Mike Dayton is the acting secretary of the California Emergency Management Agency and is the second person to lead the agency, which was formed in 2009 after the merger of the governor’s offices of Homeland Security and Emergency Services. Dayton had worked at the state’s Office of Homeland Security since its inception in March 2003. Prior to joining California government, he was a congressional staffer in Washington, D.C., for 13 years.
Question: Discuss the state’s efforts since the National Infrastructure Protection Plan (NIPP) was released in 2006 to identify and protect critical infrastructure.
Answer: Right after 9/11 we had identified a list of all the critical infrastructure sites in California using the CARVER [Criticality, Accessibility, Recuperability, Vulnerability, Effect and Recognizability] method, and we also had the California National Guard do the first cut of assets in the state. Once the NIPP was out, it was easy to go out and match our existing list with what the DHS [U.S. Department of Homeland Security] considered critical. So we’d like to think that the DHS looked at us to say, “OK, how did you guys develop your list and what can we learn from you?”
It seems like a really difficult process to compile that list.
In terms of criticality, at first the guiding factors and metrics were: What are the high-profile targets? What is it that al-Qaida, other terrorists and criminals would be interested in? What have actual threats been against in the past, since we know that terrorists like to return to the same target and the same types of targets?
We can look abroad and see the systems that terrorists are attacking — mass transit systems, aviation and the consequence side of the chemical facilities. We put all that together and determined a list that would have high consequence, highly symbolic targets and would also fit the pattern of known threats.
Are there other targets that you can mention?
It has become more and more apparent that soft targets — anywhere there are mass gatherings — are important to pay special attention to. It’s clear that the initial emphasis was on inflicting as may causalities as possible. But after Mumbai, the national and intelligence community consensus is that we have to be prepared for small arms. We’ve put a lot of effort into training our [California Highway Patrol] officers and our local first responders and police officers on small arms tactics after those events. We want our critical infrastructure structure program to be intelligence driven and by that, we really wanted our efforts and investments to be focused on where the threats are. We rely on the fusion centers to provide us with that information. So we’ve got a really strong nexus in California between our fusion centers and our critical infrastructure protection program.
How do the fusion centers factor in?
Early on we embedded a critical infrastructure analyst in all our fusion centers — we have five in California. We put analysts in there to outreach with the critical infrastructure sectors and to monitor the threat stream coming in on critical infrastructure, so they’d be able to provide us a strategic assessment in the domains as well as statewide and say, “These are sectors that we think are highest at risk based on intelligence.” So then we can match that and the high-consequence targets. We are making our investments much more wisely because we are intelligence-led.
On the list of critical infrastructures that need protecting, where do dams fit in?
Dams are obviously very high consequence, so that puts them very high on the list. In California, the population is in the south and the water is in the north, so we were one of the first states to do an assessment of a system of infrastructure, and we focused on water. We also rely on the fusion centers and the CIKR [Critical Infrastructure and Key Resources] to help us develop relevant training, exercise programs and scenarios. There were a few instances after Mumbai where our analysts [looked at] how terrorists carry out these attacks, suspicious activity, and the indicators that people in our neighborhood could have picked up on.
They developed a tabletop exercise for the hotel owners and operators and said, “This is what we really need. How would our local hotel security guards report suspicious activity?” So it is a quick turnaround on some of the training that we do, and through that process, we identify the gaps in the security. It makes us much more agile to the relevant threats out there.
We have the terrorism liaison office, but that’s the template that the rest of the nation uses. [We also have] CLOs, or community liaison officers, who go out into a specific sector, whether it’s water, financial intuitions, soft targets, malls or transit, and say, “Here is the suspicious activity that you need to be aware of and here is what you need to report. If you see something, this is who you need to report it to, this is your fusion center and this is where you will be getting information from.” Those officers are responsible for reaching out to the private sector, which actually owns all these assets.
What’s the cost of all the training and programs the state has?
Our investment in training and exercises is probably in the neighborhood of $4 [million] to $5 million annually. Our responsibility is to get the training program certified by the DHS and by California’s post standards so the officers get credit for their state training, but can also use federal funds to go to DHS-certified training. We’re responsible for more than 40 percent of the courses that have been certified by the DHS. We represent more than 12 percent of the population, so we’re doing a lot of course development, investment and training. We also added an additional condition onto our state grants — which I’m very reluctant to do, but we have done it in training — that 10 percent of investments at the local level must be spent on training.
What’s the state of communication between government agencies and private-sector entities concerning threats to critical infrastructure?
That’s an area that needs more work, and it’s really about clarifying who’s responsible for the communication and the governance, because there are a couple different players. It’s getting them into the room and mapping out, with input from the private-sector entities, who do you want to receive information from, and more importantly, what type of information is needed from the national intelligence community. We’re kind of the filter of the national intelligence community and information coming up from the locals to the private sector.
What makes that so difficult?
Different mission directions from the very top. Unfortunately they have not deconflicted the missions at the national level. We’re trying to bring them together at the operator level so that it makes sense to the private sector. My greatest fear is not getting any information at all, which I don’t think is the case. However, if we blanket them with information that’s not useful, are they going to pay attention to the information that they really need?
Can you talk about the challenges to protecting all of these sites, since California is such a huge state?
The challenge is the scope of assets in California — the breadth and diversity. That’s really why we rely more on intelligence-led efforts for protecting critical infrastructure. If you protect everything, then you really are protecting nothing. We are well aware of the high-consequence targets. We have to know the type of targets terrorists are likely to attack, but we can’t be so locked into those two things that we suffer from a lack of imagination on what else could be out there. It’s a hard mix, but I think if we rely on the intelligence and the common sense of people who know the areas best at the local level, then we are going to do a good job. Also key is investing heavily on prevention into the fusion centers — we want to disrupt the plots before they happen, so we’re banking a lot on that.