PrintPrint CiteCite
Style: MLAAPAChicago Close


2006 CFR Corporate Conference: The Role of the Private Sector in Homeland Defense [Rush Transcript; Federal News Service, Inc.]

Speakers: Kenneth Damstrom, Senior Vice President, Global Head of Security Operations, Lehman Brothers, Daniel B. Prieto, Research Director, Homeland Security Partnership Initiative, Belfer Center for Science and International Affairs, Harvard University Kennedy School of Government, and Nancy J. Wong, Director, Infrastructure Programs Office, Infrastructure Partnerships Division, Preparedness Directorate, Department of Homeland Security
Presider: Stephen E. Flynn, Jeane J. Kirkpatrick Senior Fellow for National Security Studies, Council on Foreign Relations
March 9, 2006
Council on Foreign Relations


Council on Foreign Relations
New York, NY

STEPHEN E. FLYNN: Well, good afternoon, everyone. We've got to get ourselves started here promptly, and since—maybe some others will drift in, but we're delighted to have you with us today.

I'm really thrilled to be here and being able to preside over this distinguished panel and talking about an issue that's been near and dear to my heart for quite some time and has been very much playing itself out of late, I think, with this whole controversy over DP World, which I found myself in the cross-hairs on.

I think there's a couple of things that I'll just say at the outset, as this is—just coming back from testifying this morning, and I was—got an opportunity before the House Armed Services Committee last week. And to say the mood on Capitol Hill on this issue was ugly would have been a mild understatement.

But I think certainly one of the things that the issue was highlighting relevant to what we're talking about today—and I think the stakes as well—is, Americans don't understand critical infrastructure. They don't understand how it works. They don't understand how it operates. They don't even understand who owns it.

It's come as a shock for most of the American people and most of the mainstream media and virtually elected official I've talked to that 80 percent of our port facilities on the West Coast are foreign-owned companies who lease the terminals. And it's about 60 percent here on the East Coast. That's a trend that's been building for about 40 years, as America basically gave up its Merchant Marine fleet, but (acceleratively ?) over the last 15. And people aren't aware of it.

If you can't—it's hard to secure something or make a case for securing something if people don't even understand it. And what we're really talking about when we're talking about security as a public good—we're often asking government to make decisions working with industry. Uniquely in the maritime transportation sector, there's almost an extra layer of complexity, because not only is it all in private hands, but the overwhelming majority is in foreign companies' private hands. And on—particularly on the ships that come in, we're talking 98 percent of all the containers that come into the United States are in foreign-flagged vessels. The other 2 percent are run through Alaska, Hawaii, and San Juan, Puerto Rico, under the old 1920s Jones act that you can't move between U.S. ports unless you're on a flagged vessel. Other than that, there isn't much of a fleet.

The second piece I would make a case—I would argue what we're seeing in terms of both the reaction of the American people, as well as the reaction of their elected leaders, particularly, in the media and how it's been reporting or trying or misreporting the story, however you feel on the situation—but it's animated a lot of my work, and I think all of those who are up here on the panel are certainly engaged on it—is not so much what terrorists do to us but the risk of what we do to ourselves when we're spooked.

And this was not a real security event. We basically have potentially a company, if we haven't done our homework right, who potentially could have an insider, who could potentially exploit that insider to have—a pretty complex conspiracy, by the way, to pull off—that could do us harm.

And when you mix both ignorance of how the system works and operates with a sense of public uneasiness that there aren't even baseline security measures within that whole sector, it almost certainly is going to lead to the kind of pull-up-the-drawbridge or other kinds of legislation that's kicking around. Some of the legislation is really quite imaginative that's—to put it charitably—that's out here now, as people jockey to get out ahead of this issue.

What I've been saying to industry, though, for most of the last three weeks, working with these sectors, is imagine if it were a real event, imagine if instead of three weeks ago it wasn't an expose "ports sold to Arab-based company," but it was actually a maritime terrorist attack that turned out to have been in a terminal that—shocked, shocked—was owned by a foreign company. You know, if it was COSCO, the Chinese shipping company, even, we could add an order of magnitude there.

So I just sort of propose that out in the current events, and we're going to go into a much more sort of focused dialogue about—or general dialogue about critical infrastructure protection in the role of private-public sector.

But I think one of the things that certainly means why this conversation needs to happen with folks like you is, we're needing at a minimum to be talking about educating a big sector of society about how these sectors work, how they operate. And you folks are basically owners and operators and designers, in some cases, of the system. We've got to get that out, that story out, about how that is and what can be done to secure it in reasonable terms.

We also have to realize we're in a race with time. When these systems are targeted, as they will be, the ability for us to control the response because the economics make sense is not something, in a way, it's been my experience, that Washington necessarily works. So some urgency is required here.

The council has been over the last year working with a very distinguished group of folks, with—looking at the whole issue of private-public cooperation. And that's how I think I ended up on this board here today as presider.

I've been working closely with Dan Prieto the last half a year on the report which we'll just be having out here quite shortly, within a couple weeks—it's in the publishing—the publisher's hands, the editor's hands—but looking at this whole issue of private-public cooperation when it comes to critical infrastructure protection and essentially trying to find what are the appropriate incentives we need to really get it moving forward, as we've basically found, I think, (in some early form ?), that there is real interest in the private sector to do things, particularly about protecting their own enterprises, but there's great uncertainty within the private sector about the competency of the public sector to play a robust role. And that's some issues, and that's what we're trying to still figure.

So we're going to ask Dan, who comes to us—Dan was an associate with the council, first as an international affairs fellow—that's how we ran into each other—and then actually worked on the Hill, so he knows insanity close-hand, as he—on the Select Committee of Homeland Security, of all places, ground zero for insanity—and then has recently been associated with the Belfer Center for Science and International Affairs. And just two weeks ago, you were deputy director of what?

DANIEL B. PRIETO III: Director of a new homeland security program at a group called the Reform Institute in Washington, D.C.

FLYNN: Bringing that up to date.

And then we also are very fortunate to have with us from the Department of Homeland Security Nancy Wong, who has been doing this long before it was fashionable. She actually participated—I think one of the first real good things that the government did on this issue. In 1997, President Clinton commissioned a Critical Infrastructure Protection Commission and involved private sector people, began to deal with primarily an IT focus, but it ended up sort of sprawling into all the sectors. But a recognition that increasingly our infrastructure was becoming a little more (brittle ?) than many of us expected, and the Y2-K issues and other stuff that came about here. And Ms. Wong was involved with that, coming out of industry. She was with the Pacific Gas and Electric Company, and I guess got the bug with policy issues, and trying to fix these messy problems, and ended up with the Department of Commerce as the director of the Critical Infrastructure Assurance Office, and now that got sucked up by the great beast of the Department of Homeland Security, which is her current home, where she serves as the director of the Infrastructure Protection Office in the Infrastructure Partnership Division in the Preparedness Directorate of the Department of Homeland Security. A long mouthful here. But all the point to say, she's just the right person for this conversation and we're so thrilled she could be here.

