Tuesday, December 9, 2008

A Fast, Effective and Efficient Emergency Communications Plan for the Obama Administration


David Aylward[1], December 4, 2008


Introduction

All the key reports on 9/11, Hurricane Katrina, and similar disasters have pointed to failures and weaknesses in emergency communications and information sharing as critical and primary problems. 9-1-1 and emergency communications and response systems remain largely stuck in the technology and mentality of the 20th Century resulting in the loss of life, emergency communications systems that repeatedly underperform and/or fail in major disasters, and overall system inefficiencies. The new Administration will face this one way or another. It can confront the problem as a major national and White House priority – and solve it. A strong, visionary effort by the Obama Administration to deploy next generation emergency communications and information technology will save lives and property, reduce injuries, protect homeland security, improve emergency medical care, and ultimately save money across a wide array of local, state and federal safety and related functions. Such an effort is also wholly consistent and supportive of the emphasis on investment in broadband and critical infrastructure outlined by President-Elect Obama. [2]

Alternatively, the Obama Administration can allow the current Bush programs and policies in a wide variety of agencies to continue. If it does the latter, responses to the emergencies that will inevitably arise in the next few years will be weakened and lives will lost – both in disasters and in daily emergencies. We have failed to make significant progress in all forms of emergency communications since 9/11, despite spending billions of federal dollars. The current morass of emergency communications policy is not due to a lack of emphasis and resources on homeland security at the Federal level; it results from a lack of direction and leadership that understands modern information technology. It results from a failure to treat the emergency communications system as a single, “virtual enterprise”, pursuing instead disjointed and uncoordinated efforts based on different public safety professions and historical perspectives.

The Obama Administration should apply its focus on modern information technology and 21st Century information sharing paradigms to dramatically improving our nation’s emergency communications. 9-1-1 agencies need to be able to receive data and video from the public, not just voice calls, and need to be the nerve center of a smart, all-hazards, Internet-protocol, interoperable and integrated emergency response system. Emergency organizations of all kinds could provide more informed response (and responders would be safer) if they had access to, and could share, video, text messages, car crash data, key personal electronic health data, building plans, extrication guides, traffic information, electronic maps, weather and hazmat data. These are all available electronically somewhere, but usually not to the brave responders who need them. From the first 9-1-1 call at the beginning of an emergency, to the patient’s going home from the hospital, and from the onset of a disaster to the communities’ recovery, we need to give all our responders access to all the information they need, when and where they need it.[3]

· We still lack real voice interoperability for and with the tens of thousands of emergency organizations[4], and data interoperability with almost all of them
· Public warning and alerting is a hodge podge of stove pipe efforts: locally, at the states, by various DHS initiatives, within HHS, DOJ, DOT, Commerce, the FCC, and the private sector
· Inter-organizational data sharing and situational awareness is spotty at the very best
· 9-1-1 can only accept voice calls; text, video and data beyond location and number cannot be received; it cannot send or receive information to or from “N-1-1” entities like 2-1-1 social services, 3-1-1 city services, poison control centers or 800 number crisis hotlines
· Local emergency IT systems rarely connect to private organizations and NGOs involved in emergencies, much less employers and the general public
· The National Guard and other military organizations typically cannot share situational awareness or other information with civilian organizations, unless they are using the same software application, which is usually impractical
· In providing billions of dollars in emergency communications grants to the states and localities, there has been a narrow focus on buying new “transport” (on communications networks and devices), rather than on Internet Protocol and the “application layer”, where both interoperability and information sharing linking legacy systems are far more easily and cheaply accomplished
· In direct federal expenditures for software systems, there has been a dominant focus on buying specific federal software applications and trying to force state and local agencies to use them, rather than providing network-centric tools that enable the linking of diverse legacy applications
· There are no major federal or state efforts to focus on network-centric solutions – what is needed “in the middle” to connect the legacy systems of tens of thousands of emergency organizations
· There are no major government-enabled efforts to establish common standards across all the domains (professions) involved in emergency preparation, response and recovery; the small programs that exist are not seriously funded or given priority; the handful of larger programs are domain-specific
· There are is no common “Yellow Pages” of emergency organizations, enabling routing of incident information to all the organizations in the safety eco-system[5]. Nor are there standards for them (the equivalent of DNS servers for email: .com, .net, .gov etc.); therefore every sender of emergency messages needs to know and keep up to date its own list of the recipient organizations, and how to send data to them, a recipe for incompleteness and inaccuracy
· To ensure security, there is no federated organizational access control and identity management service across all the emergency response domains, or standards for them, to record information rights policies, enabling organizations to know which ones are allowed to send and receive emergency information, or that they are who they say they are[6]; this has to be hard coded, creating silos by agency, jurisdiction or domain
· Huge amounts of local, state and federal money are being wasted on duplicative programs and functions due to the stove-pipe and balkanized approach that has been followed.[7]

