Private Efficiency, Public Vulnerability: Who Will Protect Critical Infrastructure?

Private Efficiency, Public Vulnerability: Who Will Protect Critical Infrastructure?

September 13, 2006

With book editors:
Philip Auerswald, Assistant Professor, School of Public Policy, George Mason University; Director, Center for Science and Technology Policy
Lewis Branscomb,Director Emeritus, Member of the Board, Belfer Center for Science and International Affairs, Kennedy School of Government, Harvard University
Todd M. La Porte, Associate Professor, School of Public Policy, George Mason University
Erwann Michel-Kerjan, Researcher, Wharton School of Finance; Researcher, École Polytechnique

And an introduction from:
Phil Lacomb, Senior Vice President and General Manager of the Integrated Systems and Security Business Unit, SAIC; former Director of the President's Commission on Critical Infrastructure Protection

The Program on Science, Technology, America, and the Global Economy hosted a discussion with the editors of Seeds of Disaster, Roots of Response: How Private Action Can Reduce Public Vulnerability on September 13, 2006 in a session moderated by STAGE Director Kent Hughes. The discussion featured Philip Auerswald; Assistant Professor, School of Public Policy, George Mason University; Director, Center for Science and Technology Policy, Lewis Branscomb; Director Emeritus, Member of the Board, Belfer Center for Science and International Affairs, Kennedy School of Government, Harvard University, Todd M. La Porte; Associate Professor, School of Public Policy, George Mason University, and Erwann Michel-Kerjan; Researcher, Wharton School of Finance, and Researcher, École Polytechnique.

Phil Lacombe, former Director of the President's Commission on Critical Infrastructure Protection, introduced the discussion. His Commission argued in 1996 that "protecting critical infrastructure was a shared responsibility between the private sector and the public sector", especially since 85% of these assets "necessary to national security and economic health" are owned by business. He contended that federal, state, and local governments must lead security efforts, with implementation assistance from the private sector, and generation of new policy ideas from the academic community. That assumption of a shared charge and the search for the proper relationship between government and business in this vital domain of homeland security formed the basis of Seeds of Disaster.

Prof. Lewis Branscomb, formerly of the Kennedy School of Government, was the first of four editors of Seeds of Disaster to speak. Branscomb observed that even though the risk to critical infrastructure is now recognized, ten years after Lacombe's Presidential Commission and five years after the 9/11 attacks, neither government nor business has taken the initiative to make the difficult policy choices and large investments to protect many of the nation's most vital assets. Each waits for the other to make the first move. The government hopes that market forces will motivate industry to protect itself, while those same market forces deter businesses from spending the capital or retooling practices that will make them safer but also less competitive. Businesses also argue that they cannot adequately estimate the risk to their assets and have little incentive to imagine the societal consequences of a disruption to a key service they provide, and therefore they cannot justify the expenditures for protection to shareholders. They point out, too, that the term "War on Terrorism" implies a federal response. The government bears the responsibility to lead, coordinate, and inspire industry to act to prepare for low-probability, high-impact scenarios, such as terrorist attacks, which traditional risk management does not adequately address.

Branscomb explained that this book concentrates not only on terrorism, but takes an "all hazards" approach to the subject. Todd LaPorte of George Mason University found that modern day infrastructure was vulnerable to natural disasters, deregulation, and technological disruptions, in addition to terrorism. Today's society and economy operate in increasingly complex networks, running at real time and with minimal "slack." This "optimization of efficiency" has "reduced redundancy, concentrated assets, and centralized control points" and thus brings with it new vulnerabilities. For instance, New York City has only a 6 hour food supply. LaPorte, who led the study on how organizations have dealt with the issues of crisis mitigation and preparedness, suggested seeking a balance between strategies of anticipation, which he likened to creating a protective exoskeleton to preempt mostly predictable threats, and resilience, the antibodies held in reserve against unpredictable hazards. The book argues for a return to some of the redundancies and flexibility that build resilience into infrastructure and services, and suggests government must play a role in mitigating the costs of these added inefficiencies to American business. Also, organizations, including those that manage infrastructure that is highly reliable, yet whose loss would be extremely disruptive, must invest in continuous and intensive training and reserve long term political support for their efforts.

George Mason's Philip Auerswald exposed the inconsistencies in the administration's current efforts backing public-private protection of critical infrastructure. Department of Homeland Security Michael Chertoff in a recent speech called for regulatory authority to make sectors such as the chemical industry safer (with sensitivity to individual firms' competitiveness) but DHS action has not yet met its rhetoric. This discrepancy, explained Auerswald, is partly the fault of an outmoded understanding and classification of the threat. While Chertoff sought to differentiate between environmental and security threats, Auerswald classified today's modern dangers under a new domain of policy problems called security externalities. For Auerswald, security externalities involve "high uncertainty (where the probability may or may not be low, but the scale and timing of the threat are unknown), high impact events" whose effects could reach extremely far both spatially and temporally from its source. Auerswald pointed to the Department of Defense and its studies of climate change as a security issue (studying the potential "war" in "global warming") as an example of this new domain.

Erwann Michel-Kerjan of the Wharton School of Finance and the École Polytechnique observed another incongruity within the disaster community: the bodies tasked with preventing and mitigating risks (the intelligence and security agencies, military, and first-responders) mostly ignore the insurance community, which has a significant financial role in helping the nation recovery from a catastrophe. A June 2006 DHS report on infrastructure protection does not mention the word insurance, although private insurance firms (which he noted was the world's largest industry) paid 90% of $23 billion in insured losses in Florida after 2004 hurricanes. Two thirds of the $33 billion in insured losses after 9/11 were ultimately shouldered by reinsurance companies, who are mostly European, highlighting the shared burden of terrorism and disasters. However, with the dynamic uncertainty of terrorist attacks and the large scale of modern disasters (ten of the 20 most costly catastrophes in history happened in the past five years), it is hard to create a sustainable market for terrorism risk insurance. As a result, insurance companies are pulling out of risk-heavy environments, such as Florida. Here too one finds need for government leadership, such as with the 2002 Terrorism Risk Insurance Act (a temporary measure providing federal support through public and private compensation for insured losses from acts of terrorism).
During the discussion, Patrick Lagadec, Director of Research at the École Polytechnique, France, and Daniel Prieto of the Reform Institute, contributing authors to the book, stressed the need for clear strategies, guidelines, and grammars to deal with a new "risk world" where "even a Category 2 event can evolve rapidly into a Category 5". Prieto debunked the myths that the only tool for government to engage the private sector was through regulation, and that regulation was automatically harmful to business. He suggested that tax policy (or a creative interpretation of the Sarbanes-Oxley Act) could be a vehicle to motivate industry to act. He also noted that contrary to the "political correctness surrounding critical infrastructure," not all infrastructure is equally threatened or disruptive. He proposed examining both the vulnerability of an industry and its ability to respond and recover without government intervention when designing much needed strategies.

The Q&A also featured discussion of the need for information sharing between all levels of government and industry, of the rising risks involved with the trend for business models dependent on ever-increasing economies of scale (850 passenger Airbuses, 6000 passenger cruise liners, etc.), and the transboundary nature of today's critical infrastructure.

Kent Hughes, Director, Program on Science, Technology, America, and the Global Economy Ext. 4312
Drafted by Alton Buland, Program Assistant, STAGE