Friday, March 30, 2007

HSPD-19: Combating Terrorist Use of Explosives in the United States

The White House recently released Homeland Security Presidential Directive 19 (HSPD-19): "Combating Terrorist Use of Explosives in the United States."

Just a couple of notes here. First, the directive emphasizes explosives detection. One of its requirements is the development of a national strategy "on how more effectively to deter, prevent, detect, protect against, and respond to explosive attacks." Some of the specific requirements for the new strategy are:

  • an inventory and description of all current Federal Government assets and capabilities specifically relating to the detection of explosives or the protection against or response to explosive attacks
  • an inventory and description of current research, development, testing, and evaluation initiatives relating to the detection of and protection against explosives and anticipated advances in capabilities for reducing the threat of explosive attacks
  • recommendations for improved detection of explosive chemical compounds, precursor chemicals used to make improvised explosive chemical compounds, and explosive device components
  • an assessment of the effectiveness of, and, as necessary, recommendations for improving Federal Government training and education initiatives relating to explosive attack detection, including canine training and performance standards
Trying to detect explosives is a risky strategy. It assumes that someone has already made the bomb, or has acquired the precursors for it. There may not be much time between the making of the bomb and its deployment.

The HSPD also has some directives for information-sharing at all levels (and with the private sector), which is good to see. I'm a little leery of the "build it and they will come" philosophy which seems to underlie these instructions, though:
The Attorney General, in coordination with the Secretary of Homeland Security and the Director of National Intelligence, shall maintain and make available to Federal, State, local, territorial, and tribal law enforcement entities, and other first responders at the discretion of the Attorney General, a web‑based secure portal that includes information on incidents involving the suspected criminal misuse of explosives, including those voluntarily reported by State, local, territorial, and tribal authorities.

The Secretary of Homeland Security, in coordination with the Attorney General, the Director of National Intelligence, and the Secretaries of State and Defense, shall maintain secure information-sharing systems that make available to law enforcement agencies, and other first responders at the discretion of the Secretary of Homeland Security, information, including lessons learned and best practices, concerning the use of explosives as a terrorist weapon and related insurgent war fighting tactics ...
As experience with the old Homeland Security Information Network (HSIN) has shown, just building an IT network or portal doesn't guarantee that it will be used. Simply making the information systems available is usually not enough. (See these two posts.)

Updated: More Wrangling on Chemical Plant Security

The wrangling over chemical plant security isn't going away. One of the key issues - whether the federal government's rules can supersede state laws - has been revisited in the new supplemental spending bill. The Record (NJ) reports:

New Jersey's chemical plant security standards would be protected from possible dilution by the federal Department of Homeland Security under a bill the Senate approved Thursday.

Sen. Frank Lautenberg, D-N.J., lobbied aggressively for a provision in a $122 billion emergency war spending bill that allows states to implement chemical security standards that go beyond what DHS requires.

The American Chemistry Council worked to strip Lautenberg's provision, arguing it could delay implementation of DHS regulations proposed in December -- and leave the nation vulnerable to a terrorist attack on chemical plants.

Unlike the federal rules, New Jersey's rules require chemical plants to study whether "inherently safer technology" is available that would reduce the risk of an accident or potential harm from an attack.
Mostly this is a political turf issue (i.e., who gets to make the rules?), but there are real implications to this. Chemical plants are an attractive target. (See this post from last week.)

Why shouldn't states and localities have a say - or in some cases, just the information - about what's in their backyards and how the chemical industry should maintain safety and security? States and localities certainly have a legitimate interest in this.

Updated 2007-04-03: On April 2, DHS released its final rules on security at chemical plants. The rules permit the pre-emption of state laws, GovExec reported:
[DHS] tried to specify when state laws will be overridden.

"Some states have existing laws for regulating chemical facilities," the department said in a statement. "Only state laws and requirements that conflict or interfere with these regulations, or the purpose for the regulations, will be pre-empted. Currently, the department has no reason to conclude that any existing state laws are applied in a way that would impede the federal rule."

The department also maintains the authority to pre-empt state health, safety or environmental protections, according to the rules.
Sen. Lautenberg is continuing to push for legislation that would prohibit DHS from pre-empting state or local statues, except "when a clearly defined conflict exists."

Terrorist Financing 101

Over at the Counterterrorism Blog, there's a nice primer on terrorist financing. The whole thing is worth reading, but I thought the following excerpt was especially relevant to local efforts to prevent terrorism:

The unfortunate reality is that regardless of the level of vigilance and detection, terrorists will always have access to funds; however, the more robust the detective efforts, the greater the likelihood for disruption. Every disruptive success reduces the operational capability of terrorists. In this vein, one of the primary areas of vulnerability to terrorists is finance. It is critically important that financial and non-financial institutions understand this fact and the vital role they play in the process.

Two key areas where terrorists are vulnerable when dealing with financial institutions are with respect to Know Your Customer (KYC) practices and Suspicious Activity Reporting (SAR). Whether using their true names or false identities, terrorists are at risk of detection through KYC mechanisms.

Financial Institutions should incorporate terrorist financing specific training into their AML training programs. It is essential to understand and simplify terrorist financing as much as possible. It is equally important for individuals in the financial and business sector to understand that they are on the front line of the economic war on terrorism and are capable of playing a vital role through risk recognition, AML monitoring and mechanisms to include KYC and SARs.
This all gets back to the basic idea of collaborating and sharing information with others. If you work in a financial institution and notice something suspicious, you're more likely to report it if: A) someone has shared information with you about the threat, and B) your institution has a trusting relationship with law enforcement and other authorities.

Wednesday, March 28, 2007

Private Sector Emergency Recovery: What the HERC?

This story is a few months old, but I really like the idea. Business leaders in Hernando County, Florida, have teamed up to create the Hernando Emergency Recovery Council (HERC). It's a collaborative private group that will provide necessary resources in the event of a disaster:

Soon, if disasters strike, victims will be able to call the Hernando Emergency Recovery Council Inc. to get aid that is both immediate and local, said the organization's president, Robert Kanner.

"We hope to have businesses pledge plywood and roof shingles and labor so when the fictional Mrs. Smith contacts us, we're able to pool together our resources," Kanner said.

The key, county emergency management director Tom Leto said, is to round up local resources that can provide goods and services.

Already Kanner and HERC's board of directors have signed up some 20 individuals and businesses - "point people" - willing to respond with resources, whether they be physical, emotional or spiritual.

Said Leto: "The better you are at organizing resources in advance, the better you can respond to the disaster. It's difficult to organize resources at the last minute."

