Protection Money
n March, when the law firm Venable convened a briefing for potential clients on a proposed Food and Drug Administration rule, the firm's lawyers were hoping for a good turnout. But even they were surprised when top trade officials from more than 40 countries showed up at the firm's Washington office. Among the countries represented were major U.S. trade partners such as Canada, France, Germany and Australia. The purpose of the briefing was to discuss a proposed FDA rule that would require both domestic and foreign food companies-firms that manufacture, process, pack or simply store food-to register with the agency and to provide advance notice of any shipments arriving on U.S. shores.
The regulation has the potential to be costly not just for foreign firms, but also for U.S. companies that import goods from abroad. "No one would disagree that we need to ensure that food is not tampered with," says Jim Jatras, the Venable partner who organized the briefing. "But the way this regulation is written, it appears that every warehouse in the world is going to have to register with the FDA." And that, Jatras added, would impose immense burdens on businesses. "Everyone right now is talking about the public safety side, as they should be," says Jatras. "But at some point, considerations like facilitating global commerce will have to reassert themselves."
Since the Sept. 11 terrorist attacks, there has been enormous public pressure on government to spend more money on homeland security, to hire more federal workers, and to impose new regulations on at-risk businesses, such as food importers and airlines. But business executives, reluctant to spend more on security precautions, have begun to argue that sometimes the costs outweigh the benefits. And some highly placed government officials are starting to listen.
As the first head of the Office of Private Sector Liaison at the Homeland Security Department, Alfonso Martinez-Fonts is at the center of a battle between industry and Congress. He's gotten an earful from industry, which has resisted new security mandates from Washington. He's heard it from the other side too, with many Democrats in Congress insisting that industry will not take the necessary precautions without being required to do so.
On one point, everyone agrees: The security of the private sector, which owns 85 percent of the country's critical infrastructure, is crucial to the security of the nation. But Martinez-Fonts and John Graham, head of the Office of Information and Regulatory Affairs at the Office of Management and Budget, are struggling to determine whether new security measures are worth the financial cost to American businesses and the likely cost in limits to civil liberties and privacy. "We are in the midst of a decade-long federal effort to find the right approach to homeland security," Graham says.
In February, even before the Homeland Security Department officially came into being, DHS put out its "National Strategy for the Physical Protection of Critical Infrastructures and Key Assets." The report argues that, in contrast to national security, homeland security is a shared responsibility that involves government at all levels and the private sector. But on the thorny question of whether the Bush administration will impose new security rules on industry, the report says incentives will, in most cases, suffice to convince industry to protect itself. Additional regulations, the report says, "should only be necessary in instances where market forces are insufficient to prompt the investments necessary to assure critical infrastructure and key asset protection."
Martinez-Fonts echoes that point. "I think the government's role, and certainly DHS', is not a regulatory role," he says. After a career in banking, Martinez-Fonts is working his first government job. He likens his role at DHS to that of an ombudsman, or representative for industry within the department. "People keep asking why would industry spend money [to boost security] as if that would be frivolous," adds Martinez-Fonts. "But industry is concerned about self-preservation."
Some in Congress disagree. In a recent letter to Homeland Security Director Tom Ridge, Sen. Joseph Lieberman, D-Conn., expressed his doubts about relying too much on market incentives as opposed to regulation. "Businesses, including small businesses, may not have expertise in homeland security matters and may need guidance from the federal government as to the appropriate actions they need to take to effectively protect the infrastructure and assets under their control," he wrote. Incentives, in other words, may not always work.
Likewise, in a January report, Brookings Institution economist Peter Orszag, along with Geoffrey Heal, a professor at Columbia University's Graduate School of Business, and Howard Kunreuther, a professor at the University of Pennsylvania's Wharton School, argued that in many cases, businesses do not, in fact, have incentives to spend money on new security precautions. "Private markets will often not provide adequate protection against terrorist attack on their own, since individual citizens and businessmen tend to worry more about the immediate challenge of making a profit than about the extremely unlikely possibility that their properties or facilities will be attacked," they wrote. In fact, the scholars concluded that companies have a disincentive to invest in security when their competitors-or businesses on which they rely-are not also making such investments.
