Business Versus Terror
America's best weapons in the war on terrorism will not be found in some musty Pentagon basement or arms manufacturer's warehouse. Rather, they will be found in the briefcases of corporate CEOs and venture capitalists and the cubicles of high-tech start-ups. These nimble private-sector players can deploy innovative technologies and unlimited financing to fortify U.S. cities, battle cyberthreats, track the movements of terrorists, and disarm biological weapons -- if only Washington has sense enough to let them.
Only a new kind of alliance can win the war on terrorism. This alliance will not be one between nations nor will it be bound by a treaty. Instead, it will be unconventional, involve millions of disparate actors, and be guided by rules that will be constantly rewritten. It will be an alliance of a motley army of horizontal partnerships, with a nontraditional leadership structure. Its best troops will be regiments of geeks rather than the special forces that struck the first blows against the Taliban in Afghanistan. These pocket-protector brigades live on rations of cold pizza and coffee, not mres (the military’s “Meal, Ready-to-Eat”). They take orders not from generals or admirals but from markets and stockholders.
The members of this fighting force are scientists and doctors, venture capitalists and corporate project managers—the private-sector army that is the United States’ not-so-secret weapon and best hope. These unlikely warriors will provide the software, systems, and analytical resources that will enable the United States to track terrorists. It is they who will develop the sensing systems to detect biological, chemical, and cyber threats. And it is they who will perfect the biometric devices, such as retinal scanners or thumb-print readers or facial-recognition technologies, that will be critical components of next-generation security systems and that will close the gaps Mohammed Atta and his associates revealed.
The Bush administration and terrorism experts know this group is critical. The enormous Pentagon acquisition apparatus has already begun to direct funds to new private-sector ventures that can satisfy immediate and longer-term tactical and strategic needs. Governor Tom Ridge, director of the Office of Homeland Security, has taken the first steps toward institutionalizing the public-private partnership that is absolutely critical to achieving U.S. domestic defense goals. Even smaller operations—such as the Central Intelligence Agency’s venture fund In-Q-Tel, Inc. (a private nonprofit created in 1999 to invest in information technology deemed critical to the intelligence community)—have begun directing their comparatively limited resources to addressing the burgeoning, boggling array of threats that Americans now must contemplate.
Nonetheless, many in the Bush administration acknowledge that these initial steps toward more effective public-private sector cooperation are inadequate at best. As a result, a vital resource in defending the nation remains underutilized. According to Fortune magazine, the private sector will spend over $150 billion on homeland security–related expenses such as insurance, workplace security, logisitics, and information technology—approximately four times the federal government’s announced homeland security budget. And private-sector organizations operate America’s transportation networks, power facilities, telecommunications and data networks, healthcare infrastructure, pharmaceutical companies, and most of the security services upon which U.S. critical infrastructures depend. But to date, these companies have been involved in very little of the coordinated planning, drilling exercises, threat evaluation, intelligence sharing, cooperative research, or any of the other steps a national defense strategy requires.
Most of the critical questions about how to achieve this public-private sector cooperation have yet to be asked. And even if we find the right answers, a cultural divide between government and business threatens this partnership. Bridging this divide is crucial because an important shift has taken place in U.S. national security. Once, it was almost entirely the province of the federal government to provide for that security by protecting the nation through overseas alliances, the five branches of the American military, intelligence assets, and other tools of U.S. policy. The war on terrorism, however, has changed all that. With an almost infinite number of threats and targets across the United States and in U.S.-owned facilities around the world, Washington cannot be solely responsible for homeland security. Just as winning this war requires international coalitions, intelligence sharing, and law-enforcement cooperation, so too does it require finding a new division of labor between the public and private sectors.
Soldiers of Fortune 500
The seeds of victory in the war against terrorism were planted long before the emergence of al Qaeda. During the Cold War, the Eisenhower administration—worried that traditional military-industrial partnerships were not producing the technologies essential to defeating the Soviets—created the Small Business Act of 1958, which allowed the predecessors of today’s venture capitalists (vcs) to leverage their private capital on a three-to-one basis with funds borrowed from the government at below-market rates. (This leverage was increased to four-to-one in the late 1970s.) Essentially, the government said, “If you’re willing to put some money behind risky but promising ventures, we’ll lend you three bucks for every one you put in. And we’ll lend it to you for less than any bank would, because we think this investment is good for the country.” This pledge mitigated the risk for investors and thus increased a pool of risk capital that could flow to entrepreneurial ventures.
The verdict is in: This government program has worked big time.
The subsequently growing pool of venture capital produced a number of success stories even before the tech boom of the late 1990s. Companies such as Minute Maid, Digital Equipment Corporation, Eastern Airlines, Federal Express, Apple Computer, and Genentech, Inc. provided the kinds of returns on investment that drew ever greater amounts of capital to the higher returns of venture investments. The connection to the government and, in particular, to the security establishment has been apparent in a number of instances since the very first days of this industry. Even Minute Maid was born from efforts during the Second World War to produce concentrated fruit juice for troops overseas.
