Gilmore Commission - Minutes
Panel to Assess the Capabilities for Domestic Response
to Terrorist Acts Involving Weapons of Mass Destruction
Friday, September 29, 2000
The Honorable James Gilmore, Chairman
James Clapper, Vice Chairman
L. Paul Bremer
Ellen Embrey, Department of Defense Representative
Michael Wermuth, RAND project director
M. Patricia Quinlisk
(The Honorable James Gilmore opened the second day of the meeting with a brief welcome and introductions, including the Honorable William H. Webster. Mike Wermuth then introduced the RAND Survey Group and the Marine Corps/Batelle Consequence Management Group for their presentations on nationwide survey efforts.)
Webster: If I forget to say anything else, it is that if you put a system together, you have to get everyone to exercise the system. That is important; if you don't exercise them, the systems don't work. There was a federal element in the LA crisis that was effective, but there was not substantial analysis as to who could help best where. Cyber-terrorism is important with CBRN because systems have to be tracked and secured. Security is always too much until the day it is not enough.
I couldn't help but think about how far we've come. Our first hostage crisis center was about half the size of this room. Now the FBI crisis management center occupies a whole floor and is designed to handle two crises at a time. I hope that is making us more effective.
We have done a good job to reduce the number of incidents, but the capacity to inflict harm has gone up. We have to get there before the bomb goes off; just finding the person is not much consolation.
The private sector is also worried about its own security -- computer crime and cyber attacks. Chances are the private sector will be a major source of helping the government tap in and solve its information protection problems.
I don't believe that everybody can be everything in this complicated and high-risk world. Prioritizing the threat and giving the resources to those people who need the resources, things of this kind are important. Local law enforcement needs to be properly trained and properly equipped to protect themselves and those around them. Good intelligence has always been a key element of this protection. The law enforcement community is a combination of systems and people; they are not looking for a lot of money or a lot of fame. How these people are led and encouraged is very important. We cannot afford the luxury of egos and attitudes.
VIII. Questions and Discussion for the Honorable William H. Webster.
Chairman: We are struggling with how to put together a framework for dealing with domestic preparedness and one aspect is the sharing of intelligence information. How would you assess the likelihood of successful communication between highly placed intelligence authorities in DC and local people who need to play a role in the overall response?
Webster: It is a matter of prioritizing information and elevating through the classification process people who can make that happen.
Chairman: So if we designated positions down in the states and then define the type of information they could use, next we would have to get the collectors used to letting that information "go" - I guess that's the administrative challenge.
Webster: I agree. You do not need to have every organization replicate certain skills.
Bremer: One of the things that we recommended in our commission that might be relevant here is the fact that, when the FBI gets information on an immediate threat it does disseminate it very well; it's the rest of the analysis that gets filed away by the agent and never becomes part of the larger picture. We recommended that the FBI take a lesson from the CIA who has a staff that is in charge of making sure it is sanitized and sent out to the people who need it, and we could recommend that it be further sanitized and gotten down towards the local level.
Webster: I agree.
Shine: We've been looking at the way domestic terrorism is evolving, for example 2-3 people rather than an organization, or religiously motivated terrorism; how in your view does that change the intelligence gathering activity and how does it change our report on how we emphasize the communication element?
Webster: We need to keep in mind that terrorism is always a moving horse. How far you take your search for what somebody believes might be there, is a big problem. We have to follow the (intelligence gathering) rules and accept the risk that goes along with a democracy. The community does itself more damage by avoiding these rules.
Foresman: It is our recommendation that states should have the capability to move within the classified system. Should there be a mechanism that encourages a second look?
Webster: Yes, I think the law enforcement community should submit itself to an objective analysis of the threat. You don't want the perception that a group is chasing its own agenda.
Wermuth: You made a strong statement that you think people ought to work within the AG guidelines. This panel is prepared to suggest that maybe these guidelines are not as clear as they should be, and need to be reviewed.
Bremer: The problem with FISA is that the DOJ FISA office has become the "judge," sending everything back until it is filtered to be sent to the court. They have added additional requirements not in the Act for getting to the FISA court.
Webster: I always favor clarity. They should be looked at from time to time, not in the light of a crisis, but in a period of calm to set the context and the capabilities of the enemy. We should not make it too difficult to do our job. Sometime these activities often get encrusted with rules that go way beyond what the Act requires.
Jenaway: Have you seen things developing that we need to address… fire, medical emergency, or law enforcement.
