05/5/13

The Origin of “Terrorism”

“Terror is nothing but justice, prompt, severe and inflexible; it is therefore an emanation of virtue.”

Maximilien Robespeirre, Report on the Principles of Political Morality, 5 February 1794

Robespierre made the case that his regime de la terreur of 1793-94 was “virtuous” in its restoration of order after the French Revolution. And it is from these beginnings, the “Reign of Terror”, that the term, “terrorism” has its roots. Since that time, the word has become a useful moniker to attach to those individuals, groups, or organizations that use fear and violence for political purposes or that for political reasons need to be vilified.*

Robespierre believed that terror was the most effective method of ensuring virtue, and he would have defended his tactics eloquently and with an argument based in a scholarly study of government. This is not meant as a defense of the Reign of Terror, but is intended to illustrate that as then, there is today little agreement on the concise definition of the word “terrorism”. One man’s terrorist is another man’s freedom fighter, as they say.

Similarly, there is little agreement on the definition of “homeland security”. While the federal act of the same name enacted in 2002 does provide a framework for defining the word in terms of the federal department, like “terrorism”, “homeland security” can mean different things to different people. It is important to understand the meanings (or potential meanings) of words used in the homeland security enterprise not because they explain homeland security, but because they expose some of the wicked problems of homeland security.

* – For more on the origins of “terrorism”, I recommend Bruce Hoffman’s book Inside Terrorism, available here.

02/20/13

New Presidential Policy Directive 21 (PPD 21) “Kicks the Can” on Critical Infrastructure Protection

On February 12th President Obama released Presidential Policy Directive 21 in conjunction with his State of the Union Address. PPD 21 directs the Department of Homeland Security to work with critical infrastructure owners and operators, federal agencies that oversee critical sectors (SSA’s or sector-specific agencies), and State, Local, Tribal and Territorial governments (SLTT’s) to protect critical infrastructure from attack or disruption. The new policy recognizes the importance of cybersecurity in critical infrastructure protection, which the 2009 National Infrastructure Protection Plan does not address as vigorously. It also establishes “national critical infrastructure centers” in the physical and cyber space designed to promote information sharing and collaboration. Additionally, the policy orders the State Department to be engaged with DHS on issues of international interdependencies and multi-national ownership, growing concerns of the global economy.

But PPD 21 is just as interesting for what it includes that isn’t new, and much of it is not new. It raises several questions about what progress has been made over the past 5-10 years, and why the Obama Administration feels the need to reset the timer.

For example, PPD 21 requires DHS to “identify and prioritize critical infrastructure” as an “additional role and responsibility”. But DHS has been doing this for years. In 2003 I received a phone call from a DHS contractor. As coordinator of state-owned infrastructure, I must have made some list of contacts given to a (probably Booz Allen) contract DHS employee. I was asked a series of questions regarding critical infrastructure in my jurisdiction. The information was needed, according to the contractor, because the Department of Homeland Security was compiling a state-by-state list of critical infrastructure. In the years since, I have submitted revisions and updates to my “Tier 1 and Tier 2″ lists of sites. The Government Accountability Office (GOA) describes this process this way in a 2010 report:

“The process of identifying these nationally significant assets and systems is conducted on an annual basis and relies heavily on the insights and knowledge of a wide array of public and private sector security partners. CIKR categorized as Tier 1 or Tier 2 as a result of this annual process provide a common basis on which DHS and its security partners can implement important CIKR protection programs and initiatives, such as various grant programs, buffer zone protection efforts, facility assessments and training, and other activities. DHS has other tiered categories of infrastructure whose destruction or disruption would not have a significant national or regional impact, though local impacts could be substantial.”

- GAO-10-296 Critical Infrastructure Protection: Update to National Infrastructure Protection Plan Includes Increased Emphasis on Risk Management and Resilience

DHS’ “additional roles and responsibilities” also includes the development of vulnerability assessments on CI/KR, which they have also done for years via their Protective Security Advisors. These efforts are aimed at meeting the risk management goals of prioritization and the establishment resource allocation priorities via programs such as the Buffer Zone Protection Program. The list of “additional roles” within PPD 21 for DHS goes on to include providing informational support, coordination with Federal departments on prosecutorial issues, and mapping. All of which are old news.

