E-Notes

Protecting Critical Infrastructure

by Stephen Gale

November 2007

Stephen Gale is co-chair of FPRI’s Center on Terrorism, Counter-Terrorism, and Homeland Security.

Analysts of the war on terror have recently come to see just how tempting America’s economic infrastructure is to our enemies. What has proven to be problematic for America and Americans is understanding the sources of the vulnerabilities, as well as the kind and level of protection required, and setting the priorities for protection.

Osama bin Laden has declared that disrupting the “joints of the American economy” (December 2001) and “bleeding America to the point of bankruptcy” (November 2004) should be the key objectives for the mujahideen. But as yet we have made only very limited investment in effective security measures. Worse still, given the fact that roughly 85 percent of the nation’s critical infrastructure—electricity, oil, water, and a variety of hazardous materials, including nuclear and chemical wastes—are privately owned and operated, it has proven to be a major problem even to determine who is directly responsible for organizing our defenses.

To the owners and the managers of the nation’s critical infrastructure, the improvement of the security for their facilities is clearly of great import—at least in the abstract. When questioned about the relatively slow pace of security improvements for the nation’s infrastructure, however, the facilities’ owners and managers repeatedly pointed to two major concerns: the “bottom line” and potential liability resulting from security failures. In short, various economic, legal, and insurance-related issues have turned out to be major obstacles that have thus far deferred the realization of major improvements in security.

There are three fundamental problems with the current policies for improving the security of the nation’s critical infrastructure:

  1. There are no standard procedures for either assessing the risks with respect to potential terrorist attacks or making recommendations for security improvements.
  2. The nation’s private sector risk management companies—principally the insurance industry—use actuarial assessment methods unsuited to the threat of terrorism.
  3. There are no agreed upon priorities for scheduling the improvements in the security of those infrastructure facilities that are most likely to be the targets of terrorist attacks.

By instituting modest changes in the procedures used for security due diligence reviews and the standards that are used to set priorities for security improvements, the nation could better deal with these problems and thereby manage risks ranging from operational continuity to potential catastrophic losses in financial markets. These changes would signal to Al Qaeda and the world’s jihadis that the U.S. is taking significant steps to protect itself both at home and abroad. Moreover, the changes can be implemented in a largely self-funding way.

The core change required is the development and application of a Security Impact Statement (SIS). This would be analogous to the Environmental Impact Statement (EIS) that is already an effective part of federal laws protecting the environment. Like the EIS, the SIS is designed as a means for both identifying vulnerabilities and determining the standards and methods used in protection and remediation.

The SIS would be derived from the application of a method for threat and risk developed by the U.S. Department of Energy and Exxon/Mobil to analyze security investments related to low probability-high consequence events.[1]

This Value-Added Model for Security Management system (VAM) is designed to (i) provide quantitative estimates of risks and vulnerabilities from expert information related to a wide variety of attack and protection scenarios; (ii) provide clear indicators of priorities for investments in security; and (iii) identify standards for making specific, effective, and efficient improvements in security. Supported by a grant from the Commonwealth of Pennsylvania, members of the FPRI Center on Terrorism, Counterterrorism, and Homeland Security, some of whom worked on the early development of VAM, have been refining the method for specific application to the post-9/11 threat environment.

Unlike the actuarial methods currently used by insurers and other risk managers—methods that are designed to deal principally with the financial consequences of security—the VAM system employs professional security expertise to estimate both the likelihood of specific terrorist attack scenarios and the impacts of alternative security measures. Furthermore, rather than focusing solely on the financial consequences of potential attacks, VAM is designed as means for driving the process of investing in security improvements. The VAM system thus sidesteps the need for actuarial methods by using information on national security, current intelligence data, and expert assessments of the value of alternative protection measures. In effect, experts are used as the basis for information on both the likelihood of specific threat scenarios and the likely outcomes of such threats (economic and otherwise). In addition, the VAM system also provides a method for assessing the potential outcomes of attacks and identifying the investments that result in operational standards for effective and efficient security.

Thus, the VAM methodology and its outputs, the SISs, could provide improvements in the uniform risk assessment that, if widely used by both public and private sector corporations, would stimulate greater protection for critical infrastructure. This benchmark could thus be an immediately effective way around the obstacles now impeding such improvements.

What It Would Take

  1. Adoption by the Department of Homeland Security. DHS’s adoption of VAM/SIS would require those using the system to undertake due diligence reviews for protecting infrastructure. Extensive consultation with industry associations would be a critical step in arranging acceptance of this system.
  2. Tax Incentives. As terrorism is a nationwide threat, and infrastructure a “common good,” it is justifiable and fair to share the tax burden that insurers and reinsurers currently bear with the public. Companies in compliance with the VAM-SIS plan might receive tax credits as partial cost relief in recognition of their improvements in terrorism risk minimization. Such a tax incentive would also restore confidence in the insurance industry’s ability to actually pay claims if and when an attack occurs, i.e., by providing support to the supply side, which would then generate an increase in demand for terrorism insurance.
  3. Bring Insurance Expertise into the Process. In recognition of the longstanding proficiency of insurance carriers to assess risk, the VAM/SIS scheme should be coordinated with existing insurance procedures. In fact, in some cases insurers already use information-based methods similar to the VAM analysis. The property and casualty insurance industry, for example, often faces problems similar to the terrorism threat: in many cases there is no substantial precedent from which one can extrapolate a probabilistic model. Instead, the right questions need to be asked by the right people. This specialization is due to the complexity and diversity of risks in the field of property and casualty insurance—a situation akin to the risks associated with terrorism. Both Lloyd’s of London and FM Global are examples of insurers that use non-actuarial guidelines in assessing such unusual risks.
  4. Best Practices. In addition, a “best practices” program would assist in reducing the costs associated with redundancy. Once the VAM-SIS scheme is up and running, security models can be documented and then applied to new entities and facilities with comparable terrorism vulnerabilities without having to repeat the process. For example, if a specific security proposal was successfully executed by oil refinery A, an analogous oil refinery B would logically merit the same or only slightly varied security improvements. Learning by doing would allow for economies of scale to emerge and thus be beneficial to all interested parties, including insurance companies.

Conclusion

This proposal offers the best answer to the problem insurers and their clients face in the post-9/11 world. In the absence of a dependable probabilistic framework to assess terrorism risk, VAM’s reliance on relevant expertise and continual access to intelligence data is the optimal solution. VAM and the SIS could also stabilize the terrorism insurance market by deflating premiums to reasonable levels and thereby bolstering confidence on both the supply and the demand side. Most significant, it will result in greater protection for the privately owned infrastructure central to America’s survival after disruptive attacks.

Due diligence on the domestic front is a logical extension of the wars we are currently fighting abroad. With a standardized risk mitigation program headed by the Department of Homeland Security, we can simultaneously lessen our susceptibility to terrorist attacks and improve our ability to recover if an attack is carried out.

Notes

  1. The General Accounting Office (GAO) described the method in its 1998 Report, “Combating Terrorism: Threat and Risk Assessments Can Help Prioritize and Target Investments,” http://www.gao.gov/archive/1998/ns98074.pdf . [back]

You may forward this email as you like provided that you send it in its entirety, attribute it to the Foreign Policy Research Institute, and include our web address (www.fpri.org). If you post it on a mailing list, please contact FPRI with the name, location, purpose, and number of recipients of the mailing list.

If you receive this as a forward and would like to be placed directly on our mailing lists, send email to FPRI@fpri.org. Include your name, address, and affiliation. For further information, contact Alan Luxenberg at (215) 732-3774 x105.