2009 December | Security Debrief - a blog of homeland security news and analysis

Archive for December, 2009

A Response to Stewart Baker’s “Al Qaeda Failed. What About Us? Ten Questions.”

Wednesday, December 30th, 2009

My friend, and fellow Security DeBrief blogger, Stewart Baker, has raised a number of questions in his recent blog posting, “Al Qaeda Failed. What About Us? Ten Questions.” These questions exemplify the way too many policy-makers try to influence political outcomes – and that is by using the time-worn, law school technique of asking Socratic-style questions that hint at – but rarely provide – answers. The inference derived from those questions, however, is not difficult to comprehend.

Of course, it is always easier to ask questions than to provide answers. But there are times when the questions themselves should be questioned. This, I believe, is one of those times. Stewart’s questions imply that the blame for the Underwear Bomber’s actions should be laid on the Department of Homeland Security (DHS) or some foreign entity.

Sorry, but I am just not buying it.

There is no question that security practices can be changed by U.S. Government agencies; that improvements can be made in safety procedures; that new technology and screening technology can be implemented; and, that information holders with knowledge of a person’s potential terroristic tendencies should adopt a “need to share” culture.

But before Stewart starts rattling off queries in an effort to shape the anticipated congressional oversight hearings (or perhaps the press coverage in advance of those hearings) concerning this event, I think a disclaimer of his own involvement in another notorious political debate would have helped. This debate was one where he ultimately concluded that DHS should not object to the Dubai Ports World (DPW) acquisition of the British-owned Peninsula and Oriental Steam Navigation Company (P&O) and P&O’s wholly-owned U.S. subsidiary, P.O. Ports North America. Had he done so, it might have given some much-needed context to his commentary. One remembers that it was only after intensive political pressure from key members of Congress that DPW postponed and eventually walked away from that acquisition.

The key point is not that DPW failed to conclude their acquisition, but that in spite of initial questions about it, Stewart used his considerable intellect and good judgment to conclude that potential security concerns did not outweigh the decision to let the deal proceed.

Now, fast-forward to November of this year when the embassy official in Nigeria who, when advised by the father of Umar Farouk Abdulmutallab that his son was involved in possible radical activity, made a decision to report it. Yet, someone apparently believed there was insufficient information to recommend elevating Abdulmutallab to a more serious status. That official (and others in the analytical chain) made a judgment call that is now being second-guessed by political opportunists.

Stewart understands the unfairness of what it can be like to face a “fix the blame, not the problem” political windstorm, and therefore, I am surprised at some of the questions he posed in his recent blogs. For example:

2. One report suggested that the visa was granted to attend a religious meeting. Is there some political correctness problem that makes State reluctant to deny visas for such travel?

Well, I for one hope that State Department officials are quite reluctant to deny visas where the purpose is to attend a religious meeting, and my reason has nothing to do with political correctness. Frankly, I don’t want federal officials making decisions about the validity of someone’s religious beliefs. When we get to the stage that we have government officials denying visa applications because they think someone’s religious viewpoint is out of whack, we are only one step away from imposing a “religious correctness” test – and I have real problems with that. We are NOT a Caliphate.

Or what about these questions:

7. How good was the air travel screening in Nigeria?
8. If it wasn’t that good, and I suspect it wasn’t, in part because the plane was not bound for the U.S., did
Schiphol fall down on the job by not properly rescreening Abdulmutallab?

There is an implied arrogance in these questions that the Nigerians or security forces in Amsterdam have a poorly designed screening system and that the result would be different had the screening occurred elsewhere (read, “in the United States.”)

The implication – if that is what he meant – is based on a false premise, which is that TSA procedures and technology would have stopped Abdulmutallab from getting on an airplane and flying inside the U.S.
We might have gotten lucky, like we did when the Millennium Bomber was caught by a Port Angeles, Washington CBP officer ten years ago because she thought Ahmed Ressam looked “hinky.” The probable action today, however, is that Abdulmutallab would not have been stopped by TSA (short of a “hinkiness” determination).

Members of Congress from both sides of the aisle, bolstered by activist groups, have made a decision that an individual’s privacy trumps the application of technology permitting whole body scans of hidden materials, such as explosives. That decision can be changed, of course, and it may be – but it is hard to suggest blame should be placed on the Nigerian authorities (or those at Schiphol airport) when U.S. screeners would have likely done nothing different.

And finally, there is this question:

9. Have we let European objections to US screening standards affect the security of flights with connecting passengers?

The obvious answer is that the U.S. itself has the exclusive right to set standards for security of flights that land in our country. We have the right to forbid flights from landing here if we don’t think those flights will be safe and secure.

If the Europeans (or anyone else for that matter) impose standards that we don’t like, we have the ability to take action. That action, of course, would have serious consequences for international travel and commerce. But we cannot claim that someone else’s screening standards are insufficient and then sit back and accept flights and passengers who transit through that country without acknowledging our own complicity.

Stewart’s question implies that we ought to be able to dictate global standards. The perceived arrogance of that type of “my way or no way” approach is what hardened our foreign allies’ positions and led them to be less supportive in a range of global initiatives we desired. Stewart knows this heavy-handed approach did not work when he was a DHS official – and it won’t work today. Yet, he persists in pushing the idea – and while I favor strong safety and security procedures coupled with advanced technology detection systems, a more effective security program would place increased emphasis on identifying the “human factors” that lead people to do bad things.

Unfortunately, the current and previous DHS administrations have repeatedly cut the funding for “human factors” research – and rumors of further cuts in the upcoming FY11 DHS budget have been rampant for the past few weeks. Such cuts are, in my mind, unconscionable.

At a time when DHS Science and Technology (S&T) has to beg for money for legitimate research projects, any prioritization that shortchanges “human factors” research of new screening techniques in favor of hardware expenditures needs to be revisited by DHS officials before the President’s budget is released after the first of the year.

As the White House and Congress begin their investigations, it is good that the right questions get asked. It will be even better if the answers are helpful in making good decisions about the proper course going forward. As I said at the beginning, sometimes the questions need to be questioned. Our security depends upon it.

Stewart, my friend, back to you.

Posted in Aviation and airport security, Law Enforcement, Management & Administration, counterterrorism | Comments

Al Qaeda Failed. What About Us? Ten Questions.

Tuesday, December 29th, 2009

Early reports about the failed Christmas bombing of NW 253 raise questions that need answers. Because, frankly, if the reports are true, al Qaeda never should have gotten this close to a successful attack.

1. According to early reports, the suspect is 23-year-old Abdul Farouk Abdulmutallab, and his name “appears to be included in the government’s records of terrorist suspects, according to a preliminary review.” The first question, then, is how he managed to get a visa to come to the United States.

2. One report suggested that the visa was granted to attend a religious meeting. Is there some political correctness problem that makes State reluctant to deny visas for such travel?

3. A visa might have been granted for a good reason (a chance to interrogate or arrest him) but only in circumstances where he was watched closely. At a minimum, data about him should have gone to DHS and FBI from State. Did it?

4. Even if it didn’t, TSA and DHS should have identified him as a possible risk from his travel reservations. Did they? If not, why not?

5. If they did, was he screened specially at Schiphol? Did DHS put an air marshal on his flight?
6. Sometimes travel reservation data is spotty and badly recorded, but that shouldn’t be true for the passenger manifests that NW should have sent to DHS. Those should come straight off the passport. Did it? Should airlines be held liable for deaths caused by bad manifest information?

