Strengthening Critical Infrastructure Resilience by Identifying and Redressing Recurring Gaps and Systemic Barriers

STRENGTHENING CRITICAL INFRASTRUCTURE RESILIENCE BY IDENTIFYING AND REDRESSING RECURRING GAPS AND SYSTEMIC BARRIERS:

LESSONS FROM A CROSS-CASE ANALYSIS AND SYNTHESIS OF THE U.S. DEPARTMENT OF HOMELAND SECURITY REGIONAL RESILIENCY ASSESSMENT PROGRAM

A dissertation presented

Russell E. Bowman

to The School of Public Policy and Urban Affairs

In partial fulfillment of the requirements for the degree of Doctor of Philosophy

in the field of

Law and Public Policy

Northeastern University Boston, Massachusetts April, 2016

STRENGTHENING CRITICAL INFRASTRUCTURE RESILIENCE BY IDENTIFYING AND REDRESSING RECURRING GAPS AND SYSTEMIC BARRIERS:

LESSONS FROM A CROSS-CASE ANALYSIS AND SYNTHESIS OF THE U.S. DEPARTMENT OF HOMELAND SECURITY REGIONAL RESILIENCY ASSESSMENT PROGRAM

Russell E. Bowman

ABSTRACT OF DISSERTATION

Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Law and Public Policy in the College of Social Sciences and Humanities of Northeastern University April, 2016

Abstract

This dissertation explores the concept of disaster “resilience” in the context of homeland

security, in general, and critical infrastructure, in particular, as assessed at local and regional

levels. It features two related, but distinct research foci: (1) identifying and exploring recurring

“resilience gaps,” and (2) identifying and exploring systemic barriers that allow such gaps to

emerge, or to persist. It employs content analysis and cross-case synthesis of 33 in-depth case

studies generated by the Department of Homeland Security’s Regional Resiliency Assessment

Program (RRAP). In so doing, this research also explores the ability of – and challenges with

using – the concept of resilience as an operational construct for reducing “all hazards” risk and

improving homeland security more broadly.

Building on the work of those who study the resilience of communities and critical

infrastructure assets and systems, especially with respect to their interaction with the communities and larger systems within which they are situated, this dissertation validates prior research by applying similar analyses to “new” data (i.e., the RRAP case studies). In brief, the

RRAP data suggest that four recurring resilience gaps exist across many, if not most, infrastructure sectors and geographic regions. Specifically, these include: (1) a dependence on energy, aggravated by an insufficiency or complete absence of back-up power systems; (2) the fact that response and recovery plans and planning seldom include all relevant stakeholders necessary to address known hazards in a comprehensive manner; (3) the presence of numerous single or critical points of failure; and (4) a related lack of redundancy, insufficient system capacity, or both, that diminishes the resilience of many infrastructure systems.

Additionally, this dissertation’s analysis of 33 RRAP Resiliency Assessments affirms the

prevalence of five systemic barriers to improving resilience: (1) the nation continues to face

significant shortcomings in emergency response and recovery coordination efforts at the regional

and cross-regional levels; (2) there is a widespread lack of visibility or understanding of how

critical infrastructure components are inter-connected and how systems are dependent or

interdependent on one another; (3) there is a dearth of important critical infrastructure

information (beyond dependencies and interdependencies) that is available to cognizant

authorities and operators – either because they do not understand why they should seek or insist

on gaining access to information that would resolve certain “unknowns,” or because those in possession of relevant information are reluctant to share it; (4) there are insufficient incentives

(and funding, in particular) for investing in resilience; and, (5) efficiency is often valued over ensuring continuity of function.

Drawing on these findings, this work explains how there is clear benefit to adopting a systems-based, function-focused view of resilience that is hazard-agnostic. It also suggests the

importance of further study concerning the barriers that underlie resilience gaps to facilitate

broader understanding of the challenges we face, and proposes a framework for divining and

analyzing linkages between common gaps and barriers. In closing, this dissertation suggests

ways to further exploit the DHS program that is the focus of this research, the necessity of

sharing subsequent DHS Resiliency Assessments more widely, and the related need to make the

RRAP data on which the program’s assessments are based more accessible to researchers.

Acknowledgements

Like the dependencies and interdependencies noted in many of the infrastructure systems

studied in this research, this dissertation is closely intertwined with the work of many others, and

dependent on the insight and assistance of parties too numerous to mention. That said, I wish to

recognize several individuals without whom the present work would not have been possible.

First, I wish to thank Dr. Stephen Flynn, whose vision, mentorship, and longstanding

passion for improving national resilience continue to inspire my efforts. Second, I am indebted

to Dr. Matthias Ruth, Director of the School of Public Policy and Urban Affairs; and Dr. David

Alderson, Director of the Naval Postgraduate School’s Center for Infrastructure Defense; for

their patience, invaluable guidance, and timey and candid feedback throughout the research

process underlying this work. I owe a similar debt of gratitude to my colleagues at the U.S.

Coast Guard Academy whose staunch support, which included ensuring the time and space needed to think and write, enabled me to aggressively pursue this research. I also extend a

special thank you to Ms. Jamie Richards, Mr. Daniel Genua, Mr. William McNamara, Mr. Caleb

Slaton, Mr. Duane Verner, and the entire RRAP team at DHS and at Argonne National

Laboratory, on whose work the present effort builds. Finally, and most importantly, I wish to publicly thank my wife Sarah, daughter Sadie, and son Cooper, whose unfailing love and support provide the rock-solid foundation on which all else is built.

While each of the aforementioned individuals influenced this work, the views expressed herein are mine, and mine alone. They should not be construed as official, or as reflecting the views of the U.S. Coast Guard Academy, the U.S. Coast Guard, or the Department of Homeland

Security.

Table of Contents

Abstract ...... 2

Acknowledgements ...... 5

Table of Contents ...... 6

Chapter 1: Introduction - The Rise of “Resilience” ...... 7

Chapter 2: Literature Review - Defining and Assessing Resilience ...... 17

Chapter 3: Research Design and Analytical Methods ...... 54

Chapter 4: Results of RRAP Case Coding and Analysis ...... 83

Chapter 5: Conclusions, Areas for Future Research, Broader Implications ...... 135

Appendix A: Northeastern Institutional Review Board Documentation ...... 169

References ...... 173

Chapter 1

I. Introduction

Disasters – such as hurricanes and other extreme weather events, wildfires, oil and

hazardous chemical spills, pandemics, intentional acts of terrorism – are increasing in both

frequency and complexity (OECD 2003; National Academy of Sciences 2012). Superstorm

Sandy, yearly wildfires throughout California and the American Southwest, numerous recent rail

car explosions, record snowstorms, the 2014 Ebola outbreak, and the emerging Zika virus threat

immediately come to mind. As a result, crisis management, vulnerability and risk assessment,

and disaster research have deservedly received heightened political attention and intellectual

inquiry. Correspondingly, the field of disaster research has evolved substantially over the past

century.

Starting from the sociological orientation of Samuel Prince’s study of the devastating

1917 fire and explosion of the French munitions ship MONT BLANC in the Port of Halifax,

disaster research has grown to include efforts that incorporate an ever-growing variety of perspectives (Phillips 2014; Perry 2007; Scanlon 1988). These include the study of: phases of disaster (i.e., planning/preparation, prevention, mitigation, response, and recovery); hazard and agent types (natural, accidental / technical, intentional); systems theory (including studies of the built environment, physical domains, ecological systems, social networks, and the interactions among them), system complexity (including the original “Disaster Research Center typology” for organized disaster response1), and, increasingly in more recent years, the viewpoint of

1 What eventually came to be known as the Disaster Research Center (four part) typology was a simple means of classifying organized responses to disasters in terms of (1) the types of organizational entities involved (old or new), and (2) the types of tasks these entities were forced to undertake (regular or non regular) (Dynes 1970; Brouillette and Quarantelli 1971).

7 vulnerability and resilience (see generally Anderson, Kennedy, and Ressler 2007). These perspectives often utilized different meanings in different disciplines for the same terms, even within the context of just disaster research. The myriad conceptualizations of resilience, and its utilization in the context of disaster risk reduction and homeland security more broadly, are an important focus of this work.

Whatever the specific research orientation, longstanding collaboration among academics, first responders and emergency managers, as well as policymakers active in the disaster field, has led to intensive study of how humans can reduce the risk of loss posed by disasters (for a concise background, see Cutter et al. 2008). Importantly, since Dennis Mileti’s “Disasters by Design”

(1999), attention has slowly shifted toward a more proactive orientation to preparing for “all hazards,” including, most recently, terrorist attacks. Related initiatives, such as FEMA’s now- defunct “Project Impact: Building a Disaster Resistant Community,” and the subsequent efforts of the Subcommittee on Disaster Reduction (2005), further reinforced a growing disaster resilience orientation. Accordingly, today many modern disaster research initiatives involve the concept of disaster-resistant, resilient communities.

Relatedly, the tragic events of September 11, 2001 opened the door to greater use of resilience in the context of national, and later, “homeland” security. As a threshold matter, it is important to note that the term homeland security itself remains an evolving and somewhat amorphous concept. (See, e.g., Reese 2013 noting “ten years after the September 11, 2001, terrorist attacks, the U.S. government does not have a single definition for ‘homeland security’”; see also Kahan 2013; McCreight 2014) This dissertation views homeland security in terms of the five core mission areas identified by the Department of Homeland security itself: (1) prevent terrorism and enhance security, (2) secure and manage our boarders, (3) enforce and administer

our immigration laws; (4) safeguard and secure cyberspace, and (5) strengthen national

preparedness and resilience (DHS 2014b). These missions are inherently, and inextricably,

interrelated.

Importantly – and perhaps as a prescient prescription for how to address the challenge of homeland security, however construed – the 9/11 Commission dutifully noted the need to make

the country “stronger, safer, and more resilient” (National Commission on Terrorist Attacks

2004, emphasis added). As Jerome Kahan recently noted via a survey of relevant federal policy

documents since 9/11 (2015), however, the concept of resilience arguably did not “take hold” in the homeland security realm in earnest until 2007 when the Homeland Security Council issued its second National Strategy for Homeland Security. Therein, resilience was defined as the ability of a given infrastructure system to “absorb the impact of an event without losing the capacity to function,” including through the presence of redundant assets, the dispersal of key functions across multiple service providers and flexible supply chains, or “through the protection and physical survivability of key national assets and structures” (Homeland Security Coucil

2007, 28). Table 1-1, on the following page, provides a non-exhaustive list of subsequent policy innovations that together illustrate the growing incorporation of “resilience” through various aspects of homeland security policy.

With this “rise of resilience” has come a plethora of attempts to define, operationalize,

assess, and otherwise employ the concept at the community, regional, and critical infrastructure

sector-wide and individual asset levels. (Bruneau et al. 2003; Allenby and Fink 2005; Kahan,

Allen, and George 2009; Cutter, Burton, and Emrich 2010; Fisher et al. 2010; Longstaff et al.

2010; Renschler et al. 2010; Caldwell 2011; Linkov et al. 2013). Despite the growth of

resilience research, there remains little consensus on what resilience means in many specific

Table 1-1: The Rise of “Resilience” in Homeland Security Policy (adapted from Kahan 2015) Date Policy Instrument Key or New Use(s) of “Resilience” 2007 (Second) National Strategy for Mentioned the concept of resilience 14 times in the Homeland Security context of ensuring the resilience of key assets, critical infrastructure, and the economy, as well as noting the importance of ensuring “operational resilience” in the face of man-made and natural disasters. (Homeland Security Coucil 2007) 2008 DHS Strategic Plan for 2008-2012 Established the “DHS Vision” as “A secure America, a confident public, and a strong and resilient society and economy.” Also mentioned resilience six times in the context of critical infrastructure, transportation, and building “national resilience” through collaboration and partnerships (DHS 2008) 2010 National Security Strategy (NSS) The first use of “resilience” in this important policy document: “As we do everything within our power to prevent [terrorism, natural disasters, large-scale cyber attacks, and pandemics], we also recognize that we will not be able to deter or prevent every single threat. That is why we must also enhance our resilience—the ability to adapt to changing conditions and prepare for, withstand, and rapidly recover from disruption” (The White House 2010, 18). 2010 (First) Quadrennial Homeland Set forth “The Vision for Homeland Security” as: “A Security Review (QHSR) homeland that is safe, secure, and resilient against terrorism and other hazards, where American interests, aspirations, and way of life can thrive” (DHS 2010a, 4). 2010 Presidential Policy Directive 8: Set, as its goal, “strengthening the security and National Preparedness (PPD-8) resilience of the United States through systemic preparation… [for] terrorism, cyber attacks, pandemics, and catastrophic natural disasters” (The White House 2011). 2010 National Preparedness Goal Defined “success” as: “A secure and resilient Nation (NPG) with the capabilities required across the whole community to prevent, protect against, mitigate, respond to, and recover from the threats and hazards that pose the greatest risk” (DHS 2011, 1). 2012 DHS Strategic Plan for 2012-2016 Reinforced, as a key component of its “Department Mission,” “ensur[ing] resilience from disasters” (DHS 2012, 27). 2013 Presidential Policy Directive 21: (Re)defined resilience as the “ability to prepare for and Critical Infrastructure Security and adapt to changing conditions and withstand and recover Resilience (PPD-21) rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents” (The White House 2013). 2014 (Second) QHSR Explained how national preparedness (a capacity) increases security and resilience (the desired outcome) (DHS 2014b, 72).

10 contexts, or how best to measure it (NIAC 2009; HSAC 2011; National Academy of Sciences

2012). Importantly for present purposes, few, if any, studies have attempted to synthesize the data already gathered by those who have made initial efforts to assess the resilience of communities and infrastructure. Moreover, few researchers have attempted to formally study the barriers to overcoming the resilience gaps such efforts have identified (but see Flynn 2015).

This dissertation seeks to fill these voids via two areas of inquiry, which constitute the two “focus areas” of this research. The first area of focus advances the work of the scholars who have developed initial analytic frameworks for evaluating the resilience of infrastructure assets and sectors, as well as communities and regions more broadly. Rather than developing and deploying new definitions, frameworks, and metrics – as has been the focus of much resilience research to date – this work takes a more inductive approach by conducting a comprehensive content (secondary) analysis of existing data. Specifically, it utilizes the in-depth case studies generated by the Department of Homeland Security’s Regional Resiliency Assessment Program

(RRAP).

According to DHS’s own description, the RRAP is

a voluntary, non-regulatory interagency assessment of critical infrastructure resiliency in a designated geographic region. Each year, the [National Protection and Programs Directorate’s (NPPD) Office of Infrastructure Protection (IP)], with input and guidance from Federal and State partners, selects several RRAPs focusing on specific infrastructure sectors within defined geographic areas and addresses all-hazard threats that could result in regionally and/or nationally significant consequences (DHS 2014c).

As of the start of the present research, DHS had completed 33 RRAP reports. Figure 1-1, on the following page, illustrates the geographic scope of this ongoing initiative. (Each dot - or date - represents a separate study. The line along the Southeast and Mid-Atlantic regions represents a

RRAP study of two inter-connected petroleum pipeline systems spanning 13 states. Resiliency assessment projects for which reports were not finalized or available at the inception of this

11 research are included in this depiction.) By taking a “step back” to analyze this existing, but largely underutilized source of information, this effort identifies and explores cross-case insights that can be used to improve theories of resilience, and measurement thereof, for application in the homeland security policy realm.

Figure 1-1: DHS Regional Resiliency Assessment Projects (through FY 2014)

Source: Department of Homeland Security

The second aspect of this research involves analyzing the same underlying data for a separate, but closely related purpose. Few individuals, companies, or communities profess a desire to be vulnerable or brittle. Yet, resilience “gaps” persist. This dissertation explores this disconnect by building on the recent work of Northeastern University’s Center for Resilience

Studies (the Center) to identify and understand recurring barriers to resilience.

Based on the Center’s work to date, these include challenges arising from (1) the failure

to recognize how unprepared we are to handle foreseeable risk or to handle uncertainties; (2) the

lack of a widely accepted construct for resilience itself, or a means of measuring it; (3) the lack

of policy incentives, as well as the current presence of actual policy-based dis-incentives, for resilience investment and improvement; and (4) impediments created by federalism and governance structures that are often misaligned with the infrastructure and regional communities that they seek to govern. This work attempts to validate and refine this aspect of resilience theory with empirical evidence from a larger, more diverse set of case data (i.e., the RRAP reports) than has been considered previously.

II. Objectives and Significance

The aforementioned research foci address two specific objectives: (1) Identify and better

understanding any recurring empirical resilience gaps that may exist within and across lifeline critical infrastructure sectors and geographic regions. (2) Identify and better understand any recurring empirical barriers to improving regional, and ultimately national, resilience.

Additionally, the overarching objective of this work is to further develop existing theories of

resilience. Specifically, this efforts seeks to facilitate a more complete understanding of the ability of – and challenges with using – the concept of resilience as an operational construct for reducing “all hazards” risk and improving homeland security more broadly.

In targeting these objectives, this effort is intended to contribute to the growing body of

resilience-related research. The core of this work is a cross-case qualitative analysis and

synthesis of data drawn from the Department of Homeland Security’s RRAP reports, heretofore

unutilized in academic research. The RRAP reports and their underlying data have been made

available – but have been largely limited – to the state, local, and private entities that participated

13 in each unique RRAP study. This dissertation involves a comprehensive content analysis of the

33 reports available at the start of this effort. By synthesizing and exploring resilience gaps and success stories in and across regions and lifeline infrastructure sectors that have been studied in the RRAP process from a pre-event (as opposed to the more common post-disaster) perspective, this research is designed to expand knowledge in the developing field of security and resilience studies. Additional academic disciplines that stand to benefit from my work include, but are not limited to: political science, public administration, public policy studies, behavioral economics, organizational decision-making, resilience studies, disaster sociology, security studies, and disaster and crisis management.

III. Key Concepts

This dissertation defines the following terms as indicated below.

Disaster Resilience: “The ability [of an entity, whether an individual asset, organization, community, region, or government] to prepare and plan for, absorb, recover from, or more successfully adapt to actual or potential adverse events” (National Academy of Sciences 2012,

16).

Critical Infrastructure: “Systems and assets, whether physical or virtual, so vital to the

United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters” 42 U.S.C. § 5195(c)(2).

Lifeline (critical infrastructure) Sectors: Those infrastructure sectors that provide the so- called “lifeline” functions of communications, energy (including electricity and fuel), transportation, and water (including wastewater) (DHS 2013).

Resilience Gaps: Observable conditions – often resulting from a lack of sufficient authority, capability, competency, capacity, partnerships, or a combination thereof – that impair an asset’s, organization’s, community’s, region’s, or government’s ability to prepare and plan for, absorb, recover from, or more successfully adapt to actual or potential adverse events.

Resilience gaps by definition are solvable; they can be mitigated or eliminated by undertaking resilience enhancement measures. [It is important to note, however, that the complexity and interdependencies of the nested systems frequently at issue are such that resilience

“improvements” for one asset or sector may negatively affect other components or systems (see also, Woods 2015 noting that “expanding a system’s ability to handle some additional perturbations [often] increases the system’s vulnerability in other ways to other kinds of events”).]

Barriers to Resilience: Systemic factors (e.g., governance structures, a lack of adequate policy-based incentives for improvement, the limitations of individual and group decision- making) that inhibit individuals, organizations, communities, or governments from effectively addressing resilience gaps.

Dependency: “The one-directional reliance of an asset, system, network, or collection thereof, within or across sectors, on input, interaction, or other requirement from other sources in order to function properly” (DHS 2013, 30).

Interdependency: A “mutually reliant relationship between entities (objects, individuals, or groups); the degree of interdependency does not need to be equal in both directions (DHS

2013, 31)

IV. Research Questions and Initial Hypothesis

With these objectives and definitions in mind, this effort addresses the following specific

research questions:

I. What, if any, recurring “resilience gaps” exist within and across geographic regions, and

critical infrastructure sectors?

II. To what extent and how do these gaps differ across regions, and sectors?

III. Are there any recurring, observable barriers to addressing these gaps (i.e., to improving

regional, and ultimately national, resilience)? If so, what are they?

IV. To what extent do the presence and significance of these barriers differ across geographic

regions and critical infrastructure sectors?

V. Format

The balance of this dissertation proceeds as follows. Chapter 2 considers the “rise of

resilience” in the context of homeland security and critical infrastructure, and then reviews the literatures for each focus area of this study, building upon the context set forth above. Chapter 3 provides an overview of the RRAP projects and data, and explains the underlying processes and analytic techniques used in their creation. This chapter also includes a full explication of the methodology followed in this adaptive, inductive/deductive research approach. Chapter 4 presents the analysis and ultimate findings for both focus areas of the multi-case study and cross cases synthesis. Finally, Chapter 5 provides summative conclusions, reviews the study’s limitations, discusses the broader implications of its results, and suggests ways to further this research.

Chapter 2

As this study involves two research emphases concerning distinct aspects of the disaster

resilience of critical infrastructure – recurring resilience “gaps” within and among infrastructure

assets, sectors, and regions; and persistent barriers to overcoming them – this chapter provides

overviews of relevant literatures in separate sections as they relate to each focus area. As a

preliminary matter, though, it explores the evolution of the concept of resilience – and disaster

resilience, in particular – to provide the larger context and emerging theory within which this

effort is situated. Accordingly, the first of this chapter’s three major sections reviews the evolution and application of resilience as a construct. The purpose in doing so is not to debate alternative definitions of resilience. Rather, this section presents diverse definitions and perspectives to provide an appreciation for the breadth of the concept as a prelude to discussing how and why it is used in this study. As Longstaff et al. aptly note, “[w]hile there is still much to debate about how to draft precise definitions of resilience and its attributes, and how to operationalize and apply resilience concepts within each discipline, overlap in the research of each discipline is significant enough to be instructive as to what makes systems resilient”

(Longstaff et al. 2010, 1–2; as cited in Kahan 2015).

I. The Rise of “Resilience” as a Homeland Security Imperative: The Challenge of Multiple, Conflicting Definitions

The concept of “resilience” is not new. Indeed, the idea has been incorporated and

operationalized into an ever-increasing number of fields of study and policy domains over at

least the past 50+ years (Martin-Breen and Anderies 2011). Unfortunately, mounting use of the

term variously as a theoretical construct, capability, or strategy across myriad disciplines (see

Norris et al. 2007), has brought with it confusion and debate about its meaning and usefulness in specific contexts, including those of disaster risk reduction and homeland security (Kahan 2015).

Perhaps the only aspect of resilience growing faster than this diversity of definitions is the

number of ways these varied conceptualizations can be catalogued. Such definitional typologies

are themselves instructive for present purposes to the extent that they illuminate the myriad

potential applications and aspects of resilience. Accordingly, the section that follows discusses

three such classification schemes: one based on definitions arising from within distinct

disciplinary fields of study, one developed from disaster and hazards research, and a final

scheme tied to homeland security in particular. The two sections thereafter present important

perspectives on resilience drawn from separate but related literatures: resilience engineering (i.e.,

safety management systems) and organizational and supply chain management as it relates to the

continuity of business operations.

A. Three Definitional Typologies of Resilience

1. Definitions from Disciplines

In a thoroughgoing literature Table 2-1: Martin-Breen and Anderies’s Frameworks of Resilience review conducted for the Rockefeller Framework Source Discipline Key Definitional Aspect(s) Engineering Engineering Bouncing back faster after Foundation, Martin-Breen and Resilience stress, enduring greater stresses, and being disturbed less by a given Anderies (2011) suggest that the amount of stress. Systems Economics Maintaining system concept of resilience has developed, Resilience (among others) function in the event of a disturbance. and can be roughly classified, in three Complex Ecology The ability to withstand, Adaptive recover from, and Systems reorganize in response to (arguably overlapping) frameworks of Resilience crises. increasing complexity, each growing out of separate disciplinary traditions and differing units of analysis: (1) Engineering Resilience, (2) Systems Resilience, and (3) Resilience in Complex

Adaptive Systems. In their engineering conceptualization, resilience is viewed as it relates to a specific asset or entity, and associated definitions variously capture the notion of “bouncing back

faster after stress, enduring greater stresses, and being disturbed less by a given amount of

stress” (Martin-Breen and Anderies 2011, 5). Systems resilience – which is related to the idea of

“robustness” as used in economics, and necessarily considers a larger array of forces –

encompasses definitions that center on “maintaining system function in the event of a

disturbance” (Ibid. 2011, 7). Martin-Breen and Anderies’s third and final framework, Complex

Adaptive Systems Resilience, is grounded in the ecological tradition where resilience is best viewed through a “system of systems” perspective in which definitions incorporate the “the

ability to withstand, recover from, and reorganize in response to crises. Function is maintained,

but system structure may not be.” (Ibid., 7). Importantly, these frameworks can be, and have been, applied across myriad disciplines, regardless of their respective origins. As discussed further below, the RRAP reports that serve as the primary source of data for this effort consider the concept of resilience from both individual asset and larger systems perspectives.

Accordingly, the differences highlighted in this definitional framework are relevant for present purposes. Ultimately, this dissertation adopts and employs a definition of resilience that

incorporates aspects of resilience from all three frameworks.

2. Definitions from a Disaster (Risk Reduction) Perspective

While Martin-Breen and Anderies’ work attempts to order definitions based on differing

scales of analysis, levels of complexity, and disciplinary perspectives; others have attempted to

structure and harmonize definitions of resilience by specific (albeit, often inter-disciplinary)

fields of study. Disaster research is an important case in point.

Unfortunately, a recent focus on resilience as a form of disaster risk reduction has not led

to agreement on what resilience means in this context. In a recent review of resilience theory

and application, the Decision and Information Sciences Division of Argonne National

Laboratory (Argonne) noted a “clear break in opinion concerning how resilience should be defined” that centers on whether it is appropriate to focus on what comes after a disaster or other disruptive event, or to include components and determinants of resilience that are also applicable

“left of boom” in the traditional phases of the disaster timeline (Carlson et al. 2012). In some sense, intense study of, and resilience definitions skewed toward, post-event response and recovery operations should not be surprising. Disasters and other unexpected, high-impact events are often referred to in political science and public policy circles as “focusing events”

(Birkland 2011; 2006; see also Kingdon 2011); so labeled for their ability to generate intense interest and action among a broad array of stakeholders and policy actors (Birkland 1997). This phenomena ultimately affects researchers as well, who must often follow the interests of those providing the funding necessary to conduct research. Regardless, Table 2-2, on the following page, provides an illustrative list of disaster resilience definitions sorted by Argonne according to this scheme.

While much of the disaster-related resilience research has been based on post-event disaster case studies (see., e.g., NIAC 2009; HSAC 2011; National Academy of Sciences 2012; but see Cutter, Burton, and Emrich 2010; Bruneau et al. 2003), the present effort incorporates data from in-depth case studies assessing resilience in a more holistic, “all hazards” sense, each gathered over a period of roughly one year, and independent of any specific adverse event(s).

Accordingly, in the current context at the very least, it is appropriate to utilize a conceptualization of resilience that contemplates activities in both anticipation of, and in response to, adverse events.

Table 2-2: Argonne’s Disaster-Related Temporal-Focus Definition Dichotomy

Resilience Definitions That Include Only Resilience Definitions That Include Both “After Event” Components “Before” and “After Event” Components

“[T]he capacity of a system to absorb disturbance, “[T]he ability to minimize the costs of a disaster, to return undergo change, and retain essentially the same to a state as good as or better than the status quo ante, and function, structure, identity and feedbacks” to do so in the shortest feasible time… Resistance is used to (Longstaff et al. 2010). mean the ability to withstand a hazard without suffering much harm. Resilience … include[s] resistance but … also “[A] process linking a set of adaptive capacities to include[s] the ability to recover after suffering harm from a a positive trajectory of functioning and adaptation hazard” (Gilbert 2010). after a disturbance…” (Norris et al. 2007). “[T]he aggregate result of achieving specific objectives in “The capacity of a system to survive, adapt and regard to critical systems and their key functions, following grow in the face of change and uncertainty” (Fiksel a set of principles that can guide the application of practical 2006). ways and means across the full spectrum of homeland “[T]he capacity of a system to maintain its function security missions… The objectives (or end states) of and structure in the face of internal and external resilience … are resistance, absorption, and restoration” change and to degrade gracefully when it must” (Kahan, Allen, and George 2009). (Allenby and Fink 2005). “[T]he ability to adjust to ‘normal’ or anticipated stresses “The ability of system to absorb changes… and and strains and to adapt to sudden shocks and extraordinary still persist” (Holling 1973). demands. In the context of hazards, the concept spans both pre-event measures that seek to prevent disaster-related damage and post-event strategies designed to cope with and minimize disaster impacts” (Tierney 2003)

3. Definitions by Homeland Security Domain

A third definitional typology that is informative for present purposes is one based on applications of resilience to different homeland security domains. As the concept of resilience has slowly permeated the homeland security enterprise – largely driven from the top down by the aforementioned policy instruments – its definition has been altered to better “fit” different areas.

Leaving aside continued disagreement on what exactly these domains (or, alternatively,

“subsystems”) can and should entail – different attempts to measure resilience have utilized divergent categorizations in doing so; several such approaches are discussed further below –

Kahan proposes a set of five areas within the homeland security arena to which resilience has been routinely applied: individuals, infrastructure, institutions (including governance), ecosystems, and communities. Table 2-3 provides representative definitions for each.

Table 2-3: Definitions of Resilience by Kahan’s Homeland Security-Related Domain Domain Definition

Individuals The capacity of [individuals who experience stressful conditions] to withstand such experiences and recover as rapidly as feasible to a state of personal well- being and social and professional functioning. (Kahan 2015; citing Torens Resilience Institute 2015)

Infrastructure Technical and structural improvements that enable “hard” systems to withstand adverse events without functional failure and rapidly return to a level of acceptable functionality (Kahan 2015; citing Flynn 2004).

Institutions [The capacity to ensure] continuity of operations and flexibility. (Kahan 2015; citing Sheffi 2007)

Ecosystems The capacity to adapt and change to different configurations within its inherent “state of being.” (Kahan 2015; citing Gunderson, Allen, and Holling 2009)

Communities The overall ability of a community to withstand threats and hazards, continue to function, and return to a state of well-being. (Kahan 2015; citing Cutter, Burton, and Emrich 2010; Longstaff et al. 2010)

Although the RRAP reports and case studies on which this research effort is based center on assessments of (1) “clusters”, or individual pieces, of critical infrastructure, (2) their interdependencies with other infrastructure sectors and, to a slightly lesser extent, (3) their interaction with the larger communities or regions within which they are located, this work adopts the conceptualization of resilience, proposed by the National Academy of Sciences (NAS), that is potentially broad enough to apply to all homeland security domains (whether Kahan’s proposed set or another formulation), all phases of the traditional disaster timeline (i.e., planning/preparation, prevention, mitigation, response, and recovery), and all levels of analysis and complexity (individual asset, systems, or whole-community complex adaptive systems).

Thus, for this work, resilience is construed as: “the ability [of an entity, whether an individual asset, organization, community, region, or government] to prepare and plan for, absorb, recover from, or more successfully adapt to actual or potential adverse events” (National

Academy of Sciences 2012, 16). This definition is consistent with that used by the international

disaster policy community (UNISDR 2011; as cited in National Academy of Sciences 2012), and

most recent federal policy documents, including Presidential Policy Directives (PPD) 8 –

National Preparedness (2011) and PPD 21 – Critical Infrastructure Security and Resilience

(2013).

At the same time, there is an argument that such a broad definition enables individuals and organizations to classify whatever they wish as resilience and, potentially, to talk past one another in doing so – a consideration this dissertation addresses later on. As suggested above, an

overarching objective of this effort is to assess the usefulness of this, or any, conceptualization of

resilience through study of the data utilized herein. Two other perspectives on resilience

thinking are particularly useful to this end: Resilience Engineering and supply chain management

(as contemplated in terms of the continuity of business operations more broadly). It is to these

separate but related literatures to which this dissertation now turns for additional useful

background.

B. The Resilience Engineering Perspective

Resilience Engineering represents an evolution from more traditional thinking about

incidents and accidents that focused on linear causal chains – such as the so-called Domino

model of failure (Heinrich 1931; see also Heinrich, Petersen, and Roos 1980) – and the study of

“latent conditions” that must align like the holes in a block of Swiss cheese (Reason 1990) for

systems to fail. Resilience Engineering, instead, adopts the view that failure arises from a

system’s temporary inability to cope (i.e., adapt) to real world complexity (Woods et al. 2010,

83; Hollnagel, Woods, and Leveson 2006). Viewed from this perspective, resilience is a

system’s or organization’s collective, dynamic ability (1) to know what types of disruptions to

look for (i.e., the ability to anticipate), (2) to know what functions are critical, (3) to know how

to respond to disruptions (to ensure continuity of system function), and (4) the ability to learn

from and adapt to the unexpected (Woods et al. 2010, 93). Importantly, resilience in this

conceptualization is not a characteristic a system “has,” but something it “does” (Hollnagel,

Woods, and Leveson 2006, 347).

To better understand how the Resilience Engineering perspective differs from other

conceptualizations already discussed, it is useful to consider Woods’s explanation of how

resilience – as a label used by “multiple observers from different disciplines” – can be thought of

as coming from one of four core “conceptual perspectives” (Woods 2015, 5). Research

undertaken from the last two of the following four approaches align better with the Resilience

Engineering view than those that precede them. The first of Wood’s fours core perspectives

views resilience as how systems rebound from disruption. Research undertaken from this

standpoint has focused on the capabilities and resources that enabled a given system to

successfully “bounce back” from some event (Woods 2015; citing Finkel 2011). The risk of this

approach, according to the Resilience Engineering view, is its over reliance on evaluating past

performance to predict adaptive capacity to future, potentially uncertain events (Woods 2015, 6).

A second core perspective essentially equates resilience with robustness: “an increased

ability to absorb perturbations” (Woods 2015, 6). Thus, under this view, a system becomes more

robust when it is able to handle a larger array of potential disruptions. Work in this area, such as

with robust control systems, however, is largely limited to where the disturbance in question is,

known, well defined, and well understood (Woods 2015, 7). The Resilience Engineering

literature, in contrast, views an adaptive capacity to cope with surprising unknowns as a key

component of resilience, which are not contemplated by the resilience-as-robustness perspective.

Another flaw of the robustness perspective is that does not adequately address the possibility that

24 increasing the ability to absorb some disruptions may simultaneously make that system more vulnerable to other types of attacks or events (Hollnagel, Woods, and Leveson 2007, 8).

A third core conceptualization of resilience, according to Woods, is resilience as

“graceful extensibility” (a play on the more familiar “graceful degradation”), which he defines to mean “how a system performs at or near its boundary” (2015, 7). The ability to avoid cascading or abrupt failure (i.e., to resist being “brittle” at the designed limits of a system), especially in the face of new and evolving threats and disruptions, is the essence of this perspective. This conceptualization embodies the Resilience Engineering approach, as it is focuses on a given system’s ability to predict, adapt, and learn from the unanticipated.

Relatedly, a fourth core conceptualization of resilience involves inquiry into the ability of complex “layered networks” to manage and regulate their respective and collective adaptive capacities (Woods 2015, 8). Research in this area seeks to divine common “architectures for sustained adaptability” (Ibid.). As with the “resilience as graceful extensibility” perspective, this newer line of inquiry is well aligned with the Resilience Engineering field; both seek to find systems that ensure continuity of function – at least some critical or core function – over long timelines and multiple iterations of change (Ibid.).

Additionally, it is important to note that in the Resilience Engineering literature, the concept of resilience involves the ability to recognize and mange an inherent tension between production (i.e., efficiency) pressures and the underlying need for safety (Woods et al. 2010, 95).

This perspective thus expressly incorporates a business mindset through consideration of market forces, which other resilience paradigms consider less directly, if at all.

C. Supply Chain Management and the Continuity of (Business) Operations

The consideration and use of resilience in business is not, of course, limited to the safety perspective of Resilience Engineering. Indeed, resilience, however defined, has been an increasingly “hot topic” among top business executives for over a decade (Coutu 2002). A series of articles in the Harvard Business Review, for example, has attempted to explain “What

Resilience Means, and Why it Matters,” (Ovans 2015); “Why Resilience is so Hard” (Snyder

2011); and why when “Surprises Are the New Normal; Resilience Is the New Skill,” (Kanter

2013). These articles, and many others like them (see, e.g., Gallardo 2013), variously propose organizational, management, and leadership attributes of companies, and their executives, that enable them to strive in the face of disruptions. As Coutu notes, the rise of resilience in business circles has given birth to a new area of specialization for consulting firms; one built on the belief that “[m]ore than education, more than experience, more than training, a person’s [or organization’s] level of resilience will determine who succeeds and who fails” (Coutu 2002 quoting Dean Becker, president and CEO of Adaptiv Learning Systems).

