2016 National Preparedness Report Released

The fifth National Preparedness Report has been released by FEMA.  The National Preparedness Report is based upon, as the report states, input of more than 450 data sources and 190 stakeholders, including 66 non-federal organizations (which would account for state preparedness report submissions and information from Urban Area Security Initiative regions).  The report is intended as a summary of where the nation stands in regard to each of the 32 Core Capabilities outlined in the National Preparedness Goal.

As mentioned, this is the fifth National Preparedness Report to hit the streets.  While they have some value and demonstrate that the data collection that is done is actually collated, I feel that through the years they are offering less meat and more potatoes.  I appreciate the highlighting of best practices for each mission area, but, to me, there is a missed opportunity if a report is simply providing data and not recommendations.  While it’s understood that the goal of the National Preparedness Report is not to provide recommendations (it would also take longer to publish the report, and the people pulling the data together do not likely have the expertise to create recommendations), I’d like to see FEMA (and stakeholders) have follow up efforts to provide recommendations in each mission area and not miss this valuable opportunity to then apply the findings and look forward.

Below, I’ve included their overall findings with a bit of my own commentary.  Overall, I will say that there is nothing eye opening in this report for anyone who pays attention.  It’s pretty easy to guess those Core Capabilities which are at the top and those which are at the bottom.

  • Planning; Public Health, Healthcare, and Emergency Medical Services; and Risk and Disaster Resilience Assessment are the three Core Capabilities in which the Nation has developed acceptable levels of performance for critical tasks, but that face performance declines if not maintained and updated to address emerging challenges.
    • My commentary: BULLSHIT.  If these Core Capabilities are at ‘acceptable levels’, then our standards must be pretty low.  Planning is the one that disturbs me most.  We continue to see plenty of poor plans that are not realistic, can’t be operationalized, and are created to meet requirements (which are typically met by formatting and buzzwords).  Have we improved?  Sure.  But I wouldn’t say we are at ‘acceptable levels’.  As for Public Health, Healthcare, and Emergency Medical Services, we are struggling in certain areas to simply keep our heads above water.  While we are fairly solid in some areas of public health, one only needs to look at the Ebola incident to view how fragile our state of readiness is.  The findings for Planning and Public Health, to me, are nothing but shameful pandering and we need to get realistic about where we are at and the challenges we face.  Gold stars won’t stand up to the next disaster.  As for Risk and Disaster Resilience Assessment I have admittedly less experience personally.  I do know that we have some pretty incredible tools available that can help us determine impacts of various hazards for any given area under a variety of conditions, which is an amazing application of technology.  My concerns here are that there are still many who don’t know about these tools, don’t use them, and/or don’t follow the findings of information from these tools in their hazard mitigation actions.
  • Cybersecurity, Economic Recovery, Housing, and Infrastructure Systems remain national areas for improvement. Two additional Core Capabilities – Natural and Cultural Resources, and Supply Chain Integrity and Security – emerged as new national areas for improvement.
    • My commentary: NO KIDDING. While we have made a great deal of progress on Cybersecurity, we are still far behind the criminal element in most respects.  It also needs to be fully recognized in the National Preparedness Goal that Cybersecurity is a Core Capability common to all five mission areas.  Economic Recovery will always be a challenge, as every community impacted by an incident has a certain way it heals, essentially along the lines of Maslow’s Hierarchy.  A strong local economy is important to this healing, ensuring that the community has access to the resources it needs to rebuild and a return to normalcy.  While I’m sure studies have been done, we need to examine more closely how the economic recovery process evolves after a disaster to identify how it can be best supported.  Housing is the absolutely most challenging Core Capability in the National Preparedness Goal.  While I don’t have a solution for this, I do know that our current approaches, philosophies, and ways of thinking haven’t moved us an inch toward the finish line on this one.  We need to change our current way of thinking to be successful.  As for Infrastructure Systems, I could go on for days about this.  I’ve written previously, several times, (as have many others) on the critically fragile state of our infrastructure.  It’s no big secret.
  • States and territories continue to be more prepared to achieve their targets for Response Core Capabilities, while they are least prepared to meet their targets in the Recovery Mission Area.
    • This is another NO KIDDING. While we must always have a greater focus on Response, as that’s where lives are saved and the immediate danger is addressed, we can’t lose sight of Recovery.  Some recovery activities are more clear cut than others, and FEMA often muddies the waters more by inadvertently intimidating state and local governments when it comes to disaster recovery, as the focus becomes centered more on reimbursable activities vs doing what needs to be done.  The report included some interesting findings (take a look in the Recovery Mission Area drop down on the web site) on ‘mixed trends in exercising recovery capabilities’.  Again, this is nothing earth shattering, but it’s nice to see the matter addressed.  Yes, we clearly need to exercise Recovery Mission Area Core Capabilities better and more often.

