The Department of Homeland Security (DHS) presented its 3rd Annual “Building Resilience through Public-Private Partnerships”,conference on July 30-31, in Washington D.C. Third party risk issues were discussed in depth around three themes: emergency management/preparedness, campus resilience, and cybersecurity.
Welcoming remarks came from both Jane Holl Lute, former DHS deputy secretary, and FEMA administrator Craig Fugate, who spoke strongly on behalf of the private sector’s reluctance to make investments in resilience “unless it’s in their interest and makes money.” He pointed out that most power utilities are investor-owned, with fiduciary requirements. He stressed the need to find what he called “our common interests,” given that public-private partnerships sometimes operate like a “big dysfunctional family.” He’s clearly a “whole of community” professional, who is looking for what he calls “teammates” rather than “more partners.”
The most inspiring speaker for the conference was Jacob Wood, founder of Team Rubicon, a disaster response veterans service organization, which provided 350 veterans over five weeks to assist with recovery from Hurricane Sandy. He pointed out that the organization is two pronged, helping disaster victims but also helping military vets deploy skills in situations where it’s clear that they help and that they “will change the world.” Teams are now engaged in learning the National Incident Management System (NIMS) and Internal Controls Service (ICS) “with a military flavor.”
One of the crispest panels focused on supply chain, and was organized by Bryan Strawser from Target. We met three new companies –Sears Holding Corporation, Global Food Exchange, and Menlo Worldwide Logistics—and learned more about the remarkable programs they have each put in place and continue to improve. Richard Jabara from Menlo made everyone’s point when he emphasized how important it is to physically map the supply chain, not just map it on paper. Stories abounded from Hurricane Sandy, including the realization that drivers of big trucks often had to offload their own trucks when they arrived at the destination; and on the inefficiencies in water filtration so that food delivered could be cooked. An earlier panel chaired by Russ Paulsen from the American Red Cross had elicited key resources for early stage recovery: transportation, credentials, and information needed to determine where to locate corporate generators (Target); and transportation as well as communications on where temporary facilities can be set up (Grainger).
On the second day of the conference, two panels in particular stood out. DHS Acting Undersecretary for the National Protection and Programs and Program Directorate, spoke at length on efforts underway to implement Presidential Policy Directive 21, on physical and cyber risks. She emphasized that cross sector and cascading consequences in physical security are now connected to the cyber side; that the NIST framework being developed has had significant private sector input; and that the group is also working on developing incentives for voluntary participation in the new framework for information sharing. On that same panel on enhancing cyber infrastructure security and resiliency, Marlene Allison from Johnson & Johnson Services, Inc. spoke highly of the valuable information sharing through the Overseas Security Advisory Council (OSAC) organization, created as a partnership between the Department of State and the private sector.
The final panel was the one I chaired, and all four panelists – Bill Raisch from NYU, Brian Tishuk from ChicagoFIRST, Alan D. Cohn from DHS, and Jim Thompson from the White House – spoke to several questions I asked: Are partnerships the best vehicle for enhancing and maintaining critical infrastructure resilience, or should the private sector be left to its own devices? (Yes and no.) Should regulation be employed to ensure the achievement of minimal levels of resilience and fair treatment across industries? (Better to try to accomplish without, but sometimes required.) Are sectors the proper focus of partnership activities, or would it be better to address interdependencies instead? (Sectors seem to be identifying the interdependencies.) If we continue down the partnership path, what natural limitations exist and how might their negative effects be mitigated? (It is still to be seen what progress the executive order on voluntary information sharing on cyber threats will yield, which is best example.) DHS is putting together an after action report which will be publicly available, and which will cover all the panels, not just the ones I selected here to discuss.
Annie Searle is Principal of ASA Risk Consultants, an independent consulting and research firm that provides confidential assessments of existing corporate plans, identifies gaps and offers customized road maps to increase resiliency. Searle is an affiliate faculty member at the University of Washington’s School of Information, where she teaches courses on operational risk, ethics, policy and law. She is a lifetime member of The Institute of American Entrepreneurs. She was inducted into the Hall of Fame for the International Network of Women in Homeland Security and Emergency Management in 2011.