Wednesday, October 31, 2007

Gaps in Healthcare Preparedness

This has really been a week for examining public health and disaster medicine.

In that vein, PricewaterhouseCoopers Health Research Institute (HRI) released a study of the disaster preparedness of the healthcare system. Their report focuses on “the seams” in the state of preparedness and provides recommendations. There aren't a lot of surprises here. The gaps that exist have also been reported elsewhere. This study collects them nicely, though. HRI concluded:

We found that facility and staff resources are limited, public health and private medical sector plans are inadequately coordinated, communications and tracking systems are incompatible, and funding is not sufficient to support development of a sustainable infrastructure for an effective response.
The most stubborn of these problems may be a lack of surge capacity:
There is no federal or state requirement for communities to maintain a certain level of hospital capacity for disasters, and most health system resources are owned and operated by private organizations that are pressured to improve their operational efficiency and financial bottom line.

Funding benchmarks and reporting requirements are modified each year, causing recipients to shift rather than sustain focus. “The current funding forces the funds to be utilized on gidgets and gadgets because you need to liquidize the funds rather than hire and develop infrastructure for the long term,” said Jimmy Guidry, M.D., Louisiana’s state health officer.

Experts have estimated that hospitals could free up to 25% of their beds for emergency use during a disaster, but many are skeptical of how quickly and safely that could take place. ... HRI’s survey found that over 40% of health professionals lacked confidence in their ability to transfer patients to non-health facilities, and 25% lacked confidence in their ability to transfer patients to other health-related facilities.
Another potentially significant problem is a lack of staff. Staff levels are already low, and they are likely to suffer further in the event of a health emergency, as some healthcare workers may also be affected:
Availability of staff during a disaster is another major challenge. “Personnel are a major limiting factor and a critical need,” said Sally Phillips of AHRQ. The average hospital has an 8.5% vacancy rate among its nurses, and many have shortages in the physician specialists needed in an emergency.

The situation is not expected to improve. The federal government is predicting that by 2020, nurse and physician retirements will contribute to a shortage of approximately 24,000 doctors and nearly 1 million nurses.
And even if staff is available, training and other preparation may be insufficient:
Primary care physicians were substantially less knowledgeable than other health professionals surveyed regarding what to do in natural or manmade disasters. Fewer than 20% of primary care physicians said they were “well prepared” about what to do in a disaster, which was substantially less than other health professionals.

Coletta Barrett, head of hospital operations at the Louisiana Emergency Operations Center during Hurricane Katrina, explained that hospitals typically are underprepared. “At Charity Hospital, we knew we needed enough food and water to support the facility for three days. We didn’t take into consideration any of the staff that would remain in-house, or family members of patients or staff that would come and shelter in place.” Due to the effects of the disaster on the surrounding community, families of the injured and of hospital staff are likely to be present in the hospital, in addition to casualties.
HRI provides some recommendations. I'll focus not on the specifics, but on the general strategy:
Health and medical systems should adopt a systems-oriented approach and infrastructure for disaster response.

During a disaster, medical priorities must shift from focusing on individual patient-based outcomes to population-based outcomes.

Alternate care sites should be considered to alleviate the patient demand at hospitals and increase healthcare surge capacity within a community. Potential sites may include: shuttered hospitals, mobile medical facilities, ambulatory care centers, dormitories, and large public buildings.
One of the keys to planning - whether it involves solving the problem of capacity, pharmaceuticals, staff preparedness, or communication - is to collaborate on solutions. Healthcare facilities compete in the marketplace, but in the event of a major disaster, they will be called on to share the load. A coordinated response will be more effective.

Given the wide range of needs that must be met during a healthcare emergency, advance planning that involves a wide set of stakeholders is essential.
The health system was not designed to address the complexity of disaster response, which often requires a public-sector response and coordination across multiple organizations and regions.

Communities should actively engage a wider range of stakeholders who have not traditionally been at the planning table, particularly primary care physicians, community clinics, and nursing homes.

Collaboration provides an opportunity for healthcare organizations to share resources, learn from one another, leverage best practices, and combine forces to achieve together what they each could not do alone. Disaster responders should work locally and regionally to organize resources, share expertise, and formalize mutual aid agreements.
But this doesn't happen automatically, just because there is a need:
Respondents to HRI’s survey indicated that coordination remains a concern. In particular, health professionals questioned the ability of their organizations to coordinate with physicians in private practice, federal agencies, clinics, and nursing homes.
Still, there have been some model programs for regional planning:
Collaboratives in New York, California, and Northern Virginia provide a template on the importance of regional planning. For example, the Greater New York Hospital Association created the Emergency Preparedness Coordinating Council, which includes hospitals as well as local, state, and federal public health and emergency management organizations.

California created the California Office of Emergency Services, which divided the state into six mutual aid regions. If requests for aid overwhelm a region, the state coordinates with other unaffected regions for resources. Local authorities have a span of control over local personnel and supplies, while the state can provide support from a larger pool of resources, if necessary. At the local, county, and state levels, medical health operation area coordinators communicate medical needs, collect and provide consistent information, and relay mutual aid requests.
Collaborative efforts play into our strength as a society. We are remarkably capable when we combine our various strengths to achieve a common goal. We can anticipate the kinds of health emergencies we may face in the future. We will succeed in responding to them only if we plan ahead and bring together all the resources available to us.


Disaster Preparedness Training for Healthcare Workers?

Bob Baylor of Cincinnati State Technical and Community College has started a nice blog, Losantiville, with homeland security as one of its emphases. (Welcome to the blogosphere, Bob!)

Today he argues, persuasively to my mind, that healthcare workers should receive basic training in the National Incident Management System (NIMS) and Incident Command System (ICS), as they may have to interact with these response structures in the event of a major disaster:

Healthcare workers, as opposed to first-responders, often do not receive training in ICS or NIMS. Many would be at a loss if suddenly assigned to a medical strike team or may even wonder why their skills would be needed.
Bob advocates a minimum of training, to establish familiarity with the organizational constructs involved:
The healthcare worker who has had some initial training in ICS or NIMS is able to immediately function in a multi-agency response involving not only other healthcare providers but other responders as well. ... The training need not be overly arduous, the majority of those working towards a degree in healthcare already have full course loads. The intent here is to encourage all healthcare workers to obtain at least a basic familiarization with ICS or NIMS, not to become subject matter experts.

Healthcare workers that have been trained in the basics of incident management will more quickly grasp their role in a multi-agency response. Those who may have to work from a different location will be able to more quickly identify the equipment and supplies to take with them. The workers who have such preparation and training are able to quickly leave and report to their new work location.
Bob points out that an event such as pandemic flu could cause the conditions necessary for mass re-deployment of healthcare workers, since as much as 40 percent of healthcare workers could be absent due to illness. (I've also got a couple of prior posts on this.)

NIMS is not something you can just walk into and immediately comprehend. It's a system with its own terminology and internal structures. Given DHS' directive that all incident management in the U.S. - at all levels of government - must use NIMS to be eligible for federal disaster preparedness assistance, healthcare workers who are conversant with NIMS and ICS would be able to function in any disaster scenario, regardless of its scale or scope. It does make sense to give them this baseline familiarity.

I recall that many healthcare professionals deployed to New Orleans in the aftermath of Katrina. I haven't done any in-depth research on this aspect of the Katrina response, but no doubt there are some lessons learned from those experiences.

Update 2007-10-31: HHS' Hospital Preparedness Program requires hospitals to implement NIMS Compliance Activities for Hospitals. This includes implementing NIMS for the hospital and requiring designated staff members to complete four training courses on NIMS and the National Response Plan (NRP).


Preparedness and the Legal System

Just a short note on a brief paper by the American Bar Association, "Rule of Law in Times of Major Disaster," which lays out a set of principles to guide the preparation and response of the judicial system for a major disaster.