Government has a responsibility, they argued, to shift corporate incentives toward security by enacting some security regulations. Another way to shift corporate incentives, they say, would be to require firms in critical sectors to buy terrorism insurance. Insurance companies presumably would offer lower rates to companies that take greater precautions against terrorism, thus providing incentives for companies to do so. A bill to ensure federal assistance to insurance firms wary of offering terrorism insurance became law last year, and most insurers now provide coverage. But according to a March survey by the Council of Insurance Agents and Brokers, an insurance industry trade group, most firms aren't buying. "Many [firms] are opting not to buy it, because they don't think they are at risk," says council President Ken Crerar. At the same time, he added, some firms that are clearly potential targets have not purchased coverage because of the high cost.
And last October, the Council on Competitiveness-a Washington association representing companies in an array of trades-found that industry as a whole is reluctant to address the possibility of terrorism. In a survey of 230 top executives at different firms, the council found that 92 percent did not fear that their businesses could be terrorist targets. Less than half said they had spent additional money on security since the Sept. 11 attacks.
The General Accounting Office took the chemical industry to task in a March report (GAO-03-439). The industry's Washington trade group, the American Chemistry Council, has asked members to follow a set of security guidelines, which the council has developed. But, according to GAO, "No agency monitors or documents the extent to which chemical facilities have implemented security measures." Neither does the chemistry council itself, and as a result, "the extent of security preparedness at U.S. chemical facilities is unknown." On Capitol Hill and in the Bush administration last year, reluctance to regulate sunk a chemical plant security bill sponsored by Sen. Jon Corzine, D-N.J. A group of 11 Democratic senators, led by Corzine, hope to move the bill again this year.
Similarly, in a December report (GAO-03-334), GAO criticized the Transportation Security Administration's efforts to secure air cargo. The agency urged TSA to adopt a "risk management approach" to ensuring cargo security. "Without a comprehensive plan that incorporates a risk management approach, TSA and other federal decision-makers cannot know whether resources are being deployed as effectively and efficiently as possible" to reduce the risk of a terrorist attack, GAO found. Sen. Kay Bailey Hutchinson, R-Texas, introduced a bill last year to boost security requirements for air cargo companies. The Senate passed it, but the House did not.
In a few instances, DHS' national strategy suggests that new regulations might be appropriate. The blueprint says, for example, that DHS will pursue legislation that would require chemical facilities producing "large quantities of hazardous chemicals in close proximity to population centers" to undertake vulnerability assessments and take steps to reduce any weaknesses. New security precautions might also be required of pipeline firms, oil and gas producers, and telecommunications companies, the plan says. As yet, however, DHS has revealed no new proposals, and an agency spokeswoman would not comment on any that might be forthcoming.
In a few instances, regulations are already in place. The airlines have suffered the most obvious new burdens, facing a wave of regulations since Sept. 11. They continue to seek billions in federal relief. But other industries have been affected as well. And in each case, the outcry from business has come fast and furious. Universities are up in arms about new rules restricting foreign students' access to visas. The rules that business advocates are lobbying to scale back include:
- A new customs requirement that requires importers to provide manifests 24 hours prior to the arrival of goods at U.S. ports.
- New immigration restrictions that have slowed the entry of business travelers to the United States.
- A proposed FDA rule requiring food importers to keep records identifying the source of food imports, as well as the immediate subsequent recipient of them.
Kim Dougherty, vice president for national security at the U.S. Chamber of Commerce, says she can "agree in theory and principle with the need to push out our borders as far as possible." But, she warns, "If we aren't careful, we are going to dilute or negate completely our competitive edge in the global marketplace." Dougherty is collecting data on the economic impact of the new regulations on industry. Her expectation, she says, is that her findings will be "alarming." So in a recent meeting with Martinez-Fonts, Dougherty argued that the onus for ensuring the private sector's security should be on the government, not industry. Thankfully, she says, Martinez-Fonts "gets it," adding that he understands the "delicate balance" between increasing security and protecting commerce.
It seems, in at least some quarters, that the cost-benefit approach to new security regulations is making headway. The business community, for example, has another friend in the OMB's Graham. OMB reviews all federal regulations and can block or alter them under certain circumstances. Last February, OMB asked the public to comment on how to measure the tangible and intangible costs of new domestic security regulations. "We're hoping the comment process will stimulate some public deliberation on how to strike the right balance in homeland security regulation," Graham says.
