4/20/05 EIIP Virtual Forum Transcript: U.S. Chamber of Commerce Homeland Security Policy

EIIP Virtual Forum Presentation — April 20, 2005

Homeland Security from the Business Perspective
U.S. Chamber of Commerce Homeland Security Policy

Andrew Howell
Vice President, Homeland Security Policy
U. S. Chamber of Commerce

Amy Sebring
EIIP Moderator

The following version of the transcript has been edited for easier reading and comprehension. A raw, unedited transcript is available from our archives. See our home page at http://www.emforum.org

[Welcome / Introduction]

Amy Sebring: On behalf of Avagene Moore and myself, welcome to the EIIP Virtual Forum! Today’s topic is "Homeland Security from the Business Perspective: U.S. Chamber of Commerce Homeland Security Policy." We thought it would be helpful to provide Emergency Management practitioners with some insight into the concerns and priorities of businesses, and most likely, there is a Chamber of Commerce in your own community that may serve as a local point of contact into this important sector.

Now it is my pleasure to introduce today's speaker. Andrew Howell is the Vice President of Homeland Security policy for the U.S. Chamber of Commerce, the world's largest business federation. As such, he is the organization's principal spokesman and strategist on issues including transportation security; critical infrastructure protection; cyber security; and implementation of the SAFETY Act. Additionally, he is responsible for building and maintaining relationships with Administration and regulatory agency leaders with responsibility for homeland security.

Prior to his current position, Andrew served as Senior Vice President of the National Chamber Foundation, the public policy research arm, where he was responsible for transforming the organization into a high-profile Washington non-profit, with a staff of 12 and an annual budget of $2.2 million. Please see the Background Page for further biographical information and links to related material. Welcome Andrew, and thank you very much for being with us today. I now turn the floor over to you to start us off please.

[Presentation]

Andrew Howell: Good afternoon (on east coast time), and thank you to Amy Sebring, Technical Projects Coordinator for the Emergency Information Infrastructure Partnership (EIIP) for hosting this forum today. I understand that EIIP explores how to use current information technology in its work to support emergency management and disaster response so I thought I would talk about the role that technology plays in homeland security. But before we get into that, let me tell you a little bit about the U.S. Chamber of Commerce.

As many of you may know, the U.S. Chamber of Commerce is the world’s largest business advocacy organization, counting as members global business and small enterprises; several thousand state and local chambers of commerce; nearly 1000 trade and professional organizations; and a network of some 100 American Chambers of Commerce around the world. We represent our members as their advocates before Congress, the Administration, the Supreme Court and all regulatory agencies who seek to affect how business operates. As an organization, we have a truly global reach, which is terribly appropriate given the global economy that creates prosperity and economic growth around the world.

Almost two years ago, the U.S. Chamber created its Homeland Security Division, and began working with Congress and the Department of Homeland Security to find the best ways to balance global mobility of goods and increased security for our homeland. We believe that the right balance between these interests must be struck in order for us to win the war on terror around the world.

We believe that homeland security is not about eliminating all risk but about risk management. We understand that the government does not have infinite resources and know that the government will need to be assisted by the business community in order to minimize risk. And we recognize that effectively enhancing homeland security requires public-private cooperation more than any other issue facing our nation today.

Let me give you a few examples of some of the homeland security challenges facing us all today and talk a little bit about the role technology plays in meeting those challenges.

Challenge 1: Security Screening

Last year, we fought back against, and helped defeat, a legislative provision by Congressman David Obey that would have mandated 100% screening on all cargo in the belly of a commercial airplane. This would be difficult, if not impossible, in the short term without putting some major bottlenecks into the global supply chain.

But in Washington, policy debates are not always conducted with an eye toward the practical. And despite talk about a public-private partnership, some are reluctant to do more than give it lip service. That’s not to say we shouldn’t be pushing for new tools and technologies to enhance cargo screening, because we should. But at the same time, our approach should not impose new cost burdens on the private sector, which already pays billions of dollars in security user fees, 16 billion dollars at seaports alone.

Instead, we should, as a nation, adopt a well thought out and strategic view toward securing our supply chain. We should spend time and money investigating new technologies, and assess what economic benefit they would provide, in addition to any promised security improvement.

