BookHill Partners

Book Hill analysis of market-based measures for homeland security featured in CQ Homeland Security report

CQ HOMELAND SECURITY
Jan. 9, 2008 – 10:33 p.m.
Without a Guard at Every Door, ‘Resiliency’ Becomes the New Buzzword
By Matt Korade, CQ Staff
On the night of Nov. 9, 2005, a man identified as 23-year-old Iraqi Rawad Jassem Mohammed Abed walked into the Grand Hyatt in Amman, Jordan, ordered a glass of orange juice, and blew himself up. Twenty-one people were killed, including Syrian-American Moustapha Akkad, a movie producer best known for the “Halloween” horror films, and his 34-year-old American daughter.

It was the first of three simultaneous al Qaeda bombings against Western hotels in Amman that night, which has become known as “Jordan’s 9/11.” In all, nearly 60 people died and 100 were injured in the attacks.

Speaking at a counterterrorism conference in Washington nearly two years later, Thomas Pritzker, chief executive officer of Global Hyatt Corp., said he made it a point to reopen as quickly as possible after the attacks, not for commercial reasons — only a few guests stayed at the hotel in that first week after the incident — but because Hyatt wanted to make a statement to the world that it would not be cowed by terrorism.

“Beyond building approaches to prevention,” Pritzker said, “to me, it’s critical that we build resilience into our own psychology. That is, we’re going to have these events. How quickly are we able to get back up, get back out of the house, get back to work, and do the things that we ought to be doing every day?”

Building a Resilient Society
It is a question that, in various forms, has been circulating in security quarters over the last few years. Consider this fact: Of the sectors of the nation’s infrastructure that the government considers critical to the operation of government and the economy following a catastrophic terrorist attack, hazardous event, or natural disaster, 85 percent to 90 percent are privately owned.

Government officials have worked to create a paradigm for securing the nation’s critical infrastructure. Following President Bush’s Homeland Security Presidential Directive 7, which provides federal agencies with a national framework for identifying and prioritizing critical infrastructure protection, the Department of Homeland Security has made progress on the mind-boggling task of collecting and categorizing data on the 17 identified critical infrastructure sectors, calculating the risks to and vulnerabilities of each.

The completion of these sector-specific plans and the designation of federal departments overseeing them was announced by Homeland Security Secretary Michael Chertoff in May. Protecting the country’s agriculture and food supply, for example, went to the Food and Drug Administration. Chemical facilities, communications networks and information technology, among other things, became the purview of the Department of Homeland Security.

In an interview, Assistant Secretary for Infrastructure Protection Robert Stephan said his office briefed Congress on its work in November and expects to release a tiered list of the nation’s critical infrastructure, called the National Assets Database, by Feb. 15, though the list will continue to be revised.

“What we’re trying to do is, absent any specific threat information and intelligence, if you were al Qaeda, what would you attack to get the biggest bang for the buck?” Stephan asked.

The database, he said, gives DHS a “ pretty well scrubbed, well boiled-down list of what those things are.”

“However, we’re facing a dynamic, flexible, very pragmatic adversary, and given the lack of specific intelligence that would direct us anywhere else on any given day, we focus on these things based on . . . potential consequences.”

The database, however, is used to manage incidents as well as to pinpoint vulnerabilities, Stephan said.

Last fall’s California wildfires provided a real-world example. Local infrastructure that isn’t considered a priority on a daily basis can quickly become critical, and the department needs the ability to shift its focus and resources accordingly.

DHS was able to analyze the collected data and get out in front of the approaching fires. Working with state and local emergency operations centers, the department helped first responders perform controlled burns around telecommunications hubs, water treatment plants, and power stations to protect them from the advancing flames.

“So for the first time we were able to identify, because of this massive data integration and compilation effort of the last several years, what was important,” Stephan said. “And we drilled down to even a tertiary level of detail there, because in the context of those fires, for the local communities, we had to know what was important to them as well as what was important to us nationally.”

Despite the tendency to think of protection as solely the job of government, the sector-specific plans put a premium on partnerships between government and private industry. Each sector has a pair of “coordinating councils” assigned to develop, maintain, and revise the plans — one council from the government, including state and local members, and one from the private sector.

Information on data, techniques, and best practices flows both ways, each company acting as a brick in the edifice of infrastructure security and each sector-specific plan as a blueprint. As companies become more secure, the theory goes, so does a given region and so does the nation itself.

