus standards within the national and international voluntary standards systems. HSSP will identify existing consensus standards, or if none exists, assist the Department of Homeland Security and those sectors requesting assistance to accelerate development and adoption of consensus standards critical to homeland security. HSSP's immediate focus is to respond to the most immediate measurement/quantitative standards needs of DHS; for example, initial efforts seek to identify existing standards for biometric technologies, which can be applied to devices used to identify and find terrorists.
For homeland security, expanding into management standards, particularly those including performance and capacity standards, based on ISO 9000 and ISO 14000, could support homeland security prevention, vulnerability reduction, and response and recovery missions in balance with other legal, policy, and investment requirements. These management standards would be in addition to quantitative, product or service specific standards, and would link together capacities of federal, state, and local governments and the not-for-profit and private sectors. Such standards could help prevent unnecessary duplication of effort and investment in resources, so that each key actor does not do the same thing, but rather slightly different things that can be more efficiently linked together into a comprehensive homeland security "system".
Management standards may become "best practices," scalable and replicable across geographical regions. For example, excess capacity to respond to emergencies is already being developed and maintained by various entities. ANSI/ISO standards could help link this excess or surge capacity owned by different entities of different sizes in different locations together in practical, useful and more cost-effective ways that can actually and reliably be mobilized in times of emergency.
CURRENT OR POTENTIAL APPLICATIONS TO HOMELAND SECURITY INCLUDE MANY MISSION AREAS
For homeland security, ISO standards could support homeland security prevention, vulnerability reduction, and response and recovery missions in balance with other legal, policy, business efficiency and investment requirements. Current or potential examples include:
- C-TPAT (Customs-Trade Partnership Against Terrorism) protocols for container cargo shipping are essentially an ISO-analogous consensus approach to facilitate collaboration and set minimum security standards;
- U.S. Fire Marshals set a performance goal of responding to fires anywhere within their jurisdiction within a fixed time. Crash, fire and rescue operations at Federal Aviation Administration-certified airports must be able to respond to emergencies in certain specified categories within certain time parameters;
- Minimum training and personnel requirements;
- Capacity of hospitals to triage and/or isolate potentially infectious patients;
- Capacity of communication systems to withstand certain attacks and provide certain bandwidth service for minimum periods of time;
- Ability to notify and activate existing emergency operations centers upon the occurrence of certain contingencies;
- Ability of financial market information technology systems to withstand specified attacks for minimum periods of time;
- Ability of energy distribution infrastructures to identify certain events that may be precursors or indicators of possible attack and/or prevent cascading impacts;
- Capability of critical systems (such as power or water; fire, police or hospitals) to continue to operate despite power outages, using certified backup systems; and
- Collection and reporting of data in uniform categories or format to allow creation of normative models; deviations from norm may be cause for further investigation.
ADVANTAGES OF AN ISO-LIKE APPROACH FOR HOMELAND SECURITY
An ISO standards approach to homeland security has considerable advantages. First, the approach would anticipate likely scenarios that should guide minimum homeland security standards. These standards would be developed in a consensus process based on science and not the lowest common denominator that might result from a purely voluntary approach. This also would help resolve tensions between a federal prescriptive approach and a "market-driven" approach to defining homeland security standards.
Second, the ISO approach would consider responsibility, costs, and impacts. It would assign specific responsibilities to organizations or groups of organizations that would help answer questions such as "who is in charge" and "what should be done." It would consider cost implications, unintended consequences upon underlying business system or agency processes, and the cost competitive advantages or disadvantages of adopting standards. Additional costs may be offset by the increased reliability and stability of systems.
Third, the ISO approach introduces and encourages flexibility in meeting the standards and measuring progress. It would allow individual or regional variation in methodologies to achieve or finance compliance under the standards and leverage partnerships in addressing homeland security. It also allows both security and efficiency to be improved simultaneously, weaving homeland security principles into underlying business systems or agency processes. The approach provides a basis to measure improvements in homeland security preparedness through the certification process. In addition, use of standards can create opportunities to build capacity for both homeland security and non-homeland security priorities.
Fourth, at the national level, the ISO approach aids the Congress and Administration in assuring accountability, stability, and reliability of national homeland security programs dependent upon collaboration between the federal, state, local, and private sector organizations. Standards and the certification process build a mechanism for meaningful oversight that can directly affect policy and funding decisions. Improvement in capacity allows for assessment of the effectiveness of federal grant programs or other stimulus programs and creates vehicles for directing and implementing national strategies. Moreover, since the ISO approach is international in scope, it can also present a recognized and familiar approach to homeland security that would facilitate international cooperation.
Homeland security demands a non-linear, comprehensive approach that combines general principles with specific actions in a manner that links together all necessary parties. And as with any complex program, the ability to measure progress and hold parties accountable is instrumental in sustaining efforts and providing relevant information to policy makers to conduct effective oversight and assure continuous program improvement. Standards, often viewed as latter stage requirements, can and should be instead developed upfront to both shape and implement effective national homeland security strategic approaches.
Standards, particularly management standards, can be, and historically have been, utilized effectively to answer key questions such as:
- Who is in charge?
- What should be done and who should do it?
- Who should pay for it and how should it be paid for?
- How do we hold people accountable for use of limited resources and for fulfilling their expected and assigned responsibilities?
Standards may also be used effectively to provide the "playbook" guidance to anticipated likely terrorist scenarios, to prioritize actions based upon threat risk analysis, and to provide visibility to key policy makers. Such standards enhance stability and reliability in complex systems, a value added that helps offset the costs of meeting the standards. Standards are sensitive to cost implications, and practical difficulties in implementation. Such standards enable the identification and emergency mobilization of relevant excess capability already resident in different sectors over different geographical regions. Standards inherently attempt to reconcile and balance homeland security with other important priorities, such as economic security and business system viability. Standards can help us answer the fundamental question: How can we continue to become better prepared?
Randall Yim is a Director in Defense Capabilities and Management at the General Accounting Office headquarters in Washington, D.C. He leads GAO's National Preparedness Team, serving as the central focal point for GAO's multi-disciplinary work on homeland defense and national preparedness, including coordination among all levels of government and collaborations with private sectors, community groups and individual citizens. Mr. Yim was formerly the Deputy Under Secretary of Defense for Installations, responsible for oversight and policy guidance for the management of the Department's installations worldwide, occupying more than 46,000 square miles, with 600,000 structures valued at over 600 billion dollars. He was responsible for directing the Department's privatization and outsourcing initiatives; ensuring greater reliance on commercial products and practices; and managing the Department's infrastructure budget and policies, including housing, energy, base closure and reuse, and economic
Prior to his appointment as Deputy Under Secretary of Defense for Installations, Mr. Yim served as the Principal Deputy Assistant Secretary of the Army for Installations, Logistics, and Environment. He is a graduate of Stanford University (B.A., 1974) and the University of Pennsylvania's School of Law (Doctorate of Jurisprudence), 1977.
In August 2000, Mr. Yim was awarded the Senator David Pryor Special Achievement Award for Outstanding Lifetime Achievement and Dedicated Public Service, presented by the National Association of Installations Developers, for his work on behalf of base closure communities. In January 2001, Mr. Yim was awarded the Department of Defense Medal for Distinguished Public Service, the highest civilian award from the Secretary of Defense.