Throwing money at technology

The following article is from the CNet News.com looking at issues around homeland security. You can see the original article at http://news.com.com/2009-1009_3-5395361.html?tag=dasec1.

Throwing money at technology

By Robert Lemos and Mike Yamamoto

CNET News.com

October 18, 2004

As part of California's effort in the war on terror, state legislators this year proposed that trucks hauling hazardous materials be fitted with technologies that would allow authorities to seize control of hijacked vehicles--a law that supporters said should be passed "on an emergency basis."

The bill, however, was voted down after critics contended that the communication signals used in the proposed system could be easily commandeered by the very people it was supposed to stop.

"Satellite or cell phone links can be jammed by even a dull terrorist with a $20 device," said California State University professor Bill Wattenburg2, a Lawrence Livermore National Laboratory consultant and inventor of another kind3 of truck-stopping technology. "A smart hijacker can kill communications and make a truck go blind when he wants to move in."

The ill-fated legislation underscores the myriad problems facing the government agencies, law enforcement authorities and industry contractors charged with developing and purchasing technologies in the name of homeland security. As the nation rushes to spend billions of dollars on technology for domestic defense, the Department of Homeland Security remains mired in strategic conflicts, bureaucratic inertia, intra-agency rivalries and election-year politicking.

Since the attacks of Sept. 11, 2001, a pro-security stance has been a necessity for any national political platform, and the 2004 campaign has been no exception. President Bush has vowed to "continue to strengthen security at every identified vulnerability." Even Massachusetts Sen. John Kerry4 has departed from the traditionally tempered Democratic rhetoric on defense, saying he will do "whatever it takes to make America safe."

But how much is enough? As with any political initiatives that are relatively free of opposition, homeland security programs have the potential to spin out of control without adequate oversight. That, in turn, could slow the fight against terrorism by wasting crucial resources and distracting government bodies from the mission at hand.

To address these issues, CNET News.com recommends a three-point policy agenda that encompasses concerns raised in scores of interviews with government officials, industry executives, policy researchers and taxpayer advocates: Change the "target-based" strategies used to assess terrorist threats today; enforce stringent oversight of spending, especially when secrecy rules limit public knowledge of contracts; and ensure interoperability of technologies and communication networks at all levels of government.

In addition, the government must throughout these reforms address privacy concerns that consistently dog proposals for new surveillance, identification and data analysis tools. Technology projects must respect constitutional safeguards of privacy, even as greater levels of information are called for in the defense against terrorism.

"You can collect all the information that you want, but unless you can get the right information to the right people, it doesn't really matter," said Gilman Louie, chief executive of In-Q-Tel, a CIA-affiliated venture capital firm, and member of the Markle Foundation's task force on digital security5. "Historically we are, as a government, good at big defense projects but not big information technology programs. IT is a much murkier area."

The numbers seem to reflect that ambiguity. In a June report, the nonprofit National Taxpayers Union6 estimated that more than half of new homeland security funding since 2001--$164 billion--is being spent on programs unrelated to defense or response to terrorist attacks. As an example, the organization cited the renaming of the Agriculture Act of 2001 as the "Farm Security Act" after Sept. 11.

"As if chickpeas, lentils and mohair have anything to do with national security. One congressman even stated that a peanut subsidy, with a $3.5 billion price tag, 'strengthens America's national security,'" the 335,000-member group said. "Members of Congress have been cloaking old-fashioned pork in the robes of 'security' for the 'homeland.'"

Making matters worse, local districts that receive such security windfalls often have no idea what they are supposed to do with the money. As a result, many state and regional agencies are simply buying ambulances, fire trucks and other equipment that can be used for public safety but are not necessarily earmarked for homeland security--an accounting sleight of hand known as "supplantation" in the language of procurement.

These concerns were brought into sharp relief last year in a Rand study7 based on interviews with 190 "first responders," or emergency workers, from 83 organizations across the country. The workers "felt they did not know what they needed to protect against, what protection was appropriate and where to look for it," according to the report, which was conducted for the federal Centers for Disease Control and Prevention8.

In remarks to emergency workers and business leaders last month in Arizona, Homeland Security Secretary Tom Ridge acknowledged that improvements are needed in communication and direction but stressed his department's progress. "If you're thinking that there's more that we can do, you're right. But after three years, in every way possible, we've made a real difference in securing our people and our homeland. The successful integration of people and technology for a greater purpose has had a genuine result," he said.

Still, when specific security technologies do receive government funding, law enforcement and other agencies have been known to spend large sums on products and services that are unproven or have shown dubious results. So-called biometric technologies such as iris-scanning identification systems have encountered problems in Britain9, where test versions failed to work for people with contact lenses, long eyelashes and watery eyes.

