“Anything can go away. There’s no such thing as security. You can do things that give you the illusion of security, but there’s really no such thing.” — Will Smith
Authorization for the Chemical Facility Anti-Terrorism Standards (CFATS) expired on July 28, 2023. The House of Representatives passed the reauthorization bill by a vote of 409-1. The single dissenting vote came from Rep. Thomas Massie (R-Ky). Then it got to the Senate, where Sen. Rand Paul (R-Ky) stopped a fast-track vote on the bill on July 26. Then Congress recessed.
Paul commented at the time that probably no one would even notice that CFATS hadn’t been reauthorized. We might not have if it hadn’t been for a very public push from Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly, who wrote a guest opinion column for the Washington Post on August 28, and Department of Homeland Security (DHS) Secretary Alejandro Mayorkas, who delivered the keynote address to the 2023 Chemical Security Summit in Arlington, Virginia on August 29, 2023. Each made their public declarations that CFATS had expired the week before Congress was scheduled to return to session.
Apparently, the politics of pressuring the Senate into acting on the reauthorization bill trumped the security threat posed by announcing to terrorists that CFATS was not in force.
Is CFATS Important?
CFATS does three things. While 15 representatives in the House didn’t vote at all, only one voted against the bill to reauthorize CFATS. A clearly bipartisan supermajority of 409 voted for it. Since it’s hard to find anything that so many Republicans and Democrats agree on, it’s easy to conclude that what CFATS does must be important. On top of that, two industry groups, the American Chemistry Council (ACC) and the National Association of Chemical Distributors (NACD), came out in favor of it. So, what does CFATS authorize CISA to do?
CFATS authorizes CISA to conduct a “personnel surety” program that allows the agency to evaluate persons seeking access to chemicals against the terrorist screening database. Before CFATS expired, CISA was receiving about 300 names a day from companies that had been contacted by potential customers.
CFATS requires facilities holding more than the screening threshold quantity of any of more than 300 chemicals to identify themselves to CISA to learn if they are subject to CFATS. The listed “chemicals of interest”, Appendix A of 6 CFR 27, are based on whether the chemicals are a threat if released, if stolen or diverted to be converted into weapons, or if mixed with readily available materials to commit acts of sabotage.
Inspectors from CISA conduct about 160 inspections a month; there are over 3,200 chemical facilities covered by CFATS. CISA reports that about one in three inspections results in findings. (That said, anyone who has experienced an OSHA inspection knows that it is just about impossible to survive a compliance inspection without a finding.) To compel compliance, violations are subject to citations, fines, and penalties.
So, Why Talk About Other Things?
While no facility wants to be fined and the security measures that CFATS requires cannot be installed without a significant outlay, no one in the chemical industry is indifferent to the potential harm that terrorists can do with their chemicals. That is one of the reasons the industry fought so hard against a public registry of worst-case scenarios when the EPA first proposed the Risk Management Planning Rule, 40 CFR 68.
On the face of it, these seem like reasonable things to expect our government to do, although undoubtedly the devil is in the details. But rather than focus on what CISA does with CFATS, Director Easterly and Secretary Mayorkas talked about the Oklahoma City bombing of the Alfred P. Murrah Federal Building in April 1995 and the September 11, 2001, attacks on the World Trade Center in New York and the Pentagon in Arlington, Virginia. They talked about the West Fertilizer Company explosion in West, Texas, and the Boston Marathon bombing in Boston, both in April 2013.
Were these horrific events? Yes. Were they forms of chemical terrorism? No. Would CFATS have prevented any of them? No.
But Don’t We Have To Do Something?
When bad things happen, there is a commendable urge to do something to keep those things from happening again. The urge to do something, anything, does not necessarily mean that the thing we land on is the right thing to do. Is CFATS flawed? Undoubtedly. Is it better than nothing? Perhaps. How can we judge?
The authorities at CISA and DHS cannot point to an act of chemical terror based on release, diversion, or sabotage that occurred before the agency was formed. There haven’t been any since they were formed. Maybe the agency is so successful that they’ve stopped a constant stream of potential attacks. Maybe the potential just wasn’t as big as we feared.
Several years ago, a security consultant described the security nightmare created at TSA and other security checkpoints. Because they are chronically understaffed, there is inevitably a crowd of people at the checkpoint. Everyone in that crowd is carrying a package or luggage, something in which it would be easy to hide a bomb. And they haven’t been screened yet.
In addressing one security problem, TSA created another. Such is the law of unintended consequences.
Not On Your Watch
CFATS was not rubber-stamped and reauthorized for another 5 years. Perhaps it should have been. Perhaps there is a better approach. But we won’t find it if the law to reauthorize is introduced a scant month before the old law expires. Congress will get back to it. Halting fast-track approval is not the same as defeating legislation.
In the meantime, chemical facilities should remain alert to the potential for their materials to be released, diverted, or used in an act of sabotage. While calling something “high risk” doesn’t necessarily mean the risk is high, ignoring a hazard doesn’t make it go away. Probably nothing is going to happen while Congress, the DHS, and CISA get their act together. Probably. But if something does happen, you don’t want it to be at your plant.