Why is this? The primary reason is that traditionally emergency communications decisions have been made at the individual agency level. Whether it is local, state, or federal government, there is no senior official above (and with authority over) the individual agencies and professions in charge of the big picture of emergency communications. There is no senior federal or state official responsible for emergency communications and information technology, with the responsibility and budget to bring a coherent “virtual safety enterprise” analysis and architecture to the problem. No senior official is asking and demanding answers to the overall key questions, or insisting on overall systemic outcomes and efficiencies (as opposed to improving the functioning of single agencies or single professions).

There is no emergency response Chief Technology Officer. No one is looking at the total cost of ownership of emergency information and communications technology for the federal government, much less federal, state, local and tribal. If they did, they would insist on shared applications that would produce overall benefits. No one is demanding true “all-hazards” planning, design, and implementation. (DHS is mostly focused on intelligence and law enforcement; to the extent it does emergencies it forgets health, and only does disasters; HHS only does health IT, but not emergencies except a bit for disasters, and a lot for some participants in pandemics; DOJ only does intelligence and crime; DOT does traffic information, EMS standards, and a smidgen of 9-1-1; most state and local agencies focus on day to day emergencies; so-called state “interoperability committees” were formed to rationalize the expenditure of federal funds on new digital police and fire radio systems).

Despite tough talk from the Bush Administration about the importance of emergency, interoperable communications, no one in the White House or OMB ever exercised serious overall leadership, demanding a common vision, coordination and cooperation. The “e-gov initiatives” supposedly managed by OMB included two emergency information and communications technology (ICT) projects: Safecom and Disaster Management[8]. Neither ever attempted a comprehensive, inclusive view. Individual agencies addressed these issues for themselves in a piecemeal way. There are at least 17 separate programs within DHS, scattered through several divisions that claim to be addressing some of the above issues.[9] None are trying to address all of them. Staff who try to take an overall view, to contribute to the whole, have been shut down. DHS, Congress, the FCC and others have not effectively addressed the problems for jurisdictional, interest group and leading safety vendor reasons.

And what about the transition to the new Administration? Issues concerning emergency information, communications technology and information sharing are most likely mentioned, perhaps highlighted, in transition reports from teams covering DHS, HHS (HRSA and CDC), the FCC, and even the Corporation for Public Broadcasting. These issues could just as well be part of reports for DOJ, DOT, DoE, DOD (including National Guard), and DoA, as all five of those departments have emergency ICT issues, programs, and/or requirements. But these issues cannot be properly addressed within those individual boxes, even if within each agency they were perfectly coordinated. Agencies and program staff understandably resist taking on projects beyond their boundaries and they have little incentive to do so.

Suggested Action Plan

Summary of Expected Outcomes, Action Items and Key Principles

The Obama Administration should not follow the failed models of the past. It should:

· Recognize that solutions to these issues are the compelling safety reasons and uses for the broadband deployments President-elect Obama has committed to encourage
· Make emergency communications a signature challenge and project for Administration, leading from the top, including the new overall CTO
· Recognize there are tangible day-to-day and disaster safety improvements that can be delivered to the public in the near future as we work toward a fully integrated, interoperable emergency response and communications system. The latter will take a long time and a lot of hard work, but early successes will speed adoption
· See how at a time of enormous demands on government budgets at all levels, better communications and information technology can be delivered at less cost, following the path that the commercial sector has blazed
· Harness and redirect projects already underway and undertake new ones to make rapid, tangible progress on emergency communications, with clear benefits to both the public and emergency responders.