And then we have, representing you, I suppose—(inaudible)—but Ken Damstrom. Ken is the head of the Global Corporate Security at Lehman Brothers, where he's a managing director. He's held this current title since August 2005, but he's been at it with Lehman Brothers since January 2000. He's somebody that the government I know has real difficulty sharing information with because he's of suspect background. He protected President Reagan and George Bush, literally, when they were presidents as part of the Secret Service. So you got to be very careful about sharing information with this guy.

But in any event, Ken has been really an activist on trying to move forward primarily, obviously, with the financial sector, but private engagement in supporting protection.

So I'm delighted to be with this panel.

Our format here today is basically I'll do a little quizzing of our panelists to get the conversation rolling. I'm going to ask each a question, and then maybe a follow-up. And then we'll turn the program, after about 30 minutes over to all of you.

We are actually recording this for transcript purposes. It's an open event. And so if you ask a question, we don't have mikes here, so you need to speak up loud or else I'll have to repeat your question so the transcriber catches it.

But in any event, we'll, hopefully, invite you to do that here shortly.

Let me first then turn to you, Dan, and ask you a bit about the role of private-public cooperation, as we've learned it here at the council. What are some of the headlines, I guess, coming out of where you think we're at on this issue?

PRIETO: I think clearly 9/11 was a wake-up call to private industry when it comes to homeland security and thinking about their own businesses. Since that point, there's been a lot of talk about needing public-private partnership to increase the security of the country. I think, unfortunately, four and a half years after 9/11 we still have a real long way to go on this front.

And I want to focus at the outset here not just on the risks that industries face, but a couple other opportunities as well, then go through what—from our work in the council over the last year, some touch points on what we feel private industry has done, and ask the question as to whether that's good enough, and if it's not good enough, go further and see what we can do as a country and what the government in particular can do to move the ball forward.

So again, 9/11 is a wake-up call. Clearly, critical infrastructure in this country, whether it be chemical plants or nuclear plants or water facilities or transportation and things of the like, is at risk in a world of global terrorism. Companies have to think about continuity of operation, they have to think about liability issues. To the extent there are rules out there, they have to think about compliance. And to the extent that they decide to invest more in security, they have to think about competitiveness and also return on those investments.

I'll return to that target aspect of the private sector in a moment. But quickly also point out 9/11 has created opportunity for some companies. It's estimated that the homeland security market, the commercial opportunity is $200 billion. So certainly some folks are making money on this producing scanners, providing consulting on the intelligence front.

And also, I think Katrina pointed out there's a real opportunity to get the private sector involved as a partner in response and recovery. As you watched footage of Katrina, it became clear pretty quickly that some private companies ended up being a lot better at the logistics, material, security aspects and delivering that into the theater quickly and faster in many cases than the federal government.

So I put those two opportunities on the side just for folks to think about.

But I want to return to the target aspect. The national homeland security strategy for critical infrastructure protection—for protecting these targets, which was written, I think, in 2002, starts with the assumption that the private sector will provide sufficient incentives for companies themselves to provide sufficient security. And that, I think, has led in a lot of ways to the private sector seeking to do a lot of good things. But given our working group, when you asked them, I think they feel that they want there to be more leadership from the federal government on these things. As one top executive of a Fortune 50 company said, homeland security is not a natural act for a lot of these companies. If it's not a natural act, how do you get people to do this?

Well, let's look at what the private sector has done. According to a Conference Board report, it looks like the private sector has increased spending on security by about 3 to 4 percent per year since 9/11. In particular, take one industry that's frequently the whipping boy in the press for being insecure—members of large chemical manufacturers have spent $3 billion since 9/11. That is not an insignificant amount of money. At the same time, I think it's clear that those facilities could be better protected and that more needs to be done. And I think that is one of the most at-risk sectors.

And at the same time, I think in a story of man bites dog, a lot of these large manufacturers are actually seeking regulation, minimum standards for security at their facilities and at the facilities of folks that handle and not just manufacture chemicals because it creates a level playing field. If they are making investments in security, they are at a competitive disadvantage if competitors aren't making similar investments. So government action there, clearly, would provide a stable environment for them to make investments.

Transit—mass transit firms until about last year spent about a billion-and-a-half (dollars) on increased security, but relative to what they wanted to spend or would have spent if they'd had more money, they would have spent another billion-and-a-half (dollars). And if you ask now what they'd like to spend on, they envision the need—the short-term need for an additional 3 (billion dollars) to $6 billion, and the difference there is they're spending money mostly on extra people and gates, guards, guns, but they don't have the money, because of low-profit industries, to invest in new capital, better rail cars, better tunnels, better lighting. And that's one of those areas that they're desperately looking for additional government involvement, so another area where this public-private partnership really could be expanded.

Nuclear facilities regulated closely by the Nuclear Regulatory Commission have upgraded what they need to be prepared for. They're design basis threat is classified, but they need to be prepared for a certain type of attack, a number of attackers, an insider, a pick-up truck, but they stop short recently when they Nuclear Regulatory Commission and others wanted them to be ready for an attack with a rocket-propelled grenade.

So again, this is simply—the private sector has done something. Society probably wants them to go further—sort of how do you get the two to meet?

Oil and gas. I spoke to an Exxon executive. These facilities have been very—security has very much been thought about historically because of the explosive nature of the facilities, but they're getting to the point with some potential standards coming down the line and risk assessment, that they're being asked to look at scenarios that the same thing is happening. "Look, we're doing all we can, but that scenario is just too costly. It's just something we can't do."

And if you look at finance in Telecom, that industry in a lot of ways is a lot better protected than others because higher-growth industry, higher margins, more cash flow, more money to spend on a regular basis on improving security, shorter capital—cap—(inaudible word)—cycles; therefore, more opportunity to upgrade software, upgrade systems, upgrade phone lines. And also, they face threats of fraud and cyber attacks on daily basis, so having to deal with criminality on a regular basis means that they're better prepared than other industries.

So let's get back to the question. Clearly, industry has good will. Clearly, industry in many ways is acting responsible, but if there's a gap between what they can do and what society wants, it is at the end of the day the job of the government to provide for the common defense. And so if the market isn't getting it done, how does the government step in to lead?

Just a quick closure here. In terms of what the government has done—and Nancy will talk about this a lot—there have been a number of programs. There is no shortage of programs and efforts out of the Department of Homeland Security and other departments to look at these issues, and there's been a lot of activity. At the end of the day, however, a couple of things I think are missing. If you look on the (sweep ?) from 9/11 to now, there has been no sustained effort to create incentives to actually get the private sector to invest more than it otherwise would, that might come in the form of tax credits or tax breaks or anything of that sort. So while it's often spoken about, I've seen nothing.

The second thing is the reorganization in Washington has actually created a fair amount of disincentives for the private sector to work with government. It's been very complicated to figure out—who's my counterpart? They used to be over here. Now, they're in DHS, and in DHS, people are moving around all the time. And there's been a fair amount of personnel turnover and finding it difficult to find my regular partner here. So those are disincentives that one needs to get rid of.