7. How good was the air travel screening in Nigeria?

8. If it wasn’t that good, and I suspect it wasn’t, in part because the plane was not bound for the US, did Schiphol fall down on the job by not properly rescreening Abdulmutallab?

9. Have we let European objections to US screening standards affect the security of flights with connecting passengers?

10. One passenger is said to have helped thwart the attack by climbing over several less active passengers to grapple with the terrorist, apparently suffering burns to his hands in the process. How long will it take Secretary Napolitano (at least) or President Obama (my preference) to visit this guy in the hospital if these facts turn out to be true? Passengers are the last and most effective line of defense in cases like this. But the incentives to sit tight are still great. We need to honor the heroes who react quickly to thwart attacks in the air.

Update: Many thanks to Instapundit, BigGovernment, and Volokh Conspiracy, among others, for the links. They’ve spurred some interesting comments, and one by hiscross about AQQ is important enough to generate an 11th question.

AQQ is a program in which passport downloads collected by the airline are supposed to be sent to DHS *before* the plane takes off. Under AQQ, the airline is also supposed to be able to receive a return message from DHS requiring that suspect passengers be removed from the plane.

(AQQ is also that most dreaded of government innovations, the recursive acronym, in which one acronym nestles comfortably inside another. Thus, AQQ stands for APIS Quick Query, which tells you nothing unless you know that APIS stands for Advance Passenger Information System. APIS was the earlier, slower, one-way version of AQQ.)

DHS made the AQQ requirement final more than a year ago, after a long testing period. But a number of US carriers have been stiffing DHS, refusing to comply with the regulation because, they say, they can’t afford to upgrade their computer systems. They say they’re waiting to see what upgrades they’ll have to make for the TSA Secure Flight program, but I find it astonishing that a private regulated industry would simply declare that it won’t comply with US law. When you do that, you have to expect consequences — or be very lucky. As a result of airline noncompliance, it is hard for DHS to keep bad guys off planes, even if the bad guys have been identified from their passports. If Delta/NW falls into the carrier-scofflaw category, and that failure contributed to the incident, they are are, and should be, in trouble. In addition, I’m guessing, DHS will immediately begin fining the other carriers who have been rope-a-doping them.

So call it question 11: Was Delta/NW in compliance with US law when it boarded the Amsterdam flight?

This piece was originally posted on Skating on Stilts.

Posted in Aviation and airport security, International, Law Enforcement, counterterrorism | Comments

2009 Cyber Year in Review, At Least From Where I Sit

Tuesday, December 29th, 2009

People all over the country are writing about 2009 – a good many will write about the events that affected cyber issues. I will not try to do a complete tour de force but will list some of the issues I felt were either very interesting or particularly important. I will likely miss some issues readers may feel I should have been included. I ask your indulgence a head of time.

The year began with a new President and a new Administration. President Obama vowed to make Cyber a major priority. He hired Melissa Hathaway to lead a fast but comprehensive review. Although its release was delayed, on May 29, 2009, the resulting report was given a Presidential launch and a huge amount of attention.

The report was a good one. It had in it an excellent “skeleton” of the plan they wanted to follow. It was a bit light on the “how to” but was seen as a great start. The news media focused largely on the call for a Cyber Coordinator on the National Security Staff who would report to the National Security Advisor, Jim Jones, and the Director of the White House National Economic Council, Larry Summers and have direct access to the President.

The press mistakenly took to calling the position a Cyber Czar. Overall, things seemed to have promise. Unfortunately, it took until December 22 for the President to name Henry Schmidt to the job. The choice is a good one; industry and the rest of the government are looking forward to begin moving positively in the area of cyber activities.

The year was marked by a huge number of events, attacks and intrusions that made the news (By the way, these are not all of equal detriment – that is a post for another day).

Confiker continued to bedevil the cyber world. It is still out there proliferating, and we still don’t know what the darned thing is really designed to do. Massive efforts go on to stop it and discover its real purpose.

On July 4, we experienced the so-called Korean Virus attacks. The consensus was that we weathered them pretty well. True, the spontaneous botnet attack against South Korean and U.S. targets was essentially a distributed denial-of-service (DDoS) that collapsed after a few days. Unfortunately, those who dismissed it as nothing more than a “spam” attack were too optimistic. The event showed the uneven levels of protection and security that mark the U.S. cyber security response. While this particular event may not have been that big a danger, it did reveal to anyone watching that we have vulnerabilities that can be exploited by a relatively unsophisticated attack. This was not the good news that some claimed.

Considering that I have written and spoken about the confluence of Cyber Crime and Terror (Proceedings, Heritage Foundation, the French Journal de Defense National), I found something interesting in the Palestinian cyber response to the Israeli incursion into Gaza. Just as the Israelis launched their attack, they experienced a huge cyber assault against their civil defense system networks. The attacks ultimately had little effect, besides giving the Israelis a bit of a scare (They depend on those systems to keep their citizens informed and their responders moving). The interesting thing was that the DDoS attack was eerily similar to the techniques used in the 2007 attacks against Estonia. Could it be that terrorists renting criminal botnets might already be in place? Did Hamas or even Hezbellah hire the same Russian criminal organizations that participated in Estonia to go after the Israelis?

The FBI announced an investigation into the hack of CitiBank on December 22. This was interesting for two reasons. The first was timing, occurring on the same day as the announcement of Howard Schmidt as the Coordinator. It was a wonderful reminder that we still badly need better cyber defenses. The second was that it is emblematic of the kinds of problems we face everyday in the private sector that go unreported (or at least under reported) all the time. Until we can develop a system that incentivizes businesses to share intrusion in a timely way, the bad guys will continue to have the upper hand.

On a positive note, Cloud Computing continues to gain interest and momentum. It is the way we will be going (and should be), and we had better be good at it. Security concerns remain, as do many legal and policy questions. We have an opportunity to do this phase of cyber development well, and we should not miss it. We need quality providers, and good but flexible industry standards. The tech industry needs to get this right.

Lastly, we saw a proliferation of Industry Business Units, centers of excellence, and think tank-like organizations all trying to get on the cyber bandwagon. One hopes this is a good thing. It will be if companies get beyond a marquee name and a secretary in their cyber business units, or just renaming an older organization and calling it a cyber center of excellence. This is still a huge area of concern, and the private sector must get beyond looking at the potential for profit and try to help fix the problems that exist today and will develop in the future. The bad guys still move faster than we do. Everyone agrees the government needs the help of the private sector to do this well. There must be more to it than profit motive. A team must be forged to win this fight.

The New Year holds great promise. Let us all look to 2010 as the year we make real progress in Cyber Security.

Posted in Critical Infrastructure, Cyber Security, Management & Administration, Science & Technology, counterterrorism | Comments

Petty Politics, Poor Priorities and Protecting Us from Terror

Monday, December 28th, 2009

As history has shown us, there is no date or holiday that is sacrosanct to terrorism. One day is as good as any other to strike and that was certainly true for the Christmas Day, Detroit-bound, Northwest flight 253. However, thanks to fast-acting passengers, the murderous actions of Umar Farouk Abdulmutallab were stopped. Unlike the Ft. Hood actions of US Army Major Nidal Malik Hasan, the Obama Administration had no hesitation in calling these actions for what they were, “an act of terror.”

As accurate as that description may be, it is worth noting the ongoing politics at play that are directly impacting the security of the American public.

