And I'm very pleased today to be able to introduce and then follow on in a conversation with Assistant Secretary Alan Cohn from the Department of Homeland Security. Alan's relatively new expanded title of responsibilities is for strategy, planning, analysis, and risk. So I'm not sure what's left out of there, but there are other people at DHS. So presumably he's keeping other people employed beyond those areas. In addition to leading the QHSR, both the last one and this one, the first was the last one, he's also critically important for what comes after the QHSR and hopefully we'll talk a little bit about that today in terms of linking strategy and the department's processes for executing strategy. Alan and I have known each other quite a long time where we're fellow travelers on quadrennial reviews, minor quadrennial defense reviews of the past, but also we've worked together on interagency reform efforts both here at CSIS and through the Project on National Security Reform. Alan is a member of the career executive, senior executive service and he has been since 2007. And of note he has also served plenty of volunteer time as a first responder. He responded to the 2005 hurricane season, September 11, 2001 attacks and the 1993 World Trade Center attacks. So with that, let me turn the mic over to Alan and let him provide us an overview of the QHSR and then we'll have some conversation. Thanks very much.

Thank you so much, Kath, I appreciate that. And thank you all for coming today. It is a privilege to be here. As Kath noted, we have worked together on many different issues and it's nice to be here to be able to talk to all of you in this environment and this forum about the review that we released.
So what I wanted to do was take the opportunity today to talk to all of you about the review itself, some of the findings and also how it fits into the larger initiative on unity of effort within the Department of Homeland Security that Secretary Johnson initiated soon after he arrived at the department. So for those who don't know what the Quadrennial Homeland Security Review is, it is a mandated review that the department undertakes every four years and it really has two dual purposes. Number one is to make recommendations regarding the strategy and long-term priorities of the nation for Homeland Security. So looking out nationally across Homeland Security. Second is to articulate guidance on the programs, assets, capabilities, budget, policies and authorities of the Department of Homeland Security. The Department of Homeland Security is one part of the larger enterprise of federal and state, local, territorial and tribal, private sector, international partners of all types as well as individuals, families and communities that all have a place in keeping the American homeland safe and secure. The first QHSR we delivered to Congress in early 2010. And that QHSR, that first QHSR really answered the question, what is Homeland Security? It established a series of key concepts, laid out a vision and a set of goals and objectives for Homeland Security. Some of the key things that were articulated in that first review were that number one, Homeland Security has a forward-looking vision and mission and responsibility. It is not a question of sitting and waiting for the next bad thing to happen. It is ensuring a safe, secure and resilient American homeland and doing that together with partners and stakeholders of all types. Following on that, Homeland Security is carried out through an enterprise.
Again, the Department of Homeland Security is just one piece of the larger national puzzle looking at responsibilities and authorities, competencies and effective actions of a wide variety of organizations and individuals. Third was that Homeland Security is deeply rooted in American history. We think about Homeland Security, we think about the attacks of September 11th, but the concept of Homeland Security is really about the intersection of traditional governmental and civic responsibilities with new and emerging threats and challenges. And so we think about things like civil defense, customs, border responsibilities, law enforcement. These are things that go back in many instances, decades, if not all the way back to the founding of our republic, and they are foundational elements of any nation's ability to keep its population safe and secure and resilient. We articulated in the first review, and I want to talk a little bit more about how we furthered this in the second review, that Homeland Security is essentially about managing risks to the nation. And every secretary from Secretary Ridge, Secretary Chertoff, Secretary Napolitano, and now Secretary Johnson have highlighted that we face a range of threats and hazards, that they pose different degrees of risk, and that we need to look at managing that risk to a level that is acceptable to the nation. That is our charge as Homeland Security. Fifth, that domestic security is part of the overall national security establishment. This was something that President Obama articulated in his first national security strategy, and it's been a theme ever since, and that you see echoed in both quadrennial reviews. And then the last thing to note from the first review was the articulation of both cyber security and national resilience, including all-hazards emergency management, as core Homeland Security missions.
All of these foundational elements, all of these key concepts, carry over to the second review and carry over to today's conception of Homeland Security. The purpose of the second Quadrennial Review, therefore, is different. It's not to repeat this exercise, but to build upon these key concepts, these key principles, and look deeper and more extensively at challenges. So we did three things in this review. First, we describe changes in the overall security environment that have occurred since the last review. And that's looking extensively at the strategic environment, looking at trends, future uncertainties, and in particular looking at it through the lens of risk, strategic, national level, Homeland Security risk. Second is to update the goals and objectives that sit underneath the five Homeland Security missions. Those five Homeland Security missions endure, but of course, changes over the last four years, as well as changes that we can anticipate in the future advise us to update and renew that five mission framework. And then third, this review takes the opportunity to articulate a set of strategic shifts necessary in key specific areas to best address the changed security environment. And again, in doing that, the review reflects a more focused, more collaborative, departmental strategy planning and analytic effort, and in that way takes an important foundational step for the Secretary's unity of effort initiatives. So a moment, just a word on that. Secretary Johnson saw very quickly that enhancing departmental unity of effort was going to be a key element of the success of our department and therefore needed to be a key element of his time as the leader of the department.
In April, Secretary Johnson released a memo internally within the department on strengthening departmental unity of effort, outlining his priorities for how the department will manage itself in a more effective way, how the department will build upon the successes that we've had and the capabilities and competencies and unique perspectives and authorities of each of our entities to build an organization that's truly greater than the sum of its parts. And so that unity of effort initiative really takes not only a more disciplined and focused look at the development of policy and strategy, but also creates defined linkages in how we drive strategy and policy into execution, both on the investment side with respect to joint requirements and capabilities, programs and budgets and major investments, but also in operations. How do we plan jointly for operations? How do we conduct our operations individually and jointly? Ultimately all in the service of effectiveness. It results for the American people. And so the Quadrennial Review provides some of that strategic guidance and the underpinning analysis, a set of clear risk-informed strategic priorities to inform the department's path over the next four years. The process of conducting the Quadrennial Review will look familiar to anyone who's conducted a large-scale review or if you've followed large-scale reviews conducted across the international security space. But it basically had three phases. First was a preparatory phase where we assessed the environment, assessed roles, responsibilities and authorities, and got guidance from our senior leadership. We then carried out studies through terms of reference, a set of study groups and meetings and discussions to evaluate decision analysis and make decisions and then ultimately resulting in a document that hopefully all of you have had a chance to see, to download, to look through. And we have fact sheets on the table as you exit the room.
They give you summaries of the report itself and some of the key findings. So let's talk for a minute about that examination of the strategic environment because this is one of the things that was a priority for this second review. How can we best assess the strategic environment from the Homeland Security perspective and draw conclusions about drivers of change and strategically significant risk? We did a series of examinations of both current and emerging risk, looking at trends, future uncertainties, systemic relationships, as well as threat, and a current picture of risk. And we synthesized that into a set of risk insights, not just risk insights about today because of course looking at risk insights today tempts us to think too much about what has already happened and not enough about what may happen going forward. But to synthesize our current understanding of risk with our view of trends and future uncertainties, systemic and causal relationships to understand what may the risk picture look like going forward, what might pose the most strategically significant risk going forward. And this resulted in our examination and our articulation of the Homeland Security strategic environment that you see set forth in the report. There's also an important nesting of the Quadrennial Review, the five Homeland Security missions, and the risk priorities in the overall national security priorities and imperatives of the U.S. government. So if you've read any of the national security strategies going back through administrations, you see a repeated emphasis on four enduring national interests, security and resilience of the U.S. homeland, our economic prosperity, the living advancement of our values, both here and abroad, and a strong and secure international order. Each of these interests is reflected in the activities and missions of Homeland Security and each of the mission responsibilities of Homeland Security ultimately works to advance each of those interests.
And that leads to the set of Homeland Security missions, which again, were first established in the first Quadrennial Review and carry over into this review. Preventing terrorism and enhancing security is the cornerstone of Homeland Security, securing and managing our borders, enforcing and administering our immigration laws, safeguarding and securing cyberspace and ensuring national preparedness and resilience, as well as maturing and strengthening the broader Homeland Security enterprise. These are enduring missions of Homeland Security. But this review recognizes that there needs to be a deeper look at strategic prioritization within the missions. And we're asked from time to time, well, what is the prioritization of the missions? But again, the missions all serve those national interests. So how do we prioritize our activities and create priorities within those missions? And again, the statements of every secretary going back to the first secretary of Homeland Security give us the direction on that. We need to look at strategic national level, Homeland Security risk to understand what those strategic priorities, those priorities over time need to be. What are the threats, the hazards, the challenges that face us as a nation within those mission responsibilities? What are the likelihood and consequences of each of those? And how do the trends and future uncertainties and those systemic causal relationships impact not only the threats and hazards and challenges themselves, but the likelihood and the consequences? What directionality do those trends and future uncertainties and systemic relationships suggest? This is my favorite slide. What we've tried to do is to distill down the strategic environment into a set of six key drivers and six threats, hazards, and challenges that pose the most strategically significant risk over the next four years. So what are those drivers of change? And much of this won't be a surprise.
