Changing Expectations for the Private Sector: Redefining Corporate Security Post-911
May 02, 2018 10:51PM
By Makayla Gay
By Dr. Daniel Ostergaard
Redefining public-private boundaries is essential to successful counterterrorism efforts, but an understanding of the systemic context in which firms exist is the basis from whence policy and strategy are developed. The business operator is not an individual cog in a wheel. Rather, the individual business is a system within a system within a system. The real challenge is that from an economic logic perspective, the evolution of the modern international trading system and its subset of intermodal transportation has developed with efficiency and the ability to conduct “just in time delivery” throughout the world. However, retrofitting that system with security-integrated logics is the next challenge. After all, if the firm is truly a system of systems, it is not sufficient that one country has resilient firms while other countries do not. The nature of the supply chain is such that each link becomes essential to the overall success. Thus, each link would have to be resilient for the entire system to truly be considered resilient at an individual level as well.
Often times the private sector desires clearer definitions and boundaries and a more clearly articulated delineation between the security roles of the public and private sector. In the aftermath of major terror incidents around the world, public codification of security requirements is often borne by private sector firms. This can result in a series of negotiations – sometimes over many years – as the public-private boundaries are redefined.
For example, federal legislation passed in the wake of 9/11 required the Transportation Security Administration and the U.S. Coast Guard to introduce a national identification card for seaport workers. This Transportation Worker Identity Card (TWIC) would include biometric data and would ensure that every card holder had received a background check from the government. However, as the TWIC program evolved, it quickly became apparent to the private sector that the burden for checking TWIC holders at seaport access points would not be a government function. In essence, the private sector became the front line of defense for checking federal TWIC cards at seaport access points. Additional security measures, equipment to read the biometric data, extra security guard training, and the inherent time delays associated with TWIC checks at the points of entry meant an increase in firm responsibility and increased costs for operations.
Thus, one of the unintended consequences for the original legislation was a newfound role that many firms found themselves playing. For these firms, providing the enhanced security operations required to process TWIC holders resulted in new firm responsibilities and costs. Arguably, it is one thing for a seaport terminal to hire a night watchman to keep an eye on the warehouse and something else entirely for the public sector to require the firm to serve as the frontline check of nationalized identification credentials and then expect the firm to detain transgressors until the public sector agents arrive to investigate.
And so, has security become akin to other corporate social responsibilities? Is the expense of additional security measures seen by the public sector as investments in the public good, even if counted on the expense side of the private sector’s balance sheet, or as potential liabilities if the firm failed to live up to its newfound responsibilities? This becomes even more pronounced for firms owning and operating critical infrastructure. The public good guaranteed by the continued existence of that critical infrastructure may become a liability if the firm has not properly prepared a resilient defense against a terror attack. Not only must the firm contend with a possible direct attack, but the firm may incur liability if caught in the cascading effects of a terror attack in another industry that happens to indirectly impact the firm. Either way, the firm has likely assumed new security responsibilities than it would have had prior to 9/11.
While the security measures thrust into the spotlight after 9/11 were recognized immediately within the aviation industry, we also see a slow extension of these implications over time across other sectors. Perhaps not as quickly—or with as much investment—as the aviation industry, but we do see redefinition of public-private responsibilities across other critical infrastructures and, in the case of the TWIC card, the maritime industry.
However, this extension of corporate security is not without limits. Over time, we have seen increased private sector frustration with various security programs, including the TWIC. For instance, as recently as March 2016, the Coast Guard published the long-awaited guidance on TWIC reader requirements for seaports. Afterward, one senior leader at a national trade association told me that his organization would support expansion of the TWIC, but that its future was in doubt. “We definitely see value in the program… it had all kind of gone into a black hole and now it’s stuck.”
The historical narrative of long-term institutional change at firms suggests that the delineation of public and private security responsibilities is constantly being renegotiated by various stakeholders. For instance, one corporate officer in a recent interview captured this need for additional understanding of the changing public-private interface in the following manner:
“What we need to do… is recalibrate the public perception of what security is and also the private sector’s view of what security is. I dismiss the idea that these are tradeoffs. That you have to [trade] security with efficiency. That you have to [trade] security with privacy. There are tensions here that have to be worked out, but it is not a zero sum game. That’s how it has often been portrayed, so it often reinforces the clash of norms that you are looking at here. There are important opportunities for these things to be mutually reinforcing. Part of it is stepping back and looking at what is the end we are trying to achieve. What are we trying to secure? For many in the law enforcement perspective and the national security side, that is easy: we have to keep loss of life to a minimum or keep any risk of violence in check. We have to do whatever it takes to prevent the loss of life or destruction of property. And these are the protective measures one must do to mitigate those risks.
“But what is misguided about that [mindset] is that it misunderstands the role that the maritime transportation industry and other critical infrastructure sectors provide, which is: they are not just assets that pose risk – they are systems and networks that provide enormous benefits that are central to the way our society functions, and if we do not have mobility and the ability to connect with markets around the world, the United States with just five percent of the world’s population – obviously a much larger share of the world’s economic activity – is largely an island nation when it comes to how the global economy is working today. And its umbilical cord to the economic life or the international community is the maritime transportation system.”
This framing of seaports as part of a larger system is absolutely essential to the long-term development of effective and sustainable governance structures. Reflecting on the cascading effects of critical infrastructure failures, seaports in the modern age have never been more important both from a security perspective and an economic perspective. The same is true for many other types of firms in many different industries. The connected global supply system means each piece is critical to the overall success of the system.
Understanding private firms as part of an extended system of systems also emphasizes the fallacy of creating security policy in a vacuum like that of the Beltway in D.C. A complex system requires the integration and strengthening of public-private partnerships that share mutual long-term interests. Simply outsourcing security from the public to the private sector is not a long-term solution without an articulated, shared vision for the future.
Dr. Daniel Ostergaard is an international business professor at the University of South Carolina. The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of any other agency, organization, employer or company.