Expected Outcomes

In the first 18 months the Plan should:

· Deliver rapidly an all-hazards, all levels of government and the private sector, public alert and warning system linking all outlets to the public, enabling them with the multi-use core services discussed below[10]
· Deliver rapidly a handful of other high value, high profile shared, managed information services, enhancing informed emergency response and situational awareness, and pointing the way toward an exciting, safer future. Two of these should be:
o Rapid, flexible and inexpensive voice interoperability through the use of software
o Rapid, inexpensive situational awareness for all authorized organizations
· Enable the above with the development of, and standardization of, two key shared “core services”[11] required to enable interoperability over the entire safety enterprise:
o Who are the participants? Agency locator/GIS-based registry of organizations involved in emergencies needed for sharing of information before, during, and after emergencies of all magnitudes among local, state, federal and private entities responsible for emergency response
o Security. Access control/identity rights management and related security services where the above referenced organizations are registered and given appropriate authorizations to send and receive emergency information

Action Items

· Assemble immediately a team of paid and unpaid experts who can deliver the broad-based policy, technical, operational, political and economic planning needed to accomplish these suggestions
· Assemble all the mentioned federal agencies into a federal team with a designated White House leader, with OMB support, and the clout to require cooperation
· Assemble a working group of the above and leaders of state and local agencies, leaders of the affected professions (see two bullets down), NGOs, and relevant private sector leaders; this group needs to be well populated with experts without a corporate or specific constituency “axe to grind”
· Approach emergency response overall, as an end-to-end system, focused on outcomes for citizens, under all hazards, and on overall costs and benefits, rather than as a collection of discrete response professions (e.g. police, 9-1-1), emergency problems (e.g. nuclear, pandemic) or specific communications methods (e.g. P-25 statewide radio network, wireless broadband)
· Define safety/emergency response broadly and inclusively as an overall “virtual enterprise”. Require planning and Total Cost of Ownership analysis according to this enterprise and with all the participants at the table. This should include the traditional first responder professions (police, fire, EMS), other emergency response professions, agencies and NGOs (e.g. 9-1-1, emergency management, hospitals/trauma centers, public health, Red Cross, poison control, mental health, and other “N-1-1” entities), government emergency support professions (e.g. transportation, public works, IT, schools), critical infrastructure providers, the media (especially public broadcasting), and other relevant participants (e.g. the Chamber of Commerce). It should include both wired and wireless communications, with a heavy emphasis on Internet Protocol software based solutions (the “Application Layer”) that link legacy systems, instead of buying all new systems
· Require recipients of federal funding to implement a broad, inclusive definition of “interoperability,” beyond traditional voice radio interoperability restricted to “first responders”, which definition advances interoperability of voice, data and video communications among all entities involved in emergency response. Similarly legislation should allow funds to be used not just for “equipment”, but also “software and services”, allowing the use of shared IP-based emergency service networks and services
· Establish an inter-agency working group to coordinate the distribution process and eligibility criteria of all sources of Federal funding for 9-1-1 and emergency communications
· Provide funding for the shared IP emergency communications backbones and associated services in each state and/or region needed by 9-1-1 and all other emergency entities to support Next Generation emergency communications; coordinate this backbone need with the ongoing development of a national 700 MHz public safety broadband wireless network currently being planned by the FCC
· Initiate Total Cost of Ownership thinking and analysis for this virtual enterprise – where federal money is involved, require planning decisions as if there is a single owner; the public will benefit
· Involve citizen groups that respond to end to end, citizen-focused approaches, including the American Heart Association, Brain Injury Association, American Automobile Association
· Involve the organizations that represent individual responders, not just the agency chiefs: Emergency Nurses Association, EMTs, firefighters, FOP for example
· Adopt “everything over Internet Protocol” and open architecture requirements
· Significantly broaden the narrow focus on buying new networks to achieve interoperability, and generally on communications “pipes” (the “Transport Layer”)[12]
· Add a major focus on the Application Layer, and specifically on managed, shared services that do not require capital investment or sophisticated IT staffing by the mostly small emergency agencies
· Provide major support for the creation of data dictionary, messaging and other standards serving the whole virtual safety enterprise, not just parts of it – by those safety professions[13]
· Rather than trying to upgrade the tens of thousands of individual agencies, which has been proven to be horrendously slow and expensive[14], focus on the “middle”, the network-centric applications that can enable more informed, interoperable and situationally-aware response[15]
· While the above is going forward, launch on a parallel track a “Solutions Delivery” Project charged with delivering broadly useful, interoperable (and interoperability-enabling) solutions rapidly, in part to show the value of this approach to the public and the other affected constituencies. These solutions need to be delivered over large enough regions or uses to have an impact on current thinking. In the future, most of these services should be self-supporting through subscriptions from the public and private sectors. The government should cost share for the development and deployment of these components, bear the initial cost of developing the policies (business rules) at all levels of government to use them, and train staff to use them.

