Rethinking the Homeland Security Enterprise
The 20th anniversary of the founding of the Department of Homeland Security looms in early 2023. What should the next Quadrennial Homeland Security Review study?
Published by The Lawfare Institute
in Cooperation With
The 20th anniversary of the 9/11 terrorist attacks on America passed in Sept. 2021. The 20th anniversary of the founding of the Department of Homeland Security (DHS) looms in early 2023. And yet it is fair to say that DHS (and more broadly the Homeland Security enterprise that spans across government) remains poorly appreciated and even ill-defined. A significant period of uncertainty and disruption was to be anticipated upon the establishment of DHS, but for nearly two decades to have passed without greater clarity is both surprising and, in many ways, dismaying.
To a large degree, this unfortunate circumstance is not through lack of effort or imagination. Spanning four administrations, most of the professionals who have considered the question of homeland security have done so with the best interests of the nation at heart and with a high degree of thoughtfulness and ability. (I concede that this is not universally true, but that circumstance is a problem of a different nature and outside the bounds of my remit for this assessment). What then accounts for the continued problems with the U.S. approach to homeland security?
DHS’s initial difficulty and confusion were, as I said, understandable. The first Secretary of DHS, Tom Ridge, is reported (probably apocryphally, but certainly accurately) to have likened the creation of DHS and the development of homeland security doctrine to an effort to build an airplane while getting shot at. In a moment of crisis, it is difficult to see past the next day—much less think strategically about a problem.
That is why one of the key improvements at DHS from the late-Bush era was the requirement for DHS (and the whole of government) to undertake a Quadrennial Homeland Security Review (QHSR). In the name of full disclosure: I was a strong advocate of this measure at the time. The QHSR was deliberately modeled on the successful structure of the Quadrennial Defense Review (QDR) undertaken by the Department of Defense every four years. The idea was to periodically force the government to review its overall strategic objectives and modify them as appropriate given changed circumstances.
One can see the value of that exercise in thinking about how the QDR (now called the National Defense Strategy) has evolved. A QDR exercise in the mid-1980s would have planned for a mobile battle against the Soviet army on the plains of Germany. One from the early 2000s might look to conflict in the Middle East and the terrorist threat. Today’s version of the Defense Department review (the 2018 National Defense Strategy) turns a lens toward the strategic need to provide a counterweight to Chinese expansionism. Once the “ends” of a strategy are properly set, the “ways” and “means” of achieving the objective can be identified, including any gaps that need to be addressed. The point of the QDR and the QHSR is to define those ends.
The first Homeland Security QHSR was a challenging bit of work for an organization that had never done strategic planning of this sort before. The 2010 QHSR identified the major strategic imperatives for DHS as preventing foreign terrorist attacks; managing the border; enforcing immigration law; securing cyberspace; and ensuring resilience to disasters. Given the context in which it was written, that is, at a time when no doctrine or baseline of strategic thought existed, the effort to particularize the homeland security problem was admirable. By any fair measure, it was a qualified success (and, indeed, given its focus on cyberspace as early as 2010, rather ahead of the curve in its predictive efforts).
It is fair to say that the 2014 QHSR was less transformative and more of an elaboration of prior thought. The five fundamental pillars were unchanged, though some of the emphasis was modified a bit. But the overall focus was the same—as is evident, for example, in its characterization of the strategic environment and its focus, again, on a changing, but continuing threat from foreign terrorism.
And, sadly the Trump Administration showed no interest in doing a QHSR. Despite a statutory mandate to conduct such a review, it skipped the exercise altogether in 2018. That gap contributes, substantially, to the continuing lack of focus in the homeland security enterprise.
But I think, as well, policymakers and national security thinkers have yet to come to grips with how the very concept of homeland security has changed over the years. It is time to rethink the question from the ground up. Evolution is a natural aspect of the threat environment; U.S. adversaries are adaptive and so U.S. responsive strategy must adapt as well.
Which brings us to 2022 and the QHSR that DHS will be expected to deliver later this year. What should it say? While it is possible (indeed, relatively easy) to simply take the 2014 QHSR and update it, that would be, in my view, a mistake. Too much has changed and too much has gone unsaid in the last eight years (or 12, actually, if you accept my characterization of the 2014 QHSR as simply evolutionary). The homeland security environment is vastly different today than it was in 2010. The upcoming QHSR is a time to ask big, important questions about what the government means today by homeland security and how to deal with it.
I should add that I write this list without concern for political expediency—fully recognizing that some of what I suggest is not in any way likely. But, in my view, the value of a zero-baseline strategic inquiry is to do so without preconditions. After that, one might consider the art of the possible—but the proper first ground is to ask what would be an idealized approach.
With that in mind, here are my own idiosyncratic thoughts on areas of consideration—others will offer different ones. Note, that while I have instincts about the proper answers to the questions, the goal at this point simply is to identify areas worth considering as part of a strategic review.
Is Immigration Really a Homeland Security Issue?
Immigration efforts occupy between 34 and 44 percent of DHS’s effort (depending on how you measure the allocation of resources). That’s a huge commitment of time, money and attention. And the broader U.S. focus on immigration issues will never go away. So, immigration is no doubt an issue of real significance.
It is worth stepping back, however, and asking whether immigration is a security issue in the same sense as, say, the threat of a terrorist attack on American soil. Initially, the instinct to include immigration in the homeland security enterprise seems to have made some sense. The first conclusions after 9/11 were that terrorist entry into the U.S. was, in part, a failure of our immigration vetting system, and that supported the structure we put in place.