You can observe many of these things in the strategic environment now and you know there are emerging issues in each of these areas. First, the terrorist threat is evolving. We know that the terrorist threat that we faced on 9/11 is not the same terrorist threat that we face today. The world is changing, the environment in which those who wish to do the United States and its interests harm are changing. And so Homeland Security needs to adjust and adapt to those changes. But there are other drivers of change that are important for consideration in the strategic environment. Information and communications technology, when 9/11 occurred, there were no iPhones, right? There were no iPads. The interconnectivity and the speed of the transfer of information were nowhere near what they are today. And the pervasiveness of information and communications technology and the way that it interconnects all things in the world had advanced dramatically at the time of the first Quadrennial Review and had advanced dramatically again between that review and this. And as we look forward into the environment, we see more the interconnectedness of machine to machine, of a broader connectivity and automation. We see that change will continue to happen in that area in a rapid pace, driving not only threats, hazards, and challenges, but their likelihood, consequences, vulnerabilities. Natural disasters, pandemics, and climate change. We know that these drivers have great impact on the strategic environment. We can see from events over the last few years, the increasing, not only severity of natural disasters, but the unpredictability of their consequences. As our world becomes more interconnected, as disasters happen in different and unpredictable ways, and as they cause cascading impacts through our communities, through our societies, through our infrastructure.
If you look at the Homeland Security strategic risk environment, the risk of pandemic stands out, even among those other risks that we see. And we'll talk about that in a moment, but a key driver of concern about threat and challenge and vulnerability in the strategic environment. Interdependent and aging critical infrastructure systems and networks. When 9/11 occurred, we thought the primary threat to our infrastructure was kinetic, was individuals wishing to do it harm, to bring harm to infrastructure through kinetic means. We now know that infrastructure is just as vulnerable to weather, to cyber intrusion, and to its own age and consequent vulnerability. And so both the interdependence and the age of our systems and networks provide questions and challenges for us going forward. They also provide opportunities as that infrastructure is updated and replaced. It gives us the opportunity to build in more resilience, more security, more forward-looking emphasis on the way that we construct and think about our infrastructure base. The volume of people and goods transiting through the flows that come in and out of the United States. If you look at the speed and the volume of flows coming in lawfully through our ports and our borders, that's increased at a dramatic pace and is only going to continue to increase. And so we need to be postured in a way that we can keep up effectively with that flow of people and goods, which is so critical to our economic well-being. At the same time, increased flow of people and goods on the lawful side can also mean increased flow of people and goods on the unlawful side. As transnational criminal organizations and others seek to exploit lawful pathways and to create their own unlawful pathways for the introduction of dangerous or illegal goods and items. And then finally, budget drivers, fiscal environment, the overall national fiscal environment puts pressure on all elements of the Homeland Security Enterprise.
Not only the federal government, but state government, local governments, territorial and tribal governments, most parts of the private sector, many of our international partners and most individuals, families and communities all feel the pressure of the current fiscal environment. And so how do we effectively ensure the security and resilience of our nation in that environment? So those six key drivers, which we've represented in kind of what we call Any City, USA, and some of the key trends and the key statistics that you see on the slide drive us to a set of strategically significant threats, hazards and challenges. So what are those? First, the terrorist threat as we talked about is evolving and remains significant as attack planning and operations become more decentralized. The United States and its interests, particularly in the transportation sector, remain persistent targets. Second, growing cyber threats are significantly increasing risk to critical infrastructure and to the greater U.S. economy. Third, biological concerns as a whole, including bioterrorism, but pandemics, foreign animal diseases and other agricultural concerns endure as top homeland security risks because of both potential likelihood and their potential impact. Nuclear terrorism through the introduction and use of an improvised nuclear device while unlikely remains an enduring risk because of its potential consequences. Transnational criminal organizations are increasing in strength and capability, driving risk in counterfeit goods, human trafficking, illicit drugs and other illegal flows of people and goods. And finally, natural hazards are becoming more costly to address with increasingly variable consequences driven by trends such as climate change and aging infrastructure.
So our look at the environment identifies a set of key drivers and that allows us to discern a set of strategically significant risks, threats and hazards that pose the most strategically significant risk over the next four years. Some of the guiding principles that we articulate in this second review. First, again, the cornerstone of homeland security is preventing terrorism, but homeland security must be multi-threat and all hazard. We talked about in the first review how all hazards emergency management was a fundamental element of homeland security. In this review, we recognize, again, what a reality that everybody who operates in this environment knows is that homeland security is multi-threat as well. Second, something equally apparent on its face to everyone who operates in this area, homeland security supports economic security through ensuring the safe and efficient movement of people and goods through lawful means across our borders in service of our economic well-being and our health as a nation. Homeland security and economic security are inextricably intertwined. Third, homeland security requires a networked community. In the first review, we talked about the homeland security enterprise. This review recognizes that we must continually strive to network that enterprise together, to share information, to share best practices, to build capacity, so that we can all work together towards common ends. Fourth, that homeland security relies upon the use of market-driven solutions and innovation. We must recognize the market nature of some of the threats and hazards and challenges that we face and recognize the vast potential of market solutions and partnership across public and private sectors in addressing threats, hazards, and challenges. Fifth, and though it should need no reemphasis, we do so here. 
Homeland security upholds civil rights and civil liberties, thinking about the national interests that have been articulated in successive national security strategies. Our homeland security activities serve all of those interests, including our values here and abroad. And sixth, again, homeland security is national risk management. And so this review makes the effort to evaluate the strategic environment, articulate those threats, hazards, and challenges that pose the most strategically significant risk, and articulate strategies, either new or shifts or reemphasis of things already done to address those most strategically significant threats, hazards, and challenges. With apologies for the eye chart, this is, again, the mission framework for homeland security. The five missions that we've discussed and their sub-elements and maturing and strengthening the Homeland Security Enterprise. Again, this review reemphasizes this mission framework and structure, updates the goals and objectives underneath to reflect changes over the last four years and changes that we foresee going forward. So what did we look at in this review as a result? There were five studies linked to findings in the strategic environment and to guidance from leadership. And then we recount and reemphasize the approaches that we are already taking to other pressing challenges, hazards, across the Homeland Security environment within this review. So this review talks about how we will secure against the evolving terrorism threat, how we will safeguard and secure cyberspace. It articulates a Homeland Security strategy for countering biological threats and hazards, building on all of the work that has been done before, but recognizing not only the enduring nature of this risk, but the increasing nature of this risk. The review articulates a risk segmentation approach to securing and managing flows of people and goods. What does that mean? 
It means that the different types of threats and challenges that face the country through the flow of people and goods are different. That just the volume and speed of lawful goods is different than the profit-motivated actions of transnational criminal organizations is different than the ideologically motivated or naturally occurring challenges that can come through the flows of goods and people entering and exiting our country. And finally, the review examined and articulates a basic way of thinking about executing our missions through public-private partnerships. Again, building on all of the work that's been done not only over the last four years, but since the inception of the department on public-private partnership in a number of different venues. Based on the strategic environment, our mission responsibilities, the review also discusses and reemphasizes the approaches that we are taking to countering nuclear terrorism using an improvised nuclear device, our approaches to managing the challenges and opportunities of immigration, and our approaches to national preparedness and our whole community approach. Okay, so what does the review say about each of these things? With respect to the terrorism threat, again, the nature of the terrorist threats in the United States has changed dramatically since the September 11th, 2001 attacks. Just since 2009 in the publication and the conduct of the first Quadrennial Review, we've seen the rise of al-Qaeda affiliates such as al-Qaeda in the Arabian Peninsula, which has made repeated efforts to export terrorism to our nation. And that's one challenge, the external challenge coming into our homeland. But we also know that we face the threat of domestic-based lone offenders and those who are inspired by extremist ideologies to radicalize to violence and commit acts of terrorist violence against Americans and the nation.
And so this second Quadrennial Review outlines an approach to focus on countering violent extremism and help to prevent complex mass casualty attacks, building again on the strategies and policies articulated by the president and by the department in this area. The approach to counterterrorism and the shifting and evolving approach to preventing terrorist attacks prioritizes identifying, investigating, and interdicting threats as soon as possible, including providing support to international partners to increase their border management, customs integrity, and law enforcement capabilities and capacities and to use information received in advance to screen dangerous goods and people abroad based on risk, rather than waiting for arrival in the United States. These are concepts that have been instantiated in our approach to terrorism over successive administrations. We reemphasize these areas and articulate new and evolving ways to use these types of approaches to counter the terrorist threat as we see it today and as we see it evolving in the future. Safeguarding and securing cyberspace, each and every day, the United States faces a myriad of threats in cyberspace, from the theft of U.S. intellectual property through cyber intrusions to denial of service attacks against public-facing websites and attempted intrusions of U.S. critical infrastructure. To address these threats, we've identified four strategic priorities. Strengthen the security and resilience of critical infrastructure by leveraging the work being done pursuant to Executive Order 13636 on improving critical infrastructure cybersecurity and Presidential Policy Directive 21 on critical infrastructure security and resilience, each of which build on previous efforts, U.S. government and national efforts to strengthen, safeguard and secure cyberspace.
