“We believe the 9/11 attacks revealed four kinds of failures: in imagination, policy, capabilities, and management.” – National Commission on Terrorist Attacks Upon the United States (The “9/11 Commission”)
Before retiring for a second time from a large federal consulting firm I had a conversation with a colleague regarding the use of the term “Cyber Pearl Harbor.” My counsel was to stop using the term. As we now know, the attack on Pearl Harbor should not have been a surprise. Similar to the 9/11 attacks, the “pieces to the puzzle” existed but were not shared, communicated, collated, or analyzed at the right levels to provide adequate warning of the Japanese intention. Likewise, no one should be surprised when a major cyber attack occurs, as we saw in the recent Colonial Pipeline attack. When ask how I would describe the threat, I responded that my biggest concern has been a “Cyber Desert One.”
“Desert One” was the designated staging area for U.S. armed forces participating in Operation Eagle Claw, the failed attempt to rescue American hostages held at the American Embassy in Tehran in 1980. Recommendations from the various reviews and investigations following the incident cited poor planning and command structure. They became drivers in an ultimate reorganization of the Defense Department and the creation of the Joint Special Operations Command (SOCOM) in the Goldwater-Nichols Act of 1986. Joint integrated war fighting has become a basic tenet of today’s military operations. It wasn’t achieved easily and that tenet is now being continually challenged by what Gen. Stan McChrystal calls evolving enemies and environments and “the technology of global connectedness” that allow adversaries to “operate in radically different ways.” My concern about a “Desert One”-type event is the ability of the federal government to mount an effective, integrated response to a large-scale cyber event or, for that matter, any other complex event – for example, events that cross horizontal and vertical boundaries and include the private sector. Events where existing legal frameworks, policies, operational plans, and tactics are insufficient. Events where existing paradigms need to be challenged by informed, innovative, and imaginative leadership to create unity of effort.
In short, we need to continually sense the threat environment and mitigate the risk of failures “in imagination, policy, capabilities, and management.” Our national response structure is in need of a tune-up. As we remember the attacks of 9/11, 20 years later, here are some thoughts.
Evolving Complexity and Risk
The Homeland Security Act and the Department of Homeland Security were part of the government’s response to the 9/11 attacks, as were changes to the intelligence community and legal authorities related to surveillance and privacy. The Act and the department’s mission focused mainly on border and aviation security, critical infrastructure and terrorist threats. The agencies that formed the new department brought their existing set of authorities and missions with them as well. As Stan McChrystal notes, a lot has changed since then. Threats are now increasingly agnostic to physical borders and traditional concepts of sovereignty (think weather, germs, and the Internet). National security threats can now include a broad spectrum of manmade disasters, natural disasters, pandemics, transnational criminal activity, nonstate actors and domestic/insider threats. What we are experiencing is a daunting fabric of complexity with multiple players and stakeholders with overlapping or siloed jurisdictions, resources, and command/coordinating structures. Complexity itself is now a risk aggravator.
There are few, if any events or problems of consequence that can be addressed by a single agency. Further, many of the capabilities and competencies to address these threats do not reside in governments. For example, the government does not own and operate the telecommunications infrastructure, the domain of cyber threats, or the offshore oil and gas industry. However, the government retains the responsibility to regulate these industries and provide oversight in responding to threats. Questions on the scope of government responsibility and relevancy continue to evolve as well. Cyber threats are now ubiquitous and test traditional lines of authorities, capabilities, and competencies across government agencies. Lack of attribution of the source of a cyber-attack necessarily involves any agency or military organization that has a potential responsibility. New technologies like autonomous systems, artificial intelligence, 3D printing, even genetic engineering present threats, but also opportunities for enhanced capabilities that improve mission performance.
As General Keith Alexander said at a panel we served on several years ago, “we are redefining what the phrase ‘provide for the common defense’ means today.” I would add that we are also redefining what the phrase “promote the general welfare” includes. Consider a cyber-attack on financial institutions that denies nationwide access to bank accounts and ATMs or the loss of the power grid that precipitates civil disorder. When does an attack on the “general welfare” rise to the level that threatens the “common defense”? The United States has historically been physically separated from our adversaries by oceans. That is no longer the case with cyber and other threats. How do we create the capacity to “imagine” and mitigate continually evolving threats?
The Case for a National Response Doctrine
McChrystal’s doctrinal approach based on successful special forces operations is focused on empowerment (a bottom-up structure as opposed to a command-and-control model), a shared consciousness (a common understanding and mindset), bonds of trust and a strong purpose, and a sense of the whole or awareness of the entire playing field. It takes a network of networks or a “team of teams” to confront the ambiguity and complexity of the threats we face today. My concern is our national response structure has not evolved with the threat environment and in the absence of a lack of imagination and innovation we will continue to fight the last war. For example, we responded to the Deepwater Horizon oil spill with the tools created to prevent a tanker accident after the EXXON VALDEZ spill, two radically different events. Last year the Business Executives for National Security (BENS) convened a “Commission on the National Response Enterprise: A Call to Action” to coincide with the presidential election. The Commission was co-chaired by Jeh Johnson, former U.S. Secretary for Homeland Security; Alex Gorsky, Chairman and CEO of Johnson & Johnson; and Mark Gerencser, former managing director of Booz Allen Hamilton and BENS Chairman of the Board. The Commission Report states, “Certain foundational principles informed the Commission’s work. Foremost, truly effective emergency response will only be possible when it is powered through a seamless partnership between government, business, civil society, and the American people.”