Nominated by the President this past summer to serve as the Administrator/Assistant Secretary of DHS’ Transportation Security Administration, Erroll Southers nomination is being held hostage by nothing short of petty politics by Sen. Jim DeMint (R-SC). After going through two different confirmation hearings and receiving numerous endorsements from Republicans, Democrats, and security and counterterrorism professionals from around the world, DeMint has placed a procedural hold on Southers, preventing one of the world’s most important jobs in safeguarding the traveling public from being filled. Because of DeMint’s vociferous demand that there be no collective bargaining for TSA’s employees, Southers nomination is going nowhere fast.

Isn’t this is just where we want our leadership and talent to be, especially after a thwarted terrorist attack? On the bench and unable to be in the game to make a difference? I don’t think so, and DeMint’s actions are playing politics where they should never be – in protecting the public.

It is unconscionable that anti-unionism, ideological purity or whatever drives Sen. DeMint decision making process would take precedent over putting someone in place to take on one of America’s toughest and most necessary leadership positions. Unfortunately Sen. DeMint seems to think otherwise.

As frustrating as DeMint’s petty actions may be, the hands of Senate Majority Leader, Harry Reid (D-NV) are not particularly clean on this matter either. While cutting just about every possible deal you can imagine in order to pass the Senate’s version of health care, he was able to get through a number of other important Administration appointments. Before recessing on Christmas Eve for the remainder of the year, Sen. Reid made sure the nominees for the National Highway Transportation Safety Agency (NHSTA), US Agency for International Development (USAID), and the Office of US Trade Representative were confirmed.

These are certainly important positions to the strategic interests of the American public, but none of them deals with safety and security the way the senior-most position at TSA does.

While the agency has functioned for nearly a year under the strong and able leadership of Gale Rossides, the acting administrator, it is far past time that this crucial position be permanently filled.

It would seem that the Senate can find plenty of time to cut backroom deals to pass a thousand-some page, indecipherable bill and confirm non-security centric positions, but it can’t take the time or assemble the votes to overturn DeMint’s hold and put Southers in place.

The fact that the Obama Administration has not put a full-court-press on Southers position is equally shameful. As they begin come to grips with the actions that occurred on Flight 253, Erroll Southers is the guy you want in the room to deal with this situation and right now they don’t have him.

If you needed further proof that the confirmation process in this country is horribly out of whack, this may be it. When petty politics and unwillingness to set the right confirmation priorities take greater precedence over putting strong, capable leadership in place to deal with some of the country’s greatest threats, our Republic is in real trouble.

At a time when we truly need one of our country’s best on the job to help protect us, we can’t put him into the arena to learn and lead us in how we are to thwart the new means of attack that Al Qaeda and its sympathizers have developed. Instead Erroll Southers remains on the sidelines.

There is nothing civil, just or American about this circumstance. It is playing a proverbial game of chicken with American security – a game that the passengers of Northwest flight 253 didn’t play. They took action. It’s way past time for the Senate and the Obama Administration to do the same.

Posted in Aviation and airport security, Congress, Politics & PR, Management & Administration, counterterrorism | Comments

The System Worked? Government Blinders on Homeland Security

Sunday, December 27th, 2009

I was dismayed by the Obama Administration’s claim that our security apparatus worked in terms of foiling the intended attack by Umar Farouk Abdulmutallab on Detroit-bound Northwest Flight 253. To quote Homeland Security Secretary Janet Napolitano, “One thing I’d like to point out is that the system worked.”

The system most assuredly did not work.

I am disappointed to have to take this stance. As I have watched gotcha media stories over the years about how the Department of Homeland Security “failed” because a reporter or GAO analyst snuck through one layer of security, I have become increasingly frustrated by the media’s lack of awareness that the nation’s homeland security strategy is based upon multiple layers of security. Getting through one layer doesn’t mean you’ll get through the next. Getting through even two layers still doesn’t mean you’ll be so lucky to get through a third. There is no such thing as 100 percent protection, which is why we need multiple layers of security.

However, in this case the system failed repeatedly. It shattered the confidence that the public should have that a layered system of security is at play. And for the Administration to come out and say that the “system worked” is to deepen – not strengthen – our sense of insecurity because of the outright foolishness of such a claim.

Let us count the ways in which the system failed:

The father of Umar Farouk Abdulmutallab reported to the U.S. Embassy in Nigeria that his son was becoming increasingly radicalized and might pose a threat to the United States, the information was entered into the system at the National Counterterrorism Center and then largely dismissed with no follow up.

Next the terrorist was given a visa by the State Department, despite his name now being on a terrorist watch list. How that is even possible is beyond me. We interrogate and delay students simply looking to come to the United States to study in graduate school, but we hand out visas to individuals actually on a terrorist watch list?

Next the terrorist breezed through airport security with incendiary materials stitched into his underwear. One wonders where all the privacy groups are now. Probably hanging thinly to the Administration’s claim that everything worked great and there is nothing to see here. Napolitano actually went so far as to say, “There is no suggestion that he [Umar Farouk Abdulmutallab] was improperly screened.”

Huh? There is every suggestion that he was improperly screened.

Finally, the Administration falls back upon its now-trite argument that this was somehow the Bush Administration’s fault. The Washington Post reports on White House Press Secretary Robert Gibbs comment that “White House officials struggled to explain the complicated system of centralized terrorist data and watch lists, stressing that they were put in place years ago by the Bush administration.” Good grief. At some point, the Administration is going to have to take responsibility for its own government.

Perhaps Napolitano meant that the “system worked” because this idiot managed to set himself on fire and several passengers leaped on him. Is this what we have come to? The government will no longer protect us from terrorists but we will have to protect it? There’s a confidence builder.

What we have here is a monumental failure of “the system.” This Administration’s claim to the contrary assumes that the American public is remarkably ignorant or that it simply isn’t worried about another terrorist attack and will accept such lame explanations.

Either of these suppositions is a dangerous place for the Administration. Dangerous for our country, from a counterterrorism perspective, at a time when international terrorists still view the United States as their greatest enemy. And, frankly, dangerous for the Obama team, from a political perspective, to assume that citizens and voters are intellectual slobs, which may create a lack of confidence by the public in this Administration’s grip on the terrorist threat to America.

After all, as this particular failed terrorist boasted: “There are many more like me.”

Update: On December 28th, Secretary Napolitano took back her claim that the system. See NPR’s report: “Our System Did Not Work,” Napolitano Concedes.

Posted in Aviation and airport security, Civil liberties & Privacy, Congress, Politics & PR, Featured Feed, Immigration & Visa Policy, Intelligence, Radicalization, Transportation Security, counterterrorism | Comments

Homeland Security is Important Everyday – Sometimes Security Debrief Slacks off

Thursday, December 24th, 2009

Security Debrief is dedicated to bringing its readers the latest and most insightful expert opinions on homeland security matters everyday. During the holiday season, however – from December 24 to January 3 – Security Debrief will slow its pace in publishing original content. We’re not going completely quiet, especially with the recent attempted terrorist attack on Detroit-bound Flight 253. So check in when you can, and definitely resume your daily read come January 4, at which time we will resume full service, daily postings.

Posted in Featured Feed | Comments

An Interesting Cyber Day – Citibank Hacked, Cyber Coordinator Selected

Tuesday, December 22nd, 2009

Today will be noted by followers of cyber issues as a very key one. Today we had a major step forward in defending our Nation’s networks and a huge reminder of how great the cyber security gap we face actually is.