PPD 21 does little to enhance the CI/KR resilience programs already in existence. And while movement toward cybersecurity and a nod to the national continuity directives are helpful, they are also kind of obvious. These are simple adjustments not grand new (State of the Union announcement!) plans. It will be interesting to see what comes of the “national critical infrastructure centers”, and we look forward to reading the annual reports. But in the end, PPD 21′s most significant contribution to improving the National Infrastructure Protection Plan might be the removal of the National Monuments and Icons and Postal and Shipping sectors. No one was quite sure what to do with those. Make Mount Rushmore more resilient or teach UPS how to manage emergencies?

01/28/13

New Congressional Report: Homeland Security Still Not Defined

We have said here that we are not quite sure what “Homeland Security” is, particularly at the local level. Now a new report from the Congressional Research Service (CRS) says that ten years after the 9/11 attacks the federal government still does not have a concise definition for homeland security. The brief report is unambiguous as it points out the strategic repercussions of the lack of agreement on the scope and function of homeland security. Consider this passage from the report’s summary:

“Varied homeland security definitions and missions may impede the development of a coherent national homeland security strategy, and may hamper the effectiveness of congressional oversight. Definitions and missions are part of strategy development. Policymakers develop strategy by identifying national interests, prioritizing goals to achieve those national interests, and arraying instruments of national power to achieve the national interests. Developing an effective homeland security strategy, however, may be complicated if the key concept of homeland security is not defined and its missions are not aligned and synchronized among different federal entities with homeland security responsibilities.” (p. 2)

The report discusses the evolution of the homeland security enterprise in the various strategies and reports that have been published since 2001 and discusses the implications of the lack of consistency on the nation’s overall homeland security strategy. A highlight of the report is a useful table on page 8 entitled “Summary of Homeland Security Definitions”. It provides an overview of the pertinent homeland security strategic plans and their associated definitions for “homeland security”. This table should be required reading in every Introduction to Homeland Security course.

An opportunity exists to augment this report by discussing the implications of homeland security ambiguity to state and local governments, universities and the private sector. States and local governments must implement programs related to homeland security in support of the national effort. State and local government officials need a thorough understanding of the stated goals of homeland security in order to provide that support. Further, colleges and universities are developing programs that provide degrees in homeland security. Without a clear understanding of what homeland security means, it will be difficult to fully prepare the next generation to fill strategically important roles in the enterprise. And businesses across the country are developing products and services to serve a discipline that could stimulate the economy. But to be successful these businesses need clarity of the mission.

The essential problem is summarized very concisely in the following passage from the analysis section of the report:

“Homeland security is essentially about managing risks. The purpose of a strategic process is to develop missions to achieve that end. Before risk management can be accurate and adequate, policymakers must ideally coordinate and communicate. That work to some degree depends on developing a foundation of common definitions of key terms and concepts. It is also necessary, in order to coordinate and communicate, to ensure stakeholders are aware of, trained for, and prepared to meet assigned missions. At the national level, there does not appear to be an attempt to align definitions and missions among disparate federal entities. DHS is, however, attempting to align its definition and missions, but does not prioritize its missions; there is no clarity in the national strategies of federal, state, and local roles and responsibilities; and, potentially, funding is driving priorities rather than priorities driving the funding.” (p. 13)

Our compliments to the CRS and analyst Shawn Reese for a hard-hitting report that doesn’t mince words. We at Homeland Security Roundtable hope it gets the attention it deserves.

