Page 1




d e t s Te

s t n o r f y n a m n o ed g n e l l a h c s e i c n Age CRITICAL RATION ION

GE NO SHORTA RS OF DISASTE s, Storms, wildfire hacking abound

IMMIG POLICIES Stricter orders forcing changes

EDUCAT Cybersecurity nd experts in dema











DHS at center of hot-button battles

Immigration protest at U.S. Capitol MARK WILSON/GETTY IMAGES










Efforts to contain radicals’ violent acts

Government, industry aim to prevent attacks

Getting to the bottom of Russian hacking

FEMA tested by storm trifecta





20 58

This is a product of



8 12

MANAGING EDITOR Michelle Washington

LEADING THE MISSION Q&A with acting Secretary Elaine Duke

U.S.-Mexico border fence between San Diego, Calif., and Tijuana, Mexico

COAST GUARD Commandant navigates service’s challenges


16 20 24

TSA Administrator addresses advances in airline safety

CUSTOMS AND BORDER PROTECTION Deputy chief maps out agency’s agenda

INSIDE DHS The departments in charge of protecting the homeland





DANGERS IN THE SKY Drones pose open-air risks


CYBERSECURITY DEGREES Colleges respond to critical need for experts


HIGH-TECH TOOLS Devices detect hidden dangers in public places


MAJORING IN EMERGENCY MANAGEMENT Graduates master planning and recovery


CLOUD COMPUTING Keeping data networks safe in the ‘new normal’

EDITORS Amy Sinatra Ayres Tracy Scott Forson Patricia Kime Debbie Williams Sara Schwartz ISSUE DESIGNER Miranda Pellicano DESIGNERS Amira Martin Gina Toole Saunders Lisa M. Zilka CONTRIBUTING WRITERS Matt Alderton, Brian Barth, Claudia M. Caruana, Dan Friedell, Carmen Gentile, Gina Harkins, Melanie D.G. Kaplan, Tamara Lytle, Nancy Monson, Adam Stone, Suzanne Wright

ADVERTISING VP, ADVERTISING Patrick Burke | (703) 854-5914 ACCOUNT DIRECTOR Justine Madden | (703) 854-5444



AUTONOMOUS VEHICLES Self-driving cars could be targets for criminals


Julie Marco ISSN#0734-7456 A USA TODAY Network publication, Gannett Co. Inc USA TODAY, its logo and associated graphics are the trademarks of Gannett Co. Inc. or its affiliates. All rights reserved. Copyright 2017, USA TODAY, a division of Gannett Co. Inc. Editorial and publication headquarters are at 7950 Jones Branch Dr., McLean, VA 22108, and at (703) 854-3400. For accuracy questions, call or send an e-mail to


PRINTED IN THE USA All prices and availability are subject to change. GETTY IMAGES; UBER







Acting Department of Homeland Security Secretary Elaine Duke gives a briefing at a news conference in September at Ellington Airport in Houston on response and recovery efforts in the region after Hurricane Harvey devastated the southern part of the state. Duke will continue to helm the agency until a permanent secretary is confirmed.

CONSTANT VIGILANCE Elaine Duke tackles tough issues in top job at DHS By Patricia Kime


AREER CIVIL SERVANT ELAINE Duke was sworn in as deputy secretary of the Department of Homeland Security in April and began serving as acting secretary in late July, when then-Secretary John Kelly moved to the White House as chief of staff. In her short tenure, Duke has overseen cleanup from three major hurricanes, the response to a terrorist

attack in New York City, an announcement to end temporary residency for 5,000 Nicaraguans living in the U.S. under a hurricane relief program and a new ban that restricts travel to the U.S. from eight countries. Duke spoke to USA TODAY in November to discuss these issues and others facing the 15-year-old department, which employs more than 240,000 people and is responsible for protecting the homeland from threats on the ground, in the air, along the borders and in cyberspace.





You have said that the Islamic State group, or ISIS, is planning an attack on the scale of 9/11, and they are supporting smaller strikes like the truck attacks in New York and London to raise money and remain in the news. Yet, some counterterrorism experts have said the reason they resort to small attacks is that they are on the run. Which is it? DUKE: We are gaining in the war on ISIS in terms of territory. ... (But) ISIS’ conviction against the West, against the United States, is as strong as ever. Whether they have capabilities (we are always learning more about their capabilities) ... their aspirations are stronger than ever. As you know, they have a very strong public affairs (machine), and as they know, we are making inroads against them in terms of taking back land; they have to do things that make them look strong, so they can retain their fighters and their prominence. We are shown they are more vigilant than ever in trying to find ways to launch any type of attack, but the major attack that is catastrophic and the attacks against aviation are what’s desired. So, are there new measures that need to be taken in terms of aviation security regarding this threat? We are in the midst of ‘raising the baseline’ of aviation security. Shortly after the laptop scare (prompted by a concern that the Islamic State was developing explosives that could be hidden in electronic devices) earlier this calendar year, we came up with a three-phased way to improve aviation security worldwide, in part to avoid a laptop ban. If we just banned laptops, that would only address that threat. We wanted to address the larger threat with many of our partners, our strongest partner being the U.K. We are implementing a wide suite of features in aviation security that will improve it — it’s technology, it’s people, it’s information security, being able to prescreen people, cargo and terrorists — so we have information before an incident or a boarding can occur. Canines are another feature of this — IED (improvised explosive device) canine screening. We are looking at a multipronged approach. Social media platforms are being used by enemies to promote their agendas. How do we confront this and how do we balance the First Amendment with national security? (In October), we had the G-7 (international summit) and this was the No. 1 topic — terrorist information on the internet. This is a major concern. ... Every country has different laws. For us, it’s the First Amendment. At the G-7, we had industry there — Microsoft, Twitter, Facebook. They are working with us to help keep the First


Duke and John Franck, vice president of European Union government affairs at Microsoft, attend the G-7 international summit in October along with other government representatives and members of the private sector in Sicily, Italy. The group discussed how to stem the flow of terrorist information on the internet, which Duke called a major concern.

“Immigration is one of the priorities — closing some of the loopholes in our immigration system so our fine men and women (at DHS) can enforce the laws ... and get rid of some of the issues that are causing some of the problems in our country today.” — Elaine Duke

Amendment rights and helping us have the technology and the processes to take down terrorist material. The speed of the internet makes it very challenging, but we are very pleased with how well they are working with us, and we want to be even faster in preventing it from getting on the internet, rather than taking it down. Some other countries have made that activity criminal, but in the U.S., we are relying on voluntary cooperation. And we are going to continue focusing on that. How prepared is the government to deal with cyberattacks from criminals and state agents? (DHS is) extremely focused on cyber; it’s an area that is expanding quickly, so it’s an area where we have to continue to expand our preparedness. We do that in many ways. One is with the government networks, another is the critical infrastructure. ... We are focusing on the electric grid, utilities, anywhere an asymmmetrical threat could be used against the U.S. — by a terrorist, by a traditional state actor or by a terrorism organization for money. There are different levels of sophistication. What we want to avoid is someone doing an intrusion that they might plant and have there to use in the future. We are looking at making sure there are no intrusions.


Cement barricades were placed along a bike path Nov. 3 in New York City days after a man in a rented truck, who police said studied ISIS propoganda, hit and killed eight people.

Let’s talk about the administration’s focus on immigration. Immigration is one of the priorities CO N T I N U E D





Duke and FBI Director Christopher Wray testify about potential threats to the U.S. before the Senate Committee on Homeland Security and Governmental Affairs in September. — closing some of the loopholes in our immigration system so our fine men and women (at DHS) can enforce the laws in a more systemic manner and get rid of some of the issues that are causing some of the problems in our country today. Can you be more specific about these loopholes? A lot of the programs we’ve had have been temporary. DACA (the Deferred Action for Childhood Arrivals program) was for two years at a time. Temporary protected status was up to 18 months at a time. We have to make a decision through Congress as to what do we want to do with these populations. I think it’s not compassionate at all to keep people in six-month, 12-month, two-year limbo. Similarly, there’s the illegal population. We have known for years that we have a large illegal immigrant population, estimated at about 11 million. We don’t have unanimity of what we want to do about our illegal population. Some have told us to ignore the law. We in DHS take an oath to the Constitution, so we must uphold the law. If Congress wants to change the law, then change it. But we have these populations that had not been dealt with. There’s been a lot of discussion about the wall, and there will not really be a physical wall “from sea to shining sea,” as Kirstjen Nielsen, the DHS secretary

nominee said during her Nov. 8 confirmation hearing. Are there places on the border that are more of a focus? There will be some wall construction. Customs and Border Protection recently completed a southern border comprehensive strategy. It’s a combination of wall infrastructure, people and technology. It depends on many factors, including topography and geography. It depends on what we call the ‘vanishing point.’ How long does Border Patrol have before they lose a person making an illegal entry? If it’s a highly populated area, seconds. If it’s a desert, where it’s 4 miles to the next road, there’s quite a bit of time. That’s driven by Border Patrol requirements. When we talk about a secure border, our goal is no illegal entries. What about border security in the North? We also are looking at a Northern border strategy, which is even more challenging because of the distance and geography. ... We don’t see the volume (we have in the South), but any number is a bad number. We are concerned about drug movement across the Northern border. We are seeing increases in the Northeast, New York and Vermont. We also are seeing people crossing illegally into Canada — people going across seeking (asylum) in Canada — so we are in talks with our Canadian counterparts.


White House Deputy Chief of Staff Kirstjen Nielsen speaks in the East Room of the White House on Oct. 12 after President Donald Trump nominated her to be the next homeland security secretary.

DHS SECRETARY NOMINEE KIRSTJEN NIELSEN A vote confirming Kirstjen Nielsen as Homeland Security secretary is expected by the end of the year, filling a vacancy left by White House Chief of Staff John Kelly. Nielsen, 45, had been serving as Kelly’s deputy at the White House when she was nominated. She previously worked as Kelly’s chief of staff at the Department of Homeland Security before following Kelly to the White House. An attorney with experience in cybersecurity and homeland security, Nielsen worked at the Transportation

Security Administration and on the White House Homeland Security Council under President George W. Bush. If confirmed, she would be the first former employee to run the department created in 2002. Nielsen holds degrees from Georgetown School of Foreign Service and the University of Virginia Law School. She was also a senior fellow at the Center for Cyber and Homeland Security at George Washington University. — David Jackson and Julia Fair







On Sept. 15, Adm. Paul Zukunft, commandant of the U.S. Coast Guard, visits the 8th Coast Guard District Area command in New Orleans to recognize members’ response efforts during Hurricane Harvey. The area command was established to oversee response operations in the areas affected by the hurricane.


By Patricia Kime

Coast Guard commandant balances modernization with emergency response

HE U.S. COAST GUARD is the smallest military service. Yet every day, it tackles nearly a dozen missions, including drug interdiction and maritime security, search and rescue and fixing the nation’s aging buoys. While maintaining a high operations tempo, it also responds to maritime disasters: This year, when three Category 4 hurricanes struck the U.S., the Coast Guard deployed 2,800 personnel, or slightly more than 6 percent of its forces, to the affected areas. Commandant Adm. Paul Zukunft spoke with USA TODAY about the service’s operations and challenges. CO N T I N U E D





COAST GUARD I’m planning (for sea-level rise) in all the infrastructure we build out. We’ve just seen with Hurricane Harvey and Irma, between Corpus Christi (Texas) and Charleston, South Carolina, where we have installations all along the coastal areas, we incurred $870 million in damage to our infrastructure and we haven’t even tallied up (Hurricane) Maria yet. We are exposed. But I have to look out 100 years. When we put down infrastructure, it’s usually there for at least 100 years. We need to think long term and plan.


Members of the Coast Guard’s deployable specialized forces from the Maritime Safety and Security Team from New Orleans, Miami and Houston, the Atlantic Strike Team and the Gulf Strike Team prepare to evacuate survivors of Hurricane Harvey in Houston on Aug. 29.


Coast Guard Petty Officer 2nd Class Ed Traver and Seaman Grayden Boad retrieve a net used to collect zooplankton Sept. 5 as part of research in the Arctic Ocean.


You are now serving under your second presidential administration. What are your top priorities and have they changed? ZUKUNFT: We set our agenda back in 2014 when I stood in as commandant. We would often describe to the administration, including the Department of Homeland Security, our 11 statutory missions. But what we didn’t provide was

context, so we put together a family of strategies that gave context (for key areas): The Western Hemisphere. We had unaccompanied minors flooding our borders in 2014. The administration was grappling with needing more beds and facilities and how we accommodate all these minors. I was looking (through) the lens of ‘Why are they leaving?’ They were primarily leaving three countries – Guatemala, El Salvador, Honduras. The flow of drugs, the cartels,

the violent crime, the homicide rates were really driving the illegal migration. (I thought) ‘We have all these authorities, so why don’t we try to stop this threat where it is most vulnerable, on the high seas?’ The Arctic. As sea ice retreats, we are seeing more and more human activity in the Arctic. Russia is playing an everincreasing role and now even China is spending a lot of time up there. Yet we as a nation had made little to no investment in the region, so we put an Arctic strategy (that involves improving awareness, broadening partnerships and modernizing governance) together. Inland waterways and ports. We started looking at all the maritime activity that takes place on inland waterways and ports, which generate $4.6 trillion in commerce each year. And the Coast Guard enables (this) by maintaining these waterways. Cyber. The Coast Guard has a very aggressive cyber program. The J6 (director of command, control, communications and computers) in the Pentagon is a Coast Guard three-star (Vice Adm. Marshall Lytle III) ... (the Joint Chiefs of Staff) were looking for someone who understands the .mil realm of the domains. We also have cyber protection teams ... that protect our cyber infrastructure, leverage cyber — (in) intelligence directing operations — ... and protect the maritime sector. The Coast Guard is stationed along U.S. coasts and waterways. How are you addressing sea-level rise?

Every now and then, someone floats the idea of privatizing Coast Guard missions like ports, search and rescue or aids to navigation. Are there any that could be privatized? Well, when you look at the aids to navigation (ATON) work right now, we have people steaming around the eye of a hurricane to arrive on scene (in the Virgin Islands or Puerto Rico). I don’t know that there are commercial vendors who would do that. And it’s not just doing ATON. We are resupplying Vieques and Culebra (Puerto Rico) with those platforms and if there’s a requirement for security or law enforcement, we can do that. The Navy has had a string of serious accidents that may be related to a high operations tempo and fatigue. How has the Coast Guard been able to handle an increase in demand? Are our folks tired? Yes. But if they are tired to the point where they can’t safely carry out their duties, they need to say no. In fact, I will reward you for saying no. I write a letter to every commander and officer in charge in the Coast Guard and tell them they have three ‘knows:’ You have to know your mission inside and out; you have to know your people — do they have special needs, what’s going on in their lives and are they qualified to do their missions; and the most important one is knowing when to say no, and only you can make that decision. ... It’s important to reward leaders who are entrusted (with) the safety of the crew. As commandant, what do you want to leave as your legacy? This isn’t about legacy, it’s about continuity. We need to think long term beyond the life of the administration. We need to think strategically. The number one priority is how do we recruit, how do we train, how do we retain the workforce we have today well into the 21st century? Because if we take our eye off that ball, all the modernization effort we are doing right now will become a hollow force if we lose sight of the value our people bring ... that’s first and foremost on my priorities as I turn over leadership to the 26th commandant.







Transportation Security Administrator David Pekoske is flanked by members of the Ronald Reagan Washington National Airport Honor Guard. The airport is among several across the country to begin using Credential Authentication Technology, which allows TSA officers to scan air passengers’ driver’s licenses to confirm their identity and scheduled flight.

SECURING THE SKIES TSA administrator addresses priorities for airline safety By Melanie D.G. Kaplan


AVID PEKOSKE WAS CONFIRMED in August as the seventh administrator of the Transportation Security Administration (TSA), where he leads a workforce of 60,000. A recognized expert in crisis management and port and maritime security, Pekoske previously served as the vice commandant of the U.S. Coast Guard. TSA was created within the Department of

Homeland Security in the aftermath of 9/11 to oversee the security operations at nearly 450 airports throughout the United States, the Federal Air Marshal Service and all modes of transportation, including aviation, mass transit, freight and passenger rail, highways, pipelines and ports. In October, Pekoske talked to USA TODAY about keeping airports safe in the face of constantly emerging threats. CO N T I N U E D







After two months on the job, what’s surprised you most about the agency? PEKOSKE: I’ve seen tremendous dedication from the TSA workforce and really smart partnerships with the airlines and airports. We all share the same goal of making sure that when people get on flights, they’re safe. I’ve also been impressed by the innovation that’s being implemented not only to improve security but to improve the traveler experience.

accordingly. On the planes, the cockpit doors are much stronger than they were pre-9/11, and federal air marshals, who are part of TSA, provide further protection. I’d underscore all of it by saying that the passengers are an important part of keeping everyone safe. DHS has had the campaign, “If You See Something, Say Something” for years. We ask passengers to be vigilant. If you see something out of the ordinary, report it to a gate agent or a transportation security officer.

