CNET también está disponible en español.

Ir a español

Don't show this again

Christmas Gift Guide
Tech Industry

Counter-terror: Too much, too little?

How far should businesses go to protect against terrorism? Experts at Wharton debate counter-terrorism choices and the implications of be over-prepared or under-prepared.

Amid the huge U.S. effort to guard against any future terrorist attack, the private sector faces particular challenges.

As custodians of an estimated 85 percent of the nation's infrastructure, businesses are faced with a daunting list of tasks and questions on how to protect their buildings, systems and employees from an assault that, in the current geopolitical atmosphere, seems increasingly likely.

Beyond headline issues such as the financial cost of counter-terrorism measures and the main areas of vulnerability lie a host of questions that further complicate management decisions on whether to invest time and money in anti-terrorist measures and that distract from the business of business.

Managers may ask themselves, for example, whether certain anti-terrorist measures will be mandated by the federal government and, if so, whether that investment should be deferred until a decision is known. They may also fear a loss of competitiveness stemming from over-zealous regulation or from anti-terrorist investment that isn't reciprocated by the competition.

Will a company have access to the best and latest thinking on protective measures if it is barred by antitrust laws from consulting with the competition? Is it getting the best advice from federal, state and local authorities?

If some businesses are dragging their feet in attempting to protect themselves against terrorism, some blame may lie with the federal government.
Among other headaches for business: Does management fully understand the interconnected nature of the systems that may be targeted by terrorists, and will any investment in them be pointless if other entities using those systems fail to install the right protections? If a company conducts a vulnerability risk assessment, will its stock price get punished by investors who fear it signals crucial weaknesses?

The private sector is faced with some $150 billion a year in increased costs related to terrorism, Fortune magazine estimated in a February 2002 article. Within that, improved workplace security--including more guards, new ID systems and video surveillance equipment--is expected to cost $18 billion. IT measures such as new backup systems for disaster recovery could set the industry back around $15 billion. Higher insurance costs are expected to total another $35 billion a year, according to the report.

Most of the spending has so far occurred in large corporations. Crucial industries such as utilities, transportation, IT and financial services have taken terrorism very seriously since Sept. 11, 2001, and have made some progress, while smaller companies have further to go.

"The private sector--energy, chemicals and financial services--is better prepared than it was two or three years ago," says Paul Kleindorfer, co-director of Wharton's Risk Management and Decision Processes Center. "Companies have begun to put in place global risk czars and they have done some work. But they haven't done enough rehearsal (for a terrorist attack). There is a gnawing sense that if (an attack occurs), we're in big trouble."

A 'Maginot Line' approach
That sense of vulnerability is only increased by the fact that businesses control most of the nation's infrastructure, a point made by Ron Taylor, director of the Naval Studies Board of the National Academies.

Fears that the private sector is not yet fully engaged in the anti-terrorism drive were further fueled by a September 2002 survey by the Council on Competitiveness, a Washington-based group of CEOs, university presidents and labor union heads. The survey found that only 70 percent of senior executives said they were concerned about a terrorist threat to their businesses and just half of those had done anything about it.

Of those who had recently improved security, many had invested in physical defense measures, such as hiring more security guards, but paid less attention to vulnerable areas such as transportation, telecommunications and IT, according to Debra Van Opstal, the council's senior vice president.

"Many were taking a 'Maginot Line' approach to their security," she said, in a reference to the French defenses that were relied on too heavily in World War II. "The biggest threat exists in the networks, and the proportion of managers who had looked at vulnerabilities in those areas was in the low teens."

Part of the problem, Van Opstal said, lies in a corporate culture that has traditionally assigned a low priority to security so that it's neither a boardroom issue nor an integral part of a company's mission. "Like quality in the 1980s, security needs to be embedded," she said. Now that it has shot to the top of the corporate agenda, security is becoming the legitimate concern of top management, she added.

Business may also be deterred from bolstering the security of their systems if the other parties in those systems aren't making the same improvements. In the case of Pan Am flight 103, for example, the bag containing the bomb was loaded on a connecting flight and then transferred to the jet that exploded over Scotland in 1988.

"The knowledge that investing in screening still leaves an airline vulnerable unless others do likewise reduces the attractiveness of investing in screening," according to a Brookings Institution paper co-authored by Howard Kunreuther, co-director of Wharton's Risk Management and Decision Processes Center.

