Thursday, August 23, 2012

The Afghan Assassin as Insider

The only “insider” aspect of Afghan soldiers who ambush Americans attempting to train them is the assassins’ ability to gain entry and enough maneuvering room to get next to Americans and kill them by surprise. Such killers do not resemble a traditional insider threat in the sense that they have not earned a position of trust, only to then betray that trust. However, to the extent that they penetrate American defenses by guile instead of force, they do share one all-important trademark of any serious insider threat, and the proper focus on shoring up this vulnerability should go a long way toward neutralizing the threat.

“The real issue is access,” as noted on page 87 of Managing the Insider Threat: No Dark Corners (Boca Raton: CRC Press, 2012) in the chapter, “Rethinking Background Investigations.” As this book also notes further down the page, the way to address the problem of unescorted access when one does not have the time or capabilities to carry out the full vetting necessary before giving anyone a position of trust is to “insist that all outsiders be given access to critical areas, assets, or operations only when under knowledgeable escort. This means that the outsiders never receive unhampered freedom of movement …”

One of the idiosyncratically persistent American proclivities that play into increasing our vulnerability in such situations is that we consider escorting and watching people inconvenient. Consequently, our tendency is to find ways to clear them and let them roam unfettered or to assign the most junior, least capable employee to escort duty. This is a mistake which adversaries discern and exploit to our peril. What the situation in Afghanistan calls for is serious attention to access and escort.

In the case of fledgling Afghan trainees entering a U.S. compound in Afghanistan, this means that they are never outside the capable escort of American combatants better trained, equipped, and empowered to take them out of action at the first hint of hostile action. As the book says, “Escorts must be able to recognize inappropriate activity and intervene in time to prevent damage.” In the case under discussion, the damage is to American life and limb, and the intervention ranges from wrestling to the ground to shooting on sight. The situation dictates tactics, and life-or-death situations are no place for second-guessing American combatants risking their lives for their country.

-- Nick Catrantzos

Monday, August 20, 2012

Oak Ridge Fiasco Part 2: Weathering the Witch-Hunt

Part 1, Understanding Security Witch-Hunt, August 19, offered analysis and inferences concerning the challenging situation of any defender in the wake of a very public fiasco where a near-term need for scapegoats may trump the organization's long-term security interests. Now, in Part 2, we shift our focus to prescription, outlining a three-pronged approach to dealing with a near-impossible situation, including steps to take and actions to avoid.

Rx 1: Take the hit without generating alibis or excuses.

The temptation to soften the blow or redirect the accusing finger of blame will be almost insurmountable. Legal advisers will counsel making no admissions of culpability, for fear of civil and criminal actions that might ensue. Public relations consultants will advise changing the subject by any means in order to deflect negative scrutiny. Governing boards and special interests alike will look for human sacrifices. What is the professional defender to do?

Focus on verifiable facts. A security problem exists when there is a substantial, adverse difference between what is supposed to happen and what actually did happen. It does no good to create convoluted story lines to account for why an octogenarian nun could penetrate a secure area without holding any defenders responsible for the breach. Now is not the time for excuses, but it is the right time to drill down into details that identify situation-specific and systemic points of failure. If a strain-sensitive cable did not detect a cut along a fence-line, for example, capture this information and, for the next section, take charge of fixing this particular problem. If further examination reveals that the reason such a failure occurred is that the detection device was inoperable at the time owing to an unforeseen budget cut, whereby funds that were supposed to be allocated for a backup battery supply and tamper alarms had instead been reallocated to, say, replacing an air conditioning unit for a data center, by all means document this as an underlying or contributing cause. However, do not highlight this particular point at this juncture. To do so gives the unprofessional appearance of trying to dodge accountability.

With the foregoing approach in hand, document all verifiable security failures and take responsibility for instituting corrective action. In parallel, document all contributing factors for later reference in management discussions about correcting systemic problems and allocating resources necessary to meet existing and emerging security requirements.