I understand one of your priorities is ensuring adequate staffing to prevent The PreCheck screening program is long waits. How are you moving now in 200 airports with more than 5 forward with hiring and million people enrolled. training new staff? What are your goals for First, we want to ensure growing the program, and we manage the staff we have how would you rate its most effectively. If there’s a success thus far? known event — say the U.N. I think PreCheck has been General Assembly in New very successful. It allows us, York City — we can move with the traveler’s permisstaff from other parts of the sion, to conduct a background country to reinforce our check, which gives them an efforts there. Our training expedited screening. The used to happen at airports. average wait is 30 minutes Today, new staff goes through for regular lanes and 10 for two weeks of standardized PreCheck — that’s a signifitraining at TSA Academy, cant benefit to the traveler. David Pekoske which is at FLETC, Federal It’s a significant benefit to Law Enforcement Training us because we now have a Centers, in Glynco, Ga. At the airports, we population of travelers who have undertrain supervisors and experts, and they gone background checks, which improves train the staff. We explain the emerging security. Passenger traffic is growing 3 to 4 threat, tell them what to look for in an percent per year, so I’d like to see PreCheck X-ray scan and how to handle it if they see keep pace and ideally exceed that. something. The agency has faced criticism for long New regulations require passengers to lines and ineffective screening. How is remove any personal electronic devices TSA working to speed the flow of paslarger than a cellphone from their bags. sengers through checkpoints without The change was prompted by concerns affecting security? that terrorist groups now have the abilOver the past summer, we had the ity to fit miniaturized explosives into highest passenger volumes ever, since the electronic devices. In September, the beginning of screening 16 years ago. Given agency announced a new technology that volume, from my perspective, the that would allow passengers to keep wait time issue has been very successful. liquids and laptops in their carry-on The airlines tell us when they expect bags at the security checkpoint. When passengers, which allows us to manage our can we expect this technology? staff efficiently. The airlines and airports Computed tomography scanners are help us fill non-certified positions when already used in checked bags. The technolthings get busy. ogy shoots hundreds of images with an Regarding the effectiveness of screenX-ray camera to provide a 3-D picture, ing — it’s the most important thing our virtually unpacking and repacking your agency does. Screening is never 100 bag. If that technology is funded and fully percent. There’s always room to improve. deployed, passengers may not have to take It’s important to keep in mind that the out laptops and liquids. We’re at the very checkpoint isn’t the only place we do early stages. We’re looking five or so years vetting — it happens from the time the into the future. passenger makes a reservation to the time they board the aircraft and arrive It sounds like automated screening at their destination. We work with law lanes will really help reduce wait times. enforcement and also have within TSA the Explain how these work. Office of Intelligence and Analysis. Our I was just in Atlanta (in October). They understanding of and awareness of threats have 29 lanes in domestic travel, and is very good, and we adjust procedures


Pekoske talks to Transportation Security Administration inspector Dennis Hamilton, left, and federal security director Kerwin Wilson at Ronald Reagan National Airport in Washington, D.C. 22 are automated screening lanes. You approach the conveyor belts, and rather than having one spot for each of the 22 lanes, you have five spots, so it accommodates a lot more volume. It allows people who need more time to take more time. Seasoned travelers will move through the line faster. In addition to Atlanta, we have them at JFK, Newark, LaGuardia, Las Vegas, Miami, Chicago O’Hare, LAX, Dallas Ft. Worth and Minneapolis-St. Paul. This technology was largely funded by the airlines and the airports. What about biometric technologies, such as fingerprint scanning and facial recognition to verify passengers’ identities?

We are looking closely at it, so we can ensure a traveler is the person they say they are. Right now, we are testing Credential Authentication Technology. Rather than going up to the first person you see at the checkpoint and handing that person your driver’s license and boarding pass, you just hand your ID to a transportation security officer, who inserts your license into a reader, and the reader communicates directly with some programs we have that match you up with a flight. It’s operational at Dulles, Reagan National, Chicago O’Hare, Austin, Boston, Atlanta and Charlotte. Raleigh, Indianapolis and Miami are expected to go live in the next couple weeks. We are trying, wherever we can, to put technology to use.







In October, prototypes for a wall along the U.S. border with Mexico, requested in response to an executive order from President Donald Trump, were completed. What are the features of these prototypes? VITIELLO: We asked for specific elements, such as aesthetics, seethrough ability, connectivity and use of technology. Multiple companies (built) eight products; four are concrete and four are other materials. The 2006 Secure Fence Act called for almost 700 miles of barrier on the Southwest border. One of the best practices we learned from that project involved sensor technology. Sensors allow our agents to know when people are approaching the fence. It’s the wall that gets all the attention, but it’s actually a complex system that includes cameras, lights and agents who can make arrests.


U.S. Customs and Border Protection Acting Deputy Commissioner Ronald Vitiello, center, and U.S. Border Patrol Academy staff meet in June in Artesia, N.M.


Customs deputy chief outlines agency’s missions, challenges By Melanie D.G. Kaplan


ONALD VITIELLO, ACTING DEPUTY commissioner of U.S. Customs and Border Protection (CBP), began working on the U.S.-Mexico border more than

30 years ago as a border patrol agent in Loredo, Texas. Vitiello talked to USA TODAY about the priorities and challenges facing the 60,000-employee agency, which is responsible for keeping terrorists and their weapons out of the U.S. while enforcing lawful international travel and trade.

The agency has reported a decrease in illegal crossings at the southern border. What are the reasons for the lower numbers? The total number of people apprehended at the border for fiscal 2017 was 287,637, compared to 415,816 for 2016. The downturn can be affected by enforcement, the economy and conditions in other countries. Starting in November (2016), we saw people’s awareness change as to whether they could be successful getting into the U.S. illegally. I think they’ve changed their calculation based on their perception of how successful they’ll be at the border and beyond. If you’re in a place like Honduras and you sell everything you own and put your child or yourself into the hands of a smuggler, that’s a very big decision that has consequences. That’s led to a significant reduction of activity at the border. It doesn’t mean we’re done, but it allows us to concentrate more on other threats that exist. Are drug seizures also down? We’ve seen a marked reduction in marijuana seizures but an increase in hard narcotics and synthetic opioids, specifically Fentanyl. We need to get better at detecting these drugs at the ports. Fentanyl and the opioids are a danger to the workforce, so we need to have the right kind of tools to identify these substances without contacting them. The stuff is so powerful that even a small amount can incapacitate our workforce. CO N T I N U E D







U.S. Border Patrol Officer Tekae Michael stands near prototypes of President Donald Trump’s proposed border wall Nov. 1 in San Diego, Calif. The concrete and steel structures, erected in a remote area, are scheduled to be tested for 30 to 60 days to determine which design meets the needs to secure the border. people who apply and CBP has been are successful. recruiting at NASCAR “The total number races, bull-riding In October, DHS events, Spartan races of people apbegan collecting social and country music prehended at media and internet festivals. Why has search data on every it been difficult to the border for immigrant in the U.S., recruit, and what type fiscal 2017 was even those with green of individual are you cards. Why was this looking to hire? 287,637, compolicy implemented? We’re looking for The change is in people who want to pared to 415,816 response to a mandate serve, who don’t mind for 2016.” to do better at vetting. doing so outdoors and — Ronald Vitiello Social media gives you at night, in some rough insight to what people terrain. We’re looking care about. Using that for patriotic young men is a commonsense step and women who are to help add to our capacity to protect courageous. Almost 30 percent of (CBP’s) America. We’re trying to do everything workforce are former military members. we can to be more aware of the complete We want folks who understand as a law individual, so when they apply for a visa enforcement officer, they have a certain and use it to enter the U.S., we know as requirement to uphold the public trust, and much about them as we can. We want to people who in their own personal conduct facilitate entry for people who are legitihave high standards. We’ve struggled with mate travelers and immigrants, but the attrition and not hiring enough people fast reverse is also true. We want to understand enough for border control. But we’re trying people’s backgrounds to make sure we to get smart and learn from the data for


Maintenance staff of PAE aviation service and U.S. Air Force personnel offload CBP Black Hawks from a C-5 aircraft in October 2017 to deliver aid to victims of Hurricane Maria in Aguadilla, Puerto Rico.

don’t let someone in who is looking to do us harm. After Hurricanes Irma and Maria in September, CBP sent Predator B drones from its operational base in Corpus Christi, Texas, to assess damage. What did you learn? It’s not the first time we’ve used (drones) in response to a national disaster. Pre-storm, they can evaluate and map a coastline and give you a precise picture, so post-storm, they can fly the same track and give disaster preparedness folks a real good picture of the damage. We used them in Florida and a little bit in Puerto Rico. How else was CBP involved after the hurricanes? We have two missions in the post-storm events: Account for all our employees and rescue people as needed. In the medium and longer term, we help FEMA (the Federal Emergency Management Agency) respond to recovery efforts — bringing generators to hospitals, bringing medicines to doctors, rescuing people as required. We sent hundreds of people to each of

the areas impacted after Harvey, Irma and Maria. We helped get the workforce back on its feet and helped prepare for when international travel came back up. In the early days after Harvey and Maria, our aircraft (which normally monitor the coast for smuggling) spent hundreds of hours flying air traffic control missions until power was restored in the airports. What are some of the biggest overall challenges you face at CBP today? It’s hard to get the word out about the real service we bring to the country as it relates to security, international travel and legitimate trade. The good news, professionalism and the trust we hold with the public doesn’t get as much coverage as some of the mistakes that we might make, or the perception people might have about illegal traffic or immigration. A lot of people who don’t live on borders don’t know what CBP does. Once people realize what a valuable capability we bring to the government, they’re more apt to support it, and I think that will help us in the longer term as it relates to recruiting and attracting employees.






HOMELAND SECURITY AT A GLANCE The Department of Homeland Security’s 240,000 employees are responsible for keeping the nation safe from dangers, inside our borders and from abroad. Here’s a look at the divisions that power the agency:



Protects national and world leaders; investigates financial, currency and computer-related crimes, including counterfeiting and identity theft.


U.S. Customs and Border Protection: Provides security at U.S. borders; facilitates legal trade and travel across borders; enforces immigration and drug laws.

Transportation Security Administration: Screens luggage, passengers and cargo, primarily at airports; stations air marshals on planes; maintains watch list of people suspected as threats.


Directorate for Management: Handles budget matters, human resources, accounting, IT and procurement.



Office of Policy: Coordinates the development of agency policy.


U.S. Citizenship and Immigration Services: Handles applications for citizenship and visas for foreign nationals; runs E-Verify program that allows employers to check employees’ citizenship status.

Federal Emergency Management Agency: Supports state and local agencies that respond to disasters; provides financial aid to residents who have lost property in a federally declared disaster.

COAST GUARD The only military organization within DHS; defends maritime borders and rescues those in danger in U.S. waters.


U.S. Immigration and Customs Enforcement: Created from the U.S. Customs Service and the Immigration and Naturalization Service; enforces customs, immigration and trade laws.

OTHER COMPONENTS National Protection & Programs Directorate: Leads efforts to protect physical and cyber infrastructure; protects federal buildings; provides technology to collect, store and analyze biometric data.

Science and Technology Directorate: Researches, develops and provides products and technology solutions that help strengthen DHS security capabilities.


Office of Health Affairs: Advises the department on public health matters; manages systems for early detection of chemical and biological weapons; coordinates response to health threats.

Office of Intelligence & Analysis: Part of the national intelligence community — distributes information and intelligence to state, local and tribal officials; works with the Office of the Director of National Intelligence.

Office of Operations Coordination: Oversees the National Operations Center, which collects and distributes information from federal, state, local, private sector and other agencies to thwart threats.

Federal Law Enforcement Training Center: Has trained more than 1 million law enforcement officers since it opened in 1970.

Domestic Nuclear Detection Office: Detects and reports threats related to nuclear or other radiological weapons or devices.







This satellite image shows Hurricane Irma as it moved toward the Florida coast Sept. 8 as a Category 4 storm in the Caribbean Sea. GETTY IMAGES





2017 hurricane season tested resolve of nation’s natural disaster responders like never before Streets in Port Arthur, Texas, were inundated with flooding from Hurricane Harvey, which made landfall Aug. 25 on the state's southeast coast.


By Brian Barth


ARL LEE SOUNDED EXHAUSTED when he answered the phone at the Clark County Fire Department in Las Vegas, where he works as a logistics officer. He had good reason to be. It was Oct. 11, partway through what has easily been the most devastating succession of natural disasters in U.S, history: three Category 4 hurricanes in a four-week period — hurricanes Harvey in Texas, Irma in Florida (after it struck the U.S. Virgin Islands as a Category 5 storm)

and Maria in Puerto Rico — followed several weeks later by the deadliest wildfires in California history. Lee, a longtime first responder, is part of Nevada Task Force 1, one of 28 teams that make up the Federal Emergency Management Agency's (FEMA) National Urban Search and Rescue Response System (US&R) that are spread throughout the country. He deployed to Florida as Hurricane Irma approached, and then went to Puerto Rico, where he weathered Hurricane Maria. After 23 days on the frontlines of disaster relief, he returned home, just as the worst

mass shooting in U.S. history unfolded on the Las Vegas Strip. FEMA was not involved in the response to that tragic disaster, but as a local firefighter, Lee certainly was. “It’s been a long month,” he said, sighing. In Puerto Rico, Lee’s team was stationed in a San Juan hotel — along with the US&R’s standard 60,000-pound cache of equipment, including everything from jackhammers to motorboats — before Maria made landfall on Sept. 20. As soon as the winds abated, the team chainsawed its way through the CO N T I N U E D



INSIDE OUR BORDERS state and local agencies, tribal governments, debris that had piled up in the parking lot non-governmental organizations and and took to the flooded streets to assess federal entities that range from the Coast the damage. There were downed power Guard, National Guard and Army Corps of lines everywhere and mudslides in the Engineers to the departments of Health and hills outside of the city to contend with. A Human Services and Housing and Urban collapsed bridge had left residents on the Development that offer assistance. In early other side of a river stranded, so the group October, there were approximately 13,000 delivered food and water by boat. federal staff in Puerto Rico alone, while the Nevada Task Force 1 also provided Puerto responses to hurricanes Harvey and Irma Rico residents with a link to the outside were still in full swing. world in the days following the hurricane. By necessity, much of the labor force “We received a lot of requests for what we required during a disaster are not full-time call ‘welfare checks,’ ” recalled Lee. “For the FEMA staff. So how does one scale up first week or so, there was no phone service, at a moment’s notice when a hurricane no internet, no way for people to let each approaches, much less when three appear other know they were safe. With a satellite back to back? Suffice it to say that staying phone, we were able to send out a photo focused under pressure is a prerequisite for and say, ‘Here is your family member.’ That the job. was a very uplifting experience.” “This year will certainly be one for the While news reports focused on the history books,” said Kathleen political squabbles surrounding Fox, FEMA’s acting deputy the recent spate of natural administrator for protection disasters, such heartwarming and national preparedness, and stories — and the dogged one of the high-ranking officials determination of people like charged with overseeing this Lee — were commonplace human resources labyrinth — a behind the scenes across HARVEY monumental task even in the FEMA’s immense response Landfall: Aug. 25 calmest of times. FEMA plays apparatus during this difficult Category 4 the role of master delegator period. Texas during a ground response, assigning other agencies with A NIMBLE RESPONSE various missions, but also has Typically, when a disaster a built-in “surge capacity” of strikes, the nearest three IRMA personnel that can be drawn on US&R task force teams, whose Landfall: Sept. 10 when needed, explained Fox. members are often drawn Category 4 “FEMA has its own reserve from the ranks of local first Florida workforce, though we can also responder agencies, are use the surge capacity force at deployed within six hours of the Department of Homeland FEMA’s request. Members MARIA Security, as well as several arrive at a predesignated thousand people from across point where gear and enough Landfall: Sept. 20 the entire federal government supplies to last 72 hours are Category 4 who have said they would stowed. They then set off Puerto Rico be interested in volunteering into the unknown with the if something happens," she expectation that they must be said. Many of these folks have completely self-sufficient and regular jobs, but we also have temporary work around the clock in 12-hour shifts. workers who are on call for when we need Given the scope of disaster events this them.” Local hires round out the workforce year, a majority of the nation’s task force and provide a much needed boost in the members were called into action at one post-disaster economy. time or another, many for multiple backto-back missions. Between deployments to Texas, Florida and Puerto Rico, the members FUNDING AND FLEXIBILITY of Nevada Task Force 1 had worked more With all the news of cuts to the federal than 24,000 man-hours assisting hurricane government budget, Fox is often asked victims by the end of September. whether FEMA has the funds needed to The US&R task forces, which have up to do its job effectively. Lives are at stake, so 210 members each, are FEMA’s first boots she understands the concern. But she said on the ground. But they are only the tip of the reality is that Congress sets aside funds the iceberg. An army of field investigators that are available when disasters occur, (who assess damage), claims managers regardless of the political or fiscal climate. (who accept requests for federal support), As evidence of the agency’s operational and administrators (who keep the response strength, Fox said FEMA was in non-stop operation afloat) quickly descend on the “life-sustaining mode” for roughly two disaster area. FEMA’s biggest responsibility months this year. is to coordinate the work of other legions — “The administration has worked closely


An aerial image, top, shows homes in the Florida Keys destroyed by Hurricane Irma in September. Members of a FEMA Urban Search & Rescue team set up emergency operations in Orlando, Fla., before the hurricane made landfall.

with Congress to make sure that we have all the resources we need to be able to respond. That doesn’t mean that things aren’t stretched and that we haven’t had to be creative about making sure that we have enough folks to support our mission. But we are organized in a way that allows that (flexibility).” Another question she frequently fields: What are the lessons learned from previous disasters, such as Hurricane Katrina in 2005 and Superstorm Sandy in 2015, that are now coming into play? Having previously served as the director of both FEMA’s National Preparedness Assessment Division and Federal Preparedness Task Force, Fox




Federal, state and regional officials discuss Hurricane Irma recovery efforts during a FEMA command staff meeting in October in Orlando, Fla.