Kanner himself is a volunteer who approached Leto about helping the community in some way.

Now, the two want to tap into the business community, aiming to enlist them not just for humanitarian reasons, but also to help themselves get back in business and stabilize the county economy in the wake of a disaster.

HERC and the Emergency Management Office will work together, Leto said.

"If the Emergency Operations Center does encounter a need the county is short on, the county will go to HERC and we will ask if they can fill it," he said.
There is a lot to like here. The collaboration between local businesses and government; the holistic approach to providing resources (i.e., focusing on all of a victim's potential needs, not just the physical ones); the stronger bonds within the community.

These things are beneficial to the community even if a disaster never strikes.

Governor's Guide to Homeland Security

The National Governor's Association (NGA) recently released A Governor's Guide to Homeland Security, the purpose of which is:

...to provide governors with an overview of their homeland security roles and responsibilities and to offer some guidance on how to approach issues such as mutual aid, information sharing, obtaining assistance from the military, and protecting critical infrastructure.
Essentially the document is a primer on preparation and response. It assumes that the reader is generally unfamiliar with many planning and response mechanisms, so it spends a lot of time describing these. It's useful for anyone who wants an overview of emergency preparation and response from the state-level perspective.

Some portions of the guide are worth highlighting, though, mostly because they describe efforts to collaborate and share information. Most interesting is the description of some public-private partnerships. While the guide points out that ...
Partnering effectively with the private sector to improve disaster preparedness and response is an area of emergency management that has begun to receive attention only recently.
... and ...
Thus far, most public-private partnerships in the area of emergency preparedness and response exist at the local, rather than at the state, level.
... there is a real need, and some real benefits, to collaborating with the private sector - especially with owners of critical infrastructure assets:
Governors should work closely with the private sector to develop emergency response and risk communications plans for incidents affecting privately owned systems or infrastructure. Forging a trust-based relationship between emergency response officials and the private sector is essential to ensure effective security preparations, including accurate vulnerability assessments and the integration of private-sector emergency response plans with those of government agencies.

During the 2004 hurricane season, Florida utilities sent representatives to the state emergency operations center (EOC) and to local government EOCs. Other utility officials were available by telephone or other communications systems. As a result, emerging problems were capable of being solved at the local level by officials who felt empowered to make critical decisions and then report what they had accomplished.
Within government, the need for information sharing remains great:
A lack of information sharing can be an obstacle to implementing an effective homeland security strategy. The fragmented nature of data collection and incident reporting among state, local, and federal law enforcement agencies hinders their ability to connect information that may point to terrorist plots or other ongoing criminal activity, and the private sector—which owns a significant amount of data and an estimated 85 percent of the nation’s critical infrastructure—often is not connected to the homeland security intelligence and information-sharing networks.
So far, efforts to share information about potential threats and responses have largely been funneled through state fusion centers (which I've previously discussed here, here, here, here, here, and here). The guide briefly describes how a few of these fusion centers operate:
Arizona’s fusion center, known as the Arizona Counter-Terrorism Information Center (ACTIC), opened in 2004 as the state’s central analysis hub for real-time crime and terrorism-related intelligence and information. ACTIC is staffed with more than 200 detectives, special agents, analysts, and other personnel representing 34 state, local, and federal agencies. ACTIC also includes a complete integration of the FBI’s Joint Terrorism Task Force (JTTF).

Georgia’s Information Sharing and Analysis Center (GISAC) has an analytical and investigatory role. Each investigator is assigned an analyst, and officials report regular contact between investigators and their assigned analysts to share information.

The Illinois Statewide Terrorism Intelligence Center (STIC) includes analysts and representatives of agencies dealing with narcotics, sex offenses, violent crimes, andmotor vehicle theft. ... In 2005, the Illinois STIC colocated its facility with the state emergency operations center.

In 2006, North Carolina opened its Information Sharing and Analysis Center (ISAAC). The ISAAC serves as the focal point for collection, analysis, and dissemination of information on possible terrorist and criminal threats. ... ISAAC staff collaborate to analyze information from a variety of sources, including tips from the public, public records such as driver’s license and vehicle registration records, and national law enforcement databases.
Because collaboration among agencies is also vital, the guide also describes some of the intrastate mutual aid organizations that states have set up:
Several states already had, or have since developed, state-wide mutual aid programs. In April 2002, for example, Iowa introduced a voluntary statewide mutual aid program known as the Iowa Mutual Aid Compact (IMAC). Modeled on the national Emergency Management Assistance Compact, IMAC establishes a system through which political subdivisions can help each other during disasters that have been declared either by local officials or by the governor.

Kansas has a similar statewide mutual aid system, created in the 2006 Kansas Intrastate Mutual Aid Act. The act provides for a system of intrastate mutual aid between participating political subdivisions in cases of declared disasters as well as during drills and exercises in preparation for such disasters.

In Illinois, meanwhile, the fire service developed and implemented a mutual aid system that began in the northern part of the state but has since expanded to all of Illinois, southern Wisconsin, and parts of Indiana. The Mutual Aid Box Alarm System (MABAS) comprises hundreds of fire departments and provides an orderly system for dispatching fire and emergency medical service equipment and personnel to fires, accidents, or other incidents. ... The system is managed through geographic divisions by which local fire departments can access assistance. From its inception, MABAS included procedures for ensuring the integration of assisting personnel and equipment into the local command structure.
Also regarding mutual aid, the guide points out that all 50 states are now part of the Emergency Management Assistance Compact (EMAC):
The National Governors Association has endorsed EMAC and, in 2006, Hawaii became the 50th state to join the compact, which also counts District of Columbia, Puerto Rico, and the U.S. Virgin Islands among its members.
However, the experience of Hurricane Katrina shows that EMAC remains unfamiliar to some local and federal agency personnel:
Out-of-state teams were able to reach affected areas of the Gulf Coast efficiently through EMAC deployments. However, their integration with response crews already on the ground was complicated by the fact that many local officials, and some federal officials, were unfamiliar with EMAC and questioned or rejected the credentials of the EMAC-deployed teams.
In addition to intrastate mutual aid and EMAC, states
can also see benefits from regional organizations:
Similarly, governors should consider working together to develop strategies for managing events that affect regions of the country. In some regions, this already is taking place.The Pacific NorthWest Economic Region (PNWER), which comprises Alaska, Idaho, Montana, Oregon, Washington, and the Canadian provinces of Alberta, British Columbia, and the Yukon, created a partnership for regional infrastructure security to develop a regional protection, preparedness, and response plan for dealing with infrastructure-related emergencies.
In 2006, Arizona Governor Janet Napolitano signed a memorandum of understanding with California Governor Arnold Schwarzenegger, Texas Governor Rick Perry, and New Mexico Governor Bill Richardson that will enable the four southwest border states to share unclassified and classified intelligence information to provide better security along the border.
One thing that affects states' ability to choose various options for homeland security is the underlying structure of their homeland security organizations. The guide points out that states have chosen one of three main structures:

Homeland Security Advisor with Committee/Coordinating Council: Some governors have appointed homeland security advisors or directors to provide direct counsel to and speak on behalf of the governor on matters related to homeland security. [T]he advisor often chairs a committee — made up of representatives of relevant state agencies, including public safety, the National Guard, emergency management, public health, and others—charged with developing preparedness and response strategies. [Examples: Maryland, Nebraska, Washington]

Department of Homeland Security: [G]overnors are beginning to create state departments of homeland security that have the statutory authority to oversee operations as well as to develop all-hazards approaches to mitigation, preparedness, and response. [Examples: Alabama, Arizona, Delaware, Indiana]

Homeland Security Functions Under Existing Agencies: In many states, the homeland security functions have been assigned to an existing agency, such as public safety or the military department. Generally, these homeland security advisors, at a minimum, coordinate response resources and activities across the various state agencies, and in many cases, they have planning and budgetary authority. [Examples: Florida, Idaho]

Another Chlorine Bomb Attack in Iraq

Al Qaeda continues to work on the "chlorine truck bomb" attack:

Insurgents with two chlorine truck bombs attacked a local government building in Falluja in western Iraq on Wednesday, the latest in a string of attacks using the poisonous gas, the U.S. military said.

It said 15 Iraqi and U.S. soldiers were wounded in the blasts and many more suffered chlorine poisoning.

"Numerous Iraqi soldiers and policemen are being treated for symptoms such as labored breathing, nausea, skin irritation and vomiting that are synonymous with chlorine inhalation," a U.S. statement said.

U.S. commanders and the Iraqi government have blamed al Qaeda militants for several recent attacks using chlorine gas in Anbar.

The U.S. military said it discovered an al Qaeda car bomb factory last month near Falluja with chlorine tanks.
Given the wide availability of chlorine in the U.S., a chlorine attack may be attractive to jihadists if and when they decide to attack the U.S. again. They wouldn't have to import anything - they could just use what's already here, just as they did on 9/11. The fact that they keep trying chlorine attacks in Iraq suggests that they see a strategic benefit from this type of attack, and they want to refine their methods. They also share information on tactics and methods over the Internet, so any successes in Iraq could be replicated elsewhere.

Here are a few questions for local homeland security professionals:
  • Where are the stocks of chlorine or other dangerous chemicals in your area?
  • What healthcare resources are available if an attack like this were to happen?
  • Are first responders prepared for this type of event?
See this post and this post on the earlier chlorine attacks in Iraq.

Thursday, March 22, 2007

Foiled Maritime Terrorism in Morocco

Reuters is reporting today that a group of 12 would-be bombers have been foiled in Morocco. Their targets were foreign ships - an indication that jihadists continue to view economic targets as desirable, including maritime targets.

At least 12 would-be suicide bombers planned to blow up foreign ships at the Casablanca port and other Moroccan landmarks, top security officials were quoted as saying on Thursday.

They said at least six of the suspected bombers were still on the run, but others were arrested after their presumed leader blew himself up on March 11 to stop police taking him alive.

Abdelfattah Raydi, the 23-year suspected leader of the group of bombers, walked into an Internet cafe in Casablanca's Sidi Moumen slum on March 11 with another suspected bomber.

Raydi, who had worn an explosives belt for four days to avoid police catching him alive, detonated the device when the cafe owner shut the door and called authorities after he saw him consulting a jihadist Web site, newspapers said.

"Investigations showed that 12 suicide bombers among 30 terrorists linked to March 11's Casablanca plot were prepared to attack economic and security targets including blowing up foreign ships at Casablanca port and tourism facilities in Marrakesh, Essaouira and Agadir," wrote al Ahdath al Maghribia daily.
It's being called a "lucky accident" that the plot was prevented, but I'd say it's a good example of civic engagement in anti-terrorism. The Internet cafe owner could just have easily looked the other way, but he recognized a potential threat and decided to intervene.

The bad news out of the incident is that it provides further evidence of jihadists' attraction to the idea of mixing chemicals or biological agents with their bombs, as demonstrated on a number of recent occasions in Iraq.
The [Moroccan] papers also quoted officials as saying the would-be bombers planned to use "poison" in their planned attacks, showing a change in the country's home-grown terror.

Al Ahdath said the "poison" was a byproduct of tetanus pathogenic bacteria ...
These guys do a good job of sharing information via the Internet. If a tactic seems to work in one place, it begins to pop up in other places. So information sharing has to go on here, too, regarding vulnerability and risk.

Wednesday, March 21, 2007

Critical Infrastructure Protection Plans: An Update

There's new information regarding this post from December.

GAO has updated its survey of critical infrastructure planning and preparations. According to the National Infrastructure Protection Plan (NIPP), the various critical infrastructure councils (e.g., telecommunications, public health, etc.) were supposed to submit their protection plans at the end of December 2006.

The good news? They all made the deadline:

All the sectors met the December 2006 deadline to submit their sector-specific plans to DHS, although the level of collaboration between the sector and government councils on the plans, which the NIPP recognizes as critical to establishing relationships between the government and private sectors, varied by sector. Issuing the NIPP and completing sector plans are only first steps to ensure critical infrastructure is protected.
In its earlier reporting, GAO commented that sectors with long histories of collaboration and information-sharing, typically due to more significant regulation (e.g., banking, nuclear power) were much farther ahead than sectors without such a history (e.g., public health).

For those sectors, an ongoing problem has been a lack of trust - which is always the basis for effective collaboration and information-sharing:
Challenges most frequently cited included the lack of an effective relationship with DHS as well as private sector hesitancy to share information on vulnerabilities with the government or within the sector for fear the information would be released and open to competitors. GAO’s past work has shown that a lack of trust in DHS and fear that sensitive information would be released are recurring barriers to the private sector’s sharing information with the federal government...
Building trust takes time, of course. But on the other hand, you don't need permission from DHS to build relationships with others when you have a common interest.

So far, only one sector - transportation - has not formed a council. However, separate transportation modes had done so:
As of March 2007, the transportation systems sector had yet to form a sector council, but a DHS Infrastructure Protection official said each transportation mode—such as rail, aviation, and maritime—has established a sector council.
(On the subject of the transportation sector, it's worth noting that DHS itself has yet to produce a required risk assessment of the entire transportation sector, as indicated in this post from a couple of weeks ago.)