There are no real surprises here, but the ABA's principles may be useful as a kind of checklist for planning. I'll just focus on a few of the 12 principles that ABA provides:

  • The rule of law must be preserved when a major disaster occurs.
  • The preservation of the rule of law requires proactive planning, preparation and training before a major disaster strikes.
  • All those involved in the justice system must work collaboratively to assure the ongoing integrity of the system in times of major disaster.
  • Federal, state, territorial, tribal and local governments should work with each other and with the private sector to plan, prepare and train for a major disaster. Such efforts should focus on means to preserve order, protect vulnerable populations, insure adequate communications and assure continuity of operations of business and government.
  • State, local and territorial Bars should educate their members to plan, prepare and train for a major disaster, including information enabling attorneys to assure the continuity of their operations following a disaster, while maintaining the confidentiality and security of their clients’ paper and electronic files and records.
There's a list of specific steps under Principle 10 that is particularly helpful (if a bit obvious), including:
  • Disaster risk assessment and planning should be integrated into government and private infrastructure and land use decisions.
  • Environmental assessments should include consideration of disaster scenarios and discuss mitigation measures.
  • Standing government procedures should be in place to assess prevention and response to all major disasters, rather than relying on ad hoc mechanisms.
  • Special attention should be given to the needs of vulnerable populations in planning disaster responses. Characteristics requiring special consideration include poverty, age (including both the elderly and children) and disability.
  • Legislation should insure that deadlines, whether found in state or federal rules or statutes or in private contracts such as insurance, can be modified or tolled in the event of a major disaster.
  • States should review regulatory statutes to insure that they contain appropriate waiver provisions for conditions resulting from a major disaster.
Again, no real surprises. But repetition is an important part of making a message stick.


Tuesday, October 30, 2007

Radiological Exposure Testing: A Wide Gap

Just a few days after the publication of HSPD 21: Public Health and Medical Preparedness and the TOPOFF IV exercise, which focused on a radiological disaster scenario, the House Subcommittee on Investigations and Oversight - House Science and Technology Committee has released a brief report that should raise the eyebrows of anyone involved in disaster preparation at any level.

The report analyzes the ability of U.S. laboratories to test for radiological contamination among the population of those potentially affected by a radiological event. We have to point out that a "dirty bomb" is one of the more likely "mass effect" attacks. It is perhaps the least technologically sophisticated of these attacks, requiring a radioactive source and a conventional explosive (or another mechanism for releasing radioactivity). And the materials are out there. Earlier this year, the Canadian Security Intelligence Service rated a dirty bomb attack as the most likely WMD attack. (See this post.)

Let's also recall that the Redefining Readiness Workgroup has found that, in the event of a "dirty bomb" attack, only about 59% of citizens would shelter in place (unless they were at home). This would make them more likely to become exposed to radioactive materials.

So reality suggests that such an attack is likely and that many people may be at risk of contamination. We should be prepared. Are we?

The Subcommittee found that in some key respects we are not. Most notably, the laboratory infrastructure for testing radiation is insufficient, despite the requirement found in the National Planning Scenarios:

One of the key assumptions in National Planning Scenario #11 is that all potentially exposed individuals (an estimated 100,000 people, including 20,000 victims with detectible contamination) will be tested for radiological exposure and/or contamination and that a valid method exists for testing these clinical specimens.

Yet, today validated methods to test clinical specimens in a radiological emergency exist for only six of the 13 highest priority radioisotopes most likely to be used in a terrorist scenario. For those isotopes for which “validated” methods do exist screening 100,000 individual clinical specimens in the wake of a radiological attack could take more than four years to complete due to the current shortfall in radiochemistry laboratories, personnel and equipment. Environmental sampling could take as long as six years to complete given the current capacity and capabilities of the U.S. radiochemistry laboratory infrastructure.
Picture the crisis of confidence that could result from this scenario: A dirty bomb explodes. Tens of thousands of people downwind fear or suspect they've been exposed to radiation. (It's worth remembering that in the immediate aftermath, it will not be clear whether the bomb was dirty. You can't tell the difference between an IED and a dirty bomb just by looking.) They sensibly want to get tested for exposure. And public officials have to tell them to wait in line - for months or perhaps years before the test can be run.

People will be likely to demand testing, and the only way to do it is with lab testing:
[Laboratory analysis] will be necessary for the thousands of “exposed” individuals to determine whether they suffer from internal contamination and to identify appropriate medical treatment. Clinical analysis may also be demanded by those medically unaffected, but fearful of contamination nonetheless.
As the subcommittee puts it:
[I]n any real world event the critical lack of a sufficient laboratory capacity will delay appropriate public health care actions and plans, increase public panic, degrade public trust in government officials and increase the economic losses due to delays in assessment and cleanup.

While the human health consequences from an RDD attack are likely to be small, the public outcry for detailed clinical health assessments confirming their lack of radiological contamination is likely to be tremendous. The need to provide these individuals – expected to number in the tens of thousands – with a clean bill of health will help to reassure them psychologically and emotionally that they have not suffered harm and will enhance their trust in the government’s ability to effectively recover from the incident.
So how have we gotten into this mess? The main problem is systemic:
[T]he only current method for determining internal contamination is through laborious laboratory analysis, often involving a 24-hour urine collection, days to process the results and still more time to interpret them accurately.
I should note, however, that researchers are working to speed the testing process, as noted in this post.

But at present the long, hard way is the only way. The CDC is supposed to do the testing, but it has insufficient capacity:
National Preparedness Guidelines released last month by the Department of Homeland Security call for the nation’s public health laboratory infrastructure to be able to rapidly detect and accurately identify chemical, radiological and biological agents and “produce timely and accurate data to support ongoing public health investigations and the implementation of appropriate preventative or curative countermeasures.”

The Centers for Disease Control and Prevention (CDC) is tasked with monitoring, assessing and coordinating follow up medical monitoring on people’s health as a result of exposure to or contamination with radiological materials in a national emergency.

The CDC, for instance, currently has no capacity to analyze seven of thirteen of the most likely radioisotopes that would be present in a radiological or nuclear incident, according to information provided to the Subcommittee. For some of the most likely “dirty bomb” or RDD scenarios the CDC is currently capable of processing only 65 human samples per day. At that rate it would take more than four years to process 100,000 clinical samples as called for in National Planning Scenario #11.
Other problems could plague the response to a radiological incident as well. For instance, environmental testing could be just as cumbersome, if not more so:
The U.S. ability to evaluate potential radiological contamination on the environmental side also lacks the resources to effectively respond to a radiological emergency. White House National Planning Scenario #11 demands that the EPA be capable of analyzing more than 350,000 environmental samples in the 12 month period following a radiological attack.

Depending on the radioisotope used in the attack, however, it would take two to six years to complete that task given the current available laboratory facilities today, according to a March 2007 draft EPA report.
And roles have not been fully defined:
A recent interagency (draft) report on responding to a radiological attack found that the specific roles and responsibilities of federal agencies tasked with responding to a radiological event have not been clearly defined in the National Nuclear/Radiological Incident Annex, upon which these agencies rely.
Which is kind of a big deal, as there are many agencies that can play a part in such a response. See this article in Nuclear News from Sept. 2006.

For local disaster planners, information like this provides an opportunity for improving preparations. Let's say that these systemic problems persist for the foreseeable future. This is likely, given that you can't just spin up one of these laboratories at a moment's notice. What can a local disaster planner do? A few ideas:

Educate. Citizens who are prepared to shelter in place are less likely to become contaminated. Also, if they understand the health risks involved with a dirty bomb attack, they are likely not to panic and may be less likely to succumb to the "worried well" phenomenon. Depending on the amount of radioactive material and the effectiveness of its dispersal, it is possible that the health effects may be limited to a relatively small area. The better informed citizens are, the better they will be able to respond in the immediate aftermath.

Communicate. Ensure that communications plans are in effect for a radiological disaster. This is a different risk than most. Through experience, most people have a reasonable understanding of natural disasters. They can rationalize accidents. But radiation - unseen, unfelt - is something that scares people. They don't know what to do.

