In protecting the homeland, public and private responsibilities converge. Questions about who is responsible for what security measures need not always be complicated. When it comes to defending the nation's borders, for example, the federal government must be largely responsible. But who should implement and pay for various measures to protect such private-sector sites as commercial buildings, athletic arenas, and chemical plants?
Because terrorist attacks can have societal and national security implications far transcending their immediate private damage, market forces are often insufficient to protect against terrorist attacks on private property. Government intervention is often warranted when attacks would cost thousands of lives or harm critical infrastructure and when the intervention would reduce overall exposure to the risk of major terrorism (see box).
In protecting private-sector sites, Washington has three primary tools at its disposal: regulation, insurance requirements, and subsidies. It can impose direct regulation requiring any commercial or public building to include antiterrorist features. It can require (or encourage) any such building to carry insurance against terrorism. And it can provide a subsidythrough direct government spending or through a tax incentiveto private owners who invest to protect their buildings against attacks.
Normally one would evaluate these competing approaches using cost-benefit analysis, comparing the costs and benefits of each and choosing the one with the largest net benefits. But the nation's good fortune in not being exposed to many terrorism attacks before September 11 means that it lacks the knowledge base to determine with precision how much any given approach reduces the risk of any potential terrorist attack or limits its damages.
In the absence of quantitative cost-benefit analysis, several general criteria suggest themselves as a way of judging the cost-effectiveness of each approach. First, to what degree would each affect private behavior? Second, to what degree would the change in private behavior reduce the overall risk from a large-scale terrorist attack, as opposed to merely shifting it from one venue to another? Third, to what degree does each approach achieve the reduction in overall risk at the least possible economic cost? Finally, how fair is the expected outcome? Will society accept the consequences in terms of income or wealth distribution?
A regulatory approach has several benefits. Imposing a regulatory standard would provide a minimum guarantee regarding antiterrorism protection. It would also discourage the most dangerous activities. If skyscrapers are natural targets for terrorists, requiring security measures in new skyscrapers raises the costs of constructing new onesand the higher costs then discourage the construction in the first place (or discourage people from living there if the building goes up anyway).
But regulation has its downsides. First, knowing where to set the regulatory standard is particularly difficult given the nation's limited experience with terrorism. Second, regulation, especially in the form of "commands and controls" rather than market-like incentives, can be an unnecessarily expensive way to achieve a given level of security. Third, regulation does not generally encourage innovation. Firms would have an incentive to meet the minimum regulatory standard, but not to exceed it.
These deficiencies can be reduced, although not eliminated, through careful attention to the design of the regulations. The more a regulation focuses on outcomes and performance, rather than on requiring specific actions, the better. For example, a regulation could require an indoor sports arena's air ventilation system to be able to contain a given type of bioterrorist attack within a specified time, rather than to include specified devices. Such a performance-oriented regulation encourages firms to design and implement less expensive mechanisms for achieving any given level of security. Compliance with the performance-based regulation can then be tested regularly by government inspectors or third-party verifiers.
Requiring or encouraging private owners to have terrorism insurance may seem, at first glance, to be counterproductive. Wouldn't firms and individuals with insurance against terrorism lack incentives to take appropriate precautions against an attack? But insurance typically comes with provisions (such as a deductible) requiring the insured to bear at least some of the cost of an attack and thus have an economic incentive to avoid such attacks or minimize their consequences. And the insurance companies themselves have every reason to encourage risk-reducing activities. They thus provide incentives that spur owners to reduce their buildings' exposure to terrorist attack (by protecting the air intake, for example) and to protect their computer systems (by improving firewalls or using more advanced encryption).
Insurance is not a panacea. The insurance market may not discriminate well among terrorism risks. Indeed, it is not even clear whether allowing insurers to charge premiums that discriminate among different exposures to terrorism is fair. Is it fair to charge higher premiums on insurance for such "iconic" structures as the World Trade Center, the Empire State Building, and other tall existing buildingswhen their owners would not have expected a terrorism threat when the buildings were constructed? Is it fair for the population as a whole effectively to subsidize the owners of such prominent buildings, as they would if differential premiums were not allowed? For new construction, the issue is less complicated, for prospective owners are now aware of the threat of attack; differentiated premiums could help encourage safer designs of prominent buildings.
