As previously hinted at, President Obama has ordered a review of a Defense Department program that distributes surplus military equipment to state and local law enforcement agencies. This review, triggered by the civil disturbances in Missouri, will examine not only whether the equipment distribution was appropriate, but also whether proper training and oversight have concurrently been administered. In all likelihood, the review will expand to examine whether other federal programs, including the $2 to $3 billion in grants handed out annually by the Department of Homeland Security, have resulted in an "over-militarization" of police departments across the country.
I won't go into the merits of these programs, and whether the distribution/funding of military-type equipment has led to abuses of civil authority. The only comment I would make here is that it is often useful to remember why these programs came into existence (typically the result of concerns about police capability gaps following a traumatizing event like a terrorist attack or school shooting).
Regardless of the motivation for the review, I do think it is one that is sorely overdue, but not necessarily for the reasons that triggered it. Instead, I think the review is necessary to help better clarify funding priorities so that state and local governments are getting the right equipment to confront the most pressing threats.
One of the greatest challenges with equipping state and local governments is prioritization: are the right threats being reduced by the equipment dispensed? Conducting such risk-based analyses is incredibly difficult, particularly given the ever-changing nature of threats and the inevitable politics involved in who gets what and when.
In my mind, the review will be successful if it helps distinguish the possible from the probable. There can be a huge gap between the two, and focusing on the 100-year event often leaves local communities vulnerable to everyday pernicious threats.
Specifically, I am thinking about whether state and local governments are receiving adequate federal support to protect themselves from cyber-attacks. From what I can observe, the answer is a flat no.
We are basically 13 years removed from the horror of 9/11. Tens of billions of dollars have been spent in the interim ensuring that state and local governments have adequate resources available to respond to a variety of threats. Visions of chemical and biological attacks, "dirty bombs", improvised explosive devices, and "active shooter" events have danced through the head of any number of public safety officials. And the result has been extraordinary amounts of equipment that can be bought using federal dollars or obtained through surplus disposition programs.
Our law enforcement officers and first responders sorely needed equipment to combat those threats, and they in large part have gotten it. Now though, it is time to take a step back and determine whether the cyber-threat should be a higher funding/outfitting priority.
Anecdotally speaking, I think the answer is a resounding yes. If you look at the scale and scope of cyber-attacks, both actual and possible, the contrast with physical events is astounding. Hundreds of thousands of pieces of malware are being created on a daily basis, and any number of organizations face thousands of attacks per day.
State and local governments are not immune from these attacks; some of the largest data breaches have occurred at the state level. Many governors have expressed concern about the need to improve their cyber security posture. Such worries make great sense - states hold just as much sensitive data on individuals as any other organization, and deliberate attacks designed to disrupt public utilities or even simple things like traffic lights could cause absolute chaos.
Thus, reviewing how equipment and money are provided to state and local law enforcement agencies and governments is an absolutely vital step as we build additional defenses against the cyber-attack onslaught. There will always be a place for providing police departments with equipment to respond to violent threats, but right now taking a step back to see how more can be done to protect against electronic threats is not only right, it is vital.
Brian E. Finch (@brianefinch) is a partner at Pillsbury Winthrop Shaw Pittman LLP.