Many states, airports and agencies have begun using facial-recognition technology10 despite concerns among law enforcement authorities such as the Tampa Police Department, which abandoned its system11 because it had not helped catch a single criminal. Chicago police recently announced plans to install thousands of cameras around the city that track unusual movements by individuals, even though this "content analysis" surveillance technology has yet to be proven.

"Facial recognition got a lot of hype after 9/11, but it has problems," said Steven Gish, senior research analyst at Roth Capital Partners. "They don't have one that can do one-to-many matches. It is really good at doing one-to-one matching--when you are at a counter to get a ticket--but not picking a face out of a crowd."

The government's withdrawal of the "Total Information Awareness12" project, which would have linked databases to compile composite "signature" behavior of terrorists, was a significant setback for the large-scale use of such security technologies. Groups such as the Association of Computing Machinery told Congress13 that the massive system risked opening the door to identity theft or generating "false positives" from imperfect analytical tools.

Identifying the threat

Before the federal government can decide which technologies are valuable to U.S. security, officials must define the threat they are working against. To date, the White House has described domestic defense goals in only general terms in the seven strategic reports it has issued over the last two years.

"We found there was no commonly accepted set of characteristics used for an effective national strategy," wrote the authors of a February report14 by the Government Accountability Office (GAO), the investigative arm of Congress. "The seven national strategies related to homeland security and combating terrorism vary considerably in the extent to which they address the desirable characteristics that we identified."

In this absence of clear direction, homeland security officials approached their mission by identifying key landmarks and other potential targets for attack. That strategy quickly proved problematic when the list ballooned to more than 33,000 sites as every state and region lobbied to include specific buildings, bridges, stadiums, monuments and other structures, federal officials say. The list has been cut to about 1,700 sites, sources say, but it is still too long for any meaningful planning.

"You protect a bridge against what? An airplane, a boat, a bomb? It's not possible to plan for every possible contingency," said Randall Yim15, formerly the GAO's managing director for homeland security issues and newly named director of the federally funded Homeland Security Institute. "If we have information about a specific threat, such as one against a particular financial institution, that's one thing. But it doesn't work if you don't have that kind of information, which is most of the time."

Rather than this type of "target-based" approach, as it is known, many security and antiterrorism experts advocate a strategy that can be used in a variety of emergency situations. This means strategies should be based on building certain capabilities instead of on defending against attacks on specific areas.

For instance, homeland security officials could decide that all local communities must be able to survive independently for the first 24 hours after a biochemical attack, until federal help can arrive. Their directive could outline requirements for everything from food and shelter to inoculations and medical care, using formulas based on population.

Similarly, a goal for national preparedness could be set for the first full day after a power grid is shut down. Every state could be required to restore power to a certain level that would allow hospitals and other critical facilities to operate at minimum capacity. Such direction, based on case studies of successful systems around the country, would give local authorities a better idea of how to make technology-purchasing decisions.

"In terms of capabilities, we are the best in the world in a lot of ways--people already have monitors and sensors and vaccines," said a staff member of one House committee that deals with homeland security issues. "The challenge is to wade through the soup where everyone's gadget is a homeland security gadget."

Critics say lawmakers have little incentive to change the target-based approach because it provides pork-barrel benefits that they might not otherwise get. The current budgeting process ensures that all states will get significant grants and government contracts, even though their vulnerability may differ widely.

The Department of Homeland Security guarantees that each state will get at least 0.75 percent of the funds available for grant programs, according to a May report16 by The Heritage Foundation, a self-described conservative think thank. This system automatically takes up 40 percent of all grants and leaves 60 percent for specific projects identified by the department.

"The formulas that drive the grant process are turning homeland security initiatives into state entitlement programs," the report said. "In this manner, California, clearly a 'target-rich environment,' received only 7.95 percent of general grand monies, even though the state accounts for 12 percent of the nation's population. Wyoming, receiving 0.85 percent, accounts for only 0.17 percent of the population. This translates to $5.03 per capita in California and $37.94 per capita in Wyoming."

Following the money

The sheer magnitude of homeland security budgets alone demands extraordinary oversight. Spending on domestic defense has soared from $5 billion in 2000 to $85 billion in 2004, according to Homeland Security Research17, a consulting firm that helps companies win federal security contracts.

The potential for uncontrolled spending will be particularly high this fall, with the dual events of the election and the end of the federal fiscal year, when government agencies typically try to use all the money in their budgets before they expire.

"The last half of September is an absolute feeding frenzy, as vendors swarm contract funds like sharks to chum," said Keith Bickel18, chief executive of industry consultancy FedLeads. "A significant portion of IT funding is one-year money that has to be obligated. If it isn't, the agencies lose it, management is questioned about its ability to manage both money and projects, and the agency must negotiate that much harder for future funding."

It is in this chaotic spending environment that mistakes are invariably made. After Carnegie Mellon University received a $35.5 million antiterrorism research grant in 2002, a computer science professor began hosting a Web site that provided bomb-making instructions on the grounds that he was "acting in the public interest" under the F