Week 5 writing assignment

We're the ideal place for homework help. If you are looking for affordable, custom-written, high-quality and non-plagiarized papers, your student life just became easier with us. Click either of the buttons below to place your order.

Order a Similar Paper Order a Different Paper


Risk assessment,  threat management, and disaster response are critical elements across  all levels of government and the private sector. This partnership has  grown considerably since 9/11 and continues to evolve as it pertains to  manmade and natural disasters. For this assignment, you write a will  develop a response plan for the following scenario addressing the ten  questions below:  

Central City is fictional city that is part of Columbia County. The  Roaring River is located in Columbia County and runs through downtown  Central City. On March 8, after several days of unusually heavy rain and  melting mountain snow, the Roaring River overflowed, flooding Central  City’s downtown business area and the state’s utility complex. The  entire downtown area is underwater and without basic utilities (electric  and water). Business in the area has come to a standstill with many  small store owners fearing the worst once night sets in. Also affected  by the power outage is a nearby senior assisted living facility with  more than 500 elderly residents unable to leave and in need of medical  care. A low-income community located along the river’s edge has been  isolated from the rest of the city due to the rising floodwaters. Storm  and sewer drains are beginning to back up and garbage can be seen  floating in the streets.

Due to the lack of transportation, many city residents were unable to  leave the area when initial flood warnings were posted and are now  stranded. There have been numerous requests for medical attention in the  area, and several fires can be seen burning in the distance. Because  the river twists and turns throughout Columbia County, other cities  within the county are experiencing similar flooding conditions. The rain  is expected to continue for the next 12-24 hrs, followed by a drying  out and turning windy and cold.

  1. Who are the 1st responders? What are their responsibilities?
  2. What will be their biggest challenge?
  3. What will is an immediate concern and what can wait?
  4. What additional types of assistance (other than initial 1st responders) would be helpful here? How would they be used? 
  5. Does the fact that other Columbia County cities are also flooded and  experiencing similar problems affect Columbia County’s capabilities to  respond? What problems do you foresee? What are some solutions?
  6. How would you classify this incident? Is it a high likelihood-low impact or a low likelihood-high impact? Explain.
  7. Using the ICS, decide what type of command structure will be employed. Who will be part of your command structure?
  8. What two circumstances may turn this event from an emergency to a disaster and what are your options once that happens?
  9. What type of assistance can you expect from state? Describe the process for requesting state / federal assistance.
  10. Once the floodwaters recede and the conditions return to normal,  city council members will be looking for suggestions to avoid this type  of disaster in the future. What mitigation recommendations can you make?

Paper Submission Requirements

Resources for Assignment

This activity is matched to the following Learning Outcomes: Discuss  how protective measures are being implemented within public-private  partnerships within the homeland security sector. Analyze and discuss  the basic risk analysis principles. Examine and discuss the four phases  of disaster management.

Congressional Research Service ˜ The Library of Congress

CRS Report for Congress
Received through the CRS Web

Order Code RL32561

Risk Management and Critical Infrastructure
Protection: Assessing, Integrating, and Managing

Threats, Vulnerabilities and Consequences

Updated February 4, 2005

John Moteff
Specialist in Science and Technology Policy

Resources, Science, and Industry Division

Risk Management and Critical Infrastructure Protection:
Assessing, Integrating, and Managing Threats,

Vulnerabilities, and Consequences


The 9/11 Commission recommended that efforts to protect various modes of
transportation and allocation of federal assistance to state and local governments
should be based on an assessment of risk. In doing so, the Commission was
reiterating existing federal policy regarding the protection of all the nation’s critical
infrastructures. The Homeland Security Act of 2002 (P.L. 107-296) and other
Administration documents have assigned the Department of Homeland Security
specific duties associated with coordinating the nation’s efforts to protect its critical
infrastructure, including using a risk management approach to set priorities. Many
of these duties have been delegated to the Information Analysis and Infrastructure
Protection (IA/IP) Directorate.

Risk assessment involves the integration of threat, vulnerability, and
consequence information. Risk management involves deciding which protective
measures to take based on an agreed upon risk reduction strategy. Many
models/methodologies have been developed by which threats, vulnerabilities, and
risks are integrated and then used to inform the allocation of resources to reduce
those risks. For the most part, these methodologies consist of the following
elements, performed, more or less, in the following order.

! identify assets and identify which are most critical
! identify, characterize, and assess threats
! assess the vulnerability of critical assets to specific threats
! determine the risk (i.e. the expected consequences of specific types

of attacks on specific assets)
! identify ways to reduce those risks
! prioritize risk reduction measures based on a strategy

The IA/IP Directorate has been accumulating a list of infrastructure assets

(specific sites and facilities). From this list the Directorate is selecting assets that
have been judged to be critical from a national point of view. The Directorate
intends to assess the vulnerability of all the assets on this shorter list. According to
Directorate officials, vulnerability assessments and threat information are considered
when determining the risk each asset poses to the nation. This risk assessment is
then used to prioritize subsequent additional protection activities. The IA/IP
Directorate’s efforts to date, however, raise several concerns, ranging from the
process and criteria used to populate its lists of assets, its prioritization strategy, and
the extent to which the Directorate is coordinating its efforts with the intelligence
community and other agencies both internal and external to the Department. This
report will be updated as needed.


Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
IA/IP’s Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
A Generic Model for Assessing and Integrating Threat, Vulnerability,

and Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Assessments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Using Assessments to Identify and Prioritize Risk Reduction

Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Status of DHS’s Implementation of Its Critical Infrastructure Protection

Effort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Programming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Questions and Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Identifying Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Selecting High Priority Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Assessing Threat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Assessing Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Assessing Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Risk Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Prioritizing Protection Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

1 The Intelligence Reform and Terrorism Prevention Act of 2004 (S. 2845, P.L. 108-458),
legislating some of the recommendations of the Commission’s report, included a
requirement to develop a National Strategy for Transportation Security that includes the
development of risk-based priorities.

Risk Management and Critical Infrastructure
Protection: Assessing, Integrating, and
Managing Threats, Vulnerabilities, and



As part of its chapter on a global strategy for protecting the United States against
future terrorist attacks, the 9/11 Commission recommended that efforts to protect
various modes of transportation and allocation of federal assistance to state and local
governments should be based on an assessment of risk.1 In doing so, the
Commission was affirming existing federal policy regarding the protection of all the
nation’s critical infrastructures. The Homeland Security Act of 2002 and other
Administration documents have assigned the Department of Homeland Security
specific duties associated with coordinating the nation’s efforts to protect its critical
infrastructure. Many of these duties have been delegated to the Information Analysis
and Infrastructure Protection (IA/IP) Directorate. In particular, the IA/IP Directorate
is to integrate threat assessments with vulnerability assessments in an effort to
identify and manage the risk associated with possible terrorist attacks on the nation’s
critical infrastructure. By doing so, the Directorate is to help the nation set priorities
and take cost-effective protective measures.

This report is meant to support congressional oversight by discussing, in more
detail, what this task entails and issues that need to be addressed. In particular, the
report defines terms (e.g. threat, vulnerability, and risk), discusses how they fit
together in a systematic analysis, describes processes and techniques that have been
used to assess them, and discusses how the results of that analysis can inform
resource allocation and policy.

While the IA/IP Directorate has been given this task as one of its primary
missions, similar activities are being undertaken by other agencies under other
authorities and by the private sector and states and local governments. Therefore,
this report also discusses the Department’s role in coordinating and/or integrating
these activities.


2 Office of Homeland Security, National Strategy for Homeland Security, July 2002.
3 Ibid. p. 33.
4 Ibid. p. 64.


IA/IP’s Responsibilities

The Homeland Security Act of 2002 and other Administration documents have
assigned the Department of Homeland Security specific duties associated with
coordinating the nation’s efforts to protect its critical infrastructure. Many of the
duties discussed below have been delegated to the Information Analysis and
Infrastructure Protection Directorate.

The National Strategy for Homeland Security,2 anticipating the establishment
of the Department of Homeland Security, stated:

! “… the Department would build and maintain a complete, current,
and accurate assessment of vulnerabilities and preparedness of
critical targets across critical infrastructure sectors…[This
assessment will] guide the rational long-term investment of effort
and resources.3”

! “… we must carefully weigh the benefit of each homeland security
endeavor and only allocate resources where the benefit of reducing
risk is worth the amount of additional cost.4”

Among the specific tasks delegated to the Undersecretary for Information
Analysis and Infrastructure Protection by Section 201(d) of the Homeland Security
Act of 2002 (P.L. 107-296, enacted November 25, 2002) were:

! “… identify and assess the nature and scope of terrorist threats to the

! “… understand such threats in light of actual and potential
vulnerabilities of the homeland;”

! “… carry out comprehensive assessments of the vulnerabilities of the
key resources and critical infrastructures of the United States,
including the performance of risk assessments to determine the risk
posed by particular types of terrorist attacks within the United States

! “… integrate relevant information, analyses, and vulnerability
assessments … in order to identify priorities for protective and
support measures ….”

! “… develop a comprehensive national plan for securing the key
resources and critical infrastructure of the United States ….”

! “… recommend measures necessary to protect the key resources and
critical infrastructure of the United States ….”


5 Office of Homeland Security, The National Strategy for the Physical Protection of Critical
Infrastructures and Key Assets, February 2003.
6 Ibid. p. 23.
7 Homeland Security Presidential Directive Number 7, Critical Infrastructure Identification,
Prioritization, and Protection, December 17, 2003.
8 The Clinton Administration referred to these as Lead Agencies in its Presidential Decision
Directive Number 63 (PDD-63, May 1998). HSPD-7 supercedes PDD-63 in those instances
where the two disagree.
9 The Department did not meet this deadline. A draft plan is still in review. The
Department intends to release elements of the plan in 2005. See, See CQ Homeland
Security, Jan. 28, 2005, “Still Waiting: Plan to Protect Critical Infrastructure Overdue from
DHS,”at [http://homeland.cq.com/hs/display.do?docid=1507251&sourcetype=31]. This site
was last viewed on February 4, 2005. It is available only by subscription.
10 Just as one example, the 9/11 Commission Report (released July 22, 2004, see page 396)
when discussing the basis upon which federal resources should be allocated to states and
localities, stated that such assistance should be based “strictly on an assessment of risks and
vulnerabilities.” Later, in the next paragraph, it stated “the allocation of funds should be
based on an assessment of threats and vulnerabilities.” In the next paragraph it stated that


The National Strategy for the Physical Protection of Critical Infrastructure and
Key Assets 5 stated:

! “DHS, in collaboration with other key stakeholders, will develop a
uniform methodology for identifying facilities, systems, and
functions with national-level criticality to help establish federal,
state, and local government, and the private-sector protection
priorities. Using this methodology, DHS will build a comprehensive
database to catalog these critical facility, systems, and functions.6”

Homeland Security Presidential Directive Number 7 (HSPD-7)7 stated that the
Secretary of Homeland Security was responsible for coordinating the overall national
effort to identify, prioritize, and protect critical infrastructure and key resources. The
Directive assigned Sector Specific Agencies8 the responsibility of conducting or
facilitating vulnerability assessments of their sector, and encouraging the use of risk
management strategies to protect against or mitigate the effects of attacks against
critical infrastructures or key resources. It also gave the Secretary to the end of
calendar year 2004 to produce a comprehensive, integrated National Plan for Critical
Infrastructure and Key Resources Protection.9 That Plan shall include a strategy and
a summary of activities to be undertaken to: define and prioritize, reduce the
vulnerability of, and coordinate the protection of critical infrastructure and key

The terms “vulnerabilities,” “threats,” “risk,” “integrated,” and “prioritize” are
used repeatedly in the documents cited above. However, none of the documents
defined these terms or discussed how they were to be integrated and used. Also, in
hearings, articles in the press, and other public discourse these terms are used loosely,
clouding the intent of what is being proposed or discussed.10 What might seem trivial


10 (…continued)
resources “must be allocated according to vulnerabilities.”
11 Roper, Carl. A. Risk Management for Security Professionals, Butterworth-Heinemann.

differences in definitions can make a big difference in policy and implementation.
The following section provides definitions and a generic model for integrating them
in a systematic way.

A Generic Model for Assessing and Integrating Threat,
Vulnerability, and Risk

Many models/methodologies have been developed by which threats,
vulnerabilities, and risks are integrated and then used to inform the cost-effective
allocation of resources to reduce those risks. For this report, CRS reviewed
vulnerability assessment models or methodologies, including some developed and
used, to varying degrees, in certain selected sectors (electric power, ports, oil and
gas). These are listed in the Reference section of this report. In addition, this report
draws upon information contained in a book by Carl Roper entitled Risk Management
for Security Professionals.11 Essential elements of these models/methods have been
distilled and are presented below. They may provide some guidance in overseeing
DHS’s methodology as it is developed and employed.

For the most part, each of the methodologies reviewed consist of certain
elements. These elements can be divided into: assessments per se; and, the use of the
assessments to make decisions. The elements are performed, more or less, in the
following sequence:

! identify assets and identify which are most critical
! identify, characterize, and assess threats
! assess the vulnerability of critical assets to specific threats
! determine the risk (i.e. the expected consequences of specific types

of attacks on specific assets)
Using Assessments to Identify and Prioritize Risk Reduction Activities
! identify and characterize ways to reduce those risks
! prioritize risk reduction activities based on a risk reduction strategy


Identifying Assets and Determining Criticality. The infrastructure of a
facility, a company, or an economic sector, consists of an array of assets which are
necessary for the production and/or delivery of a good or service. Similarly, the
infrastructure of a city, state, or nation consists of an array of assets necessary for the
economic and social activity of the city and region, and the public health and welfare
of its citizens. The first step in the process is to determine which infrastructure assets
to include in the study. The American Chemistry Council, the Chlorine Institute, and
the Synthetic Organic Chemical Manufacturers Association, in their Site Security


12 American Petroleum Institute and the National Petrochemical and Refiners Association,
Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical
Industries, May 2003, p. 4.

Guidelines for the U.S. Chemistry Industry, broadly define assets as people, property,
and information. Roper’s Risk Management for Security Professionals (and DOE’s
Energy Infrastructure Risk Management Checklists for Small and Medium Sized
Energy Facilities) broadly define assets as people, activities and operations,
information, facilities (installations), and equipment and materials.

The methodologies reviewed do not provide a definitive list of such assets but
suggest which ones might be considered. For example, people assets may include
employees, customers, and/or the surrounding community. Property usually includes
a long list of physical assets like buildings, vehicles, production equipment, storage
tanks, control equipment, raw materials, power, water, communication systems,
information systems, office equipment, supplies, etc. Information could include
product designs, formulae, process data, operational data, business strategies,
financial data, employee data, etc. Roper’s examples of activities and operations
assets include such things as intelligence gathering and special training programs.
Many methodologies suggest considering, initially, as broad a set of assets as is

However, not every asset is as important as another. In order to focus
assessment resources, all of the methodologies reviewed suggest that the assessment
should focus on those assets judged to be most critical. Criticality is typically
defined as a measure of the consequences associated with the loss or degradation of
a particular asset. The more the loss of an asset threatens the survival or viability of
its owners, of those located nearby, or of others who depend on it (including the
nation as a whole), the more critical it becomes.

Consequences can be categorized in a number of ways: economic; financial;
environmental; health and safety; technological; operational; and, time. For example,
a process control center may be essential for the safe production of a particular
product. Its loss, or inability to function properly, could result not only in a
disruption of production (with its concomitant loss of revenue and additional costs
associated with replacing the lost capability), but it might also result in the loss of
life, property damage, or environmental damage, if the process being controlled
involves hazardous materials. The loss of an asset might also reduce a firm’s
competitive advantage, not only because of the financial costs associated with its
loss, but also because of the loss of technological advantage or loss of unique
knowledge or information that would be difficult to replace or reproduce. Individual
firms, too, have to worry about loss of reputation. The American Petroleum Institute
and the National Petrochemical and Refiners Association (API/NPRA) in their
Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical
Industries also suggested considering the possibility of “excessive media exposure
and resulting public hysteria that may affect people that may be far removed from the
actual event location.12”


While the immediate impact is important, so, too, is the amount of time and
resources required to replace the lost capability. If losing the asset results in a large
immediate disruption, but the asset can be replaced quickly and cheaply, or there are
cost-effective substitutes, the total consequence may not be so great. Alternatively,
the loss of an asset resulting in a small immediate consequence, but which continues
for a long period of time because of the difficulty in reconstituting the lost capability,
may result in a much greater total loss.

Another issue which decision makers may consider is if the loss of a particular
asset could lead to cascading effects, not only within the facility or the company, but
also cascading effects that might affect other infrastructures. For example, the loss
of electric power can lead to problems in the supply of safe drinking water. The loss
of a key communications node can impair the function of ATM machines.

The initial set of assets are categorized by their degree of criticality. Typically
the degree of criticality is assessed qualitatively as high, medium, or low, or some
variation of this type of measure. However, even if assessed qualitatively, a number
of methodologies suggest being specific about what kind of consequence qualifies
an asset to be placed in each category. For example, the electric utility sector
methodology suggests that a highly critical asset might be one whose loss would
require an immediate response by a company’s board of directors, or whose loss
carries with it the possibility of off-site fatalities, property damage in excess of a
specified amount of dollars, or the interruption of operations for more than a
specified amount of time. Alternatively, an asset whose loss results in no injuries,
or shuts down operations for only a few days, may be designated as having low

For those sectors not vertically integrated, ownership of infrastructure assets
may span a number of firms, or industries. Whoever is doing the analysis may feel
constrained to consider only those assets owned and operated by the analyst or
analyst’s client. For example, transmission assets (whether pipeline, electric, or
communication) may not be owned or operated by the same firms that produce the
commodity being transmitted. Both the production assets and the transmission
assets, however, are key elements of the overall infrastructure. Also, a firm may rely
on the output from a specific asset owned and operated by someone else. The user
may consider that asset critical, but the owner and operator may not. Some of the
methodologies reviewed encourage the analyst to also consider (or at least account
for) the vulnerability of those assets owned or operated by someone else that provide
critical input into the system being analyzed. These “interdependency” problems
have been talked about, mainly in the context of inter-sector dependencies (e.g the
reliance of water systems on electric power), but they may also exist intra-sector.
The interdependency issue is both a technical one (i.e. identifying them) and a
political/legal one (i.e. how can entity A induce entity B to protect an asset).