The White House staff announced that Howard A. Schmidt was selected by the President to fill the role of Cyber Coordinator on the National Security Staff. This position has stood vacant since the President declared it a key need in his 29 May release of his Cyber report. In fact, the federal government has actually lost (not gained) several key high-level cyber experts in the intervening period. That said, the choice is an excellent one.

Howard A. Schmidt is currently the president and CEO of the Information Security Forum, a nonprofit international consortium for research in information security. He has also served as chief security officer for Microsoft and as cyber security chief for online auction giant eBay. Several cyber security experts praised the choice because Schmidt understands technology and has excellent management experience. Schmidt is considered an expert in computer forensics. His 40-year career includes more than three decades in local and federal government, serving as vice chairman of Bush 43’s Critical Infrastructure Protection Board. He also worked for the FBI and the National Drug Intelligence Center.

All indications are that he will be adept at working the complex interagency system that must be navigated to “get things done” in Washington. He is not known to have a big ego and is a consensus builder. This is key, as despite the press efforts to anoint him the “Cyber Czar,” he is not. Staff members on the NSS do not dictate to Cabinet officers how they should run their departments (or spend their money). The lack of clear overarching authority was a major factor in the delay in naming the Coordinator, and so many turn downs over the last few months. Schmidt seems to understand the role and is willing to roll up his sleeves and do the tough work that must be done to work the issues in the Interagency process.

The other event today was the announcement of the FBI investigation into a hack of Citibank by Russian criminals. The Bank has denied they were penetrated, but the signal the story sends provides a superb bookend to the Cyber Coordinator announcement.
The government and civilians remain vulnerable. What happens when it is not just criminals motivated by greed, but terrorists who only want to inflict hardship and pain on our people and systems? If you can hack to steal, could you not also hack and corrupt financial data? Former DNI Mike McConnell sees this scenario as the most likely major cyber danger we face. Other experts (including me), see numerous possibilities for terrorists to “rent” criminal capabilities to weaken, control, circumvent, or destroy parts of our critical infrastructure. Lastly, there is always the threat of a nation state competitor attack. The US is not the dominant power in the cyber realm that we are in other defense domains.

Our government is busy trying to plug our gaps and fill our seams in the cyber world. We are better than we ever have been before, but it still remains insufficient. There is still so much we could and should be doing.

So, let’s all celebrate the naming of a Cyber Coordinator. It is and has been long needed. Please do not declare victory, the war is raging still (ask Citibank), and we need to continue to develop our structures and skills to fight it and win. DHS is continuing to mature its systems and people. DoD has taken great strides forward. Numerous civilian agencies (federal, state, and local) are far more aware of the threat and are beginning to stir. The Private Sector knows it must work hand in glove with the Government to protect itself. The giant seems to be starting to wake. Let’s all hope it continues and quickens it pace; we need it.

Posted in Critical Infrastructure, Management & Administration, Science & Technology, counterterrorism | Comments

Arctic Meltdown: The Economic and Security Implications of Global Warming

Saturday, December 19th, 2009

Security Debrief contributor Scott Borgerson published “Arctic Meltdown: The Economic and Security Implications of Global Warming” last year in the prestigious foreign policy journal Foreign Affairs. With all of the focus on global warming currently coming out of Copenhagen, we thought it might be worth bringing Scott’s thoughts to your attention again.

Thanks to global warming, the Arctic icecap is rapidly melting, opening up access to massive natural resources and creating shipping shortcuts that could save billions of dollars a year. But there are currently no clear rules governing this economically and strategically vital region. Unless Washington leads the way toward a multilateral diplomatic solution, the Arctic could descend into armed conflict.

Posted in Featured Feed, Maritime & Seaport Security | Comments

The Firm Face of America – Obama in Oslo

Thursday, December 17th, 2009

By Justin Hienz
Adfero Group

Speaking in Oslo last week, President Obama was faced with the difficult task of accepting the Nobel Peace Prize while also acknowledging the recent troop increase in Afghanistan. A difficult task, but as Head of State, one the President could not afford to get wrong. With the world watching, President Obama had to exude the American confidence that underscores all our successes.

Opinionated talking heads on the various evening news programs pulled apart the President’s words, looking for meaning, strategy and accuracy. Was his speech the beginning of an Obama doctrine – morally justified conflict in the name of peace? I believe that’s what we call the Machiavelli Doctrine, but that’s not the point.

The President’s words were not the most essential part of his speech in Oslo. It was his presence and demeanor that mattered.

Of course, he had no choice but to attend, lest he insult the institution that honored Martin Luther King, Jr. in 1964; as our President said, a man whose teachings and efforts allowed President 44 to become a “living testimony to the moral force of nonviolence.”

This is rhetoric, however true and moving it might be. The real power was his image, and that is what his most effective role has been and should continue to be.

The President is the international face of our country. From time-to-time, a Vice President steps up, perhaps a Secretary of State, toss in a few war-hero generals. But for the most part, America is, for all intents and purposes, the President.

That face can never flinch or falter.

While the leader may change, the office is a static, resolute visage of American supremacy and endurance.

While living in the Middle East, I had an acquaintance who had served in Iraq with the U.S. Army. We spoke on the eve of the 2008 presidential election, and our conversation drifted to a review of President Bush and his overall presence and strategy throughout his two terms. We were of similar minds regarding Bush’s successes and missteps, but my acquaintance concluded our discussion with a powerful insight. He told me:

“I’ll say one thing for him. The world knows and will remember that when we say we will do something, you better believe we’re gonna do it.”

Well put! For all his frat boy charm and sometimes cryptic battles with Congress, President Bush did strengthen one essential part of the American image – we mean business. Our threats are not empty.

This is not something new. Due credit to the former President for continuing it, but American seriousness of purpose and action on words is a longstanding element in our history. Given this track record, it is essential that the face of our nation (i.e., the President) be neither apologetic nor rude, neither submissive nor overbearing – only a consistent, firm force immovable but for its own will.

Given our ongoing war against the Taliban, al Qaeda, and political and religious extremists bent on our destruction, our national face must be as firm, fair and determined as it has ever been. In seeing this face, our enemies must immediately and fully understand that we are an unstoppable force no enemy will ever truly stall.

This is what makes our enemies fear us…well, that and our giant guns.

Looking over our history, we need to remember the hardened, resolute face of American leaders so we can cheer it when we see it. And it is our duty as Americans, Republican, Democrat or otherwise, to cheer our Commander in Chief when he presents that face to the world.

We must remember the face of FDR addressing congress in 1942, telling the world that “the mood of quiet, grim resolution which here prevails bodes ill for those who conspired and collaborated to murder world peace.”

Remember the face of Nixon, then Vice President, in the “Kitchen Debate,” standing in the model American home, telling Khrushchev our industrial achievements were the direct result of a strong democracy.

The face of Reagan telling Gorbachev to “tear down this wall.”

The face of Bush 43, speaking before a joint session in 2001, telling the Taliban to end all terrorist support, and adding: “These demands are not open to negotiation or discussion…[The Taliban] will hand over the terrorists, or they will share in their fate.”

And now the face of President Obama, standing proudly and speaking truthfully, that America loves peace and will fight and die to preserve it.

Our leader told the world from Oslo that “the United States of America has helped underwrite global security for more than six decades with the blood of our citizens and the strength of our arms.”

Put another way, there is peace because we are strong, and I applaud our leader and pay him much due respect for furthering the enduring American message that can never waiver. To quote Lyndon Johnson, “This, then, is the state of the union: free and restless, growing and full of hope. So it was in the beginning. So it shall always be, while God is willing, and we are strong enough to keep the faith.”