Decontaminate. Set up decontamination stations - as large as possible - so that those who suspect that they might be contaminated can take action and get cleaned up. In the aftermath of a major incident, it is important for people to be able to take positive action and improve their situation.


Monday, October 29, 2007

Notes on HSPD 21: Public Health and Medical Preparedness

Last week the White House released the new Homeland Security Presidential Directive (HSPD) 21: Public Health and Medical Preparedness.

In terms of national preparedness, this is an extremely important HSPD. Many potential catastrophes, both natural and man-made, are capable of creating major public health emergencies. You just have to imagine the health impacts of a pandemic illness, bioterrorism incident (or other WMD attack), major earthquake, or west coast tsunami to see how quickly existing resources could be overwhelmed.

Our healthcare system has been built with efficiency in mind. If you're running a hospital, unfilled beds and unadministered medications cost you money, so you don't build a lot of excess capacity into the system.

But of course, as HSPD 21 notes, excess capacity is exactly what's needed during a major healthcare catastrophe. This is a significant shortcoming of our current preparedness regime. HSPD 21 does some sensible things to address the problem, but there are a couple of areas where I'm skeptical.

First things first. The directive is based on sensible principles:

This Strategy draws key principles from the National Strategy for Homeland Security (October 2007), the National Strategy to Combat Weapons of Mass Destruction (December 2002), and Biodefense for the 21st Century (April 2004) that can be generally applied to public health and medical preparedness. Those key principles are the following:

(1) preparedness for all potential catastrophic health events;
(2) vertical and horizontal coordination across levels of government, jurisdictions, and disciplines;
(3) a regional approach to health preparedness;
(4) engagement of the private sector, academia, and other nongovernmental entities in preparedness and response efforts; and
(5) the important roles of individuals, families, and communities.
It is very nice to see an acknowledgment of both the nature and severity of the problem:
The assumption that conventional public health and medical systems can function effectively in catastrophic health events has, however, proved to be incorrect in real-world situations. Therefore, it is necessary to transform the national approach to health care in the context of a catastrophic health event ...
To deal with the problem, HSPD 21 suggests the creation of an entirely new discipline:
Ultimately, the Nation must collectively support and facilitate the establishment of a discipline of disaster health.
Interesting...

On a more strategic level, HSPD 21 emphasizes 4 elements of public health:
Currently, the four most critical components of public health and medical preparedness are biosurveillance, countermeasure distribution, mass casualty care, and community resilience.
And sets goals for each of these 4 elements:
Biosurveillance: The United States must develop a nationwide, robust, and integrated biosurveillance capability, with connections to international disease surveillance systems, in order to provide early warning and ongoing characterization of disease outbreaks in near real-time. ... A central element of biosurveillance must be an epidemiologic surveillance system to monitor human disease activity across populations. ... State and local government health officials, public and private sector health care institutions, and practicing clinicians must be involved in system design, and the overall system must be constructed with the principal objective of establishing or enhancing the capabilities of State and local government entities.

Countermeasure Stockpiling and Distribution: In the context of a catastrophic health event, rapid distribution of medical countermeasures (vaccines, drugs, and therapeutics) to a large population requires significant resources within individual communities. Few if any cities are presently able to meet the objective of dispensing countermeasures to their entire population within 48 hours after the decision to do so. Recognizing that State and local government authorities have the primary responsibility to protect their citizens, the Federal Government will create the appropriate framework and policies for sharing information on best practices and mechanisms to address the logistical challenges associated with this requirement.

Mass Casualty Care: The structure and operating principles of our day-to-day public health and medical systems cannot meet the needs created by a catastrophic health event. Collectively, our Nation must develop a disaster medical capability that can immediately re-orient and coordinate existing resources within all sectors to satisfy the needs of the population during a catastrophic health event.

Community Resilience: The above components address the supply side of the preparedness function, ultimately providing enhanced services to our citizens. The demand side is of equal importance. Where local civic leaders, citizens, and families are educated regarding threats and are empowered to mitigate their own risk, where they are practiced in responding to events, where they have social networks to fall back upon, and where they have familiarity with local public health and medical systems, there will be community resilience that will significantly attenuate the requirement for additional assistance.
None of these are easy fish to fry, but some are a bit more straightforward than others. The Department of Health and Human Services is in charge of implementation (though it's not clear from this document whether they would be in charge of response - or if DHS would).

The specific plans regarding Biosurveillance indicate that:
The Secretary of Health and Human Services shall establish an operational national epidemiologic surveillance system for human health, with international connectivity where appropriate, that is predicated on State, regional, and community-level capabilities and creates a networked system to allow for two-way information flow between and among Federal, State, and local government public health authorities and clinical health care providers.
Comparatively speaking, biosurveillance is one of the more straightforward elements of the plan. It has the virtue of primarily involving health professionals, and it involves a defined set of threats. It should be simpler to develop this type of information-sharing system, as opposed to an all-hazards system such as the Homeland Security Information Network, which has been fraught with complications.

The problems get a little thornier at the next stage in the plan, Countermeasure Stockpiling and Distribution. The plan lays out a fairly ambitious logistical objective, especially considering the potential transportation obstacles that might accompany some types of disasters:
[T]he Secretary of Health and Human Services, in coordination with the Secretary of Homeland Security, shall develop templates, using a variety of tools and including private sector resources when necessary, that provide minimum operational plans to enable communities to distribute and dispense countermeasures to their populations within 48 hours after a decision to do so.

The Secretary shall also assist State, local government, and regional entities in tailoring templates to fit differing geographic sizes, population densities, and demographics, and other unique or specific local needs.
Of course, moving medicine is relatively easy. Moving people, and then finding suitable space for their treatment, is harder. The next component of the plan, Mass Casualty Care, addresses this issue:
Within 180 days after the date of this directive, the Secretary of Health and Human Services, in coordination with the Secretaries of Defense, Veterans Affairs, and Homeland Security, shall:

(a) build upon the analysis of Federal facility use to provide enhanced medical surge capacity in disasters required by section 302 of PAHPA to analyze the use of Federal medical facilities as a foundational element of public health and medical preparedness; and

(b) develop and implement plans and enter into agreements to integrate such facilities more effectively into national and regional education, training, and exercise preparedness activities.

Here's where I start becoming skeptical. The call here is to use federal facilities for excess capacity. That's sensible, of course, but it begs the question: "Just how much excess capacity might we need, and are these federal facilities capable of providing it?" The question is unanswered but vital.

One way the plan intends to limit the need for bedspace is by (sensibly) anticipating and attempting to mitigate the problem of the "worried well."
The impact of the “worried well” in past disasters is well documented, and it is evident that mitigating the mental health consequences of disasters can facilitate effective response. ... [T]he Secretary of Health and Human Services, in coordination with the Secretaries of Defense, Veterans Affairs, and Homeland Security, shall establish a Federal Advisory Committee for Disaster Mental Health. The committee shall ... submit to the Secretary of Health and Human Services recommendations for protecting, preserving, and restoring individual and community mental health in catastrophic health event settings, including pre-event, intra-event, and post-event education, messaging, and interventions.
That's good. But what if actual healthcare needs exceed current capacity?

When it comes to Community Resilience - creating a well-prepared public that is ready for a major health catastrophe - the strategy devolves into wishful thinking. To some extent this is understandable, as preparing the public for disaster - any disaster - is always a struggle. Here's the entire plan:
The Secretary of Health and Human Services, in coordination with the Secretaries of Defense, Veterans Affairs, and Homeland Security, shall ensure that core public health and medical curricula and training developed pursuant to PAHPA address the needs to improve individual, family, and institutional public health and medical preparedness, enhance private citizen opportunities for contributions to local, regional, and national preparedness and response, and build resilient communities.