Identify, Characterize, and Assess Threat. Roper and the API/NPRA
define threat as “any indication, circumstance or event with the potential to cause loss


13 American Petroleum Institute, op. cit., p. 5.
14 Roper, op. cit. , p. 43.
15 This quote is taken from the Government Accountability Office testimony, Homeland
Security: Key Elements of a Risk Management Approach, GAO-02-150T, before the
Subcommittee on National Security, Veteran’s Affairs, and International Relations, House
Committee on Government Reform, October 21, 2001. It is used in several of the other
methodologies reviewed.

or damage to an asset.13” Roper includes an additional definition: “The intention and
capability of an adversary to undertake actions that would be detrimental to U.S.

To be helpful in assessing vulnerability and risk, threats need to be characterized
in some detail. Important characteristics include type (e.g. insider, terrorist, military,
or environmental (e.g. hurricane, tornado)); intent or motivation; triggers (i.e events
that might initiate an attack); capability (e.g. skills, specific knowledge, access to
materials or equipment); methods (e.g. use of individual suicide bombers, truck
bombs, assault, cyber); and trends (what techniques have groups used in the past or
have experimented with, etc.).

Information useful to characterizing the threat can come from the intelligence
community, law enforcement, specialists, news reports, analysis and investigations
of past incidents, received threats, or “red teams” whose purpose is to “think” like
a terrorist. Threat assessment typically also involves assumptions and speculation
since information on specific threats may be scant, incomplete, or vague.

Once potential threats have been identified (both generically, e.g. terrorists, and
specifically, e.g. Al Qaeda) and characterized, a threat assessment estimates the
“likelihood of adversary activity against a given asset or group of assets.15” The
likelihood of an attack is a function of at least two parameters: a) whether or not the
asset represents a tempting target based on the goals and motivation of the adversary
(i.e. would a successful attack on that asset further the goals and objectives of the
attacker); and, b) whether the adversary has the capability to attack the asset by
various methods. Other parameters to consider include past history of such attacks
against such targets by the same adversary or by others, the availability of the asset
as a target (e.g. is the location of the target fixed or does it change and how would the
adversary know of the target’s existence or movement, etc.). The asset’s
vulnerability to various methods of attack (determined in the next step) may also
affect the attractiveness of the asset as a target.

As an example of a threat assessment technique, the U.S. Coast Guard, using an
expert panel made up of Coast Guard subject matter and risk experts, evaluated the
likelihood of 12 different attack modes against 50 different potential targets (i.e. 600
scenarios). Attack modes included “… boat loaded with explosives exploding along
side a docked tank vessel,” or “… tank vessel being commandeered and intentionally
damaged.” The Coast Guard also considered scenarios where port assets could be
stolen or commandeered and used as a weapon or used to transport terrorists or
terrorism materials. Potential targets included various types of vessels (including
ferries), container facilities, water intakes, utility pipelines, hazardous materials


16 Roper, op. cit., p. 63.
17 American Petroleum Institute, op. cit., p. 5.
18 Federal Register, Department of Homeland Security, Coast Guard, Implementation of
National Maritime Security Initiatives, Vol. 68, No. 126, July 1, 2003, p. 39245.

barges, etc. The panel of experts judged the credibility of each scenario. For
example, using a military vessel for transporting terrorists or terrorism materials was
judged not to be credible given the inherent security measures in place, but an
external attack on a military target was considered credible. Each credible scenario
was assigned one of 5 threat levels representing the perceived probability (likelihood)
of it occurring, after considering the hostile group’s intent, its capabilities, prior
incidents, and any existing intelligence.

The Electricity Sector’s methodology uses a checklist which asks for the
specific attack mode (such as the use of explosives, truck bomb, or cyber attack) and
whether it is likely that such an attack would be carried out by: a) an individual; or
b) by an assault team of up to five members. In this case, the analyst is to identify
likely targets for each type of attack scenario and the objective that the adversary
would achieve by such an attack.

Likelihood can be measured quantitatively, by assigning it a probability (e.g. an
85% chance of occurring), or qualitatively, such as “Very High Threat Level,” which
might mean there is a credible threat, with a demonstrated capability, and it has
happened before. As with criticality, a number of methodologies suggested specific
criteria be used to define what would constitute varying threat levels.

A threat assessment need not be static in time. Threats (i.e. the likelihood that
an adversary may attack) may rise and fall over time, depending on events,
anniversary dates, an increase in capability, or the need for the adversary to reassert
itself. Intelligence may detect activity that indicates pre-attack activity or a lull in
such activity, or an explicit threat may be made.

Assess Vulnerability. Roper defines vulnerability as a “weakness that can
be exploited to gain access to a given asset.16” The API/NPRA expands this
definition to include “… and subsequent destruction or theft of [the] … asset.17” The
Coast Guard defines vulnerability as “the conditional probability of success given
that a threat scenario occurs.18”

Weaknesses, like criticality, can be categorized in a number of ways: physical
(accessibility, relative locations, visibility, toughness, strength, etc.), technical
(susceptible to cyber attack, energy surges, contamination, eavesdropping, etc.),
operational (policies, procedures, personal habits ), organizational (e.g. would taking
out headquarters severely disrupt operations), etc.

Existing countermeasures may already exist to address these weaknesses. A
vulnerability assessment must evaluate the reliability and effectiveness of those
existing countermeasures in detail. For example, security guards may provide a
certain degree of deterrence against unauthorized access to a certain asset. However,


19 Roper, op. cit., p. 73.
20 Federal Register, op. cit., p. 39245.
21 American Petroleum Institute, op. cit., p. 3.

to assess their effectiveness, a number of additional questions may need to be asked.
For example, how many security guards are on duty? Do they patrol or monitor
surveillance equipment? How equipped or well trained are they to delay or repulse
an attempt to gain access? Have they successfully repulsed any attempt to gain
unauthorized access?

Vulnerabilities are assessed by the analyst against specific attacks. API/NPRA
identifies three steps to assessing vulnerabilities: 1) determine how an adversary
could carry out a specific kind of attack against a specific asset (or group of assets);
2) evaluate existing countermeasures for their reliability and their effectiveness to
deter, detect, or delay the specific attack; and 3) estimate current state of vulnerability
and assign it a value. Specific types of attacks can be informed by the preceding
threat assessment.

The Coast Guard measured vulnerability of potential targets for each attack
scenario in four areas: 1) is the target available (i.e. is it present and/or predictable
as it relates to the adversary’s ability to plan and operate); 2) is it accessible (i.e. how
easily can the adversary get to or near the target); 3) what are the “organic”
countermeasures in place (i.e. what is the existing security plan, communication
capabilities, intrusion detection systems, guard force, etc.); and, 4) is the target hard
(i.e. based on the target’s design complexity and material construction characteristics,
how effectively can it withstand the attack). Each of these four vectors were
evaluated on a level of 1 to 5, with each level corresponding to a assigned probability
of a successful attack. By comparison, the electricity sector process measures
vulnerability as a probability that existing countermeasures can mitigate specific
attack scenarios (e.g. probability of surviving attack = 80%).

Alternatively, the analyst can value vulnerability qualitatively. For example,
a “highly vulnerable” asset might be one that is highly attractive as a target, for which
no countermeasures currently exist against a highly credible threat. An asset with
low vulnerability might be one that has multiple effective countermeasures.

Assess Risk. Risk implies uncertain consequences. Roper defines risk as the
“… probability of loss or damage, and its impact …19” The Coast Guard refers to a
risk assessment as “ essentially an estimate of the expected losses should a specific
target/attack scenario occur.20” “Expected” loss is determined by multiplying the
estimated adverse impact caused by a successful threat/attack scenario by the
probabilities associated with threat and vulnerability. API/NPRA defines risk as “a
function of: consequences of a successful attack against an asset; and, likelihood of
a successful attack against an asset.21” “Likelihood” is defined as “a function of: the
attractiveness of the target to the adversary [based on the adversary’s intent and the
target’s perceived value to the adversary], degree of threat [based on adversary’s


22 Ibid.
23 Consequences, too, could be uncertain. For example, it may be determined that in the
above scenario, a successful attack may cause a distribution of possible deaths between zero
and 500 people.
24 This formulation assumes that the uncertainties in this case are independent, which in
many cases is not accurate. The attractiveness of a target (an element in determining threat)
may very much depend on its vulnerability. Likewise, the consequence of an attack may
also depend on a target’s vulnerability. This complicates the calculation.

capabilities], and degree of vulnerability of the asset.22” An important point is that
risk, as defined here, is a discounted measure of consequence; i.e. discounted by the
uncertainty of what might happen (see the example given below).

As noted in the first step, impact can be categorized in a number of ways.
Impact or consequences may be measured more precisely at this point in the process,
however, to better inform the prioritization of risk reduction steps that follows.

The Coast Guard considered six categories of impact: death/injury; economic;
environmental; national defense; symbolic effect; and secondary national security
issues. Each target/attack scenario measured the potential impact in each of these
categories on a severity scale from 1 to 5 (from low to catastrophic). The assigned
scale value was based on benchmarks. The API/NPRA, which used a similar
construct, suggested the following benchmarks for its severity scale. The severity
of death and injury varied from high to low depending on whether they occurred off-
site or on-site, and whether they were certain or possible. The severity of
environmental damage again varied from high to low depending on whether it was
large scale (spreading off-site) or small scale (staying on-site). The severity of
financial losses or economic disruptions were valued on threshold dollar amounts and

The analyst can also try to measure risk quantitatively. For example, for a
specific target/attack scenario, the analysis may determine that there is a 50/50
chance (i.e. we don’t know) that the adversary will try to attack a particular
government building. But, if they did, there is a 75% chance that they would use a
truck bomb (i.e we are pretty sure that if they attack they would try to use a truck
bomb). If they try use a truck bomb, the vulnerability assessment determined that
they would have a 30% chance of succeeding (i.e. if they try, there is a good chance
that the current protective measures will prevent them from getting close enough to
the building to bring it down). The consequences of a successful attack (bringing the
building down) could be 500 people killed and $300 million in property damage.23

The risk associated with this scenario would be:

expected loss = (consequence) x ( probability that an attack will occur) x
(conditional probability that the attacker uses a truck bomb) x (the
conditional probability that they would be successful)24, or

(500 people killed + $300 million in damage) x (.5) x (.75) x (.3), or


25 Note: the risk in this scenario is not 500 people dead, but 56 expected deaths. That is not
to say that if an attack were actually successfully carried out only 56 people might die. In
fact, in this scenario, it has been judged that 500 people would likely die. If one chose to
use the 500 potential deaths in subsequent decisions, they would be called risk averse in this
construct. Taking a risk averse position is a legitimate policy option. See further discussion
on risk aversion below.
26 Again, dependencies between threat, risk, and consequences need to be considered.

risk = 56 expected deaths and $33.8 million in expected damages.25

Risk is often measured qualitatively (e.g. high, medium, low). Since

consequences may be measured along a number of different vectors, and threat and
vulnerability have been measured separately, a qualitative measure of risk must have
some criteria for integrating the number of different qualitative measures. For
example, how should the assessment decide what risk rating to give a medium threat
against a highly vulnerable target that would have a low death/injury impact, a
medium environmental impact, but a high short-term financial impact? Does this
scenario equal a high, medium, or low level of risk?

Using Assessments to Identify and Prioritize Risk Reduction

Identify Ways to Reduce Risk. Risks can be reduced in a number of ways:
by reducing threats (e.g. through eliminating or intercepting the adversary before he
strikes); by reducing vulnerabilities (e.g. harden or toughen the asset to withstand the
attack); or, by reducing the impact or consequences (e.g. build back-ups systems or
isolate facilities from major populations). For each potential countermeasure, the
benefit in risk reduction should also be determined.26 More than one countermeasure
may exist for a particular asset, or one countermeasure may reduce the risk for a
number of assets. Multiple countermeasures should be assessed together to
determine their net effects. The analyst should also assess the feasibility of the

The cost of each countermeasure must also be determined. Costs, too, are
multidimensional. There may be up-front financial costs with associated materials,
equipment, installation, and training. There are also longer term operational costs of
the new protective measures, including maintenance and repair. There may also be
operational costs associated with changes to overall operations. Costs also include
time and impact on staff, customers, and vendors, etc. Expenditures on the
protection of assets also results in opportunity costs, i.e. costs associated with not
being able to invest those resources in something else.

Prioritize and Decide In What to Invest. Once a set of countermeasures
have been assessed and characterized by their impact on risk, feasibility, and cost,
priorities may be set. Decision makers would have to come to a consensus on which
risk reduction strategy to use to set priorities.

Most of the methods reviewed suggest a cost-effective selection process (i.e.
implementation of the risk-reduction method(s) should not cost more than the benefit


27 Roper, op. cit., p. 88.

derived by the reduced risk). Cost-effectiveness could also imply that the country
invest in risk reduction to the point where the marginal cost to society equals the
marginal benefit. Alternatively, given a fixed budget, cost-effectiveness might imply
investing in protections that maximize the benefits for that investment.
Countermeasures that lower risk to a number of assets may prove to be most cost-
effective. Also, focusing attention on those assets associated with the highest risks
may yield the greatest risk reduction and be one way to implement a cost-effective

While cost-effectiveness is usually the recommended measure for setting
priorities, decision makers may use others. For example, decision makers may be
risk averse. In other words, even if the chance of an attack is small, or the potential
target is not particularly vulnerable, the consequences may be too adverse to
contemplate. In this case, decision makers may wish to bear the costs of additional
protection that exceed the “expected” reduction in risk. Roper notes, however, that,
in general, protection costs should not exceed a reasonable percentage of the total
value of the asset.27

Another measure by which to select protective actions might be to favor
maximizing the number or geographical distribution of assets for which risks are
reduced. Alternatively, decision makers might want to focus efforts on reducing a
specific threat scenario (e.g. dirty bombs) or protecting specific targets (e.g. events
where large numbers of people attend).

The electric utility checklist states that the ultimate goal of risk management is
to select and implement security improvements to achieve an “acceptable level of
risk” at an acceptable cost. The concept of acceptable risk is mentioned in a number
of methodologies, and it needs to be determined by decision makers.

After selecting which protective measures to pursue, programs, responsibilities,
and mechanisms for implementing them must be established. Many of the reviewed
methodologies conclude with the recommendation to revisit the analysis on a regular

Status of DHS’s Implementation of Its Critical Infrastructure
Protection Effort

Programming. The IA/IP Directorate’s FY2005 budget justification
document provided a glimpse into how DHS intends to implement its
responsibilities in critical infrastructure protection. Below is a list of budget
activities that most relate to the topic of this report.

! Threat Determination and Assessment: This activity involves the
development of tools and techniques to help model terrorist
organizations, to develop a terrorist capabilities baseline, and to
facilitate collaboration and fusion of intelligence information and the
coordinated analysis of that information.


! Critical Infrastructure and Asset Identification: This activity
involves identifying critical infrastructure and assets, assessing
potential risk of successful attacks to those assets, and prioritizing
protective measures.

! Critical Infrastructure Vulnerability and Field Assessments: This
activity supports specialized teams of experts that are sent to high
priority sites to assess their vulnerabilities.

! Infrastructure and Key Asset Protection Implementation: This
activity supports an array of services offered by the IA/IP Directorate
to assist state, local, and private stakeholders in risk mitigation
measures for high priority assets. These services include training,
protection and response planning, pilot programs, technology
transfers, and sharing of best practices.

! National Infrastructure Risk Analysis: This activity supports the
development of comprehensive risk and vulnerability analyses on a
national scale. These analyses are cross-sector in nature, focusing
on problems affecting multiple infrastructures. The goal is to
provide timely, actionable information that is more meaningful to
industry. It is not clear how this activity differs from the Critical
Infrastructure and Asset Identification activity mentioned above.

! Threat/Vulnerability/Asset Databases: This activity supports the
development, operation, and maintenance of an integrated data
warehouse of threat, vulnerability, and risks posed to specific
facilities and assets (including the probability of attack and
associated consequences). The description of this activity implies
that data would be located in disparate places, and technology would
be developed to allow access and integration of the information.

! Competitive Analysis and Evaluation: This activity supports
activities that evaluate the effectiveness of IA/IP products and
processes. This could involve “red teaming” to test, via exercises,
gaming, and alternate hypothesizing analyses, IA/IP assessments and
protective actions.

Progress. Testimony given by the Undersecretary for Information Analysis
and Infrastructure Protection, Frank Libutti, before the House Appropriations
Committee’s Subcommittee on Homeland Security, April 1, 2004, provided another
glimpse into the IA/IP Directorate’s process and progress in integrating threat,
vulnerability, and risk and using that information to set help set priorities. In that
testimony, the Undersecretary stated that the Directorate had 28,000 sites or facilities
in a national infrastructure database. A few days later, this number had grown to


28 The article cited below makes reference to testimony by the Undersecretary before a joint
hearing of the House Select Committee’s subcommittees on Cybersecurity, Science and
Research & Development and Infrastructure and Border Security held on April 21, 2004.
See, [http://www.fcw.com/geb/articles/2004/0419/web-assets-04-21-04.asp], “DHS needs
asset info.” This site was last visited on February 4, 2005.
29 See, “Terror Target List Way Behind,” USA Today, December 9, 2004. p.A1.
30 It is not clear if this number, too, has grown since the testimony was given.
31 Report language in the Senate Appropriations Committee’s report accompanying its
FY2005 Department of Homeland Security Appropriations bill (see reference below) stated
that 150 of these were expected to be completed in FY2004, with another 400 expected to
be completed in FY2005. This only would be about one third of the 1700 assets which
IA/IP had said it would like to assess by the end of the calender year, 2004.

33,000.28 By the end of 2004, the number of assets in the database has reportedly
reached 80,000.29 According to the testimony, these are sites, facilities, and assets
that state Homeland Security Advisers have identified as being critical. They include
public and private assets.

