08-10-2002
NATIONAL SECURITY: Hardening the Targets If you start thinking like a terrorist, America presents so many targets
that it is hard to list them all. From movie theaters and sports stadiums
to car ferries and food supplies, this vast country has vulnerabilities
aplenty. The trick is figuring out which ones are more likely to be
targets than others and how much money is reasonable to spend to make them
safer. And those who think about these vulnerabilities also have to judge
how much freedom and liberty has to be surrendered for the sake of
security. It's not an easy task. But a lot of people, in government and in
industry, are working on it. And so far, the accomplishments are
uneven.
Air Transportation
Transportation Security Administration: C
Most aviation experts agree that the nation's airport security is much
better than it was before September 11. And a year from now, they say, it
will be much better than it is today. But the system is certainly not
perfect today-and unfortunately, it never will be.
One of the government's first post-9/11 actions was creating the
Transportation Security Administration last November to supervise security
for the nation's airways, railways, roadways, and waterways. Because of
the difficult airport security deadlines it faces later this year,
however, the TSA has spent most of its energy and resources on
aviation.
The new agency, originally placed within the Transportation Department,
has been on a constant bureaucratic roller-coaster ride. In July, its
chief, John W. Magaw, was forced to resign after complaints over lack of
progress in meeting deadlines and over his poor communication with
Congress and aviation interests. Adm. James M. Loy, the former commandant
of the U.S. Coast Guard, has replaced Magaw. In addition, it's quite
likely that the TSA will move from the Transportation Department into the
new Department of Homeland Security.
While experts give the TSA high marks for its attempts to bolster
security, they say the agency has come up short in many areas. For
example, government tests show that screeners are still allowing too many
prohibited items to get past airport security checkpoints. The TSA has
also been criticized for moving too slowly in implementing two key
provisions of last year's airport security legislation: federalizing the
workforce of screeners, and meeting the deadline to screen all passenger
bags through explosive-detection machines.
But those shortcomings aren't entirely the TSA's fault. The deadlines and
standards that Congress set for the agency were ambitious and
unprecedented. As James K. Coyne, president of the National Air
Transportation Association, put it, "They're trying to pass a course
that no one can pass."
Cockpit Doors: C
Immediately after the September 11 attacks, the Federal Aviation
Administration established a rule mandating that the airlines secure their
cockpit doors, through either a deadbolt lock or a steel bar. That,
however, was just a stopgap measure. In January, the FAA passed another
emergency rule, which required the airlines to install bulletproof-even
grenade-proof-cockpit doors by April 2003.
Yet things got off to a slow start. Peggy Gilligan, the FAA's deputy
associate administrator for regulation and certification, says initial
door designs created pressurization problems in the cabin. But that was
eventually solved, and the FAA has approved designs for some of the major
Boeing and Airbus models. Gilligan says that installation of these doors
has finally begun.
But not everyone is optimistic that the deadline will be met. Michael
Wascom, spokesman for the Air Transport Association, which represents the
major air carriers, says that the models certified by the FAA account for
only about one-third of the fleet of ATA member companies. With the
deadline approaching, he said, the delay in certification "has
greatly reduced the time available to install these essential
upgrades."
Another problem is the cost of the hardened doors, which is estimated to
be from $30,000 to $50,000 each. The airlines have complained that the
government hasn't given them enough money for the installation. Despite
these worries, the FAA's Gilligan says that the deadline will be met.
"We are not only optimistic," she said. "We are
sure."
Air Marshals: B
This is the one security effort that has seen the most progress. On
September 11, the number of federal air marshals stood at fewer than 50.
Today, their ranks have exploded to a reported 2,000; however, the
Transportation Department maintains that the actual number is classified.
Air marshals receive 12 to 15 weeks of training-in airports, at firing
ranges, and inside practice aircraft-and they have the highest shooting
qualification standards of all law enforcement agencies.
At a recent congressional hearing, Michael P. Jackson, the Transportation
Department's deputy secretary, said that the department had established an
ambitious goal in November to expand the air marshal program, and that the
target is being met. "We have nailed those goals to the wall,"
he said.
Despite this apparent progress and the air marshals' impressive shooting
skills, one glaring shortcoming remains: There still aren't enough
marshals. Indeed, these marshals-who usually work in pairs or in groups of
three or more-ride on just a fraction of the nation's 35,000 daily
flights. And that's one reason why many in Congress and the aviation
community have pushed to allow pilots to carry guns in the
cockpit.
Baggage Screening: D
Just two months after the airport security bill was signed into law, the
TSA had to meet its first big deadline: to be screening all passenger bags
by January 18, 2002. Despite Transportation Secretary Norman Mineta's
doubts about whether the TSA could meet that goal-after all, the airlines
had been screening fewer than 5 percent of bags before the law's
passage-the job got done through a hodgepodge of methods, such as positive
bag-matches, bomb-sniffing dogs, and screening by hand.
But the TSA now faces a tougher deadline: to ensure that all bags are
being checked through explosive-detection systems (EDS) or trace-detection
machines by December 31. To meet this goal, the TSA will need to deploy
1,100 EDS and 6,000 trace machines. The Transportation Department's
inspector general has noted that such an effort has never been attempted:
It represents three times the amount of such equipment currently deployed
at airports worldwide. As of July 9, only 215 of the EDS machines and 273
of the trace machines were in use.
Airports must be reconfigured to fit the SUV-sized EDS machines, a job
that costs time and money. And operating the labor-intensive trace
machines will require a checked-baggage workforce of 21,600, which could
crowd airport lobbies and cause delays. Consequently, most observers don't
believe the TSA will meet the deadline. "They are a year away,"
said one transportation lobbyist. "I don't think the equipment will
be in place" by December 31.
The good news for the TSA is that the House extended this deadline by up
to a year in its recently passed Homeland Security Department bill.
Whether that extension becomes law, however, is still anyone's
guess.
Passenger Screening: C
Despite the intense scrutiny on airport screening, the system still has
plenty of holes. From November to February, the DOT inspector general's
office conducted tests at 32 airports and discovered that screeners failed
to detect knives, guns, and explosives in 48 percent of the tests. In
another round of tests the TSA conducted in June, screeners still failed
to find these prohibited items 24 percent of the time.
The administration, however, has been quick to counter that the screening
workforce in those tests hadn't yet been federalized; in most cases, the
screeners who failed these tests were the same ones who were working
before September 11. That is correct. The airport security legislation
that was signed into law last fall transferred control of the screening
workforce from the airlines to the federal government. Under the law, the
TSA must hire and deploy this workforce-which is estimated to be 33,000
screeners and managers-by November 19, 2002.
Unfortunately, the TSA has been moving slowly. As of July 13, it had
hired, trained, and deployed only 2,475 screeners, just a fraction of the
workforce it envisions. To meet its goal, the TSA will have to hire and
train more than 7,600 screeners per month over the next four months. Yet
according to Mineta, the plan that DOT created to federalize this
workforce was designed to begin slowly, and it was understood that most of
the hires would come later in the process. In fact, the TSA says it has
already hired 8,000 screeners. "We are on schedule," Mineta
recently told Congress.
Crew Training/ Worker Security: C
Before September 11, terrorists had hijacked planes only to get to a
foreign country (such as Cuba), or to negotiate for something they desired
(such as release of prisoners). But the concept of a hijacking changed
when terrorists took control of American airliners and slammed them into
the World Trade Center and the Pentagon. Not surprisingly, pilots and
flight attendants have begun to rethink their approach to hijackings.
