Tuesday, December 19, 2006

The "Other" Terrorists

It can be tempting to think primarily of terrorists as al Qaeda types. But a recent terrorist case in Tennessee demonstrates that other threats are still out there. The AP reported:

A white supremacist was sentenced Nov. 28 to 30 years in prison for attempting to acquire Sarin nerve gas and C-4 explosives that he planned to use to destroy government buildings.

Demetrius Van Crocker, 40, a farmhand from the small town of McKenzie, Tenn., near Jackson, was arrested in 2004 after an FBI undercover agent posing as an employee at the Pine Bluff Arsenal in Arkansas, delivered a water-filled Sarin canister and a small quantity of explosives.

Crocker appeared to be obsessed with poisonous chemicals and showed an above-average knowledge of basic chemistry, which he said he acquired while working in an electroplating factory.

"I ain't gonna quit trying," he said of his desire to acquire a dirty bomb.

When he talked about casualties, Crocker said they "can't be helped." In a separate conversation with an informant, he said, "Let God sort 'em out."

The online magazine Salon also reported on the story, although in a more politicized way. Their article provided some of the backstory on how local authorities found out about Crocker:
According to court documents, the investigation of Demetrius Crocker began in early 2004, around the time he told a man named Lynn Adams that Timothy McVeigh "[did] things right." Adams, who had met the Mississippi-born farmhand through a mutual acquaintance, began to hear from Crocker about his plans for mass murder.

Adams was a former sheriff's deputy and a confidential informant for the Carroll County drug task force. At first, Adams didn't take Crocker seriously, but as their relationship progressed, Adams began believing Crocker was more than just talk.

At that point, the Carroll County Sheriff's Department passed the case on to the FBI. Steve Burroughs, an FBI agent, began working undercover.

But tapes of the conversations between Crocker and Burroughs reveal that Crocker knew what he was doing. He had made a version of Zyklon B, the gas used in the gas chambers in Nazi concentration camps, and he accurately described its manufacture. He had made nitroglycerin. He had the ingredients for a rudimentary bomb in his home ...

The Crocker case was brought in by old-fashioned police work. A confidential informant passed on a tip and a sting was conducted by an FBI agent careful to make sure the plan was real and not a creation of the government.
One of the truths of today's terrorism is that technology is making it easier for small groups and "lone wolf" terrorists to do much more damage than they could in the past. This is true for both Islamist terrorists like al Qaeda as well as others.

Friday, December 15, 2006

"Ready or Not?" Report on Preparedness for Biological Threats

The Trust for America's Health has issued its fourth annual "Ready or Not?" report on the state of preparedness in protecting the public from biological threats. The report's major findings are:

  1. Only 15 states and two cities are rated at the highest preparedness level required to provide emergency vaccines, antidotes, and medical supplies from the Strategic National Stockpile (SNS).
  2. Eleven states and D.C. lack sufficient capabilities to test for biological threats.
  3. Four states lack sufficient laboratory experts trained to test for a suspected outbreak of anthrax or the plague.
  4. Four states do not test for flu on a year-round basis, which is necessary to monitor for a pandemic flu outbreak.
  5. Half of states would run out of hospital beds within two weeks of a moderately severe pandemic flu outbreak.
  6. Flu vaccination rates for seniors decreased in 13 states.
  7. The national median for vaccinating seniors for pneumonia is 65.7 percent, the national goal is to vaccinate 90 percent by 2010.
  8. Twelve states and D.C. are not fully compatible with the Center for Disease Control and Prevention’s (CDC’s) National Electronic Disease Surveillance System (NEDSS) to track disease outbreak information.
  9. Forty states and D.C. have a shortage of registered nurses.
  10. Six states cut their public health budgets between FY 2004-05 and FY 2005-06. As of FY 2005-06, the median state funding for public health is only $31 per person per year.
The report emphasizes that collaboration is needed among public health professionals and other responders. It argues that an effective response will require, among other things:
  • Pre-planned, safety-first rapid emergency response capabilities and precautions:
  • Tested plans and safety precautions to mitigate potential harm to communities, public health professionals, and first responders.
  • Immediate, streamlined communications capabilities: Coordinated, integrated communications among all parts of the public health system, all frontline responders, and with the public. Must include back-up systems in the event of power loss or overloaded wireless channels.
But because the public health system is distributed across all levels of government, some problems with coordination arise. Specifically:
  • Lack of clear roles for the various state, local, and federal agencies.
  • Limited coordination among the levels of government, including determination of how federal assets would be deployed to states and localities, and across jurisdictions, such as sharing assets and resources among states.
  • No minimum standards, guidelines, or recommendations for capacity levels or services required of state and local health departments. This results in major differences in services and competencies across state and local agencies.
The bulk of the report provides scores on preparedness in for each state. It's worth looking up for your state. (Oklahoma scored the highest.) It also makes some recommendations, although these are mostly at the federal level.