11/4/12

“Cybersecurity Is the New Homeland Security”

MS-ISAC Dashboard (http://msisac.cisecurity.org/apps/dashboard/)

In a recent conversation with a state/local homeland security professional, a discussion about the relationship between cybersecurity and homeland security began with a compelling story about the early days, when homeland security was just emerging from the ashes of 9/11. Tom Ridge was, like William “Wild Bill” Donovan in the early days of WWII, building a new government agency to defend the country. White powder near the coffee maker or on the table where the powdered donuts were eaten yesterday was resulting in calls to 911. And concepts like “critical infrastructure protection” and “public-private partnerships” were becoming popular priorities…

“…I was appointed my agency’s representative on our states “homeland security task force”, so I was doing that plus my regular job which at that time hadn’t changed much. I remember clearly getting an email (back in those days I didn’t get as many so I could actually remember them). The email said that my agency was being awarded a grant of $100,000.00 for homeland security projects. Just like that. Here’s a hundred grand. Spend it. A few years later I applied for and was awarded over $2 Million in one year for my agency’s projects. Then we had a process but it was manageable. A couple of years after that, the process started getting heavy. Lots of red tape, lots of detailed submittals. And there was more competition and a rigorous application and selection process. Around 2008 it began to get downright difficult to find time to get the regular job done. Now, the money is almost non-existent, but the hassle remains and then some. So if you want to know what is keeping us from pulling out of the homeland security enterprise all together, I’ll tell you. First, we want to remain at the table and have access to collaborative opportunities and information. Second, cybersecurity. Our networks are being attacked all day everyday and our systems are vulnerable. Cybersecurity is the new homeland security and we are afraid of missing out on opportunities to get help.”

The phrase “cybersecurity is the new homeland security” was the impetus for a brainstorming session that resulted in the following five ideas or concepts associated with the relationship between cybersecurity and homeland security. We did not necessarily set out to answer any questions or decide on any outcomes, but we found the conceptual discussion provided great opportunities for research and discussion:

Cybersecurity is a Part of Homeland Security – Cybersecurity may be a part of one sector of the homeland security enterprise. In the National Infrastructure Protection Plan it would likely fall somewhere within the Information Technology sector. However if that is true, it may be currently the only sector that matters. Toss out the sectors that haven’t been attacked today, or this week, or this month, and you are left with IT. And with all of the other sectors relying on IT systems to operate, why do we need the rest of the plan? (It’s a conceptual question.)
The Bad Guys Are in Cyberspace – With drones buzzing overhead waiting for the bad guys to look up or worse, make a phone call, what better way to keep up the attack on the US then staying underground and anonymous. No need to go to the airport with a thousand cameras watching your every move. The Israelis have you profiled before your bags are out of the trunk. Just pick a cool online handle and bounce your IP through Iran. You’ll be probing US drinking water systems or the power grid by lunch.
Cyberspace is All-Hazards – A few years into the homeland security enterprise “all-hazards” became a buzzword. It was followed by “resilience” and the current “whole community“. But homeland security should be an “all-hazards” enterprise, and cybersecurity certainly fits the bill. Cyberspace is rife with not just terrorists but, more abundantly, everyday criminals. Cybersecurity offers an unparalleled opportunity for the all hazards approach, and any agency involved in cybersecurity operations must operate to root out crime and terrorism. That’s worth funding with grants. And that’s why Director Mueller is focused on cyber.
Homeland Security is Still Vague and Nebulous, Cybersecurity is Not -We know it is a recurring theme here at HLSR but we still don’t completely understand what “homeland security” really entails or how well most homeland security degrees prepare students to enter the workforce. However give me a BS in Network Security from an accredited school and I’ll give you a job.
The Energy and Excitement Factor – The energy and excitement is in the Cybersecurity area today just as it was in the homeland security area in 2002. However the trends all point to a longer and more drawn out fight in cyber as computers become more and more a part of everything we do - cybersecurity may outlive homeland security. One litmus test is, “What is Congress currently unable to agree upon?” They have been most recently unable to pass some much needed cyber legislation, so states are getting more involved. That means that whether Congress acts or not lots of energy, excitement, money and jobs are in the field of cybersecurity, while the Homeland Security Grant Program fizzles and the Urban Area Security Initiative downsizes.

We’re not giving up on homeland security, and an “all-hazards”, “resilient”, “whole-community” approach is necessary in the long term. Tactics will evolve and too much focus in one sector will surely leave us vulnerable. But there is no denying the fact that thousands, probably millions of attacks occur daily on US infrastructure via the computer networks. If the Department of Homeland Security truly focuses on risk, there will be a laser focus on cybersecurity for years to come.

