Reality and Perception: How the Russians Won an American Election


Americans really don’t get the Russians. We are a people who pride themselves on divided government, openness, and the exposure of corruption – almost to the point of obsession. The Internet has allowed those truly American attitudes an even greater sway in the its body politic. Now, everyone can be their own “loudspeaker of truth.” In Russia, the story is quite the opposite.

Russia has a 500-year history of oppression from their “leadership.” It started with Czar Ivan the Terrible and continues today under Czar Vladimir the First. Russia is country run by central control; a state that views opposition as criminal and traitorous. And one of the most important parts of state power is controlling what people “think” through the information they are provided.

Thanks to the Internet, the Russians can more easily manipulate information than ever before. And Moscow is now applying gleefully that ability to their overseas goals. Most recently, Moscow been accused by Washington of desiring to control and influence our Presidential elections. And to a limited extent, Moscow have succeeded by the very effort. In the domain of worldwide Internet, perception is reality.

This type of information manipulation for political result is not new. In the Cold War between the U.S. and Russia, perception was often reality. The United States used covert means to supply information to friendly overseas sources to reinforce its positions. Occasionally, such as in Vietnam, it even deluded itself and the American people into believing that a limited, winnable war was possible.

The KGB, Russia’s Cold War spy service, was expert at planting damaging information about the U.S. around the world. It was a way of undermining our influence and the perception of wrong doing was all that mattered in the war of minds. Sometimes it worked quite well and the damage persists to this day. For instance, it was the KGB that floated the idea that American experiments to dominate the Third World created AIDS.

And so it goes today. We deal with Russia relying on old habits reinforced and facilitated with new technologies. The Internet with its hidden corners of attribution is a hard place in which to fight rumor and innuendo. Instantaneous transmission makes it impossible to control or counter the initial message. The very fact the Russian are releasing information about American candidates is damaging to the perceived integrity of our elections. The idea they could fool with our vote count is even more upsetting to the legitimacy of an already spooked electorate.

So, the first game of perception management goes to the Russians. There will be a section of the U.S. population already unhappy with the election results that will forever believe the system is now vulnerable to massive rigging. The reality is that there are several thousand different voting systems – ranging from paper ballots to electronic voting gear rarely updated to the 21st century. Hacking on a mass scale is unlikely though some minor efforts may be made. But that does not really matter. Even a few hacking attempts could be enough to poison perceptions.

So, for this round, the Russians have won an American election. It will be up to a new Administration to make Moscow pay for this interference. The games have only just begun.

The Cyber Business We Have Chosen


For those of us of a certain age, The Godfather movies represented a cultural touchstone and an endless source of “tough guy” quotes. “Leave the gun, take the cannoli.” “I’ll make him an offer he can not refuse.” And, my favorite as one of the lead characters ruefully comments on another’s death, “this is the business we have chosen.”

When I heard about the Yahoo data breach of some 500 million accounts, I was expecting public outrage. What I’ve seen from the public so far is a shrug of the shoulders and a sigh. For cyberspace, leaked information seems to be the cost of doing business. And, so far, the public seems willing to accept it.

I think this dull reaction is a combination of three problems – two technical and one social. The first is the ubiquity of an Internet that was never meant to do what it is doing. Security was not a consideration because the original development was done in national security installations. Thus the issues of outsider break-in and insider threat were not really considered. We are retrofitting security, which makes people feel better – more complex passwords and anti-hacking systems galore. But they are expensive and it is hard to judge their effectiveness versus their cost. But it appears to be a panacea to many concerns for many concern for now.

There also remains in the socially powerful Silicon Valley – a producer of much security software — an interesting 1960’s attitude toward free sharing of information and anti-government interference. This has produced a generation of younger libertarian people who expect their information to be protected from government surveillance and is outraged at government efforts to “surveil” them. In consternation to my generation of national security types, the breaches don’t seem to bother them as much.

