Former Department of Homeland Security official Paul Rosenzweig has issued a long-overdue call for wholesale revisions to US homeland security doctrine, in reaction to fundamental changes in the security landscape since the mid-2000s. This is an important and thoughtful piece by someone who was with DHS in the Chertoff era, and it should prompt a much-needed debate about where we go next in securing the nation. Writing for the Lawfare blog, Rosenzweig points to a mismatch between current realities and what he calls Homeland Security Doctrine 1.0, whose three foundational principles were (and mostly still are):
- Pushing border security out to overseas locations on the assumption that that’s where the threat actors originate;
- Employing layered defenses to reduce the chance of threats being successful; and
- Using risk-based approaches to allocate resources to address the highest-consequence events, based on the assumption that those foreign-born terrorists are bent primarily on spectacular attacks using nukes or weaponized airliners.
Regarding the third principle, Rosenzweig argues that because “our adversaries have more or less given up on the notion of grandeur” and have now shifted more towards “small-bore attacks” in everyday locations like Orlando and San Bernardino, the utility of a risk-based approach has diminished. I would argue instead that any sound Homeland Doctrine 2.0 should include a redoubling of efforts to employ risk analytics. While this approach has always been hard to execute in practice, the rapidly evolving and multi-faceted nature of the threat means that we need automated risk assessments more than ever. It is also worth noting that consequence is only one of three elements of risk – the other two being threat likelihood and vulnerability – and a proper analytic risk approach such as the kind Haystax has patented prioritizes all three elements of risk in specific, balanced and analytically defensible ways. As for the lingering focus on overseas security, Rosenzweig notes that, at least from a homeland security perspective, borders are fading in importance: cyber threats are borderless to begin with, and growing domestic radicalization means that threat actors don’t have to cross US borders to do harm. He makes special note of the fact that defending against threats from homegrown self-radicalized individuals “is deeply confounding in a society that values free expression.” Regarding the principle of layered defense he notes that “if everything is now a potential target, we can’t afford [it]” and that the chances of stopping all attacks from succeeding are beginning to approach zero, which should prompt a greater emphasis on resiliency. I like his analysis and prescriptions, and would emphasize in addition to resiliency that the US must better prepare to respond to events that we are unable to prevent or detect. Our concept of Agile Response addresses this need with smart software to coordinate rapid, efficient and ultimately life-saving responses from those on the front lines of homeland security. If our ability to prevent and detect is indeed limited, agile and intelligent responses will be all the more critical. It’s time for a public discussion centered around Paul Rosenzweig’s suggested Homeland Doctrine 2.0. Key questions include: How can we work to mitigate cyber threats when the concept of physical borders is irrelevant? And: Why do we always hear that there were advance indicators of radicalization only after horrible events take place? And finally, to paraphrase Rosenzweig: If we can no longer expect to succeed in preventing terrorism, what tactics can we develop to minimize its effects, and how do we recover from it more quickly?
Bryan Ware is CEO of Haystax Technology.