Security technology alone rarely suffices to defeat every threat, for the same reason that unconsidered infusions of more guards or more money won’t work either. The challenge is too great to dismiss with an easy solution. Besides, the threat usually strikes with some element of surprise. And the more serious the adversary, the greater the attacker’s reliance on surprise to assure victory over defenses.
Like other countermeasures, security technology struggles to keep pace with surprise – no matter how valiant the deployment of its most advanced capabilities. The best defensive technology shares this quality with the worst threat: both are always in beta. They adapt and keep getting better.
Here is a typical sequence. An intrusion alarm reveals itself vulnerable to malfunctioning in wind or rain, so a crafty intruder times strikes to coincide with foul weather or causes so many nuisance alarms attributable to weather that defenders shunt them all and leave a hole in their defenses. Technology vendors look inward to counter this tactic, however, hence the addition of secondary sensors. Now, instead of the same alarm activating upon detecting a windblown tumbleweed, it takes the tripping of an additional sensor – say an infrared detector of body heat – to be triggered in tandem with the original motion sensor before the system annunciates an intrusion alarm. Consequently, an adaptive intruder figures out how to mask heat signature or how to introduce field animals into the protected area to create more nuisance alarms, and the technology contest of thrust and parry goes on and on. Innovation from the defender camp spawns innovation from the aggressor camp, and vice versa.
To the technology aficionado, this soon becomes an ongoing contest where the irresistible temptation leads to the narrow view that defines success in terms of finding and installing the latest security technology faster than adversaries can defeat it. Reality, however, outpaces this approach and reveals it for the illusion that burdens any utopian quest.
One day the sophisticated, costly security system designed to thwart an evil genius ends up compromised by a staggering drunk who stumbles undetected into the protected area to relieve himself. Humiliation ensues. Tempers flare. How could this happen? Next comes a media frenzy accompanied by executive efforts to point the accusing finger of blame. Should the security technology be scrapped and its adherents held to public scorn? Not at all. Why not?
The shortfall is more likely a consequence that is less the fault of the technology than of failures in integrating security devices into a larger security program that the organization’s employees and management actively support. Perhaps a sensor did fail, but it is more common for failure analysis to uncover other, systemic deficiencies.
For example, one vendor may have had a contract to install intrusion alarms while a separate provider – or even in-house staff – had responsibility for supplying surveillance cameras that functioned independently of the intrusion detection system. Result? Rather than working together seamlessly to cause a camera to home in automatically on the area under suspicion at the first activation of an intrusion sensor, the protocol in place calls for a camera operator to manually point the camera in the direction of the suspected penetration. This loses valuable detection time.
Alternatively, the security technology budget ended up paying for so many cameras that no one thought to reserve enough money for a security control room or state-of-the-art monitoring facility. Thus, the image from that alarm point went to a small monitor competing to display images from all the 200 or so other surveillance cameras on site. To make matters worse, an always-beeping alarm panel may have so desensitized the person monitoring this activity that he or she must reflexively shunt alarms before investigating them – just to curb ambient noise and to permit concentration. Worse still, budget economies may have resulted in having this security function performed by a system operator or network administrator as an additional duty that takes lower priority over core business. Thus, if the operator had to make a critical flow change or load shift at the same time as the intrusion alarm went off, the latter would have a lesser claim on attention spans. After all, the operational demands of the core business have to come first. Otherwise, it makes no justifiable sense to give priority to securing an operation whose core needs one may have just neglected to the point of causing more damage than an attack would inflict.
More commonly still, there is often a poor balance between security technology and effective staffing to make the most of the technological dividends. Who is watching the alarms and surveillance cameras? Are they properly trained? Do they have clearly assigned roles? Or do so many people have the capability to view such feeds remotely that no one has responsibility for doing so on a regular basis? Regardless of the training and vigilance of the assigned staff, is the assignment of the job such that one lone individual has to monitor all cameras and alarms for an entire work shift? Such deployments are distressingly common and equally misguided.
A study of control rooms by the Government Accountability Office noted that the most that the average mortal can devote to monitoring such things as surveillance cameras without missing significant activity is not an entire work shift but 20 minutes. The job is at once “boring and mesmerizing” [Source: Keith A. Rhodes, Chief Technologist, National Preparedness: Technologies to Secure Public Buildings, Testimony Before the Subcommittee on Technology and Procurement Policy, Committee on Government Reform, House of Representatives, Washington DC, GAO-020687T, April 25, 2002, p. 65].
Informed security operations address the foregoing vulnerability by rotating monitoring duties between employees several times during a shift. Many aren’t informed.
Systemic security failures are seldom the sole fault of technology. There tend to be contributing factors. Look for flawed integration of technology, staffing, and resources as likely culprits, even if they are unwitting contributors to a debacle. Don't blame technology for implementation failures.
-- Nick Catrantzos
Saturday, October 13, 2012
Thursday, October 4, 2012
Benghazi Consulate Gaps: OPSEC Savvy and Boogie Plans
While American media preoccupies itself with presidential debate discussions, news from Libya goes unremarked of the toll of an ill-prepared diplomatic post. Specifically, as suggests a thoughtful of interpretation of the latest news (available at http://m.washingtonpost.com/world/middle_east/sensitive-documents-left-behind-at-american-mission-in-libya/2012/10/03/11911498-0d7e-11e2-bd1a-b868e65d57eb_story.html ), it is becoming increasingly clear that American consular staff in volatile Benghazi proved unforgivably overmatched in two areas.