And even though the plans have been submitted, and are currently being reviewed by DHS, there is a long way to go:
Like the NIPP, these plans are only a first step; they are to lay out how the sector will identify its most critical assets and resources and what methodologies each will use to assess risks, but are not required to address how the sector is actually assessing risk and protecting its most critical assets.
I found this tidbit especially noteworthy:
Council members cited as a key facilitating factor the fact that some sectors had prior plans that they could update to satisfy NIPP requirements. For example, the energy sector had developed a protection plan in anticipation of the Year 2000 (Y2K) computer threat, and that process was beneficial in developing its sector-specific plan for the NIPP.
In other words, if you make risk management a part of what you do - and you establish relationships and share information with others who share common interests - when there is a need to band together and develop solutions, you will be much better prepared. This applies to more than just critical infrastructure sectors. This applies to everyone. Luck favors the prepared.

Tuesday, March 20, 2007

Critique of New Chemical Plant Regulation

Stephen Flynn's testimony before the Senate Committee on Environment and Public Works has been posted to the Council on Foreign Relations site.

Flynn is critical of the legislative changes regarding chemical facilities made in the 2007 Department of Homeland Security Appropriations Act, as well as the interim rule-making language issued by the Department of Homeland Security in Feb. 2007.

First, Flynn offers his opinion of the threat:

Like many students of terrorism, I believe that Al Qaeda or one of its growing number of radical jihadist imitators will attempt to carry out a major terrorist attack on the United States within the next five years. At the top of the list of likely targets is the chemical industry.
The new legislation is intended to improve the security at chemical facilities. But Flynn argues it impedes information-sharing between the chemical facilities and state and local officials:
[N]eighbors to dangerous chemical facilities have lived largely in the blind when it comes to the hazards they may be exposed to and are often unaware of the steps they should take to protect themselves in the event of a chemical release.

While there is legitimate reason to treat some security information as sensitive, the act goes too far by requiring DHS to treat vulnerability or security information under this section, "as if the information were classified material" and stipulating that this information be provided only to "State and local government officials possessing the necessary security clearances, including law enforcement officials and first responders."

This onerous requirement effectively places the overwhelming majority of state and local officials and emergency responders out of the loop when it comes to the security of plants nestled within their own communities. Few officials hold these clearances and there is already an extensive backlog in providing them.

As a consequence, the vast majority of emergency planners who are responsible for putting together the local response to disasters will have to make these plans without an understanding of the vulnerabilities and the existing security protocols that are in place at a facility.
He also delivers a strong critique of the provision in the act which allows DHS rules to supersede state legislation:
The excessive new protections of vulnerability and security-related information reinforces one of the most serious shortcomings of the act which is its failure to allow state governments to enact stronger security requirements than those adopted at the federal level when those states determine such requirements are appropriate to safeguarding their populations....

This is federalism turned on its head. While states and locals are responsible for dealing with the aftermath of a disaster associated with a chemical plant about which it has historically possessed more intimate knowledge than the federal government, the federal government is now maintaining that it alone has the authority to set the rules governing the security of these facilities.
The information-sharing aspect is troubling. Some secrecy is necessary, of course. You don't want to disclose the location of potentially dangerous chemicals. But why state and local officials are not on the "need to know" list - that's a good question.

Flynn is a generally respected expert on vulnerability. He's the author of America the Vulnerable and The Edge of Disaster: Rebuilding a Resilient Nation.

Early Warning Weather Radios

Residents who live downstream of a leaking dam in Kentucky are eligible to get free radios that would provide them with the earliest possible warning of a dam breach, the Lexington Herald-Leader reports:

Kentucky officials plan to begin distributing weather radios this week to residents downstream from Wolf Creek Dam to warn of any breach in the dam.

People and businesses in areas that would be flooded if the dam fails are eligible for radios provided by the Kentucky Office of Homeland Security.

The dam is leaking, which has caused concern downriver about the potential for a breach and flooding. However, state and federal officials have said it is highly unlikely the dam will fail and, if it does, there probably would be time for warnings and evacuations downstream.

The first alert of a failure or potential breach would be broadcast via weather radio. That's why the state is providing them.
Early warning is critical in any disaster. This is sort of a rural version of the text-messaging alert systems that some cities are adopting (e.g., Washington DC and San Francisco).

GAO Report on LNG Risk

The GAO has released a new report on the risk of liquified natural gas (LNG). It's created by supercooling natural gas to -260 degrees Fahrenheit. This turns it into a liquid and reduces its volume 600 times.

In its liquid state, LNG is not flammable or explosive, so it can be transported in tankers. Since 1959, there have been more than 40,000 shipments, without a major incident. There are concerns about it, though, fueled by two factors:

1. Natural gas demand in the U.S. is expected to grow
2. After Sept. 11 (or perhaps more appropriately, since the attacks on the USS Cole and the French supertanker Limburg), there is concern about how much damage terrorists could do by attacking an LNG tanker or terminal.

The GAO
examined a number of prior studies and consulted experts about the potential risks. They focused on three potential risks:

1. Leaking LNG forms a pool on the water. As the pool evaporates, it forms a cloud, which drifts onshore as an asphyxiation hazard.
2. The vapors from the LNG pool catch fire. This would burn hotter than oil.
3. The fire spreads to the LNG tanker, risking explosion.

Fortunately, none of these things has ever actually happened, so there are no real-world incidents to study.

Regarding the asphyxiation hazard, GAO found:

Only the Sandia National Laboratories’ study examined asphyxiation, and it concluded that asphyxiation did not pose a hazard to the general public.

Experts agreed that some hazards, such as freeze burns and asphyxiation, do not pose a hazard to the public.
Regarding the burn hazard, GAO found:
[T]he studies’ conclusions about the distance at which 30 seconds of exposure to the heat could burn people ranged from about 500 meters (less than 1/3 of a mile) to more than 2,000 meters (about 1-1/4 miles). The Sandia National Laboratories’ study concluded that the most likely distance for a burn is about 1,600 meters (1 mile).

Experts agreed that the most likely public safety impact of an LNG spill is the heat impact of a fire.
Regarding the explosion hazard, GAO found:
All three studies considered LNG vapor explosions unlikely unless the LNG vapors were in a confined space.

Experts agreed that explosions are not likely to occur in the wake of an LNG spill.
The Council on Foreign Relations also reported on the risk in February 2006, which provides good background and links to more resources on the subject.

