RSS

Category Archives: Security

Homeland Security – A Local Responsibility!

All disasters are local. Period. This is a fundamental emergency management principle. The local public safety personnel know the area, have the site-specific training, and are actually there. They will respond to crisis situations. They are also the best people to plan for crises because, well . . . they’re local. Mitigation is a local responsibility. Planning is a local responsibility. Response is a local responsibility. Recovery is also a local responsibility. Most “old school” emergency management planners understand this, particularly because they are not academics, but rose from the first responder or public health ranks.

However, since the Department of Homeland Security was created, there has been a push to make Washington responsible for everything. This is not necessarily the DHS’ fault, many of their plans (which can be mind-numbing and strangely duplicative) are a direct result of the various Homeland Security Presidential Directives which were released in the years following 9/11.

What the public, and perhaps the new “Homeland Security” planners themselves do not understand is this – “emergency management” and “homeland security” are not separate disciplines. They are the same thing. They are fundamentally a local responsibility. I cringe when I read news articles in which local players criticize the DHS for their own failures. The excellent magazine, Homeland Security Today, carried just such an article on 22NOV11. The subject was, of course, the TSA – the most maligned and hated Federal agency in modern times.

The article was entitled, “TSA Must Improve Quality, Distribution of Threat Info, GAO Says.” The article opened with this tour de force:

“Fifty-seven percent of responding stakeholders said TSA could improve their information products by providing more guidance that would suggest how they could adapt their security measures in response to threat information.”

Excuse me? This was the result of a survey of aviation, rail and highway stakeholders, public and private – all of whom have proprietary, government or contract security professionals paid vast sums of money to do an important job. These people couldn’t come up with mitigation strategies? They wanted TSA to suggest solutions for them? There are several basic problems here:

1. Abdication of professional responsibility. The folks at TSA cannot tell the aviation, rail and highway stakeholders what to do. It’s not their job. They can provide them with regular intelligence bulletins with current threat information. It is up to the security professionals, at the local level, to implement appropriate measures commensurate with the local politics, personnel and resources they have. How can TSA really tell them what to do?

2. Lack of coordination. The fact that these stakeholders are complaining suggests they are not connected with the local and state emergency management and homeland security agencies. If they were, they wouldn’t be complaining. It is possible their local and state agencies are paper tigers, and essentially worthless, but that is the exception, not the rule.

“For 2010, 48 percent of stakeholders said they did not receive an annual security assessment, the GAO report said . . . Sixty percent of respondents indicated they never heard of the Homeland Security Information Network Critical Sectors portal (HSIN-CS), considered the primary means for distribution of threat information to critical infrastructure sectors by the Department of Homeland Security (DHS), the GAO report determined.”

Once again, there are some serious issues here . . .

1. Abdication of professional responsibility. There is no excuse for not being aware of the Homeland Security Information Network (HSIN). Transportation systems are one of our nation’s critical infrastructure/key resource sectors, identified in the DHS National Infrastructure Protection Plan (2009). Security is a professional industry, and if you are a security professional employed in the transportation sector, you should know where to find intelligence. Any number of venues, from continuing professional education, membership in professional associations or a simple security trade journal could have been enough to lead these blind professionals to the promised land. Apparently this is not happening, and it is appalling.

2. Lack of coordination. The stakeholders can’t find intelligence. Apparently, they also do not whom to turn to at the local level for intelligence. It boggles the mind. Many individual cities have an emergency management official, most counties do, and each state has an emergency management and homeland security function. With so many agencies involved in this arena, you have to almost purposely try not to network.

It’s almost as though there is a pattern developing! The lesson is this:

1. Disasters are local. They should be treated that way. Never abdicate responsibility for your shortcomings to the faceless Federal agency of your choice. If you need answers, make some phone calls and find them. If your local or regional agencies are worthless and won’t help you, call the State or go in LinkedIn and start making contacts and getting ideas. Yes, it really is that easy.

2. Network. It’s really pretty simple. Get to know the public safety agencies in your area. Go to meetings, there are always a bunch of them, take your pick. Volunteer to be on a planning committee, and represent your organization while you’re there. Be involved in the security industry, so you actually know what HSIN is! Read the DHS publications, or at least find the CliffNotes versions, so you know what resources are available.

References:

McCarter, M. (2011, November 22). TSA must improve quality, distribution of threat info, GAO says. Homeland Security Today. Retrieved from http://www.hstoday.us/industry-news/general/single-article/tsa-must-improve-quality-distribution-of-threat-info-gao-says/b13875655f0f0b260e0bd21f97361573.html.

 
Leave a comment

Posted by on November 25, 2011 in Security

 

Intelligence Gaps at the Local Level

While trolling through the depths of Homeland Security Today (a very good magazine, and FREE too!) I came across a small opinion piece on state intelligence fusion centers. It caught my eye because I’ve secretly suspected the same thing as the author – that these fusion centers don’t actually “fuse” anything at all.

