The Bottom Line: More Security

Our relief that the massive blackout of 2003 was not the work of terrorists and our present focus on vulnerabilities in the power grid should not divert our attention from the core question raised by the episode that left 49 million Americans without power: Have we done enough since Sept. 11 to protect our nation’s critical infrastructures from potential terrorist attack?

There are literally hundreds of thousands of targets that terrorists could strike, including chemical and nuclear plants, commercial transportation and mass transit, power systems and utilities, skyscrapers and sports and concert venues. Eighty-five percent of these are privately owned.

There are more than 3,000 chemical facilities in the United States where a worst-case toxic release could put more than 10,000 people at risk. An accident at any of more than 120 of those facilities could threaten more than 1 million people. In 1984, an accidental toxic chemical release by a U.S. firm in Bhopal, India, killed 2,500 people and made more than 50,000 seriously ill.

The risk of a terrorist-created Bhopal in places like Baltimore and Houston is real. Dangerous chemical production and storage facilities are not required to assess their security vulnerabilities or implement security improvement plans under government oversight. Chemical plant security legislation in the Senate supported by the administration would do little to change the status quo, requiring chemical facilities to draft security plans but not submit them for review or oversight.

Tens of millions of Americans who travel on roads, rails and subways daily are potential targets, especially at concentrated points like bridges, tunnels and subway stations. They are further at risk from the trucks and rail cars that carry toxic cargo and are, in effect, potential bombs on wheels.

We have taken few initiatives to markedly improve truck and rail car inspections, especially near large population centers. Nor are we anywhere near fully utilizing our technological capabilities to improve the safety of trucks carrying hazardous materials.

As the blackout made clear -- both to us and to our enemies -- our electrical systems are vulnerable to key failures, need better fail-safe mechanisms to isolate outages and lack sufficient redundancy.

In addition, our major utilities are not safe from cyber attacks. The Code Red worm in 2001 and the Slammer worm in January disrupted computer-based safety and control systems at nuclear power facilities that were previously thought to be secure.

At large structures where thousands of people congregate, including skyscrapers and indoor arenas, terrorists could easily access ventilation and air-handling systems and introduce toxic chemical or biological agents.

Despite this catalog of vulnerabilities, the Bush administration’s strategy to protect critical infrastructure relies largely on voluntary private-sector action to improve our national security. But as the Brookings Institution pointed out a year ago, corporations accountable to their shareholders to maximize profits do not have the economic incentives to voluntarily make the investments necessary to raise security levels to where they need to be. Good business practice and patriotism will result in corporations raising security somewhat, but businesses will be unlikely to make substantial voluntary investments in security for fear that they would be at a competitive disadvantage with those who declined to take such steps.

President Bush and Congress share a commitment to protect the American people. But when it comes to securing critical infrastructure, this administration’s strategy is not equal to the urgency and gravity of the threats we face. It still has not produced a comprehensive national threat and vulnerability assessment for critical infrastructure, which is the starting point for a serious effort to improve homeland security. And the administration’s reluctance to require businesses to share the burden of homeland security has led to an underinvestment in infrastructure protection.

Our government has a duty to protect us. It need not do so through the heavy hand of direct regulation, but rather can achieve positive outcomes through targeted incentives or assistance to owners of vulnerable critical infrastructure. Setting higher standards, pushing faster timelines and -- where absolutely necessary -- exploring mandates and regulation are not undue interference but rather the exercise of a constitutional duty to provide for the common defense of our nation.

Our reaction to the blackout cannot be limited to seeking improvements in our electricity grid. This episode should put us on notice that we remain extremely vulnerable as a nation and that our government at all levels, together with the private sector, must harden our infrastructure against a potential terrorist attack.