Webster: I'm not totally comfortable that the money from Nunn-Lugar has been spread appropriately. In these situations, readiness is everything.
Wermuth: This panel is prepared to say that the CIA HUMINT restrictions need to be revisited. Could you comment on that?
Webster: The effort now is an over-reaction, and you would be wise to think about straightening that out. Someone in a supervisory way does need to question specific judgments, but it doesn't have to be the director. The important thing is: Are you getting reliable information or helping somebody do something that is contrary to our value system?
(Chairman thanks Judge Webster for his time and valuable input)
Falkenrath: When are we going to talk about Strategic Goals and Objectives-Readiness Model?
Chairman: We'll see if we can't get some more discussion time in later.
IX. Health and Medical Issues Sub-Panel (Ken Shine reporting for the sub-panel).
Shine: I hope I'm representing the views of the group. What we are presenting to you is the general outline of how to deal with health and medical issues. We began with basic principles about health and medical response, and then we asserted some specific issues and the research agenda that we view as necessary.
We believe that the report should begin by recognizing distinctions between biological and chemical weapons and make these distinctions more clear. In addition, our recommendations should build on existing capacities. Our emphasis is on a multi-purpose approach. We recognize that some response requirements will be different, but in so far as possible these should be dealt with systems of care and nested in other emerging programs. In addition, our recommendations should emphasize the need for periodic testing and readiness exercises in the public health community.
The public health community needs to work with law enforcement and fire communities and be sensitive to evidence gathering requirements. This is particularly difficult because we based our discussions on the assumption that a lot still relies on the individual practitioners. Therefore we believe that a successful system must include mandatory recording, and what is recorded and under what circumstances needs to be standardized. This recording and communication should not just be electronic. Some rural general practitioner might not feel comfortable checking resources online. The correct people in the public health community need to identify the type of information necessary and where it needs to go.
Pre-Hospital Care: We see the care of these people as a continuum. There needs to be established protocols: What do you treat on the spot? What do you tell the receiving hospitals?
Public Health Systems: What in fact are state laws/rules for quarantine? There is no homogeneity as far as we can tell and again, we need to clarify these kinds of issues.
Hospitals: Re-certification should include WMD training for medical examiners, infectious disease specialists, EMT responders, pathologists etc. The interface needs to be nurses as well as doctors and other health professionals.
Research Agenda: How large should our stockpiles be? How long do those vaccines work? What about other agents besides anthrax? We need a more rapid diagnostic capacity. We also need better and better ways to deliver treatments. For example, for mass exposures it would be good to have inhalation procedures.
Chairman: This sounds like a fairly expensive proposal.
Shine: What we are saying is "use the existing system." Educate the various components of the system and have them talk to each other. We need to come up to fairly reasonable standards. There is nothing in this that requires a huge investment in any health component. Most of the investment would probably be in EMT, and emphasizing the importance of the public health system. And research should be coordinated and focused.
Maniscalco: It's more exploiting the current system and encouraging the private system to get involved. For example, we have various education boards and facilities that exist but none of them have stepped up to the plate and built this into their training system.
Chairman: This panel, in the first report, wanted to downplay the threat, and therefore resources ought to be thought about in that way. Is this initial assessment still accurate? No change in philosophy whatsoever?
Shine: The initial threat assessment is still valid. On the threat: a) it is real, b) it is likely to take place at a small level, c) our concern is in the spectrum of less dramatic: How to strengthen the current system to include an educational piece and protocols. We don't have protocols for what to do if you suspect that it may be a minor terrorist attack. In California, every healthcare system has disaster exercises periodically. Once in a while, this exercise should include a terrorist incident.
Maniscalco: It's some quick, down and dirty fixes… that don't cost so much.
Shine: It is a tough question trying to decide how much you should contract for. The question is how you model that on what you would need to vaccinate enough people to stop the epidemic. Some people don't agree with the model and want a lot more. The 40 million doses for smallpox is a reasonable stockpile. Remember, you still have to reproduce this every now and then.
Chairman: What I'm hearing your report say, is that if we have a system in place, alert devices etc., we can minimize the danger.
Jones: The largest failure is to bring in the public health and the hospital systems. Part of this problem is that much of the health care system is private and not public. You get into proprietary concerns of hospitals versus hospitals.
Shine: Yes, we should include something on hospitals and available beds for disasters, Mike.
Falkenrath: What is the goal of the preparedness level that we are looking for? What do we think of the current federal program - stockpiles, surveillance systems, R&D? That is the specific commentary I would recommend, an endorsement or criticism rather than a detailed plan.