Challenge 2: SAFETY Act

Speaking of technology, we believe that it is essential for DHS to fully implement the SAFETY Act, which provides liability protections for private sector firms to deploy technologies that might otherwise not be broadly available. The Chamber fought for the liability protection of the SAFETY Act so that private sector innovators would have an incentive to take risks and put new anti-terrorism technology in the field quickly. DHS has been slow to certify technologies and services for SAFTEY Act but recently we have seen some improvement.

We do however think it is important for the Department to link specific procurements to SAFETY Act designation. We know that some parts of DHS, including the Transportation Security Administration (TSA), are in fact fighting to link some of their upcoming requests for proposals to the SAFETY Act—yet DHS leadership has yet to decide whether this is good or bad. The U.S. Chamber is clearly and firmly supportive of this linkage, for we believe that it is in the best interest of our nation’s security to get those new and innovative services and equipment deployed to protect our nation. We expect that many vendors would benefit from SAFETY Act coverage, if only DHS would speed implementation.

Challenge 3: Information Sharing

I’d also like to talk a little bit about the relationship between the government and private sectors on the critical issue of information sharing. As you all can probably appreciate, there is widespread perception in both the public and private sectors that each side has a lot more information on threats and vulnerabilities than is currently being shared, and that we’d all be a lot better off if it were in fact shared.

Some industries are making great headway in this regard. In the transportation world the Highway Watch program is a good example of some creative thinking to address this challenge. It is one of several initiatives in information sharing that has arisen from the sector specific Information Sharing and Analysis Centers (ISAC) model that is now operational as part of our nation’s critical infrastructure protection effort.

The Chamber fully supports these initiatives, and the sharing of information between state, federal and local governments with the private sectors. At the same time, we are eager to find ways to involve the broader business community, that is, those not defined by the Patriot Act as part of our nation’s critical infrastructure.

While it’s easy to say you’re for information sharing, implementation, even within the federal government alone, is a challenge, as current events have demonstrated. Collaboration between governments at all levels and with the private sector will take years, will require cultural change within our intelligence community, and will by necessity be a system built on trust, which takes time to develop. But we all must work to promote an enhanced dialogue between governments at all levels and the private sector.

A critical part of this promotion is the necessary first step--setting up the legal framework that protects companies when they share information with the government. DHS has issued an interim rule to protect this information when it’s voluntarily submitted to the Department, and we are hopeful that we’ll soon see a good final regulation that sets the foundation for robust information sharing.

As a complement to this first step DHS is, we understand, drafting its thoughts on information requirements--that is, what information the government would like from the private sector. We hear again and again from those in government that our member companies have information that would be useful if only they would share it. From our perspective, we’d like to get beyond this rhetoric to a little more detail so that we can find a path forward in this critical area.

Additionally, in this same vein, we are now beginning to advocate a government wide re-assessment of how information is classified, and for what purpose. Far too often, we hear that information cannot be shared with our members because it is classified. From our perspective, we’re in a new era where robust sharing of intelligence information must be the norm, not the exception. We feel, therefore, an obligation to help the government modernize its intelligence capacity and shift the mindset from one of keeping all information close to sharing it more broadly as appropriate.

By taking all these steps--setting the legal framework for information sharing, establishing information requirements and re-assessing how information is classified with the goal of classifying less and sharing more--the private sector will be better able to connect those dots and meet the threat of terrorism head on as partners with the government.

Challenge 4: Cyber Security

I also want to mention cyber security: how the business community is responding to the challenges of cyber security, and what we are doing at the U.S. Chamber to address this challenge. The U.S. Chamber is committed to increasing the awareness of cyber security in the business community and explaining cyber security in terms that businesses understand.

While advances in information technology have brought tremendous productivity gains for businesses and information resources for everyone, these advances come with risks. The software that makes this information revolution possible operates based on a series of codes. An error in code affects the ability of the Internet in general, and your computer specifically, to operate. Humans make this code and all humans make mistakes.

On a larger scale, entire segments of our economy are dependent on the Internet. As a result, bad actors are constantly looking for ways to launch an attack that could cripple the economy by bringing the Internet to a halt. For example, much of our power grid and financial services depend on the Internet for daily business operations. Internet dependent technology also is used to track packages, run trains and control dams. Therein lies the daunting challenge; our economy is propelled by complex, imperfect technology, and the average user of that technology does not understand the threat, let alone how to protect against that threat.