Securing the Federal civilian government information technology enterprise by helping Federal civilian agencies manage cyber networks, advancing law enforcement, incident response and reporting capabilities through close coordination with our partners across the law enforcement, incident response, and reporting community, and strengthening the broader cyber ecosystem by collaborating with communities domestically and abroad, standardizing information sharing practices and developing a skilled workforce. With respect to biological threats and hazards, as we noted, again, the strategic environment assessment and the assessment of strategically significant risk continues to point us towards biological threats and hazards, not just bioterrorism, but emerging infectious disease, foreign animal disease, agricultural concerns, as a top risk that we currently face and a risk that's only growing over time. So how can we best build on the work that's been done to date, the lessons that have been learned and implemented from previous events, previous exercises? Our approach is to stop incidents involving priority biological threats and hazards before they escalate to overwhelm state, local, tribal, and territorial partners, while ensuring that those partners have the capabilities and capacities necessary to manage and respond to mid-range biological incidents. And so what does that mean? Prevent those biological incidents from occurring where possible, improve risk-informed decision-making, identify biological events early, improve confidence to act, not just within our department, not just within the Federal Government, but across the whole Homeland Security Enterprise. Respond and recover effectively from biological incidents and maintain vital services and functions during and after biological incidents. Maintain our ability to continue to function not only as a society or infrastructure, our critical services should an event of this type occur.
With respect to managing flows of people and goods, again, the movement of people and goods around the world has expanded dramatically in recent years. As the volume of global trade and travel increases, the potential for illegal transport of people and goods across our borders also increases. The Department of Homeland Security and our partners continue to secure and manage flows of people and goods to ensure economic prosperity and minimize risk. So based on an in-depth look at the flows of people and goods, we see three distinct but interrelated types of flows, each of which requires a different risk-based approach by DHS and our partners, different but inherently interrelated. First, the legal flows of people and goods. How do we stay ahead of increasing flows and increasing volumes, increasing demands, and not only safeguard but expedite the flow of lawful, the lawful flow of people and goods into and out of the United States? Second, market or profit-driven illicit flows of people or goods. Transnational criminal organizations and others engage in wide-scale activities to bring illicit goods into the United States and reap profits from those activities, but they do this for profit. And so how can we tailor our approaches to best approach those activities, which are different than lawful challenges and different than ideologically-driven challenges? And then third, terrorism and other non-market concerns. Ideologically-driven threats and challenges or naturally-occurring threats and challenges, how do we ensure that these neither disrupt lawful flows of people or goods nor exploit them for ill purposes? Segmenting flows of people and goods in this way permits more focused strategies and more efficient allocation of resources. Strengthening the execution of our missions through public-private partnerships.
Many of you are probably familiar with the National Infrastructure Protection Plan and our overarching framework of cooperation and coordination with our private sector partners through now the 16 critical infrastructure sectors and the network of sector-specific agencies across the Federal Government and sector-coordinating councils made up of our private sector partners across industries. This is a very strong and important set of public-private partnerships for Homeland Security, but it's not the only set, whether it's the Coast Guard's Captain of the Port relationships with shippers, state and local law enforcement, our partnerships across the movement of people and goods across the U.S. Government with the private sector and with other partners. There are many examples across Homeland Security and across the U.S. Government of governmental relationships and agreements with private sector partners to enhance security and safety and ensure national resilience. Although each of these partnerships emerge from unique circumstances and specific challenges, there are important commonalities, models, lessons learned and best practices that can be applied to a range of other Homeland Security challenges. And so the QHSR provides a structured way of thinking about partnerships that focuses on a couple of key things. First of all, what is the partnership aimed to do? Second, what are the interests that are at play? What are the public interests? What are the private interests? And how do they align? Where are the shared outcomes? What are we together trying to do? Whether that's on a day-to-day basis, whether that's in the event of a contingency or a crisis, or whether that's meant to be a relationship that can span through both, that we use on a day-to-day basis and then can scale up to work effectively in crisis.
And then finally, so thinking about shared outcomes, aligned interests, what are the models, the archetypes, the ways that we might structure public-private partnerships to do things? Obviously, information sharing sits at the heart of public-private partnership, but there are other models that go beyond information sharing. And in the review and a companion document soon to be released, we talk about the different models and archetypes, the ways of thinking about interests and outcomes and aligning them under common archetypes and models. And we do this as a tool not only for ourselves, but for the entire enterprise to think about how we can use public-private partnerships most effectively to reach our common ends. In addition to these areas, we also emphasize, again, our continuing approaches, our renewed emphasis on countering terrorism using an improvised nuclear device, on advancing rational, common-sense, comprehensive immigration reform, and advancing national preparedness and resilience. Under the mechanisms of the national preparedness system, the Post-Katrina Emergency Management Reform Act, the Presidential Preparedness Directive 8, all of which set up a comprehensive national preparedness system for prevention, protection, mitigation, response, and recovery. A key element of this Quadrennial Review and every Quadrennial Review is engagement with stakeholders. In the first review, we engage with stakeholders through a variety of manners. In this review, we sought to strengthen and deepen the engagement with the Homeland Security community in informing the studies and the conclusions of the review. To that end, we conducted extensive engagement with three sets of key and critical partners. First, we sought to use this exercise as an effort to bring greater unity within the Department of Homeland Security.
So reaching across all of our operational components, our offices, and our directorates and leveraging subject matter expertise from across the organization. But that's only the starting point. We looked also across all of our federal partners, speaking with Congress, with entities within the executive office of the President, including the National Security Council staff and other essential offices within the executive office of the President. And of course, our key and critical partners across the Federal Interagency, whether that's the Departments of Defense and Justice, State, Health and Human Services and a wide array of others in discussing and arriving at the conclusions for how we address Homeland Security threats and challenges. And then beyond that, Homeland Security communities of interest. Again, we wanted to deepen our engagement with those people in the communities of practice, those people on the front lines of conducting Homeland Security activities day after day to engage and receive their input and advice. And we did that primarily through two online venues, a platform for submitting ideas called IdeaScale, and the first responder.gov community of practice administered through our Science and Technology Directorate. And through all of that, not only that enabled us to gain greater input from the broader Homeland Security Enterprise, but it allowed us to ask targeted questions to gain input and provide the opportunity to comment, agree and disagree, add new ideas. Through that engagement, we had over 2,000 unique registrants on the IdeaScale and community of practice sites. We had submitted nearly 250 new ideas, again, over 2,500 comments, and over 11,000 votes on different targeted questions, issues, comments, and other issues raised on the site. And that input and analysis, those questions, ideas and comments were tracked, brought back into our studies and incorporated into the analysis that led to the final decision-making. 
So where do we go from here? Again, a strategic review is an important thing. A strategic review allows an organization and its partners to examine its principles, its missions and its goals to look at the strategic environment, to engage together in a discussion, sometimes difficult, about priorities, about approaches, and a way to communicate that to the broader community as a whole, in particular to our Homeland Security communities of interest. But it's only as good as the execution that follows it. Again, Secretary Johnson, through his unity of effort initiative, has laid out a number of different ways in which the department will be taking steps and is already taking steps to improve our ability to survey the strategic environment, to set policy, to define strategy, and then to take policy and strategy and drive it into execution, into the way that we do investment. Again, through the examination of capabilities and requirements, through a close examination of our programs and budgets and the ways and manner in which we invest and make our major investments. And also in the ways that we operate, in the ways that we communicate and coordinate with our partners, in the ways that we plan for operations, both individually and together, and the way that we execute our operations. Because ultimately Homeland Security is an operational activity. It is about the execution of activities to keep our nation safe, secure, and resilient. So this Quadranting Review forms an essential element and an underpinning element of the Secretary's unity of effort activities. So in conclusion, let me just say thank you for the opportunity to walk you through what we've done in this review, to talk to you a bit about the findings that we've reached and to open to you the opportunity for dialogue and discussion. 
I know that we will have a discussion about questions and then you will hear from an outstanding panel of individuals who have a long history in this area and will have deep insights for you on the findings of the review and other thoughts about Homeland Security. So with that, let me conclude my remarks. Sit down for questions. Thank you very much, Alan. And as you said, I neglected to mention at the beginning that we do have a fantastic panel following. So we'll try to get you out on time. I know you have to leave here right around 10. And I know the audience has some questions. I do wanna raise a few myself. The first is from your perspective, having done the first QHSR in 2010 and now this one in 2014, what do you think has really changed the most evolved and matured inside the Department of Homeland Security or across the broader Homeland Security sector that really affected the way in which this review was put together or its implications? That's an excellent question. And I think that this second review reflects a maturing in a number of ways. Number one, that the Homeland Security Enterprise as a whole has a greater understanding of itself and of the threats and hazards and challenges that it faces. So as we conducted analysis and evaluation of trends, uncertainties, systemic relationships, threat, risk, we were able to draw on not only the subject matter expertise across our department and across the federal government, but reports and studies, data and analysis that's collected across the Homeland Security Enterprise. And that only strengthened our ability to look at ourselves and ask these difficult questions. Second, is the ability of our department to wrestle with these questions ourselves. I think that this review reflects an enhanced ability of our department, not only our subject matter experts, but our leaders to really grapple with these issues together and to look at shared and joint approaches. 