Rx 2: Having acknowledged specific, verifiable failures with brutal honesty, now develop corrective actions that fully meet all official security standards.

By no means exclude corrective recommendations that you suspect the customer will dismiss out of hand on grounds of cost, feasibility, or historical preference. Resist the temptation to buy into prevailing arguments that some official standards are unattainable, hence historically neglected or moderated by all concerned in joint recognition of resource or other constraints. The temptation may be overpowering in this case, as nuclear security is notoriously infected with very precise standards and just as reputedly overtaken by receptivity to role-playing and scripted performances that mask performance shortfalls by contriving security inspections whose occurrence and successful conclusion are known in advance.

Instead, this is the time to look at officially promulgated and contractually accepted security standards, and to propose to satisfy them in good faith, no matter what the cost. This process will no doubt unearth standards in place that were either unattainable or too resource-prohibitive to be met. In all likelihood, principals from all entities involved, including government customers, arrived at some kind of informal accommodation that permitted deviation from standards to occur. For example, if a given alarm was officially to compel arrival of an armed response within, say, five minutes at the point of an identified breach, perhaps the government customer, contract facility operator, and contract security service all previously acknowledged that distance and terrain would make such a response impossible without a helicopter on standby. Over time, the prohibitive cost of that helicopter, its pilots (for 24-hour coverage), and maintenance may have become too expensive to subsidize in the face of budget pressures. The proper way to address such a situation would have been to bring it out into the open and either revise the standard or provide a signed, written waiver under certain conditions for a given period of time. However, it is just as likely that all principals found it more expedient and more bureaucratically risk-averse to avoid raising the issue this way. Instead, they could, for example, mutually agree to start the countdown on response time once word of the breach has reached the nearest security responder in the field. What such an apparently minor interpretation of convenience neglects is that the time between detection of the breach and alert of the field responder may have already consumed 15-30 minutes, so that the net response to the site of the breach has now become up to 35 minutes. But, for purposes of a collusive inspection, that kind of response could still count as having met a five-minute criterion.
[Note: This example is specifically created for purposes of illustration without any reference to a particular standard and is not meant as an indictment of any individual or function involved in the fiasco in question. The illustration is just a way of pointing out how operating entities, security services, and government customer representatives possessed of the best of intentions may nevertheless act in concert to undermine their own defensive posture without realizing it.]

After spelling out how to fix the security deficiencies that really do lend themselves to remedy, establish a timeline and propose to start implementing corrective actions at once. In all inspections, particularly those involving reputational risk, the goal should be to enable inspectors to say as often as possible, "Corrected on the spot."

While working on these corrective actions, concurrently capture alternatives, costs of implementation, and any recommended compromises to or modifications of official security standards. Use these data to formulate a separate impacts and options study to present to the customer at a more appropriate time, after the immediacy of the situation has subsided.

Rx 3: When it comes to addressing intangibles, like culture or mindset, instead of continuing a point-by-point response, offer up a bold program that will institute the kind of sweeping change necessary for addressing systemic and recurring lapses.

Instead of trying to vault this chasm in multiple hops, take a substantial leap. It is the only chance of avoiding ruin. This is where problem solving must give way to predicament unscrambling, where the place for specifics is in the details of designing a program and implementation schedule to support the sea change that will deliver results. What is this change, this program?

It is nothing less than a re-ordering of the workplace along the lines of a No Dark Corners approach, where the co-pilot model of engagement across the board extends not only to the teams responsible for operating the nuclear facility, but also to all the sentinels charged with its security. Everyone becomes deputized to take a hand in protection. Excuses become taboo, hence extinct. And collaboration extends to the point of making security an integral part of the overall operation, of every job, rather than a shopworn and anemically supported appliqué to be tacked on only when inspectors are watching.