In a number of industries that are the most dangerous, whether it's cargo shipping or chemicals, there have been no regulations in terms of creating a level playing field, very little integration of the private sector as an equal player in the response and recovery, and information sharing—as I think Ken's going to talk about—remains a big challenge.

So in closing, I'm sure everyone's familiar with the UPS slogan, which is, "Moving at the speed of business." Unfortunately, I think on public-private partnership, government and business are not moving at the same speed.

FLYNN: Okay. Very good.

Now, I'd like to turn to you, Nancy, to talk a little bit, I know, about—Dan was mentioning, of course, that there has been a number of initiatives under way. I think one of the things we most bumped into this, you know, there's an underlying assumption built in the president's homeland security tragedy that when it comes to critical infrastructure protection, that there is both sufficient market incentives for the private sector to safeguard itself. And what we have found I think in the course of enterprise, in many cases, that doesn't really exist because, in fact, the government is itself a market player. It sets the ground rules up front in many cases. I mean, industries can't do whatever they want on security because they have to work within a regulated environment in which some things that may make good sense from a security standpoint, they're limited by those regulators.

In terms of response, when they respond, you know, police will take over a scene. It may be tricky even getting access to places. There's issues that have to be worked out in the response side. But the biggest area would be in the post event since security is a public good. This is what I was saying at the outset, where we're seeing a bit of what the dry run from the port side—a(n) issue that we consistently ran into when I worked with the global terminal operators about trying to invest in capability to better secure a system that they all acknowledge is wide open and puts their enterprise at risk.

They are fearful about doing it themselves, only to have an incident come along and have Congress say, "Wrong answer—here's the new answer." So we just made a $1.5 billion investment to put a system we think makes sense. But because government wasn't bought into it, didn't essentially sanction it, post something going wrong, you'll redesign, we'll have the Beta version.

So I guess the real issue is the extent to which—one I'll certainly talk to—what your experience has been in engaging private sector. But have we reached a glass ceiling with the assumption about—that there is market incentives that exist across the board, is there a need for incentives, because that's what's we're looking at here, whether it's carrots or sticks, to bring us to the next level.

NANCY J. WONG: Well, I think that what Dan has presented and also what Dr. Flynn has discussed is nothing, from my perspective, new. I've been working the public/private partnership angle for a long time since I chose to move over to government from private sector.

I've spent most of my career in private sector. I've only spent about eight years in government. And what I've found in government when I came into government was such a different culture. I actually went into culture shock for about a year after I moved to government. The language is so different. The definitions are very different, and the understanding of what is going on inside the sector was very different as well. In fact, my observation, when I served on the commission, was that most of my colleagues in government who are very bright, very motivated people were still thinking about private sector and how it operated as if they were in the 1950s.

So you think about what that implication is when you talk about terms like public/private partnership; you talk about terms like security. I actually got asked a question—in the first six months that I was there, I came of the electric industry—was, "I can't"—and this was actually from a very senior person on the commission—was, "I can't understand why the electric system cannot be 100 percent reliable. Why does it ever have to fail at all?" And having been in operations in the electric sector, my answer was, "Acts of God, things break down." But what is the really important purpose here is that the system stays up and the lights stay on.

So there's a whole different perspective on what the end game is. What is the end game? So I actually chose to stay in government because I saw this huge gap, and because there were so few people at my acquaintance working in government who understand—who understood that there was this huge difference in understanding the world as it really was, and the language that you had to use to educate people.

So it isn't me working with private sector that has been so challenging in my time in government. It's actually me working with other government folks. So there's been a huge education process going on within the bureaucracy and understanding what partnership really means because it's a very overused and abused term. And I came out of private industry with a perspective that there's got to be mutual benefits, there's got to be complementary core skills that both parties bring something to the table, and both parties have skin in the game. This is not about selling things from one party to the other. To me, that has never been a true partnership. We're talking about strategic alliance here, where core competencies are brought together and core capabilities are brought together and core knowledge is brought together.

So there's a lot of education that has been going on, I believe, that we're beginning to get there. But it takes a long time. A real old hand in government told me—it was very, very wise—told me in my first year in government that it takes about 10 years to make change happen. I'm in my eighth year, and I'm beginning to see that change is beginning to occur.

The issues that Dan mentioned are—have been on the table a long time, from the days of the commission even in terms of potential incentives. But the problem that we have is defining what the end game is, and what the private sector understands to be the end game in terms of a secure, reliable system is very different than what the government understood the end game to be at the time.

Now I believe that with the new leadership that we've got in DHS, we're beginning to move to that understanding and a common understanding of what the end game is.

Security, in the end, is really all about risk management. The private sector understands managing risks. It's part of what they do in terms of day-to-day business is understanding and managing risks.

Security and terrorism is really another risk factor that needs to be taken into account. In fact, private industry is managing all kinds of risks all the time, and terrorism is not as well understood as a new element in their risk assessment picture, in their environmental scan of what has changed in our business environment, and what it's going to take to address it and how much risk does it really mean. And that's where you get into information sharing. And part of the issue in information sharing is defining what information sharing means. Okay, everybody thinks it's about threats, when in reality, information sharing is an enabler to produce action.

And so the outcome of prevention, protection, response and recovery is all about getting the right information that's appropriate to the decisionmakers who can get action to be taken. And it's taken a while for people in government to understand, and there are still a lot of people who don't get it, because you've got information-sharing in the middle saying this is what we need, without understanding what is the outcome you're trying to deliver, and the right information that goes along with that outcome is what we need to dialogue with private sector on.

So again, it's the same thing. Public-private partnerships or partnerships in private sector and strategic alliances are really a means to an end. It's not the end, it's really a means to an end. So, what is it you're trying to accomplish with the partnership? What are you trying to accomplish with information sharing? And the deliverable is what dictates what type of partnership you need and what type of information you need to share.

That education process is now, I believe, beginning to reach very high levels within government, and I believe that in the end, sometime this year we will probably have a breakthrough. In fact, many people in the critical infrastructure sectors have been organizing themselves in a comprehensive way to dialogue with government in a productive and meaningful way. And that is not—come out of Washington. It's still a Washington construct. I keep reminding people that this is something the sectors need to feel the need to do, not because government wants them to do it but because they feel there are benefits for them to organize themselves in such a way that they can have a meaningful dialogue with government from the beginning of even identifying what the end state is in terms of homeland security and critical infrastructure protection.

So that's kind of an update. Dan has heard me speak before. But we've had major shifts in terms of strategy around working with private sector. There's been a lot of lesson learned in the last eight years.

FLYNN: A quick follow-up on this, Nancy. It seems what like you just described is that a lot of your day is spent educating the public sector, giving your vast experience of private background, as we know. I came out of the public sector as a Coast Guard officer, and the pervasive view was, for most regulations, regulatory and enforcement agencies, is you'd have to drag the private sector kicking and screaming, by either threatening to arrest them or by dangling large sums of cash in front of them. It was sort of this bipolar view of this.