According to the above testimony, the Directorate, working with state, local, and
private stakeholders, had identified 1,700 assets from the larger list on which it
intends to conduct, or lead, vulnerability field assessments.30 Presumably, these
assets have been identified by IA/IP as being the most critical. According to the
testimony, IA/IP intended to lead vulnerability assessments teams to each of these
1,700 assets in 2004.31 Based on these vulnerability assessments and the associated
risk (the Undersecretary did not elaborate on how risk would be determined), the
Undersecretary stated that IA/IP intends to follow-up with asset owners/operators to
help them develop “operational plans” for improving the security (both physical and
cyber) of these assets, if needed.

A statement by the Director of the Protection Services Division (a division
within the IA/IP Directorate), James McDonnell, before the House Government
Reform Committee’s Subcommittee on Technology, Information Policy,
Intergovernmental Affairs, and the Census on March 30, 2004 offered some
additional insight. According to his statement, the IA/IP Directorate identified those
sites or assets that may be most attractive as targets and have sent or plan to send a
team of specialized security experts to the site to assess its vulnerabilities and how
those vulnerabilities might be exploited. The IA/IP Directorate then maps threat and
vulnerability information to determine risk. Base on the risk information, the
Directorate then prioritizes the implementation of protective measures that address
vulnerabilities. No where in this statement are the criteria that govern these decisions
(assessing target attractiveness, mapping threat and vulnerability to determine risk,
prioritization) mentioned.

According to the Director, protective measures focus on near-term technical and
procedural changes that can harden the site against attack. The FY2005 budget
request referred to the type of protective measures that IA/IP may recommend. These
included 1) including the detection of weapons of mass destruction in the
development of protection plans; 2) measures to disrupt attack planning by making
information gathering and surveillance by terrorist difficult; and 3) ensure counter-


32 U.S. Congress, Senate, Appropriations Committee, Report accompanying S. 2537, S.Rept.
108-280, June 17, 2004.
33 Stephen McHale, Deputy Administrator, Transportation Security Administration,
Statement before the Subcommittee on Infrastructure and Border Security, House Select
Committee on Homeland Security, May 12, 2004. Also, Rear Admiral David S. Belz,
Assistant Commandant for Operations, U.S. Coast Guard, et.al., Statement before the House
Select Committee on Homeland Security, May 5, 2004.
34 See, “Terror Target List Way Behind,” USA Today, December 9, 2004. p. A1.

assault capabilities. The Senate Appropriations Committee’s report on DHS’s
appropriation bill32 made reference to Buffer Zone Protection Plans (BZPP) which
the Protective Services Division assists stakeholders in developing. The Director, in
the statement cited above, described the BZPP as being a community-based
approach, incorporating local law enforcement and emergency personnel into a
security plan that extends beyond the fence (i.e. outside the property limits of the site
or facility).

In addition to the above mentioned efforts, and as required by HSPD-7, the
IA/IP Directorate is in the process of developing a national plan for protecting critical
infrastructure. The national plan will use as its foundation sector-level plans, to be
developed cooperatively by Sector Specific Agencies and representatives of their
sector. According to testimony by DHS officials responsible for the transportation
sector,33 these sector level plans are in progress (at least within the Transportation
Security Administration and the Coast Guard). The IA/IP Directorate has prepared
guidance for developing Sector Specific Plans that contain many of the steps
discussed in the generic model above, and which require Sector Specific Agencies
to be specific about methodology, criteria, etc.

From the above discussion it appears the IA/IP Directorate is in the process of
carrying out the fundamental steps identified in the preceding discussion. However,
some questions and issues remain.

Questions and Issues

Identifying Assets

By the end of 2004, the IA/IP Directorate has compiled a list of 80,000 assets.
Policy makers, from both sides of the aisle, however, have raised several concerns
about this list.34 From where does the information for this list come? Is there a
systematic approach to generating this list? How comprehensive is it? How accurate
is the data? In what form does this information exist?

According to the testimony of the Undersecretary discussed above, the list is
populated by assets identified by state Homeland Security Advisors. The process by
which the states have provided this information is not discussed in the testimony.
However, according to Democratic members of the House Select Committee on


35 The letter, dated August 3, 2004, is available on the Democrat’s Select Committee on
Homeland Security website: see [http://www.house.gov/hsc/democrats]. The letter was last
viewed at this site on February 4, 2004 and can be found on the Critical Infrastructure link.
36 The Office of Domestic Preparedness (ODP) was transferred from the Department of
Justice to the Department of Homeland Security by the Homeland Security Act of 2002.
The ODP has since been integrated with the Office of State and Local Government
Coordination, established by the Homeland Security Act, into the Office of State and Local
Government Coordination and Preparedness (OSLGCP). The OSLGCP now administers
the grants programs.
37 According to the guidance, threat assessment determines the relative likelihood of a
known potential threat element attempting to attack using a weapon of mass destruction.
A potential threat element includes any group or individual in which there are allegations
or information indicating a possibility of the unlawful use of force or violence, specifically
the utilization of weapons of mass destruction. Threat factors include evidence of the
existence, violent history, intentions, motivations, targeting, and weapons of mass
destruction capability of a known potential threat element. For each potential target, the
vulnerability assessment is to consider factors such as target visibility, its criticality to the


Homeland Security, in a letter to the Secretary of Homeland Security,35 DHS’s
efforts to coordinate submissions by the states’ Homeland Security Advisors have not
included specific guidelines or a specific reporting mechanism, and in some cases,
state officials contend they were never contacted even though assets from their states
appear on the list.

There is a mechanism in place by which the IA/IP could received state and local
information on critical infrastructure assets. The Office of State and Local
Government Coordination and Preparedness (OSLGCP) administers two grant
programs that give states the opportunity to identify critical infrastructure assets: the
State Homeland Security Grant Program and the Urban Area Security Initiative
Grants, both of which are to be submitted through a state’s designated Homeland
Security Advisor. While both of these grant programs focus primarily on the needs
of first responders, they both also support activities related to critical infrastructure
protection, including the purchase of equipment such as chemical, biological,
radiological, nuclear, and explosive (CBRNE) detectors, physical security equipment
such as surveillance cameras, fences, cybersecurity hardware and software,
interoperable communications equipment, etc.

Allocation of funds through the State grant program is based on a formula
determined by Congress in the U.S.A. PATRIOT Act (P.L. 107-56). All states, the
District of Columbia, and U.S. territories receive funds. States must develop a State
Homeland Security Strategy before they can spend their funds.

Urban Areas grants (to which have been added Port Security Grants and Transit
System Security Grants) are allocated to cities, selected by DHS, based on a formula
developed by the Office of Domestic Preparedness (ODP).36 While the grant
application guidelines do not elaborate, the formula considers current threat
estimates, critical assets within the urban area, and population density. According
to the application guidelines, grantees must provide a risk assessment for review.
The risk assessment must also include threat and vulnerability assessments.37 The


37 (…continued)
jurisdiction, its impact outside the jurisdiction, the potential access of a threat element to the
target, the target’s population capacity, and the potential for mass casualties. Note that the
guidance on vulnerability assessment mixes vulnerability and consequence considerations.
38 DHS published its interim rule on the procedures associated with the sharing and
handling of information designated as Critical Infrastructure Information in February 2004.
Federal Register, No. 69, Vol. 34, pp 8074-8089. February 20, 2004.

risk assessment informs a capabilities and a needs assessment also required of the
states. The states must submit these assessments to qualify for the grant and to
justify their expenditures of grant resources.

Assets eligible for protection in either grant program include drinking water
systems; primary data storage facilities, stock markets and major banking centers;
chemical facilities located near large populations; major power generators generating
in excess of 2 gigawatts of power and whose disruption would affect a regional grid;
hydroelectric facilities and dams that produce in excess of 2 gigawatts of power and
could result in catastrophic loss of life if breached; nuclear power plants; electric
substations critical to service areas in excess of one million people; rail and highway
bridges and tunnels and whose loss would cause catastrophic economic loss and/or
loss of life; natural gas pipelines with throughput in excess of 3000 billion cubic feet;
liquified natural gas facilities; major petroleum handling facilities including
pipelines, ports, refineries, and terminals; and mass transit systems.

Nothing in the grant guidelines or in the testimony cited above indicates that
the IA/IP Directorate was involved in the development of the criteria for these grant
programs. Apparently the IA/IP Directorate did not generate its list using these grant
applications. Nor is it clear what role, if any, the IA/IP Directorate’s subsequent
vulnerability and/or risk assessments have informed the allocations of grant
resources. However, the Senate Appropriation’s Committee, in the appropriations
bill report cited above, stated that it was encouraged by the initial cooperation
between the IA/IP Directorate and ODP, and expected it to improve and for the IA/IP
Directorate to be a full partner in the grant award process.

There are other potential sources of information for identifying assets. Title II,
Subtitle B of the Homeland Security Act of 2002 established a new category of
information called Critical Infrastructure Information. Critical Infrastructure
Information is defined as “information not customarily in the public domain and
related to the security of critical infrastructure ….” It includes a broad range of
information, including information related to actual, potential or threatened
interference or attacks that could compromise or incapacitate a critical infrastructure,
the ability of a critical infrastructure to resist interference or attack, and any planned
or past operational problems. Such information, if voluntarily provided to the DHS
state, local, or private entities, either directly or indirectly through another agency,
is accorded a number of protections.38 The purpose for encouraging owners/operators
of critical infrastructures to supply this information is to help DHS assess
vulnerabilities and threat, mitigation strategies and to monitor the operational status
of the infrastructures. It is not known how much critical infrastructure information
has been submitted to DHS, and to what extent, if any, it has helped to populate the


39 For example, the Department of Energy for electric utilities, the Environmental Protection
Agency for drinking water, and Treasury for financial services.
40 Based on a personal communication with industry official, September 29, 2003.
41 See, CQ Homeland Security. July 29, 2004.
[http://homeland.cq.com/hs/display.do?docid=1278697&sourcetype=31]. This site was last
viewed on February 4, 2005. It is available by subscription only.

list of 80,000 assets. Nor is it clear how DHS uses the information it receives or if
it is helpful at all to IA/IP in accomplishing its mission.

Another source of asset information could be other agencies, especially the
Sector Specific Agencies, that have been tasked with helping their sectors assess their
vulnerabilities and to encourage them to use risk management techniques to set
priorities. While Sector Specific Agencies are apparently in the midst of developing
Sector Specific Plans for submission to the IA/IP Directorate, many of these
Agencies have already engaged in facilitating vulnerability assessments within their
sectors.39 It is not clear what the connection is between the specific sector planning
process and the on-going assessments associated with the list of 1,700 assets. Nor
is it clear to what extent, if any, the list of 80,000 assets generated by the IA/IP
Directorate, or any of the subsequent vulnerability assessments led by the IA/IP
Directorate, reflect or duplicate information accumulated by these Agencies. Does
the IA/IP Directorate use these outside analyses in lieu of doing their own
vulnerability assessments or does the Directorate use the information to help direct
its own separate analyses?

Other potential sources could be public (open source) and private databases. For
example, there are private databases used by U.S. industry that map and monitor the
operations of the nation’s systems of electric grids. Much of this information may
be proprietary.

Regardless of where DHS’s data comes from, the accuracy of the data is
important. For example, DHS compiled a preliminary list of critical infrastructure
in electric power and circulated that list to certain infrastructure owners for comment.
Among utilities operators, there was some confusion as to why certain assets were
included in the list, since some were not currently in use, while others which were
considered critical by industry standards were not on the list.40 The previously
referenced letter from the Democrats to Secretary Ridge also stated that IA/IP’s list
included sites that no longer existed. Reportedly, DHS initially had Disneyland in
California located in Los Angeles County, not Orange Country.41 For criticality and
potential consequences to be assessed accurately, location and utilization must be

Nor is it clear in what form the IA/IP Directorate has collected its information,
whether it is being entered into a single database, or if it exists in multiple databases.
If the latter, is it formatted consistently and is it accessible to all those who need to
use it? Also, it is not clear if the IA/IP’s current list of 80, 000 assets, or its refined
list of 1,700 assets, constitute the foundation of the integrated data warehouses
referenced in IA/IP’s budget justification above.


Selecting High Priority Assets

On what basis did the IA/IP Directorate select, in consultation with other
stakeholders, the 1,700 assets for further attention? According to the Undersecretary,
in his testimony referenced above, the 1,700 assets were ones with a credible
potential for loss of life and loss of citizen confidence and that these impacts would
be felt nationally. He described these assets as ones the nation cannot afford to lose.

Roper, and other methodologies reviewed for this report, recommended the
criteria for assessing the level of criticality be specific. For example, at what point
is the impact of an attack felt nationally versus one felt primarily locally or
regionally? How many casualties rise to the level of having a national impact?
What level of economic impact or what measure of reduced confidence would rank
an asset as nationally critical? Again, the answers to these questions would probably
require a consensus among decision makers.

The list of assets that qualify for Urban Area Security grants provides a little
more specificity for some of the assets. For example, power generating plants in
excess of 2 gigawatts, and whose disruption would affect a regional grid or electric
substations critical to service areas in excess of one million people, qualify for grants.
Presumably these thresholds were arrived at based on some assessment of the relative
impacts the loss of those assets would have. Other qualifying assets are less well
characterized, such as rail and highway bridges over major waterways that, if
destroyed, would cause catastrophic economic loss. What constitutes catastrophic?

An example of an analysis that provides more detail as to what might be
considered nationally critical can be found in a white paper entitled Interagency
Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System.
The authors of the white paper, the Federal Reserve Board, U.S. Security Exchange
Commission, and Office of the Comptroller of the Currency, determined that a
disruption in the services of certain “core clearing and settlement” organizations
could, by virtue of their market share, present a systemic risk to the smooth
operations of the financial markets they service. The paper defined “systemic risk”
as the risk that failure of one participant to meet its required obligations will cause
other participants to be unable to meet their obligations when due, causing significant
liquidity or credit problems and threatening the stability of financial markets. The
white paper identified a threshold market share, above which a firm’s plans
associated with back-up capacity, geographic location, and recovery would be subject
to review by the appropriate agency.

Another important issue is how to adjudicate disagreements about what should
and should not be on the list. What the IA/IP Directorate might, through careful and
accurate analysis, determine to be critical (or not) at the national level may not
necessarily agree with what other stakeholders or policy makers consider to be
critical or not (and even need not agree as long as the data analyzed is consistent,
accurate, and comprehensive).


42 Congressional Research Service. Homeland Security: Intelligence Support. CRS Report
RS21283, by Richard Best.

Assessing Threat

The Homeland Security Act assigned to the IA/IP Directorate the responsibility
of integrating all-source information in order to identify and assess the nature and
scope of terrorist threats against the homeland and to detect and identify threats of
terrorism against the United States. However, shortly after the act was passed, the
Bush Administration, in January 2003, established the Terrorist Threat Integration
Center (TTIC), within the intelligence community. Many observers felt that the
TTIC assumed many of the same responsibilities of the IA/IP Directorate. The
Homeland Security Act designated DHS a member of the intelligence community
and it has a seat at the TTIC. The issues and concerns associated with the division
of labor between TTIC and the IA/IP Directorate is beyond the scope of this report.
For information on this, see CRS Report RS21283.42 There are, however, two key
questions that are relevant to this report. Is there a consistent characterization of the
threat used throughout the intelligence community and made available to the IA/IP
Directorate and beyond to other stakeholders? Is that characterization used
consistently to inform the teams sent out to do vulnerability assessments or those
agencies and other stakeholders tasked with assessing the vulnerabilities of the
sectors for which they are responsible?

In a written response to a list of questions submitted by the House Select
Committee on Homeland Security, after its joint hearing with the Judiciary
Committee on July 22, 2003, the DHS gave a few examples of threat information that
has been passed on to stakeholders to inform their decision-making. These included
an advisory to the oil and gas industry that discussed recent terrorist behavior
overseas, including general characteristics of terrorist surveillance; and, an advisory
on how nitrocellulose could be used by terrorists to create a bomb. The answer did
not discuss if or how this information may have influenced subsequent vulnerability
or risk assessments.

Another issue is whether the IA/IP Directorate values all threats equally. For
example, Al Qaeda has demonstrated capabilities in a number of attack modes (e.g.
bombs, hijacking and piloting planes). But, their capability in other attack modes are
not necessarily as well developed. How does IA/IP consider this in their threat

Assessing Vulnerabilities

The testimony of IA/IP officials implies that the IA/IP Directorate will either
perform or lead vulnerability assessments in the field. However, much of the work
being performed by the IA/IP Directorate is being done by contractors or details from
other agencies until the IA/IP Directorate is more fully staffed. Also, as mentioned
earlier, it is not clear if the IA/IP Directorate uses the vulnerability assessments
performed by other agencies or stakeholders in lieu of doing their own. A key
question is whether or not contractors, details, or other agencies and stakeholders
follow a similar protocol in doing their vulnerability assessments? As discussed


43 For example, the Coast Guard considered six categories of consequences, including
death/injury, economic, environmental and symbolic impacts, all equally weighted, and
assigned a value of 1 to 5 to each of these, based on severity. An overall level of risk was
determined by the sum total value.

above, there are many models by which to assess vulnerabilities. It is not necessarily
important that all vulnerability assessments follow the exact same methodology.
However, Congress might want to ensure that certain general considerations are
included. For example, what vectors of vulnerability are examined? Are
dependencies on assets beyond the control of the immediate owner/operator
considered? As discussed above, is the threat sufficiently characterized?

Assessing Risks

As discussed above, risk is a function of threat, vulnerability, and consequences.
What consequences does the IA/IP Directorate consider when assessing risk? The
Undersecretary of Information Analysis and Infrastructure Protection, in the
testimony discussed above, mentioned that the criticality of an asset was measured
in part by loss of life and loss of citizen confidence, and the IA/IP budget justification
alludes to forecasting national security, economic, and public safety implications.

HSPD-7 lists the types of attacks that animate national critical infrastructure
policy. These are attacks that could: cause catastrophic health effects or mass
casualties; impair federal agencies’ ability to perform essential missions; undermine
the ability of state and local governments’ to maintain order and provide essential
services; damage the orderly function of the economy; or undermine the public’s
morale or confidence.