The concept is noble and excellent – each state should have its own center to gather intelligence (from local, state and Federal sources), vet it, analyze it, and distribute it to appropriate agencies. In my position as a DoD Anti-Terrorism professional, I see a great deal of low-level intelligence, both from various state intelligence fusion centers and from the Department of Homeland Security’s Homeland Security Information Network portal.

Too often, states don’t actually produce any intelligence of their own. I get forwarded “pass-through” bulletins on a weekly basis which I’ve already gotten direct from DHS. I have yet to see an actual, original piece of intelligence from my state fusion center. I would be happier if states produced their own intelligence products, through actual analysis, than acted like a simple information clearinghouse.

The piece I referred to earlier, which can be found at the link below, presented three scenarios which the author claimed describe the state of affairs at most state fusion centers (Patton, 2011).

Scenario one: The majority of fusion centers in the US aren’t really fusion centers at all, but rather are buildings that consist of multiple law enforcement organizations working under the same roof.”

Scenario two: A great majority of analysts working inside state level fusion centers are straight out of college with little if any operational collection experience.”

Scenario three: Simply put, people are lazy.”

I don’t intent to malign the patriotism or competence of the folks working in my state fusion center. I believe they’re doing their best, within the limits of their experience and training. I do, however, believe we need actual intelligence analysis at the  state and local level. For example, in June, a DHS bulletin was distributed far and wide warning about possible Al-Qaeda plots against rail lines. This was days before the media got a hold of it. I received a simple pass-through on it from the state. Nothing further. I understand this wasn’t a very credible threat, but couldn’t there have been something original from the state added to this alert? How about a brief snapshot on high-risk rail lines statewide? Isn’t there some kind of study on this, gathering dust on a government shelf somewhere? There should have been. Rail lines carry HAZMAT on a daily basis . . .

The analysts closeted in Washington DC working for the DHS don’t know my state, don’t know yours, and cannot translate raw data into actionable intelligence on a local scale. “The greatest tool any operative needs comes from intelligence. Some of  the most incredible intelligence used in fighting the current wars abroad comes from legitimate, real, fusion centers,” (Patton, 2011).

What makes this shortfall even more critical is that all disasters are local. This is a key emergency management concept. Many incidents are not foiled by federal agents in dark suits, but by ordinary men and women reporting something suspicious. The people responsible for responding to incidents and coordinating for support are not federal officials in Washington, DC – they’re the emergency management, public safety, engineering types and elected officials in your city and mine. Disaster response is a local responsibility – intelligence analysis should be the same.

References:

Patton, K. (2011, April 11). Two Views on Upgrading Fusion Centers – Part 1: Improvements Needed in Fusion and Analysis. Homeland Security Today. Retrieved from http://www.hstoday.us/blogs/guest-commentaries/blog/two-views-on-upgrading-fusion-centers-part-1-improvements-needed-in-fusion-and-analysis/310a17b410692105eec8eb329af25fae.html.

 
Leave a comment

Posted by on August 8, 2011 in Security

 

The Federal Protective Service

This is the agency sworn to protect Federal facilities, specifically General Service Administration (GSA) facilities, from evil-doers. This daring-do includes law enforcement and physical security support, and  allegedly a comprehensive risk assessment of each facility so resources can be allocated appropriately to high priority sites. This is the theory. The reality is that reports show the Federal Protective Service seems to be outmoded, outwitted and completely ineffective.

Browse through the Government Accountability Office (GAO) report on the FPS from 2008; it essentially says the agency is broken and demoralized (GAO, 2008). I don’t have time to write an in-depth treatise on this subject, so I’ll zero in on one basic subject – security risk management.  Congressional reports and current news reporting indicate the FPS is having major problems in this arena.

Mark Goldstein, GAO director of physical infrastructure issues, emphasized that FPS still lacks a risk management approach to securing federal facilities. FPS approaches each building as requiring the same level of security with the same risk without actually conducting an analysis of threats and vulnerabilities for that building. “Without a risk management approach that identifies threats and vulnerabilities and the resources required to achieve FPS’s security goals, as GAO has recommended, there is limited assurance that programs will be prioritized and resources will be allocated to address existing and potential security threats in an efficient and effective manner,” Goldstein testified (Hong, 2011).

I’m obviously not intimately familiar with FPS’ problems, and I’m sure their leadership is doing it’s best. However, I question why the FPS is having so many problems with risk assessments when the security community is literally awash in this literature.

• FEMA has a very comprehensive Risk Management series available for download right now from their on-line library;

• The DoD has their own methodology;

• DHS describes a good methodology in their National Infrastructure Protection Plan, when they discuss critical infrastructure/key resources;

• DOE, in particular, has their own way of doing business, pioneered at Sandia National Laboratories;

• Private sector has many different approaches.