FEMA’s biggest responsibility is to coordinate the work of other legions — state and local agencies, tribal governments, nongovernmental organizations and federal entities.

has spent much of her career answering this query. In fact, her professional bio indicates she oversaw the agency’s “lessons learned and corrective action programs, working to ensure that we incorporate these lessons into plans, policies and directives.” In 2010, she was responsible for compiling Perspective on Preparedness: Taking Stock Since 9/11, a report that looked at the “most appropriate way to collectively assess and measure our capabilities and capability gaps at a national level and streamline associated efforts, including policies, guidance and grants.”

Fox said the bottom line is that FEMA has stepped up deployment of personnel and supplies prior to a storm making landfall, positioning resources in strategic locations so they can be moved rapidly to high-impact areas. This shift, along with more stringent building codes that have been enacted in the stormprone regions of the country in recent years, may help to explain why the storms of 2017 were relatively low on casualties, despite their intensity. Harvey was responsible for 75 deaths, CO N T I N U E D




Urban Search and Rescue and disaster survivor assistance teams, left, arrive in Key West, Fla., after Hurricane Irma battered the area in September. Below, members of FEMA's Tennessee Task Force 1 unload supplies to aid residents.


HURRICANE IRMA Reached wind speeds of 185 mph at its strongest point

mostly in Texas, while Irma killed 87 people in the U.S. and its territories, and the official death toll from Maria in Puerto Rico is 51 (though the number is widely disputed to be much higher), compared with the widely cited 1,833 killed by Katrina and 147 deaths blamed on Sandy in the U.S., Canada and the Caribbean. Making this new mandate of preparation and predeployment a reality has required an unprecedented level of coordination with state and local authorities, said Fox. It has also required various congressional directives, she added, pointing to the Post-Katrina Emergency Management Reform Act of 2006 and the Sandy Recovery Improvement Act of 2013, in particular. “(The legislation) has changed how FEMA does business ... to make sure that we are able to go big for disasters, and work in support of survivors. We have a team of folks that operationalize lessons learned from past disasters, as well as from exercises that we have conducted with our partners at the local and state level. We are active consumers of lessons learned.”

FEMA will eventually publish after-action reports for the various response operations this year, Fox said, but she added that it was far too early to start analyzing the lessons of 2017: “We’re still in the life-sustaining mode in a lot of places.”


The phrase “It takes a village” has often been employed to describe the sort of cooperation necessary to achieve meaningful things in life. It could not be more true than in the context of disaster relief. And it’s certainly the ethos found in the joint field offices and other operations centers set up by FEMA wherever the agency is called to duty. Willie Nunn, the federal coordinating officer for the Hurricane Irma disaster response, which covered all 67 counties in Florida as well as parts of Georgia and South Carolina, said that spirit has prevailed since he arrived in Tallahassee to ride out the storm. Even though he CO N T I N U E D






FEMA workers assist volunteers seeking to help with recovery efforts in San Juan, Puerto Rico, after Hurricane Maria.

DEATHS BY STORM FEMA reports that stringent building codes and increased deployment of personnel has contributed to fewer casualties in natural disasters. KATRINA (2005) 1,833 casualties, mostly in Louisiana SANDY (2015) 147 casualties in the U.S., Canada and the Caribbean


serves as FEMA’s delegator in chief for the region, charged with directing thousands of federal employees, Nunn also was a member of the area’s ad-hoc, temporary community of survivors, rescuers and rebuilders, just like everyone else. One of the small but crucial ways he observed the “village” mentality in action was in the effort to restore electrical power. Approximately 60,000 individuals were dispatched from 250 electricity providers from across the United States and Canada to support power restoration after Irma, Nunn explained. Power was restored to 9 out of every 10 Floridians within two weeks after the hurricane made landfall. “When I got on the ground here, the power crews were everywhere I went,” Nunn said. “Some of them were even staying at the same hotel where I was staying.” Perhaps not surprising, it is the need for a roof over one’s head that really seems to bring people together during a disaster. Nunn said there were nearly 200,000 survivors housed in Florida shelters after the storm, a number that he proudly reported had dwindled to almost zero within a month after Irma


Florida Gov. Rick Scott discusses Hurricane Irma recovery operations with FEMA coordinating officer Willie Nunn in Marathon, Fla. barrelled up the state’s west coast. Every effort was made to get people back into their homes. The Army Corps of Engineers’ Operation Blue Roof program, for example, is designed to perform quick repairs (often involving blue plastic tarps) on homes with relatively minor damage so residents can move back in while they wait for permanent repairs. When such quick fixes are not possible, FEMA tries to connect people with rental housing or hotel rooms, offering up to $33,000 in

assistance to those who qualify. Of course, FEMA employees also need shelter while they are deployed in the field. While some staff are housed in hotel rooms, the priority is to keep those open for survivors — which means getting creative. At times, pop-up tent cities have been erected as first responder base camps. In Puerto Rico, several hundred staff made use of the Spartan accommodations aboard a U.S. Department of Transportation ship. Roughing it — and unconventional lodging — is par for the course during a disaster response. Karl Lee told of one such misadventure in Puerto Rico when he was sent on a reconnaissance mission to an outlying island. A lightning storm grounded the helicopter that was supposed to ferry the group back to San Juan and communications had been cut off with headquarters. The 10-person crew, which included members of Nevada Task Force 1 and Virginia Task Force 1, ended up hunkering down in the one dry place they could find: a single room in an abandoned resort. “We all slept on the floor, but it was a safe refuge for us,” he said. “That was a special moment.”

HARVEY 75 casualties, mostly in Texas IRMA 87 casualties in the U.S. and its territories MARIA 51 casualties in Puerto Rico

DONATE Find a national or local charity that you can contribute to for hurricane relief efforts at charity






More than 1,000 people participated in the March for Black Lives days after Dylann Roof, 21, was arrested and charged in the June 20, 2015, killing of nine people during a prayer meeting at the historic Emanuel African Methodist Episcopal Church in Charleston, S.C. CHIP SOMODEVILLA/GETTY IMAGES

EXTREME VIEWS DHS vows to tackle violence by radical groups

By Adam Stone


ONY MCALEER USED TO be a fascist. He recruited skinheads and was an organizer for the White Aryan Resistance. But today, as executive director of the group Life After Hate, he takes a different tack on the rise of right-wing extremism in America. McAleer, whose Chicago-based organization helps rehabilitate former members of extremist groups, pointed to Dylann Roof, a 21-year-old white supremacist who killed black parishioners in a Charleston, S.C., church in 2015, and to this summer’s violence in Charlottesville, Va., where one person died during white nationalist protests over the removal of a Confederate monument as examples of right-wing extremism in the U.S. These instances are the tip of the iceberg, he said.

“If you look at the body count, it obviously is a threat. These are not ISIS-style attacks, but they are killing people nonetheless,” McAleer said. Groups that track hate in America point to a range of metrics that show various forms of right-wing extremism are on the rise. Neo-Nazis and skinheads, Aryans, white nationalists and Sovereign Citizens — taken together, they pose a substantial threat to the homeland. Domestic extremists killed at least 372 people in the U.S. from 2007 to 2016, according to the Anti-Defamation League (ADL), an organization that fights anti-Semitism and bigotry. Of those, 74 percent died at the hands of right-wing extremists; 24 percent were killed by Islamic extremists; and the remainder were killed by left-wing extremists. Last year was the deadliest on record, with at least 69 deaths attributed to

extremism. That number includes 49 people killed on June 12, 2016, during a shooting spree at the Pulse nightclub in Orlando, Fla., by Omar Mateen, who claimed his attack in the name of the Islamic State group, although there are no known connections between him and that terror organization. “White supremacists are feeding off the divisive rhetoric which we saw during the presidential campaign,” said Oren Segal, director of ADL’s Center on Extremism. “They feel that they have an opportunity to make inroads with average people in a way that they hadn’t felt before.” The most recent act of what has been called a domestic act of terrorism occurred Oct. 31, when Sayfullo Saipov, a native of Uzbekistan, plowed through a busy bicycle path near the World Trade Center memorial in Lower Manhattan, fatally striking eight people and wounding 12 others. Saipov isn’t



INSIDE OUR BORDERS GOING RADICAL Do you know someone who is at risk of being swept up in the rising tide of political or racial extremism? Operation 250, a nonprofit that educates about online safety offers some signs to look for: People join radical groups when they: „ Feel ostracized and are looking for a place to belong. „ Are searching for their own identity. „ Are looking for a new thrill. Some common signs of radicalization include: „ Becoming much more political or religious. „ Surrounding themselves with new friends and ignoring old ones. „ Losing interest in school or old hobbies. „ Becoming socially isolated. „ Approving of the use of violence to support a cause. For tips on what to do if you suspect a loved one is being recruited to join an extremist group, go to operation250. org. Source: Operation250


People gather for a vigil at the spot where activist Heather Heyer, 32, was killed when a car plowed into a crowd during a protest against the white supremacists-led Unite the Right rally Aug. 13 in Charlottesville, Va. a skinhead or a neo-Nazi, but he’s been living in this country on a green card and had been “radicalized domestically,” according to New York Gov. Andrew Cuomo. Media reports have indicated that police found a note from Saipov in which he pledged allegiance to the Islamic State. Public opinion holds President Donald Trump at least partly to blame for the increase in radical rhetoric, according to a Quinnipiac University national poll that found 59 percent of those surveyed say the president’s decisions and behavior have encouraged white supremacist groups. But it’s too simplistic to say that white supremacists think Trump has given the “alt-right” a green light. Nonetheless, experts on all sides agree that such groups feel they are operating in a more permissive environment, and the Department of Homeland Security acknowledges there has been a shift. Increasing numbers of violent incidents by right-wing extremists “have made it necessary to leverage the tools we have been using for years to address foreigninspired terrorism, to use those to address domestic terrorist movements in a more concerted manner,” said David Gersten,

DHS acting director of the Office for Community Partnerships.


Headlines highlight attacks, but the attacks don’t tell the whole story. There is an entire subcontinent of hate lurking just below the surface, said Richard Cohen, president of the Southern Poverty Law Center (SPLC), a national civil rights advocacy organization. “There is a tremendous amount of organizing going on in the white supremacist world. People are being connected on the internet. There’s a feedback loop: People go on the net and get their views validated, they get connected with like-minded people, and they begin to feel more powerful,” he said. Right-wing groups have been emboldened to seek converts among young people. The SPLC found 159 incidents of racist fliers and numerous appearances by white supremacists on 110 American college campuses during the 2016-17 school year. But this proliferation of extremist visibility didn’t start with the election of Trump. Rather, experts say, it was the elec-

tion of President Barack Obama that lit a spark to the right-wing extremism catching fire today. While there’s no one simple explanation for the trend, Cohen attributes it largely to fear of a changing world, a fear that coalesced around the election of an African-American president. “There is a growing sense in white America that people are strangers in their own land,” he said. “They hear something like ‘Black Lives Matter’ (referring to the national movement protesting violence and racism against African Americans) and what they hear is that their lives don’t. They feel like they need to take back their country.” The manifestation of these sentiments makes this a homeland security problem — one that government agencies have been slow to address. A report published in April by the U.S. Government Accountability Office found DHS, the Justice Department, the FBI and the National Counterterrorism Center have implemented just 19 of 44 tasks called for in a 2011 national strategic plan for countering violent extremism. DHS acknowledges it is a difficult CO N T I N U E D





Communities in Orlando, Fla., continue to mourn more than two years after the deadly June 12, 2016, mass shooting at the Pulse Nightclub. Omar Mateen killed 49 people and wounded 53 others at the gay nightclub, and claimed the attack in the name of the Islamic State group, though there is no known connection. problem to tackle. “The U.S. government does not have a listing of domestic extremist organizations. We’ve never had a statute that identifies it as a criminal activity to belong to such a movement,” Gersten said. As a result, “domestic terror movements have a long history of exercising their First Amendment protections in ways that make it difficult for us.”


It’s a crime in the U.S. to belong to the Islamic State group, often referred to as ISIS. The government tracks individuals who affiliate with terror groups, and it keeps close tabs on the groups. The same isn’t true for neo-Nazis and skinheads who, as free citizens, enjoy considerable latitude. DHS is therefore looking to prevention as the most likely line of defense. Its chief tool is the Countering Violent Extremism grant program, a $10 million initiative to “counter terrorist recruitment and radicalization in the United States through community-driven solutions.”

The program has encountered some controversy, with critics charging that funds allotted by the Obama administration to fight right-wing extremists had been diverted to instead address Islamic threats. McAleer’s group, for instance, was denied promised funding, which critics say shows the Trump administration is more interested in Islamic terror than in white supremacy. DHS’ Gersten says the department remains committed to combatting domestic extremism in all its forms, whether from Islamic groups or white nationalists. He noted that as DHS secretary, retired Marine Gen. John Kelly laid out that mission, and with Kelly now serving as White House chief of staff, Gersten said those goals remain. Others are less certain. “This administration clearly has an agenda that it wishes to pursue. It would appear there is a focus mainly on ISIS and al-Qaidainspired extremism, and I think that’s a mistake,” McAleer said. However vigorously DHS may choose to pursue right-wing groups, its efforts are just part of a bigger picture.


The ADL focuses on education. The group reaches out to parents, encouraging them to notice signs of extremism in their children. The organization also conducts extensive training with law enforcement to help them understand the methods of radical groups. “We train law enforcement around the country about extremist threats, so they understand emerging tactics, ideologies, communications — the full lay of the land. The more that law enforcement is informed, the better off we all are,” Segal said. Smaller grass-roots groups do their part, too. To rehabilitate ex-skinheads and others, Life After Hate offers support groups and intensive one-on-one mentoring when people give up their identity within a hate group, McAleer said, they often need a new social core to fall back on as they try to rebuild their lives. With his previous experience as evidence, he argues that the problem with right-wing extremism is ultimately a personal problem: The movement

feeds on those who are scared, lonely, ashamed. Help and healing are needed if they are to change. “We are dealing with deep psychological needs,” he said. “We can’t arrest our way out of this problem. You need community partners to get into spaces where law enforcement can’t go.” DHS is funding some of those partners, while also backing a range of initiatives meant to build bridges between law enforcement and community groups. Programs like Tech Against Terrorism, for example, leverage DHS expertise to show technology leaders how they can deny extremists free rein over social media platforms, where recruiting often occurs and expressions of hate and bigotry circulate unfettered. “We want to work with specific targeted communities — those that are potentially the victims of terror and those that are the recruiting base for terrorist and extremist movements,” Gersten said. “We hope that just simply by playing matchmaker, we can help some of these community leaders to become much more effective.”



