Friday, December 20, 2013

Why Yenta's Background Checks Better than Governments'

The discussion that follows just came in from the annual No Dark Corners Roundtable Forum and Christmas Luncheon held at a Claim Jumper restaurant this year.

It isn't just a question of gathering up more data. Bureaucratic functionaries would have us believe that if they only knew just a little more about betrayers like NSA leaker Edward Snowden or phonies like Mandela memorial sign language imposter Thamsanqa Jantjie, they could have prevented such ne'er-do-wells from turning into national humiliations. This is balderdash. A thriving matchmaker, or yenta, can do better with even more limited data and budget. How so? The matchmaker blends available vetting data with direct observation and progressive testing before taking risks with important clients. This is hardly a matter left to chance. Nothing ends a matchmaking business faster than serial failures and mismatches.

What do matchmakers know and do that governments fail to apply in their background checks?

1. They check out prospects and clients with available data, but don't stop there. The way to do this is for the matchmaker not only to gather basic information via a standard questionnaire, but also to use that questionnaire as a starting point rather than an end point. The questionnaire informs a personal interview where the matchmaker gauges motives, manipulations, and determines what inevitable deceptions are acceptable white lies vs. dangerous fabrications. A savvy matchmaker also checks independently into reputations to determine whether it is worth doing business with a given candidate or client. After all, the matchmaker's own reputation is at stake if the match turns catastrophic.

2. They chaperone. The best matchmaker does not risk important clients by setting up liaisons with question marks. Instead, a low-risk experiment comes first. Thus, one sends a new, unknown prospect on a low-key lunch date to see how well it goes before presuming to pitch a weekend getaway in Monte Carlo with a shy billionaire client. A cautious matchmaker also knows how to be a chaperone without being a killjoy. The finesse is that of serving as a seasoned co-pilot who stays far enough in the background to let the aspiring pilot handle the take-off but remains close enough to take the controls if there a malfunction or problem with a safe landing. (For details on how this co-pilot model applies to insider threat defense, see Managing the Insider Threat: No Dark Corners, Boca Raton: CRC Press, 2012.)

3. They have enough of a stake in the deal to cut it off at the first sign of trouble, before a problem becomes a catastrophe. Unlike government background checkers with a hit-and-run mentality, matchmakers have a vested interest in follow-up and follow-through. Matchmakers have to own their results, taking credit for the sunshine as well as the rain. Government background checkers don't function with the same accountability. When was the last time a government employee lost a payday or a job from clearing a Snowden for classified access or a Jantjie for standing a dagger-thrust away from heads of state? We don't hear about it because this seldom happens. By contrast, a matchmaker whose deficient vetting produced such fiascoes would face no alternative but to embark on a change of careers.

Without necessarily realizing it, competent matchmakers exemplify some of the signature No Dark Corners (op cit) approaches to defending against insider threats. Their vetting process is akin to an enlightened new hire probation system, where penetrating scrutiny prevails over perfunctory checking. Their chaperoning and phased exposure to risk parallels the co-pilot model of limiting chances of undetected mischief. Finally, their ownership of their results keeps matchmakers vitally engaged in becoming and remaining a part of a team which is accountable for failure as much as for success. Until something like this happens in government-related background checks, look for more debacles to come.

-- Nick Catrantzos

Monday, December 16, 2013

Security Lessons from Somali Piracy

The motion picture Captain Phillips may indirectly give us pause to note a decline in Somali piracy. What can this decline tell us more broadly?

It seemed only a few years ago when the rise of piracy on the high seas sent the cargo freighter world and its insurers into frenzy and despair. Somali pirates were regularly boarding oil tankers and undefended commercial vessels at gunpoint, holding hostage their cargos and crews, and extorting million-dollar ransoms as a matter of routine. From about 2008 to 2011, piracy grew to over 40 successful attacks a year. Then the numbers began to tell a different story. There were 47 such hijackings in 2009, 46 in 2010, but only 14 by 2012. (For details, see )

One study offers a multitude of explanations for what led to the growth and more recent decline of Somali piracy. (Details are at )

Stripping the study of its plumes and spangles, the essential reason behind the boom in piracy was this: It paid well. This payoff came in the form of relatively low risk for relatively high reward.

With automation being what it is today, cargo vessels on the high seas began to operate with relatively small crews, and those crews were, by international maritime policy, intentionally unarmed. This was well known. Moreover, no armed naval forces were paying attention or allocating resources to escorting, defending, or rescuing the potential targets until their frequency of victimization became alarming. Additionally, the legal shambles that passed for the government of countries most likely to serve as home base for pirates were such that the pirates had little to fear in terms of capture or prosecution at home. These foregoing developments meant that the risk facing would-be pirates was minimal.

At the same time, realizing a return in millions paid to ransom ship and crew was the kind of payoff unmatched by a lifetime of honest work in the same countries where few jobs were to be had. The prevailing euphemism, economic dislocation, is one way of sugar-coating the relative attraction of piracy to communities when their members have no productive work prospects and have ceased to collect handouts once the flow of United Nations' subsidies has declined to a trickle. Add these factors all together, and piracy became an attractive career choice. So, what changed?

For one thing, despite much international angst over the liability and unseemliness of so unsophisticated a throwback option, the targets started to arm themselves. For another, aggressive naval patrols by nations with a stake in hijacked crews and cargo, started changing the risk calculations for pirates. Getting caught or shot will do that to a predator. Another raising of the stakes for hijackers came with aggressive prosecutions and sentencing for their crimes. (According to the first article cited above, over 1,100 Somali pirates have been jailed in 21 countries since prosecutions started in earnest. Considering that the estimated number of active pirates was 3,000, these incarcerations made a discernible impact.) Thus there came to be consequences for villainy, a price to pay. The net result of all these measures was to change the situation enough to the point where piracy was no longer such a good deal for the aspiring pirate.

There are useful security lessons to harvest here and to apply more broadly. Among them are:

1. No matter how unsophisticated and agonizingly debated it may be to do so, you make yourself less of a target if you take visible steps to defend yourself. Most attackers perform risk assessment at some level, even if not through any complicated, analytical process. Even if they operate with nothing more than low animal cunning, they realize that their odds improve when attacking undefended targets and those odds get worse if going up against targets equipped and willing to defend themselves.

2. Few adversaries are invincible, and most will back down if they face a broad array of defenses (such as armed vessels and crews, naval patrols, and a legal system that imposes consequences). At first encounter, an enemy may seem formidable when attacks are unexpected and defenses are inadequate. With the steady addition of well conceived defenses, however, it is not only possible but likely for defenders to prevail.

3. Once a major security problem appears to be solved, watch for the possibility of a new but related one to occur. In security theory, this is the phenomenon of displacement. For example, when car alarms became effective and widespread, some car thieves had to change their tactics; they became car hijackers instead. A car difficult to steal when secured but unattended became easier to acquire by forcing its keys out of the hands of the driver while the engine was already running. In the case of the present decline of Somali piracy, the speculation now is that thwarted pirates may similarly resort to different targets and tactics. One possibility is kidnapping high-value executives and holding them in exchange for ransom without having to encounter the new security measures at sea. Another possibility is that if defenders start diluting or abandoning their countermeasures because they prematurely declare the problem as being solved, it will resurface once conditions tilt back the risk-reward calculation in the pirates' favor.

In addition to this situation offering lessons to learn, it also offers lessons not to forget.

-- Nick Catrantzos