Your experience on the private-sector side over the last few years is—is it what we saw in our group here, which is in fact that there's a tendency for them to be reasonably—(inaudible)—with, as you characterize here, to be helpful on this, but it's catching the government up, or is it there is a lot of work for the private sector to get caught up to?

WONG: It depends on the sector. The sectors are extremely diverse. There's some key sectors that were defined by—(inaudible)—presidential directive. Fifteen of those have private owners and operators. Of those, there's a wide range of sectors that truly understand.

And you know what? It takes time. The electric sector's a really good example of that. I came out of the electric sector. I speak their language. So I spent a lot of time with them when I first went to government explaining and educating them in their language what the issues were for the electric sector. And from day one, they understood it was a risk management issue, and that's because that's the way I presented it to them, because they can't keep the system—every piece of the system up.

So what they do is they look at managing their risks of reliability of that system, and that's all this ends up being, is keeping that system up and the lights on, over a range of actions, is can they deter it; in other words, help the government prevent an incident from happening? What is it going to take for them to do that? Secondly, what do they need to protect their facilities that will then assure that an incident will not affect the reliability of the system as a whole. And then third, they already have very good incident response and recovery capabilities in place, and they were so relieved when they figured out, well, if what we're doing is building on what we already have, we do this every day when we run the electric system; why is this any different, other than that the character of the hazard is different? So that it's really an all-hazards activity for them.

And so what someone said—in fact, there was a gruff old engineer in one of the meetings I was at, got up and said, "Hey, guys, guess what? This is something we do every day of our lives when we run our business. So why is this any different? Why are we fighting this? It's just another hazard. We need to understand what this is."

And that's one of the first sectors, I believe, that kind of moved forward with this, because they incorporate it into their reliability issues as opposed to thinking of it as something off to the side that they needed to do. But what did it take to do that was being able to communicate in their language, communicate it in their own business terms, helping them to understand why it mattered to them. For them, that was a first set of incentives.

Now, we don't know—in government what we have to do is figure out how much investment is enough, you know, based on what we know about threat. And that's really the government's role, is to figure out our understanding of what the threat is and then work with the industry, because they know more about their infrastructure than we do and their operating processes and their whole management of that risk-management spectrum. There are choices that they've made in that risk-management spectrum in order to determine is the level that we're seeing enough, are the actions that they're taking enough. And we don't know unless we work very closely with them.

So that's a major, major, major initiative, which is one—the reason shy we have a new division called Infrastructure Partnerships Division, which just came into being early this year—late last year—I'm sorry.

FLYNN: Let me now turn to Ken Damstrom. Ken has been—was actually a member of our task force—Randall Ford (?) who is here—(inaudible)—Goldman Sachs, have been real leaders on trying to advance the partnership issue within the financial sector.

And, Ken, I wonder if you'll offer your observations, I guess, from having worked this issue a while, and ideas about how we move this forward.

KENNETH DAMSTROM: It's really interesting to hear Nancy's comments. I think—I do partner fairly regularly with Randy, and we've been beating this drum for over five years.

9/11—to Dan's point—was a paradigm shift in this whole concept of security, safety, and this public-private partnership.

I will say to Nancy, though, that in this risk-management cycle, traditionally—and if you look at financial services industry, you know, credit risk, market risk, we can get the information for our risk managers to develop the risk models, the risk spectrums that we can make our investments under. The critical element in this model around terrorism is that for us to get the information, the only place we can get it is government.

FLYNN: Let me now turn to Ken Damstrom. Ken has been—was actually a member of our task force—(Randall Ford ?), who is here—(inaudible)—Goldman Sachs, have been real leaders on trying to advance the partnership issue within the financial sector.

And, Ken, I wonder if you'll offer your observations, I guess, from having worked this issue a while, and ideas about how we move this forward.

DAMSTROM: It's really interesting to hear Nancy's comments. I think—I do partner fairly regularly with Randy, and we've been beating this drum for over five years.

9/11—to Dan's point—was a paradigm shift in this whole concept of security, safety, and this public-private partnership.

I will say to Nancy, though, that in this risk-management cycle, traditionally—and if you look at financial services industry, you know, credit risk, market risk, we can get the information for our risk managers to develop the risk models, the risk spectrums that we can make our investments under. The critical element in this model around terrorism is that for us to get the information, the only place we can get it is government.

In that cycle that you talked about, that dynamic cycle of prevention, detection, response and recovery, private industry, even one as far advanced, I would say, as the financial services industry because of all the regulatory oversight that we have, and I would say that we are probably even more advanced in this concept of creating a safe environment than the electric industry or energy industry because of the Securities and Exchange Commission, and the Securities Act of '34 requiring background checks on individuals, and things like that.

But the government is in possession of the commodity we need, and that's information, and we can't build our risk models without that. But we know what the threat is. So to define the level of information we need, we have a sense of what that is. We're not looking for below the tail line. So people like myself, who had secret clearances before, because I was in the Secret Service, I'm not interested in the sourcing, I'm not any longer. That's somebody else's job. That was my old job, not any longer. I'm not interested in the methodology. I'm interested in the context of the threat, and government has that. And I'm interested in the analysis of that threat, and government has that. Because ultimately where corporate America has landed, and financial services specifically, is on a strategy of self-resilience. We understand that if the incident doesn't happen directly to us, whether it's man-made, natural, environmental, criminal of some sort—you can just sort of rattle off these potential all hazards concept because really that's the foundation building blocks that we put together in the all-hazards way—if it doesn't happen directly to you, the general assumption that we jump off from in planning our self-resilient strategy is: Have something built that you can take care of it yourself, because government is not helping. First responders need to go somewhere else, not to you.

The second assumption we build is that there is no perfect defensive system. And so under that cycle of detection, prevention, response, recovery, we're a little bit, in the private sector, in the prevention aspects of things. Certainly on the cyber aspects we're heavily involved in that. On the physical security side, less capability there, unless we have good intelligence with which to build good physical security models around, even though we do have some real understanding of what the threat is and whether it's the truck's a bomb, the plane is a bomb, an individual is a bomb, or something around the weaponization of CBRN kinds of devices, and we all think about those on a fairly regular basis.

But we truly are in the detection, response and recovery business. And the government doesn't see us as force multipliers, yet we can take stress off municipal, state and federal infrastructure if they saw us that way. And it goes back to trust, it goes back to a trust model. And Steve brought it up earlier. Most of the folks that end up sort of in my role, whether it's across those 17 industries, come out of some intelligence agency or some municipal, state or federal law enforcement agency, and they all had some clearances. And so we struggle with the challenges, why is government struggling with sharing the information with us around context and analysis so that we can go back and protect that 80 percent of critical infrastructure that's in our hands.