Overall, the report provides more weight to the argument that better coordination between public health agencies – at all levels of government – and first responders is a must.

Wednesday, December 13, 2006

National Interoperability Baseline Survey

DHS recently released the results of a baseline survey on interoperability for first responders. They survyed "both fire response/emergency medical services (EMS) and law enforcement agencies in all 50 states and the District of Columbia," with 6,819 agencies responding. This means their findings are at the 99 percent confidence level.

The study assessed "the five critical elements—governance; policies, practices, and procedures; technology; training and exercises; and usage—that determine an organization’s capacity for interoperability." It took three levels of interoperability into account:

These levels include interoperability across disciplines (i.e., between law enforcement and fire response within the same jurisdiction), across jurisdictions (i.e., between agencies of the same discipline across local jurisdictions), and between agencies of the same discipline across state and local government.
Although the stated goal of the survey was to "create a national and statistically valid snapshot of the capacity for and use of interoperability," DHS was careful to point out that it's not possible to describe the nation's interoperability status with a simple, single national "score."
No one-dimensional scale can adequately define the current state of interoperability in the Nation, or the progress left to be made, because the capacity for interoperability is a complex issue that involves technological, political, operational, and human variables.
Here are a few key findings (though not all of them):
  • About two-thirds of agencies report using interoperability to some degree in their operations. According to our frequency of use and familiarity question, which addresses how often and in what situations interoperability are used, about one-third of agencies use interoperability primarily for out-of-the-ordinary events, and another third interoperate both for out-of-theordinary events and in their day-to-day operations.
  • The smallest agencies, as a group, tend to be at earlier stages of development than larger agencies.
  • Fire response/EMS and law enforcement agencies tend to show the same level of development in most areas of the Continuum.
  • Cross-discipline and cross-jurisdiction interoperability tends to be at a more advanced stage than state-local interoperability.
As of now, technological hurdles are not the main obstacle to interoperability:
Perhaps because technological issues have been placed at the forefront of interoperability problems, technology displays the highest level of development of any of the elements in the Continuum.
Of all the variables that determine interoperability, planning and governance is one of the most critical:
Interoperable communications cannot emerge on their own, nor can any single agency implement interoperability, without … collective leadership and support.

Moreover, the Government Accounting Office (GAO) has reported that, “The single greatest barrier to addressing the decades-old problems of interoperable communications has been the lack of effective, collaborative interdisciplinary and intergovernmental planning.”

Strategic plans for interoperability are the exception rather than the norm. Only 20 percent of agencies have strategic plans to ensure interoperability across disciplines, and 19 percent have plans to ensure interoperability across jurisdictions. For state-local interoperability, that proportion falls slightly, to 16 percent.
One of the interesting findings of the study is that, because of the nature of their work and the greater ability and need for cross-jurisdictional cooperation, fire and EMS agencies are more likely to have established decision-making groups and agreements with other agencies:
This question [of establishment of a public safety decision-making group] also showed the most dramatic instance of one discipline completely outdistancing the other in the advanced stage. SMEs reviewing these findings were not surprised to see fire response/EMS more likely to report in the advanced stage in this instance than law enforcement. One of the distinguishing characteristics of the advanced stage is reaching out to groups beyond traditional first responders, and it was agreed the fire response/EMS are often in contact with a wide variety of groups in their response efforts.

[Regarding cross-jurisdiction agreements] law enforcement is organized along political jurisdictions, and much of its operations across jurisdictional lines are codified in local law. Fire response/EMS agencies, on the other hand, are not organized according to political jurisdictions, and their cooperation is consequently not codified in law. They would thus have a greater need to establish agreements for working across political jurisdictions.
Another interesting finding is that collaboration breeds collaboration:
Several [agencies] expected improved interoperability would lead to faster response time—removing intermediary communications and ensuring that all responders could communicate to the incident commander. Various agencies also provided examples of interoperability improving response, from enhancing the safety of ambulance crews in high-crime areas to the prevention of secondary accidents at incidents. Others noted that reduced barriers to interoperability would lead to greater trust and improved working relationships between neighboring agencies—an interesting comment, given that an often-cited barrier to interoperability specifically is lack of working relations. These agencies are suggesting that simply working more regularly together could overcome barriers that tend to inhibit agencies from working together.
The thing that I take from this survey is that collaboration is an absolutely essential precondition to interoperability. And not only does collaboration aid in the development of interoperable systems, but it can also help in other ways, such as improved response time and greater unity of effort, even during the response to everyday incidents.

