The most important failure was one of imagination. – 9/11 Commission Report
In the years immediately after 9/11, the imagination needed to prevent the next attack flourished, was embraced and funded, creating an environment for innovation. Some of the changes made are very well known – like the creation of the Transportation Security Administration, the rapid federalization of airport screening, and the creation of the Department of Homeland Security. Some of the changes seem all the more impressive now, such as the sheer amount of bipartisan legislation that passed, including the Implementing 9/11 Commission Act, the Maritime Transportation Security Act, the Enhanced Border Security and Visa Entry Reform Act, and many others.
Given the abundance of imagination, across an array of threats, perceived vulnerabilities, and potential solutions that materialized in this era, we also needed to adopt an analytic framework that could channel and prioritize our focus. Of note for this discussion:
- Risk is a function of threat, vulnerability, and consequence. Just because terrorists are interested (high threat) in certain operations doesn’t mean we are automatically at high risk.
- The decision to invest in a solution to a given risk depends on the assessed return on that investment. Decisions to mitigate a threat or risk aren’t based solely on understanding them.
This analytic framework let those of us in the homeland and national security arena prioritize which of the prevention efforts we chose to invest in to counter the threats, vulnerabilities, and risks we faced. It also enabled us to explain why, in some cases, the right decision was to invest in our ability to respond should the risk materialize, rather than trying to prevent. Accurately assessing risks and determining whether to invest in solutions can be particularly challenging when you are attempting to evaluate them across multiple cooperating organizations, with differing decision-making cultures, access to information, risk appetites, and/or access to funds, however.
As a result of these changes, the U.S. was able to make a variety of investments in technology and processes changes, including not only enhancements to how the U.S. government screens people and cargo crossing our borders and carried on domestic transportation, but in a community and infrastructure dedicated to evolving our approach building capability and skills as new threats and solutions emerged.
About a decade after 9/11, the pace of innovation implementation slowed. Not because of return to the prior restrictions on imagination, but due to three major factors.
First, many of the solutions needed became more complex. The policy determinations now are more difficult, as most of the easier choices had already been made. They now often involve a greater number of entities across government and the private sector, such as increasing threats to critical infrastructure. Second, the threat has changed. Where we once focused on a relatively limited number of terrorism and organized crime entities, we now face a range of actors, from those loosely affiliated with an ideology to unaffiliated individuals, as access to information that incites someone to violence and explains how to carry out that violence became commonplace. Third, the funding sources traditionally looked to for support to make those changes flattened. As just one example, the grant funds administered by DHS for state and local entities to increase security for surface transportation dropped from $253 million in 2010 to $88 million in 2020.
We need another breakthrough in imagination.
One of the breakthroughs I have been most interested in is the renewed interest in public-private partnerships (P3). Although P3s are not new, there has been increasing interest in how they could be brought more intentionally to a wider variety of security investment needs. Traditionally, P3 constructs were prevalent across infrastructure projects, such as toll roads and bridges. They are now expanding globally, and into new frontiers, including space travel, healthcare, and community resilience. This is an area with a lot of opportunity – and one that I believe will only increase in the coming years as interests align.
“Although P3s are not new, there has been increasing interest in how they could be brought more intentionally to a wider variety of security investment needs”
It is important to note, however, that just labeling something as a P3 doesn’t automatically make it work. Some (inside and outside government) have seen “public-private” as just code for using private sector funding instead of an appropriation to fund agency investments. This view increases the closer the parties are to those areas where the administration or Congress decided to “transition” activities over the last decade that had been paid for by agencies previously, by cutting agency budgets. In the most concerning instances from a security perspective, the private-sector entities have chosen to hold off on investments with the aim of forcing Congress to restore funds. Lack of standards or direction from the government can also be a hinderance, as private-sector entities may be hesitant to invest until such time as the regulatory entity sets the minimum requirements.
But most often, there is a disconnect in one of the calculations I listed above. Two examples come to mind. When we used to look to explain threats to critical infrastructure entities, whether new types of physical threats, like unmanned arial systems, or cyber threats, we would often hear that the overall risk was low (e.g., state-sponsored cyber actors would only take proportionate action), or that even if the event occurred (e.g., if a section of pipeline was blown up or an airport IT system was taken offline) there was such redundancy in the system that it wasn’t worth spending the money to close the gap. These calculations can flip just as fast, however. After Gatwick airport and the airlines lost millions in revenue to an unmanned aerial system incident, airports worldwide have been looking at investments to protect against a similar incident. Similarly, the Colonial Pipeline ransomware attack has fundamentally shifted the understanding of the risk, and what level of investment is appropriate to insure against that risk. And – most frustrating – sometimes neither the federal government nor the non-federal entities involved have access to the needed funding, or legal framework, and don’t have the political clout needed to sway the entrenched interests.
But there have also been some impressive accomplishments. Why do they work when others don’t?
- Strong relationships and sharing of information that leads to an agreed upon understanding of the risk, as well as agreement on how to mitigate the risk.