Duane E. Woerth, president of the Air Line Pilots Association, says that
the pilots, flight attendants, and airlines have worked together to
develop a "common strategy" to respond to future suicide
hijackings. For security reasons, he won't reveal the specifics, but
Woerth explains that the strategy involves enhancing communication among
the pilots, flight attendants, and air marshals.
But according to Patricia Friend, president of the Association of Flight
Attendants, not enough has been done on the training front, particularly
when it comes to flight attendants. While the airport security legislation
addressed flight-attendant training, Friend says the language wasn't
specific enough to improve things. She argues that in some cases airlines
have offered only two or three hours of additional training, and that
"under the current system, we are no better prepared to fight off an
attacker in the cabin than we were on September 11, and that is
unacceptable." The Association of Flight Attendants is currently
supporting legislation in Congress that would set detailed requirements
for cabin crew training programs.
The TSA has mandated that all airport workers with access to secure areas
undergo criminal background checks. Having committed any of some 30-odd
crimes will disqualify workers from employment. The TSA has until November
to complete these checks, although the agency says that most of them are
already completed.
But Friend finds plenty of holes in the system. She explains that because
many airports have employee entrances that provide access to the gates and
lobbies, anyone who can get inside the employee entrance has access to the
entire airport. Because there are no magnetometers at the employee
entrances, she said, people can show up with a photo ID, but "no one
knows what they are carrying."
On the other hand, some airline employees complain they are subjected to
the same random searches and checkpoints that all passengers must go
through-even though these employees have undergone background checks and
have keys to the cockpits. Such indiscriminate searching is
"ridiculous," said Woerth. "We treat every citizen as [a
threat equal] to Mohamed Atta." The Air Line Pilots Association and
several airlines have been pushing the TSA to introduce some sort of a
universal ID card for airline employees that would incorporate a retinal
scan or fingerprint. The TSA has said it's considering the
proposal.
General Aviation/Small Airports: D
The TSA has established a classified security program for general aviation
operators. James Coyne, president of the National Air Transportation
Association, which represents general aviation interests, says his
industry has come up with its own security advice for operators in dealing
with the airport, the aircraft, and the people in the planes. In addition,
since September 11 general aviation operators have a heightened awareness
about security.
Still, the government hasn't been paying much attention to general
aviation. In testimony before the Senate Commerce, Science, and
Transportation Committee, the General Accounting Office noted that the TSA
has set only a few guidelines for GA security. Coyne doesn't think it
should be that big a priority, noting that the teenager who flew his plane
into a skyscraper in Tampa, Fla., in January didn't do much damage.
"I don't think people feel that GA is a significant threat," he
said.
In addition to America's 429 commercial airports, thousands of smaller
airports and landing strips are scattered across the country. Because of
the small size of these facilities, the federal government hasn't done
much to improve their security. But after the 9/11 terrorist attacks, even
these small strips do seem to have a new sense of awareness about
security.
Water Transportation
Cruise Ships and Ferries: B
Whether embarking from terminals in Hampton Roads, Va., Honolulu, Miami,
or New Orleans, cruise ship passengers today are witnessing a level of
security that would have been unthinkable before September 11. As their
ships pull away from the docks, passengers have noted the comforting
presence of Coast Guard escorts that enforce a 100-yard perimeter around
cruise ships entering or leaving port. Since 9/11, the Coast Guard has
escorted more than 6,000 vessels in and out of port. Cruise ships,
ferries, and any other large ships that are identified as possible
"high-risk" vessels under a classified threat matrix system are
also boarded by armed Coast Guard sea marshals, who ensure that the ships
are under authorized command-and-control. In the past year, sea marshals
have escorted 2,000-plus vessels.
Any suspicious boats that might pose a risk to cruise ships or ferries are
also far more likely to be boarded and investigated. Since 9/11, the Coast
Guard has conducted more than 35,000 port security patrols and more than
3,500 air patrols, boarding more than 10,000 vessels in the process. In
New York City harbor alone, the Coast Guard has boarded more than 2,000
vessels since September 11. If there's credible intelligence that a port
or vessel is the target of a specific threat, the security presence will
also likely include one of the Coast Guard's new Maritime Safety and
Security Teams-rapidly deployable, waterborne SWAT teams with
fast-response boats and heavy tactical weaponry.
The increased patrolling is part of the largest port security operation
since World War II. The Coast Guard's waterborne measures are being
matched dockside at many of the country's ports, some of which have taken
advantage of $93.3 million in seaport security grants authorized last year
by Congress. This year, the House and Senate also passed comprehensive
maritime security bills, which are expected to be reconciled soon in a
House-Senate conference.
Despite improvements, experts concede that with 361 ports and 25,000 miles
of rivers and coastal waterways to protect, America remains vulnerable to
waterborne terrorist attack. "After the 9/11 attacks, the
government's primary effort was rightfully focused on the aviation sector,
but now I think we as a nation need to take a very hard look at our
ports," said Coast Guard Commandant Adm. Thomas Collins. "Our
continuing concern is that the U.S. ports and waterways remain very
vulnerable."
Cargo Containers: D
In any inventory of America's vulnerabilities, container traffic entering
through U.S. ports is likely to top the list. The reason is a simple
matter of volume. Fully 95 percent of international goods shipped to the
United States enter through its seaports, and seaborne trade accounts for
25 percent of the U.S. gross domestic product. Of that cargo, 90 percent
moves in the 40-foot-long metal cargo containers that can be seen stacked
dozens of stories high at major ports throughout the world. More than 200
million such containers are now moving through the international trading
network, constituting the most critical component in the global trading
system.
If it was learned that terrorists were using a cargo container to smuggle
a weapon of mass destruction into the United States, experts estimate that
screening the roughly 6 million cargo containers in the country on that
day could take up to six months. During that half-year, global commerce
would all but grind to a halt.
The Customs Service can manually screen only 2 percent of the containers
that enter the country, but officials have worked hard over the past year
to improve the intelligence fed into a threat matrix system that
identifies "high-risk" cargo for close inspection. The Customs
Service has also deployed additional X-ray and gamma-ray inspection
devices for more-rapid screening of containers, as well as nearly 4,000
radiation detectors that its front-line agents use to check for nuclear
weapons and weapons-grade material.
By far the most ambitious plan to secure container traffic, however, is a
new Customs Trade Partnership Against Terrorism program that seeks to
establish a reliable "chain of custody" for all cargo. Such a
system would include assurances that a container was packed in a secure
environment; sealed so that its contents could not be tampered with while
under way; and was transported under the control of a certified and
responsible shipper.
Experts concede that effectively implementing such a system will likely
take years and a new dynamic in global trade that weighs security on a par
with efficiency. "In terms of awareness of the problem-and agreement
on a holistic solution that doesn't naively call for the inspection of
every container-I think we're light-years ahead of where we were before
9/11," said Stephen Flynn, a senior fellow at the Council on Foreign
Relations. "In terms of tangible measures to solve this
vulnerability, however, we haven't done much. I would thus give the
government a D, but with every hope that we're working hard toward a
better grade."
Land Transportation
Risk Assessment: C
Billions of dollars have been sunk into concrete, asphalt, and steel so
that people can move freely within the United States, and nobody wants to
impede that in the name of security. Yet transportation systems are an
increasingly popular target for terrorists across the globe, and
governments want to minimize vulnerabilities and maximize emergency
response capabilities.