Let’s hope Osama and his followers were watching.

Justin Hienz is a Senior Account Executive at Adfero Group, working with the firm’s Homeland Security practice. He is also assistant editor of Security Debrief.

Posted in International, Management & Administration | Comments

TSA’s Security Breach – The Posting of the Classified Standard Operating Procedures

Tuesday, December 15th, 2009

As the House Homeland Security Committee prepares to hear testimony from Acting TSA Administrator Gale Rossides tomorrow, it should be reiterated that there is absolutely no acceptable excuse for TSA’s recent blunder in posting classified Standard Operating Procedures (SOP) for passenger and baggage screening on the Internet. While the agency’s response that the inadvertently posted SOPs are out of date is an accurate statement, it’s a disingenuous explanation that attempts to mask the nature of the breach. I understand that Secretary Napolitano has taken personnel actions in the aftermath of the breach – as well she should.

I make these comments as the former TSA head of policy where I had responsibility in 2002 for creating the first baggage screening SOPs to comply with the statutory requirement to screen all bags using Explosive Detection Systems by December 31 of that year.

The agency is leading the public and the Congress to believe that the current version of the SOPs is something significantly different in substance from what was posted, thus diminishing the potential security damage. TSA routinely updates SOPs for various reasons, but I believe it is reasonable to assume that few major changes were implemented during the past year. I know from experience that most updated versions usually contain minor processing changes.

But the important issue now is to assess the security risk of TSA’s error. In my opinion, the actual risk to security is low. TSA has roughly 40,000 Transportation Security Officers (TSOs) at any given time, each of whom has been trained on and has daily access to the SOPs. The agency has about a 15 percent annual attrition rate. So every year, 6,000 additional people have access to and are trained on the SOPs. Then there are airport and airline personnel who have a need to know the SOPs in order to integrate their own operations with TSA’s. TSA Airport Management personnel – add several thousand more people with access. The reality is that while the SOPS are classified at a low level, literally tens of thousands of people know what is in them.

The reality is that TSA has a presence at about 450 U.S. commercial airports providing security to nearly 30,000 flights a day by screening about 2 million passengers and nearly as many bags a day. The bottom line is a lot of people have a need to know the SOPs. There is no other choice. By definition, maintaining and keeping a complete lid on these SOPs is a security challenge that cannot be met 100 percent of the time. There are just too many people who have a legitimate need to know what is in them in order for TSA to carry out its security responsibilities.

So, this breach is less about lax security at airports and more about poor security management at TSA headquarters. Not good at all but neither is it an urgent new threat to our national security.

Posted in Aviation and airport security, Law Enforcement, Management & Administration, counterterrorism | Comments

Creating a Culture of Public-Private Aviation Cooperation

Monday, December 14th, 2009

It is no great revelation that the aviation industry and the Department of Homeland Security (DHS), specifically the Transportation Security Administration (TSA), endure a turbulent relationship. But recent events celebrating two titans of the aviation industry without DHS and TSA leaders present epitomizes the relationship between the two.

Last Friday, the aviation industry celebrated the annual Wright Brothers Memorial Banquet. Hosted by the National Aeronautic Association and the Aero Club of Washington, the dinner honors an individual who, over their lifetime, has contributed to the growth and evolution of the aviation industry. Transportation Secretary Ray LaHood and Federal Aviation Administration (FAA) Administrator Randy Babbitt spoke at the dinner. The next day, a smaller group gathered for a memorial service at the Air & Space Museum for Ed Stimpson, the former Ambassador to the UN’s International Civil Aviation Organization and a leader in the general aviation world who passed away recently.

Noticeably present at these events were current and former FAA officials. Noticeably absent from these two events were DHS representatives and officials from the DHS component agencies (namely TSA), intimately involved in the aviation business. (I did see a few TSA brethren there, but they weren’t displayed as prominently as the DOT and FAA officials.)

FAA and the aviation industry have a complex relationship that mixes enforcement and cooperation. Employing a “trust but verify” strategy, safety regulators work side-by-side with industry folks on a daily basis. Both parties recognize that a safe industry is an economically healthy industry. This equation results in a culture of cooperation that has yielded the world’s safest mode of transportation.

TSA and other DHS components seem to have a different relationship with the airlines, airports, and private aircraft owners and operators. After eight years, TSA and the industry continue to struggle to integrate their efforts. Employees look suspiciously at one another while holding each other at arms length during daily work routines or while developing policy.

There may be a number of reasons for the industry’s distinct relationships with its two prominent federal regulatory bodies, including the following:

Province: The FAA, in part, was formed to promote and enhance the aviation industry with the recognition that a strong industry is vital to the health of the entire economy. TSA’s role is to keep third-party bad guys from doing harm to the aviation system. This often requires a paternalistic, resolute attitude about what best keeps the industry secure.

Employees: Typically, aviation enthusiasts are drawn to FAA employment out of a personal affinity for flying and a love of airplanes. Most employees drawn to serve at TSA (and CBP or ICE) come from law enforcement backgrounds and the agency attracts fewer aviation enthusiasts.

Time: The FAA and aviation industry have enjoyed a long marriage filled with the usual ups and downs. But through the years, the union has produced an exemplary safety record. TSA is the new kid at school, and the relationship with industry hasn’t been completely formed. Both are still unsure of the other’s motives.

A culture of cooperation between industry and regulatory bodies has been proven to work, but developing this culture is a two-way street. Breaking bread together and TSA’s participation in celebratory events can only help with this effort. Attracting and integrating aviation enthusiasts to TSA will balance the law enforcement posture.

Finally, over time, working together daily with an appreciation of the ultimate goal – a secure and financially robust air transportation system – will go a long way towards building this culture.

Posted in Aviation and airport security, Law Enforcement, Management & Administration, counterterrorism | Comments

The Military Looks for Help in Cyber Defense

Monday, December 14th, 2009

In all my years in the military (28 years in uniform and a total 35 years in the Department of Defense), I always held a certain mind set. It goes something like this:

“In the private sector, if they do poorly, they lose money; in the military, if we do poorly, we lose lives.”

I still think this is true, but now, when I look at the military’s efforts in the cyber security realm, I am concerned. The military still has the highest motivation, but in the cyber security realm it is not doing as well as some entities in the private sector.

Please do not misunderstand me. The military and other U.S. defense agencies are doing well in many areas. For instance, the National Security Agency is unparalleled in its capabilities, many of which are highly classified. If we have to unleash cyber war, I feel fairly confident we will defeat our enemies. But on the defensive side, I have much less confidence.

The Military Services are all calling for help. There have been several recent contract actions started to provide the services with help for everything from the initial strategic planning for cyber efforts to specific capabilities in defending networks. This challenge reaches across the strategic – operational – tactical divide that governs how the military views conflict. It also crosses the barriers of geography, domains and nations. Lastly, it spills pretty regularly into commercial spaces where the military has no expertise or legal authorities.

To address this quandary, the services are looking to defense contractors to help them evaluate their needs and their present capabilities. This defines the delta of what they must do to fix the problem. The next step is to design a force structure, doctrine, methodology, and personnel system that can address this problem now and in the future.