INSIDE OUR BORDERS DEALING WITH AN ACTIVE SHOOTER SITUATION According to the Department of Homeland Security, an active shooter is an individual actively engaged in killing or attempting to kill people in a confined and populated area. Victims are typically selected at random and the events that transpire tend to be unpredictable and evolve quickly.

A woman prays beside white crosses for the 58 victims killed in the Oct. 1 mass shooting by Stephen Paddock at the Route 91 Harvest country music festival in Las Vegas.

Here are some tips DHS suggests following when faced with an active shooter: „ Be aware of your environment and any possible dangers. „ Take note of the two nearest exits in any facility you visit. „ Attempt to take the active shooter down as a last resort .


How to respond when an active shooter is in your vicinity:

By Ken Ritter and Michael Balsamo, The Associated Press

1. EVACUATE „ Leave your belongings behind. „ Help others escape, if possible. „ Follow the instructions of any law enforcement officer. 2. HIDE OUT If evacuation is not possible, find a place to hide where the active shooter is less likely to find you. If the active shooter is nearby: „ Silence your phone. „ Hide behind large items. „ Remain quiet. 3. TAKE ACTION As a last resort, and only when your life is in imminent danger, attempt to disrupt and/or incapacitate the shooter by: „ Acting as aggressively as possible against him/her. „ Throwing items and improvising weapons. „ Yelling. 4. PROVIDE RELEVANT INFORMATION TO LAW ENFORCEMENT OR 911 OPERATOR „ Number, physical description and location of shooter(s). „ Number and type of weapons held by shooter(s). „ Number of potential victims at the location.


Police say they still have not determined a motive for gunman Stephen Paddock, who killed dozens of fans gathered at an outdoor country music concert in Las Vegas and injuring hundreds more before killing himself Oct. 6. Paddock, a reclusive 64-year-old high-stakes gambler, rained bullets on the crowd attending the three-day Route 91 Harvest festival from his 32nd-floor suite at the Mandalay Bay resort-casino, killing 58 people and wounding more than 500 others. Because Paddock’s motive is unknown, officials cannot neatly label the tragedy as a terrorist incident or an act of violence by a domestic extremist. But one thing is clear: With the high number of casualties, the incident is the worst mass shooting in modern American history. The prior mass shooting with the highest death toll was an attack at the Pulse nightclub in Orlando, Fla., in June 2016 in which 49 people were killed and 58 injured. Investigators have reviewed voluminous video from the casino and don’t think Paddock had an accomplice in the shooting, but they want to know if anyone knew about his plot beforehand. “Right now, we believe it’s a sole actor, a lone-wolf-type actor,” said Clark County Sheriff Joe Lombardo, adding that a motive for the shooting had yet to be determined. The sheriff also said

police had questioned a “person of interest,” Marilou Danley, the suspect’s girlfriend, and determined she was not involved in the shooting. It is unusual to have so few hints of a motive weeks after a mass shooting. In previous mass killings or terrorist attacks, killers left notes, social media postings and information on a computer — or even phoned police. “The lack of a social media footprint is likely intentional,” said Erroll Southers, director of homegrown violent extremism studies at the University of Southern California. “We’re so used to, in the first 24 to 48 hours, being able to review social media posts. If they don’t leave us a note behind or a manifesto behind, and we’re not seeing that, that’s what’s making this longer.” At a news conference, Aaron Rouse, chief of the FBI’s Las Vegas office, said the agency had yet to find any connection between Paddock and terror organizations. Earlier, Lombardo described Paddock as “a distraught person” intent on causing mass casualties. The Islamic State claimed responsibility immediately after the shooting, saying that the perpetrator was “a soldier” who had converted to Islam months ago. However, the group, which often claims attacks by individuals inspired by its message but with no known links to the group, provided no evidence to support its assertion. What officers have found is that Paddock planned his attack meticulously. He requested an upper-floor room

overlooking the festival; stockpiled 23 guns, a dozen of them modified to fire continuously like an automatic weapon; and set up cameras inside and outside his room to watch for approaching officers. Investigators said Paddock also took shots at jet fuel tanks and targeted police officers responding to the scene, portraying a killer who seemed determined to inflict even more carnage. “It is readily apparent to me that (Paddock) adjusted his fire and directed it toward the police vehicles,” Lombardo said. “No matter what his personal vendetta is against the police or not, maybe he was preventing the wolf from getting to his door sooner than later, but he chose to fire upon police vehicles.” A visual inspection of Paddock’s brain during a coroner’s autopsy found “no abnormalities,” Lombardo said. Paddock’s brain is being sent to Stanford University for study, Clark County Coroner John Fudenberg said. He added he would await findings of multiple forensic analyses, including a neuropathological examination of Paddock’s brain tissue, before issuing a finding on a cause and manner of his death. That ruling is not expected for several months, the coroner said. Associated Press writers Regina Garcia Cano, Josh Hoffner, Brian Melley, Jacques Billeaud, Don Babwin and Michael Tarm, and USA TODAY staff contributed to this report.






REFORM DEBATE DHS tasked with enforcing controversial immigration policies with broad impact By Dan Friedell


HE DEPARTMENT OF HOMELAND Security was caught in the middle of two of the most politicized policy debates of the year, both dealing with immigration. First, in late January, after President Donald Trump had been on the job for one week, he signed an executive order GETTY IMAGES





Thousands of protesters demonstrated at airports across the country, including Los Angeles International on Jan. 29, against a travel ban proposed by President Donald Trump.

called “Protecting the Nation From Foreign Terrorist Entry Into the United States.” The initial order temporarily suspended most travel into the U.S. from Syria, Iraq, Iran, Sudan, Libya, Somalia and Yemen. The order’s language focused on protecting the U.S. from terrorism and preventing “would-be terrorists” from receiving visas. Because the included nations were Muslim-majority, the administration’s action was widely labeled a “Muslim ban” or “travel ban.” Federal agencies, however, referred to the points in the order as “travel restrictions.” Thousands of people — many of them children of refugees — protested the travel ban at airports across the U.S., and hundreds of travelers were held by au-

thorities even after a federal judge placed a temporary stay on the order and ruled that all those held should be released. A federal appeals court blocked the executive order in February, citing the lack of evidence that anyone from the seven nations had committed terrorist acts in the U.S. The court’s action opened the door for thousands of foreign travelers to enter the country. On March 7, Trump signed a new order removing Iraq from the list of banned countries and suspending U.S. entry by all refugees for 120 days. The revised travel ban went into effect in late June. It restricted foreign nationals from Libya, Syria, Iran, Somalia, Yemen and Sudan from entering the U.S. for 90 days unless they could prove they needed

to work or attend school, or have a close family member living here. On Sept. 24, Trump signed the third version of his travel ban, often referred to as “Travel Ban 3.0,” restricting visitors from eight countries. Sudan was removed, while Iran, Syria, Libya, Somalia and Yemen remained. North Korea, Venezuela and Chad were added. DHS officials said the changes were due to a lack of traveler vetting and information sharing by the countries that remained on the list. Explaining the decision, acting DHS Secretary Elaine Duke wrote in a USA TODAY editorial published in September that the United States vets visitors and potential immigrants using information received from foreign governments,




North Korea Iraq Syria


Libya Saudi Arabia Chad


Yemen Sudan


United States Banned Banned/Removed from Ban


DREAM Act demonstration in New York City



including identity data, criminal and terrorist history and passport integrity. “The good news is that the vast majority of countries meet our new baseline. The State Department worked closely with nearly every foreign government to make sure they understand and comply,” she wrote. “Some that were not initially in compliance made important changes. We now receive terrorism information from countries that did not provide it before, and these countries stepped up their travel document security to prevent fraud. How-

ever, eight countries either have not made enough changes to meet our baseline for information sharing, or have proved unable to effectively and consistently cooperate with the U.S. and mitigate internal terrorist threats. Thus I recommended, and the president approved, restrictions for these countries until they comply or the threat from these nations is lowered.” In mid-October, two judges blocked the newest version of the travel restrictions. CO N T I N U E D



INSIDE OUR BORDERS Elvis Saldias, center, who came to the U.S. from Bolivia, discusses the DACA program with Sen. Rob Portman, R-Ohio, right.

U.S. District Judge Derrick Watson in Hawaii wrote that the ban “suffers from the same maladies as its predecessor.” However, a week later, government lawyers appealed the two judges’ orders. Immigration law expert Diala Shamas predicted this type of back-and-forth in an opinion piece published by The Washington Post in June titled “Lawyers alone can’t save us from Trump. The Supreme Court just proved it.” She argued that public sentiment against these kinds of wholesale immigration bans will be the strongest tool in making sure refugees have access to the safety of the U.S. She wrote that the executive order confirmed that “the fate of the nation cannot be left in the hands of the courts.” Shamas had been working as a lecturer at Stanford Law School, where she also supervised the International Human Rights and Conflict Resolution Clinic. She returned to practice this year with the Center for Constitutional Rights in New York City because she wanted to make sure “groups that are traditionally not served were not thrown under the bus.” As Trump’s rhetoric populates Twitter and newspaper headlines, Shamas warns people against thinking that his election signaled the start of constitutionally questionable actions against Muslims. “It’s just more bombastic and aggressive than it was before,” she said, noting that Muslims were also singled out by both the George W. Bush and Barack Obama administrations via no-fly lists and investigations. The Los Angeles Times reported in a Jan. 31 article that other presidents have used a provision of the federal Immigration and Nationality Act to block immigrants from predominantly Muslim countries from entering the U.S. because they believed certain groups posed a national security risk: Obama invoked it 19 times, Bill Clinton 12 times, George W. Bush six times and Ronald Reagan five times. George H.W. Bush invoked it once.


Also in September, Trump rescinded the Deferred Action for Childhood Arrivals (DACA) order, which shielded some undocumented immigrants from deportation. Obama had enacted DACA in 2012 with the goal of allowing approximately 800,000 people (mostly in their late teens and 20s) illegally brought to the U.S. as children, to



live and work without fear of deportation. Obama’s DACA executive order came after Congress failed to pass bills collectively known as the Development, Relief and Education for Alien Minors (DREAM) Act, which would have given these young people a path to becoming U.S. citizens. In rescinding DACA, Trump again put the burden on Congress to “resolve the DACA issue with heart and compassion — but through the lawful democratic process.” Using Twitter, he wrote: “Congress, get ready to do your job – DACA!” Announcing the decision together Sept. 5, Trump and Attorney General Jeff Sessions stated that DACA recipients are in the U.S. illegally

and gave Congress until March to act. “Enforcing the law saves lives, protects communities and taxpayers, and prevents human suffering,” Sessions said. “Failure to enforce the laws in the past has put our nation at risk of crime, violence and even terrorism.” One proposal — a DREAM Act sponsored by Sens. Dick Durbin, D-Ill., and Lindsey Graham, R-S.C. — has been on the books since late July. It would grant legal status to more than 1 million young people who are working, in college or the military and have passed security checks. Another more conservative proposal came from Republican senators in late September.

Known as the “Succeed Act,” it would give “conditional permanent residence” to “Dreamers” and require that, over 10 years, they earn a college degree, serve in the military for at least three years or be consistently employed to be able to apply for a green card. For those who were not able to renew their DACA paperwork in September, the clock is ticking. Their right to live and work legally in the United States could expire March 5, 2018, after which the program will end and coverage will lapse, putting the recipients at risk of deportation. But, in October, Trump said he would extend the March 5 deadline to end protections for young undocumented immigrants if Congress fails to find a solution by then. While most Dreamers are cautiously optimistic, they recognize Congress has struggled to pass much legislation since Trump took office. Elvis Saldias, 25, came to the United States from Bolivia 17 years ago. With DACA, he was able to go to college and get a good job with a large insurance company. He hopes to be able to continue his education, too, and perhaps one day become an immigration lawyer. But it is



INSIDE OUR BORDERS difficult for Saldias to focus too much on his future because he knows that sometime in 2018, his status may change. “My logic tells me that something (good) will happen,” he said on a fall morning from Columbus, Ohio, where he has lived since graduating from Ohio State University. But he knows that if Congress does not reach an agreement on the status of DACA recipients, he will have to re-evaluate his life. “I would lose my job. I wouldn’t be able to drive. Everything kind of just goes, and it’s back to where I was when I was 20 years old,” he said. “I was washing dishes. ... So it would be a different reality for me. I speak English much better than I speak Spanish. I don’t want to think about having to go back to Bolivia because I don’t feel at home in Bolivia. I’ve been here for the last 17 years, and I’ve been immersed in this culture since then.” Saldias is not waiting around for an anticipated outcome, either. Along with hundreds of other DACA recipients, he spent time in Washington, D.C., in early October meeting with congressional leaders, including one of his state’s senators, Republican Rob Portman. In September, Portman had released a statement that said those in the DACA program were in the U.S. through “no fault of their own” and that this is the “only country they know.” “I agree that Congress should act rather than continue the Obama administration’s unconstitutional executive action,” the statement read. “I support bipartisan efforts to find a permanent solution that will allow those in the DACA program to stay here and continue to contribute to our society.”

“I want (those working at DHS) to know about the profound impact these policies have on so many Americans’ lives,” Shamas said. “These are people who’ve built their lives here and just happen to be from the countries that have been listed (on travel restrictions).” The protests — at airports in January and on Sept. 5 in cities including Los Angeles, Denver, Phoenix, New York City

and Washington, D.C., in response to the DACA news — displayed the anxiety many people started feeling in the summer of 2016, when Trump became the Republican Party’s presidential nominee. The protesters included people with relatives in Iran and Syria and young DACA recipients who hoped to build their lives here. They are people who feel they are American and should not have to leave.


If DACA remains in place, Ilknur Eren, a native of Turkey, will be able to pursue her dream of going to college in the U.S.


A senior official within DHS said the past year has been the busiest, most productive and most relevant he has seen in the last decade. That says a lot about a department that just celebrated its 15th birthday. While much of the work DHS does makes headlines, the people working within the agency go about their jobs “with nothing but complete professionalism,” said the official, who spoke on condition of anonymity. “We execute the president’s guidance. We protect the American people. We don’t see people get too caught up in the political story of the day,” the official said. This antiseptic view can cause problems for civilians who may blame the department — perhaps unfairly — for disrupting their lives. Immigration control may just be part of the daily duty for DHS employees, but what the DHS does profoundly affects those trying to solidify their place in the U.S.


It is difficult for them to accept that the American experience the DHS works to protect might be taken away by the same agency. Ilknur Eren is a 25-year-old from Turkey who lives in New York. She came to the U.S. 16 years ago as her family sought better treatment for her autistic brother. “In 2012, when DACA was announced, that really changed my whole life,” she said. Eliminating DACA without a solid plan for what comes next “would be devastating,” Eren said. She is hoping that with a resolution, she can pursue her goal of learning computer programming, working on software that can help people with disabilities like her brother. As a DACA recipient, she is eligible for financial aid and opportunities to go to school she would not otherwise have. Eren said she wants those who are making decisions about DACA to know that she and the 800,000 other Dreamers are real people, with dreams and plans for the future: “We’re human beings.” Tyler Houlton, acting press secretary for DHS, said he knows that the actions of DHS can cause anxiety. “DHS can occasionally get caught up in political disagreements as the three branches of government wrestle with the sometimes controversial issues associated with protecting the homeland and the American people,” he said. The heightened concern among affected groups is palpable. Naz Ahmad is an immigration lawyer who works for the CLEAR (Creating Law Enforcement Accountability & Responsibility) project, an organization connected to the City University of New York law school. She said the 8-year-old group has put on more “Know Your Rights” presentations at mosques and community centers in the New York area than in previous years and that even green card holders who are fairly secure in the U.S. have questions. “People who were not concerned before felt compelled to do something about it,” Ahmad said. “They say, ‘If it’s that easy to prevent people from those six or seven countries from coming to the U.S., who is to say that’s not going to happen to me five months from now?’” Ahmad also agreed that the key to solving immigration issues in the U.S. rests not with lawyers, but with Congress. She thinks people in power who are coming up with proposals for immigration policy are not properly educated about what might cause a person to commit a terrorist act. Ideally, she would like to see an end to the tug of war between policymakers and immigration lawyers. “The push should be: Congress should stop this (from) happening,” she said.