How, for example, does a regulator weigh the costs to U.S. colleges of delaying or blocking thousands of foreign students eager to study here, against the cost of allowing one member, or 100 members, of al Qaeda into the country? "That's a major concern for the university community," Graham says, "and hence we want to have a good rationale for how this regulation will help reduce the chance of a terrorist attack." In addition, Graham points out, we can't expect terrorists to always hit the obvious targets. "Terrorists will choose new targets, and that creates a significant analytic burden." That's what Carnegie Mellon University professor H. Keith Florig calls the "Jell-O problem"-if government boosts security in one critical sector, terrorists will look for a different one.
But what are the costs if the government just throws up its hands? That question, it would seem, is impossible to answer. Florig, for one, has studied the 2001 anthrax attacks and the government's response to them. He contends that if the cost of sanitizing 200 billion pieces of mail is $700 million, the program would have to save 100 lives a year to be cost-effective when compared with spending on other government programs aimed at saving lives. The 2001 anthrax attacks killed five people.
A strange bedfellows coalition of activists also is urging regulatory restraint. Conservatives often have used cost-benefit analyses in attacking environmental regulation. This time around, liberal activists are siding with the critics of regulation. These activists, who include Ralph Nader and the American Civil Liberties Union, have joined forces with conservative privacy activists in promoting a cost-benefit approach. And the federal government is starting to listen. Last month, GAO employees heard a presentation from Elisabeth Pate-Cornell, a Stanford University professor who is studying methods of gauging the costs and benefits of new security regulations.
In lieu of stringent regulation, the Bush administration is moving forward with several initiatives to boost information sharing between the government and private industry. The hope is that absent a fear of costly new rules, businesses will more freely acknowledge vulnerabilities. To that end, last year's legislation creating the Homeland Security Department included language exempting certain information revealed voluntarily by companies from the federal Freedom of Information Act. That's a source of consternation for environmental activists and good-government groups. The provision supersedes state and local FOIA laws, and also bars the department from disclosing information divulged by the companies in civil court proceedings. In a March report, the government watchdog group Common Cause called the exemption part of an "agenda for secrecy" that will enable companies to hide corporate wrongdoing. Business advocates say the proposal was necessary. Otherwise, they argue, companies would be reluctant to reveal information that might open them up to liability or give their competitors an unfair advantage.
It's too early to know whether the law has convinced companies to open up, but Martinez-Fonts' information sharing effort continues. Representatives of the major business trade groups in Washington-the Council on Competitiveness, the Business Roundtable, the U.S. Chamber of Commerce and the National Association of Manufacturers-all have had meetings with Martinez-Fonts. The Business Roundtable, which represents top corporate CEOs, also has set up a secure communications link between its members and DHS and has used it on several occasions.
At the same time, the Homeland Security Department's National Infrastructure Advisory Council-a group of business community advisers to the department-is coordinating information sharing with a dozen industry groups. These information sharing and analysis centers, known as ISACs, are industry-specific business councils set up by President Clinton in 1988 to facilitate communication about threats to and vulnerabilities of critical infrastructure. Currently, 12 ISACs are functioning, each representing members in a specific industry.
In a February report (GAO-03-223), the General Accounting Office gave the ISACs a mixed review. The ISAC representing information technology firms conducts daily information exchanges with the FBI on vulnerabilities, computer viruses and hacker attacks, GAO reported. But the energy sector ISAC told GAO that it has not provided reports to the government for fear the information might be revealed publicly, and such sharing would spark antitrust concerns. Likewise, because participation is voluntary, the ISACs represent only a fraction of U.S. companies, making the information they share less than comprehensive. Another formal information sharing project is the Customs-Trade Partnership Against Terrorism. Operated by the DHS Bureau of Customs and Border Protection, it reduces customs inspections of importers who agree to work with the bureau to boost supply chain security. Customs launched the partnership after Sept. 11, and importers have embraced it enthusiastically.
Even so, "the [information sharing] problems are mind-boggling," says John Pavlick, a partner with Venable, who has clients involved in the ISACs. "Companies don't want to share information. They are afraid that the regulators are going to get it, that their competitors are going to get it."
That's why Martinez-Fonts says it's important for him to strike a cooperative stance. "I'm the private sector guy here. I'm trying to push the flow of goods and keep the economy going," he says. The business community has engaged in a "certain amount of griping" about regulation, he explains, adding that he takes any and all concerns seriously. The question for DHS, he says, is: "Can we work closely with businesses to make sure that what the department is imposing on them, and what businesses are saying to us, can be reconciled?"
NEXT STORY: Gearing Up For War