The third problem is simply the problem of the public’s lowered expectations. The continuous drumbeat of breaches from OPM to Sony to Yahoo and hundreds of others have conditioned the public to accept this level of lax security. And until individuals are hit with some sort of personal cost – stolen credit card charges, fake bank accounts, and damaged credit – the cost does not really come home.

Some like former NSA head Michael Hayden have suggested a “high side” secure Internet. Many others are adopting forms of encryption – much to the pain of a government charged with national security in an Internet age when the bad guys use the Net.

So, unless there is some form of real and extensive public outrage, we are likely to continue in this pattern of a stream of security breaches and temporary wringing of hands. This may be the cyber business we have chosen, but paraphrasing The Godfather characters, it’s about time we make the illegal hackers an offer they can’t refuse.”

Cyber hacks & data dumps: How should the media respond?


The cyber hack of the Democratic National Committee, and the subsequent release of 19,000 e-mails by Wikileaks, is the leading political news story today, with the news media reporting on ignominious details from many of the e-mails, and the DNC Chairwoman resigning her position at least in part as the result of these e-mails. Moreover, numerous reports indicate that many experts and government officials believe that one or more Russian intelligence agencies are behind the hack, using Wikileaks as a cut-out to disseminate the e-mails.

This cyber hack and data dump is the latest in a series of similar such attacks against organizations and individuals over the past few years, including the Sony hack in 2014 (reportedly carried out by North Korea), the hack of CIA Director John Brennan’s personal e-mail account in 2015, and hacks and massive data dumps of informaion from private sector companies such as Stratfor, HBGary, and Hacking Team. In each of these cases, and especially with Sony, the news media reported not just on the fact of the hack but also on the contents of the stolen and leaked information. This reporting has magnified the impact of all of these hacks, helping the hackers and leakers to achieve the intended consequences of their efforts, and thus implicitly encouraging future hacks and data dumps.

This trend raises serious questions as to how the news media should act with respect to hacked information:

1. Should the news media be reporting at all on the content of stolen, hacked information? Would news media outlets report on materials that had been physically stolen from companies’ offices? If not, then why is cyber different?

2. If the answer to the question above is ‘yes’, are there limits on what should be reported on? Is “newsworthiness” enough? Should there be some standard of wrong-doing (criminal activity, corruption, etc.) as the basis for reporting, similar to standards for whistle-blowing within the US Government?

3. Should the news media exercise different degrees of restraint depending upon the target of the hack, i.e. whether it is a government agency, corporation, non-profit organization or individual?

4. How should information about the likely perpetrator of the hack influence decisions by the news media about what to publish? For example, with respect to the DNC hack, it appears probable that a foreign intelligence service is conducting an operation that is intended to undermine and influence the democratic process in the U.S. Does the U.S. news media really want to be in the role of facilitating such an operation?

5. How should the additional factor of a criminal investigation or indictment influence decisions by the news media to report on the leaked content from hacks?

These issues are as deserving of discussion within the news media as the content of the leaks themselves. While there is no feasible way to completely restrain dissemination of hacked information from such leaks, given the proliferation of blogs and independent news media outlets over the last decade, I would hope that mainstream news media outlets would develop a self-enforced code of conduct and set of policies for reporting on such hacked information, guided by the core principle that information from a cyber hack is the ill-gotten gain of a criminal act and should be treated with the same restraint as information purloined from the burglary of an office suite.

If we continue to see broad-based reporting by the media on hacked information, however, then there is a strong risk that this cycle of hack and leak will only grow worse, in a way that not only harms the hacked organizations but undermines American interests and values.

China and cybertheft, six months later


Last September, during his State Visit in Washington, China’s President Xi Jinping committed (see paragraph 48) to President Obama that China would not conduct or support cybertheft to benefit China’s economic competitiveness. President Xi then took that non-binding commitment with the United States on the road and became its primary advocate, culminating in the inclusion of similar language in the Antalya Communiqué agreed by the leaders of the G20 in November.