Federal failures
If some businesses are dragging their feet in attempting to protect themselves against terrorism, some blame may lie with the federal government, which has not done a good enough job communicating the gravity of the terrorist threat and has failed in some cases to offer guidance to businesses that it regulates, analysts say.

In the electricity industry, for example, some companies are at a loss on how to proceed because regulators have not told them what to do, said Lewis Branscomb, professor of public policy and corporate management emeritus at Harvard University's John F. Kennedy School. Branscomb co-chaired the National Academies' committee on science and technology for countering terrorism, whose report, "Making the Nation Safer," was published last summer.

Overall, the federal government has so far failed to provide an adequate lead to the private sector because it is preoccupied with Iraq and appears to be leaving business to make its own decisions on terrorist protection, Branscomb said. "My concern is that the principle fields of battle are privately owned and that as far as I can tell, the federal government has taken the view that this is the private sector's problem and no guidance has been offered. The government has failed to engage the relevant sectors of private industry in high-level discussions on vulnerabilities."

Business may also be deterred from bolstering the security of their systems if the other parties in those systems aren't making the same improvements.
According to Branscomb's report, massive government subsidies and draconian regulations won't succeed in persuading private industry to reduce its vulnerabilities to terrorism. That goal is more likely to be achieved, it stated, by encouraging industry to develop technologies that can be applied to both security and commercial use.

The food industry, for example, may be able to develop technology that would guard against terrorist attempts to contaminate food supplies as well as enhance the industry's ability to detect bacteria and other naturally occurring contaminants. In the shipping industry, a security system that allows companies with certified secure loading facilities to gain faster clearance at certain ports could also reduce the use of containers for escaping customs control and increase the industry's efficiency.

In addition, the report calls on government to ease antitrust regulations to allow competitors in critical industries, such as electricity generation and chemical manufacturing, to share information on protecting their facilities and systems. "Supervised antitrust exceptions may be needed in a variety of industries," it stated.

Fears of an avalanche
Private investment in counter-terrorism technologies could, the report argues, confer a competitive advantage on companies that undertake it. And that's part of the "business case" for investing in security, said Alfonso Martinez-Fonts, special assistant to Tom Ridge, secretary of the 170,000-employee Department of Homeland Security. "People are apprehensive about buying something that the government mandates," said Martinez-Fonts, whose job is to head the department's relationship with the private sector. "It's got to make business sense."

After dealing with government auditors during 30 years as a banker, Martinez-Fonts said he understands why businesses fear being swamped by new regulations. He welcomes a dialogue with the private sector and hopes to have a staff of 30 to facilitate that process.

The department will be working mostly through trade associations to communicate recommended counter-terrorism measures. Government money generally won't be available for protective investment but will be for services whose job it is to immediately respond to any attack, Martinez-Fonts noted.

Business is indeed fearful of an avalanche of government mandates and wants better representation in the policy-making process, according to Kim Dougherty, vice president for national security affairs at the U.S. Chamber of Commerce. "We want to make sure that whatever measures the government decides on are placed against business trying to make a buck."

So far, the business community has not been represented to the extent that it ought to be, Dougherty said, and this has resulted in some regulation that will hurt business. For example, U.S.-bound cargo ships preparing to leave any foreign port must now file a manifest with U.S. customs inspectors certifying the contents of every container. The new regulation, designed to prevent bombs entering the U.S. in containers, will add costs, delay shipments and may result in the shutdown of next-day delivery services, Dougherty warned. It could also put a strain on businesses whose lean inventories leave them heavily dependent on timely deliveries from suppliers.

"The government is trying to accomplish a lot, but they don't understand what the consequences are of some of these regulations for business," she said. "We are asking for an open dialogue so that the business community can help government come up with workable solutions."

Whatever security improvements emerge from the government's discussions with the private sector, officials are under no illusion about the magnitude of the task faced by the new department, said Martinez-Fonts. Border security staff members, for example, are charged with preventing terrorists entering among the 500 million people who come into the country every year. The security staff has "to be right 100 percent of the time. The terrorists only have to get it right once," he said. "The odds are not attractive."

 
To read more articles like this one, visit Knowledge@Wharton.

All materials copyright © 2003 of the Wharton School of the University of Pennsylvania.