Amy Sebring: On behalf of Avagene Moore and myself, welcome to the EIIP Virtual Forum! Unfortunately Ava cannot be with us today due to a schedule conflict, so Lori Wieber is standing in to assist us. Amy Sebring: Our topic today is "Homeland Security from the Business Perspective: U.S. Chamber of Commerce Homeland Security Policy." Amy Sebring: We thought it would be helpful to provide Emergency Management practitioners with some insight into the concerns and priorities of businesses, and most likely, there is a Chamber of Commerce in your own community that may serve as a local point of contact into this important sector. Amy Sebring: Now, first, for the benefit of any first-timers, we will go over the order of business. We will begin with a presentation and then we will proceed to your questions and comments. Amy Sebring: We will provide further instructions just before we begin the Q&A section, but you may wish to jot down your questions or comments as we go along. Amy Sebring: Please do not send private messages to our speaker or the moderator, as we will be busy with the presentation. If you need assistance, you may send a private message to Lori. Amy Sebring: An edited transcript of today's session will be available by later this afternoon--just check back on our home page or the background page (refresh the pages as needed). Amy Sebring: Now it is my pleasure to introduce today's speaker. Andrew Howell is the Vice President of Homeland Security policy for the U.S. Chamber of Commerce, the world's largest business federation. As such, he is the organization's principal spokesman and strategist on issues including ... Amy Sebring: transportation security; critical infrastructure protection; cyber security; and implementation of the SAFETY Act. Additionally, he is responsible for building and maintaining relationships with Administration and regulatory agency leaders with responsibility for homeland security. Amy Sebring: Prior to his current position, Andrew served as Senior Vice President of the National Chamber Foundation, the public policy research arm, where he was responsible for transforming the organization into a high-profile Washington non-profit, with a staff of 12 and an annual budget of $2.2 million. Amy Sebring: Please see the Background Page for further biographical information and links to related material. Welcome Andrew, and thank you very much for being with us today. I now turn the floor over to you to start us off please. Andrew Howell: Good afternoon (on east coast time), and thank you to Amy Sebring, Technical Projects Coordinator for the Emergency Information Infrastructure Partnership (EIIP) for hosting this forum today... Andrew Howell: I understand that EIIP explores how to use current information technology in its work to support emergency management and disaster response so I thought I would talk about the role that technology plays in homeland security. But before we get into that, let me tell you a little bit about the U.S. Chamber of Commerce... Andrew Howell: As many of you may know, the U.S. Chamber of Commerce is the world's largest business advocacy organization, counting as members global business and small enterprises; several thousand state and local chambers of commerce; nearly 1000 trade and professional organizations; and a network of some 100 American Chambers of Commerce around the world... Andrew Howell: We represent our members as their advocates before Congress, the Administration, the Supreme Court and all regulatory agencies whose seek to affect how business operates. As an organization, we have a truly global reach, which is terribly appropriate given the global economy that creates prosperity and economic growth around the world... Andrew Howell: Almost two years ago, the U.S. Chamber created its homeland security division, and began working with Congress and the Department of Homeland Security to find the best ways to balance global mobility of goods and increased security for our homeland. We believe that the right balance between these interests must be struck in order for us to win the war on terror around the world... Andrew Howell: We believe that homeland security is not about eliminating all risk but about risk management. We understand that the government does not have infinite resources and know that the government will need to be assisted by the business community in order to minimize risk. And we recognize that effectively enhancing homeland security requires public-private cooperation more than any other issue facing our nation today. Let me give you a few examples of some of the homeland security challenges facing us all today and talk a little bit about the role technology plays in meeting those challenges... Andrew Howell: Challenge 1 -- Security Screening Last year, we fought back against--and helped defeat--a legislative provision by Congressman David Obey that would have mandated 100% screening on all cargo in the belly of a commercial airplane. This would be difficult--if not impossible- -in the short term without putting some major bottlenecks into the global supply chain... Andrew Howell: But in Washington, policy debates are not always conducted with an eye toward the practical. And despite talk about a public-private partnership, some are reluctant to do more than give it lip service... Andrew Howell: That's not to say we shouldn't be pushing for