One may assume that the IA/IP Directorate considers these factors when
determining risk. But, are they all considered together? How are different
consequences integrated into an overall risk rating for a given scenario?43 Does IA/IP
weigh each category of consequence equally? HSPD-7 stated that the Secretary of
Homeland Security, when identifying, prioritizing, and coordinating the protection
of critical infrastructures, should emphasis those infrastructures that could be
exploited to cause catastrophic health effects or mass casualties comparable to those
from the use of a weapon of mass destruction. In this case, might preventing an
attack on the Super Bowl take precedent over an attack on one of those core clearing
and settlement facilities mentioned above, the destruction of which might
significantly disrupt national financial markets? To what extent, if any, is the
Directorate risk averse? The grant application guidelines for the State and Urban
Areas Security grants imply a risk aversion when it focuses on weapons of mass
destruction, even though the threat of this might be lower than the threat of
conventional attacks.

Another question is how are these consequences measured? Are potential
deaths based on experiential data or models or best estimates? How is confidence
or morale, and the impact on morale measured? Are economic models used to


44 The Senate Appropriation Committee, in its FY2005 appropriations bill’s report,
recommended continued funding for risk analysis activities that include evaluating second-
and third-order cascade effects associated with market interdependencies.
45 See, Office of Homeland Security, The National Strategy for the Physical Protection of
Critical Infrastructures and Key Assets, February 2003, p. 1.

determine economic impact? How are cascading effects due to interdependencies
determined? How far down the chain of reactions does IA/IP consider44?

Risk Mitigation

The risk associated with a specific attack on an asset can be reduced by reducing
the level of threat to it, by reducing its vulnerability to that threat, or by reducing the
consequences or impact of an attack should it happen. This parallels the Bush
Administration’s overall strategy for homeland security—1) prevent terrorist attacks,
2) reduce America’s vulnerability to terrorism, and 3) minimize the damage and
recover from attacks that do occur.45 The Department of Defense, the Central
Intelligence Agency, the Federal Bureau of Investigations, elements of DHS’s Border
and Transportation Directorate, and other law enforcement and intelligence agencies
(including the Information Analysis side of the IA/IP Directorate) have the primary
role of reducing threat, by disrupting, finding, detaining, or eliminating individuals
that threaten the United States. The DHS’s Emergency Preparedness and Response
Directorate is principally responsible for trying to mitigate the consequences of an
attack, through rapid response and quick recovery. The IA/IP Directorate’s primary
role is to reduce an asset’s vulnerability. As discussed above, it is doing so mainly
by hardening the asset against attack, by improving the ability of those protecting the
asset to deny access to the asset and to improve their ability to repulse an attack. This
begs the question, however, of whether or not, and by what mechanism, are the
various efforts to reduce threat (prevent), vulnerability (protect), and consequences
(prepare) coordinated both within DHS and between DHS and other agencies and to
what extent, and by what mechanism, are the allocation of federal resources to these
three areas influenced at all by comparing the risk reduction achieved by each? This
would likely require a level of risk management currently beyond the IA/IP
Directorate’s mandate.

Prioritizing Protection Activities

According to the statement of Director McDonnell, the IA/IP Directorate
conducts a risk assessment, mapping threat and vulnerability information. The risk
information is then used to prioritize the implementation of protective measures. It
is not clear, however, how the risk assessment is used by IA/IP to prioritize
subsequent activity. The implication is that the IA/IP Directorate ranks further its list
of 1,700 assets based on the risk. But several question remain. Does the IA/IP
Directorate rank assets as high, medium, and low risk and focus it subsequent efforts
on those ranked as high? Does it estimate the risk reduction associated with its
recommendations? Does it seek to maximize the risk reduction of the highest at-risk
assets or does it seek to maximize the risk reduction across all of the assets it has
identified as critical?


46 The National Commission on Terrorist Attacks Upon the United States, The 9/11
Commission Report, W.W. Norton and Company, 2004, p. 392.

HSPD-7 gives some guidance in addressing these questions. According to the
Directive, the Secretary will “identify, prioritize, and coordinate the protection of
critical infrastructure and key assets with an emphasis on critical infrastructures and
key assets that could be exploited to cause catastrophic health effects or mass
casualties comparable to those from the use of weapons of mass destruction.” This
implies that greater weight should be given to loss of life consequences than
economic impact, or continuity of government services, or loss of national morale or


The IA/IP Directorate has been tasked with a very complex problem. Security
oriented risk management is typically done at the site or facility level or at the
corporate level. The IA/IP Directorate is being asked to do this at the national level,
assessing and comparing at least 1,700 disparate sites and facilities it has judged as
being nationally important.

The IA/IP Directorate is also asked to consider not only economic impacts and
loss of life, but the possible impact on national morale and the ability of state and
local governments to maintain order and deliver essential services. None of these are
easy to measure and all are difficult to trade off one against the other, should the
analysis come down to that. To determine the economic impact of the loss of an
asset is more difficult than determining the effect on a company’s bottom line. The
IA/IP is being instructed to determine economic impacts two to three levels through
the supply chain. It is not clear how the Directorate can or intends to measure the
impact on national morale associated with the loss of an asset, especially a cultural
icon. Comparing the potential loss of life in one scenario with the potential loss of
life in another scenario, while sensitive, presents a direct comparison. However,
comparing the importance of an asset whose loss may result in a relatively small loss
of life with another asset the loss of which might result in a large economic impact
is much harder.

The exercise will be less than perfect and probably less than objective. The
Bush Administration and Congress are allocating resources in any event, so these
choices are getting made implicitly. If such processes were more transparent,
Congress could better oversee them and offer guidance if necessary.

The 9/11 Commission, in discussing a need for a layered security system for
public transportation systems, stated that the Transportation Security Administration
should be able to identify for Congress the array of potential terrorist attacks, the
layers of security in place, and the reliability provided by each layer.46 Expanding on
this, the IA/IP Directorate should be able to tell Congress what criteria it used to
select assets of national importance, the basic strategy it uses to determine which
assets warrant additional protective measures, and by how much these measures
could reduce the risk to the nation. It should also be able to tell how much these


additional measures might cost. Who pays for these measures is another issue,
beyond the scope of this report. The national plan called for by HSPD-7 could be a
good vehicle for presenting this information. Alternatively, the IA/IP Directorate
could develop a written protocol that outlines specifically the steps taken in the risk
assessment and risk management process and the assumptions, criteria, and tradeoffs
that are made. Such a protocol could not only help keep Congress informed, but
could also ensure consistency in carrying out assessments and in making decisions.
Some critics of this approach might suggest that each sector and each asset is
different and “one size can’t fit all.” However, while each sector and each asset
presents their own unique situations, a common set of consequences that measure
risk and by which to measure risk reduction will act to normalize the analysis across

Finally, Congress may choose to offer its guidance to the IA/IP Directorate on
some of these criteria or tradeoffs. To do so with the same systematic approach that
the IA/IP Directorate has been asked to do, the different committees with jurisdiction
over different infrastructures may want to consider coordinating their advice.



Carl Roper, Risk Management for Security Professionals, Butterworth-Heinemann,

U.S. Coast Guard, Implementation of National Maritime Security Initiatives, Federal
Register, Vol. 68, No. 126, July 1, 2003, pp 39240-39250.

American Petroleum Institute and the National Petrochemical & Refiners
Association, Security Vulnerability Assessment Methodology for the Petroleum and
Petrochemical Industries, May2003.

U.S. Department of Energy, Office of Energy Assurance, Vulnerability Assessment
Methodology, Electric Power Infrastructure (Draft), September 30, 2002.

National Communications Systems, Office of the Manager, Public Switched Network
Security Assessment Guidelines, September 2000.

Association of Metropolitan Sewerage Agencies, Protecting Wastewater
Infrastructure Assets: Asset Based Vulnerability Checklist for Wastewater Utilities,

Government Accountability Office, Homeland Security: Key Elements of a Risk
Management Approach, GAO-02-150T, October 12, 2001.

American Chemistry Council, the Chlorine Institute, and the Synthetic Organic
Chemical Manufacturers Association, in their Site Security Guidelines for the U.S.
Chemistry Industry.

Argonne National Laboratory, et al., prepared for the Office of Energy Assurance,
U.S. Department of Energy, Energy Infrastructure Vulnerability Survey Checklists,
February 22, 2002.

Public-Private Partnerships in Homeland Security:
Opportunities and Challenges

Nathan E. Busch and Austen D. Givens

Public-private partnerships are a major
issue of discussion in businesses and
government agencies concerned with
homeland security. However, this issue has
received a much less thorough treatment in
scholarly literature on homeland security.
This article begins to fill a gap in homeland
security scholarship by identifying the
e s s e n t i a l r o l e t h a t p u b l i c – p r i v a t e
partnerships are now taking in homeland
security and by examining opportunities
and challenges for this transformative shift
i n t h e f i e l d . T h e a r t i c l e b e g i n s b y
contextualizing our argument within recent
scholarship, and tracing the development of
public-private partnerships in homeland
security. The article then examines the
growing role of public-private sector
partnerships in homeland security. The
article concludes by discussing ongoing
challenges that will need to be considered
a n d a d d r e s s e d f o r p u b l i c – p r i v a t e
partnerships to be successful over the long

“…I want to just say this about the private

sector. In my mind, the government is incapable
of responding to its maximum ability without

private sector support…” 1
–Hon. Tom Ridge, Former Secretary, U.S.

Department of Homeland Security

April 20, 2010 had been an otherwise typical
day. At 9:49 p.m., however, the first of
several blasts shattered the night air over the
Gulf of Mexico, ultimately killing eleven
workers and crippling the Deepwater Horizon
oil rig.2 The explosion and subsequent oil
s p i l l e v e n t u a l l y b e c a m e t h e l a r g e s t
environmental catastrophe in US history. 3
Over the following months, hundreds of

government and private sector actors
convened around the Gulf of Mexico,
summoning an unprecedented amount of
equipment and technical expertise to stop the
oil flow from the Gulf’s floor. British
Petroleum (BP), the National Oceanic and
Atmospheric Administration, the US Coast
G u a r d , s t a t e g o v e r n m e n t s , l o c a l
governments, and hundreds of businesses
and public sector agencies collaborated in
response to the disaster. 4 British Petroleum
and local officials launched initiatives
enlisting local fishermen to assist in
waterborne cleanup efforts. 5 The federal
government used privately manufactured oil
d i s p e r s a n t s i n r e c o v e r y o p e r a t i o n s . 6
Throughout this process, the public and
private sector worked closely together to
restore a sense of normalcy in the Gulf.

The Deepwater Horizon incident provides
a large-scale illustration of an actively
growing trend in emergency management
and homeland security. 7 Public-private
partnerships are a major issue of discussion
in businesses and government agencies.
However, this issue has received a much less
thorough treatment in scholarly literature on
homeland security. This is surprising, as
public-private partnerships are perhaps the
most dynamic and important subjects for
homeland security practitioners today.

Public-private partnerships have been
defined as collaboration between a public
sector (government) entity and a private
sector (for-profit) entity to achieve a specific
goal or set of objectives. 8 This collaboration
results in government-business relationships
that include service contracts, supply chains,
ad hoc partnerships, channel partnerships,
information dissemination partnerships, and
civic switchboard partnerships. 9 These
partnerships have been discussed in narrow
ways in the scholarly literature in related
disciplines (such as public administration
broadly understood) and some of the various
subfields of homeland security (such as


e m e r g e n c y m a n a g e m e n t o r c r i t i c a l
infrastructure protection). 10 For example,
Y o s s i S h e f f i s u g g e s t s p u b l i c – p r i v a t e
partnerships are important for supply chain
security under threat of international
terrorism, a theme that David J. Closs and
Edmund F. McGarrell repeat. 11 Others
underscore that private sector participation is
integral in critical infrastructure protection
and homeland security. 12 Discussion of the
private sector’s role within other subfields,
s u c h a s i n t e l l i g e n c e , c y b e r s e c u r i t y ,
transportation security, public health, and
h a z a r d m i t i g a t i o n s h o w s i n c r e a s i n g
understanding of businesses’ impact on
homeland security. 13

Overall, however, the scholarly literature
has not yet caught up to the practitioner
understanding of public-private partnerships’
prominence in homeland security. 14 This
article begins to fill a gap in homeland
security scholarship by identifying the
essential role that public-private partnerships
are now taking in homeland security, and by
e x a m i n i n g t h e i m p l i c a t i o n s o f t h i s
transformative shift in the field. As we will
see, public-private partnerships hold great
promise, but also face significant obstacles
that will need to be overcome. The article
begins by tracing the development of public-
private partnerships in homeland security. It
t h e n e x a m i n e s m u l t i p l e s u b f i e l d s o f
homeland security and highlights the
g r o w i n g r o l e o f p u b l i c – p r i v a t e s e c t o r
partnerships in homeland security. The
article concludes by discussing ongoing
challenges that will need to be considered
a n d a d d r e s s e d f o r p u b l i c – p r i v a t e
partnerships to be successful over the long

G o v e r n m e n t a n d b u s i n e s s e s ’ r o l e s i n
homeland security can be traced back to
America’s founding. For example, in the
Federalist Papers, James Madison was
careful to underscore the importance of the
federal government in “times of war and
d a n g e r , ” w h i l e n o t d i m i n i s h i n g t h e
importance of the states in periods of “peace

and security.” 15 In 1803, following a
d e v a s t a t i n g f i r e i n P o r t s m o u t h , N e w
H a m p s h i r e , C o n g r e s s a u t h o r i z e d t h e
suspension of federal bond payments for
merchants affected by the disaster. 16 For the
first time, the US government provided
emergency relief for a community. Thus
b e g a n a n e s c a l a t i o n o f f e d e r a l – l e v e l
involvement that continues today, requiring
close working relationships among the
federal, state, and local levels of government,
non-governmental organizations, and the
private sector.

Public-private partnerships evolved in the
nineteenth century, as various disasters
prompted a re-calibration of government’s
role in emergencies. The Great Chicago Fire
of 1871 burned a four square mile area in the
southwestern part of the city, leaving one
third of the city’s population homeless.17
While difficult to fathom today, the federal
government’s role was limited in recovery
efforts. No appreciable amount of financial
assistance flowed from Washington, DC to
Chicago in the fire’s aftermath.18 Instead, the
majority of recovery financing came from a
combination of local and state governments,
as well as charities and businesses. 19 The fire
f a c i l i t a t e d a s h i f t i n g o v e r n m e n t a l
involvement in emergency management.
Subsequent twentieth-century disasters,
including the 1906 San Francisco Earthquake
and the 1927 Great Mississippi Flood,
ratcheted up government support for
response and recovery efforts. 20 Increasing
amounts of funding changed hands between
the public and private sectors to support
post-disaster reconstruction.

From World War II through the end of the
Cold War, public-private partnerships
remained an essential element in national
defense. Citizens were trained by the federal
government to watch for enemy aircraft,
assist in preparation for nuclear attacks, and
direct air raid drills in public spaces. 21 At the
same time, US manufacturing capacity
adapted to emerging needs. Firms recycled
and repurposed commercial products (e.g.
rubber, steel, wood) to support the materiel
needs of the armed forces. The private sector
modified production to fill new demands. The
Ford Motor Company, for example, built an
e n t i r e c o m p l e x t o c o n s t r u c t m i l i t a r y
aircraft. 22 Government and private sector



functions in national security evolved to meet
wartime priorities.

P u b l i c – p r i v a t e s e c t o r p a r t n e r s h i p s
continued to develop in the late twentieth
and early twenty-first century. The Federal
Emergency Management Agency (FEMA)
was created during the Carter administration
t o c o n s o l i d a t e d i s a s t e r m a n a g e m e n t
functions previously scattered across the
federal government. 23 Over time, businesses
began taking a more expansive role in
defense and security, from building out
information technology (IT) infrastructure, to
production of specialized equipment in law
enforcement, to contracting out job functions
in government offices. 24

The September 11, 2001 terrorist attacks,
Hurricane Katrina, and the Deepwater
Horizon oil spill all highlight the prominence
of public-private partnerships in what is
today called homeland security. In all three of
these disasters, the private sector worked
closely with local, state, federal, and non-
profit entities to respond to community
needs. For example, following the 9/11
attacks, Verizon assumed a pivotal role in
quickly rebuilding network infrastructure to
re-open the New York Stock Exchange
(NYSE). 25 In the aftermath of Hurricane
Katrina, FEMA, in cooperation with the State
of Louisiana, distributed $2.3 billion in
public assistance funding to residents
affected by the storm. 26 But Wal-Mart was
instrumental in providing relief supplies –
blankets, plastic tarpaulins, batteries,
flashlights, water, and non-perishable food –
to Gulf residents immediately following
Katrina’s impact. 27 Similarly, the Deepwater
Horizon disaster required close coordination
among government, non-profit, and private
sector entities. 28 The American Red Cross
sheltered and cared for displaced Gulf
residents, while the private sector hired local
fishermen to assist in cleanup efforts and
worked with government agencies to stop the
oil leak. 29 It is clear from these examples that
businesses, alongside numerous government
and non-governmental entities, now play an
increasingly integrated role in homeland

In the following sections, we examine
different initiatives and facets of homeland
security, highlighting the role of public-
private partnerships in each. Given the

current expansive scope of public-private
partnerships in homeland security as a
whole, we limit our discussion to select
federal-level public-private partnerships,
which have enjoyed varying levels of success.
However, it is important to note that
homeland security includes efforts at the
state and local levels, including fusion
c e n t e r s , n o n – p r o f i t s , c i v i c g r o u p s ,
professional associations, and individual
citizens. As an “umbrella” concept, homeland
security also touches on various subfields
apart from those we discuss below, including
immigration services, public health, and
intelligence. 30 A comprehensive treatment of
public-private partnerships in every aspect of
homeland security is beyond the scope of this
article. Nevertheless, the following discussion
identifies some of the most significant trends
in homeland security today.

With approximately 85 percent of the
nation’s critical infrastructure under private
sector control, alliances between government
and business are essential for homeland
security. 31 The US Department of Homeland
Security (DHS) creates coordination bodies
to facilitate information exchange, planning,
and situational awareness between the public
a n d p r i v a t e s e c t o r s . T h e O f f i c e o f
Infrastructure Protection (OIP) within DHS
works on threat and vulnerability analyses,
national and local-level coordination with
businesses and government agencies, and
risk mitigation. 32 The OIP is responsible for
coordinating information exchange and
collaboration among six sectors: chemical;
commercial facilities; critical manufacturing;
dams; emergency services; and nuclear
reactors, materials, and waste. 33 Given that
private sector companies operate most of the
facilities in these six sectors, public-private
sector partnerships are indispensable to the
OIP mission. The Critical Infrastructure
Partnership Advisory Council (CIPAC), a
strategic body, complements the OIP.

