Has Resilience Become the New Protection

The recent release of the first Quadrennial Homeland Security Review (QHSR) marks a key milestone in the evolution of homeland security.  Like most strategic documents, it provides a valuable framework for long-term action by first defining the issue and then articulating the missions, goals, and objectives for improving homeland security.  But on a more basic level the QHSR gives a snapshot of current thinking about the definition of homeland security and its guiding principles.  As the latest entry in the constellation of homeland security doctrine, the QHSR allows the community to start to discern trends that have emerged during this first decade of what in the future may accurately be described as the homeland security era.  The perspective provided by the QHSR shows not only how far the United States has come in its thinking about homeland security, and what debates have been settled to date, but also what major issues must still be resolved.

An important example of the latter involves the missions of critical infrastructure protection and resilience.  Protection is defined as the actions or measures taken to cover and/or shield from exposure, injury, or destruction.  Resilience refers to the ability to resist, absorb, recover from, and/or successfully adapt to adversity or a significant change in previous conditions.  Within the overall field of homeland security, the policy focus to date has been primarily on the protection of the critical infrastructure assets and systems that provide essential services.  But resilience has rapidly emerged as a still relatively new theme in homeland security, setting up a debate on how the closely intertwined but very different concepts of protection and resilience relate to one another.

The first National Strategy for Homeland Security included protection and security as core pillars of its initial framework.  That seminal document, issued less than one year after the 9/11 terrorist attacks, defined – for the first time – what homeland security really means and what it would and should become.  Understandably, terrorism was the principal focus of the National Strategy – which spelled out in considerable detail the primary national objectives centered on: (a) preventing additional terrorist attacks within the United States; (b) reducing the nation’s vulnerability to such attacks – and to terrorism in general; and (c) recovering from any future attacks that might nonetheless occur.  In what was perhaps a telling sign of the times, the word “resilience” did not appear anywhere in the first iteration of the national strategy – an absence that seems rather strange in today’s environment, where resilience has become a popular buzz word.

Moving Forward – In an Era of Constant Change 

Today, in 2010, resilience is suddenly everywhere, both as a mission and as an organizing framework.  This shift in public awareness was undoubtedly driven in part by the long road to recovery experienced after Hurricane Katrina, and will be further shaped by the lessons learned from last month’s earthquake in Haiti.  Earlier this year, the QHSR cited resilience as one of three key concepts that form the general foundation for a comprehensive approach to homeland security, and in September 2009 the National Infrastructure Advisory Council delivered a report to the President on critical infrastructure resilience and offered a series of policy recommendations on the issue.  Moreover, several recent books – e.g., The Age of the Unthinkable by Joshua Cooper Ramo, The Edge of Disaster by Stephen Flynn, and The Unthinkable by Amanda Ripley – also dissected the issue of resiliency, and, of perhaps greater importance, framed several possible strategies for making the critical U.S. infrastructure, the American people, and the nation at large more resilient. 

But the relationship between protection and resilience in homeland security has yet to be fully defined or explained. And a major question has yet to be answered: Is one mission a subset of the other, or are they equals? The latest version of the National Infrastructure Protection Plan (NIPP) describes protection as covering a range of activities, including not only traditional security functions – such as improving security protocols, hardening facilities, and installing security systems – but also actions that are more resilience-focused  (e.g., building resiliency and redundancy, and business continuity planning). 

Assembling this rather broad spectrum of activities under the same umbrella, protection, implies at first glance that resilience is a component of the overall protection mission. However, protection and resilience also can be framed as complementary elements of a broader approach to managing risk, as the NIPP also begins to suggest.  Rather than seeing one as a subset of the other, they can be viewed as linked concepts: infrastructure protection covers what is done to stave off an event and/or limit its damage, while resilience is about minimizing the disruptions that follow the event. Viewed in this context, they become reinforcing components of a holistic approach to managing risk that involves deterring threats, reducing vulnerabilities, and mitigating the consequences associated with a terrorist attack or other incident.  Seeing protection and resilience as equals may help foster better integration of critical infrastructure in traditional preparedness activities – planning, training, and exercises – that help build resiliency.

Regardless of how these complementary relationships are ultimately defined – in official or unofficial terms – the reality is that both protection and resilience must continue to be part of the homeland security business model moving forward.  There is no way to effectively protect the United States, or the American people, against every possible adverse event. For that reason alone, public agencies at every level of government, businesses both large and small, and everyday citizens must be able to absorb, adapt to, and recover from both major disasters and temporary disruptions.  In short, the threshold of what must be withstood through improved resilience can be lowered through the application of smart protection and security actions – ahead of time, in the places that matter most.