Current laws make the first task difficult: Federal and state disclosure
and liability laws provide an inherent disincentive for government
agencies to conduct thorough vulnerability assessments. "You don't
want the results of the assessment to become public information,"
says Ron Diridon, the executive director of the Mineta Transportation
Institute, a congressionally chartered research organization. "But
information provided by consultants to those facilities is, under law,
public information." Meanwhile, liability laws allow an agency to be
sued if it fails to address everything identified in an assessment and
somebody gets hurt. Both barriers can be worked around, Diridon notes, but
solutions make it harder to share important information quickly.
Because American society is so open, experts say, it is almost impossible
to fully protect transportation systems against terrorism. Rather, the key
to improving security seems to be in improving the system's emergency
responses. The important thing, Diridon stresses, is to make sure that any
disaster response program is up-to-date and regularly practiced by all
local responders: transportation, fire, police, and emergency medical
services.
Transit: B
Transit agencies began buzzing about disaster preparedness after the 1995
chemical attack in Tokyo's subway, but they put their plans into high gear
after September 11. The Federal Transit Administration made $50,000 grants
available for emergency drills, and it has conducted vulnerability
assessments for the country's 32 largest agencies. Most municipalities
have taken simple steps, such as removing station lockers and trash bins,
as well as increasing surveillance on buses and trains. Metro in
Washington is piloting a new chemical-detection system at 12 stations, the
first of its kind anywhere in the world.
In general, though, old-fashioned people-watching remains the best
prevention tactic, says Paul Lennon, security chief of the Los Angeles
Metro. "There's a heightened awareness within each of the transit
agencies, from their front-line employees through top management, of their
vulnerabilities, and what each and every person can contribute to enhance
security."
The sheer number of people streaming in and out of any subway station
during a typical morning or evening rush hour makes it impossible to
conduct individual screenings of passengers and bags, Lennon says.
"For a dollar, dollar-and-a-half ride, they're just not going to
tolerate it," he adds.
Amtrak: C
Amtrak has started running quick background checks on all of its
passengers and requiring a photo ID for everyone boarding a train, but the
national rail service's budget woes mean there's not a lot of money for
restructuring and upgrading existing security systems. Some Amtrak police
officers are pulling 12-hour shifts to provide increased surveillance. New
York Gov. George E. Pataki recently offered the state's National Guard to
help out. Amtrak has tried to increase visual checks on the heavily
traveled Northeast Corridor but, as was shown by the recent derailment of
an Amtrak train in Maryland-which resulted from problems with the track
and not from terrorist actions-there is a lot more track than there are
eyes to watch it.
Roads: B
Getting on a train or a bus requires going through at least one
checkpoint-the place where you buy your ticket. Getting on almost any
highway, road, bridge, or tunnel simply requires foot power or turning a
key. "Highways have always been considered invincible, and we hadn't
worried about terrorists," says Tony Kane, director of engineering
and technical services for the American Association of State Highway and
Transportation Officials.
Today, concrete and steel seem a lot less invincible. State transportation
departments have been running new vulnerability assessments during the
past year. The country has about 600,000 transportation structures, from
two-lane country bridges to the Golden Gate Bridge, and about 500 are
considered significant. States are using various devices to protect these
structures, from surveillance cameras to new supporting columns in
tunnels. The states are also considering building protective structures
around bridge piles to forestall a water attack.
In general, though, officials worry most about responding properly to a
disaster. That, says Kane, depends on good communication, not roads.
"A lot more emphasis has to be spent on the emergency response
system," he says. The association estimates that the nation's highway
systems need $4 billion to strengthen road and emergency communication,
and another $2 billion on physical protection measures.
Energy
The nation's energy infrastructure, which the White House identified
shortly after September 11 as dangerously vulnerable, has begun to adopt
new safeguards. Companies have boosted security at nuclear power plants,
oil refineries, and electricity-generating facilities. And President Bush
has increased the oil supplies that the federal government holds in
reserve, a move that could lessen the economic impact of an oil supply
disruption in the Middle East.
But serious shortcomings remain. The nation's electric power grid and its
oil and natural gas pipelines remain precariously vulnerable to attack,
and some observers say that little can be done to protect them as they
crisscross the nation. The Bush administration says that transferring
nuclear waste to one central storage location will make the nuclear power
industry safer, but putting that solution into action will taken another
decade-and 9/11 has exacerbated safety concerns about transporting the
waste over the nation's highways and rail lines. The U.S. energy sector is
safer than it was when terrorists attacked New York City and the Pentagon,
but significant additional improvements are needed.
Nuclear Power: B-
Within an hour after the 9/11 terrorist attacks, officials at the nation's
104 commercial nuclear power plants tightened security. Then, in February,
the Nuclear Regulatory Commission ordered plant owners to beef up security
even further. The commission's order, much of which was kept secret,
required plants to increase patrols, widen security zones, and toughen
security checks on visitors and employees-steps that industry officials
say many firms have now taken. "The level of security at nuclear
power plants is the highest it's ever been," said Mark Findlay,
director of security at Nuclear Management, which provides security at
several facilities.
The NRC has offered to provide states with potassium iodide tablets,
which, if taken immediately by those exposed to a radiation release, can
prevent thyroid cancer. In the event of such a disaster, the pills are to
be made available to citizens living within 10 miles of the
plants-although critics say the danger zone can extend 50 miles.
Nuclear-industry officials are touting a recent study indicating that a
large commercial jetliner deliberately flown into a nuclear plant would
not crack the reactor vessel or cause a radiation leak. But watchdog
groups argue that a plane could do serious damage to a reactor's safety
systems. Critics note that the study neglected to consider the impact of a
shoulder-fired missile. Despite the industry's assurances, Congress is
considering legislation that would force the commission to get tougher on
nuclear facilities. Congressional critics object that the NRC allows
companies to assume that an attack on their plants would be carried out by
a few terrorists who are not heavily armed and not suicidal. "Since
September 11, we have to assume that those assumptions are seriously
wrong," said Rep. Edward J. Markey, D-Mass.
Nuclear Waste: D
The Bush administration boasts that nuclear power plants will be much
safer after the Energy Department transfers 45,000 metric tons of
radioactive waste from 104 commercial nuclear power plants and 14 closed
facilities to an underground repository in Nevada's Yucca Mountain. Some
161 million Americans live within 75 miles of those power plants. Earlier
this summer, Congress and the White House authorized the Yucca Mountain
waste dump. Nevada state officials are continuing to fight that
decision.
But the Nevada repository, which the Energy Department spent 20 years and
$4 billion studying and beginning to build, won't open until 2010 at the
earliest. And critics of the plan charge that moving the waste to Nevada
would create serious new safety threats, because the material would be
moved on rail lines and highways close to major cities. Only a few tests
have been conducted on what could happen if terrorists attacked a
nuclear-waste shipment, and the results of those tests are disputed.
Opponents say the shipments would be vulnerable to accidents and terrorist
attacks. "There are great questions about the government's ability to
guarantee the security of transporting this material through communities
and states across the country," Markey argued. Meanwhile, each year,
the nation's nuclear power plants produce roughly 2,000 metric tons of new
waste, which remains too radioactive to move off-site for five years.
Nuclear power now produces 20 percent of the nation's electricity. As long
as nuclear reactors continue to operate, a substantial amount of
radioactive waste will have to be stored near them.
Markets and Strategic Supplies: B
Experts generally agree that the biggest threat of terrorism against the
U.S. energy sector is not a violent attack on some facility but a
coordinated sabotage effort that drives up energy prices and imperils the
U.S. economy. Soon after the 9/11 attacks, the United States increased the
"fill rate" of the Strategic Petroleum Reserve, the
government-owned cache of crude oil that is stored in underground salt
formations in the South. The reserve now holds about 600 million barrels.