And I think you see a maturing of the way that the overall Homeland Security Enterprise can grapple with these issues. Obviously, as we talked about with the strategic environment, the environment has changed. The threats and hazards and challenges have evolved. And so we need to be in constant dialogue with each other about not only what is changing, but how we change our approaches with respect to those. And I did want to, it gets very directly to the next question, which is about the changes in the threat environment, some of which you walked through. One that sort of popped out as we looked at it here at CSIS is the increased emphasis and reframing on the bio threat. So I'm interested on how that's evolved in the thinking, if you think the threat has evolved or just the thinking about the threat has evolved. And then more generally, given the rapid evolution of the threat environment and the changing nature of how the risks lay out, how challenging do you think that is to have a risk framework tied to an annual budget process, but with a rapidly changing environment that's something the entire national security community is grappling with. And if you have lessons learned from the work that you all have done on risk management, it would be great to hear. Well, I think that using a risk lens and conducting a national risk assessment is absolutely essential to thinking about Homeland Security. Again, Homeland Security is an exercise in national risk management. It's an exercise we all engage in and it's a thought process that we all go through. Conducting that strategic national level risk assessment is one element of that. And we're aided in that by lessons learned from some of our international partners who have been conducting these types of assessments and finding very similar results in particular, finding similar things about the risk of pandemic disease and biological challenges. 
We're also aided by the growing network and ability of localities and states and regions to conduct threat and hazard identification and risk assessment processes on their own with assistance and support through FEMA as part of the Department of Homeland Security. And so communities all over the country, states and regions are conducting their own threat and hazard identification and risk assessment processes can be married in to that strategic national look at risk. Now risk isn't the only way that we prioritize our actions, right? It can help us from a strategic national perspective identify strategic national risks, but those aren't the only types of priorities we need to grapple with. There are shorter and closer in challenges, emergent issues, but a risk approach allows us to set strategic priorities and to look to reach them over time. Now specifically with respect to biological challenges, I do think that the challenges posed by biological threats and hazards as a whole are things that are known by the community. At different times, since the inception of the department, we've grappled with challenges posed both by bioterrorism events, and particularly the malicious use of anthrax, but also with a series of different naturally occurring events that had the potential to cause human pandemic, whether it was SARS or different varieties of influenza. Each of those has illustrated the challenge. We took the opportunity in this review to look both from a risk perspective and a strategy perspective at those challenges as a whole because we understand that while the motivations and causes may be different, in many ways, not only the ways that we would detect or otherwise know that such an event was occurring and the steps that we would take to address it as a nation are largely the same. 
And so the Quadrennial Review gives us the opportunity to do things not only to be able to identify such a risk, but to lay out a strategy that we can seek to implement over time as part of a larger set of priorities to address that risk and not have to wait for an event to occur for us to take action to address the risk. Okay, thank you. In the interest of time, because we are running short, what I'm gonna do is have a couple people ask questions, we'll collect those for Alan, he can answer them. I do ask that you make it a question because we really are short on time. No statements, please, and give your name and your affiliation, and we have folks with microphones, so go ahead and raise your hands if you have questions. One here. We'll keep going after the question. Good morning, ladies and gentlemen. My name is Rosemary Segero, I'm Segero's International Group. Thank you very much for your presentation. How, looking at the report, how are you working with the International Public and Partnership with the government, private sectors, and the communities? Because when it comes to traveling, to transfer people and goods, terrorism are maybe from Africa, or they change passports, they change names, and they change, and how do you work with this, with the international communities to make this a priority of homeland security? Protect the country. Other questions? So you're one right here. Thank you. My name is Jeanine Weng, with Roy's of Vietnamese Americans. In your assessment of the threats, would you tell us which one, how percentage-wise the state actors and the non-state actors? And also, have you been able to utilize all of our networks, including Congress, the Department of State, Department of Defense, all that together to share information and to mitigate the fact to prevent it, prevention is important. And have you seen the relationship between our foreign policy with fast-raising inside the country? 
Okay, and then I have one back here, and then I'll stop, I promise. Loin Solace University of Maryland. You made mention of our aging infrastructure. Just in case another huge earthquake would happen, especially in the Pacific side of the country, like California, all the way up to Alaska, and because our infrastructure are aging, just how resistant are our infrastructures on that side of the country, just in case a strong magnitude earthquake would happen? Thank you. Okay, so the three questions are essentially, how well are you partnering internationally to execute the missions at DHS, and presumably also when your outreach for stakeholders on the QHSR? The threats of state versus non-state, the relative threats, and then also how well are you sharing information on mitigating threats across the interagency and then infrastructure? Well, good. Now, those are an excellent set of questions. On our international partners, this was something that was recognized early on and that each of our secretaries has emphasized together with our other partners across the federal government is that, and at the state and local level as well, engagement with our international partners is critical to addressing these threats and hazards and challenges. And we have a wide range of cooperative relationships with counterpart entities across the globe, as well as relationships with non-governmental organizations and civic organizations, aimed at addressing this wide range of threats and hazards and challenges. So international engagement is extremely important to fulfilling Homeland Security mission responsibilities and reaching the ends that we really wish to reach. In terms of the percentage of state actors versus non-state actors in our threats, I think it varies across the strategic environment and I would add some other categories to that. There may be state actors, there may be non-state actors, transnational criminal organizations, individual actors, natural phenomena. 
It's difficult to put a percentage on those things. What's most important to recognize is that threats and hazards and challenges emanate from all of those different sources and that can fluctuate over time based on trends and uncertainties and other types of drivers and so it illustrates and highlights the importance of looking across the strategic environment as we think about the range of threats and hazards and challenges. To go to build on the question about our international partners and really all of our partners, information sharing underpins almost everything that we do. Information sharing enables the vast network of partners within our department across the Federal Interagency within state, local, territorial and tribal governments, non-governmental organizations, the private sector to act on their own and in concert with each other and other partners to effectively address challenges. No organization, be it a Federal Cabinet Department, a local police department, a non-governmental organization, a private sector entity can take on these challenges alone and so we all must work in concert with each other and the sharing of information underpins all of that. The last point and I think it's a very good one and it's one that we highlight in the report on the review itself is that the aging nature of our infrastructure does cause concern, I think nationally, about its resilience and it is why when the President issued Presidential Policy Directive 21, we evolved our approach, our national approach, to thinking just about critical infrastructure protection, to think about critical infrastructure security and resilience and not only resilience against human cause challenges, but resilience across the range of challenges. 
You mentioned earthquakes, other types of naturally occurring events, other types of vulnerabilities and the vulnerabilities that come just simply from its age and to try to drive to think about how do we better design in security and resilience to our infrastructure as one of the key ways that we will achieve the type of risk management that we're trying to achieve and achieve our homeland security goals. If I can indulge you on one more quick round of questions and then we'll wrap up with Secretary Cohn, come over here to this side of the room, so start here. As you know, during the Cold War, the public didn't have much of a role in deterrence, but you mentioned before about the looming threats of new kinds of technologies or synthetic biology and individual actors acting alone, possibly sometime in the future, deploying and making weapons and infrastructure. Have you looked at how to engage the public? What is the public's roles, a plural, and it had to be international because the US does everything perfect, it's not enough. So that goes back to the international cooperation, but not just nation-state, but how do you, what's the public's role? And just remember to give your name and affiliation. I'm Jerry Glenn with the Millennium Project. Thank you. John Hurley, I teach at Catholic University. In all of the presentations, I didn't see any indication at all about religion and certainly extremist fundamentalists, while adherents of religion have played a big role in this whole problem as it has developed. Does the department have any particular section or focus into this area, whether both domestically and internationally? Okay, and one more right here. I'm Mark Rockwell, I'm with Federal Computer Week. How has the nature of the cyber threat changed since the last QHSR? Good, let me take those in order. It's interesting, the statement in the Cold War that the public didn't have much of a role in deterrence. 
In a sense, though, the entire civil defense mechanism in which individuals were taught what to do and what to act was both for a protective, from a protective perspective, but also to create something of a deterrent effect. And so there were efforts to engage the public in civil defense efforts during the Cold War. Today, with the distributed nature of threats and challenges, the pervasiveness of information and communications technology, every person has a role and an opportunity to make decisions about actions that can impact the security and resilience of the United States. And so efforts like, if you see something, say something campaign that originated with the New York City Transit Administration and that has been used by the Department of Homeland Security and brought to a number of different partnerships with jurisdictions around the country are important ways that we engage the public on specific challenges. But I think the underlying point is the important one is that the public must be engaged in all of these activities. And one of the key ways that we do that is to share information, to provide ways of acting, and also to engage in activities like the review. 