Whether it is McChrystal’s concept of a team of teams or the BENS call for a National Response Enterprise, the missing element to effectively executing national responses to crises or emergencies is a national response “doctrine.” Merriam Webster defines doctrine as “a statement of fundamental government policy especially in international relations.” More specifically, in military operations it is a statement of principles intended to guide decision making and operations. In international relations it is an expression of national principles and intent, expressed early in the nation’s history in the Monroe Doctrine. It is not tactical, day-to- day proscriptive direction. It is an expression of what we believe to be important and can be applied equally to the “common defense” and “general welfare.” Let me make a distinction here between the National Response Framework that FEMA employs in disaster response and a higher-level set of operating principles that can unify federal response to a broad set of known threats and that can adapt to new and novel situations.
Coast Guard Doctrine
Earlier in my career I was involved in the initial development of Doctrine for the U.S. Coast Guard (Coast Guard Publication One), which states, “Because this doctrine is rooted in history, it is enduring. But it also evolves in response to changes in the geo-political and strategic landscape, lessons from current operations, and the introduction of new technologies. Doctrine influences the way policy and plans are developed, forces are organized, trained and employed, and equipment is procured and maintained. It promotes unity of purpose, guides professional judgment, and enables Coast Guard active duty, reserve, civilian, and auxiliary men and women to best fulfill their responsibilities. Pub 1 tells us how we became – and why we are – the United States Coast Guard.” Coast Guard doctrine is distilled into seven basic principles of operations that guide how the Service executes its 11 diverse statutory missions: The Principle of Clear Objective, The Principle of Effective Presence, The Principle of Unity of Effort, The Principle of On Scene Initiative, The Principle of Managed Risk, The Principle of Flexibility, and, the Principle of Restraint.
When properly developed and deployed, doctrine undergirds and strengthens effective action. It is a means to address ambiguous situations where existing plans fail. I know. I have employed the concept on numerous occasions in the most complex responses this nation has faced. In some cases, my teams created new doctrine or principles of operations to guide the organizations I led where I had no legal authority to direct specific actions. I believe in it. There is an urgent and compelling case for a National Response Doctrine to address the broad and complex challenges we currently face. Here are some representative examples of “Principles of National Response” that could be considered.
The Principle of Unity of Effort and Co-production of Outcomes
We need to first understand that any national response to a complex problem, disaster, or novel threat to homeland or national security is an exercise in applied civics. There will rarely be clear lines of authority. Gaps and overlaps are inevitable. Strict adherence to prescribed roles and rigidity will not promote trust and effective networks. There are few activities of national interest that can be addressed by a single agency, entity, person, or private sector firm. Any meaningful outcome that meets the expectations of the American public is necessarily “co-produced.” The overarching goal or overarching principle should be unity of effort. Where role clarification is needed it should be provided by political leadership to remove ambiguity. That is because events don’t happen in isolation and the world doesn’t stop waiting for a solution. We should also expect and plan for hybrid events that will create ambiguity regarding which agency has primary jurisdiction or how the federal response should be organized. I note that presidents are loathe to subordinate one cabinet officer to another without clear legal authority. Every current response is a hybrid event because we are concurrently managing the pandemic response at the same time. Similarly, a cyber-attack that results in damage to critical infrastructure becomes a hybrid event.
The Principle of Continuity: Building and Maintaining Capacity and Competency
Political leaders need to become more willing and adept in delegating authority to experienced practitioners, providing appropriate guidance, and then holding those subordinates accountable for results. The intellectual capital to solve problems is resident in career professionals and must be retained across changes of administration. Doctrines and procedures should be sustained and constantly evolved to meet changing conditions. To that end, elected leaders need to discern the difference between campaigning and governing. Presidential transition should be an exercise in the continuity of government with the intent to improve it, not a rejection of accumulated experience. I have been involved in presidential transitions at varying levels in the Coast Guard and following my retirement since the Bush-Clinton transition in 1992. I have observed a concerning and deepening trend with every transition that followed. A growing inability to distinguish campaigning from governing. Transition should not be an afterthought following victory. It should be a demonstrated competency of campaigns. Political discord and lost institutional memory threaten our readiness and resiliency. As I noted in a Washington Post opinion piece following the last election, “This is a time for intense cooperation, not a stiff arm.”
“The intellectual capital to solve problems is resident in career professionals and must be retained across changes of administration”
The Principle of Clarity: Defining Roles and Removing Ambiguity
Another doctrinal and legal gap that is widening is the general expectation of the role of the federal government in relation to the responsibilities of state and local governments.
The Tenth Amendment to the Constitution states, “The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.” The Commerce Clause in the Constitution also plays a role.