How does one manage all these steps? For a start, one may turn to the chapter, "Consulting for No Dark Corners Implementation," in Managing the Insider Threat: No Dark Corners (Boca Raton: CRC Press, 2012). But this is not the only solution. After all, one can also resolve to accept scapegoat status and change one's company name after serving in a public pillory and being debarred from future government work.

-- Nick Catrantzos

Sunday, August 19, 2012

Understanding Security Witch-Hunt Part 1: The Oak Ridge Fiasco

Fiascoes excite the greatest remark when tied to reputational risk, and the knee-jerk response to the worst case comes with a witch-hunt as surely as a dog comes with fleas. When the fiasco involves a very public security breach, however, attending expressions of outrage reach a firing-squad crescendo. In the frenzy to aim at blame and to give one's audience the drama of an execution as proof of swift action, the players in such proceedings too often make matters worse for defenders. How so? They issue cascading demands which begin reasonably enough with facts on the ground but soon launch beyond terrestrial orbits into the ether of unverifiable conditions and impossible timelines.

Example? Look no further than the security breach at the Y-12 Oak Ridge nuclear facility at the hands of an 83-year-old nun and her hippy-era peacenik cohorts (with details and regulatory reaction noted at http://www.knoxnews.com/news/2012/aug/14/bad-cameras-non-responsive-guards-part-of-y-12s/ ). According to media reports, three slow-moving, unremarkable geriatrics penetrated a secure area protected by state-of-the-art technology and armed-to-the-teeth guard patrols. So what did the government overseer of this site do? Point the accusing finger of blame, create additional insulation between itself and the likely scapegoat, and launch into expressions of outrage, with proclamations of demands for action that appear more calculated to dodge responsibility than to remedy security shortfalls.

Consider: The overseer, the National Nuclear Security Agency (NNSA), issued a very public letter to the engineering company operating the site, Babcock and Wilcox. This letter directed the engineering company to show cause within 30 days why NNSA should not terminate the lucrative contract to operate the facility because of the foregoing security breach. NNSA's show-cause letter cited not only the lapses in security but also an "inappropriate cultural mindset" as the flaws that require immediate attention. Meanwhile, NNSA shut down the plant's operations because of the security breach. NNSA also found fault with the guard force, a Wackenhut operation that was rebranded as G4S Government Solutions and known locally as WSI-Oak Ridge. Most interestingly, this security service was a prime contractor working directly for NNSA at the time of the breach -- just as Babcock and Wilcox was an NNSA prime contractor for operating the facility. However, with a stroke of the pen, NNSA seconded the guard service to the engineering company after the fact and is now holding B&W responsible for correcting G4S's security performance.

To the trained security and management observer, this NNSA move is an artful dodge not only of immediate responsibility for any contributing role in the security fiasco but of future security misfires as well. Passing the blame to the engineering contractor by making this entity suddenly responsible for security actually undermines whatever management value the separation of contracting responsibilities between operations and security was originally created to deliver. In theory, the previous state of affairs put security management and operational management on an equal footing with the NNSA customer, since both were prime contractors. Thus, whenever a plant manager might incline to economizing on security in favor of making working conditions better for his or her engineers, the organizational mechanism in place would have allowed senior engineering and security managers to raise the matter to their shared NNSA customer for the customer to resolve such a debate at a higher level. By ending that peer-level relationship, NNSA does two things: 1) it increases the chance of an engineering contractor's override of future security concerns once the immediate attention to site security has gone from the limelight, and 2) it relieves NNSA of any responsibility for making tough calls on future conflicts between the engineering contractor and the security contractor, since the second will now be working under the first. This is as bureaucratically elegant a maneuver as it is bereft of managerial and security accountability. To the astute practitioner, it begs the question, What else is NNSA eager to hide, such as contributory negligence or leadership failure that may have contributed to the "inappropriate mindset" that it now lays at the feet of the engineering company to repair?

So much for setting context. Part 2 will look at a realistic approach to answering the kinds of demands made in NNSA's show cause witch-hunt.

-- Nick Catrantzos