The venture-capital boom of the 1990s provided yet more proof that the partnership between the security and venture-capital communities has had a circular, self-reinforcing quality. The Internet and many fundamental breakthroughs in computer and software development emerged from research-and-development (r&d) organizations within the defense establishment, such as the Defense Advanced Research and Projects Agency. Entrepreneurs, in turn, used funds from vcs to develop the companies that enhanced those technologies, which in turn enabled the creation of the commercial World Wide Web. Today, the military is upgrading its systems by using many of the software, switching and routing technologies, and content innovations developed by the private sector in its process of reinventing and spurring the worldwide growth of the Internet.
The success of this technological development cycle has produced not only an explosion in new technologies but also spectacular growth in the amount of money that is now available to entrepreneurs via vcs. During the last half of the 1990s, U.S. venture investment increased 20-fold, reaching a peak of $102.3 billion in 2000. By that year, over 5,000 companies had tapped this pool. Though the amounts fell dramatically in 2001 to approximately $38 billion, this sum of money is still vastly greater than many of the federal budget’s most significant new technology development programs. For example, efforts to counter terrorism involving weapons of mass destruction only garnered $1.7 billion in the fiscal year 2002 budget. Furthermore, government r&d efforts are built to serve existing plans and are slowed and guided by ubiquitous, lumbering bureaucracies. These megaprojects are not the source of much of the out-of-the-box thinking that can come from smaller, less constrained operations. Consequently, it is not surprising that while the defense budget will continue to drive important new technologies, vc financing is still going to be a vital player in the r&d world for some time to come.
And it will be a very agile player. Since the boom of the late 1990s, the United States has moved away from the r&d model that drove most of its growth in the second half of the 20th century, wherein funds flowed from corporate budgets into owned-and-operated corporate laboratories like Bell Labs (where researchers developed telecommunications and information processing technologies such as the transistor that helped trigger the Information Revolution) or Xerox’s Palo Alto Research Center (famous for developing technologies that led to the icon-driven operating systems common in today’s Windows systems). Instead, the new model has entrepreneurial-minded technologists leaving the corporate nest, raising venture capital, test flying their ideas, and then, if they are successful, cashing out by selling those ideas back to large corporations. What has happened, in effect, is that the corporate world has outsourced many of its r&d functions by letting others take the risks.
Today, given the enormous demands for new technologies linked to fighting the war on terrorism and preserving homeland security, vcs are beginning to sense an opportunity. Once the nearly $38 billion earmarked for homeland security in Bush’s fiscal year 2003 budget is divided among the 40 federal agencies involved in combating terrorism (not to mention the 50 states and thousands of localities lining up for cash), the amounts for technological development will be comparatively minuscule. Furthermore, the private sector is quickly realizing that impossibly huge demands are being placed on federal, state, and local authorities who must manage their existing “homeland security–related tasks”—such as patrolling borders, processing immigrants, policing streets, and administering the law in an environment where the number of credible and increasingly complex threats has grown in a very short period.
Consequently, the private sector has begun to take care of matters on its own. One example of how the invisible hand of the marketplace is more agile than the heavy hand of bureaucracy comes from the financial sector. Despite the destruction of 17 acres of lower Manhattan last September—including much of the critical infrastructure on that part of the island and the offices of many major players in the financial community—the markets themselves reopened within four days. The reason for this quick recovery was that in the wake of the first bombing of the World Trade Center in 1993, many institutions developed redundant back-office systems and emergency-response plans that were then implemented within hours of last year’s attacks on the Twin Towers. Now, of course, many industries are seeing the merits of such an approach and are developing their own standards and systems for coping with such catastrophes.
Companies are not only concerned about physical security but also cybersecurity, and with good reason. According to the cert Coordination Center (formerly known as the Computer Emergency Response Team) at Carnegie Mellon University’s Software Engineering Institute, the number of security incidents on the Internet has increased at an alarming rate. Over 20,000 incidents were reported to cert in 2000. That number increased to more than 52,000 in 2001. As such, corporations and the U.S. government find themselves sharing the same foxhole as they seek to defend the critical functions of the national infrastructure. One important initiative that has already emerged is the Critical Infrastructure Protection Board chaired by Richard Clarke, the nation’s cybersecurity czar. Clarke has been among the government’s most effective architects of public-private partnerships in part because he was the driving force behind the government’s y2k efforts. This precedent-setting project was based on the idea that the y2k bug—which many feared could cause critical computer systems to fail when the calendar hit the year 2000—was a national threat that could not be addressed by the government acting alone.
