Throwing money at technology

As part of California's effort in the war on terror, state legislators this year proposed that trucks hauling hazardous materials be fitted with technologies that would allow authorities to seize control of hijacked vehicles--a law that supporters said should be passed "on an emergency basis."

The bill, however, was voted down after critics contended that the communication signals used in the proposed system could be easily commandeered by the very people it was supposed to stop.

"Satellite or cell phone links can be jammed by even a dull terrorist with a $20 device," said California State University professor Bill Wattenburg, a Lawrence Livermore National Laboratory consultant and inventor of another kind of truck-stopping technology. "A smart hijacker can kill communications and make a truck go blind when he wants to move in."

The ill-fated legislation underscores the myriad problems facing the government agencies, law enforcement authorities and industry contractors charged with developing and purchasing technologies in the name of homeland security. As the nation rushes to spend billions of dollars on technology for domestic defense, the Department of Homeland Security remains mired in strategic conflicts, bureaucratic inertia, intra-agency rivalries and election-year politicking.

Since the attacks of Sept. 11, 2001, a pro-security stance has been a necessity for any national political platform, and the 2004 campaign has been no exception. President Bush has vowed to "continue to strengthen security at every identified vulnerability." Even Massachusetts Sen. John Kerry has departed from the traditionally tempered Democratic rhetoric on defense, saying he will do "whatever it takes to make America safe."

But how much is enough? As with any political initiatives that are relatively free of opposition, homeland security programs have the potential to spin out of control without adequate oversight. That, in turn, could slow the fight against terrorism by wasting crucial resources and distracting government bodies from the mission at hand.

To address these issues, CNET News.com recommends a three-point policy agenda that encompasses concerns raised in scores of interviews with government officials, industry executives, policy researchers and taxpayer advocates: Change the "target-based" strategies used to assess terrorist threats today; enforce stringent oversight of spending, especially when secrecy rules limit public knowledge of contracts; and ensure interoperability of technologies and communication networks at all levels of government.

In addition, the government must throughout these reforms address privacy concerns that consistently dog proposals for new surveillance, identification and data analysis tools. Technology projects must respect constitutional safeguards of privacy, even as greater levels of information are called for in the defense against terrorism.

"You can collect all the information that you want, but unless you can get the right information to the right people, it doesn't really matter," said Gilman Louie, chief executive of In-Q-Tel, a CIA-affiliated venture capital firm, and member of the Markle Foundation's task force on digital security. "Historically we are, as a government, good at big defense projects but not big information technology programs. IT is a much murkier area."

The numbers seem to reflect that ambiguity. In a June report, the nonprofit National Taxpayers Union estimated that more than half of new homeland security funding since 2001--$164 billion--is being spent on programs unrelated to defense or response to terrorist attacks. As an example, the organization cited the renaming of the Agriculture Act of 2001 as the "Farm Security Act" after Sept. 11.

"As if chickpeas, lentils and mohair have anything to do with national security. One congressman even stated that a peanut subsidy, with a $3.5 billion price tag, 'strengthens America's national security,'" the 335,000-member group said. "Members of Congress have been cloaking old-fashioned pork in the robes of 'security' for the 'homeland.'"

Making matters worse, local districts that receive such security windfalls often have no idea what they are supposed to do with the money. As a result, many state and regional agencies are simply buying ambulances, fire trucks and other equipment that can be used for public safety but are not necessarily earmarked for homeland security--an accounting sleight of hand known as "supplantation" in the language of procurement.

These concerns were brought into sharp relief last year in a Rand study based on interviews with 190 "first responders," or emergency workers, from 83 organizations across the country. The workers "felt they did not know what they needed to protect against, what protection was appropriate and where to look for it," according to the report, which was conducted for the federal Centers for Disease Control and Prevention.

In remarks to emergency workers and business leaders last month in Arizona, Homeland Security Secretary Tom Ridge acknowledged that improvements are needed in communication and direction but stressed his department's progress. "If you're thinking that there's more that we can do, you're right. But after three years, in every way possible, we've made a real difference in securing our people and our homeland. The successful integration of people and technology for a greater purpose has had a genuine result," he said.