As I noted on this blog (twice in September and again in December), accepting that non-binding commitment as progress delayed taking meaningful action–in the form of economic sanctions–to try and actively influence the cyber behavior of China’s state-sponsored hackers. My argument at that time, and still today, is that in adopting that non-binding commitment, the Chinese President was practicing the Art of War on the United States by making a rhetorical feint while continuing the cyber activities–state-sponsored and state-supported cybertheft of U.S. companies’ proprietary information–that violate that commitment and continue to undermine the U.S. economy.  

As alluded to above, the reason President Xi felt the need to send his high-level envoy Meng Jianzhu to negotiate the non-binding commitment appears to be the widely reported fact that the Administration was readying a package of sanctions against Chinese individuals and entities.  The Chinese President prefered to take on a commitment to which its government has no intention of abiding rather than face inconvenience and loss of face that sanctions would cause.  If the Administration had moved forward with sanctions last fall, China would have been the first country to have its entities and citizens targeted by sanctions under President Obama’s April 2015 Executive Order announcing a national emergency on cybersecurity and authorizing such sanctions.

Now just over six months after President Xi’s State Visit during which he endorsed the norm against cybertheft, that commitment appears to have done its job completely…for China.  This issue, which used to be very high on the list of difficult problems in communications between the two Presidents, barely got a mention last week when the Presidents met in Washington on the sidelines of the Nuclear Security Summit.  Based on the readout from that meeting, “[t]he President reiterated that we will continue to monitor whether Chinese actions demonstrate their adherence to the commitments.”  But has anything changed that would merit continued passivity in the face of China’s cybertheft?

The best source of such information is the federal government, but it is not forthcoming about its information for obvious reasons.  Still, we can look at the sources that told us there was no change toward the end of last year–both private sector and government–but there has not been much further discussion of whether this type of hacking continues through the first 3 months of 2016.  Discussion about the direction of China-based intrusion sets in CrowdStrike’s 2015 Global Threat Report, released in February 2016, asserted that “[t]he economic downturn and new Five Year Plan in China will continue to drive their state-sponsored cyber espionage activities.”  The report also details how the current economic cybertheft intrusion sets CrowdStrike has identified over time map to the priority economic sectors listed in China’s new Five Year Plan.  And in comments to Politico last week, counsel to the Intellectual Property and Technology, Media and Telecoms group in Hong Kong suggested that there may have been an increase in cybertheft.

The Intelligence Community provided additional information this year in the Congressional testimonies of both Director of National Intelligence Jim Clapper and the leader of Cyber Command and NSA Director Admiral Michael Rogers.  Both concluded, in identical language in their written testimonies that, “China continues cyber espionage against the United States.”  And Director Clapper further elaborated that, “China continues to have success in cyber espionage against the US Government, our allies, and US companies” (emphasis added).  Clearly, China has not stopped the conduct that nearly resulted in the imposition of economic sanctions last Fall.

On that basis, the time has come for the Administration to impose such sanctions on Chinese entities and individuals.  The testimonies of both IC officials, however, raises a troubling question about whether the Administration is making the situation worse for American businesses.  In both Director Clapper’s testimony and in responses to questions from the Senate Armed Services Committee by Admiral Rogers, the IC leaders suggested that without evidence of “…the use of exfiltrated data for commercial gain,” the jury would be out.  As Admiral Rogers put it this week, “The question I think we still need to ask is, is that activity then in turn shared with the Chinese private industry?”  

In fact, several reports have asserted attribution of intrusion sets focused on commercial information to Chinese state actors going back several yearsbut the additional burden of showing the stolen data used for specific commercial gain by Chinese industry adds a tremendous complication to any attempt to sanction Chinese cyber activities that threaten U.S. competitiveness.  Such a burden would delay any such sanctions until they were far too late to be of any use.  Perhaps more importantly, President Obama’s April 2015 Executive Order adopted a “reasonably likely” standard for imposing sanctions on persons or entities that engage in cybertheft.  Adopting the IC’s standard–putting the onus to detect, attribute, and trace the misappropriated information through to its use by a commercial entity–is far too generous to the hackers.  Combined with the reduced attention paid to the problem since President Xi’s State Visit, the adoption of this standard would render sanctions for hacking activity a dead letter.