new tools and technologies to enhance cargo screening--because we should. But at the same time, our approach should not impose new cost burdens on the private sector-- which already pays billions of dollars in security user fees--16 billion dollars at sea ports alone... Andrew Howell: Instead, we should, as a nation, adopt a well thought out and strategic view toward securing our supply chain. We should spend time and money investigating new technologies, and assess what economic benefit they would provide, in addition to any promised security improvement... Andrew Howell: Challenge 2 -- SAFETY Act Speaking of technology, we believe that it is essential for DHS to fully implement the SAFETY Act, which provides liability protections for private sector firms to deploy technologies that might otherwise not be broadly available... Andrew Howell: The Chamber fought for the liability protection of the SAFETY Act so that private sector innovators would have an incentive to take risks and put new anti-terrorism technology in the field quickly. DHS has been slow to certify technologies and services for SAFTEY Act but recently we have seen some improvement... Andrew Howell: We do however think it is important for the Department to link specific procurements to SAFETY Act designation. We know that some parts of DHS--including TSA--are in fact fighting to link some of their upcoming requests for proposals to the SAFETY Act--yet DHS leadership has yet to decide whether this is good or bad... Andrew Howell: The U.S. Chamber is clearly and firmly supportive of this linkage, for we believe that it is in the best interest of our nation's security to get those new and innovative services and equipment deployed to protect our nation. We expect that many vendors would benefit from SAFETY Act coverage, if only DHS would speed implementation... Andrew Howell: Challenge 3 -- Information Sharing I'd also like to talk a little bit about the relationship between the government and private sectors on the critical issue of information sharing. As you all can probably appreciate, there is widespread perception in both the public and private sectors that each side has a lot more information on threats and vulnerabilities than is currently being shared, and that we'd all be a lot better off if it were in fact shared... Andrew Howell: Some industries are making great headway in this regard--in the transportation world the Highway Watch program is a good example of some creative thinking to address this challenge. It is one of several initiatives in information sharing that has arisen from the sector specific Information Sharing and Analysis Centers model that is now operational as part of our nation's critical infrastructure protection effort... Andrew Howell: The Chamber fully supports these initiatives, and the sharing of information between state, federal and local governments with the private sectors. At the same time, we are eager to find ways to involve the broader business community, that is, those not defined by the Patriot Act as part of our nation's critical infrastructure... Andrew Howell: While it's easy to say you're for information sharing, implementation--even within the federal government alone--is a challenge, as current events have demonstrated. Collaboration between governments at all levels and with the private sector will take years; will require cultural change within our intelligence community; and will by necessity be a system built on trust, which takes time to develop... Andrew Howell: But we all must work to promote an enhanced dialogue between governments at all levels and the private sector. A critical part of this promotion is the necessary first step - setting up the legal framework that protects companies when they share information with the government... Andrew Howell: DHS has issued an interim rule to protect this information when it's voluntarily submitted to the Department, and we are hopeful that we'll soon see a good final regulation that sets the foundation for robust information sharing... Andrew Howell: As a compliment to this first step DHS is, we understand, drafting its thoughts on information requirements, that is, what information the government would like from the private sector. We hear again and again from those in government that our member companies have information that would be useful ... Andrew Howell: if only they would share it. From our perspective, we'd like to get beyond this rhetoric to a little more detail so that we can find a path forward in this critical area... Andrew Howell: Additionally, in this same vein, we are now beginning to advocate a government wide re-assessment of how information is classified, and for what purpose. Far too often, we hear that information cannot be shared with our members because it is classified. From our perspective, we're in a new era where robust sharing of intelligence information must be the norm, not the exception... Andrew Howell: We feel, therefore, an obligation to help the government modernize its intelligence capacity and shift the mindset from one of keeping all information close to sharing it more broadly as appropriate... Andrew Howell: By taking all these steps--setting the legal framework for information sharing, establishing information requirements and re-assessing how information is classified with the goal of classifying less and sharing more-- the