Relatedly, increasingly globalized supply chains, specialized factories, centralized distribution, increased reliance on outsourcing, reduced supplier bases, greater volatility in demand, and related technological innovations throughout many, if not most, commercial enterprises has driven increased attention to logistics, in general, and supply chains in particular

(Pettit, Fiksel, and Croxton 2010, 2; citing Cranfield University 2002). Definitions of what constitutes a “supply chain” vary, but one broad conceptualization characterizes it as “the network of companies involved in the upstream and downstream flows of products, services, finances, and information from the initial supplier to the ultimate customer” (Pettit, Fiksel, and

Croxton 2010; citing Christopher 2011; Lambert, García-Dastugue, and Croxton 2005; and

Mentzer et al. 2001). The field of supply chain management, for its part, typically applies traditional risk management processes – the steps of which typically include hazard identification, risk assessment, selection of appropriate risk management strategies, implementation, and review (see Manuj and Mentzer 2008; Pettit, Fiksel, and Croxton 2010, 4–

5) – for dealing with uncertainty as its relates the logistics activities of these supply chains

(Ponomarov and Holcomb 2009, 130).

Achieving resilience to supply chain disruptions (see generally, Sheffi 2007) – and

through it, a competitive business advantage – has come to be viewed as the desired end-state; a

higher priority than simply better managing risk (Christopher and Peck 2004). In this context,

resilience has been thought of as “the adaptive capability of the supply chain to prepare for

unexpected events, respond to disruptions, and recover from them by maintaining continuity of

operations at the desired level of connectedness and control over structure and function”

(Ponomarov and Holcomb 2009, 131). There is clear overlap between the theories of resilience

being advanced in the Resilience Engineering and Supply Chain Management literatures, and

with the broader conceptualization of resilience advanced by the National Academy of Sciences

with respect to disaster risk reduction. Importantly, perhaps owing to their inherent

consideration of underlying market forces, the Resilience Engineering and supply chain

perspectives provide a focus on (continuity of) function that is less prominent in many other

literatures. The importance of function as a cornerstone of resilience is a theme to which this

dissertation will return.

II. Identifying and Exploring Recurring Resilience Gaps: Frameworks for Assessing and Measuring2 Resilience

Utilizing the aforementioned conceptualizations of resilience as background, this

dissertation’s first area of focus seeks to develop a better understanding of any potentially recurring empirical resilience gaps across the United States. As with the numerous efforts to

define resilience, there have been various academic attempts to operationalize it into a

measurable form. The following section details key aspects of several such initiatives

undertaken from either a whole-community or more critical infrastructure focused perspective:3

(1) Longstaff et al.’s “Building Resilient Communities: Preliminary Framework for Assessment”

(2010); (2) Cutter, Burton, and Emrich’s “Disaster Resilience Indicators for Benchmarking

Baseline Conditions” (2010); (3) Linkov et al.’s “Measureable Resilience for Actionable Policy”

(2013); (4) the Community and Regional Resilience Institute’s (CARRI) “Community Resilience

System Initiative” (2011; 2013) (5) Bruneau et al.’s “Framework to Quantitatively Assess and

Enhance the Seismic Resilience of Communities” (2003); (6) Argonne National Laboratory’s

“Resilience Index” for DHS’s Enhanced Critical Infrastructure Protection Program (ECIP)

(Fisher et al. 2010); (7) the definitions and resilience assessment techniques that come from the risk management community, with particular attention to the work of Haimes (2006; 2009;

2011); and (8) Alderson, Brown and Carlyle’s Operational Models (using network interdiction) of Infrastructure Resilience (2015; 2014; 2013). Additionally, while not an assessment regime,

2 The term assessment is used here to refer to qualitative efforts, while measurement is used to refer to more quantitative analyses, understanding that at some level this is a false dichotomy. 3 Efforts to study ecological resilience are a critical component of any holistic assessment of a community or region. Most conceptualizations of community resilience include ecology or the natural environmental as a key domain or subsystem. Such resilience, however, is beyond the scope of this study, as it was for all of the studies and data from which this effort will draw (see, e.g., Cutter, Burton, and Emrich 2010; purposely excluding ecological resilience for data inconsistency and lack of appropriate proxies for large and diverse areas).

per se, Flynn’s recent work (2015) on bolstering infrastructure resilience is important in this

context.

Importantly, it is not the intent of this research to replicate any of these frameworks or

assessment techniques. As described further in the next chapter, this dissertation utilizes an

approach and coding scheme that is both inductive and deductive to better understand resilience

gaps, and the theory of resilience (in a homeland security context) itself. The components,

domains, and subsystems of resilience; along with the indicators and operational variables

proposed and utilized in the following studies inform that process.

Longstaff et al.’s work is premised on the idea that resilience – at a community level – is a function of resource robustness and adaptive capacity (2003, 5). Resource robustness, in turn,

is comprised of resource performance (“the level of capacity or quality at which an element or

element of a system performs an essential role”); diversity (“the different types of available

resources that perform a particular function”); and redundancy (“a quantifiable measure, or

count, of a single resource type that performs a specific function”) (2003, 5–6). Adaptive

capacity, on the other hand, is conceived of as a function of institutional memory (“the

accumulated shared experience and local knowledge of a group of people”); innovative learning

(“the ability of the group to use its information and experience to create novel adaptations to

environmental changes”); and connectedness (the internal and external links among (informal)

social and (formal) organization networks that “contribute to a community system’s ability to

exchange, store, and recall knowledge, and take collective action”) (2010, 7–8). Further, under

this proposed approach, resilience is assessed by evaluating the above elements across each of

five community subsystems: ecological, economic, civil society, governance, and physical

infrastructure (Ibid.).

Cutter, Burton, and Emrich (2010) provide a more quantitative take on evaluating community resilience. In their widely cited article, they argue that composite indicators that utilize existing governmental data can provide a useful approach for comparative analysis of resilience at the county government community level. Their framework is based on the proposition that disaster resilience is composed of social resilience, economic resilience,

institutional resilience (including governance), infrastructure resilience, and community capital

(the last of which they view as roughly analogous to the concept of social capital) (Ibid.).

These components are roughly equivalent, but not identical, to Longstaff et al.’s domains.

For each of these major components, the authors provide sub-components and corresponding

measurement variables. Infrastructure resilience, for example, is assessed in terms of the sub-

components, measures, and data sources noted in Table 2-4, below.

Linkov et al. Table 2-4: Cutter, Burton, and Emrich’s components alternatively suggest that and measurement variables for infrastructure resilience. Subcomponents Measure (Variable) Data Source resilience is more usefully Housing type Percent housing units that U.S. Census 2000 are not mobile homes. measured (at least, for the Shelter capacity Percent vacant rental units U.S. Census 2000 purposes of making practical, Medical capacity Number of hospital beds American Hospital per 10,000 populations Directory policy-based improvement Access / evacuation Principle arterial miles per GIS derived from potential square mile National Atlat.gov decisions) across the four Housing age Percent housing units not City and Country build before 1970 and after Databook 2007 functions of resilience inherent 1994 Sheltering needs Number of hotels/motels County Business in the NAS definition discussed per square miles Patterns (NAICS) 2006 above: (1) planning and Recovery Number of public schools Gnis.usgs.gov per square mile preparation, (2) absorption, (3)

recovery, and (4) adaptation (Linkov et al. 2013). Other measurement approaches, the authors

argue, fail to consider both the management aspects of resilience contained in the planning and

adaptation functions of the definition, and the performance dimensions represented by absorption

and recovery (Ibid.) Moreover, in a departure from the above two approaches, Linkov et al.

argue that military theory – the doctrine of Network Centric Warfare, in particular – provides an

appropriate suite of domains in which resilience should be assessed. Specifically, they propose a

matrix in which resilience functions are considered across physical (i.e., “sensors, facilities,

system states, and capabilities”), information (i.e., the “creation, manipulation, and storage of

data”), cognitive (“understanding, mental models, preconceptions, biases, and values”), and

social domains. Specific metrics, they contend, should be developed for each of the 16 cells of

the resulting 4x4 assessment matrix (Ibid.). Others have adapted this framework to specific

infrastructure sectors, including the cyber domain (see e.g., Linkov and Seager 2011).

Building on a variety of efforts such as those listed above, in 2010 the Community and

Regional Resilience Institute (CARRI) – at the time a component of the Oak Ridge National

Laboratory – undertook a comprehensive initiative to build a Community Resilience System

(CRS) that would provide “a concrete course of action [to] support communities in … resilience-

building efforts” (CARRI 2011, viii). The resulting six-stage, web-enabled process was designed so that communities could define and self-assess their respective levels of resilience, and then collectively identify and set appropriate resilience improvements goals. The CRS is based, at its core, on a consideration of assets, threats, gaps, and opportunities across each of 31 core community functions (i.e., the “services and qualities that collectively define a community”), which can be divided into four major functional domains: infrastructure,

economic, social, and cross-cutting (CARRI 2011, 13, 71).

Notably, each of the four foregoing resilience assessment and measurement approaches

include physical infrastructure in some form. The following resilience measurement regimes

focus more on this one aspect, while acknowledging that infrastructure resilience is inextricable

interconnected with community resilience, and vice versa.

Bruneau et al. conceptualize physical and social systems resilience through four “R’s”:

• Robustness (“strength, of the ability of elements, systems, and other units of analysis to

withstand a given level of stress or demand without suffering degradation or loss”);

• Redundancy (“the extent to which elements, systems, or other units of analysis exist that are

substitutable, i.e., capable of satisfying functional requirements in event of disruption,

degradation, or loss of functionality”);

• Resourcefulness (“the capacity to identify problems, establish priorities, and mobilize

resources when conditions exist that threaten to disrupt some element, system, or other unit

of analysis”); and

• Rapidity (“the capacity to meet priorities and achieve goals in a timely manner in order to

contain losses and avoid future disruption”) (2003, 737–78)

Under their admittedly earthquake-focused, engineering-centric conceptualization of community resilience, the “four R’s” are viewed across what have come to be called the “TOSE” dimensions: technical, organization, social, and economic (Ibid., 738). The technical dimension

“refers to the ability of physical systems (including components, their interconnections and interactions, and entire systems) to perform to acceptable/desired levels” (Ibid.). The organizational dimension is “the capacity of organizations … to make decisions and take actions that contribute to achieving …[ the four R’s outlined above] (Ibid.). The social component includes “measures specifically designed to lessen the extent to which … communities and

32 governmental jurisdictions suffer negative consequences due to the loss of critical services”

(Ibid.). Finally, Bruneau et al.’s economic dimension encompasses “the capacity to reduce both direct and indirect economic losses resulting from [adverse events]” (Ibid.).

In an approach similar to Bruneau et al.’s work, but intended for application across a broader range of hazards, Argonne National Laboratory developed a Resilience Index to guide comparative assessment of critical infrastructure assets that are part of the DHS’s Enhanced

Critical Infrastructure Protection Program (ECIP). (DHS describes the ECIP program as “a voluntary assessment that includes (1) outreach, which establishes or enhances [the

Department’s] relationship with critical infrastructure owners and operators and informs them of their facilities’ importance and need for vigilance; and (2) security surveys, which are conducted by DHS protective security advisors (PSAs) to assess the overall security and resilience of the nation’s most critical infrastructure sites.” (DHS 2014d). ECIP is an asset-focused initiative that is distinct from the broader RRAP effort at the heart of the present study. ECIP results, however, form an important part of the RRAP case studies as I explain in Chapter 3.)

Based in large part on the recommendations of the National Infrastructure Advisory

Counsel (NIAC 2009), Argonne’s Resilience Index is derived from measures across three key components of resilience [which incorporate two of Bruneua et al.’s four R’s of resilience]: robustness, resourcefulness, and rapid recovery. In the Resilience Index, robustness is defined as

“the ability to maintain critical operations and functions in the face of crisis” (Fisher et al. 2010,

6). Resourcefulness is taken to stand for the ability of those responsible for a given infrastructure asset “to skillfully prepare for, respond to, and mange a crisis or disruption as it unfolds” (Ibid). Rapid recovery is “the ability to return to and/or reconstitute normal operations as quickly and efficiently as possible after a disruption” (Ibid.)

Bruneau et al., separate robustness, recovery, and resourcefulness into 3, 2, and 7 “major” resilience components, respectively, (derived from the resilience components identified by

National Infrastructure Advisory Council in its 2009 recommendations for improving infrastructure resilience), each of which is further divided, and divided again, into five increasingly granular levels of measurement (Fisher et al. 2010, 11). Procedurally, data derived from security surveys and stakeholder interviews provide data on which each category and level of inquiry is scored (on a scale of 1-100). The various categories of data are weighted at each level (by panels of relevant subject matter experts) and “rolled up” in an additive fashion to derive the ultimate risk index score, which itself is expressed as number between 0 and 100. The

DHS Protective Security Advisors (PSAs) who deploy this index utilize multiple layers of review and quality assurance to ensure consistency across asset evaluations. As the designers of this system admit, an individual asset’s resilience index number can be difficult to interpret in isolation. The strength of this approach, they contend, is in comparative assessment across similar facilities (Fisher et al. 2010, 21).

The risk community offers additional perspectives on what resilience is and how it might be measured (and improved). Generically, risk can be viewed as a function of: (1) the probability of an adverse event occurring over time, and (2) the magnitude and direction (i.e., consequence) of any resulting effects if it does. In the context of terrorism, risk has been viewed more specifically as a function of the probability of a threat to an entity or system with certain vulnerabilities that can lead to specified consequences (i.e., adverse effects) on that target

(Haimes 2009, 498; Risk Steering Committee 2010). A threat, in the risk management literature, and in the larger Homeland Security Risk Lexicon (2010), is viewed as a function of the intent of

an adversary to do harm, and of that same adversary’s capability (i.e., the ability and capacity, or

lack thereof) to act on that intent (Haimes 2009, 498).

Building on this general risk framework, Haimes proposes a systems-based approach to

risk, vulnerability, and resilience in which vulnerability is viewed as the “manifestation” of the

“states of the system that can be adversely affected by specific types and levels of magnitude of

threats” (Haimes 2009, 499). Resilience also represents the states of any given system over time, but unlike vulnerability, “also represents the ability of the system to recover within an acceptable

time and composite costs and risks” (Haimes 2009, 499). Resilience then, under Haimes’ view,

is “the ability of a system to withstand major disruption within acceptable degradation

parameters and to recover within an acceptable time and composite costs and risks” (2009, 498).

To quantify resilience using this and related risk-based conceptualizations – which mirror

many aspects of the National Academy of Science’s definition of resilience discussed above –

one must consider both the magnitude of impact on the affected system’s function, and the length

of time it takes for the system to recover to an acceptable level (whether that is a pre-event or

“new normal” level of function). Importantly, under Haimes’ view, “the resilience of a system

can be measured only in terms of a specific threat (input) and the system’s recovery time and the

associated composite costs and risks” because “different attacks would generate different

consequence (output) trajectories for the same resilient system” (2009, 498; see also 2011).

Resilient systems can be characterized, in this systems-based approach, in terms of redundancy (“the ability of certain components of a system to assume the function of failed

components without adversely affecting the performance of the system itself”) and robustness

(“the degree of insensitivity of a system to perturbation or to error in the estimates of those

parameters affecting the design choice”) (Haimes 2009, 499). Relatedly, there is increasing

attention in the broader risk management literature to how different investments can be made to

improve a system’s redundancy, its robustness, or both. Invariably, such investments have different effects on resisting or reducing a potential loss in function versus shortening potential recovery times (MacKenzie and Zobel 2015, 1). Optimizing investments to maximize the two

separate, but interrelated aspects of resilience is a burgeoning area of research.

Haimes’ approach is not without its critics as the very notion of threat-specific (or,

perhaps threat-dependent) resilience stands in tension with the idea, expressed in the Resilience

Engineering literature and elsewhere, that resilience necessarily includes the ability to react and

handle surprising unknowns. Aven and Woods, for example, point out that adaptive ability is

exactly what distinguishes resilience from simple robustness in the first place (Aven 2011;

Woods 2015).

Similar to Haimes’ systems-based perspective, Alderson, Brown, and Carlyle argue for a

shift away from thinking in terms of individual assets or components – as is implicit in many

analytic schemes. They suggest that with respect to critical infrastructure, at least, resilience can

be conceptualized as “operational resilience,” which they define as “the ability of a system to

adapt its behavior to maintain continuity of function (or operations) in the presence of

disruption” (2015, 10). Thus construed, it is often not possible, let alone appropriate, to assess

the resilience of a system without considering the system’s function as a whole – including the

system’s dependencies and interdependencies with and among its set of components and with

other systems. This is so because the importance of any given component (i.e., its contribution

to the system’s function) depends on the contribution of other components. Thus, the impact on

function (i.e., operational resilience) of a given disruption necessarily depends on which, and

how many, system components are affected. This argument aligns with that proposed by the

Resilience Engineering literature, discussed above, that argues we must move from thinking in

terms of failure modes of components, to thinking in terms of “concurrences” through which a

system of systems loses its dynamic stability and becomes unstable (Hollnagel 2007, 17).

Building from these observations, Alderson et al. advance a methodology that utilizes

constrained optimization-based prescriptive network flow modeling where the resilience of a

system is considered through an analysis of the effects of the loss of function of one or more

finite system component parts (agnostic to the source of disruption). Importantly, such models

can be developed based on actual system characteristics such that the loss of a set of components

is “[not] simply the sum of the consequences associated with the loss of individual components”

(Alderson, Brown, and Carlyle 2015, 6).

Flynn, in a study of Superstorm Sandy (the “post-Sandy study”) discussed in greater detail in the last section of this chapter, furthers the focus on function through a proposed framework for prioritizing resilience design (2015). Specifically, he suggests that the resilience of critical infrastructure should be conceptualized in terms of elemental capacity, essential

function, and full (or normal) function. Under this trichotomy, elemental capacity is defined as

“the prerequisite system conditions that must be in place in order for the infrastructure to provide

its function to its users” (Flynn 2015, 24). Essential function is “the minimal level of function an

infrastructure needs to provide in order to meet the critical needs of its users, and to support the

infrastructure’s recovery” in the wake of disruption (Ibid., 25). Full function is that needed to

satisfy a user’s routine needs, and to ensure the economic viability of the infrastructure.

While not offered as “measures” of resilience, per se, Flynn suggests that these specified

levels of function – and through them, resilience more broadly – can be enhanced by designs that

enable one or more of five important “attributes” of resilience:

• Cushionability (“the capacity to support graceful degradation of non-essential function

during periods of stress”) (Flynn 2015, 24);

• Resistance (“measures that redirect a threat or hazard away from where it can cause damage

to elemental capacity or disrupt essential function”) (Ibid.);

• Robustness (“measures that harden or protect elemental capacity and essential function”)

(Ibid.);

• Redundancy (“backup systems or spare components [that] support immediate recovery of

elemental capacity and essential function”) (Ibid.); and

• Graceful extensibility (the capacity to “adapt to surprises and uncertainty associated with the

future risk environment”) (Ibid.).

Viewing the key aspects of the aforementioned approaches together, it is clear that the

current literature on resilience assessment in the community and infrastructure contexts presents

a morass of similar, yet importantly different approaches. All methodologies, however, break resilience into component aspects that are assessed across multiple domains, or, alternatively, levels of function. Table 2-5, on the following page, highlights these aspects, and the resulting

surface similarities and differences of these select approaches. These components, metrics, and

attributes of resilience serve at least three functions in the present effort. First, they inform the

review (and initial first-cycle coding) of the case evidence that is the subject of this study.

Second, they assist in assessing the appropriateness of various conceptualizations of resilience.

Third, they provide multiple perspectives to consider when identifying common themes (i.e.,

second-cycle coding) and challenges among and across the case data.

Table 2-5: Key Aspects of Select Resilience Assessment and Measurement Schemes Scheme Focus Area Components of Resilience / Domains of Assessment Aspects of Measurement Longstaff et al.’s “Building Community Resource Robustness Ecological Resilient Communities: - resource performance Economic Preliminary Framework for - resource diversity Civil Society Assessment” (2010) - resource redundancy Governance Adaptive Capacity Physical Infrastructure - institutional memory - innovative learning - connectedness Cutter, Burton, and Emrich’s Community Various Composite Indicators Social “Disaster Resilience Indicators for Economic Benchmarking Baseline Institutional Conditions” (2010) Infrastructure Community Capital Linkov et al.’s “Measureable Community Planning and Preparation Physical Resilience for Actionable Policy” Absorption Information (2013) Recovery Cognitive Adaptation Social CARRI’s “Community Resilience Community Assets Infrastructure System” (2011; 2013) Threats Economic Gaps Social Opportunities Cross-Cutting Bruneau et al.’s “Framework to Community / Robustness Technical Quantitatively Assess and Critical Redundancy Organization Enhance the Seismic Resilience of Infrastructure Resourcefulness Social Communities” (2003) Rapidity Economic Argonne National Laboratory’s Critical Robustness Critical Infrastructure “Resilience Index” (Fisher et al. Infrastructure - redundancy Asset 2010) - prevention /mitigation - maintaining key function Resourcefulness - training/exercises -response - awareness -new resources - protective measures -alternative sites - stockpiles - Recovery - restoration & -coordination Haimes’ systems-based approach Critical Resilience is a measured output Threat Specific to risk, vulnerability, and Infrastructure (or (vector) that is a function of a resilience (Haimes 2009). other) Systems given input (threat) vector, time, and the states of the system at that time. Resilience can be further characterized by a system’s redundancy and robustness. Alderson, Brown, and Carlyle’s Critical Flow/capacity characteristics and Continuity and “Operational Models of Infrastructure interdependencies of component Maximization of Infrastructure Resilience” (2015; parts in a given infrastructure Critical Infrastructure 2014; 2013) system. System Function Flynn’s Model for “Bolstering Critical Cushionability Elemental Capacity Critical Infrastructure Resilience” Infrastructure Resistance Essential Function (2015) Robustness Full Function Redundancy Graceful Extensibility

III. Identifying and Exploring Recurring Barriers to Enhancing Resilience

The second focus area of this research is designed to explore the presence and characteristics of any empirically evident barriers to addressing resilience gaps. It builds on the efforts of, among others, Northeastern University’s Center for Resilience Studies (“the Center”), which recently undertook a multi-year, multi-sector study of the New York metropolitan region’s planning for, response to, and recovery from Superstorm Sandy. That effort, entitled “After

Superstorm Sandy – Bolstering the Resilience of Metro-New York’s Infrastructure” included four research concentration areas: impacts on the (1) health, (2) energy, and (3) transportation sectors; and a consideration of (4) the presence (or absence) of economic incentives (or disincentives) for resilience investments in each (Center for Resilience Studies 2015; Flynn

2015). Each focus area was the subject of a dedicated symposium, co-organized and hosted by

Columbia University, New York University, the Steven’s Institute for Technology, and The

Wharton School at the University of Pennsylvania, respectively. Each convening utilized plenary sessions with panels of subject matter experts, senior policy makers, and infrastructure executives; as well as smaller, focused break-out sessions where all participants’ insights were captured.

The cumulative and common findings of these symposia suggest four specific barriers are impeding progress in overcoming resilience gaps. Namely, that as a society: (1) we do not recognize how unprepared we are to handle foreseeable risks and uncertainties; (2) we lack an integrative approach to addressing resilience, in part because we do not know how to measure resilience and because there is not yet consensus on how to create it; (3) there are organizational and governance barriers to creating resilience; and (4) we do not have sufficient incentives to create it (Flynn 2015).

The presence of these four barriers was affirmed by the comments of experts from across

government; various industries; standards-focused organizations, including the National Fire

Protection Association and the Insurance Institute for Business and Home Safety; academia; and

NGOs, including the American Red Cross; at the subsequent “International Resilience

Symposium,” hosted by the National Institute of Standards and Technology (NIST) (2015, 92–

103). These common barriers can also be seen, although not always as expressly, in the findings of several major studies previously conducted by the National Infrastructure Advisory Council

(2009), the Homeland Security Advisory Council (2011), and the National Academy of Sciences

(2012). The follow sections briefly describes each initiative, presenting their respective key findings, and how they align with the barriers identified in the post-Sandy study in Table 2-6 on page 43.

Building on its own earlier work, in 2009 the National Infrastructure Advisory Council

(NIAC)4 undertook a “Critical Infrastructure Resilience Study” with the objective of finding ways to better integrate the concept of resilience (and infrastructure protection) into a comprehensive risk-management strategy for the Nation. To this end, it conducted individual and panel interviews of numerous subject matter experts and senior executives from across an array of infrastructure sectors. Additionally, it reviewed over 100 government and private sector documents related to resilience practices. From these efforts, the NIAC released the five key findings reprinted in Table 2-6.

Similarly, after “resilience” was named as one of three key components of a comprehensive approach to ensuring “homeland security” in the 2010 Quadrennial Homeland

4 The National Infrastructure Advisory Council consists of up to 30 presidentially appointed advisors chosen from across industry, academia, and state and local government to advise the President and DHS on matters related to the security of critical infrastructure and the related information systems (DHS 2015c).

Security Review, DHS established the “Community Resilience Task Force” (CRTF) within the

Homeland Security Advisory Counsel (HSAC),5 and charged it with providing the DHS

Secretary “recommendations to enable the Department to establish and implement community- based resilience policies, programs, and practices throughout the Nation” (HSAC 2011, 34). To do so, the CRTF identified and engaged numerous subject matter experts regarding what it viewed as two separate but interrelated aspects of resilience: that stemming from individuals and communities; and resilience related to the built environment. Through this process, the HSAC produced four overarching findings, plus several related to each identified sub-component.

Those HSAC findings related to the barriers noted in the post-Sandy study are incorporated in

Table 2-6, below.

Concerned about the ever-risings costs of increasingly frequent disasters – in terms of dollars, but also in terms of social, cultural, and environmental losses – and at the request of eight similarly concerned federal agencies, in 2011 the National Research Council created a select committee – the Committee on Increasing National Resilience to Hazards and Disasters – to examine how the nation deals with disasters, and to recommend improvements to that approach. Building on a growing array of published studies, member expertise, and case studies of various locations that had recently suffered from disaster, the committee developed and published six actionable policy recommendations. While phrased as recommendations for action, each can be read as implying a barrier or shortcoming that the proposed activity is meant to overcome. All six recommendations can thus be viewed as aligning with at least one of the

“barriers” noted in the post-Sandy study, as highlighted in Table 2-6.

5 The Homeland Security Advisory Committee is composed of members representing state and local governments, first responder communities, the private sector, and academia who are selected by DHS to provide it with organizationally independent advice on homeland security policy (DHS 2015a).

Table 2-6: Correspondence between Flynn’s Barriers to Resilience and Key Findings of Prior Studies Barriers & Related Key Findings Barriers “[W]e do not recognize “We lack an integrative We lack appropriate “We do not have noted in the how unprepared we are approach to advancing frameworks for adequate incentives for Post-Sandy to handle foreseeable resilience across managing bolstering resilience” Study: risks or to respond to interconnected critical organizational and (Flynn 2015, 20). uncertainties” (Flynn infrastructure systems” governance issues on a 2015, 14) (Flynn 2015, 15). regional scale” (Flynn 2015, 17) Other Studies NIAC “Because definitions of “The current policy “Current market Infrastructure resilience vary, a framework for mechanisms may be common definition will infrastructure security is inadequate to achieve Resilience help guide policy fundamentally sound but the level of resilience Report development.” could be improved to needed to ensure public (2009, 10) better reflect principles health, safety, and of resilience.” security.” HSAC “Finding 1.4: The “Finding 1.1: Resilience “Finding 1.3: DHS “Finding 1.2: The Community requisite knowledge base is not yet commonly activities would benefit enhancement and needed to make understood by the from more effective sustainment of national Resilience resilience a true diverse stakeholder coordination and resilience is not yet Task Force foundational element for groups upon whom integration as uniformly motivated by Report homeland security does progress depends” organizational DHS via policies, not yet exist” (2011, 18) (2011, 12). components work to programs, or “Finding 2.3: “Finding 3.3: The build the resilience investment” (HSAC Complacency is a sector-focused approach foundation for homeland 2011, 14) serious threat to building that dominates critical security” (2011, 16) and sustaining national infrastructure planning at resilience; clear the federal level does not communications to effectively support increase public community-based awareness is a necessary resilience initiatives” first step, but individuals (2011, 29). must be motivated to take action” (2011, 22) NAS “Recommendation 3: A Recommendation 2: Recommendation 1: “Disaster national resource of The public and private Federal government disaster-related data sectors in a community agencies should Resilience: A should be established should work incorporate national National that documents injuries, cooperatively to resilience as a guiding Imperative” loss of life, property encourage commitment principle to inform the Report loss, and impacts on to and investment in a mission and actions of economic activity… [to] risk management the federal government better understand strategy ... (2012, 61). and the programs it structural and social Recommendation 6: All supports at all levels vulnerability to disasters. federal agencies should (2012, 205). (2012, 87) ensure that they are Recommendation 5: Recommendation 4: promoting and Federal, state, and local [DHS] in conjunction coordinating national governments should with other federal resilience in their support the creation and agencies, state and local programs and policies maintenance of broad- partners, and (2012, 194). based community professional groups resilience coalitions at should develop a local and regional levels National Resilience (2012, 151). Scorecard (2012, 130).

Despite the convergence of findings in these resilience reports, beyond the case studies

and interviews on which the NIAC, HSAC, and NAS efforts were based, there has been little

empirical study focused on the frequency and characteristics of barriers to enhancing resilience,

especially as they may be related to and among differing regions, communities, and

infrastructure sectors. Drawing on the diverse RRAP data, this dissertation furthers this

emerging theory through a larger and more diverse set of case studies than has been previously utilized. Through these cases this research explores subcomponents and contributing factors for each of the four noted barriers.

As further detailed in Chapter 3, the barriers and subcomponents that are articulated in the post-Sandy study – which are further supported and informed by the related literatures cited herein – provide a jumping off point, and initial coding scheme, for analysis of the RRAP cases with respect to this effort’s focus on barriers to improving resilience. The following discussion outlines the subcomponents of each noted barrier. Thereafter, this literature review chapter concludes with a very brief overview of the decision-making and organizational behavior literatures that inform many of the barriers and related subcomponents considered herein.

A. Four Noted “Barriers” to Enhancing National Resilience

1. “As a nation, we do not recognize how unprepared we are to handle foreseeable risks or to respond to uncertainties” (Flynn 2015, 14).

The first barrier to advancing national resilience noted in the post-Sandy can be thought

of as incorporating four related sub-components. First, as a society we tend to overestimate our

current capabilities to deal with catastrophes and disruptions (see generally National Academy of

Sciences 2012, 31; Kahneman 2013). Second, we are generally biased toward inappropriately

discounting the risks of aging infrastructure and the leading indicators of change (see, e.g.,

Kunreuther, Michel-Kerjan, and Pauly 2013). Third, we design, build, and manage based on

assumptions of stationarity (i.e., that a once-in-a-100-year event will always remain a 100-year event) when we should not (Milly et al. 2008). Fourth, our elected officials are loathe to look for, or acknowledge, community or infrastructure risks to the extent doing so without adequate resources to address them becomes a political liability (see generally Rabkin 2008; see also

National Institute of Standards and Technology 2015).

2. “We lack an integrative approach to advancing resilience across interconnected critical infrastructure systems” (Flynn 2015, 15).

The lack of an integrative approach to advancing resilience – a second observed barrier–

arises from the current lack of any widespread agreement on what resilience is, and how best to

measure it (as suggested in the prior portions of this literature review). This disagreement and

confusion, in turn, results in the absence of any agreed upon comprehensive, interdisciplinary,

network-of-systems-based approach to tackling this national challenge (NIAC 2009; HSAC

2011; National Academy of Sciences 2012). Advances in resilience-based engineering exist

(see, e.g., Hollnagel, Woods, and Leveson 2007), but are too often only applied within specific

disciplines and in response to limited, specific hazards (Flynn 2015, 16). In the absence of

common, performance-based standards, component-level managers of specific assets often make

decisions in the wake of a disruption that negatively impact inter-connected components and

inter-dependent systems on which they have little visibility or understanding (Ibid.).

3. “We lack appropriate frameworks for managing organizational and governance issues on a regional scale” (Flynn 2015, 17).

A third barrier to enhancing resilience arises, in part, from the fact that lifeline infrastructures are inherently regional systems, yet our nation is largely organized to manage them by specific sector, and through local, state, and federal constructs. This approach overlooks the interconnectedness and interdependencies among these systems (see, e.g., Birkland and

Waterman 2008; Birkland and DeYoung 2011; Schneider 2008). This leads to “critical

shortcomings” in regional coordination and collaboration (Flynn 2015, 19). Moreover,

organizationally, each jurisdiction tends to “fight the last battle” or, in the present context,

prepare for, and act (often independently), based on the last disaster (Birkland 1997; Birkland

2006; Donahue and Tuohy 2006; Flynn 2015).

4. “We do not have adequate incentives for bolstering resilience” (Flynn 2015, 20).

Included within this final “barrier” noted in the post-Sandy study are four inter-related notions. First, there are currently few rewards for investing in resilience. Indeed, there are frequently disincentives. Congress, for example, routinely authorizes funds above the default federal cost-share rate of 75% that is provided under the Stafford Act for presidentially declared disasters, often effectively providing 90-100% reimbursement to states and localities. Thus, as

Alice Hill, Senior Advisor (for Preparedness and Resilience) to the President’s Assistant for

Homeland Security and Counterterrorism, has observed, it is difficult to find anyone who is anti- resilience; but people increasingly believe that the federal government is going to bail them out

(see Flynn 2015). Overcoming this “moral hazard” is a significant barrier to improving resilience in many instances.

Second, routine efficiency and optimization (e.g., eliminating redundancy and utilizing just-in-time delivery) are often valued over continuity of function – excess capacity is intentionally removed from systems to make them “leaner” (Flynn 2015, 13). There is a

“business case” to be made for improving resilience. The United Nations Office for Disaster

Risk Reduction estimates that for every dollar spent on resilience improvements, when considered over an appropriate timeline,6 investors receive a 400% return on investment

6 The tendency of many cost-benefit analyses to use inappropriately short timelines is discussed further below.

(UNISDR 2013). Still, having recently held its fourth annual conference on resilience investment and on the importance of public-private partnerships to improve resilience at the individual business, sector, or regional levels, the U.S. Chamber of Commerce feels that many of the nation’s 30 million business entities simply have yet to get the message (Martinez-Fonts

2014).

Third, we are skilled at transferring risk to others but not at reducing or eliminating it.

Infrastructure owners and operators – as well as governments that permit (re)construction in hazard prone areas – necessarily accept a certain amount of risk in the decisions they make. The taxpaying and utility-using public, however, often misunderstands or is generally unaware of the hazards and vulnerabilities involved in these decisions (Flynn 2015, 94). Risks are thus transferred, but seldom transparently.

Finally, in addition to impairing our ability to see the depth of the challenges we face and to inhibiting integrative solutions thereto, the previously mentioned notion that we are still not sure how to measure resilience or what it means in various contexts undermines any scheme intended to incentivize its creation (see generally NIAC 2009; HSAC 2011; National Academy of Sciences 2012). Together, the four foregoing barriers provide a framework, subject to further expansion and development, for exploring the data on resilience that the RRAP reports provide.

B. Behaviors Underlying Resilience Barriers & Resilience Decision-Making

While few scholars have focused on exploring the aforementioned barriers and components thereto as such, there has been an increasing integration into the ongoing resilience dialogue of theories regarding the limitations imposed by human behavior and decision-making in the face of complexity and uncertainty (see e.g., National Academy of Sciences 2012, 38–43;

Shafir 2013; Kunreuther and Michel-Kerjan 2013); conditions clearly implicated when

considering disruptions to overlapping, interdependent critical infrastructure systems. These

theories serve to inform any review of resilience gaps and barriers. Accordingly, this final sub-

section briefly notes three important observations derived from tangentially related literatures on

decision-making “heuristics” and “biases.” Specifically, it reviews our collective tendency for

(1) employing simplified decision rules, (2) maintaining the “status quo” and (3) minimizing our

perception of risk by confining our consideration and analyses to inappropriately narrow timelines and issues. Each is discussed in turn.

1. Simplified Decision Rules

Three inter-related theories of how decisions are frequently simplified – those advanced

by Allison and Zelikow (1999), the cybernetic theory of decision making originally advanced by

Steinbruner (1973), and the work of Kahneman (2013) – together provide important insights into

the noted barriers to resilience. In their famous analysis of the Cuban Missile Crisis, Allison

and Zelikow utilized three “models” of decision-making to explain the narrative of what

happened. The first two models are most relevant for present purposes. “Model 1,” as they label it, is the classic “rational actor” model. This approach to decision-making, which is utilized throughout numerous literatures and disciplines, posits that decisions are based on a calculated evaluation of the potential costs and benefits association with various options for proceeding.

That is, decisions are made to produce what is rationally seen as the most efficient or optimal outcome. Under this model, organizations are composed of individual actors who effectively decide on a given course of action for the larger organization. As a contrast to this approach, the authors suggest that “organizational behavior” might provide a superior explanation as to how decisions are actually made. In their “Model 2” conceptualization, Allison and Zelikow assert that decisions are better understood as a function of the “purposes and practices common to the

48 members” of the involved organization (Allison and Zelikow 1999, chap. 3). Moreover, in the face of uncertainly or complexity, organizations default to their known “repertoires”.