09/21/12

The Next War

“This is the way the world ends. Not with a bang but a whimper.”

~ T.S. Eliot, The Hollow Men

_________________________________________________

“Portland Tower, NW flight 337 heavy”

“Flight 337, Portland Tower”

“Portland Tower, flight 337, we are experiencing instrument inconsistencies. Could you give us your read on our altitude and location?”

“Flight 337, are you declaring an inflight emergency?”

“Negative Portland, we just want to validate what are instruments are telling us.”

“Flight 337, we have you at 4-7-thousand about 100 miles west of Boise, at 490 knots.”

“Portland, be advised, we will need your assistance until otherwise notified. Instruments have us at mach 3 entering Canadian airspace.”

Not the only problem noted, but one of the first recorded. Aircraft throughout the west coast begin reporting similar instrument failures. The Air Traffic Controllers quickly push the issue up the chain, and the FAA, in consultation with the DHS and the President, grounded all flights over California, Oregon, Washington, Idaho, Montana, Utah, Arizona, Nevada, Alaska and Colorado.

Verizon, AT&T, and Sprint, became flooded with notices that cellular phones were inoperative. All carriers receive similar reports. The same collection of western states is now plagued with lack of wireless service, and land-based communications are soon overwhelmed.

Many hospitals began reporting that their medical paging systems were no longer operational. ATM’s all over the west coast were no longer amenable to giving you your hard earned cash. The ports of Los Angeles, Long Beach, San Diego, Seattle/Tacoma, and San Francisco lose the ability to track ship traffic, and cargo had to stay ocean bound while a low tech solution was used to allow ships to safely enter and leave the ports. On ship gyroscopes were giving ship’s navigators inaccurate readings, as the gyros are calibrated using GPS. Many cargo ship captains choose to stay far out at sea for fear of hitting other vessels. Anti-collision digressed to visual spotters and binoculars.

Rail traffic slowed to 10% of capacity, as the presidentially mandated Positive Train Control (PTS) caused collisions and near collisions by reporting train location data incorrectly.

Rolling blackouts began to occur as electrical grid operators were no longer able to synchronize power with other grid dwellers. To make matters worse, some of the smaller electrical suppliers began suffering Aurora Vulnerability failures.

Likewise, water and sewer operators began suffering catastrophic failures of large electric pumps, again from Aurora Vulnerability. Domestic water service was spotty, and waste water began exploiting emergency overflow plans, causing contamination and potential disease issues.

Industry officials reported that the software addressing Rockwell International Programmable Logic Circuits (PLC), the most common PLC in use in America and commonly used in SCADA (supervisory control and data acquisition) controls had malfunctioned. The result was physical destruction of the pumps and generators.

Social media spreads the word about inaccessible ATM machines. By the time banking hours rolled around, people fearing their lack of ATM access to their cash began drawing out large sums. Retailers start moving towards cash only transactions. Civil disturbance became a potential issue for local law enforcement.

The military began a flurry of activity to mitigate the impact of these occurrences on their Power Projection capabilities. A Power Projection Platform (PPP) is “an Army installations that strategically deploy one or more high priority active component brigades or larger and/or mobilize and deploy high priority Army reserve component units.” This disruption has taken out PPP for three key locations: San Diego, Tacoma, and Colorado Springs. Even the remaining 12 platforms were degraded, as the cascading effect of crippled west coast rail traffic slowed rail traffic to east coast sea ports.

The Air Force was concerned about air sovereignty for a significant portion of the US land and sea border. The Navy was repositioning ships, but cautiously due to the increase of directionless cargo ships. As the military scrambled to find answers, they discovered that five (5) GPS satellites had been “spoofed” which alters the satellite’s transmission from their internal atomic clocks. The result is inaccurate positioning data. Much worse, the GPS clock data is used for cell phone tower coordination, electrical grid synchronization, gyroscopic system validation, stock market fraud prevention, and many other infrastructure systems. Just knowing you are being spoofed does not provide immediate relief. Since the GPS signal is spoofed after it leaves the satellite, the fix is not at the satellite. The spoofing has to be stopped.