Within 270 days after the date of this directive, the Secretary of Health and Human Services, in coordination with the Secretaries of Defense, Commerce, Labor, Education, Veterans Affairs, and Homeland Security and the Attorney General, shall submit to the President for approval, through the Assistant to the President for Homeland Security and Counterterrorism, a plan to promote comprehensive community medical preparedness.
That's it? Include more community-focused subject matter in public health curricula and submit "a plan to promote comprehensive community medical preparedness"? This sounds like the classic case of the boss having a clear idea of the goal, but no clue how to get there - so he tells the subordinates, "You solve this."

Again, I sympathize. It would be easier if we still lived in a 19th-century world, where most health care was administered at home. People would be better prepared to deal with problems themselves. (Though more people would become more ill and more people would die.) But we're not. We live in a world where, when you get really sick, you expect to be able to go to the doctor - or the hospital.

It's a huge job to try to prepare citizens for a major health emergency. Just changing the public health curricula and "developing a plan" doesn't seem like it's going to cut it.

Update 2007-10-31: Over at In Case of Emergency, Jimmy Jazz (who knows more about these things than I) provides his first impressions of HSPD 21. His eyebrows are deeply furrowed:
My first reaction after reading it? It’s completely undo-able. I commend the drive, no doubt, but the timelines are totally pie-in-the-sky.
Jimmy plans to review the document in much greater detail in coming days and weeks, which will be worth keeping an eye on.


Students of Homeland Security

Homeland Security is growing as an academic field, with the usual associated pains:

Homeland security as an academic discipline is gaining recognition, according to a new report by ... John Rollins, a specialist in national security at the Congressional Research Service, and Joseph Rowan, senior technical adviser for intelligence systems and architectures to the Marine Corps’ director of intelligence.

[T]he researchers found that 227 schools offer degree or certificate programs in homeland security, comprising about 1,800 courses.

However, the programs still lack standard coursework or core teaching areas, the researchers concluded.

"At this stage of the homeland security academic maturation process, it appears programs and accompanying courses will provide dissimilar and inconsistent learning opportunities for the foreseeable future," they said.

Student interest in homeland security programs is increasing; collaboration among academic institutions is becoming more frequent; student recruitment and retention numbers in the field are rising; and the first homeland security graduates have recently entered or returned to the workforce, they said.
Nothing surprising here. All academic disciplines undergo a period of uncertainty before they get their feet under them.

Thursday, October 25, 2007

The Local Need for Preparedness

This commentary in Domestic Preparedness provides some nice perspective on the need for local communities to be fully prepared for disasters. The writer is MaryAnn Warren, the County Commissioner of Susquehanna County, Pennsylvania, which suffered extensive damage from a flood in June 2006 after 8-10 inches of rain fell in six days.

This should be required reading for local officials, as it illustrates the pain of not being fully prepared. You've got to understand the process:

The first and one of the most important guidelines to understand is that state and federal disaster resources usually are deployed only when the magnitude of an event exceeds local capabilities – and then only at the request of a local government.
You've got to speak the language:
If local elected officials and their emergency-management staff cannot quantify the damages suffered and/or articulate the community’s needs – using the unique language spoken in the emergency-management arena – a community will suffer.

Susquehanna County learned that lesson the hard way – because state emergency-management officials did not immediately realize the severity of the situation we were trying to report to higher levels of government, it was assumed that we were not as bad off as the counties surrounding us in our part of the state.

It cannot be stressed enough how important it is to communicate through proper channels, using correct terminology, to access help.
And you've got to have your ducks lined up ahead of time, or your response will suffer. You can't just freelance it:
One might think that decisions made and/or actions taken during a disaster are executed swiftly, but that would be wrong. Over and over, residents expressed a desire to jump into creek beds with backhoes to clear debris or dredge channels, all in violation of the environmental laws and regulations of the Commonwealth of Pennsylvania. Although it boggles the minds of flood victims (and of elected officials as well), the fact that a disaster has occurred does not mean that permits or processes are waived or accelerated.
The recovery process will also be a headache:
In 2000, Congress passed a law requiring all of the nation’s various governmental jurisdictions to develop hazard-mitigation plans as a condition of receiving certain disaster-recovery funds. Susquehanna County had no such plan in place at the time of the flood, and therefore had to act very fast to redress this oversight – or risk losing recovery funds for those residents left homeless by the flood. There was no getting around this requirement, and residents were justifiably angry.

Fortunately, as it turned out, FEMA’s programs provide for an administrative allowance that may be used to hire experts to support recovery projects. FEMA also offers other grant programs that can be used to fund the development of mitigation plans. Recognizing the need for an expert fluent in FEMA’s programs, Susquehanna County hired a disaster-recovery specialist, a former FEMA employee, to steer the county through what to most local officials was unfamiliar terrain.

The disaster-recovery specialist, drawing fees mostly from administrative allowances, has cost the county very little out of pocket – and, in addition to preparing the county’s all-hazards mitigation plan, has secured more than $2 million in grants and appeals for the county.

The lesson is obvious: When in doubt, find an expert to navigate the disaster-recovery process.
Most disasters are to some degree predictable. Natural disasters have a history that is knowable. Certain industries involve recognizable hazards (e.g., chemical plants, refineries, nuclear power plants). Potential targets for terrorism can be identified, and likely modes of attack can be inferred from past events.

In short, no community should ever be in the dark about the threats facing it. No community should ever be not ready.

Monday, October 22, 2007

Review: National Strategy for Homeland Security (Revised)

I've had a chance to review the new National Strategy for Homeland Security. In many respects, the document suggests that we will continue the present course. But there are a few surprises at the end.

As a strategic guide, it tends to vacillate between being overly specific and not specific enough. In some sections, such as those dealing with terrorism, it is often more specific than a strategic guide would typically be, in that it identifies specific tactical and operational aspects to the fight against terrorism (e.g., the Real ID Act, the US VISIT program, the Container Security Initiative, Megaports Initiative, and Secure Freight Initiative, etc).

But in other sections, such as those focusing on responding to natural disasters, it is less specific than it could have been. It outlines useful goals and objectives, but it tends to be less clear about how we will achieve them (e.g., "...we must better articulate how roles, responsibilities, and lines of authority for all response stakeholders are fulfilled across all levels of government and among the private and nonprofit sectors so that each understands how it supports the broader national response.").

It's as if, where the sense is that things are perceived to be working well (i.e., we haven't had a terrorist attack in 6+ years), we're being very clear about what we'll continue to do. But in areas where things haven't gone so well (i.e., Katrina), we acknowledge that changes need to be made, but we're less clear about what needs to happen now.

Further muddying things is the new "all-hazards" aspect of the new Strategy (or, rather, the "almost all-hazards" emphasis in the new Strategy). Let's go back to the 2002 Strategy, which we can see was clearly focused on terrorism:

The purpose of the Strategy is to mobilize and organize our Nation to secure the U.S. homeland from terrorist attacks.
Compared to this, the 2007 Strategy seemingly adopts a more all-hazards approach:
Our National Strategy for Homeland Security recognizes that while we must continue to focus on the persistent and evolving terrorist threat, we also must address the full range of potential catastrophic events, including man-made and natural disasters, due to their implications for homeland security.

The purpose of our Strategy is to guide, organize, and unify our Nation’s homeland security efforts.
And yet ... in defining Homeland Security, the new Strategy copies - verbatim - the same terrorism-centric definition found in the 2002 version:
Homeland Security is a concerted national effort to prevent terrorist attacks within the United States, reduce America’s vulnerability to terrorism, and minimize the damage and recover from attacks that do occur.
It's odd, isn't it, that we define Homeland Security only in terms of terrorism, but then develop a homeland security strategy that addresses all hazards?

So we have a Strategy for Homeland Security (i.e., terrorism) that also addresses our vulnerability to natural hazards. Here's how the Strategy explains this:
Indeed, certain non-terrorist events that reach catastrophic levels can have significant implications for homeland security. The resulting national consequences and possible cascading effects from these events might present potential or perceived vulnerabilities that could be exploited, possibly eroding citizens’ confidence in our Nation’s government and ultimately increasing our vulnerability to attack.