Steinbruner alternatively frames this dichotomy of decision-making in terms of analytic versus cybernetic paradigms. Under his analytic model (a version of rational choice), decisions makers, individually or collectively, serve as “purposeful calculators” (Coulam 1977, 11) that undertake a series of assessments to determine the best outcome. In a slightly different approach from Allison and Zelikow’s Model 2, Steinbruner posits that decision makers can be viewed as acting based on “simplified images of complex problems” (Ibid.) In doing so, they are analogous to “servo-mechanisms,” such as a thermostat, that respond to a specific recognized stimulus (or one that has been interpreted as a recognized stimulus) by undertaking a set, prescribed action in response thereto (Steinbruner 1973, 51). Under this paradigm, decision- makers focus on the stimulus and act in routine ways – similar to Allison and Zelikow’s notion of “repertoires” – without necessarily evaluating the specific possible outcomes of the action.

Kahneman offers a third related dichotomy, which approaches decision-making from a more psychological, cognitive science perspective. Kahneman asserts that humans act via one of two specific “systems” of thinking. Under “System 1,” (alternatively termed the Automatic

System) people operate or decide “quickly, with little or no effort and no sense of voluntary control” (Kahneman 2013, 20). Under this intuitive model, people use simple associations and decisions rules, (2013, chap. 4) and tend to draw heavily on recent past experiences, which

Kahneman terms the “availability heuristic” (2013, chap. 12). This approach system is roughly analogous to Steinbruner’s servomechanism analogy and the “repertoires” of Allison and

Zelikow’s “Model 2.” Under Kahneman’s System 2 – sometimes referred to as our Reflective

System (Thaler and Sunstein 2009, 19) – humans undertake “effortful mental activities” for

complex circumstances that demand them (2013, 21). This second model represents how most

individuals would like to see themselves, and closely resembles the “rational actor” and

“analytic” models discussed above. Importantly, though, Kahneman’s study of human behavior

suggests that there are a large number of biases that continually drive individuals toward using

“System 1” thinking far more often; especially when they shouldn’t.

The synthesis of these three decision-making dichotomies is instructive with respect to the notion of our (in)ability to recognize the scope of the challenges we face. Taken as a whole, these theories suggest that there is at least a strong likelihood that any organization (however structured) that is confronted with a particularly messy, complicated issue will tend to interpret the problem or environment in ways that make it conform to more familiar settings or simpler problems. Moreover, decision makers, whether individual or collectively, are likely to default – at least in some circumstances – to known routines (or “repertoires”) for handling the now

“simpler” and “familiar” problems.

A critical consequence of this decision-making behavior is the importance of which individuals and agencies – and through them, what collective perspectives and experiences within a given environment – are “at the table” when dealing with resilience issues; whether in response to a specific disruption; or in a more proactive, planning posture. The set of participants is thus at least theoretically important in determining what decisions and actions a given response or planning organization is capable, let alone likely, of making as the collective experiences of those involved will shape how the organization perceives and acts on the challenge at hand.

Relatedly, Woods et al., suggest that the observable tendency toward mental

simplification also manifests itself in a “hindsight” bias (2010). Knowledge of the outcome of a

given disaster or accident, they explain, “biases our judgment about the processes that led up to

that outcome” (Woods et al. 2010, 15). In other words, we subconsciously use our knowledge of

the outcome to simplify and assume a causal chain of events that produced it. Accordingly, even

when disasters bring intense scrutiny and study of why and how (a) given system(s) failed, we

often fail to fully see and appreciate the complexity and nuance involved. In this way, these

theories collectively support and inform the first barrier noted above – as a society we often

don’t fully appreciate the very complexity we face.

2. Status Quo

A second relevant behavioral observation, originally termed the “status quo bias” by

Samuelson and Zeckhauser (1988), might be thought of as the rough mental equivalent of

Newton’s first law of motion. Barring some significant external force, humans tend to remain at

rest with their status quo, and, if moving, to keep to their existing course of action. Whether out

of convenience, custom, or conservatism, there is a strong tendency for humans to choose

options that leave current configurations, policies, and options intact. Relatedly, Kahneman

explains that our inherently greater desire to avoid losses than to achieve gains (even if the object

of value at issue is the same!) – an idea generally adopted and referred to as “loss aversion” in

numerous fields, including behavioral economics – reinforces our tendency to defend the status

quo (Kahneman 2013, 304–306). If change is required, we often operate in favor of cautious

incremental deviation therefrom (Kahneman 2013, 305; see also Lindblom 1959 and its

progeny). The basic premises of these related theories underlie many of the “default adjustment recommendations” for “improving health, wealth, and happiness,” made popular by Thaler and

Sunstein in their book “Nudge” (2009). To help Americans save more, for example, the authors recommend that employers automatically enroll their employees in tax-favored savings plans,

forcing them to go against the status quo and actually opt out if they prefer another approach to

investing for retirement (Thaler and Sunstein 2009, 109–110).

For present purposes, it is important to observe how the idea of a status quo bias may

help to explain the nation’s seeming reluctance, if not inability, to depart from the stove-piped,

infrastructure-specific disaster planning and response observed in the post-Sandy study. It also

suggests why we continue to “relearn” the same lessons after many disasters (Abramson and

Redlener 2012; Donahue and Tuohy 2006). These mental tendencies and limitations together

suggest that developing a truly integrative, holistic approach to enhancing resilience – the second

noted barrier to enhancing resilience – is difficult.

3. Perceiving Risk and Myopic Thinking

In opening their book “At War with the Weather: Managing Large-Scale Risks in a New

Era of Catastrophes,” (2009) Kunreuther and Michel-Kerjan succinctly articulate a third important behavioral observation that is relevant to exploring and understanding potential barriers to resilience: “there is a tendency for all of us, whether in the role of homeowner, decision maker in a private or public sector organization, or an elected official at the state, local, or federal level, to focus on short-term crises” (2009, xviii). In addition to the previously noted availability heuristic – which suggests that our understanding of any problem or probability is strongly shaped by personal, recent experiences – we also focus our limited attention on threats

we perceive as near term. Thus, how a given hazard, vulnerability, or threat is framed and

described matters. Individuals, for example, are more liable to insure against a flood risk if told

they face a greater than one-in-five chance of a given flood stage in the next 25 years, than if the

same condition is characterized as the probabilistically equivalent “100-year storm” (Kunreuther,

Michel-Kerjan, and Pauly 2013; citing Weinstein, Kolb, and Goldstein 1996). Moreover, our

tendency to focus on short-term expenditures (a “loss”), instead of the long-term returns on

investment (the “gain”) that they can bring over the life of a given asset or property, lead many

to forego risk mitigations measures (i.e., resilience investments) that, from a strict cost-benefit

perspective, ultimately make a great deal of sense. This tendency for myopic behavior with respect to risk illustrates the need for additional incentives for investing in and improving resilience – the lack of which form the fourth barrier detailed above.

The above literatures on barriers and their related sub-components, along with the supporting theories regarding behavior and decision-making that begin to explain them, provide a baseline understanding from which grows second focus in this inductive-deductive study. How these literatures contribute to the qualitative coding of the RRAP case data is appropriately the subject of a complete methods discussion, which appears in the next chapter.

Chapter 3

This chapter describes the data, overarching design, and analytic techniques used in this

research. It does so in two major sections. The first provides a history and description of the

Regional Resiliency Assessment Program (RRAP) implemented by the Department of Homeland

Security (DHS) from whose data this dissertation draws. In brief, the RRAP initiative evolved

from the “comprehensive reviews” of high-consequence Critical Infrastructure and Key

Resources (CIKR) conducted by DHS shortly after its formation in the wake of 9/11. Not

surprisingly, these initial efforts focused on improving physical security and asset protection via

studies conducted through a counter-terrorism lens. As these reviews became more ambitious,

and began to explore more sprawling subjects, such as California’s water system, DHS shifted its

approach to a system-based analysis of how a given asset or sector focus area is supported by,

and dependent upon, multiple lifeline infrastructures. The resulting resilience-centric RRAP

initiative, which has continued to mature since its inception to incorporate an increasing array of

data collection and analytic techniques, has undertaken over 33 year-long, in-depth studies

involving eight broad substantive areas of emphasis in 31 states. The first portion of this chapter

further details this program’s important, but largely underutilized, processes and products, and explains how they are used in answering my research questions.

The second section of this chapter explains the qualitative research approach and specific methodological techniques – including key features of the NVivo 10 for Mac software – used to derive the results and conclusions presented in the final chapters that follow. Specifically, this latter section explains why and how I use an inductive-deductive content analysis based on

Saldaña’s two-cycle coding method (2012), as implemented through a case study-based

adaptation of Tesch’s eight-step coding process (Creswell 2013, 198; citing Tesch 1990), to

identify and analyze recurring resilience gaps, and barriers to their elimination.

I. Data: The Regional Resiliency Assessment Program (RRAP)

As noted in Chapter 1, the Office of Infrastructure Protection (IP), an entity within DHS’s

National Protection and Programs Directorate (NPPD), describes its Regional Resiliency

Assessment Program as “a voluntary, non-regulated interagency assessment of critical infrastructure resilience in a designated geographic region” (DHS 2014c). Similar to CARRI’s

Community Resilience System, but unlike many of the other assessment regimes and indexes surveyed in Chapter 2, the RRAP process uses a standardized but flexible assessment framework designed to “identify[] threats, vulnerabilities, and potential consequences from an all-hazards perspective.” The scope and focus of each RRAP project varies based on the needs and desires of the communities, governments, and infrastructure sectors that volunteer to participate in the program. Moreover, the geographic scale of RRAP projects has varied considerably, ranging from studies involving specific communities within a set geographic region (e.g, the port community in Hampton Roads, VA); to larger cities and metropolitan regions (e.g., New York,

Chicago); to entire states (e.g., Maine, Wyoming), and one project involving an infrastructure sector (petroleum pipelines) spanning 13 states.

Regardless of the focus, scope, or geographic scale, to build awareness of vulnerabilities and threats the RRAP process seeks to “identify dependencies, interdependencies, cascading effects, resilience characteristics, and gaps; assess the status of the integrated preparedness and protection capabilities of critical infrastructure owners and operators, local law enforcement, and emergency response organizations; [and c]oordinate[] protection and response efforts to enhance resilience and address security gaps within [each targeted] geographic region” (DHS 2014c). To

55 these ends, each year IP selects – with input from state and local stakeholders, as well as from

IP’s Protective Security Advisors (PSAs) who serve as liaisons and advisors within these various regions and communities – a specified number of projects based on the funding available. Each

RRAP project takes roughly one year to complete. In fiscal year 2014, for example, DHS began

10 projects. RRAP reports are released to the primary state authority or other entity for whom they were conducted on a rolling basis as they are completed.

This research focuses on the first 33 RRAP project reports (termed “Resiliency

Assessments”) that had been completed by DHS at the inception of this work. (An additional project involving the Chicago Financial District was initially considered for inclusion in this research, but was excluded when the available report was not a Resiliency Assessment, but rather a Buffer Zone Protection Plan – a physical security-focused product that is one of the many sources of information used in producing the larger RRAP report.) The year, focus, and geographic area of interest for each RRAP project analyzed herein are noted in Table 3-1 on the following page. The RRAP reports do not expressly use the concept of “megaregions,” which may be broadly defined as clustered networks of metropolitan areas with, among other features, interconnected and inter-dependent transportation and infrastructure systems (see generally Lang and Dhavale 2005). However, they are included in Table 3-1 for the purpose of later comparative analysis amongst and between such regions. Specifically, this dissertation uses the

11 megaregions proposed by the New York metropolitan area’s Regional Plan Association

(2015).

Table 3-1: Regional Resiliency Assessment Program (RRAP) Case Studies Title Sector Focus Area(s) Released State Mega Region(s) Alabama Poultry Agriculture and Food 2013 AL Piedmont Atlantic Alaska Energy & Transportation 2012 AK None Arizona Water 2014 AZ Arizona Sun Corridor Atlanta Commercial Facilities 2011 GA Piedmont Atlantic California Dairy Agriculture and Food 2012 CA Southern California Chicago Transit Transportation 2014 IL Great Lakes Denver Commercial Facilities 2012 CO Front Range Florida Defense Industrial Base 2015 FL Florida Hampton Roads Transportation 2013 VA Northeast Las Vegas Commercial Facilities 2011 NV Southern California Maine Energy 2012 ME Northeast Massachusetts Energy 2011 MA Northeast Minnesota Commercial Facilities 2012 MN Great Lakes National Capital Region Energy 2013 DC Northeast Nebraska Energy 2014 NE None New Jersey Exit 14 Water 2010 NJ Northeast New Mexico Agriculture and Food 2014 NM Front Range New York Bridges Transportation 2009 NY Northeast North Dakota Energy 2014 ND None Northern Delaware Transportation 2014 DE Northeast Oklahoma Dams 2013 OK None Pittsburgh Transportation 2013 PA Great Lakes Puerto Rico Transportation 2014 PR None Regional Pipelines Energy 2014 Various Various Research Triangle Park Commercial Facilities 2010 NC Piedmont Atlantic Salt Lake City & Co. Healthcare & Public Health 2014 UT None Seattle Commercial Facilities 2011 WA Cascadia SE New Hampshire Energy 2014 NH Northeast Tampa Commercial Facilities 2012 FL Florida Texas Medical Center Healthcare & Public Health 2014 TX Texas Triangle Texas Panhandle Agriculture and Food 2011 TX None West Virginia Transportation 2012 WV None Wyoming Energy 2014 WY None

The Regional Resiliency Assessment Program reflects a continuing evolution in the way

the federal government has viewed and addressed critical infrastructure, and homeland security

more broadly. As the introduction of each RRAP report itself explains, the Department of

Homeland Security’s mission “has evolved in recent years from one focused primarily on

protective security to include a greater emphasis on resilience to disruptive events.” (As

discussed further herein, the Department’s view of resilience has also evolved over time.)

Correspondingly, the RRAP developed from the prior “Comprehensive Review” projects

initiated by DHS in 2004 to enhance the protection of designated “critical infrastructure and key

resources” (CIKR). Comprehensive reviews initially used an asset-focused approach to study

nuclear reactors (2005), high-consequence chemical facilitates (2006), and certain liquefied

natural gas facilitates (2008). In 2008, the program undertook a more systems-based approach to

study California’s state water system. That approach became the model for the RRAP’s broader

emphasis on the interdependencies across multiple lifeline critical infrastructure sectors that

support a sector of interest (i.e., the focus of a given RRAP project) in a given region. As its

very name implies, unlike its predecessors, the Regional Resiliency Assessment program focuses

on regional resilience, which has been viewed as “a function of resilience across several

subsystems, including but not limited to: [a studied region’s] economy, civil society, critical

infrastructure, supply chains/dependencies, and governance (including emergency services):

(Carlson et al. 2012, 22; DHS 2014c).

The RRAP process has continued to mature. Early RRAP project reports, for example,

studied resilience as a function of four components: robustness (“the ability of [Critical

Infrastructure and Key Resources, or “CIKR”] to maintain functionality at a level pre-determined

to be acceptable after an incident or attack”); redundancy (“the ability of the CIKR to back up or

reproduce its system’s critical functions either on site, or at another location”), response

(operations designed to “determine what is ‘wrong’ with CIKR and what needs to be done to

return it to an acceptable level of functionality”), and reparability (“a determination of the overall

ability to fix the damage done to CIKR resulting from natural and manmade hazard events”)

(DHS 2010b). Later reports embraced the National Infrastructure Advisory Council’s three-

component formulation. Under this model, resilience was considered as a function of robustness

(“the ability to maintain critical operations and functions in the face of crisis”), resourcefulness

(“the ability to skillfully prepare for, respond to and manage a crisis or disruption as it unfolds”),

and recovery (“the ability to return to and/or reconstitute normal operations as quickly and

efficiently as possible after a disruption”) (NIAC 2009, 8). Early RRAP project reports using either of these resilience formulations were structured around an eight-step RRAP Resilience

Management Framework, which itself drew heavily from the traditional multi-step risk management process of hazard identification, risk assessment, selection of appropriate risk management strategies, implementation, and review (see Manuj and Mentzer 2008; Pettit, Fiksel, and Croxton 2010, 4–5). Specifically, reports developed during the first two years of the program were structured around the first five steps of an eight-step process: (1) setting goals and objectives; (2) identifying critical assets, systems, and networks; (3) assessing (regionally relevant) hazards and risks; (4) assessing dependencies and interdependencies; (5) prioritizing resilience strategies.7

After the promulgation of Presidential Policy Directive-8 (PPD–8), “National

Preparedness,” in 2011, the RRAP program deemphasized analysis based on specific

7 By their very nature, the remaining steps in the early eight-step process – (6) submitting a [Vulnerability Reduction Purchase Plan] and evaluating grant programs that could be used to implement the prioritized resilience strategies, (7) implementing the approved grant programs, and (8) evaluating their effectiveness – were beyond the scope of the RRAP reports themselves.

59 components of resilience, instead simply employing PPD-8’s definition that emphasizes “the ability to adapt to changing conditions and withstand and rapidly recover from disruption due to emergencies.”

Moreover, while initial RRAP project reports present the general dependencies and interdependencies found among and between infrastructure sectors affecting a given project’s focus sector, more recent RRAP products provide far more detail-oriented findings and specific resilience enhancement options. For example, the 2010 New Jersey Exit 14 RRAP notes an apparent gap in understanding among state and local officials concerning the implications across interdependent infrastructure sectors of existing long-term recovery plans for specific hazards, and suggests the need to establish a better decision-making framework regarding the support required for various recovery efforts across these sectors. The later (2015) Florida Defense

Industrial Base (DIB) RRAP report details a similar concern, but with far greater specificity.

The Florida DIB Resiliency Assessment highlights specific communications gaps among named emergency management agencies and private companies with direct and real-time roles in defense and national security operations. Moreover, this recent RRAP report suggests specific characteristics for such companies that state and local agencies should become more familiar with. Early RRAP reports do include “gap tables” that provide very specific deficiencies, with recommendations for mitigating them. The types of details simply listed in these early tables, however, are more fully integrated into the main analysis of later reports. The implications of this shift toward a more holistic conceptualization and application of resilience, and later RRAP reports’ use of more pointed findings and recommendations are discussed in greater detail in

Chapters 4 and 5.

For present purposes, it is important to note that the evolution of the RRAP process over

time has also brought with it an increasing array of data collection strategies and analytic

techniques, including various types of stakeholder outreach, targeted interviews, and facilitated

discussions; as well as various assessment indexes and modeling tools (e.g., input-output, flow

rate, and supply chain modeling); many of which have been developed and executed by the

national labs on behalf of DHS specifically for the RRAP initiative (see Carlson et al. 2012).

Table 3-2, on the following page, provides a non-exhaustive list of data collection and analytic tools commonly used in RRAP projects. Again, the tools used in any given RRAP project vary.

Importantly, while the underlying data and specific complement of collection strategies and diagnostic devices employed for each RRAP project are unique, the resulting reports, which range in length from approximately 80-350 pages each, all address several common elements.

Specifically, they each contain (1) a review of the RRAP activities and instruments utilized for the specific project in question; (2) a detailed description of the subject operating environment

(i.e., the research setting); (3) a listing of “key findings” (sometimes characterized as “threats” in early reports), perceived “resilience gaps,” and recommendations for addressing the noted shortfalls (termed “resilience enhancement options” in more recent reports); and (4) a discussion of the empirical evidence and details on which these findings and recommendations are based

(most often through additional details provided in supporting appendices intended for more limited distribution). As explained in more detail below, this effort’s conclusions emerge from a careful coding and analysis of these case study reports, and their supporting appendices.

Table 3-2: Example Data Sources, Collection Techniques & Analytic Tools used in RRAP Projects

Activity, Source, or Tool Description Buffer Zone Plans A “DHS-administered grant program designed to increase security in the area outside of critical (BZP) Program infrastructure facilities and assets that can be used by an adversary to conduct surveillance or launch an attack. Assessments conducted under the BZPP are used to create BZPs, which provide the details of proposed security strategies and related planning and equipment requirements” (FEMA 2012). Computer-Based A “data collection and presentation medium that supports critical infrastructure security, special event Assessment Tool planning, and responsive operations.” The CBA “provides immersive video, geospatial, and (CBAT) hypermedia data of critical facilities, surrounding areas, transportation routes, etc., [and] integrates assessment data from Enhanced Critical Infrastructure Protection (ECIP) visits, Infrastructure Survey Tool (IST) and Rapid Survey Tool (RST) security surveys, and other relevant materials to create a video guide of a selected location” (DHS 2015e). Cyber Resilience “A no-cost, voluntary, non-technical assessment to evaluate an organization’s operational resilience and Review (CRR) cybersecurity practices. The CRR may be conducted as a self-assessment or as an on-site assessment facilitated by DHS cybersecurity professionals. The CRR assesses enterprise programs and practices across a range of ten domains. The assessment is designed to measure … organizational resilience as well as provide a gap analysis for improvement based on recognized best practices” (US-CERT 2015). Dependency Interviews DHS-led questioning regarding a given asset’s core function dependencies on lifeline infrastructure. RRAP-Specific A regional electrical system analysis of the high-voltage, high-capacity transmission network and a site- Electrical Infrastructure level assessment of the low-voltage infrastructure that supports the critical infrastructure system or Study assets under study. Such studies often include use of a load flow simulation tool, EPfast, developed for DHS by Argonne National Labs to simulate disruptions to transmission lines and substations. Emergency Services A facilitated discussion involving state and local emergency management and law enforcement Capabilities Assessment personnel that examines a region’s prevention, protection, and response capabilities in the context of a (ESCA) given natural or manmade incident. Enhanced Critical “[A] voluntary assessment that includes outreach, which establishes or enhances the Department of Infrastructure Protection Homeland Security’s (DHS) relationship with critical infrastructure owners and operators and informs (ECIP) Survey them of their facilities’ importance and need for vigilance, and security surveys, which are conducted by DHS protective security advisors (PSAs) to assess the overall security and resilience of the nation’s most critical infrastructure sites” (DHS 2014d). Infrastructure Survey “A voluntary, Web-based vulnerability survey conducted [by DHS] to identify and document the Tool (IST) overall security and resilience of a facility. The survey data, composed of weighted scores on a variety of factors for specific critical infrastructure, is graphically displayed in [an] IST Dashboard that compares the data against similar facilities and informs protective measures, resilience planning, and resource allocation …. In addition to providing a sector security and resilience overview, the Dashboards highlight areas of potential concern and feature options to view the impact of potential enhancements to protection and resilience measures” (DHS 2015d). Multi-Jurisdictional “[A] systematic process that fuses counter-improvised explosive device (IED) capability analysis, Improvised Explosive training, and planning to enhance urban area IED prevention, protection, mitigation, and response Device Security capabilities. The program assists with collectively identifying roles, responsibilities, capability gaps, Planning (MJIEDSP) and how to optimize limited resources within a multi-jurisdictional planning area” (DHS 2015b). Open Source Research RRAP projects frequently utilize data contained in publicly available sources. Petroleum Balance An analysis using data on fuel that quantifies the movement of petroleum products by transport mode. Site Assistance Visits “Voluntary, facility-based vulnerability assessments conducted by DHS personnel in cooperation with (SAV) Federal, State, and local agencies, as well as critical infrastructure owners and operators …to assess a facility’s security and disaster resilience posture as a means of understanding the site’s operational dependencies and interdependencies” (DHS 2010b, 3). Systems Recovery A “no-fault,” facilitated discussion among CIKR owners and operators, community first responders, and Analysis (SRA) other personnel responsible for systems management concerning the potential consequences of, and Workshop recovery from, a system-wide failure during a specified scenario.

Given the sensitive, and often propriety nature of the data on which the RRAP reports are

based, DHS has designated all RRAP Resilience Assessments “for official use only” (FOUO).

FOUO materials are subject to limited distribution (generally, in this case, to only those

jurisdictions and entities participating in the RRAP project in question) and are protected from

otherwise mandatory disclosure under the federal Privacy Act and analogous state laws.

Additionally, some data contained in RRAP assessment reports is Protected Critical

Infrastructure Information (PCII), access to which requires nondisclosure agreements from non-

federal personnel, and compliance with specific handling requirements set forth in 6 C.F.R. Part

29. I attained the necessary credentials and permissions to handle and maintain this data (in an

encrypted format with appropriate physical protections). I sanitized this dissertation of any PCII

to ensure this final product is suitable for public release. DHS reviewed a draft of this work prior

to its publication to ensure compliance with all conditions on which the RRAP data have been provided. (The continued need for, and advisability of, these limitations on access and

distribution is discussed further in Chapter 5).

I manually coded all 33 RRAP project reports listed in Table 3-1, constituting 4,466

pages of material, using the NVivo 10 for Mac qualitative data analysis software. In total, there

were over 3,683 individual blocks or “chunks” of text coded to one or more of over one hundred

separate thematic and “in vivo” codes pertaining to one or more of this project’s research

questions. The following section explains this methodology.

II. Methods

This dissertation adopts a qualitative research approach because of the research questions involved, the emergent nature of the field of security and resilience studies into which those questions fall, and the resultant need for further basic understanding and theory development (see generally Creswell 2013, chap. 1, 9). Qualitative research is used where, as here: (1) the researcher seeks to understand the complexities of a natural setting or condition, (2) multiple sources of data (e.g., case studies) are used, (3) both inductive and deductive analysis are contemplated, (4) the research design incorporates an adaptive process, and (5) the effort seeks to develop a picture of a complex problem (Creswell 2013, 185–186). As indicated in the prior

discussion of the myriad potential components and domains of resilience, the pending research

questions involve truly complex phenomena, especially when applied to specific “natural

settings” in the context of homeland security. Within the qualitative approach, case study

research designs are ideally suited for such situations (Yin 2014; Yin 2012; Creswell 2013).

More specifically, in attempting to better understand common characteristics and barriers within

and among different settings, a multi-case research design with cross-case analysis is appropriate

(Yin 2014, 164–168). The following section explains this effort’s specific design by discussing the key aspects of qualitative designs as outlined by Creswell (2013, chap. 9). Specifically, the following section details: (a) my role as a researcher, (b) the data collection and study boundaries, (c) the steps taken to enhance the validity and reliability of the research, and (d) the specific coding and analytic techniques employed.

A. The Researcher’s Role

A key aspect of qualitative research is a recognition that any such effort is influenced by the personal experience, views, and resulting biases of the researcher. My ongoing service as a

Coast Guard officer – and as such, a member of the Department of Homeland Security on whose data this effort is based – inevitably influenced my understanding of the case evidence and topic area. My prior experiences as a first responder to marine causalities and maritime pollution incidents, as well as my subsequent service as a legal advisor to those who do such work – including as a primary legal advisor to the National Incident Command for the government-wide response to the BP DEEPWATER HORIZON oil spill – assuredly shaped my understanding of how technical systems, communities, responder networks, and governance structures function (or don’t). While establishing a certain worldview of the professional response community, this knowledge and experience also strengthened my ability to analyze the present issues.

Additionally, my active duty military and DHS employee status facilitated gaining access to the sensitive (but unclassified) data, which has gone largely unutilized in academic research until now, from the appropriate DHS gatekeepers.

As detailed further below, the inductive-deductive coding strategy for studying resilience gaps within and across regions and sectors involved the use of an “index case” to help establish initial codes and types of “resilience gaps.” I intentionally selected an RRAP report focused on port infrastructure – the 2014 RRAP of Southeastern New Hampshire, which analyzed the receipt and distribution of petroleum products in that port – as the first case for manual coding, in part, to leverage my enhanced baseline understanding of this particular environment. By coding

DHS’s analysis of an environment with which I am very familiar through prior professional experience, it was possible to quickly establish a working set of “resilience gap” codes and

65 categories that could then be applied when considering RRAP analyses of environments with which I was (initially) less well-versed.

It is important to note that I undertook all possible efforts to remain objective in my analysis of what the case evidence suggests. The next section presents the specific design strategies employed to this end, such as member checking and periodic debriefings with my dissertation advisor and committee members, in a subsection on validity and reliability later in this chapter.

B. Data Collection and Study Boundaries

This study uses the data contained in 33 case study reports (also referred to as

“Resiliency Assessments”) generated by the DHS Regional Resiliency Assessment Program as outlined above and in Table 3-1. Each report represents over a year’s worth8 of research involving, among other methods: facilitated panel discussions, site visits, survey instruments; as well as modeling and various other analytic techniques, concerning varied infrastructure assets and sectors, within and across numerous geographic regions. The types of participants in the field work that lead to each report varied, but generally included technical experts, operators, and senior managers from the responsible companies or commissions for each of the specific assets and infrastructure sectors under study; similar representatives from interconnected lifeline infrastructure assets and sectors; members of cognizant regulatory, emergency response, law enforcement, and related security communities (often at local, state, and federal levels); as well as other government officials and citizens of the communities in which these studies took place.

DHS’s Protective Security Advisors (“PSAs”) serve as researchers, coordinators, and advisors in

8 The RRAP case studies contained in this research generally operated on a one-year timeline. According to RRAP personnel interviewed for this research, some recent Resiliency Assessments undertaken after the inception of this research (and therefore outside its scope) are being conducted as two or three-year projects.

the RRAP process, with support from RRAP and IP program staff who provide a Headquarters

Team Lead (“HTL”) for each project. Personnel from Argonne National Laboratory and Idaho

National Laboratory provide technical expertise and a designated Resilience Assessment Lead

(“RAL”) for each project. Together a “triumvirate” composed of a PSA, HTL, and RAL direct

each individual RRAP effort.

I employed a content analysis of all the Resiliency Assessments available at the inception

of this research. While additional reports have be finalized and “published” subsequent to the

start of my research, they are not included in this analysis.

I initially intended to conduct semi-structured interviews with key individuals who participated in the RRAP case studies whenever case evidence proved to be ambiguous with

respect to the research questions at hand. Ultimately, however, the ambiguity meriting further

clarification turned out to be the evolution of the RRAP process itself. Accordingly, I sought out

and interviewed the RRAP process owners in the Office of Infrastructure Protection, and at

Argonne National Laboratory, who have coordinated the program since its inception.

While the targeting and selection of interviewees differed from my initial plans, I

faithfully followed the specific protocol approved by Northeastern University’s Institutional

Review Board (IRB) for conducting the interviews themselves. That approval documentation is

included, as required, in Appendix A. The format of these semi-structured interviews varied

slightly based on with the role and longevity of each interviewee with the program. I recorded,

transcribed, and analyzed these interviews using the same coding techniques that I applied to

RRAP reports themselves, which are outlined further below.

C. Project Quality: Validity and Reliability

Before presenting the detailed coding and analysis scheme used in this dissertation, this

section describes other key aspects of the study design incorporated to enhance the quality of this

research. Scholarly debate persists over the best way to assess and ensure the overall quality of

qualitative research. Creswell, for example, suggests that qualitative studies should be evaluated

in terms of their qualitative validity and qualitative reliability. In this context, validity is

generally viewed as how accurately a given account reflects the reality of the individuals or

subjects involved, and reliability is considered in terms of the reproducibility and repeatability of

given research (2013, 201–204; Creswell and Miller 2000). Other authors promote credibility,

transferability, dependability, and confirmability as the appropriate qualitative analogs to the

quantitative research concepts of internal validity, external validity, reliability, and objectivity,

respectively (Trochim 2005; citing Guba and Lincoln 1992). Under this later framework,

credibility is meant to establish the validity of a study from the perspective of the actors (aka

subjects or participants) involved; transferability refers to the ability of the findings to be

generalized to other contexts; dependability is the extent to which the researcher accounts for

changing research context; and confirmability is the extent to which a study’s results could be

reproduced by others (Trochim 2005, 126). With respect to case study research in particular,

Yin advocates four principles for producing quality work: (1) using multiple sources of evidence,

(2) creating a case study database, (3) maintaining a chain of evidence, and (4) exercising care when using data from electronic sources (Yin 2014, chap. 4). This study uses the following seven widely recognized qualitative “validity strategies” (Creswell 2013, 201); the benefits of

each design element is discussed with respect to the most applicable of the aforementioned

quality concepts.

Member checking: RRAP program administrators were provided an opportunity to

validate (through review and comment) the interpretations developed in the research process outlined above. This feedback has been incorporated into this final report. This step bolsters the qualitative validity, in general, and credibility, in particular, of this research.

Debriefing: As is the norm in the dissertation process, I utilized an iterative chapter

submission, review, and re-writing process. This served as a form of debriefing. Chapter drafts

were submitted to my dissertation advisor as soon as they were completed. After incorporating

the feedback received, I then forwarded each draft to the other members of my committee for

further review and comment. Notably, this team collectively maintains expertize in the fields of

political science, public policy, geography, economics, civil and environmental engineering, and

operations research (among other disciplines). The interdisciplinary nature of this carefully

chosen team helped ensure that a broad audience will benefit from this research, arguably

enhancing the overall transferability of this effort. The iterative review of the research and

writing of this dissertation, as it was taking place, also bolsters the dependability and

confirmability of this research.

Triangulation: One the one hand, this dissertation utilizes primarily one source of data:

the case reports of the RRAP initiative. On the other, each “case” represents differing settings,

researchers, participants, and analytic processes. Collectively, then, these cases represent a wide array of research settings and sources. To the extent common themes arise across such diverse contexts, qualitative validity and transferability are enhanced.

Rich, thick description: To the extent applicable restrictions on the handling of

Protective Critical Infrastructure Information allow, the final chapters of this report incorporate

detailed descriptions of the data and settings from which the various results were derived. While

not amounting to the lengthy, detailed narratives that are the hallmark of ethnographies, I employ

a textually rich reporting style to enhance the qualitative validity and dependability of this

research.

Addressing researcher bias: In addition to using member checking and debriefing as a

check on inevitable researcher bias, I have included self-reflection and first person comments in this work in order to openly address how my background may shape my findings for better or for worse. This strategy is recognized (Creswell 2013, 201) as helping to enhance dependability by providing those who cite or otherwise build on this research insight into my specific potential biases.

Reporting negative discrepant information: Themes found within and across cases are

highlighted in the chapters that follow, along with an accounting of any notable exceptions to

these findings. The consequentially more complete picture enhances qualitative validity and

reliability in general, and confirmability in particular.

Documenting the emergent research process as it unfolds: I employed this final “validity

strategy” to ensure that consumers of this report and subsequent researchers, especially those

familiar with NVivo, will be able to understand exactly how I conducted this research, and how

to repeat it. Specifically, I utilized periodic analytic memoing (see Miles, Huberman, and

Saldaña 2013, 95) throughout my research to document my thinking about emerging themes

concerning resilience gaps and barriers, as well as their implication for the underlying theory of

resilience, and approaches to measuring it. NVivo provides the ability to create free-form

memos that can be attached to specific sources or nodes, or left freestanding to allow the

researcher to reflect and document their thoughts on any aspect of the research, analysis, or

general research design. By using the NVivo qualitative analysis software to conduct my coding,

70 memoing, and analysis, I essentially created and maintain a case study database and “chain of evidence”. Together, the above approaches help to ensure overall quality of this dissertation’s results and conclusions.

D. Data Handling and Analysis

This final section details the coding and analytic techniques used in this qualitative research. First, its explains the multiple coding schemes developed and employed to address each of this dissertation’s two central areas of inquiry – i.e., resilience gaps and barriers to resilience improvements. Then it details five additional coding schemes devised to glean and track additional information necessary for later intra and cross-case analysis.

1. Resilience Gap Coding

In general, this research followed Saldaña’s two-cycle coding process (2012). In this scheme, “first-cycle” coding involves assigning descriptive codes, “in vivo” codes, or both – i.e., using descriptive labels or actual words and phrases from the RRAP reports as codes (Miles,

Huberman, and Saldaña 2013, 74) – to various “chunks” of case report data in an inductive and deductive fashion (Ibid., 81). Thus, the first RRAP report reviewed served as an “index case” case for creating an initial “resilience gap” coding scheme. As noted above, prior Coast Guard field work in port settings made me especially comfortable in studying and classifying information gathered in this particular context. Accordingly, I chose a port-based study to begin my coding. The Resilience Assessment in question was also chosen because of its relatively recent release date in 2014. As previously mentioned, the continuing evolution of the RRAP process resulted in more recent reports containing more detailed and nuanced analysis with more specific recommendations. Starting with a relatively recent case report provided me a more robust set of initial resilience gaps and analyses to work with and build from.

More specifically, this research employed a case-based adaptation of Tesch’s eight-step coding process (Creswell 2013, 198; citing Tesch 1990). That process directs a researcher to: (1) get a sense of the whole by reading the case data (or interview transcripts); (2) concentrate on one document or case with a focus on its underlying meaning; (3) repeat step 2 for several cases or participants and make and sort a list of major topics; (4) abbreviate and employ these topics as an initial coding scheme; (5) group the resulting codes in descriptive categories; (6) finalize code abbreviations; (7) assemble all data associated with a given code in a given place to perform analysis; (8) recode existing data as necessary (Ibid.). For all coding, I used the “NVivo for

Mac” qualitative analysis software, applying NVivo’s functionality to the Tesch’s eight-step process as follows.