The question the Obama Administration faces now, six months after it allowed President Xi to take the initiative, is how to regain the momentum in its fight against Chinese cybertheft.  As detailed in December, the indictments of five Chinese People’s Liberation Army (PLA) hackers by the Justice Department in May 2014 had a measurable effect on the PLA’s cybertheft activities.  If that is the case, indictments against hackers from the Ministry of State Security, China’s external intelligence agency, or the Ministry of Public Security, China’s domestic police agency, could be one way forward.  Indictments are not a great policy option because as a law enforcement action, it is insulated–appropriately–from the policy process.  As successful as those indictments were at sending a message, using that tool on a regular basis would be difficult for an Administration to control or direct.  The real hope is that the White House would look at the continued cybertheft conducted by China and revisit its decision not to impose sanctions on China immediately after President Xi’s State Visit.  With significant continued cybertheft originating from China, one hopes for that reversal very soon.

France and Counterterrorism: Recent developments


Since the November 2015 terrorist attacks in Paris, French officials have been pushing to undercut ISIS and other militant groups on a number of fronts. These measures reflect continuing concern with the threat level, as underscored in the recent Europol report on the changing tactics, techniques and procedures of ISIS.

In response to prevailing circumstances, France is working to minimize the seams between its inward and outward facing intelligence agencies. By upping information flows, the idea is “`to deepen coordination between interior and exterior intelligence services in France as well as overseas…particularly from transit zones and sanctuaries where terrorists gather who want to commit acts on [French] territory’…”. France is also walking the talk vis-à-vis partner countries, such as in West Africa, and is reported to have warned Ivory Coast and Senegalabout Islamist plans to attack cities there.

In addition to sharing information with partners in Africa, France persists in its counterterrorism activities there including Special Forces operations in Mali, and surveillance flights over Libya. While there is a definite logic to confronting militants abroad in order to help blunt their momentum, inclination and ability to attack the French homeland, continued investment in these overseas efforts is notable given the “state of economic emergency” in France declared by the President at the outset of 2016.

Invigorating the French economy is itself partly an exercise in building societal cohesion and combating violent extremism, as young people in diaspora communities within France experience relatively high levels of unemployment.

But this segment of the population is not the only one that is restive. Media reports indicate that French Jews are leaving the country “in record numbers.” There is also discontent within the broader populace, where some have called for a national commission to investigate the Paris attacks of 2015 in both January (Charlie Hebdo, kosher supermarket) and November, to better understand “what went wrong and…avoid a repeat.” The idea has yet to gain much traction within political ranks, however. And just days ago, the country’s Justice Minister stepped downbecause she disagreed with the government’s plan to amend the French constitution to allow for the revocation of citizenship from convicted dual-national terrorists.

Next steps for the bilateral relationship between France and the United States will unfold soon. Interior Minister Bernard Cazeneuve is scheduled to visit the United States in February to meet with Homeland Security Secretary Johnson and Attorney General Lynch, among others. Their discussion agenda is reported to include countering terrorist use of social media. The visit takes place in a broader context of challenge which French Defense Minister Jean-Yves Le Drian has described as “a new era in defense strategy,” marked by “a resurgent Russia[,]…a lack of European solidarity and war in the Middle East.”

New Jersey publicly releases its annual terrorism threat assessment


Yesterday the New Jersey Office of Homeland Security and Preparedness (NJOHSP) publicly released a report entitled “Terrorism Threat Assessment 2016”, a detailed assessment of the current terrorism threat in the state of New Jersey. The report is a solid analysis of the different dimensions of the terrorist threat to the state; it concludes that homegrown violent extremists pose the greatest threat to the state in 2016, and also assesses that there is a “moderate” terrorism threat from other groups (ISIS, AQAP, white supremacists, militia groups, and sovereign citizens).