This ongoing cooperation was easily translated into a response to the war on terrorism after September 11. At that time, business leaders with whom Clarke worked closely—such as Microsoft’s Bill Gates and Oracle’s Larry Ellison, not generally seen as highly cooperative with one another—announced plans to make security a higher priority at their companies. Gates even circulated a memo to Microsoft staff mandating the establishment of security-related issues as the company’s top priority.
The Creative Edge
The culture of innovation that is prevalent in the United States has produced an overwhelming response from the private sector in the aftermath of last year’s terrorist attacks. One Pentagon office, the Technical Support Working Group (created to help coordinate interaction with private-sector technology developers), received 12,405 proposals for new technologies in the war on terrorism between October 2001 and January 2002. Similar requests for proposals have in the past garnered 900 to 1,000 responses. At In-Q-Tel, Inc., applications for funding have gone from approximately 700 during the first 30 months of the organization’s existence to over 1,000 during the last six. But the Technical Support Working Group funds only about $70 million in such projects a year. And In-Q-Tel, Inc., which is interested in a broad range of technologies—such as Internet search engines, analytical software, and security and privacy technologies—has only funded more than 20 ventures in its short lifetime and allocates only about $30 million a year for investment purposes. Clearly, more such programs are needed if the United States is to tap its rich technological resources. And in addition to providing more financing, the government must be willing to get over the “not-invented-here syndrome” and to share new technologies broadly across agencies.
Again, market forces come to the rescue. In this security-minded environment, demand for these new products is engendering enormous sales potential for innovators even if the government cannot or will not fund them. International Data Corporation, an industry consultant, projects that the global market for information security services will triple from today’s levels to over $21 billion by 2005. Similarly, even where relatively new technologies such as biometrics are concerned, growing demand will produce money for new r&d. It is estimated that between 500,000 and 700,000 identity thefts—one of the fastest growing modern crimes—occurred in the United States in 2000. Consequently, the International Biometric Group expects biometric sales to grow from some $500 million this year to almost four times that by the end of 2005. Homeland-security experts have shown particular interest in advanced id cards with biometric identifiers stored on smart chips. The debate at the federal level about the appropriateness of creating a U.S. national id card continues. But a market-driven alliance between state motor vehicle administrators (through the American Association of Motor Vehicle Administrators), biometric companies, and manufacturers of sophisticated databases is likely to produce a de facto national id card by adopting common information standards for driver’s licenses.
Given that many bioterrorism experts consider the U.S. food supply to be especially vulnerable to terrorist attacks, there is also a high premium on new bioanalytical devices that can determine whether pathogens reside in food. Taking 30 minutes rather than hours to determine whether a food product has been spiked with a bacterium or some poisonous chemical can mean the difference between life and death for potentially large groups of consumers. To speed the process along, the Washington, D.C., law firm Buchanan Ingersoll has proposed creating an antibioterrorism technology development venture capital fund that would put government dollars in the hands of venture professionals to help locate the most promising technologies for identifying and containing potential biological attacks. The objective would be to accelerate the development of a competitive antibioterrorism industry so that the government could use the technologies while the companies could benefit from other sales of the products developed—much as what happened with the computer, biotech, and Internet development efforts that took place within and in partnership with the government.
Unleashing the Market
Just as it is impossible for government to win this war alone, so too is it impossible for businesses to do the same. Businesses can protect, to some degree, their own assets. They can develop useful new technologies. They can finance innovation and dissemination of cost-effective tools for identifying, reducing, or containing threats. But they cannot wage war overseas, cannot conduct international diplomacy, and most importantly, cannot create a national strategy where one is lacking. Finally, if their willingness to work with the federal government is not reciprocated (right now many companies that have called the federal government with homeland-security ideas have been met with “We’re not ready yet” or “We’re too overwhelmed”) or the potential impact of their ideas is limited (because one government agency grabs them and puts a lid on them), all they can do is wait until another cataclysm drives home the message that the public-private coalition requires a new attitude, outlook, and structure.
The U.S. government can take a range of new approaches that will allow it to further harness the power of this army of gray flannel allies. For starters, lawmakers and regulators need to precisely codify the extent to which privacy rights should be modified to enhance security. Otherwise, corporations will be extremely reluctant to share their databases with the appropriate government agencies. For example, had there been a more effective system in place for sharing data among car rental companies, flight schools, airlines, credit card companies, and federal visa and state driver’s license records, U.S. authorities could have had a much easier time identifying and perhaps stopping the terrorist activities of September 2001. However, if the wrong individual ends up being harassed by the government because of a record a private company handed over, how long will it be before lawyers file suit against that company?