private sector will be better able to connect those dots and meet the threat of terrorism head on as partners with the government... Andrew Howell: Challenge 4 -- Cyber Security I also want to mention cyber security--how the business community is responding to the challenges of cyber security, and what we are doing at the U.S. Chamber to address this challenge... Andrew Howell: The U.S. Chamber is committed to increasing the awareness of cyber security in the business community and explaining cyber security in terms that businesses understand... Andrew Howell: While advances in information technology have brought tremendous productivity gains for businesses and information resources for everyone, these advances come with risks. The software that makes this information revolution possible operates based on a series of codes... Andrew Howell: An error in code affects the ability of the Internet in general, and your computer specifically, to operate. Humans make this code and all humans make mistakes... Andrew Howell: On a larger scale, entire segments of our economy are dependent on the Internet. As a result, bad actors are constantly looking for ways to launch an attack that could cripple the economy by bringing the Internet to a halt... Andrew Howell: For example, much of our power grid and financial services depend on the Internet for daily business operations. Internet dependent technology also is used to track packages, run trains and control dams... Andrew Howell: Therein lies the daunting challenge—our economy is propelled by complex, imperfect technology, and the average user of that technology does not understand the threat, let alone how to protect against that threat... Andrew Howell: Quite frequently in Washington, when there is a real, or even a perceived, problem the initial reaction of many is to either regulate or legislate a solution. However, for cyber security, there is no regulatory or legislative solution... Andrew Howell: Technology simply advances too quickly. Instead, ultimately the market is better able to respond to cyber security challenges since market forces propel companies to be flexible, innovative and customer oriented. Regulations, in contrast, are reactive and constrictive... Andrew Howell: We believe the market remains a powerful vehicle for increasing cyber security, but before this power is fully realized, we need to better inform consumers on why cyber security is an issue that matters to them. They will demand more secure products, and successful firms will deliver those products... Andrew Howell: One step in this process is the development of a cyber security guide for small businesses. Created in conjunction with the Internet Security Alliance and others, this guide outlines 12 cost effective steps that resource limited small businesses can take to better secure their networks... Andrew Howell: For those of you who are interested in downloading a copy of the guide, you can do so from the Chamber's website http://www.uschamber.com/default... Andrew Howell: We do not believe that raising awareness is the only solution to enhancing cyber security. Instead, it is one part of the solution. Enhancing cyber security requires the combined efforts of users, technologists, and senior executives—those that use software and hardware,... Andrew Howell: those that make software and hardware, and those who manage enterprises that rely on software and hardware to make the company operate. While technologists have a responsibility to make secure products, end users have a responsibility to use those products securely... Andrew Howell: Cyber security is everyone's problem and everyone can contribute to the solution. While we cannot expect to eliminate cyber risks, we can effectively manage them... Andrew Howell: Conclusion I'll just end by saying that while the challenges facing our nation generally are daunting, they are not insurmountable by any means. We can enhance our nation's homeland security while also continuing to have a global supply chain that moves goods effectively, efficiently, and with the speed we're all used to... Andrew Howell: It will take hard work. It will take patience. And it will take a commitment by both the public and private sectors to make policy choices as partners who need one another to succeed... Andrew Howell: In all cases, we must continue to push policymakers and regulators to incorporate the private sector in deliberations over policy so that we don't forget to think through practical implementation issues. In the rush to do something to enhance security in this political year, it's easy for people in our nation's capital to forget about those who would need to implement any new rules or regulations. We cannot--and will not--allow this to happen... Andrew Howell: Thank you all very much for your attention this afternoon. I'd be pleased to take questions. I now turn you back to our Moderator... Amy Sebring: Thank you very much Andrew. Now, to proceed to your questions. Our protocol for audience questions is to enter a question mark ? to indicate you wish to ask a question or make a comment. Amy Sebring: Then go ahead and compose your question or comment to have it ready, but do NOT hit your Enter key or click on the Send button until you are recognized by name. Please WAIT your turn. We will take questions in the order the question marks are sent to the screen. Amy