Taking stock two years later

After the Sept. 11, 2001, terrorist attacks, the United States embarked on a complex task: protecting an open society of 292 million people living in a nation with more than 200 ports of entry and 7,500 miles of borders.

And doing it in a way that does not unduly interfere with the free flow of ideas, people and commerce.

And devising terrorism prevention and response programs that not only work today but can also meet changing threats in a long-term effort.

The federal government is backing a multitude of domestic defense initiatives, many of which rely on information technology. The Homeland Security Department, created in November 2002, received $37 billion for fiscal 2003 and has a similar budget for this fiscal year.

Homeland security spending is the subject of much discussion among think tanks, industry groups, emergency responders and government officials. Whether the money spent on homeland security is sufficient, inadequate or overkill is an important question that's difficult to answer. Some homeland security initiatives have recently commenced, but others won't be fully deployed for years.

James Carafano, senior research fellow at the Heritage Foundation, likens the war on terrorism to the Cold War, in which the tools for addressing the conflict evolved over several years of trial and error. "That is the period we are in right now," he said.

The following sections assess IT-oriented homeland security efforts in six areas: entry/exit monitoring, transportation, emergency response, bioterrorism, critical infrastructure protection and business continuity. Investments in those fields are recent, and progress may be uneven at times, observers say.

Entry/exit system: High visibility, tight budget

The ability to screen people who enter the country is an important line of defense.

"The most important thing we can do in terms of homeland security is to make sure terrorists don't get into the country," said Charles Pena, director of defense policy studies at the Cato Institute. "All the hijackers on [Sept. 11, 2001,] came into the country through legal means. If you keep the bad guys out, you will have gone a long way toward protecting the homeland even if you do nothing else."

After the first World Trade Center bombing in 1993, the government started programs to track foreign visitors. The Student and Exchange Visitor Information System (SEVIS) debuted as a database for tracking foreign students. In another effort, the Justice Department launched the National Security Entry-Exit Registration System (NSEERS).

DHS' U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) is scheduled to supersede SEVIS and NSEERS. US-VISIT will use biometric technology to track foreign visitors. Industry executives have described US-VISIT as among the most crucial homeland security investments.

Pena questioned the amount of money set aside for a project of such importance. "With respect to US-VISIT, you would think that it would be a high-priority, big-budget item inside of DHS," he said. But of DHS' $330 million for fiscal 2004, US-VISIT is less than 1 percent of the budget, he said.

Ray Bjorklund, vice president of consulting services at Federal Sources Inc., said US-VISIT was reduced from its original fiscal 2004 budget submission. DHS officials, however, expect fiscal 2005 funding to be higher.

US-VISIT's challenges, however, aren't only financial. Shane Ham, a senior policy analyst with the Progressive Policy Institute, said US-VISIT may well inherit its predecessors' problems, noting difficulties with the SEVIS rollout and the utterly failed implementation of NSEERS.

Transportation: Funding for cargo security

The movement of goods and people falls under the scope of homeland security. The government's major homeland security investments are cargo-screening initiatives and a program to create a common identification credential for transportation workers, according to industry groups and analysts.

The security of shipboard containers, which could potentially harbor weapons of mass destruction, is particularly critical. About 90 percent of all cargo moves in containers, according to a Rand Corp. report on sea-container shipping security. The report cites estimates indicating that less than 2 percent of containers are checked to verify what is inside.

The DHS appropriations bill funds two programs aimed at boosting shipping security. The Container Security Initiative (CSI), granted $62 million, aims to boost container inspections at major ports worldwide. The Customs-Trade Partnership Against Terrorism (C-TPAT), which received $14 million, seeks to create a list of trusted foreign shippers. Manufacturers and shippers that meet supply chain security standards will have expedited port inspections.

"The Container Security Initiative has got to be implemented," Carafano said, noting the seaboard containers' dominance of world trade. C-TPAT, meanwhile, will help inspectors focus on suspect containers, he added.

Although CSI and C-TPAT are recent efforts, an IT system to monitor cargo security started before Sept. 11, 2001. IBM Corp. is building DHS' Automated Commercial Environment under a contract awarded in April 2001. ACE, which the former Customs Service initially conceived as an import information modernization program, has lately gained a homeland security role. For example, ACE includes a Web portal through which shippers will disclose what they are importing.