Emergency Communications Solutions Delivery Project

This will seek to implement the agenda described above. It is designed to successfully and efficiently address in 18 months a handful of salient emergency communications issues. It is designed to (a) enable initial interoperability between legacy systems, (b) address the “bottom end” of the market (those agencies, organizations and persons with the least resources), (c) encourage cooperation and information sharing between appropriate entities, and (d) provide software tools, but leave policies and information sharing decision making in the hands of the appropriate levels of local, state, tribal and/or federal government. In all cases, the elements must be standards-based and fit in an open architecture so that solutions can freely interact with applications and networks controlled by other entities. It will include the following elements:

Agency and Consumer Software Services and Applications

· Interactive alerting/public warning. Today there are a multiplicity of use-built, stove pipe warning systems, and we are adding to them[16]. We need to link these legacy systems, not replace them. The way to do that is with common message standards and shared core services, not building new systems or stand alone products. We need to be able to reach the public and vice versa both through social networks of all kinds, and more formally through established agencies, services and businesses. We need to connect official sources of any hazard, any area alerting to any and all systems of communication in use by the public[17], and offer the public at least one attractive messaging service for personal emergency use as well as communications to and from government entities[18]
· Map-based, web-based emergency message generator and receiver application for budget-challenged and volunteer emergency organizations [19]
· Public information distribution after initial alerts, taking advantage of the trusted and ubiquitous public broadcasting system and all its digital assets as both part of the initial alerting process, and then afterwards as a public destination and distribution system for information

Shared Services[20]

· Voice communications interoperability, using sophisticated software to link dynamically any kind of wireless and wireline communications to any other kind of communications,[21] supported and enabled by core services
· Family emergency preparedness: intensive communications of the content already developed by ready.gov and leading partners such as Sesame Workshop[22]
Simple situational awareness, using incident and related information delivered to a locally-specific electronic map[23]

Enabling Services (“Core Services”) [24]

· Develop and standardize[25] the key shared “core services” that will allow efficient interoperability over the entire safety enterprise, helping connect networks and applications into what an FCC report called an “internetwork”[26]:
o Agency locator/GIS-based registry of organizations involved in emergencies[27]
o Access control/identity rights management and related security services[28]

· Provide funding to develop best practices for registering organizations and rights management policies[29] in the core services, and having legacy messaging and RoIP systems interact with them

· Provide and host middleware for intelligent message brokering, security, and auditing of compliance with access control and other rules.[30]

The above applications and services need to be hosted and offered as managed services on a subscription basis. They need to be managed in secure, reliable and sophisticated platforms that also offer agency customers service and billing functions. Appropriate subscription fees can and should be charged.[31] Each of these components must be architecturally independent so any application using the designated standards can be interoperable with them. Each will be able to initiate and process information using the DHS-sponsored international OASIS CAP and OASIS EDXL family of emergency messaging standards[32], along with other standardized data dictionaries and forms (e.g. National Information Exchange Model). Organizations receiving federal emergency funds should not be forced to use any of them. They should be free to use legacy systems and acquire new ones of their choosing, as long as they:

· Convert voice and data communications to the outside world into Internet Protocol[33]
· Connected redundantly to Internet Protocol networks, ideally backbone networks shared with other emergency organizations
· Ensure their legacy and new applications and systems interface to these standards.[34]