Fire Preparedness: Needs Assessment Report

The First Response Coalition summarizes the new needs assessment report on fire preparedness, from the U.S. Fire Administration (USFA), DHS, and National Fire Protection Association (NFPA). One highlight:

Only 25% percent of fire departments in the United States can communicate with their Federal, state, and local partners, and 65% of fire departments do not have enough portable radios to equip all emergency responders on a shift.

Lieberman: Increase Federal Grants

Sen. Joe Lieberman is proposing increases in federal grants to state and local first responders, Federal Computer Week reports:

The chairman of the Senate Homeland Security and Governmental Affairs Committee proposed March 12 to add $3.4 billion in fiscal 2008 above the White House’s budget to bolster first responder programs in the Homeland Security Department.

Sen. Joe Lieberman of Connecticut, an Independent who caucuses with the Democratic party, said he wants to add $479 million for the Urban Area Security Initiative, which provides counterterrorism funding to major cities, which would bring that program's total to $1.2 billion.

Other increases proposed by Lieberman are:
  • Another $913 million for the State Homeland Security Grant Program.
  • Adding $913 million to the Emergency Management Preparedness Grants program.
  • Spending $777 million more for firefighters and $400 million more for interoperable communications.
It's just a proposal, of course, and the devil is in the details. But here's one thing: it appears to start addresssing the concerns in the First Response Coalition's recent report that said federal funding for interoperable communications is falling short. (Also see these two posts.)

Saturday, March 17, 2007

More Chlorine Attacks in Iraq

They did it again ... three times.

Three suicide bombers driving trucks rigged with tanks of toxic chlorine gas struck targets in heavily Sunni Anbar province including the office of a Sunni tribal leader opposed to al-Qaida. The attacks killed at least two people and sickened 350 Iraqi civilians and six U.S. troops, the U.S. military said Saturday.

The violence started about 4:11 p.m. Friday when a driver detonated explosives in a pickup truck carrying chlorine at a checkpoint northeast of the provincial capital of Ramadi, wounding one U.S. service member and one Iraqi civilian, the military said in a statement.

Two hours later a dump truck exploded in Amiriyah, south of Fallujah, killing two policemen and leaving as many as 100 residents with symptoms of chlorine exposure ranging from minor skin and lung irritations to vomiting, the military said.

Another suicide bomber detonated a dump truck containing a 200-gallon chlorine tank rigged with explosives at 7:13 p.m. three miles south of Fallujah in the Albu Issa tribal region, the military said. U.S. forces found about 250 local civilians, including seven children, suffering from symptoms related to chlorine exposure, according to the statement. Police said the bomb was targeting the reception center of a tribal sheik who has denounced al-Qaida.

Four other bombings have released chlorine gas since Jan. 28 ... The primary effect of the chlorine attacks has been to spread panic. Although chlorine gas can be fatal, the heat from the explosions can render the gas nontoxic. Victims in the recent chlorine blasts died from the explosions, and not the effects of the gas.
They haven't gotten big casualty counts out of these things - and when you use pickup trucks and dump trucks as your delivery vehicles, you're probably not going to get much. But the fact that they continue to use chlorine as a weapon may indicate a willingness to go through the learning curve.

It's worth noting that these three attacks took place in Anbar province, where al Qaeda has a well-documented presence. Also, two of the targets were al Qaeda opponents.

This is worth watching. (Also see this post.)

Friday, March 09, 2007

FRC Report on Interoperable Communications

The First Response Coalition (FRC) has a new report on the status of first-responder interoperable communications. The FRC looked at state programs for interoperable communications and found some success stories. The study has three main findings:

1. Funding is still the major hurdle to achieve interoperability, with creative state financing limited by insufficient federal commitments.
2. The numerous effective state programs illustrate an opportunity to improve the existing first responder communications system and upgrade networks with new technologies without drastically reallocating spectrum.
3. As various states pursue innovative and unique tactics, there is a distinct need for adherence to technical standards that better ensure equipment employed across jurisdictions is compatible.
Note: Another recent study also found that state and local governments are bearing more of the weight for financing the new systems, as indicated in this post. But DHS' baseline survey of disaster communications, released in December 2006, suggested that "governance" was the biggest hurdle to interoperable communications. (See this post.)

The FRC highlights the efforts of Colorado, Nevada, and Utah to create interoperable systems for first responders. Innovative practices were also found in Indiana, Texas, Washington DC, South Carolina, and Virginia. (The "governance" element was highlighted in Virginia.)

The FRC calls for more clarity and financial support from DHS:
Achieving full communications interoperability will require federal funding and leadership, state inventiveness and innovation, and local cooperation and coordination.
Cost is a considerable factor. States are not capable of providing funding at the levels required for full nationwide interoperability:
According to a recent survey conducted by the National Emergency Management Association, achieving statewide interoperable communications for first responders will cost approximately $7 billion. Even with anticipated increases in spending, it is unlikely that states will have sufficient funds to achieve full interoperability in the near future.
In response to the financial shortfall, some states have gotten creative with their financing:
Rather than relying solely on federal grants or appropriations, selected governors and state legislatures have developed unique financing arrangements for public safety communications.
  • In Minnesota, the state Department of Transportation financed half the cost of a state/local shared communications infrastructure, using general obligation bonds and money from the state’s highway fund.
  • Indiana maintains its Project Hoosier SAFE-T system through a $1.25 surcharge on transactions at the state Department of Motor Vehicles, which yields $15 million per year.
  • The Michigan state legislature approved funding to build a statewide communications system and promised to fund all equipment upgrades to attract local users who otherwise could not afford to connect to the network.
The three main case studies that the FRC features are Colorado, Nevada, and Utah. Following are a few highlights, starting with Colorado:
Funded through a state “Public Safety Trust Fund” as well as federal Homeland Security grants, the Colorado Statewide Digital Trunked Radio System (DTR) provides a seamless statewide wireless communications system. The network enables direct communications between all local governments that choose to (and can afford to) participate in the program.

A combination of state, federal, tribal and local government agencies currently use the system, totaling 600 individual agencies and over 27,000 subscriber units/radios. By the end of 2007, DTR Project Manager Mike Borrego estimates the network will cover 95% of Colorado’s geographic area, with over 30,000 radios in use.