Sebring: ONE QUESTION AT A TIME please and please keep your questions or comments reasonably concise. If you have a follow up question or comment, please get back in the line with another question mark. Amy Sebring: We are ready to begin now. Ed Kostiuk: ? Amy Sebring: Ed, when you are ready please. Ed Kostiuk: In today's Washington Post an article appeared concerning truck drivers from Con-Way (a leading trucking firm here in the US)…it seems many of their drivers are upset about having background investigations done. According to the drivers they carry mostly household goods and see no reason for this intrusion. Is the Chamber working with these trucking firms to ensure they understand the need for these background investigations? My surveys show these types of complaints continue to erode the public's confidence in our ability to keep this nation safe. Andrew Howell: on this issue specifically, we have been working with the trucking industry, yes... Andrew Howell: as you saw in the story, it's hard for us to see fingerprinting and conducting background checks on drivers carrying coca-cola syrup and nail polish remover... Paul Beswick: ? Andrew Howell: not only are these not homeland security threats, it seems that this is an odd way to spend hundreds of millions of dollars... Andrew Howell: i would bet that all of you have areas where you'd rather see money spent than on these drivers... Andrew Howell: so, we're trying to work with DHS to find ways to more effectively target drivers that perhaps move materials that have the potential to be threats, and develop policies accordingly. Amy Sebring: Paul next please. Paul Beswick: What other industry trade associations are you working with on security issues? Do you have any forum for industry to present a united front on issues with DHS? Andrew Howell: as you saw in my intro, we have about 1700 trade and professional industry associations within our membership... Andrew Howell: among the most active in our homeland security work are the transportation associations, and then the associations representing critical infrastructurers... Andrew Howell: our corporate membership not only comprises those firms, but also their customers. so that puts us in a pretty unique place as an advocacy organization in Washington. Amy Sebring: More questions? You can also enter comments ... Amy Sebring: please put your question mark in at any time. Amy Sebring: Andrew, are you seeing any signs from the new DHS Secretary, Chertoff yet, for the future direction of relations with the business community? Lori Wieber: ? Andrew Howell: we're heartened by his review of the department; we think that's a good first step to continuing to build DHS. Andrew Howell: in fact, we have him coming over to meet with our members on Friday to discuss his priorities and our issues. Andrew Howell: that's next friday...29 april. Amy Sebring: Great. I suppose his legal background may be an asset as well. Lori next please. Isabel McCurdy: ? Lori Wieber: You mention protecting companies that voluntarily offer information. What about those who withhold information...like phishing victim counts? Andrew Howell: on the protected critical infrastructure information, we think it is essential to have companies provide information on vulnerabilities... Andrew Howell: for phishying victim counts, that's clearly two things--one, a criminal activity by the phisher, and two, the exploitation of a vulnerability... Andrew Howell: the challenge for the private sector arises when trying to decide what it means for the firm to voluntarily disclose information on vulnerabilities. will it be used in a future lawsuit? will this open a new round of questions? what if the firm doesn't have a good handle on the threats it faces?... Ed PearceCBCP: ? Andrew Howell: finding a way to give companies a way to protect their information is absolutely essential, given that so much of our critical infrastructure is in private hands. we want to incent good behavior...but right now, we don't have an entirely appropriate policy environment. Amy Sebring: Isabel next please. Isabel McCurdy: Andrew, is there collaboration done with Canadian Chamber of Commerce? Andrew Howell: yes, we have a very good partnership with the Canadian chamber, as well as the American Chamber of Commerce in Canada... Andrew Howell: and today, it just so happens that we are hosting a travel and tourism summit, which will feature the minister of tourism of Ontario, who will discuss that province's views on U.S. homeland security policy... Andrew Howell: and tomorrow, I'll be meeting with a 25 person business and government delegation from Ontario to discuss private sector issues, including trade and homeland security... Andrew Howell: and this is the tip of the iceberg...we've got very good ties wtih the CA embassy here in town too, as they are involved in a number of coalitions we work on relating to visa and travel issues. Amy Sebring: Ed Pearce next please. Ed PearceCBCP: I am a business continuity professional who has been working for private sector business for 15 years. Too few businesses have the capability to have a full time recovery planner or planners on staff. How can the chamber help them? Andrew Howell: we've been working on this issue on several levels. Andrew Howell: first, with membership input, we helped DHS draft their "READYBusiness" content for the website. that's a first step for a lot of our members, giving them basic "what should i do information."