A big issue is that in cyber security most of the big private sector federal integrators, staffed largely by former government employees, continue to think like the government agencies they served for so long. The solutions that many have developed are not greatly different than what the military is coming up with on their own. This is not to denigrate these firms. Despite the bad press they sometimes get, our Federal agencies could not function without them. In this case, however, I am afraid the closeness in their thought process to their clients’ will end up working against the Nation by limiting the types of solutions considered. We need some new thinking.

It will take ideas and thoughts from the “real” private sector to adequately address the challenges in cyber security. Of course, the government in general, and the military in particular, have unique requirements and challenges. That said, we still need to look to the private sector for successful cyber security applications and other ideas that will help the military build a system through which we can defend the networks critical to our military’s performance.

Let’s look outside the Beltway “box” and find some really creative solutions. Our military advantage depends on it.

Posted in Cyber Security, Law Enforcement, Military & Homeland Defense, Science & Technology, counterterrorism | Comments

Do we really love Rihanna more than air security?

Monday, December 14th, 2009

Rep. Peter King, the ranking member of the House Committee on Homeland Security, and other Republican members have sent a letter to Secretary Napolitano expressing concern about the “repeated reposting” of the unredacted TSA security manual on multiple Web sites and asking her to say whether the sites can be compelled to take it down. They’re right to worry. I said as much in an interview recently. Whenever someone posts a document that compromises our security, there’s much handwringing about this issue and much breast-beating about the first amendment. It seems like an unanswerable conundrum.

But there is an answer. In general, the sites that posted the TSA document don’t post copies of the latest Rihanna album, “Rated R.” That’s because the damages for posting Rihanna’s (pretty good, actually) album is likely to be $150,000 for each of the thirteen cuts — the damages for willful infringement of Rihanna’s (and Def Jam Recordings’) copyright. There are very few stable links on the Internet to Rihanna’s album, precisely because the threat of large damages deters such links. First amendment or not, Congress and the courts have agreed that this is a perfectly fine way to deter certain kinds of speech. Plenty of Democrats and Republicans on the Judiciary Committee have voted for just such deterrence

So here’s my question. Who thinks that protecting Rihanna’s profits is more important than keeping TSA’s procedures out of al Qaeda’s hands? Why do we create $1.45 million in liability for pirating “Rated R” and no liability at all for the willful posting of sensitive, properly redacted homeland security information?

And here’s a proposal for Rep. King: why not set the penalty for willfully disseminating properly classified or sensitive documents at twice the penalty for willfully disseminating registered copyright materials? And why not let anyone whose security has been put at risk bring that suit? After all, when the music industry finally gives up its litigation campaign against ordinary Americans, its lawyers are going to have to pay the rent somehow.

Anyone who voted to increase damage awards for copyright infringement should have no trouble supporting the same protection for national security. Since the $150,000 figure comes from the “Digital Theft Deterrence and Copyright Damages Improvement Act of 1999,” I’m guessing that a lot of those folks are still around.

This piece was originally posted on Skating on Stilts.

Posted in Aviation and airport security, Homeland Security & the Internet; Gov't 2.0, Law Enforcement, counterterrorism | Comments

Who’s Walking Your Hallways – Protecting Private Sector Infrastructure

Thursday, December 10th, 2009

Recent comments by Homeland Security Secretary Janet Napolitano highlight the growing threat of homegrown radicalization. The recent arrests in connection with thwarted terror plots, “remove any remaining comfort that some might have had from the notion that if we fight the terrorists abroad, we won’t have to fight them here,” Secretary Napolitano said. The lack of terrorist attacks in the United States since the devastating 9/11 attacks, coupled with our aggressive efforts to undermine al Qaeda overseas has created a false sense of security. Sure, we should have increased confidence in the state of our domestic security, but complacency is not an option. The threat of al Qaeda or some other homegrown terrorist motivated by jihad or another ideology (e.g., Unabomber, Tim McVeigh) striking again is a real problem that should not be taken lightly.

Just this week, federal officials charged Chicago resident David Hadley in a 12-count criminal information. The charges relate to his alleged role in conspiring with Lashkar-e-Taiba in the November 2008 Mumbai terror attacks and developing a plan to attack a Danish newspaper that published cartoons of the Prophet Mohammed.

This comes on the heels of the attack at Fort Hood. On the afternoon of November 5, U.S. Army Maj. Nidal Malik Hasan opened fire at Fort Hood, killing 13 and wounding 30 others. While his motivations are still under investigation, Mr. Hasan had been the target of suspicion for his radical extremism and connection to Anwar al-Awlaki. Born in America, Mr. al-Awlaki was the imam of the Dar al-Hijrah mosque where Mr. Hasan and two of the 9/11 hijackers attended in 2001. Mr. Hasan and al-Awlaki had at least 18 e-mail exchanges prior to the Fort Hood attack, according to published reports.

And earlier this fall, authorities uncovered what they call an al Qaeda-sponsored domestic terrorist attack plot involving a Denver airport shuttle driver, Najibullah Zazi. Mr. Zazi allegedly trained with al Qaeda in Pakistan in 2008 before he tested homemade bombs and drove cross country to New York with nine pages of hand-written notes on the manufacturing and handling of explosives. He faces charges of conspiring to use weapons of mass destruction.

Secretary Napolitano recently reminded real estate, professional sports, media and financial leaders in New York that “[t]he majority of America’s critical infrastructure is owned and operated by the private sector.”

What then, can corporate America do to protect itself, the country at large and prevent attacks from taking place?

Companies must be aware of who they are letting into their offices, plants and warehouses. Access to private sector infrastructure and technology can have devastating effects in the hands of al Qaeda operatives or sympathizers.

Background checks for employees and visitors are a vital first step toward ensuring workplace safety. It is important for companies to run background checks not only on their employees but on visitors as well.

“Insider” threats have the potential to have the most destructive results, as “insiders” are familiar with vulnerabilities and have access to areas that the general public typically would not.

Like David Hadley, who during five trips to India conducted surveillance and took photos and videos of various targets, including those attacked in Mumbai, visitors can gather information about a company’s facilities and use that information to plot an attack.

It is important for corporations to know that traditional criminal background checks typically only reveal arrests. As is clear from recent events, companies should drill down further in search of ticking time bombs like Mr. Zazi. An arrest is not the only indication of potential risk for terrorist connections.

The private sector must take Secretary Napolitano up on her commitment to build “meaningful partnerships with businesses across the country to secure the infrastructure vital to the safety of our citizens,” and work on implementing systems that would allow the public sector to disclose limited information on suspected terrorist connections of employees and visitors.

Additionally, companies can more vigorously institute security clearance levels that allow only certain employees access to specific locations, files and information. Implementing a “need to know” system for information access, similar to that used by government agencies, would limit access to the least number of people necessary. This would require corporations to conduct an in-depth evaluation of the way they store information to better determine who should have access to sensitive materials. While these measures might seem extreme, the security of the private sector is not only an issue of corporate security but of national security.

No additional security measures will be successful, however, without increased information sharing between the public and private sectors. The private sector must put in the work to ensure that its facilities and information are not being accessed by those seeking to harm the nation. But, the private sector can only do this if the public sector is willing to allow some form of access to information on which more informed security decisions can be made. There has been much post-9/11 talk about information sharing; however, one should question whether enough progress has been made.

In a recent interview, former Homeland Security Secretary Michael Chertoff discussed homegrown radicalization and stated that, “a larger trend has emerged that is not surprising, but is disturbing . . . . You are beginning to see the fruits of the pipeline that al-Qaida built to train Westerners and send them back to their homelands.” The private sector must develop, deploy and use technologies and processes that promote the sharing of reliable information – the first step in eliminating “insider” threats is to know who is in your hallways.