Just as government regulators find it difficult to use cost-benefit analysis in fighting terrorism, private insurers may find it hard to price the risks associated with terrorism in the absence of solid actuarial information on the risks involved. Insurers in the United States are now developing models that will help them better price terrorism insurance in the future.
Most fundamentally, an insurance system won't work if insurers won't offer the insurance or offer it only at extremely high prices. A particular concern involves reinsurance. Rather than maintaining high reserves to meet the potential costs of extreme events, primary insurance firms buy reinsurance from other firms to cover at least part of a severe loss. But reinsurance firms have generally stopped offering reinsurance on terrorism risks. In response, many primary insurance companies have eliminated terrorism coverage from their policies (when allowed by state commissioners to do so).
Thus far, lenders appear to be continuing to provide credit to commercial borrowers who lack terrorism insurance. But it is unclear how sustainableor desirablesuch a situation is. Even if the federal government does not intervene in the primary insurance market, policymakers should explore options to facilitate the provision of terrorism insurance. One possibility, which Congress has considered in some forms but not yet adopted, is a temporary federal reinsurance program in which the government shares some of the risk, but also some of the premiums, from terrorism insurance policies. Over time, as new approaches to spreading the financial risks associated with terrorism insurance develop, the need for any government reinsurance program could be reduced.
Government could also help pay for antiterrorism measures undertaken by private actors. Subsidies could affect firm behavior and (if appropriately designed) provide some protection against terrorist threats. But they carry four dangers. First, they can encourage unnecessarily expensive investments in security. Second, they would likely spark intensive lobbying efforts by firms to capture the subsidiesnot only dissipating resources that could be used more productively elsewhere, but skewing the definition of what qualifies for the subsidy. Third, subsidies could provide benefits to firms that would have improved security without the subsidyraising public costs without buying any added security. Finally, subsidies financed from general revenue are effectively paid for by the entire population. The fairness and feasibility of that approach are debatable, especially given the recent dramatic deterioration in the federal budget.
Toward a Mixed System: Minimum Regulatory Standards and Insurance
Given the shortcomings of each sort of government intervention, the most cost-effective approach over the longer term may be a combination of performance-based regulation and insurance coverage.
Such a mixed system is used in many other areas, such as owning a home. Local building codes specify minimum standards that homes must meet. But mortgages generally require homes to carry insurance, and insurance companies provide incentives for improvements beyond the building code levelfor example, by reducing premiums if the homeowner installs a security system.
Three areas of homeland security seem especially well-suited to a mixed system. Chemical and biological plants, for example, contain materials that could be used in a catastrophic terrorist attack, making it appropriate for government intervention to subject them to security requirements that are more stringent than those applying to other commercial facilities. Supplementing regulatory standards with insurance would allow insurance firms to provide incentives for more innovative security measures.
In the case of large commercial buildings that house thousands of people, Washington could strengthen existing local building codes by applying minimum performance-based antiterrorism standards. It could also supplement those regulations by requiring or encouraging owners to buy antiterrorism insurance. Even if regulators do not allow insurance premiums to vary by type of building, they could still allow insurers to lower premiums in exchange for improvements, such as protecting the air intake system or reinforcing the building structure, that lessen the probability or severity of an attack.
A terrorist cyberattack, to cite one more example, could cripple the nation's infrastructure, at least temporarily, and would warrant federal intervention. Because protecting a computer system against terrorist attack is similar to protecting it against more conventional hacking, the case for federal subsidies is relatively weak. Subsidies would induce private firms to spend excessively to improve cybersecurity, because they would not bear the full costs but would capture the added benefit of protection against hackers. But performance-oriented regulatory steps, at least in the case of large firms or those with direct access to critical computer infrastructure, may be effective. The government could, for example, require critical computer systems to be able to withstand mock cyberattacks. Because mock attacks and tests could be conducted easily and could provide a basis for pricing, insurers could play a constructive role in improving security. Insurance firms already, for example, use cyber-experts to advise firms how to reduce their exposure to cyberattacks.
A mixed system can spur innovation to reduce the costs of achieving any given level of safety. And a mixed system is flexiblea key virtue when, as now, new threats seem to be "discovered" on an ongoing basis. In areas where insurance firms lack the experience needed to provide proper incentives to the private sector for efficient risk reduction, regulation can play a larger role. Regulation's role can diminish in areas where insurers can provide innovative incentives for security improvements. And of course regulatory standards and insurance can and should be supplemented or replaced when there is credible evidence that other approaches would be more efficient.