Critical Releases in Homeland Security: November 22, 2017

"Project Responder 5 (PR5) is the fifth iteration in the Project Responder series of studies. The purpose of Project Responder is to identify, validate and prioritize capability needs for emergency response to critical incidents, including complex, multi-jurisdictional, large-scale, high-risk, high-probability or high-consequence incidents, or incidents that have important social or economic impacts. Capability needs are not static, but evolve as operating environments and organizations themselves change. This argues for a process of continuous assessment of these needs. Since the first Project Responder report was published, the U.S. Department of Homeland Security (DHS) has funded a periodic re-examination of capability needs based upon changes in the response environment and technological advances. The timing of PR5 is appropriate because the threat environment continues to change, requiring capabilities to address a wide spectrum of threats and hazards. Increased incidence of weather-related natural disasters, mass civil disturbance and riot events, violent acts against emergency response personnel and terror events emphasize the need for evolving capabilities. This document also describes how other factors, including the actions of bystanders, societal perceptions of mistrust, the growing involvement of traditional and social media and advances in technology, have changed how responders operate during routine daily events and on large-scale incidents."

"How is the theory behind critical infrastructure/key resources (CIKR) protection evolving? Practitioners who implement strategies should be confident their strategies are based on sound theory, but theory evolves just as strategy evolves. Many theories, techniques, and models/simulations for CIKR protection have been proposed and developed over the years. This paper summarizes several of these approaches and explains how they relate to basic risk concepts explained in the Department of Homeland Security (DHS) Risk Lexicon. We explain unique contributions of ways to model threat, vulnerability, and consequence, which have implications for how we assess risk. This work builds on previous work in the areas of operations research, prospect theory, network science, normal accident theory, and actuarial science. More specifically, we focus on deterrence measurement to characterize threat differently. We also explain work that models supply chains or 'transfer pathways' as networks and applies principles of reliability engineering and network science to characterize vulnerability differently. Next, we explain work to incorporate CIKR resilience and exceedence probability measurement techniques to characterize consequence differently. Finally, we conclude with implications of how CIKR risk may be treated. We anchor our exposition of these contributions with various terms from the DHS Risk Lexicon. Also, we present these ideas within a framework of three 'attack paradigms': direct attacks against a single CIKR with the intent to destroy just that target, direct attacks against a single CIKR with the intent to disrupt a system of infrastructure, and exploiting CIKR to move a weapon of mass destruction (WMD) through the global commons to its ultimate destination."

"This document describes the Vulnerabilities Equities Policy and Process for departments and agencies of the United States Government (USG) to balance equities and make determinations regarding disclosure or restriction when the USG obtains knowledge of newly discovered and not publicly known vulnerabilities in information systems and technologies. The primary focus of this policy is to prioritize the public's interest in cybersecurity and to protect core Internet infrastructure, information systems, critical infrastructure systems, and the U.S. economy through the disclosure of vulnerabilities discovered by the USG, absent a demonstrable, overriding interest in the use of the vulnerability for lawful intelligence, law enforcement, or national security purposes."