"ACE will provide the IT platform to enable and implement the tenets of C-TPAT," said Scott Campbell, a senior communications consultant with Robbins-Gioia LLC, which provides program support for customs' modernization effort.

The DHS fiscal 2004 appropriations bill provides $318.7 million for the project but with several provisions. Funds can't be allocated until the project complies with Office of Management and Budget capital planning requirements and undergoes a General Accounting Office review, for example.

Jack Legler, director of trucking security and operations at the American Trucking Association, said it is too early to tell if the funding for cargo security is too much or too little. The top homeland security-related priority for his organization is the Transportation Worker Identification Credential. TWIC would provide a common credential for workers with access to secure areas of transportation systems.

The human factor, not technology, is the most important element of transportation security, because "cargo is in the hands of line employees," Legler said. "Bad people can undo good systems." TWIC received $50 million in funding from DHS appropriations.

First responders: Underfunded on the front lines?

When defensive measures fail, first responders — police, fire and other emergency personnel — deal with the aftermath.

The Council on Foreign Relations reported in June that emergency responders are dramatically underfunded. "Many of our cities would agree," said Deborah Rigsby, senior legislative counsel at the National League of Cities. She said local jurisdictions find it financially draining to prepare for higher national terrorism alert levels, among other homeland security duties.

Specifically, the Council on Foreign Relations stated that additional funds are desperately needed in two IT-related areas: 911 systems and first responder communications systems. The council said more money is needed to extend 911 systems nationally "to foster effective emergency data collection and accurate local dispatch."

In Oregon, a public/private partnership has expanded Portland's 911 system into the Regional Alliances for Infrastructure and Network Security, or RAINS-Net. The system uses the 911 system to provide emergency incident alerts to schools, hospitals and building managers. Participants refer to RAINS-Net as a grass-roots effort, citing private company sponsorships and only $60,000 in Oregon state grants.

"We want to keep a grass-roots quality to it," said Charles Jennings, RAINS-Net chairman. "All homeland security is local in the end."

But when it comes to federal funding, RAINS-Net "is a little more grass-roots than what we would like," Jennings said. He said it has been difficult to get federal dollars, in part because DHS is just getting started itself. He expressed confidence, however, that RAINS-Net would be able to get federal support this fiscal year.

As for emergency communications systems, the Council on Foreign Relations advocates interoperability "so that those on the front lines can communicate with each other while at the scene of an attack," according to the council's report. Radio systems used by different police and fire departments are notorious for being incompatible.

DHS' SafeCom program, one of the Bush administration's 24 e-government initiatives, is the key federal program on the interoperability front, according to industry executives. SafeCom aims to promote efficient wireless emergency communications.

Alan Caldwell, director of government relations at the International Association of Fire Chiefs, based in Fairfax, Va., said SafeCom has been around for more than a year but has only recently become an active organization. He said it is an ambitious program that will be helpful in funding interoperable communications systems.

Wireless communications programs, in general, fared well in DHS' fiscal 2004 appropriations bill. Bjorklund said the bill included more than $100 million for wireless technology.

Bioterrorism: Public health gets more dollars

Public health officials recognize and react to disease patterns in a given community. In that context, they occupy the front lines as emergency responders in any bioterrorist attack.

Before Sept. 11, 2001, however, investment in the public health information infrastructure was sporadic at best. "Public health officials have been sorely lacking in IT support for years and years," Bjorklund said.

The IT infrastructure projects that did come to fruition typically were built for specific disease programs, said Dave Ross, executive director of the Public Health Informatics Institute. But those single-purpose infrastructures failed to provide "much of an enterprise foundation on which a more complex information capture and transfer can take place," said Ross, who retired from the Centers for Disease Control and Prevention in 1998.

In the late 1990s, Congress began allocating money for such public health IT initiatives as CDC's Health Alert Network (HAN) and the National Electronic Disease Surveillance System (NEDSS). But the real infusion of money came after the terrorist attacks of September 2001 and the anthrax attacks, observers say.

The nation seeks to build an effective information infrastructure for public health, linking local, state and federal authorities and private health entities, Ross said. CDC officials, he added, are in the process of assembling an architectural framework, the Public Health Information Network, to support such national interoperability.

