Calling All Companies

n April, about 20 senior officials from the Homeland Security Department, the U.S. Surgeon General's Office, and state and local governments quietly gathered in downtown Washington with an equal number of private sector CEOs. They were there to play a war game involving a frightening scenario: Terrorists had hacked into the computer systems of two large financial institutions in New York, causing investors around the world to panic and threatening to deal a huge blow to an already ailing U.S. economy. Meanwhile, reports out of Chicago warned that a biological contagion was spreading rapidly through the local population. The two events were taking place simultaneously-a hallmark of previous al Qaeda attacks against U.S. interests both at home and overseas-leaving little doubt that a major terrorist operation was under way.

With the initial damage already done, the challenge was to avoid the kind of panic-driven, self-inflicted wounds that historically have conspired to compound terrorism's destructive effects. Because panic feeds on irrationality and fear, the best way to contain it is through the fluid exchange of information-and not just among relevant federal agencies. With investors fleeing New York's markets in droves and hospitals in Chicago quickly filling up with terrified patients, leaders of the financial and information services industries would need to be kept closely informed, as would officials in the public health system, if the response was to succeed.

Players at the tabletop war game-sponsored in part by the Business Roundtable, a consortium of CEOs from the nation's 150 largest corporations-grappled with the innumerable risks and uncertainties involved in managing a crisis of this scale. During two stressful days in Washington, information was sometimes scarce. But according to war game participants, one device worked remarkably well at bringing the right people-both inside and outside the federal government-together at the right time, and it wasn't some new high-tech gadget invented at great expense by a secretive federal agency. It was the telephone.

In November 2001, even as the underground fires still smoldered in Manhattan, then-Homeland Security Adviser Tom Ridge met with a group of about 40 Roundtable executives in Washington. Out of that meeting came the idea for a system that would allow high-level federal and private sector officials to quickly and effectively share information in the event of another terrorist attack. The result was the Critical Emergency Operations Communications Link, known as CEO COM Link. The system is shrouded in mystery, due largely to the reluctance of Homeland Security and Roundtable officials to discuss its operational details. Numerous requests for interviews to the Homeland Security Department went unfulfilled, and Roundtable executives contacted for this story declined to comment on basic details, such as the system's cost, staffing requirements and the types of information shared among COM Link users.

But the details that are known-gathered from interviews and news media accounts-make it clear that COM Link is, in essence, a secure conference call. As such, it borrows heavily from pre-existing technologies and requires little additional investment aside from the creation of caller authentication procedures-procedures developed by AT&T and paid for by the Roundtable, which has assumed this and all other related costs.

Before COM Link, no formal system existed that would allow federal officials to contact their private industry counterparts in times of crisis. Since its creation, COM Link has been used at least four times (and probably many more) to give corporate officials advance warning of increases in the terrorist threat level. But in the wake of any future terrorist strikes, Ridge, within minutes, will be able to speak directly with the Roundtable's entire CEO membership, whose companies oversee a significant amount of U.S. critical infrastructure and collectively account for an estimated $3.5 trillion in annual revenues.

The system's architecture is simple. Ridge and a few other high-level officials at Homeland Security and the Business Roundtable have the authority to initiate a COM Link call. Once the decision is made, word goes out to CEOs through a series of telephone calls and e-mails requesting that they dial into the system. Each CEO-pre-screened and credentialed-calls into COM Link and undergoes a series of validations before being permitted to join in the conversation. Assuming that phone lines are clogged, as they were following the attacks on Sept. 11, CEOs can access the Government Emergency Telecommunications Service (GETS) with a card that grants them priority access to congested phone lines.

KNOWLEDGE IS POWER

According to C. Michael Armstrong, chairman of Comcast and head of the Business Roundtable's security task force, Com Link has already proved its value. Speaking at the McGraw-Hill Homeland Security Summit and Exposition in Arlington, Va., in May, Armstrong raved about COM Link's performance in the April war game. "The difference between doing it [using COM Link] and not doing it saved over a million lives in the war game," Armstrong said.

Armstrong's claim, viewed with some skepticism by sources contacted for this article, cannot be independently verified, as the official war game results remain unavailable to the public. But almost everyone agrees that connecting federal and corporate decision-makers in times of crisis is a good idea. The experience of Sept. 11 convinced many people inside and outside the federal government that such a connection could be critical in mitigating both the human and financial costs of terrorist attacks. When the Federal Aviation Administration closed the skies on Sept. 11, a four-day shutdown that ultimately cost the American economy about $1.3 billion, commercial airlines and air freight companies such as FedEx and UPS had no idea whether they should lock their airplanes away in secure hangars or prepare them for use in disaster relief missions. "People just didn't know how long airspace would be up or down," Roundtable spokeswoman Marian Hopkins says. "There was just no good way of communicating [with federal officials] or getting answers to critical questions."