These reports are always worth looking through, even though much of the information is generally known by those of us in the profession.  There are always little nuggets of learning available, and data from the report may be used to support your own endeavors for additional funding or resources for your own program.

As always, I’m interested in your insights and thoughts on this post and the National Preparedness Report.

© 2016 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC – Your Partner in Preparedness

 

Several New CyberSecurity Efforts in the News

Over the past few days, there have been media releases about several new cybersecurity initiatives that should have broad reaching benefits.

Timothy Riecker

First, Govtech.com reported on New Jersey’s consolidated fusion center-style approach to cybersecurity.  About a year ago, the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) was formulated, following the model of the National Cybersecurity Communications Integration Cell (NCCIC).  Co-located with the NJ State Emergency Operations Center and with support from the NJ Office of Homeland Security and Preparedness intelligence resources, the NJCCIC is keeping a watchful eye on cybersecurity matters internal and external to state government and sharing information with the private sector. This is a model effort that will hopefully grow and change based on identified opportunities in both New Jersey as well as other states who have yet to build such a capability.

EDM Digest recently reported on an initiative from the National Governor’s Association to form a multi-state working group, or academy as they are calling it, to create strategies to fight the evolving cybersecurity threat.  States contributing to this effort include Connecticut, Illinois, Louisiana, Nevada, and Oregon.  While not states we would usually think of as being on the forefront of cybersecurity issues, each does have significant business and industry which will hopefully serve as partners and resources in this endeavor.

Lastly, US Representatives Richard Hanna (R-NY) (who represents my district) and Derek Kilmer (D-WA) introduced the Small Business Cybersecurity Act to help American entrepreneurs protect themselves from cybercrimes and create cybersecurity plans that meet their business’ needs.  Co-sponsors of the bill included a range of Representatives of both parties from across the nation.  The release states that three out of every five cyberattacks target small businesses, and with small businesses making up a significant portion of the US economy, it is vital to help protect them.  I couldn’t agree more!  The intent of the bill is to create no-cost legislation to leverage the expertise of Small Business Development Centers (SBDCs) around the nation as an information distribution point for cybersecurity preparedness.  Let’s hope this one passes!  Express support for the bill to your Congressional Representative!

All in all, it’s encouraging to see continued effort toward cybersecurity protection, preparedness, and response.  As with the preparedness efforts we see in emergency management, I hope soon these efforts in cybersecurity will become more unified and closely knit.  While they all technically fall under the President’s Cybersecurity Strategy, we need to ensure connectivity of these efforts to help prevent duplication of effort and minimize holes.  We also want to ensure that access to services and resources that are available are comprehensive and streamlined to the greatest extent.  Let’s keep cybersecurity in mind and continue this work!

© 2016 – Timothy Riecker, CEDP

7 Emergency Management Priorities for the Next Administration

Heritage.org recently published a piece outlining the top four homeland security priorities for the next administration, which can be found here.  It’s a thought provoking article that certainly identifies some important issues.  In the same spirit, I’d like to offer what I think are the emergency management priorities for the next administration.

1) Support an Effective FEMA Organizational Model

The Heritage.org model pointed out several issues with the DHS organization that need to be addressed sooner rather than later.  I’d like to add some FEMA-specific items to their suggestions, regardless of if FEMA is kept within DHS or not (honestly, I think that ship has sailed and FEMA is there to stay).