And so in detection, prevention, response, we are doing things like looking at radiological sensing devices and deploying them ourselves. The private sector is looking at what's out there from a biohazard detection capability, what's out there from a chem-sensing capability. What are the best technologies around biometrics, around facial recognition—all the same space that government is in, we know we need to be in because we understand that we've built a strategy of self-resilience. And so we're pushing that strategy of self-resilience to an area of convergence. And pre-9/11, if you looked at most private sector organizations, there were these huge silos—corporate security was one; business continuity and corporate security barely touched one another; information security sat in the IT department; human resources and the EAP program, Employee Assistance Programs, only barely touched one another at the time of incident. Well today it's all about preparedness, because that cycle that we're talking about is wrapped up in an umbrella of preparedness. And so there's a real energy and traction and momentum in corporate America around convergence, and it's at the very senior level. It's not being built from the ground up, it's not being built from the individual department leaders, it's being sort of led at the senior-most levels of the organization. The chairmen and the presidents of these organizations are answering to their boards about these topics today. And therefore, the paradigm shift as well has shifted into communications both horizontally and vertically in an organization.

And I will say that one of the biggest shifts has been—in private sector—that no longer do you build these capabilities of detection, response, recovery and some levels of prevention in a vacuum and only show them to your organization at the time of incident, you're actually building a model of transparency. And I think that's what's critical in this dialogue with the public-private partnership—there absolutely is not enough transparency in this exercise. And transparency will come in the form of sharing, which we can go back and build our risk models. I've had my CEO several times, and others in the financial services sector, say to many different agencies in the government: How can we help? There's no definition back to private sector so it falls off the table. There's been no definition five years later. There has been some exercise, I will say, around the terrorist financing piece. And I'm wondering why that terrorist financing public-private partnership hasn't extended further than it should be today because we are in possession of the critical infrastructure.

And I just want to pick up, as well, on one point that Dan brought to the table—actually two. One is the incentive piece. What we're looking for, once again, the definition of the incentives, maybe some tax incentives, some legal incentives, some regulatory incentives, some insurance incentives. It's not that hard to describe what these are, especially when in some industries they see to spend on these issues of creating a community of safety as competitive disadvantage.

I know if you talk to Randy, and—you know, he works closely with the council—we've been sharing for many years now, even before 9/11, but the pace of sharing in the private sector has taken on a new niche. We share fairly regularly. We don't see any competitive disadvantage or advantage for Goldman Sachs, Morgan Stanley, Credit Suisse First Boston and the other financial services firms. And this is not just on a New York-centric basis. This is on a global basis—how we are thinking about things; what have we turned from the information we have, what has turned actionable? Quite a bit has turned actionable, as I spoke about before, in terms of the blend of human assets with the technologies that are out there to create good information gathering tools so that we can make good decisions on our employees, which ultimately will take the stress off of municipal, state and federal services.

And in closing, I'd like to say that in my vernacular, this isn't about bricks and mortar. It used to be about bricks and mortar. It's not about physical structures any longer. It is about human continuity. The firms—whether it's energy, whether it's financial services, whether it's agricultural—you—organizations are about the power of their people. You can have great technology. If you don't have great people operating that or thinking about it or creating those new applications, it's useless. It is about human continuity, and it's about continuity of operations tied to human continuity.

And I think one of the amazing things that's coming our way—there's been a tremendous amount of discussion at multiple levels of government and the private sector—is, you know, something that's not blowing up. You know, it's not the train is a bomb, the car is a bomb and so on, but it is this whole concept of pandemic, and we haven't really dealt with a threat that has a cycling window of danger to our people in this human continuity.

Even 9/11, the window of danger was several hours. The bombings of July 7th and July 21st in London on the tube system—the window of threat to the citizens and people, the citizens and their workplaces has a window of opportunity.

The pandemic structure that they're talking about is there's a mutation where we can sit in this room and there can be human-to-human transmission is a much different threat. And I think in terms of that, when you think about the ramifications of the numbers that they're talking about—25 percent of the population will be infected, 50 percent absenteeism rate in different industries across the landscape of firms—how are we going to keep our economy running? Well, we do need—at least in our industry—we need regulatory relief. Today, we don't make markets from home. Do we have the technology for traders to trade from home? Yes, we do. Do we have the regulatory relief to do that? No, we don't. We need those kinds of public-private partnerships, and we really do need the Department of Homeland Security to be at the forefront of that dialogue.

So thank you very much.

FLYNN: Thank you, Ken. I think it was very helpful.

I think one of the things that we saw coming out as a theme with both Nancy's talk and your finishing point on the pandemic, which is going on in the next room over, if you want to flee—that's their conversation, but—is that—this certain sense out of our group that some of the things that are probably most threatening, from an enterprise standpoint, for business continuity and so forth are not likely to be acts of terror, but may well be more predictable disasters like earthquakes and major hurricanes and other things.

QUESTIONER: Blackouts.

FLYNN: And these blackouts. And what we saw is obviously with Katrina is that when we all get focused on one narrow set of threats, the terrorism threat, you may not have all the capability you want to deal with what may be a more predictable and more destructive series of events.

While the private sector is moving, in the case you mentioned, Nancy, the (electrical ?), and they're saying, "Wait a second; this is what we already do; whenever storms come through, power lines go out; we have to go and fix them"—what the difference is—somebody blew it up and caused to do that, or Mother Nature does it, but we have a skill set here and we can harness that. But when you talk about the kinds of efforts to build business continuity in dealing with the pandemic issue, that's clearly going to give an enterprise resilience.

But the federal role has been very much—it's not a federal responsibility to get into anything but the terror issue. That's where the money comes from. And that's our—we do only security. If it gets into other areas, that's a state/local issue, or that's an issue to be resolved somewhere else.

Are we capitalizing—I know there's leaders here; I want—inside the audience here—but are we capitalizing on the true synergies that are actually out there by so narrowly focusing as the federal role as war on terror, and we can only provide funding and support when we do that, around that narrow, select threat, versus building real multiplier capabilities?

I'm going to put it out there, but I want to draw our audience in here now, so go ahead. Yes, go ahead. And please tell us who you are and where you're from and—

QUESTIONER: All right. John Stammreich.

And we are in a different situation—(off mike).

FLYNN: And if you could speak up loud for me here as well and for everybody else, it would be helpful for—

QUESTIONER: One of the reasons why the critical infrastructure is looking for money is because the 535 civil aviation experts on the Hill have all decided where the money's going to go. And so we're at the other end of the stick. We—four years ago, five years ago, Congress felt safe with a situation where there was a lot of people wanting to throw regulations and money at the civil aviation business. And so Boeing, being the only U.S. manufacturer of civil aviation, saw our industry being threatened by—pardon the expression—overregulation. So we took a look at this and decided the only way we could help the government sort through all of these well-meaning but maybe sometimes, you know, unintentioned low-hanging fruit things that turn into things that just don't work or some that do—we decided to put together a public-private partnership, a significant one.