I first read a number of RRAP Resiliency Assessments without any attempt to “code” them in order to “get a sense of the whole.” Next, I carefully reviewed just the Southeastern

New Hampshire RRAP report. As a starting point, I turned each of that report’s three FOUO

“key findings” into in vivo resilience gap codes. The NVivo software refers to such coding labels as “nodes,” which essentially serve as a bin to which select information – whether a single word, a figure, or numerous pages of text – can be assigned or “coded.” Nodes can be, and were ultimately, organized in hierarchies, thus creating a nested set of thematic, parent, child, (and grand-parent, and grand-child in some cases) folders to which content can be tied.

I coded data in NVivo as follows. First, I the imported the material of interest into the software program as a “source.” In the present case, I uploaded each RRAP report as a PDF file.

To create codes in NVivo, I opened a source document, reviewed it on the screen, and simply highlighted the text or data of interest (in the initial instance, the subject headings for each of three “key findings”), and selected either the “Code in Vivo,” (for in vivo coding based on the

text itself) or “Create New Node” (to author a descriptive code not based on the text itself)

option from the program’s “analyze” menu, command ribbon, or corresponding right-click menus. Using this process, the very first “resilience gap” codes reflected challenges arising from

(1) limited fuel transportation options within a port community; (2) dependency on electricity for core function across multiple assets and sectors within the area of study, and (3) the potential cascading failures tied to the natural gas distribution system of that region.

As I parsed each report, I coded additional information that supports or further amplifies each of these initial “resilience gaps” (i.e., key findings) by “coding” it to its corresponding node. In NVivo, such coding can be accomplished, among other ways, by manually highlighting text and “dragging” it onto the appropriate node (or nodes) in a “List View” of all active nodes.

Data can be coded to any number of nodes. I configured NVivo such that data coded to a given child or grandchild node is also automatically coded to the corresponding parent (and grandparent, if applicable) node.

To help shape “the relevance, meaning, and interconnection of concepts in a way that simply reading the text does not” (Moynihan 2009, 900), I deductively analyzed subsequent

RRAP case reports with these initial resilience gap nodes in mind. A “Detailed View” screen in

NVivo shows the PDF image of the report under study adjacent to a “List View” of all available nodes to facilitate coding new material to these existing nodes, as is envisioned in step 4 of

Tesch’s coding process. At the same time, my coding process facilitated the inductive creation of new nodes when the evidence and themes in subsequent RRAP reports dictate (Miles,

Huberman, and Saldaña 2013, 81–81; see also Creswell 2013, 199). That is, for each RRAP report under study, I analyzed its respective key findings and supporting information for possible coding to existing, similar nodes – or, potentially, more specific sub (aka “child”) nodes thereof

– but also used NVivo’s functionality to create additional “resilience gap” nodes when new or

more nuanced themes emerged.

As the number of resilience gap nodes increased throughout this process, I reviewed the existing nodes for common themes and possible grouping, which is the essence of steps 5 and 6 in Tesch’s 8-step cycle. For example, through the process of coding the first four RRAP case reports chosen for analysis – specifically, the Southeast New Hampshire, Puerto Rico, Hampton

Roads, and (first) Alaska (transportation) RRAPs – four "gap areas" emerged. Existing nodes were placed within each of the following descriptive “parent” node categories that emerged as themes within the initial descriptive and “in vivo” nodes: Capability, Capacity, and Redundancy

(i.e., codes which involve physical asset or personnel limitations to supporting a given infrastructure function); Communication; Planning; and Dependencies and Interdependencies

(among and between different critical infrastructure sectors and services).

I simultaneously expanded this evolving “resilience gap” coding scheme to provide more detailed sub-nodes as the case evidence warranted. I accomplished this through additional second-cycle review (i.e., analysis) of the data coded to the various “resilience gap” nodes. For example, within the grandparent “Capability, Capacity, and Redundancy” node created through the process described above, were nodes for each of these related, but distinct topics. As I used the (lack of) “redundancy” node to code various discussions of single points of failure that were highlighted in the RRAP reports, I was able to classify the coded material into more detailed categories. Thus, within the (lack of) “redundancy” node, I created separate sub-nodes for data related to a lack of redundancy concerning fuel transportation infrastructure and water connections. I kept data that did not fit into any specific child node remained at the broader parent level until a given issue recurred with such frequency that it suggested a theme meriting

74 its own child (sub-) node. Given the variability in the language used from one RRAP report to the next, I did not establish a bright line rule for making the determination when something merited its own sub node. In general, an observed theme needed to appear several times, and in more than one context or research setting, before I would create a new gap or barrier coding sub- category. Thus, initial nodes served as containers for all “other” examples for which there were no more applicable descriptions and corresponding sub-nodes.

Steps 7 and 8 of Tesch’s coding scheme direct a researcher to “assemble all data associated with a given code in a given place to perform analysis” and to “recode existing data as necessary.” NVivo’s functionality greatly facilitated the initial analysis contemplated in these steps. Simply by selecting a given node in the program, all “chunks” of data that have been coded to that node can be displayed in a new window, or exported to a spreadsheet or text document, that is initially sorted by the specific source documents (i.e., specific RRAP reports) from which they were drawn. NVivo enables the researcher to display more or less context (i.e., the material surrounding a given coded “chunk” of data) on demand, and, for even greater perspective, provides a link back to the coded material in the PDF of the original source material for easy review. Reading, re-reading, and then re-coding the material coded under each given node in this fashion – a form of “second-cycle coding” (i.e., analysis) where coded material is evaluated for patterns and themes (Saldaña 2012) – enabled me to ensure all “chunks” had been properly attributed and re-coded as necessary to the appropriate node or nodes, sub-nodes, and parent nodes that were themselves continually refined throughout the inductive-deductive process.

To supplement this “manual” coding, I employed some of NVivo’s automated text search and quick coding functionality. Like most software programs, NVivo enables a user to query

source material (here, the RRAP reports and any corresponding interview transcripts) text or

data, including that already coded to a specific node (or nodes), and then to (re)code any

resulting search results. Beyond simple text searches, NVivo offers the ability to create “word

trees” where various “branches” show the divergent contexts in which a given word or phrase is

used. Additionally, NVivo can create “word clouds” to visually illustrate the frequency of

various terms and concepts. While I opted to rely primarily on the “manual” inductive-deductive

coding process set forth above, I selectively employed these automated techniques to essentially

double-check my manual coding. For example, during the coding of one case, two themes

emerged that lent themselves well to text-based queries: (1) repeated references to resilience gaps arising from “unknown” information, which inhibited the ability of various critical infrastructure owners and operators to plan for various contingencies; and (2) insufficient (i.e., narrowly focused) “business continuity plans” of certain private critical infrastructure owners and operators, which inhibited the ability of these entities to fully appreciate interdependencies that could lead to cascading failures. In coding that case, I ran text queries for “unknown,”

“unknown information,” and “information” and reviewed the results to ensure all aspects of that condition had been properly considered and coded. Similarly, text queries for “business,”

“business continuity,” and “continuity” were used to identify areas where such plans were discussed.

The “gap” node categories were continually revised through the above iterative,

inductive-deductive process until all RRAP reports had been coded. The resulting final list of

“resilience gap” nodes – i.e., the final gap “coding scheme” – is set forth on the following page.

Table 3-3: “Resilience Gap” Codes Derived from Iterative Inductive-Deductive Coding Process Age of Infrastructure (in general) Dependencies and Interdependencies Capability − Bridges − Access to Classified Information − Chemicals − Backup Power (no or limited) − Communications − Building & Engineering Design Issues − Critical Manufacturing − Communications − Dams (and Locks) − Emergency Response − Energy (in general)

− Energy & Fuel Transmission / Distribution o Electricity (for core function) − Integrated IT Platform (lacking) o Fuels − Modeling Capability (lacking) − Finance − Surveillance & Detection (inadequate) − Food / Feed − System Cross Connections (lack of) − Healthcare − Training (lack of) − Information Systems / Technology Capacity − Transportation − Debris Removal − Water or Wastewater − Decontamination Equipment − Workers / Personnel − Electric Planning − Emergency Response Assets − Business Continuity Planning (deficient) − Evacuation (Assets and Procedures) − Comprehensive Approach (lacking) − Fuel − Crisis Communications (lacking) − Hospitals and Healthcare − Emergency Action Plan (lacking) − Natural Gas Pipeline − Failure to Prioritize (below and other)

− Personnel & Inspectors o Ambulance / At-Risk Populations − Rail Line Capacity o Communications (restoration, access) − Spare Parts o Electric (restoration) − Threat Monitoring o Fuel Distribution − Water (or Wastewater) o Route Access (roadway restoration) Redundancy − Hazard not Identified or Planned For − in Fuel Transportation Options − Long-Range − in Water Interconnections − Security − Single Points of Failure Protective Measures − Cyber Security Deficiencies − Physical Security Deficiencies

2. Resilience Barrier Coding

I coded barriers to resilience in a similar fashion, but started from a different point.

Instead of using an index case to inductively create initial codes, I utilized the framework

established by the Center for Resilience Studies’ post-Sandy initiative, as outlined in Chapter 2,

with each of the four major barriers highlighted in that project report serving as “parent” nodes in the barrier coding scheme. Specifically, the initial parent barrier nodes were: (1) failure to

recognize foreseeable risks and uncertainties; (2) lack of definition or integrated approach to

addressing resilience; (3) organizational and governance challenges; and (4) lack of incentives

(or the presence of disincentives). To this initial coding scheme I added a “barrier behaviors”

node, with sub-nodes for each of the three common decision-making challenges recounted in

Chapter 2: (1) employing simplified decision rules, (2) a bias toward maintaining the “status

quo” and (3) minimizing our perception of risk by confining our consideration and analyses to

inappropriately narrow timelines and issues.

As with the process used for coding resilience gaps, I deductively applied this hierarchy

of nodes when reviewing the RRAP reports, but also allowed for the inductive creation of new

barrier nodes when themes that did not fit within the existing scheme emerged from the case

evidence. For example, Flynn’s four-pronged, multi-level framework of resilience barriers that

served as the initial coding scheme for the barrier component of this research does not

specifically list “unknown information” as sub-component or theme. Logically, such a condition underlies or results from poor coordination (i.e., communication), which is captured in Flynn’s construct. Accordingly, I was tempted to code such references to the node that corresponded with that condition. In conducting my iterative coding, though, I noted that the word “unknown”

itself recurs a total of 51 times, and appears in 19 of the 33 RRAP case studies scoped within this

research. Moreover, the broader idea of unknown information – information that the Resiliency

Assessments noted regional stakeholders or RRAP researchers desired, but did not have, and

could not readily attain – appeared (and was coded) 95 times across 27 cases. Given the

prevalence of this particular condition, I added it as a separate sub-theme within the “failure to recognize risks and uncertainties” parent node – the first of Flynn’s four-barrier scheme. The resulting final list of “resilience barrier” nodes is depicted in the Table 3-4, below.

It is important to note that I took special care when coding data to barrier nodes in

recognition of the fact that the primary Table 3-4: Resilience Barrier Coding Scheme purposes of the RRAP process was and Barrier Behaviors remains to identify resilience gaps and to − Narrow Timelines and Issue Framing − Simplified Decision Rules recommend potential mitigation − Status Quo Bias strategies thereto; not to identify the Failure to Recognize Foreseeable Risks & Uncertainties − Assumptions of Stationarity barriers that may be enabling them. − Inappropriately Discounting Risks (advantages to changing this approach − Overestimating Current Capabilities − Politically Risky to Acknowledge Gap are discussed in Chapters 4 and 5.) − Unknown Information Accordingly, I was careful to refrain Lack of Definition or Integrative Approach − Failure to Recognize Interdependencies from any attempt to “read into” or − Lack of Agreed Upon Standards or Measures “behind” the statement of gaps and Lack of Incentives or Presence of Disincentives − Confusion and Lack of Common Definition conditions themselves, and only coded − Disincentives

material to a specific resilience barrier − Efficiency Valued over Continuity of Function − Few Rewards (or funds) for Investing in Resilience nodes when the language and evidence Organizational or Governance Challenges − presented in a given Resiliency Coordination or Collaboration − Fighting the Last Battle Assessment strongly suggested the − Law or Regulation (lack of or mismatched)

presence of a specific barrier in

operation. For example, within the “lack of incentives” category of barriers to enhancing

resilience, I employed a node specifically designated to capture a demonstrated lack of monetary

rewards or funds for enhancing resilience. I did not presume statements or data concerning the

deteriorated or outdated condition of equipment to be a consequence of the lack of funding for its

maintenance or improvement (acknowledging that in most cases, additional resources almost

certainly facilitate enhancements). I coded specific statements concerning a lack of available

monies, however, to this specific barrier sub-node. In the context of discussing the locks and dams in and around one studied city, for example, one RRAP report detailed how the U.S. Army

Corps has a $400-$500 million operating budget to address a $10 billion backlog of waterway navigation infrastructure (DHS 2014a). I coded this reference to the “Few Rewards (or funds) for Investing in Resilience” node.

3. Other Coding Schemes Employed to Facilitate Analysis

In addition to coding for resilience gaps, and perceived barriers to overcoming them – the primary focus areas of this research – I developed five additional coding schemes, which were applied concurrently, to enhance and facilitate the subsequent analysis of data coded to these areas of interest. To better understand and account for the evolution of thinking about resilience, and developments in the RRAP process itself, I created (1) a coding scheme to help track the various RRAP activities and analytic techniques that were used in each project, and (2) a scheme that traces the definitions (and evolution thereof) of key terms used throughout the RRAP process. These methodological and definitional parent nodes facilitated quickly recognizing where a given concept, definition, or technique had been added or applied in a potentially new or different way.

To help clarify the specific focus of each RRAP project for later cross-case analysis – in terms of infrastructure areas of concentration and geographic regions involved – I coded any

80 expressly stated goals or “focus areas” to (3) a Goal/Focus node. Relatedly, to supplement this particular coding scheme, I utilized NVivo’s “source classification” function, which allows a researcher to assign to each data source (here, each RRAP report or corresponding interview) any number of specific characteristics or attributes that might be of interest for sorting information and employing automated cross-case queries. Using this functionality, I “classified”

(i.e., labeled) each RRAP report (i.e., NVivo “source”) regarding the city, state, and megaregion within which it was conducted, the primary infrastructure sector under study, and with the years the given project was initially undertaken and its final report released.

I developed two additional coding schemes to help me track and manage the case evidence contained in the RRAP reports. Many of the Resiliency Assessments noted “best practices” in their conclusions – either when highlighting strengths found in a given project’s area of focus, or by referencing other regions’ approaches to a given challenge or issue that might serve as a model for the region under study to follow. To the extent such practices are potentially instructive for their lack of resilience gaps, and seeming ability to avoid or overcome barriers to resilience, they were coded to (4) a “best practices” node for further study.

Additionally, I developed and initially used a (5) PCII node to “tag” and track PCII information to ensure compliance with applicable non-disclosure, marking, and storage requirements. This particular coding scheme ultimately proved untenable, however. The 2014

RRAP reports initially considered consolidated all PCII material into annexes expressly designated for such information. Within these annexes however, there is no delineation between those details that constitute PCII and those that do not; that is, the entire annex is labeled as PCII material regardless of what else is contained therein. The only apparent way – using the information to which I had access – to discern precisely which facts and information were

subject to PCII protections was to compare the discussions contained in the PCII-designated

annexes with the information and descriptions that appear elsewhere in the main body of the

RRAP reports. Any specific details, discussions, or information that appear in either a section

that is unmarked or marked merely as For Official Use Only that also appear, in identical form,

within an annex labeled PCII presumably would not constitute PCII.

This research does not attempt to undertake such an analysis, however, because without

accessing and reviewing all of the underlying surveys, source documents, and other submissions

used in creating each Resiliency Assessment, it is not possible to verify the validity of this approach. Moreover, many early (i.e., pre-2011) RRAP reports do not even contain PCII annexes. For these early reports, the entire Resiliency Assessments is marked as PCII, making any attempt to determine which specific portions are subject to that classification’s additional protections impossible. That being the case, I abandoned my efforts to “tag” PCII material formally. Instead, I proceeded based on my observation that the type of information that appeared in PCII-designated annexes and nowhere else generally included detailed vulnerabilities, clearly proprietary information, or potentially embarrassing insights tied to specific companies, assets, or procedures. I have refrained from using any such materials, even as illustrative anecdotes or examples, in this report. As discussed elsewhere in this chapter, I

also worked closely with RRAP program administrators and the Office of Infrastructure

Protection to ensure that I have not inadvertently included any PCII material in this public

document. The multiple coding schemes described above were used to collectively address the four principal questions that drive this research. The next chapter presents the results from applying these various schemes to the RRAP case data, and discusses the extent to which the results answer those questions.

Chapter 4

This chapter reviews the major themes that emerged from the iterative, inductive-

deductive coding and analysis of the RRAP case studies described in the preceding chapter. It

presents these results as they correspond to this effort’s four research questions: (1) What, if

any, recurring “resilience gaps” exist within and across geographic regions, and critical

infrastructure sectors? (2) To what extent and how do these gaps differ across regions and

sectors? (3) Are there any recurring, observable barriers to addressing these gaps (i.e., to

improving regional, and ultimately national, resilience)? If so, what are they? (4) To what extent do the presence and significance of these barriers differ across geographic regions and

critical infrastructure sectors? Each question is addressed in turn.

I. What, if any, recurring “resilience gaps” exist within and across geographic regions, and critical infrastructure sectors?

To answer this first research question, all of the data coded to each node and sub-node in

the resilience “gap” coding scheme set forth in Table 3-4 in the preceding chapter were first

considered. Table 4-1, on the following page, provides the number of discrete blocks of text or

data coded to each particular gap node (“coding references”), followed by a parenthetical

notation indicating the number of RRAP case studies with one or more references to that

particular gap (a “source count”).

The coding references and source counts for all 33 RRAP cases appear in Table 4-1. As

indicated therein, certain gaps appear with markedly higher counts than others. Not surprisingly,

all major “parent” nodes – i.e., capability, capacity, redundancy, dependencies and

interdependencies, planning, and protective measures – which include the counts of their

respective, more specific “child” gap nodes – contain comparatively high coding reference and

source counts. (Parent nodes do not necessarily reflect the sum of data coded in subordinate

Table 4-1: Resilience Gap Coding Results Number of Coding References to Gap (Number of RRAP Case Studies with Coding References to Gap)

Age of Infrastructure (in general) ...... 27(10) Dependencies and Interdependencies ...... 574(34) Capability (lacking or insufficient) ...... 312(30) − Bridges ...... 5(3) − Access to Classified Information ...... 1(1) − Chemicals ...... 19(11) − Backup Power (no or limited) ...... 173(24) − Communications ...... 44(20) − Building & Engineering Design Issues ...... 4(2) − Critical Manufacturing ...... 2(1) − Communications ...... 57(20) − Dams (and Locks) ...... 15(5) − Emergency Response ...... 28(7) − Energy (in general) ...... 220(32)

− Energy & Fuel ...... 9(3) o Electricity (for core function) ...... 127(30) − Integrated IT Platform (lacking) ...... 2(1) o Fuels ...... 96(22) − Modeling Capability (lacking) ...... 2(1) − Finance ...... 2(2) − Surveillance & Detection (inadequate) ...... 23(5) − Food / Feed ...... 3(2) − System Cross Connections (lack of) ...... 4(3) − Healthcare ...... 10(3) − Training (lack of) ...... 9(3) − Information Systems / Technology ...... 57(16) Capacity ...... 160(23) − Transportation ...... 106(27) − Debris Removal ...... 1(1) − Water or Wastewater ...... 97(20) − Decontamination Equipment ...... 6(1) − Workers / Personnel ...... 5(1) − Electric ...... 42(12) Planning ...... 496(31) − Emergency Response Assets ...... 5(4) − Business Continuity Planning (deficient) ...... 79(23) − Evacuation (Assets and Procedures) ...... 2(1) − Comprehensive Approach (lacking) ...... 218(25) − Fuel ...... 14(7) − Crisis Communications (lacking) ...... 20(6) − Hospitals and Healthcare ...... 34(3) − Emergency Action Plan (lacking) ...... 1(1) − Natural Gas Pipeline ...... 10(2) − Failure to Prioritize (below and other) ...... 55(12)

− Personnel & Inspectors ...... 20(7) o Ambulance / At-Risk Populations ...... 7(1) − Rail Line Capacity ...... 3(2) o Communications (restoration, access) ...... 3(3) − Spare Parts ...... 1(1) o Electric (restoration) ...... 30(7) − Threat Monitoring ...... 9(2) o Fuel Distribution ...... 2(1) − Water (or Wastewater) ...... 12(6) o Route Access (roadway restoration) ...... 6(1) Redundancy ...... 206(28) − Hazard not Identified or Planned For ...... 114(22) − in Fuel Transportation Options ...... 31(4) − Long-Range ...... 6(2) − in Water Interconnections ...... 3(3) − Security ...... 10(4) − Single Points of Failure ...... 122(25) Protective Measures ...... 160(19) − Cyber Security Deficiencies ...... 36(7) − Physical Security Deficiencies ...... 123(17)

child nodes, however, to the extent parent nodes also contain coding references to gap conditions

for which the coding scheme did not have a more specific child node in the inductive-deductive

coding process.) Importantly, within the parent nodes eight specific gaps appear with

particularly high count coding references. As highlighted in boldface in Table 4-1 above, these are: (1) the absence or lack of back-up power capabilities; (2) the presence of single points of

failure; (3) a strong dependence on energy for core function and, to a slightly lesser extent, a

dependence on (4) transportation and (5) water; (6) the lack of comprehensive plans and

planning, which (7) often omit key hazards; and (8) the presence of physical security

deficiencies.

It is critical to note that the number of “chunks” of data coded to any given node only begins to answer the question of what gaps recur most strongly across infrastructure sectors and geographic regions. Indeed, the number of blocks of text or data coded to any specific node is potentially influenced by a number of largely irrelevant factors. For one, choices about how data is portioned or “chunked” while coding (i.e., using smaller segments of data while coding, as opposed to coding entire paragraphs or numerous pages at once) affects the number of coding references that results. Relatedly, as noted in the preceding chapter, many RRAP reports present

PCII material in a separate annex that repeats observations presented elsewhere in the report, only in greater detail. This redundancy increases the number of blocks of data or text coded to corresponding gap (and barrier) nodes, especially where the added detail provided by the PCII material did not alter the assessment of what gap (or barrier) is at issue; and thus, to which

node(s) such material is coded or recoded.

The source counts for the gap nodes are useful to the extent this metric gives another

rough sense of how pervasive (or not) a given gap might be. This metric is not subject to the

extraneous influences on coding reference counts set forth above. On the other hand, as even a

fleeting reference that is coded to a specified gap in a given RRAP report adds that case study to

the corresponding source count, this count metric is also insufficient by itself to fully illuminate

what gaps are most pervasive, and in what ways they appear in and across various infrastructure

sectors and regions. It was through reading and re-reading the underlying descriptive text

associated with each of the coding references that I was best able to discern some clear themes, which illuminate and suggest relationships among some of the aforementioned high-count gaps.

Accordingly, the coding reference and source count information represented in Table 4-1

was used primarily to guide the subsequent qualitative review of the substance of the text or data

underlying each coding reference. Through doing so four major themes emerged. The sections that follow provide representative examples of the case data to provide a richer description of these four gap themes. To ensure compliance with the regulations for handling Protected Critical

Infrastructure Information, and material designated “For Official Use Only,” the case evidence in

these examples is aggregated, generalized, and cited such that it cannot be traced to a specific study, region, or asset. Citations to specific RRAP reports are intentionally omitted, with direct quotes attributed instead to the 33 Resiliency Assessments used in this research as a group. This approach was a condition for gaining access to the complete RRAP files, and for publicly releasing the information below.

A. A dependence on energy, aggravated by an insufficiency (or absence) of backup power systems, is the most pervasive resilience gap noted in the RRAP cases.

An initial review of the coding reference and source count information reproduced in

Table 4-1 revealed that the highest counts for any gap node were associated with the

“dependencies and interdependencies” parent node. This is not surprising to the extent the stated

86 purpose of the RRAP program centers on identifying and better understanding such infrastructure system characteristics. (In other words, the RRAP program found what it was looking for.). Importantly, a study of the associated case evidence, including that contained within the various child gap nodes, reveals that the most frequently recurring resilience gap, evinced in all but one9 of the coded Resiliency Assessments, is the dependence of key assets and infrastructure systems on the energy sector, in general, and on electricity in particular. While there are 27 cases that document significant reliance on the transportation sector (often arising from multiple sectors’ reliance on just-in-time delivery, as discussed later in this work), and 20

RRAP cases that detail gaps arising from an interdependence or dependence on water; this review of the coded material confirmed that no one specific resilience gap is more prevalent (in the RRAP case evidence, at least) than our dependence on the energy sector for core function.

Interestingly, the associated case data reveals that, more often than not, evidence documenting a given asset or system’s dependence on the energy sector also identifies a lack of sufficient organic or readily available back-up power systems to maintain desired system function for any prolonged period of time. 10 The following representative selections of coded material illustrate how these conditions manifest themselves throughout the RRAP case studies.

The coded case data shows that the energy dependency gap is prevalent across all sector focus areas and geographic regions represented in the studied RRAP projects. For example, in a

9 Interesting, I did not find any significant evidence of this energy dependency gap in the 2014 Chicago Transit Resiliency Assessment. This is likely only the case, however, because of that project’s careful scoping to explore a specific hazard – contamination of the transit system by an industrial accident or terrorist attack using biological weapons, or similar – which left significant portions of the transportation system beyond the scope of the underlying discussions and research conducted for that project. 10 In most cases, I could not discern from the RRAP data whether or not cognizant authorities had determined a desired level of essential function or had established target restoration timelines. The importance of doing so is discussed further in Chapter 5.

87 representative regional study involving the food and agriculture industry, one RRAP team noted how

[e]lectricity and back-up diesel fueled generators are key infrastructure dependencies to every element of the industry production and distribution process. Loss of electricity to [certain buildings] can trigger “massive [animal] losses within minutes” a result of insufficient ventilation. While backup generators are deployed widely throughout the industry, they have proven to be unreliable for post-disaster operations (i.e., 2011 tornadoes) for a variety of reasons, ranging from inadequate maintenance to insufficient access to diesel fuel (DHS 2014a).

Similarly, in a study focused on the transportation systems, another RRAP team reported that

[a]ll sites visited [in the specific region under study] use electric power to support their core operations. For most of the sites visited, backup generators cannot support the full facilities’ core operations… Five of the 18 sites visited would be significantly affected with a minimum of two thirds of their operations impacted by the loss of the main electric power supply (DHS 2014a).

In a separate port-focused project, the RRAP researchers noted that while a “loss of power could impact all of the gantry cranes simultaneously,” resulting in a “significant” impact on “core Port function,” as a whole, the port “lacks emergency power capability and other contingencies to improve core function resilience and strengthen [the port’s] role in disaster relief” (DHS 2014a).

Likewise, in a RRAP study of one major metropolitan city, the RRAP report authors note that “the continuous availability of electricity is critical to power business, information technology, and life safety systems in high-capacity commercial facilities, and a worst-case scenario electric power outage would directly affect all commercial facilities in a service area”

(DHS 2014a). This statement will not surprise anyone familiar with commercial facilitates. The number of times, and diversity of contexts, in which a dependence on power appears throughout the RRAP data, however, is noteworthy.

Additionally, as one representative RRAP focused on water and waste water systems explains:

Dependency on external sources of electricity is critical to core operations; loss of grid power will cause immediate shutdown of core operations, and thus the ability to recover and treat raw water or deliver finished water will be compromised. Backup power is provided to both treatment plants via a UPS (batteries) and secondarily by diesel-fueled emergency generators. However, onsite backup power capacity is only sufficient to support graceful shutdown and to maintain leak detection systems and release abatement capabilities (DHS 2014a).

In a separate water-focused study in a more rural setting, RRAP researchers observed that:

“[e]mergency power at the [water] facilities assessed as part of the RRAP is usually used for safe shutdown of operations rather than business continuity. Consideration should be given to a more robust use of emergency generators” (DHS 2014a).

The coded material from these diverse cases suggests that energy dependency gaps were almost always tied to additional case evidence suggesting an under-appreciated dependence on

(and in many cases interdependence with) the availability and means to transport the petroleum products or natural gas necessary to sustain energy production (for both major energy generation and distribution systems, and smaller, asset or system-specific backup systems). This “systems ignorance” of dependencies and interconnections is discussed later in this chapter’s review of barriers to improving resilience.

B. Response and recovery plans and planning seldom include all relevant stakeholders necessary to address known (or foreseeable) hazards in a comprehensive manner.

The second most commonly recurring category of resilience gaps in the coding references and source counts were those related to planning. As noted in Table 4-1, there were 496 instances of planning deficiencies of some variety coded across 31 RRAP cases.11 More

11 The two case studies in which there were not find planning-related deficiencies as such were the 2014 Southeast New Hampshire RRAP, and the 2014 North Dakota RRAP. In the former, the RRAP authors simply recommend that any changes made in accordance with the resilience enhancement options provided in that report be added to existing plans, which were generally characterized as multi-jurisdictional and comprehensive. Similarly, the 2014 North Dakota RRAP advises that key points of existing plans should be made higher priorities, but does not highlight any deficiencies with the planning process or plans themselves.

specifically, roughly three-quarters (25) of all RRAP cases studied contained evidence of a

noteworthy lack of comprehensive emergency response and recovery plans and planning. In the

study of material coded in these 25 cases two important themes emerged.12 First, there is ample

evidence suggesting that, in general, government disaster response and recovery plans are rarely

integrated across agencies within and across federal, state, and local governments, and often do

not incorporate the needs and resources of the private sector. Second, there is recurring case

evidence suggesting that commercial business continuity and contingency plans often do not

consider a given company’s reliance on anyone outside of its direct supply chains, and frequently

fail to consider dependencies on government-provided response and recovery services. The following representative selections of data from a cross-section of the 25 implicated RRAP cases further illustrate the nature and prevalence of this particularly pervasive problem.

In three separate 2010 and 2011 RRAP projects that focused on commercial facilities, study participants themselves agreed that a “lack of coordinated planning between the security programs [of the facilities under study] represents the greatest overall vulnerability to the focus area” (DHS 2014a). According to senior RRAP officials interviewed for this research, the attention to security planning, in particular, that is noted in these particular reports may be a

reflection of the special emphasis placed on physical security and protective measures (and a

corresponding predominance of first responder and law enforcement participants) in the early

12 The coding references and source counts related to planning indicate an additional and related high-count gap: the failure to identify or plan for a known (or foreseeable) hazard (or vulnerability). The review of material coded to this node suggests that this gap appears with high frequency for two reasons. First, early RRAP reports include an exhaustive risk assessment and catalogue of regional vulnerabilities. Thus, the early report format drives up the number of hazards that are considered when reviewing relevant plans. Second, later RRAP reports focus in on one particular hazard or scenario, often simply to prompt discussion about larger system dependencies and challenges. In choosing these hazards, RRAP personnel often work with each project’s “clients” to identify a hazard for which the involved parties feel less prepared, so that those involved in the project can be challenged. Together these approaches appear to drive up the number of items coded as hazard-related planning deficiencies.

iterations of the RRAP program.13 Importantly, as the following examples illustrate, planning

sufficiency concerns routinely extend beyond security.

In all four studied RRAP projects that focused on agriculture and food systems,14 study

participants remarked specifically on a lack of comprehensive planning. As one report

succinctly stated, “despite the industry’s heavy reliance on electric power, water, wastewater,

and transportation lifelines, there is a dearth of contingency/business continuity plans and

provider priority restoration agreements” (DHS 2014a). Some of these planning deficiencies are

tied to specific hazards. For example, one report noted how “[p]lanning is inadequate for a

foodborne contamination event” (Ibid.). Other documented planning gaps in this infrastructure

sector, however, appear to be more general in nature. One RRAP report broadly notes,

“contingency and post-disaster recovery planning [for the studied region] lacks coordination and

a unifying strategy” (Ibid.)

Surprisingly, port communities – often held out as a model of inter-agency planning –

fared no better in RRAP projects where planning is concerned. One port-focused study found

that “infrastructure owners and operators have not comprehensively evaluated impact scenarios,

defined system vulnerabilities, or developed contingency plans” (DHS 2014a). After recounting

numerous specific port planning challenges, another study concludes, “emergency planning for an incident at the Port [] is not coordinated among stakeholders.” The relative size of the ports

(or focus areas) under study does not seem to matter. In a smaller port setting, another RRAP

13 This early emphasis on security also likely explains the 123 coding references to “physical security deficiencies” which were initially flagged as a high-count gap when reviewing the coding references and source counts. underlying case data, however, suggests that the high coding count for this gap is due, in large part, to the number of asset-specific security-related gaps (e.g., the absence of a closed circuit television or other intrusion detection system) that appear in detailed gap tables that were used in the earlier RRAP reports. 14 Attempts to further discern gap trends by sector are discussed in the following section concerning the second research question.

team documented a lack of “coordinated” plans for several likely hazards, including abandoned

barges with hazardous material onboard.

RRAP research involving land-based transportation systems document similar planning deficiencies. Here, there are some hazard-specific shortcomings. One RRAP report, quoting a

U.S. Transportation Security Administration after-action report for an Intermodal Security

Training and Exercise Program (I-STEP) event, observed that “the transportation sector does not currently have a comprehensive, interagency plan for the response to and recovery from a biological attack on transportation infrastructure in the United States” (DHS 2014a). In a separate transportation-focused assessment, RRAP researchers found that “the [studied area] lacks a comprehensive approach that addresses transportation system resilience to storm surge inundation” (Ibid.) As with port assessments, however, many land-based transportation planning gaps appear to be general in nature. The case evidence in three non-transportation-focused projects, for example, led to the repeated observation from RRAP authors that, “state and local agencies lack an integrated and formal post-disaster transportation recovery plan.”

In the study of material coded to the “(lack of) comprehensive planning” gap, a second strong theme emerged: the lack of integration between public and private sector entities. One statewide RRAP project found that “state and local government agencies do not consider many critical [private sector] providers in their emergency management and restoration plans” (DHS

2014a). A separate statewide study from a different megaregion recommends that the state

“consider ensuring that both public and private sector response and recovery plans reflect realistic restoration times that take into account manufacturing and delivery constraints of the commercial interests in the region” (DHS 2014a). As that same report went on to observe, “a key step to improving regional resilience is to establish a common operating picture of cascading

92 effects associated with critical infrastructure failure and of how these interactions affect response operations and recovery planning and prioritization efforts” (Ibid.). Such common operating pictures must necessarily reflect public and private resources and needs to ensure informed prioritization decisions can be made.

RRAP personnel acknowledge that private sector plans designed to maximize profits by ensuring the continuity of business operations will likely never be fully integrated with government plans designed to meet potentially broader, and likely divergent, government purposes, which inherently call for prioritizing restoration and recovery of some assets and industries over others in the interest of the greater public good. Still, as one Resiliency

Assessment argues, better “plan integration” will ensure “compatibility, shared public and private sector priorities and objectives, and appropriate distribution of effort and resources that derives from a mutual understanding of how best to expedite an area’s full recovery from disruption” (DHS 2014a). Stakeholders can develop more comprehensive plans, that report’s authors suggest, through “a series of actions and interactions that lead to an understanding by all parties of the salient elements of all response and recovery plans, and a commitment by all parties to amend their individual plans where possible, to eliminate incompatibilities, while still preserving the autonomy of the private [and public sector stakeholders] to develop a plan consistent with [their respective interests and obligations]” (Ibid.). The prevalence of the planning gaps noted throughout the RRAP data suggests that far greater attention should be given to such integration strategies.

C. The presence of single or critical points of failure is a frequently recurring resilience gap across all infrastructure sectors and geographic regions represented in the studied RRAP data.

In 25 of the 33 RRAP cases, evidence emerged concerning critical components among interconnected infrastructure systems whose failure or comprise had the potential to drastically

93 affect one or more core functions of the various systems under study. This effort’s coding scheme captured evidence where the removal of a given component would shut down its associated system or core function as a “single point of failure.” A component whose loss would create significant, but not total, system disruption is often described in the RRAP data as either a

“critical” or “high consequence” point of failure. Despite being technically distinct, these situations were coded as “single” points of failure as well for later analysis. In studying the material coded to this gap node, both “single” and “critical” failure points could be seen in reports from all regions and sectors as indicated in the following representative data.

The pervasiveness of single points of failure is particularly well stated in one rural

Resiliency Assessment. That report’s researchers noted how the agriculture and food sector “is vulnerable to single points of failure throughout its supply chain. The loss of electrical power, communications, natural gas, roads, water, or wastewater at any one of [the 12 representative facilities visited during the project] will result in a 100 percent business disruption” (DHS

2014a).