Europe and Japan together hold the same amount.
Energy economist and consultant Philip Verleger said that might sound like
a lot but really isn't. "It represents about four months of imports
from Saudi Arabia," he said. Verleger emphasized that there are many
terrorism scenarios in which the reserve could prove inadequate. For
example, an Iraqi attack might disable Saudi Arabia's oil production for
far longer than four months. And if a U.S. attack on Iraq involved Israeli
participation, that could easily trigger a broader Middle Eastern oil
embargo.
The good news is that global oil production is much more diverse than it
was during the oil crises of the 1970s. The bad news is that U.S.
production has continued to lag behind demand and that conservation
efforts were set back by the low prices and good times of the 1990s.
However, U.S. oil production will never be able to sustain the American
economy, so there is no substitute for a foreign policy that protects
shipping and keeps Middle Eastern oil flowing to the United
States.
Oil and Gas Pipelines: B
Early on, the Bush administration identified oil and natural gas pipelines
as critical links in the nation's infrastructure that would be natural
targets for a terrorist attack. Rather than seeking more regulation, the
government has asked for industry input about how to improve safety and
has been reviewing that information since last fall. Industry and
government have earned good marks for getting this process moving and for
working together. Yet the voluntary, decentralized nature of the process
does not ensure that all pipeline operators will observe the highest
standards. And the government has not yet issued its safety
guidelines.
Two notable acts of sabotage have damaged the Trans-Alaska Pipeline
System, which carries 1 million to 2 million barrels of crude oil every
day from the state's North Slope to refineries in southern Alaska. In
1978, shortly after the pipeline opened, vandals used a small amount of
conventional explosive to blow up a section of the line, causing a
700,000-barrel spill.
The pipeline's second-largest spill, in October 2001, seems laughably
small by comparison. Only 6,800 barrels were lost. But in its way, it was
even more disturbing than the first because it was caused by a lone gunman
firing a single bullet through the double-walled steel of the pipeline.
Daniel Carson Lewis, 37, was arrested, but it took 36 hours to stop the
leak. Afterward, security experts, including former CIA Director James
Woolsey, testified that the Alaska pipeline and others in remote locations
are very vulnerable to terrorist sabotage, since patrolling the thousands
of miles of petroleum pipelines that crisscross North America is
impossible. In densely populated areas, most pipelines are underground,
making them more difficult to attack.
Oil Refineries, Tank Farms: B-
U.S. oil refineries process huge volumes of volatile and toxic chemicals.
Mishaps at refineries have caused some of the nation's worst industrial
accidents, and these facilities would be a logical target for terrorists.
Fortunately, oil refineries have faced the risks of accidents and sabotage
before-and they generate enough profits to prompt their owners to invest
in expensive safeguards. But the self-regulatory approach to safety that
dominates federal oversight of the industry makes it impossible to assess
the security of these thousands of facilities. Clearly, oil companies have
taken some independent actions since September 11, but a comprehensive
list of government recommendations is still being compiled.
Back when he was chief executive of Halliburton, Vice President Cheney
headed up a cyber-security task force of the industry-sponsored National
Petroleum Council. The task force found that cyber-technologies posed
significant new risks for the oil industry and that an entire new level of
security was needed to protect against them. Oil companies stepped up
their pace in adopting these measures after 9/11, but it is not clear how
extensive and intensive the changes have been. After the terrorist
attacks, the Department of Transportation had to use the telephone to
contact 1,000 oil and gas companies and those working with hazardous
materials. Since then, the use of e-mail for communicating alerts from the
Office of Homeland Security has increased, but the phone system still
plays an important role.
Electric Utilities: C
Keeping the lights on in America means protecting against both physical
attacks on the electric grid and cyber-attacks on the computers that
operate the system. The physical grid, which includes everything from the
high-voltage wires that stretch across the countryside to the electric
substations crammed into cities, was not built with sabotage in mind.
"We all have electric systems that we built in the sunshine, in a
country built in the sunshine," said John M. Derrick Jr., CEO of
Pepco Holdings, which supplies power to 1.8 million customers from New
Jersey to Virginia. "Now all of a sudden, it's a
concern."
A National Research Council report warned this June, "The most
insidious and economically harmful attack would be one that exploits the
vulnerabilities of an integrated electric power grid." To prevent
such an attack, electric-industry officials say they have boosted
surveillance and installed new physical barriers. Meanwhile, experts are
improving ways to reroute electricity around an outage. Critics say the
industry should also lessen the potential impact of an attack by taking
the costly steps of expanding the nation's transmission system and
maintaining backup emergency power plants.
On the brighter side, before the new millennium, the industry had made
massive investments in protecting its computer equipment, in response to
fears that software systems would fail when their internal calendars
switched from 1999 to 2000. Now, the Energy Department's national
laboratories are testing the cyber-security at some electric companies and
are recommending further improvements. Nonetheless, Derrick said, computer
hackers are sure to continue to try to break into the computer systems
that run the nation's electric grid.
Infrastructure
Agriculture: C
This summer, seven states took part in a disaster drill to see what would
have happened if a hypothetical Missouri farmer had accidentally brought
foot-and-mouth disease in from Argentina on July 10. If the farmer had
infected, and then sold, his bulls, animals in 28 states would have been
exposed to the disease within 12 hours of the sale. Within 48 hours, the
first reports of limping and drooling livestock would have trickled into
state veterinarian offices. By July 21, only 11 days after the disease had
hypothetically crossed the border, the Agriculture Department's
foreign-disease laboratory on Plum Island, N.Y., would have confirmed the
first outbreak of foot-and-mouth disease on American soil in 70
years.
If the scenario of the Missouri farmer had been real, most of the $90
billion American livestock industry would have been wiped out by
now.
The drill, which was run by the Central States Animal Emergency
Coordinating Council, with USDA emergency funds, showed just how easily
chance or malice could devastate U.S. agriculture. Many security actions
taken over the past year, such as strengthening border inspections and
making it harder for strangers to wander onto farms, reduce the odds of an
attack-but not by much.
Destroying a nation's farm industry is "technologically simple to
execute and doesn't need to be successful to have a [significant] economic
impact," according to bioterrorism expert Rocco Casagrande, who
designs and tests detectors for biological warfare agents with Surface
Logix, a private research company.
The key, Casagrande says, is in the country's procedures for handling and
containing attacks. But the July drill showed that American protections
are still haphazard. At the time of the drill, only one state, North
Carolina, had procedures in place that called for notifying all other
states the moment the state's veterinarian suspected a case of
foot-and-mouth disease. In the exercise, some of the other states remained
silent until it was too late to control the outbreak.
To be sure, some procedures have been improved since September 11. New
labs coming on line are expanding the country's testing capacity, and the
USDA has accelerated a plan to help protect ranchers against quarantine
losses, thereby encouraging faster reporting of disease. But key steps,
such as developing a shared communications network for use by the states
and the USDA, and increasing the frequency of the USDA's training in
identifying foreign diseases, have yet to be taken.
Food: B
Using food to kill people is very difficult, because processing your
dinner through cooking, salting, or irradiating destroys most bacteria.
Any critters that make it onto your plate might cause gastrointestinal
unpleasantness, but they are unlikely to kill you.
The food industry has become much more vigilant about securing its
ingredients and its machines from outsiders, and the number of USDA food
inspectors has increased from last year.