Note: As others have done before, this report also describes the problems that resulted from a lack of interoperability on 9/11 and in the aftermath of Hurricane Katrina:
[L]ack of interoperability [has] continued to result in the unnecessary loss of lives and property. As the 9/11 Commission Report stated, many of the first responders that responded to the attacks in New York City “lacked access to a [common] radio channel on which the Port Authority police evacuation order was given.” As the catastrophic events of September 11, 2001 showed the entire Nation, direct correlation exists between effective communications interoperability and first responders’ ability to save lives.

In August and September 2005, the ramifications of the lack of communications interoperability were once more brought to national attention in the aftermath of Hurricane Katrina. The massive damage to communications infrastructure alone wreaked havoc on the ability of any single agency to coordinate its own relief efforts in the Gulf Coast area. Establishing simple internal operability compounded problems with achieving interoperability with other agencies. The House of Representatives report on the response to Katrina noted, “There was no voice radio contact with surrounding parishes or state and Federal agencies. Lives were put at risk and it created a direct operational impact on their ability to maintain control of a rapidly deteriorating situation within the city, carry out rescue efforts and control the evacuation of those who had failed to heed the call for evacuation.”

Monday, December 11, 2006

Response Structure for Nuclear Incidents

Catching up a bit here. This one is a couple of months old. The American Nuclear Society published a brief article in September that described the response for a nuclear incident. Not surprisingly, the response would be a complicated process involving many agencies.

Nuclear weapon incidents or accidents will involve a joint Department of Energy (DOE) and Department of Defense (DoD) response. Local responders and state agencies, who always have the primary responsibility for the protection of the public, will also be involved.

If the emergency involves a nuclear weapon, either the DOE or the DoD is the lead agency (whichever organization had custody of the weapon at the time of the incident/accident). If an RDD is the issue, the FBI becomes the lead agency representing the Department of Justice. An accident at a nuclear power plant will put the Nuclear Regulatory Commission (NRC) in the lead role.
The military response, alone, involves a number of elements:
A military response will involve the DoD and may include the Defense Threat Reduction Agency (DTRA), which coordinates DoD responders to a nuclear/radiological incident.

The National Guard Civil Support Teams (CSTs) are available through the states to assess the seriousness of radiological accidents, to predict the consequences, and to assist the Incident Commander in the management of the consequences.

A global radiological/nuclear field response is provided by the Air Force Radiation Assessment Team (AFRAT). … Its mission is to deliver radiological risk assessment to assist in the recovery of the affected area.

Worldwide medical assistance is provided by the U.S. Army through its Radiological Advisory Medical Team (RAMT).

The Medical Radiobiology Advisory Team (MRAT) … provides radiological and medical expertise to military commanders and medical providers.
The federal civilian response is similarly complicated:
The primary civilian government agencies responding to radiological incidents include the National Nuclear Security Administration (NNSA), which is a semiautonomous agency within the DOE, the Environmental Protection Agency (EPA), the Nuclear Regulatory Commission, the Department of Health and Human Services, the Department of Agriculture, and others.

One of the best-known civilian response organizations is the Radiological Assistance Program (RAP), which is administered by the NNSA. … The main mission of RAP is to provide information or deployable assets (DOE measurement equipment and personnel) in order to assess and mitigate a radiological incident.

If radiological materials become airborne, two NNSA response assets can be brought into operation: the National Atmospheric Release Advisory Center (NARAC) … and the NNSA’s Aerial Measuring System (AMS).

Another NNSA radiological response asset is the Radiation Emergency Assistance Center/Training Site (REAC/TS), which provides medical information, medical personnel, and patient care in the event of a radiological accident.

Responses to incidents involving nuclear weapons under DoD or DOE custody can involve the DOE’s Accident Response Group (ARG), whose expertise includes weapons designers, radiation health professionals, and nuclear scientists, so that knowledge of all weapons in the U.S. stockpile is at hand.