By the same token, corporations that cooperate with the government will require indemnification against potential lawsuits by individuals who suffer damages as a consequence of a terrorist attack that succeeds despite the company’s best efforts, or worse, because of a failure of their systems and services. Imagine what would happen if it could be proved that 250 people on a plane died because a new piece of expensive technology did not sniff out a bomb on board. Again, instant lawsuits would follow.
Moreover, the U.S. government must be the insurer of last resort in the event of catastrophic attacks, unless we want to see a major rollback in the high-profile, economically important development efforts that also produce high-risk potential targets. Urban areas in major U.S. cities would suffer the greatest losses, as is evidenced by this year’s decline in construction of high-rise buildings and megaprojects. Insurance companies would also be forced to raise rates to stratospheric levels in the absence of such protection, thereby undermining the ability of the market to play an optimal role in the partnership.
Another vital step is to clarify exactly what the federal government means by “homeland defense.” Is it defense of borders? Defense of the population? Defense against all threats? The answers to these questions will be crucial to developing a clear federal strategy for homeland security. There will be pitfalls if the government offers too broad a definition or too ambitious a set of objectives. The government cannot possibly hope to defend every potential target in the United States from every potential threat. Consequently, the definition and strategy must focus on areas that absolutely require the federal government’s participation—specifically, those areas in which threats to national security portend massive physical or economic devastation. Thus, the focus should be on weapons of mass destruction (nuclear, biological, and chemical), weapons of mass disruption (cyberattack and coordinated conventional attacks), and organizations with the inclination either to undertake such attacks or to wage extended war on U.S. citizens or assets. Further clarification in other areas that guide federal action is also necessary: The definition of “first responders” needs to be broadened to include certain public and private healthcare workers. The definition of intelligence must be broadened so that it includes open-source and other unclassified forms of information sharing.
Such information sharing won’t work, however, unless all participants have access to the best intelligence available. Only a comparative few will have access to classified components of this information, but tens or hundreds of thousands will need unclassified versions of this data. Even that unclassified information will require the latest encryption technologies to prevent it from falling into the wrong hands. Rather than relying on the traditional, stove-piped approaches in which agencies communicate up and down their organizational charts but not with others in the government who have similar missions, the system needs to have a more decentralized architecture and should offer end-users raw data for their own interpretation. The key will be to harness the more than 1 million pages of new data that appear on the Internet each day. The failure to deliver that intelligence to those who need it will only produce insecurity, doubt, and failure.
In addition to disseminating intelligence, it is vital to foster the dissemination of innovation. While the term “incubator” (in which a company offers space, resources, back-office services, and sometimes management expertise to multiple start-ups simultaneously) lost its former appeal among the tech crowd following the industry’s shake-out, the idea of offering government facilities, technology, and potential markets to would-be entrepreneurs will give the U.S. government more mileage for its money and will bring in clusters of talented, market-trained innovators that it might not otherwise be able to attract. Similarly, groups of scientists and technology specialists might donate a week or two a year to participate in simulations of crises that are designed to reassess capabilities and stimulate new strategic or technical thinking about solutions.
Finally, as September 11 recedes into memory, complacency might emerge in the private-sector and among local agencies. To preempt this possibility, private-sector firms with requisite expertise should publish objective evaluations of readiness. Such ratings would be controversial, but they would also motivate states, localities, and companies to optimize their efforts. No city would want to be ranked at the bottom of a “National Homeland Security Readiness Index” lest it deter investment and growth. Nor would political or business leaders want to be seen as falling behind their peers in terms of this critical measure. Creating information products that promote innovation and vigilance is essential to maintaining readiness.
Balance Sheets of Power
The calculus of the war on terrorism is different from that of previous wars. In an instant, the United States can lose more people than died in over a decade in Vietnam. Five grams of anthrax in the heating and ventilation system of an office tower or a mall can kill thousands. A single successful attack using a briefcase-sized nuclear device or a dose of smallpox in an airport could kill tens of thousands or many more. A single vial of hoof-and-mouth disease or bovine spongiform encephalopathy (“mad cow disease”) spread around a feedlot in Texas could shut down U.S. beef exports to the world.
But the guards at the feedlot and the mall are rent-a-cops and have neither the training nor the intelligence support to identify or respond to terrorist threats. The sensors that could contain such attacks have yet to be deployed, due to liability issues and cost factors. To stop an attack from a weapon of mass destruction will require a marriage of good intelligence and solid police work, sensing technologies and effective drills, and public and private resources. The government cannot do it alone, and the private sector is not only ready to help but has already made great strides in that direction. The opportunity is strikingly clear: The United States can defeat terrorists by drawing on the very attributes that inflame its enemies. The World Trade Center was a monument to American enterprise, American capital, American technology, the hard work of the American people, U.S. reliance on the marketplace, and the role of the individual. The towers may be gone, but the forces they embodied remain and stand ready to wage war on those who brought the towers down—if only the American people and the U.S. government will let them.