A separate commercial facilities-focused case study provides further evidence of just how common single points of failure are. The assessment in question notes that while one particular facility is “fed by six water pipelines that pull from separate points along the water main … a single point of failure [exists due to the reliance on a single] pumping station that supplies this water main” (DHS 2009.) With respect to the delivery of electricity to this very same asset, another single point of failure was identified: “the single transformer that steps down power entering the facility” (Ibid.) Additionally, in the broader surrounding power infrastructure, another single point of failure results from the fact that the power lines from the nearby, but separate, substations “all terminate at the same service connection point” (Ibid.). Regarding

wastewater service to the same region, the RRAP researchers found “no redundant facility or

overlapping service that could provide the same service if [a specified water treatment plant] was

disabled” (Ibid.).

Beyond the representative failure nodes within the power, fuel distribution, water, and

wastewater systems noted above, there was RRAP case evidence detailing critical choke points

in communications, healthcare, and transportation systems as well. For example, in another

commercial facilities-focused study, researches found several instances in which “all

telecommunications pass through servers and switches in [one] room” such that the “IT room

itself is a single point of failure” (DHS 2014a). Similarly, as one public health-focused case

study noted, “area hospitals are likely to have single points of failure in their supply chains (i.e.,

mass distribution centers and warehouses). Severe damage or destruction of these critical nodes

or the routes they typically utilize to make deliveries could disrupt healthcare....” (DHS 2014a).

In sum, the case study data yields ample evidence to support the notion that all types of lifeline

critical infrastructure systems suffer from the presence of this particular resilience gap, and that

this system architecture problem is truly pervasive.

The dangers of such gaps, wherever they are found, are succinctly summarized in one of

the program’s initial projects:

Though the single points of failure vary, any one of them could lead to disastrous results. Single points of failure for critical components and systems and for critical dependencies diminish [resilience]. Single input and intake components for critical services – power, water, and communications – exist, some of which are aging, and these are a priority. Some of these important components and systems are located in areas that are not under surveillance or protected, making them more vulnerable. Single points of failure are more problematic because of the lack of redundancy for critical components and systems. (DHS 2014a).

Before turning to the related, and compounding, problem presented by the lack of system

redundancy (as suggested in the quote above), it is important to note another type of critical node

that emerged from the coded data: the point-of-failure gap that arises from “geographic

interdependency” (Rinaldi, Peerenboom, and Kelly 2001; Pederson et al. 2006). In 11 (i.e., one

third) of the studied RRAP projects, which together represent a diverse array of regions and

sector focus areas, there is evidence of vulnerabilities tied to the co-location of lifeline

infrastructure assets in common rights-of-way. Grouping critical infrastructure assets often

minimizes installation, access, and other maintenance costs – not to mention the costs of

procuring the rights-of-way themselves, if applicable. Inevitably such grouping also ends up

increasing the potential for cascading failures. As one Resiliency Assessment explains:

These geographical interdependencies are complex, and the involved systems regularly interact with one another. These interactions can create vulnerabilities when a failure in one system cascades into other systems, creating widespread consequences much greater than the impact to the original system. For example, the failure to repair a deteriorating water main could lead to a break in the main; the broken main could then flood the adjacent area; and since utilities often share physical rights-of-way, underground power cables could become saturated and a short-circuit could occur, culminating in the loss of power for a large community and causing a cascading failure rather than just a loss of drinking and fire suppression water. (DHS 2014a).

Whether arising from more familiar physical (input-output) dependency nodes, or those based on

geographic interdependencies, the prevalence of this condition underscores a continued need for

broader awareness of the system dependencies and interdependencies which these nodes

represent, and the need for greater planned redundancies wherever practical to avoid or minimize

the effect of their loss.

D. A lack of redundancy, insufficient system capacity, or both, impairs the resilience of many infrastructure systems.

The case data coded to each of the categories and specific types of resilience gaps just

discussed also contains significant related evidence concerning the lack of redundancy,

insufficient capacity, or both, inherent in many systems. In the present context this dissertation

considers redundancy as it is defined by DHS itself in its Resiliency Assessments: “the ability of

[an infrastructure asset or system] to back up or reproduce its system’s critical functions either on site or at another location.” Relatedly, when reviewing the case data, I viewed capacity as the

ability of a specified asset or system, regardless of whether or not it has redundant components,

to fulfill the demand for its given function. While separate ideas, these two system

characteristics are related, at least where a given system can function through redundant, parallel

supply, transmission, or delivery mechanisms.

Throughout the RRAP cases, there are pervasive capacity and redundancy-based gaps,

which compound the vulnerabilities created by other gaps. As indicated in Table 4-1, there is

evidence of a lack of redundancy in infrastructure systems 206 times across 28 case studies, and

there is evidence of insufficient system capacity 160 times in 23 different case reports. Given

the frequency with which these gaps appeared, the following section provides further detail

concerning their nature.

In general, non-single-point-of-failure redundancy issues are less prevalent than

conditions described as directly resulting from single (or “critical”) points-of-failure themselves.

These closely related conditions could have been coded together as a single point of failure

exhibits, by definition, a lack of redundancy. To the extent a lack of sufficient redundancy may

exist even in the absence of a single point of failure, however, the coding scheme was designed

to make the single-point-of-failure node a child node within the redundancy parent. It is worth

better understanding what types of additional redundancy gaps exists. Accordingly, I removed

the single-point-of-failure data from the redundancy parent node and noted 87 coding references

across 19 RRAP reports.

With respect to these 87 coding references to system redundancy gaps in particular,

collectively, the RRAP cases contain evidence concerning everything from the frequent lack of

any backup communications systems for many critical infrastructure systems, to the absence of

alternate roads, bridges, or tunnels in certain key transit areas; to the frequent reliance on one

type, and often one source, of fuel for primary and emergency power generation.

Interestingly, there is evidence of impaired systems resilience resulting from limited

capacity in a wider array of contexts. Over two-thirds (23 separate cases) of the RRAP projects

included in this analysis detail resilience gaps arising from an insufficient amount of one or more

of the following categories of assets and capabilities: electric generation, transmission, or

distribution; fuel distribution; sufficiently trained personnel (including first responders, security

specialists, specialized technical professionals such as HAZMAT teams, and qualified

infrastructure inspectors), emergency response assets (including for debris removal,

decontamination, and critical care transportation in mass causalities); hospital bed capacity; and

on-site water and wastewater storage.

The existence and omnipresence of each of these gaps is not surprising. Indeed, system

redundancy and capacity sufficient to absorb disruption (which again, in some ways, are the very

antithesis of having single points of failure) are key aspects of most every conceptualization and

study of resilience. These critical characteristics are widely acknowledged weaknesses in many

modern systems. Importantly, though, as documented in the preceding discussion, the coding

and qualitative review of the RRAP case materials suggest that our dependence on energy, as aggravated by the lack of sufficient backup power systems; and the prevalence of under-

inclusive (i.e., not comprehensive) public and private response, recovery, and continuity plans

and planning are far more prevalent problems.

II. To what extent and how do these gaps differ across geographic regions and infrastructure sectors?

To advance this dissertation’s objective of better understand resilience gaps, I next explored the conditions noted above (and others that emerged in the RRAP cases, albeit with less frequency) to determine the extent to which they might vary across critical infrastructure sector focus areas and geographic regions. NVivo’s coding query functionality enables a researcher to

query material coded to any selected node or combinations of nodes, or node(s) and

combinations of source characteristics. Accordingly, I ran a series of coding queries using each

of the major nodes and sub-nodes in the respective “gap” (and later, “barrier”) coding schemes to

explore potential correlations with the nine geographic megaregions15 and eight different critical

infrastructure sector focus areas16 represented in the RRAP projects included in this research.

(The final portion of this chapter examines differences in resilience barriers within and across

different sectors and regions.) NVivo returns the number of coding references and source counts

for each selected combination of nodes in a spreadsheet style cross tabulation screen.

Table 4-2, on the following four pages, depicts the coding references and source counts

that NVivo produced for each of the gap codes in the final coding scheme, broken out by the designated infrastructure sector-focus area of the coded RRAP case studies. As with the study of the overall prevalence of gaps within and across infrastructure sectors and regions, the coding reference and source count information represented in Table 4-2 guided a qualitative review

15 The 33 RRAP analyzed herein involved projects that fell within the following megaregions: Arizona Sun Corridor, Cascadia, Florida, Great Lakes, Northeast, Piedmont Atlantic, Northern California, Southern California, and Texas Triangle. Notable, 10 RRAP projects fell outside the confines of any defined megaregion. 16 As indicated in Table 3-1 in the preceding chapter, the RRAP Reports on which this dissertation is based focused on the following sectors: Agriculture and Food, Commercial Facilities, Dams, the Florida Defense Industrial Base, Energy, Healthcare & Public Health, Transportation, and Water.

Table 4-2 – Resilience Gap Coding by RRAP Report Infrastructure Sector Focus Area Cross Tabulation # of Coding References to Gap (# of RRAP Case Studies with Coding References to Gap)

Infrastructure Sector Focus Area of Resiliency Assessment

(2)

(1)

Coded Resilience Gap Agriculture and (4)Food Commercial (7) Facilities Dams Defense Base Industrial (1) Energy (9) & Healthcare Health Public (2) Transportation (7) & Water Wastewater (33) Cases All Age of Infrastructure (in general) 0 5(2) 0 0 7(3) 1(1) 13(3) 1(1) 27(10) Capability 30(4) 101(7) 2(1) 3(1) 73(8) 33(2) 53(5) 17(2) 312(30) − Access to Classified Information 0 1(1) 0 0 0 0 0 0 1(1) − Backup Power (no or limited) 9(3) 70(6) 2(1) 0 32(7) 15(2) 34(4) 11(1) 173(24) − Building & Engineering Design Issues 0 3(1) 0 0 0 1(1) 0 0 4(2) − Communications 2(1) 7(5) 0 3(1) 17(5) 15(1) 8(5) 5(2) 57(20) − Emergency Response 0 8(3) 0 0 16(2) 0 3(1) 1(1) 28(7) − Energy and Fuel Transmission / 0 0 0 0 8(2) 0 1(1) 0 9(3) Distribution − Integrated IT Platform (lacking) 0 0 0 0 0 2(1) 0 0 2(1) − Modeling Capability (lacking)) 2(1) 0 0 0 0 0 0 0 2(1) − Surveillance and Detection Systems 16(2) 1(1) 0 0 0 0 6(2) 0 23(5) (inadequate) − System Cross Connections (lack of) 0 4(3) 0 0 0 0 0 0 4(3) − Training (lack of) 1(1) 8(2) 0 0 0 0 0 0 9(3)

100

Table 4-2 – Resilience Gap Coding by RRAP Infrastructure Sector Focus Area Cross Tabulation (Continued) # of Coding References to Gap (# of RRAP Case Studies with Coding References to Gap)

Infrastructure Sector Focus Area of Resiliency Assessment

(2)

(1)

Coded Resilience Gap Agriculture and (4) Food Commercial (7) Facilities Dams Defense Base Industrial (1) Energy (9) & Healthcare Health Public (2) Transportation (7) & Water Wastewater (33) Cases All Capacity 27(4) 29(6) 0 0 47(4) 43(2) 14(4) 0 160(23) − Debris Removal 0 0 0 0 0 1(1) 0 0 1(1) − Decontamination Equipment 6(1) 0 0 0 0 0 0 0 6(1) − Electric 2(1) 5(3) 0 0 27(6) 1(1) 7(1) 0 42(12) − Emergency Response Assets 1(1) 2(1) 0 0 0 0 2(2) 0 5(4) − Evacuation (Assets and Procedures) 0 0 0 0 0 2(1) 0 0 2(1) − Fuel 0 6(3) 0 0 5(3) 0 3(1) 0 14(7) − Hospitals and Healthcare 0 2(1) 0 0 0 32(2) 0 0 34(3) − Natural Gas Pipeline 0 0 0 0 10(2) 0 0 0 10(2) − Personnel & Inspectors 9(3) 5(2) 0 0 2(1) 4(1) 0 0 20(7) − Rail Line Capacity 0 0 0 0 1(1) 0 2(1) 0 3(2) − Spare Parts 0 1(1) 0 0 0 0 0 0 1(1) − Threat Monitoring 9(2) 0 0 0 0 0 0 0 9(2) − Water (or Wastewater) 0 7(4) 0 0 2(1) 3(1) 0 0 12(6) Redundancy 19(3) 56(6) 2(1) 4(1) 58(9) 16(2) 27(4) 24(2) 206(28) − in Fuel Transportation Options 0 1(1) 0 0 20(2) 0 10(1) 0 31(4) − in Water Interconnections 1(1) 1(1) 0 0 0 0 0 1(1) 3(3) − Single Points of Failure 13(3) 46(6) 1(1) 4(1) 26(7) 3(2) 11(3) 18(2) 122(25)

101

Table 4-2 – Resilience Gap Coding by RRAP Infrastructure Sector Focus Area Cross Tabulation (Continued) # of Coding References to Gap (# of RRAP Case Studies with Coding References to Gap)

Infrastructure Sector Focus Area of Resiliency Assessment

(2)

(1)

Coded Resilience Gap Agriculture and (4)Food Commercial (7) Facilities Dams Defense Base Industrial (1) Energy (9) & Healthcare Health Public (2) Transportation (7) & Water Wastewater (33) Cases All Dependencies and Interdependencies 56(4) 128(7) 9(1) 5(1) 191(9) 25(2) 125(7) 35(2) 574(33) − Bridges 0 1(1) 0 1(1) 0 0 3(1) 0 5(3) − Chemicals 0 8(4) 0 0 7(3) 1(1) 2(2) 1(1) 19(11) − Communications 2(2) 15(6) 0 1(1) 13(5) 1(1) 7(4) 5(1) 44(20) − Critical Manufacturing 0 0 0 0 2(1) 0 0 0 2(1) − Dams (and Locks) 0 1(1) 1(1) 0 0 0 13(3) 0 15(5) − Energy (in general) 18(4) 42(7) 3(1) 3(1) 101(9) 9(2) 32(6) 12(2) 220(32) o Electricity (for core function) 14(4) 24(6) 1(1) 3(1) 55(9) 3(2) 17(5) 10(2) 127(30) o Fuels 4(2) 15(5) 2(1) 0 51(6) 6(2) 14(4) 14(2) 96(22) − Finance 0 2(2) 0 0 0 0 0 0 2(2) − Food / Feed 3(2) 0 0 0 0 0 0 0 3(2) − Healthcare 0 7(2) 0 0 3(1) 0 0 0 10(3) − Information Systems / Technology 3(2) 10(4) 3(1) 0 16(3) 0 13(4) 12(2) 57(16) − Transportation 11(4) 17(5) 1(1) 0 44(7) 4(2) 25(7) 4(1) 106(27) − Water or Wastewater 21(4) 25(6) 2(1) 0 12(3) 10(2) 13(3) 4(1) 97(20) − Workers / Personnel 0 0 0 0 0 0 5(1) 0 5(1)

102

Table 4-2 – Resilience Gap Coding by RRAP Infrastructure Sector Focus Area Cross Tabulation (Continued) # of Coding References to Gap (# of RRAP Case Studies with Coding References to Gap)

Infrastructure Sector Focus Area of Resiliency Assessment

(2)

(1)

Coded Resilience Gap Agriculture and (4)Food Commercial (7) Facilities Dams Defense Base Industrial (1) Energy (9) & Healthcare Health Public (2) Transportation (7) & Water Wastewater (33) Cases All Planning 76(4) 121(7) 1(1) 7(1) 115(7) 57(2) 98(7) 21(2) 496(31) − Business Continuity Planning (deficient) 16(4) 18(6) 0 1(1) 13(5) 4(2) 21(4) 6(1) 79(23) − Comprehensive Approach (lacking) 55(4) 48(6) 1(1) 6(1) 53(4) 18(2) 26(5) 11(2) 218(25) − Crisis Communications (lacking) 3(1) 8(3) 0 0 0 0 9(2) 0 20(6) − Emergency Action Plan (lacking) 0 1(1) 0 0 0 0 0 0 1(1) − Failure to Prioritize (below and other) 2(1) 17(4) 0 0 22(4) 13(2) 1(1) 0 55(12) o Ambulance / At-Risk Populations 0 0 0 0 7(1) 0 0 0 7(1) o Communications (restoration, access) 0 1(1) 0 0 1(1) 0 1(1) 0 3(3) o Electric (restoration) 2(1) 14(3) 0 0 14(3) 0 0 0 30(7) o Fuel Distribution 0 2(1) 0 0 0 0 0 0 2(1) o Route Access (roadway restoration) 0 0 0 0 0 6(1) 0 0 6(1) − Hazard not Identified or Planned For 1(1) 18(6) 0 0 28(4) 19(2) 44(7) 4(2) 114(22) − Long-Range 0 2(1) 0 0 0 4(1) 0 0 6(2) − Security 0 10(4) 0 0 0 0 0 0 10(4) Protective Measures 27(3) 71(6) 2(1) 0 12(3) 8(1) 23(3) 17(2) 160(19) − Cyber Security Deficiencies 0 19(3) 0 0 1(1) 0 4(1) 12(2) 36(7) − Physical Security Deficiencies 27(3) 51(6) 2(1) 0 11(2) 8(1) 19(3) 5(1) 123(17)

103

of the substance of the text or data underlying these coding references. The following discussion

explains how.

As before, I began by simply looking for comparatively high coding reference and source

counts in the cross-tabulation cells. The counts reflected in Table 4-2’s columns associated with the commercial facilities, energy, and transportation-focused cases are generally more numerous than coding references in other sector focus areas. A closer look at the distribution of cases

(parenthetically noted in the column headings for each sector), however, reveals the challenge of drawing any meaningful inferences from this observation. The designated sector focus areas are not equally distributed among the coded RRAP case studies. Indeed, the nine energy, seven transportation, and seven commercial facilities-focused cases collectively constitute two thirds of the RRAP projects coded in this research. Accordingly, higher counts are to be expected for these sectors.

The availability of count data for gaps (and barriers) across the various infrastructure sectors (and regions) naturally invites the calculation of rudimentary statistics (e.g., percentages, relative frequencies, etc.). Using this approach, the data in Table 4-2 reveals apparent anomalies, highlighted in bold, associated with the commercial facilities-focused case studies. Specifically, these cases contain a disproportionately high percentage of gap coding references concerning the lack of back-up power, single-points-of-failure, and physical security deficiencies. Table 4-3, on the following page, highlights the specific counts (drawn from Table-4-2) and relevant percentages for these three anomalous gap categories. To determine why the RRAP studies of commercial facilities, which include casinos, universities, and other private sector buildings, accounted for approximately ~40% of the coding references to each of these three gaps (despite

104

this sector constituting Table 4-3: Commercial Facilities Resilience Gap Anomalies % Attributable to only 21% of the RRAP Coding References Commercial Facilities Commercial All Coding Source cases studied), I Gap Facilities (7) Cases (33) References Count Capability 70(6) 173(25) 40% 24% - Backup Power scrutinized the Redundancy 46(6) 122(25) 38% 25% - Single-points-of-failure Protective Measures underlying material 51(6) 123(17) 41% 35% - Physical Security coded to each of the associated coding references.

This review revealed two reasons that might explain the heightened coding percentages.

First, the commercial facility-focused RRAP projects considered more individual buildings and

assets than projects in other sector-focus categories. Second, commercial facilities, especially

those in which humans are situated, typically require greater service (and connections) from all

lifeline critical infrastructures sectors. For one or both of these reasons, it is reasonable to expect

that asset-specific gaps (such as back-up power and security deficiencies), as well as single-

points-of-failure would be more prevalent in the commercial facilitates cases.

The above findings notwithstanding, percentages and relative frequencies proved

analytically problematic in this research for at least four reasons. First, as the many zeros

throughout Table 4-2 attest, many gaps do not appear at all in certain sector’s cases. The

absence of a count, however, does not necessarily reflect the absence of its corresponding gap.

This is true because, as discussed in Chapter 3, the scoping of each RRAP case study depends in

large part on the desires of each unique project’s “client” and what participants choose to

contribute to this voluntary program. Thus, a given gap may not appear simply because it fell

outside the scope of what was those participating agreed to help study.

Second, half of the infrastructure sector focus areas included in the studied RRAP

projects (dams, defense industrial base, public health, and water and wastewater) are the subject

105

of only one or two case studies. As Table 4-2 reveals, the number of coding references and case

counts available for many gaps – in general, but especially for those associated with these

sparsely covered sector focus areas – is relatively small. Thus, a change of (or error in) a single count or case would change associated percentages markedly.

Third, the number of coding references to any given node is influenced by a number of coding factors not related to the presence or absence of its associated gap. As previously detailed, the way data was portioned while coding (i.e., using smaller segments of data or coding entire paragraphs) affects the number of coding references. Additionally, the evolving nature of the RRAP report format, and the program’s use of multiple annexes in some reports to document the same gaps, but with more sensitive information and in greater detail, creates redundant coding that artificially inflates the number of coding references for some, but not all, gaps and cases.

Finally, a deeper dive into cross-sector themes and differences – involving a methodical review of the underlying coded information, cell-by-cell, sector-by-sector – reveals a more troublesome analytic challenge to discerning sector-based differences. As described elsewhere in this work, each RRAP project focuses on a specific infrastructure sector. Each project also analyzes numerous lifeline infrastructure sectors that support that focus sector. Accordingly, a water sector-focused report may contain a good deal of information (including resilience gap information) on a given region’s power grid, for example. Because the cross-sector queries executed with NVivo were based upon each project’s designated focus area, however, gaps concerning the electric grid documented in a water-focused case, which may or may not concern the water system under study directly, appear in the “water” column of Table 4-2, not in the

106

“energy” case column. This complication is an inescapable consequence of the messy interconnectedness of these systems and the discussion of multiple lifeline sectors in each report.

For all of the foregoing reasons, the focus of this analysis is on the substance of the coded

material, not on the numbers of sources or coding references in the cross tabulations; although

the latter proved indispensible in structuring the exploration of the data in an orderly fashion.

Through a methodical reading and rereading of the data coded to each cell of the cross

tabulation, sector by sector, it was possible to look for inter-sector gap trends and distinctions.

The material coded to the lack of comprehensive planning node across the different

sectors-focus areas revealed an interesting disparity with respect to the energy sector.

Specifically, the previously discussed widespread lack of comprehensive plans and planning is

surprisingly less prevalent, if anywhere, in RRAP studies in which energy (to include electricity,

natural gas, coal, ethanol and petroleum fuels) was a designated focus of the study. Of the eight

RRAP projects for which the lack of comprehensive planning was not coded as a significant gap,

five focused on the energy sector.17 This is not to say there are no planning deficiencies in case

evidence coded within the energy sector. There are. Indeed, the coded case data reveals a lack of prioritized asset lists that could be used to inform power restoration efforts as a problem in numerous cases. As indicated in Table 4-2, this lack of prioritization appeared in 14 coding references across three of the nine energy-focused case studies alone. A closer sector-by-sector look at the material coded to the (lack of) comprehensive planning node, however, shows that when the energy sector itself was the focus of a given RRAP case study, there was generally less evidence concerning deficient planning as such. That is, the lack of planning involving energy

17 These five energy-focused case studies in question are the 2012 Maine RRAP, the 2013 National Capital Regional RRAP, the 2014 Nebraska RRAP, the 2014 North Dakota RRAP, and 2014 Southeast New Hampshire RRAP.

107

issues was more prevalent when viewed from the perspective of other sectors. Phrased another

way, the dependence on energy, and the need for more comprehensive plans to account for it,

surfaced more readily when viewing the issue from the demand versus supply side.

It could be that the inherently sprawling, transboundary nature of the energy industry,

combined with the regionally and nationally based regulatory spheres in which it operates, leads

to necessarily greater coordination and planning within this particular sector, especially for

electricity providers in the wake of the Northeast blackout of 2003 and the systems

improvements implemented thereafter. It may be that all elements of the energy sector are

generally more attuned to energy issues, include their own dependencies on power and fuel.

Thus, it could be that the energy sector is comparatively better at planning within its own sector,

but that other sectors and governmental coordinating bodies need to better integrate energy

considerations more fully into their respective planning efforts. This analysis did not yield

further insight. Accordingly, this observation merits further study.

Next, I considered the extent to which resilience gaps vary across geographic regions.

Table 4-4, on the following pages, depicts the coding references and source counts that NVivo

produced for each of the gap codes contained in the final coding scheme, as broken out by the

megaregion (or presence outside of any megaregion) in which the coded RRAP projects fall. As before, the coding reference and source count information represented in Table 4-4 was used to structure the qualitative analysis. Unfortunately, as the column headings in Table 4-4 show, the

RRAP cases are not equally distributed geographically. Only three megaregions – Northeast,

Great Lakes, and Piedmont Atlantic – had three or more of the RRAP projects conducted within them. Three of the nine megaregions represented in this research had only one

108

Table 4-4 – Resilience Gap Coding by Regional Plan Association Megaregion Cross Tabulation # of Coding References to Gap (# of RRAP Case Studies with Coding References to Gap)

Regional Plan Association Megaregion of Resiliency Assessment

(10)

(2)

(8) (1)

(2)

(3) (2)

Coded Barrier to Resilience Not Assoc. w/ Region Mega Arizona Sun Corridor Cascadia Florida Front Range (2) Lakes Great Northeast Northern & Southern Calif. (2) Piedmont Atlantic (1) Triangle Texas (33) Cases All Age of Infrastructure (in general) 1(1) 0 4(1) 0 0 8(1) 12(5) 0 1(1) 1(1) 27(10) Capability 106(10) 2(1) 39(1) 4(2) 6(2) 5(1) 66(7) 40(2) 31(3) 13(2) 312(30) − Access to Classified Information 0 0 0 0 0 0 0 1(1) 0 0 1(1) − Backup Power (no or limited) 42(8) 0 27(1) 1(1) 4(2) 2(1) 43(7) 22(1) 20(2) 12(1) 173(24) − Building & Engineering Design 0 0 3(1) 0 0 0 0 0 0 1(1) 4(2) − Communications 32(6) 2(1) 2(1) 3(1) 2(1) 1(1) 11(6) 1(1) 3(2) 0 57(20) − Emergency Response 17(2) 0 4(1) 0 0 0 3(2) 3(1) 1(1) 0 28(7) − Energy/Fuel Transmission / Dist. 5(2) 0 0 0 0 0 4(1) 0 0 0 9(3) − Integrated IT Platform (lacking) 2(1) 0 0 0 0 0 0 0 0 0 2(1) − Modeling Capability (lacking)) 2(1) 0 0 0 0 0 0 0 0 0 2(1) − Surveillance and Detection Systems 4(2) 0 1(1) 0 0 0 5(1) 13(1) 0 0 23(5) − System Cross Connections (lack of) 0 0 1(1) 0 0 2(1) 0 0 1(1) 0 4(3) − Training (lack of) 1(1) 0 2(1) 0 0 0 0 0 6(1) 0 9(3)

109

Table 4-4 – Resilience Gap Coding by Regional Plan Association Megaregion Cross Tabulation (Continued) # of Coding References to Gap (# of RRAP Case Studies with Coding References to Gap)

Regional Plan Association Megaregion of Resiliency Assessment

Coded Barrier to Resilience

Not Assoc. w/ Region Mega (10) Sun Arizona Corridor (1) Cascadia (1) Florida (2) Range Front (2) Great Lakes (3) Northern Calif.(2) Piedmont (3) Atlantic Texas Triangle (1) All Cases (33) Northeast (8) Southern Capacity 48(6) 0 9(1) 0 3(2) 6(3) 38(5) 7(2) 20(3) 29(1) 160(23) − Debris Removal 0 0 0 0 0 0 0 0 0 1(1) 1(1) − Decontamination Equipment 6(1) 0 0 0 0 0 0 0 0 0 6(1) − Electric 12(3) 0 2(1) 0 3(2) 2(1) 22(4) 0 0 1(1) 42(12) − Emergency Response Assets 2(2) 0 0 0 0 1(1) 0 0 2(1) 0 5(4) − Evacuation (assets and procedures) 0 0 0 0 0 0 0 0 0 2(1) 2(1) − Fuel 4(2) 0 2(1) 0 0 0 4(2) 3(1) 1(1) 0 14(7) − Hospitals and Healthcare 10(1) 0 0 0 0 0 0 0 2(1) 22(1) 34(3) − Natural Gas Pipeline 2(1) 0 0 0 0 0 8(1) 0 0 0 10(2) − Personnel & Inspectors 10(2) 0 1(1) 0 0 0 2(1) 1(1) 6(2) 0 20(7) − Rail Line Capacity 1(1) 0 0 0 0 2(1) 0 0 0 0 3(2) − Spare Parts 0 0 1(1) 0 0 0 0 0 0 0 1(1) − Threat Monitoring 1(1) 0 0 0 0 0 0 0 8(1) 0 9(2) − Water (or Wastewater) 0 0 3(1) 0 0 1(1) 2(1) 2(1) 1(1) 3(1) 12(6) Redundancy 71(10) 5(1) 8(1) 4(1) 14(1) 12(2) 48(6) 9(2) 33(3) 2(1) 206(28) − in Fuel Transportation Options 24(2) 0 1(1) 0 0 0 6(1) 0 0 0 31(4) − in Water Interconnections 0 0 1(1) 0 0 0 1(1) 0 1(1) 0 3(3) − Single Points of Failure 21(8) 5(1) 6(1) 4(1) 12(1) 9(2) 31(5) 7(2) 25(3) 2(1) 122(25)

110

Table 4-4 – Barrier Coding by Regional Plan Association Megaregion Cross Tabulation (Continued) # of Coding References to Gap (# of RRAP Case Studies with Coding References to Gap)

Regional Plan Association Megaregion of Resiliency Assessment

(2)

Coded Barrier to Resilience Front Range (2) Lakes Great (3) Cases All (33) Not Assoc. w/ Region Mega (10) Arizona Sun (1) Corridor Cascadia (1) Florida (8) Northeast & Northern Southern Calif (2) Piedmont (3) Atlantic Texas Triangle (1) Dependencies and Interdependencies 180(10) 13(1) 25(1) 15(2) 28(2) 61(3) 159(8) 41(2) 44(3) 8(1) 574(33) − Bridges 0 0 0 2(2) 0 0 3(1) 0 0 0 5(3) − Chemicals 3(3) 0 2(1) 0 0 1(1) 7(3) 3(1) 2(1) 1(1) 19(11) − Communications 8(6) 0 1(1) 3(2) 2(2) 1(1) 18(5) 8(2) 3(2) 0 44(20) − Critical Manufacturing 0 0 0 0 0 0 2(1) 0 0 0 2(1) − Dams (and Locks) 3(2) 0 0 0 0 9(1) 2(1) 0 1(1) 0 15(5) − Energy (in general) 82(10) 6(1) 7(1) 6(2) 13(2) 15(2) 64(8) 11(2) 14(3) 2(1) 220(32) o Electricity (for core function) 43(10) 5(1) 3(1) 4(2) 10(2) 10(1) 38(8) 7(2) 6(2) 1(1) 127(30) o Fuel 43(8) 1(1) 4(1) 2(1) 3(1) 5(1) 28(4) 4(1) 5(2) 1(1) 96(22) − Finance 0 0 1(1) 0 0 0 0 0 1(1) 0 2(2) − Food / Feed 1(1) 0 0 0 0 0 0 0 2(1) 0 3(2) − Healthcare 0 0 0 0 0 0 0 2(1) 0 2(1) − Information Systems / Technology 21(5) 7(1) 1(1) 0 2(1) 11(2) 13(4) 1(1) 1(1) 0 57(16) − Transportation 44(10) 0 6(1) 0 5(1) 8(3) 29(6) 4(2) 9(3) 1(1) 106(27) − Water or Wastewater 25(6) 0 4(1) 0 7(2) 19(2) 10(3) 15(2) 13(3) 4(1) 97(20) − Workers / Personnel 0 0 0 0 0 5(1) 0 0 0 0 5(1)

111

Table 4-4 – Resilience Gap Coding by Regional Plan Association Megaregion Cross Tabulation (Continued) # of Coding References to Gap (# of RRAP Case Studies with Coding References to Gap)

Regional Plan Association Megaregion of Resiliency Assessment

(10)

(3)

(8) (1)

(1)

(3) (2)

Coded Barrier to Resilience Not Assoc. w/ Region Mega Arizona Sun Corridor Cascadia Florida Front Range (2) Lakes Great Northeast Northern & Calif.(2) Southern Piedmont Atlantic (1) Triangle Texas (33) Cases All Planning 168(9) 15(1) 29(1) 27(2) 33(2) 51(3) 60(7) 30(2) 56(3) 27(1) 496(31) − Business Continuity Planning 27(6) 6(1) 7(1) 1(1) 9(2) 9(2) 8(3) 3(2) 7(3) 2(1) 79(23) − Comprehensive Approach (lacking) 78(7) 6(1) 7(1) 15(2) 16(1) 12(3) 20(4) 23(2) 34(3) 7(1)` 218(25) − Crisis Communications (lacking) 4(2) 0 3(1) 0 0 8(1) 0 1(1) 4(1) 0 20(6) − Emergency Action Plan (lacking) 0 0 1(1) 0 0 0 0 0 0 0 1(1) − Failure to Prioritize (below & other) 15(5) 0 0 12(1) 2(1) 0 15(1) 1(1) 4(2) 6(1) 55(12) o Ambulance / At-Risk Pop. 0 0 0 0 0 0 7(1) 0 0 0 7(1) o Comms (restoration, access) 2(2) 0 0 0 0 0 0 0 1(1) 0 3(3) o Electric (restoration) 5(2) 0 0 12(1) 2(1) 0 9(1) 1(1) 1(1) 0 30(7) o Fuel Distribution 0 0 0 0 0 0 0 0 2(1) 0 2(1) − Route Access (roadway restoration) 0 0 0 0 0 0 0 0 0 6(1) 6(1) − Hazard not ID’d or Planned For 46(6) 3(1) 8(1) 0 2(1) 21(3) 17(5) 2(1) 6(3) 9(1) 114(22) − Long-Term Recovery 0 0 2(1) 0 0 0 0 0 0 4(1) 6(2) − Security 0 0 1(1) 0 5(1) 3(1) 0 0 1(1) 0 10(4) Protective Measures 23(5) 8(1) 17(1) 0 11(1) 9(1) 32(4) 19(2) 33(3) 8(1) 160(19) − Cyber Security Deficiencies 1(1) 8(1) 0 0 9(1) 6(1) 8(2) 4(1) 0 0 36(7) − Physical Security Deficiencies 22(4) 0 17(1) 0 2(1) 3(1) 24(4) 15(2) 32(3) 8(1) 123(17)

112

RRAP conducted in each. Moreover, ten of the coded Resiliency Assessments involved areas outside of any defined megaregion. According to the RRAP personnel interviewed for this research, this allocation of projects reflects an intentional effort by DHS to spread the benefits of the RRAP initiative throughout the country (and across infrastructure sectors.) The relatively small numbers of RRAP projects falling within any given megaregion (aside the from the eight falling within the Northeast region), combined with the different focus sectors associated with each, make it difficult to disentangle potential differences associated with specific regions from those potentially arising from the different sector foci of these reports. Perhaps this is why

RRAP administrators have not attempted to classify or analyze the RRAP projects by geographic region to date. It could also be that the more persistent gaps that emerged through my coding methodology do not vary to any significant18 degree by region.

Not surprisingly, a review of the underlying data shows that gap differences are often tied to specific hazards that are considered more likely in certain regions, or that emerged because of the unique focus of a given study. For example, RRAP projects conducted in coastal regions more frequently contained resilience gaps directly related to storm surge inundation. There are limits to drawing inferences from these observations, however. While the coded RRAP case data would suggest that Alaska is the only region with noted resilience gaps related to possible disruption from space weather events, this is, in part, because it was the only case study reviewed in this research that explores that particular hazard. There is more evidence of planning deficiencies and capacity gaps related to a chemical incident or biological attack in the transportation-focused Chicago Resiliency Assessment than in any other case study, but this is

18 The use of the word “significant” here is not meant to imply any test for statistical significance. Given the nature of the coding, and the redundancies inherent in the RRAP report format, any such test would be dubious at best.

113

because it was the only project that focused on that particular hazard in great detail. (An RRAP

official indicated that this was done at the request of the client specifically because it was not a

hazard that region’s transportation sector had given much attention to previously.)

More recent RRAP reports, including some undertaken since the inception of this

research, have occasionally employed a more hazard-agnostic approach to exploring a region’s resilience. The following chapter discusses the extent to which resilience can or should be considered threat-dependent or hazard-agnostic. For present purposes, any threat-specific or hazard-based analysis of resilience gaps and barriers was beyond the scope of this research.

(Such might be an interesting focus for future research using the RRAP data, however.) Beyond hazard-based distinctions noted across regions, no meaningful correlations to regional characteristics emerged from the review of the coded case evidence. If anything, the gap-region cross tabulation reinforced subtle differences noted concerning the energy sector itself, as previously detailed above.

The gaps that have been the focus of this chapter thus far are only part of the resilience picture. This dissertation now turns to an exploration of the systemic conditions that enable them to develop, or to persist.