What is especially notable about the report is the fact that the state is releasing it publicly on its website, a contrast to the previous practice of marking such reports “For Official Use Only” (FOUO) and restricting their distribution narrowly to law enforcement officers, other public safety officials, executives at critical infrastructure companies, etc. This decision seems to reflect a deliberate recognition of the value in directly informing the American public about the terrorist threat, and appropriately enlisting them in efforts to detect and prevent terrorism, instead of treating them as passive bystanders. As the director of the NJOHSP notes in the foreword to the report, “Security is a collective responsibility and we are all in this fight together.”

The decision to release this report publicly warrants praise, and is a practice that the federal government and other states should emulate. For example, the Department of Homeland Security and the Federal Bureau of Investigation jointly release dozens of Unclassified/FOUO intelligence reports each year, the contents of which are rarely sensitive; in many instances, their findings are copied and pasted nearly verbatim from official statements about terror-related indictments. Given that these reports are already widely disseminated to state and local law enforcement and other stakeholders, there is little justification for not making them public at the outset, rather than allowing them to eventually leak to the news media, as they often do. The revised National Terrorism Advisory System (NTAS), which I wrote about last month, may also provide a basis for such broader dissemination of threat information. Many state fusion centers also produce similar reports to New Jersey’s assessment, which could be publicly released.

A shift toward issuing such analyses publicly could improve the American public’s understanding about the terrorism threat, leading to several tangible benefits. As noted earlier, well-informed citizens are more likely to play a role in detecting and reporting suspicious activity and potentially then preventing the next attack. Well-informed citizens are also less likely to make inappropriate reports about activity that should not be deemed suspicious, which wastes law enforcement agencies’ time with false leads. Finally, an American public that develops a sober, fact-based understanding of terrorism threats from professional non-partisan analysts (instead of from other filtered sources: cable news, social media, Hollywood, politicians, etc.) is more likely to react in a measured and resilient way to terrorist attacks and periods of elevated threat.

By no means is such public dissemination of threat information a panacea: but if such efforts lead to an improved public understanding of the terrorism threat even among a small percentage of the U.S. population, these efforts will be more than worthwhile.

New DHS report provides data on visa overstays


Earlier today the Department of Homeland Security publicly released a Congressionally-mandated report entitled “Entry/Exit Overstay Report, Fiscal Year 2015.” The report presents detailed country-by-country information on visa overstays for Fiscal Year 2015: data that I don’t recall being compiled or publicly released in previous years.

Two key insights from the report:

1. VWP vs. non-VWP overstay rates. Overall, the report calculates the in-country visa overstay rate for Visa Waiver Program (VWP) countries at 0.65% and non-VWP countries at 1.60%. But it is notable, in taking a granular country-by-country look at the data, that many large non-VWP countries have lower overstay rates than some of the VWP countries. For example, non-VWP country China’s overstay rate is calculated at 0.89% – lower than Austria’s at 1.28%. Indonesia’s overstay rate is 1.21% – lower than Spain’s at 1.40%.

It is of course noteworthy that these are not apples to apples comparisons: the non-VWP countries’ travelers are all people applied for and were approved for visas (whereas many of their compatriots were likely rejected for visas); but travel is permitted freely (pursuant to an ESTA approval) for the vast majority of citizens of VWP countries. But in spite of this fact, it is worth looking more closely at why certain lower and middle-income countries have relatively low overstay rates, and whether there are other non-economic factors (e.g. political stability, social cohesion) that influence overstay rates and should be considered in assessing countries’ applications to join the Visa Waiver Program.