The CIPAC is the basic organizational
framework in which government and private
sector representatives exchange information
a n d c o o r d i n a t e c r i t i c a l i n f r a s t r u c t u r e



protection activities at the federal level. The
CIPAC membership roster reads as a
veritable “who’s who” of government agencies
and industry leaders nationwide. Firms in the
CIPAC include such companies as BASF
Corporation, the Trump Organization,
Verizon, the Boeing Company, Google, and
the US Oil and Gas Association. Government
entities in the CIPAC include the United
States Environmental Protection Agency,
Department of Commerce, and Department
of Justice. 34

The CIPAC demonstrates substantial
cooperation between public and private
entities at the federal level related to critical
infrastructure protection in homeland
s e c u r i t y . T h e e x i s t e n c e o f m u l t i p l e
coordination groups, as well as the presence
of leading US businesses within them,
underscores that public-private partnerships
are integral to achieving homeland security
o b j e c t i v e s i n c r i t i c a l i n f r a s t r u c t u r e

Despite the clear need that the CIPAC is
designed to address, however, there are
legitimate criticisms that can be leveled
against this group. For example, some firms
may sense that they are expected to share a
significant amount of information with
g o v e r n m e n t , b u t d o n o t g e t t i m e l y
information back from government. One
could also claim the CIPAC is overly
government-centric, and does not give due
c o n s i d e r a t i o n t o b u s i n e s s c o n c e r n s .
Moreover, firms may feel pressured to
participate in order to avoid regulations that
will force them to alter their business
strategies.35 Without diminishing the
relevance of these concerns, the CIPAC
nonetheless provides an important example
of how public-private partnerships are
enhancing critical infrastructure protection.

Information technology (IT) firms are
essential in achieving national cybersecurity
objectives. Well-known companies routinely
p a r t n e r w i t h g o v e r n m e n t t o s h a r e
information and collaboratively address IT
c h a l l e n g e s w i t h h o m e l a n d s e c u r i t y
implications. For example, the National
Cyber Security Alliance (NCSA) is an

organization that raises awareness about
cybersecurity issues and empowers computer
users to protect themselves against electronic
threats. 36 Public-private partnerships are
critical to the NCSA mission. 37 The NCSA
b o a r d i n c l u d e s r e p r e s e n t a t i v e s f r o m
numerous national firms, including AT&T
Services, Inc., Cisco Systems, Lockheed
Martin, Microsoft, Google, Facebook, Bank of
America, SAIC, and Visa. 38 Demonstrating
linkages between the NCSA and federal
government, the White House and DHS
promoted the most visible NCSA initiative,
known as National Cyber Security Awareness
Month (NCSAM), in 2010. 39 The NCSA is an
e x c e l l e n t e x a m p l e o f p u b l i c – p r i v a t e
partnerships at work in the cybersecurity

A r e c e n t h a c k i n g i n c i d e n t f u r t h e r
highlights the interconnectedness of the
public and private sectors in cybersecurity. In
June 2011, Google publicly disclosed that
individuals in China illegally accessed the
personal email accounts of several senior US
government officials. 40 This was allegedly
done through use of “phishing,” a method of
fraudulently obtaining a user’s information
t h r o u g h f a b r i c a t e d e m a i l s a s k i n g f o r
usernames, passwords, and related data.
Google notified the FBI about the incident.
The White House National Security Council
(NSC), as well as DHS, followed up with
Google to assess the incident’s impact. 41
Understanding this attack’s sources and
methods provides greater knowledge of
cybersecurity threats to public and private
sector organizations. As this incident
d e m o n s t r a t e s , p u b l i c – p r i v a t e s e c t o r
partnerships, as well as information sharing,
are critical to effective cybersecurity.

America’s ports are vital hubs of economic
activity. In 2010 alone, nearly 263,000
metric tons of products passed through the
port of Houston-Galveston, Texas. 42 During
the same period, approximately 30 million
passengers flew in and out of LaGuardia
airport in New York City. 43 With such a high
volume of goods and persons moving through
US ports of entry, port security is an urgent
priority. Against this backdrop, the Customs



Trade Partnership Against Terrorism (C-
TPAT) is a government-business sector
initiative that was created to enhance
worldwide supply chain security.44 Over
6,000 firms are certified through the C-TPAT
program, meaning they enjoy close working
relationships with United States Customs and
Border Protection (CBP), are able to obtain
government risk assessments of their supply
chain, and can attend special government-
sponsored supply chain security training
sessions. 45 Programs like the C-TPAT are
useful to homeland security in providing a
broad administrative framework for regular
public-private sector coordination.

On-the-ground security initiatives also
impact this critical area of economic activity.
The Transportation Worker Identification
Credential (TWIC) program pre-screens
workers with unescorted access to sensitive
areas of America’s ports to ensure they do not
pose a security threat.46 This arrangement
enhances supply chain security, and helps
achieve port security objectives. As of 2009,
over 500,000 workers were enrolled in the
TWIC program. 47

Technologies in use at America’s ports
underline the importance of public-private
sector partnerships. Consider the SAIC
Vehicle and Cargo Inspection System
(VACIS). The VACIS is a device that emits
low-level radiation, providing a rapid view of
cargo containers’ contents – not unlike an X-
r a y m a c h i n e . 48 T h e V A C I S p e r m i t s
government and private sector officials to
quickly evaluate if a given container poses a
threat. Similarly, new luggage and passenger
screening machines produced by L-3 and GE
Security bolster protection in US airports. 49
While the latter continue to be the subject of
vigorous public debate, it is worth noting that
the so-called “full body scanners” are a
private sector response to a governmental
need – a clear example of public-private
partnerships at work in homeland security.

Another public-private partnership in US
airports is the Screening Partnership
Program (SPP). Under this initiative,
screening companies that meet certain
qualifications carry out TSA-like duties at US
airports. Additionally, individual airport
executives may petition TSA for private
sector employees to work as screeners in
their facilities. 50 While the program’s scope is

l i m i t e d – o n l y s i x t e e n a i r p o r t s a r e
participating – the SPP is proving a helpful
alternative to TSA screening. 51 Mark VanLoh,
Director of Aviation for Kansas City,
Missouri, noted in Congressional testimony
that the SPP enhances flexibility in personnel
use, allows for greater employee cross-
training, and is more effective in dealing with
non-performing workers. 52 Like the use of
new, privately manufactured screening
technologies in airports, the SPP illustrates
the increasing presence of public-private
partnerships in port security.

Emergency managers are increasingly
engaged in all aspects of homeland security,
including the previously discussed areas of
c r i t i c a l i n f r a s t r u c t u r e p r o t e c t i o n ,
cybersecurity, and port security. 53 But there
is still a distinct area within emergency
management that stands apart from these
subfields: immediate, near-term response
and recovery activities.54 In such activities,
FEMA has widely embraced the essential role
of public-private partnerships. 55 Hurricane
Katrina and the BP Deepwater Horizon oil
spill illustrate why FEMA has embraced these

Hurricane Katrina provides emergency
management scholars and practitioners with
a powerful lesson in what not to do. While
popular blame for inadequate response
initially fell upon FEMA, today researchers
acknowledge systemic failures at all levels of
government. 56 Despite these shortcomings,
the private sector helped to address various
government deficiencies in response and
recovery efforts.57 As the world’s largest
employer, Wal-Mart is proficient in logistics;
that is, efficiently moving and distributing
large quantities of goods over a wide
geographic area. In anticipation of the
storm’s impact in 2005, Wal-Mart deployed
trucks full of relief supplies to the Gulf
region. 58 Clothing, diapers, toothbrushes,
bottled water, ice, and non-perishable food
items began rolling off Wal-Mart’s fleet of
trucks as the storm passed. 59 Government
leaders took notice. A local official even
suggested that FEMA use Wal-Mart’s
response as a model for its own efforts.60 In



the midst of a significant disaster, Wal-Mart
filled governmental gaps in disaster recovery

Like Katrina, the 2010 Deepwater Horizon
oil rig explosion and spill affected a vast
geographic area in the Gulf of Mexico. The
initial response involved hundreds of local,
state, and federal government actors, as well
as representatives from the non-profit and
private sectors. British Petroleum, which was
a responsible party for the spill, worked with
the federal government and veterans of the
Exxon Valdez oil spill to assess its impact and
facilitate cleanup efforts. 61 The public sector
l a c k e d t h e n e c e s s a r y c o m b i n a t i o n o f
equipment and technical expertise to shut off
the flow of oil from the Gulf floor. 62 Thus BP,
which drilled the leaking undersea oil well in
the first place, cooperated with the public
sector in carrying out the work of halting the
spill. Public-private sector partnerships were
integral to the overall response and recovery

F E M A h a s m a d e p u b l i c – p r i v a t e
partnerships a high priority, and leads a
major national initiative to forge closer ties
with the business community. The agency’s
regional offices, which cover all fifty states
and US territories, house a private sector
liaison officer charged with building alliances
with firms. 63 FEMA Administrator Craig
Fugate underscored the importance of the
private sector for emergency management in
recent public remarks:

The private sector, from Fortune 500
companies to your local grocery store, is an
essential member of the team…. The faster
we can help stores and businesses get back
on their feet [after a] disaster, the more
effective the rest of the team can be in
focusing our resources on helping disaster
survivors in areas that don’t yet have access
to those goods and services. Growing
strong working relationships between
emergency managers and the private sector
is a good business decision for everyone – it
helps us better serve survivors, rebuild our
communities and boost local economies.64

These comments illustrate the degree of
buy-in within FEMA oriented toward
building relationships with businesses.
Public-private partnerships are beneficial in
enhancing firms’ preparedness for disaster,
as well as connecting them with government

p a r t n e r s i n a d v a n c e o f a l a r g e – s c a l e
emergency. From FEMA’s leadership team to
personnel in regional offices, public-private
sector partnerships carry tremendous
importance. This emphasis has real-world
impacts in disaster response.

Public-private partnerships can enhance
hiring, resource utilization, specialization,
c r o s s – s e c t o r t r u s t , a n d t e c h n o l o g i c a l
innovation. They are often able to cut across
traditional bureaucratic divides within
government. And they can enhance public
p r o t e c t i o n i n w a y s n o t p o s s i b l e f o r
g o v e r n m e n t o r b u s i n e s s e s a c t i n g
independently. In this section, we will discuss
each of these advantages, which suggest
public-private partnerships will make
ongoing contributions in homeland security.

The private sector helps the public sector fill
personnel needs more effectively than the
g o v e r n m e n t a c t i n g i n d e p e n d e n t l y .
Background checks for security clearances –
a widespread requirement for prospective
employees in the homeland security arena –
are notoriously sluggish, sometimes taking
years to complete. 65 This can create a
significant time lag effect between an
applicant being offered a position, and
a c t u a l l y a s s u m i n g t h a t p o s i t i o n .
Compounding the issue, separate human
r e s o u r c e s – o r i e n t e d a c t i v i t i e s a r e a l s o
necessary to bring a new employee into the
h o m e l a n d s e c u r i t y w o r k f o r c e . T h e s e
b a c k g r o u n d i n v e s t i g a t i o n a n d h u m a n
resources processes frequently overlap.
Businesses operating within the homeland
security space are often able to bring in new
employees faster, and more efficiently, than
the public sector. 66 This, in turn, creates
value for the public sector. This arrangement
serves firms’ business interests, as well as
governmental personnel needs.

Today, firms like SAIC, Booz Allen
Hamilton, Northrop Grumman, and General
D y n a m i c s a s s i g n e m p l o y e e s t o w o r k



shoulder-to-shoulder with government
counterparts in public sector homeland
security offices. 67 As a result, the homeland
security workforce benefits from the hiring
speed of the private sector. These private
sector employees perform traditionally
government functions, from intelligence
a n a l y s i s , t o e m e r g e n c y p l a n n i n g , t o
protecting critical infrastructure. Thus,
businesses can augment the total homeland
security workforce faster than government
acting alone. This provides a swift, cost-
effective solution to the need for more
personnel in homeland security positions.

Firms have a fixed amount of human and
physical capital with which to achieve
business objectives. Resource utilization
refers to these assets being directed toward a
specific aim, and in so doing, forgoing other
opportunities. By orienting resources toward
homeland security applications, businesses,
government, and the public can benefit.
Firms’ sales increase. Government gains from
privately produced products and services,
and public safety is enhanced. Private
companies forge an advantageous triangular
relationship among these stakeholders by
using their resources for homeland security

A case from aviation security illustrates
how focused resource utilization can benefit
businesses, government, and the general
public. In 2008, the Transportation Security
Administration (TSA) announced that it
would permit airline passengers to keep
laptops in bags at security checkpoints,
provided the bags adhere to a certain x-ray
transparency standard.68 TSA subsequently
released a Request for Information (RFI)
about bag requirements: they should have no
metal components, such as zippers, buttons,
or snaps that could interfere with the ability
of an x-ray to “see” the laptop’s components.
To this end, Aerovation – a luggage producer
– responded by designing a “checkpoint
friendly” laptop bag.69 In public-private
partnerships such as this, a firm re-allocates
research and development resources in order
to meet government homeland security
objectives, while at the same time serving its

business interests. In theory, this would
increase operational efficiency and reduce
wait times for airline passengers in security
queues. For this innovation to be effective,
however, TSA personnel would need to
r e c e i v e t r a i n i n g t o r e c o g n i z e t h e s e
“ c h e c kp o i n t f ri e n d l y ” b a g s a n d a l l o w
passengers to keep their laptops in the bags.
This training may not have sufficiently
occurred yet. But through these and similar
efforts to maximize resource utilization,
public-private partnerships can work to
achieve homeland security objectives.

By participating in homeland security
activities, private sector actors develop
specializations in functional areas, enhancing
public sector performance. 70 This process, in
turn, can permit government agencies to
f o c u s m o r e u p o n m i s s i o n – e s s e n t i a l
activities. 71 For example, in 2009, TSA
announced the award of an IT services
contract to CSC, a firm based in Falls Church,
Virginia. 72 The $493 million, five-year deal
i n c l u d e s p r o v i s i o n s f o r d e s i g n i n g ,
maintaining, and upgrading TSA’s IT
infrastructure over time. 73 Serving one
agency’s IT needs in such a comprehensive
way means that CSC develops increasing
familiarity with TSA systems, software,
hardware, and requirements. This knowledge
creates efficiencies over time. On the one
hand, CSC is able to anticipate TSA’s needs in
a more effective fashion. On the other hand,
TSA is freed to devote personnel and
r e s o u r c e s t o o t h e r c r i t i c a l a c t i v i t i e s .
Increasing specialization by CSC increases
aggregate effectiveness, serving both private
sector and public sector interests in a
mutually beneficial manner.

Communication between the public and
p r i v a t e s e c t o r c a n d e c r e a s e o f f i c i a l s ’
skepticism and mistrust of one another. Over
time, repeated interaction and collaboration
m a y a c t u a l l y b u i l d t r u s t a c r o s s t h e
g o v e r n m e n t – b u s i n e s s d i v i d e . W h e t h e r
d e v e l o p i n g p l a n s f o r t h e f u t u r e , o r



responding to an emergency, trust is
invaluable in fostering effective, mutually
beneficial outcomes. 74 So public-private
partnerships have what might be called a
“softer” benefit – the construction of
relationships themselves. It is challenging to
quantify the value of a public-private sector
relationship in the same way one might
appraise a house or a car. But having
excellent working relationships in place
during routine operations, as well as crises, is

Public-private partnerships can also serve as
catalysts for new technological innovations. 76
Two growing DHS initiatives stand out in
their promotion of private sector innovation
for homeland security-related challenges: the
System Efficacy through Commercialization,
Utilization, Relevance and Evaluation
(SECURE) program, and its sister program,
FutureTECH. 77 The SECURE program
provides a pathway for private sector
research and development (R&D) to occur
without DHS financing the process itself.
This departs from the traditional model of
government-funded R&D, in that DHS
provides clear requirements and design
specifications to prospective vendors via
public announcement. Firms, in turn, design
technologies using their own resources, and
attempt to sell them to the government at a
competitive price. 78 This achieves public
sector budgetary savings, permits firms to
focus their R&D activities in a more effective
way, and strives to deploy solutions in the

T h e F u t u r e T E C H p r o g r a m a i m s t o
enhance existing technologies to meet
anticipated needs, taking a longer view of the
innovation process. DHS identifies specific
focus areas in which firms can continue to
update and improve homeland security tools.
These areas include detection of homemade
explosives and waterborne improvised
explosive devices. 79 By entering into a
Cooperative Research and Development
Agreement (CRADA) with DHS, firms can
benefit from public sector subject matter
experts who help to shape the design of a
given product to meet precise requirements.

I n t h i s s e n s e , C R A D A r e q u i r e c l o s e
coordination between a DHS Science and
Technology (S&T) officer and business
representatives. 80 Both SECURE and
FutureTECH can advance innovation for
homeland security by focusing private sector
R&D activities to meet public sector needs.
Despite the great promise of public-private
partnerships in homeland security, they also
have a number of shortcomings. The article
next addresses some of the ways in which
public-private partnerships can fail, and
outlines areas of governance in which public-
private partnerships cannot function.

Public-private partnerships can provide
tremendous advantages for both government
and businesses and can help the United
States to meet its national security needs.
There are, however, instances in which
public-private partnerships are inappropriate
due to the unique mandates of government.
There have also been cases in which public-
private partnerships fail to meet expectations
or businesses do not comply with government
recommendations. These issues demonstrate
that while public-private partnerships are an
i m p o r t a n t d e v e l o p m e n t i n h o m e l a n d
security, they are imperfect, and there are
certain roles that must be retained exclusively
by the public sector.

There are certain functions that must remain
squarely within the public sector domain. The
decision to hire and fire government
e m p l o y e e s i s c l e a r l y a p u b l i c s e c t o r
responsibility – and must remain an
authority of the public sector. To be clear,
private sector-contractors can assist public
sector entities in human resources-related
processes, providing operational assistance,
information, and expertise. But the actual
decision to grow or shrink the workforce
affects government in a deeply rooted way,
and requires a government employee’s
signature. To do otherwise would risk
undermining the political process, and would



create severe conflicts of interest in the very
contracts that are approved for the private
sector. This would present an unacceptable
and unethical quandary for government.

