What is the status of the agency’s efforts to assess risk comparatively across sectors, by making assessment methodologies interoperable with one another?
The one thing that we’ve definitely found is that the “one size fits all” definitely doesn’t work. So I think there have to be some common definitions that we use. Even though there are differences between sectors and differences between critical infrastructures, there have to be some common definitions and some common methodologies that we use so that we’re all speaking the same language. Our current approach looks at the criticality of the different components and tries to weight the criticality of the different components. And when you talk about resilience there are things that you can recover from rather quickly, and there are things that are going to take a much longer lead time to recover from. So that’s what we’re trying to identify is the criticality of those different assets and their resilience as far as robustness and recovery capability.
And going forward, comparative assessments will grow out of the methodology we’re using in the different sectors. We validated a lot of our methodology by talking to the private sector, and we’re incorporating that into our assessments so that we have a validated understanding of what’s crucial and critical across the sectors, and then we put that into our process as we’re doing our assessments.
What threat trends does OIP see?
Essentially we see the terrorist threat to the homeland evolving to smaller scale attacks, and by folks who are more difficult to detect, in some cases because they have legal residence, or they are American citizens. Al Qaeda and those groups would still like to do the large-scale attacks that have such a big impact like 9-11. I believe we’re fairly successful in working to disrupt or prevent those. They still would like to do it; that’s not off the table. But we’re seeing that they’ve evolved to the smaller scale attacks, which although not as dramatic, may be just as effective psychologically and at keeping the country a little off balance. We saw it with Najibullah Zazi who was planning on attacking the New York subway system, and now with Faisal Shahzad, the Times Square bomber. Their ties back to al Qaeda are there but they’re sometimes not as direct. So a lot of the indicators that we used to use to pick up on their activity, a lot of foreign travel, contact, preoperational surveillance, a lot of those things aren’t happening in this dynamic threat environment, so they’re much more difficult to detect. Zazi indicated that he didn’t have to do a lot of preoperational surveillance on the New York subway system because he knew it; he knew where he was going to go. The same with Shahzad. He knew Times Square. He didn’t have to do a lot of preoperational surveillance that may have been detected.
Are these guys smart enough now to know that surveillance will be detected?
As an individual, that’s hard to judge, but generally I think the way this is going, the adversary is a lot smarter and they’re much more nimble and adaptive, and they watch what we’re doing, and they learn from what we’re doing and the actions we’re taking to disrupt or prevent an attack on the homeland, and they’re able to adapt quickly. A lot of them, in a sense, are operating semi-independently. They know what they need to do, and so there’s not necessarily a lot of contact, which again might afford us an opportunity to detect what they’re trying to do. And they’re looking for small-scale that might impact or injure or kill 10, 20, or 40 people. And we see this as a continuing and growing trend. It’s definitely a concern for us.
We’re also, in a sense, operating under the premise that there are people in the United States who would carry out these sorts of attacks. You look at the major at Fort Hood, again Zazi, Shahzad, and Umar Farouk Abdulmutallab who was the Dec. 25th bomber. He wasn’t American but he had an American visa and was a younger fellow—not a lot of history that intelligence agencies and law enforcement agencies would pick up on. And I think the bottom line to all this is again some of the things we talked about before. Because it’s so difficult to detect this sort of activity because they’re acting semi-independently—they’re fairly nimble, they can act quickly, they don’t necessarily need to do a lot of preoperational surveillance—that’s where we need the partnership to work. The federal government is going to continue to do what it can.
The state and local governments will continue to do what they need to do, but we also need the private sector, and we need the American public to be aware of what’s going on, hence DHS’s “See Something, Say Something” public awareness campaign, which is based on a concept first developed by the City of New York. That’s becoming more critical as we’re facing this evolving threat. It’s much more difficult to detect and it’s going to take almost that “gut check” where, for example, somebody had a point-of-sale in a retail store or a home and garden center and says, “You know what? This just isn’t right. This guy has been in here five days in a row and he’s buying unusual quantities of fertilizer.” Or, when you’re barbecuing and your propane tank runs out, you take it to the store to exchange it and you see someone buy five tanks. It’s those sorts of situations where you say, “This just doesn’t seem right.”
What is OIP’s message to security professionals working for critical infrastructure owner-operators?
I think to be honest one of the things is just awareness. Awareness not from security and threat awareness, but awareness of what OIP is, what our tools and capabilities are, what we can offer to critical infrastructure owners and operators, and clearly, know who your PSA is, understand that the partnership is the foundation of what we do. It’s crucially important. And as the secretary says, we can’t do this alone. DHS can’t do this alone, the federal government can’t do it alone, state, local, territorial and tribal governments can’t do it alone, and critical infrastructure owner-operators can’t do it alone. We’re facing a dynamic threat environment that’s evolving. It’s a dynamic threat environment, and we have to leverage federal strength and tools and capabilities, those of our state and local partners and those of the critical infrastructure owner-operators to come out of this stronger and wield the biggest strength against this evolving and dynamic threat environment.
What are OIP’s major goals looking forward?
The focus on resilience is crucial for us. We’re also working right now on what we call “Infrastructure protection (IP) in a box,” a project where we’re working with state, local, and regional fusion centers around the country to bring IP to them, so the fusion centers can be a central point of contact for our critical infrastructure owner-operators and our stakeholder partners. There is a lot of information that flows through the fusion centers. It’s a convergence of DHS, state and local governments and efforts. Ideally IP is going to be represented there and it’s going to be a one-stop shop.
What we would like to do is put an IP analyst at the fusion centers. We haven’t done that yet, but that’s one of our goals is to again bring all of this together at the fusion centers. They’re out there, they’re not in Washington, and we want a regional, field focus so we understand what’s happening in the regions, what’s happening with the critical infrastructure owner-operators and stakeholders, and the only way you can do that is be out in the field with them, projecting our tools and capabilities outward, rather than keeping everything back here in Washington. We have a regional information sharing pilot going on using five fusion centers. The first one is going on in Northern California for starters, just so we have a test bed for how this can all come together, how we can use fusion centers and other networks to communicate effectively.