2. Assessment of pilot projects and studies. The report also provides detailed information on current and planned projects at Customs and Border Protection (CBP) that are intended to enhance efforts to reduce overstay rates. Notably, the report discusses CBP’s Biometric Exit Mobile pilot, and notes that it “has afforded a small amount of biometric departure data and provided a significant law enforcement benefit for existing outbound operations.” The report does not quantify what is meant by a “significant law enforcement benefit,” but if such biometric data collection provides a valuable means to detect fugitives and absconders, in addition to its value from a border security standpoint, then an investment to scale up such a pilot project into a nation-wide capability may be warranted.

The Cyber Odd Couple of DC and Silicon Valley


Playwright Neil Simon wrote a play called “The Odd Couple.” It was the story of very different two men trying to share a NY apartment. Oscar was a total slob who was a top sports reporter. Felix was a total neat freak who was a top photographer. Yet, somehow they arrived at an accommodation though living in constant disagreement. In cyber world, Oscar is Silicon Valley and Washington is Felix. And, paraphrasing the opening of the Odd Couple – can they share cyber world without driving each other crazy?

If you had to pick two nearly opposite cultures, Silicon Valley and DC are it. The former is new, entrepreneurially brash, libertarian and a child of the open and easygoing lifestyle of the West Coast. It also strongly internationalist and driven by money as a metric and has loads of money made sometimes too easily in a market less devoted to results than “flipping a company” to gain more money. Still, it has become the creator and driving force of arguably one of the greatest technological and innovative bursts in mankind’s history.

In contrast, Washington is a staid place that is hugely powerful – arguably the capital of the most powerful nation on the planet for 70 years. It is filled with people drawn from around the country who are lawyers, social and hard scientists that do their best not to “stick up” from their surrounding fellows. Well established, it is a place of bureaucracy and order. Progress is not measured in money and quick results. It is measured in holding office and position – both of which provide power. It is also measured in compromise and a balancing of different interests for what is determined to be for the “public good.” Speed of decision is not its forte.

Not unexpectedly the first 15 years of the 21st century have constituted a long, drawn out sniping war between the two places. Washington pursues its national interests and Silicon Valley pursues its international interests. Washington thinks in terms of regulation and regards cyberspace as a public utility to be overseen. Silicon Valley loathes the DC oversight and fears the damage to its international business and independent spirit.

As time moves forward, however, the Oscar and Felix are beginning to see some common ground. While they argue vehemently over the use of encryption to secure cyber space, both DC and Silicon Valley recognize the constant barrage of cyber attacks as bad for public confidence.

Moreover, despite their internationalist viewpoint, Silicon Valley is beginning to feel the pinch overseas from nations who are not so happy about the free sharing of information or lack of control over content. As Facebook and Twitter are finding, for instance, China, Russia, Brazil, and UAE are not as welcoming to their efforts. Even India – the largest open market in the world now that China has stepped hard to regulate cyberspace – is balking at various proposals by Silicon Valley to break open India’s cyber world. These are arenas where the US government can help, if not necessary solve the challenges by pushing for international standards of openness and trade.

From the US Government standpoint, it is woefully behind the rest of the world – indeed the country – in terms of its own cyber security. The largest data leaks in the world have taken place in the US Government – from NSA’s Snowden to the Office of Personnel Management leak. Moreover, nation states and non-nation states — like China, Russia and innumerable private hackers with various agendas – have stripped sensitive technological information out of our most important projects. It needs Silicon Valley’s expertise to move beyond its 20th century, hide bound hierarchical structure and comprehensively adapt Silicon Valley’s new technologies and some of its spirit.

The Obama Administration’s recent high-level outreach to Silicon Valley is a good start to bridge that gap. Silicon Valley is also beginning to understand that it must better present its case in Washington.

Perhaps like Oscar and Felix, both sides can understand they live in the same cyber world and need each other.

The REAL ID Act: Time for a re-examination


Late last Friday afternoon, the Department of Homeland Security announced a set of new deadlines for final implementation of the REAL ID Act, postponing the date when TSA would stop accepting certain non-compliant states’ drivers licenses for aviation screening purposes until January 2018. It had previously been expected that such a deadline would be set for mid-2016 for a number of non-compliant states. This delay to the aviation screening deadline is not unexpected, given the likely disruption to air travel that would have resulted from TSA no long accepting many states’ ID’s as an acceptable form of identification.