... Andrew Howell: second, we've been providing DHS with input into the National Response Plan, which as you know is the basis for a national reaction--- including private sector--to an incident... Andrew Howell: third, we were actively involved as an organization in the recent TOPOFF 3 exercise... Andrew Howell: not only did we play as an organization, but we also recruited corporate members to participate. as you may know, over 300 private sector entities joined in this effort... Andrew Howell: having said all of that, it's hard for many firms to understand what the threat is to their particular company. it's hard to make tangible to people outside areas where there are recurring natural disasters... Andrew Howell: so, we've joined with DHS again this year and will be promoting business preparedness as part of National Preparedness Month this september. we'll use our website and membership magazine to make the case that business continuity planning matters to companies of all sizes, across the country. Amy Sebring: More questions? Comments? Amy Sebring: We are at the end of the line .... Amy Sebring: I have a follow up on the previous one ... Amy Sebring: Andrew, do I understand correctly that the business community supports voluntary standards for business emergency/ disaster preparedness, referring to the recommendations of the 9-11 Commission and to what we know as NFPA 1600, now an ANSI standard, and if so, do you plan to do any outreach for voluntary compliance? Andrew Howell: not entirely...it's a tough question... Andrew Howell: it would be an easier sell if there were some incentive--or liability protection--for firms that follow standards... Andrew Howell: right now, there are cases where firms meeting standards have been successfully sued for flaws despite following accepted standards... John Laye: Came late, so perhaps this has been answered. What does the corporate membership of the US CofC look like? Rough gauge might be annual gross revenue. Andrew Howell: in the homeland security space, since the threat is so unknown, people have a hard time accepting unlimited liability for protecting themselves... Andrew Howell: so, we're hoping that standards setting organizations will work to get SAFETY Act approval for their standards, which will then, we believe, either incent companies to comply, or remove the disincentive from not applying... Andrew Howell: so, we'd like to see these standards have some degree of protection for those of follow them, given the unknown nature of the risk and the threat. Andrew Howell: john--the answer to our membership question is up above. John Laye: Apologize for the premature "send" on that question. Amy Sebring: No problem John, will be in transcript ... Amy Sebring: also on their Website I am sure ... Amy Sebring: but it is VERy big! Amy Sebring: Other questions comments? Isabel McCurdy: ? Amy Sebring: Can we hear from some who have not yet participated? Amy Sebring: Isabel, go ahead please when you are ready. Isabel McCurdy: Andrew- how does one go about promoting trust? Andrew Howell: yeah, that's a challenge... Andrew Howell: one area where we think trust begins is in joint exercising and planning... Andrew Howell: for example, we'd like to see more of the state homeland security community reach out to the local business community as plans are written, as exercises are conducted... Andrew Howell: we see a bit of a precedent in the recent TOPOFF exercise; as i noted earlier, we had lots of private sector participation... Ed PearceCBCP: ? Andrew Howell: the challenge is that reaching out to companies isn't second nature yet to many in the homeland security or intel space... Ed PearceCBCP: Reachout is happening in St. Louis. Private sector is working on regional committees under STARRS. Andrew Howell: clearly, that's a culture issue..but one that absolutely must be broken down. from our view, a good start is planning and exercising plans. Amy Sebring: Ed I assume that was your comment. What is STARRS? Ed PearceCBCP: St Louis Area Regional Response System a DHS partner Andrew Howell: Ed--yeah, there are pocket of good work--St. Louis, State of NJ, Atlanta, Boston, Houston, LA, Washington State...but not nearly enough. Amy Sebring: ? Amy Sebring: In the Critical Infrastructure Protection area, is DHS moving away from the ISAC concept? Is the Chamber involved in helping them move forward with their strategy? Lori Wieber: ? Andrew Howell: yeah, this is a fun question... Andrew Howell: DHS seems worried that the ISACs don't reach deep enough into critical infrastructure industries... John Laye: Agree, about outreach from local emergency managers to local business community, which are their economic drivers. There are several bright spots (Carson, and Milpitas in Calif examples), but we don't train local EM people to do that. On the other hand, maybe the approach could come from US CofC members just as well? Andrew Howell: so, they are trying to convince the ISACs to organize a little differently...but not all are on board with this new plan...which was, frankly, kind of handed down from on high, and ignored the investment that so many compnies have made in their ISACs. John Laye: ? Amy Sebring: Please go ahead and address John's issue of the local participation role ... Amy Sebring: John did you wish to