Still, says David Siegrist, the director of the Potomac Institute's
Studies for Countering Biological Terrorism, our food supply remains
vulnerable. "A large fraction of U.S. fruits and vegetables come in
from abroad," he says, "where not even the safeguards that we
have here would apply." Furthermore, he points out, accidental
contaminations, such as the one that triggered last month's ConAgra beef
recall, prove that the U.S. system is still vulnerable to diseases.
"If you're doing it inadvertently, then it stands to reason that if
somebody intended to do it, they could."
Water: B
A violent extremist group known as The Covenant, the Sword, and the Arm of
the Lord surrendered to the FBI in 1985, giving up 30 gallons of cyanide
and a vague intention to poison a city's water while praying that only
"those who were meant to die would be poisoned." If the
extremists had succeeded in dumping the poison into a reservoir, some fish
might have been hurt, but that's about it.
U.S. water supplies are difficult to attack directly. The stuff streaming
out of your faucet comes from reservoirs, which are already large virulent
cesspools, and tipping in a few more chemicals wouldn't have much impact.
Reservoir water goes through extensive, and redundant, treatment processes
before entering underground pipes for distribution. It's difficult, but
not impossible, to introduce a contaminant after purification, but even
then, it would be diluted by the sheer volume of water coursing through
the pipes.
All U.S. water authorities have begun vulnerability assessments since
September 11. The big plants will finish their assessments by December
2002, and the smaller plants should be finished by December 2003. In
addition, most plants have significantly tightened security by ending
tours, installing new alarms and gates, screening drivers, hiring more
guards, and tightening access points and procedures. But these steps just
address the obvious risks, says Milwaukee's water superintendent, Carrie
Lewis. "The smart terrorists know all this now, and the water
utilities are smarter than the dumb terrorists," she says.
In testimony before a House subcommittee last summer, U.S. Assistant
Attorney General Michael Chertoff suggested that the risk of a
cyber-attack opening a dam's floodgates was graver than the risk of a
physical attack. He said that a juvenile hacker had broken into the
computers controlling Arizona's Roosevelt Dam.
Jack Hoffbuhr, executive director of the American Water Works Association,
says officials are trying to figure out the extent of the industry's
electronic vulnerabilities now. "A lot of water utilities wouldn't be
impacted, because they run internal loops," he says, "but other
water utilities use systems that connect to other networks," and so
could be accessed by a hacker.
The bottom line, says David Dobbins, a water expert at security consulting
firm Black and Veatch, is that nobody has a good handle on how vulnerable
the nation's water infrastructure is. "We don't have a history to
gauge this on," he says.
Public Places
Protecting Against Suicide Bombers: D
Security measures in public places have been stepped up since September
11-including more uniformed security officers, tighter controls over
ventilation systems, and new parking rules near sensitive buildings-but
our public places remain extremely attractive targets for terrorists.
Because Americans want openness as well as safety, almost no one
recommends surrounding every shopping mall, sports arena, and office
building with a cordon of metal detectors and bomb-sniffing
devices.
Michael Swetnam, a terrorism expert at the Potomac Institute for Policy
Studies, believes that overall, the country is less safe than before the
terrorist attacks. "September 11 demonstrated to everyone in the
world how easy it is to slip into a sports facility or an entertainment
venue and cause us grave harm," he says.
If a flurry of individual, Palestinian-style suicide bombers struck the
United States, America's public spaces could become exceedingly dangerous,
analysts say. Experts such as Swetnam and former CIA Director James
Woolsey don't foresee a wave of suicide bombings in the United States.
Groups such as Al Qaeda have specialized in spectacular attacks on
symbolic targets, preferring, it seems, to topple the Washington Monument
and cause only a few casualties, than to incinerate hundreds of people in
an anonymous movie theater.
Woolsey added that suicide bombings "require a subculture that
encourages and trains people.... I think that would be very hard to do in
this country."
Other experts, however, worry about the threat of suicide bombers
sponsored by groups other than Al Qaeda. John Cohen of PSComm, a security
consulting firm, notes that attacks on malls, restaurants, and other
places where people gather could "injure or kill a large number of
people, will make a statement critical of American consumer life, and
cause widespread fear and disruption."
Cohen says that the state and local officials he works with are
unimpressed by the federal government's efforts and have begun to set up
their own information-sharing alliances. For personnel and budgetary
reasons, many cities rely more on private security forces than on their
police departments to protect major gathering places, said Frank
Fairbanks, the city manager of Phoenix, Ariz. And Mortimer Downey, who
served as deputy Transportation secretary under President Clinton, said,
"There are no simple technologies for securing big public
spaces."
Shopping Malls: C
Shopping malls have taken a number of steps to improve security, said
Malachy Kavanagh, a spokesman for the International Council of Shopping
Centers. Though the upgrades vary, uniformed patrols by both police and
private security have generally increased, and barriers to stop car bombs
have become more common. Mall owners have also installed more surveillance
cameras, instituted more-restrictive parking rules, locked down
ventilation systems and internal corridors, and required tenants to abide
by stricter rules governing the delivery of goods and packages, Kavanagh
said.
Yet shopping malls remain one of the softest targets imaginable for an
industrious terrorist. A chemical or biological attack could spread
quickly there. And while casualty rates from a single bomb might be low,
preventing even one attack would be hard: The flow of pedestrians can
never be monitored very closely; each mall includes many exits and
entrances; and most visitors carry bags that could easily conceal an
explosive device. And because virtually all Americans visit malls, the
terror factor from a single attack would be multiplied greatly.
Skyscrapers: B
Owners of large buildings-who have already seen their properties targeted
by terrorists on several occasions-have been among the most active in
setting higher security standards. A survey conducted for the Building
Owners and Managers Association International and the Urban Land Institute
found that most owners of commercial buildings have added security
cameras, increased security personnel, and either installed or more
rigidly enforced card-access systems.
Interest in security within the industry has been high: An October
conference call on security attracted 3,500 participants, said Ron Burton,
BOMA's vice president of advocacy and research. The most common
improvement has been a tighter leash on vendors, including requirements
for background checks, identification, and check-in procedures.
Protecting skyscrapers isn't easy, however, because many have shopping
malls or atriums, forcing security personnel to keep tabs on the general
public, not just employees. Many big buildings also have underground
parking garages, which carry the risk of car bombs. High-profile
"trophy buildings" such as Chicago's Sears Tower pose special
risks, but the 1995 Oklahoma City bombing proved that nondescript
buildings can be targets, too.
In the wake of the collapse of the World Trade Center's twin towers,
building-evacuation procedures are also getting a hard look. Historically
in high-rise fires, the practice has been to evacuate one floor below the
fire and four above it, to allow for an efficient evacuation. But now,
building and fire officials are rethinking that standard. Studies by the
National Institute of Standards and Technology and other organizations are
under way, but it's too early to come up with answers, said Randy
Bruegman, the president-elect of the International Association of Fire
Chiefs.
Ultimately, much of the responsibility for protecting skyscrapers falls to
those other than building owners, such as aviation security officials.
"The only way to do it is to prevent the attack in the first
place," Swetnam said.
Stadiums: B-
Measured purely by the scope of potential casualties, sport stadiums
packed with people are seen as a prime target for terrorists. But other
factors work against this logic. Psychologically, stadiums are more like
airports than shopping malls for most Americans; because a trip to a
stadium is a special event, most people feel it's worth putting up with
extensive security checks. Another factor is that stadiums are designed to
help a mass of patrons exit as quickly as possible. And short of a
nuclear, biological, or chemical attack, stadiums are sufficiently
sprawling that a conventional explosive might not kill many
people.