Still, when specific security technologies do receive government funding, law enforcement and other agencies have been known to spend large sums on products and services that are unproven or have shown dubious results. So-called biometric technologies such as iris-scanning identification systems have encountered problems in Britain, where test versions failed to work for people with contact lenses, long eyelashes and watery eyes.

Many states, airports and agencies have begun using facial-recognition technology despite concerns among law enforcement authorities such as the Tampa Police Department, which abandoned its system because it had not helped catch a single criminal. Chicago police recently announced plans to install thousands of cameras around the city that track unusual movements by individuals, even though this "content analysis" surveillance technology has yet to be proven.

"Facial recognition got a lot of hype after 9/11, but it has problems," said Steven Gish, senior research analyst at Roth Capital Partners. "They don't have one that can do one-to-many matches. It is really good at doing one-to-one matching--when you are at a counter to get a ticket--but not picking a face out of a crowd."

The government's withdrawal of the "Total Information Awareness" project, which would have linked databases to compile composite "signature" behavior of terrorists, was a significant setback for the large-scale use of such security technologies. Groups such as the Association of Computing Machinery told Congress that the massive system risked opening the door to identity theft or generating "false positives" from imperfect analytical tools.

Identifying the threat

Before the federal government can decide which technologies are valuable to U.S. security, officials must define the threat they are working against. To date, the White House has described domestic defense goals in only general terms in the seven strategic reports it has issued over the last two years.

"We found there was no commonly accepted set of characteristics used for an effective national strategy," wrote the authors of a February report by the Government Accountability Office (GAO), the investigative arm of Congress. "The seven national strategies related to homeland security and combating terrorism vary considerably in the extent to which they address the desirable characteristics that we identified."

In this absence of clear direction, homeland security officials approached their mission by identifying key landmarks and other potential targets for attack. That strategy quickly proved problematic when the list ballooned to more than 33,000 sites as every state and region lobbied to include specific buildings, bridges, stadiums, monuments and other structures, federal officials say. The list has been cut to about 1,700 sites, sources say, but it is still too long for any meaningful planning.

"You protect a bridge against what? An airplane, a boat, a bomb? It's not possible to plan for every possible contingency," said Randall Yim, formerly the GAO's managing director for homeland security issues and newly named director of the federally funded Homeland Security Institute. "If we have information about a specific threat, such as one against a particular financial institution, that's one thing. But it doesn't work if you don't have that kind of information, which is most of the time."

Rather than this type of "target-based" approach, as it is known, many security and antiterrorism experts advocate a strategy that can be used in a variety of emergency situations. This means strategies should be based on building certain capabilities instead of on defending against attacks on specific areas.

For instance, homeland security officials could decide that all local communities must be able to survive independently for the first 24 hours after a biochemical attack, until federal help can arrive. Their directive could outline requirements for everything from food and shelter to inoculations and medical care, using formulas based on population.

Similarly, a goal for national preparedness could be set for the first full day after a power grid is shut down. Every state could be required to restore power to a certain level that would allow hospitals and other critical facilities to operate at minimum capacity. Such direction, based on case studies of successful systems around the country, would give local authorities a better idea of how to make technology-purchasing decisions.

"In terms of capabilities, we are the best in the world in a lot of ways--people already have monitors and sensors and vaccines," said a staff member of one House committee that deals with homeland security issues. "The challenge is to wade through the soup where everyone's gadget is a homeland security gadget."

Critics say lawmakers have little incentive to change the target-based approach because it provides pork-barrel benefits that they might not otherwise get. The current budgeting process ensures that all states will get significant grants and government contracts, even though their vulnerability may differ widely.

The Department of Homeland Security guarantees that each state will get at least 0.75 percent of the funds available for grant programs, according to a May report by The Heritage Foundation, a self-described conservative think thank. This system automatically takes up 40 percent of all grants and leaves 60 percent for specific projects identified by the department.

"The formulas that drive the grant process are turning homeland security initiatives into state entitlement programs," the report said. "In this manner, California, clearly a 'target-rich environment,' received only 7.95 percent of general grand monies, even though the state accounts for 12 percent of the nation's population. Wyoming, receiving 0.85 percent, accounts for only 0.17 percent of the population. This translates to $5.03 per capita in California and $37.94 per capita in Wyoming."