This Strategy therefore recognizes that effective preparation for catastrophic natural disasters and man-made disasters, while not homeland security per se, can nevertheless increase the security of the Homeland.
Sooo ... the aspect of homeland security that is affected by natural disasters is that terrorists could take advantage of our increased vulnerability in the wake of a natural disaster to strike us. Do I have that right?

The assumption is that we have to be prepared for natural disasters because al Qaeda might decide to strike us in a moment of opportunity, following a catastrophic disaster. (?)

Question: What's the harm in including natural hazards in the definition of Homeland Security? Why do we have to link natural disasters to "homeland security" in this convoluted fashion?

Doing so seems especially odd, given that DHS is explicit in taking an all-hazards approach; the agency is responsible for preparedness and response for natural disasters. And there's no question at all that a major natural disaster can cause as much destruction - and more - than a catastrophic terrorist attack. If you replayed the three massive New Madrid earthquakes of 1811 and 1812 in today's United States, you would see destruction on a scale we've never seen.

So, why muddy the waters? Why not simply be absolutely clear about whether Homeland Security includes natural and accidental disasters? Why not say that Homeland Security addresses all hazards?

Like I said, it muddies the waters. But on to the review. My intent here is just to quickly review the general outlines of the strategy without much additional analysis.

The first major emphasis of the Strategy is to "Prevent and Disrupt Terrorist Attacks." This involves:
  • A special emphasis on preventing terrorists from acquiring, transporting, and using WMD.
  • Impeding the ability of terrorists to enter the U.S. or to move weapons material into the U.S. This involves both border security and port security.
  • Disrupting the ability of terrorists to function in the U.S. This involves intelligence-gathering and information-sharing to gain "domain awareness" of the (local) environment, so that anomalous behaviors are easier to spot. (There is a special emphasis on Intelligence-Led Policing.) It also involves disrupting terrorist activities such as recruiting, fundraising, training, etc.
The next major emphasis of the Strategy is to "Prevent Violent Extremist Radicalization in the United States." This involves:
  • Engaging key communities - especially the U.S. Muslim community regarding violent jihadism.
  • Identifying the environments where radicalization is most likely (e.g., prisons)
  • Further study into the process of radicalization
Next, the Strategy points to the need to "Protect the American People, Critical Infrastructure, and Key Resources." This involves:
  • Altering terrorists' risk calculus by hardening targets
  • Mitigating the vulnerabilities and enhancing the resilience of critical infrastructure and key resources
  • Ensuring medical preparedness
  • Minimizing the consequences of disasters by ensuring adequate warning
The nation's ability to "Respond and Recover from Incidents" is covered next. This involves:
  • Clarifying roles among various agencies and levels of government in response and recovery
  • Strengthening the response doctrine (e.g., NIMS)
  • Quickly assessing the scale of a disaster
  • More efficiently coordinating the requests for support
  • Conducting immediate, short-term response and recovery actions
  • Effecting a smooth transition from response to recovery
Finally, the last section of the Strategy - and the most important, in my opinion - focuses on the long-term direction that our Homeland Security efforts will take. This is the most strategic part of the document as I see it. It involves:
  • Applying a risk-management framework to all homeland security activities
  • Creating a culture of preparedness
  • Establishing a Homeland Security Management System, which extends the National Preparedness Guidelines and involves four phases: Guidance, Planning, Execution, and Assessment and Evaluation
  • Focusing on incident management, including applying it to prevention activities
  • Applying advances in science and technology to homeland security
  • Leveraging connections among public and private institutions, as well as between government agencies. This includes sharing information.
  • Streamlining the operations of Congress
I think the ideas in this last section are sound, though the Homeland Security Management System has the potential to be a boondoggle. The strongest strategic emphasis, I think, is in leveraging the connections among various homeland security professionals. This is admittedly a bias of mine - I tend to see the best problem-solving systems arising when people build, nurture, and employ interpersonal and societal structures.

Friday, October 12, 2007

Countering Terrorist Networks and Technologies

The revolution in information technology, like all revolutions, can be used for good or evil. Anytime there is a shakeup in the way things work, there is an opportunity to better the world or make it worse.

With that in mind, it's interesting to review the recent RAND report entitled Network Technologies for Networked Terrorists. With RAND's usual thoroughness, the report outlines the potential ways that terrorist organizations can exploit new information technology and provides suggestions for addressing the threat.

There is, of course, good news and bad news:

Global consumer demand for new capabilities or products has fueled an explosion of new or enhanced technologies, many of which terrorists could use to make their operations more efficient or effective. However, technology can be a double-edged sword: As it boosts effectiveness or efficiency, it might also introduce new vulnerabilities.

Although these technologies can aid terrorist organizations by enabling military functions like command and control (see, for example, Whine, 1999), they can also provide capabilities that increase terrorists’ effectiveness in other necessary activities such as raising money or persuading people to join their causes.
One of my interests is in terrorist recruiting, which I perceive as presenting one of the more significant vulnerabilities of any terrorist group. Generally speaking, the conventional wisdom has been that successful terrorist recruiting involves one-on-one "grooming," bringing a potential recruit into the social sphere of the group and eventually cutting off ties with all other social groups. RAND argues, though, that advanced communication technologies can facilitate this process, making it easier to prime the pump and get recruits into the terrorist mindset at a distance and with more limited personal interaction:
Historically, recruiting for terrorist organizations has been a clandestine process. The need for security and secrecy heretofore has necessitated a low profile and often required that it be conducted face to face. ... Face-to-face recruiting limits the number of individuals who can be contacted. Moreover, small-scale recruiting coupled with the need for secrecy generally has meant a longer recruitment process, as the process must take place unobserved by security (often at a single site or in a few locations). Finally, recruitment into terrorist groups has frequently involved a lengthy proving period. In such circumstances, the technology available and the nature of the recruiting activity both worked to keep the cause local and the pool of potential recruits limited.

Today, forms of recruiting enabled by network technology greatly expand the scope, effectiveness, and efficiency of previous recruitment activities. First, recruiting can be done remotely. With recruiting materials on the Internet available from almost anywhere, face-to-face contact is not a necessity. This can facilitate recruiting by making a broad audience aware of a group’s existence and cause. Second, remote recruiting is efficient because a single recruiter can develop many candidates at the same time. Terrorist recruiters may now simultaneously work with audiences in many parts of a single country or in many far-flung countries, expanding the pool of potential recruits.
The idea is that recruiters can use distributed media (e.g., the Internet) for some recruiting purposes, generally early in the recruitment process, and then use other media (e.g., videos, which can be easily copied and shared) in a more personal context:
Recruiting normally involves employing a wide variety of communication methods—videos, pamphlets, Web sites, sermons, friendly news media, personal friends, and other influential people—in a number of locations: private homes, schools, religious sites, paramilitary camps, prisons, and so on. These aspects can be used to define two basic dimensions of recruiting:

Public versus private channel. Is the interaction taking place in or out of the public eye? The prevailing laws of the region, rules of the local institutions, and attitudes toward the group all will greatly affect where recruitment efforts fall on this spectrum.

Proximate versus mediated contact. Is the source of the recruitment effort physically close to the target audience? Cultural, technology, and economic circumstance are some of the variables that influence how the recruiting message can be passed to the intended target audience.

The rapid proliferation of network technology greatly increases the opportunity for interactions in mediated recruitment and for effective interactions in proximate recruiting efforts.
This can present challenges for prevention professionals:
Limiting a terrorist’s ability to recruit new members is already difficult. However, some technological advances might make countering terrorist organization recruiting harder still. Recruiting could be made more effective and efficient by the transfer of all or most of the indoctrination process into a virtual setting (e.g., online, videos). Although much recruiting may already be done virtually, indoctrination is more problematic, since many of the techniques used in indoctrination typically require immersion and proximity. Carrying out indoctrination processes through virtual channels would require that individuals be willing to isolate themselves, even in the absence of direct control over their actions by group leaders.
I think that last bolded bit is somewhat encouraging. Generally, a person who seeks to join a group (any group) is not looking for more isolation. They are looking for social interaction. They want to become a part of something. While it is possible that isolated immersion into a virtual world, with a virtual social sphere, could give a recruit this kind of social contact, from the perspective of a terrorist recruiter it may be simpler and more straightforward (albeit slower) to recruit the old-fashioned way. The one-on-one, personal method also allows a recruiter to size up each recruit on an individual basis. Recruiting an online persona in a virtual world is riskier from the standpoint of operational security, because as the saying goes, "anyone on the Internet could be a dog."