Procuring resources, managing crises, and
securing contracts are clear public sector
responsibilities that should not be placed in
private sector hands. For accountability
reasons, businesses cannot control public
sector budgets. Firms can provide advice on
budgeting decisions for government, but they
cannot actually approve them. In order to
avoid conflicts of interest, signatures on
procurement orders must remain those of
government employees. The public sector
also relies on contracts for provision of goods
and services, and government employees
must sign those contracts. Outsourcing this
function effectively places control of public
dollars in private hands, undermining
society’s trust in government’s stewardship of
tax revenue. Similarly, crises often call for
public safety-related decisions about the
movement of people and resources. The
democratic state’s first duty is to protect its
citizens, and it naturally follows that these
types of choices – sending another police
officer, opening and closing evacuation
shelters – must ultimately be directed by
government employees.

Without proper management, contractual
public-private partnerships can fail for many
reasons, including unmet expectations and
cost overruns. One component of the DHS
Secure Border Initiative, widely known as the
“Virtual Fence,” provides an excellent
example of how this can happen. This
initiative was to consist of a series of
surveillance radars, cameras, and sensors to
monitor the United States-Mexico border. 81
But the region’s harsh terrain caused the
equipment to malfunction, and the different
technologies that made up the Virtual Fence
were challenging to integrate. 82 These issues
would be problematic enough on their own,
but the project also ran into cost overruns.
Estimates for 2005 showed it would cost $7
billion for the fence to cover the entire 2,000-
mile US southern border. 83 But a pilot test of

Virtual Fence technology cost $1 billion to
cover fifty-three miles of the border – just 2
percent of the total project. 84 In January
2011, DHS canceled the Virtual Fence project,
noting that it “‘did not meet current
s t a n d a r d s f o r v i a b i l i t y a n d c o s t
effectiveness.’” 85 The Virtual Fence project
demonstrates how contractual partnerships
between government and business can fall
apart. Unmet expectations, poor execution,
and spiraling costs doomed the initiative.
This underscores the importance of effective
and transparent management of contracts in
public-private partnerships.

In 2008, teams of government scientists
identified a cyber vulnerability in the US Bulk
Power System (BPS), drafted a list of
remedies to address the vulnerability,
distributed the list to electrical companies,
and provided a timeline for implementation.
Despite these proactive steps, and despite the
apparent mutual interest in addressing these
vulnerabilities, in reality there was minimal
p r i v a t e s e c t o r c o m p l i a n c e w i t h t h e s e
recommendations. 86 This example shows
differences between public and private sector
approaches to cybersecurity. It also suggests
that, despite the appearance of public-private
s e c t o r c o o p e r a t i o n o n c y b e r s e c u r i t y
initiatives, actual cooperation may be less
common than one imagines. 87

D i f f e r i n g a p p r o a c h e s t o c r i t i c a l
infrastructure protection can also be a source
of discord between the public and private
sectors. Marc de Bruijne and Michel van
Eeten point out that while government and
business both agree on the importance of
critical infrastructure protection, this
consensus can be remarkably shallow. 88
Another scholar notes that any business
executive who suddenly announced he was
increasing security spending by 25 percent
for the good of the nation would almost
certainly be fired.89 Government appeals to
morals, patriotism, or civic responsibility
quickly lose their luster when they begin to
eat into a firm’s bottom line. 90 Businesses
may publicly promote their commitment to
security, but behind closed doors, there is an



upper limit to firms’ security expenses.
Beyond that limit, genuine (rather than
rhetorical) investment in security can be
difficult to come by.

These examples provide a cautionary tale
for the public and private sectors. Public-
private partnerships provide great value for
both government and businesses. But there
are fundamental limits to what public-private
partnerships can do, and they sometimes fail
to deliver as expected. In the following
section, we discuss ongoing challenges for
public-private sector partnerships for
homeland security.


As the examples in the previous sections
d e m o n s t r a t e , p u b l i c – p r i v a t e s e c t o r
partnerships are transforming the entire
discipline of homeland security, but there are
potential pitfalls from such partnerships as
well. This trend toward public-private
p a r t n e r s h i p s c a n t h e r e f o r e p r o v i d e
tremendous benefits, but it can also create
o r g a n i z a t i o n a l p a t h o l o g i e s , l o n g – t e r m
challenges, and many uncertainties. Several
of the challenges discussed below are already
emerging, while others may arise as public-
private partnerships continue to evolve in
h o m e l a n d s e c u r i t y . S c h o l a r s a n d
practitioners will need to be mindful of these
issues as the discipline of homeland security

In public-private partnerships, traditional
hierarchy yields to collaborative engagement.
In addition to more traditional skills in
overseeing and directing, managers will
increasingly need to connect and coordinate
t h e s h a r e d a c t i v i t i e s , r e s o u r c e s , a n d
capabilities of a host of new organizations
and individuals. This arrangement suggests a
shift in management and organizational
accountability, raising salient legal and
ethical questions.

Management and Accountability
Over time, public-private partnerships will
undoubtedly affect the skill sets required for
public sector managers. As noted, supervisors
will be more valued for their ability to foster
c o l l a b o r a t i o n a m o n g p e r s o n n e l a n d
o r g a n i z a t i o n s t h a n f o r h i e r a r c h i c a l
management skills. This transition toward a
more coordinated public sector management
is known as “networked governance.” 91 Like
most organizations broadly concerned with
public safety, homeland security agencies
h a v e h i s t o r i c a l l y s e l f – o r g a n i z e d i n a
paramilitary-style, top-down structure.
Networked governance suggests a flattening
of this organizational structure over time.

In this sense, the need for collaborative
management will ultimately drive changes in
hiring and promotion practices. The spoils
w i l l g o t o t h o s e w h o c a n e f f e c t i v e l y
communicate and coordinate the actions of
many disparate actors – not to those who can
simply command. The coordination-oriented
manager’s skills, values, and outlook then
trickle down into the rest of the organization,
eventually changing it from within. This
adjustment from a hierarchical to a more
horizontal organization would require
excellent planning and execution by both
public and private sector leaders to ensure
continuing effectiveness. These potential
organizational changes also connect with
questions of accountability.

Who is calling the shots now? With more
firms entering the homeland security space,
delicate management questions become
salient: is it ever appropriate for a private
sector employee to direct a government civil
servant to perform specific work functions?
Under what circumstances might this hold
true? Two members of Congress recently
v o i c e d r e s e r v a t i o n s a b o u t t h i s i d e a ,
underlining that it is government, not
business, that must be ultimately be “in
charge” of homeland security. 92 Is this always
the case? What protections can government
devise to ensure that it continues to direct
homeland security operations, even with a
substantial private sector presence? None of
these questions are easy to answer. As the
field of homeland security moves forward,
these issues will continue to present difficult



challenges for governmental and private
sector specialists.

Legal and Ethical Challenges
Government can expand its presence and
influence via public-private partnerships in
homeland security. This carries legal
implications worth considering. Jon D.
Michaels refers to a phenomenon he calls
“deputizing,” in which the private sector,
along with citizens and other organizations,
serve as a force multiplier for homeland
security purposes. He holds that this
arrangement can place homeland security
activities on ambiguous legal and regulatory
ground. 93 For example, private security
officers now outnumber police officers three
to one in the United States.94 Retaining
private security firms can be financially
advantageous for government. Guarding
federal buildings or large-scale events
increases long-term fixed costs for law
enforcement agencies. Retaining firms to
temporarily perform these duties saves time
and money. It permits law enforcement
agencies to reallocate resources to other
priorities. Despite these benefits, this type of
public-private partnership also raises serious
constitutional questions.

There is a vigorous debate related to the
legal powers of private security officers. 95
Private security firms may or may not act as
government agents. Depending upon context,
they may conduct limited searches of
persons. It is not yet clear if these searches
are uniformly constrained by the US
C o n s t i t u t i o n ’ s f o u r t h a n d f i f t h
amendments.96 Similarly, there are concerns
about the chain of command within private
security companies. To whom do private
security officers ultimately report, and to
whom are they ultimately accountable – a
government authority or a business? And
how does this distinction affect the way they
carry out their duties? These issues blur the
legal boundaries between business and
government. The implications here are
significant. Use of private firms for law
enforcement-like functions raises legal and
organizational questions that must be
balanced against financial advantages. 97

Despite these challenges, proponents of
public-private partnerships can point to a

number of strategic advantages. Government
can exert its influence through businesses in
a beneficial way. Putting aside discussion of
private security firms, consider that privately
produced technologies scan citizens for
explosives and contraband in airports.
Scholars in emergency management, public
administration, operations management, and
urban affairs highlight the benefits of private
sector participation in disaster response. 98

Skeptics, however, can be apprehensive
about the degree to which the state intrudes
o n p r i v a t e l i v e s v i a p u b l i c – p r i v a t e
partnerships: surveillance cameras can
capture one’s every move in public; cell
phone intercepts erase the notion of private
information exchange; and invasive airport
security screening is often interpreted as
eroding individual liberties and initiating a
slow shift toward more widespread draconian
security measures. These are valid sources of
concern and require clear responses from
government and businesses.

T h e s h i f t i n g o f o r g a n i z a t i o n a l a n d
technological responsibilities to the private
sector also prompts related questions about
liability. If private sector technologies do not
deliver, what does this mean from a legal
perspective? For example, let us assume a
sophisticated network of chemical sensors
f a i l s t o d e t e c t a t o x i c a g e n t i n t h e
Washington, DC-area Metro system. Who
gets the blame? Absent indemnification
agreements, can government sue the firm? Is
it more appropriate for citizens’ litigation to
be directed toward government or the
business itself? Joint action means sharing
accountability for successes and failures in
homeland security. Security, however, is the
state’s first duty. It is government, not
business, that must ultimately make critical
decisions and take decisive actions in
homeland security. How to reconcile these
p o s i t i o n s ? D o e s p u b l i c – p r i v a t e s e c t o r
collaboration mean mutual or individual
culpability for mistakes? These lines of
i n q u i r y r e q u i r e f u r t h e r i n v e s t i g a t i o n .
Additional liability questions arise when the
public sector lacks the knowledge to make
informed judgments and decisions.

The Deepwater Horizon oil rig explosion
and spill show what can happen when
government regulation breaks down. No
public sector agency had a complete view of



t h e p r o b l e m , n o r t h e e x p e r t i s e a n d
equipment needed to solve it. Might the
privatization of airport security functions
create a similar dilemma? For instance, what
happens if an explosive device slips through a
security checkpoint, ultimately downing a
commercial airliner? Will government be able
to adequately explain to the public why the
lapse occurred, and how to remedy it?
C o n t r a c t u a l c o n s e q u e n c e s u n d e r t h i s
scenario prove worrisome, as well. If
government homeland security capacity is
“hollowed out” via outsourcing to private
firms, then homeland security can be held
hostage to the private sector. 99 Public sector
agencies must guard against this possibility
through diversifying contracts, incentivizing
competition among private sector actors, and
maintaining a minimum baseline of expertise
in core competencies.

Increasing Need for Transparency
Public-private partnerships also raise
concerns related to transparency, which
refers to two distinct, yet related concepts.
The first is governmental transparency,
specifically agency reporting to Congress. The
second is agency and business reporting to
t h e g e n e r a l p u b l i c . B o t h a r e a s o f
transparency pose significant challenges.
Legislative oversight is problematic for DHS.
As of July 2012, over 100 committees or
subcommittees address matters related to
departmental operations.100 Businesses in the
homeland security space compound this
challenge. For example, are private sector
representatives held to the same standards of
ethics and accountability as their public
sector counterparts? If Congressional
oversight of DHS is fractured, how effective is
oversight of firms’ activities? Robust
monitoring of public and private sector
homeland security actions is essential.
Lawmakers will need to ensure that oversight
evolves in parallel with the trend toward
public-private partnerships in homeland

A second challenge relates to decreasing
transparency in the privatization of national
security functions. 101 Among the many
volumes on the evolution of homeland and
international security since 9/11, Dana Priest
and William M. Arkin provide the most

expansive treatment of this topic. 102 They
raise several salient observations about the
expansion of post-9/11 government contracts.
Under the Bush administration, they argue
that Congress was able to substantially grow
government for national security reasons via
private contracting. 103 At the same time, they
note that Congress tried to create the
appearance government was not growing –
presumably for political reasons. 104 There is
also a span of control issue; top government
officials admit the number of national
security programs involving businesses has
become unmanageable.105 Cozy relationships
b e t w e e n g o v e r n m e n t a n d b u s i n e s s
representatives are uncomfortable for Priest
and Arkin. These are best exemplified in the
lavish conferences in which public and
private sector officials mingle over expensive
drinks, dinner, and entertainment. 106 The
purpose of these conferences is to build
business relationships between the public
and private sectors. 107 To Priest and Arkin,
though, they appear to erode the sense of
accountability and due diligence needed in
government contracting. They argue that
these trends are ultimately damaging to
national security.

To a limited extent, we agree with Priest
and Arkin’s thesis. It is true that ineffective
program management is fiscally irresponsible
and is conducive to misdirection and error. It
is also important for the public to know that
program oversight is in place and that
o u t c o m e s a r e b e i n g m e a s u r e d i n a
meaningful way. But the suggestion that
there is something sinister here is unfounded.
Priest and Arkin gloss over the efficiencies
that public-private partnerships can create.
As we have argued in this article, public-
private partnerships can improve hiring,
resource utilization, specialization of labor,
and technological innovation. In public-
private partnerships, firms seek profits, and
government scales in a way that would be
impossible if acting independently. In this
sense, public-private partnerships enhance
efficiencies in ways that government cannot
produce on its own. This is not foul play; it is
a case of rational action by both the public
and private sectors.

In light of these challenges, the public and
private sectors would be well served by
s h o w i n g w h y g o v e r n m e n t – b u s i n e s s



partnerships are necessary, and how their
existence benefits homeland security. A
positive example of such efforts would be the
work of Thomas Cellucci, former chief
commercialization officer at DHS, who
publishes extensively on the benefits of
public-private partnerships for government,
businesses, and taxpayers. 108 For example, he
m a k e s t h e c a s e f o r p u b l i c – p r i v a t e
partnerships, particularly in the context of
the DHS SECURE program:

The products that are developed through
[the SECURE program] (even the ones that
were not purchased by DHS) can be offered
to other private sector entities, such as
airport security, school and university
security, and security for professional
sports and concerts, many of whom support
the defense of critical infrastructure and
key resources nation-wide. There is then an
increase in public safety and security, all
while the private sector, public sector and
taxpayer benefit from the partnership.109

In clear language, Cellucci demonstrates
the benefits of public-private partnerships for
businesses, government, and the public.
S i m i l a r g o v e r n m e n t r e p o r t i n g a n d
explanation will help allay concerns over the
necessity of public-private partnerships.

Public-private partnerships are easy when
both government and business immediately
benefit. In a service contract, for example,
government is able to procure a needed good
or service, and a company’s bottom line
i n c r e a s e s . B u t w h a t h a p p e n s w h e n
government needs the private sector – such
as in obtaining data on critical infrastructure
vulnerabilities – but the private sector lacks
incentives to cooperate with government?
Working with public sector officials, while
helpful for homeland security purposes, eats
into firms’ overhead expenses. Collecting
data on a business’ vulnerabilities requires
time, labor, and material costs that are not
p r o f i t – o r i e n t e d . T h e r e i s a f i n a n c i a l
d i s i n c e n t i v e f o r b u s i n e s s e s t o a s s i s t
government in this case. This problem can be
compounded if a company’s competitor
decides not to cooperate with government in

the same way. The competitor can potentially
provide services at a lower cost than the
company that decides to “play ball.” 110

Public-private partnerships can also create
proprietary and legal risks for companies.
What assurances, for example, do firms have
that government will protect proprietary or
sensitive information? The WikiLeaks
scandal underlines that classified national
security information can quickly enter the
public domain, damaging the national
interest. 111 It is reasonable to suggest that
firms’ confidential information could be
subject to similar disclosures while in
government custody. Such leaks can rapidly
erode a business’ competitive edge. Other
firms offering similar products or services
gain valuable business intelligence from these
data. Private sector actors may find their
trust in government undercut by information
leaks. In extremis, private sector cooperation
with government on critical infrastructure
protection could lead to a business’ outright
failure through breaches of confidentiality. 112

Regulatory questions become salient in
exchange of sensitive information. Can
businesses be targeted for punitive measures
if they unwittingly turn over damaging
information about their activities? There is a
potential moral dilemma in businesses
providing the government information on
facilities and operations. Countless firms are
subject to government regulation. In
cooperating with government for homeland
security purposes, firms potentially risk
shining a light on unsavory or illegal business
practices. Government and businesses may
n e e d t o d e v e l o p c l e a r g u i d e l i n e s o n
exchanging potentially damaging information
for homeland security purposes. 113

H o w t o p r o m o t e p r i v a t e s e c t o r
e n g a g e m e n t u n d e r t h e s e c h a l l e n g i n g
circumstances? Orszag argues tax breaks
make bad policy; they can provide benefits to
firms that would have invested in security
measures anyway, increasing the firms’
budgetary costs but not actually providing
extra security. 114 Moreover, he argues that tax
credits do not distinguish between high-risk
and low-risk sectors – for example, chemical
plants versus shopping malls – when they
logically should. 115 Similarly, James A. Lewis
points out that voluntary cooperation from
f i r m s i n t h e c y b e r s e c u r i t y a r e n a i s



inconsistent with other sectors of homeland
security that require strict government
regulation, including banking, commerce,
and transportation. 116 Both of these examples
show the difficulty of balancing regulatory
tools and market forces to engage businesses
in homeland security efforts. Scholars, public
sector practitioners, and private sector
representatives therefore aid homeland
security by seeking new ways to encourage
businesses’ participation. Developing a menu
o f p o l i c y o p t i o n s t o i n c r e a s e f i r m s ’
involvement in homeland security will be an
important priority for the years ahead.