The Nuclear Regulatory Commission will respond to terrorist and emergency incidents at the nuclear, industrial, and medical facilities it licenses.
Besides those involved in direct response, other agencies are involved in coordination:
Coordination among federal and state agencies during the emergency phase of a nuclear/radiological incident may be handled by the NNSA’s Consequence Management Planning Team. This is an advance component of the Federal Radiological Monitoring and Assessment Center (FRMAC), [whose mission] is to coordinate federal and state/local radiological monitoring and assessment activities.
The article suggests that state and local first responders can improve their response capacity by developing relationships with federal and state responding agencies, as California did with the FRMAC:
To at least improve the coordination of response between FRMAC and the states, including local governments, a close working relationship must be developed between the two entities. The state of California has been cited as a good model for developing this working relationship. Building this federal/state bridge initially involved federal/state coordination in nuclear power plant emergency response drills. This allowed the state to study FRMAC procedures, and FRMAC team members became informed about California’s response procedures. … Other states are attempting to achieve a similarly firm handshake with FRMAC. It must be noted, however, that the California/FRMAC relationship took years to develop.
Even though the likelihood of a nuclear or radiological disaster is relatively low, compared to other threats, its consequences could be extremely serious. Even in the event of a "dirty bomb" attack that killed or injured relatively few people, the panic caused by a radioactive release could significantly complicate the response. The right time to learn about the responding agencies and how the response might be organized is now, rather than after the fact.

Friday, December 08, 2006

Agroterrorism: Local Law Enforcement, You're in Charge

The Department of Justice (DOJ) just published a really interesting 4-page research brief on agroterrorism. According to the report, one aspect of our preparedness is falling far short:

Many believe that public health officials would lead the response to an agroterrorism attack, but this might not be the case. The laws of most States require that such an event be handled as a crime scene investigation, giving law enforcement primary responsibility. Ill-equipped to handle the magnitude of responsibilities that would follow an act of agroterrorism, local police departments would be pushed to the limit.
For example, how many law enforcement agencies - especially smaller agencies in rural areas - are ready to do this:
Research points to the first priority of local law enforcement after an agroterrorist attack: establishing and enforcing a 6-mile radius quarantine (113 square miles) around the point of origin to control the spread of the virus. The second priority would be to set up statewide roadblocks to enforce stop-movement orders. Such a tremendous effort— requiring that all vehicles coming into or going out of the impacted State be stopped and inspected— would require a coordinated response by local, State, and Federal officials.
In the brief, DOJ points out that, by the USDA's estimate, the economic cost to taxpayers of a major foot-and-mouth outbreak could be $60 billion (and a DHS official recently estimated the cost would be in the hundreds of billions). Given this, the DOJ calls for action:
Because terrorists rely on a lack of preparedness, law enforcement agencies should start now to develop a plan for preventing an agroterrorism attack—and the interruption of basic services, civil and emotional stress, and public health concerns that likely would follow.
DOJ also provides some specific steps local law enforcement can take:
On the local level, law enforcement agencies bear a responsibility for intelligence gathering … Local jurisdictions are also in the best position to conduct vulnerability studies of area farms and feedlots.
And perhaps most importantly at the beginning - DOJ suggests whom to collaborate with:
Partnerships—the best way to prevent an agroterrorism attack and the only way to contain one—must be created among local farmers, truckers, feedlot owners, and other critical members of the food-supply chain. A working relationship between criminal investigators and veterinarians and animal and plant health inspectors must be established.
The brief is sort of a good primer for preparedness: There is a threat. We are not fully ready or organized for it. Dealing with the threat could be a massive undertaking. So to get ready, we need to work together and plan now.

Survey on Emergency Management at the County Level

The National Association of Counties recently released the results of a survey on emergency management. The survey describes the organization and preparedness of county emergency management organizations nationwide. Here are some of the survey's findings:

How is emergency management organized and staffed?

[R]espondents to this survey suggest that emergency management is, for the most part, now a separate unit within a department of public safety (38 percent) or a stand-alone unit of the county government reporting directly to the chief executive or governing body (40 percent), meaning that 78 percent of counties nationally have established emergency management units separate from the police/sheriff and fire departments.