INSIDE OUR BORDERS ENTRY PORT TRAFFIC This graphic displays the volume of border crossings in 2016 at 26 southern entry ports. The data include the total number of train, bus and personal vehicle passengers, and pedestrians who entered the U.S. from Mexico. 1. San Ysidro, Calif.: 31,638,430 2. Otay Mesa, Calif.: 17,145,658 3. Tecate, Calif.: 2,584,086 4. Calexico, Calif.: 12,122,575 5. Calexico East, Calif.: 7,412,064 6. Andrade, Calif.: 1,914,153 7. San Luis, Ariz.: 8,046,759 8. Lukeville, Ariz.: 936,006 9. Sasabe, Ariz.: 42,102 10. Nogales, Ariz.: 10,671,081 11. Naco, Ariz.: 587,281 12. Douglas, Ariz.: 3,790,308 13. Columbus, N.M.: 1,019,137 14. Santa Teresa, N.M.: 1,531,370 15. El Paso, Texas: 6,274,683 16. Fabens, Texas: 686,609 17. Presidio, Texas: 1,480,650 18. Boquillas, Texas: 1,531,370 19. Del Rio, Texas: 3,295,698 20. Eagle Pass, Texas: 6,274,683 21. Laredo, Texas: 15,359,574 22. Roma, Texas: 1,763,922 23. Rio Grande City, Texas: 872,887 24. Hidalgo, Texas: 12,337,964 25. Progreso, Texas: 3,591,532 26. Brownsville, Texas: 12,025,855



As President Donald Trump pushes forward with his commitment to build a wall along the U.S.-Mexico border, an extensive USA TODAY Network project that produced the most current and comprehensive public map of the border shows huge swaths that are not fenced. About 650 miles of the 2,000-mile border is fenced, leaving 1,350 miles open. Of that 650 miles, about half is designed to stop only vehicles, not people. Here are more findings of the special report: „ Even where there’s a lot of fencing, it might not deter crossers. Only about 350 miles of the 2,000-mile border have fencing designed to stop pedestrians — usually steel posts up to 18 feet tall. The 300-plus miles of vehicle barriers, either X-shaped crossbars or short steel posts, are much more common. However, anyone on foot

can easily cross over, under or through those obstacles. „ Not all of the fencing along the border is maintained by federal officials. Some portions have been erected as ranch fencing, which generally is designed to stop vehicles and livestock.

„ Hundreds of miles of fencing has been built, so a wall could be built, too. But it would be difficult and costly to do so. „ Steel fencing has already been cut into steep hillsides and built deep into the harsh desert, but some prefer a structure that actually looks like a wall. If it is built of concrete, as Trump stated during his campaign, it will be far heavier and require different construction techniques. „ In August, Homeland Security officials announced they had chosen initial bidders to build prototypes that would be made of reinforced concrete, 30 feet long, up to 30 feet tall and incorporate see-through features. Eight prototypes were completed in October; half of them were built of concrete. The remaining four employ other construction materials, though they also incorporated concrete elements. The U.S. Customs and Border Protection agency is expected to put the prototypes through punishing tests, using the techniques that smugglers employ to get past the existing structures.

Pedestrian fences Vehicle fences Rivers

„ More than $2 billion has been spent on the construction of the current border.

BORDER FENCING Here is a look at the types of fencing that currently exists along the U.S.-Mexico border:

Pedestrian Fences Most of the pedestrian fencing is 12 to 18 feet high, typically anchored with a concrete foundation. There are three main types, with various combinations and hybrids. Landing mat: Solid metal, built from Vietnam-era helicopter landing mats. Bollard-style fencing: Tall, vertical steel slats, often buried in the ground. Some are “floating” on metal frames in sand dunes or on top of long rows of concrete in river basins. Metal mesh fencing: Woven metal wire or mesh mounted to frames.

„ Fencing starts and stops, seemingly at random when viewed from the air, leaving wide gaps for would-be crossers.

Normandy fences

„ Much of the fence was built on federally owned land or through private-property seizures.

„ In accommodating the Rio Grande, fencing can be close to the river or more than a mile away.

Metal mesh fencing

Vehicle Barriers

Source: U.S. Department of Transportation; U.S. Department of Homeland Security

„ Big chunks of property in the U.S. sit on the “other” side of a border point, leaving residents and land on the “outside.”

„ Much of Texas’ fencing sits far from the border.

Bollard-style fencing

Major highways U.S.-Mexico border State borders

„ Much of the border, including most of Texas, is not fenced.

„ The border is in a floodplain, limiting where fencing can go.

Landing mat

Normandy fences: Metal posts that resemble jacks or large X’s, usually cabled together.

i To read more about the USA TODAY Network’s The Wall interactive special report, go to border-wall.

Meant to bar vehicles, these are typically 3 to 4 feet high and are used to thwart drug-smuggling vehicles. There are two main types, and pedestrians can easily walk over or around them.



The U.S.-Mexico border is 2,000 miles long and includes 650 miles of fencing, including this section in Jacumba, Calif. Trump is proposing to build a wall along the entire corridor.

Post fences

Post fences: Vertical metal posts, just tall enough to keep out a vehicle.

Sources: USA TODAY Network reporting, United States Government Accountability Office






A CLEAR & PRESENT DANGER Businesses and government take action to thwart future attacks

By Nancy Monson


N A SINGLE HACK, 145.5 million people — almost half of the U.S. population — were exposed to potential identity theft. That’s how many people are estimated to have been affected by the recent Equifax cybersecurity breach. But the real number may never be known, and it may be years before consumers feel the true impact of the breach, which released Social Security numbers, names, addresses and driver’s license and credit card information to cyberthieves. How did this massive security breach occur? According to congressional testimony from now-retired Equifax CEO Richard F. Smith in October, the Department of Homeland Security (DHS) alerted the company to security issues with its Apache Struts software system in March 2017. But a lone employee in Equifax’s technology department neglected to apply a needed patch to fix the vulnerability. The company’s scanning system also failed to pick up the weakness, and the first breach occurred May 13. So, although the company had protocols in place for handling cybersecurity, those protocols were not

followed, allowing for the fatal hack of one of the United States’ major credit reporting bureaus. To compound matters, Equifax did not disclose the breach to the public until September — four months after the system was hacked. And while it has offered one year’s worth of TrustedID Premier, a credit monitoring and identity theft protection service, to affected consumers, overwhelming demand has made it difficult to apply. As Rep. Greg Walden, R-Ore., chairman of the House Energy and Commerce Committee, said after hearing Smith’s testimony and litany of Equifax errors, “How does this happen when so much is at stake? I don’t think we can pass a law that can fix stupid.” Smith testified before an Energy and Commerce subcommittee on digital commerce and consumer protection. In Smith’s testimony before the Senate banking committee, also in October, Sen. Elizabeth Warren, D-Mass., noted that Equifax has disclosed at least four separate hacks since 2013 in which sensitive personal data was compromised, and prodded Smith to acknowledge that Equifax’s profits had gone up during that CO N T I N U E D





INSIDE OUR BORDERS time. “Because of this breach, consumers will spend the rest of their lives worrying about identity theft,” she said. “Equifax and this whole industry should be completely transformed.” In mid-November, the Federal Trade Commission (FTC), Consumer Financial Protection Bureau, U.S. Attorney’s Office and the FBI were investigating Equifax.


Of course, Equifax is just the latest on a growing list of private companies and government agencies that have been hacked (see sidebar). “Data breaches have been a problem for as long as there have been interconnected systems, and they will continue to be a problem as long as we have interconnected systems,” said Brad Nix, deputy director for programs and executions in the Cyber Threat Detection and Analysis Division of the National Cybersecurity and Communications Integration Center (NCCIC) at DHS. “The only secure system is one that is turned off, disconnected and locked in a closet.” A 2016 Cyber Security Intelligence Index report by IBM found that in 58 percent of financial sector attacks, insiders were to blame. Most of those, 53 percent, were considered inadvertent actors — perhaps one lone employee who is careless with confidential information, doesn’t apply a needed patch to a system, as happened in the Equifax case, or doesn’t code correctly. The other 5 percent of insider attacks are considered malicious, where an insider purposely committed cybertheft. In other cases, a group of cybercriminals may spread malware in an attempt to infiltrate a company or government database. According to IBM, the five private sectors that are most vulnerable to attack are financial services, information and communications, manufacturing, retail and health care. The average cost of a breach: $3.62 million globally. But the toll isn’t realized just in financial terms: The hack of the Democratic National Committee email system is being assessed to determine if it swayed the 2016 presidential election in favor of Donald Trump, while National Security Agency breaches by former government contractors Edward Snowden, Reality Winner and Harold T. Martin III may have jeopardized American lives and international relationships. In addition, according to Nix, business productivity can be disrupted, the health industry can lose confidential patient information and research can be stolen from universities, financial data can be breached at banks and classified information can be stolen from the military and government. The problem is that “most companies aren’t taking cybersecurity seriously,”

Richard Smith, former Equifax chairman and CEO SHAWN THEW/EPA-EFE

“How does this happen when so much is at stake? I don’t think we can pass a law that can fix stupid.” — Rep. Greg Walden, R-Ore., during congressional testimony

“Until the Equifax data gets out there to hackers over the next 10, 20 and 30 years, we won’t be able to appreciate how serious this breach is,” said Knight. “You can’t change your mother’s maiden name. It’s a bell that can’t be unrung.”

WHAT IS GOVERNMENT DOING? explained Erik Knight, CEO of Simplewan, a cybersecurity business located in Phoenix. “Large companies can spend an infinite amount of money on it, so they decide that X amount of their budget is going to cybersecurity this year. And once they reach their limit, they say, ‘Hey, we did our best. We’re covered.’” What’s more, even small companies are vulnerable. “Most hackers are looking for anything and everything they can find,” said Knight, “because they can combine stolen data from different hacks.” One much-needed update to security systems: abandoning Social Security numbers as identifiers, since they can

now be assumed to be widely available to criminals. “We need a higher level of security for identification purposes,” said Knight, and probably some form of two-factor verification (such as when you receive a one-time code via text or email to access an account). For instance, the Equifax breach provided Social Security numbers and addresses. If thieves coupled that information with passwords and answers to security questions from the Yahoo breaches (the two largest hacks to date, affecting 1.5 billion users combined), they could open new credit profiles.

Substantial laws have been passed over the past couple of years that have put DHS in a better position to recognize cyber risks across the federal government and private industry, Nix said. The National Cybersecurity Protection Act of 2014, for instance, was enacted to give DHS, and specifically the NCCIC, the authority to more effectively detect, analyze and stop cybersecurity incidents. In addition, a directive issued by former President Barack Obama in July 2016 dictates the manner in which the federal government should respond to any government cyber incident, including conducting investigations and providing technical CO N T I N U E D







BIGGEST DATA BREACHES Data breaches have become a fact of digital life, and they seem to be getting bigger. USA TODAY has put together a list of the largest reported breaches since 2007. For purposes of this ranking, hacks that affected fewer than 1 million users, such as the Sony Pictures Entertainment breach, were not included. Also, the dates listed are when a breach was announced, not necessarily when it happened. Yahoo!




Sony PlayStation Network

September 2016

April 2011

December 2016

500 MILLION MySpace


aid, and offering assistance to private entities as needed.


Lastly, purchasing identity theft insurance can provide alerts and assistance if you’re hacked — but it won’t necessarily prevent your data from being stolen in the first place. On a larger scale, companies large and small and government agencies must begin to consider cyberthreats as public enemy No. 1. These entities can increase protection by funding their cybersecurity departments more heavily, implementing double checks on security alerts and responses, and tracking current and former employees’ access to organizational databases and digital information. “We have laws and regulations on the books — and we’re looking to see if those laws and regulations are adequate,” said Rep. Robert Latta, R-Ohio, co-chairman of the House Subcommittee on Digital Commerce and Consumer Protection. “Equifax did not do what they should have done. Companies must practice good cyber hygiene and make sure protocols are being followed.”

STOP. THINK. CONNECT. This global online safety awareness campaign (stopthinkconnect. org ) was created by DHS in 2010 to offer tips to government and private sectors about internet safety practices.

“As individuals, we need to make sure that the companies we engage with are taking, as much as we can assess, our information security seriously,” said Nix. “We also need to make an effort to improve our own cybersecurity awareness.” So far that’s not happening. Both businesses and consumers seem to be complacent in the face of these massive breaches of our personal information, in some cases having survived a number of major hacks already. To wit: A survey conducted by in October found that only 1 in 4 Americans (61 million) had checked their credit after the Equifax breach. The FTC recommends checking your credit reports yearly for free by going to If you see activity you don’t recognize, visit to start the recovery process and consider putting a freeze or fraud alert on your credit profiles.


May 2016 Equifax

February 2015

77 MILLION Home Depot

53 MILLION September 2014 TJ Maxx




Ashley Madison

September 2017





U.S. Office of Personnel Management

November 2013

July 2015

May 2014


August 2015



T-Mobile (via Experian)

May 2016

October 2015


15 MILLION Scottrade



JP Morgan Chase

UCLA Health

October 2007

83 MILLION October 2013

October 2015

4.5 MILLION July 2015

Source: USA TODAY research








DIGITAL INTERVENTION Suspected Russian influence in U.S. election highlights specter of cyber warfare

By Tamara Lytle


OVERNMENT AND BUSINESSES ARE trying, in response to Russia’s suspected meddling in last year’s U.S. presidential election, to fix the weaknesses Russian hackers exploited and prevent new tactics in cyber warfare. The solutions will require efforts by the government and citizens to keep up with the evolving threat. And in a world where more and more people are connecting to

the internet, imagination and vigilance are key to stopping enemies who would exploit digital engagement to harm the country. “We need to ensure the election system is secure,” said Jeanette Manfra, Department of Homeland Security assistant secretary for cybersecurity and communications. Although tactics like hacking into voter registration lists to alter them are new, using propaganda and subterfuge to disrupt CO N T I N U E D






U.S. Cyber Command, located on the National Security Agency campus in Fort Meade, Md., was elevated within the Department of Defense in August to help coordinate the U.S. response to global cybersecurity threats. another society is not. “The ability to manipulate communications and public opinion have been done for centuries,” said Mark Pollitt, a former chief of the FBI’s computer analysis response team and now head of a Maryland consulting firm, Digital Evidence Professional Services Inc. “What makes this interesting is they are weaponizing technologies at a very broad pace.”


During the 2016 presidential race between Donald Trump and Hillary Clinton, Russia is suspected of directing an extensive campaign to roil U.S. public opinion and influence the election by leaking hacked emails, setting up hundreds of fake Facebook accounts and circulating 3,000 Facebook ads to share misinformation and stir discontent. A report by the Office of the Director of National Intelligence in January found Russia orchestrated a campaign to help Trump defeat former Secretary of State Clinton. “We assess with high confidence that Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the U.S. presidential election, the consis-

tent goals of which were to undermine public faith in the U.S. democratic process, denigrate Secretary Clinton and harm her electability and potential presidency.” Pollitt said the Russians moved more nimbly than governments typically do with new technology, using the fake social media accounts and ads that resonated with Americans. “To be sensitive enough to figure out how to target specific populations in cultures other than their own is a little surprising and a little scary,” he said. Although social media has been around for a while, the Russians took advantage of evolving technology that makes it easy for companies — or shadow governments — to target ads based on users’ demographics, political beliefs and other information. Jessica Baldwin-Philippi, assistant professor of communications and media at Fordham University, said the fake personas persuaded real citizens to share questionable information with a broader audience. “The interesting thing was how well the messages got at existing social cleavages and preyed on existing biases,” said Baldwin-Philippi. “That’s the disappointing part — seemingly super-crazy or super-racist messages resonated with the

American people.” Pollitt said the Russians also used hacked data and emails and other cyber tools. “Using all these things in a coordinated fashion is the definition of cyber warfare,” he said. Government and private-sector cyber experts are now looking at what happened and what new tactics will emerge.


Although voting machines are not necessarily connected to the internet, and state and local governments use many different systems for balloting instead of one centralized target for hackers, Manfra said there is still cause for concern. “There was no manipulation of voting” in 2016, she said, but not because no one tried. Last year, hackers targeted voting systems in 21 states. Only a small number of those systems were compromised, she said, and defensive systems largely worked. But “it is appropriate to be concerned,” she said. Last summer, when DHS became concerned about possible hacking of elections systems, it started working with state and local elections officials and vendors to share information about attacks




algorithms to spread false information. “We think there will be an arms race,” of defenders trying to stop the bots and enemies trying to outsmart the defenses, he said.



