ZIFFPAGE TITLEDHS Must Clean itsBy Larry Dignan | Posted 2005-08-04 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
Almost four years after the Sept. 11 attacks, gaps remain in the nation's safety net. Some are closing quickly, some aren't closing at all. Here's a snapshot of the Department of Homeland Security's systems for keeping terrorists at bay.Own House">
DHS Must Clean its Own House
As Chertoff starts assessing risks, he'll also have to get internal information systems up to snuff. Details about the role of those systems in the agency's restructuring are sparse. Chertoff said on June 9 that the agency isn't finished consolidating applications, although the department has cut 22 different human-resources systems to seven, eight payroll systems to two and 19 financial management systems to 10.
Challenge: Share information with private industry and first responders.
Solution: Work with private industry groups and first responders to share meaningful intelligence.
Progress: The DHS works fairly well with private industry. First-responder communication a concern.
One spot where Homeland Security has received high marks is cooperation with the private sectorat least for protecting physical infrastructure such as water plants and oil refineries.
"Early on, the DHS recognized that private industry held most of the infrastructure and created a liaison office," says Bill Raisch, executive director of the International Center for Enterprise Preparedness (INTERCEP) at New York University, a think tank devoted to private-sector crisis management.
The department shares security information such as vulnerable points in the railroad network, chemical supply chain and electric grid with industry groups and companies via 15 information sharing analysis centers (ISACs). Is extra security training worth the time and expense? Check out: Calculator: The Return on Security Training
Raisch, also the private-sector adviser to the 9/11 Commission, says the DHS faces two challenges. The first: convincing companies to secure plants, computer networks and other facilities. INTERCEP is urging insurance companies to give breaks based on the level of disaster preparedness. "The hang-up is the money," Raisch says.
The other challenge for the DHS is delivering information to security officers at companies more efficiently. Today, non-classified security information is delivered via e-mail in bulk. All recipients in all industries get all disclosures. Ultimately, a chemical industry executive should receive alerts only in areas where the company has a plant.
Sharing intelligence with local authorities is underway. In April 2004, Homeland Security awarded a contract worth $350 million to Northrop Grumman to build the Homeland Secure Data Network, which went online in April and allows intelligence personnel at the DHS and Department of Defense to share data based on their security clearances. The network will expand to allow local law enforcement officials and, potentially, private industry groups share intelligence, says Payton Smith, an analyst at research firm Input.
To Jody Westby, managing director of PricewaterhouseCoopers' Security and Privacy Practice, the DHS has to improve communication with local officials soon. "Washington has to understand that security comes from Main Street, not Pennsylvania Avenue," she says.
Challenge: Gain assistance from international authorities.
Solution: Use U.S. trade heft to inspect cargo before it hits U.S. ports.
Progress: Not enough people to ensure foreign ports are actually conducting inspections.
Homeland Security has made progress developing X-ray and other radiation technology to inspect containers, and getting more containers inspected at foreign ports before they leave for the U.S.
In 2004, the department screened all incoming cargo and physically inspected 6% of it based on the risk of it being a threat. As of October 2004, 40% of cargo came from suppliers deemed secure by the DHS; the remainder came from uncertified supply chains.
But it must do more to secure U.S. supply chains, says Global Trade Security Consulting's O'Brien. He notes the DHS does not have enough agents to inspect every port or foreign manufacturer that says it meets standards for the Customs-Trade Partnership Against Terrorism program, a way for Customs to prioritize cargo from "secure" organizations. "At some point, somebody has to come in and see that security gate to make sure it's working," O'Brien says.
Also key is international intelligence sharing. Today, if the DHS stops a suspect at a border point, that person's fingerprints can't be immediately run through a database in the United Kingdom to see if he was rejected at two borders and why. "We have to find ways to enhance connectivity to get them connections into our databases," Chertoff said.
To be sure, the DHS is a work in progress, and Wilmot says it could take a decade to truly evaluate the department.
The problem: The U.S. may not have a decade to get it right.
David Heyman, director of the Center for Strategic and International Studies' Homeland Security Program, a think tank, says Al Qaeda takes years to plan attacks. Sept. 11 took five years to plan, Madrid took more than three, and attacks on U.S. embassies in East Africa took four years. "It's not even four years since 9/11that's within their planning window," Heyman says.
First responder Moore agrees that a big attack is inevitable. But he has confidence in the DHS. "Look, I think we do this 'less worse' than anyplace else in the world," he says.
The big question is whether "less worse" is enough.