Even so, sports leagues aren't taking the threat lightly. While specific
upgrades have been left to local stadium authorities, the National
Football League has put security near the top of its agenda, said Greg
Aiello, the NFL's vice president for public relations. The league called
in an outside consultant, Guardsmark, to assess every team's stadium
security measures, and established a task force to establish and
distribute best-practices guidelines on such matters as pat-downs of
patrons, bans on coolers and large bags, uniformed security staffing,
tighter controls on concessionaires and deliveries, and a closer lookout
for possible intruders in the days before a game. In conjunction with
Major League Baseball and the Division 1-A Athletic Directors Association,
the NFL has been lobbying the Federal Aviation Administration to ban
overflights by private planes.
Swetnam says the risk of a stadium attack is relatively low, but he
describes current security measures as "hit-and-miss." He
concluded, "Very large events like the Super Bowl are done very well,
but routine events strike me as spotty at best."
Movie Theaters: F
In theory, movie theaters shouldn't be too hard to protect from
conventional bombs: There's just one way to get inside a theater, and
patrons would probably accept a metal-detector check if they began to fear
for their safety. In practice, though, theaters appear to have done little
to boost their safety level. Specifics are slim; the National Association
of Theatre Owners referred all calls to member companies, and none of the
companies returned reporters' calls. But outsiders say that the theater
business muddles through with low profit margins and tight constraints on
the timing of shows, making expensive changes and potential delays
unpopular within the industry. And because there has been no terrorist
incident in an American movie theater, the impetus for change-at least for
now-is weak.
New York City Targets: B
Since taking over as New York City police commissioner in January, Ray
Kelly has taken several steps to increase security in the Big Apple. He
created a counter-terrorism bureau headed by retired Marine Corps Lt. Gen.
Frank Libutti and named 35-year CIA veteran David Cohen to run the police
intelligence unit. The department now has personnel proficient in more
than 40 languages, including Pashto, Urdu, and Arabic. All uniformed
officers must go through counter-terrorism training-lessons that are also
offered to civilians. "Hercules" units-heavily armed officers
riding in armored SUVs-roam throughout the city. Perhaps most important,
the NYPD hired 2,500 recruits who are in training and slated to hit the
streets by January 2003.
Michael Swetnam, who has been advising New York City officials, said the
city has made significant strides. Still, he points out that, even more so
than previously, New York's landmark buildings represent the symbolic
heart of America. Moreover, between 1 percent and 2 percent of the city's
population at any given time is made up of temporary residents from
foreign countries. On the upside, Swetnam said, New York has taken the
right approach to gauging the risks and acting on them. "The city has
done a very good job-because it feels threatened," he said.
The Federal City
The Shadow Government: ?
A parallel government operates at two bunker locations in Virginia and
Pennsylvania. The people there are tasked with managing the country's
food, water, and energy supplies, as well as transportation needs, medical
and health emergencies, communications networks, and civilian peacekeeping
during any catastrophic incident that disables federal operations in
Washington. Reconstructing the constitutional government after destruction
or maiming of the capital would also be the task of the staff and
officials assigned to the bunkers. "You have to have people there who
really know the functions of government," explained one
administration official.
The Bush administration has assigned 75 to 100 senior civil servants and
some political appointees to staff the bunker locations on a rotation
basis, pulling shifts of about 90 days, indefinitely. In general, the
administration's continuity-of-government (COG) plans envision three
phases: activation and relocation within 12 hours; operation of the
alternative facilities after about 12 hours, until a threat to governance
ends; and the reconstitution of government, followed by normal federal
operations. As a result of the new emphasis being placed on COG
operations, the Bush administration is making improvements to the
facilities and their technology.
One Washington consultant who spoke with a Bush appointee while the
official was tucked away doing his time in one of the secure locations
said the administration contact described "a lot of people who looked
like they had been there for 30 years and were so happy to have
company!"
All funding for and operations of COG are considered classified.
"Unfortunately, we're not commenting ... for reasons of national
security," said FEMA spokeswoman Deborah Garrett. FEMA coordinates
the COG, primarily through its National Preparedness Directorate.
During the Clinton administration, under FEMA's direction, the
1950s-vintage shadow-government bunkers were updated with computers,
videoconferencing and improved telecommunications, new paint, and daybeds
to replace sleeping cots, said former FEMA Director James Lee Witt in an
interview. "It was like doom and gloom in there. We redid the entire
thing," Witt said, recalling one of the bunker locations, which was
equipped with manual Underwood typewriters. "We replaced the
water," he added. "There was still the water [President] Johnson
had put in there, bottled water in glass bottles from Mountain Valley
water, from Hot Springs, Ark.... It was unreal."
White House, Pentagon, and CIA Headquarters: ?
In making federal facilities safer, say White House, Pentagon, and CIA
officials, it's important not to discuss security. So they won't.
"That's not something I can help you with," said Paul Nowack, a
CIA spokesman.
At the White House, deputy press secretary Scott McClellan said, "If
you see something, we might comment." Otherwise, mum's the word. In
the aftermath of September 11, the vice president and the president did
not work in the same place at the same time. The president's daily
schedule was closely held. White House public tours were initially halted,
then resumed for student groups and guests escorted by a member of
Congress or congressional staff, but not for everyone else. Extra
precautions were taken against anthrax or other contamination in mail or
hand-delivered packages destined for the White House complex, which
includes buildings other than the iconic residence itself. Secret Service
agents and officers-on foot, on bikes, in cars, on roofs, around the
president-are now not the least bit reluctant to be visible at all
times.
White House staff members have improved emergency response procedures for
themselves, and worked out destinations and communications should they be
forced to evacuate their offices on foot again. The White House offices
along the 17th Street side of the Eisenhower Executive Office Building
have been vacated under recommendations of the Secret Service because of
presumed vulnerability from the air; those employees must work in modern
office quarters on 18th Street, a block away. All visitors to the White
House complex now must be escorted from the point of the Secret Service
check-in. No stragglers or wanderers are allowed.
At the Pentagon, a new, reinforced section of the building will soon be
completed, replacing the area where the hijacked airplane crashed and
burned. Admission of vehicles and people into the building is even more
restricted than it once was, and Metrobuses arriving at the Pentagon
subway hub must pick up and drop off passengers at a spot more distant.
Security vehicles, with lights flashing, linger at I-395 turnoff lanes, to
provide a visual deterrent. Military police officers are
everywhere-checking bags, standing guard.
Monuments: B
Of the 385 sites managed by the National Park Service, only four have seen
security appreciably upgraded since September 11, NPS officials report.
The four are the Washington Monument, the Statue of Liberty, the Liberty
Bell Pavilion in Philadelphia, and the Arch of St. Louis.
"Essentially, we have airport security at those locations," says
David Barna, chief of public affairs for the NPS. "Visitors go
through the magnetometers, are subject to searches with handheld wands,
that sort of thing."
At those four sites, as well as at all the downtown Washington monuments,
the U.S. Park Police have also beefed up the presence of uniformed
officers. All the downtown D.C. monuments, as well as the Smithsonian
museums, are surrounded by the kind of concrete "Jersey"
barriers that began showing up around the White House and other Washington
sites after the deadly 1983 bombing of the U.S. Marine barracks in
Lebanon. Following 9/11, they sprouted like flowers and are deployed along
the Mall-in rings-to prevent a truck attack.
The unsightly barriers have become an aesthetic issue, so the National
Capital Planning Commission has undertaken a swift study on how to
incorporate security into the design of the monuments. The public comment
period was set to end on September 9, but there is talk of extending it.