III. Are there any recurring, empirically evident barriers to addressing resilience gaps? If so, what are they?

The second objective of this work, which distinguishes it from many of the current efforts

devoted to developing better metrics and models for assessing resilience, is to identify and better

understand any recurring, systemic barriers to improving it. To this end I developed and

employed a resilience barrier coding scheme based on the previously discussed Post-Sandy

Study (Flynn 2015), which itself synthesizes ideas previously developed by the National

Infrastructure Advisory Council (2009; 2013), the Homeland Security Advisory Council (2011),

114

and National Academies work with Disaster Resilience (2012). Even though resilience barriers are not a specific focus of the program, there is evidence in the RRAP case data substantiating the presence of each of the four major types of barriers presented in the Post-Sandy Study: namely, as a society: (1) we do not recognize how unprepared we are to handle foreseeable risks and uncertainties; (2) we do not know how to measure resilience because there is not yet consensus on how to create it; (3) we do not have incentives to create resilience; and (4) there are organizational and governance barriers to creating resilience.

Table 4-5, on the following page, presents the coding references and source counts for each of these barrier nodes, which, as conceptualized by Flynn, include multiple (child) subcomponents. As indicated in this table, there is evidence of all but one of the barrier subcomponents.19 As with the results derived from applying my resilience gap coding scheme to the

RRAP cases, the “parent” barrier nodes, which aggregate the counts of their respective sub-

components, generally contain the highest numbers of coding references and source counts.

Importantly, the counts produced by coding the 33 RRAP projects with this barrier

coding scheme indicate that four of Flynn’s sub-components in particular (and a related fifth

“child” barrier not articulated by Flynn as such) recurred routinely. These top five coding

references and case counts among non-parent barriers are highlighted in bold in Table 4-5 for ease of reference.

19 One subcomponent of the broader notion that as a nation we do not recognize how unprepared we are to handle foreseeable risks or to respond to uncertainties, is the idea that elected officials are loathe to look for, or acknowledge, resilience gaps to the extent doing so without adequate resources to address them creates a political liability (see generally Rabkin 2008; see also National Institute of Standards and Technology 2015). There was not any evidence in the RRAP cases that appeared to support this specific barrier. To extent elected officials and other politicians were not primary participants in the RRAP case studies, the lack of evidence on this point is not necessarily surprising.

115

Thus, the specific (non-parent) Table 4-5: Resilience Barrier Coding Results # of Barrier Coding References (# of RRAP Sources) barriers to improving resilience that Barrier Behaviors ...... 8(5) appear most strongly in the case data − Narrow Timelines and Issue Framing ...... 6(5) − Simplified Decision Rules ...... 1(1) are: (1) the nation continues to face − Status Quo Bias ...... 1(1) critical shortcomings in emergency Failure to Recognize Risks & Uncertainties ...... 138(28) − response and recovery coordination Assumptions of Stationarity ...... 9(5) − Inappropriately Discounting Risks ...... 19(5) and collaboration efforts; (2) “systems − Overestimating Current Capabilities ...... 15(9) − ignorance,” (i.e., the lack of visibility Politically Risky to Acknowledge Gap ...... 0 − Unknown Information ...... 95(27) or understanding of how critical Lack of Definition or Integrative Approach ...... 76(24) − Failure to Recognize Interdependencies ...... 47(16) infrastructure components are inter- − Lack of Agreed Upon Standards or Measures .... 25(10) connected and how systems are Lack of Incentives or Presence of Disincentives ...... 82(27) − Confusion and Lack of Common Definition ...... 1(1) dependent or interdependent) is − Disincentives ...... 6(5) widespread; (3) there is a paucity of − Efficiency Valued over Continuity of Function .. 33(14) − important critical infrastructure Few Rewards (or $) for Investing in Resilience . 41(18) Organizational or Governance Challenges ...... 300(33) information cognizant authorities and − Coordination or Collaboration ...... 233(33) − Fighting the Last Battle ...... 32(12) operators need to know, but do not − Law or Regulation (lack of or mismatched) ...... 32(14) (either because as a society we do not understand why it is important, or because those in possession of it are reluctant to share); (4) there are insufficient funds (or incentives more broadly) for investing in resilience; and, relatedly, (5) efficiency is often valued over ensuring continuity of function. The following sections presents representative RRAP case evidence to help further describe the prevalence and nature of these recurring systemic conditions.

116

A. The nation continues to face shortcomings in emergency response and recovery coordination at the regional and cross-regional level.

The most prevalent barrier that emerged from the RRAP cases, appearing in over 233

instances across all 33 of the analyzed Resiliency Assessments, is the lack of coordination

among all relevant stakeholders in a given region. This particular systemic problem arises

among government agencies and officials, across adjoining jurisdictions and levels of

government, and between public and private entities. There is evidence of this barrier in each

type of infrastructure focus area, and across all geographic regions studied.

One repeatedly noted shortcoming within this barrier is simply who is included in (or excluded from) various coordinating entities. As explained in Chapter 2’s brief exploration of challenges that result from humans’ cognitive limitations and tendency toward simplified decision-making, the structure of organizations – including who is “at the table” and thus, what collective perspectives and experiences can be brought to bear – can have a dramatic impact on how effectively any given community or organization can respond to a particularly messy, complicated issue. The RRAP data shows a clear need for greater inclusiveness in local and regional coordinating (and planning20) bodies.

For example, an energy and water-focused RRAP project found that one state’s emergency council, “which makes recommendations to the Governor on the assignment of responsibilities to [] state agencies relative to emergency planning, does not include as a member the [state’s] regulatory body for electric and water utilities” (DHS 2014a). A separate study

involving national defense-related infrastructure assets highlighted a similar shortcoming. That

report noted a clear need to “improve communication and coordination among electric power

20 The inherent and close relationship between coordination and planning is discussed in the following chapter.

117

and water utilities … to share information about single points of failure” (DHS 2014a). A port-

focused RRAP documented how one regional Emergency Operations Center included one port

authority and the local Coast Guard, but excluded other ports in the same region, and all private

sector port entities (DHS 2014a).

Regarding public and private coordination deficiencies, several RRAP studies

specifically highlighted the need for state stakeholders “to improve their situational awareness of

the fuel supply network by building or reinforcing permanent relationships with the private

sector; becoming knowledgeable about the business continuity plans of fuel supply network

facilities within their jurisdictions; developing compatible disaster response policies; and

incorporating knowledge gained into official response and recovery plans” (DHS 2014a).

In many instances, the RRAP case evidence documents useful informal relationships,

especially between individual asset owners or operators and local law enforcement or emergency

management officials. There is a clear need, however, to formalize and broaden such networks.

The hazards of failing to do so are well stated in one Resiliency Assessment as follows: “Lack of coordination and documentation of multijurisdictional response activities based on individual agency assumptions concerning critical infrastructure within impacted areas can lead to ineffective emergency management during a large-scale incident” (DHS 2014a). Moreover, the broader common operating picture that comes from increased coordination will enable cognizant authorities to better prioritize response and recover efforts by considering the dependencies and interdependencies of the lifeline critical infrastructures on which they depend. As another

Resiliency Assessment explained, “[w]ithout a predefined list of critical assets, each lifeline sector will determine the restoration order for customers on the basis of its procedural and organizational guidelines” (DHS 2014a). Such actions may not further overarching needs.

118

Greater coordination is needed to develop the enhanced situational awareness on which effective

response and recover efforts depend.

This challenge, of course, is not new. Emergency management officials and scholars

have noted the need for more effective coordination for decades (see, e.g., Donahue and Tuohy

2006). The case evidence amassed on this point while coding the RRAP cases simply suggests

that this problem persists, especially with respect to the interaction between emergency

management personnel and critical infrastructure owners and operators.

B. “Systems ignorance” is a pervasive condition.

The coded information for this second prolific barrier, which appeared 47 times across 16 case studies, indicates a widespread lack of visibility and understanding among policymakers, other government officials, and private sector interests of how critical infrastructure components

are inter-connected and how the lifeline infrastructure systems on which they depend are

dependent or interdependent on one another. This “systems ignorance” arguably flows, in part, from the lack of coordination (and the consequent lack of information sharing) discussed above.

On the one hand, whenever “systems ignorance” appears, the RRAP case evidence suggests it is often extensive. The following selections from the case data illustrate this point.

“Stakeholders are insufficiently aware of the complexities of the energy-water nexus” (DHS

2014a). The “lack of awareness of the dependencies and mitigation capabilities of [the studied food industry] impact the response, recovery, and restoration decisions” (Ibid.). As one

healthcare-focused RRAP noted, emergency response plans that were studied in that project “do not consider cross-sector dependencies or test priority lifeline restoration and recovery scenarios and timelines with key stakeholders” (DHS 2014a). Perhaps a Northeast-based RRAP report best characterizes the nature of this barrier:

119

While baseline data on dependencies and interdependencies of the critical infrastructure in the region has been compiled through [this] RRAP study, no detailed analysis has been executed that describes external critical needs required for response and recovery from specific all-hazards events. State and local leadership lack a decision-making framework regarding the specific support required in these recovery efforts. There exists a lack of understanding of the implications of each of these decisions on the recovery effort as a whole as well as on the surrounding dependent and interdependent infrastructure (DHS 2014a).

On the other hand, each Resiliency Assessment helps to address this barrier by increasing

awareness to, and understanding of, system dependencies, interdependencies, single points of

failure, and the potential for cascading failures. The program’s (and others’) ability to do so,

however, is arguably limited by the (in)ability to share and widely publicize such information.

Indeed, the prevalence of “unknown information” was an unexpected theme that emerged in the

RRAP data. It is to this third barrier that this dissertation now turns.

C. There is a dearth of important critical infrastructure information cognizant authorities and operators need, but do not know.

In the second-cycle coding and analysis of data coded to this third prevalent barrier,

which appeared 95 times across 27 RRAP case studies, several insightful themes emerged. The

RRAP case data suggest that some information is unknown because of the sheer age of the

infrastructure assets in question.21 This is especially common in the context of water and wastewater systems. (One studied city, for example, reportedly does not have documentation for nearly one third of its water pipes!) The word “unknown” is frequently used in the RRAP data to

21 It is surprising that the (old) age of infrastructure did not emerge as a more prevalent resilience gap in the RRAP data. (As noted in Table 4-1, above, specific evidence of this condition appears only 27 times in 10 cases.) RRAP officials interviewed for this dissertation indicated that project regions and substantive focus areas were generally selected and designed to explore and discover unknown issues, not well-documented conditions. To the extent the problem of America’s aging infrastructure is widely understood, it ended up a lesser component of the studied cases. In one notable counter-example, the 2013 Pittsburgh project, which reportedly was selected expressly because of the age of the lock and dams in the study area, asset “age” features prominently throughout the case report. Other age- related gaps typically were documented tangentially in the context of water and wastewater systems, and some nature gas distribution pipelines that supported other areas of focus.

120 describe “unknown” attackers or assailants in malicious activities catalogued in the descriptive threat assessment background sections of some reports, as well as in other irrelevant contexts.

Importantly, the data coded to the (lack of) coordination barrier previously discussed suggests that much of the unknown information noted in the RRAP cases is tied to the lack of inclusive coordinating bodies and cooperation among stakeholders. A RRAP project from the

Great Lakes megaregion provides a representative example of this condition. It notes how “[a]n information-sharing mechanism, comprising both a forum or steering group and protocols for sharing cybersecurity information, has not been defined at the regional, local, or organizational levels. Without such a mechanism, lessons learned, operational threats, and other relevant information cannot routinely be shared, coordinated, or brought to a level of cyber-related community awareness” (DHS 2014a).

The coded material also contains evidence suggesting that stakeholders often do not know critical infrastructure information because they do not understand why it is important, and thus worth knowing; or because those in possession of it are reluctant to share it, if not actually prohibited from doing so. This first of these two sub-themes is closely tied to, and highlights the ramifications of, the systems ignorance barrier discussed above. Other RRAP case data suggests policymakers, infrastructure owners and operators, and emergency and first responders sometimes “don’t know what they don’t know” largely because they do not have a broad, systems-based understanding of their environment. As a water sector-focused RRAP project explained, the “lack of demand and supply information from water systems [available for the region under study] could affect the ability of State and local emergency responders to prioritize recovery actions effectively during a significant event, such as a long-term electric outage” (DHS

2014a). Yet emergency managers and first responders in that case had apparently not sought out

121

this vital information. In another related example, a regional water treatment plan in the

Piedmont Atlantic megaregion was unaware of where it fell on any prioritization lists (to the

extent they might exist) for the restoration of natural gas service on which its emergency pump

generators run. Unknown information appears to feed systems ignorance, and vice versa.

Perhaps not surprisingly, the proprietary nature of much infrastructure information, and the regulatory protections placed thereon, further aggravate this information blindness. This theme appears most clearly in case data concerning the communications sector. As one energy- focused RRAP report noted, “information about the Communications Sector’s architecture elements is proprietary; collecting information about network access architecture, usage, location, and functions at the customer level can therefore be challenging. The ever-changing nature of communications technology further complicates the process. As a result, sector owners and operators must rely on each customer to identify customer-level critical assets” (DHS

2014a). Another case study from the same region contained a similar observation: “limited data regarding the locations, interconnectedness, and resilience of voice and data communication networks in the study area were available” (Ibid.)

Ironically, the protections afforded to Protected Critical Infrastructure Information

(PCII), which limit access and distribution of materials so-labeled to those specifically cleared by

DHS to handle such information, stand in tension with the RRAP’s own efforts to address the very systems ignorance and unknown information barriers suggested by its data. Numerous

Resilience Assessments contain the following disclaimer: “Because of the sensitive, site-specific nature of this key finding, resilience enhancement options are limited to the PCII section of this report.” While the program has taken steps to facilitate wider distribution of its products, including by placing PCII information in annexes to its Resiliency Assessment so that it can

122

release the main reports under the For Official Use Only label (which allows state clients to

decide what additional actors can have access to any given Resiliency Assessment that state

holds), the prevalence of “unknown information” reflected in the RRAP case evidence

underscores the need for a wider distribution and greater awareness of how infrastructure

systems are interconnected and interdependent

D. There are insufficient funds (and incentives) for investing in resilience.

In general, the RRAP data provides far greater insight into resilience gaps, than into

barriers to removing them. This is not surprising to the extent the program’s design and efforts

are not focused on exploring how or why current system configurations and conditions came to

be. Accordingly, much of the case evidence providing insight into the barriers noted thus far in

this chapter is anecdotal, and appears in background details or recommendation justifications that

are tangential to the Resiliency Assessments’ main findings. An exception to this, however, is

the prevalence of evidence directly addressing a lack of funding for needed improvements. No

other resilience barrier was addressed as expressly in the RRAP reports as financial constraints

that enabled substandard conditions, or that hinder improvements thereto. The following representative examples illustrate the directness with which this subject is addressed in the

RRAP case studies.

In one agriculture and food-focused RRAP, the report authors succinctly note, “State [] budget cuts are impacting disease response operations” (DHS 2014a). In a commercial facilities- focused case report, one facility representative is quoted as explaining how “budget constraints often impede the implementation of protective measures to mitigate identified security gaps”

(Ibid.). Similarly, in an energy production-focused RRAP project, the authors note that “due to

[poor] economic conditions, plants often have less money to spend on improving resilience, including improving planning, installing backup generators, implementing cyber-security

123

enhancements, maintaining response equipment and procuring mobile transloading equipment”

(Ibid.). Relatedly, a water-focused Resilience Assessment recounts how, “preparedness practices

that increase resourcefulness are expensive to implement and/or maintain; furthermore, training

can be costly and time-consuming. Recently, within the region’s Water Sector, there has been a

lack of support for security and preparedness initiatives; this remains a significant barrier”

(Ibid.). Similarly, both healthcare-focused RRAP projects scoped within this research note the

negative effects of tight budgets in that sector. As one detailed, “all hospitals visited during this

RRAP identified that diminishing security budget issues were a concern, as that reduces their

ability to properly monitor healthcare operations or provide a direct deterrent to adversaries.”

While there are only 41 express references to the lack of funds as the reason for a

specified condition, which appear across 18 (i.e., just over half) of the RRAP cases studied, the

clarity and strength of these statements suggests – albeit not likely to be surprising to anyone

familiar with infrastructure – that the scarcity of financial resources remains a significant barrier

to improving resilience.

E. Efficiency is often valued over ensuring continuity of function.

A final related, but potentially under-appreciated, barrier to resilience merits discussion as the fifth most prevalent barrier to emerge from the RRAP data, appearing 33 times. As Flynn explains, the decision by many commercial entities to use just-in-time delivery systems often effectively eliminates redundancies in order to make these systems “leaner” (Flynn 2015, 13). It simultaneously makes them less resilient, however, as excess capacity – capacity and redundancy that would be useful in response to disruptions – is intentionally removed. Just under half (14) of the RRAP cases, representing a range of sectors and regions, contained evidence of this phenomenon. The following representative examples illustrate the prevalence of this preference.

124

As one RRAP report explains:

Over the last fifty years the U.S. broiler industry has moved toward commercialization and consolidation under a business concept known as “vertical integration.” This means one corporation has ultimate ownership or tight contractual control over every aspect of production, including the breeding and hatching of young birds; all intermediate steps in the growth cycle; provision of feed; transportation; slaughter; and consumer marketing. Ninety-five percent of broiler operations are controlled by vertically integrated (breeder to slaughter control) operations, while 5% of farmers raise their chickens on company owned farms. …. This time-sensitive, tightly controlled system allows broiler companies to birth, raise, and slaughter chickens according to “just-in time” domestic and international consumer demands. ...[T]his controlled system can make the same broiler companies vulnerable to certain hazards. (DHS 2014a).

As another Resiliency Assessment describes:

Ethanol production relies on the “almost just-in-time” delivery of raw products and shipment of refined products. Ethanol plants often have a limited ethanol storage …; without rail to transport the ethanol away from the plant to its next destination, production would stop. In addition, the plants may not be capable of storing byproduct for more than a few days to a week, owing to space limitations or the potential for it to rot; therefore, the loss of road transportation to truck it offsite to feedlots would also cause a facility to stop production. Any delay in transportation might have cascading effects on the entire ethanol supply chain, from farmers sending corn to the plant, to ethanol being shipped to blender customers, and to byproduct being shipped to feedlots. (DHS 2014a).

Liquid fuel systems similarly suffer from this “lean” approach to business. As one RRAP found, “[m]ost bulk fuel terminals operate on a “just-in-time” basis. Those markets which rely heavily on pipelines to supply terminals will experience fuel shortfalls from interruptions of pipeline deliveries lasting longer than the replenishment cycle...” (DHS 2014a).

Even hospitals are vulnerable to disruption because of this preference for efficiency.

While they generally “have mature emergency response and medical surge plans,” hospitals often “lack recovery plans that address the catastrophic loss of key dependencies such as … disruptions to vital transportation routes that support their ‘just in time’ supply chain delivery

125

systems” (DHS 2014a). This potentially shortsighted premium placed on the efficiency of

operations is truly pervasive.

As each of the five strongly recurring themes found in the cases data suggest, there are

deep-seated systemic challenges to recognizing, understanding, and communicating resilience

gaps, and to creating the broader culture of resilience necessary to address them. A necessary

step to confronting these barriers is better understanding them. The fourth and final research

question, to which this dissertation now turns, was designed to advance this issue.

IV. To what extent do the presence and significance of these barriers differ across regions and critical infrastructure sectors?

This dissertation’s attempt to delve into regional differences and sector-based barrier

correlations was impaired by the limits of the RRAP case data, and its distribution, in much the

same ways that it was for exploring potential cross-sector resilience gap distinctions. As

explained above, the relatively few RRAP case studies undertaken in any given megaregion (or other geographic area, for that matter), combined with DHS’s intentional distribution of substantive areas of emphasis in each, made it difficult to detect any strong correlations between the observed systemic barriers and any given geographic locale or infrastructure sector. These

difficulties were further aggravated by the relative scarcity of evidence in the case studies

directly substantiating barriers to resilience. As discussed further in the following chapter, there

is only one third as much case evidence in the case studies concerning observable barriers to

resilience as compared to the amount of data concerning specific resilience gaps.

Table 4-6, on the following two pages, depicts the coding references and source counts

produced with an NVivo coding query with the nodes from the barrier coding scheme and the

eight infrastructure sector focus areas from the coded RRAP projects.

126

Table 4-6 – Barrier Coding by RRAP Infrastructure Sector Focus Area Cross Tabulation # of Coding References to Barrier (# of RRAP Case Studies with Coding References to Barrier)

Infrastructure Sector Focus Area of Given Resiliency Assessment

(2)

(1)

Coded Barrier to Resilience Agriculture and (4)Food Commercial (7) Facilities Dams Defense Base Industrial (1) Energy (9) & Healthcare Health Public (2) Transportation (7) & Water Wastewater (33) Cases All

Failure to Recognize 7(4) 14(4) 0 7(1) 39(8) 16(2) 38(7) 11(2) 132(28) Foreseeable Risks and Uncertainties − Assumptions of Stationarity 0 0 0 0 4(3) 0 5(2) 0 9(5) − Inappropriately Discounting Risks 0 0 0 0 0 10(1) 9(4) 0 19(5) − Overestimating Current Capabilities 0 2(1) 0 0 2(2) 1(1) 8(3) 2(2) 15(9) − Politically Risky to Acknowledge Gap 0 0 0 0 0 0 0 0 0 − Unknown Information 7(4) 13(4) 0 7(1) 32(7) 6(2) 20(7) 10(2) 95(27)

Lack of Definition 9(3) 18(5) 0 1(1) 18(6) 6(2) 15(5) 9(2) 76(24) or Integrative Approach − Failure to Recognize Inter/dependencies 5(2) 13(3) 0 1(1) 8(5) 2(1) 11(3) 7(1) 47(16) − Lack of Agreed Upon 4(2) 4(2) 0 0 9(2) 4(1) 2(2) 2(1) 25(10) Standards or Measures

127

Table 4-6 – Barrier Coding by RRAP Infrastructure Sector Focus Area Cross Tabulation (Continued) # of Coding References to Barrier (# of RRAP Case Studies with Coding References to Barrier)

Infrastructure Sector Focus Area of Given Resiliency Assessment

(2)

(1)

Lack of Incentives 12(4) 14(6) 0 0 25(8) 10(2) 18(6) 3(1) 82(27) or Presence of Disincentives − Confusion and Lack of Common Definition 0 0 0 0 0 0 0 1(1) 1(1) − Disincentives 1(1) 0 0 0 1(1) 1(1) 3(2) 0 6(5) − Efficiency Valued 5(2) 1(1) 0 0 14(7) 7(2) 6(2) 0 33(14) over Continuity of Function − Few Rewards (or funds) 6(3) 12(5) 0 0 10(3) 3(2) 7(4) 3(1) 41(18) for Investing in Resilience

Organizational 34(4) 65(7) 1(1) 8(1) 71(9) 24(2) 79(7) 18(2) 300(33) or Governance Challenges − Coordination or Collaboration 25(4) 54(7) 1(1) 7(1) 58(9) 13(2) 60(7) 15(2) 233(33) − Fighting the Last Battle 0 5(3) 0 1(1) 2(1) 8(2) 15(4) 1(1) 32(12) − Law or Regulation (lack of or mismatched) 9(2) 6(4) 0 0 11(5) 1(1) 5(2) 0 32(14)

128

Comparing Table 4-6’s coding references with Table 4-2’s counts, the relative scarcity of barrier

evidence as opposed to gap evidence is clear. Nevertheless, as with the study of gaps within and

across infrastructure sectors and regions, I attempted to use the coding reference and source

count data to guide the qualitative exploration of barrier-sector relationships.

Ultimately, however, with respect to sector-based barrier distinctions, themes emerged

more strongly during the review of the case data when considering the gaps and barriers

previously noted. For example, gaps related to dependencies on the communications sector are

attributed more than once to end users’ lack of (i.e., “unknown”) information about their service

provider’s limitations, which arises from the proprietary nature of many portions of the

telecommunications industry. It is not possible to quantitatively substantiate a sector-barrier

correlation (i.e., a recurring link between the communications sector and “unknown”

information) in Table 4-6, however, as communications is not a designated focus sector for any

of the studied RRAP reports. To further investigate this theme, I re-read all matter coded to the

communications dependency gap node, and then re-read the materials coded to the “unknown

information” node (across all sectors and regions). In doing so I found that these references

actually came from two energy sector-focused cases, which discussed communications dependencies. While these few references to the proprietary nature of the communications

industry cannot substantiate a barrier-sector relationship, this example underscores the

difficulties encountered in quantitatively exploring such linkages.

Similarly, the previously reviewed gap-coded case data associated with healthcare and

public health-focused cases contained several statements suggesting a lack of incentives for

investing in resilience frequently impair the resilience of hospitals. The ten barrier coding

references noted in Table 4-6 on this broader point do not support the notion that this type of

129

barrier is appreciably more or less prevalent in the healthcare sector, as compared to others. As

the observations concerning hospitals were based on only two RRAP cases, and a few coded

textual references therein, there is arguably insufficient evidence to support a larger sector- barrier correlation. This problem was prevalent in finding sector-based differences in other

contexts as well given the distribution of the RRAP cases. Ultimately, neither the second-cycle coding and analysis, nor the coding queries and NVivo cross tabulations yielded clearly discernable, empirically supportable barrier distinctions based on infrastructure sectors.

This effort’s exploration of the extent to which barriers vary by geographic region was slightly more enlightening. Table 4-7, on the following pages, depicts the results of another coding query based on all barrier nodes and the megaregions represented in the coded RRAP cases. In reviewing the underlying barrier-coded data represented in this table in a structured region-by-region fashion, an interesting theme emerged.

The Regional Resilience Assessment Program itself does not use the Regional Plan

Association’s (RPA’s) 11 megaregion scheme (2015) to sort or analyze RRAP case studies geographically. This dissertation did so to explore differences between these inter-connected major metropolitan areas. A closer look at the coded data reveals a barrier-based difference between RRAP projects that fell within any of these regions, and those that were conducted outside them. The Resiliency Assessments for cases undertaken in more remote regions,22 in

general, contained case data and descriptions that lent themselves better to barrier coding. That

is, the data and discussion in RRAP cases studies that were undertaken outside of designated

megaregions provide clearer insights concerning barriers than cases falling squarely

22 I classified the RRAP case studies form the following areas as falling outside of the designated megaregion: Alaska, Denver, Nebraska, North Dakota, Oklahoma, Puerto Rico, Salt Lake City, Texas Panhandle, West Virginia, and Wyoming.

130

Table 4-7 – Barrier Coding by Regional Plan Association Megaregion Cross Tabulation # of Coding References to Barrier (# of RRAP Case Studies with Coding References in Barrier)

Regional Plan Association Megaregion of Resiliency Assessment

(2)

(8) (1)

(2)

(3) (2)

Coded Barrier to Resilience

Not Assoc. w/ Region Mega (10) Arizona Sun Corridor Cascadia Florida Front Range(2) Lakes Great Northeast Northern & Calif. Southern (2) Piedmont Atlantic Triangle Texas (1) (33) Cases All

Failure to Recognize 34(8) 6(1) 0 11(2) 3(1) 12(3) 44(8) 3(2) 5(2) 14(1) 132(28) Foreseeable Risks and Uncertainties − Assumptions of Stationarity 2(1) 0 0 0 0 0 7(4) 0 0 0 9(5) − Inappropriately Discounting 3(2) 0 0 0 0 0 6(2) 0 0 10(1) 19(5) Risks − Overestimating Current 3(2) 1(1) 0 2(1) 0 1(1) 7(3) 0 0 1(1) 15(9) Capabilities − Politically Risky to 0 0 0 0 0 0 0 0 0 0 0 Acknowledge Gap − Unknown Information 25(8) 5(1) 0 10(2) 3(1) 12(3) 28(7) 3(2) 5(2) 4(1) 95(27) Lack of Definition 22(7) 7(1) 1(1) 9(2) 4(1) 7(3) 17(5) 2(1) 3(2) 4(1) 77(24) or Integrative Approach − Failure to Recognize 8(5) 7(1) 1(1) 8(2) 4(1) 6(2) 13(4) 0 0 0 47(16) Inter/dependencies − Lack of Agreed Upon 13(4) 0 0 0 0 1(1) 2(1) 2(2) 3(2) 4(1) 25(10) Standards or Measures

131

Table 4-7 – Barrier Coding by Regional Plan Association Megaregion Cross Tabulation (Continued) # of Coding References to Barrier (# of RRAP Case Studies with Coding References in Barrier)

Regional Plan Association Megaregion of Resiliency Assessment

(2)

(8) (1)

(2)

(3) (2)

Coded Barrier to Resilience

Not Assoc. w/ Region Mega (10) Arizona Sun Corridor Cascadia Florida Front Range(2) Lakes Great Northeast Northern & Calif. Southern (2) Piedmont Atlantic Triangle Texas (1) (33) Cases All

Lack of Incentives 28(7) 0 4(1) 1(1) 4(2) 7(3) 19(8) 2(1) 12(3) 5(1) 82(27) or Presence of Disincentives − Confusion and 0 0 0 0 0 0 1(1) 0 0 0 1(1) Lack of Common Definition − Disincentives 3(2) 0 0 0 0 0 1(1) 1(1) 0 1(1) 6(5) − Efficiency Valued 14(6) 0 0 0 1(1) 1(1) 11(4) 0 4(1) 2(1) 33(14) over Continuity of Function − Few Rewards (or funds) for 12(5) 0 4(1) 0 3(2) 6(3) 5(2) 1(1) 8(3) 2(1) 41(18) Investing in Resilience

− Organizational 97(10) 8(1) 11(1) 23(2) 11(2) 16(3) 67(8) 18(2) 33(3) 16(1) 300(33) or Governance Challenges − Coordination or Collaboration 78(10) 8(1) 7(1) 22(2) 11(2) 14(3) 49(8) 14(2) 22(3) 8(1) 233(33) − Fighting the Last Battle 10(3) 0 1(1) 1(1) 0 1(1) 9(4) 0 3(1) 7(1) 32(12) − Law or Regulation 8(4) 0 3(1) 0 0 1(1) 7(2) 4(2) 8(3) 1(1) 32(14) (lack of or mismatched)

132

within the clustered networks of cities and interconnected transportation hubs. This did not

result in more gaps being identified or coded in non-megaregion case studies, although that was the case for some RRAP reports. (The Puerto Rico and Wyoming Resiliency Assessments have

among the most barrier coding references of any of the RRAP reports, ranking first and fourth,

respectively.) As a group, the non-megaregion RRAP cases provide 181 of the 592 barrier

coding references (approximately 30%), which generally aligns with this sector’s overall

representation (ten of 33 cases) within the studied projects.

The case evidence does not itself suggest a clear answer as to why the non-megaregion

cases provide clearer evidence of systemic barriers to resilience. The ten coded RRAP projects that fall outside the RPA’s designated megaregions cover five of the eight sector focus areas represented elsewhere in this study, such that an over or under-representation of sector focus areas outside the megaregion studies is not likely the cause. It may be that the megaregions inherently provide a more complicated research setting due to the more numerous and more interconnected infrastructure systems they, by definition, contain. In other words, it may simply be easier to identify, articulate, and understand barriers to resilience when the subjects under study are more remote. To be clear, case studies conducted outside of the RPA megaregions are replete with interconnected and interdependent infrastructure systems. It is certainly possible, if not likely, however, that the scale of those systems, and their potential interaction with even larger sets of systems, affects a given operator’s understanding and (potentially subconscious) articulation of why those gaps exist. To the extent future RRAP projects, or other research efforts, desire to better understand systemic barriers to improving resilience, this apparent distinction is worthy of further investigation.

133

Despite the noted limitations of this research, and the lingering questions just discussed, there are broader implications to be drawn from my findings. It is to these bigger picture issues that this dissertation now turns in the following, final chapter.

134

Chapter 5

The ultimate findings of this effort’s coding and analysis, as detailed in the preceding chapter, can be succinctly summarized as follows. Four recurring resilience gaps appeared most clearly in the RRAP data across many, if not most, of the studied infrastructure sectors and geographic regions. These recurring gaps are: (1) a dependence on energy, aggravated by an insufficiency or complete absence of back-up power systems; (2) the fact that response and recovery plans and planning seldom include all relevant stakeholders necessary to address known hazards in a comprehensive manner; (3) the presence of numerous single or critical points of failure; and (4) a lack of redundancy, insufficient system capacity, or both, that diminishes the resilience of many infrastructure systems. The limitations of the data used in this effort – including the limited distribution of RRAP projects among infrastructure sectors and megaregions – impaired the ability to detect strong regional or cross-sector difference in these

(or other) gaps, with a possible exception related the comprehensiveness of planning efforts involving the energy sector.

With respect to systemic barriers that likely enabled these resilience gaps to develop or persist, the coding and analysis of the RRAP case evidence affirmed the presence the four major barriers, and numerous sub-components thereof, noted by Flynn’s Post Sandy Study (2015).

More specifically, the cross-case analysis of the RRAP data revealed that five specific barriers are particularly prevalent: (1) the nation continues to face significant shortcomings in emergency response and recovery coordination efforts at the regional and cross-regional levels;

(2) there is a widespread lack of visibility or understanding of how critical infrastructure components are inter-connected and how systems are dependent or interdependent on one another; relatedly, (3) there is a dearth of important critical infrastructure information (beyond

135

dependencies and interdependencies) that is available to cognizant authorities and operators –

either because they do not understand why they should seek or insist on gaining access to

information that would resolve certain “unknowns”, or because those in possession of relevant

information are reluctant to share; (4) there are insufficient incentives (and funding, in particular)

for investing in resilience; and, (5) efficiency is often valued over ensuring continuity of

function. As with the efforts to detect regional or infrastructure sector-based resilience gap

differences, the limitations of the data, compounded by a comparative scarcity of evidence

concerning barriers as such – which are admittedly not a focus of the RRAP’s efforts – leave the

last of this effort’s four research questions largely unanswered. The ability to discern barrier conditions more easily in RRAP case studies conducted outside of designated “megaregions,” however, raises an interesting issue that merits further study.

This final chapter considers the broader implications of this research and suggests ways

to advance and improve upon this work, related resilience research, the Regional Resiliency

Assessment Program, and homeland security itself. It does so in five major sections. First, it

draws on the findings set forth in Chapter 4, and on the evolution of the RRAP process, to

reconsider the various theories of resilience and ways to assess it as set forth in the current

literature. It suggests why there is clear benefit to adopting a systems-based, function-focused

view of resilience that is hazard-agnostic. The second section argues the importance of further

study concerning systemic barriers to improving resilience gaps to facilitate broader

understanding of the challenges we face. Relatedly, the third section proposes a framework for

divining and analyzing linkages between common gaps and barriers. Next, it suggests ways to

further exploit the RRAP program data, and the need to make it more available to researchers.

The final section then moves beyond considerations based on specific findings and draws on the

136

fuller array of experiences and insights gained from conducting this research. It proposes (1) ways to leverage the mixed quantitative and qualitative methodology adopted for this dissertation in conducting other public policy research; (2) insights from the research experience gained throughout this effort that might inform ongoing interdisciplinary initiatives to better understand and advance critical infrastructure (and other types of) resilience; and (3) options for enhancing

DHS’s strategic approach to resilience, and homeland security more broadly.

I. The RRAP Process and Data Affirm the Utility of Resilience as a Construct for Improving Homeland Security, and Suggest Three Practical Considerations for How It Might Be Best Conceptualized and Applied.

The overarching objective of this research has been to facilitate a better understanding of the potential for – and challenges with – using the concept of resilience to improve homeland security. The common gaps and barriers that emerged from the RRAP data, as detailed in the preceding chapter, provide a useful context with which to reconsider, and potentially cut through, the morass of resilience definitions and components recounted in Chapter 2. Indeed, this data, and the evolution of RRAP process itself, provide several practical insights that should be considered if the concept is to facilitate tangible homeland security improvements. Three such key insights are highlighted here: (1) the importance of approaching resilience from a functional, adaptive, systems-based orientation; (2) the need to think, design, and plan, in terms of tiered levels of function and acceptable timelines for restoring them in response to disruption, and (3) the ability, and utility, of approaching resilience in a hazard-agnostic fashion.