Most top managers have duties beyond coordinating the county’s emergency preparedness and response units … More than three-quarters (77 percent) of top managers report responsibilities beyond emergency management … This leaves only about one-quarter of top administrators who spend all of their time on emergency management and administration.
How prepared are counties?
While most respondents (70 percent or more) believe that the police/sheriff and fire departments are prepared to a great or very great extent, most believe that other organizations are less prepared. Respondents felt that only about 59 percent of health care organizations, 42 percent of other agencies, and 48 percent of schools were prepared to a great extent, and their assessment of the preparedness of other government agencies and of faith-based groups was even lower, at 42 and 14 percent, respectively. A strikingly low 13 percent of respondents believe that the general population is prepared to a great or very great extent.
The survey also asks what the county emergency management units are prepared for. While almost of them have plans in place, one area that gets relatively little attention is evacuation.
[Fewer than 60 percent of counties had evacuation plans.] In light of the complications in evacuating New Orleans residents prior to and after Hurricane Katrina in 2005, counties should begin to develop thorough evacuation plans, including routes, alternative routes and modes of transportation, and notification systems.
Also, counties are particularly unprepared regarding the response for those with special needs.
During hurricanes Katrina and Rita in 2005, one of the most glaring weaknesses was the inability to respond quickly to the needs of persons residing in the hospitals and nursing homes located throughout the region, indigent persons, and those without personal transportation. The data in [this survey] suggest that in a similar disaster, many areas would experience the same problems as those experienced along the Gulf Coast. Only 59 percent of the counties report that they have arrangements in place for sheltering those with special needs, and not even half include plans for managing prison populations and serving the non-English-speaking community. Less than one-quarter of counties nationwide have specific plans for meeting the needs of minorities, indigent persons, and the homeless. Plans for managing sex offenders are in place in only about 5 percent of counties.
The issue of people with special needs was strongly brought to the fore after Katrina, with some good news coverage. First responders may find helpful this set of tips for responding to those with disabilities, created by the Center for Development and Disability at the University of New Mexico.

FBI Arrests Mall-Bombing Suspect

Just a news byte:

An informant's tip led the FBI to arrest a suspect who allegedly intended to set off hand grenades in a Rockford, Illinois shopping mall.

The Chicago Sun-Times reported that he was a Muslim convert who had aspirations of being a jihadist. The informant was a friend who tipped off the FBI.

Update Dec. 11, 2006: As CBS reported, it's clear that they arrested this suspect, Derrick Shareef, well before he could do any serious damage. He was acting alone, with scarce finances. In short, he didn't yet have the means of carrying out an attack, though he apparently had the desire:

As depicted by [U.S. Attorney for Northern Illinois Patrick] Fitzgerald, Shareef was predisposed to violence but devoid of cash; a dangerous man who freely chatted about bombing a county courthouse, a city hall, a federal building, and then the mall.

"He did not have the money to buy the grenades. He was gonna hock and barter two stereo speakers to the undercover to buy the grenades," Fitzgerald said, proof Shareef was not directed or financed from overseas.

So Shareef fits a pattern of indicted "wanna be" terrorists with big ideas but no apparent means or backing from our real enemies.
The FBI has been paying special attention to those inspired by al-Qaeda, like the London subway bombers:
The FBI's Special Agent in Charge of its Chicago field office, Robert Grant, standing next to Fitzgerald on Friday, explained the nation's shift from investigating al-Qaeda to al Qaeda–inspired plotters.

"We've been focused for about two years on those types of domestic cells that could develop or individuals," Grant said.

Wednesday, December 06, 2006

Communication, Communication, Communication

Disaster communication is in the news.

The CDC has released an online guide for disaster communications in the early hours after a major incident involving biological or chemical agents, radiation, or suicide bombings:

The guide provides message templates for local leaders to communicate with the public:

The messages were written to be used by federal public health officials and to be adapted for the use of state and local public health officials during a terrorist attack or suspected attack. Use these messages as follows:

  • To communicate with the public during a terrorist attack or a suspected attack
  • To adapt for a specific event (These messages were written for fictitious situations, so assumptions were made about an event.)
  • To provide information during the first hours of an event
  • To save precious moments during the initial response time and to buy the time necessary for public health leaders to develop more specific messages

My only complaint about the guide is that it isn't organized in a very user-friendly fashion. You have to click around a bit to find what you're looking for.

In other news, Government Technology reported on Washington D.C. mayor Anthony Williams' efforts to increase subscriptions for the city's text-message alert system, which would send them information and updates in the event of an emergency. (San Francisco recently created a similar system.)
In order to make the process easier, individuals can now sign up by simply texting 32362 (D-C-E-M-A) from any cellular device.