We joined with TSA, all the airlines through ATA, all the airports through ACA and—(inaudible)—and ACI, and DHS policy was—(off mike)—office, and we created USCAP, the United States Commercial Aviation Partnership. And the first goal of that to see if we could bring our economic models together and create an economic model of the entire civil aviation business for the purpose of helping the government understand what the unintentional financial consequences were of various proposals—counter-MANPADS on airplanes, you know, 100 percent screening, all those kinds of things. So you know, this has all—has been self-funded. Each of the people bring their own money to the table. (I've ?) so far invested more than $9 million of bonus money in this by—

MR. FLYNN (?): A drop in the bucket.

QUESTIONER: A drop in the bucket, right. A drop in the bucket when you consider that if the airlines get well enough to be able to buy two more Triple Sevens, I've made far more money than I would by just donating all this money plus more.

So early on we worked with the TSA modelers and the DHS modelers. And the biggest issue, as you brought up, was how do you create an economic model and the issue of how you do a risk model is that the main—the first issue you come up with is, who owns the data and what data do you have? And there are a lot of universities around that can create a wonderful economic model, but they always fall short because what they don't have in them is they don't have the proprietary information that is current and to the industry and to the government, and what's the mechanism for sharing it.

So we had to create a contractual arrangement across all these constituencies—the government, the trade associations, the industries and the manufacturers. And we did an OTA, you know, other than—you know—Other Transaction. It's a contracting method that basically gets out of the procurement—(word inaudible)—procurement, and we create a situation where our economists could share highly proprietary information together.

And we created a model. It's a model that basically is a combination of subject matter experts and a structural model in USCAP. The first challenge we took on, what could we do with the impact of more or less screeners as a test case. That was done in `03, and that was used by Admiral Stone to defend, why he needed more screeners to Congress. In Congress right now it's called the Boeing model, even though there's a lot of people involved with it.

It's—USCAP is very mature right now and is being used to—right now on a regular basis by Secretary—Assistant Secretary Hawley to help answer questions like, what's the cost of putting counter-MANPADS on airplanes, and things like that.

The middle of last year we decided that we wanted to move up the food chain as a group. Just doing the cost impact, we felt wasn't (close ?) to what was Ken was talking about. How do you get industry involved with the issues of deciding risk prioritization? Where do you put your money? You know, what's the biggest bang for the buck?

We formed a group called RMAP, and we extended the partners to Airbus to DOD, NASA and more groups within DHS, DOT and ALPA, the cargo people, and several other organizations. And what we did was we started looking at all the available risk models. We went through the (RAM CAP ?) model that (ASME ?) is using for the power industry and quite a few other models. And speaking of which, those models did not take into account the asymmetric threat part of this whole issue.

And so Boeing had a model that we've been using with the missile defense people coming out of SCI that we've proposed, and that was chosen by the team. And we are—we will be delivering that model for testing in July, and that goal there is to look at these different threats and to prioritize them in a classified environment and prioritize them from an (impact ?) standpoint, from a whole variety of standpoints, and then to play them up against all the different countermeasures you would do for those. And we're already having some effect because we're already seeing some of the congressmen jumping up in Congress saying, "Yeah, but regardless of how your model comes out, you're not going to not do my favorite—(off mike)." (Light laughter.) It's getting some traction.

So let's see. So a lot of lessons learned the last four years on how to do public-private partnership, and how to create the legal structure for sharing the information. But I grant you that we're at the other end of the spectrum in that, unlike trying to get people lined up to put money into ports, which is clearly a major issue, but it's probably a bigger issue for those congressmen who have fortune in their constituent—in their constituency.

Civil aviation being the, you know, at the pointy end of the stick of 9/11, it got a lot more attention, and so we find ourselves trying to fend off investments not because we don't want to accept the investment. We just want to make sure it's in the right place. Some of the investments—some of the things like the (EU 0609 ?), in which you're proposing to turn all of the airports into armed camps and basically make them into Army forts, are things that the U.S. government agreed to do because—(inaudible)—the fans on airplanes at Christmas time two years ago, and said, "Oh, yeah, we'll do those (0609 ?)" and then Admiral Stone read it and said, "Oh my God. What did I sign up to?"

And so—anyway, I'm giving more than you want to know.

FLYNN: It seems you've offered us a very good sort of case study—(inaudible)—to the pointy end of the sword because (you've had ?) also unique attributes of being such a dominant industry player, federally regulated, and trade association's reasonably robust. There's a lot of you that evolved here. What we have found in our—course there are other sectors that have a long way to go. But no question, we need to sort of draw from the, quote, "successful" experiences and go there.

MR. STAMMREICH : I wanted to comment.

FLYNN: Sure. Quickly, so I can get somebody else in here too.

MR. STAMMREICH : They've come to us and said, "Can we do other sectors," and we say no. We've told them they have to come back to you all and understand—because know civil aviation. Our stakeholders are different from those stakeholders.

FLYNN: So some things are not readily—(inaudible)—look—Roger?

(Cross talk.)

QUESTIONER: Roger Kubarych-- (inaudible)—Group and Council on Foreign Relations. I'll ask a question, but then I want—(inaudible)—because Ms. Wong is afraid first to come to New York and talk about the electrical power industry in a (friendly town ?). We have Con Edison. I spent five days without electricity after the windy weather about six weeks ago. Dealing with them made working with the Soviet government seem like—(off mike). (Laughter.) Do not talk about the extent of the incompetence of Con Edison here because we could go on forever.

The simple question is, there are 17 critical infrastructures; we are clearly as a nation not best practice. You don't go to major European countries and have electricity lines on telephone polls, for example, so when it gets windy in Munich, 200,000 people are not out of power for five days.

We were not best practice in airports. (Stephen, I ?) travel a lot. I travel all over the world, and our airports were lousy before 9/11. Our planes were not best practice. We did not have cockpit doors which kept out (bad guys ?)—(off mike)—built that for everybody that didn't.

Of those 17, we have four—(off mike)—here. Which are we really world class, and which are we really struggling of the 17 critical? I know—(off mike).

MR. FLYNN: But I will say that I think a real issue here, the next topic we're working on here, are the old analog stuff, the hardware things for the industrial versus the post-industrial side that we inherited as legacies from our forbears who over-engineered it many times because they wanted to be immortal. What we've been—a big part of the industry certainly has been in the electrical industry, and let's go back and look at the substance and sap out whatever extra capacities (are ?) in there. But it's not about building and rebuilding—(off mike), it's, that's passe, now we're into the new era. So many of these sectors, which are very capital intensive, are really struggling. We've milked out some of the—(inaudible word). But then when you look at the services industry—

MR. DAMSTROM: Let me just say one thing, though, to Roger's question, and that is that there's so much interdependency that a risk borne by one is shared by all, so the financial services sector or the energy sector, the electrical sector, could be out in front, but if you look at what happened on 9/11, the telco companies were not. So therefore, all the great things that financial services might do failed because of the interdependency between energy, telco and the other kinds of 17 infrastructures that exist.

We live in a world of just-in-time supply because that makes good cost-effective management. In every company it's about what is—you know, run rates, operating expenses, (NTE ?) dollars, and we do just-in-time. We're not long anything. We don't store anything. We do it just in time. Well, in the kind of environment we're talking about, that means more interdependencies and more potential failures. So, while we think we're somewhat ahead of the curve, maybe, in financial services, we're not sure, and that's why we need homeland security to help us understand where telcos are, where energy is, where some of these other 17 critical infrastructures are, so that if there is another problem, all the things that we've done are actually going to stay up and alive.