One of the things that we wanted to make sure that we did was not conduct a review in a vacuum that was only for a small set of decision makers, but rather could we do a review of the strategic environment, of the risk environment, of challenges and strategies and then make that as public as we can, provide that information to people across the nation so that they can understand the challenges that we face, the opportunities that exist in the strategic environment and the ways for individuals to be involved, whether that's through organized activities, volunteering, becoming part of civic organizations, non-governmental organizations, or just in the actions we take each day, either through structured processes like if you see something, say something, or just individually on their own in their communities. With respect to motivations, there's a wide variety of motivations that motivate people to engage in violent acts. Obviously, ideology is one of those and it's a focus, not just for the department, but for the US government as a whole. One of the things that we do note in the review though, and it's an important finding and something that we want to learn from and that we want to help jurisdictions around the country learn from, is that there are certain aspects of this challenge that depend on the ideology or what ideology is motivating violence. But in many ways, acts of mass violence present themselves in similar ways. They present similar challenges to communities and to law enforcement and emergency response organizations and they present similar indicators and stressors. And so what can we learn from events of mass violence, those that are motivated by particular ideologies and those that are not motivated by ideology but are motivated by other means or by nothing at all, to look for common indicators, common intervention points, and common ways that we can prepare to most effectively respond. 
On the last question in terms of the cyber threat landscape, and I would broaden that out to the cyber risk landscape. I mean, I think the changes have been dramatic since the last Quadrantial Review and they're gonna be dramatic between now and the next Quadrantial Review. The pervasive, again, going back to the pervasiveness of information and communication technology, connecting people, the nature of that has changed remarkably over the last four years and the connection of and the use of those technologies to drive the way that we conduct our daily lives or we conduct business, we operate our infrastructure, has created huge opportunities but it has led to an increased threat as greater and greater numbers of malicious actors seek to exploit that mechanism. It's led to increasing numbers of vulnerabilities. You can't go a week without opening the paper and seeing another perhaps previously unknown vulnerability emerge that needs to be addressed and the interconnected nature of our populations and our infrastructure have increased consequences, both direct consequences and the potential for cascading consequences. As we begin to move to an industrial internet and to an internet of things connected to things, machines connected to machines doing work, that will only increase, again, vast opportunities but also increasing vulnerabilities and increasing potential for consequences. So this is one of the most dynamic areas that we look at in Homeland Security and will continue to be a top challenge and a source of strategically significant risk going forward. Secretary Conn, you've been more than generous with your time. I wanna thank you for coming out to CSIS this morning and I wanna congratulate you on getting another quadrennial review out. I know the feeling and as I joked with Alan beforehand, often when you finish one of these reviews, people say, what are you gonna work on now? 
And I know very well that all the challenges, the big challenges remain ahead in the execution and that is a daunting challenge for the Department of Homeland Security. So we appreciate your time and if we give a round of applause, I'll then introduce Paul Stockton. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. If you'll excuse the informality, I'm going to introduce our panel moderator from my chair here. We're very fortunate to have former Assistant Secretary Paul Stockton who is also a senior advisor here at CSIS. Here to moderate our panel, Paul was the Assistant Secretary for Homeland Defense and America's Security Affairs in the Department of Defense. He also led importantly in September, 2013, he was asked by Secretary Hagel to co-chair the independent review of the Washington Navy Yard shootings. He began his career with Senator Dan O'Patrick Moynihan, which is one of my favorite facts about him. Paul is incredibly accomplished in all of his government service but also currently serves as the Managing Director of SonCon, LLC. And he's going to introduce the panel here today. So please join me in welcoming Paul. Thank you, Cath, for that generous introduction and to CSIS for hosting this very important event. It is true that as Assistant Secretary of Defense, I had the privilege of bringing DOD capabilities to bear in support of the Department of Homeland Security and Superstorm Sandy on the Southwest border, many other occasions. I'll be candid with you. In many cases, when we provided support to the Department of Homeland Security, we found that sometimes the left hand did not know what the right hand was doing. One component of the Department of Homeland Security was not well integrated with another. It made not only support to the department more difficult but reflected a broader lack of cohesion across an absolutely vital part of the federal government. That's why Secretary Johnson's Unity of Effort initiative is so vital. 
It's historic. It's transformational. Unity of Effort is going to enable department decision making to be much more transparent and much more cohesive, better integrated across planning, programming, budgeting, and budget edged execution in the Department of Homeland Security. That's an absolutely vital enterprise and the Quadrennial Homeland Security Review is gonna provide the analytic and strategic foundations that's gonna help turn the vision of the Unity of Effort initiative into reality. And in a moment, I'm going to introduce my colleagues and they'll take on particularly important issues that the QHSR illuminates. Before I do that, I want to leave you with one thought and that is although Secretary Johnson's Unity of Effort initiative is absolutely vital and just what the department needs at this moment, it's also insufficient. Let me talk about the distinction between Unity of Effort and what we really need in the department which is Unity of Command. Unity of Effort is great when no one's in charge. Let me give you a prime example from the Homeland Security Enterprise and that is disaster response. Governors don't work for the president. Governors are sovereign, they're the independently elected chief executives of their states. And so when there's a catastrophe like Superstorm Sandy, the challenge is how do you bring cohesion together between state capabilities and federal capabilities? For example, state national guard forces under the command of governors and federal military forces under the command of the president. You do it through Unity of Effort. And I have to say, Unity of Effort is precisely what the Department of Homeland Security needs today when cohesion is so lacking and when such great opportunities for progress are now underway thanks to the leadership of Secretary Johnson. Necessary but not sufficient because ultimately one person really is in charge of the Department of Homeland Security. That is the secretary of the department. 
And I look forward to the day when Unity of Effort has been successfully accomplished, when thanks to the QHSR, we've made progress in the next few years towards Unity of Effort. I look forward to the day and I look forward to engaging all of you in helping to make this happen. Some day there'll be Unity of Command in the Department of Homeland Security and the secretary of the department will exercise the kind of authority that routinely the Secretary of Defense and the Secretary of State and the heads of other federal departments routinely exercise. Now let me turn to the introduction of the panel. First, David Bertot, David, it's wonderful to see you again. David is the Senior Vice President and Director of the CSIS National Security Program on Industry and Resources. He's also an adjunct professor at Georgetown University and at the Lyndon B. Johnson School of Public Affairs and served in the Department of Defense under four secretaries, geez. You think you'd wise up at some point? Anyway, David, it's an honor to sit on the panel together with you. Thanks. Thank you, Paul, for that very kind introduction. You get to serve under a lot of secretaries if you choose those who turn over rapidly in the cycles, if you will. I wanna look at three things in my comments this morning. One is how this QHSR is a step or whether it's a step in the right direction in maturing and strengthening the department's risk assessment and planning capabilities, if you will, and in looking at the resources that are aligned with that. I wanna compare it a little bit to other quadrennial reviews because we seem to have a lot of them these days and they're very convenient as a massive comparison. And I wanna talk a little bit about the unity of effort comment that you made at the end there. Since its inception, though, the department has had challenges that included a lot of what I would refer to as boundary struggles. 
Now, this is not border issues, but this is bureaucratic boundaries, if you will. It's useful to remember that somewhere between a fourth and a third of the Department of Homeland Security spending is not on Homeland Security. It's on government functions that existed long before DHS was created and that just came with those entities when they moved into DHS. So there's an automatic tension, if you will, on that boundary inside DHS itself. In addition, roughly a third, sometimes more than a third of total U.S. government spending on Homeland Security is not inside the Department of Homeland Security. A big chunk of it's in DOD, some of it's in the State Department, a big chunk of it's in Health and Human Services and other agencies across the federal government. And then finally, of course, as has been mentioned both by Secretary Cohen and by Secretary Stockton is large parts of Homeland Security don't belong to the federal government at all. They're part of state, local, tribal, et cetera. And they never let you forget that because that's the first responder part of it, if you will. Forgetting that the real first responders generally are actually members of the general public who happen to be first on the scene. So each of those requires attention to boundary issues, if you will, and to questions of is a particular program or is it support for resources or funding or personnel for a particular program in or out of DHS as well as where inside DHS it fits. So even Unity Command inside Department of Homeland Security is still gonna leave you with a host of boundary condition issues with which you have to deal. And the QHSR I think has to fit inside that. One of the things we do at CSIS in my program is we look at DHS spending and in particular we look at DHS spending on contracts and grants. I would refer you to a report we released on that just a couple of weeks ago. 
And somewhere around 40 to 45% of all of the Department of Homeland Security spending is on contracts or grants. So it penetrates into those boundary conditions, if you will. So I think this QHSR does a reasonably good job of thinking inside those contexts, if you will. It's also useful, I think, to reflect back on history. Many of you were around when the department was first stood up and when the administration proposed creating a department. Actually Congress of course proposed it first but the administration had a better idea so it put its own proposals on the table. And it was compared to the Defense Department quote the largest reorganization in the US government since the creation of DOD. Well keep in mind, it took 11 years between the original National Security Act of 1947 and the Defense Department evolving to the structure that it basically has today with combatant commands in charge of forces and the military services in charge of training and equipping and providing those forces. It actually took nearly 40 years before the structure that's in place today resulting from the Goldwater-Nickels Defense Reorganization Act of 1986 was passed and took root. So it's useful that when you're reviewing DHS to keep that kind of a timeframe in mind, if you will, in terms of assessments. In comparing the QHSR, both this one and the previous one to other quadrennial reviews and there's been five inside DOD, six if you count the one that wasn't called the QDR, the bottom-up review in 1993. We've had one in the State Department, they've kicked off another and other agencies are picking up the idea that it's useful to do this. One of the basic tensions that's in place here is how much attention do you pay to funding constraints? And in fact, you'll have the Defense Department will say that their QDR was informed by budgetary constraints but not constrained by budgetary numbers. Now this becomes difficult for some. 