Facebook general counsel Colin Stretch, Twitter acting general counsel Sean Edgett and Google law enforcement and information security director Richard Salgado testify in October about Russian influence in the 2016 U.S. election before a Senate subcommittee. and vulnerabilities. DHS offered teams of “white hat” hackers to try to break into states’ systems to find vulnerabilities. Only one state, which Manfra would not name, took them up on it. Now, more states are working with DHS. The department is identifying best practices (such as how to keep voter rolls safe from tampering), helping state and local governments prioritize the steps to protect their systems and sharing technological information with them and with vendors to thwart hackers. “Our government, our military, our private sector are not sitting on their hands,” Pollitt said. “They are recognizing this is a new chapter in global strategies and we need to learn to deal with it defensively and offensively.”


Part of the government’s job, Pollitt said, is getting to the bottom of what happened last year so the country can better protect itself in the future. Former FBI Director Robert Mueller was appointed special counsel to investigate Russian election tampering. And intelligence committees in the Senate and House have ongoing probes. The first major developments in Mueller’s investigation came Oct. 30, when a federal grand jury charged Trump’s former campaign chairman Paul Manafort and campaign associate Rick Gates with multiple counts, including money laundering and conspiracy, related to their work

for a foreign government. Both men have pleaded not guilty. Also, George Papadopoulos, a former foreign policy adviser to Trump’s presidential campaign, has pleaded guilty to making false statements and “material omissions” to the FBI about the nature of links between the Trump campaign and the Russian government. The Pentagon’s U.S. Cyber Command, which Trump elevated within the Department of Defense in August, is an important recognition of the military investigatory role, Pollitt said. Citizens can also help thwart foreign cyberattacks. They need to be critical consumers of media and not spread information until they evaluate where it comes from and what evidence there is that it’s true, Pollitt said. In addition, citizens need to look at information they don’t agree with because echo chambers of agreement are dangerous targets for manipulators, said Nicolas Christin, associate professor of public policy, computer science and engineering at Carnegie Mellon University. Meanwhile, automated programs, called bots, are getting better at using computer

Companies like Facebook, Twitter and Google have an incentive to try to win the arms race because their credibility is at stake. Baldwin-Philippi said those companies need to stop hiding behind the argument that they are technology platforms as more people get their news from social media and realize they have responsibilities as a media company. Facebook, for instance, needs more human editorial control, she said. Jennifer Stromer-Galley, professor at the Syracuse University School of Information Studies, agrees. “Humans still have to do this. When it comes to fake news, there is not yet an algorithm, and believe me I’ve been trying,” she said. Facebook said in an April 27 report that it is beefing up its defenses against the sorts of fake personas used last year: “We have had to expand our security focus from traditional abusive behavior, such as account hacking, malware, spam and financial scams, to include more subtle and insidious forms of misuse, including attempts to manipulate civic discourse and deceive people.” Facebook ought to come under laws that require disclosure of campaign ads, said Stromer-Galley, who was part of a team of researchers that conducted a study of social media use during the 2016 election. “We don’t want foreign governments meddling in our campaigns and policy making and political decisions. Right now they can. It’s not being regulated.” Pollitt and Christin warn that Russia does not have a monopoly on the ability to attack the U.S. through technology. North Korea, for instance, has been ramping up its cyber-warfare tactics, according to the think tank Center for Strategic and International Studies. “If you have enough smart people with computers, you don’t have to be a superpower to cause problems,” Pollitt said.

Companies like Facebook, Twitter and Google have an incentive to try to win the arms race because their credibility is at stake.



Irresistibly innovative. Download our free app, now with virtual reality. Open your world to self-driving cars and drone deliveries, reviews on the must have gadgets, and the latest games that transport you to another dimension.





DRONES 58 Keeping an eye

on potential dangers from devices in the sky

INNOVATIVE THE CLOUD TOOLS 62 69 Experts offer DHS invests in technology that protects the public

advice on keeping networks safe


Taking steps to secure data in self-driving cars

CYBER DEGREES EMERGENCY MANAGEMENT 76 Colleges 82 answer Higher education in

urgent call for experts in cybersecurity field

disaster prep and response






Drones are useful tools for public and private sectors, but cyberthreats loom By Carmen Gentile


HE BUZZING THRUM OF drones cruising our skies is growing louder every day. Soaring over cities and battlefields, unmanned aerial systems (UAS) provide images and information to civilians and soldiers alike. One day soon they’ll be used en masse to deliver goods right to your doorstep. Commercial entities, including Amazon, Google, 7-Eleven, Domino’s Pizza and UPS, have experimented with deliveries by drones with varying success. “Everything from pizza to Amazon products will be delivered by drone,” said Francis Brown, a managing partner at the security consulting firm Bishop Fox. “The skies are going to get really crowded quickly.” Federal Aviation Administration (FAA) regulations already limit civilian-owned drones to a 400-foot flight ceiling and prohibit them from flying at night and over populated areas. But President Donald Trump signed a memorandum in October that could allow exemptions from current safety rules so states, communities and tribes can test drones for various uses. With increased drone usage comes additional concerns about the safety of those on the ground and the security of drones overhead. In addition to the prevalance and proximity of drones, there’s the threat of would-be criminals targeting the devices with cyberattacks aimed at pilfering the CO N T I N U E D






TECHNOLOGY & JOBS goods they carry. “The vulnerability of drones to hacking and cyberattacks is huge,” said Matt Scassero, director of the University of Maryland UAS test site. The program examines off-the-shelf drones for weaknesses that would make them easy to hack. According to a 2016 report by McAfee Labs, a provider of cybersecurity threat analysis, the delivery drone of tomorrow will be a “realistic target for a criminal looking to make a quick buck.” “Someone looking to ‘dronejack’ deliveries could find a location with regular drone traffic and wait for the targets to appear.” Once a package is overhead, the drone could be grounded, “allowing the criminal to steal the package,” the report stated. One way to ground a vehicle is by using a readily available GPS jammer that allows someone to interrupt a signal to a drone, causing it to drop to the ground, explained Tim Bennett, a program manager with the Department of Homeland Security’s Science and Technology Directorate (S&T). Another dronejack method involves sending a delivery drone “false information” like alternative coordinates, which “essentially hijacks your vehicle, causing it to deliver a package to the wrong location” without alerting the drone user, said Bennett. In addition to these “crimes of opportunity,” which are likely to be abundant as companies move ahead with delivery options, drones could also be used as weapons by those aiming to commit crimes, said Brown. Drones have already proved adept at providing images of sensitive sites such as the set of the 2015 Star Wars film The Force Awakens, which was menaced by drone operators trying to get an advanced glimpse of the production. A more technical use of drones for spying is a UAS capable of hacking into a company or private user’s Wi-Fi by flying next to a building and commandeering its signal. Brown said hacker drones like these use what’s called a “Raspberry Pi,” a small computer about the size of a cigarette pack attached to the drone. “The end result is a hacker’s laptop that can fly,” said Brown, who noted that the cost of this kind of cybersecurity menace has dropped considerably in the past few years. “That’s the difference from it not being a reality then to a real concern now,” said Brown. Drone usage by military and other federal entities is also under increased scrutiny amid concerns about cybersecurity threats. In response to these concerns, the DHS’ S&T launched its Program Executive Office (PEO) for Unmanned Aerial Systems last year. The PEO examines future drone threats, conducts tests and evaluations, and


A drone is demonstrated at the 2017 Consumer Electronics Show in Las Vegas. President Donald Trump signed a memorandum in October permitting states, localities and tribes to craft their own pilot programs to test drones.


Amazon’s Prime Air service, which is being tested in the United Kingdom, is designed to use drones to deliver packages to customers in 30 minutes or less.

produces consumer reports on various classes of commercially available UAS platforms and sensors. It also works with international and domestic partners, helping to detect unauthorized drones over such high-profile events as the 2016 Democratic and Republican national conventions, Trump’s inauguration and the 2017 Super Bowl. With the recent uptick in domestic attacks on soft targets, weaponizing drones may prove even more devastating than merely catching a sneak peek of a movie set or committing corporate espionage by way of Wi-Fi hacking, said Scassero. One such scenario he envisioned was a drone being used to deliver an airborne, biological agent over a crowded area like a sports stadium. Such a potentially catastrophic event has experts exploring ways to counter weaponized drones with hacking techniques. DHS has implemented its own testing of drones for potential use in a variety of scenarios, including the search for wouldbe terror suspects or other high-value targets, search-and-rescue operations after natural disasters and enforcing border security. U.S. Customs and Border Protection (CBP) uses the MQ-9 Predator B drone in its operations, “to identify and intercept potential terrorists and illegal cross-border activity,” according to the agency. Beyond CBP, Bennett said UAS are not widely utilized by DHS. But that could change in the near future. In partnership with Mississippi State University, DHS is testing numerous types of drones at Camp Shelby in Mississippi. And the Coast Guard is also looking to expand its drone fleet. “Instead of calling in a manned helicopter or small aircraft, you can throw up a UAS with a small camera for monitoring needs,” said Bennett. “The idea would be that we would do similar things as (the Department of Defense),” he added, referring to the use of drones on battlefields in places like Afghanistan and Iraq, though he stressed usage would have very different limitations on U.S. soil. “We don’t have the same authority, and there are constitutional issues,” Bennett said. As for the private-sector entities actively addressing the potential threats to the cybersecurity of their drones, Scassero said they are playing catch-up to government agencies, but “are not very far down the road. “There is some awareness,” he said. Looking ahead, citizens and government need to be aware of the rising risk drone use will pose and the cybersecurity threats that come with it. “You shouldn’t walk around fearing drones dropping something on you,” Scassero said. “But it is one more threat.”






High-tech systems can help security officials protect the public. DEPARTMENT OF HOMELAND SECURITY SCIENCE AND TECHNOLOGY DIRECTORATE


Tech-focused unit uses groundbreaking tools to protect Americans By Gina Harkins


ROTECTING COMMUTERS FROM TERROR attacks, training first responders to thwart mass shootings and preventing people from driving into flash floods. Those are just some of the ways researchers with the Department of Homeland Security’s Science and Technology Directorate (S&T) are using cutting-edge innovations to protect Americans. “We go out to the people on the front lines of the security mission and say, ‘What is it that you need? What are your biggest challenges? How can you do things better, safer, faster?” said John Verrico, an S&T

spokesman. The team collaborates with universities, private-sector companies and other government agencies to develop tools that protect people and infrastructure from natural or manmade disasters. Here’s a look at some of their highprofile projects:


Subway and train stations are some of the most vulnerable terror targets, said Don Roberts, a program manager with the Homeland Security Advanced Research Projects Agency’s Explosives Division. “With such an open system and high throughput as far as number of people

moving through, it’s a daunting challenge,” he said. Most people riding trains or subways are commuting to and from work, so Roberts and his team need to find ways to detect explosives without slowing commuters down at rush hour, “even for a second,” Roberts said.“Nobody’s going to show up two hours early to ride the subway to work every day.” The team saw an opportunity to use the video cameras already installed atrail stations. They worked with the Massachusetts Institute of Technology’s Lincoln Laboratory to use state-of-the-art video analytics to spot unattended luggage. When a bag is left behind, FOVEA, or Forensic Video

Exploitation and Analysis, quickly reconstructs its path across the station, pairing it with images of the person who left it. Authorities can then immediately track the person’s movements to determine whether it was an accident or poses a threat. The Washington (D.C.) Metropolitan Area Transit Authority and Amtrak have been testing FOVEA for about two years and providing feedback that Roberts and his team have used to improve the tool. They hope to create a product that can be rolled out nationwide by 2019, he said. More new tools are still in the conceptual stage, including standoff sensors located on station walls, columns or turnstiles that use low-level electromagnetic waves to quickly




“We go out to the people on the front lines of the security mission and say, ‘What is it that you need? What are your biggest challenges? How can you do things better, safer, faster?” — John Verrico, S&T Directorate spokesman

detect and re-create images of dangerous items hidden in bags or underneath clothing. Over the next two or three years, Roberts and his team will determine whether the sensors are something that will work in real life. If so, they’ll be developed and placed throughout stations. “What we want to emphasize is the layered approach,” he said. As a passenger arrives, the sensors watch the person and their baggage and notice when something needs an additional look. Because the tools are still being tested and developed, Roberts said he can’t accurately predict the cost to outfit a CO N T I N U E D

These images show technology that the DHS Science and Technology Directorate is developing to detect potential threats in mass transit environments without negatively affecting the speed of travel. The Surface Transportation Explosive Threat Detection Program would use sensors, which are still being tested, on subway and train station walls and turnstiles to determine whether passengers are carrying explosives or other dangerous materials. DEPARTMENT OF HOMELAND SECURITY SCIENCE AND TECHNOLOGY DIRECTORATE



TECHNOLOGY & JOBS A police officer uses a laptop to command an avatar, left, during an exercise in Sacramento, Calif., where the Enhanced Dynamic Geo-Social Environment technology was first tested in 2013. In the virtual exercise below, law enforcement and firefighters work to battle a fire and subdue an active shooter.


“You can play any part of the event back through the perspective of any participant. That gives you the opportunity to go back and say, ‘These were your options. ... here are the consequences.” — Milt Nenneman, S&T First Responders Group

station with these new security measures. But his team is cognizant of cost, he said, as they want partners to be able to afford and use the technology. Eventually, the sensors and video tools could also be used to protect large crowds in places like stadiums, convention centers or amusement parks, he added.


Active-shooter scenarios are some of the

most challenging events first responders deal with, and they require a coordinated response from a host of players, including law enforcement, firefighters and paramedics. But shrinking budgets and operational demands mean agencies don’t always get the chance to train together, said Milt Nenneman, manager of first responder coordination with S&T’s First Responders Group. “That’s where a lot of confusion happens,” he said.

S&T now has a way to bring those agencies together for training — virtually — to fill that gap. Enhanced Dynamic Geo-Social Environment, or EDGE, is a video-gamestyle tool released in June that allows first responders from multiple departments to train simultaneously in a virtual 26-story hotel, complete with a lobby, kitchen, loading dock, elevators, guest rooms and more. First responders can choose their training scenario — anything from an active shooter to a massive fire or hostage situation. Nothing is scripted, and the event unfolds based on trainees’ real-time decisions, Nenneman said. “You can play any part of the event back through the perspective of any participant,” he said. “That gives you the opportunity to go back and say, ‘Right here at this point, these were your options. This was your decision; here are the consequences.’” EDGE is modeled after the hyper-realistic virtual training tools the military has been using for years. S&T teamed with the U.S. Army Research Laboratory’s Simulation and Training Technology Center and Cole Engineering Services, Inc., in 2013 to develop the tool, leveraging some of the technology the Army already owned and investing about $4.3 million in the project. In the first three months EDGE was available, more than 400 local agencies requested access to it, Nenneman said. In early 2018, EDGE will offer a new virtual school environment that will include a cafeteria, classrooms, an auditorium and a gymnasium. The tool gives teachers, school administrators and first responders the chance to train for emergencies; teachers can order students to barricade doors, escape through windows or follow other instructions. Also in the works is an environment resembling a small town, said Tami Griffith, science and technology manager for the Army Research Lab, Simulation and Training Technology Center. There, first responders can train inside theaters, apartment complexes or industrial areas, she said.

and monitor flooding,” Alexander said. “They capture information on the conditions at that location.” In the future, the sensors might connect to the Emergency Alert System to warn people to stay away from the flooded area. The sensors could also alert local public works departments if repairs are needed to certain roadways or bridges. The Lower Colorado River Authority in Texas, one of the nation’s largest public service utilities, has been testing some of S&T’s sensor prototypes. The feedback has been positive, and they hope to implement the first sensors in the summer of 2018, Alexander said. “I think we’ve found that there’s a known gap in current capability and that we’re on the right path in delivering a solution,” he said. In March, the Virginia-based Progeny Systems Corporation received a $749,882 contract to design and build 100 sensors over the next two years that “can measure ever-changing flood conditions and report them back to an operations center,” according to a contract award announcement. S&T is also testing the use of high-definition satellite imagery to detect whether flooding has left behind debris or damaged buildings or infrastructure, Alexander said. The Flood Apex sensors can also be modified to detect other types of disasters, such as wildfires or droughts, Alexander said. The sensors could also be used on roadways to identify flooding or icy conditions. Data about the state of the road could even be sent to smart cars or transportation departments, he added, so drivers can adjust their speeds and roads can get the appropriate treatments.