Following the money

The sheer magnitude of homeland security budgets alone demands extraordinary oversight. Spending on domestic defense has soared from $5 billion in 2000 to $85 billion in 2004, according to Homeland Security Research, a consulting firm that helps companies win federal security contracts.

The potential for uncontrolled spending will be particularly high this fall, with the dual events of the election and the end of the federal fiscal year, when government agencies typically try to use all the money in their budgets before they expire.

"The last half of September is an absolute feeding frenzy, as vendors swarm contract funds like sharks to chum," said Keith Bickel, chief executive of industry consultancy FedLeads. "A significant portion of IT funding is one-year money that has to be obligated. If it isn't, the agencies lose it, management is questioned about its ability to manage both money and projects, and the agency must negotiate that much harder for future funding."

It is in this chaotic spending environment that mistakes are invariably made. After Carnegie Mellon University received a $35.5 million antiterrorism research grant in 2002, a computer science professor began hosting a Web site that provided bomb-making instructions on the grounds that he was "acting in the public interest" under the First Amendment, according to NBC affiliate WPXI-TV in Pittsburgh.

Washington veterans say many aspects of the nation's homeland security programs and policies are reminiscent of the Pentagon equipment scandals of the 1980s, which produced such icons of government waste as the Navy's $436 hammer and the Air Force's $7,622 coffee brewer. But watchdog groups say today's counterterrorism laws allow the potential for much greater abuse than anything exposed during the Cold War era--with far fewer ways to find out about it.

Revelations of the Department of Defense's liberal spending in previous decades were made possible only with the help of whistleblowers who worked within the agencies responsible for purchases. If today's stringent classified-information policies were in effect at that time, the Pentagon controversies may never have come to light.

That, at least, is the opinion of Dina Rasor, who uncovered the first Pentagon purchase scandals while working at the nonprofit Project on Government Oversight, which she founded in 1981 to expose waste and corruption. "In 20 years of doing this, I have never seen the Pentagon more locked down. There's such a climate of fear," said Rasor, now principal investigator at the Military Money Project, which is sponsored by the National Whistleblower Center.

"Back in the '80s, there were checks and balances. Today, homeland security people have to sign an oath that has more criminal sanctions than ever before for leaking information," Rasor said. "Homeland security procurement is a quasimilitary thing without any checks and balances. It's the DOD's dream come true--the Pentagon unplugged."

She and other investigators point to agencies such as the Federal Emergency Management Agency, or FEMA, whose program funding information had been accessible to the public before it became part of the homeland security apparatus. Now, they say, much of its budget has "gone black," or become classified, under the category of "continuity of government"--how federal operations will continue in the event of a catastrophic attack.

Throwing money at technology

(continued from previous page)

Homeland security projects can also avoid public scrutiny under a procurement category known as "OTA," or "Other Transaction Authority," which critics say has been used to skirt the regulatory process. This designation, which Congress initially granted the Pentagon for "advanced research," has been used for projects that "generally are not subject to federal laws and regulations applicable to procurement contracts," according to a GAO report in 2002.

"A lot of Defense Department programs need to be classified and provide limited knowledge. But classifying emergency preparedness? That's bull," one congressional official said. "There is no independent knowledge to make the right policy decisions."

Fusing the fiefdoms

The disparate projects and strategies undertaken at various levels of government can be attributed directly to inadequate communication at the federal level.

Random glitches are inevitable in the creation of a governmental behemoth that merges 22 federal agencies and 180,000 employees. But critics say problems within the Department of Homeland Security go well beyond internal integration, confounding the local officials and the technology companies expected to buy and sell equipment that is critical to national defense.

"Information sharing, or the lack of it, has been a big stumbling block," said Ray Bjorklund, senior vice president and chief knowledge officer of Federal Sources Inc. (FSI), a consulting firm that specializes in government contracts. "It could be something as fundamental as land radio systems that can't talk to each other or, on the grander scale, the ability to exchange pieces of information that could help solve a crisis."

Communication problems persist even within the Department of Homeland Security itself, in no small part because of its labyrinthine structure.