But, as Congress’ mandate of chemical security regulations in 2006 shows, the private sector is sometimes reluctant to absorb the costs of protecting critical infrastructure. Congress resorted to requiring DHS to implement a regulatory framework for high-risk chemical facilities in the fiscal 2007 Homeland Security spending bill (PL 109-295) only after years of relative inaction on the part of the chemical industry, said P.J. Crowley, director of Homeland Security for the Center for American Progress and a former special assistant for national security affairs in the Clinton administration.

“The chemical security regulatory framework that’s come into place in the last year is a testament to the failure of the market to come into play when the impact to the bottom line is negative and not positive,” Crowley said.

The chemical industry, which does not have a history of federal regulation, resisted being told what to do by the government, he said. It was willing to install security measures such as fencing and lighting but not inherently safer technologies, such as shipping chlorine in the form of liquid bleach rather than easily dispersed, potentially lethal chlorine gas.

In regulating the aviation industry, on the other hand, Congress came up with a different solution: After Sept. 11, Congress passed an aviation security bill (PL 107-71) that federalized security at the nation’s airports and established new security rules for airlines, in part because airlines were in a fragile financial state and there was little confidence the industry would take appropriate measures on its own.

And yet, despite measures taken — hardening cockpit doors, hiring air marshals, and more intensive passenger screening — much still needs to be done in the area of cargo screening on passenger airplanes, which companies have resisted on the belief it will add friction to the supply chain, Crowley said.

The SEC as Hammer
The situation in the chemical and aviation industries is emblematic of the knotty problem government often faces in attempting to improve security in the private sector: How do you convince companies to invest in security without raising concerns about causing undue financial burden?

Experts from government, the corporate world, think tanks and academia have tried to address the issue in recent years, discussing an array of tools the government has at its disposal, everything from enacting new regulations to enforcing those already on the books, from subsidizing security improvements with tax cuts and government grants to relying on market-based incentives.

But just as a hammer is not the right tool for every job, no one solution is right for every type of industry.

Regulations on their own can impose high costs on companies and freeze innovation, said Robert Housman, a principle with Book Hill Partners, a D.C.-based lobbying firm, and a former Clinton administration official.

On the other hand, it is not fiscally possible for the government to subsidize security improvements at every critical infrastructure facility around the nation as it did at airports. Market-based measures can offer the private sector some flexibility and even promote innovation as companies compete to provide improved security at the lowest cost. But without enforcement, some companies might simply choose to ignore the incentives, or disincentives, that market forces provide.

According to Housman, however, there is already a market-based solution on the books that could easily be used to improve critical infrastructure security and would not require a major investment of federal dollars: enforcing disclosures under existing securities laws.

As the overseer of securities markets, the Securities and Exchange Commission is responsible for protecting investors and facilitating the flow of capital information. As such, it is concerned primarily with promoting the disclosure of important, market-related information.

Under the Securities Act of 1933 and the Securities and Exchange Act of 1934, companies offering securities for private investment dollars are required to tell the public the truth about their businesses, the securities they are selling, and the risks involved in investing. This includes “material” information, such as a description of business activities and assets, pending litigation and liabilities, any changes that could affect profitability, and realistic analyses of trends and uncertainties.

These regulations seem to require companies to disclose homeland security measures as well as other kinds of risks, Housman said. But the companies that do so are few and far between.

Microsoft, for example, is one of the companies that mentions terrorist and cyber attacks in its disclosures. The following is from its June annual report:

“A disruption or failure of our systems or operations in the event of a major earthquake, weather event, cyber-attack, terrorist attack, or other catastrophic event could cause delays in completing sales, providing services or performing other mission-critical functions.”

Outlining the measures the company takes to address security vulnerabilities, the report goes on to explain that the corporate headquarters in Seattle and other business operations in California’s Silicon Valley are located near major earthquake faults and that the threat of armed conflict or terrorist activity around the world could endanger business operations.

Other global companies — including retailers, delivery services, real estate trusts and even insurers — make only brief or no mention of similar threats in their 10-Ks. This inconsistency could act as a market disincentive to disclose security issues, Housman said, because those companies that reap investment benefits by not publicly revealing threats could gain an unfair advantage over those that do.

