Todd M. Keil was appointed in December 2009 to serve as the Department of Homeland Security’s (DHS) assistant secretary for infrastructure protection. He oversees the agency’s Office of Infrastructure Protection (OIP), which is responsible for protecting the assets of the United States essential to the nation's security, public health and safety, economic vitality, and way of life. He brings to the mission more than 22 years’ experience in global security operations and management, intelligence and law enforcement, threat assessment, and risk mitigation. His recent experience in private industry includes senior consulting in risk mitigation, executive and facility security, and worldwide threat management. Prior to entering the private sector in 2007, Keil held several key positions at the U.S. Department of State’s Diplomatic Security Service, including regional director for Western Hemisphere affairs, a position in which he managed protection of U.S. government facilities, personnel, and national security information. His responsibilities included oversight of criminal investigations, security training, and managing risks from terrorist, criminal, and intelligence threats at 56 U.S. embassies and consulates in the Western Hemisphere, including the U.S. Mission to the United Nations. In Foreign Service positions in Indonesia, Ireland, and Austria, Keil provided a broad range of security and law enforcement management and risk-mitigation expertise, while advising U.S. ambassadors and serving in primary liaison roles with law enforcement, intelligence, and counterintelligence agencies. From 1994 to 2000, he held a leadership position on the protective detail that provided personal protection for two secretaries of state.
Keil holds a Bachelor of Arts degree in political science and criminal justice from Ripon College in Ripon, Wisconsin. He has also studied at the University of Bonn in Germany and American University in Washington, D.C. His professional memberships include the Fraternal Order of Police, the American Foreign Service Association, and ASIS International. Keil is a native of Beaver Dam, Wisconsin, where he attended Wayland Academy.
This year DHS is issuing revised sector-specific plans (SSPs) under the National Infrastructure Protection Plan (NIPP). What is new to the revisions?
The NIPP is the framework that essentially we base everything off of, and it’s an outstanding framework. What we’re looking at now is an increased emphasis on all hazards. We’ve obviously looked since 9-11 at the threat of terrorism, but we’re looking at natural disasters and business continuity issues. The other key factor now that we’re moving into is resilience: robustness, the ability to respond, and recovery. That’s being factored into operationalizing the NIPP and hopefully into the SSPs.
Additionally, we’re looking more at interdependencies—cascading effects and cross-sector issues. Previously we would go look at one critical manufacturing facility. We’d work with them on how to buy down risk and how to increase their security posture, and then we’d go and we’d look at someone else. Now we’re looking—usually on a regional basis and sector basis or cross-sector basis—at those interdependencies. OK, inside your fence you’re really good, but there’s not a lot you can do without electricity. There’s not a lot you can do without water. There’s not a lot you can do if you can’t ship your product. There are a lot of interdependencies and there are a lot of cascading effects should just one of those things break down. So that’s what we’re assessing, that’s what our protective security advisors (PSAs) are doing during their site assistance visits (SAVs); we’re also looking at it as part of our regional resiliency assessment programs.
And back to the NIPP, we’re going to start looking, through metrics, at how much we’re buying down risk within the sectors, across the sectors, and then obviously for the country.
Is DHS’s current emphasis on resilience a new approach, or an outgrowth of prior, traditional protection efforts?
I wouldn’t say it’s new; I’d say it’s the next step. One, we had to have the NIPP and we had to have the framework from which we’re operating, and then we had to have protection as a cornerstone, initially, and now the next step is resilience. You can look at it two different ways: Are protection and resilience separate issues or is protection actually part of resilience? Just because we’re focusing on resilience doesn’t mean true protection is changing or we’re putting less emphasis on that, that’s not the case. So we’re looking at resilience as a component of protection.
How is the agency working to assess interdependence as a factor in risk?
We do two things when we look at interdependencies. The really hard part is how you frame it, because literally when the national laboratories do massive computer models, they can grow to include everything in the entire country. A driver’s license station in Wisconsin suddenly becomes critical because when you turn 16 if you don’t get a driver’s license and the station isn’t there, you can’t drive, you can’t go to school, and if you can’t go to school you don’t get an education. If you don’t get an education you can’t get a job, and suddenly everything’s wrapped up in it. So we frame it somewhat so that it doesn’t grow to an unnecessary level of complexity.
The way we’re approaching it is to help owner-operators identify nodes of dependence, which I think helps them on two fronts. It helps them determine if they need to develop some sort of independent or back-up capability—should it be power backup, wastewater, or supply chain issues. Plus it also helps them on the other side to interact with their suppliers.
Take electricity. If a substation is identified as being a single point of failure, an assessment can help that owner-operator go to its electrical utility and say, “We have some concerns here. We’ve identified this through our interdependencies assessment as a potential single point of failure. We’re going to look at backup systems so that we have some other avenues of protection, but we’d also like you to look at making this facility more secure or more robust or more redundant, so that ideally it’s not going to go down.” And we do this directly with the utilities as well—identifying those locations and helping them where they can best spend their money.
It all comes down to business at the end of the day. The utilities want to generate power to sell to other critical infrastructure owner-operators. And if they have single points of failure that nobody’s paying attention to, then there are some issues there with their business plan. And if a manufacturing company needs electricity, they need to know where those potential single points of failure and interdependencies are so that they can work with the utilities to ensure a robust supply of electricity, just to use electricity as an example. Or they need to look at other backup alternatives. So it helps at both ends.
How do the PSAs inform this process through their work with owner-operators? How have their tools evolved?
There are two major developments on that front: The first is a new, validated risk assessment methodology our office developed in partnership with Argonne National Laboratory in Illinois. Our guys put a lot of brain and computing power into it and you see that’s one of the equations they use to try to pull all this together. It’s very complex, and we spend a lot of money to ensure that this is all valid and credible from that aspect, and verifiable. And it’s based on criteria that we validated with the sectors. We’re actually using risk and resilience scores determined with that methodology, grouped and analyzed, to assess resilience regionally.
The methodology is also obviously modified for different sectors. We talked to the critical infrastructure owner-operators in the sectors, and said, “What’s important to you?” In some sectors, just a high fence might be really important. In other sectors, high fences, access control don’t matter so much, but technical systems do. And again, everything we do is about the partnerships. We don’t want to guess what’s important to the chemical sector; we don’t want to guess what’s important to the dam sector. What’s crucial for the dam sector may not be crucial for the chemical sector. And we’re incorporating that into our assessments so that we have a validated understanding of what’s crucial and critical across the sectors, and then we put that into our process as we’re doing our assessments.
The second tool, also developed with Argonne, is a risk and resilience dashboard tool that incorporates that methodology. After an SAV, the owner-operator receives a 50-100 page report on our assessment plus a 1MB, e-mailable file that incorporates our results into the dashboard. The tool not only indexes a site relative to 36 similar, unnamed locations around the country, but also, whatever sector the company may be in, it shows across the sector how you’re doing compared to the folks in your same sector.
Most important, the tool allows the owner-operator to select hypothetical protective measures on a very granular basis, from higher fences to added guards, and see immediately how those measures would affect the site’s risk and resilience scores. And that is where the rubber meets the road. It helps the CSO make his business case to the folks who are ultimately going to make the decisions to spend security money, and they’re going to have the metrics to understand the impact, the risk they’re buying down by spending this money. They can go to whoever makes the final decisions on spending money at the company, and say, “I’m, as chief security officer, not just making this up. I am working with DHS, we’re using a DHS tool, this is showing how we’re mitigating risk and how much we’re buying down by spending this money. So it’s not a guess.” And the resiliency index is crucially important here because that plays into the broader business case of how resilient the business is in general, not just the operations of the security office.
This process allows them to base their limited resource judgments and decisions off of our assessments and our tools, and they see where they need to go. So they make the final judgment on the resilience side, and at least for publicly owned companies, they’re responsible to their shareholders and building resilience makes good business sense. If you’re robust you’re able to protect yourself, you’re able to respond, and then ultimately should something happen, you can recover as quickly as possible. That’s not a security program, that’s a program that makes good business sense.