The non-profit Consolidated Communications Network of Colorado (CCNC) was created in 2002 to manage the Statewide Digital Trunked Radio Network. The CCNC’s governing body is comprised of the agencies that participate on the digital trunked radio system. Representatives from each of the state’s five radio regions comprise the CCNC board. The governance model was developed with assistance from DHS/SAFECOM materials. Various subcommittees meet monthly to provide specialized guidance and insight as it relates to system performance and operational guidelines. In an interview with the FRC, Borrego said, “No matter if you’re a five-man department or a 500-man department, you get an equal voice in the management of the system.”
Utah:
The Utah Communications Area Networks (UCAN) is a public safety communications system that supports 15,000 users and 120 separate state, local and federal government agencies. Coverage has been achieved in 11 counties, constituting 85% of the state’s population, and a merger is underway with the Salt Lake County System. According to UCAN Executive Director Steven Proctor, the UCAN system took only 36 months to build, but it took six years of hard work, political compromise, and negotiations before the system equipment order was ever signed.

Today, the next generation of public safety communications interoperability in Utah is being developed with the Utah Wireless Integrated Network (UWIN) project. The state has placed a high priority on effective governance within the UWIN system.

By the end of 2004, UWIN had implemented mobile voice and data networks that allowed the state Law Enforcement System (LES), State Radio System (SRS), the Utah National Guard, and UCAN to interface seamlessly.
Nevada:
Nevada’s statewide public safety communications system is a hybrid public/private radio network used by all state agencies including the highway patrol, Nevada Department of Transportation (NDOT), the state university system, and by Nevada Power and Sierra Pacific Power. The two utility companies formed a partnership with the state and all have joint ownership of the network.

The Nevada interoperability plan connected the 4 major trunked public safety communications systems into a single “virtual” system. The system is in operation in all parts of the state, with varying levels of participation. The Las Vegas area is described as “saturated,” with any public safety entity in the metropolitan area able to use the system.

The Regional Communications Interoperability Pilot (RCIP) conducted by SAFECOM and the State of Nevada in 2006 contributed to the state’s ongoing interoperability success. The RCIP’s aim is “to improve emergency response communications capabilities by developing tools and best practices that states and communities across the nation can employ.” Over 14 months, local, tribal, state and federal emergency responders met with policymakers and other relevant stakeholders to refine the State’s existing statewide interoperability plan and strengthen planning processes.

DNI's New Info Sharing Steering Committee

The new Director of National Intelligence, Mike McConnell, is setting up a new Information Sharing Steering Committee. One piece of the story caught my attention:

The new body will be called the Information Sharing Steering Committee, (or ISSC), and it is intended to change the corporate philosophies of the 16 often competing U.S. intelligence agencies from their traditional "need to share" philosophy to a more open and cooperative "responsibility to provide" approach, the DNI's office said in a statement.
Five-and-a-half years after 9/11, they're setting up a new committee to change these agencies information-sharing "philosophies"? That was one of the major problems that the 9/11 Commission pointed out almost 3 years ago. Is this progress?

Cyberterror Risk

In January the Congressional Research Service reported that the risk of cyberterror may be growing:

Persistent Internet and computer security vulnerabilities, which have been widely publicized, may gradually encourage terrorists to continue to enhance their computer skills, or develop alliances with criminal organizations and consider attempting a cyberattack against the U.S. critical infrastructure.

Reports indicate that terrorists and extremists in the Middle East and South Asia may be increasingly collaborating with cybercriminals for the international movement of money, and for the smuggling of arms and illegal drugs.

To date, the Federal Bureau of Investigation (FBI) reports that cyberattacks attributed to terrorists have largely been limited to unsophisticated efforts such as email bombing of ideological foes, or defacing of websites. However, it says their increasing technical competency is resulting in an emerging capability for network-based attacks. The FBI has predicted that terrorists will either develop or hire hackers for the purpose of complimenting large conventional attacks with cyberattacks.
The integration of physical attacks with cyberattacks is important to consider. If cyberterrorists were to take down a communication network as an isolated incident, it would be annoying and costly - but not earth-shattering. But on the other hand, if cyberterrorists were to take down the same communication network in conjunction with a physical attack, it could hinder the response and amplify the effects of the attack:
Many security experts also agree that a cyberattack would be most effective if it were used to amplify a conventional bombing or CBRN attack. Such a scenario might include attempting to disrupt 911 call centers simultaneous with the detonating of an explosives devices.
Terrorist recruiting also relies on the Internet:
The Internet is now used as a prime recruiting tool for insurgents in Iraq. Insurgents have created many Arabic-language websites that are said to contain coded plans for new attacks. Some reportedly give advice on how to build and operate weapons, and how to pass through border checkpoints.
There are also links between more common criminal activity and terrorism. Most notably, drug trafficking:
Officials of the U.S. Drug Enforcement Agency (DEA), reported in 2003 that 14 of the 36 groups found on the U.S. State Department’s list of foreign terrorist organizations were involved in drug trafficking. ... Drug traffickers are reportedly among the most widespread users of computer messaging and encryption, and often have the financial clout to hire high level computer specialists capable of using steganography (writing hidden messages contained in digital photographs) and other means to make Internet messages hard or impossible to decipher.
Terrorists need money to fund their operations and often turn to illegal activities as sources of cash. This is an ongoing vulnerability for them.

Risk on the Rails: An Update

This is an update to this post from a couple of weeks ago:

The Government Accountability Office (GAO) released a new statement on rail security. They continue to prod DHS and the Transportation Security Administration (TSA) to complete the required risk assessment and strategic plans for rail security:

[A]s of March 2, 2007, TSA has not issued the required Transportation Sector Specific Plan and supporting plans for passenger rail and other surface transportation modes, based on risk assessments. Until TSA does so, it lacks a clearly communicated strategy with goals and objectives for securing the transportation sector, including passenger rail.
GAO reiterates its support of a risk-management approach to rail security. While acknowledging the complexity and difficulty of managing risk on the rails, due to the inherently open nature of the rail system itself, the number of stakeholders involved, etc., the GAO continues to point out that, despite making progress, DHS and TSA have not completed the required system-wide risk assessment and resulting strategy:
DHS has made progress in assessing the risks facing the U.S. passenger rail system, but has not issued a plan based on those risk assessments for securing the entire transportation sector and supporting plans for each mode of surface transportation, as required by and in accordance with the National Infrastructure Protection Plan.

TSA expects the 50 largest rail transit agencies to complete security self-assessments in early 2007. According to TSA, the agency is using the results of these assessments to set priorities, and has identified underground and underwater rail infrastructure and high-density passenger rail stations as assets at highest risk.
In short, there's progress but more is needed. TSA continues to assess risk on an ongoing basis (e.g., identifying underground and underwater rail and high-density passenger rail as high-risk assets) without an overall picture of the risk environment on the rails.