Thus, the day of reckoning for REAL ID is postponed for another two years, for a new leadership team at DHS to confront. But it is unclear what will change in the next two years to alter the current status quo, where many states are reluctant to implement elements of REAL ID, the detailed statutory mandates from the 2005 law remain in place, and DHS is still charged with implementing the Act but retains the authority to delay its enforcement of the Act – authority that it has used repeatedly since 2007. While some states are likely to make progress on the REAL ID requirements in the next two years, it is hard to envision that the current impasse over full implementation will end in the next two years, and the next Secretary of DHS will likely be announcing additional delays in late 2017. And meanwhile, more than ten years have already passed since REAL ID was signed into law.

Given this reality, leaders in Congress, the executive branch, and the states have a choice to make. They can allow this dynamic of delay, confrontation, impasse, and further delay to cycle through the system one more time, resulting in gradual (but perhaps outdated) improvements to the security of state-issued identification. Or they can do what I believe is called for now: a serious re-examination of the requirements of the REAL ID Act.

Such a re-examination would include a detailed inquiry into the following questions:

1. What have been the demonstrable security benefits of the REAL ID Act to date, particularly with respect to counterterrorism, but also with respect to other national priorities (e.g. immigration enforcement, fraud prevention)? What elements of the REAL ID Act requirements (of which there are nearly 100) have delivered security benefits, and which have not, from a cost/benefit standpoint? (This would be a good question for a new GAO request by Congress, building off the findings of this 2012 GAO report).

2. Given the development and maturation of other counterterrorism capabilities in the past decade, how relevant and valuable is REAL ID (and secure identification generally) today with respect to domestic counterterrorism? For example, I would assert that it is much more difficult for would-be foreign terrorists (like the 9/11 hijackers) to travel to the United States today and engage in lengthy pre-operational activity than it was before 9/11, given investments in aviation pre-screening, watchlisting, visa security, information-sharing, domestic investigative capabilities, etc. Given how these other layers of security have been enhanced, has the marginal value of REAL ID today from a counterterrorism standpoint diminished or otherwise changed?

3. The terrorism threat facing the United States is significantly different than it was a decade ago, due to factors such as the increase in homegrown terrorism and the rise of ISIS and other new terrorist groups. How have these shifts in the terrorism threat changed the value of the REAL ID Act from a security standpoint? Have we seen changes in terrorist tradecraft with respect to the potential use of drivers’ licenses and other forms of identification?

4. How has technology involved in the past decade with respect to secure identification? Is the REAL ID Act mandating things in law that are now obsolescent from a technology standpoint? For example, what is the significance of digital identification technologies (which are being adopted now in many countries) for REAL ID? What is the significance of recent developments in areas such as biometrics and encryption? How do these technological developments affect the value of current REAL ID requirements?

5. In light of these external factors, how can the dynamics of governance over secure identification be changed so that state and federal actors are working together towards shared objectives, rather than in opposition to each other? Would it be helpful to move toward legislation that is focused on outcomes (similar to many other regulatory models), rather than the checklist approach that is codified in law today? Are there new coordination structures or funding mechanisms that can be used to align incentives?

Given these changes over the past decade, it is time for policy-makers (particularly in Congress) to be asking these questions, rather than allowing the status quo to prevail and REAL ID to continue on its current slow trajectory. A re-examination of REAL ID, and subsequent legislation based on the findings of such a review, would improve our homeland security and help to ensure that state and federal funds are being spent effectively and in a way that addresses today’s threats, instead of in response to yesterday’s threats and outdated requirements.