Once the news of the spoofing leaked out, unscrupulous stock traders tried to exploit the time inaccuracy to leverage advantageous stock purchases. If you know in advance a stock is going up, and you can use the time inaccuracy to “back date” your purchase, you can win every time. The New York Stock Exchange closes until the vulnerability can no longer be exploited.

The net result is economic crisis, transportation gridlock, much of the west coast population is challenged by a lack of water, power and sewer, degraded military capability, crippled supply chain, disrupted crop cycles (irrigation), and lack of capacity for just-in-time perishable commodity delivery.

___________________________________________________________________________________________________________

In designing this scenario, I limited myself to existing technology, capabilities, and conditions. I have cited references for those who disbelieve or want more information. An attack of this magnitude would require the sophistication and resources of a nation state. I assert this is the same formula that describes the STUXNET attack on the Iranian nuclear centrifuges. The technology in the scenario already exists, and is, generally speaking, readily available. One of the additional advantages of a cyber-based attack is that none of the cited technologies allows for easy attribution. Against whom do we retaliate?

GPS spoofing has already occurred, both intentionally and unintentionally. Allegations were made that North Korea jammed the GPS signals near the North/South border. Although denied by the North, the following advisory came out to pilots operating in the area:

CAUTIONARY INFORMATION FOR AIRCRAFT OPERATING IN INCHEON FIR:

PILOTS HAVE REPORTED THAT GPS SIGNALS ARE UNRELIABLE OR LOST INTERMITTENTLY IN INCHEON FIR.

EXERCISE EXTREME CAUTION WHEN USING GPS. 28 APR 00:32 2012 UNTIL 03 MAY 15:00 2012 ESTIMATED.

CREATED: 28 APR 00:34 2012.

Of course the criminal element would not want to miss out. Here is a quote describing the economics GPS spoofing: “Criminals could also spoof GPS timing for profit. The US National Association of Securities Dealers requires financial traders to time-stamp transactions with an accuracy of within 3 seconds. The bad guys would spoof the timing at their preferred site and, watching an upward trend, buy stock a few seconds in arrears,’ says Humpreys. ‘Those three seconds could be worth a lot of money.”

Another GPS disruption impacted the San Diego area. Traced to a US Naval exercise, it impacted GPS navigation, ship tracking, ATMs, cell phones, and emergency medical paging. GPS jamming on a smaller scale is both cheap and easy, thanks to internet retailers. Truck drivers who don’t want their bosses to know where they are can jam the signal coming from their truck. Some toll roads use GPS as part of the toll system. Jammers can provide a free pass through the toll gate.

We have become very reliant on GPS, not just for navigation, but for that precise internal atomic clock that is necessary for GPS to work. The technologies that rely on that clock are varied. For example, the ability of electrical grid operators to synchronize the electricity on the grid from multiple generation sources is essential for inter-system electricity distribution. This synchronization is done with GPS.

There is a system that provided an alternative to GPS navigation. Called eLORAN, it is still used in many countries, but is being abandoned in the US, leaving us no alternative to GPS.

GPS is also an essential part of the Positive Train Control system (PTC). The Rail Safety Improvement Act of 2008 (RSIA) (signed by the President on October 16, 2008, as Public Law 110-432) has mandated the widespread installation of PTC systems by December 2015.

Let us not forget that many of the precision weapons the military now uses rely upon GPS to insure they hit the right target. These include several of our rockets, bombs, and torpedo systems. Spoofing the GPS would render these weapons inaccurate, thereby mostly unusable. Viewed from a cost benefit perspective, the US spends about $18,000 for each of a particular kind of GPS guided bomb. Imagine how many cyber hackers can be trained for that same $18,000. Multiply that by an order of magnitude in the thousands, and you can see the advantage for the developing nation. Buy one bomb versus train and employ a team of hackers.