Shine: We thought we should first look at an ideal, then say how the federal program does or does not address these principles and issues. My own personal view is that you might want to condense this report. The report should not only instruct the Congress, but helping the working professionals solve these problems is also a useful outcome of this activity.
Clapper: We want to capture as much of this as possible.
Ralston: One of our problems is that each county has a county health office, and they are trying to figure out ways to get the training. It is a real challenge to try to re-teach them that these are main weaknesses.
Maniscalco: It is also going to take changes in attitudes and belief systems. It's hard to teach the crisis management community to bring public health into the system. C.A is a best practice state, but other states aren't dealing with this.
Williams: We might want to put a reference to some of these "protocols" in an appendix.
X. Strategic Goals and Objective-Readiness Models.
(Wermuth introduces the topic saying that the issue is how to address the strategic end-state goals that we are trying to achieve. Falkenrath argues for some form of preparedness numerical matrix)
Marsh: We need to avoid dealing with the "eaches." One of our dangers is producing an iron template. We want broad guidelines and we need to be careful of telling them exactly how to do their jobs.
Bremer: We need to keep the specifics clear, concise, and focused; that is what's going to have an impact on Congress. What are the three or four most important things we want to recommend?
Falkenrath: I think the starting point is that the administration does not have a strategy. Let's go a bit further and propose one. I think we as a panel could make a contribution if we layout a system of forming goals. I recommend we should create a "preparedness index."
This index should be simple, not a complex matrix, possibly on a scale of one to five like a military unit and its system of readiness. The leader could say, "I would like all of my agencies to be at level X." A major metro area's goals would be higher and large cities would not be as high and then plus it up in special situations. This is the sort of thing that if I were a single policy maker, I would want to know where I could get the country when it comes to readiness.
Chairman: I think that it's a good idea to come to a measurement scale, but wouldn't it be better to put it in terms of "goals" rather than scales? What if you "settle" on three and then the terrorist picks out twos? Then the public is going to hang the public official if there is an attack.
Williams: Maybe I'm not getting it. It looked to me that you were not focused on individual cities, but on areas. If the areas are rated according to the criteria, that would put pressure on areas to cooperate and it would alleviate the stress on one particular city.
Falkenrath: I was sort of neutral on the area that is evaluated or identified, but you suggest another idea. I envisioned this tool as primarily a federal tool, which is our mandate, so the federal policymaker would have this and his guidelines. It's entirely reasonable for some governors to have their own, for resource purposes.
Chairman: It seems to be that if you just set a goal, as opposed to a scale, then opponents can criticize the goal, but it is easier to defend.
Jones: The fallacy here is trying to define an "effective response." The fire community has been trying to struggle with this for 150 years. You may end up punishing people for being better. Let's put up general goals.
Bremer: The trouble is that it does not answer the main issues. For example, how do we know if that money is well spent? I don't think we are doing our job if we don't say "to do what?" and have at least federal level goals. At least Rich's matrix helps measure this.
Chairman: I wonder how much you can micro-manage that, does this panel want to address this?
Vice Chairman: I think we would be advancing the ball if we introduce a notional concept. I would suggest we consider introducing it as "an idea." In all the previous studies no one has even attempted to suggest a process. JB is right on we are spending a lot of money. But how to count up hospital beds… that is something that we don't want to do in this report.
O'Brien: We need to define outcome measurements or at least identify them. We should identify the characteristics, for example what does a "ready" community look like?
Reno: I hear Ken Shine say that you're not going to get credibility unless you have a quality section on healthcare. If you don't want a debate in the intelligentsia on whether the measurement model is right, go with the major objective of getting the organization right, and hit a few critical things; focus on the goals & strategies of getting the organizational model right. Write blueprints for next year on healthcare, measurement and readiness recommendations, and then hopefully you have a management structure to use those goals and objectives.
Chairman: We will probably discuss this issue next in a conference call.
Wermuth: I recommend that we get some of these people together and have a smaller group to talk specifically about strategic goals before the conference call.
(Break for lunch. Working lunch was then followed by presentations from the National Security Council (Jeffrey Hunker), Critical Information Assurance Office (CIAO) (John Tritak), National Infrastructure Protection Center (NIPC) (Leslie Wiser), Joint Task Force-Computer Network Defense (JTF-CND)(CAPT Bob West), and Lee Zeichner, consultant to CIAO.)
Hunker: Why is the threat of cyber-terrorism and cyber-attacks an important issue?