Meanwhile, corporate spending on security measures has been low over the years. A year after Sept. 11, corporate spending on security increased an average of only 4 percent, measured in the five-month period from October 2002 to February 2003, according to a survey by the Conference Board, a business research group. By 2005, another of the organization’s reports showed nearly half the companies contacted had not increased security spending.

Housman, who co-wrote a report on taking a market-based approach to private-sector security, says he believes corporate complacency will only increase as more time passes without another major terrorist attack on U.S. soil.

Requiring disclosure of security risks would force these companies to treat homeland security as a core concern of theirs and bring the issue into the corporate boardroom, he said. The failure to disclose, on the other hand, could result in investor litigation — another market force.

Given that most companies aren’t disclosing security risks voluntarily, the government probably would have to resort to some form of enforcement, preferably through the SEC, he said.

That’s what happened with environmental regulation in the 1960s. Back then, businesses saw such regulation as an economic detriment and fought it at every turn. Today, environmental concepts are more often blended into corporate business models.

“As oil tops $100 a barrel, they not only see value, they see efficiency,” Crowley said.

While some say environmental disclosures aren’t as effective as they could be, they have had the effect of formalizing and standardizing knowledge throughout the industry, Housman said.

“The more important issue is, it forces companies to take a hard look at this issue at the senior-most levels, it sets up an internal auditing process,” he said. “And that’s a process that’s valuable even if the disclosures themselves are of lesser value.”

A spokesman for the SEC declined to comment on whether the commission is considering requiring corporations to disclose security measures.

Darryl Moody, president and chief operating officer of Resilient Corp., a Washington, D.C.-based security consulting firm, agrees that there is a need to improve corporate awareness and openness.

“What I have seen in the marketplace, as soon as you say it’s a homeland security initiative, they tighten up. They don’t want to hear it,” Moody said.

Building a Buzzword
Companies operating outside of the nation’s financial and government centers typically view security measures as overhead, and overhead squeezes the bottom line, he said. Some simply opt to buy terrorism insurance instead of making the investment.

To solve this problem, Moody has proposed creating a market index based on corporate “resilience,” or the ability to maintain operations or recover from a detrimental event — not unlike what Wall Street has done in rating corporations on their levels of ethical and social responsibility. His plan provides benchmarks for company comparisons and provides more intelligence than such indices often do. For example, it goes beyond merely examining a company’s security measures. Instead, each business receives a composite score based on a detailed analysis of several business functions, including an accounting of its risk-management plans, supply chain management, financial stability, and compliance with established legal guidelines, among other things.

Companies that score well typically perform well on the stock market, he said. For example, one portfolio of 70 highly resilient companies produced by Columbia Partners, a Chevy Chase, Md., management consulting firm, showed a nearly 100 percent improvement in stock performance over less resilient businesses, Moody said.

“The fact is that companies that have disruptions underperform, and what we’ve been working on is turning it around to understand those factors that lead to resilience,” said Dunlop Scott, Columbia Partners’ president and chief operating officer. Although the model, which focuses on companies with resilient supply chains, will need more work before any investment claims can be made, he said, “preliminary work shows the companies that seem to demonstrate resilience significantly outperform their peers.”

Members of Congress, including House Homeland Security Committee Chairman Bennie Thompson, D-Miss., are looking into the issue.

“We need to create incentives to encourage the private sector to secure and protect itself without affecting the flow of commerce,” Thompson said. “I have directed my committee staff to thoroughly examine this. Creating resiliency within critical infrastructure appears to be an effective way to bolster both security and economic prosperity. We can — and we must — secure our infrastructure and ensure commerce at the same time.”

Hyatt CEO Pritzker agreed. Speaking at a Center for Strategic and International Studies conference in Washington in late October, he said his task after the Nov. 9, 2005, attacks in Jordan was to develop a viable security strategy for his company and employees without being overly disruptive to business.

Pritzker wants the U.S. government to maintain a similar mindset.

“Being in the business I’m in, I sometimes wonder whether the U.S. is involved in a war on terrorism or a war on tourism,” Pritzker said.

“We see the effects of the approach of the government and worry that it’s developing too tight a screen in terms of visitors coming to the U.S. I know that homeland security people, Secretary Chertoff, are very aware of this, they’re very concerned about it, and they’re trying very hard to strike an appropriate balance. But whether it’s in the U.S or in Europe or in Asia, that economic consequence is one that needs to be grappled with and dealt with in a balanced fashion.”