And finally, the scenario’s PLC attack is an echo of what was seen with the Stuxnet worm. After Stuxnet was isolated and identified, the rest of the world (i.e. those not responsible for its creation) was able to learn of its etiology. Stuxnet was designed to find a specific type of Siemens controller that the Stuxnet creators knew was being used in Iran to control their nuclear centrifuges. Although Siemens has much of the market worldwide, Rockwell International is very common in the US market. Now that Stuxnet is out in the wild, it would be easier for an antagonist nation to reverse engineer the capabilities of Stuxnet, and point them at the programming for a Rockwell control. If this worm could be used to knock the power out of phase for a larger electric motor or generator, then you get an Aurora Vulnerability. Like the Stuxnet attack in Iran, an Aurora Vulnerability causes physical destruction of the asset, not just destruction in the virtual world.

Although there is nothing available that specifically tells the story of how Stuxnet got into the Iranian centrifuge control system, it might be relevant to point out that the Iranian system is “air gapped” which means that it is not directly connected to any external network, including the internet. Using an air gap is a common method of foiling internet based intrusions. To illustrate vulnerability, refer to an experiment conducted by DHS. This experiment was designed to see what government employees would do if they found a disc or USB memory stick in their parking lot. 60% of employees plugged the found device into their work computer. If the device had an official seal on it, that number rose to 90%. Keeping this study in mind, how hard would it be to infect the host network (i.e. the municipal network, the company network)? Once the common network is infected, how long would it take before someone crossed the air gap with a now infected USB device, or how long before the laptop used on the common network is later used on the control network? Before you know it, the worm is in the control, awaiting action.

America is the only remaining super power in the world. As a result, it would be fool hardy to attack the US with traditional tools of war. Our enemies already recognize this, and are planning accordingly. The scenario outlined here does not require jet fighters, destroyers, helicopters, technological superiority, or even rifles. The war begins without firing a single shot.

09/17/12

New Contributor, Scott Winegar, Has Diverse Background in Homeland Security!

We are pleased to welcome a new contributor to HLSR who has seen the evolution of security from the military, police and now homeland security education angles. Scott Winegar comes with experiences from a varied background. Scott has a BA from Portland State University in Administration of Justice. He was later selected by Department of Homeland Security to attend the Center for Homeland Defense and Security at the Naval Postgraduate School. There he was awarded an MA in Homeland Security.

Scott retired from the Portland Police with more than 27 years of service, achieving the rank of Police Captain. During his tenure with this agency, he served in a variety of roles, including patrol operations, investigations, gangs, hostage negotiation, personnel, and emergency management.

Scott also served 34 years in the military, most of which in the National Guard. He started his military career as a military policeman. Upon receiving a commission as a second lieutenant, he attended the Army’s Engineer School. During his years of service, he commanded a humanitarian aid mission to Jamaica, where his team built schools for several of the underprivileged villages in the country’s interior. He finished his years of service at National Headquarters in Washington DC. While there, he worked on a variety of issues, including critical infrastructure protection and intelligence. His duties also included deployment as the National Guard representative to almost all of the National level disasters occurring over the last few years. He helped coordinate the response for 4 hurricanes, 2 major wildfires, and finished by working at the Deepwater Horizon oil spill.

After retiring from the Portland Police, he accepted a job as second in command of the Portland Bureau of Emergency Management. He retired from that job to join the faculty at Concordia University-Portland, where he is Director of the Homeland Security degree program. We are thrilled to have Scott as a new contributor. The only problem will be deciding what sector with which to associate him! Welcome Scott!

09/16/12

HLSR Upgraded! – New Look and Feel, Better Mobile Device Support

Welcome to Homeland Security Roundtable! If you have been here before, you will notice that the site has changed. We have altered the look and feel of the site to enhance the overall viewing experience and to add some features for mobile devices. We have exciting new content on the way with new contributors and posts! We would appreciate any comments on the finish and functionality of the site. We will consider any adjustments necessary to provide our readers with a pleasant experience. Thank you!