The Cornell Law School Legal Information Institute comments, “Congress has often used the Commerce Clause to justify exercising legislative power over the activities of states and their citizens, leading to significant and ongoing controversy regarding the balance of power between the federal government and the states. The Commerce Clause has historically been viewed as both a grant of congressional authority and as a restriction on the regulatory authority of the States.”
It is time for a serious national discussion regarding the shared roles and responsibilities the federal government and states have to the American public. The COVID-19 response is replete with conflicts, finger-pointing, and accusations of failure, and the ambiguity continues. During the Ebola response I had a very direct conversation with an administration official over the action of the Louisiana attorney general to block the transportation of ash debris from the incineration of the personal effects of an Ebola victim in Texas to a waste management facility in Louisiana. This was clearly an interstate commerce issue in conflict with the self-espoused rights of the state. We need to anticipate that these issues will continue to arise and will need to be accounted for in planning and execution of operations. Each event and response will involve specific authorities of the federal agencies that will vary with the event. For example, natural disasters are the primary responsibility of state and local governments, with federal assistance available. Oil spill responses, such as the Deepwater Horizon spill, are by law a federal responsibility, but state and local governments must be involved in the planning and response. A doctrinal principle of an early and clear legal definition of the event and the associated roles of federal, state, and local governments should frame the overall response and remove ambiguity and create clarity. This is essential in communicating with the American public.
The Principle of Delegation and Accountability
I was personally accountable to President Bush and Homeland Security Secretary Michael Chertoff to oversee the unified response to Hurricane Katrina in 2005. I was again accountable to President Obama and Secretary Janet Napolitano for the unified response to the Deepwater Horizon oil spill in 2010. They were radically different events but the complexity in each demanded unity of effort and co-produced outcomes. No single actor or entity solves a complex problem or confronts a major crisis alone. But at the same time, it is important to have a single point of accountability for coordination, an individual focused solely on the problem at hand 7/24 in a bipartisan manner. That individual should direct and represent the response in an honest and transparent manner that creates and maintains credibility with the public. That individual necessarily becomes the interface between the professional responders and political actors, focused on fixing the problem but politically accountable as well. The demand signal for such leaders is clear and should be the focus of government leadership development programs.
Doctrine and the Department of Homeland Security
The Homeland Security Department was created in the Homeland Security Act signed by President Bush on Nov. 25, 2002. The original intent was to have the legislation signed on the first anniversary of the 9/11 attacks, but the Senate delayed passage until November. The Act called for the establishment of the department 60 days after enactment and the relocation of agencies into the department by March 1, 2003. I was the lead executive for the Commandant and managed the transfer of the Coast Guard. This occurred between sessions of Congress and the middle of Fiscal Year 2003. The department did not receive its own appropriation until Fiscal Year 2004. As mandated by law, Gov. Tom Ridge was sworn in as the first Secretary of Homeland Security on Jan. 24, 2003. He operated from a contracted space a block from the White House and the Coast Guard issued him a government credit card for travel. Thus, the department was formed. Just over 90 days after the bill passed, agencies being transferred from other executive departments became part of the department.
In its 18th year, DHS is still trying to catch up with happened in those 90-plus days. Initial attempts to establish department-wide financial and human resource systems failed and only recently has a common appropriations structure been implemented, and implementation of a core financial accounting system is in progress. Similarly, from a mission perspective, the mandated Quadrennial Homeland Security Reviews required by law have never gained traction as a vehicle to inform and drive both policy and resource decisions. Operations within the department have been generally executed at the agency/component level. As mission demands have evolved and become more complex (involving multiple internal and external entities), attempts to create a departmental-level operational planning and coordinating capability remain a work in progress as does the department’s National Operations Center. Early attempts to create this capacity faced resistance from departmental components and were not sustained across presidential transitions. Similar efforts to create unifying or coordinating structures for operations such as task forces have not gained traction to become standard operating practices. While there is ample authority in the department’s enabling legislation and various presidential directives, such Homeland Security Presidential Directive 5, the department lacks a cohesive operational doctrine to unify planning and coordination at the departmental level and unity of effort in mission execution.
Heroic efforts are made daily by component agencies in executing their missions but the ability to create unified and synergistic responses to evolving threats remains a challenge, one that would benefit from an effectively deployed DHS Doctrine. For example, lessons learned from the ongoing implementation of authorities contained in recent FAA legislation regarding unmanned autonomous systems should inform that development. Another example is the DHS Task Force that existed for years to address a mass migration from Cuba or Haiti. Despite the tyranny of the present and political issues that drive DHS daily operations, it is time to create a process utilizing the QHSR that drives the development of a “Doctrine for the Department of Homeland Security.”
The Needed Commitment
So, as we look back 20 years to that awful day in September when “the world stopped turning,” we should acknowledge the significant accomplishments that have prevented a reoccurrence of that attack. We also need to understand the world and threats to homeland have evolved. I said when I assumed the duties of Commandant in 2006 that “the Homeland Security Act is the promise.” It is not self-executing. It requires dedicated, continual forward-looking effort and some painful change when required. The department was created to help prevent failures of “imagination, policy, capabilities, and management.” That remains the required and unending task we must be about.