In building a bit of background for this article, I took a look at FEMA’s current strategic plan, knowing that the document already identifies some of their priorities.  Within in that list of priorities, they mention mission and program delivery, becoming an expeditionary organization, posturing and building capability for catastrophic disasters, and strengthening their organizational foundation.  To me, these four all directly relate to their organizational model.

Along with having a strong central administration of programs, FEMA needs to have agility in their program delivery.  This is best accomplished through the FEMA regional offices, which act as an extension of the ‘central administration’ by coordinating directly with states and neighboring regions to apply those programs in the best possible manner within the guidelines of the program.  While this is currently performed, it is not performed to the greatest extent possible.  John Fass Morton provides some great perspective on this approach in his book ‘Next-Generation Homeland Security’.  Info on the book can be found here.

2) Bolster Risk Reduction Programs

I write often about preparedness, as that has always been a focus of my career.  Risk reduction, however, is essential to eliminating or reducing the impacts of hazards on communities.  Risk reduction includes all aspects of hazard mitigation and resilience, which are ideally applied at the local level but supported by state and federal programs, policies, and resources.

While the National Weather Service has implemented and promoted the StormReady program, which encourages community resilience, the best program we have ever had in our field is Project Impact.  I’d love to see a revival of Project Impact (call it that or something else – I don’t really care), incorporating the concepts of StormReady as well as other best practices in risk reduction.  A big part of this program MUST be incentivization, especially access to funds that can be applied for in the present for hazard mitigation activities.

3) Build a Better Cybersecurity Program

This item was added to the list by a colleague of mine.  It’s also found on the Heritage.org list.  It must be pretty important, then.

Yes, there are a LOT of initiatives right now involving cybersecurity, but I think there can be more.  Jon, the same colleague who suggested this for my list has also stated repeatedly that cybersecurity is really a Core Capability that cuts across all mission areas – Prevention, Protection, Response, Mitigation, and Recovery.  The recent update of the National Preparedness Goal suggests this, but sadly doesn’t commit.

What do we need in regard to cybersecurity?  First of all, we need to demystify it.  There are plenty of people out there who have just enough tech savvy to turn on their computer, send some email, and post to Facebook.  While that may work for them, they are likely intimidated by talk of cybersecurity, hackers, and the like.  We need to continue programs in plain speak that will help to inform the average consumer about how to protect themselves.

Better coordination with the private sector will pay off heavily when it comes to cybersecurity.  Not only is the private sector generally better at it, they also have a tendency to attract experts through better incentives than the government can offer, such as higher pay.  Cybersecurity also impacts everyone.  We’ve seen attacks of all types of systems.  The only way to stop a common enemy is to work together.  Let’s think of it as a virtual whole-community approach.

4) Prepare for Complex Coordinated Attack

Another of Jon’s suggestions.  While terrorism is often quickly shoved into the category of homeland security, there is a lot that emergency management can assist with.  These types of attacks (think Mumbai or Paris) have a significant impact on a community.  They require a multi-faceted approach to all mission areas – again, Prevention, Protection, Response, Mitigation, and Recovery.  While law enforcement is clearly a lead, they must be strongly supported by emergency management as part of a whole-community approach to be successful. Preparedness across all these mission areas must be defined and supported by federal programs.

5) Infrastructure Maintenance

We have roads, bridges, rail, pipes, and other infrastructure that MUST be maintained.  Maintenance (or replacement) will not only prevent failure of the infrastructure as a disaster itself, but will also make it more resilient to impacts from other disasters.  Yes, these are projects with huge price tags, but what alternative do we have?

6) Continuity of Existing Model Programs

There are few things more infuriating than a new administration wiping the slate clean of all predecessor programs to make room for their own.  While every administration is entitled to make their own mark, getting rid of what has been proven to work is not the way to do that.  Eliminating or replacing programs has a significant impact all the way down the line, from the federal program administrators, to the state program people, to the local emergency managers who are often understaffed and underfunded to begin with.

Changing gears is not as simple as using a different form tomorrow, it requires research and training on the new program and costs time to re-tool.  While I would never say there is nothing new under the emergency management sun, as I believe we are still innovating, I’m pretty skeptical of some new appointee walking into their job and making wholesale changes.  While improvements can certainly be made, summary execution of successful programs does no one any good.  Let’s not make change simply for the sake of change.

