Adfero Group HSPI

As the Boston area recovers from the tragic and unprecedented events of the past week, the lessons learned will be far reaching. Emergency management professionals, like their counterparts in law enforcement, are pretty good culturally at pulling together “after-action” reports that chronicle what they did right and what they can do better next time. Those lessons learned will offer new chapters to study and consider in terms of planning and preparations for any future incidents of this magnitude but in terms of the private sector, there are a number of lessons learned that need to be studied as well.

There are few spots left around the world without Internet access, and few people who cannot reach out to access it. It has been relatively free of state interference and American dominated. However, the Net has had mounting problems, and 2012 has marked the end of the old Internet as we knew it. The days of an American-controlled freewheeling Internet with unlimited access and relatively cost-free access are over.

Over the past several days, we’ve seen some remarkable examples of leadership in times of challenge. For as good as all of these efforts may be, however, there is one decision that makes no sense to me. The decision to proceed with the New York City Marathon this weekend is the wrong decision. Let’s put a few things on the table here first.

On the day before the Labor Day weekend, the White House released the President’s latest “National Preparedness Month” Proclamation. Like last year’s, the proclamation employs the term “resilience.” Yet, the White House remains unwilling to act to establish resilience as the nation’s preparedness objective and daily operating condition. Rhetoric is not results.

I recently wrote a piece for the Washington Examiner’s monthly education section. Using the recent East Coast storms as an example, I highlight how education can make the nation more resilient for future disasters.

With the recent heat waves and storms that have impacted millions of people throughout the United States, much is being written about the nation’s inability to prevent and recover quickly from destructive events. I am not yet ready to start placing blame – there are lots of things I should have done to be prepared. Individual responsibility leads to community preparedness. Here are some thoughts the disruptions bring to mind.

Once again, America is officially under attack. According to multiple reports, including an “incident response” report from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), U.S. natural gas pipeline companies are at the center of a major cyber attack campaign. While I’m certain that some in Congress will use this latest cyber attack campaign as fodder to further their cyber security legislation, I do not believe we can legislate our way out of this problem.

A significant part of America’s homeland security efforts is preparing to resist, mitigate and recover from disasters manmade and natural. With the private sector owning the vast majority of U.S. infrastructure, as well as the critical role businesses play in the community and the economy, private sector preparedness has long been a priority, since the 9/11 Commission issued its final report. It has taken a long time, however, for DHS’ Voluntary Private Sector Preparedness Program to gain momentum.

It is always difficult to fully absorb the lessons from wide-scale crises in the wake of the catastrophe. Information is often incomplete or contradictory, or still evolving. Learning these lessons, however, provides an opportunity to address the shortfalls of catastrophic disaster response.

I have to admit, when I got the e-mail notice that DHS Secretary Napolitano had established the Rick Rescorla National Award for Resilience, I went, “Huh? What’s this about?” I drew a complete blank at the name, but then remembered – Rick Rescorla was an American hero long before he safely evacuated over 2,700 Morgan Stanley employees from the World Trade Center on the morning of September 11, 2001. DHS and the Secretary got this absolutely right when they selected Rick Rescorla as the namesake for the resilience award.

Last week, Homeland Security Secretary Janet Napolitano, speaking before the Senate Homeland Security and Governmental Affairs Committee, made a “dire prediction.” She warned the Senate that if Congress does not give DHS “the authority to designate critical infrastructure and set risk-based cyber security standards for it” [in] “a year or 18 months…we would have suffered a major infiltration or attack, and we will find that some part of our critical infrastructure was a gap.” The Secretary’s prediction and roundabout effort to foist responsibility on the Congress for her Department’s obvious lack of progress in assuring, beyond their protection, the operational resilience of America’s interdependent cyber and physical infrastructure challenges is — at best —ill-conceived.

Ten years from now, global water shortages are likely to threaten U.S. security interests. Ask the Director of National Intelligence, the Defense Intelligence Agency or someone from the Central Intelligence Agency; better yet, read the most recent National Intelligence Estimate. According to a senior U.S. intelligence official who briefed reporters on this issue (on condition of anonymity), there is an increasing likelihood that water will be “potentially used as a weapon, where one state denies access to another.”

Major disasters are relatively rare in Cyprus. Other than a magnitude 6.8 earthquake in 1996 that did not result in any casualties (but was the largest since 1953), annual wildfires and droughts, the island nation has generally avoided the brunt of manmade or natural disasters. But alas, tranquillity breeds complacency. In 2011, 98 containers of improperly stored explosives exploded in Cyprus with devastating impacts on human life, infrastructure and the Cypriot economy. Now is the time for Cyprus to address the hazards it faces.

Today’s reality is the Internet is the repository of a huge and growing amount of code (including malware) whose origin and ultimate purpose are unknown. Yet, well-intentioned, repeated government calls for action have not and will not fix a problem enabled by globally deployed technologies. There has been (and continues to be) a great deal of rhetoric and staff activity on the subject, rhetoric is not results and activity is not accomplishment. The current approach to ensuring the operation of America’s critical infrastructures can only be characterized as lessons-observed because we have failed to change our behavior.