IMPROVING STORM ALERTS Flooding is the nation’s most frequent and expensive disaster, said David Alexander, a chief geospatial scientist with S&T. At least 80 people die in floods in the U.S. each year, he said, and the events typically cause $7.9 billion in damages annually. That’s what prompted S&T to develop the Flood Apex program in 2015, at the request of the Federal Emergency Management Agency. The five-year program uses a mix of innovations to reduce flood fatalities and property damage, including barriers, sealants and high-tech water sensors. “This is a (low-cost) device that can be put out in the environment that can detect

Sensor prototypes like this one are being tested to detect flooding.





Give them tomorrow Premature birth is the #1 killer of babies. Every baby deserves a fighting chance. DO SOMETHING TODAY © 2016 March of Dimes Foundation

Shop to support our partners








SECURING THE CLOUD Experts suggest boosting efforts to keep data safe in the ‘new normal’ By Suzanne Wright


HE SUMMER OF 2017 was filled with cloud activity — and not just the weather-related kind. Week after week, anxiety mounted among IT professionals and the general public as headlines blasted news of another high-profile, cloud-centered data breach. Whether perpetrated by individual hackers or nation-state actors, respected companies in nearly every sector, including Deloitte, Equifax, HBO, Verizon and Whole Foods, were targeted, resulting in the exposure of sensitive data belonging to millions of Americans, including credit card and Social Security

numbers. With more cloud centralization — whether private, public or hybrid — comes greater exposure, leaving cloud providers, companies and government agencies scrambling to bolster their cybersecurity defenses. Attacks are both prevalent and expensive; think “when,” not “if.” According to a June 2017 study sponsored by IBM Security and conducted by Ponemon Institute, 1 in 4 organizations will experience a data breach; the average cost per incident is $3.62 million. Michael Bahar leads the U.S. cybersecurity and privacy practice team at the legal services firm Eversheds Sutherland in Washington, D.C., and is a former deputy legal adviser to the

National Security Council and former minority staff director and general counsel for the U.S. House Intelligence Committee. “Particularly this summer, we’ve (seen) attackers going further — to extortion, data manipulation, disruption and even destruction,” said Bahar. “What is increasingly critical is to respond to the rapidly evolving new normal.” Bahar says cyber plans and policies crafted in 2016 to protect against ransomware may be out-of-date based on current threats such as the WannaCry ransomware attack in May that crippled more than 200,000 computers in 150 countries. Hospitals, banks, telecommunicaCO N T I N U E D






TECHNOLOGY & JOBS Michael Bahar Eversheds Sutherland

Sara Mosley DHS

Peter Tran RSA Security

Valecia Maclin Raytheon

SAFEGUARDING YOUR DATA “Tools exist to protect all organizations against cyberattack,” says Manuvir Das, senior vice president and general manager for Dell EMC’s unstructured storage division. His tipsheet includes four best practices that should be implemented across the enterprise.


tions companies and warehouses were locked out of their data and perpetrators demanded they pay a ransom or lose everything. “Regulators, such as the SEC, are trying to emphasize to entities a continuous culture of updating policies,” he said.


In response to growing threats, President Donald Trump issued an executive order in May outlining plans to bolster cybersecurity among federal agencies to safeguard critical U.S. infrastructure. Since 2010, agencies have transitioned hundreds of locally hosted applications and data center resources to commercial cloud providers, including mission-critical applications, such as email and publicfacing web services, to commercial cloud platforms. Sara Mosley, acting chief technology officer in the Department of Homeland Security’s Office of Cybersecurity and Communications, said with so many federal departments and agencies utilizing a shared cloud environment, there are challenges centering around the security, ownership and location of data, and this paradigm shift. “While some agencies may have had a contractor-owned, contractor-operated operating model, they were in control of the requirements driving the security architecture of the data center,” Mosley explained. “Cloud introduces the concept of shared tenancy and with it, the relinquishing of specialized requirements by each and every tenant.” In a cloud model, the infrastructure is owned and operated by the Cloud Service Provider (CSP). Depending on the service model of the CSP, the responsibility of the operating system and even the application could be owned by the CSP as well. While the CSP is the “operator” of the


infrastructure, the security risks are still owned by the end customer — in this case, the government agency. Mosley says the choice to use cloud technologies is largely up to the individual departments and agencies. “The decisions are normally based on the security requirements for the data and the risk appetite for that department or agency,” she said. So how does the U.S. government safeguard data? “The General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP) has provided a baseline for the CSPs offering services to the federal government,” said Mosley. “FedRAMP is a governmentwide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.”


According to a 2016 report from RSA Security, a Bedford, Mass.-based computer and network security company, 90 percent of organizations are dissatisfied with their threat detection and response time. Bahar says an attack on one organization is an attack on all. But the upside is that it catalyzes information sharing. “Each cyberattack is the equivalent of a wakeup via a heart attack,” said Bahar. “When the attack is in your industry, everyone improves security.” Experts agree that a multipronged approach is necessary. When it comes to assessing the threat landscape, Peter Tran, general manager and senior director at RSA Security’s Worldwide Advance Cyber Defense Practice, advocates a 360-degree, business-driven approach to security decisions. They can be distilled as the three Rs. “We can retire outdated security



technology and stop playing whack-a-mole with patching; realign monitoring to highvalue areas of the business; and reinvest dollars to balance security visibility across people-process-technology,” Tran said. Bahar counsels companies’ top leaders to instill the importance of “cyber hygiene” throughout their organization’s culture, imbedding threat education into daily operations. “It’s like washing your hands frequently during cold season,” he said. “These attacks are remarkably unsophisticated and deeply human. You don’t need to be technically savvy to adopt good practices, like not clicking on suspicious links.” Bahar says organizations can also augment internal IT expertise with external consultants who have experience in the frequently targeted energy, financial, health care and high-tech industries. Valecia Maclin is the director of cybersecurity and special missions for Raytheon’s government customers. “We should not fear the cloud; in many instances it provides more resiliency for data. But it’s important to establish a baseline for your cyber risk. What are your assets? What is the state of your risk? What steps are you taking to move to a more resilient environment tomorrow?” Both Bahar and Maclin stress the importance of improving the depth of cyber talent moving forward. “When designing software, we can’t just be great coders or innovators,” Bahar said. “We must move from more of a craft to a discipline.” He offers an analogy. “We have a beautiful bridge, but will it withstand vehicular traffic and crosswinds?” Maclin is encouraged by the level of information sharing between the public and private sectors to protect our economic and national stability. “We are stronger together when we leverage our expertise,” he said.

AUTHENTICATION “Prove to me you are who you claim to be with a username and password for first-level security prompts.” Secondlevel safeguards include codes texted to mobile phones, Social Security numbers or date of birth.

AUTHORIZATION How much access should an individual have to data? Can she create files, or read-only? Only those in her department? “You need to set a policy and permissions for every person across an enterprise.”

AUDITING No system is foolproof. That’s why it’s important to create a record of who accesses data, so it can be reviewed forensically if a breach occurs. “Think of it like security cameras in the subway.”

ANOMALY DETECTION Closely related to auditing, this is where you track patterns of typical activity. Did a staffer open a file, then start doing something else? How many files did he copy over what period of time? “If activity doesn’t match, bells should start ringing.”

— Suzanne Wright




DRIVERLESS DANGERS Experts work to ensure autonomous vehicles are as safe from cyberattacks as they are from collisions By Matt Alderton


HE IDEA OF CRUISING in the driver’s seat of a car that you don’t have to control is neat. But autonomous driving can also seem unnerving. Anyone whose vehicle has adaptive cruise control knows this firsthand. With the press of a button, the car assumes control. At up to 75 miles per hour, it traverses a crowded highway, automatically braking and accelerating as other vehicles enter and exit its path. As the driver, your only job is steering. And soon, you’ll relinquish even that responsibility, according to automakers like Ford and BMW, both of which plan to release fully autonomous vehicles by 2021. Such a helpless feeling is one reason many people are skeptical of self-driving cars, according to a 2017 survey by the Massachusetts Institute of Technology (MIT), which found that nearly half of consumers (48 percent) say they’ll never

purchase an autonomous vehicle. Their top reasons, MIT reported, are “loss of control” (37 percent), “I don’t trust it” (29 percent), “it will never work perfectly” (25 percent) and “it’s unsafe” (21 percent). In reality, driverless cars may be the safest kind, according to the National Highway Traffic Safety Administration (NHTSA), which noted that human error causes 94 percent of serious car crashes. Case in point: As of December 2016, Waymo, formerly Google’s self-driving car, had driven more than 2 million miles on U.S. streets but caused only one accident; its at-fault crash rate, HuffPost reported earlier this year, is 10 times lower than that of the most experienced drivers. The real cause for concern might not be autonomous vehicles’ safety — it might be their security. Their cybersecurity, to be exact. “Folks need to think about cars — especially autonomous vehicles — as complex computer systems and treat them as

such,” said Chase Garwood, cyber physical systems security program manager in the Homeland Security Advanced Research Projects Agency, within the Department of Homeland Security’s Science and Technology Directorate. Government and industry are doing exactly that, he said. Ahead of their release, they’re thinking about autonomous vehicles’ vulnerabilities and working diligently to address them.


Understanding what makes autonomous vehicles vulnerable requires looking under the hood. There, engines cohabitate with central processing computers known as engine control units, or ECUs. “Cars today ... are no longer just analog with a carburetor and mechanical systems,” said Garwood, whose office conducts scientific research that supports the development of commercial cybersecurity solutions. “They have onboard

software that controls everything from airbag deployment, seatbelt performance and braking to entertainment systems, steering and parking.” Unfortunately, all software has the same Achilles’ heel, whether it’s installed on a computer, smartphone or car: bugs. “The software for premium connected and autonomous vehicles’ ECUs contains up to 60,000 bugs — including 5,000 security defects. These bugs potentially allow malicious hackers to take over the ECU, which is connected to the internet and external networks,” explained David Barzilai, co-founder and chairman of Karamba Security, an Israeli start-up that develops cybersecurity solutions for driverless vehicles. “Autonomous cars must be connected to the internet, to other cars and to infrastructure in order to enable complete autonomy. Each of those communication channels represents an CO N T I N U E D



TECHNOLOGY & JOBS Waymo’s self-driving cars, including a Chrysler Pacifica Hybrid minivan, left, and the Firefly, right, feature a panel of controls for riders to operate the vehicles.


Uber is testing self-driving vehicles in San Francisco, Pittsburgh and Tempe, Ariz. GETTY IMAGES; UBER



TECHNOLOGY & JOBS facturers will power their products with QNX, an operating system for automotive infotainment systems that BlackBerry acquired in 2010 and is currently modifying for use in driverless cars. Starting at the foundation with a security system also makes it easier to segregate threats, which limits their impact. “If you look at the majority of new vehicles, there’s a change in the vehicle network architecture,” said Timo van Roermund, security architect at NXP Semiconductors, which supplies computer chips to the automotive industry. “Rather than having a big open network, you now have isolated domains and a context-aware firewall, or filter, that controls which information can flow from one domain into another.” Simply put: A threat that enters an autonomous vehicle through its infotainment system is contained there.


This illustration shows how different components interconnect in today’s vehicles. NXP

attack surface through which hackers can infiltrate the car and take control.” In 2015, researchers Charlie Miller and Chris Valasek demonstrated that capability when they hacked the internetconnected entertainment system of a Jeep Cherokee to bring it to a standstill on a St. Louis highway. Fiat Chrysler subsequently recalled 1.4 million Cherokees, all of which shared the same security vulnerability. “One of the big concerns is that you can potentially take control of not just one vehicle, but, in theory, hundreds, thousands or maybe even millions of vehicles at once,” said Charles Covel, senior analyst in the Office of Cyber and Infrastructure Analysis (OCIA), within DHS’s National Protection and Programs Directorate. In August, OCIA published an analysis of the national security risks posed by autonomous vehicles and concluded that hackers could not only seize control of selfdriving cars — and potentially weaponize them by causing fatal collisions — but also use them to violate privacy and steal data. “If connections aren’t secure, somebody who is able to access your vehicle can also access all your personal information,” Covel said.

“Rather than having a big open network, you now have isolated domains and a context-aware firewall ... that controls which information can flow from one domain into another. ” — Timo van Roermund


Before dismissing autonomous driving as ominous driving, one should know that self-driving cars are being designed to withstand their inherent risks. Like cruise control and air conditioning, cybersecurity comes standard. “Autonomous vehicles are some of the most secure vehicles around because of what’s at stake,” said Hudson Thrift, security operations lead at Uber, which is currently testing autonomous driving in San Francisco, Pittsburgh and Tempe, Ariz. “We’re building these things from the

ground up with security in mind.” To understand the benefits of a groundup design, consider BlackBerry. Although its popularity has plummeted, its mobile phones have long set the standard for security, according to CEO John Chen. “Have you ever heard of a BlackBerry being hacked?” he asked. “The answer is no, and the reason for that is the way we build our devices.” With the same layered-security approach it uses with its devices in mind, BlackBerry is pivoting from smartphones to autonomous vehicles. It’s hoping manu-

Ultimately, security hinges as much on teamwork as technology. “The automotive industry traditionally has been rather closed, but that’s starting to change,” said van Roermund, who noted that in the past, automakers have been reluctant to share knowledge for fear of losing their intellectual property. With cybersecurity, however, there’s a recognition that automakers are better off united than divided. Manufacturers are therefore establishing groups like the Automotive Information Sharing and Analysis Center, a consortium of global automakers and suppliers whose purpose is enhancing cybersecurity awareness and collaboration. “The top companies in this space get together and we talk about what we’re doing and how we can help one another,” said Uber’s Thrift, who chairs the Technical Steering Committee for Future of Automotive Security Technology Research, a similar group established in 2016 by Aeris, Intel and Uber. “One of us being bad at security doesn’t help the others; we’re all better off if we’re all better at security.” Government has a role, too. Along with DHS, those studying autonomous vehicle security include the U.S. Department of Transportation and Congress, both chambers of which have introduced legislation requiring automakers to create and execute a written plan for detecting and responding to cyberattacks. Although the House passed its bill in September, the Senate is still mulling its version. Meanwhile, automakers are keenly focused on developing driverless cars that are simultaneously high-tech and hightrust.“Autonomous features have huge safety advantages that are hopefully going to save a lot of lives,” Garwood said. “By talking about the risks, we’re trying to be preventive instead of reactive.”



Irresistibly turbo-charged.

Download our free app, now with virtual reality. Get revved up for the cars to watch and the ingenuity that will change the way you drive, only in the Money section.



EDUCATION By Claudia M. Caruana




Advanced educational offerings grow with critical need for experts

HE HEADLINES ARE FILLED with examples that show a lot of work needs to be done to crush ongoing cyberthreats to individual Americans as well as threats to businesses, infrastructure and the U. S. government. In five simple words: Cybersecurity experts are in demand. Eye-catching statistics from CyberSeek, a project supported by the National Initiative for Cybersecurity Education in the U.S. Department of Commerce, show that from October 2016 through September, there were nearly 286,000 jobs in cybersecurity that were unfilled. This demand is not abating anytime soon, as employment opportunities in cybersecurity are expected to soar in the coming years. According to the Occupational Handbook, published by the U.S. Department of Labor, the job outlook for information technology security analysts is expected to grow by 28 percent by 2026. At the fourth annual Cyber Security Conference for Executives, sponsored by Johns Hopkins University in Baltimore in late September, retired Air National Guard Brig. Gen. Guy Walsh, who served as an adviser to the deputy commander for U.S. Cyber Command, stressed it is important to recruit information technology professionals and “white hat” hackers to protect the integrity of systems from cybercriminals. “We have this huge, interconnected world at work, and our next Pearl Harbor will be cyber-related,” he said.


Finding one’s way into the cybersecurity field is not necessarily a straight line, as there are many points of entry. Some individuals earn undergraduate degrees in computer science or IT, often with a concentration in cybersecurity; others may work for a while in a related field, develop expertise and continue their education with a master’s degree in cybersecurity. Certificates from various programs and vendors also factor into the mix. Rich Tehrani, CEO of Apex Technology Services in Norwalk, Conn., says his firm, which provides cybersecurity services for the assets management industry, law firms and general markets such as media, government, health care and education hires both CO N T I N U E D







An undergraduate student works in a computer science lab at Michigan Technological University. Similar courses are required to earn a master’s degree in cybersecurity.