[1] David Aylward is a founder and Director of COMCARE Emergency Response Alliance (www.comcare.org), President of National Strategies, Inc., and a former Chief Counsel and Staff Director of the US House Subcommittee on Telecommunications, Consumer Protection and Finance. He has worked on emergency response issues for more than a decade. daylward@comcare.org. This paper is a living document; comments are welcome.
[2] This paper draws heavily on the analysis and near term suggestions for progress made in an article prepared by the author and the former Inspector General of DHS, Clark Ervin. See Clark Kent Ervin and David K. Aylward, “Next-Generation Inter-Organizational Emergency Communications,” Aspen Institute (sponsored by the Ford Foundation), December 2006, http://www.aspeninstitute.org/atf/cf/%7BDEB6F227-659B-4EC8-8F84-8DF23CA704F5%7D/Homeland_InteroperabilityReport.pdf
[3] A short video at www.comcare.org/video.html provides a vision of how emergency medical response could work if enabled in this fashion. Unlike the faster progress described in this paper for public alerting and warning, and a few other capabilities, that vision is achievable in the medium term (3-4 years).
[4] There are about 120,000 independent emergency response and response support organizations in the United States, not counting more than 100,000 schools, and other NGOs and businesses that are involved in emergencies.
[5] The FCC’s Network Reliability and Interoperability Council VII’s 1D Report called for these “Facilitation Services” to be established several years ago. This paper and others now call these “Core Services”.
[6] See footnote 5.
[7] Aside from safety and security benefits, an extremely interesting study would compare the Total Cost of Ownership to local, state, tribal and federal governments of the current siloed systems under the control of their multiplicity of masters, with the TCO of a modern efficient system based on Internet Protocol where backbone networks, enterprise services, and other appropriate functions and costs were shared, while customer premise applications were required to communicate externally using standard messages.
[8] The author’s organization, COMCARE, was a contractor to Disaster Management for two years, helping develop standards for communicating data between the diversity of emergency organizations.
[9] See, e.g., DNDO (CBRNE), S&T UICDS, S&T SAFECOM, S&T Disaster Management (now renamed), S&T assorted emergency response ICT projects, FEMA IPAWS, FEMA Office of Communications, FEMA OPEN project, FEMA Interoperable Emergency Communications Grants Program, FEMA CEDAP, FEMA NIMS, Homeland Security Information Network, State Homeland Security Program (SHSP), Urban Areas Security Initiative (UASI), Metropolitan Medical Response System (MMRS), Citizen Corps Program (CCP), CIO’s NIEM.
[10] These are described in some detail in the Aspen Institute article cited in footnote 2.
[11] These were strongly recommended in 2006 by the FCC’s Network Reliability and Interoperability Council VII 1d report, see http://www.nric.org/. The need for these core services has been noted by a variety of emergency organizations and papers. See, e.g. HHS’ Health Information Technology Standards Process (HITSP) Interoperability Specification 4; NENA Next Generation 9-1-1 paper, 2007; Network-centric Operations Industry Consortium Network-Enabled Emergency Response Project papers. See also, www.comcare.org/Core_Services.html. COMCARE has done a great deal of requirements work with all the emergency professions for core services over the last several years. It has produced detailed functional and technical requirements, and designs that meet them. As yet, no IT company has built an alpha version to allow a standardization process for them developed by the Open Geospatial Consortium and COMCARE to proceed.
[12] See the COMCARE blog article by the author, “Why Doesn’t the Government Get Emergency IT?”, September, 2008, for an exploration of this issue. http://comcare-talk.blogspot.com/. Certainly operability is an important issue, but it is not the only one. And certainly there are some agencies which are not close to and/or cannot afford wired broadband connections, but those are in a small minority.
[13] There are a number of standards efforts, but they have all been either entirely underfunded or stovepipes (one or only a few emergency domains), or both. The largest is the AHIC/HITSP effort funded by HHS to develop standards for electronic health records. It includes, but is not focused on, emergencies. DHS never gave the money or direction to the National Information Exchange Model (NIEM) to become more than an adoption of the pre-existing, longstanding justice community taxonomy efforts. The DHS Disaster Management Program got off to a positive start gathering all emergency responder professions around a table to develop detailed draft common messaging standards, a number of which are now official OASIS international standards. But it has been given little funding and has produced no additional standards output in almost three years.
[14] Consider the 14 year “Trail of Tears” to upgrade 9-1-1 centers to receive a tiny amount of data along with wireless calls: latitude/longitude and call back number. Around 20% of the centers, covering around 30% of the land mass, still cannot receive that data.