In fact, one of my favorite quotes is a Wall Street analyst who says, I can't read this report referring to the 2014 QHSR. It doesn't have any numbers in it. I'm an English major, so I'm used to reading things without numbers but in fact, there's a grain of truth to that. If it doesn't connect to the budget, then you have to ask what's the impact, if you will. But the important question is not whether the review or the report is constrained by the budget but in fact, what's the important question is how do the budgets and programs and resources take the trade-offs that are either explicit or implicit inside the QHSR and reflect those trade-offs in the budget? And we, for that, I think we'll have to wait until the FY16 budget is submitted next February or March. The good news is that this QHSR, whether by design or result of inertia doesn't matter, is perfectly timed to affect that 2016 budget. The OMB guidance has already been issued, DHS is assembling that budget. They'll be submitting it for OMB for the Office of Management and Budget Review in the next few months and ultimately the president will submit it. That budget, by the way, I would point out is the only one that Secretary Johnson in his tenure as Secretary of Homeland Security, assuming that it only goes to the end of this administration, January 20th, 2017, it's the only budget that he will build, defend before the Office of Management Budget and the Congress, and then actually get to execute. It's the only one. If he's there for the full two, three years of his term, that's the only budget he'll get to do in to end, if you will. So the timing is perfect and the capability that the QHSR provides is useful input to that. So the value will be how this helps shape the trade-offs and arrange the priorities in those budgets, right? And maybe potentially even in the FY15 appropriations, the House has marked up their Homeland Security appropriations bill. The Senate is marking up theirs this week. 
They'll reach some kind of agreement eventually. We'll have an appropriation, if you will. So it's possible that some of the priority trade-offs implicit or explicit in the QHSR will be reflected in the 15 budget, but the place where the department really has to bring it to bear is in the 16 budget. I would note though that it's not good enough guidance. You can read this QHSR and it doesn't tell you all you need to know to make those trade-offs. There will be additional guidance required inside DHS in order to reflect that in the budgets. I would also note that one of the things that I look for in this QHSR and did not find much of is testing those priorities and trade-offs and all of the risks that were highlighted in Secretary Cohn's remarks against the real world through exercises and through what we call in the military war games, although they're much more than a game, obviously. There was not much attention to that. I would hope and assume that that's gonna be reflected in what the implementation shows there, but I think here is where that unity of effort approach becomes critical because it provides a structure in which that kind of guidance if issued and those kinds of exercise testings if applied can be done appropriately and in a timely way to be reflected in the 2016 budget. The last thing is what surprised me the most about this QHSR. I have a disclosure here. I was a consultant on the first QHSR. I worked on the study group in Homeland Security Planning and Capabilities Development. And that study group looked at how each part of DHS did its own planning and how it used the results of that planning to translate into both resources and the expenditure of those resources to develop capabilities. And we did a very nice report. I brought it as a prop here. It sort of meets the bulk requirement. This is printed both sides about 200 pages here as input to the QHSR. 
I believe that the final 2010 QHSR itself had maybe one paragraph that it took from this effort, if you will. So if you judge effort to result, you could be discouraged at that part of the process. It was still worthwhile because what it did for probably the first time was it got all the different parts of DHS to talk to one another about how they do planning, how they turn planning into capabilities, if you will. So I thought it was worthwhile even then. But then I picked up the new QHSR last week when it was issued. And in fact, what I saw was this did not just sit idle for four years. DHS was actually using the input from the previous QHSR, not just in planning and capabilities development, but in management issues and a host of other areas and actually flowed those into the 2014 QHSR. I frankly was, first of all, I tend to be a cynic when it comes to government taking advantage of prior work. And I was astonished not only to see it, but to see it done very, very well. And I'm not sure that I've seen that in any other quadrennial review in any other department. So the bottom line is that this QHSR is a step in the right direction. Its real value, though, will be tested by how it translates into budgets and plans and implementation. And I think the unity of effort approach offers some positive opportunity in that regard, but we'll really see the results in nine months when the FY16 budget goes to the Congress. I would also submit that DHS being able to use the risk approach that was outlined in the QHSR as part of its defense of that budget should help a lot in terms of defending the budget, both on the Hill, perhaps even more importantly, inside the Office of Management and Budget. And so I'm really, I could say I can't wait until the FY16 budget comes out. I know all of you share that with me here this morning. So thank you. Thank you, David. Thanks, David. And now I have the honor of introducing Matt Fleming. 
Matt is a fellow with the Homeland Security Studies and Analysis Institute, and let me say, one of the nation's leading scholars, experts on cybersecurity. It's great to have you here on the panel. He worked on cyber issues in the United States Department of Defense, directed a number of cybersecurity programs in the past. He's an adjunct professor at Georgetown University and has just a terrific background. So Matt, please take it away. Well, thanks, Paul. That's extremely kind of you to say. And good after, good morning, I suppose we're still good morning. I'd like to thank CSIS for the kind invitation to be here today and say that it's a pleasure to see so many familiar faces on the panel here and in the audience. Before I begin, I should say that my views here today are mine alone, do not represent DHS, one of my employers. But I'm here to talk a little bit about cyber and cyber in the QHSR. And so I should say that for those who don't follow cyber, these continue to be exciting times in the field of cyber. We've had some really interesting policy developments in the last year plus with Executive Order 13636, Presidential Policy Directive 21, both of which are relating to critical infrastructure and cybersecurity. We've seen this cybersecurity framework developed by NIST. We've seen an update of the national infrastructure protection plan and all of these things somehow mention or touch on cyber directly or indirectly. Certainly there have been many high profile events. Many of us may have been victims of such events, perhaps Target, the Target breach, any other breach. There seem to be breaches every day. The Heartbleed issue, which may mean something to some people, but it was certainly seen as one of the most significant events in recent history. Snowden, of course still hangs around the implications of Edward Snowden and his release of information. And I think we live in a world and Alan touched on many of these things. 
We live in a world in which the internet of things is here-ish, is certainly coming in which we will have sensors and actuators deployed everywhere in our fridge. We'll talk to our toaster and our jet engines. They already talk to the front of the plane, but they'll talk to the mothership and tell the guys on the ground that the starboard engine number two is a little hot and maybe you need a new part in flight. And so what that means is this rapid expansion of the attack surface. And then of course we've seen this indictment of five Chinese PLA operators, whether this goes anywhere is, we'll see, but it's a very exciting time in cyber. And I suppose that's both a good thing and a bad thing. So I'm here to talk a little bit about what I see as what does a QHSR say about cyber? Where do I think we've seen the biggest changes since the last QHSR? And I do have a couple of mild criticisms which I may leave until questions. I'd like to start though by saying that I'd like to congratulate DHS on what I think is a really thoughtful document. And it's the kind of document that at least I know I will be using and digesting and reading over the course of the next several years as I do my own research for DHS and on Homeland Security issues. Some of you may know Chris Bellavita from the Naval Postgrad School and he's posted some comments on this version, essentially saying throwing praise to DHS and I'd like to align myself with his views. But in terms of cyber, so Alan put up the four main goals of this QHSR on cyber and they're about things like strengthening the security and resilience of critical infrastructure, securing the dot-gov domain, advancing law enforcement and incident response and reporting capabilities and strengthening the ecosystem. Now, none of this is necessarily new. These are issues that the department has been working on for several years but it certainly is a perhaps more detailed overview of what the department is doing. 
And so, you know, in this, just in thinking about strengthening critical infrastructure, I mean we're talking about increasing information sharing, a very popular phrase but extremely important idea in cyber, increasing situational awareness and there's discussion some of you may have seen about the idea of a weather map, sort of a real-time weather map for cybersecurity that DHS talks about. We hear about ensuring the provision of essential services, right? And this is for those who work in the critical infrastructure world, this is really the point. We don't label something critical infrastructure because that makes us feel good. The importance is that we have a need in our society for electricity, for telecommunications, for various other things and what we care about and the reason that we protect critical infrastructure is so that we continue the provision of these essential services. So I think the QHSR brings out this importance in cyber of continuing the provision of essential services. And there's discussion of interdependencies and cascading effects, very important in cyber. You know, we live in a world in which we have very obvious interdependencies but also quite non-obvious interdependencies and so much attention needs to be paid to understanding these things better and their cascading effects. And I think this was also highlighted in the National Infrastructure Protection Plan, the new version, and so I think this is a real positive. There's some discussion securing the dot gov about coordinating purchasing across the federal government. Seems like a good idea perhaps to our budgeting, earlier mention of budgeting, this will save us some money. Deploying cyber tools, if you follow cyber at all and DHS you will have heard things like words like Einstein or phrases like continuous diagnostics and mitigation. These are fairly important programs, if not extremely important programs to the department and so of course they're called out in this QHSR. 