add? Andrew Howell: John---we are looking to develop such a plan now, in fact, working with our state and local chambers...we just want to be sure that if we offer to walk through the door, the state and locals agree to let us in... Isabel McCurdy: ? Andrew Howell: the challenge is where to start. and we ' Andrew Howell: ...oops...we'll hopefully have a plan that DHS and some state and locals buy into over the next month or so. stephenmelvin: ? Amy Sebring: Lori next please. Lori Wieber: I have seen a few examples of county governments addressing Business Emergency Response Teams in their plans, BERTs are employees trained for a workplace disaster much like Community Emergency response Teams (CERT). Will BERT be an element of the preparedness materials planned in September? John Laye: ? Andrew Howell: don't know...but let me make sure that we put that out there as an issue for September. Amy Sebring: Isabel next please. Isabel McCurdy: Andrew- TSA is? ISAC is? Amy Sebring: We had ISAC spelled out earlier Isabel ... Amy Sebring: TSA=Transportation Security Administration, is that right? Andrew Howell: TSA is Transportation Security Administration. ISAC is Information Sharing and Analysis Center...privately run critical infrastructure organizations, some paid for by companies alone, some paid for in part by DHS. Amy Sebring: Stephen next please. stephenmelvin: Andrew - as a followup to Lori's question, do you see businesses doing anything to train their people to be more aware of security-type issues both at work and away from work, to help instill in them a security mindset? Similar to companies that have safety programs that help them prepare at home as well as at work? Andrew Howell: addressed this a bit earlier, but let me talk some more... Andrew Howell: small firms tend to think they are not at risk...don't believe that any terrorist would attack them specifically. large firms--and even small companies in areas that are generally believed to be high-threat--tend to have a better grasp on the challenge... Andrew Howell: using September as National Preparedness Month, to raise awareness of practical steps firms can take to protect themselves--and make the case of why they should do it--will be a significant undertaking for us. Amy Sebring: John next please. John Laye: Good news about the US CofC developing that plan. And I'm not sure the local EM s understand the economic and political support importance of their communities' businesses . Maybe DHS should look at incorporating that into existing training for them? Could US CofC help develop materials for such training? Andrew Howell: there's lots of training material out there..don't know that we need to develop more. i'd argue that we need local emergency response and econ develoment at the table, as well as transportation management community, to have the best sense of how to adequately plan, train and exercise. Amy Sebring: ? Lori Wieber: ? Isabel McCurdy: ? Amy Sebring: What info have you been getting regarding National Preparedness Month and from whom. Was not sure they were planning to do this year? Andrew Howell: actually, the first organizing meeting was called by DHS for next week...26 April in fact. Amy Sebring: I see. Good. Expect we may be hearing more after that ... Amy Sebring: Lori next please. Avagene Moore: ? Lori Wieber: Comment: Michigan State Police Emergency Management Division produced a down to earth 7 minute video entitled Recognizing the Seven Signs of Terrorism (or something close to that title). We have placed that on our company intranet and have had great reaction from employees. It shows how citizens and employees can really help with awareness and reporting things. Andrew Howell: lori--that's fantastic. if you don't mind, shoot me an email with the link---ahowell@uschamber.com. Amy Sebring: Isabel next please. Isabel McCurdy: Andrew- how do we contact you for further information? Amy Sebring: Ok, there is his email. Andrew Howell: 202-463-3100 if office number Amy Sebring: Avagene has joined us. Last question Ava please. Avagene Moore: I agree with John's statement. Years ago, I heard a State Director say that he thought the local jurisdiction and the EM office were missing a great opportunity by not working closely together. What is offered from the national level to encourage closer interaction at the local level? Andrew Howell: yeah, there's not much yet... Avagene Moore: That is the local COC. Andrew Howell: but we're working with DHS to find a way to encourage those who get training money from DHS to coordinate planning, training and exercising with their local private sector. it's just not intuitive yet... Andrew Howell: clearly, we don't want to force this on people, but we do want to strongly encourage. Amy Sebring: That's all we have time for today. Thank you very much Andrew for an excellent job. You are now officially an expert chatter! We hope you enjoyed the experience. Please stand by a moment while we make a couple of quick announcements .... Amy Sebring: Again, the formatted transcript will be available later today. If you are not on our mailing list and would like to get notices of future sessions and availability of transcripts, just go to our home page and click on Subscribe. Amy Sebring: Thanks to everyone for participating today. We stand adjourned but before you go, please help me show our appreciation to Andrew for a fine job.