One practical insight arising from this study’s work is the benefit of exploring resilience first and foremost through a focus on function; as opposed to a sterile or stove-piped study of which attributes “make” a given asset, system, or community resilient. This observation is a tangential outgrowth of the idea, expressed in the Resilience Engineering literature, that

137

resilience is not something a system "has," but something it "does" (Hollnagel, Woods, and

Leveson 2006, 347). The RRAP’s data collection activities, especially its facilitated stakeholder

discussions, table top exercises, and affiliated interviews, carefully guide participants to thinking

beyond a given asset’s or system’s physical boundaries and characteristics (i.e., “beyond the

fence line”), to exploring its dependencies and interdependencies with lifeline infrastructure

systems, and ultimately the corresponding vulnerabilities, dependencies, and interdependencies

among those supporting systems. The ability to consistently produce specific key findings and

actionable enhancement options suggests that RRAP participants were able to effectively assess

their respective abilities to “prepare for, adapt to, withstand, and recover from” an adverse event

simply by considering the essence of what their respective asset or sector does (i.e., what its

outputs are), and by then thinking about the supporting systems on which it depends to do so

(i.e., its required inputs). The case evidence suggests that this approach proved productive, at

least to some degree, regardless of how many, and which specific, “R” components of resilience

(i.e., robustness, redundancy, reparability, recovery, response) were employed. As the RRAP

process evolved, and less emphasis was placed on specific components or characteristics of

resilience in favor of simply using PPD-8 and PPD-21’s broader definition of the concept, key

findings actually became more focused. As explained by senior RRAP coordinators, DHS

Headquarters Team Leads, and other RRAP process owners, the sharpened “key findings” were

due, in part, to a conscious shift to more customer-focused final products. Beyond that, however, the case reports and supporting interviews suggest that the broader conceptualization of resilience provided by PPD-8 and PPD-21 proved more useful to the infrastructure asset owners and system operators participating in the RRAP projects, as they were freer to explore and define for themselves what resilience meant in their respective domains. Given the ample cross-case

138

evidence documenting rampant unknown and under-appreciated interconnections with and among lifeline infrastructures – e.g., the repeatedly under-estimated dependency on electricity

for core function; and the electric system’s corresponding interdependency with fuel and

transportation systems that support electric generation and distribution – any conceptualization

of resilience that gets communities, infrastructure owners and operators, and government

regulators thinking about how their interests and domains intersect with one another is useful

from the perspective of improving homeland security. (Indeed, a senior RRAP program official

noted, anecdotally, that nearly half of the RRAP project “customers” to date have viewed

participating in cross-sector discussions of dependencies and interdependencies as one of the

most important benefits of the program.) By approaching resilience in terms of inputs and

outputs – the hallmark of a systems approach – and thinking about how these systems “behave,”

the RRAP program has generated numerous practical paths to improvement that are grounded

more in facilitating broader understanding than on applying precise metrics and measurement.

This growing body of work and its numerous actionable “resilience enhancement options” is a

testament to the value in this functional approach.

To be sure, the many assessment and visualization tools, dashboards, and resilience

indexes that underlie each RRAP project provide useful quantitative data for comparative

analysis. The key findings and actionable resilience enhancement options, however, flow more

from the program’s overarching systems-based, function-focused methodology to studying

resilience than from any one specific metric. The ongoing inter-disciplinary academic debate

over the best way to conceptualize and operationalize resilience through multiple components

across multiple domains remains important for developing a means of conducting further

quantitative cross-case analysis. It is also vitally important for developing tools that can help

139

policymakers and asset owners better visualize interdependencies. That debate tends to

overlook, however, the benefits to be gained from further qualitative comparative analysis, made

possible by the growing body of knowledge created by the RRAP, as further analyzed in this

dissertation, and from society’s growing appreciation and interest in understanding the dependencies and interdependencies among critical infrastructure systems.

A second broader insight that emerged from the RRAP case data is the importance of

identifying and then designing to, or otherwise implementing, tiered levels of function and

acceptable recovery timelines for critical functions and systems. Doing so allows communities

and operators (who themselves are ultimately a part of the systems and functions under study) to

better allocate scarce response and recovery resources in the wake of a disruption and to better target limited enhancement monies even before an adverse event occurs. Over two-thirds of the

33 Resiliency Assessments used in this study contain specific evidence documenting a widespread lack of understanding of what assets or sectors in a given study area were positioned to operate independently on organic resources, whether at full or reduced capacity, and which needed to receive priority attention post-disruption to restore critical function for themselves, and for assets that depend on them. This “systems ignorance” significantly impeded response and recovery operations in RRAP capstone tabletop exercises and in historic event operations recalled by RRAP participants.

Relatedly, 12 of the Resiliency Assessments studied noted a lack of any attempt, in emergency response and continuity planning (whether public or private sector), to prioritize the restoration of one or more critical infrastructure services. Program leaders interviewed for this research indicated that the absence of such evidence in early RRAP reports is, in part, a reflection of “how much we didn’t know we didn’t know,” and the evolution of the RRAP

140

process itself. That is, those conducting assessments in the early years of the program did not

know to inquire as deeply into planning and coordinating processes as they do today.

Accordingly, the lack of prioritized planning schemes is likely much more pervasive than the

studied cases suggest.

Not surprisingly, the case evidence revealed that the frequent failures to triage response

and recovery activities in advance (a repeatedly noted planning gap) is often tied to evidence

suggesting a systemic lack of understanding of system dependencies and interdependencies (a

prevalent barrier). Successful prioritization, however, is also contingent on better understanding

which systems can operate independently at reduced levels, and for how long. Theories of

resilience that expressly incorporate notions such as graceful degradation, and graceful

extensibility are well suited to promoting further consideration of this important component.

Fortunately, this aspect of resilience is already being addressed in government planning

documents to some degree. As part of its six-step process, the National Institute of Standards and Technology’s recently released “Community Resilience Planning Guide for Buildings and

Infrastructure Systems” prompts communities to “establish desired recovery performance goals for the built environment at the community level based on social needs, and dependencies and cascading effects between systems” (2015). This guidance squarely addresses the lack of such information that is noted in numerous RRAP reports. It dovetails with federal efforts such as the critical infrastructure risk management framework and sector-specific plans contemplated by the

National Infrastructure Protection Plan, as well as the Threat and Hazard Identification and Risk

Assessment (THIRA) process required by the Post-Katrina Emergency Management Reform Act for those states seeking DHS federal preparedness grants (the later of which is designed to prompt communities to identify their core capabilities, as set forth in the National Preparedness

141

Goal (DHS 2011; DHS 2015f), and the resources needed locally to achieve and maintain them).

This increasingly prolific preparedness assessment and planning approach underscores the strength and practicality of those views of resilience (see, e.g., Bruneau et al. (2003), and Haimes

(2009)) that advance the idea of a “resilience curve” that emphasizes both maintaining functionality and minimizing recovery times for any degradation in capability.

What is less clear, from this study of the RRAP data, is the necessity of any express link between risk – or its familiar components: threat, vulnerability, and consequence – and resilience. That is, a third practical insight for leveraging the concept of resilience for improving

Homeland Security suggested by this study of the RRAP cases is the potential, and utility, in approaching resilience from a hazard-agnostic perspective. As recounted in Chapter 2, Haimes argues that resilience, like robustness, is a function of a specific threat vector, and as such, cannot be measured outside the context of a specific threat. While such may be the case for the purposes of precisely modeling and quantitatively measuring resilience in certain fashions, recent

RRAP reports suggest that approaching resilience from a hazard-agnostic perspective is nonetheless a very productive exercise. The earliest RRAP reports spend a good deal of ink cataloguing the threats and hazards a given region or sector focus area is likely to face, and the consequences of various associated scenarios, before exploring gaps to successfully maintaining function in the face of such threats. This is not at all surprising given the federal government’s longstanding risk management-based approach to homeland security. Some later reports, however, depart from this orientation somewhat and place greater priority on fostering and exploring a better understanding of how the major systems under study will behave when subjected to a given disruption, regardless of its cause. Even without considering the probability and consequences of a specific disruption, these later, threat-agnostic RRAP projects developed

142 just as much practical insight into the workings and weaknesses of the focus sector under study and its supporting critical infrastructure systems, and yield just as many specific resilience enhancement options for addressing them as those tied more expressly to specific threats and hazards.

It is true that the RRAP projects universally use some hazard or threat to prime discussions about possible, if not likely, systems disruptions. Moreover, risk analysis principles will always play an important role in helping to identify which improvements will provide the probabilistically greatest return on investment. Deemphasizing the threat or vulnerability aspect, however, and disabusing stakeholders of the notion that resilience discussions are necessarily risk-based assessments is useful for a least two reasons. The first is related to the National

Academy of Sciences’ 2010 review of the Department of Homeland Security’s use of risk analysis in executing that agency’s missions. Importantly, that study concluded that:

[a] fully integrated analysis that aggregates widely disparate risks by use of a common metric is not a practical goal and in fact is likely to be inaccurate or misleading given the current state of knowledge of methods used in quantitative risk analysis. The risks presented by terrorist attack and natural disasters cannot be combined in one meaningful indicator of risk, and so an all-hazards risk assessment is not practical. The science of risk analysis does not yet support the kind of reductions in diverse metrics that such a purely quantitative analysis would require. (National Research Council 2010)

If the Academies’ assessment remains valid, pending further advances in the science of risk analysis itself, any true all-hazards comparative risk prioritization must necessarily include a combination of quantitative and qualitative approaches, using multiple metrics (see e.g.,

Lundberg and Willis 2015). With the overall comparative risk of natural hazards and terrorist threats thus somewhat unclear, if not unobtainable, tightly tying resiliency assessments and improvement efforts to first determining the perceived “riskiest” disruptions and vulnerabilities

143 is inherently problematic. Fortunately, as the viability of the more recent, threat-agnostic RRAP projects indicate, it is also generally unnecessary.

Second, if, as many scholars and a growing number of definitions suggest, resilience is construed to include the ability to adapt and react to the unforeseen and unknown (see, e.g., The

White House 2011; Alderson, Brown, and Carlyle 2014; Woods 2015) focusing analyses and discussion of resilience exclusively around predictable events, let alone probabilistically likely ones, seems illogical.

II. Future Resilience Research Should Incorporate Greater Consideration of the Barriers to Enhancing Resilience that Underlie Noted Gaps.

Another broader insight that emerges from this dissertation’s work with the RRAP cases is the importance of further study concerning the barriers to enhancing resilience. While over

1,800 chunks of data proved useful in developing and populating an intricate scheme of descriptive, recurring resilience gap nodes, only 611 snippets of information from over 4,000 pages of RRAP reports provided clear insights into the barriers that either facilitated such gaps in the first place, or allowed them to remain over time. This disparity is not surprising to the extent the mission of the RRAP program is to “identify dependencies, interdependencies, cascading effects, resilience characteristics, and gaps; assess the status of the integrated preparedness and protection capabilities of critical infrastructure owners and operators, local law enforcement, and emergency response organizations; [and c]oordinate[] protection and response efforts to enhance resilience and address security gaps within [each targeted] geographic region” (DHS 2014c).

Notably absent from this statement of purpose is any tasking to discern how and why such conditions came to be, or why they persist. While there was sufficient data to code resilience barriers – and lessons to be learned therefrom – the information and comments used to do so

144

were largely anecdotal. (The fact that I coded only one third as many chunks of case evidence

regarding barriers to enhancing resilience than I did for resilience gaps is also likely due, at least

in part, to the care I took to avoid “reading too far” into data or comments or otherwise inferring

causation based on descriptions of a given asset’s or actor’s state, as explained previously in

Chapter 3.) Interestingly, many of the insights into why a specific resilience gap existed (or

persisted) surfaced in text concerning proposed resilience enhancement options aimed at

addressing a particular gap. The report authors apparently felt the need to explain the context

and background in greater detail when suggesting changes, investments, or resilience

enhancement strategies to better justify their specific recommendations. This confirms that

information as to “why” and “how” a gap came to be is in fact obtainable, at least in some

instances; it was just not the focus of the RRAP research.

While this contextual information is certainly useful in making the case for specific

improvements, better understanding the underlying barriers to resilience has the potential to

bring far broader benefits. Efforts focused on highlighting gaps, and on recommending specific

fixes (i.e., resilience enhancement options), facilitate removal of the specific gaps identified.

Indeed, as suggested by the very eight-step “Resilience Management Framework” used in the first RRAP reports, and as confirmed by the RRAP process owners interviewed for this research, a selling point of the RRAP process for many state and local governments was, and remains, its ability to generate a “punch list” of items, that at the same time serves as supporting documentation when seeking various grant monies to implement the very enhancement options the RRAP products propose. Such improvements, especially those noted in early RRAP reports targeting specific assets and technical deficiencies associated therewith (e.g., the inability of a given back-up generator to run on more than one type of fuel; the lack of CCTV systems, or the

145 lack of the personnel capacity to monitor them in real time), often only improve resilience in a very specific, limited sense. To prevent similar gaps from developing over time, however, and to achieve more systemic improvement – i.e., to engrain a broader “culture” of resilience, as is called for in the National Security Strategy (The White House 2010), the National Preparedness

Goal (DHS 2011), the National Infrastructure Protection Plan (DHS 2013), and by the National

Academy of Sciences (2012), and the National Infrastructure Advisor Council (2009), among many others – it is important to understand and communicate the cognitive, organizational, governance, policy, and incentive-based barriers that we face. If the concept of resilience is to facilitate practical, systemic solutions to improving preparedness and homeland security more broadly, our conceptualization and study of it must expressly include greater inquiry and consideration of the barriers to its improvement.

Of course, some of the “gaps” and “barriers” noted in this research turn out to be two sides of the same coin. As suggested above, the pervasive planning gaps detailed in the previous chapter that emerged from the case evidence regarding the lack of a comprehensive approach to planning (e.g., where regional or state-wide governmental response plans were not adequately integrated with agency-specific or smaller jurisdictions’ plans, or failed to include non- governmental actors; or where private business continuity plans either stopped at the boundary of a given company’s property, failed to consider all of the lifeline infrastructures on which they depend, or failed to incorporate the role of governmental actors in the continuity of their private business operations) corresponded, in most instances, to additional evidence of a “failure to recognize system dependencies and interdependencies” - a key barrier repeatedly identified in the data.

146

Similarly, gaps, to include a failure to identify or adequately plan for a specific hazard or vulnerability, surfaced in the same context as information implicating the general barrier node

“failure to recognize foreseeable risks and uncertainties.” Indeed, the case evidence suggests that many such planning-related resilience gaps are strongly tied to assumptions of stationarity, inappropriately discounting risks, overestimating (or simply not understanding) current capabilities, a general lack of information, or some combination of these conditions; all conditions noted in Flynn’s post-Sandy study (2015).

In these areas of tight gap-barrier overlap and interaction, the RRAP reports generally contained more detailed information as to why and how a problem came to be. In such cases, the path to more systemic improvement through recommendations with potentially longer-lasting effects (as opposed to targeted, asset-based fixes) were more prevalent. This underscores the value of considering the barriers to resilience enhancement more broadly.

III. Further Resilience Research Is Needed On How Specific Barriers are Related to Specific Gaps.

Beyond the need for further scholarly inquiry into the systemic barriers to improving resilience, a related take-away arising from this effort’s focus on both gaps and systemic barriers to addressing them is the need for a structured framework for better analyzing and understanding the relationships between these two dimensions. The interplay between various gaps and barriers to removing them was not always as strong or obvious as the examples provided in the preceding section may suggest. In many cases such linkages were barely discernable from the case data, if at all.

A potential remedy might be to adopt the Authority, Capability, Competency, Capacity,

Partnership (“ACCCP”) construct. As a Coast Guard Duty Attorney, I have been called on

147

repeatedly to help discern the best way to address complex, multi-agency problems. Based on

that experience23 I believe this approach can be helpful when pondering the possible interrelationships among documented resilience gaps, DHS-recommended resilience enhancement options for addressing them, and any recurring systemic barriers to resilience suggested by the case evidence.

The ACCCP construct is presented, among other places, in Coast Guard Publication 7-0; that agency’s doctrine for strategically managing its overall “capability,” which it defines as the

“ability to execute a specified course of action” to fulfill any of its many statutorily imposed missions or other responsibilities (USCG 2013, 1–5).24 For present purposes, I adapted this

construct when considering a given infrastructure asset or system’s ability to execute its intended

core function. According to the ACCCP framework, ensuring the existence and continuity of

this ability requires having appropriate authorities, capabilities, competencies, capacity, and

partnerships. The following discussion briefly reviews each concept as applied here.

Authority is simply the legal or regulatory power to undertake a certain act or function.

(It is often considered alongside jurisdiction: the substantive, personal, and geo-political domains

in which authority may be lawfully exercised.) In considering a given resilience gap or barrier, I

found it useful to consider what entities or agencies had, or perhaps should have, the authority to

address the identified gap or systemic roadblock to improvement. In some cases a lack of

23 Elements of this construct appear in the definition of resilience gaps that I adopted for this work (in the absence of any clear definition of “gap” in the RRAP reports themselves), and in the parent nodes of my resilience gap coding scheme. 24 The exact origin of the ACCCP framework is unclear, although many attribute the construct to Brad Kieserman, then-head of the Coast Guard Operation’s Law Group within the Office of Maritime and International Law (CG- 0941). Mr. Kieserman later went on to serve as Chief Counsel for FEMA, and most recently as that agency’s Deputy Associate Administrator for Federal Insurance before leaving that post to serve as Vice President of Disaster Operations and Logistics with the American Red Cross.

148 authority, or overlapping authorities, was itself a governance-related barrier to improving resilience.

Capability, within the Coast Guard’s ACCCP construct, “refers to platforms or systems that are physical assets, such as planes, ships, buildings, information systems, etc.” (USCG 2013,

1–5). Clearly, many resilience gaps are asset-focused. Quickly distinguishing whether something was an asset-based or authority-related issue proved useful in considering and evaluating the case evidence for indications of what types of barriers might have led to (or perpetuated) the gap.

The competency component of the ACCCP construct brings in the human dimension, and refers to the presence (or absence) of operators and technicians, first responders, etc. who are appropriately suited to perform a specified function or role. Numerous gaps in the case evidence involved the inadequate training of first responders, or the lack of knowledge or awareness of facility owners and operators. Looking for evidence as to why a lack of competency issue existed raises fundamentally different questions than those prompted by a noted lack of authority or capability.

Capacity, the third “C” in the ACCCP construct, is related to both the capability and competency components. It refers to the relative depth and ability of these resources compared to the demand. Furthering the previous examples, a capacity problem arises when there are some first responders who are sufficiently trained to deal with a given contingency (e.g., qualified

HAZMAT personnel), but not enough of them for the scope of the situation at hand. Capacity issues also surfaced in the context of physical assets such as available hospital beds, sufficient electric transmission and distribution lines, alternative sources of water. Importantly, viewing a given identified gap as a capacity issue often implicates different barriers than an overall lack of

149

capability or competency in the first place; the later potentially implicating more troublesome

awareness and cognitive issues more so than simple ever-present resource constraints.

The partnerships component of the ACCCP construct is meant to trigger thought about

the broader field of potential players, resources, and the dependencies/interdependencies among

them that are implicated in a given situation. This component has clear relevance for resilience,

especially when it is viewed from a systems perspective.

This ACCCP model served as my mental crosswalk when looking for barriers underlying

noted gaps. That is, it proved useful in framing my thoughts and inquiries in the iterative

inductive/deductive coding and analysis process. As such, it could also serve as a useful

construct for divining, or confirming the appropriateness of any suggested, resilience

enhancement options. If a given gap arises from a lack of authority, and is thus perpetuated by a

governance barrier, asset or personnel-based resilience enhancement options may be ineffective

in removing the underlying systemic barrier, at least in the long term. Moreover, “fixing”

authority issues – or any governance issue – implicates a different set of necessary actors than

simply hardening an asset, or increasing the number of redundant components. This ACCCP is

but one possible way to discern which systemic barriers might underlie any noted resilience gap.

Whatever systems are developed or refined to this end, better understanding this linkage is an

important step to advancing the value of resilience-related research for improving homeland

security.

IV. Additional RRAP Data should be Exploited to Further this Effort; Greater Access to PCII Information Would Facilitate This Needed Research.

According to the RRAP program managers interviewed for this research, less than ten people have read all 33 RRAP reports coded and analyzed in this research, let alone studied them

150 in any detail. These cases – the only ones available at the time this effort began – enabled me to discern and share the numerous findings and broader implications set forth above. It is appropriate to pause here to reiterate and acknowledge three important limitations of this data.

First, the included RRAP reports focused on only eight of the 16 categories of critical set forth in the National Infrastructure Protection Plan: agriculture and food, commercial facilities

(including port facilities), dams, defense industrial base, energy, healthcare and public health, transportation, and water. This effort’s assessment of “common” gaps is thus limited to commonalities associated within this relatively narrow field. The “member checking” process – which, as detailed in Chapter 3, involved several group conference calls and four individual interviews with key RRAP process owners and administrators – bolsters this effort’s findings to some degree. The RRAP officials interviewed for this research confirmed, to a person, that they are seeing the same key gaps (and barriers, while admittedly still not an official subject of their inquiry) identified in this cross-case study in subsequent RRAP projects involving additional sectors (and regions) not considered here. Still, further research is needed to confirm the pervasiveness of the gaps highlighted in this work in other infrastructure sectors and regions (i.e., to test the transferability of these findings to other research settings).

Second, the over-representation of energy, transportation, and commercial facility- focused projects, which collectively account for nearly 75% of the RRAP projects studied in this research, limited the robustness of this study’s intra and cross-sector analyses. Public health, water and wastewater, dams, and the defense industrial base were each the focus of only one or two studied RRAP projects. While numerous critical infrastructure sectors are addressed in each project in some fashion, they are not necessarily the focus of attention.

151

Third, while the coded RRAP projects covered nine of 11 mega regions (and ten

geographic areas that fell outside of these conglomerations of interconnected metropolitan areas),

the distribution of sector focus areas researched within these regions was far from uniform and

limited by the small number of projects with the limited focus areas noted above. Future

research can address the threats to validity imposed by these limitations by simply adopting the coding schemes and methodology developed in this work, and applying them to future RRAP projects, including the 15 (and counting) that have been finalized since this research began.

In addition to considering a broader swath of data, there is an opportunity, if not need, to dig deeper into the RRAP body of work. As explained in Chapter 3, this research is based on a line-by-line coding and analysis of the RRAP Resilience Assessments (i.e., each project’s final product). As this was the first attempt to explore this body of work in a systematic fashion, it made sense to develop a process that could be employed consistently across all past case studies.

(An implied objective of this research was to assess the potential value of the RRAP data itself.)

Accordingly, this effort did not explore the various underlying interviews and assessment tools, which vary in number and type for each project, that provide the raw data on which the final

RRAP reports are based. Future researchers should mine this underlying field of information for additional insights into the gaps and barriers noted herein. To the extent barrier evidence often surfaced anecdotally in text justifying specific proposed resilience enhancement options, it is likely that this underlying material contains valuable evidence that was excluded from the final reports, especially as the final products were honed down over time to provide more tightly written analyses targeted to the needs of each project’s client. Such data was simply beyond the scope of the present effort.

152

Of course, any further analysis of additional RRAP reports, or the underlying data

collected to support them, depends on researchers having access to this valuable information. As

critical insights were often embedded in sections of the Resiliency Assessments labeled as

Protected Critical Infrastructure Information – the distribution of which is closely controlled –

the Department of Homeland Security should continue to carefully evaluate how RRAP products

are marked to ensure that only that information meriting enhanced protections is so labeled.

To the extent the program itself sees value in the present work, or in the promise of future

related efforts, it should look for ways to grant other researchers similar access, with the

understanding that cross-sector and cross-region themes discerned from sensitive information

can be generalized and shared with a broader audience with appropriate review. (Ensuring the

present work was devoid of Protected Critical Infrastructure Information, for example, took only

three weeks from submission for review.)

The RRAP personnel interviewed in this effort acknowledged the value of a more open

and accessible approach to resilience research. It is to this, and similar broader recommendations

that this dissertation now turns.

V. This Research Provides Important Insights for Academics Concerning Policy-Focused Research Methodologies and the Study of Resilience itself; as well as for Senior Policymakers interested in Strengthening Resilience, and through it, Homeland Security.

The lessons and insights this research provides extend beyond those, set forth above, that are tied to specific research questions and findings. This final section builds upon the conclusions and recommendations set forth above by considering the broader experience of the entire research process and the underlying literatures on which it is based to offer suggestions for: (1) expanding policy-relevant research through similar qualitative study of diverse

153

government case studies and reports; (2) improving interdisciplinary efforts that seek to better

understand and advance the concept of critical infrastructure (and other forms of) resilience; and

(3) enhancing the Department of Homeland Security’s approach to strengthening resilience and

homeland security more broadly. Each is discussed in turn.

A. DHS and other researchers should consider wider use of qualitative, cross- case research methodologies to analyze the expanding universe of extant, but under-studied, homeland security assessments and reports.

As explained in Chapter 3, this research project adopted a qualitative, case-based research design to discern common characteristics and barriers to resilience that might be captured, but

not readily apparent or fully explored, in a series of multi-year government case studies produced

by an evolving voluntary assessment program. While the limitations of the cases – namely, the

relatively small number of projects available for study, their disparate focus, and their

intentionally wide geographic distribution – limited the ability to fully answer every research question of interest, the underlying data nonetheless yielded many important themes and findings. Future research should employ similar methodologies to analyze other underutilized government case studies and reports. This effort’s ability to pull useful themes from the RRAP case data affirms that there is value in secondary analyses of the ever-growing number of

existing government reports being generated to inform resilience and homeland security

improvement efforts. All too often, the government simply has not found the time or resources

to analyze and integrate the data already in its possession.

For example, a recent Government Accountability Office (GAO) study concerning

critical infrastructure protection found that DHS offices and component agencies frequently

require or invite critical infrastructure owners and operators to undertake numerous assessments

154 of the same assets and systems (Caldwell 2014). This fragmented,25 overlapping,26 and sometimes duplicitous27 approach to studying critical infrastructure has led to what some have called “federal fatigue” – a “weariness among [critical infrastructure] owners and operators who have been repeatedly approached or required by multiple federal agencies and DHS offices to participate in or complete assessments” (Ibid., 30). Table 5-1, below, reproduces a figure created by the GAO to illustrate the degree of overlap among ten critical infrastructure assessment tools deployed by DHS offices and component agencies from 2011-2013.

Table 5-1: Overlap of DHS Voluntary or Required Critical Infrastructure Assessments (adapted from Caldwell 2014) DHS Office or Component U.S. Coast Guard National Protection & Programs Directorate TSA Infrastructure Protective Federal Security Security Protective Compliance Coordination Critical Infrastructure Sector Service Division Division Chemical x x x Commercial Facilities x x x x Communications x x Critical Manufacturing x x x Dams x x Emergency Services x x Information Technology x x x Nuclear Reactors, Material, and Waste x Food and Agriculture x x x x Defense Industrial Base x x x x Energy x x x x x Healthcare and Public Health x x Financial Services x x x Water and Wastewater Systems x x x Government Facilitates x x x x Transportation Systems x x x x

25 The GAO uses the term “fragmentation” to describe a situation where more than one office or agency “is involved in the same broad area of national interest” (Caldwell 2014, 12). 26 The term “overlap” is used in this context to indicate “when multiple programs have similar goals, engage in similar activities or strategies to achieve those goals, or target similar beneficiaries. Overlap may result from statutory or other limitations beyond the agency’s control” (Ibid., 12). 27 Duplication exists, in the GAO’s classification scheme, “when two or more agencies or programs are engaging in the same activities or providing the same services to the same beneficiaries” (Ibid., 12).

155

Importantly for present purpose, an overarching conclusion of the GAO’s investigation was that the lack of common standards, definitions, and metrics in the Department’s various infrastructure assessment instruments makes it difficult for DHS to integrate the findings of these various reports to look for common themes. It is unclear to what extent DHS has attempted to do so. Regardless, the methodology in this research is ideally suited to this end.

As discussed elsewhere in this dissertation, the RRAP process that produced the data on which this research was based is changing and continues to mature through time. That maturation, which includes different areas of emphasis, participants, and reporting formats, did not preclude the ability to conduct a productive cross-case analysis. It was possible to track the progression of RRAP processes by developing supplemental coding schemes for key definitions and research activities used in each case study. After re-reading the material coded to these schemes, which provided a sense of the evolution itself, I interviewed RRAP process owners to further explore and understand the program’s changes through time. The qualitative analysis of gap and barrier coding references reflected an enhanced understanding of this evolution. (A true longitudinal study of the Regional Resilience Assessment Program across a longer span of time would be a worthwhile subject for future research.)

If academia can be granted greater access to the broad range of vulnerability reports and critical infrastructure assessments that DHS already produces – subject to appropriate controls – academic researchers could provide DHS (and wider audiences) important insights into underappreciated cross-case and cross-program themes that are buried in existing government data. As documented in this dissertation, there are challenges with attempting to compare diverse studies that involve differing settings, researchers, participants, and analytic processes.

For example, Chapter 4 shows how the relatively few RRAP case studies undertaken in any

156

given geographic area, combined with the program’s intentionally wide distribution of

substantive areas of emphasis for each, makes it difficult to detect any strong correlations

between the observed systemic barriers and any given geographic locale or infrastructure sector.

Moreover, the comparatively higher percentage of law enforcement and security participants in

the first RRAP projects yielded – as is referenced later in this chapter – a disproportionately

greater number of physical security-based resilience gaps in the early project reports.

Additionally, the differing report formats – from long narratives structured around a changing definition of resilience; to shorter, more client-focused key findings – provide differing levels of insight into the underlying data. Despite such complications, strong themes emerged in a diversity of contexts, making them all the more legitimate. They are also potentially more generalizable to other contexts as a result. Such “hidden” insights are worth seeking in similar bodies of understudied DHS work, such as the waterfront and chemical facility assessments required by the Marine Transportation Security Act (MTSA) and the “Protecting and Securing

Chemical Facilities from Terrorist Attacks Act of 2014 (“the CFATS Act”), which are produced

by the Coast Guard and the National Protection and Programs Directorate, respectively. The

methodology in this dissertation can help to do so.

Numerous agencies outside of DHS conduct infrastructure assessments that could be

targeted for future research using this, or similar, methodologies as well. Table 5-2, on the following page, provides a representative list of instruments – developed by the GAO – that

likely also contain prevalent, but currently underappreciated resilience (and security) gap and

barrier themes. Moreover, the research design in this dissertation has potential application

beyond the myriad critical infrastructure assessments that GAO found (although there is clearly

ample work to be done in that particular context).

157

Table 5-2: Infrastructure Assessments Conducted by Agencies External to DHS That Could Be Further Exploited By This Dissertation’s Secondary Analysis Methodology (portions reprinted verbatim from Caldwell 2014, Table 9) Agency Assessment Tool Description Environmental Vulnerability Self- VSAT is a risk assessment software tool for water, wastewater, and Protection Assessment Tool combined utilities of all sizes to assist owners and operators in performing Agency (EPA) (VSAT) security threats and natural hazards risk assessments, among other things. Climate Resilience CREAT is a self-assessment tool that allows users to evaluate potential Evaluation and impacts of climate change on their utilities and to evaluate adaptation Awareness Tool options to address these impacts using both traditional risk assessment and (CREAT) scenario-based decision-making. CREAT includes a database of drinking water and wastewater utility assets (e.g., water resources, treatment plants, and pump stations) that could be affected by climate change, possible climate change-related threats (e.g., flooding, drought, or water quality), and adaptive measures that can be implemented to reduce the impacts of climate change. Federal Energy Dam Assessment DAMSVR is a vulnerability assessment methodology for dams developed Regulatory Matrix for Security by FERC in association with state dam safety officials. It is one tool that Commission Vulnerability and can be used to meet FERC regulatory requirements. FERC requires (FERC) Risk (DAMSVR) owners and operators of the higher criticality-ranked dam facilities to complete a vulnerability assessment of their facility and update it periodically. U.S. Vulnerability The Vulnerability Assessment Software Tool uses the CARVER+ Shock Department of Assessment methodology to identify areas that may be vulnerable to an attacker. Health and Software Tool CARVER is an acronym for the following six attributes used to evaluate Human the attractiveness of a target for attack: Services • (HHS) Criticality – measure of public health and economic impacts of an attack Food and Drug • Accessibility – ability to physically access and egress from target Administration • Recuperability – ability of system to recover from an attack (FDA) • Vulnerability – ease of accomplishing attack

• Effect – amount of direct loss from an attack as measured by loss in U.S. production Department of Agriculture • Recognizability – ease of identifying a target (USDA) • A seventh attribute, Shock, has been added to the original six to assess the combined health, economic, and psychological impacts of an attack within the food industry. Department of Radiological Under this program, security experts from DOE’s national laboratories, led Energy (DOE) Voluntary Security by NNSA staff, provide security assessments, share observations, and Enhancements make recommendations for enhancing security at facilities that house high-risk radioactive sources. National Research and Test NNSA conducts site visits and makes recommendations for voluntary Nuclear Reactors Voluntary security enhancements at research and test reactors. Security Security Security enhancements are jointly determined by NNSA and the facility owner and Administration Enhancement operator and are funded by NNSA. (NNSA) Program

158

The close relationship between resilience and preparedness28 suggests that much could be learned from further detailed study of the Threat and Hazard Identification and Risk Assessments

(THIRA) and annual State Preparedness Reports required of those seeking DHS grants. Even the grant applications tied to these reports themselves potentially could be mined through this research’s methodology to discern cross-sector and cross-region trends and themes. Many of the

RRAP personnel interviewed for this research expressed regret that the “tyranny of the present,” and the lack of appropriations to undertake cross-case or longitudinal studies of their own work prevented them from doing so. Rather than risk further “federal fatigue” by simply deploying additional assessment tools, DHS should also invest in leveraging this study’s methodology and in utilizing the abundant resources that academia can bring to bear to further exploit its existing data and refine future analyses.

B. To advance national understanding and application of resilience, future research efforts must incorporate a broader array of academic disciplines and professional backgrounds.

The absence of comprehensive plans and planning, the pervasiveness of “systems ignorance,” and the prevalence of unknown information documented in this work together suggest that future research, planning, and public-private partnership efforts – including, but not limited to, the Regional Resiliency Assessment Program itself – must incorporate more disciplines and perspectives if we are to better understand and advance infrastructure, regional, and, ultimately, national resilience. As the review of various definitions of resilience and

28 The Community and Regional Resilience Institute (CARRI) distinguishes resilience from preparedness by noting that resilience includes more activities that are further “upstream” (or, “left of boom”), to address chronic conditions within communities that many conceptualizations of preparedness omit (CARRI 2011, 13). Kahan, for his part, suggests that the current emphasis on preparedness set forth in PPD-8 and the National Preparedness Goal will ultimately lead to improved resilience. Interestingly, he suggests that “too much of a focus on operationalizing resilience would have the effect of putting the resilience cart before the preparedness horse” (2015, 11). However this relationship is conceptualized, there is sufficient overlap to make study of THIRA and state preparedness reports valuable to resilience researches, if not for its own sake.

159

associated measurement and assessment schemes in Chapter 2 made clear, the concept of

resilience, however defined, is consistently conceptualized as having multiple component aspects

that must be viewed and assessed across multiple domains. Whether adopting Bruneau et al.’s

“TOSE” dimensions (technical, organization, social, and economic) (2003) or Cutter, et al.’s

five-dimension formulation involving social, economic, institutional, infrastructure, community,

and capital aspects (2010), scholars agree that resilience cannot be effectively studied, or

improved, exclusively through focusing on a specific infrastructure asset or system. The

numerous gaps and barriers noted in the RRAP cases that are tied to the human interactions with

these systems, our failure to understand them, and the planning and coordination deficiencies

that impair our ability to restore system function in the wake of disruption underscore this point.

The need to consider multiple domains when researching resilience is made all the more

critical in light of our cognitive limitations with handling the complexity and uncertainty

associated with critical infrastructure. As detailed in Chapter 2, the work of Kahneman (2013) and others (see, e.g., Steinbruner 1973; Allison and Zelikow 1999; Kunreuther and Michel-

Kerjan 2013; Woods et al. 2010) collectively suggests that decision makers – and researchers –

will have a natural tendency to interpret messy, complicated issues through frameworks with

which they are most comfortable or familiar. (This tendency can be clearly seen in the

disproportionately high presence of physical security-focused “resilience” gaps in the earliest

RRAP reports in which law enforcement and security personnel were the primary study

participants.)

One way to overcome these challenges and limitations is to rethink which individuals and

agencies are included – and through them, what collective perspectives and experiences can be

brought to bear – in future research. To do this, researchers must carefully consider the scope of

160 subjects and perspectives that should be incorporated in future inquiries. Future RRAP projects, for example, should include a broader array of participants to supplement the perspectives of infrastructure owners, operators, and regulators that have been traditionally included. The growing literature on disaster resilience supports this approach and is instructive to this end.

Longstaff et al. (2010); Cutter, Burton, and Emrich (2010); and the Community and Regional

Resilience Initiative’s “Community Resilience System” (2011; 2013) all suggest, in some form or fashion, that to understand the resilience of any given region, the concept must be considered across several key domains: critical infrastructure, economics (to include the viewpoint of commercial business interests), institutions (i.e., governance), and society (e.g., social organizations and other members of civil society). Future RRAP projects should be sure to include representatives from each of these domains given the inextricable link between infrastructure, its surrounding environment, and human interactions with each. The additional perspectives of community groups and non-governmental organizations – including but not limited to churches, chambers of commerce, economic development organizations, parent- teacher associations, and local chapters of the American Red Cross, United Way, and Salvation

Army – as well as the perspectives of citizens and policymakers are critical to understanding the essential functions and capabilities that a given region or community needs, and for determining the acceptable levels of degradation and recovery timelines that should be incorporated into truly comprehensive planning efforts.

