UPDATED to provide a working link to the full report (original link to full report stopped working ...but then, we're talking about DHS, right?) Back in December of 2003, President Bush released a directive --
Critical Infrastructure Identification, Prioritization, and Protection -- which was basically intended to continue a Clinton Administration policy of getting federal agencies to identify and prioritize America's critical infrastructure and key resources
(CI/KR), in order to protect them from terrorist attacks. The task has fallen to that paragon of preparedness, the Department of Homeland Security.
Well, Here's The Outcome: Old MacDonald's Petting
Zoo ...The Mall at Sears ...The Bean Fest ...Nix's Check Cashing Place... Good Lord! If this is the way DHS keeps tabs on critical infrastructure and makes funding decisions to protect them (and us) from terrorists, then I gotta tell you ... we're not gonna make, folks. We're all gonna die. The Office of the Inspector General (OIG) just issued its report critiquing DHS's National Asset Database. A summary of the salient criticisms, after the jump.
President Bush tasked the Department of Homeland Security (DHS) to create a framework for protecting critical national assets. The framework DHS came up with consists, in main part, of an inventory of critical national assets and key resources, which DHS calls the National Asset Database
(NADB).
According to the OIG report:
In July 2002, the White House Office of Homeland Security released the National Strategy for Homeland Security (NSHS). Protecting the nation's critical infrastructure and key assets (CI/KR) was one of its six critical mission areas. Critical infrastructure was previously defined as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters...." The NSHS added to this concept a concern for key assets, "individual targets whose destruction would not endanger vital systems, but could create local disaster or profoundly damage our Nation's morale or confidence. Key assets include symbols or historical attractions, such as prominent national, state, or local monuments and icons." ....
First thing we do is ...make a list!
DHS came up with the National Asset Database, which is supposed to be a "comprehensive catalog that includes an inventory and descriptive information regarding the assets and systems that comprise the nation's CI/KR." By the time the DHS got through with it, though, the national asset database list included ...everything, and I mean everything.
4,289 malls, shopping centers, retail outlets, and stores. 2,232 racetracks, theme parks, amusement parks, water parks, and casinos. 514 religious meeting places (including revival tents, presumably). 4,164 schools, including kindergartens and Head Start programs. 257 gas stations and libraries. 25 golf courses and 24 swimming pools. Recreational centers. 159 cruise ships. 34 Coca Cola bottlers/distributors. 244 correctional facilities, 718 mortuaries, and 571 nursing homes.
But of infrastructure we think of as being truly critical? Less than 1,000 -- 335 petroleum pipelines, 217 railroad bridges, 140 defense industrial base assets, 224 national monuments and icons; and 8 wind power plants.
Mission creep run amok
The OIG report describes not just DHS mission creep, but mission creep run amok (OK, so 'creep' that 'runs amok' is an oxymoron. You get my drift, though.) In the summer of 2003, IP identified 160 nationally critical assets. That's manageable.
Later that year, IP identified assets in certain specific sectors-- chemical, hazardous material, nuclear, business and finance, electric, oil and natural gas, transportation, commercial, and government facilities--that it determined required additional protection against terrorist attacks. Called the Protected Measures Target List, it numbered 1,849 assets. Large list, but still manageable.
Then, DHS asked state and local governments to provide their own critical infrastructure data. By February 2004, that data was combined with the Protected Measures Target List, to become a national asset list of 28,368 assets. That's already too large to handle. But the list still did not adequately represent the nation's 13 critical infrastructures or 4 key resources, so DHS called a second time for states and territories to submit critical infrastructure and key resource information. By July 2005, states had submitted another 48,701 assets, for a combined NADB of 77,069 assets!
Lack of criteria for submission to NADB
In its first call for data, DHS gave only minimal guidance to the states, asking only that they "consider any system or asset that if attacked would result in catastrophic loss of life and/or catastrophic economic loss." They did suggest specific types of facilities that states could consider while identifying CI/KR. The point is, DHS did not require the states to stick to any particular criterion. Guidance to the states was so minimal that the NADB got -- and decided to include -- such 'critical' assets as:
Old MacDonald's petting zoo
Mall at Sears
Bean Fest
Nix's Check Cashing
Amer. Society of Young Musicians
Trees of Mystery
Car Dealerships
Kennel Club and Poker Room
Historical Bok Sanctuary
4 Cs Fuel and Lube
DPW Landfill
Kangaroo Conservation Center
Assyrian American Association
[state] Right to Life Committee
Association for the Jewish Blind
[university] Insect Zoo
Bourbon Festival
Theological Seminary
Jay's Sporting Goods
Nestle Purina Pet food Plant
Auto Shop
Veterinary Clinic
Groundhog Zoo
Sweetwater Flea Market
High Stakes Bingo
Petting Zoo
[state] Community College
[a] Restaurant
Frontier Fun Park
[a] Travel Stop
Mule Day Parade
Beach at End of [a] Street
Amish Country Popcorn
[a] Pepper and Herb Company
The second call did little better. In its second call for state data, DHS kept the criteria for reporting vague and general so as to encourage states to submit any asset they thought to be important. Thus, without any meaningful criteria for reporting, the second call yielded such additional 'critical' assets as:
Psychiatry Behavioral Center
Order of Elks National Memorial
Ice Cream Parlor
Bakery & Cookie Shop
Inn
Donut Shop
Sears Auto Center
Wine and Coffee Co.
Sports Club
Casket Company
Bass Pro Shop
Muzzle Shoot Enterprise
Several Wal-Marts
Property Owners Associations
Apple and Pork Festival
Rolls Royce Plant
Pepsi Bottlers
Yacht Repair Business
Anti-Cruelty Society
Tackle Shop
Elevator Company
Center for Veterinary Medicine
American Legion
UPS Store
Heritage Groups
Parcel Shop
YMCA Center
Brewery
Mail Boxes Etc
Night clubs
DHS asked states to identify their nationally significant assets, but at the same time, did not discourage them from submitting any asset at all. The upshot is that only 14 percent of the assets in the NADB are nationally significant. More than 32,600 assets (42 percent of the total) are not nationally significant, and the national significance of the remaining 33,419 assets (43 percent) remains unknown.
The criteria for submissions to the database were so unclear, and submissions were so erratic, that there is absolutely no consistency in the data sent in by the states.This is useless. In fact, it's less than useless ...it's dangerous.
For example, New York apparently took the notion of national criticality to heart in its reporting; its assets in the banking and finance sector account for only 2% of the nation's assets in the database. But North Dakota, which may or may not have taken criticality to heart, reported more banking and finance assets than New York did, so New York is now ranked below North Dakota in banking & finance assets!
According to the database, Indiana all by itself has 65% of the national public health sector assets -- not because it actually has more than other states do, but because it reported more assets than other states reported. (Among other things, Indiana included many nursing homes among its 5,456 public health facilities).
The database records New Mexico as having a whopping 73% of the nation's entire crucial information technology sector, simply because New Mexico reported having 553 assets, whereas Virginia, reporting the next-highest number, listed just 68 IT assets. And so on. This is just crazy.
For all the Bushco talk of a safer America, post-9/11, we're all at the mercy of the least competent government in memory. Ever, in fact.
But hey. I'm sure we all feel much, much safer knowing that 73% of homeland security grants to protect information technology infrastructure will be going to ...New Mexico.
Heckuva job, you guys.