- A positive return on investment for both the public- and private-sector entities. This return on investment can be in terms of direct financial benefit. But it can also be in cost avoidance, such as an investment to insure against a shutdown. It can also be in the ability to provide an improvement in customer experience or the ability to increase capacity – which in turn can result in future revenue for a private-sector entity.
- Access to funding needed, at regular, predictable, and reliable intervals.
- Public recognition of the value from, and acceptance of, the government-private delivery model.
While I could cite a number of examples of emerging technology P3s, I’d rather note examples where government and industry identified process enhancements that made their operations more efficient, as well as meeting security objectives. Critical to the following examples was that the agencies leveraged their existing regulatory authorities in creative ways. Through those regulatory processes they first set an overall security program goal, then offered flexibility in how to achieve that goal, enabling private-sector action and investment.
The first example is TSA’s Third Party Canine (3PK9) program for screening of international, outbound air cargo. As TSA and the air cargo industry considered how to meet an international screening standard change, there was a strong interest in having the option to use canine explosive detection in addition to X-ray and other traditional technology, because of their ability to better integrate into existing air cargo processes, creating process efficiency. Recognizing that TSA could not use its existing limited canine resources for this purpose, TSA and the industry advocated for, and in October 2018 Congress approved, new statutory authority for TSA to establish the 3PK9 cargo program. TSA was able to update its existing regulatory program in a matter of months to enable the change, through a less-intensive regulatory process specifically authorized for TSA. Under this updated regulatory program, an air cargo entity can choose to contract with a certified third-party provider, able to meet TSA detection and process standards. TSA ensures quality through its ongoing regulatory oversight of both the air cargo operator and the third-party canine provider. Most importantly, the U.S. met the June 2021 deadline for the international standard change.
The second example is Customs and Border Protection’s Automated Passport Control. Between 2006 and 2019, the number of international air passengers grew by 75 percent, to more than 250 million annually. By 2010, CBP, airports, and airlines recognized that they needed options that would enable CBP to process the entry to meet this demand. While an increase in CBP staffing was part of the solution, they also needed to identify options to improve efficiency. The collaboration amongst CBP, the airline industry, and third-party technology providers resulted in a new option – implemented through an addition to CBP’s existing international airport standards, rather than through a traditional regulation or procurement. In 2013, CBP’s APC program officially launched. Under APC, U.S. citizens submit their entry information through a third-party kiosk, paid for and maintained by the airport, to CBP. CBP conducts checks, and interacts with individuals of concern or with special circumstances, while monitoring the process as a whole for compliance. CBP estimates that it saves more than 30 seconds per passenger using this process, enabling a significant increase in throughput, and eliminating the need for the airport to provide additional space for traditional CBP officer stations.
I picked this second example in part because I think passenger experience innovation is one of the areas that has continuing immediate near-term potential, providing new options for travelers, efficiencies for the airlines and airports, and improvements in security. As I wrote in an article in HSToday in May, we should consider how to enable an environment conducive to aviation passenger innovation investment, by both government and industry, that will serve the U.S. and its partners well for the next 20 years.
As we consider what’s next, I would like to see us proactively invest in our ability to enable successful P3s – across a diverse set of use cases – making imagination persistent and sustainable. Options could include:
- Authorizing legislation that encourages greater collaboration between agencies, regulated parties, and third-party solution providers. This type of legislation could direct the convening of stakeholders (like the ISACs) or require promulgation of standards.
- Rethinking procurement and acquisition rules to decrease “vendor lock” and solution obsolescence and increase government and industry collaboration. Creative uses of existing authorities, such as NASA’s use of Other Transaction Authority and Small Business Innovation Research to advance commercial space flight, should be used as examples to train personnel, and expanded to other agencies.
- Investing in federal organizational structures, processes, and the necessary workforce to build a critical mass well versed in P3s, and with the capacity to support them.
- Building more healthy private sector markets that address security needs and private-sector interests. The best markets have multiple skilled solution providers, who are incentivized to continuously improve upon their products and services, including opportunities for small businesses.
- Providing timely access to investment funding. There are a number of unfortunate examples where everyone agrees a security issue should be addressed, but neither the federal entity nor the operator has the funds, such as instances where the owner/operator of critical infrastructure is a state or municipality and the fees charged are not set to allow for reinvestment. Appropriations could be made available to support pilots, where they will provide assurances to investors of a potential return, if they provide the needed capital.
- Establish new and expand existing structures that enable multiple agencies, or agencies and stakeholders, to collaborate financially to develop solutions. One of the most known examples in this space is In-Q-Tel. Established by the Intelligence Authorization Act for FY 2000, In-Q-Tel brings detailed knowledge of U.S. intelligence community and other government agency needs to early stage research and development, working with private-sector companies and other investment organizations. Statutory language could authorize additional shared investment strategies, such as jointly managed incubators, that would work on broadening markets and changing processes, beyond technology.
As we reflect on how far we’ve come in the 20 years since 9/11, I believe it is worth our time to think about how to invest more regularly in processes and structures to create programs and policies that incentivize experimentation and innovation. Working through these options will effectively position us for the next 20 years of innovation, channeling the best of our imagination into action, and positioning us to meet the security and other needs that we will encounter.