DHS' New Intel-Sharing Coordinating Group

According to a brief article in Federal Computer Week, DHS has a new coordinating group that's focused on sharing intelligence with state, local, and tribal officials.

Starting [March 1], state, local and tribal law enforcement officials will receive federal intelligence through a new coordinating group established to focus the information in a way that meets those officials’ needs and to unify federal policy on threats to public order.

Lora Becker, incoming director of the interagency federal state and local threat reporting and assessments coordination group, said the group would not generate alerts, warnings or updates on homeland security threats. Its analysts will provide strategic assessments of threats and disseminate them through established routes, such as the FBI's Joint Terrorism Task Forces and the dozens of technology-rich state information fusion centers.

The new coordinating group is a policy initiative established under the federal intelligence reform law that established the Information Environment project. That law, known as the Intelligence Reform and Terrorism Prevention Act, also consolidated the federal intelligence community under the director of national intelligence.

Becker noted that the coordinating group would obtain intelligence from the Department of Homeland Security, FBI, the Defense Department, the CIA, the State Department, the National Counterterrorism Center and other intelligence agencies.

The group's organizers plan to exchange staff members with the partner agencies on one-year assignments.
Are the partner agencies participating in the exchanges are limited to federal agencies, or state and local as well? They're likely to have a better understanding of state and local needs if the staff exchanges extend across levels of government, and not just within federal agencies.

The fact that they're working, in part, through the state fusion centers further reinforces the importance of these centers, which are increasingly the focus of federal efforts to share information in the new Information Sharing Environment. (See previous blog entries like this, this, this, this, and this.)
DHS officials have previously stated that their department’s intelligence officers assigned to the state fusion centers have terminals linking to the department's top-secret network.

Michael Mines, FBI deputy assistant director for the intelligence directorate, described bureau policy toward the fusion centers, saying "the FBI sees these [fusion] centers as a natural bridge to the joint terrorist task forces. We have over 100 analysts assigned to the 42 fusion centers."

Mines said the bureau had obtained security clearances for more than 300 state, local and tribal law enforcement officials to facilitate information sharing.
Within the fusion centers, there's also integration with the private sector - an especially good idea, especially regarding critical infrastructure - since about 85 percent of critical infrastructure assets are under private control:
Jeff Wobbleton, Maryland Coordination and Analysis Center watch coordinator for the Maryland State Police, described how his center has framed a policy for integrating the private sector into its activities. Wobbleton's fusion center has integrated about 150 private sector organizations into its procedures for gathering and sharing information.

"You have to understand that [private company employees] are our eyes and ears," Wobbleton said.

Monday, March 05, 2007

Updated: Arizona's "Homeland Security Force"?

The Yuma Sun reports that the Arizona State Senate has passed a bill authorizing the formation of an all-volunteer homeland security force, which would be separate from the National Guard:

But exactly who could join and what they would do remains unspecified.

SB 1132, given preliminary approval [March 1], would create what essentially amounts to a state militia, under the control of the governor. Sen. Jack Harper, R-Surprise, who crafted the measure, said they would be able to respond, on Napolitano's orders, to any natural or human-caused disaster.

Harper said they also would be available to be deployed along the border to help spot people coming into the country illegally.

Harper said the state needs a Homeland Security Force because Congress last year authorized the president to commandeer any state's National Guard in times of emergency, even without permission from the governor.
It sounds to me like this would muddy the waters in terms of disaster preparation and response. Surely they're not suggesting a "parallel National Guard," simply because in a few limited cases, the president can take control of a state's National Guard forces. Or are they?

And what about disaster preparation? You would have another agency in the mix, and responsibilities would become further diluted.

Seems like a bad idea to me - setting out to establish an agency without specifying what its function or purpose is.

Update 2007-03-06: I need to do some reading. Justin at The Logbook points out that Arizona is seeking to establish a State Guard, which is distinct from the National Guard. About half the states currently have them, though we don't in Illinois. Anyone with info on how the State Guard and National Guard work together - feel free to share.

New Flu Planning Documents

Two new planning documents have recently been issued regarding pandemic flu:

First, the APHA doc: The APHA "prescription" describes some of the problems that are likely to arise in the event of a flu pandemic and offers recommendations for dealing with them. Most of the APHA suggestions apply at the federal level (e.g., actions that Congress and/or federal agencies should take in preparation for a flu pandemic), but some of them can apply at the state or local level as well. A few highlights:

The report points out that public health agencies are generally understaffed now, and that this problem would be greatly exacerbated during a flu pandemic:
[P]rojections estimate that up to 40 percent of the active workforce may be seriously ill and therefore unable to work during some portion of a flu pandemic.Therefore, if staffing levels remain stagnant, the current health care workforce cannot be depended on in event of a flu pandemic.
To deal with the problem, the APHA recommends legislative changes to increase public health staffing levels, as well as other steps, including:
  • Public health officials plan for improving surge capacity of the public health workforce to engage in core public health activities during a pandemic. Advance registry systems should be developed to coordinate volunteer health professionals, as these are preferable to relying on ad hoc or spontaneous volunteers.
  • Existing voluntary entities such as the Medical Reserve Corps be utilized to facilitate an adequate workforce surge capacity.
  • Training programs be developed for volunteers listed on registry systems.
Schools are a major concern:
Schools and school systems are critical to improving our nation’s readiness for and response to pandemic influenza, as planning efforts anticipate that illness rates will be highest among school-aged children (about 40 percent). In fact, school closures are being considered as a primary containment strategy early on in a flu pandemic in order to slow the spread of the disease.
The history of the 1918 Spanish flu suggests that schools are critical to slowing the spread of a pandemic flu, as evidenced by this presentation from the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security and this story in the Washington Post, which included this nugget
St. Louis closed its schools at a time when flu was causing 21 more deaths per 100,000 people per week than what had been seen in previous years. That step -- the earliest taken by any of 33 cities analyzed so far -- appears to have reduced St. Louis's flu mortality by 70 percent.
Businesses must also be prepared, though many are not:
Most businesses do not have pandemic preparedness plans in place. ... APHA recommends [that] businesses be intimately involved in planning efforts for pandemic flu on the local and state level, in collaboration with state and local health departments, schools and government.
The APHA "prescription" also finds that communication is critical to the response. Among other steps, APHA recommends that:
  • Uncomplicated, empathically informed information on normal stress reactions be disseminated widely, which can serve to normalize reactions and emphasize hope, resilience, and natural recovery. The public be informed about the rationale and mechanism for distribution of limited supplies (e.g., Tamiflu).
  • Federal, state and local public health partners plan at societal, local and individual levels for the psychological and behavioral responses of the health demand surge, the community responses to shortages, and the early behavioral interventions after identification of the pandemic, and especially during the time frame prior to availability of vaccines.
  • Good safety communication be disseminated, as promoting clear, simple and easy-to-do measures can be effective in helping individuals protect themselves and their families.
The new OSHA Guidelines, which are only advisory, come to many similar conclusions, specifically regarding business preparation for pandemic flu. The Guidelines point out that a flu pandemic is likely to occur in 6-8 week waves, over the span of a year or more. Different geographic areas will be affected at different times. Challenges for businesses will include:
  • Absenteeism - A pandemic could affect as many as 40 percent of the workforce during periods of peak influenza illness.
  • Change in patterns of commerce - During a pandemic, consumer demand for items related to infection control is likely to increase dramatically, while consumer interest in other goods may decline.
  • Interrupted supply/delivery - Shipments of items from those geographic areas severely affected by the pandemic may be delayed or cancelled.
To deal with these problems, OSHA suggests many obvious steps, such as planning to minimize employees' contact with one another; maintaining stocks of soap and towels, and preparing for supply line disruptions. But a few suggestions are worth highlighting, such as the call for collaboration with state and local officials:
It is important to work with community planners to integrate your pandemic plan into local and state planning, particularly if your operations are part of the nation’s critical infrastructure or key resources. Integration with local community planners will allow you to access resources and information promptly to maintain operations and keep your employees safe.