The general impression, said one federal official who sat in on the
meetings, is that the temporary measures being taken are "reasonably
adequate" for security purposes, but utterly inadequate from the
artistic standpoint.
Martha Droge, a landscape architect with the Baltimore firm of
Ayers/Saint/Gross, gives high marks to the National Capital Planning
Commission's long-term blueprint-and she may be uniquely qualified to
judge. She was a special agent with the State Department's Diplomatic
Security Bureau before making a career change. "That report is an
excellent example of how a new design can incorporate security upgrades
while still making a positive contribution to public space."
It won't come cheaply. The plan envisions the government spending up to
$800 million in what it calls "a worst-case scenario." But only
deeper study will determine whether that guesstimate is even close to
correct. The commission expects to ask Congress for $32 million just do to
this study.
"We can have both good urban design and good security, but now we
have neither," said Richard L. Friedman, the Boston-based developer
who chaired the task force that put together the blueprint.
Safety of Federal Employees: C
One of the painful lessons of September 11 is that if famous buildings
become targets, so do the men and women who work in them. This is true of
government buildings in Washington and around the nation. "Capitol
buildings are symbols of government, and the people who inhabit them are
symbols, too," says Tony Beard, chief sergeant at arms for the
California state Senate. In Sacramento, the Legislature is spending $4
million to $5 million to make the state Capitol more secure after a
suicidal ex-convict with a history of mental problems rammed his rig into
the edifice at 45 miles an hour.
Here in Washington, unfettered access to government buildings is all but a
remnant of another time-even in buildings designed to be tourist-friendly.
The Old Post Office on Pennsylvania Avenue, for instance, was refurbished
as a shopping mall and reopened amid fanfare during the Reagan
administration. Today, entry to that building is so restricted that
tourists are becoming scarce. "It's gotten quite tight, so much so
that it's become quite difficult for the merchants to operate," says
Martha Catlin, program analyst for the Advisory Council on Historic
Preservation, which is housed there.
Officials of federal employees unions say that they appreciate the
upgraded security but cite a few caveats. One is that there doesn't appear
to be much uniformity. "I travel a good deal, and some federal
buildings I just walk right in, while in others they won't let me past the
front desk without being escorted," says Colleen Kelley, national
president of the National Treasury Employees Union.
Another caveat, as always, is money. "More thought and attention is
being paid to making federal workers safe than ever before, but in some
cases the problem is going to be funding," Kelley says.
"Hopefully, the focus will stay on this without it taking another
tragedy."
Capitol Hill: B
Take one walk across Capitol Hill and you can clearly see that new
security measures have been put in place since September 11-funded by $613
million provided in fiscal 2002 emergency spending bills. Vehicles no
longer can drive on streets around Hill office buildings, and most truck
traffic has been barred from the area. The Capitol plaza is a mess, with
new blockades in place and construction beginning on the new Capitol
Visitor Center. While the center had been planned before 9/11, it gained
new urgency after the attacks; Congress decided to provide additional
federal funds for the project, rather than relying on a private
fundraising effort. The visitor center, which will allow the Capitol
Police to funnel all visitors though a three-story underground facility,
is scheduled to be completed in 2005-at a cost of as much as $300
million.
Until then, temporary buildings have been constructed on the House and
Senate sides for receiving visitors. New restrictions have been placed on
visitors. Tourists can no longer wander unescorted through much of the
Capitol, but must be escorted on guided tours. Gas masks are being
distributed to members and staff, and as a result of the anthrax letters
sent to the Hill last year, all mail is being irradiated-causing delays in
mail distribution. Capitol Police have been directed to examine staff and
press credentials more closely when people enter buildings, although based
on anecdotal evidence, those inspections vary in thoroughness.
D.C. Evacuation Plans: D
The District has an evacuation plan in place, although few people know it.
The city has not yet publicized it-even though people attempting to leave
the District on September 11 ran into huge traffic jams, and it was never
clear which mass transit services were still operating. The District's
Internet site states that 14 "corridors" have been identified to
funnel traffic out of the city to the Beltway and beyond. During
emergencies, traffic lights on those roads will be retimed, and police
will be stationed at some 70 intersections.
While signs have been placed along the evacuation routes, the plan has not
yet been publicized, according to a spokesman for the District's
transportation department. Officials want to ensure that all area
governments are aware of the plan before it is publicized in a brochure,
which will be distributed throughout the area. "It just takes
time," the spokesman said, adding that District officials will
attempt to ensure that all residents and workers are informed of the
evacuation plan within the next few months.
Mass transit also will play a large role in any evacuation, although
again, final plans have not yet been adopted. Transportation officials
must ensure that all area transit services can be coordinated, so that
commuters do not find themselves stranded. For instance, officials must
ensure that bus service is available for commuters at the end of each
Metrorail route. Discussions among the various transit services are
continuing, a District official said, conceding that plans are not 100
percent in place yet.
Business and Industry
American business gets a grade of C, based on the potent and largely unmet
threat of a catastrophic attack on the facilities of the U.S. chemical
industry, and the increasingly complex problems of cyber-security. The
banking industry does a little better, probably because of the federal
government's efforts soon after September 11 to plug holes that had
allowed the financing of Al Qaeda's global terror network.
Business Cyber-Security: C
Opinion is split on the question of whether U.S. businesses are better
prepared to deal with widespread hacker attacks now than they were a year
ago. In a survey of 602 professionals in the information-technology
business, 52 percent said that corporate defenses have improved a little,
while 36 percent said little has changed. Five percent said defenses are
much better, and 4 percent said they were worse, according to the survey,
released July 24 by the Business Software Alliance, a trade association of
software companies, including Microsoft. "We are not devoting the
kind of resources" that are needed, said Robert Holleyman, BSA's
president.
But other Washington-based experts say that senior business leaders are
now paying much greater attention to the terrorist-hacker problem, and
that results will be seen over the next few years. "They are looking
at it in a much more global way than before," said Robert McNamara, a
partner at Manatt Jones Global Strategies, an international consulting
group. Under pressure from administration officials, corporate leaders
have set in motion a number of efforts that will take years to generate
results-top-level auditing of security threats, new software to weigh
security vulnerabilities, tougher pressure on subcontractors to bolster
their own information security-but business has not yet achieved obvious
improvements in anti-hacker defenses, nor significantly increased spending
on security. Congress may soon give industry more leeway to cooperate with
law enforcement officials, by allowing the government to keep some
sensitive or embarrassing corporate information secret. An effective
national cyber-defense network will grow from companies' individual
actions "as soon as three to five years" from now, if nothing
distracts senior managers, predicted Charles Le Grand, director of
technology practices for the Institute of Internal Auditors, based in
Altamonte Springs, Fla.
Banking and Finance Cyber-Security: B-
The 9/11 atrocity shifted banks' focus from individual self-defense
against high-tech thieves to a more ambitious communal defense against
malicious terrorists intent on destroying the banking infrastructure and
the public's faith in the financial system.
"It made us think differently about security," said Catherine
Allen, chief executive officer of BITS, or the Banking Industry Technology
Secretariat, which is the financial industry's nonprofit clearinghouse for
information-security practices and technology. "It made us realize
how interdependent we are on other industries, like
telecommunications." Since then, she said, "the industry has
looked at how it can work together with other critical industries ... on a
global basis." BITS is funded by major U.S. banks, insurance
companies, and securities firms, as well as by major overseas financial
companies.
