July 22, 2011 by David Olive
It is all but impossible for DHS to fulfill its mission of protecting the homeland when the bureaucratic processes they must work with fail to recognize that sometimes a partial solution is better than a delayed solution. That thought rattled around my brain last week when the House Homeland Security Subcommittee on Investigations, Oversight and Management, chaired by Rep. Michael McCaul (R-TX), held a hearing on technology acquisition. If I heard the testimony correctly, it was the first time DHS Undersecretary for Management Rafael Borras and Undersecretary for Science and Technology Tara O’Toole have appeared before the committee.
Because of House votes, which came less than an hour into the hearing, both Borras and O’Toole escaped with very limited questions from the few committee members who showed up. It is a shame that other committee members did not attend as there were many interesting things that came out of the testimony – including the creation of a new DHS Center of Excellence on Requirements, something that should greatly improve coordination and communications regarding acquisition and procurements.
Representatives from the Government Accountability Office (GAO), the DHS Inspector General and three private sector representatives also testified. They did not provide much support for the way DHS has interacted with the private sector concerning the acquisition of technology and services over the past year or so. That is not surprising given the inept way DHS headquarters has handled many private sector relationships since the current administration came into office. Too many DHS employees are under the misimpression that talking with private sector stakeholders is forbidden – a myth that needs to be destroyed as quickly as possible.
To his credit, Borras talked about his effort to cultivate supporters by having regular meetings with industry and public-entity stakeholders and he announced the creation of a Center of Excellence for Requirements within DHS, which he claimed would help expedite acquisitions, not delay them.
Dr. O’Toole explained that S&T was doing the best it could to reach out to private sector interests, but due to the many demands upon her staff and a limited time and budget for meetings with the private sector, they could not meet with everyone who wanted to meet with them.
To illustrate his frustration with these answers, Chairman McCaul said that he had made several requests in writing to DHS for meetings with technology companies, and he had not gotten a response to any of his requests. McCaul is right to be concerned, of course, and U/S O’Toole’s response in particular did not mitigate his concerns. Still, there is a hopeful feeling that DHS headquarters and S&T are slowly addressing the issue.
I have less hope, however, that GAO will ever understand the real-world environment in which homeland security acquisition ought to occur. The GAO report released to coincide with the hearing shows me that they just don’t “get it.”
Perhaps it is the GAO culture or it is simply the nature of what GAO believes it is supposed to do, but to listen to GAO witnesses is to believe that any amount of risk is too much. The GAO report on DHS’ deployment of Advanced Spectrographic Portals (ASPs) for detection of radiological and nuclear materials criticized DHS for failing to do extensive testing and evaluation before deployment.
I understand the need to do testing and evaluation and no one would condone spending money on a system that does not work. But that is not what I see developing in the GAO “mindset,” which seems to identify ANY level of risk as questionable, if not outright unacceptable.
When has there been a GAO report about DHS or a DHS program that said, for example, “A 70 percent solution is better than what was previously done?” When will GAO accept Navy Rear Admiral Wayne E. Meyer’s “Deploy a Little, Test a Little, Learn a Lot” approach?
Homeland security, as almost everyone acknowledges, is about layered defenses and layered systems that, in the aggregate, serve as a deterrent to a potential terrorist attack. When GAO testifies as they did last week and when they evaluate technologies without looking at where they fit into a layered system, they risk sending the message that individual components must always work perfectly, that “improved solutions” are suspect unless they are “perfect solutions” and that no deployments should occur – irrespective of the threat level – until a TRL8 status is achieved.
The harsh reality, as we found out from the terrorist attacks in Norway this past Friday, is that the evildoers in the world will not allow us to play by the rules that GAO espouses. Would that the threat we face waited until our detection systems met all of the requirements of GAO’s bureaucratic babble about full operational testing.
The American public will accept a level of risk, and less-than-perfect technology, if our government tells them the truth and doesn’t set false expectations.
Nor should we promote the atmosphere within DHS that buying and deploying systems that are somewhat less than perfect is a risk that should be avoided, which seems to be the opposite of what GAO and some members of Congress have adopted. We should not be tied down to deploying only those systems that have received full operational field testing. The threat is too real, too immediate and too deadly to wait for check-the-box exercises that please the GAO.
Doing homeland security business at the speed of federal bureaucracy is just plain wrong. Using common sense, taking responsibility for our individual and collective actions, and recognizing that all risks cannot be eliminated by technology best describes the mindset that will keep us safe and secure and, yes, more resilient in the event of a catastrophic attack.
Just once I’d love to hear someone stand up to GAO, instead of being intimidated by them, and make GAO accountable for the risks of delayed deployment. Just once I’d love to see GAO explain how the recommendations they make will save more lives. But GAO doesn’t have to provide an ROI analysis of their recommendations and that affects their credibility – at least from where I sit.
We cannot do homeland security at the speed of bureaucracy, nor should we.
Originally posted in Security Debrief.