As FBI Director Robert Mueller has oft repeated, it is not a question of if another terrorist attack will occur. It’s a question of when.

Posted in Critical Infrastructure, Homeland Security Industry & Private Sector, Law Enforcement, Radicalization, counterterrorism | Comments

Internet Security Alliance Steps Out

Thursday, December 10th, 2009

The Internet Security Alliance (ISA), a broadly focused industry group, has released a report as their entry into a race to be the most helpful in cyber security to the Obama Administration. At the National Press Club on December 3, the release was marked by a lunchtime gathering and short presentation.

Led by the organization’s president, Larry Clinton, a panel announced and summarized the report, titled “Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model.” This is a concept the ISA proudly points out was one of their main contributions to the May 29 Presidential “Cyber Space Policy Review.” Their recommendations focused on how the government will work with the private sector.

They began by reminding everyone that despite the press coverage and vocal concern shown by leaders in both the public and private sectors, everyone seems to think that cyber security is someone else’s job. Spending is actually going down on security on the commercial side, and at the very least, C Suite leaders expect their IT people to deal with it without any hindrance to business or increased costs.

ISA does not want the government to go forward with an old-style regulation regime. This will stifle innovation, put a big kink in the business models of most companies, cost a fortune and probably not work. Legislated regulations do not exactly move with “internet-like” speed. By the time they are enacted, and enforcement begins, they will be outstripped by new tech advances. Not a good route.

The Alliance points to their Social Contract Model as a better way forward. In a word, it calls for multiple actions that will all incentivize businesses to protect themselves. The guts of the report are a set of fairly practical ideas that could quickly be put in place, and with little emotion or rancor. These begin with an updated Cyber Safety Act, replacing the SAFETY ACT passed after 9/11. This was an anti-terror action that can be broadened to help set standards and promote best practices. They also recommended tying federal monies for grants, etc, to adopt better cyber security regimes.

The third point was to harness the Federal Government’s volume buying power to push manufacturers to provide better protected products. This would push everyone in that direction. Tax breaks for compliance and sound practices were the next recommendation. Direct provision of grants and other funding methods to promote cyber security R&D would help motivate the development of better technologies as well. Two related points were limited liability for actors doing the right things and faster development of viable cyber security insurance. Both are key to a balanced and comprehensive response. The last is a national award for excellence in cyber security.

Most folks in industry will see lots of good things in the ISA proposals, mainly because they share the concern over regulation-based models. This is much more business friendly. Playing devil’s advocate, one does have to ask why the government has to fund business so they’ll be motivated to protect themselves. That said, I also think ISA is on the right track. Their leaders should be congratulated on a good, thoughtful and hopefully adoptable plan.

Posted in Cyber Security, Homeland Security Industry & Private Sector, Management & Administration, Science & Technology | Comments

Interview with Chertoff in 2009 Year in Homeland Security

Thursday, December 10th, 2009

Rich Cooper, Security Debrief contributor and Principal with Catalyst Partners, recently published an interview with former Department of Homeland Security Secretary Michael Chertoff in the 2009 The Year in Homeland Security.

Below are some highlights from the Chertoff interview. You can read the full interview, along with other Cooper articles, by visiting the 2009 The Year in Homeland Security.

Mr. Secretary, looking back at your nearly four years of service at DHS, what are the accomplishments that you are most proud of and what were some of your greatest frustrations?

Michael Chertoff: Well, the bottom line, the accomplishment that was most significant is the fact that we did not have another successful attack against the United States. I think in many ways that’s the ultimate measure. At a somewhat less high altitude, I would say we dramatically changed and increased the security for people coming into the country. We transformed the way we deal with people at the ports of entry, not only bringing 10-print biometrics into effect, but also biographic collection and analysis based on commercial airline data.

We have more robust requirements for crossing our land border in terms of documentation, and even between the borders. You know we built 630 miles of fence, more than doubled the Border Patrol, and according to the reports I got from the Border Patrol just about a month ago, there’s been essentially a two-thirds reduction in the flow [of illegal immigrants] across the border. In some areas where we used to have thousands a day, there are now five or six a day.

What’s the most serious threat to the homeland today, and how do we address it?

Michael Chertoff: In terms of consequence, I would say biological terrorism is the most serious threat. It’s not a threat that I think is imminent, although we’ve had an attack in 2001 with anthrax. It is also one which would not be impossible to fabricate in a short period of time because the raw material for a biological attack occurs in nature or you can just have the know-how. So I would say if it was of high consequence, that worries me the most and I do become concerned.

Posted in Critical Infrastructure, Homeland Security & the Internet; Gov't 2.0, Homeland State & Local, Ideology & Public Diplomacy, International, Law Enforcement, Management & Administration, counterterrorism | Comments

Rapid Notification – When You Really Have to Know

Thursday, December 10th, 2009

Last week in Portland, officials conducting routine reservoir testing found something unexpected: E. Coli. Officials reached out to the community via print, television, and radio news outlets, health networks, and their utility Web site. Unfortunately, many in the community remained unaware of the contamination until reading about it on the bottom of their TV screens during the following day’s football games. As it turns out, textbook responses don’t work as well when the textbook in question is out of date.

In the age of Web 2.0, Blackberries and iPhones, utilities need to invest in rapid notification systems. While publicly-owned water systems operate on razor thin margins, they cannot afford not to invest in such systems.

Today’s alert systems can deploy text messages to cell phones and Twitter accounts; they can transmit personalized voice messages to home, work and cell numbers; they can provide critical updates and ongoing progress reports; and they can send out e-mail – all at the same time. Remarkably, the process can reach millions of people in minutes at a cost of pennies per household. Sound too good to be true? It isn’t. But in a conservative industry like water, makers of rapid notification alert systems need to do a better job explaining why their technologies won’t be obsolete tomorrow. It also wouldn’t hurt if manufacturers mentioned that today’s systems can be used to streamline other utility costs and operations (like fully automating the billing department).

There’s no silver bullet to rapid response, but by adopting multi-faceted approaches that incorporate digital and analog solutions, water utility managers can ensure their communities remain informed on the critical information they need to maintain public health during times of crisis.

While not all created equally, rapid notification systems, when leveraged as part of a relevant, cost-effective, and holistic approach to effective utility management, are capable of protecting public health and saving money. Welcome to the future.

Posted in Critical Infrastructure, Emergency Preparedness & Response, Homeland Security Industry & Private Sector, Science & Technology | Comments

Harvard Business School Hosts a Cyberposium

Wednesday, December 9th, 2009

In November, the Harvard Business School hosted its annual Tech Conference, the “Cyberposium.” The purpose of the event was to give its top-notch business students exposure to key issues they will face as they go out and act as leaders of American and international business.

This year, the Cyberposium focused on the “digital storm,” addressing the cutting-edge challenges that the U.S. faces today. Regrettably, I could not stay for the entire conference, but I was able to enjoy the keynote speaker, Jim Balsillie, the co-CEO of Research in Motion (RIM), of Blackberry fame. I also was privileged to be a panelist on one of the many superb panels the student organizers arranged.