Related to this, I fully support the efforts of FEMA in the last few years to gain comprehensive input on changes to documents and doctrine through the formation of committees and public comment periods.  This approach works!

7) Pull Together Preparedness Programs

NIMS, HSEEP, NPG, THIRA, etc… While each of these programs have their own purpose and goals, more  can be done to bring them together.  I’m not suggesting a merger of programs – that would simply make a huge mess.  What I’m suggesting is to find the connections between the programs, where one leads to another or informs another, and highlight those.  Things like better application of the Core Capabilities within HSEEP exercises to have a more effective evaluation of NIMS capabilities (I suggested this while being interviewed for a GAO report), or referencing the THIRA when building a multi-year training and exercise plan.  While some jurisdictions may already do this, these are best practices that should be embraced, promoted, and indoctrinated.  These links typically don’t add work, in fact they capitalize on work already done, allowing one project/program/process to be informed or supported by another, creating efficiencies and supporting a synchronization of efforts and outcomes.

There is my list of seven.  What are your thoughts on the list?  There are certainly plenty of other ideas out there.  If you had the ear of the next President, what would you suggest be their administration’s emergency management priorities?

© 2016 – Timothy Riecker

Emergency Preparedness Solutions, LLCYour Partner in Preparedness

FBI vs Apple – iPhone Security

The struggle over encryption and device security continues.  This time it’s more visceral, representing the most relevant case on the side of criminal justice yet.  In the wake of the San Bernardino shooting, the FBI is seeking to gain access to an iPhone discovered in the vehicle where the shooters made their last stand with law enforcement.  The FBI is hoping to find additional evidence on this phone – phone records, emails, texts, etc. that might lead them to information on other conspirators of the attack, other potential targets and attackers, and anything else that might lead to prosecuting those involved in this attack or stopping future attacks.  Gaining access to this information is obviously extremely important.

The problem – the phone is locked with a passcode, and the FBI doesn’t know what that code is. While trial and error is certainly a viable methodology, Apple’s architecture limits passwords attempts to 10.  Once the tenth attempt fails, the iPhone will go into a sort of self-destruct, wiping all data from the device.  The FBI needs help, and they are seeking it from Apple.  Apple declined requests and is now being compelled by a federal judge who ordered Apple to assist the FBI in gaining access to the phone.  Apple is fighting the order – but why?

First of all, Apple states there is no ‘back door’ into their system that will allow them to bypass a security code.  On principal, they decided not to create one since if it exists, it can be exploited.  Based upon this, the FBI has requested that Apple at least disable the 10 attempt fail safe in the iOS programming, allowing the FBI to press on with many more attempts to crack the code.  Apple continues to refuse, again citing the potential for someone with criminal intent exploiting this.  Essentially, Apple feels they are protecting their customers from criminal acts and loss of personal information.  The CEO of Google recently voiced support for Apple’s stand.

This debate poses two strong arguments, each pulling at our values.  On one side, we need to support the efforts of law enforcement to prevent, protect, and prosecute.  The evidence gathered from a situation such as this can potentially lead to finding co-conspirators in these horrible shootings, and can potentially stop other crimes from occurring.

On the other side, there is also concern over preventing future criminal activity by those who would steal information.  Keeping in mind that what we have on our phones is not only a browsing history and Disney World selfies, but also private information such as bank accounts, and even access to business information; the theft of which can be devastating to individuals and entire organizations.

There are valid arguments on both sides, and consequences to action and inaction all around, with implications much broader than this one case.  I’m interested in seeing how this shakes out.

What are your thoughts?

© 2016 – Timothy Riecker

National Preparedness Goal: Second Edition Just Released

Today FEMA released the second edition of the National Preparedness Goal.  This document, which only has a few substantive changes from the original, provides a vision for preparedness across the nation.  It is best known for identifying the five mission areas of Prevention, Protection, Mitigation, Response, and Recovery; along with the Core Capabilities.  Many thanks to my colleague Jon who brought this release to my attention.  The updated National Preparedness Goal and associated documents can be found here.

