By Tim Starks and Martin Edwin Andersen, CQ Staff
Source: CQ Homeland Security
© 2004 Congressional Quarterly Inc. All Rights Reserved

Almost from the moment the Department of Homeland Security came into being in early 2003, Congress had been pressuring the Information Analysis and Infrastructure Protection Directorate (IAIP) to come up with a comprehensive list, in order of priority, of the nation’s most critical assets.

It took more than a year for Congress to get it.

Late this spring, DHS’ Assistant Secretary for Infrastructure Protection Bob Liscouski began scheduling classified briefings to show House members the list of critical assets in their states - a list that includes more than 30,000 power plants, tourist attractions, stadiums and other facilities.

They were not impressed.

“In my district is Disneyland, which is a pretty big site. Not only that, but it’s a known attack site,” said Rep. Loretta Sanchez, the ranking Democrat on the House Select Homeland Security Subcommittee on Infrastructure and Border Security. “They had it listed in [Los Angeles] County. They didn’t even have it in my area.”

Fellow California Democrat Rep. Zoe Lofgren also did not like what she saw.

“When his assistant put it down on the desk, I literally wanted to laugh out loud.” she said. “There was nothing in there. I would have literally been better off with a phone book.”

The list, dismissed by Democrats and Republicans alike - Rep. Ernest Istook, R-Okla., thought it was “a joke” - is just the latest incident involving a directorate that, although widely believed to be the most important for the success of the Homeland Security Department, in many ways has been its most troubled.

The directorate, in fact, has been castigated regularly, if not unanimously, by Congress. Lawmakers such as Rep. Dave Camp, R-Mich., believe IAIP is doing a good job. But an April scolding from Rep. Harold Rogers, R-Ky., chairman of the House Appropriations Subcommittee on Homeland Security, is more typical.

“I understand the enormity and difficulty of the tasks you are facing - of identifying what infrastructure is indeed critical, what should qualify as a key asset, how to conduct meaningful surveys of critical sites, how to get the necessary cooperation from the private sector, how to evaluate the interdependencies between sites and sectors,” Rogers told directorate Undersecretary Frank Libutti. “However, it has been a year since the Department was formed, and I want to put you on notice . . . [that] ‘We are working on it’ is not an acceptable response - we need results, and we need them now.”

A spokeswoman for Istook said the congressman considered the critical infrastructure list “to be a joke, and he told them as much. He felt it was very unbalanced in what they regarded as significant, and they left off things that were.”

The frayed relationship extends to segments of the private sector, as well.

“I would argue the state of relations between the private sector and DHS when it comes to critical infrastructure is strained, clearly strained. And it’s sad,” said Paul Kurtz, the former senior director for critical infrastructure protection on the White House Homeland Security Council.

Kurtz is now the executive director of the Cyber Security Industry Alliance.

Senior officials with the industry-operated information sharing and analysis centers (ISACs), for example, left DHS out of weekly teleconference calls focusing on physical infrastructure after Liscouski attempted to “strong-arm” the organizations, telling an ISAC Council meeting that, as one participant at the meeting characterized it, “It would be his way or the highway.”

Problem Solving

Some experts say the root of many of IAIP’s problems can be traced to a lack of personnel and high turnover rates. But others in the business community and on Capitol Hill, many of whom have regular contact with the directorate and therefore spoke on condition of anonymity, point to management problems, including micromanagement, stubbornness and short-sightedness in the infrastructure protection division.

The directorate, they said, appears to be operating without a core strategy or a list of priorities. And the near-constant staff changes, they add, have led to communication problems.

When it first started, said Lynn Costantini, CIO of the North American Electric Reliability Council (NERC), “seemed like the organizational chart was changing on a daily basis”

A DHS inspector general report from February pointed out that, “during the past nine months, IAIP has been hampered by turnover of key management positions.” In the past three months, two of Liscouski’s eight division and office chiefs - Jim McDonnell at the Protective Security Division and Brenton Greene at the National Communications System - have departed.

A House Appropriations committee report from June scolded the department for having filled just 291 of its 737 positions as of May 2004.

A department spokeswoman, Michelle Petrovich, said she did not have figures for how many staff work on the infrastructure protection side of the directorate, nor target figures for how many staff would eventually work there, but the directorate won approval from the Office of Personnel Management in June to hire 490 intelligence-related positions, which many department observers expect will improve the quality of its work.

Department officials blame the staffing problems on competition with other agencies for intelligence jobs, and on slow security clearance processes, although the latter is a challenge faced by other agencies as well.

Lacking staff, the directorate has relied heavily on outside contractors and temporary employees.

That, Sanchez said, leads to the kind of flawed critical asset list that lawmakers disliked so much. “They still lack a lot of core expertise to make such a list meaningful,” she said.

Individual programs within IAIP have come under fire for many of the same management problems.

For instance, the House Select Homeland Security Committee wrote the department in April seeking a progress report on cybersecurity, urging Secretary Tom Ridge to pay greater attention to the issue and to contemplate giving greater authority to the National Cyber Security Division, currently overseen by Liscouski.

Many in the cybersecurity community have privately observed that cybersecurity czar Amit Yoran is struggling in his job because of micromanagement from upper ranks of the directorate.

They advocate elevating Yoran’s position to the assistant secretary level or higher, a move the department opposes.

Moving the office out of the infrastructure protection division would create the wrong impression that physical security and cybersecurity should be treated separately, wrote Pamela Turner, assistant secretary for legislative affairs at DHS, in a May letter responding to the House Select Homeland Security Committee’s April request.

Blind Trust

Meanwhile, a lack of trust between private industry and the department has led to a slow trickle of businesses taking advantage of the Protected Critical Infrastructure Information (PCII) program, officials in the business community have said.