PHIN will capitalize on existing systems such as HAN and NEDSS, providing a national network for detecting, monitoring and responding to diseases. Ross said PHIN is an important step but insufficient by itself given the investment still required at the local level.

"Local health departments are being asked to implement an information infrastructure capable of using state-of-the-art technologies and emerging communications and data standards," Ross said. "That is going to require technical staffing and, undoubtedly in many places, a new technology base."

So, public health presents a mixed investment bag. On the upside, more money is flowing to public health organizations relative to past expenditures. But that flow has only recently begun. "It's going to take a while before we see the benefit of that investment put in place at the state and local levels," Ross said.

Critical infrastructure: Industry takes the investment lead

Protecting the nation's critical infrastructure — water systems, power plants and oil pipelines, for example — is a vast undertaking. The keepers of those assets had a running start on security and disaster recovery. The Year 2000 computing problem forced organizations to assess their vulnerabilities and create contingency plans. Industry sectors such as electricity started planning for potential terrorist strikes years before Sept. 11, 2001.

"Industry itself has been carrying the ball down the field so far," said Michael Hyland, director of engineering services at the American Public Power Association, which represents community-owned electric utilities.

He pointed to efforts such as the North American Electric Reliability Council's Critical Infrastructure Protection Advisory Group. The organization came into existence following a Clinton administration directive seeking government and industry cooperation on a national protection plan. The advisory group provides guidelines to utilities on physical security and cybersecurity.

Industry, though, will need federal funding if the government requires additional security measures, he said. If there were a requirement to have a guard constantly monitor a closed-circuit television system, for example, the cost would greatly burden smaller utilities, he said.

As for cybersecurity, Bernard Cowens, vice president of security services at Rainbow Technologies Inc., said he sees increased interest in securing the supervisory control and data acquisition (SCADA) systems utilities use. In such systems, a master station sends control commands to a remote terminal unit, which in turn controls a particular instrument, such as a valve in the case of a water facility. The units can also send data back to the master stations. The security task is to authenticate those communications.

Cowens said he is seeing more emphasis on this facet of critical infrastructure protection but additional funding would help.

"The issue of SCADA systems is an important one," said Shannon Kellogg, director of government affairs at RSA Security Inc. "There clearly has to be more focus on updating these outdated systems that control a variety of infrastructure."

Business continuity: COOP becomes an item

Business continuity, or continuity of operations planning (COOP) in government parlance, has been a catchphrase among federal information technology managers since the terrorist attacks of 2001.

The push for COOP, however, predates Sept. 11, 2001. A Clinton administration directive issued in 1998 directs agencies to develop COOP plans for essential functions. OMB's Circular A-130 Appendix III requires contingency planning for major applications. The Year 2000 problem also inspired agencies to consider their disaster response.

Although the COOP mandate was clear, the money was discretionary, said Chris Alvord, chief executive officer of COOP Consulting LLC. "Unfunded mandates don't get a lot of attention," he said.

The situation is beginning to change. With the fiscal 2004 funding cycle, agencies have made COOP a line item in their budget submissions, Alvord said. Computer security was given its own line item last year, he added, noting that "this year, COOP is the line item of choice."

To make sure they get their COOP budget requests, agencies should present a strong business case to justify the investment, said Bill Johnston, president of Alinean LLC, a return-on-investment consulting firm. In the public sector, the justification must go beyond the traditional private-sector measure of revenue lost per minute of downtime. Johnston suggested constituent perception, meaning confidence in government, as an important consideration.

"The trend is agencies using these business cases to secure larger shares of limited or decreasing budgets," he said.

Moore is a freelance writer based in Syracuse, N.Y.

***

Disciplined investment

Although funding for homeland security projects is starting to flow, no one is calling it a torrent.

And that may be a good thing, according to some observers.

"We need to fund for a long war," said James Carafano, senior research fellow at the Heritage Foundation. "Rushing out and spending a lot of money on defense measures — when you don't have a good plan for that — is not only wasteful, it's counterproductive."

The government's homeland security spending should rest on "a clear set of priorities based on standards, so we spend the money on the right thing," he added.