But experience in the last 20 years suggests that security vulnerabilities in the immigration system are relatively few and of relatively little significance compared to other aspects of the problem. One now might think (as some argued back then) that immigration issues are more significantly cultural, economic and geopolitical in nature. It is worth at least asking the question whether or not characterizing immigration as a security issue (and housing it at DHS) does not distort the U.S. approach to the question. And, it likewise may distort or distract from the government's approach to other security matters by diverting attention and resources.
Is Cybersecurity Cross-Cutting and Worth Centralizing?
Today, the main locus of domestic non-military cybersecurity preparedness and response resides in the Cybersecurity and Infrastructure Security Agency (CISA), a component of DHS. Other parts of the federal government have significant related responsibility—the Justice Department does cybercrime prosecution; the Commerce Department looks at domestic cyber competitiveness policy; DOD protects military networks; and the list goes on. It is fair to say that almost every component of the federal government (and almost every state and local entity) has some governmental responsibility for cybersecurity.
That structure has grown up organically. And it reflects the distributed and dynamic nature of the cyber environment. To a very large degree, CISA has been remarkably effective and successful in the first few years of its existence, a result that suggests leaving well-enough alone. But it seems at least worth asking whether or not the current state of connectivity and dependency on information technology warrants creating a stand-alone governmental structure with greater centralizing authority.
At a minimum, it does strike one that the U.S. lacks, so far, any centralized source of ground truth about cyber risks in the nation. But my own instinct is that a distributed response capability is inevitable. Now is as good a time as any to try and re-think these questions: what is it that the government can do best in the cyber domain and which parts of it are best left to the private sector?
Is DHS a Ministry of Interior?
Or, more broadly speaking, is there a way to rationalize domestic law enforcement, both within DHS and more broadly across the entire federal government?
Currently, domestic law enforcement spans the gamut of interests from small specialty organizations (like the criminal investigation units at Environmental Protection Agency and Fish & Wildlife) to broad generalists like the FBI. And, though little known, DHS has the largest law enforcement contingent in the federal government. Yet DHS’s efforts have been controversial, as we saw, for example, in Portland and are sometimes characterized as operating with limited transparency and oversight. At least, to some degree, DHS is starting to look more and more like a traditional European ministry of the interior.
Perhaps that resemblance is a good thing, though I personally suspect not. But whether for good or ill, the trend toward a larger domestic federal law enforcement presence is relatively clear. And it behooves policymakers to consider it dispassionately. To date, the federal government seems to be drifting toward a more centralized federal law enforcement operation. Is that a good thing?
What about Domestic Terrorism?
DHS was born in the fires of the World Trade Centers, the Pentagon and the open fields of Pennsylvania. As such, its primary focus was on foreign terrorism. That focus was confirmed (or so it seemed) by other early plots, like the Christmas shoe bomb plot.
The focus then mutated. Instead of foreign terrorists coming from overseas, homeland security grew to encompass domestic threats—but they were still threats, like the Boston Marathon bombing and the Times Square bomb plot, that involved radicalization in place with ideas from overseas. Even though the physical threat originated domestically, the ideologies for the threats were still foreign.
Today, perhaps not so much. It seems clear that at least to some degree threats to homeland security are now exclusively domestic in nature—both originating here and motivated by domestic ideology. To the extent that is the case, many of the lessons we’ve learned from combatting foreign terrorism are likely inapplicable. And that, in turn, suggests at least a partial strategic re-thinking of the homeland security enterprise. It makes less sense, for example, to devote significant resources to nuclear security at the border if the predominant threat inside the country is from white supremacist gun violence. This is not to say, of course, that the foreign threat has been eliminated—but it is to suggest the need to at least think about re-evaluating relative priorities.
Is Disaster Response a Homeland Security Function?
The U.S. response to the disaster caused by the 9/11 attacks was chaotic and incomplete. This is unsurprising—the government had neither planned for nor practiced responding to terrorist events of this sort. Though the government had ample experience responding to natural disasters, those charged with setting up DHS felt as though that experience did not translate readily to responding to terrorist incidents. And so, the Federal Emergency Management Agency (FEMA) was made a part of DHS.
Experience over the past 20 years suggests that this was unnecessary and perhaps even counter-productive. Since 9/11, virtually all of U.S. disaster preparedness and response has continued to be in response to natural events. And there is some suggestion (with modest evidence to support it) that FEMA’s placement in DHS has perhaps even degraded some of our response capabilities. Meanwhile, my own view is that it is likely that by including terrorist incidents in our planning scenarios we can more readily translate our natural disaster expertise to other incidents, perhaps rendering coordination concerns moot. In short, there is modest evidence that disaster response is actually a security function or, perhaps more accurately, significant of evidence that it mostly is not a security function. Here, too, one might consider what the implications of that realization are.
* * * * * *
Ultimately, my own assessment is that the U.S. is prisoner of the past in its conceptions of homeland security. The initial conception of homeland security, and what it means for the nation, is bound up in a singular event—the attacks of 9/11. U.S. homeland security structure was designed to respond to that event and prevent it from recurring. But foreign terrorism is not the only homeland security concern—and today it may not even be in the top-three of what most threatens our “domestic tranquility.” To the extent that is so, the current homeland security enterprise is mis-aligned with true need. And if that’s the case, then the forthcoming QHSR review is the perfect time to rethink our strategic priorities.