The keynote was surprisingly technical for a business school audience, and he used quite a few acronyms – and lots of jargon. The audience did not seem daunted by this, testifying to the technological savvy of today’s young business students. The thrust of his talk was that in the tech business, you have to be willing to take chances. Using his own experiences, and lots of great RIM research numbers, he showed that you need to do your research, develop as good a product as you can, and then go for it. Nothing is ever set or assured in business. RIM/Blackberry went from a pretty minor slice of the market to the lion in only a few years. Balsillie said they never thought it would turn out as big as it did. Next he pointed out that you had to be ready to fight, to adapt and to never sit back, regardless of your predominance. He drove his points home with great market research on the smart phone industry. It was a very instructive.

My panel was one of a few on various aspects of cloud computing. It had a moderator from Gartner, and participants from major cloud providers, Cloudswitch, Rightscale, Rackspace, Micosoft, vCloud/VMWare, and of course IBM. Despite all of us being competitors, there was surprising unanimity and support among the group. Everyone agreed that the cloud was not just a fad but the next major trend in IT methodology. It was not a perfect solution, but the positives were so obvious and so prevalent that it was not going to go away. It will grow and spread because it saves money, provides major advantages to enterprises large and small, and in fact, adds security overall.

The Cloud does not come without disadvantages, and these were noted as well. These could in fact be accentuated, depending on the provider (see my earlier posts on cloud computing here). If the customer was not sufficiently vigilant, and did not “force” the provider to prove capabilities, there would be major risks. The needed assurances included security of data (at rest, in motion and old-fashioned physical security), the ability to store data for extended periods, and the ability to search and retrieve data for discovery purposes, emergency back-up plans, vetting of trusted administrators, and other key tasks. These are all easy to claim but a lot harder to actually do.

All agreed that a company looking to a move to cloud computing (which is frankly everyone), must evaluate their present methodology, to see what they now have, shop around to see where they can obtain the best mix of real capability in a provider, and how big a gain they will get from their investment. There is a huge potential market for firms to do these sorts of evaluations for companies of all sorts.

We are going for the cloud folks, but we need to make sure we do not see a willy-nilly rush that includes providers who really cannot deliver. That will be costly and dangerous. If you go with reputable providers, you will be fine. So, as said in Indiana Jones and the Last Crusade, “Choose wisely.”

Posted in Cyber Security, Homeland Security Industry & Private Sector, Intelligence, International, Science & Technology, counterterrorism | Comments

Here We Go Again – Spending On Infrastructure Without a Plan

Wednesday, December 9th, 2009

On the drive home last night, I heard the WTOP/CBS news reporters talk about how the President was once again considering the building and re-building of portions of our nation’s infrastructure as a means to put the millions of unemployed and under-employed Americans back to work. I couldn’t help but feel, “Here we go again…”

Not even a year into office, the Administration is pulling out its playbook to once again issue the rallying call of: “Let’s build roads, bridges, clean-burning energy plants, etc.”

It is certainly a call worthy of answering. It’s no secret that our country’s infrastructure is in dreadful shape. Decades of neglect, inattention, over use, lack of resources and more have left our nation sailing along in a leaky boat with a semi-operable engine in stormy economic seas. As Steve Flynn has pointed out, repairing and protecting our critical infrastructure are both a homeland and a national security imperative.

But my sense of deja vu at hearing the President’s interests in infrastructure was met by the realization that we are about to commit the same old sins and mistakes we’ve been making for years when it comes to investing in U.S. critical infrastructure.

Since 1998, the ASCE (American Society of Civil Engineers) has released a report card on the state of America’s infrastructure. In 2009, we scored a big fat D.

This wasn’t the first lousy report card our infrastructure has received from ASCE. In fact, it seems to be the latest grade in a consistent pattern of underachievement. In 1998, we received a D. Three years later in 2001, ASCE issued another Report Card where we got a D+. By 2005, we had dropped back to our consistent D grade.

These grades are not so much a disturbing trend as they are a scathing indictment of how our nation plans and prioritizes its spending and construction on the core engines of America’s security and economy – our critical infrastructure.

While we are not short on grand ideas for the future or on the laundry list of needs (including addressing our lingering employment problems), we are completely absent any type of national strategy for the planning, preparation or resilience of our critical infrastructure.

Because we continue to use the same formulas that we have used for decades when it comes to allocating funding to our roads, bridges and transportation systems, we continue to spend hundreds of billions of dollars on projects that have failed to improve our critical infrastructure grade to anything above a D for more than decade.

By continuing to examine our infrastructure through stovepipes and old ways, instead of looking at them holistically as truly interdependent systems, we are continuing to dig our hole deeper and deeper. The time has come to say, “STOP!”

If the Administration and Congress are indeed serious about rebuilding America’s infrastructure and creating good jobs, it needs to show the same type of energy and dedication to establishing a national infrastructure strategy as the President did when establishing his new Afghanistan plan.

Regardless of how you feel about the Commander in Chief’s decision, he took the time to formulate a path that he believes will lead to securing America’s interests, a free-Afghan people and a terror-free world. Over the past three plus months, the President consulted with our nation’s military leaders, Members of Congress, his Cabinet, international allies, the Afghan government, military families and more in shaping his new strategy for Afghanistan.

For as cautious and deliberative as his approach has been on this issue, the same cannot be said about our nation’s approach to infrastructure investment. We continue to operate in “spend first; don’t maintain it and maybe we’ll get around to it later” mentality.

That is shocking when you consider the amount of money we have spent and continue to spend on infrastructure. As history has shown, spending money is never a problem for government; prioritizing and accounting for it are the hard parts.

The fundamental lack of a comprehensive national infrastructure strategy only ensures that the existing behavior will be allowed to continue unless critical infrastructure leaders, practitioners and average citizens call for and enact the change we desperately need.

We can no longer afford to make the same mistakes. Unless the Obama Administration and Congress decide to change their course, I’m afraid, “Here we go again.”

Posted in Critical Infrastructure, Emergency Preparedness & Response, Management & Administration | Comments

Leaked TSA Screening Procedures Only One Aspect of Transport Security

Wednesday, December 9th, 2009

Certainly the posting of the Transportation Security Administration’s screening procedures on the Internet was not the agency’s finest hour, but it was not the worst breach of security since 9/11, as I heard last night on CNN. While some were quick to pounce and ridicule, most of what was in that document can be deciphered by studying procedures at the checkpoint, something terrorists are known to do before they execute an attack.

TSA is a complex organization, and its people and policies should not be underestimated. The agency bases its operations on intelligence, and the document that was revealed does not account for constant updates and tweaks made based on current intelligence. Such changes can be applied at a given airport or on certain flights as needed. TSA also operates on the premise that ideally a terrorist is caught before the day of the attack. That is why there are so many layers of security, beyond physical screening at the checkpoint, and why the agency coordinates daily with law enforcement partners at the federal, state and local level.

The real bummer about this incident is that it gives critics another chance to take a jab at the agency that has managed to avoid controversy for quite some time. The agency employs nearly 50,000 patriotic Americans who are dedicated to ensuring that another terrorist attack on planes and other transportation modes does not occur. The majority of the front line workforce has at least five years experience, and that collective knowledge is a great asset against a would-be terrorist.

Officers and management nationwide completed an intense training earlier this year that takes them beyond the checklist mentality and enables them to rely on experience, and yes, even what their gut is telling them in a given situation. It has taught them to rely on their team as a network, just as terrorists try to infiltrate as a network. These public servants are formidable and deserve the public’s respect.

The beleaguered news media got a quick hit yesterday; good for them. The men and women of TSA are strong enough to shrug it off and keep going.

Posted in Law Enforcement, Management & Administration, Private and Physical Security, counterterrorism | Comments