It really doesn’t matter which method you use, as long it is quantitative and sound. The basics are these:

Evaluate the threats – what can impact the facility? Look at local crime stats and low-level intelligence bulletins from your state intelligence fusion center and the Homeland Security Information Network. Rank them;

Evaluate your critical assets – what do you need to protect? Divide these into two groups; infrastructure (e.g. power, heat, water) and population (e.g. gathering areas, day care centers, leadership). Rank them;

Evaluate your vulnerability – what are the weak points in your facility? Take a walk around with a set of good physical security criteria (the DHS has some good stuff), a clipboard and a pen, and make some notes on vulnerabilities. You don’t have to be a genius, just go off the checklist! Also consider vulnerability to the identified threats while you’re walking around;

Quantify your risks – This isn’t hard. There are software programs that try to help, and actually do make this hard, but you don’t need them. The best work is developed with a Microsoft Word table and your brain – not mathematical computations from an aloof software program. I know some engineers out there hate me for saying this! How do you quantify? It’s real, real hard . . . You should have already prioritized threats, critical assets and vulnerability individually on a scale from 1-10. Use this equation – THREAT x CRITICALITY x VULNERABILITY = RISK. Rank the final numbers accordingly.

There is so much good information out there, it boggles the mind. The FPS has spent $41 million dollars trying to develop a program to track vulnerabilities agency-wide, and it has failed (Hong, 2011). Why? What is so hard about developing a database? It is possible they’re trying to develop a software program which will make the survey process easier for their overworked personnel, to streamline the process so the end product is standardized. This is a pervasive problem in any organization – unless your surveyers are well-trained to a specific standard, the results will vary widely and there is no guarentee the methodology will be consistent.

In the interim, this database problem can be solved with something as simple as an Excel document. I know it’s not sexy, and I know it’s not cool – so what? There is of course another option – borrow an existing software tool from another branch of government that already does the same thing. The Department of Veterans Affairs has one geared for crime assessments – steal it. The DoD has one specifically for anti-terrorism – steal it. Have a contractor modify it.

Risk assessments are a foundational piece of security work. The FPS’ troubles in this area are cause for concern. I know there are dedicated professionals at the FPS struggling through their own internal battles, and many of them probably share my viewpoint. I hope this agency can get back on it’s feet.

References:

Hong, M. (2011). FPS optimistic on resolving plans for risk analysis, workforce. Homeland Security Today.

Retrieved from http://www.hstoday.us/industry-news/general/single-article/fps-optimistic-on-resolving-plans-for-risk-analysis-workforce/5c544d346dc9c1bfb060b55567486e84.html.

Government Accountability Office. (2008). The federal protective service faces several challenges that hamper its ability to protect federal facilities. Retrieved from http://www.gao.gov/new.items/d08683.pdf.

 
Leave a comment

Posted by on July 19, 2011 in Security

 

TSA Attacks Continue

The Transportation Security Administration is well on its way to being the most maligned and hated federal agency in America. Every week seems to bring more sensational coverage of a TSA “patdown.” Pundits shake their heads; the subject of the search usually appears on screen shortly after, outraged and indignant. Americans are being programmed to believe that the TSA is an evil, inept organization. Nothing can be further from the truth. They’re a young agency, trying to find their way in an unforgiving federal bureaucracy.

The objections to the TSA search procedures are being made by amateurs who don’t understand security. I have watched instructional videos detailing the proper TSA search procedure. I can guarantee you that every person I’ve ever apprehended as a military police officer felt much more violated when I was finished with them. A law enforcement search incident to apprehension is much more intrusive than the TSA’s procedure . . . which was why I bowled over laughing when I saw a story out of Florida, where the Libertarian party demanded every TSA agent within the state of Florida be arrested immediately. The juiciest excerpt is here:

Every single day, TSA employees conduct electronic and bodily searches upon tens of thousands of Florida citizens and visitors at airports, and more recently at bus terminals, rail stations, and highways,” the Libertarian Party said. “They are searching the persons and seizing the effects of travelers without warrant or probable cause. Specifically, they are in blatant violation of the Fourth Amendment to the United States Constitution, (Laing, 2011).

• Security screening is not an option:        

Security screening at airports is a necessity – please comment if you disagree. Despite all best efforts, security is fundamentally a reactive field; something happens, lessons learned are applied, and new safeguards are put in place. Does anybody remember the “underwear bomber,” Umar Farouk Abdulmutallab? He tried to take down a Northwest Airlines flight into Detroit near Christmas 2009. He had 80 grams of Pentaerythritol tetranitrate (PETN) explosive sown into the lining of his underwear. This was more than enough explosive to take that airliner down. He only failed because the detonator did not work.