QUESTIONER (MR. KUBARYCH): What do you think are in the worst shape? You're saying they're all in bad shape because they're all interdependent.

MR. PRIETO: I appreciate the question, because it gets to, I think, there's been a big problem the last couple years that there is this lack of prioritization. Everyone talks about them as if they're all equally risky and equally dangerous and equally likely to kill people or create dollar effects, and I don't think that's right.

QUESTIONER: (Off mike)—that's my question.

MR. PRIETO: That's very much the point.

And to be honest with you, because every congressman or woman thinks their homeland issue is whatever they have in their backyard, I personally am frustrated by the fact that I think there is this political correctness that has come up around critical infrastructure that everything's equally the same. I don't agree with that. I think the ones that are worst off—and to your point, I want to broaden your question a little bit. It's not just practice, but it's practice relative to risk. Right?


MR. PRIETO: So I think sort of accepted, among the worst-off, chemical sectors. I mean, they tended to not—they weren't built secure, unlike nuclear plants, from inception. They're not hardened. A lot of them tend to be close to urban areas. And there's a whole bunch of them that can kill tens of thousands to hundreds of thousands of people. So chem is one.

For—(inaudible)—that's a bodies-on-the-ground sector. That will kill people. For cascading effects, I think the electric grid's a real problem. In terms of ease of hitting it, transport—and this is both HAZMAT transport as well as mass transit—that's a really difficult one to solve because those systems have to be open, but I think—and then ports for cascading effects as well—I think those are the worst.

Among ones that I believe are a little bit overblown, nuke can always get better, but they've been heavily regulated for a long time, the facilities have thick concrete walls and—you know, it can always get better, but I do worry less about that one? Yes, I worry less about it. Oil and gas I worry less about because, while highly explosive, companies like Exxon and Mobil, they are very expert at protecting this stuff and they've very much thought about protecting this stuff for a long time. And then on the last one, I think, reasonably well prepared, finance and telco because they deal with the crime issues on a daily basis.

FLYNN: Thank you.

Nancy, do you want to give a reaction to that from your—somebody whose seen all these sectors go through?

WONG: Well, I tend to support what Dan is saying. He's done a good analysis on the consequential, because you start analyzing risk based on what consequences are you not willing to accept. And people's lives are one of the main consequences that you want to avoid.

I think one of the things that we need to go back to think about is that many of our critical infrastructures have been very robust or resilient in the past, to the point where many people in this country have started—had started taking it for granted. So some of the things that you have to look at, you know, as you have new hazards coming into environment, like terrorism, is what is going on with those infrastructures because they have been so robust and resilient in the past.

If you look at the electric sector and what has been going on with the capacity, there's been a major market restructuring going on in the electric sector—in fact, it started before I left private industry—that in many ways have sucked the capacity for several years—the margins out of the electric sector.

So what does that do in terms of—how does that change the risk profile of the sector when your margins have dropped from 20 percent to 5 percent? And I don't know that that is accurate, but those are the numbers that I've heard in the past.

I don't know what that means. I mean, I don't know what the sector has done, and that's part of why we have to work with them to understand what they've done, to assure reliability.

The other thing is, our sectors—our private sector is not homogeneous within the sector. So it may be that in 9/11 Con Ed did an excellent job in terms of keeping the lights on everywhere within Manhattan, outside of the target site. But where is it today? And what drove it to be where it is today in terms of the acceptance of risk?

So there's a lot of factors that go into the performance of any individual institution, and it is going to be different from community to community. And it's one of the reasons why DHS is now beginning to focus on a community-based risk management—understanding, each community, what its risk is.

And so if critical infrastructure is a foundation for the economic (viability ?), the public safety and public confidence in that community, then what—as a community, does it know what its risk profile is, against all hazards, not just terrorism? But terrorism is one of them.

FLYNN: We have a lot of folks who want to get in here. Let me get—(inaudible)—over here, and then I'll try to do my best on as many—(inaudible).

QUESTIONER: (Off mike.) Maurice Sonnenberg .

FLYNN: If you'd speak up for us—

QUESTIONER: Yeah. You mentioned before information. You mentioned information sharing. (Off mike)—subject of human beings and the people that you're dealing with, which then reminds me that in the mid-90s, when the banks were having trouble—(off mike)—was emptying Citibank of 100,000, or Bank of America, no one would report it, because they were afraid if they reported it, the clients would say, "My God," put the money in the bank here, and I don't have to go on.

So my question basically is this. What have you done about information sharing, not from the standpoint of the intelligence community giving you-all information, but the data banks that you're collecting, which I believe you should, the material you collect—how many individuals do you think might be risk individuals, and the (sense of risk ?) for taking that information and getting it to a central bank—a central government agency like the Department of Homeland Security?

And the second part of that is, what are you doing about your own intelligence units within there to help work with these other agencies on a regular basis to keep up with the data banking that—(off mike)?

FLYNN: Well, I guess it's about—are we tapping the full intelligence generation from the private sector and are we making sure that analysis gets shared with other players, or we draw from—

QUESTIONER: (Off mike)—people—

FLYNN: Right.

QUESTIONER:—(off mike)—that example I mentioned—they wouldn't reveal—

FLYNN: Right.

QUESTIONER:—and they didn't want to reveal their inadequacies, so they wouldn't go into—(off mike)—individual people, because—(off mike)—prevention—(off mike)—the involvement of people—(off mike). And sometimes these people—(off mike)—I remember one firm, one of the big companies in Texas, we found—(off mike)—who was planted in the company to get as much information—that was military information, not information to prepare a terrorist attack, but the idea—(off mike)—go in there. Now that was never reported by this company. (It was too embarrassed ?)—(off mike). And when are you going to mandate the information to come in when these things occur?

FLYNN: Is there such a thing—

WONG: Well, you've got all kinds of issues related to privacy and civil liberties under those circumstances.

QUESTIONER: I know. (Off mike.)

WONG: So that's why the—and that is the reason why it's going to take a while to figure that one out, because you've got a lot of balancing acts. There's a lot of balancing that you have to do between what we value as a country, in terms of privacy and civil rights, versus our need to address the potential criminal acts or terrorist acts.

MR. PRIETO: Just a quick response. At the same time, a lot of industries actually are sharing data with it, and I think the government is experimenting with how much it can use private data. And you know, they are getting manifest data from airlines. They are getting shipper data from cargo carriers. They are getting individual data from FedEx. The telcos played a big role in this NSA wiretapping thing.

So to the extent that data is moving from the private—into the government, it's happening. It's happening on a sector-by-sector basis. And it's—to be honest, it's getting testbedded that way. I think some companies may end up getting in trouble because there are restrictions on what they can share. But I think this government at this time has not been—this administration has not been shy about gathering private data and trying to get intelligence off it.