We see a little bit more in this version about advancing law enforcement and incident response and reporting capabilities, deterring and disrupting cyber crime and then of course this idea of strengthening the cyber ecosystem. How DHS can perhaps work to drive innovation and cost effective solutions throughout the cyber ecosystem, conducting research and development and transitioning the findings of R&D efforts into practice, obviously quite important. I would say that in this version of the QHSR we see perhaps a clear articulation of the cyber mission. A lot of this stuff was in the last version but it just seems to be a bit more direct. In this version I think that's a great thing. And then we see of course as Alan mentioned this discussion of public-private partnerships, very important in information sharing and other aspects of cyber. To draw out a little bit more of the differences between this and the last QHSR, I think one of the most welcome developments is this greater emphasis, more explicit emphasis on critical infrastructure. And perhaps this is not surprising given the policy environment with these executive orders and presidential directives. But certainly I for one, and I work in this field so perhaps I would say this, but I for one applaud this focus on critical infrastructure and understanding interdependencies and this idea of cyber-physical convergence, right? That physical harm can be caused through the cyber vector and of course cyber harm can be caused through the physical vector, all very important. There's a greater discussion of roles and responsibilities particularly with DHS, DOJ and the Department of Defense. I alluded to this greater emphasis on law enforcement and I would think there's, I find it as I read it a clearer and deeper articulation of the threat and vulnerability. And in the interest of time I have a couple criticisms but I'll leave those to questions, thanks. Thanks Matt. And next we have Dr. Mark Frey. 
Mark is a senior associate with the CSIS Homeland Security and Counterterrorism Program. He's also senior director in the Washington office of Steptoe and Johnson, LLP. Previously Dr. Frey held senior positions at DHS including chief of staff for the Office of Policy Development and most notably director of the Visa Waiver Program, that was really something. Great achievements Mark and welcome this morning. Thanks Paul and it's a pleasure to be here particularly on this distinguished panel. I'll note before I start I may be the only person on the panel who is actually an alumnus of DHS and not of DOD. So at some point you may find me rising to defend the honor of my former organization as we go. I was also involved at least to a relatively small degree in the formation of the first QHSR. And so I'm gonna talk a little bit about that and a little bit about how this new one differs much the way that Matt did. My focus is going to be on the border flows issue that Alan highlighted and in some ways that's the easy one in that and this is where I go back a little bit to the first QHSR process. That's one of the areas perhaps in opposition to cyber and then to counter terrorism that Ozzie will be talking about where that's a pretty core DHS mission that doesn't have a lot of other players in the space that they have to fight some of these boundary battles with that Dave mentioned. Border security, managing the flow of people and goods into another country, that's DHS and it was components of DHS before DHS was established. And so a lot of the time we spent in the first QHSR was fighting with some of, fighting is probably not the right word, discussions with some of our inter-agency partners on proper roles and responsibilities for things like counter terrorism and in particular cyber security and some of those debates are still ongoing. So borders a little bit easier there. 
And it's also worth saying before getting into what this document says that that's also an area where DHS has had a tremendous amount of success. There is now a unified face at the border. There are now programs, particularly these trusted traveler programs that do what Alan noted the QHSR is supposed to do which is risk segmentation, so-called shrinking the haystack. It's very difficult to find one bad guy or one bad cargo container in the flow of millions upon millions of people or goods. And so risk evaluating these based on the provision of advanced information, information sharing, international cooperation, that's all to the good. Trusted traveler programs like Global Entry and, relatedly, PreCheck and on the cargo side C-TPAT also all very much to the good. And so operationally DHS has had a lot of success in doing this work. So to transition to the current QHSR and whether it can continue this success or build upon this success, I think the good news is first that a lot of that role setting debate is largely over and DHS now has these five core missions and a key role to play in them and in particular it's got the lead role in this border security issue. But I also think that it's become a, more complicated is not the right word but it's one of the things that the QHSR does not touch on enough but that I think DHS really needs to do more of in practice is this international engagement that Alan talked about. It's there, it's providing some lip service to it in a sense but actually how that happens and how DHS leverages its large international footprint and some of its programs whether it's offering Global Entry membership to partner countries whether it's establishing pre-clearance facilities in countries. There hasn't been to my view as much rhyme or reason as to how those things are established. If you look for example at the list of Global Entry member countries I defy anyone to find a pattern as to why these countries were chosen. Why is Panama a member? 
Well I'm not sure, does Germany make sense? The UK makes sense? Yeah, I can see that but some of these other things don't make sense and why some countries aren't included also doesn't make sense. So I think to the extent that QHSR can help drive a more coherent and holistic look at how DHS approaches international partnerships I think that would be a good thing and that's probably one of my main criticisms about how the border section and the flow section is addressed. I also want to follow up a bit on the point that David made in that the proof really will be in the pudding, right? The document sets out a very interesting and useful analytical framework particularly with respect to borders dividing the different flows into these three categories that the market driven, the non-market driven, the ideological and the lawful is a very useful way of thinking about it and will help drive responses. On one hand the proof will be in how these budgetary decisions are made and it won't surprise anyone that if you look at the record of the previous QHSR budget decisions and spending decisions did not track very closely with that document. Now maybe we've learned from that and hopefully with that under our belt we'll have better success this time but that's where this matters. If not it's just a document. It's actually a fairly compelling document. It's a well-written document particularly for a government document that was the process of God knows how many inter-agency processes and revisions and so it will always be useful but it will only really be effective if it drives these budgetary decisions that David mentioned. It will also only be useful if it drives operational decision-making and to that point I wanted to touch a little bit on a follow-on memo that I think was up there when Alan was concluding his presentation but it's about a DHS-wide campaign plan for the U.S. Southern border. 
So this was actually a follow-on memo issued in I think May so just a couple months ago following the secretary's unity of effort memo which has gotten quite a bit of attention during the talk and during this panel in which I agree is a good start because DHS certainly needs more cohesion although I'm not sure maybe I'm just too pessimistic if they'll ever get to a unity of command or maybe even need to get to a unity of command but that's a separate discussion but I think the key part about this memo on the DHS-wide inter-component campaign plan for the Southern border is that it explicitly ties this plan to the QHSR and the analytics and the themes addressed in the QHSR and in fact it assigns Alan as the assistant secretary as co-lead for the development of the border plan and how to set outcomes and targets for the border flows as they map back to the QHSR. And I also note and I'm sorry Alan left because it would have been great to ask him that review is supposed to be approved by June 30th so it'd be great to know if that's actually taking place but the broader point is that not only see budgetarily but hopefully we'll begin to see operationally if the way the QHSR starts talking about is talking about thinking about these issues is actually put into practice by the various component agencies in DHS and I'll make two quick other points and then I will turn it over to Ozzie to conclude and this harkens back actually to a previous CSIS discussion on border metrics and technology. I also think a potential value of the framework established by the QHSR in the border sense is that if it's done right it can actually help provide us with the metrics that we actually need in this larger border debate. One of the things that's bedeviling the entire community forever is how do we measure control of the border? What does operational control of the border mean? What does border security mean? 
And that has implications both operationally it has implications legislatively for this immigration debate that we're involved in and all sorts of other reasons. And so if you think about things the way the QHSR directs us to I think that can lead us to coming up with better metrics with respect to these different border flows and that would be a very, very good thing for the wider DHS enterprise. And then the final comment I'll make and maybe this will be something we can talk about during the discussion is that obviously the QHSR is looking strategically it's not down in the weeds on these issues and it's not easily applied to issues that pop up that you don't expect or that you haven't prepared for. But I'd be interested and I would have asked Alan this as well as he said how you would apply the QHSR principles for example to the current unaccompanied minor issue that we're experiencing on the southern border and how the way the QHSR analytical framework would inform what is now a crisis on the border and what policy and operational decisions and budgetary decisions should be put forward to solve that and with that I'll happily take questions when we're done. Thanks. Thank you Mark. And now it's my pleasure to introduce Ozzie Nelson the excellence of the CSIS program in Homeland Security. Ozzie, you're responsible for much of that. Congratulations and Ozzie is now Vice President for Business Development at Cross Match Technologies which you've accomplished so much in your distinguished career. Ozzie, welcome today. Thanks Paul, I appreciate it. It's good to be back. So batting cleanup, you usually have bases loaded or nobody's on, right? So I think that my colleagues here have cleaned the bases already so I'll try to keep this short and I appreciate the opportunity to be here. The document, I think Secretary Cohn captured it accurately is a demonstration of the maturation of the department and after only 10 years it is quite remarkable. 
It's a pretty impressive document. When I sat down to read it I thought I would be underwhelmed, it was the opposite. However, there's still a lot to be done and often these documents are the target pinatas for the media and for pundits to talk about how fluffy they are, what they don't accomplish but they really are table stakes to have a coordinated unity of effort. It's the point from which all other actions can take place. I'm here to focus on the counter-terrorism section and I was thrilled to see that counter-terrorism is gonna remain the cornerstone of Homeland Security. Very important, I think with the killing of bin Laden that there has been a desire by many to put this nuisance of terrorism behind us and press forward onto the larger issues of national security. But terrorism unfortunately is here for us to stay. In 2011 the US spent more on its military than the next 13 nations combined. Building and maintaining conventional military force is just no longer viable for nations or entities that wanna have power in this space. They're gonna do it asymmetrically. It's a greater return on your investment and asymmetrically means terrorism and militancy, it means cyber, it means WMD which happened to be three of DHS's core missions that I've identified. So put on top of that DHS's mandate of going across 22 departments and agencies from the federal to the state and local and then having to protect an infrastructure of which they don't really own. And then do it under the auspices of you're the departments and you're the agencies that interact with the American public more closely than any other department agency in the US government. It's an incredibly difficult mission. What has made this even more difficult in the realm of terrorism is that we've kind of been a victim of our success. 
