The security week that was: 03/07/08

DHS - Five Years Later

It was five years ago this week that our government created the Department of Homeland Security. Tom Ridge, the first DHS Secretary, was tasked with the monumental job of creating a new government department and bringing together disparate groups (TSA, CBP, etc.) under one budget. Then, when Ridge deemed his work done (he's now a regular speaker and a CEO of a global consulting firm), Michael Chertoff joined the team. Chertoff had some very big shoes to fill and apparently the guy has big enough feet. Like what Ridge did or not, you have to admit that he was one heck of a manager, and for all the criticism aimed toward him, you have to also realize that there is simply no way an integration of diverse agencies is ever going to be a smooth transition that makes everyone happy.

So let's review the last five years and look at both some of the accomplishments and failures of DHS.

Accomplishments:

1. Forming DHS. This in itself was a monumental accomplishment. You've heard of Microsoft's attempt to buy Yahoo. Or maybe the UTC pitch to buy Diebold. Picture the difficulty of integrating each of these two firms. Then multiply that by 100. Maybe you're starting to understand the scale of difficulty.

2. Developing a border plan. Some might also call this a failure based on recent tribulations with the Project 28 program and because it's been very contested in terms of goals and funding, but slice it how you like it. The accomplishment is that a directional plan was created. Maybe it's pointed at the wrong vector, or a bit too ambitious, but the plan was created and border security is now a national issue.

3. Air security was standardized. I don't know any business travelers who would say they're particularly happy with TSA, but they are at least happy enough that they're willing to trust their safety and continue to fly. Even after 9/11 there was still some lack of standardization in aviation security. You'd take your laptop out at this airport, but not at this one. Shoes off here, but not there. Now, for the most part, the inspection process of aviation security has been standardized – you are getting the McDonald's experience: Everyone's hamburger (and security line experience) tastes the same. Even if it still doesn't taste great…

4. Chemical plant regulations. Kicking and screaming, this finally happened. There is now a method in place for review of chemical plant security processes/plans by the DHS. The smart thing here is that the DHS isn't setting specific minimum standards and technology requirements, but is looking at the overall risk-positioning and response of these chemical plants. Rather than saying "Every plant must have 2 cameras at the gate, 1 armed guard, infrared perimeter detection systems, encrypted drives, etc.", the DHS is allowing this to be risk-based. Smart.

5. Moving money away from state/local security funding. I'm going to be very unpopular for saying this, but I don't think we need to spend national tax dollars on buying the newest command truck for each town's firefighters. If the local citizens want that, then they should "buck up" and buy it with local tax money. Chertoff is trying this year to move money to national level issues. You know what state and local governments can't do effectively? National intelligence programs. Big databases to track terror suspects. That's where the national role comes in.

But because this isn't a puff piece, let's talk DHS flops:

1. TWIC. Government shouldn't be prescribing technology, in my humble opinion. They should be setting minimum requirements/procedures and letting vendors, integrators and others beat those requirements. Yes, national-level interoperability can be a requirement. Otherwise you get the TWIC program, where the focus seems to have been more on technology than a vision for national roll-out. Two of the biggest card/ID systems vendors (who are very in touch with government policies) have told me in the last year that TWIC has been one heck of a tough moving target. Can you imagine if the government got to define what it wanted in a computer operating system? It wouldn't be pretty...

2. Container security. We may now have widespread scanning of containers, but that's not the end-all of container security. We have the technology to secure containers individually and to manage that automatically (and this is true no matter which camp you are in: RFID, GPS, Comp/wireless, etc.).

3. Real ID: There's no coalition building here, and in fact, Chertoff is stooping to scare tactics to try to sell this project, which would have to be footed by the states and ultimately you and me. The scare tactic du jour is that "Your state's citizens won't be able to fly on airplanes unless you adopt the Real ID proposal." Ok, so if a big state didn't adopt Real ID, they don't think the airlines would pressure DHS to allow traditional driver's licenses as approved identification? Economy has always trumped security (that's why Zippos were allowed aboard planes but Bic lighters weren't -- bizarre as it was).

4. Europe's air security partnerships. Guess what? We're looked at as Big Brother. We're the country wanting sovereign nations to turn over specific aviation user information to the U.S.. Maybe we don't understand that EU countries hate terrorists as much as we do, but that they aren't willing to turn private information over to another nation and give up information control forever. Maybe we'll overcome that objection, but I'm not seeing the needed traction here.

5. Cybersecurity. I don't even know where to start. High turn-over of government cyber-security staff is one indicator. The word on the street is that this is changing and DHS is getting better at realizing that information systems are just as important as chemical plants, but you wouldn't know it from past DHS actions.

6. Katrina and FEMA. I don't even need to explain this one. Homeland security isn't just protecting against Osama bin Laden. Let's hope the lessons were learned.

All in all, I'd give the DHS a grade of a "B". What they've managed to do isn't perfect, but it's well above average considering the hurdles. I'm not going to armchair pundit them to death, because we all know how slow security is to change, and yet they have made security changes happen relatively quickly. If you want to comment on their changes, we have a homeland security discussion forum set up, you can join and lambast them or praise them all you want. If you want to hear what Chertoff and Ridge are happy about, you can read their column here.

Quick bites in the news
UTC goes for Diebold, new leaders at GE Security, more

UTC made what many are calling a hostile take-over bid for Diebold. After being repeatedly turned down and being somewhat ignored by the board of Diebold, UTC came out with a per-stock price offer for Diebold that was aimed at shareholders. … Pennsylvania-based security and monitoring firm Select Security has purchased SecurityNet, another Penn. firm. … GE Security named new general managers and president for the Americas. Those GE names are ones you probably already know well from other prominent firms.

Finally, we close with a look at the most read stories of the week:

Loading