Updated White House homeland security strategy criticized

The White House released this week its updated plan for protecting the nation from terrorism and responding to disasters, but it received a chilly response from members of Congress and security experts, who criticized the document as light on specifics.

The architects of the update to the National Strategy for Homeland Security say it provides more details on a common framework for public and private sector organizations to follow in their homeland security efforts, as outlined in the first version released in July 2002. The latest report emphasizes four goals: Combat terrorism; protect the American people, critical infrastructure and key resources; respond quickly and appropriately to threats; and strengthen foundation principles, systems, structures and institutions that help secure the homeland.

"This strategy is a national strategy, not simply a federal strategy, and articulates our . . . approach to secure the homeland over the next several years," said Fran Townsend, assistant to the president for counterterrorism and homeland security, during a press briefing Tuesday. "If you go back and look at the 2002 strategy, it talks about preventing terrorist attacks, reducing vulnerability and then minimizing damage. It is a much more . . . operational-level document. This document . . . steps back from that and says, having built many of those capabilities, what additional actions over the long term do we need to build to ensure the strength and continuing vitality of the homeland security effort in this country."

But some members of Congress said the update fell short of that goal. Rep. Bennie Thompson, D-Miss., chairman of the House Homeland Security Committee, said in a statement that the document is a roadmap of broad principles, with little new describing how the administration will improve on its homeland security efforts. "When the U.S. government releases a strategy document, people take notice," he wrote. "Sadly, any anticipation leading up to the release of this report may have been more exciting than the information contained within it."

In September, the House committee presented Homeland Security Secretary Michael Chertoff a list of six action items for improving security. Two were mandated by laws, including the Implementation of the Recommendations of the National Commission on Terrorist Attacks (commonly known as the 9/11 Bill), the SAFE Port Act of 2006 and the Intelligence Reform and Terrorism Prevention Act of 2004. Those laws require regulations and procedures to be developed for securing shipping containers and providing explosive detection equipment at passenger checkpoints at airports. The document gave little detail on implementing those recommendations or any of the other four suggested, according to Thompson.

Neither the House nor the Senate committees were given advance copies of the document for review, and members of the Senate Homeland Security and Governmental Affairs Committee did not comment on the strategy because they had yet to fully review it.

Even some of the security experts DHS had consulted with while updating the strategy were unimpressed. Frank Cilluffo, director of the Homeland Security Policy Institute at George Washington University, whom DHS' Townsend said was one of the experts consulted to help develop the new strategy, said the final document does little to advance the plan outlined in the first report five years ago.

"This reads more like a legacy document than a forward reading strategy with ways, means and ends," Cilluffo said. "There's no solid sense of how it fits into the bigger puzzle. It's not tactical enough to be a plan."

Others said they believe that the strategy is designed to be a high-level document that highlights progress made and big-picture plans.

"Did the strategy need to be updated? Absolutely," said Andrew Howell, partner at Monument Policy Group and former homeland security head for the U.S. Chamber of Commerce. "This puts on paper what [the administration] has been thinking and doing to make sure the doctrine lives on."

One area of the strategy that did provide some detail, however, deals with the process that agencies will follow when responding to national threats, said Penrose "Parney" Albright, managing director of the security consulting firm Civitas Group and the former assistant secretary for science and technology at DHS. The strategy establishes the Homeland Security Management System, a four-phased approach that provides policy guidance, coordinated planning, execution and assessment and evaluation of operations and exercises -- all led primarily by the White House.

"What is being proposed is a far more muscular White House process, which would begin with an assessment of risk, then policy guidance for managing that risk, and an assignment of programmatic responsibilities to agencies, which would respond with programs designed to satisfy the risk management policy," Albright said. "Those programs would have to be synchronized across the agencies, and then resources applied through the president's budget. The cycle would then start all over again.

"The broader question is how to deal with the panoply of potential risks and decide how to apply what are ultimately limited resources to them in a manner that is defensible [from leadership changes] and executable."

But on the whole, security experts said the document was thin on details. For example, cybersecurity was mentioned in passing as a "special consideration," with reference made to two previous reports: the 5-year-old National Strategy to Secure Cyberspace and the National Infrastructure Protection Plan released in 2006.

The president is expected to release new policy statements this month in response to the hearing this summer on widespread cyberattacks on federal networks, including those operated by DHS. The number of reported cyberattacks on federal systems has increased sharply, according to Greg Garcia, cybersecurity and communications assistant secretary at DHS. In fiscal 2007, the U.S. Computer Emergency Readiness Team (US-CERT) reported 37,006 security incidents in federal agencies, a 54 percent increase from the 23,993 reported the year before. Most of the increase was attributed to better reporting of incidents.

Patrick Howard, chief information security officer at the Housing and Urban Development Department, said the increase in cyberattacks is not as concerning as the number of successful attacks.

"As long as they fail to penetrate the network, it's business as usual," Howard said. "Security is sophisticated, and will do its job as long as the proper baseline protection is in place. The bigger concern is the zero-day attacks that no one has seen before. That's when we scramble and turn to US-CERT to coordinate efforts and vendors to develop the necessary software patches."