‘The Homeland’ is bringing you a series of candid, intimate interviews with former Secretaries of the Department of Homeland Security throughout the month of October.
DHS was born out of 9/11, when 23 different agencies were pulled into one department in an effort to provide greater organization and communication in the government’s ability to address threats to the homeland. It’s a different world today than when DHS was created, and the threats today are now more varied, complicated and digital, than they were when the department was formed. And with the evolution of cyber threats from criminal groups and nation states, DHS’ ability to work with the private sector is even more important.
Cipher Brief CEO & Publisher Suzanne Kelly talked with former Department of Homeland Security Secretary Michael Chertoff, who now serves as Executive Chairman of The Chertoff Group. Chertoff served as DHS Secretary from 2005-2009.
Kelly began by the conversation by asking about the one fateful day that changed everything about the way the U.S. government focuses on threats.
The Cipher Brief: What do you remember about 9/11?
Chertoff: I had become the head of the criminal division at the Department of Justice as an assistant Attorney General in June, so I had been on the job for about three months. Back in those days, the responsibility for dealing with domestic incidents was with the Department of Justice, because there was no Homeland Security. I was driving into work - I had one of those old car-phones - I was on the phone with my deputy and he told me that the TV just said that a plane had hit the World Trade Center. I had a reaction, initially, that some small plane pilot must have gotten confused and hit the building. And as we were talking, my said that a second plane had just hit the World Trade Center, and he and I both said, ‘this is not an accident’.
A few minutes later, I arrived at the Department of Justice, and we went across the street to the FBI operations center, which is where domestic incident management would be run, and Bob Mueller was there. He was very new on the job – I’ve known Bob for 35 years, we’ve been friends – and as I went over, I learned about the plane hitting the Pentagon. Once I was over there, I watched us track the plane that was ultimately taken down over Shanksville, Pennsylvania, but looked to be headed toward Washington and really, that day, and the next several days and weeks afterward were about stopping further attacks.
Many people don’t realize that we had some false alarms on 9/11. There was a transponder in another airplane that went off, signaling a hijacking, that turned out to be a mistake. There were rumors that taxi cabs had bombs in them that were going to be detonated, and there was a fire alarm that went off at the State Department, while we were talking to them on video-conference, people thought a bomb had gone off. So, it was a very real concern about what was coming next, and we were scrambling to figure out who the hijackers were and then to track all of their connections to see who else in the United States might be part of the plot.
The Cipher Brief: And the question of what was coming next was really one of the reasons why the Department of Homeland Security was created, to better identify threats and be able to address them. Given that the threat landscape has changed, do you see the department adjusting overall to new threats as quickly and efficiently as it should?
Chertoff: The threat landscape has changed in a number of ways. We’ve done a good job building an architecture to protect against foreign operatives coming into the U.S., like they did on 9/11. We’ve done that in terms of better collection of intelligence, the National Targeting Center, and other capabilities that we use to identify people who might be risks to the United States. But what has also changed is that, first of all, we’re now dealing with what I call “Terrorism 2.0 and 3.0”. Not necessarily the big attack like a 9/11, or like the plot in August 2006 to blow up a dozen airliners, but rather small-scale attacks like we saw in Paris at the nightclub or in Mumbai, or what I call “3.0” - which is inspired attacks: people who are radicalized and get behind the wheel of a car to run people over, or to pick up a gun or a knife, and those are very hard to detect. The key in those cases is often how quickly and effectively you respond. So, I think those threats have changed. I also have to say that I believe the possibilities of ideologically-motivated violence are now, not only jihadi violence, but extremists of the right and the left. We could see a return to the days of the late 50s/60s when we had very left-wing or very right-wing extremists carrying out attacks against Americans.
The Cipher Brief: And now today, of course, we have something that you didn't really focus on back when 9/11 happened, and that is the cyber threat and the evolution of that threat. DHS plays a lead role in protecting the homeland from those threats, along with the FBI. DHS plays a leading role now in working with the private sector, which finds itself under constant cyber threat. Is DHS still the right place to house that main point of interacting with the government?