We are suffering the hidden costs of the dependence on these Internet systems. A combination of dependence, vulnerability, and threat means that we really need to worry about this. It is the beginning of an exponential curve and history is not a good guide for the future in this area. You should also very directly be concerned about cyber-terrorism because national security systems rely on the Internet and phone systems.
(Discussion on the National Plan for Information Systems Protection.)
Tritak: Quite candidly, we are trying to translate PDD 63 into business terms. It was a bold gesture that the federal government decided not to regulate. Implicit is that the industry will do the prudent thing and that the government and the industry will work together. We have engaged Wall Street and the auditing community in which a case of action is presented to them emphasizing the fact that the implications of failure in a cyber attack go straight to operational survival and customer confidence. This is only the beginning for whatever we conclude of the advisability of regulation if the market fails the government has the obligation to regulate when the market fails. Until then, the CIAO is about promoting business responsibilities.
Wiser: CIAO is the policy maker and we are the investigative arm. The NIPC is an interagency center to provide the investigative response to cyber attacks.
We will publish a plan that will give law enforcement agencies "best practices" for how to defend themselves. We also have a public-private partnership. In this partnership we developed a program called INFRAGUARD in which we can engage in information sharing with private industry.
In addition to the INFRAGUARD, we have developed a "key asset" system to help people identify assets and find out what would happen if that was targeted and have established state/federal/local liaisons as well as foreign and private sector representatives.
West: We have to be careful when we equate cyber events to WMD, the effects are not the same. On the other hand, the state sponsored guy has access to intelligence capability that the individual hacker does not have access to, as well as the mental ability to get a synergy of affects with an attack. There is no silver bullet with intrusion devices or any other technology. Connectivity means risk and attribution online is difficult at best. The laws are restrictive and things are potentially getting worse. About your charter - in my view your charter is a reactive approach. We need to figure out how to be proactive and preventative. For example, it is not a crime to map our networks to the extent that they can as long as they don't penetrate beyond a designated barrier. Even if they do break this barrier, it takes months for attribution.
Zeichner: This panel can offer an enormous amount of good by raising this issue in the context of your charter. Technology has proceeded so quickly that the legal framework cannot handle it. Y2K has taught a number of lessons. Primarily, if we ask for laws to be changed, the consequence management community says "Why? We don't need it! Everything is under control." Yes, from this small box, but the larger picture needs more laws and changes.
Questions and Answers
(Administrative note, last panel minutes approved)
Chairman: Why is cyber-terrorism not a weapon of mass destruction?
West: We do not want to continue to say that this (cyber-terrorism) is a weapon of mass destruction. It does not make cities go away. It could bring a military to its knees, but WMDs are things that kill a lot of people quickly.
Chairman: It may, of course, be a weapon of mass "economic" destruction.
Hunker: Within 18 months to 3 years time you will have significant attacks on US national security, broadly defined. This is very real.
Wermuth: When used in conjunction with a conventional attack, you could inhibit the response services. Is there any entity that is doing or has been tasked with doing a comprehensive threat assessment on the nature of the threats, the probability of the threats, and the results of such threats, and does this get updated?
Wiser: We do provide updates and analysis with our sites and alerts.
Chairman: We can assess this in two aspects: 1) in support of an NBC attack, 2) and an "economic" weapon of mass destruction.
Chairman: We should look into a second briefing that is classified.
XI. First Responders and Law Enforcement Discussion.
Wermuth: Has anything bubbled to the top on this? Have we missed anything?
Jenaway: I think there are a couple of overriding themes that we need to keep in place. There are still numbers of people who have no idea what this is all about, so there is still an educational aspect.
Maniscalco: Eighty percent of first responders are volunteers. These people can't take time off from work to take part in trainings.
Jenaway: Physical resources are also still an issue.
Foresman: The philosophical response is 0 losses. If we are talking WMD, is it reasonable to assume there may need to be a philosophical change? Is it reasonable to say that we are going to give every major city a specific capability? Can we look at this more on a regional basis?
Vice Chairman: Also, there is an image that the CIA has all sorts of information and it's not sharing. But you at least need to create the concept of what information is there and you have people used to what it is and to access it and know what to expect.
Embrey: In the context of WMD and the Disney Worlds, what is their responsibility to this and how do they fit into the picture?
Chairman: If we get into public education, why wouldn't they communicate with their law enforcement communities?
Vice Chairman: Yes, the government definitely has the responsibility to educate the public sector.
(Discussion on further administrative matters and adjournment).