Interestingly, RAND focuses on one potential avenue for distributed recruiting, the massively multiplayer online game (MMOG). "The SIMS" may be the best-known example of such a game.
The latest generations of computer-based, massively multiplayer online games (MMOGs), in which many individuals interact in a common virtual world, constitute a step toward the conditions in which such indoctrination might take place.

However, as intriguing as the games are and the possibility is that they could be used in ways to help in some serious applications such as reinforcing principles learned in conventional training situations, they represent a fairly modest enhancement to the terrorist repertoire of communication techniques. The communication enabled inside the game does not differ significantly from other Internet-enabled communication,

A more interesting element of MMOGs, however, is that they might be a means by which groups may begin associations that they take offline, and thereby become a means of helping in recruiting processes.
Given the investment that has to take place to develop one of these games, my sense is that it's something of a long-shot to imagine terrorist groups making widespread use of them, especially when they would have to take their activities offline eventually anyway.

I'll briefly cover one other potential terrorist use of information technology - the planning of a terrorist attack. RAND points out that online information (as we all know) is generally not reliable enough to make final planning decisions. On-hand reconnaissance is necessary. This, of course, presents another vulnerability for any operational terrorist group.
Some useful planning information may be acquired from the Web, but recent studies indicate that, in most instances, it is not of sufficient resolution or reliability for terrorists to use it in final planning because of the risk from flawed or incomplete data to an operation’s success (Baker et al., 2004). It may, however, allow groups to focus their physical observations and thus lower the amount of exposure associated with reconnaissance.
In general, I agree with RAND's suggested strategy for countering the terrorist threat, which is to focus efforts on exploiting terrorist uses of information technology, rather than attempting to deny them the ability to use the technology. In a wired world, it's a lot harder to keep the technology out of their hands than it is to work in the background and exploit the vulnerabilities they expose themselves to, by virtue of using the technology:
The analysis suggests that the approach to countering terrorist groups’ use of network technology should focus primarily on the use of the technology as an efficiency-enhancing mechanism rather than one that allows dramatic new operational effects.

In developing such a strategy, security force decisionmakers should consider not only denial countermeasures—that is, measures that preclude the technology’s adoption, prevent its use, or degrade an adversary’s ability to use it as intended—but also exploitive countermeasures that enable security force operations that disrupt a terrorist organization more directly through offensive operations or arrests.

Security forces would do well to consider a countermeasure strategy based on terrorist organizations’ preference for exploiting the use of network technologies, rather than seeking to counter them directly. ... From a technical perspective, the approach suggested here, which can include allowing terrorists to use a given technology in order to exploit it, may seem counterintuitive, but may be the most effective (and practical) option in some circumstances.
Successful exploitation of a resource can also serve as a deterrent. If a terrorist group suspects that their information network has been compromised, they may give up use of that technology on their own. A well-known case of this is the abandonment of cell phones by al Qaeda operatives in Afghanistan when it became known that their calls could be monitored.
The best use of resources for those attempting to counter terrorist operations would seem to be developing ways to exploit the network technologies that terrorists will continue to use and that offer the highest payoff. ... Such exploitation can support direct action, such as arrests, and, because it threatens a key operational imperative of terrorist organizations, their security, it can also deter the use of the technology.


Drive-Thru Flu Shots

This is not a new idea, of course, but it's nice to see smaller communities thinking ahead, preparing for potential future disasters by changing the way they deliver the good old annual flu shot. Here's what they're doing in Boonville and Newburgh, Indiana:

Warrick County residents who want a flu shot this year can help out the county’s health department and participate in a disaster preparedness drill. On two Saturdays, flu shots will be given at drive-through clinics, one in Boonville and the other in Newburgh.

“It will test our disaster plan and our ability to give a large number of vaccines to a large number of people in a limited time,” said Sharon James, a Warrick County Public Health Nurse. “If we’d have an outbreak, we might be called upon to give medicine or a vaccine for whatever is out there.”

“The only way to know if we can do this is to practice,” said James. “And the only way to practice is to get people to come.”

The idea of having drive-through clinics is a new one for the Warrick Health Department.

The idea, said James, came from a local hospital that tried the tactic last year. Patients will be directed to locations to fill out paperwork and get the flu shots without ever leaving their vehicles.

“People will pull into the parking lot, and there will be traffic controllers to direct them,” said James. “They will fill out their paperwork, be given an information statement and pay their money. Then they will drive forward under a tent, and there will be nurses on either side of the car, so we can do the driver and passenger at the same time.”
Another idea for emergency distribution of medicines that I find intriguing is to enlist the help of restaurants with drive-thru windows to serve as distribution points. Decentralizing the distribution can help speed the process and raise public confidence in the public health system. The trick is to work out the logistics and the record-keeping.

Thursday, October 11, 2007

Information Sharing in Reluctant Neighborhoods

The latest issue of Officer.com has a nice article on encouraging information-sharing between police and citizens, especially in neighborhoods where residents are generally hesitant and may be distrustful of the police. The article focuses on recruiting volunteers who will regularly help police, but the advice is sound in any case.

Police officers are advised to think like marketing executives, paying close attention to the needs of their "customers" (i.e., those who may share information with them):

[T]hought should be given to how your volunteers will be perceived by their fellow citizens.

When faced with troubled areas of your community, a different approach to marketing your volunteer unit to soften the perception could be as simple as a name change. Choosing a unit name such as Neighborhood Assistance Volunteers or Community Support Team removes what could be viewed as negative words.

At some point, your volunteers will speak with their peers in the community, at which time they can explain their purpose.

Not feeling singled out by their peers as "police in hiding" may also provide an incentive for members of the community to step up and perhaps join the team or at least pass on information that may help your agency to solve and prevent crimes.
Projecting an image of helping the community - being supportive and assistive - extends beyond just words:
Some simple resources to consider would be providing your volunteers with a list of community agencies that offer help to folks who may be having problems paying their utility bills, resolving disputes with neighbors and landlords, finding educational programs to increase their self-worth and more.

Other ideas may include providing your volunteer units with donated child safety car seats, and/or bicycle helmets for families that may not otherwise be able to afford them.

Other items to consider may be new donated basketballs, footballs and games to give children in the community something constructive to do, rather than just hanging out on the street corner. Doing so will help your volunteers "walk the walk" if challenged by their peers to demonstrate how they are "assisting and supporting" the community versus "working for the police."
This is all part of building a trusting relationship. In the end, we freely share information with those we trust.

Pandemic Flu: Europe Not Prepared?

Just a brief note on this article regarding European preparedness for pandemic flu:

The study of 29 European countries by scientists at the London School of Hygiene and Tropical Medicine highlighted shortcomings in preparation for vaccine and antiviral drug distribution, insufficient stockpiles, and incoherent plans for border controls.
None of that sounds very good - but this is a pretty brief list. Some other issues are potentially more important. For example, it's likely that in the early stages of a pandemic, no vaccine will be available, as it will take time to develop a vaccine that targets the pandemic strain. Communities and nations have to be prepared for that phase of a pandemic.

In the absence of vaccine, social distancing is one of the best tools for slowing the progress of pandemic flu, so the planning needs to take into account healthcare resources, economic necessities such as food and water, and schools.

The full WHO report on Europe is here.

(Hat-tip to H5N1.)

Tuesday, October 09, 2007

Revised Homeland Security Strategy

The White House has formally released the revised National Strategy for Homeland Security. Also see this fact sheet.

(Hat tip to Jonah at HLS Watch)



Fight the Network, Not the Terrorist

Douglas Farah's post, "Why the Suicide Bomb Network Must be Dismantled," made me think more about a few recent incidents in which potential terrorist bombings have been prevented at more-or-less the last minute (e.g., London/Glasgow, Austria).

While it's comforting that no innocent lives were lost in these incidents, this is no way to fight a terrorist network. Farah also takes this view:

It is true that it is virtually impossible to halt the actual suicide bomber on his mission. But there are vulnerabilities in the network that create these human weapons. These areas can be far more easily attacked than the final product.

As Bob Baer, formerly of the CIA, recently wrote ... "this is an ideological battle that will be won, or lost, at the local mosque, at the family dinner table or between friends across the Islamic world."
Baer makes an important point here. Outsiders will not be able to "win" an ideological war between jihadists and nonviolent Muslims. But jihadists are vulnerable in this ideological war, as the U.S. Military Academy's "Militant Ideology Atlas" pointed out:
The Jihadis lose credibility among mainstream Muslims when they attack women, children, and the elderly; damage the sources of a nation's wealth (such as tourism and oil); kill other Muslims; and declare other Muslims apostates.
(Also see my post on the Atlas.)

Evan Kohlmann also made a similar argument at the Counterterrorism Blog yesterday, pointing out that Algerian jihadists in the 1990s overreached and suffered backlash from the non-extremist population:
These men adopted a new philosophy that was, in short, "you are either with us or against us." According to Abu Hamza, "They classed the [faithful] Mujaahidin doing proper Islam as apostates. This was because they did not label every single person as a kaafir [infidel]… Anyone who differs with them, they call him a kaafir [infidel]."

In reflection, Abu Hamza al-Masri was deeply critical of these actions, referring to them as the equivalent of "shooting ourselves in the head": "This gave the enemies of jihaad a gun that they had never dreamed of having, ready pointed at us and loaded... This had far reaching consequences that sent an earthquake of instability among the adherents [of the mujahideen] and [their] aims. This worked beautifully for the enemies of Islam who were searching for a doorway or any angle to help them...in hopes that many people will leave the jihaad principles and the path of jihaad, only to seek reform through other means that are un-Islamic, like Democracy, Socialism, etc."
So there is an avenue for undermining the ideological legitimacy of the jihadists.

On the policing side, Farah goes on to argue, as I've also noted before, that some of the most vulnerable elements of a terrorist network are found in the recruiting and fundraising functions.
Imams that drum up volunteers - a key element. One that is often undertaken by mosques associated with the Muslim Brotherhood, particularly in Europe, and most noticeably in Great Britain.

Forgers almost always operate in networks, with different types of expertise working together. Another choke point.

Any of these chokepoints, from radicalization in mosques to radicalization in prison to cutting off the criminal enterprises that convey the suicide bombers to Iraq, are more efficient than hoping to stop the young person once they are on their way with a vest packed with explosives.
That's absolutely right.


Monday, October 08, 2007

Complications of a Regional Approach

I like the regional approach to security. A number of states have taken regional approaches, from Massachusetts, to Virginia, to Missouri. DHS has encouraged regional and multistate approaches; so has the National Governors Association.

Many potential threats - both natural and man-made - are regional in scope. Regional approaches foster collaboration between neighboring jurisdictions, even those across international boundaries, such as

But there is a trick. We have existing government structures for local communities, states, and the nation. But for regions - not so much.

The Altoona Mirror reported that Pennsylvania has experienced problems defining ownership of assets that had been acquired for regional task forces:

The South Central Mountain Counter-Terrorism Task Force stopped its financial operations this summer because of concerns raised about who owns the federally funded equipment distributed throughout the eight-county region.

"The task force equipment wouldn’t have been locked up, and we wouldn’t have been told, 'You can’t use it,'" said Dave Cubbison, director of the Bedford County Department of Emergency Services.

Ownership became an issue when Centre County was advised by its auditor last year that it should list itself as the owner of all equipment bought for the task force. Centre is the task force’s financial agent.

The county disagreed with the finding because the equipment had been distributed throughout the eight counties.

"It was never clarified by the state," Nichols said.

The clarification came in a June e-mail from PEMA, which buys the equipment. The county that receives the equipment through the U.S. Department of Homeland Security grant is considered the "owner," Centre County Emergency Management Director Randy Rockey said.

Financial operations resumed in September after the task force received clarification from the state and federal governments, said task force chairman David Nichols, also Snyder County’s emergency management director.
Pennsylvania has also experienced problems with keeping inventory of available assets.
Another problem identified in the state report is the lack of a centralized database to manage resources on the municipal, county, task force and state levels.

Each county in the task force keeps track of its equipment, mostly on spreadsheets.
If you don't know an asset is available, it might as well not be available. It's critical to share this information.

Port Security Shortfall

Just taking note:

The Coast Guard faces budget challenges in obtaining the $260 million it estimates is needed to upgrade its command centers to meet the requirements of the Safe Port Act of 2006, according to a new report from the Government Accountability Office.

[A]ccording to the Coast Guard, none of the existing 35 sector command centers currently meets the requirements of the act, the report states.

However, four joint operations centers the Coast Guard has established with the Navy are a significant step in meeting these requirements, the report states.
There's nothing new about funding shortfalls, of course. Ports are such critical links in our economic system and critical nodes in our domestic security system that I continue to be amazed by any shortfalls in securing them.

Friday, October 05, 2007

Bird Flu - Taking Note of the News...

This may not mean anything, but due diligence requires that we take note:

The H5N1 bird flu virus has mutated to infect people more easily, although it still has not transformed into a pandemic strain, researchers said on Thursday.

The changes are worrying, said Dr. Yoshihiro Kawaoka of the University of Wisconsin-Madison.

"We have identified a specific change that could make bird flu grow in the upper respiratory tract of humans," said Kawaoka, who led the study.

"[U]sually the bird flu doesn't grow well in the nose or throat of humans," Kawaoka said. This particular mutation allows H5N1 to live well in the cooler temperatures of the human upper respiratory tract.

"Clearly there are more mutations that are needed. We don't know how many mutations are needed for them to become pandemic strains."
The next pandemic flu might be next week, might be next year, might be in 20 years. The pandemic flu might not come from birds, either.

As Hamlet said, "The readiness is all."

(Related item: The California Association of Health Facilities has issued a new pandemic flu workbook for long-term care providers.)

Update Oct. 8, 2007: A bit of perspective from Effect Measure:
This is pretty scary sounding but it isn't new scary sounding. Kawaoka confirmed and filled in the picture about a mutation we already knew about, which is why he looked at it more closely in this paper. As far as we know the suspicion that a mutation in the PB2 gene at position 627 that substitutes lysine for glutamic acid (the mutation is written E627K in shorthand) goes as far back as 1992 when Subbarao, London and Murphy showed it was needed for a bird virus to infect mammalian cells. The idea that temperature is important was reported by Massin and colleagues in 2001.


Can We Count on Overseas Interdiction? Maybe Not So Much

Just a brief note on a new GAO statement on the effectiveness of U.S. law enforcement agencies' work with foreign governments to prevent terrorism. The report focuses on federal agencies such as DHS, the FBI, Immigration and Customs Enforcement, etc.