"This new rapid enrollment feature means people who want to register for the system don't need access to the Internet or e-mail to sign up for alerts," said Williams. "Signing up for emergency alerts is as easy as using a cell phone -- and it can really pay off when there is any kind of emergency in your neighborhood."

DC Text Alert allows citizens to receive emergency messages about an event on any text-capable device -- cell phone, computer -mail, pagers, and PDAs. ... Currently, 23,000 individuals have registered for the system, which was inaugurated in June 2004.
On another subject, the National Emergency Management Agency (NEMA) released its biennial report (available for purchase only) . In a press release, NEMA summarized some of the survey's main findings:
Unfortunately, these growing [state] responsibilities that are mandated by the federal government are not supported by adequate funding.

There are positive findings as well. An overwhelming majority of states – 46 – are making use of established standards to assess capabilities and address shortfalls in their state emergency management programs. ... Standards would result in a more comprehensive emergency management program at the local level, which would mean greater capability when a disaster occurs.

The Biennial Report shows that the mutual aid system in the U.S. continues to strengthen. The Emergency Management Assistance Compact (EMAC), a national mutual aid agreement that allows support across state lines when a disaster occurs, played a key role in the Hurricanes Katrina and Rita response. By spring 2006, the compact had deployed nearly 66,000 people from 48 states, at a cost of more than $830 million.

Thirty-five states now have established similar structures within their own borders. These intrastate agreements allow jurisdictions to help one another while having provisions in place to address reimbursement, liability and workers compensation issues. Thirty-six states also have a regional mutual aid mechanism in place. This bodes well for faster, stronger and more efficient disaster response and recovery.
Government Computer News reported that the full NEMA survey estimated that the full cost of statewide systems for communication interoperability will be about $7 billion:

The National Governor's Association also tackled the issue of interoperability, in its recent issue brief: "Strategies for States to Achieve Public Safety Wireless Interoperability." The short report is worth reading, if only for the best practices that it found among the states for promoting interoperable communications (an example of the federal system at work). But generally, the NGA found that there is a lot of important work to do:
The lack of interoperable communications continues to be a serious, pressing public safety problem that severely undermines the ability of first responders to operate effectively during an mergency situation.

Five key issues underlie the current status of interoperability among public safety agencies in this country:
  • incompatible and aging communications equipment;
  • limited and fragmented funding;
  • limited and fragmented planning;
  • a lack of coordination and cooperation; and
  • inadequate and fragmented radio spectrum.
But here's one good thing: The NGA emphasizes that local agencies should be closely involved in any state effort to promote interoperability:
Providing local representation on the governance body and in interoperability planning is a critical. The state governance board that oversees the development of public safety wireless communications should include local public safety agency requirements for emergency communications. Local officials should be included in planning and decision making early.
Generally, anything that improves communication, either among first responders or between first responders and the public, can only be a good thing. Communication problems were significant in the aftermath of Katrina and 9/11. It's a problem that has lingered too long.

Tuesday, December 05, 2006

GAO: Critical Infrastructure Protection Progress Status

The GAO recently released a review of the nation's critical infrastructure protection plans. The plans are generally not as comprehensive as they really ought to be at this point.

One of the big problems is that the National Infrastructure Protection Plan (NIPP) was released 18 months late, in June 2006.

The NIPP is a base plan that is to serve as a road map for how DHS and other relevant stakeholders should use risk management principles to prioritize protection activities within and across sectors in an integrated, coordinated fashion. The NIPP also requires the individual sector-specific agencies to submit plans to DHS by the end of December 2006 detailing the application of the national plan’s core elements to each of their respective sectors.
With only 6 months to work with the NIPP, a number of infrastructure sectors have not been able to develop their plans at a high level of detail or specificity. The GAO found that all of the sectors are working on it, but their work varies widely. The NIPP relies on a collaborative model in which sector councils and government councils guide the sharing of information and development of plans to manage sector risks, but at this time, not all councils are created equal:
Each of the infrastructure sectors has established government councils, and voluntary sector councils have been formed in response to the recommended NIPP partnership model for all sectors except transportation systems. The characteristics and levels of maturity vary significantly across the sectors.
In general, the GAO found that the sectors in which there is a long history of regulation and sharing information have done by far the best job of organizing themselves and developing plans.
The more mature councils, including banking and finance and telecommunications, were able to focus on strategic activities, such as developing plans on how to resume operations as soon as possible after a disaster. In contrast, the newer councils—including public health and healthcare and commercial facilities—were still focusing on identifying key stakeholders and members, developing charters, and getting organized.