In many ways the dismantling of al-Qaeda core, which we all agree has pretty much occurred, has pushed this threat back down to the regional and even the local levels, which is where we want it. The brilliance of bin Laden was that he was able to bring all those entities together into a formulated strategy. Now we've pushed it back down. Negative of that is it makes it much more difficult. An analogy I use, it's like dropping, breaking a glass on the floor. You can pick up the big pieces, you see where the general breaks are but where are the other pieces that you missed and how do you track those and they're really difficult to see until you step on them. And that's what DHS now has from a counter-terrorism perspective. The threat remains, again, not just we see that with regional groups in Africa but we see this issue of lone offenders as DHS calls it inside the United States. And the question was brought up early is what motivates these individuals? It doesn't matter. It can be today, it can be a radical interpretation of a religion and tomorrow it could be a domestic group or it could be something else. We just don't know and you can't single those types of things out not when you have DHS. You have to be able to protect and prepare for however the threat may unfold. And that's one of the things that I think is good about this document is they talk about how these terrorists are going to potentially attack the United States or how can they threaten us? They talk about the issue of active shooters, about IEDs. They talk about the importance of the transportation sector and they also bring up back to the forefront of the issue of an IND, an improvised nuclear device. If we think that 9/11 changed our view of the world you can only imagine what a nuclear device in Washington, D.C. or in New York City how it would change our view of the world. And so they have a very difficult mission. I'll talk a little bit about the risk security. 
I think the risk-based security approach is brilliant. We all have done it in our lives. We, DOD has done it. DHS actually is trying to codify it and as documents said they really are leading the U.S. government in this field. We cannot protect all people from all things all the time. We have to figure out how to do that. And DHS has implemented a bunch of programs recently to get that done. One thing with risk-based security that we all have to understand as the American people is that one risk-based security means we're going to assume risk. We're not going to get it all. And it means we're going to have priorities which means there's going to be in the budget cycle haves and have nots. The highest priorities are going to get the money, the lower ones aren't. Just a couple and so I was very happy to see the document take that on. One is a former pilot. I like lists. We were in the life of checklist. So I'm just going to wrap up and find out how five things I liked about the QHSR and five things that I didn't like about it. I love the thoughtfulness and the complexity of the document. I like the fact that they took on the hard issues. They mentioned community policing. They mentioned things like fusion centers. Those are hard issues and they didn't shy away from them. I like the fact that they tried to put some definition behind their taxonomy which has been some would say intellectually lazy in the past. We're going to have partnerships and we're going to have information sharing. Now they're starting to define what a partnership means and what are both sides going to get out of that. I think it's forward thinking. I talk about the black swans in there and they mentioned things that they don't know. They realize they don't have it right and that this is only a snapshot in time. I love the document in the back. It talks about basic roles and responsibilities. I think we should start every interagency meeting in DC with that on the table. 
And then last, I think it talks about actually consolidation, consolidating things like fusion centers and screening centers. They're saying we need to make internal changes. Things I didn't like about it. The document is too complex in many ways. They covered everything. It was still thorough and there's still some lingering DHS language in there. My counterterrorism perspective, I do not like the term lone offenders. They are terrorists. They're not offenders. Offenders are people that don't pay their parking tickets. I don't answer the questions about how and my panelists have talked about that. And lastly, the biggest issue of keeping the department to be the department that we want it to be is congressional oversight. And they didn't mention that in the document. Thank you for the opportunity to be on the panel. Thank you, Ozzie. I promise that we'll end promptly at 11. All of you are busy, important people. But that does leave us with some time for questions. I had one in my back pocket but I'm gonna defer to all of you if we could start right up in front. Good morning, Adam Teal. I'm a Deputy Secretary of Public Safety and Homeland Security for the Commonwealth of Virginia and I appreciate and perhaps exemplify the mentions of state and local governments as part of the Homeland Security Enterprise. I'm interested in some concrete examples perhaps from you all. There's some concrete suggestions for how we can strengthen unity of effort for those of us occupying the middle and the bottom of the space depending on how one's perspective is calibrated. Thanks for your leadership in Virginia too. Who'd like to answer that? I'm gonna turn to the mission framework in depth which is this chart towards the back of the QHSR that essentially takes the missions and breaks them down into sub-goals if you will. This is the place where I was particularly saying we need additional guidance on how this is gonna translate into actual resource decisions. 
I was focusing in terms of the internal federal budget but I think the same thing is true what I would do if I were you is look for the places where that goal aligns with where Virginia for instance in your case needs to have better federal interface and better federal visibility and effort or focus or resources and go from the bottom up inside that mission framework and that's how I would take this document and turn it into what you would do. Oh, very quickly. Yeah, really quickly so I think that I have four criticisms of the document I may or may not get to them but one of them is this issue of there's a discussion of roles and responsibilities but cyber as Mark noted is a team sport perhaps less so than border security and I think that that thread could have been pulled a little bit more to expand on what is it that actually we want state and local even private citizens to do. I really would have liked to see more of that. Thanks Matt, who else has a question? Jessica, you introduce yourself please. Good morning, my name's Jessie Iannotti. I'm currently working international issues with the Department of Homeland Security previously worked in the Pentagon for Dr. Stockton in the office of HD and ASA. I actually share the perspective of one of the panelists on there are some tremendous successes that DHS has had in the years since its creation yet I think we all acknowledge that there are still significant challenges particularly in the unity of effort. As I was hearing the commentary I just jotted down a few of the challenges that I've noted being a little bit behind the scenes now everything from the logistical to multiple different sites dispersed real estate across the area personnel challenges we don't have a cadre of Homeland Security professionals yet. We don't have a Goldwater-Nichols that's encouraged really the jointness and the structures that DOD has had the advantage of or really a culture of sort of that purple born purple sort of approach. 
As well as some capstone guidance documents that DOD has had things like the GEF and the JSCP that really direct components in a way that DHS hasn't quite gotten to. So as a long lead up to my direct question to this distinguished panel which is of those and perhaps others that you would know what do you see as the biggest challenge and were you in the Department of Homeland Security right now what would be your focus for improving? Thanks, who'd like to take that one on? This is I guess we're being the DHS guy comes back and bites me the other guys though we don't have that. Well I think it is easy to talk about the problems. I think it's worth as maybe it was David or maybe it was Paula said that we do have to keep some perspective on the problems particularly in the timeline right? We are a little over 10 years into this reorganization and in the beginning it was pretty fitful and it took several years for folks to stop saying I'm legacy customs, I'm legacy INS and after you say no I'm CBP now and things like that and then even when those issues are solved you then have other inter-agency issues with what is the proper cyber role for DHS for example vis-a-vis the NSA or what is the proper CT role for DHS vis-a-vis the FBI and others and in fact what is the proper role of DHS international programs vis-a-vis the Department of State. So those things are all there as is the fact that you can spend your entire day going from meeting between TSA and the NAC and everywhere else. So all that being said I actually think that the biggest problem that DHS is facing is not this cohesion because I think it's getting there particularly if you put it in historical context. I think the problem is that there just hasn't yet been enough of the internal institution building. 
Things at DHS, a lot of things that are successful are successful in part because senior leadership, including the secretary but also the assistant secretaries that are down, are focused on them, and if they're not focused on them they tend to just sort of happen or not happen, and there's not a strong institutional framework that perhaps some of these more mature departments have to make things run on autopilot, in a sense, when senior leadership is actually not asking for daily updates on those issues.

Thanks, Dave. Okay, we have time for one more question. Who's got one? Yes ma'am.

Yes, thank you again for your time. I'm with the Center for the Study of the Presidency and Congress, my name is Summer Fields. Mr. Fleming, I had a question for you. You used the phrase we have sort of less specific interdependencies, and I was wondering what you were thinking when you were saying that, if you go more into that when it comes to cyber.

So I might have said we have obvious and non-obvious interdependencies. So I think we know that, I mean, we all have iPhones, it's like an Apple convention here, but I need power, I know I need power, but there may be other things, and I need comms, right? Or this is just a brick. But there may be times when I don't realize that actually there's something going on in the background, a connection that I haven't thought about, or as we see services roll out, for example, that ride the internet, that I have an internet protocol, the internet of things, I'm focusing on the internet of things right now, lots of services, you can have your home locks and your Nest thermostat. Well, do we realize that actually, so that means we need comms perhaps to turn on our thermostat, we need how, in ways that we perhaps hadn't thought about and that others who are doing the planning hadn't thought about.
So as we move to biomedical devices that are sort of also part of this internet of things, are we thinking that, wow, somebody's glucose monitor or some pacemaker might actually require not just a battery on its own but connectivity in certain ways, and we need to think about those non-obvious, and of course they're much more important in critical infrastructure. Hope that helps.

Well, thanks to the distinguished members of the panel, thanks for CSIS and thanks for all of you, your citizens, your partners in Homeland Security.