The risk-based approach: Prevent what you can, and improve resiliency.

So if you don't like this post, blame Steve Jobs (or you could blame fake Steve Jobs, since he's not real and is therefore less likely to seek retribution. Then again, he's Steve Friggin Jobs, how much time can he have for the little people?). Why? It all starts with my iPod. Yeah, I love that I can hold every album I've ever bought (and some that I just checked out from the library for a couple of hours -- that's ok, right?), but I have become a total podcasting geek. Every couple of days I'm checking iTunes for the latest podcasts by the Harvard Business Review, the Wall Street Journal, TED and Pop!Tech, the BBC Documentary Archive (a personal fave), and yes, occasionally The Economist. The Economist is a fantastic periodical, but I'm not as attached to their recent podcasts (though some of their older ones, particularly those on blogs and other social software like this one with Jerry Michalski, are probably to blame for the fact that I am now inflicting my opinions on you, gentle reader).

So yesterday as I'm driving to pick up takeout food (mmmmm, mexican) I listened to a podcast under their Democracy in America section on Homeland Security. They had a discussion with Jeremy Shapiro of the Brookings Institution. This is one that I feel like I have to comment on.

Now Jerry Shapiro is obviously very smart, and probably someone I'd get along well with socially, but his recommendation as discussed with The Economist misses on several counts. He recommends a threat-based approach -- focus homeland security resources only on those areas where we have specific threat information. According to Shapiro:

As far as I'm aware, there has never been a plot against a seaport. Well, why is that? It's because they're really not interested in blowing up seaports. They're not interested.... in attacking things that matter to us. They're interested in attacking things which matter to their constituencies: symbolic targets, civil aviation targets. From their perspective, the idea of blowing up a container ship, which wouldn't even be on television, is not the kind of thing they want to do.

Sounds reasonable, right? Except it's not. There's a couple of problems with this:

• This assumes that our current threat intelligence is airtight. I'm a former intelligence officer and in my opinion this is a big assumption. We never put the intel together on the 9/11 plot -- clearly intelligence capabilities and coordination has been improved since then, but I think even intelligence professionals would be hard pressed to guarantee that there are no gaps in our current assessment of the terrorist threat.
• And if you believe Nassim Nicholas Taleb, this problem is compounded by the fact that we're actually not very good at predicting the likelihood that something highly improbable, Taleb's 'black swan', will happen.
• Using the logic above (i.e., Al Qaeda will not attack a seaport in the future because they've never attacked a seaport in the past), I guess what we've learned from 9/11 is that Al Qaeda is very interested in blowing up the World Trade Center -- and now that that's gone we can all rest easy. Whew! (This reminds me of the logic used by Dana Carvey impersonating George H.W. Bush making a speech on the eve of the first Gulf War: "I can assure you that this will not be another Vietnam. Because we have learned well the simple lesson of Vietnam: (wait for it) STAY OUT OF VIETNAM!")
• What about the USS Cole in the Port of Aden? Ok, so that was a military vs. civilian target, but who doesn't remember the gaping hole in the side of the Cole as brave sailors worked to save it from going to the bottom. A port could make a compelling target.

Shapiro makes a good point that when resources are finite, you can't make everything invulnerable, nor should you try. So how does the private sector deal with this? Yes, you focus resources on threats that you know about, that happen all the time, whether that's once a day or once a year. But you also focus resources to address vulnerabilities or exposure, especially those low probability/high impact events where the impact would be so devastating that you'd lose the farm (or the firm) if something that calamitous came to pass.

You can't ignore vulnerability or exposure just because you lack specific, actionable threat information -- instead you set up tripwires to monitor the threat, you put mitigation measures in place to try to prevent it, and if you're really thinking you build either flexibility or redundancy into your operations to make your enterprise more resilient (thank you, Yossi Sheffi).

So, in sum...threat + vulnerability or exposure = risk. You can't do the calculation without considering both.

So, given the above, I'd argue that as part of the country's critical infrastructure, port and supply chain security fall into this high vulnerability category. We might not have specific threat info, but an attack on the country's supply chain would be so devastating, we have not choice but to manage the risk. So what kind of impact would an attack have? A wargame conducted by Booz Allen Hamilton and the Conference Board in 2002 involving a weapon of mass destruction in the supply chain was estimated to cost the U.S. economy $58 Billion. For a historical example, take a look at the 2002 West Coast port lockout -- everyone knew it was coming and the shutdown still cost $20 Billion. Let's say that again, we knew it was coming and the shutdown still cost us $20 Billion. Yeah, it's not the World Trade Center falling down, but you can't tell me that doesn't represent a vulnerability that's worth protecting.

To be fair to Mr. Shapiro, the rest of his recommended strategy to manage homeland security is sound, especially his focus on resiliency.

The Bottom Line: Supply chains are so integral to the U.S. economy that we can't afford not to protect them against natural or manmade disruptions -- protection both in the form of preventive security measures and system-level resiliency.