Representatives from 13 government and 10 sector councils agreed that having prior relationships—either formally between the federal government and the private sector based on regulatory requirements, or informally within and across industries—facilitated sector-specific plan development.
Some councils have struggled with sharing information, mostly due to distrust:
Representatives with six government and five sector councils noted that the private sector continues to be hesitant to provide sensitive information regarding vulnerabilities to the government as well as with other sector members due to concerns that, among other things, it might be publicly disclosed.

This report, as well as our past work, demonstrates that many private sector partners do not trust the government enough yet to share information on their security vulnerabilities.
DHS has set up an advisory council to deal with the sectors' hesitance in sharing information, but it's not yet clear if the new council is working:
To address this concern about public disclosure of sensitive information and to enhance information sharing, in March 2006 DHS created the Critical Infrastructure Partnership Advisory Council—open to members of all councils—that is exempt from the Federal Advisory Committee Act, but it is too soon to determine if this council has promoted more sharing.
Trust is significant, as has been widely documented. The GAO correctly focuses on personal relationships:
We reported that trust was critical to overcome members’ reluctance to disclose their weaknesses, vulnerabilities, and other confidential or proprietary business information, but that trust had to be built over time and through personal relationships.
For local first responders, these principles apply as well. Recognizing the threat to critical infrastructure is something that may take time, but it is effort well spent if the result is better preparedness and response.

CSIS Survey on Bioterrorism

The Center for Strategic and International Studies (CSIS) recently released the results of a survey that addressed the threat of bioterrorism. In October and November 2006, CSIS polled 52 senior U.S. government officials and legislators, former senior officials, and nongovernmental experts, asking them to evaluate the threat of bioterrorism, the effectiveness of U.S. bioweapons nonproliferation efforts, and proposed policy options for reducing the threat.

For the most part, the survey reinforces some commonly held observations about the bioterror threat.

The survey found that risk of a mass-casualty bioterrorism incident is currently considered to be relatively low, but growing. Although terrorists are increasingly inclined toward mass-casualty incidents, two major obstacles stand in the way: 1) The difficulty of obtaining and weaponizing biological agents that are capable of creating mass casualties; and 2) The difficulty of disseminating them so that large numbers of people are affected.

A more likely scenario is that of a "lone wolf" or a smaller-scale terrorist incident:

Those survey viewed occasional small-scale attacks designed to make the public lose confidence in the ability of government to handle such events as the most likely scenario.
The most catastrophic attacks were seen as the least likely:
Ranking dead last [in likelihood] among the scenarios presented was the development of novel biological agents that are more lethal, more transmissible, and/or able to defeat existing medical treatments.
Still, the threat is seen as substantial and growing:
A combined fifty-two percent of the survey participants saw the biological weapons threat as greater than or equal to the threat of nuclear weapons ... When measured against chemical weapons, the survey results were quite pronounced, with seventy-four percent seeing biological weapons as the greater threat.

At some point, perhaps taking advantage of advanced technologies, terrorists may be able to overcome routinely the technical obstacles to a mass casualty biological attack. At that juncture, the number of injuries and deaths from bioterrorist attacks, which are negligible in comparison to the huge casualties accumulating from suicide bombings, could skyrocket.

Over half of the survey participants, fifty-eight percent, were of the opinion that the biological weapons threat is increasing somewhat, while twenty-five percent of those polled said that the threat was increasing significantly.

The survey participants shifted toward a higher likelihood of a major biological attack for the ten-year timeframe, with one respondent forecasting that a mass casualty bioweapons was certain to occur. The bulk of opinion, fifty-four percent, was that a major attack was somewhat likely [within the next 10 years]. Twenty-seven percent of those surveyed viewed an attack as very likely. A nongovernmental expert thought that it “may take years before there is a successful attack, but that one successful attack will likely lead to several.”
For local first responders, the risk of bioterrorism is worth spending some time and effort on, especially in light of RAND's recent findings that coordination could be improved between first responders and public health officials on the state and local levels (also see my blog entry from yesterday). Questions include:
  • What collaborative efforts can be made?
  • What information can be shared?
  • What joint preparations and/or training can be completed?
It is also important to note that most preparatory activities for a bioterrorism attack would also be applicable in the case of a naturally occurring pandemic.