There are not many changes in this update, and the changes that are included should be of little surprise if you reviewed the draft released for public comment several months back.  Up front, the update provides some editorial clarification on the definitions and relationships between the federal government and tribes as well as US territories.  It also provides more emphasis on the concept of whole community and the special populations within the whole community which may require additional protections and actions.

Perhaps the most significant changes are reflected in the Core Capabilities, of which there are now 32.  In the preamble to the Core Capabilities which discusses the concept of Risk, it is interesting to note that the Core Capability of Cybersecurity was specifically highlighted as having applicability across all Mission Areas – a concept which I fully agree with.  I’m left wondering, then, why it was not re-defined as a common Core Capability.

NPG 32 Core Capabilities

NPG 32 Core Capabilities

Other changes to the Core Capabilities include the renaming of the On-Scene Security and Protection Core Capability to On-Scene Security, Protection, and Law Enforcement; and the Public Health and Medical Services Core Capability to Public Health, Healthcare, and Emergency Medical Services.  Additionally, the Public and Private Services and Resources Core Capability was renamed to Logistics and Supply Chain Management, which seems to provide better recognition of the intent of that Core Capability.  Finally, a new Core Capability was added – Fire Management and Suppression.

Three of these changes seems to revolve around a stronger recognition and inclusion of the traditional first responder services of Law Enforcement, Fire Service, and Emergency Medical Services; all of which seemed to get lost in the bigger picture of the earlier capability discussions.  I’m hopeful these changes will help bring these services to the table in more communities when capabilities are discussed.  I’m a firm believer that the Core Capabilities provide a consistent, scalable, foundation for discussion of preparedness for every community.

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

WWW.EPSLLC.BIZ 

What is the Top Sector at Risk for Cyberattacks?

3D Electric powerlines over sunrise

According to this article in the Insurance Business America magazine, it’s the energy sector.  This is no surprise, even without the statistics provided in the article; although the statistics are pretty staggering.  The article states that according to DHS “more than 50% of investigated cyber incidents from October 2012 to May 2013 occurred within the energy sector”.  The advice in the article is pretty sound and coincides well with what I’ve suggested many times in this blog… be prepared!  Not only do power utilities need to have their own cybersecurity experts and the policies, plans, and infrastructure to prevent cyberattacks, they also need to be prepared for the potential success of the attackers.  They need to know who to notify (and how), and what actions to take.  Further, those that depend on electricity should have an alternate means of obtaining electricity to meet essential needs.

Threats to our infrastructure show just how interconnected we are and how interconnected our critical infrastructure is.  This is the primary reason why our energy infrastructure, which touches every other sector, is so essential.  We must ensure that we have in place prevention and protection plans, such as cybersecurity plans; hazard mitigation plans to lessen the impacts; response plans to address critical issues; and recovery plans to return to operations.  Business continuity is also an essential component of this – even if you are an NGO or government entity (continuity of government).

Along with proper planning, training, and exercises, we need to continue to promote legislation which requires measures for cybersecurity and protection of our critical infrastructure.

What are your major critical infrastructure concerns?

© 2015 – Timothy Riecker

EMERGENCY PREPAREDNESS SOLUTIONS, LLC

WWW.EPSLLC.BIZ

Cybersecurity, Encryption, and Backdoors… the debate rages on

If you aren’t up on the debate regarding data encryption, you should be.  It’s an interesting debate with strong positions on either side.

Eric Geller with The Daily Dot authored an interesting article last week on the subject.  It’s quite in depth and lengthy, but worth the time to read.

http://www.dailydot.com/politics/encryption-crypto-war-james-comey-fbi-privacy/

What are your thoughts on encryption?

– TR

Chinese Government Cyber Attacks

Homeland Security Today just linked to two related articles on Chinese government fueled hacker attacks.  The first article is ‘Report ties 100-Plus Cyberattacks on US Computers to Chinese Military’ and the second article is ‘China: Aiding Hacker Attacks on West’.

As mentioned in my most recent post on Cybersecurity, these attacks, intended to steal information, harm our infrastructure, and destabilize our economy need to be classified as acts of war.

How should we respond to these acts???