“With the increasing number and complexity of cyberattacks, and as technology becomes increasingly sophisticated, the demand for an experienced and qualified workforce to protect our nation’s networks ... will only continue to grow.” — Lauren Blakeney, DHS spokeswoman

IT and cybersecurity experts. “One click on a computer can lock up an entire company, so we need experienced people with many skills and knowledge of computer and software systems to protect the interests of our clients.” Reaching the point where your skills are in demand by private industry or government usually starts with a strong computer and cybersecurity education. Jesse Goldhammer, associate dean for business development and strategic planning at the University of CaliforniaBerkeley School of Information, said, “We strongly believe that cybersecurity degree programs should require integrated, multidisciplinary courses. That is why technical courses, such as cryptography, are required for our students.” Courses from a select set of core topics, such as operating systems, mobile and web security are also required, Goldhammer added. Berkeley also requires students to take non-technical courses such as cybersecurity in context, “which teaches them the fundamental legal, ethical, political and

behavioral factors that influence cybersecurity,” he said. Jean Mayo, head of Michigan Technological University’s master degree program in cybersecurity, said that software security is an essential component of any degree. “Attacks on computer systems most commonly exploit vulnerabilities in the programs that they run,” she said. The M.S. cybersecurity degree at Michigan Tech includes courses in computer science, electrical and computer engineering and computer and network system administration, which, according to Mayo, “allows students to focus in any of three areas — trusted software engineering, critical infrastructure protection and network security management.”


It doesn’t take a rocket scientist to know that the government needs professionals with cybersecurity expertise, and the Department of Homeland Security (DHS) is one of the largest employers of these

experts. Lauren Blakeney, a spokeswoman in the office of the Under Secretary for Management in DHS, said IT and cybersecurity jobs at the department do not necessarily require advanced degrees. “Candidates can often acquire the skills required for these jobs through other ways, such as community college, military service or online training. The level of education needed for any DHS job opportunity depends on the knowledge, skills, ability, experience and requirements of the position.”

AN IDEAL CANDIDATE FOR DHS? According to Blakeney, “A balance of experience and a diverse skill set make a candidate marketable and attractive to DHS. Experience lets the employer know a candidate can do the work, and certifications confirm what a candidate knows. A candidate should start by laying the foundation in school and seek opportunities to gain valuable knowledge CO N T I N U E D






FINDING A SCHOOL THAT FITS Many colleges offer cybersecurity and ancillary degree and certificate programs. Here are 10 U.S. institutions that have received certification from the National Security Agency and Department of Homeland Security as national centers of academic excellence in information assurance education, cyber defense education or cyber defense research:

Retired Air National Guard Brig. Gen. Guy Walsh speaks at the fourth annual Cyber Security Conference for Executives in Baltimore in September. HOMEWOOD PHOTOGRAPHY

and applicable skills via cyber competitions, internships, volunteer work/shadowing professionals, etc. Internships are a great way to develop a skill set and increase exposure to industry software and hardware.” She adds that since DHS has 18 components with cyber missions, many opportunities are available. “Like all organizations, DHS bases advancement on several factors, including individual merit, mission critical objectives and business needs. With the increasing number and complexity of cyberattacks, and as technology becomes increasingly sophisticated, the demand for an experienced and qualified workforce to protect our nation’s networks and information systems will only continue to grow.” Although every university cybersecurity program is different, Joe Giordano, chair of the cybersecurity and information assurance undergraduate program and the graduate intelligence and forensics program at Utica College in New York, has strong views on a cybersecurity curriculum. He said any program should include a computer hardware course that introduces students to computer systems, a detailed network course addressing network protocols, network structure and network topology, computer programming courses and courses dealing with vulnerability assessment and penetration testing. He added that a course in malware and malware analysis would be a “solid addition to a quality academic program,” and courses that address non-technical issues such as policy, risk, compliance, and legal and ethical issues are critical.

OVERSEAS EDUCATION POSSIBILITIES Although most Americans will get their cybersecurity training and degrees in the U. S., there are study opportunities with international universities or American schools working with overseas academic partners. In Israel, for example, Mordechai Guri, head of research and development at the Cyber Security Research Center at the Ben-Gurion University of the Negev, who specializes in attacks in air-gapped networks — highly secured, isolated networks — said researchers work in various areas in the university, including the department of information systems and software engineering and computer science. The research center accepts students from the United States and other countries in fellowship programs. An example of collaborative international work is the National Cybersecurity R&D Laboratory (NCL) at the National University of Singapore, a partner of the cyber Defense Technology Experimental Research (DETER) group from the Information Sciences Institute at the University of Southern California and University of CaliforniaBerkeley. NCL collaborates with DETER to develop platforms for the testing of cybersecurity solutions. No matter what path an aspiring cybersecurity professional takes, there is consensus that their skills will be put to good use. “A cybersecurity workforce shortage exists and students possessing a degree in cyber or STEM-related fields are in demand,” said DHS’ Blakeney.

1. Capella University Capella, a for-profit, online university headquartered in Minneapolis, offers a Master of Science in information assurance and cybersecurity program designed to prepare information security professionals to assess, develop and implement solutions to safeguard the information assets of an organization. „ 2. Fairleigh Dickinson University The new Center for Cybersecurity and Information Assurance at Fairleigh Dickinson offers 10 cybersecurity-related Bachelor of Science degrees, four Master of Science programs and several graduate-level certificates. Students take advanced courses in network security administration, computer forensics, secure software development and more. „ 3. Florida A & M University Courses offered in the Department of Computer and Information Sciences under the Cyber Defense Certificate Program at the undergraduate and graduate levels are used to satisfy the NSA/ DHS designated 22 cybersecurity-related knowledge units. „ 4. New York University NYU has a one-year Master of Science degree in cybersecurity risk and

strategy for executives, offered jointly between the School of Law and Tandon School of Engineering, for professionals who want to deepen their understanding of cybersecurity risk. Faculty teach classes on topics including network security and systemssecurity engineering. „ 5. Northeastern University In the Master of Science in Information Assurance and Cybersecurity program, students learn about issues in information security and how technology can help resolve them. Courses include applied cryptography, white-collar crime, cyber law and digital rights. „ 6. Purdue University In addition to a Bachelor of Science in cybersecurity, the Purdue Polytechnic Institute has a one-year Information Security for Computing Professionals program, leading to a Master of Science degree in computer science. The program has a strong focus on data security. „ 7. Texas A&M University The degree programs at the Texas A&M Cybersecurity Center include a cybersecurity undergraduate minor and cybersecurity designations as well as a Master of Engineering with a specialization in cybersecurity and certificate programs. „

8. Tuskegee University Tuskegee offers several Committee on National Security Systems (CNSS) security certifications, including information systems security, NSTISSI-4011, National Training Standard for information systems security professionals and CNSSI-4012 for senior systems managers. „ 9. University of Maryland University College The three Bachelor of Science and five Master of Science degrees in areas including cybersecurity technology, cloud computing and digital forensics at the University of Maryland University College draw from fields such as technology, management, law, science, business and psychology to provide current knowledge and skills for protecting critical cyber infrastructure and assets. Students can also earn four undergraduate and graduate certificate programs. „ 10. University of Pittsburgh The university’s School of Computing and Information has an interdisciplinary undergraduate program for cybersecurity that also includes legal and policy issues. There also are Master of Science and Ph.D. programs in information science available for graduate students. „ — Claudia M. Caruana






MAJORING IN DISASTER Grads with emergency management degrees can help cities cope in crises

By Amy Sinatra Ayres


URRICANE HARVEY DUMPED MORE than 50 inches of rain on Houston in late August. Hurricane Irma slammed into the Florida Keys in September, and forced millions to evacuate coastal areas as it threatened the whole peninsula. And Hurricane Maria quickly followed, devastating Puerto Rico, where most of the population remained without power for weeks. As each of these disasters unfolded, Crystal Chambers watched closely from across the country. Chambers has been an emergency management coordinator for the city of Los Angeles for the last two years, since earning her master’s degree in emergency services administration from

California State University-Long Beach. “That (proactive observation) is a part of the emergency management field as a whole — not just waiting until something happens in your backyard to learn from it and grow from it but also taking all those lessons that we’re seeing ... in Puerto Rico, in Houston, all of those places,” Chambers said. “What’s happening there? What does that mean potentially for us if we had a similar situation or even a different hazard that results in the same functional challenges? We’re not going to have 50 inches of rain come down in L.A., but concerns about public information and warning, communicating with the public ... we can learn from that in every disaster.” Steve Jensen, who heads the onlineonly master’s degree program Chambers

completed at CSU-Long Beach, has had a decades-long career in the field, starting with managing refugee camps abroad. “When I first started out almost 40 years ago, there was very little guidance in how you would actually do this work,” he said. “Now we understand the systems. We have much better developed systems; we understand how they work; we understand how people interact with these things, how people are affected by disaster. It’s rapidly been professionalizing.” In the last 20 years, colleges around the country have started to offer emergency management degree programs at the undergraduate, graduate and doctoral level. Some of the programs are offered on CO N T I N U E D

Since Steve Jensen first entered the emergency management field nearly 40 years ago, it has undergone many improvements. GETY IMAGES; AMERICAN RED CROSS






WHERE TO GET AN EMERGENCY MANAGEMENT DEGREE FEMA’s Higher Education program lists scores of bachelor’s, master’s and doctoral degree programs in emergency management at colleges across the U.S. Here’s a look at some of them: Arkansas Tech University Bachelor of Science in emergency management; Master of Science in emergency management and homeland security „

University of Central Florida Graduate certificate in emergency management and homeland security; minor in emergency management and homeland security „

California State University Long Beach Master of Science in emergency services administration „

University of Central Missouri Bachelor of Science degree in crisis and disaster management „

Embry-Riddle Aeronautical University (Florida) Bachelor of Science in emergency services; Bachelor of Science in homeland security „ North Dakota State University Bachelors of arts and science in emergency management; minor in emergency management; Master of Science degree in emergency management; Ph.D in emergency management „ State University of New York at Canton Bachelor of Science in emergency management; Bachelor of Technology in homeland security „

University of Delaware Master of Science in disaster science and management; Ph.D in disaster science and management „ University of North Texas Bachelor of Science in emergency administration and planning; Master of Public Administration with specialization in emergency administration and planning; Ph.D in public administration and management with concentration in emergency administration and planning „ Upper Iowa University Bachelor of Science in emergency and disaster management; Master of Public Administration with emergency management and homeland security emphasis „



FEMA’s National Emergency Training Center in Emmitsburg, Md., offers first responders, educators and other professionals courses and degrees that can bolster their career experience in emergency management. campus only, and many are also offered online, allowing people who may already be working in the field in public safety, law enforcement, the military or in public health, among other disciplines to take the courses at their convenience — even if that means logging on at 2 a.m. after coming back from fighting a wildfire, Jensen said. The Federal Emergency Management Agency (FEMA) launched its Higher Education Program at the Maryland-based Emergency Management Institute in 1994, to promote collegebased emergency management education. Arkansas Tech University’s (ATU) first emergency management undergraduates completed the program in Decmeber 1998, but degree programs nationwide became more prevalent after the Sept. 11 terrorist attacks. “I would say 9/11 really pushed the button,” said Sandy Smith, head of the emergency management department at ATU, which offers bachelor’s and master’s programs, both on campus and online. FEMA’s Higher Education office now lists more than 100 degree programs on its


Sandy Smith says more emergency management professionals are needed. website ( hiedu), including many at the associate’s and bachelor’s degree levels, as well as more than 40 master’s degree programs and several doctoral programs. Still, not everyone is aware of the opportunities in the relatively new academic field. “This is a discovery major,” Smith said. “There’s very few who come here saying, ‘I want to be an emergency management major,’ and they’ve just graduated from high school. It would be our hope that that culture is changing, partly because the need is so great to have people in the field who have the

education to do what’s needed in emergency management.” Jessica Jensen (no relation to Steve at CSU-Long Beach) said she knew she wanted to study emergency management even before she knew what it was called. But when she started looking at colleges in the 1990s, there were only two programs available, so she majored in political science instead. Later, she “looked out at the horizon again — this was in the post-9/11 era — and I saw that there were not only undergraduate programs in emergency management but that there were graduate degree programs.” Jensen moved from Los Angeles to Fargo, N.D., and earned her master’s and doctoral degrees from North Dakota State University (NDSU). Now, she heads the emergency management department at NDSU, which she considers a huge opportunity to shape the degree field by deciding which courses to offer and instructors to hire, she said. NDSU is a research institution that offers undergraduate, graduate and doctoral degrees CO N T I N U E D





EDUCATION in emergency management, on campus only. Available electives include a course in assessing vulnerability and risk, business continuity and the role of nonprofits in the field. Emergency management coursework emphasizes preparedness, mitigation, response and recovery, said Arkansas Tech’s Smith, who holds a Ph.D. in nursing. Those courses include training students how to respond to natural disasters and other emergencies. “We take what we call an all-hazards approach,” said Steve Jensen. “We focus primarily on natural disasters, but the kind of systems we put in place have a bearing on” other emergencies, too. “We’re doctors for cities. We try to figure out what’s going in the city, what’s causing the disaster and help the cities to make the corrections,” he said. “We shouldn’t be in a situation where we’re continually getting knocked over by floods, earthquakes and hurricanes. We should be moving towards getting out of those situations.” The educators emphasized that emergency management is an interdisciplinary field. “We’re drawing from all kinds of academic disciplines — and the knowledge that they’ve produced about these things — to develop a comprehensive understanding of what happens and why and what we can do about it,” Jessica Jensen said. Master’s degree programs in emergency management tend to emphasize research. “The need for research, evidence-based research, is great — I mean, it’s huge,” said Smith. “On our master’s level, a third of our classes are research-based. We’re needing our master’s-level students to help in the field, producing new knowledge.” Educators work closely with FEMA and local agencies, and are also combining higher education with practical experience by including internship requirements in their programs, which can help students gain credibility within the field and land jobs, Jensen said. “I would argue strongly that an education such as the one we offer here, grounded deeply in research, is very useful to developing professionalism in the field,” said Jensen, who is part of a training and education committee for the International Association of Emergency Managers. “Now, that said, there still is a real enduring truth and that is that people in practice look with weariness at the value of educational degrees in emergency management, and I would suggest that the demand from the practitioner’s side is not always very high. I think it will change and is changing slowly as more people with degrees go out and get jobs.”




Jessica Jensen, head of the emergency management department at North Dakota State University, works with students in a classroom on the school’s Fargo, N.D., campus. By getting both academic and practical experience, emergency management graduates are finding positions at FEMA and, more broadly, the Department of Homeland Security, as well as at state and local government agencies — and an increasing number of graduates are finding work in the private sector. “That’s one of the big areas where people are really starting to find a lot more opportunity,” Steve Jensen said. According to the most recent numbers from the U.S. Bureau of Labor and Statistics, there were 10,500 emergency management director jobs in 2014. Employment was projected to grow 6 percent from 2014 to 2024, which is about as fast as the average for all occupations, and the median pay was $70,500 annually. At NDSU, 67 percent of the students who earned bachelor’s degrees in emergency management this year had jobs on graduation day, and 80 percent had jobs within three months of graduation, Jessica Jensen said. There were about 20 graduates in the class. “In general, there’s a need for (people with these degrees), and an increasing need and an increasing number of available positions, as long as one is looking at the available career paths within emergency management broadly,” she said. That means looking beyond the practitioners’ side to hospital, business and nonprofit settings. More banks are bringing in emergency managers, and some large corporations hire them, too. Several Arkansas Tech graduates work for Walmart, which is headquartered in the state, contributing to business continuity plans for issues like fires in their stores, and helping the company

respond to natural disasters by sending food or water to devastated areas when needed, Smith said. FEMA’s Higher Education program PROVIDED BY JESSICA JENSEN also publishes a weekly Jensen wanted to receive newsletter that often emergency management includes leads on jobs at training at the college level the agency, in the field in the 1990s, but very few in general and in the programs were available. academic setting. Jessica Jensen also highlighted the importance of students in other majors taking a minor in emergency management. Those who want to work in politics, engineering, construction, hospital or as school administrators “need to be studying this stuff, too,” she said. Jensen added these professionals, who make important decisions in communities, need a background in emergency management to guide their thinking and help avoid disasters when possible. No matter how shored up and prepared a region is, future disasters are inevitable. The need for trained emergency management professionals isn’t going away. “We’re going to continue to have hurricanes. Unfortunately, I think we will continue to have lone wolves and terrorists, active shooters,” Smith said. “We’ll continue to have tornadoes and wildfires — and the need for people who know how to work in those areas or plan and try to mitigate against them.”