We must also broaden the range of academic specialties and research methodologies that are included in resilience research. My research findings and broader experience suggest that improving infrastructure, and ultimately, national resilience, will require expertise and insights drawn from a much larger array of academic disciplines and professional backgrounds than were

161 included in any of the projects examined in this work. The RRAP projects themselves reflect a growing incorporation and appreciation for the perspectives of emergency managers and contingency planners in resilience research. More recent RRAP projects, for example, have involved far more detailed planning analyses that build on a given region’s system dependencies and interdependencies by evaluating response and restoration prioritization for individual assets and systems in emergency management and business continuity plans. Such professional perspectives help communities to shift their efforts “left of boom” to be better prepared to respond effectively and recover faster from disruptions. The insights of city managers, urban planners, and architects; as well as civil, environmental, and resilience engineers could be leveraged in resilience research in a similar fashion to shift analysis and efforts even further

“upstream” (CARRI 2011, 13). These disciplines would shed greater light not only on how existing infrastructure systems could be made more resilient, but on how communities themselves might be reconsidered and potentially redesigned to remove critical points of failure, or a region’s (over)dependence on some systems entirely.

C. DHS should explore ways to be more open and transparent with it processes and information, create incentives to ensure broader participation in resilience enhancement efforts, and shift its emphasis from sector-focused studies to more inclusive, regional, multi-sector projects.

The foregoing observations collectively suggest the need for DHS to rethink its approach to resilience and homeland security in at least three areas. First, DHS must address the need for more inclusive research, planning, and partnerships, as outlined above, by finding ways to make its overall approach to resilience and homeland security more open and transparent. It could start by lessening the barriers to research associated with how the Department handles For Official

Use Only (FOUO) and Protected Critical Infrastructure Information (PCII). We cannot afford the indiscriminate release of critical infrastructure vulnerabilities that could potentially be

162 exploited by terrorists. The nature of the RRAP data used in this research project however, suggests that there has been a frequent and reflexive tendency to over-classify information. The difficulty in parsing out precisely what information should be protected from public release is a solvable problem that has not received sufficient attention.

As outlined elsewhere in this work, access to critical infrastructure information is frequently impaired by the Department’s routine practice of labeling entire reports, or large sections thereof, as either PCII or FOUO without any attempt to delineate the specific information contained therein that merits the associated handling and dissemination restrictions.

Two simple changes to this practice would provide more open access to less sensitive, but potentially insightful information. First, DHS should adopt an information-labeling regime similar to that used for “classified” national security information (i.e, “confidential,” “secret,” and “top secret” materials). In that system, every individual sentence or paragraph is generally marked with its corresponding level of classification. This approach dramatically eases the process of redacting sensitive data to produce derivative documents with lower classification levels that are suitable for wider audiences. Second, using the aforementioned labeling scheme,

DHS should routinely make publicly releasable versions (or summaries) of its resilience studies and related reports. To my knowledge, there are no such versions of any RRAP reports. Much of the government’s invaluable research data has not been fully exploited simply because few people outside of (and within) DHS, beyond those entities that have participated in a specific project or program, know it exists. Taking these two simple steps will ensure sensitive data remains appropriately protected, while providing regional stakeholders, interested researchers, and concerned citizens a better sense of the programs that exist, and their respective bodies of work, that may merit further study and engagement.

163

A more open, transparent approach aligns with, and would facilitate, the “whole community” concept set forth in the National Preparedness Goal. Proper planning and preparedness – and through them, greater infrastructure understanding and resilience – are dependent on eliminating systems ignorance and unknown information. In order for more perspectives and disciplines to be better leveraged in addressing the messy, complex problems of homeland security, a larger array of personnel must be trusted to be “at the table.” In addition to making public summaries of its reports available, DHS should grant more researches access to its protected critical infrastructure information. As a Coast Guard officer, I was able to leverage my federal status to gain access to all RRAP data. To the extent federal contractors are routinely granted access to far more sensitive information, the Department should explore an analogous academic credentialing program that grants researchers (whether at federal, public, or private institutions) access to PCII and FOUO material.

It will always be individually “safer” for government employees to over-classify and retain information than to sign off on its release or to share it. (The RRAP management team should be commended for their willingness to do so for this work; they saw the value of an external, objective review of their work.) As the National Commission on Terrorist Attacks against the United States (the “9/11 Commission”) famously pointed out, it may not be “safer” for the nation in the long when agencies retain information. Senior executives and political appointees within DHS and beyond should engage on this issue to continually re-evaluate the costs and benefits of the current balance between information protection and sharing and the process used to achieve it. The documented prevalence of infrastructure systems ignorance, the pervasive lack of comprehensive planning and poor coordination suggest the need to strike a new

164

balance. Ultimately, the government must decide the extent to which it trusts the very people it

exists to protect.

Beyond ensuring researchers have greater access to its infrastructure resilience data, DHS should leverage existing grant programs to generate greater interest and participation in its critical infrastructure protection and resilience enhancement activities. The voluntary nature of

the RRAP, and many other DHS assessment initiatives, impairs the ability to draw certain cross-

sector or cross-case conclusions from these growing bodies of work. As a 2013 GAO study of the Regional Resiliency Assessment Program highlighted, the ability to have meaningful

measures of resilience for any given sector is largely dependent on the willingness of, and extent

to which, critical infrastructure stakeholders within that sector agree to engage with DHS

(Caldwell 2013, 27). The RRAP management team’s tendency, if not need, to adjust the scope

of its projects to the stated desires of its “clients” is perfectly understandable given the voluntary

nature of the program. Moreover, there is great value in ensuring any federal funds that are

expended to study regional resilience are used to address those needs identified by the state and

local entities that know them best.

This approach, however, undermines the program’s, and other potential researchers’,

ability to draw inferences from the absence of gaps or barriers in any specific study. For this

research, the drastically different scoping of RRAP studies, among other factors, significantly

limited the ability to conduct further quantitative analyses of the coding counts. In the

qualitative evaluation of coded RRAP case data, the absence of an otherwise common gap or

barrier in any one case could often be attributed to the limited inquiry of the project in question.

More consistent scoping of future projects would enable a broader resilience picture while also

facilitating deeper secondary, cross-case analysis. Given the tendency for “federal fatigue” noted

165

above, creating unfunded mandates to garner increased participation in such programs may be counter-productive. Instead, DHS should consider other ways to incentivize participation to ensure future projects benefit from the broadest sector representation possible while avoiding the

need to drastically scale the emphasis and depth of inquiry to entice cooperation. An obvious

start would be to consider making any number of DHS preparedness grants contingent on

participating in one or more resiliency assessments. The Department should also work with

other cabinet departments and agencies to link other federal infrastructure improvement funds,

such as those administered by the Departments of Transportation, Energy, and Housing and

Urban Development, to the resilience enhance options the RRAP and related programs produce.

Finally, the challenges and shortcomings to studying resilience through the perspective of

one, or a select few, of 16 specified critical infrastructure sectors, underscore the need to attempt

more ambitious, regionally focused, multi-sector studies. By design, each RRAP case focuses on

one or more of the critical infrastructure sectors outlined in the National Infrastructure Protection

Plan. Unlike many other DHS assessment initiatives, each RRAP project also explores that

sector’s dependencies, and interdependencies, with the lifeline critical infrastructure sectors that

support it. This broader perspective is important, but it only begins to reveal the full picture of

how these systems are connected with others in a given community, region, or megaregion.

The sector-based approach of the National Infrastructure Protection Plan (NIPP), which

includes Sector-Specific Agencies (SSAs) and Sector Coordinating Councils (SCCs), arguably

stems from a desire to find common challenges and best practices within each sector. To some

extent, this framework simplifies the challenge of infrastructure protection by partitioning it into

familiar, more manageable chunks. Given the unavoidable, messy interconnections of these

166

sectors and systems, however, this approach inevitably leads to the fragmentation, overlap, and

duplicity of assessment initiatives discussed above.

To address this inevitable interconnectivity, the NIPP also provides for cross-sector

coordination structures such as the Critical Infrastructure Cross-Sector Council, which includes

the chairs and vice-chairs of the various SCCs. DHS should employ a similar cross-sector

approach in its regional assessments of resilience by including more sector perspectives in each

project. That is, for at least some future projects, rather than undertaking regional resilience

assessments that focus on one or a few designated sectors and the lifeline systems that support

them, DHS should attempt to include the perspective of as many sectors as possible that are operating in any given region. The Coast Guard’s Area Maritime Security Committees

(AMSCs), which bring together all stakeholders within a given port community to identify and address its threats and vulnerabilities, could serve as a potential model. Adopting a true a multi- sector approach to addressing regional resilience will facilitate better understanding of how each of the 16 sectors place different demands on the supporting lifeline systems, and through them, each other. While the increased number of participants and analytic complexity associated with such more encompassing projects would surely require greater funding and manpower, this is the type of investment we must make to become a more resilient nation.

Conclusion

This research identified and explored recurring “resilience gaps” and systemic barriers that enable them in the hope that a greater awareness and understanding of such widespread

shortcomings and systemic challenges will facilitate their removal. The limitations of the data

scoped within this effort, the complexities of the systems involved, and the prevalence of

167 unknown (or unshared) information ultimately made some aspects of this dissertation’s four research questions difficult to fully answer. At the same time, these very conditions suggest areas for future research and policies (including those related to the disclosure of critical infrastructure information and lessons learned) that merit further review. Importantly, the four recurring resilience gaps, and five pervasive systemic barriers to their removal that emerged in this effort’s cross-case analysis of the RRAP data, as detailed above, provide a critical contribution to better understanding the homeland security and critical infrastructure-related challenges we face as a nation. It is my hope that the continuing work of the Regional

Resiliency Assessment Program, and research, such as this, that builds thereon, will indeed enable deeper and wider understanding of infrastructure systems, and spur the associated policy improvements needed to enhance homeland security, minimize property damage, and, ultimately, save lives.

168

Appendix A

References

Abramson, David M., and Irwin Redlener. 2012. “Hurricane Sandy: Lessons Learned, Again.” Disaster Medicine and Public Health Preparedness 6 (04): 328–29. doi:10.1001/dmp.2012.76.

Alderson, David L., Gerald G. Brown, and W. Matthew Carlyle. 2014. “Assessing and Improving Operational Resilience of Critical Infrastructures and Other Systems.” In Tutorials in Operations Research: Bridging Data and Decision, edited by A. Neuman and J. Leung, 180–215. Hanover, MD: Institute for Operations Research and Management Science.

———. 2015. “Operational Models of Infrastructure Resilience.” Risk Analysis 35 (4): 562–86. doi:10.1111/risa.12333.

Alderson, David L., Gerald G. Brown, W. Matthew Carlyle, and Louis Anthony Cox. 2013. “Sometimes There Is No ‘Most-Vital’ Arc: Assessing and Improving the Operational Resilience of Systems.” Military Operations Research 18 (1): 21–37. doi:10.5711/1082598318121.

Allenby, Brad, and Jonathan Fink. 2005. “Toward Inherently Secure and Resilient Societies.” Science 309 (5737): 1034–36.

Allison, Graham, and Philip Zelikow. 1999. Essence of Decision: Explaining the Cuban Missile Crisis. 2 edition. New York: Pearson.

Anderson, W. A:, P. J. Kennedy, and E. Ressler. 2007. Handbook of Disaster Research. Edited by Havidan Rodriguez, Enrico L. Quarantelli, and Russell Dynes. 2006 edition. New York: Springer.

Aven, Terje. 2011. “On Some Recent Definitions and Analysis Frameworks for Risk, Vulnerability, and Resilience.” Risk Analysis 31 (4): 515–22. doi:10.1111/j.1539- 6924.2010.01528.x.

Birkland, Thomas A. 1997. After Disaster : Agenda Setting, Public Policy, and Focusing Events. Washington, DC: Georgetown University Press.

———. 2006. Lessons of Disaster: Policy Change After Catastrophic Events. Georgetown University Press.

———. 2011. An Introduction to the Policy Process: Theories, Concepts, and Models of Public Policy Making. Armonk, NY: Sharpe.

Birkland, Thomas A., and Sarah E. DeYoung. 2011. “Emergency Response, Doctrinal Confusion, and Federalism in the Deepwater Horizon Oil Spill.” Publius 41 (3): 471–93.

173 Birkland, Thomas A., and S. Waterman. 2008. “Is Federalism the Reason for Policy Failure in Hurricane Katrina?” Publius 38 (4). doi:10.1093/publius/pjn020.

Brouillette, John R, and E. L Quarantelli. 1971. “Types of Patterned Variation in Bureaucratic Adaptations to Organizational Stress.” Sociological Inquiry 41 (1): 39–46.

Bruneau, Michel, Stephanie E. Chang, Ronald T. Eguchi, George C. Lee, Thomas D. O’Rourke, Andrei M. Reinhorn, Masanobu Shinozuka, Kathleen Tierney, William A. Wallace, and Detlof von Winterfeldt. 2003. “A Framework to Quantitatively Assess and Enhance the Seismic Resilience of Communities.” Earthquake Spectra 19 (4): 733–52. doi:10.1193/1.1623497.

Caldwell, Stephen. 2011. “Critical Infrastructure Protection: An Implementation Strategy Could Advance DHS’s Coordination of Resilience Efforts across Ports and Other Infrastructure.” GAO-13-11. Government Accountability Office. http://www.gao.gov/products/GAO-13-11.

———. 2013. “Critical Infrastructure Protection: DHS Could Strengthen the Management of the Regional Resiliency Assessment Program.” GAO-13-616. Government Accountability Office. http://www.gao.gov/products/GAO-13-616.

———. 2014. “Critical Infrastructure Protection: DHS Action Needed to Enhance Integration and Coordination of Vulnerability Assessment Efforts.” GAO-14-507. Government Accountability Office. http://www.gao.gov/products/GAO-14-507.

Carlson, L., G. Bassett, W. Buehring, M. Collins, M. Folga, B. Haffenden, F. Petit, J. Phillips, D. Verner, and R. Whitfield. 2012. “Resilience: Theory and Applications.” ANL/DIS-12-1. Argonne National Laboratory, Decisions and Information Sciences Division. http://www.dis.anl.gov/pubs/72218.pdf.

CARRI. 2011. “Community Resilience System Initiative (CRSI) Steering Committee Final Report — a Roadmap to Increased Community Resilience.”

———. 2013. “Building Resilience in America’s Communities: Observations and Implications of the CRS Pilots.” http://www.resilientus.org/wp-content/uploads/2013/05/CRS-Final- Report.pdf.

Center for Resilience Studies. 2015. “After Superstorm Sandy - Bolstering the Resilience of Metro-New York’s Infrastructure.” Center for Resilience at Northeastern University. Accessed March 18. http://www.northeastern.edu/resilience/programs/sloan-foundation/.

Christopher, Martin. 2011. Logistics and Supply Chain Management. 4 edition. Harlow, England ; New York: FT Press.

Christopher, Martin, and Helen Peck. 2004. “Building the Resilient Supply Chain.” The International Journal of Logistics Management 15 (2): 1–14. doi:10.1108/09574090410700275.

174 Coulam, Robert F. 1977. Illusions of Choice: The F-111 and the Problem of Weapons Acquisition Reform. Y First edition edition. Princeton, N.J: Princeton Univ Pr.

Coutu, Diane. 2002. “How Resilience Works.” Harvard Business Review. May. https://hbr.org/2002/05/how-resilience-works.

Cranfield University. 2002. “Why Companies Need To Constantly Build Their ‘Survival Mode’ Skills.” Cranfield, UK: Cranfield School of Business.

Creswell, J. W. 2013. Research Design: Qualitative, Quantitative, and Mixed Methods Approaches, 4th Edition. 4th edition. Thousand Oaks: SAGE Publications, Inc.

Creswell, J. W., and D. Miller. 2000. “Determining Validity in Qualitative Inquiry.” Theory Into Practice 39 (3): 124.

Cutter, Susan L., Lindsey Barnes, Melissa Berry, Christopher Burton, Elijah Evans, Eric Tate, and Jennifer Webb. 2008. “Community and Regional Resilience: Perspectives from Hazards, Disasters, and Emergency Management.” CARRI Report 1. Community and Regional Resilience Initiative. http://www.resilientus.org/publications/research-reports/.

Cutter, Susan L., Christopher G. Burton, and Christopher T. Emrich. 2010. “Disaster Resilience Indicators for Benchmarking Baseline Conditions.” Journal of Homeland Security and Emergency Management 7 (1). http://www.degruyter.com/view/j/jhsem.2010.7.1/jhsem.2010.7.1.1732/jhsem.2010.7.1.1 732.xml;jsessionid=42EE6FE88F6C463F298F91D6CDECF3DB.

DHS. 2008. “Department of Homeland Security Strategic Plan FY2008-2013: One Team, One Mission.” https://www.hsdl.org/?view&did=235371.

———. 2010a. “2010 Quadrennial Homeland Security Review (QHSR).” http://www.dhs.gov/publication/2010-quadrennial-homeland-security-review-qhsr.

———. 2010b. “New Jersey Exit 14 Integrated Protective Measures Analysis.” Resiliency Assessment.

———. 2011. “National Preparedness Goal.” http://www.fema.gov/national-preparedness-goal.

———. 2012. “Department of Homeland Security Strategic Plan FY2012-2016.” http://www.dhs.gov/strategic-plan-fiscal-years-fy-2012-2016.

———. 2013. “National Infrastructure Protection Plan: Partnering for Critical Infrastructure Security and Resilience.” http://www.dhs.gov/national-infrastructure-protection-plan.

———. 2014a. “Regional Resiliency Assessment Program: 33 Resiliency Assessments.”

———. 2014b. “2014 Quadrennial Homeland Security Review (QHSR).” June 18. http://www.dhs.gov/publication/2014-quadrennial-homeland-security-review-qhsr.

175

———. 2014c. “Regional Resiliency Assessment Program.” October 8. http://www.dhs.gov/regional-resiliency-assessment-program.

———. 2014d. “Enhanced Critical Infrastructure Protection.” December 4. http://www.dhs.gov/ecip.

———. 2015a. “Homeland Security Advisory Council.” April 20. http://www.dhs.gov/homeland-security-advisory-council.

———. 2015b. “Multi-Jurisdiction Improvised Explosive Device Security Planning (MJIEDSP) Program.” April 28. http://www.dhs.gov/mjiedsp.

———. 2015c. “National Infrastructure Advisory Council.” May 12. http://www.dhs.gov/national-infrastructure-advisory-council.

———. 2015d. “Enhanced Critical Infrastructure Protection Visit and the Infrastructure Survey Tool Fact Sheet.” https://www.dhs.gov/sites/default/files/publications/ecip-ist-fact-sheet- 508.pdf.

———. 2015e. “Computer-Based Assessment Tool.” July 23. http://www.dhs.gov/computer- based-assessment-tool.

———. 2015f. “National Preparedness Goal (Second Edition).” http://www.fema.gov/media- library-data/1443799615171- 2aae90be55041740f97e8532fc680d40/National_Preparedness_Goal_2nd_Edition.pdf.

Donahue, Amy K., and Robert V. Tuohy. 2006. “Lessons We Don’t Learn: A Study of the Lessons of Disasters, Why We Repeat Them, and How We Can Learn Them.” Homeland Security Affairs II (July): 1–28.

Dynes, Russell Rowe. 1970. Organized Behavior in Disaster. Lexington, Mass.: Heath Lexington Books.

FEMA. 2012. “Buffer Zone Protection Program (BZPP) Guidance and Application Kit.” February 29. https://www.fema.gov/media-library/assets/documents/20601.

Fiksel, Joseph. 2006. “Sustainability and Resilience: Toward a Systems Approach.” Sustainability: Science, Practice and Policy 2 (2): 14.

Finkel, Meir. 2011. On Flexibility: Recovery from Technological and Doctrinal Surprise on the Battlefield. Stanford University Press.

Fisher, R.E., G.W. Bassett, W.A. Buehring, M.J. Collins, D.C. Dickinson, L.K. Eaton, R.A. Haffenden, et al. 2010. “Constructing a Resilience Index for the Enhanced Critical Infrastructure Protection Program.” ANL/DIS 10-9. Argonne, Illinois: Argone National Laboratory, Decision and Information Sciences Division. http://www.ipd.anl.gov/anlpubs/2010/09/67823.pdf.

176 Flynn, Stephen. 2004. America the Vulnerable: How Our Government Is Failing to Protect Us from Terrorism. New York: HarperCollins.

———. 2015. “Bolstering Critical Infrastructure Resilience After Superstorm Sandy – Lessons for New York and the Nation.” Boston, MA: Center for Resilience Studies. http://www.northeastern.edu/resilience/programs/sloan-foundation/.

Gallardo, Luis. 2013. “Why Companies Need To Constantly Build Their ‘Survival Mode’ Skills.” Business Insider, March. http://www.businessinsider.com/the-case-for-resilience- redefining-the-terms-for-success-and-survival-2013-3.

Gilbert, S. W. 2010. “Disaster Resilience: A Guide to the Literature.” NIST Special Publication 1117. National Institution of Standards and Technology. http://www.nist.gov/manuscript- publication-search.cfm?pub_id=906887.

Guba, Egon G., and Yvonna S. Lincoln. 1992. Effective Evaluation: Improving the Usefulness of Evaluation Results Through Responsive and Naturalistic Approaches. San Francisco: Jossey-Bass.

Gunderson, Lance H., Craig Reece Allen, and C. S. Holling, eds. 2009. Foundations of Ecological Resilience. 2 edition. Washington: Island Press.

Haimes, Yacov Y. 2006. “On the Definition of Vulnerabilities in Measuring Risks to Infrastructures.” Risk Analysis 26 (2): 293–96. doi:10.1111/j.1539-6924.2006.00755.x.

———. 2009. “On the Definition of Resilience in Systems.” Risk Analysis 29 (4): 498–501. doi:10.1111/j.1539-6924.2009.01216.x.

———. 2011. “Responses to Terje Aven’s Paper: On Some Recent Definitions and Analysis Frameworks for Risk, Vulnerability, and Resilience.” Risk Analysis 31 (5): 689–92. doi:10.1111/j.1539-6924.2011.01587.x.

Heinrich, H. W. 1931. Industrial Accident Prevention: A Scientific Approach. McGraw-Hill book Company, Incorporated.

Heinrich, H. W., Dan Petersen, and Nestor R. Roos. 1980. Industrial Accident Prevention : A Safety Management Approach. 5th ed. New York: McGraw-Hill.

Holling, C. S. 1973. “Resilience and Stability of Ecological Systems.” Annual Review of Ecology and Systematics 4: 1–23.

Hollnagel, Erik. 2007. “Resilience - the Challenge of the Unstable.” In Resilience Engineering: Concepts and Precepts, edited by Erik Hollnagel, David D. Woods, and Nancy Leveson, 410. Ashgate Publishing, Ltd.

Hollnagel, Erik, David D. Woods, and Nancy Leveson, eds. 2006. Resilience Engineering: Concepts And Precepts. Aldershot, England ; Burlington, VT: Ashgate Pub Co.

177 ———. , eds. 2007. Resilience Engineering: Concepts and Precepts. Ashgate Publishing, Ltd.

Homeland Security Coucil. 2007. “The National Strategy For Homeland Security.” http://www.dhs.gov/national-strategy-homeland-security-october-2007.

HSAC. 2011. “Community Resilience Task Force Recommendations.” Homeland Security Advisory Council. http://www.dhs.gov/xlibrary/assets/hsac-community-resilience-task- force-recommendations-072011.pdf.

Kahan, Jerome H. 2013. “What’s in a Name? The Meaning of Homeland Security.” The Journal of Homeland Security Education 2: 1–18.

———. 2015. “Resilience Redux: Buzzword or Basis for Homeland Security.” Homeland Security Affairs 11 (February). doi:10.2202/1547-7355.1675.

Kahan, Jerome H., Andrew C. Allen, and Justin K. George. 2009. “An Operational Framework for Resilience.” Journal of Homeland Security and Emergency Management 6 (1). doi:10.2202/1547-7355.1675.

Kahneman, Daniel. 2013. Thinking, Fast and Slow. Reprint edition. New York: Farrar, Straus and Giroux.

Kanter, Rosabeth Moss. 2013. “Surprises Are the New Normal; Resilience Is the New Skill.” Harvard Business Review. July 17. https://hbr.org/2013/07/surprises-are-the-new-normal- r.

Kingdon, John W. 2011. Agendas, Alternatives, and Public Policies. Second. Boston: Longman.

Kunreuther, Howard, and Erwann Michel-Kerjan. 2013. “Overcoming Decision Biases to Reduce Losses from Natural Catastrophes.” In Behavioral Foundations of Policy, edited by Eldar Shafir. Princeton University Press.

Kunreuther, Howard, Erwann Michel-Kerjan, Neil A. Doherty, Martin F. Grace, Robert W. Klein, and Mark V. Pauly. 2009. At War with the Weather: Managing Large-Scale Risks in a New Era of Catastrophes. Cambridge, Mass: The MIT Press.

Kunreuther, Howard, Erwann Michel-Kerjan, and Mark Pauly. 2013. “Making America More Resilient toward Natural Disasters: A Call for Action.” Environment: Science and Policy for Sustainable Development 55 (4): 15–23. doi:10.1080/00139157.2013.803884.

Lambert, Douglas M., Sebastián J. García-Dastugue, and Keely L. Croxton. 2005. “An Evaluation of Process-Oriented Supply Chain Management Frameworks.” Journal of Business Logistics 26 (1): 25–51. doi:10.1002/j.2158-1592.2005.tb00193.x.

Lang, R. E, and D. Dhavale. 2005. “Beyond Megalopolis: Exploring America’s New ‘megapolitan’geography.” Metropolitan Institute Census Report Series 5 (01).

178 Lindblom, Charles E. 1959. “The Science of ‘Muddling Through.’” Public Administration Review 19 (2): 79–88.

Linkov, Igor, Daniel A. Eisenberg, Matthew E. Bates, Derek Chang, Matteo Convertino, Julia H. Allen, Stephen E. Flynn, and Thomas P. Seager. 2013. “Measurable Resilience for Actionable Policy.” Environmental Science & Technology 47 (18): 10108–10. doi:10.1021/es403443n.

Linkov, Igor, and Thomas P. Seager. 2011. “Coupling Multi-Criteria Decision Analysis, Life- Cycle Assessment, and Risk Assessment for Emerging Threats.” Environmental Science & Technology 45 (12): 5068–74. doi:10.1021/es100959q.

Longstaff, Patricia H., Nicholas J. Armstrong, Keli Perrin, Whitney May Parker, and Matthew A. Hidek. 2010. “Building Resilient Communities: A Preliminary Framework for Assessment.” Homeland Security Affairs 6 (September). https://www.hsaj.org/articles/81.

Lundberg, Russell, and Henry Willis. 2015. “Assessing Homeland Security Risks: A Comparative Risk Assessment of 10 Hazards.” Homeland Security Affairs 11 (December): Article 10.

MacKenzie, Cameron A., and Christopher W. Zobel. 2015. “Allocating Resources to Enhance Resilience, with Application to Superstorm Sandy and an Electric Utility.” Risk Analysis, August, n/a – n/a. doi:10.1111/risa.12479.

Manuj, Ila, and John T. Mentzer. 2008. “Global Supply Chain Risk Management.” Journal of Business Logistics 29 (1): 133–55. doi:10.1002/j.2158-1592.2008.tb00072.x.

Martin-Breen, Patrick, and J. Marty Anderies. 2011. “Resilience: A Literature Review.” Rockefeller Foundation. http://www.rockefellerfoundation.org/blog/resilience-literature- review.

Martinez-Fonts. 2014. U.S. Chamber of Commerce Efforts to Promote Resilience.

McCreight, Robert. 2014. “A Pathway Forward in Homeland Security Education: An Option Worth Considering and the Challenge Ahead.” Homeland Security & Emergency Management 11 (1): 25–38.

Mentzer, John T., William DeWitt, James S. Keebler, Soonhong Min, Nancy W. Nix, Carlo D. Smith, and Zach G. Zacharia. 2001. “Defining Supply Chain Management.” Journal of Business Logistics 22 (2): 1–25. doi:10.1002/j.2158-1592.2001.tb00001.x.

Miles, Matthew B., A. Michael Huberman, and Johnny Saldaña. 2013. Qualitative Data Analysis: A Methods Sourcebook. Third Edition edition. Thousand Oaks, Califorinia: SAGE Publications, Inc.

Mileti, Dennis. 1999. Disasters by Design: A Reassessment of Natural Hazards in the United States. Washington, D.C: Joseph Henry Press.

179 Milly, P. C. D., Julio Betancourt, Malin Falkenmark, Robert M. Hirsch, Zbigniew W. Kundzewicz, Dennis P. Lettenmaier, and Ronald J. Stouffer. 2008. “Stationarity Is Dead: Whither Water Management?” Science 319 (5863): 573–74. doi:10.1126/science.1151915.

Moynihan, Donald P. 2009. “The Network Governance of Crisis Response: Case Studies of Incident Command Systems.” Journal of Public Administration Research and Theory 19 (4): 895–915. doi:10.1093/jopart/mun033.

National Academy of Sciences. 2012. Disaster Resilience: A National Imperative. National Academies Press. http://www.nap.edu/catalog/13457/disaster-resilience-a-national- imperative.

National Commission on Terrorist Attacks. 2004. The 9/11 Commission Report: Final Report of the National Commission on Terrorist Attacks Upon the United States. New York: W. W. Norton & Company.

National Institute of Standards and Technology. 2015. “International Resilience Symposium: Understanding Standards for Communities and Built Infrastructure Resilience.” NIST GCR 15-917-37. Gaithersburg, MD: National Institute of Standards and Technology. http://dx.doi.org/10.6028/NIST.GCR.15-917-37.

National Research Council. 2010. Review of the Department of Homeland Security’s Approach to Risk Analysis. Washington, D.C.: National Academies Press. http://www.nap.edu/catalog/12972.

NIAC. 2009. “Critical Infrastructure Resilience, Final Report and Recommendations.” Washington, D.C.: U.S. Department of Homeland Security. http://www.dhs.gov/xlibrary/assets/niac/niac_critical_infrastructure_resilience.pdf.

———. 2013. “Strengthening Regional Resilience.”

NIST. 2015. “Community Resilience Planning Guide for Buildings and Infrastructure Systems.” National Institute of Standards and Technology. http://dx.doi.org/10.6028/NIST.SP.1190v2.

Norris, Fran H., Susan P. Stevens, Betty Pfefferbaum, Karen F. Wyche, and Rose L. Pfefferbaum. 2007. “Community Resilience as a Metaphor, Theory, Set of Capacities, and Strategy for Disaster Readiness.” American Journal of Community Psychology 41 (1- 2): 127–50. doi:10.1007/s10464-007-9156-6.

OECD. 2003. Emerging Risks in the 21st Century: An Agenda for Action. Paris: OECD Publishing.

Ovans, Andrea. 2015. “What Resilience Means, and Why It Matters.” Harvard Business Review. January 5. https://hbr.org/2015/01/what-resilience-means-and-why-it-matters.

180

Pederson, P., D. Dudenhoeffer, S. Hartley, and M. Permann. 2006. “Critical Infrastructure Interdependency Modeling: A Survey of U.S. and International Research.” Idaho National Lab. www.inl.gov/technicalpublications/Documents/3489532.pdf.

Perry, Ronald W. 2007. “What Is a Disaster?” In Handbook of Disaster Research, edited by Havidan Rodriguez, Enrico L. Quarantelli, and Russell R. Dynes, 1–15. Springer.

Pettit, Timothy J., Joseph Fiksel, and Keely L. Croxton. 2010. “Ensuring Supply Chain Resilience: Development of a Conceptual Framework.” Journal of Business Logistics 31 (1): 1–21. doi:10.1002/j.2158-1592.2010.tb00125.x.

Phillips, Brenda D. 2014. Qualitative Disaster Research. Oxford University Press.

Ponomarov, Serhiy Y., and Mary C. Holcomb. 2009. “Understanding the Concept of Supply Chain Resilience.” The International Journal of Logistics Management 20 (1): 124–43. doi:10.1108/09574090910954873.

Rabkin, Norman J. 2008. Strengthening the Use of Risk Management Principles in Homeland Security. Washington, D.C. http://www.gao.gov/assets/130/120506.pdf.

Reason, James. 1990. Human Error. 1 edition. Cambridge England ; New York: Cambridge University Press.

Reese, Shawn. 2013. “Defining Homeland Security: Analysis and Congressional Considerations.” R42462. Congressional Research Service. http://fas.org/sgp/crs/homesec/R42462.pdf.

Regional Plan Association. 2015. “Megaregions - America 2050.” Accessed March 18. http://www.america2050.org/megaregions.html.

Renschler, C.S., A.E. Frazier, L.A. Arendt, G. Cimellaro, A.M. Reinhron, and M. Bruneau. 2010. “A Framework for Defining and Measuring Resilience at the Community Scale.” NIST GCR 10-930. National Institute of Standards and Technology. http://peoplesresilience.org/references.

Rinaldi, S.M., J.P. Peerenboom, and T.K. Kelly. 2001. “Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies.” IEEE Control Systems Magazine, December. http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=969131.

Risk Steering Committee. 2010. “DHS Risk Lexicon.” DHS. http://www.dhs.gov/xlibrary/assets/dhs-risk-lexicon-2010.pdf.

Saldaña, Johnny. 2012. The Coding Manual for Qualitative Researchers. Second Edition edition. Los Angeles: SAGE Publications Ltd.

Samuelson, William, and Richard Zeckhauser. 1988. “Status Quo Bias in Decision Making.” Journal of Risk & Uncertainty 1 (1): 7–59.

181 Scanlon, T. Joseph. 1988. “Disaster’s Little Known Pioneer: Canada’s Samuel Henry Prince.” International Journal of Mass Emergencies and Disasters 6 (3): 213–32.

Schneider, Saundra. 2008. “Who’s to Blame? (Mis) Perceptions of the Intergovernmental Response to Disasters.” Publius 38 (4).

Shafir, Eldar, ed. 2013. The Behavioral Foundations of Public Policy. Princeton: Princeton University Press.

Sheffi, Yossi. 2007. The Resilient Enterprise: Overcoming Vulnerability for Competitive Advantage. Cambridge, Mass.; London: The MIT Press.

Snyder, Steven. 2011. “Why Is Resilience So Hard?” Harvard Business Review. April. https://hbr.org/2013/11/why-is-resilience-so-hard.

Steinbruner, John D. 1973. The Cybernetic Theory of Decision: New Dimensions of Political Analysis. With a New Preface by the Author edition. Princeton University Press.

Subcommittee on Disaster Reduction. 2005. “Grand Challenges for Disaster Reduction.” National Science and Technology Council.

Tesch, Renata. 1990. Qualitative Research: Analysis Types and Software. 1 edition. New York: Routledge.

Thaler, Richard H., and Cass R. Sunstein. 2009. Nudge: Improving Decisions About Health, Wealth, and Happiness. Revised & Expanded edition. New York: Penguin Books.

The White House. 2010. “National Security Strategy.” http://www.whitehouse.gov/sites/default/files/rss_viewer/national_security_strategy.pdf.

———. 2011. “Presidential Policy Directive 8: National Preparedness.” http://www.dhs.gov/presidential-policy-directive-8-national-preparedness.

———. 2013. “Presidential Policy Directive 21: Critical Infrastructure Security and Resilience.” http://www.whitehouse.gov/embeds/footer.

Tierney, Kathleen J. 2003. “Conceptualizing and Measuring Organizational and Community Resilience: Lessons From The Emergency Response Following The September 11, 2001 Attack on The World Trade Center.” http://udspace.udel.edu/handle/19716/735.

Torens Resilience Institute. 2015. “Resilience of Individuals.” Accessed March 3. http://www.torrensresilience.org/resilience-of-individuals.

Trochim, William. 2005. Research Methods: The Concise Knowledge Base. 1 edition. Cincinnati, Ohio: Atomic Dog.

UNISDR. 2011. “Terminology.” http://www.unisdr.org/we/inform/terminology.

182 ———. 2013. “Global Assessment Report on Disaster Risk Reduction: From Shared Risk to Shared Value – The Business Case for Disaster Risk Reduction.” Geneva, Switzerland.

US-CERT. 2015. “Cyber Resilience Review (CRR).” Accessed July 28. https://www.us- cert.gov/ccubedvp/self-service-crr.

USCG. 2013. “Coast Guard Publication 7-0: Capability Management.”

Weinstein, Neil D., Kathryn Kolb, and Bernard D. Goldstein. 1996. “Using Time Intervals Between Expected Events to Communicate Risk Magnitudes.” Risk Analysis 16 (3): 305– 8. doi:10.1111/j.1539-6924.1996.tb01464.x.

Woods, David D. 2015. “Four Concepts for Resilience and the Implications for the Future of Resilience Engineering.” Reliability Engineering & System Safety, Special Issue on Resilience Engineering, 141 (September): 5–9. doi:10.1016/j.ress.2015.03.018.

Woods, David D., Sidney Dekker, Richard Cook, Leila Johannesen, and Nadine Sarter. 2010. Behind Human Error. 2 edition. Farnham ; Burlington, VT: Ashgate Pub Co.

Yin, Robert K. 2012. Applications of Case Study Research. Third. Thousand Oaks, CA: SAGE Publications, Inc.

———. 2014. Case Study Research: Design and Methods. Fifth. SAGE Publications, Inc.

183