FLYNN: (Inaudible.)

QUESTIONER: Can I—I would like to try to sharpen the difference—

FLYNN: And you've always been a critical guy of our group, and it always helps to sharpen. So please, as we move to the—towards the close of our time here—yeah.

QUESTIONER: This has been a very balanced panel. I congratulate you on doing that. And a number of correctives were provided already. Ken in effect corrected Dan, I think, on—

FLYNN: I always know there's a shoe to drop here. (Laughs.)

QUESTIONER: I think Ken, in effect, corrected Dan on this question of liabilities and competitive advantage; that we weren't so focused with finding, I think, in this working group that there was such a great concern about competitive advantage. It was much more concerned about liability and the risk management insurance, the questions as to what the private sector can do and not get itself in trouble and not be held liable and responsible when there are no guidelines, there's no clear regulation, and so forth. So just to try to sharpen one point.

One impression I think that emerged from our working group was that the government was more preoccupied with the appearance of security, and the private sector was more preoccupied with security in fact. And the government was busy off-loading the costs for the last five years of that security in fact onto the private sector, but without guidelines, without providing the necessary insurance or helping manage the risk.

And I offered this point—the reason I want to sharpen this point is because I want to come back to your initial point, Steve, as to leadership. It is true, I think, that the group found that it's looking—the private sector, broadly speaking, with all of the appropriate exceptions, and so on—is looking for the government to provide leadership. But then Nancy made a critical point: But to what end? What's the leadership for? And in the private sector I think it's for security in fact. And the question on the minds of the private sector is: Is it for security in fact in the government, or is it the 535 experts in aviation, and is it the funds going into each constituency, is it the appearance of security with the real costs off-loaded to the private sector?

And so I offer that question really principally for Nancy, but it's not exclusively for Nancy if you'd like to jump in.

WONG: Well, I'm not a politician, I'm a civil servant. And there's a whole bunch of us working on this issue in fact. The real question, and the reason why public-private partnership becomes so important is what is that end, and does it accomplish what this nation needs? And we can't do that unless the private sector is at the table with us, particularly in the critical infrastructure arena.

So I think that your answer is a good one. But—and given what Washington is like—and I learned, to my—you know, through my deep education as to how my government really works, that it is in two parts. One is what needs to be done in terms of elections, and the other one is deep seriousness, and even those who have been elected, there's a vein that runs through this which is we are dead serious about this. What do we need to do to get this done? So I think what you see is two parts; one is the form and the other is the substance, and both of them are there.

FLYNN: I think we're—actually the last we saw, you know, a program that would do that at the very outset, the Customs-Trade Partnership Against Terrorism is a Customs approach to get companies to take responsibility for their supply chains. But as a practical matter, essentially it puts the cost of securing the supply chain on the private sector, which is basically signing a deal with the devil—if you want to be facilitated in, you take care of that. It therefore allows Customs to focus its limited resources and feel comfortable that they can screen that which doesn't fit in the matrix. But it basically shoves all the liability onto the private sector's back if something goes wrong, because it will be the private sector who failed to secure it, not the Customs agent, because you signed up to this. And the problem is the bar is very high. No private company of major size with 110,000 different vendors, like Target, can guarantee security of every one of those supply chains at every moment in time. So the partnering is—we found was nuanced here. There are certainly some areas where government itself is trying to avoid liability to exposure.

We're down to our last—yeah?

QUESTIONER: (Off mike)—disagree with that. Under no circumstance, having been at Treasury—(off mike)—and under no circumstances—(off mike)—to try to help—(off mike)—in any way, shape or form the reason why—(off mike). It had nothing to do with it.

FLYNN: I won't say that that was the intention at all, but that would certainly involve a lot of us here.

QUESTIONER: It had nothing to do with it.

FLYNN: As a practical matter, that's what's happening. All I'm saying is as a practical matter, that's—

QUESTIONER: That was the not the reason. For the record, the reason was Paul O'Neill sat there and he talked with people in Customs, and people on the border in Canada and the United States in particular, were afraid in the (30 ?) days after September 11th that the—(off mike)—grind to a halt. And that is when the—(off mike)—were put in, and that is when the deal was struck. So I think that—

FLYNN: Let me get Jim Zirin in here. We're running out of time.

Yeah, and this is—we're going to wrap up the group with this one.

QUESTIONER: (Off mike)—you can't have a partnership unless the participants in the partnership, the partner is going to enter into a relationship with trust and confidence. And you visualize a relationship with trust and confidence evolving where the partner in the private sector, if you will, is a foreign entity operating a high-risk point of infrastructure, namely, our ports, where that foreign entity has a terrible record on terrorism and in fact is a supporter of terrorism itself. And shouldn't that be a factor to be taken into consideration if you're emphasizing protection?


FLYNN: I think what we—(inaudible)—may be coming full circle and why this is the Council on Foreign Relations. Again, one of the practical realities is that where does critical infrastructure start and stop? There is legislation by Duncan Hunter being put out here, the head of the Armed Services Committee, saying that all critical infrastructure should be U.S. owned. Well, we need the pipelines from western Canada to run our power plants. When you try to control this problem, we're going to have to do it in Dubai because that's where the most likely problem arises. Is the plan that we buy the Port of Dubai in order to be able to manage that?

And so the challenge we are faced with is the fact that we do have primarily privately owned, a lot of public owned, some in very scary neighborhoods, some with people that may not share our same value system in the mix. I think what jumps forward out of this here is the ownership is an issue that's going to stay murky in an era of globalization. But there clearly needs to be agreed upon requirements between the public and private sector about what adequate security is, and there has to be adult supervision to make sure that everybody's playing by these rules.

And that's going to have to be done both in a national and a globalized context. But at the end of the day, the challenge is often with homeland security—I think in Nancy's mind as well—in government most of the agencies there are seeing this mainly with a domestic perspective. They don't necessarily see where these connections come from, so these assessments may not be made in the way that we would like them to be made. And we're also struggling in terms of building that trust in the confidence along the way.

And we set wonderful examples and we found them, and there certainly are, like, the part that—(inaudible)—it was a big step forward by getting the incentives there, and that was clearly motivating. But it's almost calcified around not taking to the next level because of some of these concerns of finding out where the liability lies, both with the private sector's concerns as well as the legitimate concerns of public-sector players who often get dragged out in front of green tables when things go wrong, even though they weren't given the resources or capabilities to do things well.

It's a complicated issue. I really commend all of you for coming here today to talk about critical infrastructure protection. I mean, we've got to come up with a sexier term. That's probably the bottom line here. (Laughter.) You can't fill a room talking about this. And you know, and it's redundant to say it's critical, but it certainly is. It's a recognition that we are increasingly living in potentially more brittle lives in a globalized state, and the intersection between public and private comes to a forefront when we're talking about issues of security. And we've got to really, as Americans, and those in both sectors, wrap our minds about how we can move forward because the alternatives are pretty ugly.

Thank you for your time today. I really appreciate your—(applause).







More on This Topic