Chertoff: I think so, because the way we’ve organized the government now, which is what we envisioned back under President Bush, was the responsibility rests with three agencies to deal with cyber threats. Cyber warfare and the protection of the military is Department of Defense. Investigation of cyber criminals is the Department of Justice and then protection of infrastructure is DHS and that includes protection against bombs and also against cyber attacks. We’ve got the lanes in the road marked and the issue now is promoting close relations with the private sector to help them raise their capability and their level of awareness.
The Cipher Brief: Since leaving DHS, and co-founding The Chertoff Group, you’ve worked closely with private sector businesses and I assume you understand their risks pretty well. Is the private sector getting what it needs fast enough when it comes to cyber threats?
Chertoff: I think there are two issues here. One is, of course, there is always a concern about whether the government is sharing quickly enough. In many cases, I think actually there is quite a bit of sharing, and that’s particularly true with sophisticated sectors of the economy like the financial sector or the electric utilities. But in some instances, delays or difficulties in getting people cleared and a kind of parsimoniousness about granting clearances means that you can’t really convey information that’s actionable in a ready fashion, and I think we need to basically become a little bit more willing to treat the private sector as ‘needing to know’ so that once we’ve cleared their backgrounds, we can actually bring them into the tent. I think that’s one issue.
I think another issue that the private sector has now, is that there are so many solutions, that we are inundated, and we have no idea what to do, and we could bankrupt ourselves if we do everything. What we try to do at The Chertoff Group is help CEOs and boards sort through what’s out there in terms of threats, understand what is relevant to them, and build a tailored strategy where they don’t simply try to buy everything, but they understand exactly what their key assets are, they build an architecture that allows them to do their business, but protect those assets, and then we help them acquire the tools that they need to execute on that strategy. That’s one issue that I’m hearing from the private sector.
Another thing the government could do is - in the area of terrorism - we passed the Safety Act about 10 years ago, which basically creates a liability cap for people who are developing technologies that are approved to avert terrorist attacks or mitigate them. And that creates a financial incentive for people to develop those capabilities. I think we need a Safety Act for cyber so that enterprises that are willing to invest intelligently in technologies and processes to protect their assets from cyber attacks, will get some sort of financial incentive in the form of liability caps or liability protections.
The Cipher Brief: Where do you think DHS will be, or should be, focused five or 10 years from now? In other words, I'm asking you to lean ahead a little bit. Do you see some other dramatic shift coming that is just not on our radar, given that we're dealing with so much right now?
Chertoff: I don’t think we’ll see something that you can’t see the seeds of now. But I think the threats will be amplified. I think we may see more violence - as I say, the extremes of the right and left – I think artificial intelligence will both be a threat in terms of the ability to increase what cyber terrorists or cyber criminals can do, but it’ll also be part of the solution. But the other thing I think we’ve always looked at, but it’s kind of fallen back a little bit, is the idea of a biological event or a biological weapon. We spent a lot of time on that when I was in office. After I left, I felt it became a little bit of a back burner issue for a while, although I think now the current secretary is beginning to again raise the focus on that, because particularly with some of the genetic engineering and CRISPR and some of the other technologies, we could have to deal with what would truly be a catastrophic event. Also, I think we’re going to have to deal more with natural disasters because climate change - whatever the source - is beginning to reflect itself in some very extreme weather trends, and I think that means we’re going to have to think about what the security element of that is.
The Cipher Brief: When you talk about the bio threat - and you and I have talked about that a number of times over the past several years – what is the worst case scenario for you
Chertoff: I think if you had a communicable disease that was fabricated and disseminated, that would be a very, very difficult thing to respond to and you would get panic, there would be an impact on the economy, an impact on life. We have countermeasures for a lot of things but getting them out there quickly is challenging and I actually think we ought to distribute a lot of the countermeasures in advance to local authorities. That was discussed while I was in office. Ironically, the FDA rejected it because they said “well these countermeasures require a prescription, and therefore you shouldn’t give them out unless someone’s seen a doctor.” I hate to say this, but if you have hundreds of thousands of people facing the threat of infection, there aren’t enough doctors to see everybody and examine them, so you better get this stuff out there quickly. So I do think the planning and the preparation is the key to dealing effectively with a biological event.
The Cipher Brief spoke with Secretary Chertoff in an extended interview. We will feature the full interview in an upcoming episode of the State Secrets podcast. This transcript has been edited for flow and clarity.