Quite frequently in Washington, when there is a real, or even a perceived, problem the initial reaction of many is to either regulate or legislate a solution. However, for cyber security, there is no regulatory or legislative solution. Technology simply advances too quickly. Instead, ultimately the market is better able to respond to cyber security challenges since market forces propel companies to be flexible, innovative and customer oriented. Regulations, in contrast, are reactive and constrictive.

We believe the market remains a powerful vehicle for increasing cyber security, but before this power is fully realized, we need to better inform consumers on why cyber security is an issue that matters to them. They will demand more secure products, and successful firms will deliver those products.

One step in this process is the development of a cyber security guide for small businesses. Created in conjunction with the Internet Security Alliance and others, this guide outlines 12 cost effective steps that resource limited small businesses can take to better secure their networks. For those of you who are interested in downloading a copy of the guide, you can do so from the Chamber’s website http://www.uschamber.com/default.

We do not believe that raising awareness is the only solution to enhancing cyber security. Instead, it is one part of the solution. Enhancing cyber security requires the combined efforts of users, technologists, and senior executives; those that use software and hardware, those that make software and hardware, and those who manage enterprises that rely on software and hardware to make the company operate. While technologists have a responsibility to make secure products, end users have a responsibility to use those products securely. Cyber security is everyone’s problem and everyone can contribute to the solution. While we cannot expect to eliminate cyber risks, we can effectively manage them.

Conclusion

I’ll just end by saying that while the challenges facing our nation generally are daunting, they are not insurmountable by any means. We can enhance our nation’s homeland security while also continuing to have a global supply chain that moves goods effectively, efficiently, and with the speed we’re all used to. It will take hard work. It will take patience. And it will take a commitment by both the public and private sectors to make policy choices as partners who need one another to succeed.

In all cases, we must continue to push policymakers and regulators to incorporate the private sector in deliberations over policy so that we don’t forget to think through practical implementation issues. In the rush to do something to enhance security in this political year, it’s easy for people in our nation’s capital to forget about those who would need to implement any new rules or regulations. We cannot--and will not--allow this to happen.

Thank you all very much for your attention this afternoon. I’d be pleased to take questions. I now turn you back to our Moderator.

Amy Sebring: Thank you very much Andrew. Now, to proceed to your questions.

[Audience Questions & Answers]

Question:
Ed Kostiuk: In today’s Washington Post an article appeared concerning truck drivers from Con-Way (a leading trucking firm here in the US) it seems many of their drivers are upset about having background investigations done. According to the drivers they carry mostly household goods and see no reason for this intrusion. Is the Chamber working with these trucking firms to ensure they understand the need for these background investigations? My surveys show these types of complaints continue to erode the public’s confidence in our ability to keep this nation safe.

Andrew Howell: On this issue specifically, we have been working with the trucking industry. Yes, as you saw in the story, it's hard for us to see fingerprinting and conducting background checks on drivers carrying Coca-Cola syrup and nail polish remover. Not only are these not homeland security threats, it seems that this is an odd way to spend hundreds of millions of dollars. I would bet that all of you have areas where you'd rather see money spent than on these drivers. So we're trying to work with DHS to find ways to more effectively target drivers that perhaps move materials that have the potential to be threats, and develop policies accordingly.

Question:
Paul Beswick: What other industry trade associations are you working with on security issues? Do you have any forum for industry to present a united front on issues with DHS?

Andrew Howell: As you saw in my intro, we have about 1700 trade and professional industry associations within our membership among the most active in our homeland security work are the transportation associations, and then the associations representing critical infrastructures. Our corporate membership not only comprises those firms, but also their customers. So that puts us in a pretty unique place as an advocacy organization in Washington.

Question:
Amy Sebring: Andrew, are you seeing any signs yet from the new DHS Secretary, Chertoff, for the future direction of relations with the business community?

Andrew Howell: We're heartened by his review of the department; we think that's a good first step to continuing to build DHS. In fact, we have him coming over to meet with our members on Friday April 29th to discuss his priorities and our issues.