DHS gets Hill approval for a common appropriations structure


Buried within the omnibus appropriations bill signed into law in December 2015 is a provision (Section 563 of Division F, the Department of Homeland Security Appropriations Act) that allows DHS to establish a common appropriations structure, starting with the FY 2017 budget request that will be released in early February. This is something that DHS Secretary Johnson originally requested as part of the FY 2015 DHS budget request, as described in this testimony from March 2014:

As part of this agenda we are tackling our budget structure and process. DHS currently has 76 appropriations and over 120 projects, programs or activities, and there are significant structural inconsistencies across components, making mission based budget planning and budget execution analysis difficult. We are making changes to our budget process to better focus our efforts on a mission and cross-component view.

In the reports that accompanied the FY 2015 and FY 2016 DHS appropriations bills, the appropriations committees were mixed in their support for a transition to such a common appropriations structure in report language. In FY 2015, the House Appropriations Committee (HAC) believed that “DHS would benefit from the implementation of a common appropriation structure across the Department,” but the Senate Appropriations Committee (SAC) remained silent on this proposal.

In the FY 2016 bills, the HAC included bill language to establish a common appropriations structure, and noted emphatically that “implementing this methodology is a strategic imperative and must move forward with haste.” But the SAC was lukewarm to the proposal in its Committee report for FY 2016. The Committee acknowledged the DHS leadership team’s reasons for considering such a shift: “the goal of following funds from planning through execution is critical to departmental oversight of the components as well as establishing a capability to make tradeoffs in resource allocation and budget development decisions.” But it expressed concern about the potential harm to transparency and congressional oversight from such a shift, and expressed concerns about being unable to compare prior years’ appropriations following such a restructuring. It urged DHS to “tread carefully in this area and work closely with
the Committee.”

The provision included in the final omnibus appropriations bill is a modified version of the House provision, changing the word “shall” to “may” in a few places to soften the mandate for DHS to implement a common appropriation structure for the forthcoming budget request, and requiring that DHS provide a detailed report by April 1, 2016 to the committees on the transition to a common appropriations structure, as a precondition for getting the full authority to implement these changes. These minor changes are not likely to inhibit the ability of DHS to move forward with carrying out this transition, consistent with the intent of the Department’s leadership.

As the new language specifies, and as illustrated in the report “A Common Appropriations Structure for DHS: FY 2016 Crosswalk” (made public on the DHS website late last year), all DHS appropriations will now be allocated in one of four top-level categories: (1) Operations & Support, (2) Procurement, Construction and Improvements, (3) Research and Development, and (4) Federal Assistance. These top-level categories are similar to the structure used by the Department of Defense, where funds are primarily allocated with the categories of (1) Personnel, (2) Operations and Maintenance, (3) Procurement, and (4) Research, Development, Test and Evaluation.

The primary intent of this structure is to facilitate the ability of DHS leadership and Congress to develop greater insight into how funds are being allocated and spent across the Department. Currently, in many of the Department’s components, funds for day-to-day operations (salaries, rent, etc.) are mixed together in budget accounts with long-term capital investments (new ships, screening equipment, etc.), making it difficult to assess whether the right balance is being struck between present-day needs and future requirements. The new structure should also make it easier to identify and compare similar investments being made in different DHS components, and hopefully then find savings and efficiencies, consistent with the stated objectives of the Department’s Unity of Effort Initiative.

A secondary benefit of this reorganization is that it should enhance the ability of authorizing committees to pass authorization bills for DHS on a regular basis. The information provided to Congress in budget requests under a common appropriations structure can be used as a basis for authorizing funds, in a similar way to how the Armed Services Committees use information from DOD budget requests and the Future Years Defense Program to inform their annual authorization bills. The new common appropriations structure would not eliminate the jurisdictional issues that have made it difficult for Congress to pass DHS authorization bills over the past decade, but it would provide a basis for authorizing funds on a cross-cutting basis that is not wholly tied to the fragmented component-level jurisdiction over DHS in the House and the Senate.

Overall, this shift to a common appropriations structure is an encouraging development for the ongoing maturation of DHS, and if executed successfully in the coming year will be a significant accomplishment for Secretary Johnson and his team.