Editor's Note
February 2013
Sequestration & Risk Management
The looming threat of sequestration -- automatic, across-the-board spending cuts that will slash $85 billion from the federal budget starting on March 1 -- is no longer just a theoretical threat. With only one week to go before the cuts begin, homeland security professionals are planning for the worst.
If Congress fails to prevent the spending cuts, which were established under the Budget Control Act of 2011, the Department of Homeland Security will be forced to find new, innovative ways to accomplish its broad mission while absorbing about $4 billion in cuts. And while that doesn't sound like a lot, DHS is warning about significant practical impacts to security.
According to Secretary of Homeland Security Janet Napolitano, sequestration will result in the loss of about 5,000 border patrol agents over the next year. At ports of entry, the department will be forced to implement 12 to 14 day furloughs of port officers.
In addition, the department can expect a seven-day furlough for airport security officers at the Transportation Security Administration (TSA), a 25 percent cut in surface operations at the US Coast Guard and a loss of more than $1 billion from the Disaster Relief Fund administered by the Federal Emergency Management Agency (FEMA).
"Even in this current fiscal climate, we do not have the luxury of making significant reductions to our capabilities without placing our nation at risk," Napolitano warned in a letter to members of the House Homeland Security Committee. "We simply cannot absorb the additional reduction posed by sequestration without significantly negatively affecting frontline operations and our nation's previous investments in the homeland security enterprise."
And it gets worse.
State and local law enforcement would see more than $120 million in cuts to state and local homeland security grants. They also would lose more than $100 million in law enforcement grants from the Justice Department.
In her letter, dated Feb. 13, Napolitano said the cuts to her department would cripple many operations and totally wipe out other initiatives, particularly those designed to coordinate the activities of separate DHS components as one agency.
Sequestration will be painful. But it could be made worse by another looming deadline that few are talking about -- March 27. That's when the fiscal 2013 Continuing Appropriations Resolution expires. And without Congressional action on that front, the entire business of government will come to an abrupt halt.
If sequestration does happen and if all of the dire predictions are accurate, then all Americans will get an up-close and personal look at what risk management is really all about. Choices will have to be made. And while many will find those choices hard to accept, we have to remember that the process of making tough choices is the essence of managing risk.
Perhaps it is time for the security and risk management community to educate Congress on the basics of risk management and to remind our elected leaders on both sides of the aisle of their responsibilities.
Dan Verton
Editor, The Risk Communicator
In The News
The Department of Homeland Security (DHS) can make the best use of taxpayer dollars, and thus potentially save money in a fiscally constrained environment, by improving its prioritization of risk-based security measures, experts told a House panel recently.
Rep. Jeff Duncan (R-SC), chairman of the House Homeland Security oversight subcommittee, called the first hearing of his panel on Feb. 15 to survey several outside experts and congressional agencies as to how well DHS is spending money 10 years after its creation.
Duncan questioned whether DHS could do more to prevent waste and duplication of effort in its operations, citing reports from the DHS inspector general that the department could improve its financial management, information technology consolidation and acquisition processes.
While experts testifying before his panel agreed with those points and raised others, they often returned to the common theme that DHS should prioritize missions based on risk and even abandon missions that do not currently address any threats to the United States.
President Barack Obama on Feb. 12 signed the long-awaited executive order designed to enhance the security posture of the nation's critical cyber infrastructure. Obama made the announcement during the State of the Union address.
"America must also face the rapidly growing threat from cyber-attacks," Obama stated. "We know hackers steal people's identities and infiltrate private email. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."
The White House released a summary of the order on Tuesday, but the full details have not been made public.
The central component of the new order, the so-called Cybersecurity Framework, remains a voluntary initiative for critical infrastructure operators. The National Institute of Standards and Technology (NIST) will manage the Cybersecurity Framework effort, which will focus on establishing a framework of cybersecurity practices based on "existing international standards, practices, and procedures that have proven to be effective," according to the White House.
"To enable technical innovation, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services," said the White House statement on the order.
The order also opens the Defense Industrial Base Information Sharing Program to other critical infrastructure sectors, such as the electric grid and financial services, to enable what the White House called "near real time sharing of cyber threat information." The order also requires federal agencies to produce unclassified reports of cyber threats for distribution to the private sector companies that own and operate more than 85 percent of the nation's critical infrastructure.
How Effective Are TSA's Bomb-Sniffing Canines? Homeland Security Today (2/5/13)
Homeland security officials and lawmakers alike have praised the use of bomb-sniffing dogs for detecting explosives and other contraband. But the jury is still out as to how effective canine teams are in screening air passengers, congressional investigators said recently. The Transportation Security Administration (TSA) has not completely analyzed data to determine the effectiveness of its bomb-sniffing dogs and also has not deployed them to airports rated as highest risks, according to a new Government Accountability Office (GAO) audit report. TSA runs the National Canine Program, collecting data on the use of 760 canine teams in the Canine Website System, a central database of information on the program. But TSA does not conduct analyses of that data to figure out program trends and to address any weaknesses, GAO said in its report, TSA Explosives Detection Canine Program: Actions Needed to Analyze Data and Ensure Canine Teams Are Effectively Utilized. "Such analyses could help TSA to determine canine teams' proficiency, inform future deployment efforts, and help ensure that taxpayer funds are used effectively," the report stated.