09/16/12

The Role of Public Private Partnerships in Mass Prophylaxis Campaigns

The hallmark of the 2009 H1N1 Pandemic was the dependence on the private sector to assist public health with both the logistics of vaccine distribution and access to priority groups for its vaccination campaign. The irony was that federal planning guidance during the formative years of public health preparedness directed state and local departments of health (DOH) to focus on public health operated mass vaccination clinics and assume responsibility for vaccine distribution. Much of this guidance dated back to the 20th century so it caught public health planners by surprise when a “blended” model was rolled out by the Centers for Disease Control & Prevention (CDC). The blended model was defined as a mix of DOH operated mass vaccination clinics supplemented with physician practices that could reach at-risk priority groups and protect them against the H1N1 novel virus.

The most prominent role the private sector assumed was that of logistics. In the days following the World Health Organization’s announcement in April 2009 that H1N1 had reach pandemic proportions, the CDC learned from its conferences with state DOH that the logistics function of vaccine storage and distribution in most states had been disassembled resulting from budget cuts in the 1990s. Thus, CDC had to find a way to get vaccine from manufacturer to medical providers without the benefit of a state’s driven logistics infrastructure. Given a declared public health emergency HHS/CDC had to act and construct an alternative distribution and administration infrastructure to replace a system that had eroded over two decades.

This led CDC to reach into its toolkit and look to its partnership with McKesson Medical Specialties whose core competency was centralized distribution. McKesson was already known to CDC since it had managed vaccine distribution for the CDCs Vaccines for Children (VFC) program but on a much smaller scale. McKesson responded by proposing that centralized distribution depots be setup to receive vaccine from manufacturers, package and ship vaccine from those locations to medical providers. Consequently, the Department of Health & Human Services (HHS) contracted with McKesson to distribute vaccine to 90,000 registered providers. In six weeks, McKesson had four depots setup and running. H1N1 vaccine was ordered from five different manufacturers, four of which were offshore and shipped to one of the four McKesson depots strategically located around the country. From each depot, vaccine orders were filled, packaged and shipped to both private and public providers. The ability of McKesson to scale up and accommodate vaccine distribution was impressive considering initially, orders for vaccine were estimated at 220 million doses. Thus, the logistics function of vaccine distribution was contracted out to McKesson, a private sector entity and redefined the public private relationship for public health emergencies.

The private sector was also engaged for vaccine administration by not only medical providers, but chain pharmacies, and big box in-store clinics to reach priority groups as mentioned previously. Priority groups included pregnant women and children 18 years of age and younger. Public Health’s role was to “qualify” each provider. Providers agreed to serve CDC priority groups as a condition of receiving H1N1 vaccine. Thousands of memorandums of agreements were processed to network private sector providers into a mass vaccination public private infrastructure with the local and state DOH, CDC and McKesson.

Roll forward to 2011 and HHS/CDC had challenged all jurisdictions to expand mass prophylaxis plans to meet the HHS goal. These plans must be capable of dispensing operations that can reach 100 percent of the jurisdiction’s population in 48 hours in the event of a declared public health emergency that requires dispensing medications. Originally, the Cities Readiness Initiative (CRI), a biosecurity project for major metropolitan cities, had to develop these plans to meet the HHS goal as a grant deliverable. But project scope was expanded to incorporate all CDC grantees. Public Health’s non-CRI projects were now expected to meet the goal. As a result, jurisdictions find themselves exploring alternative options in terms of staffing and facilities to meet the HHS goal. The success of the 2009 H1N1 Pandemic and its partnership with the private sector provides a base of experience and points to recruitment of local private sector entities in dispensing operations.

A survey of retail executives revealed a willingness by those executives to support public health emergencies. Public Health represents 3,036 local and tribal departments of health. In contrast, Walgreens reports 7,100 pharmacies and CVS boasts another 3,000 pharmacies, most of which give flu shots. This illustrates the scalability and power of the private sector to assist with a public health emergency. With diminishing resources, Public Health must continue to explore and nurture these public private partnerships to support emergencies where mass prophylaxis is the mitigation strategy.

Published in the IAEM Bulletin, Vol. 29, No. 8, August 2012

07/28/12

Guest Contributor: Homeland Security Disciplines and the Cycle of Preparedness

Earlier this month I published a post about the disciplines of homeland security. The lists of disciplines were based on the work of Dr. Bill Pelfrey, a scholar and staff member at the Naval Postgraduate School’s Center for Homeland Defense and Security. Dr. Pelfrey has published a number of articles in his distinguished career in academia and has served in a number of administrative and teaching positions at prestigious institutions, including as Professor and Department Chair of the Department of Justice and Risk Administration at Virginia Commonwealth University (Dr. Pelfrey’s son, Dr. William Pelfrey Jr. also teaches at VCU). Dr. Pelfrey Sr. is also the author of The Evolution of Criminology.

After writing the July 2nd blog I contacted Dr. Pelfrey and asked permission to publish his article in its entirety, which he has graciously granted. The work from which I drew the disciplines of homeland security is thus attached.

Homeland Security Disciplines and the Cycle of Preparedness by Dr. William V. Pelfrey Sr.

Thank you Dr. Pelfrey!

07/2/12

What are the Disciplines of Homeland Security?

In previous posts, we have explored the question “what is homeland security” with the goal of understanding what homeland security means, particularly at the state and local level. Comments I have received both on and off of the blog suggest a number of views on this subject, many of which relate to the issue of the core disciplines of homeland security and interdisciplinary collaboration.

It is widely agreed that certain public safety disciplines have a nexus to homeland security, and that individuals that are trained in and or practice these disciplines may (or may not) engage with partners in other agencies in a manner that can be described as homeland security, or what some have described as what homeland security might be. I have suggested in previous posts that the issuance of HLS degrees in higher education should be focused in the core disciplines of homeland security. Yet others have made the point, a valid one I believe, that homeland security is a discipline itself that by its very nature “binds together” the various disciplines for the purpose of responding to “all-hazards”. These points are great material for future posts. First, let us look at what disciplines have been or are often referenced as being associated with homeland security.

Researcher Dr. William V. Pelfrey developed a study in 2004 that described the disciplines related to “preparedness”. Pelfrey bases this summary on activities conducted by the former Office of Domestic Preparedness (ODP) in which focus groups were used to identify the key preparedness-related disciplines. The ODP identified ten key preparedness disciplines, the first four of which were considered primarily responsible for response and recovery. I believe that Dr. Pelfrey’s research provides one of the best supported listings of the disciplines of preparedness (Pelfrey, 2004):

Initial Disciplines
Law Enforcement	Emergency Dispatch
EMS	Health Services
Fire Service	Emergency Management
HAZMAT	Government Administrative
Public Health	Public Works

In an effort to further define disciplines, Pelfrey identified additional categories, or as he refers to them “loose collectives of functional emphases,” that were identified as being related to preparedness (2004, p. 1). The disciplines or activities in this second group were identified as:

Secondary Disciplines
Business Continuity	Red Cross, Volunteer and NGO’s
Conveyances	Public Information
Cyber-security and IT	Media Management
Infrastructure Protection	Public Warning / Alerts
Homeland Security	Public Places / Major Facilities
Educational Institutions	Private Sector
Private Security, Loss Prevention	Financial Institutions
Major Event Security and Public Safety	Risk Management
Prosecutor	Transportation Services
Skilled Trades	Military

This second group provides some insight into the issue of the wide range of homeland security-related activities. If it is possible to meet homeland security professionals from any of these disciplines, one can understand the difficulty in developing a common, specific definition of homeland security, which is why homeland security is often described in terms like “enterprise”, such as in the 2010 Quadrennial Homeland Security Review.

In my own research, I interviewed more than 20 individuals from Michigan that may be described as state and local homeland security professionals. Based on the results of these interviews, it appears that at the state and local level the homeland security core disciplines tend to align with law enforcement, fire, EMS, emergency management, public health, and government administration.

Homeland security professionals often have focused expertise in one or more of these disciplines. Over the next several years as homeland security evolves, it will be interesting to see if homeland security continues to emerge as a separate discipline despite dwindling grants and the emergence of cybersecurity and other novel threats.

Pelfrey, W. V. (2004). Homeland Security disciplines and the cycle of preparedness. Unpublished Manuscript.