Question:
Lori Wieber: You mention protecting companies that voluntarily offer information. What about those who withhold information, like phishing victim counts?

Andrew Howell: On the protected critical infrastructure information, we think it is essential to have companies provide information on vulnerabilities. For phishing victim counts, that's clearly two things: one, a criminal activity by the phisher, and two, the exploitation of vulnerability. The challenge for the private sector arises when trying to decide what it means for the firm to voluntarily disclose information on vulnerabilities. Will it be used in a future lawsuit? Will this open a new round of questions? What if the firm doesn't have a good handle on the threats it faces?

Finding a way to give companies a way to protect their information is absolutely essential, given that so much of our critical infrastructure is in private hands. We want to provide incentives for good behavior, but right now we don't have an entirely appropriate policy environment.

Question:
Isabel McCurdy: Andrew, is there collaboration with the Canadian Chamber of Commerce?

Andrew Howell: Yes, we have a very good partnership with the Canadian Chamber, as well as the American Chamber of Commerce in Canada. Today, it just so happens, we are hosting a travel and tourism summit, which will feature the minister of tourism of Ontario, who will discuss that province's views on U.S. homeland security policy. Tomorrow I'll be meeting with a 25-person business and government delegation from Ontario to discuss private sector issues, including trade and homeland security. This is the tip of the iceberg. We've got very good ties with the Canadian embassy here in town too, as they are involved in a number of coalitions we work on relating to visa and travel issues.

Question:
Ed Pearce CBCP: I am a business continuity professional who has been working for private sector business for 15 years. Too few businesses have the capability to have a full-time recovery planner or planners on staff. How can the chamber help them?

Andrew Howell: We've been working on this issue on several levels. First, with membership input, we helped DHS draft their READYBusiness content for the website. That's a first step for a lot of our members; giving them basic "what should I do information." Second, we've been providing DHS with input into the National Response Plan, which as you know is the basis for a national reaction--including the private sector--to an incident. Third, we were actively involved as an organization in the recent TOPOFF 3 exercise. Not only did we play as an organization, but we also recruited corporate members to participate. As you may know, over 300 private sector entities joined in this effort.

Having said all of that, it's hard for many firms to understand what the threat is to their particular company. It's hard to make tangible to people outside areas where there are recurring natural disasters. So, we've joined with DHS again this year and will be promoting business preparedness as part of National Preparedness Month this September. We'll use our website and membership magazine to make the case that business continuity planning matters to companies of all sizes, across the country.

Question:
Amy Sebring: Andrew, do I understand correctly that the business community supports voluntary standards for business emergency/disaster preparedness, referring to the recommendations of the 9-11 Commission and to what we know as NFPA 1600, now an ANSI standard, and if so, do you plan to do any outreach for voluntary compliance?

Andrew Howell: Not entirely. It's a tough question. It would be an easier sell if there were some incentive or liability protection for firms that follow standards. Right now, there are cases where firms meeting standards have been successfully sued for flaws despite following accepted standards. In the homeland security space, since the threat is so unknown, people have a hard time accepting unlimited liability for protecting themselves. So, we're hoping that standards setting organizations will work to get SAFETY Act approval for their standards, which will then, we believe, either provide an incentive for companies to comply, or remove the disincentive from not complying. We'd like to see these standards have some degree of protection for those of follow them, given the unknown nature of the risk and the threat.

Question:
Isabel McCurdy: Andrew, how does one go about promoting trust?

Andrew Howell: Yeah, that's a challenge. One area where we think trust begins is in joint exercising and planning. For example, we'd like to see more of the state homeland security community reach out to the local business community as plans are written, as exercises are conducted. We see a bit of a precedent in the recent TOPOFF exercise; as I noted earlier, we had lots of private sector participation. The challenge is that reaching out to companies isn't second nature yet to many in the homeland security or intel space. Clearly, that's a culture issue but one that absolutely must be broken down. From our view, a good start is planning and exercising plans.

Comment:
Ed Pearce CBCP: Reach out is happening in St. Louis. Private sector is working on regional committees under St Louis Area Regional Response System (STARRS), a DHS partner.

Andrew Howell: Ed, yes, there are pockets of good work--St. Louis, State of NJ, Atlanta, Boston, Houston, LA, Washington State, but not nearly enough.