After the failed attempt, al-Qaeda triumphantly referred to Abdulmutallab as “a hero who overcame legendary American intelligence which showed its fragility, putting its nose in the ground, using all of what they spent in new security techniques against them,” (Esposito & Ross, 2009).

• No 4th Amendment violation:

The 4th Amendment protects against unreasonable searches and seizures. A law enforcement officer generally must have probable cause to search a person – there are all sorts of exceptions, and I won’t go into them here. The Florida Libertarians mistakenly believe that because the TSA has no probable cause airline passengers are concealing any sinister devices on their person; they should not constitutionally be allowed to search anybody. This is ridiculous, and reveals how out of touch they truly are.

I’m not a lawyer or a sadist, and I don’t intend to torture myself by sifting through legal statutes to prove these folks wrong. I can cite one real world precedent – all personnel are subject to search upon entry or exit from any military installation or vessel. Probable cause does not play into this at all. The Commanding Officer of the ship or installation has an inherent right to protect his personnel from harm, and he is allowed to conduct random searches at entry and exit points to ensure the good order and discipline of his command.

The same concept can apply to TSA searches. They are necessary, and if they weren’t conducted and a plane was blown out of the sky, people will be sharpening their knives, looking for the person who failed to ensure the safety of airline passengers. The Libertarians need to give the TSA a break, and stop putting out inflammatory news stories for political gain.

References:

Esposito, R. & Ross, B. (2009). Photos of the northwest airlines flight 253  bomb. ABC News. Retrieved from http://abcnews.go.com/Blotter/northwest-airlines-flight-253-bomb-photos-exclusive/story?id=9436297

Laing, K. (2011). Florida libertarians: florida TSA agents should be arrested. The Hill.com.
Retrieved from http://thehill.com/blogs/transportation-report/tsa/169691-fla-libertarians-tsa-agents-should-be-arrested

 
Leave a comment

Posted by on July 6, 2011 in Security

 

TSA vs. Private Contractors

Recently, the TSA determined that private security organizations were not as efficient at screening passengers and their baggage at airports as they were. “In January 2011, Transportation Security Administration (TSA) chief, John Pistole, announced a halt to expansion of the use of private security screeners at US airports explaining that the TSA had found “no clear and substantial advantage” to expand the use of private contractors,” (Leggiere, 2011).

A new report, recently released, rebuts this claim. The story can be found here: http://www.hstoday.us/industry-news/general/single-article/house-committee-report-disputes-tsa-findings-on-private-airport-screening/23cdeeffb9ebefda597912814593f1b8.html

This function, of personnel screening at our nation’s airports, has made TSA perhaps the most hated and maligned Federal entity in recent memory. The IRS will continue to hold that title, however, until somebody flies a plane into TSA headquarters . . .

The screening function should be outsourced to private contractors. Here are a few very obvious points in favor of this model:

Competition encourages innovation. The TSA is an immature, lumbering agency struggling to find its way. I understand they’re facing staffing and training challenges. However, lack of competition stifles innovation. Nobody needs to see a study to agree with this concept. A private security company who competes with rivals for a contract will perform better. Period.

This is an easy job. I don’t care what the TSA union might say – this is an easy job. I did years of sentry duties as a military policeman, inspecting baggage, vehicles and personnel for explosives and other sinister devices. I know it’s easy, all hyperbole aside.

TSA should focus on procedural compliance. This is the proper role for the agency – oversight and quality control. I don’t care whether this is the model TSA administrators envision, or are implementing now – it is the most effective model.

TSA should act as a clearinghouse for aviation threats and intelligence. One critic of the private screening model had this to say, “further privatization could lead to greater inconsistencies in threat identification, intelligence dissemination, and screening operations.  This would greatly threaten TSA’s mission,” (Leggiere, 2011). This is complete nonsense.

–          If TSA took a step backward from the “front lines,” it could efficiently liaison with the various contract companies and provide timely intelligence to those employees actually conducting the screenings at the airports. I realize that would mean each local and regional TSA office would have to maintain effective and constant liaison with the airports within their jurisdiction – would harm could possibly come from that?

–          The employee putting hands-on at the airports (pun intended) needs very basic information about current threats. Sources and methods involved in the collection of this intelligence will never be distributed to these screeners. Distributing tactical, low level intelligence to field hands is not nearly as glamorous or informative as commonly assumed – and this intelligence can be distributed just as easily to private contractors as it is to TSA employees.

The private model is more efficient. We should go with it.

Reference:

Leggiere, P. (06 June 2011). House Committee Report Disputes TSA Findings On Private Airport Screening. Homeland Security Today. http://www.hstoday.us/industry-news/general/single-article/house-committee-report-disputes-tsa-findings-on-private-airport-screening/23cdeeffb9ebefda597912814593f1b8.html

 
Leave a comment

Posted by on June 7, 2011 in Security