Analysis
Risk Management and the Cyber World
By: Captain Andrew Tucci, U.S. Coast Guard
In 1964, the science fiction author Arthur C. Clarke wrote the short story "Dial F for Frankenstein". In the story, reports of chaos in banking, transportation, military, and industrial systems follow an unexplained event where every phone on earth rang at the same time. Clarke's protagonist discovers the truth: as satellites linked the world's communications systems, those connections reached a critical threshold similar to that of the billions of synapses in the human brain. The previously independent systems had achieved what we would today call artificial intelligence.
While the World Wide Web has not, to our knowledge, developed into a malevolent artificial intelligence, Clarke was spot on in his understanding of the implications of a globally linked system of communications and computers. While we celebrate every clever new app or web-based innovation, we are only now beginning to understand that the darker side of these systems goes beyond e-mail spam, momentary losses of connectivity, or the loss of private information to hackers. Cyber attacks have and will continue to damage private sector and government systems. In the past few weeks alone, there have been widely reported attacks on U.S. power plants, and on the New York Times, Wall Street Journal, and the Washington Post.
Historically, our nation has approached critical infrastructure protection through a focus on physical and human security systems. We must now include cybersecurity into that process. Cybersecurity has some unique challenges, including its technical nature and the fact that attacks can originate from thousands of miles away. Perhaps most importantly, threat vectors and vulnerabilities change with every new device, software update, and innovative hacker. We must therefore recognize that cyber security is a process, and incorporate it into an overall culture of security alongside our physical and human factor security processes.
American ports, terminals, ships, refineries, and support systems are vital components of our nation's critical infrastructure, national security, and economy. Cyber attacks on industrial control systems could kill or injure workers, damage equipment, expose the public and the environment to harmful pollutants, and lead to extensive economic damage. The loss of ship and cargo scheduling systems could substantially slow cargo operations in ports, leading to backups across the transportation system. A less overt cyber attack could facilitate the smuggling of people, weapons of mass destruction, or other contraband into the country. In short, there are as many potential avenues for cyber damage in the maritime sector as there are cyber systems.
While only some cyber attack scenarios in the maritime sector could credibly lead to a Transportation Security Incident[1], we must identify and prioritize those risks, take this threat seriously, and work together to improve our defenses. Fortunately, the process for doing so is parallel in structure to that of other security and safety efforts: assess risk, adopt measures to reduce that risk, assess progress, revise, and continue. These processes, taken together, can significantly improve an organization's risk reduction efforts and increase resilience through continuity of business planning.
Looking specifically at cyber security, consider the following steps:
- Conduct a Risk Assessment - Begin by assessing what parts of your enterprise are controlled or supported by computer systems. What are the consequences should those systems become inoperable, controlled by outside parties, or misused by internal parties?
- Identify and Adopt Best Practices - What information technology security standards are most applicable to your systems? Are your systems meeting those standards, are your employees familiar with them? When were they last updated? What backup systems, redundancies, or replacements are available?
- Secure Your Supply Chain - As with just-in-time inventory and production systems, consider the cyber vulnerabilities and practices of your suppliers, customers, and other organizations critical to your company's profitability. Discuss cybersecurity with those organizations and consider incorporating good cyber practices into marketing and contracting.
- Measure Your Progress - Test your cyber practices through drills and exercises. Identify any gaps or lessons learned, and set specific goals with timelines for making needed improvements.
- Revise and Improve Security - Review your latest risk assessment, evaluate any new cyber systems you may have added since that time, incorporate lessons learned and revise your cyber security policies and procedures accordingly.
One way to start this process is to take advantage of the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). ICS-CERT provides a wide range of information, tools, and services that can help companies assess their security, identify recommended practices, and improve their cyber security. http://ics-cert.us-cert.gov/
The men and women of the United States Coast Guard take our responsibility to protect the nation from threats seriously. As in other areas, we will work with the private sector, and with other federal, tribal, state, and local agencies to address this new threat. The President's recently signed cybersecurity Executive Order sets requirements for executive branch agencies to address cyber risks. We have started that work already, and will keep the private sector informed of our progress. We will also be asking for advice and cooperation.
In Clarke's story, humanity faced a threat from its own creation. Today, it is not a singular super intelligence that threatens us, but simply other human beings, seeking to exploit existing systems to their own evil ends. If we address this threat with the resolve, innovation, and determination we have employed for other threats in the past we will continue to preserve our economy, our lives, and our freedom.
[1] As defined in 33 Code of Federal Regulations Part 101.105
About the Author
Captain Drew Tucci, U.S. Coast Guard, is the Chief, Office of Ports and Facilities, CG-FAC, and a SARMA member.