The program, launched in February, allows companies to voluntarily submit data on their critical infrastructure vulnerabilities in exchange for guarantees that the information will be kept confidential, and other protections.

As of late July, the department had received only 20 submissions through the program, according to department officials.

In written comments on the program submitted in May, industry groups complained that there are still too few assurances that the information will truly be protected.

“We need to, as a first step, get a good PCII into place,” said Andrew Howell, vice president of homeland security for the U.S. Chamber of Commerce. “A good PCII rule allows the public and private sectors to begin the information exchange process, to begin creation of the trust process. People have to learn to trust one another.”

On the opposite side of the debate are open-government watchdog groups that view the PCII program as a sheer corporate giveaway that could be abused to shield potentially embarrassing information from the public view.

But a lack of trust in the private sector, justified or not, creates a fundamental problem for the directorate. The philosophical underpinning of the directorate’s approach to critical infrastructure is the public-private partnership, particularly with the ISACs.

Some observers question whether an excessive focus on public-private partnerships and voluntary cooperation can produce much in the way of results.

The partnerships, said Hank Chase, director of homeland security at ITS Corp., a consulting firm, “is just a lot of talk.

“As federal lead, DHS wants to in some cases send out teams to help look at vulnerabilities and make reports. But it’s voluntary whether industry accepts those teams. They hear ‘public-private partnership’ and say, ‘That’s great,’ but unless it’s in their own self-interest, they won’t do it.”

While DHS officials talk up the public-private partnership in public appearances, congressional and business sources said officials like Liscouski are occasionally different behind closed doors, to the point of bullying.

IAIP also has ruffled congressional feathers for smaller offenses, but the kind lawmakers do not take lightly - obfuscating budget requests and failing to provide testimony far enough in advance of hearings to allow members time to develop questions.

“Mr. Secretary, your budget justifications need immediate improvement,” Rogers told Libutti in April. “Because you have used what I guess you call a ‘theme-based’ budget, its about as clear as mud what you are doing with these funds this fiscal year, and the prospects for next year aren’t much better.”

Lofgren scolded Liscouski in April for violating the customary rule for submitting testimony 48 hours before a hearing and for delayed answers to questions she had submitted for follow-up.

Late answers have been endemic.

DHS sent a hiring report to appropriators in April; it had been due in December 2003.

All of this has fed an impression among some observers that the department has done next to nothing to protect critical infrastructure.

A July Government Accountability Office (GAO) review of progress DHS had made on seven years’ worth of GAO recommendations vital to homeland security found that every directorate had implemented at least one of the suggestions - except IAIP.

The directorate was 0 for 12, sometimes providing no detail at all on how far along it was in implementing the recommendations or explaining why it had not implemented them, and sometimes arguing that it had implemented them, but not to the satisfaction of the GAO.

Looking at the critical asset list, Lofgren said, “makes you wonder what they’re doing over there.

“I am actually somewhat frustrated at the information provided by the department,” she said. “I’ve been trying to get a clearer picture by going out to the country and finding out from the private sector as well as the public sector what kind of outreach has occurred. It doesn’t look to me as if much has occurred.”

The difficulties with the critical asset list are particularly frustrating considering a George Mason University graduate student put together a map of the entire country’s infrastructure as part of a dissertation last year - using publicly available data.

Insurance companies and consulting firms have done much the same, as have various states and activists using online mapping services such as mapquest.com.

Measured Improvement

The infrastructure protection operation does have its defenders. Camp, the Michigan Republican, said the flaws in the critical asset list in many cases can be blamed on states, which provided much of the data that composed the DHS list.

Others note that the infrastructure protection side is heavily dependent on the information analysis side of the directorate, and argue that until that operation sorts out its problems, infrastructure protection will continue to lag.

In a telephone interview, Liscouski said IAIP is working hard to build relationships with the private sector and with Congress.

“In the U.S., the private sector has got a fairly cautious opinion of dealing with the U.S. government,” he said. “You can never please the entire private sector, and of course you can’t put your finger on one set of expectations that any one private sector entity has, so you have to go with a collective approach. To deal with the private sector one has to first develop a significant amount of trust.

“The model we are implementing is much more a community of interest, and lets the private sector and the sectors themselves figure out how they need to develop their relationships and organize themselves,” he added.

And, he said, relations with Congress are not as bad as they sometimes seem.

“Congress is working hard at this,” he said. “Sometimes it may appear that we are on opposite sides of the table in terms of our perspectives.”

Addressing complaints from lawmakers about the critical asset list, Liscouski offered a different picture from the one painted by lawmakers.

“When you sit down with them one on one and we go over these lists,” he said, “there’s clearly understanding around it.”

And some members of Congress said they have noted some improvement at IAIP, starting late last year and continuing through 2004. Sanchez, for instance, said the mere existence of a critical asset list - however flawed - constitutes progress.

Costantini, the NERC official, said communication with the department has improved since a meeting with businesses in December. Additionally, the hiring of Jim Caverly to head the Infrastructure Coordination Division has given industry a better idea of who, exactly, it should be dealing with.

Two business community officials with close contact with the directorate and administration said it appears that IAIP is getting pressure from Ridge and the White House to show results. But two other sources close to the administration said IAIP has a history of brushing back direction from the White House.

“I have no doubt that eventually IAIP is going to be right,” said one source who has worked closely with the directorate and the administration. “But it may take a while longer.”

Time, however, is not on the department’s side. As Rogers told Libutti in April, “If your people are not getting the job done, in effect the rest of the Department is operating with one hand behind its back.”

The reprinting of this article is for informational purposes only and in no way implies Congressional Quarterly’s endorsement of EWA Information and Infrastructure Technologies or any of the ISACs.