One glaring area, as the foregoing news revealed, was in operational security, or OPSEC. Underscored by bushels of exploitable and sensitive records left untended, the consulate in its ruins became as useful to American adversaries as it is worthless to American diplomats. Strewn among the bombed-out rubble are lists and identifying information of Libyan employees and other local nationals who provided useful service to the American mission in this country. Personal details of American staff are or were also unsecured, hence CNN’s ready access to the office calendar of slain Ambassador Stevens. Analytical observers may only speculate on what more revealing documents and records have already found their way into enemy hands that were too full to bother with the ambassador’s calendar as they went scavenging through the ruins in the immediate aftermath of the Benghazi attack of 9/11/12. So, item one is a flagrant breach of basic OPSEC which would instruct diplomatic staff in volatile regions to minimize the quantity of sensitive records on hand and to secure or destroy that bare minimum at the first sign of hostilities.
Even 30 years ago, the takeover of the US Embassy in Teheran found our overseas staff making a better effort to purge sensitive documents in the face of imminent attack. Only given the availability of today’s advances in encryption and digital data storage, it is nothing short of astonishing for paper records such as those compromised in Benghazi not to have been all but virtually eliminated in favor of safeguarding the same data as electronic files whose deletion could be handled instantaneously or even remotely without waiting for another salvo of assault rifle and rocket-propelled grenade.
The second apparent deficiency complements a much touted security shortfall: the apparent absence of a well thought-out and properly executed contingency plan for evading lethal attackers. Some old hands in operations call this a boogie plan. Its purpose is to lay out in advance carefully vetted options for evading and escaping from hostile natives so as to save lives and prevent the compromise of sensitive activities. If there was a boogie plan in Benghazi, it either fell apart because of betrayal to the attackers themselves, or its intended beneficiaries failed to act on it before it was too late.
One need go no further than to re-read Mark Bowden’s 2006 Guests of the Ayatollah to see that such gaps and more came to the surface as a result of the Iranian takeover of the US Embassy in Teheran as the 1970s ended and the 1980s began. Since those tumultuous days, the State Department’s Bureau of Diplomatic Security has grown and evolved considerably, to the point of either employing or having access to a cadre of security professionals who could easily address such gaps. Recent events, however, make one wonder: Is the expertise on OPSEC and boogie plans altogether missing, or is that expertise going unheeded by higher echelons whose panjandrums think themselves above these prosaic details that save lives and safeguard operations?
-- Nick Catrantzos
One glaring area, as the foregoing news revealed, was in operational security, or OPSEC. Underscored by bushels of exploitable and sensitive records left untended, the consulate in its ruins became as useful to American adversaries as it is worthless to American diplomats. Strewn among the bombed-out rubble are lists and identifying information of Libyan employees and other local nationals who provided useful service to the American mission in this country. Personal details of American staff are or were also unsecured, hence CNN’s ready access to the office calendar of slain Ambassador Stevens. Analytical observers may only speculate on what more revealing documents and records have already found their way into enemy hands that were too full to bother with the ambassador’s calendar as they went scavenging through the ruins in the immediate aftermath of the Benghazi attack of 9/11/12. So, item one is a flagrant breach of basic OPSEC which would instruct diplomatic staff in volatile regions to minimize the quantity of sensitive records on hand and to secure or destroy that bare minimum at the first sign of hostilities.
Even 30 years ago, the takeover of the US Embassy in Teheran found our overseas staff making a better effort to purge sensitive documents in the face of imminent attack. Only given the availability of today’s advances in encryption and digital data storage, it is nothing short of astonishing for paper records such as those compromised in Benghazi not to have been all but virtually eliminated in favor of safeguarding the same data as electronic files whose deletion could be handled instantaneously or even remotely without waiting for another salvo of assault rifle and rocket-propelled grenade.
The second apparent deficiency complements a much touted security shortfall: the apparent absence of a well thought-out and properly executed contingency plan for evading lethal attackers. Some old hands in operations call this a boogie plan. Its purpose is to lay out in advance carefully vetted options for evading and escaping from hostile natives so as to save lives and prevent the compromise of sensitive activities. If there was a boogie plan in Benghazi, it either fell apart because of betrayal to the attackers themselves, or its intended beneficiaries failed to act on it before it was too late.
One need go no further than to re-read Mark Bowden’s 2006 Guests of the Ayatollah to see that such gaps and more came to the surface as a result of the Iranian takeover of the US Embassy in Teheran as the 1970s ended and the 1980s began. Since those tumultuous days, the State Department’s Bureau of Diplomatic Security has grown and evolved considerably, to the point of either employing or having access to a cadre of security professionals who could easily address such gaps. Recent events, however, make one wonder: Is the expertise on OPSEC and boogie plans altogether missing, or is that expertise going unheeded by higher echelons whose panjandrums think themselves above these prosaic details that save lives and safeguard operations?
-- Nick Catrantzos
Subscribe to:
Posts (Atom)