Bonus Feature
The State of the Homeland Security Market 2013
A Special to SARMA
By Dan Verton, Homeland Security Today
President Barack Obama on Feb. 12 warned the nation and Congress about the debilitating impact that $1 trillion in automatic spending cuts -- scheduled to go into effect on March 1 if Congress does not come to an agreement on a budget -- would have on government programs across every agency and on the nation's fragile economic recovery.
"These sudden, harsh, arbitrary cuts would jeopardize our military readiness," said Obama during his State of the Union address. "They would certainly slow our recovery, and cost us hundreds of thousands of jobs."
These across-the-board automatic budget cuts, also known as sequestration, were put in place by Congress in the Budget Control Act of 2011. And while many lawmakers on Capitol Hill are warning that the cuts are likely to happen, the impact they will have on homeland security spending and contracting opportunities in 2013 remains unclear.
But in exclusive interviews with Homeland Security Today for its exclusive on-demand "Futurecast," Homeland Security Market Forecast 2013: Looking Beyond the Fiscal Cliff, analysts from McLean, Va.-based immixGroup Inc. said although some contract awards are likely to be delayed, there are still plenty of opportunities throughout the federal homeland security market for those companies that are patient and understand the new spending and contracting decisions facing agencies.
Produced and Edited by Dan Verton
Key Reports
GAO analysis of canine team training data from May 2011 through April 2012 showed that some canine teams were repeatedly not in compliance with TSA's monthly training requirement, which is in place to ensure canine teams remain proficient in explosives detection.
GAO analysis of TSA's cargo-screening data from September 2011 through July 2012 showed that canine teams primarily responsible for screening air cargo placed on passenger aircraft exceeded their monthly screening requirement. This suggests that TSA could increase the percentage of air cargo it requires air cargo canine teams to screen or redeploy teams.
Download the Full Report http://www.gao.gov/assets/660/651725.pdf
Government Accountability Office (GAO)
Since the Department of Homeland Security (DHS) began operations in 2003, it has implemented key homeland security operations and achieved important goals and milestones in many areas to create and strengthen a foundation to reach its potential. As it continues to mature, however, more work remains for DHS to address gaps and weaknesses in its current operational and implementation efforts, and to strengthen the efficiency and effectiveness of those efforts.
In its assessment of DHS's progress and challenges 10 years after the terrorist attacks of September 11, 2001, as well as its more recent work, GAO reported that DHS had, among other things, developed strategic and operational plans across its range of missions; established new, or expanded existing, offices and programs; and developed and issued policies, procedures, and regulations to govern its homeland security operations. However, GAO also identified that challenges remained for DHS to address across its missions. Examples of progress made and work remaining include the following:
Download the Full Report http://www.gao.gov/assets/660/652219.pdf
Cybersecurity: National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented
Government Accountability Office (GAO)
Threats to systems supporting critical infrastructure and federal operations are evolving and growing. Federal agencies have reported increasing numbers of cybersecurity incidents that have placed sensitive information at risk, with potentially serious impacts on federal and military operations; critical infrastructure; and the confidentiality, integrity, and availability of sensitive government, private sector, and personal information. The increasing risks are demonstrated by the dramatic increase in reports of security incidents, the ease of obtaining and using hacking tools, and steady advances in the sophistication and effectiveness of attack technology. The number of incidents reported by federal agencies to the U.S. Computer Emergency Readiness Team has increased 782 percent from 2006 to 2012. GAO and inspector general reports have identified a number of key challenge areas in the federal government's approach to cybersecurity, including those related to protecting the nation's critical infrastructure. While actions have been taken to address aspects of these, issues remain in each of these challenge areas.
Download the Full Report: http://www.gao.gov/assets/660/652170.pdf
Jobs
Acquisition Security Analyst
U.S. National Security Agency (NSA)
Job Description:
NSA's Security and Counterintelligence organization is seeking motivated Acquisition Security Analysts to join our team of supply chain risk management experts.
Responsibilities include performing all-source research to identify and, in turn, mitigate risks faced through procurement and integration of IT products into critical infrastructure.
This challenging position provides a broad overview of the Agency's mission and acquisitions, insight into the security and risk management fields, and the opportunity to apply risk management processes in the development of mitigation strategies to protect the Agency infrastructure.
View Job Posting: http://ow.ly/hR7Rd
Director, Corporate Security
Energy Future Holdings (Dallas, Texas)
Job Description:
This position plans, directs and is accountable for the administration of security programs and contracts relating to the protection of EFH company personnel, property and assets. Position directs and is accountable for the conduct of investigations relating to the EFH Code of Conduct. Also, serves as the primary EFH contact person for law enforcement and regulatory interface including but not limited to Department of Homeland Security (DHS), Electric Reliability Council of Texas (ERCOT) and North American Electric Reliability Council (NERC), relating to critical infrastructure protection activities conducted by federal, state and local government entities. Accountable for gathering and assessing information related to the wide range of security related events specific to the company and its various operations. Position is responsible for security incident response, management and recovery. This position reports to the Vice President, Associate General Counsel and Corporate Secretary.
View Job Posting: http://ow.ly/hR8Ps
More Career Postings Available at SARMA Careers Online