Politics, budgets, and long-term planning are
interconnected in the homeland security
context. The electoral process can impact
homeland security in significant ways.
Representatives’ thinking about homeland
security leads to adjustments in budgets and
policies. While hawkish elected officials may
choose to funnel more resources toward
homeland security, others might elect to trim
budgets and focus more narrowly on specific
strategic priorities. These shifts can alter, or
even undermine, long-term planning in
homeland security. The ongoing global
financial crisis also impacts government and
businesses’ approaches to homeland security.
In this dynamic environment, the public and
private sectors must effectively plan for
future threats and challenges in homeland

Politics affect public-private partnerships.
For example, Connecticut Senator Joseph
Lieberman recently expressed concern that
private employees, rather than government
officials, are making critical decisions at
DHS.117 After TSA halted an initiative in 2011
to expand businesses’ roles in airport
security, Florida Congressman John Mica
vowed to investigate the decision, noting
“Nearly every positive security innovation
since the beginning of TSA has come from the
contractor screening program.” 118 When
politics challenges businesses in this way,
firms can become increasingly reluctant to
enter the homeland security space. Winning
government contracts comes at significant

overhead cost; research and development,
labor, and negotiation expenses come out of
firms’ bottom lines. It makes little sense for
firms to invest in homeland security if elected
officials (vis-à-vis bureaucrats, with whom
those firms routinely interact) can abruptly
restrict or halt business. When companies
hesitate to enter the homeland security
arena, this reduces the size of the private
sector homeland security market. With less
competition in the game, firms that stay at
the table can charge higher fees for
government contracts. The public sector is
left with a diminishing pool of choices for
outsourcing, becoming increasingly beholden
to a small number of businesses for products
a n d s e r v i c e s . O f c o u r s e , w i t h s t i f l e d
competition, any cost increases are passed on
to taxpayers. Political forces can profoundly
change government-business partnerships in
homeland security.

Global financial markets influence agency
budgets. Recently, the worldwide economic
recession reduced the number of private
c o n t r a c t o r s p e r f o r m i n g t r a d i t i o n a l l y
governmental functions. A 2009 DHS
initiative began to examine the appropriate
b a l a n c e o f g o v e r n m e n t w o r k e r s a n d
contractors within the department. 119 By
April 2011, DHS cut 3,200 contractor
positions, converting them into 2,400
government jobs.120 The DHS 2012 fiscal
budget includes provisions to convert another
1,881 positions from the private sector to the
public sector. 121 Current trends away from
private contracting are not limited to DHS. In
January 2011, then-Secretary of Defense
Robert Gates announced an initiative to
drastically thin the ranks of contractors
within the Department of Defense, as well:

[As] I have said before, this department has
become far too reliant on contractors to
perform functions that should either be
done by full-time employees or, in some
cases, to staff activities that could – and
should – be discontinued…. Overall, we will
cut the size of the staff support contractor
cadre by 10 percent per year for three years
and realize nearly $6 billion in total
savings. 122

Reduced budgets affect public-private
partnerships in homeland security, and will



continue to change amidst efforts to revive
the world’s economies.

Businesses now face an uncertain future.
Some firms find themselves in “survival
mode,” trimming staff because of operating
costs. In 2011, icons of American industry
with links to homeland security, including
G M ( o f f i c i a l v e h i c l e s ) , C a t e r p i l l a r
( c o n s t r u c t i o n a n d d e b r i s r e m o v a l
equipment), Sprint Nextel (communications),
and Home Depot (disaster recovery supplies)
cut thousands of positions. 123 When firms
trim budgets, they have fewer resources
(human and physical capital) to produce
products and deliver services. This means the
range of possible business relationships for
homeland security narrows. Complicating
matters, when government budgets shrink,
firms can find it difficult to plan for the
future; revenue streams become dynamic,
and this year’s homeland security cash cow
m a y n o t b e t h e r e n e x t y e a r . T h e s e
circumstances create a vicious circle effect for
b u s i n e s s e s . G o v e r n m e n t b u d g e t c u t s
eliminate business for the private sector,
forcing firms to scale down. This trimming
could restrict the ability of companies to
operate in the homeland security space. For
both the public and private sectors, then,
there is an aggregate shrinking effect in
homeland security capacity. This creates
hardships for both sectors. Government may
not be able to guarantee a consistent level of
public protection, while businesses may find
it difficult to sustain operations and grow
effectively. Both sectors are burdened by the
global financial crisis.

In light of these trends, government and
businesses must effectively plan for the
future of homeland security. Converting
private sector jobs to public sector positions
r e q u i r e s f o c u s e d g o v e r n m e n t e f f o r t .
Competencies, skills, and knowledge must
s m o o t h l y t r a n s f e r f r o m b u s i n e s s t o
government hands. Yet there is little financial
incentive for businesses to cooperate in this
process. Doing so contradicts their self-
interests. After all, firms in the homeland
security space make money from government
contracts. For its part, government may find
it has lost the capacity to perform in certain
areas of homeland security. This may be due
to over-reliance on the private sector – the
“hollowing out” of government mentioned

above. Further complicating this picture,
there is a continual flow of homeland security
officials between the public and private
s e c t o r s . F i r m s ’ e m p l o y e e s m a y j o i n
government to gain excellent benefits,
promotion potential, and predictable work
schedules. Public sector employees can
gravitate toward the private sector for
substantially higher salaries and fewer
bureaucratic constraints. Downplaying or
ignoring these trends hinders effective long-
t e r m p l a n n i n g i n h o m e l a n d s e c u r i t y .
Business and government officials should
carefully consider these factors in their
respective plans for the future.

This article shows that public-private
partnerships are now integral to homeland
security as a whole – not just its subfields.
Government and business cooperation can
provide distinct advantages in hiring,
resource utilization, specialization, and
technological innovation. These partnerships
also have significant implications for
management practices, legal and ethical
challenges, transparency, building private
sector participation, politics, budgeting, and
long-term planning. Future studies will need
to examine other critical issues that become
relevant as public-private partnerships

For example, what is the effect of
decreasing the number of private contractors
working in homeland security? This may
increase cost savings, but also degrade
operational efficiencies. In an era of
shrinking budgets and rising demands on
security officials, it may be that reducing the
privatization of homeland security also
diminishes effectiveness. This may be fiscally
healthy, in other words, but damaging from a
security standpoint. Scholars can benefit
from critically examining the effects of
private sector personnel reductions on
homeland security.

As public-private partnerships continue to
grow, there is also a compelling need for
s c h o l a r l y i n v e s t i g a t i o n o f e f f e c t i v e
management and successful outcomes in
public-private partnerships. Moreover,
academics can make valuable contributions



in studying actions, initiatives, and special
projects that add value to public-private
p a r t n e r s h i p s i n h o m e l a n d s e c u r i t y .
Researchers can work with industry leaders
to enhance tools to share best practices. For
example, an existing DHS website designed
for sharing best practices – Lessons Learned
Information Sharing – could provide an
excellent starting point for this cross-sector
collaboration. 124 Scholars are in an ideal
position to make analytical connections and
p r o v i d e a t h e o r e t i c a l f r a m e w o r k f o r
successful management of public-private

From a theoretical perspective, public-
private partnerships also raise important
questions. Our understanding of homeland
security is increasingly linked with concepts,
rather than agencies. Flexibility, adaptability,
and resilience have become hallmarks of
homeland security programs at all levels of
government. Incorporating these concepts
into agencies’ plans and operations helps to
produce favorable outcomes. But do public-
private partnerships sufficiently align with
these concepts? Some might argue this is
clearly true – contracting represents a
“flexible” way to expand homeland security
staffing. However, others could demonstrate
that this is hardly the case; contracting can
increase government dependency on the
private sector, reducing organizational
flexibility. These questions merit additional

There is an enduring need to maintain
capabilities in homeland security. From 9/11,
to Hurricane Katrina, to the 2011 Joplin,
Missouri tornado, natural and man-made
disasters continue to loom large in the
national conscience. The private sector will
continue to play a major role in addressing
similar threats in the future. Public sector

a g e n c i e s b e n e f i t f r o m w o r k i n g w i t h
businesses to strengthen US resilience. There
will be an ongoing need for scholars to
provide insights as these trends continue to

Dr. Nathan E. Busch is an associate professor
o f g o v e r n m e n t a t C h r i s t o p h e r N e w p o r t
University (CNU) and co-director of the CNU
Center for American Studies, where he is lead
coordinator of CNU’s annual Symposium on
Homeland Security. He is author of No End In
Sight: The Continuing Menace of Nuclear
Proliferation (University of Kentucky Press,
2004), and editor of Combating Weapons of
Mass Destruction: The Future of International
Nonproliferation Policy (University of Georgia
P r e s s , 2 0 0 9 ) . H e c a n b e r e a c h e d a t
[email protected].

Austen D. Givens teaches graduate courses on
terrorism and emergency management at Utica
College in Utica, NY. He previously served as
d i r e c t o r o f e m e r g e n c y m a n a g e m e n t a t
Christopher Newport University (CNU) in
Virginia. Austen is a fellow with Virginia
Commonwealth University’s (VCU) National
Homeland Security Project, holds a master’s
degree in Homeland Security and Emergency
P r e p a r e d n e s s f r o m V C U , a n d s t u d i e d
international relations in the Woodrow Wilson
Department of Politics at the University of
Virginia. He has worked with the Department of
Homeland Security, the Office of the Secretary of
Defense at the Pentagon, and the Virginia Fusion
C e n t e r . H e c a n b e r e a c h e d a t
[email protected].

The authors wish to thank Joe Giordano, Shanna
Van Slyke, and Greg Walsh for their helpful
comments on earlier versions of this article.



1 Homeland Security Television, Public-Private Partnerships for Homeland Security, (Washington, DC: August 3,
2011) online video, http://www.youtube.com/watch?v=ka6dgMxLrJI.

2 British Petroleum, Deepwater Horizon: Accident Investigation Report, September 8, 2010, 29; National
Commission on the BP Deepwater Horizon Oil Spill and Offshore Drilling, Deep Water: The Gulf Oil Disaster and
The Future of Offshore Drilling – Report to the President, January 2011, http://www.oilspillcommission.gov/sites/

3 National Commission on the BP Deepwater Horizon Oil Spill, Deep Water, 173.



4 Ibid., 1-398.

5 Ibid., 140.

6 Ibid., 145.

7 Throughout this article, the term “homeland security” refers to “actions taken at every level (federal, state, local,
private, and individual citizen) to deter, defend against, or mitigate attacks within the United States, or to respond to
other major domestic emergencies.” See Dave McIntyre, “What Is Homeland Security? A Short Story,” n.d., accessed
April 12, 2012, http://www.homelandsecurity.org/bulletin/ActionPlan_WhatIsHLS.htm.

The International Association of Emergency Managers (IAEM) defines emergency management as “the managerial
function charged with creating the framework within which communities reduce vulnerability to hazards and cope
with disasters.” Our use of the term “homeland security” also includes emergency management.

See International Association of Emergency Managers, Principles of Emergency Management Supplement,
(September 11, 2007), 4, http://www.iaem.com/publications/documents/PrinciplesofEmergencyManagement.pdf.

8 Robert A. Beauregard, “Public-Private Partnerships as Historical Chameleons,” in Partnerships in Urban
Governance: European and American Experience, ed. Jon Pierre (London: MacMillan Press, 1997), 52–70; Pauline
V. Rosenau, ed., Public-Private Policy Partnerships (Cambridge, MA: MIT Press, 2000); Peter V. Schaeffer & Scott
Loveridge, “Toward an Understanding of Types of Public-Private Cooperation,” Public Performance & Management
Review 26, no.2 (2002): 169–189; Bonnie L. Regan, Enhancing Emergency Preparedness and Response: Partnering
with the Private Business Sector (master’s thesis, Naval Postgraduate School, December 2009), 14–15.

9 Stephen Goldsmith and William D. Eggers, Governing By Network: The New Shape of the Public Sector,
(Washington, DC: Brookings Institution, 2004), 69–70.

10 Goldsmith and Eggers, Governing By Network; Beauregard, “Public-Private Partnerships as Historical
Chameleons,” 52–70; Regan, Enhancing Emergency Preparedness and Response, 14–15; Yossi Sheffi, “Supply Chain
Management Under the Threat of International Terrorism,” International Journal of Logistics Management 12, no. 2
(2001): 1–11; David J. Closs and Edmund F. McGarrell, “Enhancing Security Throughout the Supply Chain,” Special
Report Series (IBM Center for the Business of Government, 2004)

11 Sheffi, “Supply Chain Management Under the Threat of International Terrorism,” 1–11; Closs and McGarrell,
“Enhancing Security Throughout the Supply Chain,” 1–56.

12 Stephen E. Flynn and Daniel B. Prieto, “Neglected Defense: Mobilizing the Private Sector to Support Homeland
Security,” Council Special Report No. 13 (Council on Foreign Relations, March 2006); Phillip Auerswald, Lewis
Branscomb, Todd La Porte, and Erwann Michel-Kerjan, eds., Seeds of Disaster, Roots of Response: How Private
Action Can Reduce Public Vulnerability (New York, NY: Cambridge University Press, 2006); Myriam Cavelty and
Manuel Suter, “Public-Private Partnerships Are No Silver Bullet: An Expanded Governance Model for Critical
Infrastructure Protection,” International Journal of Critical Infrastructure Protection 2, no. 4 (2009): 179–187.

13 Ashton B. Carter, “The Architecture of Government in the Face of Terrorism,” International Security 26, no. 3
(2001–2002): 5–23; Charles A. Stone and Anne Zissu, “Registered Traveler Program: The Financial Value of
Registering the Good Guys,” Review of Policy Research 24, no. 5 (2007): 443–462; Crystal Franco, Eric Toner,
Richard Waldhorn, Thomas Inglesby, and Tara O’Toole, “The National Disaster Medical System: Past, Present, and
Suggestions for the Future,” Biosecurity and Bioterrorism: Biodefense Strategy, Practice, and Science 5, no. 4
(2007): 319–325; Mary C. Comerio, “Public Policy for Reducing Earthquake Risks: A US Perspective,” Building
Research and Information 32, no. 5 (2005): 403–413.

14 Government documents, vis-à-vis the homeland security literature, place great emphasis upon the role of the
private sector in homeland security operations. This reflects a greater understanding of public-private partnerships’
importance for homeland security in the practitioner domain than in the scholarly domain, where knowledge is more
limited. See The White House, National Security Strategy (Washington, DC: May 2010); U.S. Department of
Homeland Security, National Response Framework (Washington, DC: 2008), 18–20; —-, National Incident
Management System (Washington, DC: 2008), 15-16; —-, National Infrastructure Protection Plan (Washington,
DC: 2009); —-, National Cyber Incident Response Plan [Interim Version] (Washington, DC: September 2010); —-,
National Disaster Recovery Framework (Washington, DC: September 2011).

15 James Madison, No. 45: “The Alleged Danger from the Powers of the Union to State Governments considered for
the Independent Journal,” in The Federalist Papers (Yale Law School: The Avalon Project, 2008), http://



16 Suburban Emergency Management Project, “History of Federal Domestic Disaster Aid Before the Civil War,” July
24, 2006, http://www.semp.us/publications/biot_reader.php?BiotID=379.

17 Elizabeth Witham and Steve Bowen, Financing Recovery from Catastrophic Events: Final Report (Washington,
DC: Homeland Security Institute March 30, 2007), http://www.homelandsecurity.org/hsireports/
Financing_Recovery_HSI_final_report.pdf, 22.

18 Ibid., 24.

19 Ibid., 21–26.

20 Ibid., 27–38.

21 Homeland Security National Preparedness Task Force, “Civil Defense and Homeland Security: A Short History of
National Preparedness Efforts,” (Washington, DC: FEMA, September 2006), http://training.fema.gov/EMIWeb/edu/

22 Jenny Nolan, “Willow Run and the Arsenal of Democracy,” The Detroit News, January 28, 1997, http://

23 Federal Emergency Management Agency, “FEMA History,” August 11, 2010, http://www.fema.gov/about/

24 For example, see Apptis, Inc., “About Us,” accessed March 4, 2012, http://www.apptis.com/about/default.aspx;
Taser, “About Taser,” accessed March 12, 2012, http://www.taser.com/about-taser; Raytheon, “Raytheon Homeland
Security,” accessed March 12, 2012, http://www.raytheon.com/capabilities/homeland/.

25 Verizon, “World Trade Center – A Year Later,” accessed January 27, 2012, http://newscenter.verizon.com/kit/

26 Federal Emergency Management Agency, “Louisiana Katrina/Rita Recovery,” n.d., accessed June 8, 2012, http://
www.fema.gov/pdf/hazard/hurricane/2005katrina/la_progress_report_0810.pdf, 1.

27 Michael Barbaro and Justin Gillis, “Wal-Mart at Forefront of Hurricane Relief,” The Washington Post, September
6, 2005, http://www.washingtonpost.com/wp-dyn/content/article/2005/09/05/AR2005090501598.html.

28 Austen Givens, “Deepwater Horizon Oil Spill Is An Ominous Sign for Critical Infrastructure’s Future,” Emergency
Management, May 27, 2011, http://www.emergencymgmt.com/disaster/Deepwater-Horizon-Oil-Spill-Critical-

29American Red Cross, “Gulf Coast Beach Safety,” June 21, 2010, http://www.redcross.org/portal/site/en/menuitem.
Restorethegulf.gov, “Technical Assistance: Guide to Private/Non-profit programs,” accessed June 6, 2012, http://
www.restorethegulf.gov/node/4621#redcross; Robbie Brown, “Fishermen Sign On to Clean Up Oil,” New York
Times, April 30, 2010, http://www.nytimes.com/2010/05/01/us/01marsh.html.

30 Dale Jones and Austen Givens, “Public Administration: The Central Discipline in Homeland Security,” in The
Future of Public Administration, Public Management, and Public Service Around the World: The Minnowbrook
Perspective, eds. Rosemary O’Leary, David Van Slyke, and Soonhee Kim (Washington, DC: Georgetown University
Press, 2011), 67–78.

31 “Critical Infrastructure Sector Partnerships” (Washington, DC: U.S. Department of Homeland Security, 2011),

32 Ibid.

33 “More About the Office of Infrastructure Protection” (Washington, DC: U.S. Department of Homeland Security,
2010), http://www.dhs.gov/xabout/structure/gc_1189775491423.shtm.

