When the chairman of New York’s mass-transit agency admitted this week that he’d spent only 5 percent of the $600 million he’d been allotted nearly three years ago for counterterrorism, he had an explanation: He didn’t know how to spend it. Experts had offered him all sorts of high-tech gear, but their sales pitches always contained the words “if it works.” The chairman, Peter S. Kalikow, told the New York Times, “The easy way out would be to spend the money quickly, without a thorough analysis of the cost and benefit. … We don’t think we should be wasting money on unproven technology.”The Times found other obstacles: The Metropolitan Transit Authority’s two leading—and apparently only—experts on the subject had been fired over an unrelated dispute; the Army, which was eager to sell its wares, wanted too much control over the transit system’s operations (or, by other accounts, the Metropolitan Transit Authority wanted to impose too many contractual obligations on the Army). And, as New Yorkers know, the MTA is particularly stuffy and resistant to technical change. Still, Kalikow has a point. It’s a waste to throw money aimlessly at a problem. And when it comes to counterterrorism, mass-transit managers don’t know—and can’t be expected to know—where to throw it.Here lies the nub of the problem: Even now, four years after the attacks of Sept. 11, 2001, nobody is telling these managers what to do. On Dec. 17, 2003, George W. Bush signed Homeland Security Presidential Directive 7, ordering the Department of Homeland Security to “produce a comprehensive integrated National Plan for Critical Infrastructure and Key Resources Protection.” The plan should “outline national goals, objectives, milestones, and key initiatives within one year of the issuance of this directive.” The Homeland Security Department broke down the task into 13 “sector specific plans.” The plan for the transportation sector laid out the following agenda: “(1) Identify participants in the sector, their roles and relationships and their means of communication; (2) identify assets in the sector; (3) assess vulnerabilities and prioritize assets …; (4) identify protective programs; (5) measure performance; and (6) prioritize research and development.” It also called for managers to “form the basis for allocating resources in a risk-based and cost-effective way.” This is rock-bottom basic stuff—not even a plan but an instruction to draw up a plan. And yet it was not completed by the December 2004 deadline—nor was the “comprehensive integrated national plan” that had been ordered by President Bush’s directive.On April 29, 2005, the Department of Homeland Security published an 18-page document called “Guidance and Template for Sector-Specific Plans.” But it merely restated, more verbosely, what categories of action a plan should cover. It rehashed the old questions but offered no answers. So, here’s a new question: What the hell is going on?