Be aware of and review federal, state and local health department pandemic influenza plans. Incorporate appropriate actions from these plans into workplace disaster plans.
The list of all State pandemic flu plans can be found here, and a local planning checklist is here.

Other suggestions include planning for downsizing services "but also anticipate any scenario
which may require a surge in your services." This is notable, because the first assumption for many businesses may be to think that activity will only slow down.

And of course communications are critical. OSHA's suggestions include:
Organize and identify a central team of people or focal point to serve as a communication source so that your employees and customers can have accurate information during the crisis.

Assist employees in managing additional stressors related to the pandemic.
A flu pandemic on the order of the 1918 flu could be truly catastrophic, and it could break out at any time. Preparing for the flu is the only responsible course of action.

Friday, March 02, 2007

Info Sharing - Some Good News But More Is Needed

A brief article in GovExec describes some information-sharing efforts among the various levels of government. Fusion centers continue to be the standard-bearer for successful information-sharing enterprises, and more needs to be done:

Homeland Security Chief Intelligence Officer Charles Allen said he is working on information-sharing outreach to state and local governments. "We have made progress," but we need to move faster, he said.

In 2006, authorities created 38 [fusion] centers, which, according to DHS, "blend relevant law enforcement and intelligence information analysis and coordinate security measures in order to reduce threats in local communities."

Homeland Security has provided hundreds of millions of dollars to support the centers.

The department said in 2006 that it would have tailored "multidisciplinary teams of intelligence and operational professionals in major fusion centers nationwide by the end of fiscal year 2008."
It's good to hear someone in Allen's position acknowledging that more needs to be done to share information among local, state, and federal officials.

Incident Response in St. Louis: Better Communications Needed

In August 2006, first responders in St. Louis ran a drill which tested the response to a major chemical incident at Busch Stadium. In the scenario, a terrorist group blew up a chlorine truck on Interstate 64, which passes just a few feet from the new stadium - as you can see in this photo.

The St. Louis Post-Dispatch reports that communications were sometimes poor during the exercise. The Fire Department was especially disorganized, according to a confidential report:

The document saves its strongest criticisms for the Fire Department, whose reluctance to cooperate with the numerous other agencies involved would have, according to the report, led to a higher death toll.

Specifically, the Fire Department was cited for refusal to participate in a "unified command" — disaster lingo for sharing control with other agencies.

The Fire Department was so isolated, according to the report, that a runner had to relay messages between the department and other agencies.

Fire Chief Sherman George blamed the delay in part on the organizers of the test. He said they forced fire officials to take part in a predrill briefing at Soldiers Memorial, not giving them time to set up.

George says now that during the incident, there was never any clear indication that unified command was necessary.
On the one hand, drills are designed to expose flaws in the response, so that when a real incident happens the response is better organized. But it's still disappointing that there wasn't more coordination and better information sharing between the agencies.

Sports arenas are obviously attractive targets to terrorists, although they are also vulnerable to many types of hazards. For example, in the one year of its existence, the new Busch Stadium has already seen a major storm that rolled through just before a game, injuring dozens of fans - a few of them seriously. Also, before a game of the 2006 National League Championship Series, a biohazard detector found tularemia in the air near Busch Stadium before a postseason game, although nothing came of it.

Oil as a Target

Global Terror Alert recently published a translation of a new issue of al Qaeda's "magazine," Sawt al-Jihad. In the issue's one article, the jihadists reiterate their intention to target the U.S. economy, specifically through attacks on the oil industry.

Al-Qaeda has a long history of attacking oil interests, including

Al Qaeda's reason for attacking the oil industry is simple: They see it as one of our biggest vulnerabilities:
Bush's [State of the Union] speech proves that the targeting of oil [interests] constitutes the biggest threat to the United States . . .
Anyone responsible for local homeland security should take note of the writer's exhortation to attack oil interests everywhere in the world, not just in the Middle East or against countries that supply Middle Eastern oil. Domestic oil is a target, as well as oil from Canada and Mexico:

Nevertheless, we must not forget that the U.S. has spent a great deal on alternative energy technology, and will spend even more and in earnest. This indicates that America might become independent of the Middle East, or at least lessen its reliance on the region in the long term, while sufficing with oil from Canada, Mexico, Venezuela, and several new collaborators, as well as domestic energy sources. That is why it is imperative that we strike petroleum interests in all regions that the United States benefits from, and not only in the Middle East. The goal is to cut off its imports or reduce them by all means.

The targeting of oil interests includes oil production wells, export pipelines, loading platforms, tankers – and anything else that will deprive the United States of oil, force it to make decisions that it has avoided having to make for a long time, disrupt and stifle its economy, and threaten its economic and political future.
DHS Secretary Chertoff downplayed the threat, saying, "I don't think I would characterize it as a specific threat." Which is true enough. But prevention requires forward thinking - as Chertoff knows. You don't want to wait until a specific threat has emerged.

This may have been stated best al Qaeda themselves:
Our principle: If you are taking action, then you are the victor.
Which is an overstatement, of course. But on the other hand, there's no doubt that if you're doing nothing, you're losing.