COM Link is designed to meet that need. While it is intended primarily to serve as a crisis management tool for use during or after a terrorist attack, COM Link's design leaves open the possibility that officials at Homeland Security could use it to disseminate threat information in advance of an attack. But companies are unlikely to get specific information about impending attacks. "If you ever have hard information, the likelihood is that the FBI, the intelligence community, a hybrid of both, or DHS would directly reach out to that constituency," says a former high-ranking federal official involved with homeland security-related issues, who requested anonymity. "If we knew when and where, we wouldn't have a communications issue. We would prevent [the attack] and pre-empt it."

COM Link is more likely to be used for generalized warnings, such as advance notice of changes in the national terrorism threat level. This has already happened on at least one occasion. In February, the St. Petersburg Times reported that an hour before a news conference at which Ridge publicly raised the threat level from yellow (elevated) to orange (high), he activated COM Link to convey several messages to the Business Roundtable's membership: hire more guards, secure entrances and exits to vulnerable facilities, pay added attention to trucks and parking garages, and take whatever steps are necessary to protect ventilation systems from chemical or biological contamination.

Some people are unconvinced such messages are much help. After all, unless the information relayed over COM Link relates to specific industries or targets, it probably has limited value beyond what business leaders could gather through news reports or good old-fashioned common sense. And in any case, although the system allows Ridge to communicate quickly with Roundtable members, it doesn't grant him broader access to companies that fall outside the group's membership. "Why should the Business Roundtable or any other exclusive group be the ones to reap any potential benefit?" asks Charles Pena, director of defense policy studies at the Cato Institute, a Washington think tank. "It's clear how [the Roundtable] would determine who should participate [in COM Link] for their own market-driven reasons. But in the event of a real emergency or terrorist attack, should the Business Roundtable be dictating where the information flows?"

The Roundtable's Hopkins acknowledges that COM Link's users are primarily member CEOs, but she is quick to defend the system's integrity as a crisis response tool. "It was never intended for the exclusive use of the Business Roundtable," she says, adding that the organization has already partnered with the financial and chemical industries' trade associations and intends to expand COM Link's membership further. Hopkins offers no further details, however, on when these expansions might occur or which companies or industries they might involve.

WORK IN PROGRESS

Sharing information about potential terrorist attacks is a hot-button issue in Washington these days, but it is not a new idea. In the mid- to late 1990s, the federal government took several steps to protect critical infrastructures from attack. An estimated 85 percent of these infrastructures-telecommunications, electricity, energy, water and transportation systems, to name just a few-fall under the immediate control of the private sector, meaning that federal agencies must encourage the free flow of information from corporations if they hope to protect them.

President Clinton's Commission on Critical Infrastructure Protection issued an influential report in 1997 calling for the establishment of industry-specific councils that would collect and analyze vulnerability information and serve as clearinghouses for the dissemination of this material to both federal agencies and other industries. Sixteen of these National Infrastructure Advisory Councils (ISACs) were subsequently created, but with mixed success. A May 2003 General Accounting Office report (GAO-03-715T) found that many ISACs are faltering because companies are loath to share with federal officials information that could be used as evidence in antitrust suits or be released to their competitors or the public under the 1966 Freedom of Information Act.

The 2002 Homeland Security Act suggests limits on how federal, state and local governments use critical infrastructure information voluntarily provided by industry. Earlier this year, DHS issued a call for comment on its proposed rules for how such information might be protected under FOIA exemptions. At the time of this writing, however, the details of any new provisions remained unclear, as was their likely effect on the willingness of industry to share potentially sensitive information with the federal government.

Ultimately, the success or failure of information sharing will rest on the federal government's ability to foster trust among companies. But whether agencies are up to that challenge remains an open question. By bringing federal officials and corporate CEOs together to exchange information in real time, COM Link's backers hope it will set the stage for a broader dialogue. After all, according to the former high-ranking federal official, "You can't tell the private sector what to do, and you can't tell them what steps to take. What you can do is provide some information and provide some guidance in terms of guidelines and steps that they may want to consider. The question is how do you build that partnership, and you can only build [it] by opening up communication."