Question:
Amy Sebring: In the Critical Infrastructure Protection area, is DHS moving away from the ISAC concept? Is the Chamber involved in helping them move forward with their strategy?

Andrew Howell: Yeah, this is a fun question. DHS seems worried that the ISACs don't reach deep enough into critical infrastructure industries, so they are trying to convince the ISACs to organize a little differently. But not all are on board with this new plan, which was, frankly, kind of handed down from on high, and ignored the investment that so many companies have made in their ISACs.

Question:
John Laye: I agree, about outreach from local emergency managers to local business community, which is their economic driver. There are several bright spots (Carson and Milpitas in California as examples), but we don't train local EM people to do that. On the other hand, maybe the approach could come from U.S. Chamber members just as well?

Andrew Howell: John, we are looking to develop such a plan now, in fact, working with our state and local chambers. We just want to be sure that if we offer to walk through the door, the state and locals agree to let us in. The challenge is where to start. And we'll hopefully have a plan that DHS and some state and locals buy into over the next month or so.

Question:
Lori Wieber: I have seen a few examples of county governments addressing Business Emergency Response Teams in their plans. BERTs are employees trained for a workplace disaster much like Community Emergency Response Teams (CERT). Will BERT be an element of the preparedness materials planned in September?

Andrew Howell: I don't know but let me make sure that we put that out there as an issue for September.

Question:
Stephen Melvin: Andrew, as a follow-up to Lori's question, do you see businesses doing anything to train their people to be more aware of security-type issues, both at work and away from work, to help instill in them a security mindset? Similar to companies that have safety programs that help them prepare at home as well as at work?

Andrew Howell: I addressed this a bit earlier, but let me talk some more. Small firms tend to think they are not at risk; don't believe that any terrorist would attack them specifically. Large firms--and even small companies in areas that are generally believed to be high-threat--tend to have a better grasp on the challenge. Using September as National Preparedness Month, to raise awareness of practical steps firms can take to protect themselves, and make the case of why they should do it, will be a significant undertaking for us.

Question:
John Laye: Good news about the U.S. Chamber developing that plan. And I'm not sure the local EMs understand the economic and political support importance of their communities' businesses. Maybe DHS should look at incorporating that into existing training for them? Could U.S. Chamber help develop materials for such training?

Andrew Howell: There's lots of training material out there. I don't know that we need to develop more. I’d argue that we need local emergency response and economic development at the table, as well as transportation management community, to have the best sense of how to adequately plan, train and exercise.

Question:
Amy Sebring: What info have you been getting regarding National Preparedness Month and from whom? Was not sure they were planning to do this year?

Andrew Howell: Actually, the first organizing meeting was called by DHS for next week, 26 April in fact.

Comment:
Lori Wieber: Michigan State Police Emergency Management Division produced a down-to-earth, 7-minute video entitled "The Seven Signs of Terrorism." We made it available to our employees and had great reaction. It shows how citizens and employees can really help by being aware and by reporting small things.

Andrew Howell: Lori that's fantastic. If you don't mind, shoot me an email with the link.

Question:
Isabel McCurdy: Andrew- how do we contact you for further information?

Andrew Howell: My email is ahowell@uschamber.com and my office number is 202-463-3100.

Question:
Avagene Moore: I agree with John's statement. Years ago, I heard a State Director say that he thought the local Chamber and the local EM office were missing a great opportunity by not working closely together. What is offered from the national level to encourage closer interaction at the local level?

Andrew Howell: There's not much yet but we're working with DHS to find a way to encourage those who get training money from DHS to coordinate planning, training and exercising with their local private sector. It's just not intuitive yet. Clearly, we don't want to force this on people, but we do want to strongly encourage.

[Closing]

Amy Sebring: That's all we have time for today. Thank you very much Andrew for an excellent job. You are now officially an expert chatter! We hope you enjoyed the experience. Please stand by a moment while we make a couple of quick announcements.

Again, a transcript will be available later today. If you are not on our mailing list and would like to get notices of future sessions and availability of transcripts, just go to our home page and click on Subscribe.

Thanks to everyone for participating today. We stand adjourned but before you go, please help me show our appreciation to Andrew for a fine job.