Generally it finds that, in spite of some recent successes, the effort is not organized as well as it could be:

Law enforcement agencies (LEAs) have increased efforts to help foreign nations identify, disrupt, and prosecute terrorists. However, we found that because most LEAs, with the exception of the FBI, have not been given clear guidance, they lacked clearly defined roles and responsibilities on helping foreign nations identify, disrupt, and prosecute terrorists. In one country we visited, the lack of clear roles and responsibilities between two U.S. LEAs may have compromised several joint operations intended to identify and disrupt potential terrorist activities, according to the U.S. and foreign nation LEAs. In addition, we found LEAs generally lacked guidance on using resources to assist foreign nations in addressing terrorist vulnerabilities and generally lacked performance monitoring systems and formal structures for sharing information and collaborating.
It's not like they haven't been doing anything; they have, especially the FBI. It's just not coordinated. One result has been a lack of information sharing that is especially disheartening:
In three of the four embassies we visited, we found that the embassies generally retained pre-9/11 structures for information sharing among LEAs. Although embassies generally use law enforcement working groups to share information, we found they were not focused on joint investigative or operational efforts to identify and disrupt terrorist acts. For example, in one country we visited with an extremely high terrorist threat, an FBI official told us that the law enforcement working group had never been asked to try to identify or disrupt any of the terrorists on the most wanted lists of the departments of State or Defense, or of the foreign nation itself.
Of course, for local officials this doesn't really change anything. Local officials need to be vigilant. But it would be better to hear that overseas efforts - to stop them "over there" - are better organized.


Thursday, October 04, 2007

The Nuclear Threat: A Close Look

The Nuclear Threat Initiative (NTI) has just released the Securing the Bomb 2007 report on the threat of nuclear terrorism. The report focuses on the risk of detonation of a nuclear weapon, primarily by terrorists. It pays comparatively little attention to other nuclear risks such as "dirty bombs" or attacks/accidents at nuclear power facilities.

NTI makes clear, early on, that the risk is real. There are two main scenarios: Either a terrorist group steals or buys a nuclear weapon on the black market (perhaps stolen from Russia or Pakistan), or a terrorist group acquires nuclear material (either highly enriched uranium [HEU] or plutonium) with the intent of making a nuclear weapon. For technical reasons, HEU would be the more likely choice, as HEU can be used in a simpler "gun" type device.

NTI makes clear that the risk is realistic, even if it's remote compared to other risks such as conventional explosives.

A terrorist's first problem would be acquiring the material. The good news is that they can't make it on their own - it's too technically difficult. But it may be possible to acquire it, especially through three potential avenues:

[I]t appears that the highest risks of nuclear theft today are in Russia, Pakistan, and at HEU-fueled research reactors.

Russia has the world’s largest stockpile of nuclear weapons and materials, and remains the only state in the world where authorities have confirmed that terrorists have been carrying out reconnaissance at nuclear warhead storage sites.

[I]n February 2006, Russian citizen Oleg Khinsagov was arrested (along with three Georgian accomplices) with some 100 grams of HEU enriched to 89% U-235. The arrest was part of a sting operation in which a Georgian government agent posed as an Islamist buyer for a “serious organization.”
The risk of theft is real:
Today, security for the world’s vast and widely distributed nuclear stockpiles varies enormously, from excellent to appalling.

[A] substantial number of incidents of actual theft of weapons-usable nuclear material have occurred. ... The IAEA database on nuclear smuggling includes 15 incidents of real theft and smuggling of separated plutonium or HEU confirmed by the states involved.

In Russia, Chechen terrorists (some of whom have close links to al Qaeda) have carried out reconnaissance at nuclear weapon storage sites.
Locally, the greatest risk comes from research reactors:
More than 140 research reactors around the world are still fueled by HEU (though usually in forms that would require modest chemical processing before the material could be used in a bomb), and many of these facilities have modest security in place—no more than a night watchman and a chain-link fence in some cases.

A majority of research reactors are either in the United States or Russia.
Even at U.S. research reactors - especially at universities - security is relatively low:
Nuclear Regulatory Commission (NRC) security rules for research reactors are remarkably weak. ... U.S. HEU-fueled research reactors regulated by the NRC continue to have only the most modest security measures in place.

[As of the end of 2007] there will be 19 remaining HEU-fueled research reactors in the United States, of which 8 are licensed by the NRC.


Most civilian research reactors have very modest security. Some are located on university campuses, where providing serious security against terrorist attack would be virtually impossible—and where many of the operators are students, who cycle through frequently, making it extraordinarily difficult to provide serious checks of potential insider thieves.

In mid-2005 an investigation by ABC News documented conditions ranging from sleeping guards to security doors propped open with books at nearly all of the 26 U.S. university-based research reactors, including those with HEU.


None of the U.S. NRC-regulated HEU-fueled research reactors should be considered adequately secured against plausible terrorist and criminal threats (though several have either very modest amounts of HEU on-site, or HEU that is quite radioactive).
Once weapons-capable nuclear material has been stolen, especially HEU, it's virtually impossible to detect and locate. Unlike many nuclear materials (such as the fuel for a nuclear power plant), HEU gives off relatively little radiation, making it possible to transport with only minimal shielding.
[O]nce nuclear material has been stolen, it could be anywhere, and all the subsequent layers of defense, unfortunately, are variations on looking for needles in haystacks.

Moreover, the radioactivity from these materials is weak and difficult to detect from any substantial distance. ... You still can’t detect a nuclear device unless you are close to it.

Radiation detectors ... would have essentially no chance of detecting “clean” HEU with even modest shielding.

Even the expensive new Advanced Spectroscopic Portals now being developed would not substantially improve the ability to detect shielded HEU.
As drug smugglers and illegal immigrants have amply shown, it is not hard to sneak into the United States:
The myriad routes across the world’s scantily protected borders make nuclear smuggling almost impossible to stop. ... Attempting to protect the United States from nuclear terrorism by detecting and stopping nuclear contraband at the U.S. borders is like a football team defending at its own goal line.
And although terrorists could not enrich uranium themselves, it is conceivable that they could develop and transport a crude weapon:
Terrorists would need about 50 kilograms (110 pounds) of HEU for the simplest gun-type bomb—an amount of material roughly the size of a six-pack.

Even before the Afghan war, U.S. intelligence concluded that “fabrication of at least a ‘crude’ nuclear device was within al-Qa’ida’s capabilities, if it could obtain fissile material.”

Even a fully assembled bomb of the crude type terrorists might make could fit in a truck, a fishing boat, a small plane, or the hold of a yacht.
So there is some level of realistic threat, despite the technical difficulties involved and the challenge of acquiring fissile material.

How to solve the problem? A lot of the potential solutions would be in the jurisdiction of agencies such as the Department of Energy and Nuclear Regulatory Commission, along with the State Department and International Atomic Energy Agency (IAEA) for international efforts.

However, there is a local element to solving this problem. Police work is extremely important:

Almost all of the known interdictions have resulted from good police or intelligence work—from sting operations, or from people who became aware of the conspiracy deciding to inform the authorities. There are a wide range of steps that can and should be taken to strengthen international police and intelligence cooperation, to pursue additional demand stings (posing as buyers of nuclear material or expertise) and supply stings (posing as sellers), and to encourage the semi-feudal chieftains who control some of the world’s most dangerous borders to let us know about transports of nuclear material.
Some local police agencies have even provided security for local research reactors:

At the reactor at the Massachusetts Institute of Technology (MIT), since 9/11, there have been 1-2 Cambridge police officers with side-arms on-site to provide security—though these are not required by NRC rules. (Prior to the 9/11 attacks, the facility had no armed guards on-site, relying on response from off-site campus police officers in the event of a problem.)
Other law enforcement activities, such as preventing recruiting and curtailing financial activities, may also be effective:
Terrorist efforts to recruit people with relevant expertise—such as nuclear physicists, metallurgists, or uranium machinists—may be one of the more detectable activities associated with a nuclear weapons effort. To increase awareness of this potential problem (and increase the chance that such recruitment attempts would be reported), police and intelligence agencies should seek to build relationships at locations that may pose particular opportunities for such recruiting efforts.

[I]t is worth making a major effort to change the conditions that make it easier for extreme Islamist terrorist groups to recruit and raise funds—to reduce the dangers of all forms of terrorism, not just nuclear terrorism.
Given the global nature of the threat, as well as the technical expertise required for dealing with nuclear materials, local officials may have relatively limited options to deal with the threat of nuclear terrorism; but that's not the same thing as having no options.