[15] The US military has a long and deep history in the area of network-centric information technology operations. Faced with a new requirement for the military (regular and Guard) to be interoperable with civilian organizations in the US and abroad to allow assistance in complex human disasters, leading military contractors are exploring how to help US emergency agencies solve these problems. See the Network-centric Operations Industry Consortium’s (NCOIC) Network-centric Enabled Emergency Response project which is focused on core services.
[16] For example, the WARN Act has agencies establishing a one way alert capability that will use public broadcasting infrastructure only to get to stations and cell companies, only to deliver to cell phones, only up to 90 character text messages, and only for Presidential alerts, “life threatening” emergencies, and “Amber alerts”. There is nothing wrong with that use case and pathway conceptually as a component of a comprehensive system, but that is not how it is being constructed.
[17] All these systems need to be able to register for this purpose in the agency locator core service, and have their authority to send and receive messages about different kinds of incidents over different geographic areas registered in the access control core service.
[18] This is the messaging equivalent of using 9-1-1 for cell phones. The government will benefit if it has large audiences of private users it can reach in emergencies, and if systems such as these have a standardized way of accessing government services, including but not limited to 9-1-1.
[19] The functional requirement here is simple. We need to allow any authorized organization to initiate and receive a message concerning a specific incident type and a specific location or area of any size, using the OASIS EDXL Distribution Element or OASIS Common Alerting Protocol. If the DE is used, it can carry a digital payload of any standard, not just OASIS messages.
[20] “Shared services” are (generally managed) services shared between multiple, but not all, emergency domains.
[21] See http://www.comcare.org/RoIP.html. Cisco, Twisted Pair Solutions, and others have commercial software that does this.
[22] Grover and Rosita are the stars of an excellent new DVD-based package developed by Sesame Workshop that teaches kids of all ages (including very young ones) and their parents how to prepare for disasters. It was announced in September, 2008, but has not received wide circulation.
[23] The fastest, cheapest approach to common situational awareness is to share incident and related data about the affected area on a web-based map. For those agencies with limited resources the mapping need not be expensive. One state has taken the lead in this area using Google Maps. See “Virtual Alabama”. Maryland has pursued a higher end, non-incident, proprietary version of this idea with the GIS company ESRI; its acronym is MEGAN.
[24] These are managed, standardized services offered to all emergency domains.
[25] The Open GeoSpatial Consortium, supported by COMCARE, has developed a detailed plan to do exactly this: in an open, inclusive process develop standards for the content and querying of the two core services described here. It awaits a leading company to build and test the first alpha versions of core services meeting the developed requirements.
[26] See FCC Network Reliability and Interoperability Council VII, Report of Group 1d, 2005, www.nric.org.
[27] COMCARE has undertaken years of functional and technical requirements development resulting in a detailed design for the agency locator registry, called “EPAD”, and detailed technical and design requirements for the companion access control/identity management core service . www.comcare.org/epad
[28] See www.comcare.org/core_services.html.
[29] Core services do not make rights policies; they simply provide a software application in which to record those policies and implement them efficiently. The rules themselves are made by the appropriate body for the incident type and geographic area.
[30] This is a possible use for the new version of FEMA’s OPEN message broker that is being redesigned now.
[31] The point is not to preclude customer premises software, but to create managed service options so that high quality information technology is available to all emergency organizations, even those that lack the budget and expertise to buy their own software and manage it.
[32] For complete versions of the standards, see http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=emergency. FEMA’s Disaster Management Program funded the process that developed the detailed specifications for these standards. It was subsequently shifted to DHS’ Science and Technology Directorate which also has some other, uncoordinated standards efforts (e.g. a “CAD to CAD” project of some justice and 9-1-1 agencies).
[33] Modems are relatively inexpensive; many agencies already have them.
[34] This is not a new idea. Federal DHS, DOJ and DHS grantees are already required to acquire software that can interface with their various standards.

No comments: