Security Management interviews Todd M. Keil, assistant secretary for infrastructure protection at the Department of Homeland Security.
Todd M. Keil was appointed in December 2009 to serve as the Department of Homeland Security’s (DHS) assistant secretary for infrastructure protection. He oversees the agency’s Office of Infrastructure Protection (OIP), which is responsible for protecting the assets of the United States essential to the nation's security, public health and safety, economic vitality, and way of life. He brings to the mission more than 22 years’ experience in global security operations and management, intelligence and law enforcement, threat assessment, and risk mitigation. His recent experience in private industry includes senior consulting in risk mitigation, executive and facility security, and worldwide threat management. Prior to entering the private sector in 2007, Keil held several key positions at the U.S. Department of State’s Diplomatic Security Service, including regional director for Western Hemisphere affairs, a position in which he managed protection of U.S. government facilities, personnel, and national security information. His responsibilities included oversight of criminal investigations, security training, and managing risks from terrorist, criminal, and intelligence threats at 56 U.S. embassies and consulates in the Western Hemisphere including the U.S. Mission to the United Nations. In Foreign Service positions in Indonesia, Ireland, and Austria, Keil provided a broad range of security and law enforcement management and risk-mitigation expertise, while advising U.S. ambassadors and served in primary liaison roles with law enforcement, intelligence, and counterintelligence agencies. From 1994 to 2000, he held a leadership position on the protective detail that provided personal protection for two secretaries of state.
Keil holds a Bachelor of Arts degree in political science and criminal justice from Ripon College in Ripon, Wisconsin. He has also studied at the University of Bonn in Germany and American University in Washington, D.C. His professional memberships include the Fraternal Order of Police, the American Foreign Service Association, and ASIS International. Keil is a native of Beaver Dam, Wisconsin, where he attended Wayland Academy.
This year DHS is issuing revised sector-specific plans (SSPs) under the National Infrastructure Protection Plan (NIPP). What is new to the revisions?
The NIPP is the framework that essentially we base everything off of, and it’s an outstanding framework. What we’re looking at now is an increased emphasis on all hazards. We’ve obviously looked since 9-11 at the threat of terrorism, but we’re looking at natural disasters and business continuity issues. The other key factor now that we’re moving into is resilience: robustness, the ability to respond, and recovery. That’s being factored into operationalizing the NIPP and hopefully into the SSPs.
Additionally, what we’re looking more at is interdependencies—cascading effects and cross-sector issues. Previously we would go look at one critical manufacturing facility. We’d work with them on how to buy down risk and how to increase their security posture, and then we’d go and we’d look at someone else. Now we’re looking—usually on a regional basis and sector basis or cross-sector basis—at those interdependencies. OK, inside your fence you’re really good, but there’s not a lot you can do without electricity. There’s not a lot you can do without water. There’s not a lot you can do if you can’t ship your product. There are a lot of interdependencies and there are a lot of cascading effects should just one of those things break down. So that’s what we’re assessing, that’s what our protective security advisors (PSAs) are doing during their site assistance visits (SAVs); we’re also looking at it as part of our regional resiliency assessment programs.
And back to the NIPP we’re going to start looking, through metrics, at how much we’re buying down risk within the sectors, across the sectors, and then obviously for the country.
Is DHS’s current emphasis on resilience a new approach, or an outgrowth of prior, traditional protection efforts?
I wouldn’t say it’s new; I’d say it’s the next step. One, we had to have the NIPP and we had to have the framework from which we’re operating, and then we had to have protection as a cornerstone, initially, and now the next step is resilience. You can look at it two different ways: Are protection and resilience separate issues or is protection actually part of resilience? Just because we’re focusing on resilience doesn’t mean true protection is changing or we’re putting less emphasis on that, that’s not the case. So we’re looking at resilience as a component of protection.
How is the agency working to assess interdependence as a factor in risk?
We do two things when we look at interdependencies. The really hard part is how you frame it, because literally when the national laboratories do massive computer models, they can grow to include everything in the entire country. A driver’s license station in Wisconsin suddenly becomes critical because when you turn 16 if you don’t get a driver’s license and the station isn’t there, you can’t drive, you can’t go to school, and if you can’t go to school you don’t get an education. If you don’t get an education you can’t get a job, and suddenly everything’s wrapped up in it. So we frame it somewhat so that it doesn’t grow to an unnecessary level of complexity.
The way we’re approaching it is to help owner-operators identify nodes of dependence, which I think helps them on two fronts. It helps them determine if they need to develop some sort of independent or back-up capability—should it be power backup, wastewater, or supply chain issues. Plus it also helps them on the other side to interact with their suppliers.
Take electricity. If a substation is identified as being a single point of failure, an assessment can help that owner-operator go to its electrical utility and say, “We have some concerns here. We’ve identified this through our interdependencies assessment as a potential single point of failure. We’re going to look at backup systems so that we have some other avenues of protection, but we’d also like you to look at making this facility more secure or more robust or more redundant, so that ideally it’s not going to go down.” And we do this directly with the utilities as well—identifying those locations and help them where they can best spend their money.
It all comes down to business at the end of the day. The utilities want to generate power to sell to other critical infrastructure owner-operators. And if they have single points of failure that nobody’s paying attention to, then there are some issues there with their business plan. And if a manufacturing company needs electricity, they need to know where those potential single points of failure and interdependencies are so that they can work with the utilities to ensure a robust supply of electricity, just to use electricity as an example. Or they need to look at other backup alternatives. So it helps at both ends.
How do the PSAs inform this process through their work with owner-operators? How have their tools evolved?
There are two major developments on that front: The first is a new, validated risk assessment methodology our office developed in partnership with Argonne National Laboratory in Illinois. Our guys put a lot of brain and computing power into it and you see that’s one of the equations they use to try to pull all this together. It’s very complex, and we spend a lot of money to ensure that this is all valid and credible from that aspect, and verifiable. And it’s based on criteria that we validated with the sectors. We’re actually using risk and resilience scores determined with that methodology, grouped and analyzed, to assess resilience regionally.
The methodology is also obviously modified for different sectors. We talked to the critical infrastructure owner operators in the sectors, and said, “What’s important to you?” In some sectors, just a high fence might be really important. In other sectors, high fences, access control don’t matter so much, but technical systems do. And again, everything we do is about the partnerships. We don’t want to guess what’s important to the chemical sector; we don’t want to guess what’s important to the dam sector. What’s crucial for the dam sector may not be crucial for the chemical sector. And we’re incorporating that into our assessments so that we have a validated understanding of what’s crucial and critical across the sectors, and then we put that into our process as we’re doing our assessments.
The second tool, also developed with Argonne, is a risk and resilience dashboard tool that incorporates that methodology. After an SAV, the owner-operator receives a 50-100 page report on our assessment plus a 1MB, e-mailable file that incorporates our results into the dashboard. The tool not only indexes a site relative to 36 similar, unnamed locations around the country, but also, whatever sector the company may be in, it shows across the sector how you’re doing compared to the folks in your same sector.
Most important, the tool allows the owner-operator to select hypothetical protective measures on a very granular basis, from higher fences to added guards, and see immediately how those measures would affect the site’s risk and resilience scores. And that is where the rubber meets the road. It helps the CSO make his business case to the folks who are ultimately going to make the decisions to spend security money, and they’re going to have the metrics to understand the impact, the risk they’re buying down by spending this money. They can go to whoever makes the final decisions on spending money at the company, and say, “I’m, as chief security officer, not just making this up. I am working with DHS, we’re using a DHS tool, this is showing how we’re mitigating risk and how much we’re buying down by spending this money. So it’s not a guess.” And the resiliency index is crucially important here because that plays into the broader business case of how resilient the business is in general, not just the operations of the security office.
This process allows them to base their limited resource judgments and decisions off of our assessments and our tools, and they see where they need to go. So they make the final judgment on the resilience side, and at least for publicly owned companies, they’re responsible to their shareholders and building resilience makes good business sense. If you’re robust you’re able to protect yourself, you’re able to respond, and then ultimately should something happen, you can recover as quickly as possible. That’s not a security program, that’s a program that makes good business sense.
What is the status of the agency’s efforts to assess risk comparatively across sectors, by making assessment methodologies interoperable with one another?
The one thing that we’ve definitely found is that the “one size fits all” definitely doesn’t work. So I think there have to be some common definitions that we use. Even though there are differences between sectors and differences between critical infrastructures, there have to be some common definitions and some common methodologies that we use so that we’re all speaking the same language. Our current approach looks at the criticality of the different components and tries to weight the criticality of the different components. And when you talk about resilience there are things that you can recover from rather quickly, and there are things that are going to take a much longer lead time to recover from. So that’s what we’re trying to identify is the criticality of those different assets and their resilience as far as robustness and recovery capability.
And going forward, comparative assessments will grow out of the methodology we’re using in the different sectors. We validated a lot of our methodology by talking to the private sector, and we’re incorporating that into our assessments so that we have a validated understanding of what’s crucial and critical across the sectors, and then we put that into our process as we’re doing our assessments.
What threat trends does OIP see?
Essentially we see the terrorist threat to the homeland evolving to smaller scale attacks, and by folks who are more difficult to detect, in some cases because they have legal residence, or they are American citizens. Al Qaeda and those groups would still like to do the large-scale attacks that have such a big impact like 9-11. I believe we’re fairly successful in working to disrupt or prevent those. They still would like to do it; that’s not off the table. But we’re seeing that they’ve evolved to the smaller scale attacks, which although not as dramatic, may be just as effective psychologically and at keeping the country a little off balance. We saw it with Najibullah Zazi who was planning on attacking the New York subway system, and now with Faisal Shahzad, the Times Square bomber. Their ties back to al Qaeda are there but they’re sometimes not as direct. So a lot of the indicators that we used to use to pick up on their activity, a lot of foreign travel, contact, preoperational surveillance, a lot of those things aren’t happening in this dynamic threat environment, so they’re much more difficult to detect. Zazi indicated that he didn’t have to do a lot of preoperational surveillance on the New York subway system because he knew it; he knew where he was going to go. The same with Shahzad. He knew Times Square. He didn’t have to do a lot of preoperational surveillance that may have been detected.
Are these guys smart enough now to know that surveillance will be detected?
As an individual, that’s hard to judge, but generally I think the way this is going, the adversary is a lot smarter and they’re much more nimble and adaptive, and they watch what we’re doing, and they learn from what we’re doing and the actions we’re taking to disrupt or prevent an attack on the homeland, and they’re able to adapt quickly. A lot of them, in a sense, are operating semi-independently. They know what they need to do, and so there’s not necessarily a lot of contact, which again might afford us an opportunity to detect what they’re trying to do. And they’re looking for small-scale that might impact or injure or kill 10, 20, or 40 people. And we see this as a continuing and growing trend. It’s definitely a concern for us.
We’re also, in a sense, operating under the premise that there are people in the United States who would carry out these sorts of attacks. You look at the major at Fort Hood, again Zazi, Shahzad, and Umar Farouk Abdulmutallab who was the Dec. 25th bomber. He wasn’t American but he had an American visa and was a younger fellow—not a lot of history that intelligence agencies and law enforcement agencies would pick up on. And I think the bottom line to all this is again some of the things we talked about before. Because it’s so difficult to detect this sort of activity because they’re acting semi-independently—they’re fairly nimble, they can act quickly, they don’t necessarily need to do a lot of preoperational surveillance—that’s where we need the partnership to work. The federal government is going to continue to do what it can.
The state and local governments will continue to do what they need to do, but we also need the private sector, and we need the American public to be aware of what’s going on, hence DHS’s “See Something, Say Something” public awareness campaign, which is based on a concept first developed by the City of New York. That’s becoming more critical as we’re facing this evolving threat. It’s much more difficult to detect and it’s going to take almost that “gut check” where, for example, somebody at a point-of-sale in a retail store or a home and garden center says, “You know what? This just isn’t right. This guy has been in here five days in a row and he’s buying unusual quantities of fertilizer.” Or, when you’re barbecuing and your propane tank runs out, you take it to the store to exchange it and you see someone buy five tanks. It’s those sorts of situations where you say, “This just doesn’t seem right.”
What is OIP’s message to security professionals working for critical infrastructure owner-operators?
I think to be honest one of the things is just awareness. Awareness not from security and threat awareness, but awareness of what OIP is, what our tools and capabilities are, what we can offer to critical infrastructure owners and operators, and clearly, know who your PSA is, understand that the partnership is the foundation of what we do. It’s crucially important. And as the secretary says, we can’t do this alone. DHS can’t do this alone, the federal government can’t do it alone, state, local, territorial and tribal governments can’t do it alone, and critical infrastructure owner-operators can’t do it alone. We’re facing a dynamic threat environment that’s evolving. It’s a dynamic threat environment, and we have to leverage federal strength and tools and capabilities, those of our state and local partners and those of the critical infrastructure owner-operators to come out of this stronger and wield the biggest strength against this evolving and dynamic threat environment.
What are OIP’s major goals looking forward?
The focus on resilience is crucial for us. We’re also working right now on what we call “Infrastructure protection (IP) in a box,” a project where we’re working with state, local, and regional fusion centers around the country to bring IP to them, so the fusion centers can be a central point of contact for our critical infrastructure owner-operators and our stakeholder partners. There is a lot of information that flows through the fusion centers. It’s a convergence of DHS, state and local governments and efforts. Ideally IP is going to be represented there and it’s going to be a one-stop shop.
What we would like to do is put an IP analyst at the fusion centers. We haven’t done that yet, but that’s one of our goals is to again bring all of this together at the fusion centers. They’re out there, they’re not in Washington, and we want a regional, field focus so we understand what’s happening in the regions, what’s happening with the critical infrastructure owner-operators and stakeholders, and the only way you can do that is be out in the field with them, projecting our tools and capabilities outward, rather than keeping everything back here in Washington. We have a regional information sharing pilot going on using five fusion centers. The first one is going on in Northern California for starters, just so we have a test bed for how this can all come together, how we can use fusion centers and other networks to communicate effectively.