34 “Council Members, Critical Infrastructure Partnership Advisory Council” (Washington, DC: U.S. Department of
Homeland Security, 2012), http://www.dhs.gov/files/committees/editorial_0848.shtm.

35 The authors thank an anonymous reviewer for this suggestion.



36 “About the National Cyber Security Alliance,” National Cyber Security Alliance, n.d., accessed January 26, 2012,

37 Ibid.

38 National Cyber Security Alliance, “Board Members,” n.d., accessed April 4, 2012, http://www.staysafeonline.org/

39 “National Cyber Security Awareness Month 2010 Results in Brief” (National Cyber Security Alliance, January 14,
2011), http://www.staysafeonline.org/sites/default/files/resource_documents/NCSAM%202010%20Short

40 Cecilia Kang and Ellen Nakashima, “Google Says Hackers Based in China Accessed U.S. Officials’ Gmail Accounts,”
Washington Post, June 1, 2011, http://www.washingtonpost.com/business/technology/google-says-hackers-based-

41 Ibid.

42 “U.S. Waterborne Foreign Trade 2010: RANKING OF U.S. CUSTOMS DISTRICTS BY VOLUME OF
CARGO” (American Association of Port Authorities, November 23, 2011), http://aapa.files.cms-plus.com/Statistics/

43 “LaGuardia Airport Facts and Information” (Port Authority of New York and New Jersey, 2012), http://

44 “C-TPAT Overview” (U.S. Customs and Border Protection, December 13, 2007), http://www.cbp.gov/xp/cgov/

45 Adboulaye Diop and David Hartman, “Customs-Trade Partnership Against Terrorism Cost-Benefit Survey” (U.S.
Customs and Border Protection, August 2007), 3, http://www.cbp.gov/linkhandler/cgov/trade/cargo_security/
ctpat/what_ctpat/ctpat_cost_survey.ctt/ctpat_cost_survey.pdf; C-TPAT Overview.

46 “Federal Port Security Credential Now Available Nationwide” (Transportation Security Administration, September
17, 2008), http://www.tsa.gov/press/releases/2008/0917.shtm.

47 Testimony of Maurine Fanguy, Program Director, Transportation Security Administration, Before the U.S. House of
Representatives Committee on Homeland Security, Subcommittee on Border, Maritime, and Global
Counterterrorism, Transportation Security Administration, September 27, 2008, http://www.tsa.gov/press/

48 “Borders and Transportation Security” (SAIC, 2012), http://www.saic.com/natsec/homeland-security/border-

49 Joseph Straw, “New Views on Airport Screening,” Security Management (2012), http://

50 House Committee on Homeland Security, Subcommittee on Transportation Security, Screening Partnership: Why
Is A Job Creating, Public-Private Partnership Meeting Resistance at TSA?, 112th Cong., 1st sess., February 16, 2012.

51 Transportation Security Administration, “Screening Partnership Program,” n.d., accessed June 8, 2012, http://

52 House Committee on Homeland Security, Screening Partnership, 12.

53 William L. Waugh and Gregory Streib, “Collaboration and Leadership for Effective Emergency Management,”
Public Administration Review 66, no. S1 (2006): 131–140. Comprehensive emergency management means all of a
community’s hazards are considered in mitigation, preparedness, response, and recovery activities.

54 Naim Kapucu, “Interorganizational Coordination in Dynamic Context: Networks in Emergency Response
Management,” Connections 26, no. 2 (2005): 33–48.



55 Elaine Pittman, “What Big-Box Retailers Can Teach Government About Disaster Recovery,” Government
Technology, November 28, 2011, http://www.govtech.com/policy-management/Big-Box-Retailers-Teach-Disaster-

56 Eric Bonabeau and W. David Stephenson, “Expecting the Unexpected: The Need for a Networked Terrorism and
Disaster Response Strategy,” Homeland Security Affairs 3, no. 1 (February 2007), http://www.hsaj.org/?

57 Barbaro and Gillis, “Wal-Mart at Forefront of Hurricane Relief.”

58 Ibid.

59 Ibid.

60 Ibid.

61 Harold F. Upton, The Deepwater Horizon Oil Spill and the Gulf of Mexico Fishing Industry (Washington, DC:
Congressional Research Service, 2011), 8-9, http://www.fas.org/sgp/crs/misc/R41640.pdf.

62 Givens, “Deepwater Horizon Oil Spill.”

63 “About Industry Liaison Program” (Federal Emergency Management Agency, 2010), http://www.fema.gov/

64 Federal Emergency Management Agency, “FEMA Administrator: Business Community is Critical Partner in
Disaster Response and Recovery,” November 4, 2011, http://www.fema.gov/news/newsrelease.fema?id=59308.
Fugate is FEMA’s top official.

65 For example, see Edward T. Pound, “Security Clearance Challenges Defy Easy Fixes,” Government Executive,
August 14, 2007, http://www.govexec.com/welcome/?zone=welcome&rf=http%3A%2F%2Fwww.govexec.com
%2Fdailyfed%2F0807%2F081407nj1.htm; “Personnel Clearances: Key Factors for Reforming the Security Clearance
Process,” Statement of Brenda S. Farrell, U.S. Government Accountability Office, May 22, 2008, http://www.gao.gov/
assets/130/120165.pdf; Letter to U.S. Senators Daniel Akaka and George Voinovich from Brenda Farrell, Director of
Defense Capabilities and Management, U.S. Government Accountability Office, July 14, 2008, http://www.gao.gov/
new.items/d08965r.pdf; “Security Clearance Reform: Upgrading the Gateway to the National Security Community,”
Subcommittee on Intelligence Community Management, Permanent Select Committee on Intelligence, ASIS
International, September 25, 2008, http://www.asisonline.org/councils/documents/govt_secclearance.pdf;
“Personnel Security Clearances: An Outcome-Focused Strategy Is Needed to Guide Implementation of the Reformed
Clearance Process” (Washington, DC: U.S. Government Accountability Office, May 2009), http://www.gao.gov/
new.items/d09488.pdf; Letter (with attachment) to Steven Aftergood, Federation of American Scientists from Dionne
Hardy, FOIA Officer, U.S. Office of Management and Budget, May 20, 2011, http://www.fas.org/irp/dni/

66 George Boyne, “Public and Private Management: What’s the Difference?,” Journal of Management Studies 39, no.
1 (2002): 97–122; Mary K. Feeney and Hal G. Rainey, “Personnel Flexibility and Red Tape in Public and Nonprofit
Organizations: Distinctions Due to Institutional and Political Accountability,” Journal of Public Administration
Research & Theory 20 (2010): 801–826.

67 See “Homeland Security,” Booz Allen Hamilton, accessed October 3, 2011, http://www.boozallen.com/consultants/
civilian-government/homeland-security-consulting; “Homeland Security,” SAIC, accessed October 3, 2011, http://
www.saic.com/natsec/homeland-security/; “Homeland Security,” Northrop Grumman, accessed October 3, 2011,
http://www.is.northropgrumman.com/by_solution/homeland_security/index.html; “Homeland Security,” General
Dynamics C4 Systems, accessed October 3, 2011, http://www.gdc4s.com/content/detail.cfm?item=a96ae1cb-

68 “‘Checkpoint Friendly’ Laptop Bag Procedures,” Transportation Security Administration, August 15, 2008, http://

69 “Aerovation Products,” Aerovation, n.d., accessed January 26, 2012, http://aerovation.com/; “Laptop Bags:
Industry Process and Guidelines,” Transportation Security Administration, July 29, 2008, http://www.tsa.gov/press/

70 Goldsmith and Eggers, Governing by Network, 25–39.



71 Ibid.

72 “TSA Awards Contract for Information Technology Infrastructure,” Transportation Security Administration,
September 28, 2009, http://www.federaltimes.com/article/20110131/DEPARTMENTS03/101310303/1050/

73 Ibid.

74 Danny Peterson and Richard Besserman, “Analysis of Informal Networking in Emergency Management,” Journal
of Homeland Security and Emergency Management 7, no. 1 (2010): 1–14; Kathleen M. Kowalski-Trakofler, Charles
Vaught, Michael R. Brinch Jr., Jacqueline H. Jansky, “A Study of First Moments In Underground Mine Emergency
Response,” Journal of Homeland Security and Emergency Management 7, no. 1 (2010): 1–28.

75 The authors thank an anonymous reviewer for this suggestion.

76 Goldsmith and Eggers, Governing by Network.

77 Thomas A. Cellucci, ed., Innovative Public-Private Partnerships: Pathway to Effectively Solving Problems (U.S.
Department of Homeland Security Science and Technology Directorate, July 2010), 17–20, http://www.dhs.gov/

78 Ibid.

79 “FutureTECH,” U.S. Department of Homeland Security, accessed January 27, 2012, http://www.dhs.gov/files/

80 Thomas A. Cellucci, FutureTECH: Concept of Operations (U.S. Department of Homeland Security, n.d., accessed
January 27, 2012), http://www.dhs.gov/xlibrary/assets/st_commercialization_office_futuretech_conops.pdf.

81 Julia Preston, “Homeland Security Cancels ‘Virtual’ Fence After $1 billion Is Spent,” New York Times, January 14,
2011, http://www.nytimes.com/2011/01/15/us/politics/15fence.html.

82 Daniel B. Wood, “Janet Napolitano Halts Funding for Virtual Border Fence,” The Christian Science Monitor, March
17, 2012, http://www.csmonitor.com/USA/2010/0317/Janet-Napolitano-halts-funding-for-virtual-border-fence;
Robert N. Charette, “Napolitano Cancels the US $1 billion SBINet Virtual Fence Project,” IEEE Spectrum (March
2011) http://spectrum.ieee.org/telecom/security/napolitano-cancels-the-us-1-billion-sbinet-virtual-fence-project.

83 Preston, “Homeland Security Cancels ‘Virtual’ Fence.”

84 Ibid.

85 Ibid.

86 Hon. John D. Dingell, “Protecting the Electrical Grid from Cybersecurity Threats,” testimony before the
Subcommittee on Energy and Air Quality, of the Committee on Energy and Commerce, U.S. House of
Representatives, 110th Cong., 2nd Sess., September 11, 2008, 128.

87 U.S. Chamber of Commerce, Business Software Alliance, TechAmerica, Internet Security Alliance (ISA), Center for
Democracy and Technology, Improving Our Nation’s Cybersecurity through the Public-Private Partnership: A
White Paper (Center for Democracy and Technology, March 2011), https://www.cdt.org/files/pdfs/
20110308_cbyersec_paper.pdf. This co-authored white paper supports the assertion that public-private partnerships
can be strengthened in multiple dimensions.

88 Mark de Bruijine and Michel van Eeten, “Systems That Should Have Failed: Critical Infrastructure Protection in an
Institutionally Fragmented Environment,” Journal of Contingencies and Crisis Management 15, no. 1 (2007): 18.

89 Bruce Schneier, Beyond Fear: Thinking Sensibly About Security In an Uncertain World (New York, NY:
Copernicus Books, 2003), 41. See also de Bruijne and van Eeten, “Systems That Should Have Failed.”

90 de Bruijne and van Eeten, “Systems That Should Have Failed,” 18.

91 Goldsmith and Eggers, Governing by Network.



92 Gregg Carlstrom, “Senator: DHS Budget Begins ‘Turnaround’ Away from Contracting,” Federal Times, February 24,
2010, http://www.federaltimes.com/article/20100224/CONGRESS03/2240304/1055/AGENCY; Stephen Losey,
“TSA halts expansion of privatized airport screening,” Federal Times, January 31, 2011, http://

93 Jon D. Michaels, “Deputizing Homeland Security,” Texas Law Review 88, no. 7 (2010): 1435–1473.

94 Kai Jaeger and Edward P. Stringham, “Private Policing Options for the Poor” (National Center for Policy Analysis,
December 15, 2011), http://www.ncpa.org/pub/ba763.

95 For example, see Cooper J. Strickland, “Regulation Without Agency: A Practical Response to Private Policing in
United States v. Day,” North Carolina Law Review 89 (2011): 1338–1363.

96 Ibid., 1340.

97 For one of the first of many studies on this subject, see P.W. Singer, Corporate Warriors: The Rise of the Privatized
Military Industry (Ithaca, NY: Cornell University Press, 2003).

98 Ross Prizzia, “Coordinating Disaster Prevention and Management in Hawaii,” Disaster Prevention and
Management 15, no. 2 (2006): 275–285; Naim Kapucu, “Public-Nonprofit Partnerships For Collective Action in
Dynamic Contexts of Emergencies,” Public Administration 84, no. 1 (2006): 205–220; Camilla Stivers, “‘So Poor and
So Black’: Hurricane Katrina, Public Administration, and the Issue of Race,” Public Administration Review 67, no. 1
(Special Issue, December 2007): 48–56; Geoffrey T. Stewart, Ramesh Kolluru, and Mark Smith, “Leveraging Public-
Private Partnerships to Improve Resilience in Times of Disaster,” International Journal of Physical Distribution and
Logistics Management 39, no. 5 (2009): 343–364; Susan A. McManus and Kiki Caruson, “Emergency Management:
Gauging the Extensiveness and Quality of Public and Private-Sector Collaboration at the Local Level,” Urban Affairs
Review 47, no. 2 (2011): 280–299.

99 For a classic treatment of this phenomenon, see R.A.W. Rhodes, “The Hollowing Out of the State: The Changing
Nature of the Public Service in Britain,” The Political Quarterly 65, no. 2 (1994): 138–151.

100 House Judiciary Committee Hearing on Oversight of the Homeland Security Department, 112th Cong., 2nd Sess.,
July 19, 2012, accessed September 13, 2012, http://www.micevhill.com/attachments/immigration_documents/
TranscriptOfHouseJudiciaryCommitteeHearingOnOversightOfTheHomelandSecurityDepartment.pdf; House
Judiciary Committee Hearing on Homeland Security Oversight (Washington, DC: C-SPAN, July 19, 2012), online
video, http://www.c-spanvideo.org/program/307135-1#.

101 To date, the most comprehensive and illuminating work on this topic is Dana Priest and William M. Arkin, Top
Secret America: The Rise of the New American Security State (New York: Little, Brown and Company, 2011).

102 Ibid.

103 Ibid., 180.

104 Ibid.

105 Ibid., 187–188.

106 Ibid., 194–201.

107 Ibid.

108 For example, see Thomas A. Cellucci, Partnership Program Benefits Taxpayers as well as Public and Private
Sectors (Washington, DC: U.S. Department of Homeland Security Science and Technology Directorate, 2008).

109 Thomas A. Cellucci and James W. Grove, Leveraging Public-Private Partnership Models and the Free Market
System to Increase Speed-of-Execution of High-Impact Solutions Throughout State and Local Governments (U.S.
Department of Homeland Security, August 2011), 10.

110 For a similar point, see Stephen Flynn, “The Brittle Superpower,” in Auerswald et al., Seeds of Disaster, 30–31.

111 Scott Shane and Andrew Lehren, “Leaked Cables Offer Raw Look at U.S. Diplomacy,” New York Times, November
28, 2010, http://www.nytimes.com/2010/11/29/world/29cables.html?pagewanted=all.



112 See Auerswald et al., Seeds of Disaster, for a thorough examination of public-private sector cooperation for critical
infrastructure protection.

113 Ellen Nakashima, “Cybersecurity Bill Promotes Exchange of Data; Critics Say Measure Could Harm Privacy
Rights,” Washington Post, November 11, 2011, http://www.washingtonpost.com/world/national-security/
rights/2011/11/30/gIQAD3EPEO_story.html. Recent legislation seeks to limit firms’ liability for sharing data with
government. This is an example of an incentive for firms to exchange information with the public sector.

114 Peter R. Orszag, “Homeland Security: The Problems With Providing Tax Incentives to Private Firms,” Testimony
Before the House Committee on Small Business Subcommittee on Rural Enterprise, Agriculture, and Technology,
108th Cong., 2nd Sess., July 21, 2004.

115 Ibid.

116 Ibid. See also James A. Lewis, “Aux Armes, Citoyens: Cyber Security and Regulation in the United States,”
Telecommunications Policy 29 (2005): 821–830.

117 Carlstrom, “Senator: DHS Budget Begins ‘Turnaround’.”

118 Losey, “TSA halts expansion of privatized airport screening.

119 “Mature and Strengthen the Homeland Security Enterprise,” U.S. Department of Homeland Security, March 14,
2011, http://www.dhs.gov/xabout/gc_1240838201772.shtm.

120 “Over Reliance on Contractors,” Department of Homeland Security Appropriations Bill, 2012, Committee Reports
(112th Congress), Senate Report 112-074, September 7, 2011, http://thomas.loc.gov/cgi-bin/cpquery/?
&sid=cp112YCOmu&r_n=sr074.112&dbname=cp112&&sel=TOC_56275&. The 2012 Department of Homeland
Security Appropriations Bill notes that DHS includes 110,000 private employees, vis-à-vis 221,000 federal employees.
This effectively means that approximately one third of DHS is privatized.

121 Ibid.

122 Robert Gates, “A Statement on Department Budget and Efficiencies,” U.S. Department of Defense, January 6,
2011, http://www.defense.gov/speeches/speech.aspx?speechid=1527.

123 “Big U.S. Companies Announce Massive Job Cuts,” MSNBC, January 26, 2009, http://www.msnbc.msn.com/id/

124 U.S. Department of Homeland Security, “Lessons Learned Information Sharing,” n.d., accessed June 8, 2012,

Title Page


Copyright © 2012 by the author(s). Homeland Security Affairs is an academic
journal available free of charge to individuals and institutions. Because the purpose
of this publication is the widest possible dissemination of knowledge, copies of this
journal and the articles contained herein may be printed or downloaded and
redistributed for personal, research or educational purposes free of charge and
without permission. Any commercial use of Homeland Security Affairs or the
articles published herein is expressly prohibited without the written consent of the
copyright holder. The copyright of all articles published in Homeland Security
Affairs rests with the author(s) of the article. Homeland Security Affairs is the
online journal of the Naval Postgraduate School Center for Homeland Defense and
Security (CHDS).





Do you need academic writing help? Our quality writers are here 24/7, every day of the year, ready to support you! Instantly chat with a customer support representative in the chat on the bottom right corner, send us a WhatsApp message or click either of the buttons below to submit your paper instructions to the writing team.

Order a Similar Paper Order a Different Paper