Case in point: The department's top cybersecurity official is two levels removed from Homeland Security Secretary Tom Ridge, a situation believed to have been responsible for the October resignation of Amit Yoran, who held the post over the past year. Lawmakers are trying to correct this organizational flaw with two House bills. Elsewhere in the agency, the chief information officer is not a member of the senior management team and does not have departmentwide authority over technology assets and programs.

"In some instances, the directorates do not involve or apprise the DHS CIO of their individual IT projects or initiatives," according to a July report by the department's own Office of Inspector General. That could lead to a situation where directorates put their staff to work on programs that directly contradict or interfere with initiatives laid down by the Department of Homeland Security's CIO, the report noted.

Intramural conflicts arise for reasons beyond organization as well, such as the kind of internal politics and competition that characterize any enterprise inside the Washington Beltway. Federal sources say even Inspector General Clark Kent Ervin, charged with overseeing the Department of Homeland Security's operations, was initially pressured to limit the criticism in his office's reports.

"There are elements of Justice not happy working with FEMA guys, bioterror types conflicting with Health and Human Services. Tension is always there," one government official said. "Prosecutors have a very different perspective from response guys, who just want to help people, not preserve crime scenes. Then you have prevention guys who are very different from the responders. Even within the same department, such as immigration, there are differences between the service culture and enforcement side."

Perhaps for reasons such as this, the American public appears cynical about the effectiveness of government programs on homeland security in a nationwide survey conducted by CNET News.com and Harris Interactive. The poll, which surveyed more than 1,000 people in August, showed wide support for new technologies, such as eye and hand scanners. However, the survey found little faith in the government's ability to use the tools already at its disposal.

Nearly 53 percent of the respondents said the government was not doing enough to use technology to improve security, according to the CNET News.com-Harris Interactive Poll. A similar majority said they thought the government's technology initiatives to date either were having no effect or had made things less secure. About 45 percent said they believed that the government's technology initiatives on the security front were working.

"Money wasted on political projects means more effective uses are not being met," said Pete Sepp, vice president of communications at the National Taxpayers Union. "The political establishments of both parties agreed from the outset that virtually any effort to hold people accountable amounted to not worrying about national security."

Among those who should be called on to contribute, others say, are companies. As the threat of terrorism increasingly becomes a fact of life, domestic security can be viewed legitimately as a cost of doing business, along with such factors as worker safety and product liability.

James Jay Carafano, a senior fellow at The Heritage Foundation, points to Operation Safe Commerce--the Transportation Security Administration's program to inspect cargo shipments--as a "classic waste of money" on a function that should be left to the businesses concerned. "Turn it over to the industry--make them figure out the best way to do it," he urged.

Others caution against overreliance on the private sector, saying that only the federal government can adequately formulate industrywide standards.

"One reason that governments promulgate building codes, for example, is that it would be too difficult for each individual to evaluate a building's structural soundness before (deciding) to enter it," according to a report from The Brookings Institution's Project on Homeland Security. "Since it would also be difficult for the individual to evaluate how well the building's air intake could filter out potential bioterrorist attacks, the same logic could suggest that the government should set minimum antiterrorism standards for buildings."

Moreover, the corporate world's track record on compliance with safety regulations in general is less than stellar. In cases where the government deems the private sector to be responsible for security measures, the institute recommends that companies be required to carry insurance and that the government provide subsidies for counterterrorism measures and other legislated incentives for industries to protect themselves.

Nevertheless, such regulatory authority raises a fundamental question: Who will supervise the supervisors?

At the very least, the Senate and House should each create a permanent special committee to handle homeland security, as it has done to address intelligence oversight, simply to centralize knowledge and authority. From January to July of this year, The Heritage Foundation found, homeland security officials testified in 126 hearings--the equivalent of 1.5 appearances for every day of the congressional session.

"The government wants to make sure they're spending enough, and in that process, you can be sure that there's money that's going to be wasted," said former Rep. Rick White, a former Republican congressman who is now chief executive of the bipartisan lobby TechNet and a member of the Markle Foundation's task force on digital security. "When Congress is your overseer, you're already in trouble. Congress needs an overseer itself."