Monday, December 04, 2006

The State of State and Local Preparedness: RAND Survey

RAND recently released a report titled, "Combating Terrorism: How Prepared Are State and Local Response Organizations?"

The report covers a range of issues confronting state and local response agencies. And although it presents data that are 3 years old, a lot of the issues are still relevant. The report indicates that the researchers were not able to summarize their findings and state whether our preparedness is generally "better" or "worse," but they were able to identify some specific areas of potential improvement in preparedness.

In information-sharing, there is some improvement in the way the FBI and state/local law enforcement are working together, but the guidelines for sharing information are still not consistent or clear:

Threat information appears to be reaching the right organizations, but given the central role law enforcement plays in receiving and sharing threat information, it is of some concern that only half of the U.S. law enforcement agencies in 2003 had received guidance from the Federal Bureau of Investigation (FBI) about what information to collect and pass on. Further, very few law enforcement agencies had applied for security clearances; rather, they relied primarily on the FBI and other sources for threat information.

Current trends suggest that law enforcement also may play an increasingly important role in investigating terrorist-related incidents (Davis et al, 2004). These trends underscore the importance of improving coordination between the FBI and law enforcement.
By contrast, the amount of information-sharing and preparedness activity with the private sector is seriously lagging:
There is limited interaction with the private sector, either in sharing threat information or in participation in joint preparedness activities (e.g., planning, training).
This could be a serious gap, in that most of the nation's critical infrastructure is owned and controlled by private entities.
[V]ery few organizations indicated that they would contact the private sector to share threat information.

Only about one-third of the local and state OEMs and one-fifth of the other organizations said they had formal agreements with private companies, businesses, or labor unions to share information or resources in the event of an emergency or disaster.
Not sharing information with the private sector is not the only problem. There has also been a general lack of preparation activities with the private sector:
Utilities (e.g., water, power companies) and transportation organizations (public and private) are important components of the U.S. critical infrastructure. Only about 20 percent of law enforcement agencies and paid/combination fire departments had participated in joint preparedness activities for terrorism response with these entities following 9/11, and only about one-half of state offices of emergency management (OEMs) and one-third of local OEMs had done so.
Another serious area of concern is the coordination of public health officials with other first responders. This could become a serious issue in the case of a major bioterrorism, chemical terrorism, or pandemic incident.
During a public health emergency or a bioterrorist attack, law enforcement and other emergency response organizations might be called on to enforce quarantines, manage crowds, or participate in joint investigations with public health officials. Many have expressed concern about the lack of integration between the public health and medical communities and other local emergency responders to address preparedness for bioterrorism or other acts of domestic terrorism (Hamburg, 2001).

We found that following 9/11, only one-quarter of law enforcement agencies and one-third of paid/combination fire departments had participated in joint preparedness activities with local public health agencies.
One special area of concern was the preparedness of volunteer fire departments, who receive less preparedness training than their colleagues in paid/combination fire departments:
[V]olunteer fire departments reported lower levels of involvement in terrorism-specific preparedness activities. However, given that the majority of fire departments in the United States are volunteer rather than paid/combination departments, their limited participation in joint preparedness activities and training should raise some concerns; this suggests that attention will need to be given to finding ways to ensure increased participation in the future.
Also, while many local responders have participated in training exercises with their local counterparts, fewer have done so with state or federal agencies. In the aftermath of Hurricane Katrina, this seems like a potentially dangerous oversight:
We asked survey respondents whether their organizations had participated in joint preparedness activities for terrorism response since 9/11 and, if so, with whom. Many local organizations had participated in such activities with other response organizations within their locality; fewer had participated with state or federal agencies.
Coordination with the National Guard and military is also an area of concern for many local agencies.
Although expectations of the military were high, only one-quarter of local organizations (with the exception of paid/combination fire departments) had conducted joint preparedness activities for terrorism response with their state’s National Guard or the federal military (e.g., local bases) following 9/11, whereas most state organizations had done so.
And although the researchers themselves were not able to make a general judgment on the nation's preparedness, the study subjects did give themselves a grade:
In general, only a little more than half of the local organizations and local public health agencies rated their overall preparedness to respond to their top-ranked incident type as being somewhat adequate or better ...
So, to summarize: Collaborate. Share Information with a wide network of local stakeholders. Identify threats. Prepare for a variety of likely scenarios. Coordinate. Train. Evaluate your preparations. Repeat.