Executive Summary
In recognition of potential bioterrorist threats, President George W. Bush issued Homeland Security Presidential Directive 10 (HSPD10), “Biodefense for the 21st Century,” on April 28, 2004.1 This directive, as well as the National Strategy for Homeland Security,2 published by the White House Office of Homeland Security in 2002, required assessments of the biological weapons threat to the nation and assigned the Department of Homeland Security (DHS) responsibility for conducting these assessments, in coordination with other appropriate federal departments and agencies. The first DHS bioterrorism risk assessment was completed on January 31, 2006, and the report documenting the assessment was published on October 1, 2006.3
THE COMMITTEE’S PRELIMINARY ASSESSMENT
The National Research Council (NRC) was asked by DHS to carry out a study to recommend improvements to the methodology used for DHS’s first bioterrorism risk assessment. The NRC study will issue two reports: interim (this report), focused on near-term improvements that can begin in federal Fiscal Year 2007 (FY2007), and final, to recommend longer-term improvements.
On August 28-29, 2006, the NRC Committee on Methodological Improvements to the Department of Homeland Security’s Biological Agent Risk Analysis met with representatives of DHS, its National Biodefense Analysis and Countermeasures Center (NBACC), Battelle Memorial Institute, the White House Homeland Security Council, and the Homeland Security Center for Risk and Economic Analysis of Terrorism Events (CREATE). The briefings at this meeting described a probabilistic risk assessment (PRA) of 28 bioagents. For each of the 28 pathogens, it used a 17-step event-tree analysis of paths (sequences of events and actions) that could lead to the deliberate exposure of civilian populations. The recommendations and discussion below are based solely on those briefings; DHS’s bioterrorism risk assessment was not made available to the committee in time for this interim report.
This interim report provides DHS with overall near-term guidance and direction for the further development of its risk analysis models. The committee’s final report will address longer-term issues in the development of risk analysis capabilities for DHS. Because the topics discussed here will be studied in more depth and with a view toward the longer term, the committee’s final report will be more detailed and may modify the conclusions presented here. The committee is confident, however, that the recommendations included in this interim report are appropriate and necessary in the near term.
The committee recognizes that the development of this comprehensive suite of techniques used for the PRA is a logical extension of previous risk analysis methods used for natural and technological hazards and engineering design.4 The implementation of the selected PRA framework appears, for the most part, to be consistent with well-accepted practice in other fields of risk analysis such as nuclear reactor safety and chemical safety. The committee also notes that DHS and its NBACC have sought ways to refine and improve this new capability.
1 |
Homeland Security Presidential Directive 10, “Biodefense for the 21st Century,” April 28, 2004, available at http://www.fas.org/irp/offdocs/nspd/hspd-10.html. Accessed Nov. 1, 2006. |
2 |
See www.dhs.gov/xlibrary/assets/nat_strategy_hls.pdf. Accessed Nov. 1, 2006. |
3 |
Bioterrorism Risk Assessment. 2006. Biological Threat Characterization Center of the National Biodefense Analysis and Countermeasure Center. Washington, D.C. |
4 |
See, for instance, http://www7.nationalacademies.org/aseb/stamatelatos_nasa_presentation.pdf and http://www.ans.org/pubs/magazines/nn/docs/2000-3-2.pdf. Accessed Nov. 1, 2006. |
THE COMMITTEE’S INTERIM RECOMMENDATIONS FOR FY2007
Based on its August 28-29, 2006, briefings, the committee’s main concerns are about the overall purpose and directions of DHS’s risk analysis, the challenges involved in structuring and predicting the actions of determined adversaries, and the need to provide policy makers with a sound foundation for DHS’s ongoing risk analyses. Following are three critical interim recommendations.
Recommendation 1: DHS should establish a clear statement of the long-term purposes of its bioterrorism risk analysis.
A clear statement of the long-term purposes of the bioterrorism risk analysis is needed to enunciate how it can serve as a tool to inform risk assessment, risk perception, and especially risk-management decision making. Criteria and measures should be specified for assessing how well these purposes are achieved. Key issues to be addressed by such a statement should include the following: who the key stakeholders are; what their short- and long-term values, goals, and objectives are; how these values, goals, and objectives change over time; how the stakeholders perceive the risks; how they can communicate their concerns about these risks more effectively; and what they need from the risk assessment in order to make better (more effective, confident, rational, and defensible) resource-allocation decisions. Other important issues are who should perform the analyses (contractors, government, both) and how DHS should incorporate new information into the analyses so that its assessments are updated in a timely fashion.
Recommendation 2: DHS should improve its analysis of intelligent adversaries.
Event-tree methodology was not developed to model the possible actions of intelligent adversaries. Traditional event-probability assessment and elicitation techniques for these assessments are not sufficient for modeling the actions of intelligent adversaries made in response to their opponents’ defensive actions and/or in response to initial successes or failures in their own plan execution. Alternative techniques—including red teams (i.e., individuals, including both technologists and those with experience in targeting and strategy, whose purpose is to simulate adversarial decision making) and attack-preference, decision-tree, attack-tree, or attack-graph models5—might be more suitable to complement elicitation.
Recommendation 3: DHS should increase its risk analysis methodology’s emphasis on risk management.
It is unclear how the event-tree probabilistic risk assessment will support DHS’s design and evaluation of alternative risk management strategies. The computational engine being developed by Battelle does not permit, let alone encourage, risk managers to explore “if resource allocation, then
5 |
Attack trees and attack graphs are modeling techniques for understanding risk in complex situations. Both are graphical representations showing all ways to attack or damage a system. Decision trees are event trees with decisions represented as possible events. Attack-preference models examine decisions from the viewpoint of the attacker rather than the defender. See http://csdl2.computer.org/persagen/DLAbsToc.jsp?resourcePath=/dl/proceedings/&toc=comp/proceedings/itcc/2004/2108/01/2108toc.xml&DOI=10.1109/ITCC.2004.1286496. Accessed Nov. 1, 2006. |
probable consequence” scenarios for evaluating alternative risk management strategies.6 DHS needs to determine how strategies involving specific investments of resources in protection and countermeasures translate to changes in risk and impact terrorist plans and actions. Moreover, the model should have an interface and visualization component that makes its results and limitations easier to understand and be used by decision makers.
The committee encourages DHS to continue to build on, refine, and improve the probabilistic risk assessment foundation already laid down. The committee will continue to pursue these and additional topics in its review over the coming year.