This is a major shift for the finance industry, and the consequences will
emerge only slowly. For example, banks are changing their standard
contracts to require that subcontractors-telecommunications companies and
power companies, for example-have backup facilities and use anti-hacker
software. The banks are also automatically and anonymously sharing data
about computer-security problems with their information security and
analysis center, operated by an outside contractor. This arrangement-which
was facilitated by a provision in the 2001 USA-PATRIOT anti-terror
law-gives banks some ability to quickly detect widespread, surreptitious
hacking.
Chemical Industry: D
The Environmental Protection Agency has identified 123 chemical plants
that, if hit by a serious explosion, could each harm at least a million
people. In addition, more than 5,000 facilities across the nation each
store more than 100,000 pounds of chemicals that EPA ranks as extremely
dangerous, including chlorine, hydrochloric acid, and ammonia. A June
National Research Council report described toxic chemicals as
"weapons of choice for terrorist attacks."
But in the months since September 11, the Bush administration has not
imposed any new security measures on the companies that make, use, store,
or transport hazardous chemicals, or on the businesses that handle
hazardous waste. Instead, federal regulators have allowed the chemical
industry to develop its own safety program. Immediately following 9/11,
chemical companies temporarily stopped transporting hazardous chemicals.
Since then, many firms say they have tightened security and lowered the
volume of hazardous chemicals they store on site. In addition, the
American Chemistry Council, which represents 180 of the nation's largest
chemical manufacturers, recently adopted a plan requiring its members to
boost the security at their most vulnerable facilities by 2003.
Environmental activists argue that the industry actions do not go far
enough to protect the public from potential terrorist attacks. They charge
that the ACC's plan fails to encourage the use of safer chemicals and
applies to only a small fraction of the companies that make, use, or
transport hazardous substances.
In July, a Senate committee agreed that tougher government action is
needed. The Environment and Public Works Committee unanimously backed
legislation that would require the administration to assess the
vulnerabilities of the plants that house the most-dangerous chemicals and
to push businesses to adopt safer technologies that use lower levels of
hazardous chemicals. Proponents want to add the measure to the Homeland
Security Department bill. The American Chemistry Council, however,
contends that government mandates would actually slow down its efforts to
improve security at plants that are most susceptible to terrorist
attack.
Telecommunications: C
The telecommunications industry has worked with the federal government for
decades to shield the phone networks from physical attacks, mostly by
increasing the number and geographic distribution of phone exchanges.
Redundancy paid off on 9/11, when the new cell phone networks allowed many
people to communicate in New York City despite the damage to the telephone
systems. But the new cyber-threat comes from terrorist hackers determined
to infiltrate and wreck the computers that control the nation's varied
telecommunications networks.
In the early 1990s, the companies' new computer exchanges were repeatedly
attacked by hackers for amusement. The resulting publicity, and the
parallel pressure from Pentagon officials worried about large-scale hacker
attacks, pushed industry officials to increase the security of their
systems. In 2000, a joint government-industry data-sharing center was
established in Arlington, Va. Since 9/11, according to industry officials,
the center has greatly increased information-sharing about possible hacker
threats among its telecommunications companies, and with other industrial
sectors, such as the information-technology firms. This cooperation is
aided by the National Security Telecommunications Advisory Committee,
established in 1984. The membership now includes top executives from
telecommunications, computer, and Internet companies.
But deregulation and the Internet's boom and bust have put these companies
under great economic pressure, reducing their capability to invest in
security. Widespread investment is required, say experts, because
terrorist hackers might be able to use small security gaps to wreck
critical computer systems that control vital services, including
telecommunications networks.
Mail Safety
U.S. Postal Service: B-
Bill Lewis, president of the American Postal Workers Union local in
Trenton, N.J., doesn't hesitate when asked whether he feels safer today
than during last fall's anthrax attacks. If someone were to send an
anthrax-tainted letter through the mail today, Lewis says, "we would
have some dead people."
Last fall, four letters laced with anthrax were sent from the Trenton
processing facility to New York City and Washington. Four New Jersey
postal workers survived after contracting anthrax, but two Washington
colleagues died.
In the aftermath of the attacks, the Postal Service bought for its
employees 4 million facemasks that are able to filter out 95 percent of
microbes in the air and 86 million pairs of gloves. It also spent $245
million on vacuums and filters, and it is planning to install sensors to
detect biological agents within 18 months. But these safeguards are aimed
at hand-mailed letters, not the 150 billion pieces of bulk mail processed
every year.
Thus far, Congress has appropriated more than $750 million to boost mail
safety, but the Postal Service has asked for an additional $800 million
for fiscal 2003 and $5 billion over several years to deal with new safety
concerns.
Meanwhile, the Postal Service is working to implement new safety
procedures and equipment. Eight irradiation machines that cost a total of
$40 million are being used to zap mail in Washington ZIP codes beginning
with the numbers 202, 203, 204, and 205. Postal employees are using
vacuums to clean mail-processing machines, but they still rely on air
blowers for hard-to-reach areas.
Safety seminars urge postal workers to use gloves and masks. Few do,
however, because the gear is uncomfortable, Lewis says. Individual pieces
of mail receive no additional scrutiny beyond what was done before the
anthrax attacks, he says.
The Postal Service videotapes transactions at some of its retail
facilities and is testing new technologies that may be able to detect
biological agents in the mail. In an effort to deter bombings, it has
removed thousands of mailboxes near airports, military installations,
schools, and other public facilities.
Private Package Shippers: D
Representatives of both the United Parcel Service and FedEx-the two
largest private parcel carriers-said they would not reveal new steps taken
to improve mail safety for fear of endangering their employees. "The
problem is that if you discuss the specifics of what you are doing, you
make those counterproductive," said UPS spokesman Bob
Godlewski.
But parcel shippers and some employees say that little has been done. Last
November, for example, the FedEx Pilots Association asked company
management to take a number of actions: to test aircraft filtration
systems for spores; to create emergency response mechanisms for infected
employees; to bag and seal U.S. Postal Service mail that FedEx planes
carry; to make anthrax vaccinations available to Federal Express personnel
on a voluntary basis; and to acquire machinery to irradiate mail. In
response, FedEx "basically did nothing," said union spokesman
Kevin Scheiterlein.
FedEx has trained some employees as "dangerous-goods"
specialists, and it requires that one be present at every mail-processing
facility, employees say. And FedEx says it is providing extra scrutiny for
packages from shippers unknown to the company. Regular clients receive
less scrutiny, the company says, because their packages can be easily
traced.
But last fall, dozens of FedEx packages filled with white powder reached
Planned Parenthood facilities around the country, although the powder
turned out to be not hazardous. In January, FedEx delivered radioactive
material from Paris to a company in New Orleans. The 300-pound package was
not monitored for radiation, and two employees were exposed. But in May,
FedEx employees in Columbus, Ohio, discovered a package leaking white
powder, and alerted authorities.
A spokesman for the Teamsters union, which represents United Parcel
Service employees, said the union was satisfied with steps taken by UPS
management, although he declined to elaborate. In the past year, UPS has
not faced any public controversy surrounding its mailings, unlike the
mixed record at FedEx.
Last fall, UPS did begin allowing its drivers and handlers to pull any
suspicious package for examination by employees trained in handling
hazardous materials. Previously, only packages that were leaking or showed
other indications of containing hazardous materials could be
pulled.
Mark Murray, James Kitfield, Corine Hegland, Margaret Kriz, John Maggs, Louis Jacobson, David Baumann, Carl M. Cannon, Alexis Simendinger, Neil Munro, Shawn Zeller
National Journal
|